Continuous Controls Monitoring, Three Key Considerations

Increasing complexity and challenging new business risks pervade today’s global environments. To address these risks and meet regulatory requirements, organizations must establish effective internal controls, along with processes to make sure these controls remain repeatable, sustainable, and cost-effective. Therefore, as part of their overall governance, risk, and compliance (GRC) strategies, organizations are building continuous controls monitoring (CCM) programmes to improve efficiencies, avoid controls deficiencies, and focus resources on managing critical risks. With an effective and sustainable CCM programme that’s designed, managed, and optimized to account for changes such as regulatory shifts, mergers and acquisitions, and system upgrades, an organization can meet its compliance objectives, reduce risk exposures, and meet the expectations of key stakeholders. Over time, as their CCM processes mature, companies can transition from manual risk detection efforts to automated prevention measures. Organizations considering CCM must first focus on their control objectives and establish sound processes.

1. Create a Foundation for Your CCM Programme

A CCM programme should include risk detection, prevention, remediation, and compliance components, all focusing on people, processes, and technology. Using CCM to evaluate and monitor key business processes against predetermined business rules enables an organization to identify patterns and anomalies to help minimize potential risk exposures.

When a company embarks upon a CCM initiative, the automation or technical aspects often become its primary focus. Although automating the controls can be very beneficial to the organization, it is recommended that companies focus initially on the following control objectives:

1) Application access controls and segregation of duties (SoD) can reduce opportunities for fraud or for material errors by ensuring that financial and operational transactions are properly authorized and approved. A CCM strategy should drive the development and enforcement of effective user and role governance processes, practical SoD rules, and sustainable access controls.

2) Business process controls help users evaluate system configuration settings to identify events that occur outside of set control limits.

3) Master and transactional data controls are used to analyse sensitive fields and transactional data against predefined control criteria. The analysis of this data supports the detection of potential controls violations, such as changes to vendor addresses or terms, duplicate payments, timing issues, and other anomalies. Additionally, the transactional data analysis can facilitate business efficiency improvements.

2. Manage the CCM Life Cycle

To create and sustain an effective CCM programme, an organization must understand and manage the entire CCM life cycle, which includes:

Process design. This begins with a clear vision based on operational objectives (e.g., achieve compliance, reduce risk). It is impractical to monitor all of a company’s controls, and therefore it’s essential to first identify the controls most in need of monitoring, based on business objectives. It is also recommended to establish a CCM governance body to lead the process design effort and to help ensure that business objectives are met.

Business rule development. A CCM programme is only as effective as the business rules used to evaluate the control data. Business rules for SoD, master and transactional data, and automated application controls are used as filters and applied against data sources to identify potential control anomalies.

Controls optimization. Once significant risks have been identified within business process areas, appropriate controls must be established to mitigate them. A vital step in achieving control optimization is establishing controls that cover multiple risk areas and eliminate redundant or ineffective controls.

Exception validation and rationalization. Organizations often become overwhelmed by the volume of control exceptions. Since some exceptions are legitimate, organizations can manage risks and reduce the number of reported exceptions, and therefore the cost of compliance, by filtering out legitimate business exceptions.

Resolution reporting. To successfully manage and mitigate business risk, and to ensure timely resolution of compliance violations, it is important to set up a process that allows the company to diligently review and resolve reported violations.

Process optimization. The processes that make up the CCM programme should be flexible and allow the company to dynamically react to change. They also should be continually adjusted to meet business needs and sustain the CCM investment.
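The business rule development and exception validation steps above can be illustrated with a small sketch. This is an added example, not part of the original article and not SAP GRC code: it applies an SoD rule and a duplicate-payment rule as filters over data, then removes exceptions already accepted as legitimate. All role names, vendor ids, payment records and the approved-exception list are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (illustrative names and values only).
USER_ROLES = {
    "alice": {"CREATE_VENDOR", "POST_PAYMENT"},
    "bob": {"POST_PAYMENT"},
    "carol": {"CREATE_PO", "APPROVE_PO"},
}
# SoD business rules: no single user may hold both roles of a pair.
SOD_RULES = [("CREATE_VENDOR", "POST_PAYMENT"), ("CREATE_PO", "APPROVE_PO")]

PAYMENTS = [
    {"id": "P1", "vendor": "V100", "invoice": "INV-7", "amount": 1200.00},
    {"id": "P2", "vendor": "V100", "invoice": "INV-7", "amount": 1200.00},
    {"id": "P3", "vendor": "V200", "invoice": "INV-9", "amount": 80.00},
]
# Exceptions already reviewed and accepted as legitimate business exceptions.
APPROVED_EXCEPTIONS = {("SOD", "carol", "CREATE_PO+APPROVE_PO")}


def sod_violations(user_roles, rules):
    """Return one exception per user holding both roles of an SoD pair."""
    found = []
    for user, roles in sorted(user_roles.items()):
        for a, b in rules:
            if a in roles and b in roles:
                found.append(("SOD", user, f"{a}+{b}"))
    return found


def duplicate_payments(payments):
    """Flag payments sharing vendor, invoice number and amount."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], p["invoice"], p["amount"])].append(p["id"])
    return [("DUP_PAYMENT", key[0], "+".join(ids))
            for key, ids in groups.items() if len(ids) > 1]


def run_controls(user_roles, rules, payments, approved):
    """Apply all rules, then filter out approved exceptions."""
    raw = sod_violations(user_roles, rules) + duplicate_payments(payments)
    still_open = [e for e in raw if e not in approved]
    return raw, still_open


if __name__ == "__main__":
    raw, still_open = run_controls(USER_ROLES, SOD_RULES, PAYMENTS, APPROVED_EXCEPTIONS)
    print(f"{len(raw)} raw exceptions, {len(still_open)} need review")
    for exc in still_open:
        print(exc)
```

Keeping the approved-exception list as reviewable data, separate from the rules, means the rules keep firing on new cases while reviewers see only the exceptions that still need resolution.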

3. Automate CCM with SAP Functionality

Companies running SAP have a significant advantage when enabling and automating CCM because integrated business disciplines such as financial accounting and asset management can be built into a centralized CCM programme. A CCM programme that encompasses well-designed controls, appropriate business rules, and the diligent management of the CCM life cycle allows organizations to focus on their enhancement and automation efforts, reducing time and resources that would otherwise be spent manually monitoring controls.

As companies move toward automation, they should make managing configurable controls through benchmarking a part of their testing strategy, since it is a mechanism that ensures configurable controls remain unchanged. SAP provides this capability through table logging, which can help reduce year-to-year control testing.

SAP also provides a number of tools embedded in its GRC solution suite, which can be used to automate the CCM process. These tools include SAP GRC Access Control, SAP GRC Process Control, and SAP GRC Global Trade Services. An organization can leverage these tools, combined with the functionality already embedded within SAP systems, to gain a clear advantage in creating an effective end-to-end solution for managing risk and compliance.

Make CCM a Priority

Having a GRC strategy and making an effective CCM programme a priority can help companies drive their compliance efforts, identify potential processing errors, and proactively detect fraud. It is also critical to design practical processes as you develop your GRC strategy and CCM programme. Many companies hold the misconception that an automated controls solution will solve all compliance needs. However, an automated solution is only effective after a successful CCM programme has been established based on well-designed controls, appropriate business rules, and ongoing management of the CCM programme.

