Highlights

The session was focused on CCM and Gates provided an excellent summary of existing guidance, which he strongly suggested people read. The panel discussed  who the CCM customer is and or should be. In this context I explained my view of the CM macro, explaining there is an ever-expanding interest in monitoring in general, along with the financial world’s focus on continuous controls monitoring (CCM) and or continuous controls monitoring of transaction (CCM-T).  In general customers/shareholders etc. have a growing expectation that basic monitoring is in place to provide cost savings and information integrity. Similar to how Federal Express changed the base case for package tracking information.

The panel discussed various barriers and how to overcome them, return on investment and many examples of CCM implementations. One theme was the need to engage company operations management. We suggested one of internal audit’s roles in CCM is to identify and recommend specific CM and CCM applications. This is like low hanging fruit, to impact the business in a positive way.  For more on this see my recent article in EDPACS at http://canco.us/2010/07/01/internal-audits-role-in-continuous-monitoring/.

There was a presentation on testing controls – which continues to shift from manual to automated. Finally there are three presentations from CCM software providers, combined with examples of actual CCM customer success stories. This provides valuable examples of concepts and benefits. For example Ben Cagle from Oversight teamed up with Donna Tillapaugh from Celanese to present and discuss examples of how Celanese and Oversight automated 25% of their SOX controls; identified duplicate payments and reduced onerous recovery fees and identified business transaction errors.

I was particularly impressed with the Celanese “Annual Transaction Errors Pyramid” showing how CCM could be preventing a potential error with financial statement impact!

Please see his new article, “Internal Audit’s Role in Continuous Monitoring” recently published in EDPACS.

Regarding the article Michael says, “I am passionate in my belief in expanding monitoring however there is a great need to expand coordinated efforts to achieve greater adoption of CM. This article discusses the Internal Auditors role in expanding the use of monitoring in their organizations.” Please see the article at www.canco.us under Canco – In the News.

Read the full text here.

This was the theme of a keynote I presented on March 17, 2010, titled: Economic Crisis- Auditors Evolving Role. As a former CAE, CFO and CEO, I implored the over 150 internal auditors to put themselves in their management’s position. Audit and compliance costs (internal and external) have doubled in the past 8 years. Be assured, this increase has management’s attention!

The recession has put pressure on revenues and companies are responding by cutting costs. IA needs to find ways to reduce compliance costs while expanding coverage. I proposed two, low cost high imagination, solutions. Outsourcing aspects to IA to lower cost countries and using automation through continuous monitoring of controls CCM.

I discussed the trend of business process outsourcing (BPO) of for example, payroll, payables and recently accounting and mail room functions, to countries such as Costa Rica and India. As for CCM, I suggested IA should be recommending it to operations, as a way to build in compliance integrated right into the systems. IA is in a perfect position to identify CCM applications which should reduce cost overtime, expand compliance coverage and save audit time as well.

I quoted Oversight Systems President Patrick Taylor, “No business process works perfectly. The sooner an error is identified and corrected the better.”  IA should continue to use continuous auditing (CA) to automate the audit process but these concepts (use of automation to drive down costs and expand coverage) should be driven throughout the organization, with CCM.

Another post credit crisis issue is the push to involve IA in ERM. My advice was to set the IA Charter very carefully when it comes to ERM. IA can be a factor but is not in the board room where most major risks are assumed.

(Please click here to see the full power point presentation)

Integration of SOX 404 as part of a broader approach to risk and compliance; and

A major movement towards streamlining of control testing through Continuous Control Monitoring CCM.

The research is based on extensive discussions with foreign private issuers, backed by a series of detailed interviews with 14 of Europe’s largest public companies. According to the report:

“Almost without exception, European companies are either moving toward, or at least seriously considering the introduction of some form of Continuous Control Monitoring (typically transactional in nature) in their SOX programs, and indeed more broadly in risk and control-related functions:

“The degree of intelligence that one can derive [from CCM] is staggering and enables it to deliver a higher level of assurance.”

“Pretty much everybody I talk to is looking at CCM to see whether they can benefit from it in their SOX programs.”

A key driver of this trend is a desire to move away from manual controls and toward a greater reliance upon IT systems. Yet paradoxically, IT remains the single area in which SOX program leaders have the biggest skills and resources challenges.”   Read the report

No matter what operational source system you use, we can easily access and integrate data from multiple systems. With Extractor from Oversight, we remove the first barrier for a smooth implementation of continuous transaction monitoring (CTM). Oracle, SAP, PeopleSoft, JD Edwards, Lawson, MFG Pro, Infinium, Geac, Baan, Ross Systems, Siebel and custom applications can all be mapped to our common data model without affecting the performance of operational systems.

So why not try CTM? With such software predicted to be one of the top three governance, risk and compliance investments for 2010, ring in the new year with savings to the bottom line and the peace of mind of Oversight’s 100% money-back guarantee.

Here I explain the important steps in data extraction for CTM and why Oversight’s Extractor is the best process out there. <watch>

Individual cardholders have the authority to use travel cards, but your company is still liable for payment. You can’t rely on card suppliers’ controls to prevent and identify potential mistakes and misuse throughout the purchasing process. These suppliers automatically monitor established parameters, such as spending limits or authorized merchant codes at the point of sale, and they’re particularly adept at identifying when a card is lost or stolen. But card suppliers don’t have the depth of information necessary to recognize the nuances characteristic of misuse, and they certainly don’t have the access to your travel and expense reimbursement policies.  The good news is you do. <more>

Oversight eliminates improper payments by analyzing individual transactions in the disparate data sources used to monitor program integrity activities. The solution provides workflow and reports to quickly investigate each issue and resolve errors and violations as they occur.  Oversight is available with out-of-the-box functionality to stop erroneous payments before funds are disbursed.