The benefits of Continuous Controls Monitoring


What is Continuous Controls Monitoring?

Continuous Controls Monitoring (CCM) refers to the application of technologies that reduce business losses and audit costs. This is achieved through the continuous monitoring and auditing of the controls in applications to eliminate surprises, reduce compliance costs, improve governance and ensure continuity. Continuous Controls Monitoring also helps reduce business losses by using effective continuous auditing mechanisms and control monitoring of various aspects of the applications involved. It helps organizations validate the effectiveness of controls designed to mitigate risk. It is part of constant auditing, where a set of automated procedures monitors the internal controls. Some of the controls monitored by continuous monitoring include authorizations, access, system configurations, master data, transactions, and business process settings.

Most finance and audit leaders know CCM and its benefits. Yet its potential is often not fully recognized, particularly at the enterprise-wide level. In the current environment of increasing risks, shifting regulations, and rising compliance costs, it is an ideal time to consider the potential of CCM in your organization.

Top controls challenges ERP customers face

Today, organizations need to transform risk management practices from manual controls to automated fine-grained controls that monitor business activities enabled by applications. Enterprises are rapidly moving into a digital universe. An increasing number of people are connected to the internet through cloud applications or smart devices. All these changes are unleashing new waves of challenges for organizations, specifically challenges in controls monitoring for ERP customers. Some of those challenges are:

  • The need to eliminate manual management of the internal control process and its documentation
  • Desire to include all the participants in the internal control processes (process owners, control owners, auditors, managers, etc.) to develop a more efficient communication among them
  • Disruptive risks due to pandemic, globalization, transformative technologies, and complex regulations
  • Control costs and improve the user's experience
  • The cost and burden of managing controls have significantly increased over time
  • Increasing difficulty in assuring the effectiveness of internal controls without having a continuous monitoring process
  • Huge volumes of data in different systems

All of the above challenges are clearly applicable, but the list goes beyond what is shown here. The vast majority of organizations today have an ERP system in place, so one of the challenges is knowing where you are in the process of your ERP evolution. Are you planning an upgrade? A move to the cloud? Knowing this will determine your next move in terms of how you want to address these challenges.

Without having a continuous monitoring process in place, it’s difficult for organizations to provide assurance of the effectiveness of their internal controls. It’s no longer acceptable to tell your auditors you were unaware of issues. Organizations should be proactive to avoid unwanted surprises.

Business drivers for continuous controls monitoring

One of the responsibilities of management in organizations (particularly in financial services) is to assure the CEO and executives that high-risk factors are being managed and appropriate controls are in place and operating effectively. With regulatory control, an increasing number of organizations are seeking productivity improvements in evaluating the performance of internal controls. One method to improve productivity is using technology to monitor controls effectiveness continuously.

Improved management and monitoring of controls through CCM may reduce the extent to which audit and security staff need to perform complex controls testing. In addition to cost reductions through improved efficiency and effectiveness, other benefits of CCM include:

  • Eliminate surprises - avoid control weaknesses
  • Prevent fraud, misconduct, misuse, and abuse
  • Remain competitive while lowering ongoing compliance costs
  • Protect sensitive data from unauthorized users and identities
  • Real-time visibility and remediation
  • Provide assurance that controls are operating effectively
  • More efficient and effective audits
  • Maintain data integrity
  • Early detection of issues 
  • Safeguard from data breaches, proactive cyber security
  • Save future audit fees
  • Avoid reputational risk

The most critical driver is to eliminate surprises. Nobody wants to be surprised with a control weakness or fraud. Having a solution like SafePaaS in place puts you in a position of strength with the internal and external auditors. Rather than being reactive to auditors' requests, CCM solutions allow you to be proactive. Having a solution will enable you to scrutinize past requirements, ensure those items are covered, and anticipate future demands.


Another issue to consider is a remote workforce's impact on your organization and its audit requirements. Use your control risk matrix to determine where you spend time testing these controls. Are they controls for compliance or general operational controls like fraud? Is there anything you can do to take advantage of technology to streamline your process? Think of it as not just mitigating risk but also improving performance.

While CCM is primarily about controls, it can also help you improve your operations. For example, manufacturing customers use controls monitoring to improve their revenue cycle by improving their supply chain. These customers do an excellent job from a financial risk perspective, and they are now proactively looking at operational risk in the supply chain.

A CCM solution enables you to see real-time results. It can also provide assurance to business owners that a user's access to an ERP such as Oracle is approved and gives them the ability to determine its use over a period of time, confirming that the control was in place and operating effectively.

Continuous Controls Monitoring is all about being proactive rather than reactive. Technology allows you to streamline the process to improve performance, control top-line risk and improve operations.

What to look for in a solution?

Your organization likely has some form of controls in place to detect risk. However, your existing controls may be disparate tools or point solutions that don't adequately protect your organization. Additionally, compromises can happen if you don't know if these devices are turned on and configured to work together to protect your assets. 

When looking for solutions, the first thing you want to consider is your ERP. If you plan to upgrade or move to the cloud for example, it is important to keep that in mind as you evaluate solutions. It's also important to look at what applications you want to target now and what your long-term vision is.

CCM solutions should include the following functionality:

  • Cross-platform capability for future flexibility
  • Closed-loop workflow
  • Dynamic Dashboards, actionable intelligence, drill-down to transaction level
  • Audit trail on all users, super users, PAM
  • Single centralized risk across the enterprise
  • Predictive Analytics
  • Fine-grained risk mitigation
  • Incident Management for closed-loop processes
  • Real-time alerts
  • Transactional Monitoring

By continuously and automatically monitoring control gaps and performance against assets, security teams can prevent a control failure from becoming a security breach. By implementing a solution such as MonitorPaaS™, you can have real-time visibility of your business controls.

Proactively Manage Risk

Controls Monitoring

1. Streamline Risk Management

Risk Threshold - There is some risk that organizations just have to accept. For example, there will be people who can post journal entries or change bank accounts, but a user setting themselves up with a bank account is a red flag. You should also avoid false positives. Many solutions fail when they report too many incidents that are false positives.

Closed-loop workflow - Organizations should ensure the process owners receive risk information and make it closed loop. Reporting tools don't provide two-way risk management.

Dashboards - People want to see areas that are relevant to them - for example financial risk or supply chain risk. 

Incident History - Audit, for example, will be interested in knowing whether a journal entry was over a certain amount. This can then be adjusted and resolved using documentation. Incident history can lower future costs. For example, if entries are not understood, they take up audit and remediation time, not to mention causing surprises again.

2. Early Detection of Potential Issues

You want to be able to monitor changing parameters, configurations and transactions. For example, if you have a three-way match rule, you want to identify when someone has turned off the control in your ERP or when transactions were somehow posted.

Fuzzy Logic - Find similar invoice numbers, similar payment numbers, similar supply numbers...

Advanced Analytics - Help you detect potential risks before they materialize.
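The fuzzy matching on invoice numbers mentioned above can be sketched as follows. This is an added example, not SafePaaS or MonitorPaaS code; the record fields, the 0.9 similarity threshold and the sample invoices are all assumptions constructed for illustration. It compares only invoices with the same supplier and amount, which keeps sequential numbers for a recurring charge from being reported as false positives.

```python
import re
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample payables records (hypothetical fields, not real data).
INVOICES = [
    {"id": 1, "supplier": "S-100", "number": "INV-00123", "cents": 450000},
    {"id": 2, "supplier": "S-100", "number": "INV 123", "cents": 450000},
    {"id": 3, "supplier": "S-100", "number": "INV-00128", "cents": 450000},
    {"id": 4, "supplier": "S-200", "number": "INV-00123", "cents": 450000},
    {"id": 5, "supplier": "S-300", "number": "2024/0O17", "cents": 98000},
    {"id": 6, "supplier": "S-300", "number": "2024-0017", "cents": 98000},
    {"id": 7, "supplier": "S-400", "number": "PO77-4501", "cents": 120050},
    {"id": 8, "supplier": "S-400", "number": "PO77-4501A", "cents": 120050},
]


def normalize(number):
    """Canonical form of an invoice number for comparison."""
    s = re.sub(r"[^A-Z0-9]", "", number.upper())       # drop separators
    s = re.sub(r"(?<=\d)O(?=\d)", "0", s)              # letter O typed for zero
    return re.sub(r"(?<![0-9])0+(?=[0-9])", "", s)     # drop zero padding


def find_suspect_pairs(invoices, threshold=0.9):
    """Return (id_a, id_b, reason, score) for look-alike invoice numbers."""
    hits = []
    for a, b in combinations(invoices, 2):
        # Narrow the scope first: same supplier and same amount only.
        if a["supplier"] != b["supplier"] or a["cents"] != b["cents"]:
            continue
        na, nb = normalize(a["number"]), normalize(b["number"])
        score = round(SequenceMatcher(None, na, nb).ratio(), 3)
        if na == nb:
            hits.append((a["id"], b["id"], "same number after normalization", 1.0))
        elif score >= threshold:
            hits.append((a["id"], b["id"], "near-identical number", score))
    return hits


if __name__ == "__main__":
    for hit in find_suspect_pairs(INVOICES):
        print(hit)
```

Invoice 3 (INV-00128) scores about 0.83 against invoice 1 and stays below the threshold, while the suffixed PO77-4501A is reported; lowering the threshold trades fewer misses for more incidents to review.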

3. Rapid Deployment - Ability to deploy the solution at the speed of cloud. 

How can SafePaaS help?

MonitorPaaS™ delivers actionable insight into business processes for a timely response to events based on your management team's risk tolerance and treatment guidelines as mandated by regulators. MonitorPaaS™ enables you to continuously monitor business activities within the enterprise applications with instant access to the most extensive catalog of automated application monitors covering 1,000+ business objects for major processes such as Procure-to-Pay, Order-to-Cash, Hire-to-Retire, Design-to-Ship, and Financial Record-to-Report. 

You can also make process improvements by enforcing consistent application setup and operating standards.

MonitorPaaS™ enforces a granular level of risk mitigation to targeted users and events by invoking approvals and notifications when key risk fields are modified.
