In preceding articles, we developed two themes: make full use of your enterprise resource planning (ERP) investment in meeting your governance, risk and compliance (GRC) obligations; and do this in a way that is well planned, effective, and as efficient as possible. In this article, we will talk about a practical way to take action on these two themes. Continuous controls monitoring (CCM) and continuous transaction monitoring (CTM) are increasingly becoming an integral part of the journey to achieve an effective and efficient GRC program.
Let’s begin at a basic level, with ad hoc transaction monitoring. This is classic detective work that can be performed in the back office. Let’s say, for example, there is a concern about fraud or a specific risk in a business process (e.g., application of credit memos).
The ad hoc investigation is performed to figure out where fraud or other specific risk can occur, what data is relevant, where it is located, and how the transaction moves through the business processes and systems. It also determines where new controls are needed, and if controls already exist, why they failed. This process can be costly and time-consuming, but if it’s properly executed, you will not only learn a lot, but also gain structured data and metrics that are essential to evolving your compliance capabilities.
Whether you are interested in monitoring transactions or monitoring controls, the sheer volume of transactions on a daily basis — in multiple regions around the globe with varying regulations — cannot be tracked manually. So, a critical step toward continuous control monitoring is automation, which can reside within your ERP or on one or more standalone systems within your business.
Insights and intelligence derived from ad hoc detective work enable you to transform unstructured data to structured data inside the ERP, making better use of the powerful processing and analytical tools inherent in the ERP environment. It is essentially a quantum leap forward in terms of sophistication, cost reduction, and risk reduction.
Structured data enables the design and development of automated controls and control metrics. It also facilitates the implementation of continuous transaction monitoring and continuous controls monitoring. These two different but complementary approaches ensure the integrity of transactions that pass through the system and provide insight and foresight to ensure controls remain current and resilient to changes in the business environment.
Before we go further, it is important to have a common understanding or definition of terms as we discuss transactions and controls.
Continuous transaction monitoring tests transactions for integrity after they have been processed. CTM answers this question: Is the transaction flawed? This is an error detection operation, and “continuous” can mean monitoring transactions at various time intervals, e.g., hourly, daily, weekly, or quarterly. This sort of monitoring helps you design or re-design processes, policies, and controls. It gives you information on transactions that have already taken place; it is retrospective.
Think of it as a quality control function. Does the transaction meet specifications or is it flawed? To move from hindsight to insight and foresight, we need to focus on monitoring controls.
Continuous control monitoring tests controls to determine whether they are operating correctly. CCM tests the controls over the process through which the transaction flows. It answers the question: Are the controls operating correctly?
Think of it this way: Controls monitor transaction activity and ensure business processes are running according to design specifications. They guard against systemic failure.
When reviewing CTM tests, it’s important to remember that if a transaction is flawed, it does not mean there is a systemic error. Hence, this leads to a commonly asked question: Do I need both CCM and CTM? Our general answer is yes. They complement each other and serve different but closely related purposes. One (CTM) can tell you that something did go wrong, and the other (CCM) can tell you whether something might go wrong. An effective combination of the two will help streamline GRC processes by narrowing down the potential exceptions, thereby reducing the time needed to meet compliance objectives.
If a transaction is flawed, it doesn’t necessarily mean there is systemic error or that one or more controls are malfunctioning. Random errors appear frequently in all systems. But a “correct” transaction does not mean the controls are truly effective, either. Controls can go out of calibration and fail to catch systemic error or fraud. This is because all automated systems that require manual interaction adapt and change, and sometimes they do so in subtle ways that are not obvious.
Suppose a regulatory requirement was to report every financial transaction over $10,000 to the Department of the Treasury. By systematically making transactions under the $10,000 parameter, the transactions in question would be “correct.” The controls would be working as designed. But the intent of the control, to alert the government to potential money laundering, as regulated by the Patriot Act, would have been circumvented and ineffective. This is known as gaming the system.
As mentioned earlier, two elements are always present in cases of fraud: a transaction and a perpetrator. Perpetrators adapt their methods to defeat controls. Transaction monitoring can alert you to the adaptation after the fact. Control monitoring has the capability to catch the transaction (and the perpetrator) in the act. And with the help of emerging advanced analytical techniques and more powerful computers, CCM offers predictive modeling capabilities that can essentially “game the perpetrators” before they game the system.
Take, for example, a large company faced with reviewing hundreds of thousands of expense transactions made by thousands of employees. Advanced analytics can gather data from multiple systems, far outpacing any “needle in the haystack” approach to sampling and reviewing reports and transactions manually.
Combining data from Human Resources, expense tracking, credit card vendors, accounts payable, and PCards would facilitate the development of an “expense profile” on each employee. Rule-based analytics can flag high-risk transactions and out-of-policy exceptions, and trending analytics can detail expenditures such as mileage reimbursement. In addition, advanced analytics can match duplicate payments between data sets such as accounts payable and PCards to quantify fraudulent or out-of-policy purchases, including gift cards and event tickets. In this example, CTM and CCM solutions help prevent the abuse of expense privileges, reform policies, and identify opportunities for cost-effective travel solutions.
Another way that perpetrators game the system is through the use of split purchase orders. Dishonest employees use them to circumvent the approval of purchases exceeding a designated amount. Split purchase orders can be difficult to detect and prevent, especially within large companies. One company that discovered this type of fraudulent activity realized it had no controls in place to monitor the purchase order process. So, the company developed advanced analytics using its transactional data to monitor the approval of purchases and look for transactions that appeared to be split in order to bypass the need for approval. As a result, its purchasing and internal audit departments were able to ensure compliance with policies and procedures, establish the appropriate controls, monitor potential suspicious transactions, and save their company time and money by helping reduce the risk of fraudulent purchases.
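Both the under-$10,000 structuring pattern above and the split purchase order pattern share one detection logic: individually compliant items that, aggregated by actor and counterparty inside a short time window, cross the threshold the control was meant to enforce. The following is an added illustration, not code from the article or from PwC; the purchase order rows, the $10,000 approval limit and the 7-day window are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample purchase orders (not real data): each row is
# (po_id, requester, vendor, order_date, amount). Every emp42 order sits
# under the $10,000 approval limit on its own; together they do not.
SAMPLE_ORDERS = [
    ("PO-1001", "emp42", "ACME Supply", date(2024, 3, 4), 4800.00),
    ("PO-1002", "emp42", "ACME Supply", date(2024, 3, 5), 4900.00),
    ("PO-1003", "emp42", "ACME Supply", date(2024, 3, 6), 4700.00),
    ("PO-1004", "emp17", "Globex", date(2024, 3, 4), 12000.00),
    ("PO-1005", "emp17", "Globex", date(2024, 3, 25), 3000.00),
    ("PO-1006", "emp99", "Initech", date(2024, 3, 10), 2000.00),
]


def find_split_orders(orders, threshold=10000.00, window_days=7):
    """Flag (requester, vendor) pairs whose under-threshold orders, taken
    together inside a rolling window of `window_days`, reach `threshold`.
    Returns one finding per pair, sorted by requester."""
    under_limit = defaultdict(list)
    for order in orders:
        # Orders at or above the limit already went through approval;
        # only under-limit orders can be pieces of a split.
        if order[4] < threshold:
            under_limit[(order[1], order[2])].append(order)

    findings = []
    for (requester, vendor), items in under_limit.items():
        items.sort(key=lambda o: o[3])
        flagged = set()
        start = 0
        for end in range(len(items)):
            # Advance the window start so items[start..end] span <= window_days.
            while items[end][3] - items[start][3] > timedelta(days=window_days):
                start += 1
            window = items[start:end + 1]
            if len(window) > 1 and sum(o[4] for o in window) >= threshold:
                flagged.update(o[0] for o in window)
        if flagged:
            total = sum(o[4] for o in items if o[0] in flagged)
            findings.append({"requester": requester, "vendor": vendor,
                             "orders": sorted(flagged), "total": total})
    return sorted(findings, key=lambda f: f["requester"])


if __name__ == "__main__":
    for finding in find_split_orders(SAMPLE_ORDERS):
        print(finding)
```

The same function models the Treasury reporting case by feeding it payment records with the $10,000 reporting threshold, since the control being gamed is again a per-item limit defeated by aggregation.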
Internal controls monitoring, whether CCM or CTM, is an ongoing activity. It never stops, but neither does fraud or other transaction-based risk if it goes unchecked. To ease the enormity of the task, you can automate using CCM and CTM with your ERP system or other standalone systems within your business. With automation, you can gain substantial increases in effectiveness (looking at the right transactions and patterns) and efficiency (doing so in a real-time and cost-effective manner). The real benefit comes in mitigating your company’s risk.
About the Authors
Michael Baccala, PwC’s National Oracle GRC, Application Security and Controls Leader, is a principal who works with clients to develop, maintain and drive business success through the best use of technology and to leverage technology to solve compliance and risk management challenges. Michael is known for cultivating high-performing talent and developing teams who will consistently deliver exceptional value and service to clients.
Robert H. Clark is the Philadelphia-based lead partner in PricewaterhouseCoopers’ US SAP Controls Solutions practice and is PwC’s Global Alliance Partner for SAP in Governance, Risk and Compliance (GRC) solutions. In this capacity, Bob directs our global teams in the development of tools, methodologies, marketing and training for SAP GRC solutions.