Select Page

3 myths about continuous control monitoring

Nonie Dalton

Nonie Dalton

Director of Product Management, Galvanize

You might be hesitant to implement CCM given some myths about its practicality or affordability. We untangle three of these myths here.

When you hear the term “continuous control monitoring” (CCM), do you find yourself thinking any of the following?

  1. I don’t need CCM because my ERP system has built-in automated controls and I’m already protected.
  2. It sounds great in theory, but in reality, it’s not practical or affordable to implement.
  3. Isn’t this the job of our auditors?

I hear these comments from senior executives and managers all the time. But we need to challenge these commonly held assumptions. So, let’s break them down to understand how these myths might be holding you back.

Myth 1: My ERP system has built-in automated controls, so I don’t need CCM because I’m already protected

There is truth to this statement—ERP systems use built-in controls that prevent erroneous or invalid transactions. The myth here is that your ERP’s embedded system controls eliminate risk and the controls are 100% effective.

But ERP controls were not designed to prevent fraud. It’s important to note that no control is actually foolproof, and worse yet, the stricter your ERP controls become, the greater the risk of employees finding workarounds to simply to “get their jobs done.”

Consider purchase orders (POs) and goods receipts. A PO is needed to purchase goods or services. When the job is done and an invoice comes in, an employee references the PO and a payment is made. But what if they never made a PO in the first place? Nothing stops them from requesting a PO after the job is done and the goods or services have been received.

A PO now exists so it meets your control criteria to issue a goods receipt and kick off the payment process. Your ERP might be happy, but your business processes are open to exploitation.

Workarounds are just one risk. Consider these other common risk exposures in your ERP system:

  • Missed controls from your initial implementation, control settings that weren’t enabled on implementation, or controls that are out of date with new policies. Keeping your ERP controls up to date is like playing a frustrating game of whack-a-mole.
  • Multiple ERP systems or instances hiding weaknesses and control gaps. The result is data mismatches and errors that make reconciliation a challenge for year-end reporting. This scenario can lead to issues enforcing segregation of duties, increasing the potential for fraud, waste, and abuse.
  • Data entry errors not caught by controls. These errors are almost impossible to eliminate, leaving you vulnerable to undetected fraud and errors. However, these are easily caught by control monitoring.
  • ERP systems that are part of shared service implementations and likely don’t take your organization’s unique policies and processes into account.
  • Abuse of policies that can’t be detected by point-in-time checks in ERP configuration controls. For example, if you have a policy that receipts are not required for purchases under $25, these transactions appear valid. But over time, monitoring the trends and frequencies in these transactions can indicate patterns of abuse.

CCM helps to reveal where your business processes are being undermined.

“Successful implementations start lean and take an agile, iterative approach to build out areas that will show value quickly. The focus should be on realizing smaller, achievable results.”

Myth 2: It sounds great in theory, but in reality, it’s not practical or affordable to implement

When I hear people say CCM is not practical, with a little more digging, I learn that part of the challenge is understanding how to implement CCM in their complex environments. They view the costs of implementation and change management as prohibitive because they’re thinking about implementing monitoring for every control within their organization at once.

To be fair, that approach would be challenging, and you would be stuck in the planning and building phase for years before seeing any value.

Successful implementations start lean and take an agile, iterative approach to build out areas that will show value quickly. The focus should be on realizing smaller, achievable results in areas that are both high risk and high value. Some great examples of where to start are in financial transactions:

  1. Find areas where you’re spending considerable time on manual monitoring. This might be purchase card expenses, phone bills, or other simple, but high-volume financial transactions.
  2. Look at a single high-risk area in your financial controls where your auditors have raised concerns. This approach allows you to build a roadmap of prioritized objectives that you can progressively implement.

By keeping the scope narrow, you can focus on designing the workflow, and then seek to replicate as you add in new areas.

Automation also plays a key role in creating sustainable and scalable CCM programs. The tools that are most effective not only help identify control exceptions, but also support remediation and follow-up workflows, and provide complete transparency with dashboards.

Myth 3: Isn’t that the job of our auditors?

So, whose responsibility is it to ensure controls are working? In government, there’s often a heavy reliance on auditors to do this job. To some extent, yes, your auditors will look at how successful your controls are. However, their role is to provide independent assurance that controls are working, not to be accountable for control creation and management.

For example, as a financial manager, you own and manage the financial risks for the organization. CCM isn’t about the existence and effective operation of controls, it’s truly about managing risk.

When an auditor tests your controls, they’re likely looking at a small sample of data and testing to assess if your system or process controls function as intended. They will then provide confirmation that a control is working—but it’s only been proven for 0.01% of your total revenues (thanks to sample testing).

Continuous monitoring will find the exceptions that don’t get found through ad hoc analytics or sample-based testing. In fact, an ACFE report revealed proactive data monitoring was associated with 54% lower losses and frauds detected in half of the time.

CCM: What are you waiting for?

I’ve covered three of the more common myths here in an effort to highlight some of the inaccuracies surrounding CCM. Hopefully, this has given you some insights and inspiration, and will help you along your own journey to implementing CCM. With the right approach and technology, your organization can realize the many benefits of CCM.

eBook:

Using Analytics to Balance Risk and Control Productivity

You’ll learn:

  • How to illuminate risks in finance and accounting systems
  • 7 Performance Hacks to improve risk management and performance
  • A Technology Buying Guide for risk and control management and analytic monitoring
  • How to understand the gaps in your ERP Systems.

Download eBook

Related Articles

Find us in Gartner MQ for IT Risk Management

Gartner names Galvanize (formerly ACL and Rsam)* a Leader in the 2019 Magic Quadrant for IT Risk Management

Learn what you should be looking for when selecting an ITRM solution.

Download the report