Criteria for Evaluating and Selecting Continuous Controls Monitoring Solutions 


In the post-US-Sarbanes-Oxley-Act era, many organizations consolidated and integrated corporate governance, risk management and compliance (GRC) activities into a single domain to ensure alignment of all activities. A robust internal control system is used as the primary vehicle for achieving the objectives of GRC. While designed to manage risks, detect and prevent errors, and ensure compliance, existing internal control systems are costly due to reliance on manual controls[1] and nonstandard automated controls.

Recent trends, including an expanding array of compliance requirements, enhanced focus on operational excellence and increased awareness of continuous controls monitoring (CCM), are forcing organizations to take a fresh look at their internal control environments. Many organizations have, or are now in the process of developing, strategies to replace their manual and costly internal controls with automated, reliable and cost-effective controls and controls solutions to effectively mitigate risk.[2] In addition to creating sustainable financial returns, automated controls enable organizations to continuously monitor and audit control activities.

The concept of CCM and continuous auditing has been around for the last several years,[3] but has been adopted by few organizations to monitor their critical business information and controls. While these organizations have demonstrated progressive thought leadership in managing financial data, the adoption of CCM solutions in broader market sectors has been somewhat limited due to reliance on manual controls and to lack of awareness, spending and leadership support.

Recent publications on monitoring internal controls by ISACA®[4] and the Committee of Sponsoring Organizations of the Treadway Commission (COSO),[5] together with the advances made in automated controls, have renewed interest in CCM solutions among a large number of organizations, the media and the analyst community.[6, 7] Many organizations are now seeking to further optimize their GRC efforts through the effective use of automated controls and CCM solutions. As organizations review the various features and functionalities of CCM solutions, they need to evaluate both their short-term goals and their long-term objectives. For example, a Fortune 500 organization procured and implemented a niche CCM solution for its payroll application to increase visibility and governance activities, following the recommendations of its external auditors. However, this solution was not usable the following year, when the external auditor recommended additional oversight of the organization’s billing process and credit card settlement process. As a result, the organization had to go through the CCM solution evaluation process again. To achieve alignment with their GRC objectives, organizations need to use structured evaluation criteria that reflect their GRC automation and optimization objectives.

This article outlines a 10-factor model that may be considered during the CCM solution evaluation process.

  1. Scope of the solution—The scope of CCM solutions should, at minimum, be aligned with the scope of internal controls systems. Internal controls span financial operations, business operations and technology operations of organizations. Many current market offerings narrowly focus on five to six expense-related financial processes, such as procure to pay, payroll or order management. Others focus on providing monitoring capabilities for the key enterprise resource planning (ERP) system controls. An inability to add new controls as a supplement to ERP controls severely limits the value of a CCM solution. In addition, a narrow focus on ERP controls misses a large portion of the enterprise that uses third-party systems and homegrown applications. The scope of the selected solution must align with the organization’s short-term goals (i.e., controls that the organization wants to monitor in the next four to six months) and long-term strategies.
  2. Capability of the solution—The best-in-class CCM solution goes beyond controls monitoring by providing robust automated control, controls monitoring and exception management capability. Control capabilities should include the ability to automate transaction, segregation-of-duties and security controls. Controls monitoring capabilities should enable organizations to monitor and manage key controls in real time. In addition, control monitoring capabilities should focus on discovering trends and patterns to gain insight about the underlying process that is being controlled. For example, a transaction processing company not only controls its automated clearinghouse (ACH) payment process to prevent errors, it also trends the total volume of ACH payments and different types of exceptions to understand underlying changes in the business. Controls exception management capabilities should provide workflow to research, resolve the issues identified by the controls, and capture the complete audit trail of the issue resolution process for audit and compliance.
  3. Technical support—Despite increased adoption of distributed platforms across industries, many critical business applications still run in mainframe environments. Organizations should assess their critical business processes and opt for solutions that closely align with their technology environment. Controls solutions that support only one environment lack true enterprise reach and fail to deliver a comprehensive solution for mitigating end-to-end risk. Organizations that have real-time applications should evaluate the ability of the CCM solution to capture and control real-time transactions.
  4. Data processing solution—Organizations are information-driven, and as organizations continue to grow, their data volume grows in proportion. A best-in-class CCM solution must support processing of high data volumes. The technology of the solution should be robust enough to handle current and future transaction loads. Multicompany, multidivision and multicurrency environments should be supported without restrictions, and the solution should have a demonstrated track record of reliability under such loads.
  5. Support for multiple systems—Finance, operations and technology departments will continue to use myriad applications to support business needs. An enterprise-class CCM solution should provide support for all applications and systems.
  6. Nonintrusiveness—An ideal CCM solution will seamlessly support enterprise processes and data without requiring any significant changes. Solutions that require changes in data format usually result in longer implementation times and are often costlier to maintain.
  7. Usability of the solution—Organizations should evaluate the ease-of-use factors of proposed CCM solutions. The following factors must be considered in determining usability:
    • Is the product too complex or sophisticated for the average user?
    • Is a context-based help menu available? Is the menu structure simple to use?
    • Are the results easily accessible for reporting, researching and analyzing?
    • Does the product provide template controls that can be used throughout the organization without any significant changes?
  8. Technology and architecture—Organizations should also consider aligning the technology architecture and scalability of the solution with their internal standards for ongoing support and maintenance of the solution. In addition, organizations should consider integration of the solution with their security infrastructure and disaster recovery framework.
  9. Product innovation—With increased adoption and use of CCM solutions, the need for additional features and functions will continue to evolve. Organizations should continuously evaluate a vendor’s ability and willingness to support the product in the long term. In evaluating the vendor’s commitment to enhancing the product, the following factors need to be considered:
    • Percentage of revenue invested in product development
    • Number of major and minor product releases each year, including enhancements and fixes
  10. Return on investment—Return on investment is vital in any major investment, and a good CCM solution can offer quick payback. The total cost of ownership for a CCM solution includes the cost of implementation and the cost of maintenance. Balance needs to be established between license costs and the functionality offered. A true “implementation services to software” ratio for comparably sized organizations should be established to determine the best value.

Conclusion

While CCM solutions open up new possibilities and opportunities to improve GRC processes through control automation, monitoring and exception management, organizations must evaluate their options through the lens of both short-term goals and long-term objectives.

Short-term goals normally revolve around solving a problem that has recently surfaced and cannot be easily mitigated. While it is tempting to achieve a short-term goal through the use of a niche solution specifically designed to solve a particular problem, such an approach is neither scalable nor sustainable. Without a long-term vision, short-term goals may address only immediate needs and may not be cost-effective as the scope of CCM increases.

As the CCM space continues to be defined with respect to features and functionalities, appropriate consideration must be given to assessing the needs of organizations. Because of the immense risk and business pressure facing them, organizations can no longer assume that just any market solution can be customized to meet their specific needs, but must instead take a strategic approach to evaluating CCM solutions in the context of their needs and goals. The most effective CCM solutions for a GRC approach should optimize an organization’s business and regulatory environments and mitigate risk.

Endnotes

1 Aguilar, Melissa Klein; “404 Study Shows Little Automation Yet,” Compliance Week, 3 November 2009, www.complianceweek.com/article/5654/404-study-shows-little-automation-yet
2 Tucci, Linda; “Is Continuous Controls Monitoring at the Top of Your GRC Agenda?,” IT Knowledge Exchange, 19 February 2010, http://itknowledgeexchange.techtarget.com/it-compliance/is-continuous-controls-monitoring-at-the-top-of-your-grc-agenda
3 ISACA Standards Board; “Continuous Auditing: Is It Fantasy or Reality?,” Information Systems Control Journal, ISACA, vol. 5, 2002
4 ISACA, Monitoring Internal Control Systems and IT, USA, 2010, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Monitoring-of-Internal-Controls-and-IT-(Exposure-Draft).aspx
5 Committee of Sponsoring Organizations of the Treadway Commission (COSO), Guidance on Monitoring Internal Control Systems, USA, January 2009
6 Caldwell, French; Paul E. Proctor; “Magic Quadrant for Continuous Controls Monitoring,” Gartner, March 2010
7 Caldwell, French; Paul E. Proctor; “Continuous Controls Monitoring for Transactions: The Next Frontier for GRC Automation,” Gartner, January 2009

Angsuman Dutta
is unit leader of the Customer Acquisition Support Team at Infogix. Since 2001, he has assisted numerous industry-leading enterprises in their implementation of automated information controls by providing assessment, advisory, implementation and support services for Infogix clients.

Bobby Koritala
leads the Product Development Group at Infogix. He previously served as the director of risk technology solutions at Protiviti, director of applied technology at Blue Cross Blue Shield, director of product development at Lexis Nexis and senior manager of software development at SPSS.


The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.


© 2010 ISACA. All rights reserved.
