Angsuman Dutta and Bobby Koritala
In the post-US-Sarbanes-Oxley-Act era, many organizations consolidated and integrated corporate governance, risk management and compliance (GRC) activities into a single domain to ensure alignment of all activities. A robust internal control system is used as the primary vehicle for achieving the objectives of GRC. While designed to manage risks, detect and prevent errors, and ensure compliance, existing internal control systems are costly due to reliance on manual controls [1] and nonstandard automated controls.
Recent trends, including an expanding array of compliance requirements, enhanced focus on operational excellence and increased awareness of continuous controls monitoring (CCM), are forcing organizations to take a fresh look at their internal control environments. Many organizations have, or are now in the process of developing, strategies to replace their manual and costly internal controls with automated, reliable and cost-effective controls and control solutions to effectively mitigate risk. [2] In addition to creating sustainable financial returns, automated controls enable organizations to continuously monitor and audit control activities.
The concept of CCM and continuous auditing has been around for the last several years, [3] but has been adopted by few organizations to monitor their critical business information and controls. While these organizations have demonstrated progressive thought leadership in managing financial data, the adoption of CCM solutions in broader market sectors has been somewhat limited due to reliance on manual controls and to lack of awareness, spending and leadership support.
Recent releases concerning monitoring internal controls by ISACA® [4] and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) [5] and the advances made in automated controls have renewed interest in CCM solutions in a large number of organizations, the media and the analyst community. [6, 7] Many organizations are now seeking to further optimize their GRC efforts through the effective use of automated controls and CCM solutions. As organizations review the various features and functionalities of CCM solutions, they need to evaluate both their short-term goals and their long-term objectives. For example, a Fortune 500 organization procured and implemented a niche CCM solution for its payroll application to increase visibility and governance activities following the recommendations of its external auditors. However, this solution was not usable the following year when the external auditor recommended additional oversight of the organization's billing process and credit card settlement process. As a result, the organization had to go through the CCM solution evaluation process again. To achieve alignment with their GRC objectives, organizations need to utilize structured evaluation criteria that meet their GRC automation and optimization objectives.
This article outlines a 10-factor model that may be considered during the CCM solution evaluation process.
While CCM solutions open up new possibilities and opportunities to improve GRC processes through control automation, monitoring and exception management, organizations must evaluate their options through the lens of both short-term goals and long-term objectives.
Short-term goals normally revolve around solving a problem that has recently surfaced and cannot be easily mitigated. While it is tempting to achieve a short-term goal through the use of a niche solution specifically designed to solve a particular problem, such an approach is neither scalable nor sustainable. Without a long-term vision, short-term goals may address only immediate needs and may not be cost-effective as the scope of CCM increases.
As the CCM space continues to be defined with respect to features and functionalities, appropriate consideration must be given to assessing the needs of organizations. Because of the immense risk and business pressure facing them, organizations can no longer assume that just any market solution can be customized to meet their specific needs, but must instead take a strategic approach to evaluating CCM solutions in the context of their needs and goals. The most effective CCM solutions for a GRC approach should optimize an organization’s business and regulatory environments and mitigate risk.
Endnotes

1 Aguilar, Melissa Klein; "404 Study Shows Little Automation Yet," Compliance Week, 3 November 2009, www.complianceweek.com/article/5654/404-study-showslittle-automation-yet
2 Tucci, Linda; "Is Continuous Controls Monitoring at the Top of Your GRC Agenda?," IT Knowledge Exchange, 19 February 2010, http://itknowledgeexchange.techtarget.com/it-compliance/is-continuous-controls-monitoring-atthe-top-of-your-grc-agenda
3 ISACA Standards Board; "Continuous Auditing: Is It Fantasy or Reality?," Information Systems Control Journal, ISACA, vol. 5, 2002
4 ISACA; Monitoring Internal Control Systems and IT, USA, 2010, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Monitoring-of-Internal-Controls-and-IT-(Exposure-Draft).aspx
5 Committee of Sponsoring Organizations of the Treadway Commission (COSO); Guidance on Monitoring Internal Control Systems, USA, January 2009
6 Caldwell, French; Paul E. Proctor; "Magic Quadrant for Continuous Controls Monitoring," Gartner, March 2010
7 Caldwell, French; Paul E. Proctor; "Continuous Controls Monitoring for Transactions: The Next Frontier for GRC Automation," Gartner, January 2009
Angsuman Dutta is unit leader of the Customer Acquisition Support Team at Infogix. Since 2001, he has assisted numerous industry-leading enterprises in their implementation of automated information controls by providing assessment, advisory, implementation and support services for Infogix clients.
Bobby Koritala leads the Product Development Group at Infogix. He previously served as the director of risk technology solutions at Protiviti, director of applied technology at Blue Cross Blue Shield, director of product development at Lexis Nexis and senior manager of software development at SPSS.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2010 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.