August 20, 2007

Transaction monitoring represents vast, untapped potential for internal audit effectiveness

John Harrison, Protiviti Managing Director

Since the internal audit profession began, the fundamental approach has been the periodic, representative sampling of an organization's or a unit's processes, controls and management practices to verify the effectiveness of controls or to uncover issues that need to be addressed.

The key word is "periodic." While the process has proven itself repeatedly, it has inherent limitations in a high-transaction environment, such as a retail operation or financial institution. What if costly errors or fraudulent activities begin shortly after the latest audit has been completed? How long will it be until they are discovered and how much damage may be done in the interim?

Having the means to monitor specific processes on a continuous basis has long been the vision of academics and many progressive internal auditors. The culmination of this vision is the concept of “transaction monitoring.” This can be defined as the activity associated with the continuous observance of a company’s transactions, with the purpose of identifying risks linked to data anomalies, exceeded thresholds, unexpected fluctuations, and various types of sensitive activities.

From a historical standpoint, Computer Assisted Audit Techniques (CAATs) have been adjuncts to the internal audit process for more than two decades. However, thanks to an increasing number of emerging technologies, continuous transaction monitoring is now clearly coming into its own. It is a process that is being accelerated by a number of factors in the compliance and governance arenas.

Seeking benefits beyond SOX compliance
Compliance requirements have intensified in recent years as a result of Sarbanes-Oxley, HIPAA and other regulatory regimes. However, it is well known that many CFOs believe that the costs of Sarbanes-Oxley compliance have outweighed the benefits to their organizations. Financial executives and audit managers are increasingly looking for compliance options that will satisfy regulators while delivering greater intrinsic benefits to the enterprise. Transaction monitoring is widely viewed as just the sort of non-intrusive, self-documenting technique that can provide those ancillary benefits beyond simple compliance.

Now that the initial crush of Sarbanes-Oxley has leveled out, auditors formerly consumed by Sarbanes-Oxley are shifting their attention back to more robust forensic audits. Five years ago, auditors occasionally performed forensic audits using after-the-fact approaches and methodologies. Now, the maturing monitoring software market is making continuous monitoring more practical and cost-effective; hence the increased focus on forensic audits.

New tools coming online
In conjunction with the evolution of technology, a growing number of tools are emerging to help organizations develop and implement various continuous monitoring and auditing functions. ACL, IDEA, Cognos, Business Objects, Oversight, and others are sources for a variety of data mining and business intelligence needs, several of which are well known to the auditing profession. The major Enterprise Resource Planning (ERP) vendors have recently launched Governance Risk & Compliance (GRC) modules to aid in continuous monitoring, including SAP GRC (formerly Virsa) and Oracle GRC. A number of third-party ERP products are also available from Approva, Logical Apps and D2C, to name a few, while database and file level management tools include products such as Oracle’s Audit Vault, Lumigent, and Infogix.

These tools can be remarkably effective in identifying errors, trends, or fraud indicators across a variety of transaction types. These include: duplicate payments; vendor payments to an employee's bank account; unusually large payments; repeat payments to otherwise "one-time" vendors; payments without invoice references; payment terms on invoices that differ from those on the vendor record; and many more. A particularly interesting analytic is the application of Benford's Law analysis to invoices, which can suggest irregularities and/or fraud in payments based on "first-digit" analysis of invoice amounts.
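The indicators listed above translate directly into rules run over the payment ledger. The following Python is an added example, not code from the article or from any of the tools it names; it applies four of those analytics to a constructed set of six payments: duplicates by vendor, invoice reference and amount; payee bank accounts that also appear on the employee file; payments far above the vendor's own norm; and a Benford first-digit deviation score. PAYMENTS, EMPLOYEE_ACCOUNTS and the "10 times the vendor's median" threshold are assumptions chosen for the illustration.

```python
import math
from collections import defaultdict
# Constructed sample data, not from the article: (payment_id, vendor_id, payee_account, invoice_ref, amount)
PAYMENTS = [
    ("P1", "V100", "ACC-1", "INV-1", 1200.00),
    ("P2", "V100", "ACC-1", "INV-1", 1200.00),  # repeats P1's vendor, invoice and amount
    ("P3", "V200", "ACC-9", "INV-7", 310.00),
    ("P4", "V200", "ACC-9", "INV-9", 45000.00), # far above V200's other payments
    ("P5", "V300", "ACC-3", "INV-2", 980.00),   # ACC-3 is also on the employee file
    ("P6", "V200", "ACC-9", "INV-8", 290.00),
]
EMPLOYEE_ACCOUNTS = {"ACC-3", "ACC-4"}  # constructed payroll bank accounts

def duplicate_payments(payments):
    """Pairs of payment ids that share vendor, invoice reference and amount."""
    seen, dups = {}, []
    for pid, vendor, _acct, ref, amount in payments:
        key = (vendor, ref, round(amount, 2))
        if key in seen:
            dups.append((seen[key], pid))
        else:
            seen[key] = pid
    return dups

def employee_account_payments(payments, employee_accounts):
    """Vendor payments routed to a bank account that also appears on the employee file."""
    return [pid for pid, _v, acct, _r, _a in payments if acct in employee_accounts]

def unusually_large(payments, factor=10.0):
    """Payments above `factor` times the median of the same vendor's other payments."""
    by_vendor = defaultdict(list)
    for pid, vendor, _a, _r, amount in payments:
        by_vendor[vendor].append((pid, amount))
    flagged = []
    for rows in by_vendor.values():
        for pid, amount in rows:
            others = sorted(a for p, a in rows if p != pid)
            if others and amount > factor * others[len(others) // 2]:
                flagged.append(pid)
    return flagged

def first_digits(amounts):
    """Leading non-zero digit of each amount, rounded to cents; zero amounts are skipped."""
    return [int(s[0]) for s in (f"{abs(a):.2f}".lstrip("0.") for a in amounts) if s]

def benford_mad(amounts):
    """Mean absolute deviation of first-digit frequencies from Benford's law, log10(1 + 1/d)."""
    digits = first_digits(amounts)
    return sum(abs(digits.count(d) / len(digits) - math.log10(1 + 1 / d)) for d in range(1, 10)) / 9
```

A higher Benford score means the amounts look less like naturally occurring figures; in practice it is computed over a large population of invoices, and the six-row sample here only exercises the arithmetic.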

With regard to fraud, it has been suggested that the very knowledge that continuous transaction monitoring is occurring within the organization will deter fraud. If fraud prevention is a goal, it behooves the organization not to publish a list of the processes and transactions being monitored. It is better to keep potential fraud perpetrators guessing.

Start by looking for easy wins
So where do you begin? The most effective first step in developing and implementing a transaction monitoring program is to seek instances where processes normally audited on a periodic basis are repeatable and predictable enough to be translated into a frequent or continuous cycle. Start with processes that have the potential for immediate and relatable impacts in the eyes of management. Look for opportunities offering quick-win, bottom-line results, as well as items that are significant within the risk-based, top-down priorities of compliance and control functions. Other criteria would include concentrating on controls that are normally time consuming and difficult to monitor manually, as well as areas that have generated issues in the past. Finally, focus on areas more prone to fraud. These areas may be especially good candidates for transaction monitoring and yield some of the most compelling and measurable results.

If the organization is just starting to experiment with transaction monitoring, it should begin by looking for simple comparisons that will deliver early results. Try to avoid business rules or patterns generating data that will be overly complex to interpret or analyze. Also, keep in mind that some continuous monitoring tools can have pre-defined queries and rules that will already map to some of the most common systems.

Do not attempt to roll out a transaction monitoring program that is intended to "watch the world." Let risk significance and potential for benefits drive a rational, progressive roll-out of additional rules over time.

One of the important success criteria for a program of this sort is to ensure that the appropriate person has been assigned responsibility and trained to investigate and respond to the results of your transaction monitoring system. Part of operationalizing the monitoring program is to determine the relative urgency of a “hit” and the frequency of reporting. Some items, such as certain fraud indicators, may warrant an immediate e-mail to a designated owner. Other instances can be collected for daily or weekly review. Regardless of the timetable and no matter how sophisticated the radar, this process is only as effective as the diligence and knowledge of the “look-outs” at their station.

Ultimately, it is imperative that everyone truly understands the data being generated to build an effective, sustainable response plan. Without comprehensive understanding, these efforts are futile at best.

Check and double-check
Do not underestimate the time it takes to get it right. Launching an effective continuous monitoring process requires the team to confirm the data, validate the assumptions, configure the technology, and prepare the participants. This suggests that the best approach is to recruit a multi-disciplinary team of individuals from IT, key business units, and audit functions. Draw upon that knowledge base to define the parameters and success measures of the monitoring programs, and determine who will own the data. Define criteria specific enough so that data owners will be able to respond to the output without neglecting other important responsibilities.

In addition, be sure to check and double-check your assumptions about your continuous monitoring processes to ensure that you are making proper use of your source data. For example, make sure you are looking at the right data points in the right ways, and that you are receiving the benefits of a rational, meaningful interpretation of the results.

Hard work, but worth it
Although there is clearly an investment involved in getting a sound transaction monitoring program off the ground, it is worth it. For most organizations, transaction monitoring represents a new frontier of real-time auditing effectiveness and cost savings. Many audit executives are tired of hearing the complaint that they can only point out mistakes in the past, rather than helping the company in the present. The untapped potential of this type of monitoring is almost too great to estimate, considering the ability to directly benefit business practices and the bottom line. The key to tapping those benefits for your organization is to leverage technology and take a methodical approach to its implementation. Begin where you can reap significant, early benefits and build on that foundation over time.
