Continuous monitoring of internal controls is quickly winning some big supporters.

When the U.S. Department of Justice prosecuted a Morgan Stanley managing director last year for circumventing internal controls to violate the Foreign Corrupt Practices Act, it tipped its hat to the bank for Morgan Stanley's efforts to prevent such actions. It was practically an endorsement for the up-and-coming practice of continuous monitoring, says Patrick Taylor, CEO of Oversight Systems.

The Justice Department imposed the maximum penalty on Garth Peterson, who admitted to paying off Chinese officials as part of a real-estate scam, but brought no action against the firm, citing its extensive policies, internal controls, and training meant to prevent FCPA violations. The Justice Department even noted: “Morgan Stanley's compliance personnel regularly monitored transactions, randomly audited particular employees, transactions and business units, and tested to identify illicit payments.”

That got the attention of compliance and corporate governance professionals, says Taylor. Companies tune in to new laws and regulations, but they pay even closer attention when an enforcement agency describes specific factors in a decision not to pursue charges against a company. “In the last three to four quarters, we're seeing some recognition of the power that continuous monitoring can add to the compliance domain,” says Taylor. “The DoJ specifically recognized Morgan Stanley for its ongoing transaction monitoring.”

Taylor, whose company sells continuous monitoring solutions, says he has noticed a change in how companies react to the idea of implementing continuous monitoring. The benefits are straightforward enough—that continuously monitoring controls and transactions provides greater assurance that data and dollars are protected. “The challenge is getting on that short list of projects that people are going to implement,” he says. The Morgan Stanley case “has made it easier to get on that list,” Taylor says.

Other regulatory developments are giving companies additional reasons to take a closer look at continuous monitoring, says Bob Hirth, managing director at consulting firm Protiviti. The Committee of Sponsoring Organizations, or COSO, is nearly finished with an update of its Internal Control - Integrated Framework, which companies heavily rely on to achieve compliance with the Sarbanes-Oxley Act. COSO updated the framework in large part to better reflect advances in technology since the document was written in 1992.

Hirth says the new framework specifically directs companies to consider ongoing evaluations to monitor the presence and functioning of the components of internal control as a part of everyday business activity. “Technology offers an opportunity to use computerized monitoring, which has a very high standard of objectivity (once programmed and tested) and allows for efficient review of large volumes of data at a low cost,” the new framework says. “Advances in automated activities have made continuous monitoring computer applications available, and these should be considered when selecting ongoing evaluations.”

In Hirth's view, the new framework is telling companies that using technology to monitor controls provides more coverage and less error. “It's objective, so it doesn't make mistakes,” he says. “And it goes from 30 to 30,000 activities that it is monitoring.” COSO is expected to finalize the framework in early 2013 so that companies can review it and consider how they might need to adjust their approach to internal controls in time for 2013 year-end reporting.

As companies go through their internal controls refresh following the new COSO guidance, it's a perfect opportunity to look at continuous monitoring as a way to capitalize on the data it captures, increase monitoring overall, improve the effectiveness of controls, and even lower costs, says Hirth.

The Federal Reserve recently gave financial institutions another reason to look more closely at continuous monitoring when it issued a policy statement on internal audit, calling on banks to consider their monitoring activities in relation to their risk analysis.

Norman Marks, vice president at SAP and a frequent blogger on control and risk issues, says companies paying only casual attention to continuous monitoring will be surprised by the advances in technology in the last year or two. “Essentially, the tools and techniques that are available enable practitioners to do continuous monitoring faster, more effectively, and with greater flexibility,” he says.

Bang for the Buck

JUSTICE DEPARTMENT ANNOUNCEMENT

Below is an excerpt from the Justice Department's press release regarding the Morgan Stanley case.

Garth Peterson, 42, an American citizen living in Singapore, pleaded guilty to a one-count criminal information charging him with conspiring to evade internal accounting controls that Morgan Stanley was required to maintain under the Foreign Corrupt Practices Act (FCPA). Peterson pleaded guilty in Brooklyn, N.Y., before Senior U.S. District Judge Jack B. Weinstein …

… According to court documents, Morgan Stanley maintained a system of internal controls meant to ensure accountability for its assets and to prevent employees from offering, promising or paying anything of value to foreign government officials. Morgan Stanley's internal policies, which were updated regularly to reflect regulatory developments and specific risks, prohibited bribery and addressed corruption risks associated with the giving of gifts, business entertainment, travel, lodging, meals, charitable contributions and employment. Morgan Stanley frequently trained its employees on its internal policies, the FCPA and other anti-corruption laws. Between 2002 and 2008, Morgan Stanley trained various groups of Asia-based personnel on anti-corruption policies 54 times. During the same period, Morgan Stanley trained Peterson on the FCPA seven times and reminded him to comply with the FCPA at least 35 times. Morgan Stanley's compliance personnel regularly monitored transactions, randomly audited particular employees, transactions and business units, and tested to identify illicit payments. Moreover, Morgan Stanley conducted extensive due diligence on all new business partners and imposed stringent controls on payments made to business partners.

According to court documents, Peterson conspired with others to circumvent Morgan Stanley's internal controls in order to transfer a multi-million dollar ownership interest in a Shanghai building to himself and a Chinese public official with whom he had a personal friendship. The corruption scheme began when Peterson encouraged Morgan Stanley to sell an interest in a Shanghai real-estate deal to Shanghai Yongye Enterprise (Group) Co. Ltd., a state-owned and state-controlled entity through which Shanghai's Luwan District managed its own property and facilitated outside investment in the district. Peterson falsely represented to others within Morgan Stanley that Yongye was purchasing the real-estate interest, when in fact Peterson knew the interest would be conveyed to a shell company controlled by him, a Chinese public official associated with Yongye and a Canadian attorney. After Peterson and his co-conspirators falsely represented to Morgan Stanley that Yongye owned the shell company, Morgan Stanley sold the real-estate interest in 2006 to the shell company at a discount to the interest's actual 2006 market value. As a result, the conspirators realized an immediate paper profit of more than $2.5 million. Even after the sale, Peterson and his co-conspirators continued to claim falsely that Yongye owned the shell company, which in reality they owned. In the years since Peterson and his co-conspirators gained control of the real-estate interest, they have periodically accepted equity distributions and the real-estate interest has appreciated in value.

Source: Justice Department.

For example, says Marks, technology has advanced considerably around network intrusion attempts and “in memory” analytics to enable virtually 100 percent sampling and much faster reporting, and reports can be delivered to mobile devices. Companies also are beginning to use continuous monitoring to manage and monitor their reputation risk—scanning communications and flagging disturbing remarks for follow up. “The tools are just so much better, faster, and easier to deploy,” he says. “They're not cheap, but the value to return is massive.”

Indeed, cost remains a barrier for many companies, says Nancy Reimer, a partner at law firm LeClairRyan. “If they could come up with a more cost-effective, efficient way to do continuous monitoring, that would be far more welcome,” she says. She says public companies are showing greater interest in continuous monitoring, but are still sensitive to the expense. “If internal monitoring on a continuous basis can lead you to lower costs, then public companies will be more interested in trying it.”

Michael Cangemi, a consultant and frequent speaker and writer on continuous monitoring, says companies are appealing to COSO to recommend a longer phase-in period for the updated control framework based on concerns about costs. There might be some wisdom to the thinking, he says. “This would allow companies to look to automated continuous monitoring processes, enabling a leap forward in coverage at reduced costs,” he says. “Companies are now recognizing that they have a great opportunity to implement continuous monitoring to rationalize or reduce the whole cost of Sarbanes-Oxley compliance.”

Whether the phase-in for the new COSO framework is expeditious or extended, it will represent the most integrated approach companies have seen yet in risk management and audit solutions, says Dipak Shah, CEO of technology vendor Reliant Solutions. “Right now, only 15 percent of the market is using something other than Microsoft Word or Excel,” he says. As technology advances and as younger, more tech-savvy professionals advance in their careers, continuous monitoring tools will continue to drive the integration, he says.