As Corporate America settles into 2010, it may want to put stronger monitoring controls on its list of things to do this year.

In an increasingly complex global operating environment, automated monitoring controls—that is, a system that continuously monitors a business process and automatically flags any deviation from the norm—can help to drive down costs, mitigate risk (especially compliance risk), and assist management in making more informed business decisions, experts say.

Compliance and internal audit departments do seem to be warming up to the idea. In a recent poll of 150 public companies conducted by AMR Research, continuous monitoring software ranked third on respondents’ priority list for IT investments in 2010. Overall, 16 percent of respondents said they plan to invest in such solutions, ranking behind only compliance management (18 percent) and business process management (17 percent).

In addition, nearly 60 percent of companies indicated that monitoring either already is or soon will be part of their overall approach—largely compelled by cost, risk, compliance, and policy and procedure needs. And within that group, nearly two-thirds say they have automated monitoring to some extent.


That’s not to say compliance can be improved overnight by slapping a fresh coat of continuous monitoring onto IT systems. Prat Moghe, general manager at Netezza, a maker of data management software, says companies must first assess where their most sensitive data resides, and start by monitoring that. “If you start doing continuous monitoring of everything, it can overwhelm you very quickly,” he warns.

For example, Moghe says, a credit-card business may have thousands of computer servers, but only 10 percent of them might actually hold sensitive customer data. “Through data discovery, you’ll find out where your most critical data assets are,” he says. Then a company can narrow its continuous monitoring program to the most important areas—which reduces the cost.

Specifically, continuous monitoring can help to improve compliance with Section 404 of Sarbanes-Oxley, which requires effective internal control over financial reporting. Imagine an employee sneaking into the accounts payable system on a Tuesday and diverting a payment to his old college roommate. In the world of periodic controls and testing, outside auditors might test transactions to see whether any suspicious activity happened on a Monday or a Wednesday—and miss the fraud that happened on Tuesday. When properly implemented, continuous monitoring catches every deviation from the norm, including the Tuesday fraud, and automatically reports it.
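The Tuesday scenario above, and the segregation-of-duties concern raised later in the article, as an added example that is not from the article or any vendor named in it: a minimal continuous-monitoring check run over a constructed accounts-payable log, where the vendor master, user names and account numbers are all made up for illustration.

```python
"""Added example (not from the article): evaluate every accounts-payable
payment as it arrives and flag each deviation from the documented norm,
so a Tuesday diversion is caught rather than missed by a sampled test."""
from dataclasses import dataclass
from datetime import datetime

# Constructed vendor master: approved payee -> bank account on file.
VENDOR_MASTER = {"Acme Supplies": "ACCT-1001", "Globex Corp": "ACCT-2002"}


@dataclass
class Payment:
    ts: datetime
    payee: str
    account: str
    amount: float
    created_by: str
    approved_by: str


def check_payment(p: Payment) -> list[str]:
    """Return the control deviations found for one payment (empty if clean)."""
    findings = []
    if p.payee not in VENDOR_MASTER:
        findings.append("payee not in vendor master")
    elif VENDOR_MASTER[p.payee] != p.account:
        findings.append("bank account differs from vendor master")
    if p.created_by == p.approved_by:
        findings.append("creator approved own payment (segregation of duties)")
    return findings


def monitor(payments: list[Payment]) -> list[tuple[Payment, list[str]]]:
    """Continuous monitoring: every transaction is checked, none is sampled."""
    return [(p, f) for p in payments if (f := check_payment(p))]


# Constructed log: Monday and Wednesday payments that match the vendor master,
# and a Tuesday payment to an unknown account, created and approved by one user.
SAMPLE_LOG = [
    Payment(datetime(2010, 1, 4, 10, 5), "Acme Supplies", "ACCT-1001", 1200.00, "alice", "bob"),
    Payment(datetime(2010, 1, 5, 23, 41), "Acme Supplies", "ACCT-9999", 8500.00, "carol", "carol"),
    Payment(datetime(2010, 1, 6, 9, 30), "Globex Corp", "ACCT-2002", 430.00, "alice", "bob"),
]

if __name__ == "__main__":
    for p, findings in monitor(SAMPLE_LOG):
        print(p.ts.strftime("%A %Y-%m-%d"), p.payee, p.amount, "->", "; ".join(findings))
```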

The appeal of monitoring every transaction is obvious; the problem is the sheer volume of the transaction logs. “Obviously, you can’t stick a human on these logs,” Moghe says. “In some cases, we’ve seen people actually trying to go through these logs and manually spending hours and hours every day. It’s just not productive.”


John Capobianco, CEO of Lumigent, which makes software for continuous monitoring of databases, says continuous monitoring is also “a very good way to do preventive medicine on applications” since it spotlights which applications might need more security.

MONITORING VENDORS

Following is a select list of vendors that provide solutions in the continuous monitoring arena:

ACL Services
Oversight Systems
Oracle
SAP
Approva
Security Weaver
Infogix
Netezza
Lumigent
Lieberman Software

Capobianco makes a distinction between continuous monitoring of transactions, which provides the privacy and security controls IT departments want, and continuous monitoring of data, which reduces the operational risks and costs that the compliance department seeks. Both are correct and useful, he says, “but you get two different outcomes with the two different views.”

Continuous monitoring at the database level can also prove that data has not changed—a valuable fact to have in the compliance world, Capobianco says, because it provides a complete and trusted audit trail that can be considered persuasive evidence for auditors to rely on. That saves companies the expense of manually testing and reviewing unchanged data to prove its integrity.

Along With the Control

And if a company is going to monitor access to sensitive data or systems constantly, it would also do well to have a clear policy in place spelling out who has access to that part of the business, experts warn. James Quin, a senior analyst with Info-Tech Research, says such a policy should indicate “how access is to be provided, how access is to be validated, how access will be checked, and what will happen if inappropriate access occurs.”


Without that policy, companies may be hard pressed to take disciplinary action against an employee who does something wrong, Quin says. What’s more, lack of an access policy can also make it difficult for compliance officers to demonstrate to boards or external auditors (or, worst of all, regulators) that the company has a strong compliance program with all appropriate controls in place. “It all comes down to best practices,” Quin says.

Companies also should invest in monitoring that has built-in intelligence to identify performance gaps or unusual transactions that may suggest control failures, Moghe advises; the lack of such analytics is like having a security camera in a store with nobody behind the monitors. “Unless you have someone behind the camera, just collecting that feed doesn’t help you,” he says.

Jim Littley, a continuous auditing and continuous monitoring principal at KPMG, calls that analytics “seeing the forest through the trees.” The most effective monitoring systems, he says, allow management to find emerging trends and link them to various business performance issues—say, connecting changes in working capital requirements to billing errors, inventory management, or supply-chain problems.

Leading organizations tend to use a combination of three types of continuous monitoring and continuous auditing analytics: continuous controls monitoring, continuous transaction monitoring, and macro-level trends and results monitoring.

INVESTMENT MOTIVATORS

What drives investments in GRC?

Driver                                                                  Companies with less     Companies with 5,000
                                                                        than 5,000 employees    or more employees
Better manage and mitigate risks in the business                        38%                     28%
Risk/cost of non-compliance                                             9%                      17%
Reduction in overall cost of GRC                                        5%                      21%
Automation, efficiency, and repeatability of GRC activities             14%                     14%
Establishment of a legally defensible information environment           16%                     20%
Provide internal and external transparency of financial and
operational performance                                                 16%                     9%

Source: AMR Research: GRC in 2010 (November 2009)

“Nothing is foolproof,” Littley says. “Monitoring is optimized when you have all three dimensions in place.”

Many companies also struggle with who should oversee continuous monitoring controls. “They’re not sure who the responsibility should fall to,” Quin says.

In general, IT departments can handle the daily administration of access monitoring systems (that is, running the system and generating standard activity reports), while internal audit performs the oversight of the internal reporting capabilities.

“We don’t want to put too much responsibility in the hands of one individual, or in the hands of one group of individuals,” Quin says. “If they have the ability to institute the controls, as well as to generate and review the reports on the controls, it gives them the ability to sneak things through the system.”

As a final word of advice: Be prepared to convey quality information in a timely manner to show internal and external stakeholder parties why continuous monitoring is important, and how achieving it can drive better behavior and business results, Littley says.