For a company that executes complex commercial financing transactions, one of U.S.-based Siemens Financial Services, Inc.'s primary governance, risk management, and compliance (GRC) programs can be described in refreshingly simple terms:

Continuous monitoring + continuous auditing = continuous assurance

The monitoring in this equation refers to the method that the business process owner and management uses to ensure that crucial internal controls related to business activities and financial reporting are working as intended -- and improving and changing as needed. Auditing refers to the process by which the corporate internal audit team independently confirms that the internal controls are working as intended. And the assurance? Well, this refers to the confidence that well-rested managers experience when they're able to keep daily tabs on all of the internal controls and risks that might otherwise keep them awake at night.

"Continuous assurance is the best of both worlds," reports Jason Gross, vice president, controls management, for Siemens Financial Services, Inc. "We view this continuous monitoring program as a control. It ensures accurate financial reporting and also helps to safeguard all of the assets in our business portfolio." Now see Jason explain how to transition to continuous monitoring.

Like continuous auditing technology, continuous monitoring tools scour massive amounts of systems transactions and spit out red flags when data does not conform to business rules and/or internal controls. If the phrase "continuous monitoring" sounds a tad too vendor-generated for your tastes, consider this a case study about GRC ownership.

Siemens Financial Services is using technology, processes, and a team of former internal auditors to empower management and business process owners to assume greater control of ensuring that the internal controls in their area are effective, executed properly, and, when necessary, adapted to reflect changing business conditions.

Monitoring vs. Auditing

Siemens Financial Services, Inc. (SFS), is one of the U.S.-based operating companies of Siemens AG, the German-based electronics and engineering giant. SFS's commercial financing solutions serve client companies in the healthcare, energy, and manufacturing industries.

Gross headed SFS's internal audit department until a restructuring in which Siemens AG's corporate internal audit department took over internal audit responsibilities at the U.S. operating company. The shift enabled Gross, a 7-year veteran of the company, and his team to take responsibility for a new function: controls management. Gross emphasizes the last word of his new function. "Our role is different from internal audit in that we are now part of management,and therefore a part of the execution process" he notes.

Therein lies the difference between continuous auditing -- which Gross and his team had used as internal auditors, at times, to help automate certain elements of the annual audit -- and continuous monitoring (see "Upclose: What's the difference?"). Internal audit owns and executes continuous auditing. Business process owners are responsible for overseeing and executing continuous monitoring.