
For a company that executes complex commercial financing transactions, one of U.S.-based Siemens Financial Services, Inc.'s primary governance, risk management, and compliance (GRC) programs can be described in refreshingly simple terms:
Continuous monitoring + continuous auditing = continuous assurance
The monitoring in this equation refers to the method that the business process owner and management uses to ensure that crucial internal controls related to business activities and financial reporting are working as intended -- and improving and changing as needed. Auditing refers to the process by which the corporate internal audit team independently confirms that the internal controls are working as intended. And the assurance? Well, this refers to the confidence that well-rested managers experience when they're able to keep daily tabs on all of the internal controls and risks that might otherwise keep them awake at night.
"Continuous assurance is the best of both worlds," reports Jason Gross, vice president, controls management, for Siemens Financial Services, Inc. "We view this continuous monitoring program as a control. It ensures accurate financial reporting and also helps to safeguard all of the assets in our business portfolio."
Like continuous auditing technology, continuous monitoring tools scour massive amounts of systems transactions and spit out red flags when data does not conform to business rules and/or internal controls. If the phrase "continuous monitoring" sounds a tad too vendor-generated for your tastes, consider this a case study about GRC ownership.
Siemens Financial Services is using technology, processes, and a team of former internal auditors to empower management and business process owners to assume greater control of ensuring that the internal controls in their area are effective, executed properly, and, when necessary, adapted to reflect changing business conditions.
Siemens Financial Services, Inc. (SFS), is one of the U.S.-based operating companies of Siemens AG, the German-based electronics and engineering giant. SFS's commercial financing solutions serve client companies in the healthcare, energy, and manufacturing industries.
Gross headed SFS's internal audit department until a restructuring in which Siemens AG's corporate internal audit department took over internal audit responsibilities at the U.S. operating company. The shift enabled Gross, a 7-year veteran of the company, and his team to take responsibility for a new function: controls management. Gross emphasizes the last word of his new function. "Our role is different from internal audit in that we are now part of management, and therefore a part of the execution process," he notes.
Therein lies the difference between continuous auditing -- which Gross and his team had used as internal auditors, at times, to help automate certain elements of the annual audit -- and continuous monitoring (see "Upclose: What's the difference?"). Internal audit owns and executes continuous auditing. Business process owners are responsible for overseeing and executing continuous monitoring.
Technology enables business process owners to monitor the controls supporting their system transactions and processes. In SFS's case, the technology is from ACL Services, whose "business assurance" tools support continuous auditing and continuous monitoring activities. The business process owners, in collaboration with Gross's controls management staff, identify which controls and transactions they need to monitor based on the magnitude of risk associated with each control. Monitoring, Gross points out, is more proactive than auditing.
"The powerful thing about this continuous controls monitoring approach is that it contains a preventative component," he explains. "Issues within a system can be detected and corrected before the erroneous transaction becomes live."
For example, when an SFS lease administrator books a transaction into the system, this transaction may not "go live" for 24 hours. The manager responsible for overseeing lease transactions receives a daily report based on the routines the ACL continuous monitoring application runs each evening. If any issues -- data mismatches, entry errors, or other internal controls red flags -- crop up, the manager is informed of the problem and can correct it immediately ... rather than deal with it during a quarterly review or (worse) after hearing from the controller or (still worse) internal auditor that the numbers don't add up.
"I think that some people do get confused about where the line is between continuous auditing and continuous monitoring," says Gross, who has spoken on the topic at corporate finance and software conferences. "It's an important distinction. It's a matter of ownership, and it's a matter of not stepping over that line of independence."
Harald Will, ACL Services president and CEO, agrees. He notes that continuous auditing is used by internal audit to perform control and risk assessments frequently and automatically, while continuous monitoring is conducted by management as part of its responsibility to implement and maintain effective control systems.
"Since management is responsible for the effectiveness of internal controls, continuous monitoring provides the means to determine whether the controls are operating as designed and intended," Will continues. "By being able to identify and correct control systems quickly, the overall effectiveness of the system can be improved."
Upclose: What's the difference?

| Continuous Auditing | Continuous Monitoring |
|---|---|
| Owned and performed by internal audit | Owned and performed by management |
| Primarily detective in nature (may also be corrective) | Can be preventative, detective, and/or corrective in nature |
| Internal audit is responsible for evaluating continuous monitoring activities | Qualifies as an internal control |
Continuous monitoring tends to take root within companies that already use continuous auditing. At these companies, business process owners see the value of timely notification of control weaknesses and transaction errors and want a similar capability.
To some degree, this is how the process worked at SFS: Gross saw the value in continuous auditing and, freed from the independence requirements of the internal audit function, he and his team were able to implement continuous monitoring.
Many publicly listed companies may find themselves in a ripe "post-Sarbanes" position to consider continuous monitoring. At most companies, compliance and internal controls monitoring (of the manual variety) has largely been handed off by internal audit to business process owners. Continuous monitoring represents an attempt to make this work more efficient and more effective.
The procure-to-pay cycle, Will says, represents a common area in which to begin continuous monitoring. Procure-to-pay represents "one area of the organization where both audit and management have the need to review transactions for anomalies, and therefore both approaches add value," he explains. "Whether checking for supplier fraud, internal fraud, or simple errors, P-to-P is a good place to start and usually yields results." Gross and Will say that continuous monitoring also can be applied to the revenue cycle (billing through accounts receivable).
The keys to successful implementation mirror the same steps that most process-improvement and system implementation efforts also require: strong executive support; healthy communications between the implementers (in SFS's case, the controls management function) and end users (business process owners); and a start-small approach.
Gross credits SFS CFO Matthias Grossman with providing the vision and executive support behind the continuous monitoring effort. "You need a clear strategy and a strong sponsor to move this forward," Gross explains, "but you also need the strong partnership and ongoing communications with the business process owners throughout the organization."
To that end, Gross and his team had an advantage: Their previous experience as internal auditors had enabled them to forge relationships with business process owners over the years. They interviewed their business colleagues to find out which internal controls they wanted to know about on a real-time basis. "We asked them, 'What do you want to know the following morning about the data that was processed last night?'" Gross recalls.
The responses helped Gross and his team to focus on the key risks and controls in each business process.
"I think that it's important to start small and then show the results," Gross notes. "You tell the business process owner, 'We went through this area, and here's what we found' -- a key-punching error, for example, or some factors that were changed but were not supposed to change."
This iterative approach helps cultivate buy-in at the process level, Gross reports. He also notes that the technology needs to be customized to each area's unique business and workflow rules. On the first few dry runs, it is inevitable that the "false positives" will be flagged -- issues that look like errors or inaccuracies but that are not actually problems.
"You will always forget to filter out something," Gross explains. "It might look like an exception, but you have to filter it out. This is why you want to be in close coordination with process owners, to help minimize the false positives."
Once the false positives have been eliminated, the continuous monitoring technology is customized to scrutinize targeted areas and raise red flags (exception alerts) whenever an internal control (1) is not properly designed or (2) is not being executed (correctly or at all).
The technology accomplishes this by evaluating the following system attributes on a regular (often daily) basis:
Authorization: Do the people entering transactions into the system possess the authority to make transactions at that level?
For example, a red flag would be raised if a manager who is not authorized to approve a loan enters a new loan into the system. Similarly, a red flag would be raised if a manager -- one who is authorized to approve loans up to a certain dollar amount -- enters a new loan that exceeds that dollar amount. A business process owner "can examine the transactions that have been processed and work backwards," says Gross. "If you have a list of authorized users and authorized limits, you can automatically ensure that there have been no violations." If this is the case, the controls in this area are functioning as intended. If not, either the control needs to be redesigned or its execution needs to be improved.
Data completeness: Have all of the necessary data elements required for a specific transaction been entered into the system?
The completion of commercial loans and leases requires numerous pieces of detailed data -- customer information, loan amounts, interest amounts, payment terms, other contractual information, etc. -- to be entered into SFS's system. If any single piece of data is missing, this could lead to accounting and financial reporting errors down the road.
Table maintenance: Have any unauthorized changes been made to the tables in the system?
Tables hold a variety of values used to perform calculations and evaluations that affect other determinations. For example, loss provisions are determined by a customer's risk ranking. If the risk-ranking table has been improperly changed, the loss provisions will be affected.
Edit checks: Are the system's preventative controls functioning as intended?
Most systems have internal controls that help to ensure that users enter a reasonable range of information. These safety features help to alert end users if they punch in $10,000 when they intended to enter $100.00. The continuous monitoring technology ensures that these controls are in place and operating as intended.
Calculation verification: Are the calculations that the system is performing correct?
These continuous monitoring operations simply recalculate specific transactions to confirm their accuracy. "On the surface, you might think, 'Well, shouldn't this check always produce the same end result that the system produces?'" acknowledges Gross, harkening back to his internal audit work prior to the advent of continuous auditing. "But I will tell you, when you verify 100 percent of the calculations, you will find things that you don't find when you look at a much smaller sample size. This is why this form of monitoring is so powerful."
Data integrity: Was data entered in a way that conforms to business rules?
For example, if "40" was entered in a field that only accepts a value between one and 10, why did that occur? Is there a need for a new control within the system to prevent this error?
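As an added illustration of the nightly routine described above (this is example code written for this article, not ACL's product or SFS's own scripts), the following Python runs five of the six attribute checks (authorization, data completeness, table maintenance, calculation verification, and data integrity) over a constructed batch of pending lease transactions and produces the kind of next-morning exception report a process owner would review. The authorized-user list, the risk-ranking table, the 1-to-120-month term rule, and all transaction values are constructed assumptions.

```python
import hashlib
import json

# Constructed reference data (hypothetical): who may book loans, and up to what amount.
AUTHORIZED_LIMITS = {"alice": 250_000, "bob": 1_000_000}
REQUIRED_FIELDS = ("id", "user", "customer", "amount", "rate", "term_months", "payment", "risk_rank")
# Constructed risk-ranking table (drives loss provisions); management keeps the approved digest.
RISK_RANK_TABLE = {"A": 0.01, "B": 0.03, "C": 0.08}
def table_digest(table):
    """Fingerprint a lookup table so an unauthorized edit shows up as a digest mismatch."""
    return hashlib.sha256(json.dumps(table, sort_keys=True).encode()).hexdigest()
APPROVED_DIGEST = table_digest(RISK_RANK_TABLE)

def expected_payment(amount, annual_rate, term_months):
    """Independently recompute the level monthly payment (standard annuity formula)."""
    r = annual_rate / 12
    return round(amount * r / (1 - (1 + r) ** -term_months), 2)

def check_transaction(tx):
    """Return the exception flags for one pending transaction (empty list = clean)."""
    missing = [f for f in REQUIRED_FIELDS if tx.get(f) in (None, "")]
    if missing:  # the other controls cannot be evaluated on an incomplete record
        return [f"completeness: missing {missing}"]
    flags = []
    limit = AUTHORIZED_LIMITS.get(tx["user"])
    if limit is None:
        flags.append("authorization: user not on the authorized list")
    elif tx["amount"] > limit:
        flags.append(f"authorization: amount {tx['amount']} exceeds limit {limit}")
    if tx["risk_rank"] not in RISK_RANK_TABLE:
        flags.append(f"data integrity: risk_rank {tx['risk_rank']!r} is not an allowed value")
    if not 1 <= tx["term_months"] <= 120:  # constructed business rule for term length
        flags.append(f"data integrity: term_months {tx['term_months']} out of range")
    elif abs(tx["payment"] - expected_payment(tx["amount"], tx["rate"], tx["term_months"])) > 0.01:
        flags.append("calculation: booked payment does not match recalculation")
    return flags

def nightly_run(transactions, table, approved_digest):
    """Build the next-morning report: table-maintenance check plus per-transaction exceptions."""
    table_ok = table_digest(table) == approved_digest
    exceptions = {tx.get("id", "<no id>"): f for tx in transactions if (f := check_transaction(tx))}
    return {"table_maintenance_ok": table_ok, "exceptions": exceptions}

# Constructed batch of transactions booked today that are not yet live.
PENDING = [
    {"id": "L1", "user": "alice", "customer": "Acme", "amount": 100_000, "rate": 0.06, "term_months": 60, "payment": 1933.28, "risk_rank": "B"},
    {"id": "L2", "user": "alice", "customer": "Beta", "amount": 400_000, "rate": 0.06, "term_months": 60, "payment": 7733.12, "risk_rank": "A"},
    {"id": "L3", "user": "carol", "customer": "Gamma", "amount": 50_000, "rate": 0.05, "term_months": 36, "payment": 1498.54, "risk_rank": "A"},
    {"id": "L4", "user": "bob", "customer": "", "amount": 50_000, "rate": 0.05, "term_months": 36, "payment": 1498.54, "risk_rank": "A"},
    {"id": "L5", "user": "bob", "customer": "Delta", "amount": 50_000, "rate": 0.05, "term_months": 36, "payment": 1498.54, "risk_rank": "D"},
    {"id": "L6", "user": "bob", "customer": "Echo", "amount": 50_000, "rate": 0.05, "term_months": 36, "payment": 1500.00, "risk_rank": "A"},
]
```

Calling `nightly_run(PENDING, RISK_RANK_TABLE, APPROVED_DIGEST)` flags L2 through L6 (one control each) and leaves L1 clean; passing an edited copy of the risk-ranking table instead turns `table_maintenance_ok` false.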
These monitoring activities can be applied and customized to a variety of business processes in any organization. There is another reason why continuous monitoring can be powerful: Over time, the results of the evaluation of all of these attributes can help to alert companies to change management problems and provide grist for more consultative trending and analysis.
For example, if a large volume of red flags suddenly appears, this may be a sign that changes in the business have not been reflected within the systems that support the business. "This can be a very good indicator that some of the company's change management mechanisms are not working as intended," Gross notes.
Also, by looking at the data as it accumulates over time, SFS's controls management team can spot trends. A risk position within a portfolio might be trending upward or downward, for example. This and other trend information can be very useful to management.
Gross remains excited about his function becoming more consultative in this respect. Emphasizing that the operating company's continuous monitoring capabilities are a journey, he says that the complex work that the technology conducts can translate into straightforward benefits.
"We believe that once we fully roll this out," he adds, "we will ultimately be able to help the business by spotting specific process-improvement opportunities."