Along with preventive elements such as codes of conduct, hotlines, and whistleblower mechanisms, continuous auditing and continuous monitoring (CA/CM) can be a key component of an effective fraud risk management process. CA/CM also shifts the focus of management and internal audit from a traditional retrospective, detective approach to a proactive, preventive stance.
Many indicators of fraud and misconduct - both actual and potential - reside within an organization's financial, operational and transactional data, and can be identified using forensic-based CA/CM tools and techniques. These include sophisticated analytical tests, computer-based cross-matching, and non-obvious-relationship identification to highlight potential fraud and misconduct that can go unnoticed by traditional review techniques. Some benefits of forensic-based CA/CM strategies include:
* Identification of hidden relationships between people, organizations and events;
* Identification and analysis of suspicious transactions;
* Assessment of the effectiveness of internal controls for preventing or detecting fraud;
* Continual monitoring of fraud threats and vulnerabilities; and,
* Efficient and cost-effective consideration and analysis of thousands of transactions.
Retrospective-based continuous monitoring applied in the detection of fraud and misconduct can allow organizations to analyze transactions in monthly, quarterly or annual increments, enabling them to discern patterns not visible with shorter-term analyses. More real-time monitoring, however, can help an organization identify potential fraud on a daily, weekly or monthly basis.
The goal of CA/CM, however defined, is to ensure greater transparency, effectively managed risk (including fraud and misconduct risk), and greater performance.
Organizations that work to draw maximum value from CA/CM tend to use a combination of both elements throughout the business. Companies that combine them tend to coordinate the efforts of internal audit with management to avoid duplication of efforts and unproductive use of resources.
Some organizations that have successfully implemented continuous auditing without having a continuous monitoring process in place did so to better understand risks to the enterprise, assess control effectiveness, support compliance efforts, and better manage and utilize their internal audit resources. Often, continuous auditing techniques lead management to ultimately adopt select procedures as continuous monitoring.
To better monitor their fraud and misconduct risks, leading organizations tend to use all three dimensions of CA/CM. How each dimension is applied depends on a number of factors, including current IT systems, the fraud and misconduct risk areas to be monitored, ease of implementation, and cost:
Continuous controls monitoring (CCM) includes monitoring a system's global configuration settings, access controls, and the rules that define how an event or transaction can be initiated, processed and recorded. CCM focuses on detecting unauthorized users attempting to perform "authorized" activities.
Continuous transaction monitoring (CTM) includes creating rules and tests that run against the actual flow of transactions, identifying exceptions, anomalous patterns and trends, or other outliers that represent risk or are contrary to expected measures of performance. CTM focuses on detecting authorized users performing "unauthorized" activities.
Macro-level trends and results monitoring requires evaluation of analyses measuring historical or emerging trends to identify potential fraud and misconduct issues with underlying changes in the organization's people, processes and technology.
The success of CA/CM is dependent upon the effective use of technology tools that provide users the means to structure, document and manage risk; monitor internal control effectiveness and performance; and detect and correct controls gaps while making timely performance improvement adjustments.
The value of the tools lies in the ability to translate a business rule to a configurable control and then assess the transactions' performance against expected results. When a configurable control or transaction does not conform to a predefined, risk-based, business-rule pattern or trend, an alert can be automatically generated. Such an alert could be as simple as an e-mail to a supervisor, or it could be a summary dashboard by control points, process area, and operating unit, providing useful business insights.
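The business-rule-to-alert pipeline described above, as an added example that is not from the article or from KPMG's tooling: a small Python script that runs one CCM rule (a segregation-of-duties check on role assignments), one cross-match of the "hidden relationship" kind listed earlier (vendor payout accounts against employee payroll accounts), and three CTM rules (duplicate payments, split transactions under an approval limit, self-approval) over constructed ERP-style records. Every user, vendor, account number, threshold and transaction here is hypothetical, chosen so that each rule fires at least once.

```python
"""Rule-based CA/CM checks over constructed sample data (added example, not
from the article). CCM rule, master-data cross-match, and CTM rules; each
returns alert records that a dashboard or e-mail notifier would consume."""
from collections import defaultdict
from datetime import date

# --- Constructed sample data (hypothetical) --------------------------------
USERS = {                                  # user -> roles held in the ERP
    "alice": {"create_vendor", "enter_invoice"},
    "bob": {"approve_payment"},
    "carol": {"create_vendor", "approve_payment"},   # SoD conflict
}
CONFLICTING_ROLES = (("create_vendor", "approve_payment"),)  # assumed policy
VENDORS = {
    "V100": {"name": "Acme Supplies", "bank_account": "GB11-0001"},
    "V200": {"name": "Northwind Consulting", "bank_account": "GB11-0777"},
    "V300": {"name": "Delta Parts", "bank_account": "GB11-0345"},
}
EMPLOYEES = {
    "E1": {"name": "Carol Smith", "bank_account": "GB11-0777"},  # same as V200
    "E2": {"name": "Dan Jones", "bank_account": "GB11-0999"},
}
APPROVAL_LIMIT = 10_000.0   # assumed: above this a second approver is required
TRANSACTIONS = [
    {"id": "T1", "vendor": "V100", "amount": 4_800.0, "date": date(2024, 3, 4),
     "created_by": "alice", "approver": "bob"},
    {"id": "T2", "vendor": "V100", "amount": 4_800.0, "date": date(2024, 3, 6),
     "created_by": "alice", "approver": "bob"},     # duplicate of T1
    {"id": "T3", "vendor": "V200", "amount": 9_500.0, "date": date(2024, 3, 10),
     "created_by": "carol", "approver": "carol"},   # self-approved, split
    {"id": "T4", "vendor": "V200", "amount": 9_900.0, "date": date(2024, 3, 10),
     "created_by": "carol", "approver": "carol"},   # self-approved, split
    {"id": "T5", "vendor": "V300", "amount": 12_000.0, "date": date(2024, 3, 12),
     "created_by": "alice", "approver": "bob"},
    {"id": "T6", "vendor": "V100", "amount": 4_800.0, "date": date(2024, 4, 20),
     "created_by": "alice", "approver": "bob"},     # same amount, 45 days later
]

# --- CCM: access-control rule over configuration data ----------------------
def sod_conflicts(users, conflicting=CONFLICTING_ROLES):
    """Users holding both roles of a conflicting pair."""
    return [(u, a, b) for u, roles in sorted(users.items())
            for a, b in conflicting if a in roles and b in roles]

# --- Cross-match: non-obvious relationship between two master-data tables --
def vendor_employee_bank_matches(vendors, employees):
    """Vendors whose payout account equals an employee's payroll account."""
    by_account = {e["bank_account"]: eid for eid, e in employees.items()}
    return sorted((vid, by_account[v["bank_account"]])
                  for vid, v in vendors.items() if v["bank_account"] in by_account)

# --- CTM: rules run against the transaction flow ---------------------------
def duplicate_payments(txns, window_days=7):
    """Same vendor and amount paid again within window_days of an earlier one."""
    groups = defaultdict(list)
    for t in txns:
        groups[(t["vendor"], t["amount"])].append(t)
    alerts = []
    for group in groups.values():
        group.sort(key=lambda t: t["date"])
        for earlier, later in zip(group, group[1:]):
            if (later["date"] - earlier["date"]).days <= window_days:
                alerts.append((earlier["id"], later["id"]))
    return sorted(alerts)

def split_transactions(txns, limit=APPROVAL_LIMIT):
    """Several sub-limit entries by one user for one vendor on one day whose
    total reaches the limit: the usual way to dodge a second approver."""
    groups = defaultdict(list)
    for t in txns:
        if t["amount"] < limit:
            groups[(t["vendor"], t["created_by"], t["date"])].append(t)
    alerts = []
    for (vendor, user, day), group in sorted(groups.items()):
        total = sum(t["amount"] for t in group)
        if len(group) > 1 and total >= limit:
            alerts.append((vendor, user, day.isoformat(), total,
                           tuple(sorted(t["id"] for t in group))))
    return alerts

def self_approved(txns):
    """Creator and approver are the same user."""
    return sorted(t["id"] for t in txns if t["created_by"] == t["approver"])

def run_all():
    """Run every rule; the returned dict is what a dashboard would be fed."""
    return {
        "ccm_sod": sod_conflicts(USERS),
        "cross_match_bank": vendor_employee_bank_matches(VENDORS, EMPLOYEES),
        "ctm_duplicates": duplicate_payments(TRANSACTIONS),
        "ctm_split": split_transactions(TRANSACTIONS),
        "ctm_self_approval": self_approved(TRANSACTIONS),
    }

if __name__ == "__main__":
    for rule, alerts in run_all().items():
        print(f"{rule}: {len(alerts)} alert(s)")
        for alert in alerts:
            print("   ", alert)
```

In practice the dictionaries would be nightly extracts from the ERP's user, vendor, employee and payment tables, and each alert tuple would become an e-mail or a dashboard row keyed by rule, process area and operating unit. The window and threshold parameters are the tuning knobs: a seven-day duplicate window and a single approval limit are assumptions here, and the volume of false positives they produce on real data is what decides whether a rule is run as a monitoring control by management or sampled periodically by internal audit.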
Implementing CA/CM is not just a technology exercise. It changes the type, speed and visibility of information on risk and performance, which should have a significant impact on how business decisions are made and monitored, giving management current and relevant information with which to manage fraud and misconduct risks.
James R. Littley is a principal in the forensic practice and Americas co-leader for continuous auditing and continuous monitoring services at KPMG LLP in Philadelphia. Andrew M. Costello, CPA, CFF, CFE, is a director in the forensic practice at KPMG. Reprinted with permission from The Pennsylvania CPA Journal.