Released by the Financial Executives Research Foundation, and sponsored by Infogix, this study on the Benefits of Continuous Monitoring is by individuals with excellent credentials in the area. I have known Professor Sri Ramamoorti for a long time, and as a partner with Grant Thornton he was one of the team that wrote the COSO Guidance on Monitoring Internal Control Systems. Michael Cangemi has been a board member of COSO, representing the Financial Executives International. The third author of this study on continuous monitoring is William M. Sinnett, Director of Research at the Financial Executives Research Foundation.
I recommend the study for its several case studies, which give examples of companies that have used continuous monitoring techniques to advantage.
The study also drew a number of valuable conclusions about what makes the practice successful.
However, I admit to having some serious reservations about the study:
1. There is a major difference between the monitoring of internal controls, to ensure they function as intended, as described in the COSO Internal Controls Framework (ICF), and the monitoring of transactions and other activity to detect errors, higher levels of risk, or potential fraud. Each has value, but they are different. (See links to further discussions at the end of this post.)
2. It is interesting that the authors have used definitions from Deloitte rather than COSO.
COSO: “Internal control systems need to be monitored--a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.”
Deloitte: “Continuous monitoring enables management to continually review business processes for adherence to and deviations from their intended levels of performance and effectiveness.
“CM is an automated, ongoing process that enables management to:
- Assess the effectiveness of controls and detect associated risk issues;
- Improve business processes and activities while adhering to ethical and compliance standards;
- Execute more timely quantitative and qualitative risk-related decisions; and
- Increase the cost-effectiveness of controls and monitoring through IT solutions.”
3. This paper studies the monitoring of transactions and activity, not so much the performance or reliability of internal controls. Frankly, this form of monitoring is not an activity in the COSO Monitoring component of ICF; these are (pure and simple) detective controls in the Control Activities component. The value in the discussion is that improvements in technology have made detective controls more powerful as well as easier to deploy and use.
4. A study on monitoring that refers to COSO should, in my opinion, include more examples and discussion of how monitoring of controls can be improved.
5. Any deployment of resources to monitor transactions and activity should be risk-based. While the report observes that continuous monitoring technology is often applied to payment activity, this is (in my opinion) more because it is easier to deploy the technology in that area than to build a risk-based monitoring program designed to monitor the areas of greater risk to the organization. In other words, I advocate use of this technique where it matters.
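To make the distinction in points 1, 3 and 5 concrete, here is a small added example (mine, not from the study, its authors, COSO or Deloitte) that runs both kinds of monitoring over a constructed batch of payments. The approval threshold, the duplicate-payment window, the vendor risk ratings and the sample payments are all assumptions invented for the illustration. `detect_transaction_exceptions` is the detective control: it flags individual payments. `assess_control_operation` is monitoring of the control itself: it asks whether the two-approval control operated as intended across the whole population. `rank_by_risk` orders the findings so that review effort goes where the risk is.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy: payments above this amount need two distinct approvers.
APPROVAL_THRESHOLD = 10_000.0
# Assumed rule: same vendor and amount within this window is a possible duplicate.
DUP_WINDOW = timedelta(days=7)


@dataclass(frozen=True)
class Payment:
    pid: str
    vendor: str
    amount: float
    date: datetime
    approvals: int      # distinct approvers recorded on the payment
    vendor_risk: str    # constructed rating: "low" or "high"


# Constructed sample data for the illustration.
SAMPLE_PAYMENTS = [
    Payment("P1", "VendorA", 15000.0, datetime(2024, 1, 3), 2, "low"),
    Payment("P2", "VendorB", 12000.0, datetime(2024, 1, 5), 1, "high"),
    Payment("P3", "VendorC", 4500.0, datetime(2024, 1, 6), 1, "low"),
    Payment("P4", "VendorC", 4500.0, datetime(2024, 1, 9), 1, "low"),
    Payment("P5", "VendorD", 800.0, datetime(2024, 1, 10), 0, "low"),
    Payment("P6", "VendorA", 15000.0, datetime(2024, 2, 20), 2, "low"),
]


def detect_transaction_exceptions(payments):
    """Detective control (COSO Control Activities): flag individual payments.

    Returns a list of (finding_kind, payment_id) tuples.
    """
    findings = []
    last_seen = {}  # (vendor, amount) -> most recent Payment with that key
    for p in sorted(payments, key=lambda x: x.date):
        if p.amount > APPROVAL_THRESHOLD and p.approvals < 2:
            findings.append(("missing_approval", p.pid))
        key = (p.vendor, p.amount)
        prev = last_seen.get(key)
        if prev is not None and p.date - prev.date <= DUP_WINDOW:
            findings.append(("possible_duplicate", p.pid))
        last_seen[key] = p
    return findings


def assess_control_operation(payments, tolerable_exception_rate=0.0):
    """Monitoring of the control (COSO Monitoring): did the two-approval
    control operate as intended over the period?

    Looks only at the population the control applies to and reports an
    exception rate, so the conclusion is about the control, not one payment.
    """
    in_scope = [p for p in payments if p.amount > APPROVAL_THRESHOLD]
    exceptions = [p for p in in_scope if p.approvals < 2]
    rate = len(exceptions) / len(in_scope) if in_scope else 0.0
    return {
        "population": len(in_scope),
        "exceptions": len(exceptions),
        "exception_rate": rate,
        "operating_effectively": rate <= tolerable_exception_rate,
    }


def rank_by_risk(findings, payments):
    """Risk-based prioritisation: weight each finding by amount and vendor
    risk so that the highest-risk items are reviewed first.

    Returns a list of (finding_kind, payment_id, risk_score) tuples.
    """
    by_id = {p.pid: p for p in payments}
    scored = []
    for kind, pid in findings:
        p = by_id[pid]
        multiplier = 2.0 if p.vendor_risk == "high" else 1.0  # assumed weighting
        scored.append((kind, pid, p.amount * multiplier))
    return sorted(scored, key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    found = detect_transaction_exceptions(SAMPLE_PAYMENTS)
    print("Transaction findings:", found)
    print("Control assessment:", assess_control_operation(SAMPLE_PAYMENTS))
    print("Ranked by risk:", rank_by_risk(found, SAMPLE_PAYMENTS))
```

On the sample data the detective control flags two payments (one above the threshold with a single approver, one possible duplicate), while the control assessment reports that one of three in-scope payments bypassed the two-approval control, which is a control deficiency to report upstream regardless of how the individual items are resolved. The ranking puts the high-risk-vendor payment ahead of the small duplicate, which is the risk-based allocation of review effort argued for in point 5.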
For more on this topic, check out these posts: