GRC Tuesdays: Do Auditors Rely on CCM?
What’s Wrong with This Picture?!
SAP customers often raise the topic of audit firms’ reliance on the results of continuous control monitoring (CCM) and automated testing. The concern is that many audit firms, even those with practices involving continuous control monitoring, are very hesitant to use that information to positively influence the nature and extent of their testing.
So, imagine some of our customers who have spent a significant amount of time trying to understand how they can best benefit from automation. They busily build business rules that will route identified exceptions to appropriate business users for review and potential correction. As part of that effort they have harmonized controls and business rules so that they can count on consistent and reliable control performance, with supporting reports to back it up. They are finding and correcting issues sooner, their processes are stronger, and their internal auditors are singing in the hallways.
When it’s time for the external auditors to arrive, the customers are excited. Well, perhaps not excited exactly, but they are expecting things will begin to get easier and less expensive—perhaps not in the first year they’ve introduced new practices but thereafter. They are met with blank stares, hesitation, and skepticism from their auditors, and are asked to start taking screenshots of the different configurations in their systems so their auditors can test the same way they always have.
I get it – I really do! Audit firms work in a litigious world and need to carefully manage their risks. In addition, audit firms may operate in silos, and auditors may not realize that others in their firm have extensive knowledge of how the CCM software works and of the benefits of using continuous control monitoring or automated testing. For that matter, audits are based not just on firm practices but also on judgment, and that judgment must take into account the auditors’ history with the company being audited (have they had significant deficiencies before, perhaps?).
Also, to be fair, it may well be that their client (our customer) hasn’t dotted all the i’s and crossed all the t’s. So, what are some ways you can help avoid the pain of finding out that the reduced audit fees you promised your management are never going to materialize?
Auditors usually do not like surprises, so communicate and coordinate early and often.
- Discuss your plans with them and give them a chance to raise their concerns in advance.
- Explain how you selected controls for automation, and ask them what types of documentation they would need for the audit.
- Make sure your own expectations of them are reasonable, and give them a chance to explain how implementation of CCM might impact the first-year audit (hint: expect higher fees in the first year because they would need to do more work, not less).
- Ask what you might reasonably expect in future years if CCM and related procedures are working as intended. And should you just happen to be in the middle of selecting a new audit firm, by all means raise this as a key concern for your company.
Document and Share
Let the auditors review samples of your documentation, especially those items they identified as important for the audit. Chances are, your documentation may need a bit of revision here and there to make it useful for your business users, management, internal auditors, and external auditors. Be sure to consider, at a minimum:
- What you are automating and why
- How you designed, created, tested, and approved your business rules
- Processes for handling exceptions, who is involved, and how you ensure consistency and timely resolution
- How to ensure completeness of the data population and the exceptions, while minimizing false positives
- Change control over both your CCM system as well as the configurations and processes that control the nature of your data
- How to ensure that your CCM system itself is operating as designed—that is, are jobs running, are exception results being returned, are errors being resolved?
- That automating controls in this way likely causes your CCM application itself to be considered an in-scope application for purposes of SOX and similar regulations
Train Your Auditors—Internal and External
While CCM can provide many benefits to business users and compliance/control teams, it’s important that auditors have a good feel for what it does and how it does it. So DO include your internal auditors in whatever training you might provide to other key users. They need to understand it to be able to audit it.
As for your external auditors, the same holds true. Current wisdom among many of our SAP Process Control customers is that giving external auditors read-only roles to selected aspects of the product and providing targeted training for them can reap benefits down the line. Not only does it make them more comfortable and hence more likely to consider CCM information and procedures, but it also enables them to pull reports for themselves which can make audits easier for business users and internal auditors.
A Word about SAP Process Control
If you’ve read my blogs before, you may be wondering why I didn’t make this specific to SAP Process Control (“my” solution). Well, I had started to do exactly that, but I realized a lot of my comments were general enough to apply to ANY continuous control monitoring solution. In addition, Ralph Aboujaoude Diaz has already written a blog on that topic: “Automated monitoring in SAP Process Control: what you must do to get the buy-in from your auditors (and you can’t hide from them!)”
- Join us at SAPinsider GRC2017 in Amsterdam in June. (Register by May 12 and save €300)
- Read our other blogs on the Three Lines of Defense and GRC topics.