In recent years, we have observed a consistent trend towards the standardization and centralization of IT. Furthermore, Data Analytics (DA) is increasingly shaping our world. Complex analytics are supporting better and faster decisions which is driving rapid investments across all business sectors ([KPMG16]). Now after years of talking, writing and rare implementations we are currently in the midst of an era where Continuous Monitoring (CM) should also finally come to full fruition, benefiting from investments in systems and data. We expect to see more and more CM implementations in the coming years. Especially when supporters of such initiatives can convince decision makers to invest in technology for which the return on investment is difficult to determine. This article will describe a practical model which can help supporters to quantify the possible added value of CM.
It is both ironic and disappointing that the hopeful benefits of Continuous Monitoring (CM) have still not come true. In the early years of this decade multiple articles have been written about this new and promising monitoring methodology. Advancements in information technology (IT), new laws and regulations and rapidly changing business conditions are the drivers for more timely and ongoing assurance on effectively working controls. CM was, and we think still is, a methodology which can make this possible. It enables organizations to review whether controls and system functions are working as intended on an ongoing basis.
The best has yet to come
The primary objective of any CM solution is to provide constant surveillance of data (controls and transactions) on a real or near real-time basis against a set of predetermined rule sets ([Sche13]). In case of an unexpected situation, an alarm will be triggered and a stakeholder will be notified. Such timely data enhances better oversight across the organization, it improves the efficiency of the control environment, can reduce errors and it can enhance error remediation. Unfortunately however, concrete implementations do not pop up out of the ground ([KPMG12]), ([Hill16]), ([SANS16]).
CM should not be confused with another evolving technology: Continuous Auditing (CA). CA can be used to perform audit activities on a frequent basis to provide ongoing assurance and more timely insight into risk and control issues. The main difference between these two concepts is the person responsible. CA is, as its name implies, owned by the audit function, whereas CM is a process owned by management. This article will only zoom in on CM.
The added value is acknowledged, but hard to quantify
The benefits of CM are widely analyzed in the academic literature. Not only scientists, but also organizations are aware of the possible benefits. But why are organizations still reluctant to implement CM? According to the conducted surveys and literature the major barrier relates to the quantification of the costs and returns ([KPMG12]), ([Hill16]), ([KPMG13]). Organizations are eager to learn, but shy away from high up-front investments ([Sche13]). In many risk management initiatives the costs are more apparent than the benefits. Besides that, risks are indistinct and prevented failures are barely visible.
Well this is one of the problems initiators of CM are facing when defending their business case to decisions makers. We hope that this article can help them to strengthen their business case. In the remainder of this article we will describe a systematic approach to investigate and present the added value of CM.
A first step in automating the control environment
We described that CM can be used to test the effectiveness of controls on a continuous basis. But when talking about controls we should first distinguish the different types of controls, as CM is not in all cases the best solution to perform and assess them.
Controls can be broken down into two categories: manual and automated controls. Manual controls are controls that are initiated and performed by people. Automated controls are fully implemented and performed automated systems, without the intervention of humans.
When writing about CM we need a further distinction between preventive and detective controls. Preventive controls are in place to prevent errors and inconsistencies from occurring. They are proactive and designed to keep problems away in the first place. Detective controls, on the other hand, are in place to detect errors and inconsistencies after they have happened and have been missed by preventive controls (Figure 1).
Figure 1. Matrix with type of controls.
Preventative and automated controls are favored ([CAPG16]), which can be illustrated by the example of a new car. Would you prefer to have a car which automatically detects a mechanical problem and that prevents you from starting the car to avoid further damage (preventative-automated control); or a car that grinds to a sudden halt when a mechanical problem is detected, ending up with high maintenance costs (manual-detective control)?
Automating controls, especially when they are preventive, will increase both the efficiency and reliability of an organization’s control environments. However, some controls cannot be turned from manual and detective, to automated and preventive. This is the point where CM enters the picture as an instrument organizations can use to further improve the effectiveness of their internal control environment (Figure 1).
CM will continuously analyze a certain behavior and will trigger an alert to the control owner in case of an exception. This control is by nature detective. However CM is able to detect anomalies automatically and can monitor this on a (near) real-time basis. We can for example shift the manual detective control of monitoring possible duplicate vendor invoices to an automated detective control. This is illustrated in the example below, where a distinction is made between the control execution and the control testing activities.
Table 1. Example of a manual detective control versus an automated detective control. [Click on the image for a larger image]
It sounds logical when people state that a mix of automated preventive controls together with (real-time) automated detective controls would be the optimal state for organizations. However, in almost every organization some manual controls will remain.
A supporting model that contributes to your business case
Now we have explained in which control area CM is most valuable the question arises whether and when organizations should embrace it. In order to get better insights into this question we have developed a model that assesses its potential added value, compared to the traditional approach of executing and testing controls manually.
Table 2 shows at a high level the differences between a manual detective control and an automated detective control (CM). Within a manual control environment, control owners have to perform eleven steps to execute and test this particular control. In contrast to this traditional approach, CM reduces the number of steps to four. Instead of performing all manual actions, the control owner only receives a notification when an exception has occurred or a business rule is violated.
Table 2. Manual detective versus automated detective.
This all seems attractive, but how can we assess the added value to support the business case? The model presented in Table 2 can help decision makers in answering the most important questions when deciding to redesign their existing manual controls: Can we save money by making use of automated detective controls? Can we improve the assurance level of our organization and does the quality of our control environment increase?
Table 3. Quantifying Continuous Monitoring Model.
This model categorizes the potential benefits of a CM initiative into three different domains:
Performing a manual control mostly contains three activities: Executing the control, testing the control and reviewing its effectiveness. Efficiency benefits can be assessed by comparing the time it takes to perform the traditional control and the expected time to perform the redesigned automated detective control. If you multiply this with the costs of your resources, it will indicate the efficiency gains.
In contrast to the monetization of the efficiency domain, the model proposes to quantify potential assurance and quality benefits by making use of scales ranging from 1 to 5.
With CM we can automatically assess the entire population of transactions, while in the traditional approach we normally assess the control effectives based on a sample from of the complete set. Besides that, the reporting frequency can also be enhanced. Due to a continuous working control CM is able to automatically detect anomalies and alert on a near real-time basis. By scaling the scope of transactions and reporting frequency of a traditional control and comparing it to the automated detective control, organizations can indicate possible assurance gains.
As depicted in Table 2, CM can replace human interventions by automated components which has the potential to reduce the amount of mistakes during the execution and testing of this error-prone process. Scaling the error sensitivity of performing manual controls and comparing it to the redesigned automated detective control gives organizations an indication of the quality of their control environment. The same goes for the sensitivity to fraud. By making use of automated detective controls, the opportunity of capturing fraudulent activities will increase.
How it works in practice
Let us show you how this model has been used in practice and how it can contribute to assess the added value of CM. Since 2008 an organization operation in the Consumer Goods industry has been maintaining an Internal Control Framework (ICF) that covers multiple business processes for five entities, all in different countries. In the past, an ICF created in Microsoft Excel was in place to mitigate identified risks by performing mainly manual controls. The evidence of these controls were filed in physical binders within each entity.
A few years ago this organization decided to improve the maturity of their control environment by implementing CM. They selected KPMG as their design and implementation partner and selected ten controls to be implemented in CM. This selection was purely based on the organization’s estimate of the efforts it took to perform the particular controls, but it did not take the assurance and quality aspects into account.
We assessed these controls after the implementation to determine the added value of this change from manual detective controls to automated detective controls through the introduction of CM. Two examples are explained below in Figure 2 and Figure 3. Please note that the criteria of the model in Table 3 are used in these figures. The results are presented in a Waterfall chart to indicate an increase or decrease in either monetary terms or level of the control environment. The grey color depicts the traditional control, where the green color presents the control supported by CM.
We again use the possible duplicate vendor invoices control as an example. Instead of logging on to the ERP-system, starting the program, providing parameters, running the report and analyzing the duplicate vendor invoice reports for all five different entities, CM is able to alert a specific stakeholder within the whole organization after it detects a duplicate invoice. Less man hours are necessary to execute and test this particular control, especially when realizing that the control was tested in five different entities. By using the Quantification CM model we determined that the decrease of these manual activities lead to a reduction of 180 man hours. This leads to a reduction of EUR 5.940 euro on a yearly basis, based on an average hourly wage in the Netherlands of EUR 33.
Besides the cost saving that is quantified in financial terms, the level of assurance and quality has increased. The organization for example performed this control on a weekly basis. CM ensured that the control is now executed on a near real-time basis. Furthermore, the organization has argued that they are less sensitive to errors by reducing the manual actions. Moreover, they are less sensitive to fraud due to a faster detection of possible fraudulent activities. We have summarized these benefits and depicted them in Figure 2. Another example (Figure 3) depicts the added value of CM when automating the changes to vendor master data (bank details) control.
Figure 2. Waterfall chart showing the added value of CM for the possible duplicate vendor invoice control. [Click on the image for a larger image]
Figure 3. Waterfall chart showing the added value of CM for the changes to vendor master data control. [Click on the image for a larger image]
Through the implementation of CM the organization can save EUR 1.386 on labor costs per year. These labor hours can be saved through a similar reduction of manual activities as with the possible duplicate vendor invoices control. The testing of this control in CM is less labor intensive than testing the traditional control. In the past, the generated SAP report contained all modifications such as a changed vendor address, zip code, representative and so on. CM enables the case organization to only assess changed bank account numbers. This has decreased the testing efforts of the control. Additionally, as with the duplicate invoice control the Quality and Assurance has increased. For example, due to more targeted and specified reports the respondent argues that the sensitivity to errors and sensitivity to fraud has decreased.
By making use of the proposed model the organization was able to identify that the change from manual detective to automated detective controls, by the introduction of CM, was successful; in terms of cost efficiencies, the degree of assurance and the quality level of their internal control environment. The organization argued that the model can certainly be of value by the decision on whether and how to implement CM; it would certainly contribute to the business case and control selection process.
The model is a first endeavor that can be used ex-ante, where it can help organizations reviewing whether the change from manual detective to automated detective controls is worthwhile, or ex-post where it can support the organizations in evaluating the implementation of CM.
With the introduction of this model we hope to contribute to the long journey of CM. We strive to remove a piece of the existing implementation barriers. As there are just too many opportunities by the introduction of this technology, it is now time to make these visible and embrace CM!
[CAPG16] Capgemini, Digital Risk – Why Do We Leave the Front Door Open?, 2016.
[Hill16] R. van Hillo, Continuous Auditing and Monitoring: Continuous Value?, 2016.
[KPMG12] KPMG, Continuous Auditing and Monitoring: The Current Status and The Road Ahead, 2012.
[KPMG13] KPMG, Continuous Auditing and Monitoring: Are Promised Benefits Now Being Realized?, 2013.
[KPMG16] KPMG, Building trust in analytics: Breaking the cycle of mistrust in D&A, 2016.
[SANS16] SANS Institute, What Are Their Vulnerabilities: A SANS Survey on Continuous Monitoring, 2016.
[Sche13] B. Scherrenburg, K. Klein Tank en M. op het Veld, Continuous Auditing & Continuous Monitoring (CA/CM): How to Overcome Hesitation and Achieve Success, 2013.