Following the wave of adoption of solutions for documenting and assessing internal controls as required by Sarbanes-Oxley Section 404 and OMB Circular A-123, software for ongoing monitoring and optimization of internal controls is rapidly emerging. Whereas testing of controls on a sample basis is labor-intensive and incomplete, continuous controls monitoring solutions can test and validate controls for virtually every transaction. These solutions, in some cases, can also be used to prevent controls violations from occurring by enforcing controls during transaction execution. Approaches by controls monitoring vendors vary from analysis of transactional data to controlling access and monitoring proper application of business rules.
Documenting internal controls is only a first step
Many companies have been through their first round of compliance under Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) to document and assess internal controls related to financial reporting. While the SOX effort proved to be labor-intensive and expensive for many companies, it generally promoted a better understanding of the controls environment, leading to the correction of some deficiencies and better standardization of the controls and related business processes.
The general approach to SOX 404 compliance has been to respond based on the periodic timing of the financial reporting cycle. Going forward, continuous – rather than periodic – monitoring of internal controls will be necessary to optimize the controls environment and provide better assurance of reducing errors and discouraging fraud.
Continuous controls monitoring implies automation
To assess the effectiveness of internal controls that are documented as part of the SOX compliance process, auditors periodically apply tests of transactions on a sample basis. Sampling, of course, cannot be expected to detect every error or instance of fraud, since the vast majority of transactions go untested.
Rather than test periodically using a limited sample, what if every transaction could be used to detect errors and controls violations? Better yet, what if the controls monitoring occurred on a real-time or near-real-time basis and included measures to prevent controls from breaking down?
Detection and prevention are the goals of continuous controls monitoring solutions. Accomplishing these goals requires tools that can handle large volumes of transactions and a rules engine that applies the documented controls to that transaction data.
Continuous controls monitoring is an emerging market
Many companies that have survived the initial hurdle of meeting the SOX compliance deadline are looking for ways to further automate and improve controls. Several vendors have emerged to help companies meet the controls automation and monitoring challenge. In fact, the number of software vendors attempting to address this need is expanding rapidly, due to SOX’s strong bandwagon effect.
Continuous monitoring capabilities may be analytical or embedded
From a SOX internal controls perspective, the following continuous monitoring capabilities are relevant to consider:
• Applications access and segregation of duties (SoD) controls. Access control and SoD monitoring help ensure that business users hold only the access privileges appropriate to their role, in order to limit opportunities for fraud (e.g. paying oneself or a related party) and to ensure that transactions are properly authorized and approved. ERP systems have some of these capabilities built in, but additional controls monitoring capabilities may be needed.
• Transactional controls data analysis. Data is extracted from transactional systems and analyzed against predefined criteria to detect potential controls issues, such as duplicate payments, timing issues, and other errors or anomalies.
• Business process execution controls. As business processes are being carried out, controls can be applied to enforce specific business policies or to detect unusual transactions that fall outside normal tolerances (e.g. dollar amounts). The controls monitoring capability can provide alerts, notifications or reports based on predefined thresholds or conditions, which can trigger remediation after the fact or block the transaction before it completes.
Software solutions for continuous controls monitoring may provide one or more of these capabilities. Approaches differ from vendor to vendor, and it may be worth considering multiple solutions that complement one another, such as solutions in access controls and analytics.
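The three capabilities listed above can be illustrated with a small, self-contained script. This is an added example written for this page, not code from any vendor named here; the role-to-action mapping, the SoD conflict pairs, the 30-day duplicate window, the approval threshold and all of the user and payment records are constructed assumptions. It runs offline and returns findings from named functions rather than only printing them.

```python
"""Added example: the three continuous-controls checks described above
(SoD conflicts, duplicate-payment analytics, threshold enforcement) over
constructed data. Role names, conflict pairs, limits and records are
illustrative assumptions, not any vendor's rule library."""
from collections import defaultdict
from datetime import date
from itertools import combinations

# --- 1. Applications access / segregation of duties ------------------------
# Hypothetical role -> capability mapping (assumption).
ROLE_ACTIONS = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_invoice"},
    "TREASURY": {"release_payment"},
    "AUDITOR": {"view_ledger"},
}
# Capability pairs a single person must never hold together (assumption).
SOD_CONFLICTS = {
    frozenset({"create_vendor", "release_payment"}),   # create a payee, then pay it
    frozenset({"enter_invoice", "approve_invoice"}),   # enter, then self-approve
}

def sod_violations(user_roles):
    """Return {user: [(action_a, action_b), ...]} for every user whose
    combined roles grant both halves of any conflict pair."""
    findings = {}
    for user, roles in user_roles.items():
        actions = set().union(*(ROLE_ACTIONS.get(r, set()) for r in roles))
        hits = sorted(tuple(sorted(c)) for c in SOD_CONFLICTS if c <= actions)
        if hits:
            findings[user] = hits
    return findings

# --- 2. Transactional data analysis: duplicate payments --------------------
def duplicate_payments(payments, window_days=30):
    """Flag pairs of payments to the same vendor for the same amount whose
    dates fall within window_days of each other. Returns [(id_a, id_b), ...]."""
    by_key = defaultdict(list)
    for p in payments:
        by_key[(p["vendor"], p["amount_cents"])].append(p)
    dupes = []
    for group in by_key.values():
        group.sort(key=lambda p: p["date"])
        for a, b in combinations(group, 2):
            if (b["date"] - a["date"]).days <= window_days:
                dupes.append((a["id"], b["id"]))
    return dupes

# --- 3. Business process execution controls: thresholds --------------------
def threshold_alerts(payments, limit_cents=1_000_000, approvals_required=2):
    """Payments above limit_cents that carry fewer than the required number
    of approvals. In a preventive deployment this check would run before the
    payment is released; here it simply returns the offending payment ids."""
    return [p["id"] for p in payments
            if p["amount_cents"] > limit_cents
            and p["approvals"] < approvals_required]

# --- Constructed sample data (assumptions) ----------------------------------
USER_ROLES = {
    "alice": {"AP_CLERK", "TREASURY"},     # can create a vendor and pay it
    "bob": {"AP_CLERK"},
    "carol": {"AP_MANAGER", "AUDITOR"},
    "dave": {"AP_CLERK", "AP_MANAGER"},    # can enter and approve an invoice
}
# Amounts are integer cents to keep equality checks exact.
PAYMENTS = [
    {"id": "P1", "vendor": "V100", "amount_cents": 420_000, "date": date(2005, 3, 1),  "approvals": 1},
    {"id": "P2", "vendor": "V100", "amount_cents": 420_000, "date": date(2005, 3, 10), "approvals": 1},  # 9 days after P1
    {"id": "P3", "vendor": "V200", "amount_cents": 1_500_000, "date": date(2005, 3, 12), "approvals": 1},  # over limit, one approval
    {"id": "P4", "vendor": "V100", "amount_cents": 420_000, "date": date(2005, 6, 1),  "approvals": 1},  # same key, outside window
    {"id": "P5", "vendor": "V300", "amount_cents": 2_500_000, "date": date(2005, 3, 15), "approvals": 2},  # over limit, properly approved
]

def run_checks(user_roles=USER_ROLES, payments=PAYMENTS):
    """Run all three checks and return one report dict."""
    return {
        "sod": sod_violations(user_roles),
        "duplicates": duplicate_payments(payments),
        "threshold": threshold_alerts(payments),
    }

if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The SoD check is an analytical (after-the-fact) control over access data; the threshold check is the same logic a preventive control would apply at execution time, the only difference being whether the result blocks the transaction or merely reports it. Real deployments tune the duplicate window and amount limits per process, and typically add fuzzier matching (near-identical invoice numbers, transposed digits) that this example omits.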
Solution leaders are starting to emerge
To date, Virsa Systems and ACL Services provide the most traction in continuous controls monitoring. SAP resells Virsa’s Compliance Calibrator product, providing access control and segregation of duties assurance with SAP’s applications. ACL builds on its heritage in audit software to provide an analytics solution for monitoring controls in the context of financial transactions.
In addition to the varying approaches being taken by these vendors and the technologies used, the levels of business content (e.g. controls and SoD libraries) and process context (e.g. accounts payable) are differentiators.
For SOX, focus on relevant financial controls
The umbrella of risk management and IT security is broader than, and in some cases out of scope for, what is necessary to meet SOX compliance obligations. The goal of internal controls is to provide reasonable assurance that errors are minimized and fraud is reduced in relation to financial reporting.
To optimize and monitor internal controls to support SOX compliance efforts, focus on solutions that support the business context. This includes solutions that address key business processes, including those related to payments, revenue recognition, cash, and fixed assets. It also includes access and use controls related to enterprise applications (including ERP). Beware of vendors touting SOX-related silver bullets for controls compliance whose solutions are unproven or so narrowly focused that they do not address the key material risks related to financial reporting.
Internal controls evaluation and monitoring will merge
SOX compliance vendors focused on documenting and evaluating internal controls will need to acquire, build, or partner to deliver continuous controls monitoring capabilities in order to stay viable in the market. The recent announcement of a partnership between OpenPages and Oversight Systems reflects this trend. We expect more partnerships of this type to develop, and we also foresee potential acquisitions of continuous monitoring technology by established SOX documentation vendors. Building a continuous controls capability from scratch will likely take too long due to the fast-moving pace of this emerging market, making acquisitions and partnerships a more viable option. SAP is in a good position to take advantage of the complementary controls evaluation and monitoring relationship with its own SOX documentation product (MIC) and its close ties to Virsa Systems.