Thursday, November 10, 2005
Continuous Controls Monitoring: Where To Start?
Q. Where do I start?
With CCM, a good place to start is in areas of high exposure where you know or suspect violations are occurring. After you install the software, run it and see what the testing process comes up with.
Are there a disproportionately high number of errors in a particular process?
Are there any patterns that have emerged that can pinpoint source(s) of errors?
Another strategy: start from the outside and work your way back in. For example, examine your customer- or supplier-facing processes first, and then examine the internal processes that support them. Spotting a fraudulent invoice from a vendor or sniffing out duplicate payments is significantly more straightforward and can have a quicker Return on Investment (ROI), especially when compared to an internal process such as managing security settings in an ERP system. Much of the security work that supports segregation-of-duties requirements forces companies to untangle some snarly situations. Examining these outward-facing processes and transactions first can point to basic flaws in your internal processes. It’s tough to see where the security violations are happening in your ERP system if you can’t see what results they are producing or allowing.
Q. Where is the ROI for CCM?
Continuous controls monitoring software provides two kinds of ROI:
Soft dollars come from time saved manually testing controls. Once the software is up and running, companies spend fewer hours testing for their internal audit.
Hard dollars come when companies find errors or fraud and recoup money. In turn, the software can quickly pay for itself, and this helps buyers create a strong business case for implementing the software in even more areas of the business, even outside traditional financial processes.
Each panel participant presented several good case studies on how companies recouped the cost of the software quickly, sometimes within weeks, usually within months. Oversight Systems presented a particularly compelling example: a supplier was billing two divisions of the same company, one in the United States and the other in Mexico. Because the two divisions’ ERP systems didn’t talk to each other, both divisions paid the supplier, and there was no way to check across divisions. The company implemented the Oversight software and within minutes found duplicate payments that nearly paid for the software on the spot. That’s a textbook definition of quick ROI.
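The cross-division duplicate-payment check described above, written out as an added example (not Oversight's product or code): two constructed accounts-payable extracts, one per division, are joined on a normalized vendor ID and invoice number, and a second pass flags same-vendor, same-amount payments that fall within a date window even when the invoice numbers differ. Record layout, field names and the 30-day window are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Payment:
    division: str   # which ERP instance the payment came from
    vendor_id: str
    invoice_no: str
    amount: float
    paid_on: date


def normalize_id(value: str) -> str:
    # "INV-1001", "inv 1001" and "Inv#1001" all collapse to "INV1001";
    # without this, the two systems' formatting differences hide the match.
    return re.sub(r"[^A-Z0-9]", "", value.upper())


def find_duplicate_payments(ledgers, window_days=30):
    """Return (exact, suspected) duplicate groups across all ledgers.

    exact:     same vendor and same normalized invoice number paid more than once.
    suspected: same vendor and same amount within window_days, different invoice numbers.
    """
    by_invoice = defaultdict(list)
    by_amount = defaultdict(list)
    for payments in ledgers.values():
        for p in payments:
            vendor = normalize_id(p.vendor_id)
            by_invoice[(vendor, normalize_id(p.invoice_no))].append(p)
            by_amount[(vendor, round(p.amount, 2))].append(p)
    exact = [tuple(ps) for ps in by_invoice.values() if len(ps) > 1]
    suspected = []
    for ps in by_amount.values():
        ps = sorted(ps, key=lambda p: p.paid_on)
        for i, a in enumerate(ps):
            for b in ps[i + 1:]:
                if normalize_id(a.invoice_no) == normalize_id(b.invoice_no):
                    continue  # already reported as an exact duplicate
                if (b.paid_on - a.paid_on).days <= window_days:
                    suspected.append((a, b))
    return exact, suspected


# Constructed sample extracts: the US and Mexico divisions each paid invoice 1001.
LEDGERS = {
    "US": [Payment("US", "V-4471", "INV-1001", 12500.00, date(2005, 9, 2)),
           Payment("US", "V-4471", "INV-1002", 980.00, date(2005, 9, 15)),
           Payment("US", "V-2210", "A-77", 410.00, date(2005, 9, 20))],
    "MX": [Payment("MX", "v4471", "inv 1001", 12500.00, date(2005, 9, 9)),   # same invoice, paid twice
           Payment("MX", "V-4471", "INV-1009", 980.00, date(2005, 9, 30)),   # same amount, 15 days apart
           Payment("MX", "V-2210", "A-78", 410.00, date(2005, 12, 1))],      # outside the window
}
```

The exact match surfaces only because vendor and invoice identifiers are normalized before the join; the suspected pair is the kind of finding that needs a human to confirm before recovery is attempted.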
posted by Brian Moran @ 9:46 AM