A technology that monitors ERP and financial application transaction controls is an emerging tool in the governance, risk and compliance (GRC) market, according to Gartner.
Continuous controls monitoring for transactions can help lower compliance costs by eliminating a lot of manual sampling of transactions and improve financial governance and operational performance, Gartner analysts Paul Proctor and French Caldwell wrote in a report earlier this year. Continuous controls monitoring for transactions, they said, was the "next frontier for GRC automation."
Auditors use the technology to verify that controls are working inside of ERP systems, Proctor said in an interview. For example, a company may require two signatures on a check for more than $50,000; the control to enforce that policy may be in the ERP system or it may just be a procedural control. Continuous controls monitoring for transactions can help auditors verify the control in the system is working properly, he said. Management, meanwhile, can use the technology to catch accidental or fraudulent duplicate payments.
"The whole idea of continuous controls monitoring is that we're watching these things on an ongoing basis," Proctor said.
Although the technology has been around for a while, an organization needs to be at a higher level of maturity to have interest in it, he said. "It's not a big market yet, but organizations are moving towards being more proactive and they're always improving their maturity so I would call this 'the future', not 'the today'."
San Francisco-based Union Bank then may be a little ahead of the curve. The bank, which has more than 10,000 employees and 321 branch offices, started implementing continuous controls monitoring as part of its audit program about six years ago, said Dave Hanson, professional practices manager at Union Bank.
"The idea was to be more responsive to the risk environment at the bank," he said. "The initial implementation was to look at risk factors we thought might be indicators of what was happening and might drive where our audit work should be going."
Union Bank uses software from Vancouver, British Columbia.-based ACL Services Ltd., which helps auditors take data from completely different systems to compare data and develop reports, Hanson said. The software's flexibility helps auditors find issues quickly, he said.
For example, ACL makes it easy for bank auditors to take all the payroll checks issued during the period under review and analyze the data for duplicate transactions, said Stephen Sinclair, audit relationship manager at Union Bank.
The software is useful in conducting "database reconnaissance," and helps auditors quickly direct their focus on anomalies, said Shane Schultz, computer-assisted audit techniques applications leader at the bank. For instance, an analysis of fee reversals revealed control weaknesses; some customer deposits were erroneously coded as a fee reversal.
"We plowed through two billion transactions and identified customers where it looked like there were more fees reversed than fees collected… We were able to bring that to management's attention," Schultz said.
ACL also helps monitor possible employee fraud by allowing the bank to link suspicious deposit account activity to employees via addresses and phone numbers, Hanson said. Those "fuzzy logic" capabilities also are beneficial for Bank Secrecy Act compliance, Sinclair said. The BSA includes requirements to report transactions involving foreign consulates; the bank has coding to identify high-risk accounts, but with ACL, it was able to compare a list of foreign consulate employees and addresses to its customer database and identify accounts that weren't properly coded, he said.
"The fuzzy logic capabilities facilitate matching addresses that may not be character for character the same," he said.
Proctor said ACL takes more of an auditor perspective to CCM-T. Another vendor, Atlanta-based Oversight Systems Inc., takes more of the business management approach, he said. Other vendors in the space include Oracle, SAP, Approva Corp., Security Weaver, and Infogix Inc., according to Gartner.