October 2011 | Charter 57
audit procedures, consider the following: if
there are 1 million transactions for the period,
how does management identify which are
the top 50 exceptions that need investigation
now? What were the causes and how does
management ensure these do not recur
(by way of change control, improve policy,
training and so on)?
A key change to traditional audit reporting is
the management of exceptions until resolved,
not by audit but by the business owners. It is
all about allocating the exception to the right
person and ensuring an effective follow-up
on a timely basis. The auditor can then draw
intelligence from the follow-up to identify
emerging trends in control breakdowns and
opportunities for process improvement. The
auditor knows that the controls are being
checked and mitigated instantly, instead of
having to wait for a board meeting to table
Most managers are aware that hard-copy
exception reports often languish under desks.
The absence of a means to monitor the
management of the identified exceptions often
means that lengthy periods elapse before
exceptions are reviewed and actioned – if
ever! All exceptions should be managed to
completion irrespective of from where they are
sourced (business intelligence, ERP, log files
or even active directory). The ability to gather
exception data and manage its progress
marks an evolutionary step from continuous
monitoring to total exception management.
Continuous monitoring of controls is not the
same as inspecting the integrity of transactions.
SO WHAT IS CCM?
Confusion in the use of terminology can
contribute to organisations avoiding the
issue. Only rarely can controls be directly
tested for effectiveness using technology
solutions. Continuous control monitoring
(CCM) reviews all transactional data sets for
evidence of control effectiveness. A typical
test is for a duplicated invoice entry. If the
exceptions reveal few genuine duplicates
over time, then a reviewer can infer that the
key controls are operating effectively. In
contrast, regular genuine duplicates may
indicate either potential fraud or control
ineffectiveness. CCM is usually an inferential
process. It could infer that no-one has yet
circumvented the controls, but what about
To successfully implement a CCM
application, you would need to have:
> Data accessibility and availability
> Political support at a senior level within
> Sufficient resources, expertise and technology
to make CCM robust and sustainable
> Manageable output – not too many
exceptions that the task becomes onerous.
Implementing CCM applications can
be straightforward providing the tools
are available. The challenge arises in
accessing the data (permission) and then
gathering the data (availability) as the IT
landscape can be populated with legacy
(older) systems which have been made to
work with more recent applications. CCM
applications require data from more than
one platform, eg matching vendor details
with employee details.
A CCM CASE STUDY
An Australian wholesaler has developed a
robust and fully automated CCM infrastructure
that touches on most points of key processes.
The business tests the daily invoice transaction
files for potential duplicates. The business
purchases some $10 billion of trade items
annually and processes more than 5 million
accounts payable transactions.
The duplicate invoices CCM application runs
daily and tests the previous 18 months’ invoices
for various duplicate combinations. The results
are automatically forwarded to nominated
individuals via specialist workflow software. The
workflow software monitors the closures of
the items and gathers data on the root causes
and actions taken. Higher risk transactions are
reviewed by internal audit and the trends and
exception performance are measured.
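The daily duplicate test described in this case study can be illustrated as follows. This is an added example, not the wholesaler's own application: the invoice records, the two duplicate combinations, their risk scores and the month-start approximation of the 18-month window are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample data: (id, vendor, invoice_no, invoice_date, amount_cents)
INVOICES = [
    (1, "V100", "INV-00123", date(2011, 3, 1), 150000),
    (2, "V100", "inv00123", date(2011, 3, 4), 150000),   # same number re-keyed
    (3, "V200", "7781", date(2011, 5, 10), 32050),
    (4, "V200", "7782", date(2011, 5, 10), 32050),       # same vendor/date/amount
    (5, "V300", "A-1", date(2009, 1, 5), 9900),          # older than 18 months
    (6, "V300", "A1", date(2011, 6, 1), 9900),
    (7, "V400", "555", date(2011, 6, 2), 1000),
]

def normalise(invoice_no):
    """Drop case and punctuation so re-keyed invoice numbers collide."""
    return re.sub(r"[^A-Z0-9]", "", invoice_no.upper())

# Assumed duplicate combinations: (name, risk score, key function); amount is last in key.
RULES = [
    ("vendor+number+amount", 3, lambda v, n, d, a: (v, normalise(n), a)),
    ("vendor+date+amount", 2, lambda v, n, d, a: (v, d, a)),
]

def window_start(run_date, months=18):
    """First day of the month `months` before run_date (a simplification)."""
    total = run_date.year * 12 + run_date.month - 1 - months
    return date(total // 12, total % 12 + 1, 1)

def find_duplicates(invoices, run_date, months=18, top_n=50):
    """Return the top_n exceptions, highest risk then largest amount first."""
    start = window_start(run_date, months)
    recent = [inv for inv in invoices if start <= inv[3] <= run_date]
    seen, exceptions = set(), []
    for name, risk, key in RULES:  # strongest rule first, so a pair is reported once
        groups = defaultdict(list)
        for inv_id, v, n, d, a in recent:
            groups[key(v, n, d, a)].append(inv_id)
        for k, ids in groups.items():
            ids = tuple(sorted(ids))
            if len(ids) > 1 and ids not in seen:
                seen.add(ids)
                exceptions.append({"rule": name, "risk": risk, "ids": ids, "amount": k[-1]})
    exceptions.sort(key=lambda e: (-e["risk"], -e["amount"]))
    return exceptions[:top_n]

if __name__ == "__main__":
    for exc in find_duplicates(INVOICES, date(2011, 10, 1)):
        print(exc)
```

Each returned exception would then be allocated to a business owner and tracked to closure; that workflow step is outside this example.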
The major benefit is that management can
gain assurance that all the exceptions are
being tracked to completion and resolved. A
secondary benefit is that the legacy exception
reports, once gathered into CCM, can be
modified and improved without having to
involve IT or programming. A third potential
benefit is in the nature, timing and extent of
work the external auditor may view as being
necessary. In situations where strong controls
are implemented and are operating effectively,
the external auditor is more likely to be able
to reduce the amount of detailed testing they
consider appropriate in the circumstances.
CONCLUSION AND BENEFITS
Once CCM is established (and continues to be
developed), it takes on elements of a production
application and must be managed as such with
adequate controls and systems in place, for
example back-ups and support, especially as
the user base and related reliance grows.
In the above case study, once the potential
was fully understood, the business has
strongly adopted CCM and it has more than
repaid any development costs through cost
savings, improved accounting and the timely
identification of control breakdowns.
Once a critical mass is achieved, however,
CCM has the potential to add substantial
value across an organisation.
External audit can now rely on the CCM
process and have greater assurance and
reliance that the controls are sound.
At its core, data analytics and CCM
operate to give management and the board
greater assurance about their businesses. It
helps foster an attitudinal shift from “I think…
I hope there isn’t any” to a state of “I know”.
The adoption of a proactive stance on
ensuring transactional integrity improves the
confidence a business and its board has in
key organisational processes.
Glen Laslett FCA is group audit manager at Metcash.
Gavin Steinberg is managing director at Satori Group.
[Figure: labels include "Value-add for client", "Increased contribution to business improvement" and "Total exception management".]