Basis for a Unified Framework

Within organizations it is not uncommon for there to be some confusion over the ownership of, and need for, Continuous Auditing (CA) and Continuous Monitoring (CM).

CA is dealt with in greater detail in its own section. It relates to a unifying structure that embraces risk assessment, control assessment, audit planning and other audit tools and techniques. 


CM, on the other hand, is a process that operational management puts in place to ensure that its policies, processes and procedures are operating effectively.

Critical control metrics are identified and automated tests are put in place to ensure that these are working properly and within tolerance. They are performed on an ongoing basis at a frequency determined by management in order to meet its requirement to assess the effectiveness of its controls. CM is often used in association with Key Performance Indicators (KPIs) in order to track performance.

Unlike reactive, backward-looking systems that simply identify that a KPI has or has not been achieved, Categoric's solutions enable ongoing performance management and correction if things are moving off track or out of tolerance. From a management perspective it is much better to find out that things need sorting out while there is still time to correct them and bring them back under control...

CM is therefore a management responsibility, whereas CA sits within audit. In many instances CA is a key element used in management around Governance, Risk and Compliance (GRC).

A solution that Audit would like the business to use

It has been our experience that Categoric's solutions are sometimes sponsored by the Internal Audit department to the business units (in the nicest possible way) as a method of implementing their necessary controls within those areas.


Whereas they may have started off looking for a solution in the GRC space, audit subsequently realized that Categoric's solutions could also be enjoyed by operations while still serving their own particular needs. Where it is adopted by the business, the internal audit function is able to significantly reduce its testing and, after evaluating the management monitoring process, can from that point onwards rely on the output from the CM system for its own purposes.

One rule can spawn many processes
A key benefit of Categoric's solutions is that detection of a business event can be decoupled from the various actions that may be executed as a result. This means that from one simple event many different processes can subsequently be executed, each one performing a different function relevant to the intended recipient's business role.

For example, if Goods Inwards have received components and, through sample testing, detect out-of-tolerance components, they will usually issue a non-conformance report and reject the components. One business rule could be to look for non-conformance or rejected goods reports being added to the system. There are then likely to be at least four parties that may be interested in this event:


  • Purchasing may now have to investigate alternative suppliers if the parts are totally rejected.
  • Manufacturing may have to replan their schedules in order to keep the production lines busy.
  • Transportation may have to replan delivery schedules to accommodate any new manufacturing completion dates.
  • Account managers may have to manage the customers' delivery expectations or liaise with them to accept a lesser number of manufactured goods within the originally agreed time frame.

Categoric's solutions will provide all of the interested parties with sufficient information to allow them to make the most informed choices and in many instances can automatically perform additional steps on their behalf.

Another example would be using Categoric's solutions to detect a system control being "turned off" or adjusted. In this situation a detailed summary can be automatically sent to the audit team informing them of this. In addition, perhaps a specific fraud officer might be informed, while simultaneously a form could be sent by email to the operational area asking whether the change was deliberate, how long the control is expected to be turned off for, etc. Responses to these messages can be solicited and tracked for audit purposes.



So, Categoric's solutions provide the basis for an overall Unified Framework that links the various stakeholder areas together and allows a "joined up" view of assurances made towards effective and efficient operations, internal financial control and compliance with laws and regulations.

In this way the solution could knit together management systems and help deliver:


  • Visibility and control of information around KPIs, which allows management to automatically monitor the key organizational and financial activities and risks.

  • Monitoring of progress towards financial objectives, and identification of developments that require intervention (e.g. real vs. predicted performance against forecasts and budgets).

  • Ongoing monitoring and evaluation of risks identified from the control environment.

  • Consolidation of information from disparate systems, which provides ongoing identification and capture of relevant, reliable and up-to-date financial and other information from internal and external sources.

  • A system which communicates relevant information to the right people at the right time in the format they want and which allows a prompt response to any exposed variances.



 

 
Copyright 2007 WKD Solutions Limited Incorporating Categoric Software