Using a computer to automate and implement continuous monitoring (CM) in IT has been around for decades. It was adopted early by IT auditors and IT security specialists, and later used to monitor transactions by operations and financial managers.1 Since the early 1990s, monitoring has been a key component of internal controls systems as defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).2 Consequently, many companies utilize continuous transaction monitoring.
However, there have always been many hurdles to overcome to make it truly effective, including the high cost of software acquisition, getting on the company’s IT platform and the complexity of remediating exceptions within the software itself. These hurdles have made monitoring transactions an uphill battle.3
“Although many companies have made impressive strides in adopting and deriving value from their initial CM efforts, in general, current usage remains slight relative to its potential.”4 Reasons cited include the need for capital investment and building the business case for the capital investment.
Big Data and the Cloud
The growth of big data has added to the interest in and need for more continuous monitoring to advance business processes. To accompany the growth of big data, and uncomplicated continuous transaction monitoring, a star in the software industry has emerged—the cloud.
The cloud computing system is made up of two “ends,” a front and a back end, usually connected by the Internet. The front end is the side the client sees, and the back end is made up of data servers and storage systems. Together, they comprise the total cloud. Since information and applications are stored in one place, cloud computing eliminates the need to load different software systems onto individual computers and allows for greater access and collaboration between employees and team members.
The cloud-based approach is changing the software industry, with many technology companies moving from enterprise resource planning (ERP) to Software as a Service (SaaS) models. Rather than be defeated by changing times, one company, described below, revolutionized its product offering to remain competitive and expand the use of analytics and monitoring.
Oversight Systems, a technology company in Atlanta, Georgia, USA, had been in business for nine years, and pre-2012, the mainstay of its business was providing continuous transaction monitoring for clients on a daily basis. The software was popular, but installation of the software onsite at a client’s office meant a high purchase price and lengthy sales cycle.
In 2013, Oversight decided to change its entire approach for two reasons. First, after many years, the markets had shifted and most clients found they did not need onsite, daily transaction monitoring. Second, this technology shift meant many clients wanted a lower-cost, lower-maintenance solution. Oversight decided to move to a SaaS model instead, and its latest product, Oversight Insights On Demand, is the result of that shift. Insights on Demand is a web-based application with specific monitoring applications designed to deliver analytics quickly and effectively.
For example, spending managers can use the modules to assist them in making better business decisions. The application still monitors 100 percent of training and education (T&E) and payment card (P-card) data, but delivers the analysis of those data at the desired frequency of the company.
While examples of companies making the switch to the cloud and/or adding SaaS modules are rising, a preeminent example of a leader in the trend is Salesforce.com, now the world’s leading cloud-based customer relationship management (CRM) application.5 A tangent benefit of the cloud is the expanding breadth of implementation from very large companies to small and medium-sized entities.
The implementation of CM has been hampered by many hurdles over the years, including, as noted previously, the high cost of software acquisition, hardware costs and annual maintenance, building the related business case for capital expenditures, getting software onto the company system in data centers, and the complexity of remediating issues with the software.6 Clearly, the advantages of the new model based in the cloud are manifold. For example, according to Oversight Chief Executive Officer Patrick Taylor, “The cloud-based model means all data are safely stored and retrievable. Costs are lower because equipment purchases are avoided, and by making the service available on demand, companies can determine frequency of analysis, offering them more flexibility in the costs.”
Major concerns of the cloud-based approach are the obvious privacy and security issues, especially in light of recent data breaches such as the Heartbleed bug in early 2014 and the Target data breach in late 2013. While security and privacy are always concerns with cloud-based software, the monitoring systems can address these concerns by using hashing algorithms that anonymize information that may be considered sensitive and by not asking for nonessential sensitive data, such as full social security and credit card numbers that are not needed for the analytics process.
Convenience and pricing aside, there are additional advantages to the cloud-based model. Since data for multiple customers are stored in one place, algorithms and statistics improve as the customer base enlarges. This allows for ever-improving analytics, which become more refined, benefiting all companies using the system.
“Now we have one cloud auditing another cloud,” Taylor said of Oversight’s Insights On Demand product. “We use everyone’s data to benchmark individual client progress and savings. Having more customers and data means we can better determine the outliers, which allows us to better find risk and fraud. The cloud reduces the gray area while simultaneously making a monitoring system more manageable.”
Insights On Demand early adopters are already reaping the benefits of the new approach. For example, a travel manager in the manufacturing industry knew she needed a better way to develop analytics around her company’s T&E spending, but did not have enough budget to buy a software solution. She knew she would need a business case to prove the solution provided value before she could spend the money. Since Oversight now offers a free trial, where the company analyzes 90 days’ worth of data, she was able to prove return on investment (ROI) before she purchased the product.
Improving Policies for Ongoing Improvement
Digging deeper into policies, one can see the black and white of the travel policy and the inevitable gray area of employee behavior. Fraud is a very small percentage of any T&E program, but there are still many ways a program can lose money, other than blatant fraud. A cloud-based CM system helps shrink the amount found in that gray area by letting employees know someone is watching their spending habits for noncompliance.
Role for Internal and IT Audit
“Although CM is a business operations issue, internal auditors, due to their familiarity with continuous auditing (CA), often become the champions of CM programs.”7
In my time as a chief audit executive, I looked for ways to go beyond audit and add to the control infrastructure of the business. I call these “positive deliverables.”8 Recommending CM is a classic example of a positive deliverable from audit and compliance departments.
The cloud allows improved monitoring for compliance, fraud and independent audit in near-real time with a significant potential savings impact. Even though the security concerns are very real, they can and are being addressed and I have no doubt the cloud is here to stay.
Endnotes
1 Cangemi, Michael P.; “From Continuous Auditing to Continuous Monitoring: You Should Be the Champion,” ISACA Journal, vol. 4, 2012
2 COSO was formed in part to help define internal control after the passage of the US Foreign Corrupt Practices Act.
3 Ramamoorti, Sridhar; Michael P. Cangemi; William M. Sinnett; “The Benefits of Continuous Monitoring,” Financial Executives Research Foundation (FERF), 2011, www.ferf.org or www.canco.us
4 Ibid.
5 Salesforce.com, www.salesforce.com/
6 Op cit, Ramamoorti
7 Ibid.
8 Cangemi, Michael P.; Tommie Singleton; Managing the Audit Function, 3rd Edition, John Wiley & Sons, www.canco.us
Michael P. Cangemi, CISA (retired), CPA, CGMA, is an author and business advisor, with a significant focus on technology for business and specifically continuous monitoring and analytics for governance, risk and compliance (GRC) and business process improvement. He is the former president, CEO and director of Etienne Aigner Group Inc., and president and CEO of Financial Executives International. He is the president of Cangemi Company LLC, which he founded, and through which he serves as senior advisor and director to various companies and manages his other business interests. Cangemi was the editor in chief of the ISACA Journal from 1987 to 2007.