Transaction Controls Monitoring Can Improve Productivity and Financial Governance
Transaction controls monitoring can lower the costs of compliance, increase the productivity of internal auditors and improve financial governance. TCM also supports continuous monitoring and continuous audit.
- Transaction controls monitoring (TCM) is a governance, risk and compliance (GRC) technology that monitors ERP and financial application transaction controls to improve financial governance and automate audit processes.
- TCM ensures that business rules and policies are effective, reduces compliance and audit costs, monitors for fraud, and supports risk management. TCM is a subset of continuous controls monitoring (CCM), which also includes segregation of duties, and master data and application configuration controls monitoring.
- TCM can produce a measurable ROI by identifying failures of internal controls. TCM also supports continuous monitoring (CM) and continuous audit (CA).
- TCM can be applied in both homogeneous and heterogeneous financial application environments. TCM is simplest and least expensive to apply in a homogeneous ERP environment for which the vendor has a preconfigured controls library.
- Enterprises should consider TCM if they want to lower compliance and audit costs, improve financial governance, or improve financial organization operational performance.
- In a homogeneous ERP environment, consider the ERP vendor's TCM solution and compare it to other TCM vendors that have solutions for that ERP vendor.
- In a heterogeneous ERP environment, if a financial process involves more than one ERP system — for instance, invoices are in one and payments in another — compare the costs of extending one of the ERP vendors' TCM solutions to the other ERPs with other TCM vendors that have solutions that are not specific to a given ERP vendor.
Financial processes have many business rules and policies governing transactions that are well-suited for automation. ERP financial applications enable automation of these rules as controls, but not their automated monitoring. TCM technologies are applied automatically and periodically to monitor the automated controls for processes that are repeatable, consistent and predictable. TCM can produce a financial ROI by identifying exceptions or failures of internal controls for transactions, which, in turn, may be due to operational deficiencies or control gaps.
Critical financial processes — such as travel expense management, order to cash and procure to pay — have many business rules or policies associated with them that address accounting, reliability and anti-fraud issues. To ensure that policies and rules are followed, many ERP and financial applications have built-in internal controls with simple gated logic (see Note 1 for an example of an internal control). However, the existence of these built-in automated controls does not ensure that they are turned on, that they are configured appropriately, and that they are not regularly overridden or bypassed — thus establishing the need for a solution that can monitor these controls.
TCM is a GRC technology that monitors ERP and financial application transaction controls to improve financial governance and automate audit processes. TCM ensures that business rules and policies are effective, reduces compliance and audit costs, monitors for fraud, and supports risk management.
TCM assists in reducing business losses through continuous monitoring and reducing the cost of auditing through continuous audit of the controls in financial applications. TCM is applied automatically and periodically to support controls monitoring processes that are repeatable, consistent and predictable.
TCM provides for broader visibility into all transactions, eliminating the need for manual sampling of transactions. The traditional method to monitor that policies and rules are being followed is manual sampling of transactions. However, manual sampling is labor-intensive and expensive, lacks timeliness, represents a tiny fraction of the transactions, and will often not find a singular event, such as an instance of fraud. Manual sampling also makes it difficult to identify trends that can develop across audit cycles. Trends have the potential to provide foresight into emerging risks that may not be identified through individual data points with their respective time stamps.
TCM solutions often are based on the same technology as data analysis for auditors (DAA) — which is the tool, sometimes called audit analytics, used by auditors during the course of periodic audits to manually run standard or ad hoc queries against sets of transactional data (see "Data Analytics Is a Must-Have Technology for Internal Auditors"). Essentially, TCM is DAA preconfigured with a set of standard queries for transactions that are run in batch mode automatically on a frequent, near-real-time basis — often nightly.
TCM falls within the broader GRC marketplace. (For more information on the GRC marketplace, see "A Comparison Model for the GRC Marketplace, 2011 to 2013.") TCM is a subset of CCM, which includes segregation of duties (SOD) as well (see Note 2).
TCM software analyzes ERP and other financial application transactions to identify exceptions to policies, business rules and built-in application controls. TCM software can also be used to enable controls as well as monitor them. TCM software has several functions, including transaction monitoring, exception and remediation management, reporting and analytics, and workflow:
- Transaction monitoring automatically and periodically imports transaction data from ERP and financial applications, and applies a set of predefined rules to identify control exceptions.
- Exception and remediation management supports tracking the response to identified control failures and other deficiencies, along with the process of addressing exceptions.
- Reporting and analytics supports trending and audit analysis, audit trails, dashboards, and the generation of reports.
- Workflow supports the notifications and alerts, reviews, approvals, and other process automation needs.
When implementing TCM, many organizations start with the procure-to-pay process. Procure to pay is a focus for anti-fraud, and it also provides an opportunity for immediate ROI — for example, by reducing payment of duplicate invoices. Next steps can include travel and entertainment (T&E) and order-to-cash processes. TCM and the other CCM subsegments support both continuous audit (CA) for internal auditors and continuous monitoring (CM) for management (see Note 3 for definitions of CA and CM).
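The transaction monitoring and reporting functions listed above, applied to the procure-to-pay duplicate-invoice case, as an added example written for this note (it is not code from the note or from any TCM vendor's product). The record layout, the rule names, the 10-day early-payment threshold and the sample payments are all assumptions; the two duplicate tests and the early-payment rule are the kind of predefined query a TCM run applies to the whole population rather than to a sample.

```python
# Added example (not from the research note or any vendor's product): a minimal
# TCM-style batch run over accounts-payable payments. Record layout, rule names,
# the 10-day early-payment threshold and the sample data are all assumptions.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor_id: str
    invoice_no: str
    amount: float
    invoice_date: date
    due_date: date
    paid_date: date


@dataclass(frozen=True)
class ControlException:
    rule: str          # which predefined rule fired
    payment_id: str    # the transaction routed into the remediation workflow
    detail: str        # the evidence a reviewer needs


def normalize_invoice_no(raw: str) -> str:
    # The same invoice is often keyed as "INV-1001", "inv 1001" or "INV1001";
    # an exact-match duplicate check misses these, so compare a canonical form.
    return re.sub(r"[^A-Z0-9]", "", raw.upper())


def find_duplicates(payments):
    # Two classic duplicate-payment tests, each grouped over the whole population.
    keys = {
        "duplicate_invoice_number": lambda p: (p.vendor_id, normalize_invoice_no(p.invoice_no)),
        "duplicate_amount_and_date": lambda p: (p.vendor_id, round(p.amount, 2), p.invoice_date),
    }
    found = []
    for rule, key in keys.items():
        groups = defaultdict(list)
        for p in payments:
            groups[key(p)].append(p)
        for members in groups.values():
            if len(members) < 2:
                continue
            # The earliest payment is presumed legitimate; every later one is an exception.
            members.sort(key=lambda p: (p.paid_date, p.payment_id))
            first = members[0]
            for dup in members[1:]:
                found.append(ControlException(rule, dup.payment_id, f"matches {first.payment_id}"))
    return found


def find_early_payments(payments, early_days=10):
    # Paying long before the due date ties up working capital (a governance rule,
    # not a fraud rule); early_days is the assumed tolerance.
    found = []
    for p in payments:
        days_early = (p.due_date - p.paid_date).days
        if days_early > early_days:
            found.append(ControlException("paid_too_early", p.payment_id,
                                          f"paid {days_early} days before due date"))
    return found


def run_tcm(payments, early_days=10):
    """One scheduled batch run: every rule is applied to every transaction, not a sample."""
    return find_duplicates(payments) + find_early_payments(payments, early_days)


def summarize(exceptions):
    """Exception counts per rule, the figure a dashboard trends from run to run."""
    counts = defaultdict(int)
    for e in exceptions:
        counts[e.rule] += 1
    return dict(counts)


# Constructed sample population (not real data).
SAMPLE_PAYMENTS = [
    Payment("P1", "V100", "INV-1001", 5000.00, date(2024, 1, 5), date(2024, 2, 4), date(2024, 2, 1)),
    Payment("P2", "V100", "inv 1001", 5000.00, date(2024, 1, 5), date(2024, 2, 4), date(2024, 2, 3)),
    Payment("P3", "V200", "INV-77", 1200.00, date(2024, 1, 10), date(2024, 3, 10), date(2024, 1, 12)),
    Payment("P4", "V300", "INV-5", 800.00, date(2024, 1, 15), date(2024, 2, 14), date(2024, 2, 10)),
    Payment("P5", "V100", "INV-1002", 5000.00, date(2024, 1, 5), date(2024, 2, 4), date(2024, 2, 5)),
]

if __name__ == "__main__":
    exceptions = run_tcm(SAMPLE_PAYMENTS)
    for e in exceptions:
        print(f"{e.rule:28} {e.payment_id}  {e.detail}")
    print(summarize(exceptions))
```

On the sample data the run flags P2 under both duplicate tests, P5 under the amount-and-date test, and P3 as paid 58 days early; P4, paid four days early, stays inside the tolerance. A payment that matches on several keys appears once per rule on purpose, since the number of independent signals is useful for ranking the remediation queue, and the per-rule counts from `summarize` are what the reporting function would trend across runs.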
Despite the benefits of TCM, too little attention has been given by chief financial officers, internal auditors, and corporate risk management and compliance leaders to the automation of financial controls monitoring (see Note 4). This approach contrasts sharply with IT risk and compliance managers who invested significantly in infrastructure controls automation tools, such as vulnerability scanning, and access controls like SOD. Their objectives were to hold down compliance costs associated with manual process controls, while at the same time addressing audit findings. In large measure, those objectives have been met.
The most common use cases for TCM are:
- Financial Reporting Integrity Compliance — Sarbanes-Oxley and similar regulations globally require companies to maintain effective internal controls for financial reporting. The U.S. Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 encourages controls automation as a means to lower audit costs and improve controls reliability. While most of the focus has been on automation of SOD monitoring, some companies also have started to use TCM to automate transaction controls monitoring and reduce the need for manual controls sampling.
- Anti-Bribery and Anti-Corruption Compliance — TCM can be applied to monitor transactions for improper payments, as well as the misuse of gifts and entertainment or travel and expense accounts. Regulators are aggressively enforcing anti-bribery and anti-corruption regulations, such as the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act. There are also industry-specific regulations that affect sales and marketing activities. For example, many life science companies have come under corporate integrity agreements whereby their sales and marketing operations face direct regulatory supervision for a period of years.
- Entitlements Fraud — Public-sector organizations are increasingly concerned about the abuse of pension and healthcare entitlements.
- Financial Governance — TCM can be applied to accounts payable and accounts receivable processes to enforce business rules, and to improve cash flow and the availability of working capital. It can also be applied to the "last mile of finance" to improve the governance of financial processes, such as financial close management, reconciliation management and disclosure management. Implementing TCM across multiple instances of the same financial application, or across disparate financial systems, provides the ease of monitoring transactions that an integrated financial application would offer.
- Internal Auditor Productivity — TCM enables auditors to look at control performance trends without having to manually perform individual queries. Internal auditors increase productivity by saving significant time on interaction with IT, extracting raw data, identifying various scripts that reflect required control performance logic and — most importantly — trending the outcome of the scripts.
Within the GRC marketplace, TCM assists in reducing business losses from fraud or failure to follow the rules governing financial transactions. TCM also assists in improving performance through CM and reducing the cost of auditing through CA of the automated controls in ERP systems or other financial applications. TCM contributes value to risk management and compliance initiatives in three ways:
- Lowering Compliance Costs — A TCM solution can reduce the cost of audits by eliminating much manual sampling and minimizing the time it takes to gather documentation. When controls are automated, auditors can test the automated control, which is less labor-intensive. Furthermore, in accordance with the PCAOB Auditing Standard No. 5, which governs Sarbanes-Oxley audits, as long as the general computing controls are determined to be effective, an automated control only needs to be tested again when there is a change to the control.
- Improving Financial Governance — TCM can increase the reliability of transaction controls, improve auditor trust and increase the effectiveness of anti-fraud controls. When the general computing controls are determined to be effective, auditors will consider automated controls to be lower-risk than manual controls. Furthermore, TCM monitors all transactions relevant to the control rather than a sample, and it operates frequently, often nightly or weekly. If configured properly, it is not subject to human error, which can occur when reviewing large numbers of data and logs.
- Improving Financial Organization Operational Performance — TCM controls, such as those that monitor duplicate payments, incorrect discounts or misapplied warranties, go beyond what most people consider compliance. By preventing these violations of business rules, TCM can improve key financial processes and increase the availability of working capital. By providing assurance that business rules are being followed, TCM can also reduce the frequency of supervisory reviews and approvals, alerting managers when there is a need to do a review or approve a transaction.
The TCM market is in its early stages, and many vendors don't offer a complete solution, or they offer solutions that are targeted at specific ERP applications, but don't work as well in heterogeneous financial application environments.
TCM is simplest and least expensive to apply in a homogeneous ERP environment for which the vendor has a preconfigured integration link and controls library.
When financial processes are spread across multiple instances, and especially when there is a mix of ERP financial applications and/or other non-ERP financial applications, customizing controls and application integration add expense. The costs of customization should be balanced against what it would cost to migrate to a common ERP. TCM in combination with other integration technologies, such as business process management systems, which can automate the data collection across multiple platforms and reporting, could mitigate the need to move to a common ERP.
Because TCM can be an expensive proposition requiring considerable implementation services, to get full value, implementation should focus not only on compliance and audit needs, but also on business performance benefits and improving financial governance. Returning money to the office of the CFO — for example, by preventing duplicate payments, ensuring that invoices are not paid too early, making sure travel and expense rules are followed, and matching goods received to purchase orders and payments — is a great way to demonstrate value.
The primary alternatives are:
- Business Activity Monitoring (BAM) — General-purpose BAM tools can be configured to monitor transactional rules. In fact, TCM products are essentially special-purpose BAM tools.
- Data Analysis for Auditors (DAA) — These special-purpose business analytics tools can be used by auditors to extract data from ERP and other financial applications on an ad hoc basis, and auditors can write scripts to run queries against the data (see "Data Analytics Is a Must-Have Technology for Internal Auditors").
- Manual Sampling and Reviews — Samples of transactions and logs can be manually reviewed for violations of rules. Workflows can also be put in place for supervisory approval of high-risk transactions.
Consider these common functional criteria when selecting a TCM solution:
- ERP Compatibility — Is the solution compatible "out of the box" with the organization's version of the ERP financial application? Some solutions may not be compatible with older versions, and some focus on just one or two ERP vendors. If they are not compatible out of the box, then a significant amount of custom integration is required.
- Controls Library Coverage — Does the solution come with a predefined set of controls for your financial applications? Some vendors have controls libraries for many types and versions of ERP financial applications, while others are more limited.
- Business Rule Engine and Analytics-Processing Capability — Are there sufficient facilities for reducing false positives? Does the capability support the flexibility to build custom controls analytics for your environment? Organizations should also consider how often they want to run their analytics, because some products are better suited to run weekly, monthly or quarterly than in near real time.
- Remediation Workflow — Does it support the necessary scalability, flexibility and delegated administration to automate detection and remediation processes end to end?
- Cross-Platform and Multiplatform Application Support — Will the solution work for organizations that have multiple versions of ERP financial applications from multiple vendors? Can it import transaction data from all of your required applications (cross-platform)? Can it correlate transactions from multiple applications (multiplatform)?
- Continuous Audit Support — Does your external or statutory auditor use the same vendor for DAA? While this criterion should not be a major one, many organizations like to consider a TCM solution that is based on the data analysis solution that their audit firm uses.
Besides these functional criteria, another major consideration is the services required to implement and tune the TCM solution. In a multi-business-unit environment, where TCM is implemented across many different financial applications, customization service costs can be many times the license fee.
The following are examples of vendors offering TCM solutions:
- ACL Services — The ACL AuditExchange platform supports TCM and DAA. ACL also has the largest market share in DAA.
- BWise — BWise is an enterprise GRC platform vendor that offers a TCM module.
- CaseWare International — CaseWare Monitor can be applied in heterogeneous environments, and also has SAP-specific monitoring capabilities. CaseWare offers a DAA product called IDEA.
- Infor — Infor Approva has TCM for Lawson, Oracle, SAP and several other ERP applications. Approva also offers DAA.
- Security Weaver — Security Weaver's Process Auditor enables TCM for SAP and can be extended to other environments. Security Weaver also offers DAA.
- Infogix — Infogix offers a broad-based TCM solution that is often used in high-volume transactional systems and heterogeneous environments.
- Oversight Systems — Oversight's TCM may be run in near real time and is available as software as a service (SaaS). Oversight also offers a DAA. It is an SAP Endorsed Business Solution and an Oracle partner.
- Oracle — Oracle's enterprise GRC platform includes TCM for Oracle E-Business Suite, PeopleSoft and JD Edwards EnterpriseOne, and can be extended to third-party applications.
- Greenlight Technologies — Greenlight offers a TCM solution that supports heterogeneous environments. It also offers a preventive controls capability in cases where financial application controls may not be adequate.
- MetricStream — MetricStream is an enterprise GRC platform vendor that offers a TCM module.
- Runbook Company International — Runbook offers several financial governance solutions for financial closing and balance sheet account reconciliation, including Safe Controls, an SAP-specific TCM solution.
- SAP — SAP Process Control includes TCM, and is also a core component of SAP's enterprise GRC platform offering.
- SAS — As a business analytics vendor, SAS has focused on applying its functionality to many transactional analysis use cases, including TCM.
- Software AG — Software AG positions its webMethods Business Events offering for TCM use cases.
- ControlPanelGRC — ControlPanelGRC's Process Analyzer provides TCM functionality for SAP environments. ControlPanelGRC also offers DAA for SAP.
"Benchmarking of Automated Controls," Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5, Appendix B (http://pcaobus.org/Standards/Auditing/Pages/Auditing_Standard_5_Appendix_B.aspx#benchmarkingofautomatedcontrols)
A common internal control is a "three-way match." It prevents payment for goods that have not been received, but for which the supplier has submitted an invoice. With a three-way match, the business rule logic requires that, for payment to be made, the following three items match:
- The original purchase order
- The vendor's invoice
- The receipt record for the items that were received
If the rule is not met, then the controls within the accounts payable process will block payment. The problem is that many of these automated controls are overridden — often for very good reasons, but without documentation and identification of compensating controls. For instance, perhaps it is common for an in-house supplier not to submit an invoice, but instead an inventory record is reconciled with receipts monthly — but payment is made on receipt. If the three-way match is turned off for this legitimate exception, then it could open a path for fraud. Over time, the exceptions can proliferate and become the norm.
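The three-way match described in this note, together with the override problem it raises, as an added example written for this page (illustrative code, not any ERP's control logic). The record layouts, the 1% unit-price tolerance, the `match_overridden`, `override_reason` and `compensating_control` fields on a payment request, and the sample records are all assumptions. The monitoring layer does two things the built-in control does not: it distinguishes an override that carries a reason and a named compensating control (the in-house supplier case) from one that carries neither, and it reports the override rate so that exceptions becoming the norm is itself visible.

```python
# Added example (illustrative code written for this note, not any ERP's logic):
# a three-way match check, plus monitoring of how the control is overridden.
# Record layouts, the 1% price tolerance, the override fields and the sample
# data are assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    vendor_id: str
    quantity: int
    unit_price: float


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    po_id: str
    vendor_id: str
    quantity: int
    unit_price: float


@dataclass(frozen=True)
class Receipt:
    po_id: str
    quantity_received: int


@dataclass(frozen=True)
class PaymentRequest:
    request_id: str
    po_id: str
    invoice_id: Optional[str]
    match_overridden: bool        # a user switched the control off for this payment
    override_reason: str          # free text; empty when nobody wrote one
    compensating_control: str     # e.g. a monthly reconciliation; empty if none named


def three_way_match(po, invoice, receipt, price_tolerance=0.01):
    """Return the mismatches; an empty list means all three records agree."""
    problems = []
    if invoice is None:
        problems.append("no invoice")
    if receipt is None:
        problems.append("no receipt record")
    if invoice is not None:
        if invoice.vendor_id != po.vendor_id:
            problems.append("invoice vendor differs from PO vendor")
        if invoice.quantity > po.quantity:
            problems.append("invoice quantity exceeds PO quantity")
        if receipt is not None and invoice.quantity > receipt.quantity_received:
            problems.append("invoice quantity exceeds goods received")
        if abs(invoice.unit_price - po.unit_price) > price_tolerance * po.unit_price:
            problems.append("invoice unit price outside tolerance")
    return problems


def evaluate(req, pos, invoices, receipts):
    """Decision for one payment request: the built-in control blocks a failed match,
    and the monitoring layer judges any override of that block."""
    po = pos[req.po_id]
    invoice = invoices.get(req.invoice_id) if req.invoice_id else None
    problems = three_way_match(po, invoice, receipts.get(req.po_id))
    if not problems:
        return "pay", problems
    if not req.match_overridden:
        return "blocked", problems
    if req.override_reason.strip() and req.compensating_control.strip():
        return "paid_documented_override", problems   # legitimate exception, kept for audit
    return "exception_undocumented_override", problems  # route to remediation workflow


def monitor(requests, pos, invoices, receipts):
    """Batch run over every request, plus the override rate: exceptions that
    proliferate over time are themselves a control gap worth trending."""
    results = {r.request_id: evaluate(r, pos, invoices, receipts) for r in requests}
    overrides = sum(1 for decision, _ in results.values() if decision.endswith("override"))
    rate = overrides / len(requests) if requests else 0.0
    return results, rate


# Constructed sample data (not real transactions).
POS = {p.po_id: p for p in [
    PurchaseOrder("PO-1", "V1", 10, 50.0),
    PurchaseOrder("PO-2", "V2", 5, 100.0),
    PurchaseOrder("PO-3", "V3", 20, 10.0),    # in-house supplier that never invoices
    PurchaseOrder("PO-4", "V4", 3, 200.0),
]}
INVOICES = {i.invoice_id: i for i in [
    Invoice("INV-1", "PO-1", "V1", 10, 50.0),
    Invoice("INV-2", "PO-2", "V2", 5, 100.0),
    Invoice("INV-4", "PO-4", "V4", 3, 260.0),
]}
RECEIPTS = {r.po_id: r for r in [Receipt("PO-1", 10), Receipt("PO-3", 20), Receipt("PO-4", 3)]}
REQUESTS = [
    PaymentRequest("R1", "PO-1", "INV-1", False, "", ""),
    PaymentRequest("R2", "PO-2", "INV-2", False, "", ""),
    PaymentRequest("R3", "PO-3", None, True, "in-house supplier does not invoice",
                   "monthly inventory-to-receipt reconciliation"),
    PaymentRequest("R4", "PO-4", "INV-4", True, "", ""),
]


def run_sample():
    return monitor(REQUESTS, POS, INVOICES, RECEIPTS)


if __name__ == "__main__":
    results, rate = run_sample()
    for rid, (decision, problems) in results.items():
        print(rid, decision, problems)
    print(f"override rate: {rate:.0%}")
```

With the sample data R1 matches and is paid, R2 is blocked because nothing was received, R3 is paid under a documented override (the in-house supplier case from the note, with the monthly reconciliation recorded as the compensating control), and R4, where the control was switched off with no reason and no compensating control for an invoice priced 30% above the purchase order, becomes the exception for remediation. The override rate of 50% is the number a reviewer would watch from run to run.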
Continuous controls monitoring (CCM) is a set of technologies designed to reduce business losses through continuous monitoring, and to lower the cost of audits by continuously auditing the controls in financial and other transactional applications. CCM technologies are applied automatically and periodically to support financial processes to ensure that they are repeatable, consistent and predictable.
Two primary technologies make up CCM:
- Segregation of Duties (SOD) — Used to manage a number of access conflicts present in ERP and financial applications.
- Transaction Controls Monitoring (TCM) — Used to continuously monitor ERP and financial application transaction information to improve governance and automate audit processes. TCM is the focus of this research.
Two supporting CCM technologies enable and are incorporated within TCM and SOD:
- CCM for Master Data (CCM-MD) — Automates controls related to ERP and financial application data. It is an element of many data quality products (see "Magic Quadrant for Data Quality Tools").
- CCM for Application Configuration (CCM-AC) — Used to monitor the presence, appropriate configuration and modification of built-in application controls. CCM-AC is used in conjunction with each of the other three CCM technologies.
- Continuous monitoring (CM) is a business management monitoring function used to ensure that controls operate as designed and that transactions are processed appropriately. CM uses control automation to reduce fraud and improve financial governance, typically resulting in an immediate ROI. It improves the reliability of the controls as well as the management oversight, policy enforcement and operational efficiency of critical financial processes, often producing hard-dollar savings.
- Continuous audit (CA) is the periodic collection of audit evidence and indicators for the benefit of internal audit. CA reduces audit costs by automating the audit process and eliminating the cost of manual sampling. To avoid audit deficiencies, it is important that policies are being followed demonstrably, and that exceptions are documented and proved to be within the boundaries of good practice.
CFOs are starting to become involved in IT investment decisions, as noted in "FEI CFO Technology Study Shows CFOs Increasing Their Influence on IT." As a result, investments in technology to automate many manual activities associated with compliance and risk management could increase.