Friday, October 16, 2009

Forrester Research on Continuous Controls Monitoring is Spot On

Chatted this week with Chris McKittrick, a freelance writer and former CFO of one of our clients. Chris writes for Big Fat Finance Blog on a variety of topics, including CCM-T, which Forrester Research calls Internal Controls Monitoring. Chris pointed us to a CFO Magazine article from earlier this year about CCM-T, which states the simple and profound:

Internal controls monitoring. Technologies in this area so far have demonstrated a low level of success, or business value-add, and are on a trajectory for minimal success over their lifespan, according to Forrester. There is potential payback in error reductions, efficiency, and risk avoidance, but most installations have yet to prove what they will ultimately be worth. And while internal controls monitoring is important because of Sarbanes-Oxley and other compliance directives, "many of the solutions just raise red flags," Paul Hamerman, vice president of enterprise applications for Forrester, tells CFO.com. "Somebody has to go through these flags to figure out what they mean. If the application doesn't have the built-in intelligence to do that, its value is diminished."

Going through the red flags is a real business challenge, and requires knowledge of technology, enterprise data, policies, business rules, and fraud. Unfortunately, many organizations that have invested in this technology do not put enough emphasis on the ongoing care and feeding of the systems, and it's common for the number of red flags identified in a period to exceed the number of red flags that are fully researched and resolved. As a result, the business value-add of the systems can fail to reach its potential.

Even for organizations that are managing the work queues well, it is rare to see organizations modify their rules and add more red flags for checking. Opportunities to help CCM-T users with post-implementation support, whether the tool of choice is Oversight, Approva, ACL Audit Exchange 2, or SymSure / IDEA, would seem to be a growth area.

* * * * * * * * * * *

Are you attending the Rutgers Continuous Auditing Symposium on November 6 and 7? We are. Look for us at the Conference or on a Panel at 4:00 on Day 1, and let's compare notes on the above. We're interested to share experiences with others...

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

2 comments:

auditor2 said...

We are beginning a continuous audit for p-cards at my company - can you share some best practices with me?

Joe Oringel said...

Sure - happy to help. There are a number of p-card tests that we'd suggest. Probably phone or email is best. What's a good way to reach you? Can we set a time for early next week?