Of the 7 steps I recommended in my last blog to reduce compliance cost and minimize financial loss, perhaps the most important to consider is the continuous monitoring of risks and controls as part of your business processes.
Organizations are exposed to considerable risk of fraud and error due to complex business environments, greater use of technology, and increased globalization. As part of technology solutions, ERPs are widely used in almost every organization, and they bring certain unique risks. For example, in the Procure to Pay process, any unauthorized changes to critical fields like ‘vendor bank payee’ may result in fraudulent payments; and in the Credit to Cash process, any unauthorized changes to the ‘customer credit limit’ field may lead to potential bad debts. Similarly, any unauthorized changes to the configuration of customer billing settings may generate incorrect revenue, leading to revenue leakage for the company.
Unfortunately, traditional periodic audits are no longer adequate to identify and control these potential issues and losses. With such factors at play, organizations more than ever need to be able to identify potential risks and take timely corrective action to avoid heavy losses for the company and minimize damage to its reputation. This requires monitoring key financial controls on a continuous basis and providing the right information to the right people on a near-real-time basis.
While continuous monitoring is important, it does not mean that organizations should start monitoring each and every risk and control on a continuous basis. Having implemented continuous monitoring programs for a number of clients, I’d offer the following recommendations:
- Perform a risk assessment and rate each risk / control on the basis of the severity of the risk
- Test your controls on a rotation to minimize cost, so that low and medium rated controls are tested less frequently and high rated controls are tested more frequently
- Ensure you have a robust technology solution and review all critical transactions beyond a threshold rather than a sample of transactions
- Place more reliance on automated controls and change management rather than manual controls
- Perform a Root Cause Analysis (RCA) of the exceptions noted and take corrective actions to address the root causes identified
- Track all exceptions to closure and provide a dashboard of the exceptions to key stakeholders
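
As an added illustration (not code from the original post), the sketch below runs these recommendations over a constructed ERP change log and payment run: it flags changes to the critical fields named above, reviews every payment beyond a threshold, and summarizes open exceptions by risk rating. The field names, roles, change-ticket convention, threshold and sample records are all assumptions made for the example.

```python
from collections import Counter

# Assumed risk-assessment output: critical field -> (risk rating, roles allowed to change it).
CRITICAL_FIELDS = {
    "vendor_bank_payee": ("high", {"vendor_master_admin"}),
    "customer_credit_limit": ("high", {"credit_manager"}),
    "billing_config": ("medium", {"billing_admin"}),
}
PAYMENT_THRESHOLD = 50_000  # assumed review threshold, in the ledger currency

# Constructed sample data standing in for an ERP change log and a payment run.
CHANGE_LOG = [
    {"id": "C1", "field": "vendor_bank_payee", "role": "ap_clerk", "ticket": None},
    {"id": "C2", "field": "customer_credit_limit", "role": "credit_manager", "ticket": "CHG-101"},
    {"id": "C3", "field": "billing_config", "role": "billing_admin", "ticket": None},
    {"id": "C4", "field": "vendor_phone", "role": "ap_clerk", "ticket": None},
]
PAYMENTS = [{"id": "P1", "amount": 12_000}, {"id": "P2", "amount": 75_000},
            {"id": "P3", "amount": 50_000}]

def field_change_exceptions(log):
    """Flag critical-field changes made by an unapproved role or without a change ticket."""
    found = []
    for rec in log:
        if rec["field"] not in CRITICAL_FIELDS:
            continue  # field is not in monitoring scope
        rating, roles = CRITICAL_FIELDS[rec["field"]]
        reasons = []
        if rec["role"] not in roles:
            reasons.append("unauthorized role")
        if not rec["ticket"]:
            reasons.append("no change ticket")
        if reasons:
            found.append({"id": rec["id"], "rating": rating, "reasons": reasons, "status": "open"})
    return found

def payments_over_threshold(payments, threshold=PAYMENT_THRESHOLD):
    """Review every payment above the threshold (full population, not a sample)."""
    return [{"id": p["id"], "rating": "high", "reasons": ["above threshold"], "status": "open"}
            for p in payments if p["amount"] > threshold]

def dashboard(exceptions):
    """Count open exceptions per risk rating for stakeholder reporting."""
    return dict(Counter(e["rating"] for e in exceptions if e["status"] == "open"))

if __name__ == "__main__":
    print(dashboard(field_change_exceptions(CHANGE_LOG) + payments_over_threshold(PAYMENTS)))
```
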
While the increased frequency of testing may bring additional costs, the price to pay may be far greater if the risk isn’t addressed in time.