Adding up the key benefits of comprehensive monitoring
By Steve Stanek, KnowledgeLeader contributing writer
 

  

It is easier to solve a small problem than a big one. In business, fraud is a big problem that shows no sign of going away.

 

In August 2007, for example, Dell Inc. announced it was restating earnings for the fiscal years 2003 through 2006 because results had been manipulated to meet quarterly financing targets. That month also saw John Rigas, the founder and former chairman of Adelphia Communications, and his son Timothy, the company’s former chief financial officer, report to federal prison in North Carolina after being convicted of one of the largest corporate frauds in history.

 

Thanks to comprehensive fraud monitoring technology, though, fraud problems can be diminished. This technology gives companies the ability to detect fraud early, usually while there is time to stop it from doing serious harm to an organization’s finances, reputation, or both.

 

“Comprehensive fraud monitoring uses forensic data analysis techniques on a regular basis to find problems,” says Oversight Systems founder and CEO Patrick Taylor.

 

Despite the documentation and reporting requirements of the Sarbanes-Oxley Act (SOX) and Securities and Exchange Commission (SEC) regulations aimed at obtaining integrity in financial reporting, government and financial market regulators recognize there is no way to create perfect controls to stop fraud.

 

Nearly one year ago, the Public Company Accounting Oversight Board (PCAOB) issued a report that said organizations are doing too little analysis of general ledgers. The report pointed to the override of controls by management as a significant risk area.

 

The SEC issued a similar statement in July 2007 that said organizations need to design programs to cover the risk of management override. An effective way to do that is to analyze transactions comprehensively.

 

Comprehensive monitoring

Comprehensive fraud monitoring automates forensic analysis of a company's financial data, leveraging advanced statistical analysis techniques to comprehensively inspect transactions for fraud, misuse, and errors.

 

“How continuously you need to do something depends on the pace and frequency of the process being monitored,” Taylor says. “Depending on the company and the general ledger, it could be once a week or once a month. If you are looking at accounts payable and trying to find a potentially fraudulent wire transfer, you need to do that before someone pushes the payment button.”

 

“Now that we are monitoring, what are we monitoring for? This is what comprehensive fraud monitoring aims to accomplish. Continuous monitoring and comprehensive fraud monitoring are different perspectives on the same process.”

 

Automated monitoring applies the manual control process to every transaction, strengthening the control environment while eliminating costs associated with manual reviews, according to Taylor.

 

Taylor acknowledges, however, that complaints about comprehensive fraud monitoring sometimes arise.

 

One common complaint is the impact on the performance of the systems being monitored. “Nobody says slow down my ERP system,” Taylor says.

 

Another problem could be false negatives and false positives as well as the remediation and resolution process. “We have to fix the problem, whether it is fraud or errors,” Taylor says.

 

Comprehensive fraud monitoring can be done without buying special technology.

 

“You are doing queries and analyzing data,” he says. “We will find people downloading information into Excel, sorting, writing formulas, etc. ACL (which provides business analytics software) can do pieces of this. But what you find is the more you invest in a commercial package, the more you can start addressing the common complaints about the monitoring process. You can run into sophisticated analytics doing it yourself. This can get complicated in a hurry.”

 

Areas of improvement

Whether an organization decides to develop its own comprehensive fraud monitoring process or to buy a commercial package, it can expect improvements in two areas: compliance and operations, according to Taylor.

 

SOX compliance results should improve because the organization will have more confidence in the integrity of the financial numbers and controls over financial reporting. Also, compliance costs often drop because control testing is reduced.

 

Operations also can improve as a result of monitoring that quickly catches errors and misuse unrelated to fraud. Correcting those problems will result in process efficiencies and, over time, can drive business process re-engineering for more value-added activities, Taylor notes.

 

Even relatively small companies should consider comprehensive fraud monitoring, according to Taylor.

 

“People start thinking they need this when the company reaches a scope and scale where the CFO no longer believes he or she knows everything that is going on,” Taylor says. “This certainly occurs in the $400 million to $500 million (annual revenue) range. At $100 million to $200 million, the CFO often believes he or she knows what is going on, but the error rate is remarkably consistent across companies regardless of size.”

 

Before taking the plunge, companies need to carefully consider how the comprehensive fraud monitoring technology would fit into the organization’s existing IT infrastructure. If the company can automate data acquisition, that will help minimize the labor required of the process. Taylor also warns against making monitoring an integral part of IT operations. He suggests parallel and independent operations.

 

“That is the nature of looking for fraud,” he says. “What if someone in IT is involved in fraud? If you make the monitoring process too integral a part of IT, you have a significant weakness.”

 

Following through

Once an organization decides to use comprehensive fraud monitoring technology in its operations, follow-through is important. Taylor says the nature of the information that a monitoring program generates lends itself to use in performance dashboards, for things like issuing warnings if there appears to be fraud, and reports on efficiency of processes and effectiveness in terms of error rates.

 

“You should have good information that is meaningful to executives,” Taylor says. “You can provide that same information to the audit committee. Other information available can pertain to errors that have been found and resolved. We have the ability with comprehensive fraud monitoring to move errors through workflows to describe what is happening to resolve them. If you give yourself a range of choices—human error, system interface error, other causes—tracking the resolution state of the exceptions can give us great information for root-cause analysis.”

 

Ideally, says Taylor, an organization should study all exceptions all the time and use the monitoring information to improve processes to avoid future exceptions. For instance, if the issue is duplicate payments, instead of being satisfied that duplicate payments have been stopped, the company needs to move upstream in the process to stop duplicate invoices.

 

“Nip the errors at their inception,” Taylor says. “That is always the cheapest place to fix a problem. Taking appropriate action to investigate troubling trends relies on keeping relevant data at your fingertips. You want to define root causes and address them. The challenge would be keeping relevant information at hand and linked to problems over time.”

 


  

Article from Protiviti KnowledgeLeader – www.knowledgleader.com.

 
