One of the important developments in the new King III Report released earlier this year is the fact that it has finally taken into consideration the role of Information Technology from a governance perspective. The pervasiveness and strategic importance of IT have created the need for it to be governed like any other corporate asset, and have introduced new levels of risk to enterprises. On the other hand, technology is also providing the means to achieve the heightened levels of control monitoring required to adhere to these new standards.
A large proportion of controls tend to be centred on financial processes, which in turn have many business rules and policies governing transactions. Whereas the traditional approach has been ‘rules-based’ and has value, monitoring with more sophisticated tools and analytical capabilities drives much higher value. This has resulted in a proliferation of Financial Applications and Enterprise Resource Planning (ERP) Solutions in recent years, all promising to improve corporate governance and compliance processes through their built-in controls.
Mike Roos, Director at Barnstone Fraud Risk Services, explains why, although ERPs and financial-based applications are helpful, they are no longer enough when it comes to complying with stringent GRC requirements such as those imposed by the King III Report.
“ERPs provide intelligent workflows, business processes automation, role-based access and a whole host of features that have clearly added great value when it comes to containing certain risks. However, as IT landscapes become more diverse, their increased complexity makes it almost impossible for businesses to gain the end-to-end view needed for proper decision making and risk assessment. ERP financial applications may enable the automation of controls, but not the automated monitoring of these controls. This creates the opportunity for some things to fall through the cracks, either by accident or by design.”
There is an adage ‘many a slip between the cup and the lip’ and this gap that exists between information silos across the business is one of the most vulnerable areas – a blind spot in the business where fraudulent or even just negligent activity can creep in.
That being said, IT is nothing if not responsive to drivers within the business environment and is moving quickly to assist enterprises in mitigating this risk. Continuous Controls Monitoring for Transactions (or CCM-T) has evolved out of the enterprise’s need to gain a single view that seamlessly and accurately consolidates all available information sources into actionable and reportable data.
Even Gartner, widely acknowledged for the ability to identify IT trends, has recognised CCM-T as an emerging governance, risk and compliance (GRC) technology capable of monitoring ERP and financial application transaction controls to improve financial governance and automate audit processes.
“CCM-T essentially ensures that business rules and policies are effective,” explains Roos. “Because they are continually updated and always available in real time, CCM-Ts provide critical monitoring and tracking for good governance and peace of mind, and an almost inherent compliance with the King III code. In addition, they drive down the associated compliance and audit costs, and faithfully support risk management.”
Because of the value they add, CCM-T products such as those on offer from SAP, Oracle, Oversight Systems and ACL are now trending in the IT space, aiming to close the gap that has been created by ever-increasing complexity and information excesses.
In many cases, financial processes function across multiple systems and, with the advent of Shared Services, across multiple geographies as well. This adds incredible complexity to ensuring that the systems and processes are functioning correctly, a task to which CCM-T is ideally suited.
“Because continuous controls monitoring simply adds another control layer, providing a virtual ‘safety net’ in terms of controls, it is arguably the simplest and least expensive means of applying a homogeneous ERP environment, while at the same time creating an environment that will meet King III’s additional demands,” concludes Roos.
Mike Roos, director at Barnstone’s Fraud & Risk Services