Creating a risk management strategy is a must for any financial business. However, executing this strategy will only be as effective as the tools you use & the processes you put into place to ensure minimal errors. Choosing the right tools will help to reduce the complexity of risk management and so in this blog, we explore:
What are 7 ways in which Financial Assurance processes and controls can fail?
- Standard controls are turned off during uploads and then forgotten.
- Human intervention and errors as simple as typos.
- Processes change over time and the changes aren’t followed or understood or communicated.
- Existing re-assurance processes and checks tend to rely on static and superficial checks.
- There is no visibility as to the legitimacy of exceptions or movement to refine the output.
- There is no follow through to see if exceptions have been truly addressed.
- The person approving invoices is also the vendor.
For further insight, take a look at our full CCM resources here.
Introducing Automated Control Testing (CCM)
Both Audit and Risk Management have an interest in ensuring that controls are “effective” (well designed, in place and operating consistently) – that is, are controls “in effect”?-. There is an overlap between performing risk diagnostics and automated control testing. The auditors often perform these diagnostics during their audit planning. Many of the diagnostic algorithms (and the related code) can be reused for automating control testing.
The reality is that it is often impractical to directly test controls for effectiveness. Even automated controls rarely produce transactions logs that can be reviewed. Manual controls, such as review, are always beyond the scope of automated testing. As a result, automated control testing (or CCM) is usually inferential. That is, transactions are tested for evidence that controls are not achieving the objectives for which they were designed and implemented. If the testing identifies transactions that exceed policy norms or raise other concerns then that may provide evidence that the control structure is weak or not operating consistently.
A simple example is stock adjustments. All stockholding business experience stock adjustments. A statistical analysis may establish a mean and standard deviation for a stock type. Automated and regular comparison of stock adjustments can identify large or unusual adjustments falling outside predetermined standard deviation limits (i.e. “outliers) that signal that key stock controls are inadequate or breaking down.
CCM can be very powerful. Like most tools, however, it must be well designed. As an example, it is very easy to produce “telephone books” of exceptions that will never be reviewed. Further, important exceptions should be captured and followed through to resolution to allow conclusions about control design and operation to be reached. CCM operations will require a means to automatically capture and process the transactions of interest.
In short, CCM design and implementation can be challenging. A functioning, “high impact”, CCM regime requires an investment in resources. Internal Audit and Risk may be able to collaborate and share resources in the development of a CCM framework.
Be sure to Watch our Intro to CCM Video below to better understand how to move from loss recovery to loss prevention.
Gavin Steinberg is the Managing Director of Satori Group and an industry expert in Data Analytics, Budgeting, Forecasting and Financial Consolidation, and Continuous Control Monitoring. Gavin’s passion is helping companies to see the value that can be achieved through automation, understanding their data, and bringing this to life through visual communication and assurance.