Subscribe to our newsletter
Blog

#takeaways Risk webinar 4: How internal audit contributes to continuous control monitoring

20 November 2024
Main takeaways
  • Improved compliance with regulatory requirements and internal policies
  • Enhanced real-time oversights and quicker identification of anomalies or irregularities
  • Increased operational efficiency through automated monitoring and reporting

As the world becomes more fast-paced, risks continue to evolve, and the demand for resilience grows. The functions of internal audit, internal control, and risk management must be more proactive than ever. They must keep up with emerging risks, navigate shifting regulatory landscapes, and leverage new technologies that offer greater insight into risk through advanced analytics.

To assist organizations in addressing these challenges and requirements, TriFinance is organizing a series of webinars on related topics to share meaningful insights and best practices.

The fourth webinar, 'How internal audit contributes to continuous control monitoring’, featured insights from TriFinance experts Annemie Pelgrims and Steve van der Steen, who shared their knowledge with participants from various companies. They discussed trends, best practices and how Internal Audit contributes to the development and implementation of continuous control monitoring dashboards. Vicky Posthumus, Expert at TriFinance, hosted the session.

Challenges and areas of risk

Understanding the challenges and risks is essential to successfully developing continuous control monitoring dashboards that address these pain points effectively. These are some of the key challenges and areas of risk we face when it comes to internal controls and compliance in today’s fast-paced financial and regulatory environment.

Challenges

  • The need to reduce internal control costs. Internal controls are essential, but they can also be resource-intensive, making it crucial to find ways to minimize costs without compromising effectiveness.
  • Ensure that managers across the organization have proper internal controls in place. This requires a consistent and transparent approach to control monitoring, ensuring alignment with the organization’s strategy & objectives.
  • Compliance with tax and financial requirements. The complexity of tax regulations and financial reporting standards means that internal controls must be both comprehensive and adaptable to changes in regulatory environments.
  • Tailor internal controls to specific financial issues. Every organization faces unique financial risks, and controls need to be customized to address those effectively.

Areas of risk

  • Excessive confidence in embedded systems. Many organizations rely heavily on their ERP systems, believing they inherently ensure compliance. However, embedded systems alone can create a false sense of security, leading to gaps in actual control enforcement.
  • The manual and post-control adjustments made in ERP systems. These manual interventions can introduce errors, inefficiencies, and compliance risks, especially if they are not tracked or documented properly.
  • Internal control systems being difficult to modify. Systems can quickly become inadequate, especially as businesses grow or regulations evolve. The inability to rapidly adjust controls can leave organizations exposed to unnecessary risks.

What is continuous control monitoring?

The Continuous Control Monitoring (CCM) dashboard is built on the existing internal control system, to enhance what’s already in place. CCM dashboards consist of internal controls that mitigate process weaknesses identified through process mining exercises, ensuring that we address key risks effectively. 

What sets CCM apart is its ability to continuously monitor controls, ensuring they are executed correctly, completely, and on time. This ongoing oversight reduces the need for manual checks or post-control adjustments, allowing us to anticipate and fix issues in real time rather than react later. By keeping internal controls adaptive and flexible, CCM helps organizations stay ahead of risks and regulatory changes while maintaining operational efficiency.

Continuous control monitoring empowers organizations to reduce costs, improve compliance, and drive operational efficiency by providing real-time oversight and proactive risk management.

Annemie Pelgrims

Three levels of internal control maturity

We distinguish three levels of internal control maturity, which help us understand where an organization currently stands and where it can improve in terms of internal control effectiveness.

  1. At the basic level, controls are siloed. This means internal controls exist but are often isolated within specific departments or processes, with little coordination across the organization. While they may address certain risks, this approach can lead to inefficiencies and blind spots since controls are not integrated or aligned with broader organizational goals.
  2. The next step up is the managed level. Here, there is ad hoc monitoring of internal controls. This means controls are monitored occasionally, often in response to specific issues or audits, but the process lacks consistency and a comprehensive approach. While better than basic controls, it still leaves room for errors and missed risks due to inconsistent oversight. Based on our experience, we’ve observed that most organizations are operating at this managed level. While some controls are in place, they tend to be reactive rather than proactive, with opportunities to improve monitoring.
  3. Finally, we have the directed level, where organizations use continuous and comprehensive tools like the Continuous Control Monitoring (CCM) dashboards. At this level, internal controls are actively monitored in real-time, providing a proactive approach to identifying and managing risks. This is where organizations can truly optimize their control environment, achieving not only compliance but also improved efficiency and risk mitigation.

Why are Continuous Control Monitoring (CCM) dashboards essential for modern organizations, especially in managing internal controls? We see three main reasons:

  • Quantify risks more effectively. By continuously monitoring control activities, we can assign specific metrics to risk factors, helping us understand not just where risks exist, but also their potential impact and likelihood. CCM dashboards also improve compliance by automating and monitoring controls. Instead of relying on manual processes that are prone to error, we can use automation to ensure that controls are consistently applied, reducing the risk of non-compliance with regulations. Another key benefit is the ability to continuously monitor controls and correct segregation of duties. This ensures that controls are functioning properly and that responsibilities are appropriately divided to prevent fraud or misuse of resources.
  • In terms of efficiency, CCM helps reduce costs by streamlining processes and minimizing manual interventions. By automating tasks like monitoring and testing, we reduce the resources and time required to manage internal controls. Additionally, CCM dashboards help improve operational efficiency by automating not only control monitoring but also the testing of those controls. This reduces the execution time needed to test and document system-designed controls, allowing the organization to move faster while staying compliant. By developing and exploiting central or shared data sources, we ensure that key control information is available in one place, making it easier to analyze and manage across departments.
  • CCM dashboards promote process efficiencies, which are key to smoother operations. They allow us to get real-time notifications of anomalies, so any issues can be addressed immediately, reducing delays and risks. Lastly, CCM dashboards help organizations develop reliable and consistent business processes. By standardizing control activities and ensuring real-time oversight, we can ensure that processes run smoothly, with fewer surprises and greater predictability.

In short, the use of CCM dashboards leads to more reliable, efficient, and cost-effective control environments, enabling organizations to not only meet compliance standards but also drive operational excellence.

How to develop continuous control monitoring?

We see different phases when developing continuous control monitoring in your organization. The starting point is an open discussion with your stakeholders: what are the minimum internal controls they want to implement?

Different phases when developing continuous control monitoring
Different phases when developing continuous control monitoring

Some examples of continuous controls

  • Customer and supplier invoicing control: comparison of names, descriptions, dates, amounts, number sequences, etc., consistency control in the "order, delivery, invoicing, payment"sequence, …
  • Financial accounting controls: verification of segregation of duties, reconciliation of the sub-accounts and general ledger accounts, …
  • VAT controls: no VAT on taxable invoices, code verification on purchases of goods, …
  • Sales movement controls: verification of financials discounts by comparison, ratios of number of credit notes vs. invoices

Adopting a CCM mindset allows you to monitor daily operations closely, flagging potential anomalies before payments leave the company and identifying root causes. This proactive approach enhances overall performance and positively impacts the bottom line.

Steve van der Steen

The role of internal audit in the development of CCM dashboards

The trends show an increased focus on operational risks and the evolving role of Internal Audit as a business partner. Internal auditors are now more than just compliance checkers. They support management with decision-making by providing insights into risk management, process improvement, and control effectiveness.

However, internal auditors face significant obstacles. These include resource limitations and the need for in-depth knowledge of ERP systems. The volume of business transactions makes it difficult to keep track of all activities, and there are communication challenges across different departments and functions.

Despite these obstacles, there are several analytics enablers that can help internal auditors overcome these challenges. By leveraging automated controls, particularly around segregation of duties and IT management controls, auditors can enhance their coverage and reduce the time spent on internal control testing. This is where the CCM dashboards come into play.

The CCM dashboard allows auditors to perform continuous internal control monitoring, meaning they no longer have to rely solely on periodic checks. Instead, they can monitor controls in real-time, which supports a more proactive risk assessment and enables the detection of red flags automatically. This not only enhances audit coverage but also significantly improves the speed and accuracy of audits.

Additionally, by integrating data analytics into their work, internal auditors can increase their analysis of unstructured data through the deployment of text analytics, which further improves their ability to assess risks and control effectiveness.

In short, the internal auditor's role is evolving into that of a strategic partner, leveraging technology to support continuous control monitoring, improve efficiency, and ensure that risks are managed more effectively in real-time.

Each department within your organization can benefit from the analytics of continuous control monitoring. For example: finance gains insights in master data anomalies and irregular postings; supply chain and operations can follow up if suppliers' expenditure complies with contractual conditions.

In conclusion, we highlighted the main advantages of continuous control monitoring:

  • Improved compliance with regulatory requirements and internal policies
    • Less anomalies noted by the statutory auditors and tax inspectors.
    • Reduced audit and compliance costs.
  • Enhanced real-time oversights and quicker identification of anomalies or irregularities
    • Rapid response to fraud, errors and inefficiencies.
    • Increased business ownership.
  • Increased operational efficiency through automated monitoring and reporting
    • Improved operational performance
    • Generated cash savings & revenue opportunities

Related content