
EBOOK SERIES VOL 1

You can call us Control Freaks. We call it Good Business.

Official

eHandbook
LEARN HOW CONTINUOUS CONTROLS MONITORING APPLICATIONS ARE CHANGING THE REPUTATION OF CONTROL FREAKS EVERYWHERE.

TABLE OF CONTENTS

Chapter 1: Why are Control Freaks good for business?
Chapter 2: How can you tell when you need a little more control?
Chapter 3: Where does continuous controls monitoring (CCM) software fit in?
Chapter 4: How do you get started with CCM?
Chapter 5: What can CCM offer you?
Chapter 6: Charting your progress
Chapter 7: Why it pays to be a Control Freak
Chapter 8: Staying in peak shape
Afterword: Own it, Control Freaks!
Additional Resources


About the Control Freak eHandbook


In case you can't tell, at Approva we're passionate about the possibilities for continuous controls monitoring (CCM). We've been called Control Freaks once or twice... and we're OK with that. We just call it good business. The goal of this eHandbook is to explain and explore how CCM technology, and the people who use it, are driving positive change in all sorts of situations. Because our world is full of circumstances crying out for a good old-fashioned Control Freak, not just to monitor financial anomalies and track down fraud at the office but in relationships and in line at the coffee shop too. We're here to reclaim the Control Freak mantle on behalf of the conscientious individuals on whom our society relies to keep the financial results accurate and the trains running on time. If we happen to inspire your inner Control Freak in the process, so much the better.

Looking to learn more? Click over to www.ilovecontrolfreaks.com.


CHAPTER 1

Why are Control Freaks Good for Business?


It sounds strange. Freedom to do one thing often relies on tight control of another, usually in ways that seem a bit paradoxical. We don't often think of it, but what makes it possible for cars to drive 60 or 70 miles per hour on the highway? Safe brakes, of course. Imagine how quickly people would drive if they weren't sure they could safely slow down.

Embrace Your Organization's Control Freaks!


Hear the term "Control Freak" and you'll likely imagine some unfortunate variation of a sniveling, pocket-protected loner who spends his or her free time on giddy i-dotting and t-crossing. But Control Freaks get a bad rap. They play a key role in our daily lives: landing our planes, designing our intersections and staffing our hospitals, to name just a few. The order on which Control Freaks rely, whether in the form of rules, guidelines or regulations, exists for a reason. It's the same reason that the oft-repeated axiom that "good fences make good neighbors" is so true. Borders exist to clearly define boundaries and, ideally, behavior that respects them.

At the end of the day, most companies want to maximize revenue, minimize cost and satisfy their customers. And they want to give their employees maximum freedom to achieve those objectives. But given the size, complexity and risk that most organizations face, they need to ensure that they have the proper controls in place to protect against the varied risks they face while giving their employees as much freedom as possible. Whether you're worried about what's going on in corporate boardrooms or cubicles, finding the right place for your Control Freaks (both real and virtual) is critical.

Control Freaks You Know & Love


Air Traffic Controllers: Managing the more than 5,000 planes in flight at any moment during an average day, some 64 million take-offs and landings a year.
The Army Corps of Engineers: Thanks for all the lakes! 67% of the goods consumed by Americans and more than half of the nation's oil imports are processed through deepwater ports maintained by the Corps of Engineers.
Restaurant Inspectors: Visiting kitchens so you don't have to.

Famous Control Freaks


Pilot Chesley Sullenberger, who famously landed US Airways Flight 1549 on the Hudson and who logged more than 19,000 hours flying prior to that.
Steve Jobs, CEO of Apple, who took the reins of the company when it was on the ropes and grew it to deliver all of the i-things millions of people can't imagine living without.

THE KEY TRADEOFF: Ensuring you have the right controls in place without strangling productivity and placing unnecessary burdens on employees.

Pointing Your Control Freaks in the Right Direction


The key to making the most of your controlophiles is to ensure that you point them in the right direction. Organizations face myriad risks that threaten their operations on a daily basis, not to mention their impact on the bottom line. While they go by different names (corporate policies, regulations, standard operating procedures, etc.), companies have controls for one of three main reasons:

Operational Controls: These are controls designed to ensure that standard business processes are adhered to. Did you buy from the approved vendor? Was the purchasing process circumvented? Did the product ship on time? Finding the right balance between enforcing and constricting the process is key here.
Financial Controls: These controls are designed to prevent and monitor key risks. Is the customer's credit rating being checked on a regular basis before we process a sales order? The key challenge here is monitoring those controls in a cost-effective way.
Compliance Controls: These are the "must have" controls that the auditors are checking. Whether because of Sarbanes-Oxley, HIPAA, FCPA or some other regulation, you must be able to demonstrate that you are toeing the line.

Given limited resources, finding the balance between these three types of controls is a big challenge for most organizations. All too often the focus is heavily skewed towards the "must have" compliance-related controls. And that's where controls and Control Freaks get a bad rap.

Living With a Control Freak


We know. The prospect of living with a Control Freak doesn't sound so enticing, does it? If the prospect of sharing a home with someone who calorie-counts snacks and doles them out in precisely measured portions sounds less than fun... maybe you just need to steer your Control Freak elsewhere and keep them busy on more important things. Because when it comes to some areas, a Control Freak is just what you need. Like, say:
Tax time
Vacation planning
Carpool
Getting that funny-looking mole checked
Making sure somebody is talking with your mother-in-law

Control Freaks across the world are poised to finally receive the appreciation they deserve. Now is their time.

THE OPPORTUNITY: Most organizations have a tremendous opportunity to redistribute their resources from compliance-related controls to value-adding operational controls by using automated technology such as continuous controls monitoring (CCM).

CHAPTER 2

How Can You Tell When You Need a Little More Control?
So how do you tell that you need a bit more control? There are the obvious signs. Your auditor dinged you. You had to restate your financial statements. Or maybe you just had a close call. But there are many more subtle signs that you're driving closer to the edge on that mountain pass than you think... or that at least you have a good bit of room for improvement. In this chapter, we'll help you assess where you stand.

BIG RED Warning Signs That You Might Need Stronger Controls

FINANCE
✓ You feel like you're spending more than you should on controls & compliance and getting less value than you'd like for the money being spent
✓ You're concerned about risk but have no automated way to identify and monitor your key risk areas
✓ Your staff spends more time running basic accounting activities than they do providing insights into how you run your business
✓ Your finance gurus aren't focusing explicitly on risk

AUDIT
✓ You're spending the majority of your time on compliance-related tasks rather than focusing on emerging risks and ways you can add value to finance and business managers
✓ You rely primarily on manual auditing and sampling to ensure that corporate controls are effective
✓ You have not recommended how the finance organization can save money by eliminating controls
✓ Your organization goes into full-scale red alert crisis mode before and during an audit

IT
✓ You spend more time than you would like with auditors
✓ Managing who has access to applications is seen as your problem by business users
✓ You're relying on point-in-time assessments of access rights to protect yourself against insider threats
✓ Finally, if you're manually configuring controls, or your controls aren't scalable across your enterprise, you definitely need more control

DANGER
GET A GRIP ON YOUR CONTROLS
Top 10 Signs Your Personal Life Could Use a Bit More Control
10. Your car registration expired in 2005
9. Two words: Farmville addiction
8. You've bought new clothes to avoid doing laundry.
7. And not just in college
6. What happened in Vegas doesn't seem to be staying there
5. You've got a bookie on speed-dial
4. And lately he's been calling you. Regularly
3. You can fall asleep at your desk
2. But you have a hard time sleeping in your bed
1. Your kids' teachers don't recognize you. But your Starbucks barista knows your order by heart


How Do You Measure Up?


Control, like so much else in life, is relative. One way to assess the state of your controls is to see how you compare to your competitors and peers. Have you covered every base? Are you covering too many bases? Are you doing it efficiently?

Typical Finance Resource Allocation, Percent of Finance Budget [1]
Control & Risk Mgmt: 11%
Planning & Strategy: 20%
Management & Admin: 7%
Transaction Processing: 61%

What Methods Do You Use to Provide Management Assurance of Your Controls? [2]
Mix of Regular Manual & Automated Checks: 12%
Mostly Real-time Automated Checks & Dashboards: 1%
Others/Not Sure: 1%
Mostly Periodic Manual Checks/Standard Reports: 40%
Mix of Regular Manual & Automated Checks: 46%

Here are a few questions you can ask yourself in order to gauge how you measure up:
How much of your budget are you spending on controls & risk management?
How much time does your organization spend on financial reporting and audit prep?
What percent of your controls are automated?

As the charts above show, most companies spend just over 10% of their budget on controls and risk management. But most companies (86% to be exact) rely primarily on manual methods to validate the effectiveness of their controls. The fact is, companies have spent millions of dollars designing and implementing policies, processes, procedures... and controls. But not even 2 in 10 organizations can tell you on a daily basis if those well-documented processes are actually being followed. With budgets tight, most businesses are taking a broader look at the way they ensure the accuracy and integrity of the information they use to run their business and report results.

THE KEY POINT: It's not just about whether you are spending enough; it's about how you spend it and what you're getting for that investment.

[1] Hackett Group
[2] KPMG Continuous Monitoring & Continuous Auditing Survey, 2010


Accounting for Risk


How are you managing risk if you can't monitor it? More important, who is managing your risks? If risk is keeping you up at night, here are some questions to consider. Once you've got solid answers, we think you may sleep a little better.
How do you monitor your key risks?
How often do you monitor your key risks? Annually? Monthly? Daily?
Do you have objective measures about whether risks are going up or down during the year?

Enter continuous monitoring. By defining objective measurements of acceptable risk and by baking risk management into day-to-day activities, managers across functions can reduce risk while increasing the efficiency of their operations.

[Chart: % of CFOs That Say Supporting, Managing & Mitigating Enterprise Risk is a Very Important or Critically Important Company-Wide Initiative [1]. 2005: 40%; 2010: 77% (93% increase).]

Here are a few examples of some companies we happen to know, who knitted risk management right into their daily business, with some pretty impressive results:
A midwestern chemical company that invested time to categorize risks according to their likelihood and impact used its CCM system to create and monitor several key risk indicators on a daily basis, to indicate process breakdowns or early warning signs of potential revenue recognition risks.
A $1B Texas-based software company that used a CCM solution to save their external auditor serious time testing their controls. Now, in addition to cutting audit costs, the company also achieves greater assurance since their controls are monitored continuously, not just spot checked once a quarter.
A midwest manufacturer implemented a CCM solution to monitor financial reporting anomalies. By finding and correcting errors at the source, they were able to reduce the number of financial errors requiring manual follow-up and investigation by more than 50 percent, while significantly increasing their confidence in the accuracy of their financial reports.
An equipment manufacturer deployed a CCM system to continuously monitor key risks in its procurement process. By routing exceptions indicating abnormal risks to the appropriate business manager, the manager was able to address the risk immediately and make sure that procurement ran smoothly and without error.

RISK AND THE CFO: Over the last 5 years risk management has jumped to the top of the CFO's agenda, with nearly 1 in 2 CFOs saying they are not doing an effective job managing enterprise risk.

[1] The New Value Integrator, Insights from the Global Chief Financial Officer Survey, IBM (2010)

CHAPTER 3

Where Does Continuous Controls Monitoring (CCM) Software Fit In?


The first step is recognizing you need more control. The next step, a crucial one, is figuring out what to do about the situation. In this chapter, we'll introduce you to the many wonders of Continuous Controls Monitoring, which is handy like nothing else for helping folks manage out-of-control business processes (among other things).

CCM 101
Gartner defines Continuous Controls Monitoring as an emerging governance, risk and compliance technology that monitors controls in ERP and other financial applications to improve financial governance, monitor and verify access and transactional rules, and automate audit processes. It's a mouthful, but it's thorough. Put a bit more simply, CCM systems ensure the integrity and accuracy of the information you use to run your business by enabling you to identify and respond to risks, accounting errors, policy violations, fraud or just about any business exception that is impacting your performance.

CCM solutions work by enabling finance and audit departments to implement both preventive and detective controls. This means that managers define at the outset who has permission to complete varied tasks, and they are alerted in real time if any of the rules they set are broken. CCM empowers businesses to establish both who can do what tasks (through application configuration and user access controls) and to visualize what employees have actually done (through master data and transaction controls).

We're not saying that this approach is the new skinny jean, or that it'll get you a date, but it's hard to ignore the momentum in the marketplace towards CCM systems. A recent study by KPMG found that more than 50% of organizations were considering or piloting continuous monitoring and auditing tools.

You could think of a CCM system as a home security system for your business that:
Makes sure all of the doors and windows to the building are locked
Makes sure only the right people have the keys
Monitors what people are doing once they are inside the building

KPMG Continuous Monitoring & Continuous Auditing Survey, 2010

"Too little attention has been placed on continuous controls monitoring by chief financial officers, internal auditors, and corporate risk management and compliance leaders. By automating financial controls monitoring, CCM solutions can increase operational efficiency for critical financial processes, reduce fraud and improve financial governance, resulting in a substantial return on investment."

French Caldwell, Research Vice President, Gartner Inc.

OK... I Admit It... I'm a Control Freak. Tell Me What I Can Control.


Now let's take it down a level and see what you can actually control.

Making sure the doors and windows are locked: Most financial applications come with a basic set of configuration settings designed to govern "Who Can Do What" and set up the official processes (i.e. the doors and windows). With CCM, you can continuously monitor those settings to make sure the windows stay shut and the doors stay locked. So if anyone tries to get around the rules you set, you'll hear about it.

Controlling who gets to hold the keys: Application controls address the question of who has the keys. Can a single employee both create a vendor and execute a payment to that vendor? Who is able to access personal information stored on company servers? You need control over "Who Drives Where."

Monitoring what people are doing: Transaction and master data controls operate more like motion detectors or video cameras, alerting management as appropriate to breaches in established rules. With CCM, you can see, via real-time alerts, just "Who is Doing What," and unusual activity or breaches in established rules are flagged for you. So, for instance, if a non-approved employee takes a peek at confidential employment records, tries to override existing controls, or alters master data, you're notified, so you can step in then and there to see what's what.

[Figure: Monitoring Multiple Controls & Applications for Multiple Stakeholders]
Multiple Stakeholders: Outsourcing Partners, Finance/CFO, CIO/IT, Risk Management, Human Resources, External Audit
Multiple Controls: Access to Applications (Can anyone ?), Application/Process Configuration (Do our systems allow anyone to ?), Master Data (Is the underlying data accurate?), Transactions (Did anyone)
Multiple Applications: Financial Systems, Purchasing Systems, ERP Applications (SAP, Oracle, PeopleSoft, CGI), CRM Systems, HR Systems
Processes: Travel & Expense Management, Purchasing Cards, Procure-to-Pay, Order-to-Cash, Manage & Certify User Access, Account-to-Report

CCM systems ship with rules designed to monitor and correlate all four types of controls across multiple systems and a range of processes, including the core financial processes illustrated above.


How CCM Works: A Day in the Life of an Exception


Now that we've explained what you can control, let's do a deep dive on the how. We said before that CCM systems let you identify and respond to business exceptions. That's important, because the only way you get a return on your CCM investment is if you can do something about the anomalies you uncover. Here's how that happens.

Identifying exceptions: With CCM, you decide beforehand what transactions are risky for your business, so that you're alerted right away when issues pop up.
Viewing the context: This lets you dive into the situation at hand, to get a sense of whether a transaction is a No-Go or something that won't come back to haunt you.
Investigating: CCM's risk scoring and analytics capabilities let you understand the financial impact of each exception (or group of exceptions) and flag things you'll want to follow up on.
Taking action: Remember those grade school "Check Yes or No" romantic offers? This is like that, only with business exceptions. Want to approve this exception? Click Yes or No.
Tracking results & trends: Want to make a rule for the type of transaction you just reviewed? Or to see how many more like it come across the transom? That's what we call tracking results and trends. It's pretty handy come audit time.
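The exception cycle above, applied to the earlier question of whether a single employee can both create a vendor and execute a payment to that vendor, as an added example (not part of the original eHandbook and not any vendor's code). The event records, the rule ids SOD-01 and MD-01, and all function names are hypothetical and constructed for illustration.

```python
"""Added example: identify, prioritize, disposition and track control exceptions."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample ERP audit-log events (not taken from any real system).
EVENTS = [
    {"id": 1, "user": "asmith", "action": "create_vendor", "vendor": "V100"},
    {"id": 2, "user": "bjones", "action": "create_vendor", "vendor": "V200"},
    {"id": 3, "user": "asmith", "action": "pay_vendor", "vendor": "V100", "amount": 48000.0},
    {"id": 4, "user": "cwu", "action": "pay_vendor", "vendor": "V200", "amount": 1200.0},
    {"id": 5, "user": "asmith", "action": "pay_vendor", "vendor": "V100", "amount": 9500.0},
    {"id": 6, "user": "bjones", "action": "pay_vendor", "vendor": "V200", "amount": 300.0},
    {"id": 7, "user": "cwu", "action": "pay_vendor", "vendor": "V999", "amount": 700.0},
]


@dataclass
class ControlException:
    rule: str        # hypothetical rule id: SOD-01 or MD-01
    event_id: int
    user: str
    vendor: str
    amount: float
    status: str = "open"
    reviewer: str = ""


def identify_exceptions(events):
    """Identify: inspect every payment, not a sample.

    SOD-01: the payer is the same user who created the vendor record.
    MD-01:  the paid vendor has no creation record in the log at all.
    """
    # Build the creator map first so event order in the log does not matter.
    creator = {e["vendor"]: e["user"] for e in events if e["action"] == "create_vendor"}
    found = []
    for e in events:
        if e["action"] != "pay_vendor":
            continue
        owner = creator.get(e["vendor"])
        if owner is None:
            rule = "MD-01"
        elif owner == e["user"]:
            rule = "SOD-01"
        else:
            continue  # a different user created the vendor: duties are separated
        found.append(ControlException(rule, e["id"], e["user"], e["vendor"], e["amount"]))
    return found


def prioritize(exceptions):
    """Investigate: rank by financial impact so the largest exposure is reviewed first."""
    return sorted(exceptions, key=lambda x: x.amount, reverse=True)


def exposure_by_user(exceptions):
    """Investigate: total amount at risk per user, across all of their exceptions."""
    totals = {}
    for x in exceptions:
        totals[x.user] = totals.get(x.user, 0.0) + x.amount
    return totals


def resolve(exc, reviewer, approve):
    """Take action: the yes/no decision. Nobody may disposition their own exception."""
    if reviewer == exc.user:
        raise ValueError("reviewer cannot disposition their own exception")
    exc.status = "approved" if approve else "rejected"
    exc.reviewer = reviewer
    return exc


def trend(exceptions):
    """Track results: count of exceptions per (rule, status) for reporting."""
    return Counter((x.rule, x.status) for x in exceptions)


if __name__ == "__main__":
    queue = prioritize(identify_exceptions(EVENTS))
    for x in queue:
        print(f"{x.rule} event={x.event_id} user={x.user} vendor={x.vendor} amount={x.amount:,.2f}")
    print(exposure_by_user(queue))
    resolve(queue[0], "dlee", approve=False)  # "dlee" is a constructed reviewer name
    print(dict(trend(queue)))
```

Event 4 is deliberately not flagged: the payer differs from the user who created the vendor, which is the separation the control is meant to enforce.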

[Figure: Typical Process for Identifying & Responding to Business Exceptions With Continuous Controls Monitoring]
Identify Exceptions (Exception Identification): Inspect 100% of your data and transactions. Automatically identify exceptions as they occur. Alerts ensure issues are addressed immediately.
View Context (360° View of Exceptions): Drill down to view related information and quickly identify the root cause of each exception.
Investigate (Risk Scoring & Analytics): Quickly understand the financial impact and risk of each exception so you can prioritize follow-up.
Take Action (Exception Management): Manage exceptions, assign them and collaborate with others via email from within the CCM system. Track progress and follow-up via dashboards and reports.
Track Results & Trends (KPIs, Dashboards & Reporting): Track KPIs and automate management reporting with configurable dashboards and reports personalized for each role or user.


Moving Beyond the Snapshot: Continuous Auditing and Continuous Monitoring


In the days before Enron, Tyco, WorldCom and Sarbanes-Oxley, audit time came just once a year. Books were closed at the end of the fiscal year (either balanced or in the red) and that was that. What a difference financial crises (and dramatic improvements in technology) make. Today few can afford to take a snapshot approach. If something's wrong or out of place, you want to know so you can fix it. And everybody (IT, audit, finance and even HR) has a role to play in mitigating risk.

CCM provides a single platform that functions across the organization, from finance to IT to audit and beyond, and that enables you to reduce risk in your business. Our number-crunching friends in finance are smitten by the way CCM continuously monitors key risks and uncovers accounting errors right away. Audit loves it because it (finally) lets them do true continuous auditing, replace manual sampling and enable point-in-time snapshots. And IT can finally say bye-bye to time-consuming user access and certification tasks, since CCM pushes accountability for access controls out to the business users who can understand the risks. (It does not, however, julienne fries.)

[Figure: CCM Systems Enable Finance & Audit to Share a Single Solution for Continuous Auditing & Continuous Monitoring. Panel labels: Continuous Controls Monitoring (CCM) System; Continuous Monitoring; Continuous Auditing; CFO/Finance/Controller; Internal Audit; Exception Identification; Automated Testing; KPIs, Dashboards & Reporting; Risk Scoring & Analysis; 360° View of Exceptions; Exception Management; Audit Trail; Financial Systems; Purchasing Systems; ERP Applications; CRM Systems; HR Systems.]

Continuous Monitoring: A CFO's Right Hand


With continuous monitoring, businesses can react quickly to address the mistakes, miscalculations, even the typos that could prove costly if left to stand. This improves the reliability of controls and improves management oversight, policy enforcement and operational efficiency. Line managers across functions gain visibility into process breakdowns and errors right away so they can make crucial decisions about acceptable risk and mitigation strategies before mistakes become costly, before fraud goes on the books, before errors become losses (and CFOs start to get nervous).

Continuous Audit: The Number-Cruncher's Best Friend


Automated continuous audits bring real cost savings, and they also eliminate the limitations associated with manual sampling. By automating the tasks that keep so many audit teams busy with yearly audits, CCM improves the frequency of tests performed and expands the breadth of data tested, freeing auditors to spend time investigating true exceptions, rather than gathering data.

CHAPTER 4

How Do You Get Started with CCM?


Starting to appreciate the value that some fine-tuned (and automated) controls testing could add to your organization? In this chapter we talk about just how folks typically go from the realization that they need more control to embracing their inner Control Freaks and reaping the business benefits.

Different Starting Points for Different Parts of the Organization


There are three main functions within organizations that generally drive CCM adoption: finance, internal audit and IT. Each of these organizations uses CCM to address unique challenges solely within their own domain. But one of the largest strengths of CCM systems lies in their ability to address common business challenges that span these three organizations.

Financial Governance: Are you doing what you should be for SOX, HIPAA, FCPA, and HCR? Is there an acronym you've left out? Are you ready in the event regulators pass entirely new acronyms?
Internal Audit Efficiency: How can you automate more of your audit process and reduce the need for manual checks? Any chance you could save a little money and manpower in the process?
Improved Security: You want to be sure all the information you're entrusted with is locked down, and that you're tightly controlling access.
Fraud Prevention & Monitoring: You know how costly fraud can be and how prevalent it is. You need visibility into your daily business operations to make sure nothing gets by you.
Risk Management: Have you got a holistic way to monitor key risks across your enterprise, to understand where you're vulnerable and monitor changes on a daily or weekly basis?
Audit Findings: Bee stings have nothing on the burn of dings from an auditor. Make sure it doesn't happen again.

[Figure: Common Buying Drivers for Continuous Controls Monitoring by Organization. Overlapping circles for Internal Audit, Finance and IT. Drivers shown: Fraud Prevention & Monitoring, Improved Financial Governance, Audit Finding, Audit Efficiency, Reduced Risk, Improved Security.]

See all the overlap here? That's one of the big reasons the first step in a CCM initiative is to bring key functions together to talk. CCM isn't a single function's domain, and it relies on a collaborative approach to be truly successful.

ONE STONE. MULTIPLE BIRDS. Everybody comes to CCM with their own motivations. The great thing about CCM is that it can accomplish so many goals across super-varied functions.


One Common Approach


Whether you come at your CCM project from finance, internal audit or IT, successful projects start with a common approach that includes some very specific short-term goals and a long-term vision. What are the common drivers for CCM implementation? Usually there are pretty clear pain points. For some, procurement costs are out of control. Others are desperate to fix order accuracy issues or skyrocketing audit costs. Just about everyone, particularly the folks who've had some dealings with it (and most people have), has an eye toward reducing risks from fraud.

So where to start? Two things. You want to consider early on your primary goals for implementation across the organization, whether that's reduced risk or fostering a culture of compliance or reining in costs. Then choose some urgent pain points to tackle. Set short-term, measurable goals, knowing that once you've got the hang of things, you can quickly transition to delivering on your long-term vision. Successful projects share a common approach that typically includes some form of the following steps:

What's Your Primary Objective: Want to improve your financial governance? Reduce audit fees? Pass your next audit? You should keep your primary needs front and center in designing your CCM approach.
What's Your Long Term Vision: Where do you want to be two years into your CCM initiative? Ten years in? It's good to be mindful of the kind of cross-functional collaboration you'd like to see, as well as the overall culture you'd like to encourage in your business. Approach your CCM implementation mindful of where you want to steer it.
Assemble the Right Team: Make sure you've got buy-in from people who can make a CCM initiative succeed. Err on the side of inclusion when you invite various functions to the CCM table, and make sure you've got process experts involved early on.
Start With a Small Project & Expand: Start with a few controls that achieve your primary objective but validate the long-term vision.

Common Starting Points for a Control Freak Outside the Office


Love. It might not sound romantic, but the better you manage your time in the office, the more you'll have for loved ones in your life.
Finances. No more relying on the ATM to tell you your cash stash. Balance that checkbook!
Friends. Leave work at the office so your personal time can be spent really engaging with your friends. Keep friends' birthdays in a calendar, and listen while you're with them throughout the year for things they really admire or enjoy. Keep those in a list, and come gift time, you're set.

"We Need to Rein In Procurement Costs"
"Our Business Needs to Get Control of Our Fraud Risks"
"We've Got to Ensure Order Accuracy & On-Time Shipments"
"It's Time to Reduce our Audit and Compliance Costs"


Picking a Starting Point


"That all makes sense," you think. "But where do most other people start?" It's a frequent question for those who are new to CCM. If you look broadly across most companies who have implemented CCM systems, there are two common characteristics of where they focused their initial deployment:

Processes with the greatest risk and/or monetary impact
Large volumes of transactions and number of users

Put another way, they invest based on where they can get the most bang for their CCM buck, and where they've got the most to lose without a CCM solution in place. In our experience the top five starting points are:
Procure-to-Pay Process
Account-to-Report
Purchasing Card Programs
Travel & Expense Process
Order-to-Cash Process

One very common starting point is financial reporting itself. It's a polite secret among those in finance that reported financial results are a rough approximation of the amount of money made or lost in a given period. The trick is to make sure you're within a defensible margin of error, so that any mistakes on the books aren't biggies. Since financial reporting is so open to automation and so handy in rooting out problems as they happen (as in, before they cost a business serious bank), it's an especially popular place to kick-start a CCM program.

Which Specific Process/Activity Areas Do You Expect to See the Most Significant Benefits? [1]
Purchase to Payment: 62%
Fraud Risk Management: 54%
Treasury & Cash Management: 46%
Sales Order to Cash Receipt: 38%
Third Party/Contract Management: 37%

Focus on Fraud
Fraud is on the rise, affecting 75% of U.S. organizations* and costing U.S. companies some $700 billion annually. Unfortunately, fraud seems to be one of those things people assume won't happen to them until it does, at which point they throw money at the problem. Trust us when we say that's not the best approach. Since most fraud is the result of ineffective controls, a CCM solution that monitors the effectiveness of controls is a great (and more affordable) way to tackle it.

* Association for Certified Fraud Examiners

[1] KPMG Continuous Monitoring & Continuous Auditing Survey, 2010


Start Small... and GROW


Remember when you were a kid and everyone used to say "you've grown so much"? The strongest CCM initiatives go the same way, starting small and quickly growing over time.

Start with a strong team. Once you've decided where to start your CCM initiative, it's crucial to bring each key stakeholder together to answer some key questions and make decisions on key issues. While building a cross-functional team can be a challenge, the organizational benefits (cost savings, increased efficiency, streamlined audits, and reduced risk) make the initial investment more than worth the effort.

Agree on what gets monitored. Once you've leveraged your Control Freak capabilities to bring your stakeholders together, the first step is to identify and agree to a set of controls to be monitored. Is your priority to get the most for your CCM buck, or to aim quickly for your biggest vulnerabilities? Agree on a strategy, and try to start by developing some rules that will demonstrate value to multiple parts of the organization. By focusing at the outset on achievable, measurable goals, you'll start yourselves out on a positive note as you get your CCM initiative off the ground.

Who owns the exceptions? Whose job is it to fix the problems you find? Trust us when we say you want to figure this part out early.

Define your metrics for success. The final issue in developing your CCM initiative is to decide how to monitor the progress of exceptions and how they are being remediated. Dashboards are great for providing a consistent view of overall business performance, such as key performance indicators or key risk indicators. You'll also want to seriously consider how you're delivering progress reports. Often, management will want to see aggregated data in dashboards, while lines of business will want to see the details of their transactions.

Categorizing Control Freaks Outside of the Office


Beginners: You're not great about calling people back. Or remembering birthdays. Or showing up for meetings. Maybe it's time to see what that calendar on your phone is all about.

Intermediate: You're remembering all your commitments and showing up on time, even. Prepared! Your friends are delighted to actually talk with you instead of voicemail.

Advanced: You're getting rave reviews. The folks at the Container Store know you by name, and David Allen calls you for organization tips. The idea of planning an event gives you neither heart palpitations nor hives.

CHAPTER 5

What Can CCM Offer You?


We've talked a good bit here about risk, fraud, accounting errors and audits, all nasty things that CCM can help prevent. Hopefully by this point it's clear that there's a lot for organizations to gain from CCM. But let's take a shortcut to one of the questions we know you're thinking . . . even if you're not asking it. What's in it for me?

So What's In It for Me?


We can't guarantee a ticker-tape parade or cash prizes for those who kick off a CCM initiative... but we're pretty confident in saying that it can change your life for the better.

Handy Byproducts of CCM Involvement:

Time: CCM gives you more time to focus on what you enjoy doing, and less on the... well, we're just going to go out there and say it: more monotonous aspects of your job. Sure, some people enjoy tracking down accounting errors under the pressure of the financial close or executing an audit plan for the umpteenth time. But for the rest of us, there are big-time advantages to the ways that CCM automates repetitive tasks, leaving more time to spend on the parts of your job that provide real rewards. Speaking of fun, for anyone keeping track, we can say with authority that it is much more fun to focus on emerging threats than to worry about existing ones you might be missing.

Fame: OK. Aiming for the cover of People magazine may be a bit of a stretch, but CCM done right will make people stand up and take notice. One sure-fire way to make a name with the C-suite? Go find a control that you can eliminate, or some money that's being wasted, or use analytics to show managers metrics on their business they haven't seen before. Maybe recommend a way to simplify a process instead of adding new tasks on top of a process. Using CCM to save your organization time, money and resources is a great way to earn respect, and it's not a bad way to do business.

Experience: Remember when ERP systems were a novel concept? When telecommuting sounded crazy? When SOX was scary and new? CCM isn't so different. The skills you build implementing a CCM project are the skills and experience that are going to be in high demand in your company and across the marketplace. Because the more businesses can control, the more they will be expected to control.

Ten Things We Cannot, Unfortunately, Offer You Through CCM. (Though We Would If We Could!)

1. A pony
2. Or a puppy
3. iPad
4. Candy
5. Cash prizes
6. World Peace
7. A cure for the common cold
8. A fountain of youth
9. A Get out of Jail Free card (though we fervently hope you'd be less likely to need it for biz-related reasons)
10. The perfect Father's Day gift for your dad (unless he's a CFO, in which case you are golden)


CCM Makes It Easier to Do Your Job. Well.


CCM brings serious value to the work that you do. Automation means that you're freed up to spend your time on your actual job, rather than ever-increasing risk management, audit and access issues, and it gives you security that your business is insulated from fraud, errors and waste.

Whether You're In Finance...
Tracking down accounting errors. Audit prep. Collections calls. The finance pros we know have a lot they'd rather be doing with their time. Whether you're itching to strategize about emerging risks, or making sure you're keeping audit and IT focused on the highest priority risks, or brainstorming where best to use your limited resources, CCM brings time savings that let you focus on the work you want to do: the kind that grows your business and makes for happy boards and investors.

Or Risk Management...
Getting an organization to address risk across an enterprise can be like herding cats: easier said than done. To be honest, getting cross-functional buy-in that goes beyond the buzzwords to actual behavioral change isn't easy. CCM helps risk managers to make a convincing case for prioritizing risk, by showing how systematically addressing risk in everyday business processes brings wide-ranging business value, through greatly increased efficiency and invaluable visibility that improves performance across the enterprise.

Or Audit...
This is not your grandfather's auditor. To effectively audit business processes, today's auditors must go beyond number-crunching to become experts in the processes they're auditing. That's what CCM does. By enabling business users to continuously monitor high-risk activities, audit gains a partner in figuring out what's legit and what's cause for alarm. Since CCM's continuous audits give an evolving picture of the health of a business, auditors are liberated from Chicken Little-ing and have time to invest in known and emerging risks.

Or IT...
We don't know many IT pros who went into the business for the joys of configuring laptops, setting passwords and locking down access. CCM pushes ownership of user access controls to actual business owners, so that overburdened IT staff get to handle more demanding (okay, and more interesting) issues more quickly.

Quiz Time: How Should You Spend The Time You Save with CCM?
A) Lavish holiday party planning
B) Fantasy football draft
C) That novel you've always wanted to work on
D) Memoirs of a well-rested finance pro/auditor/risk manager
E) Your actual job
(If you answered anything but E, you may be a key risk yourself.)

CHAPTER 6

Charting Your Progress


We talked earlier about CCM 101, and a little bit, too, about the importance of starting small and growing with a CCM initiative. In this chapter, we're going to go a little deeper and take a look at just how CCM programs progress from those first baby steps to where they impact the culture and operation of an entire organization.

The Controls Automation Adoption Curve


It's pretty cute, actually, the way that these things develop. We get a little sniffly, thinking of companies we know who started with those baby steps into CCM, and how they went from no automated monitoring at all and then progressed process-by-process up the adoption curve. Like so much else in life, what starts with baby steps can lead to seriously impressive transformation, and it's pretty gratifying to watch that happen, especially when your job gets easier at every step.

Control Freak Development


Just like regular people, Control Freaks follow very predictable patterns of development. Common stages are marked as follows:

Infant: You're thinking a list or two might help you manage your tasks.
Toddler: And maybe a calendar as well?
Teen: Nobody even understands what you're dealing with. OMG!
Young Adult: Acceptance that you need all-the-time access to task lists, calendars and contacts. Blackberry, iPhone, Droid, whatever. You need something. Bad.
Middle Age: Folks are coming to you asking how you manage to get it all done. You make it look easy!
Seniors: Your Alaskan cruise is the absolutely most meticulously planned, Norwalk-Virus resistant cruise in the history of retirement.

While CCM initiatives can start at several different points, as organizations move up the controls automation curve they generally mature along a consistent trajectory:

What are you monitoring? Who is monitoring it? Why are you monitoring it? How are you monitoring it? How are you measuring success?


From Baby Steps to the Big League Returns...


In the beginning...
Most organizations aren't doing formal monitoring before they start their CCM initiative. Generally, internal audit is performing audits to meet external requirements, with finance performing spot checks here and there, usually during or around the audit itself. Anything fishy gets manually sampled or investigated, and there aren't any real ways to measure success. For the most part it's a brute force exercise, and often a race against the clock, too.

Soon (if all goes according to plan)...


As a CCM program starts to take shape, we see how those baby steps impact the organization. The procure-to-pay process is often where companies focus first, often in combination with looking at related changes to the general ledger. Usually one organization takes the lead (either finance or internal audit) and the primary focus is on improving the efficiency of the testing process itself. Monitoring is often still event-driven at this point, and success is measured in terms of the amount of time required to test controls and prepare for audits.

A bit later...
Once they've got the hang of monitoring, organizations are ready to check out the CCM system's road-worthiness. Think that bad boy can make mincemeat of those key risk indicators the same way it slashes audit preparation time? At this point, automated monitoring is old hat. If finance wasn't driving the project initially, they are now fully in the driver's seat. They are finding and fixing accounting errors, analyzing the risk and impact of exceptions the CCM system finds and assigning ownership for follow-up. High-priority exceptions are being routed for quicker review. At this stage, success is measured by cash leaks and increased efficiency in addition to the time savings already being tracked.

Now we're talking... Here's the whole enchilada!


Before too long, you're looking at all sorts of different processes: order-to-cash, travel and expense, p-card programs, you name it. Finance, internal audit and executive management are each using the system to support their unique needs, and CCM is even supporting your enterprise risk management (ERM) program by monitoring trends in key risks. At this phase, we measure success by diminished risk and cash leaks prevented, and process owners are accountable for how quickly they are closing high-risk exceptions.

CCM Adoption Curve

Level 1
What Are You Monitoring? No Formal Monitoring. Ad Hoc Reviews Only. Often Prior To or During Audits
Who's Monitoring? Audit Organization Performs Audits. Finance Performs Spot Checks
Why Are You Monitoring? To Comply with External Audit Requirements
How Are You Monitoring? Manual Sampling and Spot Checks
How Are You Measuring Success? No Measurement System in Place

Level 2
What Are You Monitoring? Procure-to-Pay OR General Ledger
Who's Monitoring? Finance OR Internal Audit
Why Are You Monitoring? Automate Testing
How Are You Monitoring? Review Quarterly to Prepare Audit-Related Reports
How Are You Measuring Success? Time Testing Controls; Audit Preparation Time

Level 3
What Are You Monitoring? Procure-to-Pay AND General Ledger
Who's Monitoring? Finance AND Internal Audit
Why Are You Monitoring? Automate Testing; Prevent Errors
How Are You Monitoring? Review Monthly/Weekly; High-Priority Exceptions Routed for Review
How Are You Measuring Success? Time Testing Controls; Audit Preparation Time; Cash Leaks; Process Efficiency

Level 4
What Are You Monitoring? Procure-to-Pay, General Ledger & Order-to-Cash
Who's Monitoring? Finance, Internal Audit & Exec. Mgmt.
Why Are You Monitoring? Automate Testing, Prevent Errors & Monitor Risks
How Are You Monitoring? Review Weekly w/ Exceptions Routed to Process Owners
How Are You Measuring Success? Time Testing Controls; Audit Preparation Time; Cash Leaks; Process Efficiency; Risk Likelihood/Impact

Level 5
What Are You Monitoring? Procure-to-Pay, General Ledger, Order-to-Cash, T&E/P-Cards & Other Processes
Who's Monitoring? Finance, Internal Audit, Exec. Mgmt & Bus. Managers
Why Are You Monitoring? Automate Testing, Prevent Errors, Monitor Risks & Monitor KPIs/KRIs
How Are You Monitoring? Daily Reviews & Remediation; KPIs/KRIs Tracked Using Dashboards
How Are You Measuring Success? Time Testing Controls; Audit Preparation Time; Cash Leaks; Process Efficiency; Risk Likelihood/Impact

CHAPTER 7

Why It Pays to Be a Control Freak


While being a Control Freak can bring all kinds of benefits, from the personal (friends won! people influenced! job improved!) to the professional (goals achieved! execs impressed!), at the end of the day someone's going to want to boil it all down to DOLLARS & CENTS. In this chapter we'll help you add those pennies up and lay out all the hard and soft benefits a CCM system provides.

Let's Talk CCM ROI


Albert Einstein & CCM
Remember Einstein's famous theory of relativity (stage whisper: all motion is relative)? Well... 100 years later the same principle applies to measuring the ROI of CCM: people measure value from different perspectives. What gets a Controller excited about CCM is not necessarily the same as what's going to jazz up a Chief Compliance Officer. The one thing everyone can agree on, however, is, simply put: CCM initiatives pay off. And no matter where you sit, the benefits of a CCM project typically fall into one of the following three categories:

Cash Leaks: These are hard dollar savings guaranteed to please the CFO. They can include everything from unnecessary or inappropriate payments to missed discounts to (shhh) fraud.

Improved Efficiency: Here we're talking about reducing good, old-fashioned hard work. Save that elbow grease for something that adds a bit more value. With CCM, you can eliminate manual effort by automating control tests and reducing the time spent investigating and resolving exceptions and all of the busy-work that goes into supporting audit and compliance requirements.

Reduced Risk: Wouldn't it be horrible if...? That's what this category of CCM benefits is all about. Preventing bad things from happening. By monitoring controls on a regular basis you can find problems when they happen and reduce the likelihood of adverse events, such as an audit finding or financial restatement.

CFO/Finance: Hard-dollar savings from preventing and reducing cash leaks; reduced risk from improved assurance and effectiveness of internal controls; reduced cost of risk & compliance monitoring

Compliance/Risk: Reduced risk of adverse audit findings & fraud; reduced cost of compliance; reduced cost of monitoring key risks

CIO/IT: Improved security and integrity of financial applications & data; reduced time supporting audit & compliance requirements; reduced IT cost of ownership

Internal Audit: Reduced time spent testing routine controls; improved effectiveness and quality of audits due to increased breadth and depth; reduced cost of audit

CONTINUOUS = 100%
With continuous controls monitoring you're looking at 100% of your applications, 100% of your users, 100% of your transactions, 100% of the time.


Show Me the Money!


We talked earlier about how companies choose to start their CCM initiatives on a particular process or problem and then quickly expand. Your own business case will depend in large part on where you get started. Here we offer a framework for you to use when building your business case as well as some rules of thumb when adding up the numbers. Of course, if you've worked in more than one organization you know that no two companies do things exactly the same, so remember what that guy says at the end of all of the car commercials: your mileage may vary. Your actual benefits will depend on what your processes look like, what your application landscape looks like and what your key risks are.

Preparing Your Business Case
While it's by no means a hard and fast rule, many CCM business cases follow an interesting path. Often, the business challenge companies want to address is focused on reducing risk. Whether it's catching accounting errors and mistakes that creep into their financial statements, addressing an audit finding or responding to fraud, they know they have unwanted risk. But when it comes time to send the business case up the ladder for approval they need to show hard numbers like hours saved or dollars found. The good news is that you can have that cake and eat it too. The chart below uses a relative scale to show for each process how CCM can both reduce risk and save time and money. As you'd suspect, each process has a different mix of benefits. For example, a CCM project focused on the procure-to-pay process will have benefits more heavily weighted toward cash leaks and improved efficiency while the benefits of a project focused on monitoring general ledger transactions will be comprised primarily of reduced risk and improved efficiency.

Summary of Benefits Achieved by Using CCM
Processes compared: User Access, Procure-to-Pay, Order-to-Cash, Record-to-Report, Travel & Expense, P-Card Programs

Benefits rated in the chart (relative scale, $ to $$$, for each process):

Improved Efficiency: Reduced time and cost to test controls; reduced travel costs for internal audit staff; reduced audit preparation time; reduced external audit testing time; reduced time establishing control policies; improved utilization & retention of internal audit staff

Reduced Risk: Reduced risk of accounting errors and mistakes; reduced risk and cost of audit findings; reduced risk of financial misstatement or delayed 10-K filing

Cash Leaks, Waste & Fraud: Reduced losses from fraudulent payment and billings; reduced time spent finding & correcting accounting errors; reduced inappropriate payments; increased working capital; reduced unwanted purchases; improved cash flow from better enforcing payment terms

80%: Reduction in audit and compliance costs for each manual control or policy automated with CCM

90%: Reduction in likelihood and impact of risks monitored by using CCM

2-4%: Portion of monitored expenses recovered or prevented by using CCM

CHAPTER 8

Staying in Peak Shape


Way back in Chapter 1 (and if you've gotten this far, you deserve some sort of prize) we talked about how at the end of the day pretty much every company wants to maximize revenue, minimize cost and satisfy their customers while ensuring that they are protecting against the risks they face and giving their employees the maximum amount of freedom. The problem is that we live in a world where change is a constant, and it's challenging to predict what risks are going to impact your business and in what ways.

Change is Constant

Like the Boy Scouts & Girl Scouts... Be Prepared!
There's a reason that scouts have had the "Be Prepared" motto drilled into them for the last 100+ years. It's as applicable today as it was back in 1907 when the first scout recited it. The environment (both internal and external) that organizations operate in today is so complex that you have to be prepared not only to change how you run your business but how you control it as well.

Many CCM projects get started by addressing issues or problems that have cropped up in the past. A common pitfall companies fall into is failing to keep one eye on the windshield. To make sure you're prepared for new challenges that come over the horizon you should make sure your CCM system has the following capabilities:

1. Test & Monitor Multiple Applications
2. Perform Advanced Analytics to Find, Measure & Manage Exceptions
3. Provide Ease of Use for Multiple Stakeholders
4. Provide Ability to Tailor Exception Remediation Process

Internal & External Challenges that Impact Controls Automation

External challenges: Global Economy; Increased Competition; Spikes in Demand; Emerging Markets; Regulatory Changes; New Competitors

Internal challenges: Complex, Global Organizations; Mergers & Acquisitions; Integration of New Systems; Multiple ERPs & Legacy Systems; Thousands of Users; Millions of Transactions

Diagram labels: Controls Governance Layer; Master Data; Front Office; Demand Data; X-actional Data; Back Office; Historical Data; Analytics & Decision Support


Staying Ahead in an Era of Rapid Change


So once you've got your CCM system humming, what changes do you need to stay on top of to remain in peak shape? Nearly every function in an organization these days is under tremendous pressure from a variety of sources, whether that's regulators knocking at your door, customers asking for the latest and greatest, competitors breathing down your neck, or shareholders looking to see better return on their investment and to insulate investments from the risks of doing business in today's world. You need to be equally agile in the way you are monitoring controls around those changing processes, and you need to make sure that your CCM system can support you in that fast-changing environment. With that, we leave you with just a few examples of major changes that are going on in your business and which your CCM system must be prepared to address if you want to stay in peak shape.

Customer-Facing Processes
It wasn't all that long ago that standard delivery time was 5 days rather than overnight. And remember when your mother or grandmother used to shush you because someone was calling long distance on the phone? Now that we're in the age of insta-everything, customer expectations are increasing exponentially, often faster than companies' ability to deliver on them. The penalty for poor service has increased, too. In the past, a negative customer experience generated a call to a manager, or at worst, the Better Business Bureau. Now it's more likely to lead to an online tirade that everyone can see (and circulate). All of this raises the stakes and requires businesses to identify and resolve issues quickly and thoroughly or risk being left behind (and maybe panned on Facebook, too).

Regulations
To hear the grumbling in 2002, one would have thought that SOX would be the be-all-end-all corporate regulation. And to be sure, SOX did send a number of U.S. businesses scrambling to get processes in place to ensure compliance. But that was far from the end of the story. The financial crisis and ensuing finger-pointing have brought about renewed interest in everything from financial reform to consumer protection, and a raft of brand-new regulations to boot. And we'd be willing to bet a good bit that more regulation is on the horizon. Businesses today need systems to ensure compliance with an ever-changing regulatory landscape, and those systems need to work to address requirements and vulnerabilities across functions without disrupting business flow.

Cost
All of these challenges (staying ahead of innovations, expectations and regulations) come at a time of unprecedented demands on business users, who are constantly being asked to do more with less. With raw materials and labor fungible across borders, and with growing competition from emerging economies in India and China, cost pressures are only set to increase. That means that businesses need systems that can cost-effectively meet these increasingly burdensome demands.

AFTERWORD

Own it, Control Freaks!


Being a Control Freak can bring all kinds of benefits. For one thing, your friends and colleagues know they can count on you, and having that kind of reputation is good for all kinds of relationships. For another, maintaining a firm handle on your commitments means you can spend your free time on the things you enjoy, rather than catching up or fretting about what you've still got to do. Not to mention that embracing your inner Control Freak leaves you better able to respond when life throws its inevitable curve balls, the kind of things that even Felix Unger couldn't plan for.

Embracing your inner Control Freak at work (owning your need to plan carefully, to account for myriad risks, to streamline the complicated processes that drive so much of business today) can be tremendously valuable professionally, not just for the Control Freaks desiring accolades for great ideas, but for businesses needing to insulate themselves from risk and improve the ways they do business.

Continuous Controls Monitoring enables entire organizations to join the Control Freak bandwagon, so that key risks are identified, assessed and monitored, reducing the fraud, theft, errors and waste that cost companies a fortune every year. CCM enables companies to do business more effectively, to meet compliance and reporting burdens more easily, and to operate with less risk, enabling the Control Freaks so crucial to those efforts to sleep well at night. (In a very, very tidy room.)

ADDITIONAL RESOURCES

Additional Resources

Approva One Product Overview: www.approva.net/one
Control Freak Central: www.ilovecontrolfreaks.com
Approva Website: www.approva.net
Control Freak Blog: www.approva.net/controlfreak
Gartner CCM Magic Quadrant: www.approva.net/gartnerccm
Onetropolis: www.onetropolis.com


Approva is the leading provider of continuous controls monitoring software and is the industry standard for the Big 4 audit and advisory firms. Approva prevents fraud and reduces waste by automating and improving the way finance, IT, audit and general managers identify and manage risk throughout their business.

Approva Corporation
Address: 13454 Sunrise Valley Drive, Suite 500, Herndon, VA 20171
Phone: 703.956.8300
Web site: www.approva.net

2010 Approva Corporation. All rights reserved.
