Continuous Controls Monitoring: A Cost-Effective Way to Ensure Compliance

  • by Richard Hunt, Managing Director
  • Marc Jackson, Consultant, Turnkey Consulting
  • November 1, 2010
Continuous controls monitoring (CCM) can help reduce compliance costs, strengthen the control environment, and reduce the risk of unintentional errors and fraud. Learn how using CCM in your GRC activities can improve business process operations in an efficient, cost-effective manner.
Key Concept
Automated continuous control monitoring (CCM) can provide a wealth of benefits to a control and compliance framework, including: automating previously manual controls, eliminating excessive control testing, enabling organizations to make control self-assessments more accessible, sustaining compliance with one or more regulations, enabling test results to be reusable across multiple compliance frameworks, minimizing the risk of business losses via errors or fraudulent activities by reporting control breakdowns as they happen, and delivering a return on investment by improving business process operations. Other less obvious benefits include using CCM as a central repository for documenting, scheduling, executing, and recording the results of control operation and testing.

The current economic climate has presented many major headaches for employers. One that is discussed less often than reduced sales and higher operating costs is the increased risk of employee fraud. The elevated risk of being made redundant, or the frustration of having salaries frozen (or even reduced) for the foreseeable future, can make previously loyal staff search for control gaps in a business process that can be exploited for their financial gain. In addition, poor security and inappropriate levels of system access can lead to increased opportunities for users to perform fraudulent activities that can ultimately result in inaccurate financial reporting, or even material misstatements.

In striving for compliance with regulatory requirements such as Sarbanes-Oxley, many enterprises have already made significant strides in mapping their financial processes. These include identifying risks to the accuracy of financial reporting, documenting the internal controls (both business process and IT) necessary to mitigate these risks, and operating these controls as required to ensure compliance. However, the path to compliance is not without cost. The extensive resources needed to design, develop, operate, test, and assess compliance control points have resulted in significant financial burdens for most organizations.

The initial achievement of compliance is just the beginning. Compliance is a continuous journey, and after attaining an acceptable level of compliance through the implementation of a compliance and control framework, significant ongoing resource costs are often required to maintain compliance and ensure that internal controls are operating effectively. Companies often lack the internal resources or skill sets to maintain compliance, and they must continue to rely on external facilities to support ongoing compliance activities, which further increases cost. However, it remains a necessary evil to meet regulatory requirements and prevent fraudulent activities from affecting the financial statements. The answer lies in finding a way to streamline this process.

Richard Hunt

Richard Hunt is managing director of Turnkey Consulting, a global IT security company specializing in combining business consulting with technical implementation to deliver information security solutions for SAP systems. He has worked in the IT security industry for more than a decade. His career began as a security consultant at PricewaterhouseCoopers (PwC), where he specialized in SAP security implementations and IT security reviews. He has been involved in more than 20 IT security projects working across a range of business processes and industry sectors across the UK, Asia, and Australasia.

Marc Jackson

Marc Jackson is a consultant at Turnkey Consulting. He has worked in the IT security and audit industry for the past decade. His career began as a security consultant at PwC, where he specialized in SAP security implementations before moving into systems assurance work. He provided audit support services for statutory financial audits as well as Sarbanes-Oxley compliance engagements, focusing both on SAP and non-SAP systems. Throughout his career, he has been involved in a number of security implementations and audit engagements working across a range of business processes and industry sectors across Europe and Asia.

Marc will be presenting at the upcoming SAPinsider GRC 2017 conference, June 14-16, 2017, in Amsterdam.
