Continuous Monitoring: The future of Fraud and Financial Integrity Risk Mitigation

Over the last two decades of performing forensic accounting engagements, we have found that the electronic data captured in organizations’ information systems often contained the evidence that showed wrongdoing, error or mismanagement. Generally, the evidence came from a pattern in the data, from comparing data in two or more disparate systems, or from comparison of data to expected results. If investigations can detect this evidence after the fact, why can’t organizations institute systems to look for evidence of potential wrongdoing before the fact, and thereby mitigate the damage?

A few issues have prevented this proactive approach in the past. The sheer volume of transactions through most information systems, information from disparate systems with different data formats, and not really understanding what to look for, were some of the problems.

Today, great progress has been made in automating the types of analysis we have successfully utilized in our investigations. This has resulted in an automated approach, known as continuous monitoring. Luminescent has teamed with Oversight Systems (http://www.oversightsystems.com), the premier provider of Continuous Monitoring solutions, to bring the future of fraud and financial integrity risk mitigation to organizations in the Twin Cities.

Why are we such strong believers in Continuous Monitoring? For a few reasons.

• Traditional audit or other periodic review procedures may uncover the issue. However, these procedures are done after the fact. Today, it is well recognized that the timeliness of uncovering a fraud is hugely important. Uncovering a fraud that impacts the financial statements after a quarterly filing has serious implications for a public company. Continuous monitoring is basically done in real time thereby increasing the chance of detecting the fraud before financial statements are filed in the 10Q.
• The number of transactions through a company’s information system means that only a tiny proportion of transactions can be examined without an automated solution. Using an automated Continuous Monitoring solution, 100% of transactions can be examined at each step of the transaction process.
• Traditional audit procedures generally are focused on larger dollar transactions. Frauds are often evidenced in smaller transactions, or at least start in them. Continuous Monitoring is able to examine each transaction in the same manner.
• Reliance is often placed on automated controls intended to prevent certain transactions. However, in some instances, the controls may be overridden or otherwise not be effective. Continuous Monitoring provides assurance and evidence that those preventive controls are indeed working continuously and effectively and provides additional checks that go beyond traditional controls. .
• Frauds are often missed because the information necessary to identify them is housed in different systems. One of the simplest examples would be an employee who sets up a fictitious vendor. Both have the same address but those addresses are in different databases. As new employees or new vendors are added to their respective systems, the Continuous Monitoring system immediately identifies the anomaly and appropriate action is taken.
• Anomalies represented by high risk transactions or entries can be identified, including irregular timing or amounts. Some examples might include:
  • A higher per cent of revenue than normally recorded at period end.
  • A higher per cent of revenue recorded by non-standard journal entries rather than system generated entries.
  • Entries made in unexpected time periods such as weekends or overnight.
  • Entries moving amounts between reserves or from expense to asset accounts.
• The Continuous Monitoring system is objective. It examines all transactions, regardless of who initiated or approved the transactions. An AICPA study refers to Management Override as the Achilles Heel of internal control. Continuous Monitoring examines management transactions as well as all others.
• The Continuous Monitoring system can examine transactions done by system administrators where evidence of the transaction has been erased. For instance, a change to a payee master file name followed by a change back might be done to have a check issued in a name other than that recorded in the accounting records. The monitoring system keeps an auditable record of all transactions at each point in time.
• The system provides a workflow process that can accommodate different risk levels. For instance, exceptions that appear to be fraud or mistake can be routed differently. A mistake can be reported to the process owner for correction whereas a potential fraudulent transaction can be reported to audit or security or others designated.
• An audit record is developed and maintained that can be used later to document what transactions were flagged and what actions were taken.
• Since transactions are examined by the system, audit professionals can be directed to areas that are identified as needing additional examination and investigation, rather than doing routine audit procedures on the test sample.
• The Continuous Monitoring system can be customized to examine most types of transactions and to provide reports for any level of management or to the Audit Committee.
• Continuous Monitoring can also be used to monitor metrics that may indicate problems, whether of a fraudulent nature or not. For instance, most financial systems can report a business unit’s sales by customer, but the devil may be in the details. The total amount of the sale may seem reasonable, but the important detail may be the unit price a product is being sold at. There isn’t enough staff in most organizations to be able to review what makes up those reported sales. But one unit sold at $1,000 vs. 1,000 units of the same product sold at $1 would be a detail you would probably want to know, on an exception basis.
• The trending of unit price or volume also can be monitored on a continuous basis, providing valuable predictive intelligence to management.