VideoInternal auditors are used to walking fine lines, but championing a "continuous controls monitoring" program requires extra balancing skill. That's because designing controls, such as those aimed at preventing financial fraud, is typically defined as an activity performed by company management or business units. And under internal auditing standards, internal audit departments must be independent from management.
But that doesn't mean internal auditors can't have any role in CCM, an automated process of examining 100% of transactions that are subject to any particular control being tested. "We can't help [management] design controls or tell them that a control is the right one to have in place, but we can help them monitor it," says Mary Ann Tourney, director of internal audit for Talecris Biotherapeutics, a $1.4 billion provider of injectionable medical treatments. "We don't troubleshoot what goes wrong; we send them a note saying, here's what came out of testing, can you please explain it?"
Tourney has been providing a lot of that help, using off-the-shelf tools from ACL Services, one of the largest vendors of audit, finance, and compliance technology. The Talecris CCM program — the subject of a recent case study by the Center for Continuous Auditing at Rutgers University Business School — was launched in 2007 as the company got going on an effort to do an initial public offering. The need for strong internal controls is heightened at public companies, of course, because of the Sarbanes-Oxley requirement that external auditors attest to the soundness of the controls.
The IPO finally happened just over a month ago, on October 1, four and a half years after the company was founded when private investors purchased the plasma business of Bayer Biological Products, a unit of Bayer Health Care. By then Talecris had implemented five of ACL's six CCM modules: Purchase to Payment, Purchasing Card, Travel and Entertainment, General Ledger, and Payroll. Installation of the final module, Order to Pay (for monitoring controls over receivables), was at press time slated to be completed soon.
It was Tourney, who was familiar with ACL from prior jobs, who selected the technology for continuous auditing and also recommended it to management for continuous controls monitoring. Those two processes observe essentially the same data sets; the difference between "monitoring" and "auditing" is subtle and lies mostly in who has ownership of the process and its purpose, she notes.
In the former case, management designs controls in order to fulfill a fiduciary and regulatory obligation and win an attestation to the effectiveness of the controls from its external auditors. Internal audit departments, meanwhile, conduct their audits to actually root out fraud and error in high-risk transactional areas. "Our technology tool is powerful enough to kill the two birds with one stone," says Tourney. "But we control the program in internal audit so the parameters of the tests don't get changed without our knowledge."
All Together Now
Miklos Vasarhelyi, a Rutgers professor and co-author of the case study, says he became interested in the Talecris program because he wanted to see how a CCM program worked using prepackaged software tools. The school's Center for Continuous Auditing had previously written code tailored for continuous auditing and monitoring programs at specific companies it worked with, including Siemens Financial Services, HCA Corp., and MetLife.
But as Vasarhelyi observed the program in action, he also became very interested in what he saw as a high degree of end-user involvement in the software implementation. It's not surprising, he says, that an internal audit department would drive the use of tools to improve auditing and controls monitoring. But at Talecris, people from organizations across the company displayed an "impressive" level of ownership over the application. "I don't know if that was just Talecris, or whether any company might do that, but I want to study it further," the professor says.
Tourney says the results of the business units' close involvement in the program have been "a greater focus by management on controls, an increase in dialogue on controls, and internal audit being treated more as a business partner and less as a police force."
Both those and other benefits of the program are either purely qualitative or their impact on the bottom line cannot be quantified, according to both Tourney and Vasarhelyi. Those benefits include, for example, elimination of 88,000 inactive vendors from the company's vendor database, new limits on the use of procurement cards, and recording with purchase orders $12 million worth of purchases that previously had not been recorded as such.
"My difficulty in giving [bottom-line] numbers is that there were so many moving parts," says Tourney. "There were a lot of people, not just internal audit, working on a lot of projects concurrently." She also declines to say how much Talecris has spent on the software.
For his part, Vasarhelyi says that what can be expected to result from a continuous monitoring or auditing program is "basically a lot of quality improvement that will eventually make for better client service and give you more reliable numbers and fewer errors. But those things are very difficult to quantify, and I find it a bit flaky to try to do too much quantification."
Reader Comments» Post a comment