Often a staple within external fraud and compliance operations, continuous control monitoring is fast becoming a key element for internal audit, compliance, and risk management processes within financial institutions.
New regulations, the rise of big data, growing transaction volumes, and tighter internal/external reporting requirements are driving this shift. Yet it’s the demand for cost savings, operational efficiency, and better resource utilization that is defining exactly how improved control monitoring will take shape. Above all, it prioritizes automation, data management, and intelligent decision-making abilities.
Defining internal continuous control monitoring
The practice of continuous control monitoring entails:
- The identification and creation of key controls within an organization, which will need to be tested and measured
- The automatic, continuous sourcing of data from a wide variety of internal/external sources across the business
- Continuous tracking and validation of actions against pre-defined benchmarks and metrics, such as Control Tests, Key Performance Indicators (KPIs), or Key Risk Indicators (KRIs)
- Creation of issues and associated action plans based on pre-defined business rules and their associated violations
Over the past few years, the application of continuous control monitoring primarily took place within external trade/transaction fraud and risk management processes. However, the latest wave of regulation is casting a spotlight on the level of control and monitoring that institutions apply to their internal processes. Not only are regulations becoming more complex, but there are more of them for compliance, risk, and audit managers to follow.
Additionally, the days of being able to stand behind a "random sampling" of data as evidence of compliance appears to be disappearing, replaced by a stringent requirement to assess and analyze all available data elements.
Why automation matters
Addressing these internal requirements with resources currently at hand is taxing for financial institutions. It’s little wonder then that many major consultancies are reporting a focus on internal controls as a top operational priority for banks in 2014.
Without continuous control monitoring, internal auditors face a cumbersome process, which, at a minimum, entails:
- Manually extracting data from the system(s) that handled the transaction or process
- Pulling up a database of authorized users to cross-reference the transaction data against
- Verifying that the transaction/process fits within pre-authorized limits
- Deciding whether any remediation is needed and who it will be handled by
- Ensuring that remediation activity is being carried out
The first step in the process alone -- data collection -- presents its own set of challenges. In addition to the sheer volume of data being created, there’s the issue of knowing where to pull data from, getting it from a variety of sources in a common format, and having tools to analyze it. The inability to use this data also means that financial institutions are missing out on the potential value it can unlock for the business.
Automation addresses many of these issues. Yet, timing is just as critical. Monitoring that is done after trades are executed denies firms the ability to react to potential problems and stop them before they happen. Continuous control monitoring must be, as the name implies, taking place in real-time to achieve the maximum impact. A continuous control monitoring solution that ties into live transactional data will allow real-time results and warnings to be generated to help avoid as many negative cases as possible.
Identifying events is just half the battle -- they need to be addressed as well. Issue and action tracking mechanisms are essential for ensuring that remedial activities are seen through. A continuous-control monitoring framework will ensure that actions are automatically created and assigned to the responsible party for review and remediation. In addition, action plans can verify whether there were any additional errors or problems along the way and that they were dealt with and tracked to completion in order to strengthen the environment going forward.
The case for internal continuous control monitoring is a solid one. Yet in their current state, many internal auditing, risk management, and compliance processes are not nimble enough to manage the thousands, if not millions, of transactions that financial institutions handle daily.
Going far and wide
In light of this, firms are recognizing the need to give their internal processes the same level of automation, control, and efficiency that they have put into place for external processes. This is encompassing a wide variety of internal processes.
On the transaction side, for example, the use of continuous monitoring in overdraft management and control is helping reduce credit risk. Here, data is automatically sourced from internal/external transaction databases, translated into a common language and matched to credit limits. Once a decision is made, an automated, rules-based process is triggered, where actions are instantly allocated and continuously tracked. As each activity is validated, a new action is set in motion until the process is complete and a resolution has been reached.
This process can be followed for a variety of transaction-related activities, including payment approvals, ACH/check processing, and trade confirmations.
Another less obvious but similarly important internal process that can benefit is AML training. It’s common for new employees at financial institutions to be required to undergo AML training courses within 45 to 60 days of their start date. Applied here, continuous monitoring can automatically extract data from employee databases and training records, match hire dates with course dates, and, if an issue arises, alert senior managers to the event while assigning next steps.
In all cases, the benefits are identical:
- Information is automatically pulled and summarized for users, saving time.
- All data is considered, not just a sample, thus providing better coverage.
- Risk/audit/compliance managers can more quickly uncover suspicious/risky activity.
- Senior management has clear insight into the status and resolution of a risk/audit activity as well as the overall performance of its teams.
- Results can be measured against KPIs/KRIs, which can uncover wider gaps and deficiencies within the overall risk/audit/compliance process.
- Violations can be communicated to people immediately and remediation activities automatically createdi.
- Warnings can be communicated to avoid improper activity prior to it actually happening.
As oversight and scrutiny of operations have intensified, financial institutions are expected to place the same rigorous controls on their internal activities as they do on their trading business. Continuous control monitoring provides the ability to define the necessary controls, extract and analyze data continuously, create alerts and warnings, and provide the remediation tracking tools required for today’s complex and increasingly regulated markets.Dave Pinder is a Vice President at Dion Global Solutions. He has over 10 years' experience in Governance, Risk and Compliance and has worked closely with major North America financial institutions to address internal audit lifecycle and issues lifecycle management ... View Full Bio