Internal auditors are used to walking fine lines, but championing a “continuous controls monitoring” program requires extra balancing skill. That’s because designing controls, such as those aimed at preventing financial fraud, is typically defined as an activity performed by company management or business units. And under internal auditing standards, internal audit departments must be independent from management.
But that doesn’t mean internal auditors can’t have any role in CCM, an automated process of examining 100% of transactions that are subject to any particular control being tested. “We can’t help [management] design controls or tell them that a control is the right one to have in place, but we can help them monitor it,” says Mary Ann Tourney, director of internal audit for Talecris Biotherapeutics, a $1.4 billion provider of injectable medical treatments. “We don’t troubleshoot what goes wrong; we send them a note saying, here’s what came out of testing, can you please explain it?”
Tourney has been providing a lot of that help, using off-the-shelf tools from ACL Services, one of the largest vendors of audit, finance, and compliance technology. The Talecris CCM program — the subject of a recent case study by the Center for Continuous Auditing at Rutgers University Business School — was launched in 2007 as the company began working toward an initial public offering. The need for strong internal controls is heightened at public companies, of course, because of the Sarbanes-Oxley requirement that external auditors attest to the soundness of the controls.
The IPO finally happened just over a month ago, on October 1, four and a half years after the company was founded when private investors purchased the plasma business of Bayer Biological Products, a unit of Bayer Health Care. By then Talecris had implemented five of ACL’s six CCM modules: Purchase to Payment, Purchasing Card, Travel and Entertainment, General Ledger, and Payroll. Installation of the final module, Order to Pay (for monitoring controls over receivables), was at press time slated to be completed soon.
Tourney, who was familiar with ACL from prior jobs, selected the technology for continuous auditing and also recommended it to management for continuous controls monitoring. Those two processes observe essentially the same data sets; the difference between “monitoring” and “auditing” is subtle and lies mostly in who has ownership of the process and its purpose, she notes.
In the former case, management designs controls in order to fulfill a fiduciary and regulatory obligation and win an attestation to the effectiveness of the controls from its external auditors. Internal audit departments, meanwhile, conduct their audits to actually root out fraud and error in high-risk transactional areas. “Our technology tool is powerful enough to kill the two birds with one stone,” says Tourney. “But we control the program in internal audit so the parameters of the tests don’t get changed without our knowledge.”
All Together Now
Miklos Vasarhelyi, a Rutgers professor and co-author of the case study, says he became interested in the Talecris program because he wanted to see how a CCM program worked using prepackaged software tools. The school’s Center for Continuous Auditing had previously written code tailored for continuous auditing and monitoring programs at specific companies it worked with, including Siemens Financial Services, HCA Corp., and MetLife.