Continuous Monitoring for Corporate Card Compliance
April 20, 2014
For about half a decade in the early 2000s, I was responsible for Credit Card Acquisition strategies at Bank of America. My responsibilities included assessing and approving requests for consumer and corporate card applications, while evaluating and implementing proposals for fraud prevention. These were very exciting times and I saw first-hand the convenience provided by credit cards.
However, the benefits and cost synergies created by empowering employees to make direct purchases can also pose new risks. These risks, if not monitored properly, can lead to considerable monetary losses and a culture conducive to fraudulent behavior.
One of the keys to a successful corporate card program is performing ongoing assessments. More often than not, I find companies do this using Excel or Access, which can be tedious and inefficient. Also, some applications produce reports, but these reports may not factor in other data sources that interact with the Purchasing Card process, such as HR, Payables, Travel and Expense, etc.
Continuous Monitoring can help provide organizations with an ongoing assessment of their P-Card process while providing key insights. Here is a list of key Continuous Controls Monitoring (CCM) capabilities:
1. Analyze 100% of data from disparate sources
Critical business controls extend across multiple application systems and databases. For example, looking at a possible conflict of interest would require data from the purchasing system and the HR system. So it is important that the CCM solution is able to take data from all these sources with relative ease.
2. Automate detection of non-compliant activities
The CCM solution should allow business stakeholders to gain insights about non-compliant activities without engaging in any laborious manual process. The detection process should be ongoing and automated.
3. Automate resolution process via dynamic workflow
Resolving control failures should not be perceived by the business as another job or the CCM is likely to fail. The best approach is to create automated remediation workflows that mirror the day-to-day operations of the business. The CCM solution should allow the customer to create any remediation workflow consisting of follow-ups, resolution guidelines, escalation paths, metrics, etc. and the ability to add supporting documentation.
4. Facilitate collaboration for data analysts and business users
There is often a misconception that a CCM solution is only about finding what went wrong, but the greater value is in being able to collaborate across the business and implement effective controls. The collaboration should not just be at the business level; it should also allow Data Analysts to collaborate while building the analytics that monitor the controls.
5. Pre-configured analytics for standard risk and controls
To accelerate the implementation and value added, the CCM vendor should provide pre-configured analytics content for common business processes. This allows customers to get up and running faster and start to demonstrate the ROI in a timely fashion. The analytics performed by CCM solutions should have functionality geared to finding control deficiencies and should accelerate the customer's ability to detect and manage these anomalies.
6. Allow the user to create new and continuous analytics
While most vendors provide a standard package of analytics for common processes such as P-Cards, P2P, T&E, etc., there is also a need to expand that catalog and implement controls unique to the company. Comprehensive risk and controls assessment workshops with the key individuals are vital in creating tests that result in metrics relevant to your business. We recommend these workshops as the first step to implementing a successful CCM solution.
7. Capture intelligence from control deficiencies to facilitate root cause analysis
Addressing root cause is the only way to see major improvements in the effectiveness of internal controls. To achieve this, the CCM solution should not just report on deficiencies but also capture critical metrics at the source of the internal control failure. This includes why the control failed, what actions were taken, the impact on the business, etc.
8. Track metrics to demonstrate ROI
If a company can demonstrate that it detected $2M in duplicate payments and overpayments in a year, it should be able to calculate an ROI. The CCM should allow for the creation and tracking of all types of metrics.
9. Interoperable with the organization’s existing IT infrastructure and guidelines, data capture and analytics platforms
The CCM solution should also use read-only access so it does not interfere with the existing IT infrastructure, and the solution should rest behind the organization’s firewall, i.e., no data is taken off-site. Since most companies have already invested in some form of ETL, data warehouse, reporting tools, etc., the CCM should be able to leverage these investments as opposed to asking the company to replicate the infrastructure.
10. A single CCM portal with user managed dashboards and panels
There is significant value in having controls across several business processes monitored in a single platform. Coupled with the tagging of the controls by geography, divisions, departments, etc., this creates great insights into which business units and processes have effective internal controls.
For example, you could have major breakdowns in controls in 6 of 10 locations. Comparing the processes in the other 4 will yield improvements. Today, every user is accustomed to seeing results visualized, and users want the ability to make them relevant to themselves. The CCM should provide proper dashboards and panels for the user to see trends and be able to drill into them for details.
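The cross-source check described under capabilities 1 and 2 can be illustrated with a short Python example, added here and not taken from the original article or from any CCM product. It joins P-Card transactions against HR records to flag a possible conflict of interest and also flags possible duplicate payments; the records, field names, and both matching rules (vendor address equal to an employee address; same card, vendor, date and amount) are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records; field names are assumptions for illustration.
HR_EMPLOYEES = [
    {"emp_id": "E100", "name": "A. Rivera", "address": "12 Oak St., Springfield"},
    {"emp_id": "E200", "name": "B. Chen", "address": "99 Pine Ave, Shelbyville"},
]
PCARD_TXNS = [
    {"txn_id": "T1", "emp_id": "E200", "vendor": "Oak Consulting",
     "vendor_address": "12 OAK ST SPRINGFIELD", "date": "2014-03-03", "amount": 4800.00},
    {"txn_id": "T2", "emp_id": "E200", "vendor": "Office Mart",
     "vendor_address": "1 Retail Way, Capital City", "date": "2014-03-10", "amount": 212.40},
    {"txn_id": "T3", "emp_id": "E100", "vendor": "Acme Supplies",
     "vendor_address": "5 Mill Rd, Springfield", "date": "2014-03-11", "amount": 950.00},
    {"txn_id": "T4", "emp_id": "E100", "vendor": "ACME Supplies",
     "vendor_address": "5 Mill Rd, Springfield", "date": "2014-03-11", "amount": 950.00},
]


def norm(addr):
    """Case-fold and strip punctuation so formatting differences do not hide a match."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split())


def find_exceptions(employees, txns):
    """Return (txn_id, rule, detail) for every transaction that fails a control test."""
    emp_by_addr = {norm(e["address"]): e["emp_id"] for e in employees}  # HR side of the join
    seen = defaultdict(list)  # duplicate key -> earlier txn_ids
    exceptions = []
    for t in txns:
        # Rule 1 (assumed): vendor shares an address with an employee on file.
        owner = emp_by_addr.get(norm(t["vendor_address"]))
        if owner:
            exceptions.append((t["txn_id"], "CONFLICT_OF_INTEREST",
                               f"vendor address matches employee {owner}"))
        # Rule 2 (assumed): same card holder, vendor, date and amount seen before.
        key = (t["emp_id"], t["vendor"].lower(), t["date"], t["amount"])
        if seen[key]:
            exceptions.append((t["txn_id"], "POSSIBLE_DUPLICATE",
                               f"same card, vendor, date and amount as {seen[key][0]}"))
        seen[key].append(t["txn_id"])
    return exceptions


if __name__ == "__main__":
    for exc in find_exceptions(HR_EMPLOYEES, PCARD_TXNS):
        print(*exc, sep=" | ")
```

Run on a schedule against read-only extracts, the returned tuples are the exception records that a remediation workflow would pick up.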