The monitoring of companies with regard to the regularity of financial reporting and risks that pose a danger to the ongoing existence of the company is one of the statutory duties of the boards of directors and managing directors of large corporations. The size and complexity of globally operating companies presents management with the problem of effective and structured monitoring of the entire company. Find out more about the concept of Continuous Business Monitoring in this blog post.
In addition to the members of the Management Board and managing directors, the Supervisory Board is also legally obliged to supervise the management of the company. Particularly in view of the past financial crisis in 2008, the feasibility and effectiveness of the Supervisory Board’s control over the management of the company is currently the subject of intense public debate. This article provides an overview of the possibility of continuous business monitoring by automating audit services as a response to the control obligations described above. It is assumed that business processes are largely handled by supporting information technology (Enterprise Resource Planning systems) and that monitoring these systems therefore efficiently covers a significant part of the control obligations. The article describes how such monitoring can be carried out, what the target groups for such monitoring are within a company and for which companies it is relevant. The audit services described above are particularly relevant for consulting services provided by auditing firms.
This blog post describes a framework for the monitoring and control of businesses. The main motivation for taking an interest in the topic can be derived from past compliance and accounting scandals, such as those that have occurred, for example, at Enron, Worldcom or Siemens in the recent past. Due to the high level of integration of business processes and information systems, an efficient IT-supported approach to monitoring is being developed. This efficiency is achieved by a high degree of automation, as the data already available in the company’s Enterprise Resource Planning systems (ERP systems) can be evaluated and prepared with regard to control functions. The framework presented here is referred to as “Continuous Business Monitoring” in what follows, since the aim is to achieve a state of affairs where IT systems perform auditing functions on a continuous basis. Of course, not all monitoring functions in a company can be covered by IT-based methods. Manual control procedures and the work of Internal Audit can never be completely replaced. However, a continuous IT-supported monitoring system can perform a significant part of monitoring tasks. The blog post answers the following questions:
- How can Continuous Business Monitoring (CBM) be defined?
- What are the legal and business motives for using CBM?
- What are the benefits of CBM for the parties involved?
- For which companies is CBM relevant?
- How can a CBM system be set up and what components does it consist of?
Definition of Continuous Business Monitoring (CBM)
Before we look at the topic of CBM in more detail, we first need to define it. A brief definition of the concept can be proposed as follows: “Continuous business monitoring is a management instrument for the continuous, IT-supported control and monitoring of processes taking place within the company. It is based on (partially) automated, structured analyses of the data available in the company’s information systems. By automating the analyses, analysis cycles can be repeated as frequently as one wishes, enabling continuous control and monitoring of business processes. This means that the status of the processes under consideration can be determined almost in real time. Continuous business monitoring extends from the identification of monitoring points to the implementation of analyses and the interpretation of results, as well as the derivation and implementation of suitable measures “(see also [Co09], p. 72).
Motivations and justification for Continuous Business Monitoring
The motivations and justification for using CBM can be found in reasons of a legal and business nature. There are various points in German and international law that require that the parties involved carry out checks:
|Section 91 (2) of the German Stock Corporation Act [Aktiengesetz – AktG]Addressee: Management||Early identification of risks that could jeopardize the continued existence of the company as a management task[Early risk warning system] [Lü98, pp. 8-14]|
|Section 238 of the German Commercial Code [Handelsgesetzbuch – HGB] in conjunction with Sections 140 – 148 of the Fiscal Code of Germany [Abgabenordnung – AO],Principles of proper IT-supportedaccounting systems [Grundsätze ordnungsmäßiger DV-gestützter Buchführungssysteme – GoBS][Go95, subsection 4],Addressee: Management||Compliance with and assurance of the regularity of financial reporting|
|Sarbanes-Oxley Act [SOX], Sections 404 and 302,Addressee: Management||Installation & Testing, Internal Control System [SR07, p. 44]|
|Section 25a para. 1 of the German Banking Act [Gesetz über das Kreditwesen – KWG],Addressee: Management||Internal control system for banks|
|Section 111 of the German Stock Corporation Act [Aktiengesetz – AktG],Addressee: Supervisory Board||Control of management by the Supervisory Board|
|Section 107 para. 3 sentence 2 of the German Act on the Modernization of Accounting Law [AktG-E (Gesetz zur Modernisierung des Bilanzrechts – BilMog),Addressee: Supervisory Board||Possibilities of control by the Supervisory Board|
Table 1: Legal provisions relating to control obligations
Here, we will discuss the position of the Supervisory Board in particular. According to Section 111 of the German Stock Corporation Act (AktG), one quite problematic control function has been transferred to the supervisory boards of stock corporations. They thus are obliged to control management. This monitoring function is difficult to perform insofar as supervisory boards do not necessarily work in the company to be monitored and they lack the detailed information they need to perform monitoring. Furthermore, in the context of the draft of the Act on the Modernization of Accounting Law (BilMog), the German legislator specifies the supervisory function of the Supervisory Board, which underscores the increasing importance of this control function. Section 107 para. 3 sentence 2 of the updated draft of German Stock Corporation Act clarifies the possibilities open to the Supervisory Board by granting the possibility of setting up an audit committee. Jurisprudence requires not only the establishment of a risk management system in accordance with Section 92 para. 2 of the German Stock Corporation Act (AktG), but also its documentation and, for these reasons if nothing else, the method of CBM used in combination with a correspondingly high level of aggregation in the presentation of results should be of interest to Supervisory Board members. Furthermore, the methodology of monitoring by CBM always delivers results on time and is thus able to meet supervisory boards’ sometimes rather on-the-spot needs for information. There are however not only legal obligations which provide motivating reasons for the use of CBM. The following business reasons also speak in favor of using CBM:
- Increased integration of business processes in ERP systems (“digital tracking” of business processes).
- Substitution of manual control actions by system controls, thus saving time and money.
- Significant increase in monitoring frequency (near real-time) / Low variable costs of monitoring.
Benefits of Continuous Business Monitoring
The benefits of CBM for those involved in the monitoring process can be outlined as follows. For the CFO:
- Increased degree of structuring of the internal control system.
- Automated monitoring saves costs and time in terms of control measures.
- Reduction of management testing in Sarbanes-Oxley (SOX) companies through automation (for management testing see [PC04, subsection 40]).
- Reduction of the auditor’s workload and thus a reduction in the audit fee, provided that the auditor supports the introduction of CBM during the project.
For the Head of Information Technology (CIO):
- Knowledge of compliant-relevant system settings (Customization).
- Transparency with regard to system changes to the internal control system.
- Defined system settings for all systems / possibility of harmonization of systems.
For internal auditing (see also [Br08]):
- Less cumbersome and time-consuming data processing.
- Concentration on core competences (testing) thanks to reduced workload due to automation.
- Higher-quality and more in-depth audit inspection tests
- Better communication of results of the audit inspections.
For External Auditors or the Auditor:
- More efficient auditing of the internal control system.
- Greater reliability of the internal control system, since internal controls are built into the system.
For the Board of Directors:
- Highly aggregated reporting enables Supervisory Boards to assess the control system.
- Real-time monitoring capability.
- Comparison of key monitoring figures over time.
Drivers for the implementation of Continuous Business Monitoring
Now that we have presented the benefits of CBM, we should examine for which companies the concept can be relevant. The implementation of CBM should be seen as an investment. In this respect, an amount of investment must first be estimated for the implementation, which will be amortized in following years thanks to the cost savings achieved. It is possible to identify a certain set of technical and economic drivers that may or may not support the implementation of CBM. Technical drivers for the implementation of CBM [Ne03] include:
- Low number of systems (number of installations)
- Homogeneity of the application landscape (number of different manufacturers)
- High degree of integration of business processes through applications
- Degree of integration between applications; media disruptions
- Size of the relevant systems (number of users) / High degree of division of labor.
Economic drivers for CBM include:
- High degree of publicity for the company (e.g. DAX companies)
- High number of subsidiaries / High complexity of monitoring
In the next blog post on Continuous Business Monitoring, we will present the different components of a CBM system, a procedure for implementing CBM and some examples of applications. The complete scientific paper will also be available for download.
First published in: Gehrke, N.: Zur Automatisierung von Revisionsdienstleistungen zwecks Unternehmensüberwachung – Ein Überblick, Lecture Notes in Informatics, Proceedings der Jahrestagung Informatik 2009, Lübeck, 2009
[Br08] Brennan, G.: Continuous Auditing Comes of Age, in: Information Systems Control Journal 2008, Vol. 1.
[Co09] Coderre, D. G: Internal audit. Efficiency through automation. Hoboken, NJ: Wiley, 2009.
[Go95] Bundesministerium der Finanzen: Grundsätze ordnungsmäßiger DV-gestützter Buchführungssysteme (GoBS), 7. November 1995 – IV A 8 – S 0316 – 52/95- BStBl 1995 I S. 738, 1995.
[Lü98] Lück, W.: Elemente eines Risiko-Managementsystems, DB vom 09.01.1998, Heft 01/02, Seite 8-14, 1998.
[Ne03] Nehmer , R.: Continuous Audits: Taking the Plunge, in: Information Systems Control Journal 2003, Vol. 1., 2003.
[PC04] PCAOB, Auditing Standard No. 2 – An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements, 2004, Nachfolgeversion: 2008.
[SR07] Status: Law of 26/01/2007, Book 02, pp. 44-44, 2007.