Applying Continuous Controls Monitoring for achieving compliance and business improvement: Continuous Controls Monitoring has emerged as a solution that organizations can use to automate repetitive, time-consuming tasks to reduce compliance costs. It can simultaneously improve coverage and ensure the timeliness of reporting.

Author: Huffman, Arnold
Position: Compliance

With most companies having met their initial deadlines for Sarbanes-Oxley Section 404 compliance, they are deep into the even more challenging task of institutionalizing their compliance programs. For many, this aspect of their implementation process will be daunting. As they recognize the implications and requirements for maintaining compliance, Continuous Controls Monitoring (CCM) has emerged as a key approach for meeting this critical objective.

What makes CCM intriguing--beyond its being a comprehensive solution for Sarbanes-Oxley compliance and other regulatory requirements--is its potential to deliver significant business process improvements as well.

In charting the steps for achieving long-term compliance with Sarbanes-Oxley, it is important to remember how far companies have come since the law was enacted in 2002. Led by armies of auditors, most enterprises have made significant strides mapping their financial processes, identifying potentially "at risk" procedures and documenting the control points necessary to ensure compliance. Through these efforts, enterprises have been able to avoid the most draconian predictions of compliance failure; most were able to achieve this milestone with minimal disruption to their operations.

However, the process has not been a complete success. The extensive resources needed to manually test and assess compliance control points have resulted in significant cost burdens for most. According to a Financial Executives International (FEI) March 2005 survey, the total cost for ensuring year-one compliance with Sarbanes-Oxley Section 404 averaged $4.36 million per company.

Despite the expenditures for auditors and other support services and infrastructure, many CFOs still lack complete confidence in their ability to pass subsequent testing. In reality, few have the resources needed to fully assess the status of their internal controls on a regular basis; instead, they are often more reliant on random "spot-testing" of control points for assurance. The initial attempts to comply with the Act underscore the fact that manual monitoring, analysis and evaluation of internal controls is labor-intensive and costly and often fails to flag issues in time for corrective action.

John Hagerty, an analyst at AMR Research who focuses on enterprise risk management and compliance, summed up the situation, declaring that "making compliance repeatable, sustainable and cost-effective must become the...
