With great trepidation I’m stepping into the Continuous Control Monitoring debate.
In March, Gartner issued its “Magic Quadrant for Continuous Controls Monitoring” report. Following the pattern of its Magic Quadrant reports, Gartner analyzes the CCM market and assesses the leading vendors in the space.
I don’t have the right to distribute the Gartner report. Among the sites where it is posted is the Approva web site at http://www.approva.net/.
I am accepting the report and its conclusions at face value. I am not endorsing or criticizing any vendors. I think the report is clear and compelling.
As long as I have been in the GRC field, Continuous Control Monitoring has been something of a holy grail for auditors. If I recall correctly, as a CAE I authorized the purchase of ACL for my audit staff back in the mid-1980s. The theory was, I recall, that if we had early warning of control failure we could fix the problems before they grew. (Thinking about it now, it’s kind of like saying that if we had good speedometers in our cars, we wouldn’t speed.)
Control Monitoring was even the subject of a COSO report (COSO Guidance on Monitoring Internal Control Systems) in 2009. I have not seen clients jumping to implement that report’s recommendations either. An earlier blog post states my opinion of that study.
Let me quote the section of Gartner’s report that caught my attention: “The CCM market is relatively small and immature.” More particularly, Gartner reports that the market penetration for CCM products designed to monitor ERP and financial application transaction information to improve performance and automate audit processes is estimated to be 10%.
In the year 2010, given the financial crises we have experienced, this is incredibly low.
My question is this: why is market penetration for CCM not 90%? What is blocking the implementation and maturation of CCM technology?
Is it because companies do not rely on automated systems to process transactions? In other words, is it because there is nothing to continuously monitor? The answer to that must be no; businesses today are highly automated, and relevant information is certainly available for monitoring using CCM.
Is it because the current CCM technology doesn’t work? Gartner has listed only a few players in the coveted Magic Quadrant (and that is surprising as well), but it rates most of the CCM vendors I am familiar with at or near the “Ability to Execute” threshold. To varying degrees, the technology does work. I have seen it work. It is possible to monitor certain controls continuously, and some people do so.
Is it because the market is saying rather resoundingly “we don’t want or don’t need CCM”? The environment exists to use CCM. Adequate CCM technology exists and, to varying degrees, works. Clearly we have control failures, some of them massive and devastating. But CCM is not penetrating the market. Is it because management already has a good handle on the state of controls and doesn’t need more help?
Is it because we are using the technology to do the wrong thing? Is there something more useful to look at than controls?
I have some suspicions as to the answer to some of these questions. And I have some thoughts about what to do.
But before I share them, I want to hear from you. I’d like to hear some success stories about CCM; I know there are some. I’d like to hear experiences from people who have looked at and rejected CCM. I’d like to hear alternatives to CCM. I’ll hold off offering my insights until I hear a few stories and experiences from you.
Please respond with a comment.
Bruce,
A good article asking some great questions. Let me too step in with a bit of trepidation. Why aren’t more on the CCM band-wagon? It’s my personal belief that many out there today just don’t believe that monitoring controls is either a.) necessary (head in the sand syndrome) or b.) their responsibility. Some don’t even have it on their radar. I’ve heard that some don’t embark on CCM because they don’t want the extra work load to deal with issues that arise!
I do believe, however, that the use of data analysis technology to evaluate the operating effectiveness of internal controls on a repetitive/continual basis is far more widespread than many believe. The space defined by Gartner is quite broad. It includes a number of technologies that have different approaches to how controls are monitored: CCM-SOD, CCM-T, CCM-MD, CCM-AC. True, some of these technologies are relatively new to the market (read “immature”). But others, like ACL, have been around for more than 20 years. Over the past several years, hundreds of ACL customers have deployed CCM-T solutions, most often championed by Internal Audit leaders as a means to provide greater insight into the quality and transparency of business transactions in discrete areas. It isn’t organization-wide CCM, or continuous monitoring of their entire ERP system, but it is happening. I think those that are doing CCM-T are the ones who are striving for higher quality assurance (in audit and in management) and are likely the sort of organization that would also see the great value in technology-based solutions such as yours and mine.
Could this article be used as reference on a newsletter?
Many thanks,
Bernardo.