The financial services industry is experiencing seismic change with increased regulation, coupled with customer expectation for services to be delivered faster. Unfortunately, the shorter the customer journey, the less time is available to detect irregularities which may indicate fraud. Therefore, the objective is to identify potential issues as early as possible to allow corrective action. Continuous monitoring and auditing make effective use of data within an organisation to achieve this objective.
Companies undertake audits periodically to satisfy regulatory requirements or to adhere to internal policies. With vast amounts of data available in a multitude of different systems throughout an organisation, data can be collected and processed daily or in real time, with dashboards and reports giving auditors the detail they need to verify the level of compliance. Where the data indicates that one or more processes have failed, the business can take corrective action.
Problems identified during official audits undertaken by regulators and authorities can have serious consequences such as revocation of licences or imposed financial sanctions. The following three lines of defence mitigate this risk:
- Departmental monitoring and auditing – performed within the department to check its adherence to standards and procedures, including other monitoring that forms part of standard processes, such as security monitoring and fraud detection.
- Internal audit – undertaken by an internal team that looks at the business. Results from internal audits influence the creation and adaptation of standards, procedures and controls to strengthen and protect the company.
- External audits – as with internal audit, the results influence standards, procedures and controls. However, external audits can be statutory or voluntary, and undertaken by a third party.
With traditional auditing, controls are identified manually, performed cyclically (such as every six months or annually, depending on the risks), and assessed and tested based on a sample of data. With continuous auditing, the process is automated, repeatable and provides greater insight into potential threats.
- The more data sources available, the greater the reporting capability. Every new data point adds an extra dimension of reporting and insight.
- Continuous monitoring, auditing and exception reporting will increase operational efficiency and reduce risks
- Data sources can be used efficiently with ad hoc reporting to support audit activities and quickly investigate specific incidents
- Ad hoc reporting can be adapted to become part of continuous monitoring and auditing activities
- Data can be analysed to identify potential problems and determine where standards and procedures are missing
Robert is an information security consultant with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through LinkedIn.