The financial services industry is experiencing seismic change with increased regulation coupled with customer expectation for services to be delivered faster. Unfortunately, the shorter the customer journey, the less time is available to detect irregularities which may indicate that fraud is being perpetrated. Therefore, the objective is to detect potential issues as early as possible and to allow corrective action to be taken. Continuous monitoring and auditing is about making effective use of data within an organisation to achieve this objective.
Audits are undertaken on a periodic basis to satisfy regulatory requirements or to adhere to internal policies. With vast amounts of data available in a multitude of different systems throughout an organisation, data can be collected and processed daily or in real time, with dashboards and report detail available for auditors to verify the level of compliance. Where the data indicates that one or more processes have failed, corrective action can be taken.
Problems identified during official audits undertaken by regulators and authorities can have serious consequences, such as licences being revoked or substantial financial sanctions being imposed. Having additional lines of defence mitigates this risk:
- Departmental monitoring and auditing – performed within the department, checking its own adherence to standards and procedures. This includes other monitoring which forms part of standard operating procedures, such as security monitoring and fraud detection.
- Internal audits – undertaken by an internal team that looks at the entire business. Results from internal audits influence how and what new standards, procedures and controls are created to strengthen and protect the business.
- External audits – as with internal audit, the results will influence how and what new standards, procedures and controls are implemented. External audits can be statutory or voluntary but are undertaken by a third party.
With traditional auditing, the controls to be audited are identified manually, audited cyclically (such as every six months or annually, depending on the risks), and assessed and tested based on a sample of data. With continuous auditing, the process is automated and repeatable, and it provides greater insight into potential risks.
- The more data sources available, the greater the reporting capability. Every new data point adds an extra dimension of reporting and insight.
- Continuous monitoring, auditing and exception reporting will increase operational efficiency and reduce risks.
- Data sources can be used efficiently with ad hoc reporting to support audit activities and quickly investigate specific incidents.
- Ad hoc reporting can be adapted to become part of continuous monitoring and auditing activities.
- Data can be analysed to identify potential problems and determine where standards and procedures are missing.
Information security consultant with over 20 years’ extensive experience gained across a diverse range of private and public industry sectors including insurance, banking, telecommunications, health services, charities and more, both in the UK and internationally. Graduated in 1997 with a software engineering degree, specialising in cyber security, risk analysis, compliance reporting and access management.