CONTINUOUS CONTROL MONITORING
A recent global fraud study indicated 50 percent of fraud cases are related to corruption
within the sales and procurement function with average losses of $1 million. Many firms
currently implement hotlines for employees to report suspicious activities, have a company-wide
code of conduct, and receive external and internal audit support to help detect indicators of fraud.
However, a new trend is taking shape: firms increasingly recognize that technology can
automate and monitor controls to further reduce operational and financial risk. This
presentation focuses on the growing attention that commercial and public entities in
Central and Eastern Europe are paying to improving internal controls and addressing the
potential for procurement fraud.
ZACHARY ROSEN, CFE, CIA
Manager, Enterprise Risk Services
Deloitte Advisory S.R.O.
Prague, Czech Republic
Zachary Rosen is Manager of Forensic Services at Deloitte Advisory in Prague, Czech
Republic. He is responsible for conducting fraud investigations, risk assessments and client
corporate training whilst implementing anti-fraud and ethical compliance programs. His 15+
years of expertise include accounting, IT and operational audits, corporate finance, and
operations management for multinational firms in the United States, Europe, and Russia.
Zachary has worked on several notable projects, including Sarbanes-Oxley (SOX) 404
implementation for the largest U.S. mortgage lender, assisting management with process review
and improvement of internal controls. He acted as regional controller and auditor for a
multinational consulting firm regularly conducting contract procurement and financial statement
audits in Africa, Russia and the former CIS. His industry-related experience includes two years
in sales, operations, and managerial roles for a multinational chemical distribution and
manufacturing firm in the United States.
Zachary holds a master's degree in accounting and fraud investigation from Florida Atlantic
University and a master's of business administration from Case Western Reserve University.
He is Cofounder and President of the Association of Certified Fraud Examiners (ACFE) Czech
Republic Chapter. He is a Certified Fraud Examiner (CFE), a Certified Internal Auditor (CIA),
and a CPA candidate (2011).
“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the
ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of
this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without
the prior consent of the author.
2012 ACFE European Fraud Conference
©2012
CONTINUOUS CONTROL MONITORING
Introduction
A recent global fraud study indicated that 50 percent of fraud
cases in the private sector are related to corruption within
the sales and procurement functions, with average losses in
excess of $1 million. Many firms implement hotlines for
employees to report suspicious activities, have a company-wide
code of conduct, and receive external and internal audit
support to help detect the indicators of fraud.
On a macro level, fraud and corruption in public
procurement is a major problem. A recent World Bank
study estimates public procurement at approximately
15–20 percent of a country's GDP and 45 percent of
government spending, with worldwide losses close to
$1 trillion and corruption affecting an estimated 20–30
percent of cases. All phases of the procurement process,
from planning through tender to contract administration,
are susceptible to fraudulent activity.
International and local frameworks have been put into place
focusing on international cooperation, technical assistance,
accountability and proper management of public affairs and
property. The United Nations Convention against
Corruption (UNCAC) also provides an international
framework for public tender processes. In Eastern Europe,
business communities continue to advocate the fight
against procurement corruption as is the case in the Czech
and Slovak Republics.
New Initiatives: Public and Private Procurement Monitoring
A new trend is taking shape in the public and private sectors
in Eastern Europe. Government e-procurement helps to
promote and establish greater transparency in tender
processes, with the goal of encouraging more businesses to
offer their services in a competitive manner. Within the
private sector, firms are steadily coming to recognize the
use of technology for automation and monitoring of
controls to further reduce operational and financial risks.
This session focuses on the following areas:
 Commonly used anti-fraud initiatives within public and
private procurement and their limitations in Eastern
Europe
 Increased utilization of government e-procurement as
well as implementation of new laws within the public
sector
 Continuous controls monitoring in the private sector for
better operational efficiencies, reduction of fraud risks,
increased shareholder value, and local regulatory
compliance
Public Procurement: Then and Now
Governments have limited financial resources to
support citizens with health and social services, national
security, and natural-disaster response. Procurement
spending can take up a sizable share of GDP and of the
government budget, particularly in Eastern Europe. In the
Czech and Slovak Republics, procurement spending as a
percentage of GDP ranges between 5 and 7 percent. In
terms of perceived transparency, both countries rank in
the top one-third of the 182 countries surveyed.
Nevertheless, corrupt practices remain very prevalent
throughout the region.
Both governments use various contract procurement
methods to purchase materials and services from vendors.
Public procurement contracts generally fall into two
types: fixed-price and cost-reimbursement.
Fixed-price contracts are used when an agreed-upon cost
for goods or services has been determined. From the
government's perspective, fixed-price contracts are
preferable because the contractor accepts more of the
risk: it must complete the work on time and within budget
to meet its profit-margin expectations. The contractor is
paid the agreed-upon amount regardless of the final costs
and therefore has an incentive to perform the work
efficiently and to control costs.
Cost-reimbursement contracts are suitable when
uncertainties exist about contract performance and costs
cannot be estimated reliably. A cost-reimbursement
contract leaves the government with more of the risk
because payments can increase if the contractor spends
more than initially projected. Such contracts are best used
when the contractor has an accounting system that can
attribute costs to the contract and the government reviews
not only performance but also the cost estimates used.
The procurement process usually begins with a
government request for the acquisition of goods or
services. The main procurement method used in both
countries is competitive (advertised) bidding, which is
used when the exact specifications of the product or
service required have been identified. When evaluating
bids, consideration is given to price and to other factors
set out in the initial government solicitation, such as
experience, past performance, project planning, or
methodological approach. In the competitive-bidding
process, requests for tender must specify the procurement
requirements clearly, accurately, and completely, and
there is no negotiation between the government and the
responding bidders. This method helps promote
competition, with fair consideration given to all bidders.
Bid-rigging schemes have occurred in both countries during
the last several years, discouraging potential vendors
from preparing for and participating in government tenders.
There have been many cases in which one vendor had
inside influence in the government or with procurement
employees who helped that vendor win contracts. In the
Czech and Slovak Republics, many of the bid-rigging
schemes have taken place during the pre-solicitation phase
through need-recognition and specification schemes, which
correspond to the ACFE's fraud classifications and are
frequently discussed by forensic, legal, and audit
professionals. In a need-recognition scheme, there is
usually a relationship between a government procurement
employee and a vendor in which the employee receives
something of value in return for recognizing a need for a
certain product or service. The outcome is that the
organization purchases unnecessary goods or services from
the supplier at the procurement employee's request. One
notable example in Eastern Europe involved a vendor's
participation in a medical procurement tender: respiratory
equipment was purchased from an international
manufacturer even though the government-subsidized
hospital already had an existing, working line of
equipment. The hospital thus procured more fixed assets
than it required and placed the existing line in storage.
In general, fraud indicators include requirements for
unusually high stock or equipment purchases, or an
employee trying to write off inventory to create a need
for new purchases.
In specification schemes, a contract has very specific
elements and requirements for completion of a project. In
general, specifications are prepared to assist vendors in the
bidding process by telling them what they are required to do.
One such scheme is the tailoring of specifications to a
particular vendor. Here, the vendor pays off an employee of
the buyer who is involved in preparing the contract
specifications; in return, the employee tailors the
specifications to that vendor's capabilities so that it has a
very high likelihood of winning the procurement. The
solicitation phase has also been problematic for potential
vendors in both countries. Fraudsters on the government
procurement side attempt to influence the selection of a
contractor by restricting the pool of competitors: to
increase a particular vendor's chance of winning a specific
job, a government procurement employee might receive
kickbacks to prevent other potential suppliers from
participating in the tender.
Public Procurement and the Czech Republic: Anti-Fraud Initiatives
The Czech government has been making progress in
fighting fraudulent procurement despite recent
scandals. For example, one scandal involved a defense
ministry tender to purchase military uniforms for
$450,000 amid accusations about the lack of tender
transparency and favoritism toward one vendor. Another
scandal, which drew international criticism, related to a
questionable deal to purchase armored personnel carriers
for three times the market price.
In 2006, the government introduced a national plan to
implement electronic procurement. Using the Internet,
potential bidders would be able to submit procurement
proposals electronically. The government set a goal of
having 50 percent of all tenders awarded and processed
electronically by 2010. E-procurement was estimated to
reduce administrative costs by 5 percent, and the strategy
was to be coordinated by a steering group comprising
representatives from all relevant public authorities.
Specific e-procurement tools include a portal for
publication, statistics on tender results, and a national
commercial register of bidders. The government selected
an internationally recognized electronic marketing
operator for software selection and implementation. The
process cost more than €12 million in total.
In terms of regulatory compliance, the Czech
government approved amendments to an existing
anti-corruption law. The amendments include protections
for whistleblowers and greater accountability for both
government agents and suppliers through additional public
disclosure that promotes transparency (e.g., the selected
supplier and the winning price). The improved law includes
new disclosure requirements so that the public has access
to the final price following completion of a contract, and
government officials are required to disclose information
about the bidders before the winner is chosen. The
government also decided to lower by 50 percent the
minimum price threshold above which a project must be
tendered. Together with e-procurement, these amendments
should reduce the potential for fraud.
Public Procurement and the Slovak Republic: Anti-Fraud Initiatives
In Slovakia, the government procurement office has
gone through several evolutionary phases in the last ten
years. In 2001, a law was passed requiring the
government to publish tender announcements online,
with the eventual goal of establishing a well-developed
e-procurement system. In recent years, Transparency
International initiated local projects to improve the
availability of government data and opened a
procurement reporting site in late 2010. The primary
goal of the site was to allow the public to view the
spending activities of government institutions (e.g.,
type of expenditure, benefit to the public, recipients
of the funds, type of procurement process used). From a
regulatory standpoint, new laws were adopted in 2011.
The Anti-Corruption Act requires greater disclosure of
procurement information by government authorities
and suppliers. Also, contract agreements do not take
legal effect unless and until they are published online.
Private-Sector Procurement: Then and Now
Private companies and shared service centers in Eastern
Europe are increasing their use of technology to monitor
procurement and operational functions. The Czech and
Slovak Republics have been successful in attracting
greenfield investments and relocations of dozens of
shared service centers thanks to lower costs, tax
incentives, and a highly educated workforce.
Companies and management have placed greater reliance on
controls to prevent and detect fraud. Based on a recent
ACFE study, a typical organization loses 5 percent of its
annual revenue to fraud. Furthermore, the same study found
that the median loss was almost 50 percent lower at
organizations with effective management review controls
in place. Internal audit departments worldwide have faced
major cutbacks in staff and audit scope due to the recent
economic recession, international competition, and the
trend of outsourcing the internal audit function. To
compensate, companies are relying more on technology.
Continuous control monitoring (CCM) started in the late
1990s, at a time when manual controls within the workplace
were very fragmented. Following major corporate scandals
(e.g., Enron, WorldCom) and the creation of the
Sarbanes-Oxley Act and the COSO risk framework, more
emphasis was placed on using technology to monitor
segregation of duties and transaction controls. Today,
approximately 70 percent of CCM implementations take
place in North America; however, utilization of CCM is
increasing throughout Europe.
Continuous Control Monitoring: Overview and Specifics
CCM is risk and compliance technology that
proactively monitors controls in enterprise resource
planning (ERP) and other financial applications to
improve financial governance, automate audit
processes, and verify access and transactional rules.
The set of technologies can be applied to controls in
financial applications and can help companies reduce
the cost of auditing. CCM technologies are applied
automatically and periodically to support processes
that are repeatable, consistent, and predictable.
From an efficiency perspective, internal auditors are
under increased pressure to reduce duplicative testing
and the cost of compliance across multiple regulatory
requirements. CCM addresses these challenges through
its ability to analyze 100 percent of transactional data
across the firm, improving the quality of audits through
timely notification of trends and exceptions. From a risk
perspective, internal auditors might find that sample
testing does not represent the risk inherent in the
population, and that resources are inefficiently deployed
to test manually intensive, low-risk transactions. CCM
addresses these challenges through early identification
of risks and trends, using top-down analyses to identify
higher-risk processes, entities, and locations for more
focused audit procedures. Internal and external auditors
also benefit from CCM because it provides a method to
monitor the accuracy of transactions and to evaluate
resources with greater reliability.
CCM is divided into primary and secondary controls.
The primary controls consist of segregation of duties
(CCM-SOD) and transaction monitoring controls
(CCM-T). The features of CCM-SOD allow users to
monitor changes to user access/roles, identify SOD
violations, and detect executed transactions that violate
SOD rules. The benefits of this control include
detecting unauthorized modifications to user access
roles, monitoring access to sensitive transactions, and
preventing SOD conflicts that increase the risk of fraud
and error.
CCM-T allows users to identify suspicious transactions
for further review, flag anomalies for investigation, and
isolate transactions that do not comply with business
rules. The benefits include the identification and
recovery of inappropriate outflows (e.g., duplicate
payments), evidence that controls are operating over
system transactions, and quick identification of data
integrity issues.
Secondary controls focus on automated controls related
to application master data (CCM-MD) and on controls
that monitor the presence, appropriate configuration,
and modification of built-in application controls
(CCM-AC). CCM-MD monitors changes to master data
files for suspicious activity, helping to identify and
address suspicious changes to master data and to detect
stale master file records. CCM-AC detects changes to
system setups and control configurations that might
increase the risk of fraud and error, and demonstrates
the continued effectiveness of application controls.
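The three CCM-SOD features described above (monitoring changes to user access, identifying SOD violations, and detecting executed transactions that violate SOD rules) can be illustrated with a small rule engine over ERP-style role assignments and a transaction log. This is an added example and not code from the paper or from any CCM vendor; the roles, users, log entries, and the conflict matrix are constructed for illustration, and the transaction codes XK01/XK02/FB60/F110 are used only as familiar SAP-style labels.

```python
"""Segregation-of-duties (SoD) checks of the kind a CCM-SOD component runs
against ERP role assignments and transaction logs.  Added example: the roles,
users, log entries and the conflict matrix are constructed for illustration
(XK01/XK02/FB60/F110 are used only as familiar SAP-style labels)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed role catalog: role -> transaction codes it grants.
ROLES = {
    "AP_CLERK":    {"FB60"},          # post vendor invoices
    "AP_PAYMENTS": {"F110"},          # run payment proposals / release payments
    "VENDOR_MGMT": {"XK01", "XK02"},  # create / change vendor master data
    "DISPLAY":     {"FK03"},          # display vendor master data (read-only)
}

# Assumed conflict matrix: holding both sides lets one person create or
# alter a payee and then pay it without a second pair of eyes.
SOD_CONFLICTS = [
    ("XK01", "F110", "create vendor and release payments"),
    ("XK02", "F110", "change vendor bank data and release payments"),
    ("FB60", "F110", "post vendor invoices and release payments"),
]


def user_transactions(assignments):
    """{user: {role, ...}} -> {user: {tcode, ...}} by expanding each role."""
    return {user: set().union(*(ROLES.get(r, set()) for r in roles))
            for user, roles in assignments.items()}


def sod_violations(assignments):
    """Static (entitlement) check: users whose combined roles grant a conflicting pair."""
    hits = []
    for user, tcodes in user_transactions(assignments).items():
        for a, b, why in SOD_CONFLICTS:
            if a in tcodes and b in tcodes:
                hits.append((user, a, b, why))
    return hits


def role_changes(before, after):
    """Access-change monitoring: roles added or removed between two snapshots."""
    changes = []
    for user in sorted(set(before) | set(after)):
        old, new = before.get(user, set()), after.get(user, set())
        changes += [(user, "ADDED", r) for r in sorted(new - old)]
        changes += [(user, "REMOVED", r) for r in sorted(old - new)]
    return changes


def executed_conflicts(log, window=timedelta(days=30)):
    """Dynamic check: the same user actually executed both sides of a conflicting
    pair against the same vendor within `window` (stronger than entitlement alone)."""
    events = defaultdict(list)
    for e in log:
        ts = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M")
        events[(e["user"], e["vendor"])].append((ts, e["tcode"]))
    hits = []
    for (user, vendor), evs in events.items():
        evs.sort()
        for i, (t1, c1) in enumerate(evs):
            for t2, c2 in evs[i + 1:]:
                if t2 - t1 > window:
                    break
                for a, b, why in SOD_CONFLICTS:
                    if {c1, c2} == {a, b}:
                        hits.append((user, vendor, a, b, why))
    return hits


# Constructed snapshots of role assignments (before/after a change window).
ASSIGN_BEFORE = {"jnovak": {"AP_CLERK"}, "mkral": {"AP_PAYMENTS"}, "audit1": {"DISPLAY"}}
ASSIGN_AFTER = {"jnovak": {"AP_CLERK", "VENDOR_MGMT"}, "mkral": {"AP_PAYMENTS"},
                "audit1": {"DISPLAY"}, "tmp_admin": {"VENDOR_MGMT", "AP_PAYMENTS"}}

# Constructed transaction log: tmp_admin creates a vendor and pays it the next day,
# while jnovak and mkral split invoice posting and payment between two people.
LOG = [
    {"ts": "2012-03-01 09:12", "user": "tmp_admin", "tcode": "XK01", "vendor": "V9001"},
    {"ts": "2012-03-02 16:40", "user": "tmp_admin", "tcode": "F110", "vendor": "V9001"},
    {"ts": "2012-03-02 10:05", "user": "jnovak", "tcode": "FB60", "vendor": "V1200"},
    {"ts": "2012-03-05 11:30", "user": "mkral", "tcode": "F110", "vendor": "V1200"},
]

if __name__ == "__main__":
    for c in role_changes(ASSIGN_BEFORE, ASSIGN_AFTER):
        print("ROLE CHANGE    ", *c)
    for v in sod_violations(ASSIGN_AFTER):
        print("SOD ENTITLEMENT", *v)
    for x in executed_conflicts(LOG):
        print("SOD EXECUTED   ", *x)
```

The entitlement check flags the new tmp_admin account twice (vendor creation plus payment release, and vendor change plus payment release), the snapshot diff shows where those rights came from, and the log check confirms the conflict was actually exercised on vendor V9001. The jnovak/mkral pair on V1200 is the intended two-person flow and is correctly left alone, which is why a CCM-SOD tool reports executed conflicts separately from mere entitlement.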
CCM provides a high-level dashboard to monitor
critical elements of a company's operations.
Specifically, the dashboard components might monitor
the following areas.
GENERAL LEDGER MODULE
 Conflict of interest (e.g., mandates versus
customers/suppliers)
 Unusual journal entries or sequence numbering
testing
ACCOUNTS PAYABLE MODULE
 Three-way match (purchase order, delivery note, invoice)
 Vendor invoices booked without tax code
 Link between supplier and employees
 Long-standing vendor invoices
 Vendor invoice paid before invoice date
ACCOUNTS RECEIVABLE MODULE
 Customer invoices booked without tax code
 Customers with multiple tax codes
 Long outstanding customer invoices
 Credit note amounts exceeding invoice amounts
MASTER DATA MODULE
 Duplicate customers or vendors
 Missing critical customer or vendor master data
 Customers or vendors with invalid VAT
numbers
 Transactions booked for customers or vendors
not registered in master data
PAYMENT MODULE
 Payments to bank account numbers not
registered in the master data
 Payments to customers or from vendors
 Cash transactions above legal thresholds
 Payments with reference to politically exposed
persons (PEPs)
TAX MODULE
 Invalid VAT numbers
 Transactions booked using VAT codes not
registered in master data
 Overview of VAT rates applied including old
and new incorrect rates
INVENTORY MODULE
 Inventory value reclassification
 Stock registration sanity checks
 Lower of cost or market
PAYROLL MODULE
 Falsified salary and hours
 Unauthorized benefits, pension, and insurance
payments
 Expenses and allowance fraud
 Incorrect payroll payments, ghost employees
FOREIGN CORRUPT PRACTICES ACT (FCPA) MODULE
 Customers and suppliers on black lists
 Payments to customers in sensitive regions
 Cash transactions above legal thresholds
 Large amounts posted under M&E expenses
FRAUD MODULE
 Comparison of company mandates of directors
with customer and supplier master data
 Comparison of HR master data with customer
and supplier master data
 Concentrations of manual entries or transfers
between customers’ or suppliers’ accounts
 Concentrations of credit notes, rebates,
discounts, purchase orders below signatory
thresholds
 Reactivation of dormant accounts
 Use of deleted or blocked accounts
 Use of accounting codes not registered in the
chart of accounts
 Journal entries reversed after cut off, entered on
weekends or holidays
 Sold to one party and shipped to another party
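Several of the dashboard rules listed above (duplicate vendors, payments to bank accounts not in master data, vendor invoices paid before the invoice date, links between suppliers and employees, journal entries on weekends, and postings just below signatory thresholds) are simple set and date comparisons once the ERP data is extracted. The following added example, which is not code from the paper or from any CCM product, runs such rules over constructed master data, invoices, payments and journal entries; the account numbers, amounts and the 10,000 approval threshold are assumed.

```python
"""Transaction- and master-data-monitoring rules (CCM-T / CCM-MD) over
constructed ERP extracts.  Added example: vendors, employees, invoices,
payments, journal entries and the approval threshold are all made up."""
from collections import defaultdict
from datetime import date
import re

# Constructed master data. V100 and V101 are the same supplier keyed twice.
VENDORS = {
    "V100": {"name": "Alfa Dodavatel s.r.o.", "bank": "CZ6508000000192000145399", "vat": "CZ12345678"},
    "V101": {"name": "ALFA DODAVATEL SRO",    "bank": "CZ6508000000192000145399", "vat": "CZ12345678"},
    "V200": {"name": "Beta Logistics a.s.",   "bank": "CZ2106000000000001234567", "vat": ""},
}
EMPLOYEES = {"E42": {"name": "Jana Novakova", "bank": "CZ2106000000000001234567"}}

# Constructed AP documents and their payments (doc links the two).
INVOICES = [
    {"doc": "1001", "vendor": "V100", "inv_no": "INV-2012-07", "amount": 48000.0, "inv_date": date(2012, 2, 10)},
    {"doc": "1002", "vendor": "V101", "inv_no": "INV 2012/07", "amount": 48000.0, "inv_date": date(2012, 2, 10)},
    {"doc": "1003", "vendor": "V200", "inv_no": "B-5571",      "amount": 12500.0, "inv_date": date(2012, 3, 1)},
]
PAYMENTS = [
    {"doc": "1001", "bank": "CZ6508000000192000145399", "paid": date(2012, 2, 28)},
    {"doc": "1002", "bank": "CZ6508000000192000145399", "paid": date(2012, 3, 2)},
    {"doc": "1003", "bank": "CZ9900000000000000000001", "paid": date(2012, 2, 27)},
]
JOURNAL = [
    {"je": "JE-501", "user": "mkral",  "posted": date(2012, 3, 3), "amount": 9800.0},  # a Saturday
    {"je": "JE-502", "user": "jnovak", "posted": date(2012, 3, 5), "amount": 9900.0},  # a Monday
]


def _norm(s):
    """Strip case and punctuation so cosmetic differences cannot hide a duplicate."""
    return re.sub(r"[^A-Z0-9]", "", s.upper())


def duplicate_vendors(vendors):
    """CCM-MD: vendor IDs sharing a bank account, VAT number, or normalised name."""
    keys = defaultdict(set)
    for vid, v in vendors.items():
        for field in ("bank", "vat"):
            if v[field]:
                keys[(field, v[field])].add(vid)
        keys[("name", _norm(v["name"]))].add(vid)
    return sorted({tuple(sorted(ids)) for ids in keys.values() if len(ids) > 1})


def duplicate_invoices(invoices):
    """CCM-T: same normalised invoice number and amount booked more than once."""
    groups = defaultdict(list)
    for inv in invoices:
        groups[(_norm(inv["inv_no"]), round(inv["amount"], 2))].append(inv["doc"])
    return sorted(tuple(docs) for docs in groups.values() if len(docs) > 1)


def payment_exceptions(payments, invoices, vendors, employees):
    """Payment module: unknown payee account, payment before invoice date,
    and supplier/employee links through a shared bank account."""
    inv_by_doc = {i["doc"]: i for i in invoices}
    vendor_banks = {v["bank"] for v in vendors.values()}
    employee_banks = {e["bank"]: eid for eid, e in employees.items()}
    hits = []
    for p in payments:
        inv = inv_by_doc[p["doc"]]
        if p["bank"] not in vendor_banks:
            hits.append((p["doc"], "BANK_NOT_IN_MASTER_DATA"))
        if p["paid"] < inv["inv_date"]:
            hits.append((p["doc"], "PAID_BEFORE_INVOICE_DATE"))
        if p["bank"] in employee_banks:
            hits.append((p["doc"], "PAID_TO_EMPLOYEE_ACCOUNT:" + employee_banks[p["bank"]]))
    for vid, v in vendors.items():  # master-data link, independent of any payment
        if v["bank"] in employee_banks:
            hits.append((vid, "VENDOR_BANK_MATCHES_EMPLOYEE:" + employee_banks[v["bank"]]))
    return hits


def journal_exceptions(journal, approval_threshold=10000.0):
    """GL module: weekend postings and amounts within 10% below the approval threshold."""
    hits = []
    for je in journal:
        if je["posted"].weekday() >= 5:
            hits.append((je["je"], "WEEKEND_POSTING"))
        if 0.9 * approval_threshold <= je["amount"] < approval_threshold:
            hits.append((je["je"], "JUST_BELOW_THRESHOLD"))
    return hits


if __name__ == "__main__":
    print("duplicate vendors :", duplicate_vendors(VENDORS))
    print("duplicate invoices:", duplicate_invoices(INVOICES))
    for h in payment_exceptions(PAYMENTS, INVOICES, VENDORS, EMPLOYEES) + journal_exceptions(JOURNAL):
        print("EXCEPTION", *h)
```

On this data the vendor check merges V100 and V101, the invoice check shows the same 48,000 invoice paid twice under both vendor records, payment 1003 is flagged both for an unregistered account and for being paid before the invoice date, vendor V200 is flagged for sharing its bank account with employee E42, and both journal entries are flagged for sitting just under the approval threshold (JE-501 also for its Saturday posting). Each rule runs over the full population rather than a sample, which is the efficiency argument the paper makes for CCM.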
CCM in Practice with Successful Results
Continuous controls monitoring has resulted in many
successes for companies of various industries. A few
examples follow.
Regulatory Compliance and Savings
An international bank with branches in 20 countries and
more than $100 billion in assets under management
implemented CCM. The bank uses CCM to comply with a
new Basel II operational-risk regulation requiring banks
to maintain a detailed audit trail of user access to
customer data, including all update and query activities.
The bank had a log of some of the update transactions but
none of the query transactions, so logging all
transactions would have required changes to thousands of
mainframe application programs. The bank estimated a
potential requirement of 100 programmer-months to
accomplish this task, at a cost of more than $1 million.
Instead, the bank implemented CCM vendor software and
achieved immediate compliance with the new regulation
without changing a single line of code, saving more than
$1 million.
Information Leakage and Internal User Fraud
A credit card company implemented CCM software to
detect information leakage and internal fraud. The
company used CCM to record user activity, allowing
internal auditors to replay every screen and keystroke of
every end user. The company uses CCM business rules to
track end-user behavior patterns and to generate alerts on
exceptions in real time.
In another instance, a large governmental agency with
11,000 employees implemented CCM for recording
activities of all internal end users, generating a very
detailed audit trail of user access to citizens’ sensitive
data. The agency had informed all of its employees and
contractors that their actions were being recorded in
order to deter potential fraud and information leakage.
CCM has also been successful in detecting internal
fraud at a multinational insurance company. One of the
main operational objectives was to track the activity of
privileged IT users, including programmers and database
and system administrators. These users pose a special
threat because of their technical knowledge and
authorized access to internal servers and system
resources. Business rules were implemented in the CCM
system to generate real-time alerts on suspicious
behavior, such as an attempt by a privileged user to
update data in a production database using a database
utility whose activity could not be traced by any other
means available to the company except the CCM vendor's tool.
The use of CCM to eliminate segregation-of-duties
violations and to increase the efficiency of compliance
has also been very successful. A large telecom company
realized a number of key benefits from its CCM
implementation, including the elimination of 83,000
SOD violations within its SAP system. Additional
achievements include:
 Ongoing monitoring of changes to SAP access
 Reducing the effort required for SOX compliance
 Automating the SAP user access request and approval
process, and setting an example for other divisions,
which are now following suit
Conclusion
Both public and private sectors are focusing their attention
on technology through government e-procurement and
CCM to mitigate the risk of fraud. CCM is a key
component of the compliance evolution and can enhance
the effectiveness of controls while increasing operational
efficiencies. CCM can also facilitate timely intervention to
decrease risk and increase compliance. Forensic
professionals in Eastern Europe are taking the initiative to
educate the business community and governments on the
risks of fraud and preventive measures in order to provide
greater transparency and guidance for the public, corporate
employees, management, and shareholders.