February 10, 2009, 3:21 PM — Using software to perform compliance tasks that would otherwise be done by hand may be an obvious way to drive down the costs of regulatory compliance. Less obvious, however, is what that software must do to maximize those savings — continuously monitor the source data of primary business applications. It may sound like a minor item on a systems requirement checklist, but that continuous monitoring of source data (or “continuous monitoring,” for short) lies at the heart of compliance cost reductions.
Continuous monitoring lets companies prove that something did not happen, that no change was made to the source data during the monitoring period. Of course, continuous monitoring also lets a company demonstrate what did happen to its source data. In fact, continuous monitoring can also reveal who or what made the change, the before and after values, and the remediation. But by giving companies a way to prove no change, continuous monitoring prevents the costly, manual testing and review of unchanged data and controls that inflate compliance costs.
Say a company has a maximum check approval amount of $80,000. Continuous monitoring can confirm whether that amount has ever changed and whether the control was continuously in place for the entire monitoring period. How? Through the change records generated by the continuous monitoring system. No record of change means no change in the source data, no change in the control, and ultimately, no check was written for over $80,000 without the appropriate approvals.
Tracking what is happening to source data — even when what is “happening” is that everything is staying the same — is unique to continuous monitoring. Transaction monitoring, even continuous transaction monitoring, simply cannot perform that task. Transaction monitors look at transaction logs to prove a transaction did take place or was attempted. They are not designed to prove something did not happen. Continuous monitoring of the underlying source data relies on database log records to prove that something either did or did not happen.
Remember, transactions are only one path to the source data. There are other authorized and unauthorized ways to change that data, including batch jobs, privileged user access, hackers, and so on. Continuous monitoring will identify all of those changes and issue alerts on changes that fall outside of policy. So if that $80,000 check approval amount is changed to $120,000 at 8:00 a.m. and is changed back to $80,000 at 8:01 a.m., continuous monitoring will catch both changes regardless of who or what made them.
Continuous monitoring nuts and bolts. In a nutshell, continuous monitoring uses non-invasive agents to monitor database activities. This includes create, alter, drop, insert, update, and delete operations. To harness its compliance cost reduction value, that activity is collected from the database transaction log and pulled into a secure, central repository for analysis and reporting.
The monitored activity is run through a policy engine that flags events considered suspicious or outside of policy, reducing the volume of reported information to the events that actually need review and reconciliation. Events are prioritized and color coded, from low to medium, high, and critical, so that the most important events can be identified and reviewed immediately.
To deliver what the Committee of Sponsoring Organizations (COSO) considers persuasive information, continuous monitoring cannot be turned off, which yields a complete and trusted audit trail. This always-on approach stands in contrast to other systems that can miss activity when network packets are dropped or connections are down. Moreover, audit sources cannot be disabled without an alert, and the repository provides read-only access to audit information so critical history cannot be altered.
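The following is an added example, not code from the original column or from any product it describes, showing in miniature how the pieces described above fit together: change records pulled from a database transaction log, a policy engine that assigns low/medium/high/critical severities, a "nothing changed" attestation for a control over a monitoring period, the 8:00/8:01 exposure window from the $80,000 check-approval scenario, and a check for sequence-number gaps that would indicate the audit source went quiet. The `POLICY` table, the `ChangeRecord` fields, the sample actors and the log entries are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ChangeRecord:
    """One row-level change as it would be pulled from the database transaction log (constructed shape)."""
    seq: int           # log sequence number; a gap means the audit source went quiet
    ts: datetime
    table: str
    column: str
    before: object
    after: object
    actor: str         # who or what made the change
    path: str          # how it reached the data: application, batch, privileged, unknown


# Control policy (constructed): expected value and the paths allowed to change it.
POLICY = {
    ("ap_controls", "max_check_approval"): {
        "expected": 80000,
        "authorized_paths": {"application"},
    },
}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def classify(rec: ChangeRecord) -> tuple[str, str]:
    """Assign a severity and a reason to one change record according to POLICY."""
    rule = POLICY.get((rec.table, rec.column))
    if rule is None:
        return "low", "change outside monitored controls"
    if rec.path not in rule["authorized_paths"]:
        return "critical", f"control changed via unauthorized path '{rec.path}' by {rec.actor}"
    if rec.after != rule["expected"]:
        return "high", f"control moved away from expected value {rule['expected']}"
    return "medium", "control restored to expected value; review the intervening window"


def triage(records):
    """Events at medium severity or above, most severe first, then in log order."""
    rows = [(r.seq, *classify(r)) for r in records]
    rows = [row for row in rows if SEVERITY_RANK[row[1]] >= SEVERITY_RANK["medium"]]
    return sorted(rows, key=lambda row: (-SEVERITY_RANK[row[1]], row[0]))


def attest_no_change(records, table, column, start, end) -> bool:
    """True when no change record touched the control within [start, end]: the 'nothing happened' proof."""
    return not any(r.table == table and r.column == column and start <= r.ts <= end
                   for r in records)


def exposure_windows(records, table, column):
    """Intervals during which the control held a value other than the expected one."""
    expected = POLICY[(table, column)]["expected"]
    windows, opened = [], None
    for r in sorted(records, key=lambda r: r.seq):
        if (r.table, r.column) != (table, column):
            continue
        if r.after != expected and opened is None:
            opened = r.ts
        elif r.after == expected and opened is not None:
            windows.append((opened, r.ts, r.ts - opened))
            opened = None
    if opened is not None:
        windows.append((opened, None, None))  # still exposed at end of log
    return windows


def audit_gaps(records):
    """Sequence-number gaps: the audit source was disabled or records were lost in transit."""
    seqs = sorted(r.seq for r in records)
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]


# Constructed sample log: the $80,000 -> $120,000 -> $80,000 flip from the text,
# an unrelated application change, and a missing sequence number (4).
T0 = datetime(2009, 2, 10, 8, 0)
SAMPLE = [
    ChangeRecord(1, T0, "ap_controls", "max_check_approval", 80000, 120000, "dba_jsmith", "privileged"),
    ChangeRecord(2, T0 + timedelta(minutes=1), "ap_controls", "max_check_approval", 120000, 80000, "dba_jsmith", "privileged"),
    ChangeRecord(3, T0 + timedelta(hours=1), "vendors", "address", "1 Main St", "2 Main St", "ap_app", "application"),
    ChangeRecord(5, T0 + timedelta(hours=2), "vendors", "bank_account", "ACCT-0001", "ACCT-0002", "nightly_batch", "batch"),
]

if __name__ == "__main__":
    for seq, sev, why in triage(SAMPLE):
        print(f"seq {seq}: {sev.upper()} - {why}")
    print("audit gaps:", audit_gaps(SAMPLE))
    print("exposure windows:", exposure_windows(SAMPLE, "ap_controls", "max_check_approval"))
    print("control unchanged 09:00-17:00:",
          attest_no_change(SAMPLE, "ap_controls", "max_check_approval",
                           T0 + timedelta(hours=1), T0 + timedelta(hours=9)))
```

Two design points carry the argument of the column. First, the attestation is computed from the absence of change records, not from transaction logs, which is why `attest_no_change` only needs the source-data log to say "nothing happened" for a period. Second, the one-minute flip is still surfaced as two critical events and a one-minute exposure window even though the end state equals the expected value, which is exactly what a transaction monitor looking for an over-limit check would never see.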
The curious thing about most internal and regulatory audits is how much time and money is spent proving that nothing happened since the last audit, proving that controls are in place and working properly. Without the automated systems that provide continuous monitoring, companies must test their controls and data by hand to verify their “no change” status. It’s a painful, expensive process that more companies are beginning to streamline with the right systems.