Test every transaction. Not a sample.
Continuous controls monitoring (CCM) is the automated testing of internal controls against every transaction, as it happens. It replaces the periodic, sample-based testing that statutory audits and internal control frameworks have relied on for decades. RiskForge brings CCM to SAP-running Mittelstand companies and extends it with something no monitoring tool offers: the ability to act before a transaction posts.
Why sampling fails.
Sample-based control testing examines a fraction of one percent of transactions, weeks or months after the fact. The mathematics is unforgiving. A control tested on 25 samples out of 400,000 postings tells you almost nothing about the 399,975 untested ones, and fraud does not volunteer for the sample. Every major corporate fraud of the past two decades happened in a company whose controls were tested, on samples, and found effective.
Continuous monitoring works the other way round. Every transaction is evaluated against the control logic at the moment it occurs. Coverage is 100% by construction, and the time between violation and detection collapses from weeks to seconds.
What RiskForge monitors continuously.
- Payment runs and disbursements, against behavioural baselines per user, vendor population and time pattern
- Journal entries: out-of-hours postings, unusual account combinations, period-end anomalies
- Vendor master changes, including bank-detail changes followed by payments and payment-term manipulation
- Segregation of duties, evaluated on actual transactions rather than role theory
- The classic GRC baseline: access risk analysis, SoD rule matrix, critical authorisations and emergency-access monitoring. Everything a GRC suite checks, RiskForge checks too.
- IT general controls: access management, change management and IT operations, correlated across SAP GRC, Jira, ServiceNow and server deployment logs
- Cyber events with financial reach, such as privileged access anomalies on payment-capable accounts
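The rule-based part of the list above, as an added example that is not RiskForge's code: every event in a constructed stream is checked for out-of-hours journal entries, payments that follow a vendor bank-detail change, and segregation of duties judged on who actually performed both steps. The event fields, rule names, business-hours window and 7-day window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Assumed thresholds for illustration; real values come from the control owner.
BUSINESS_HOURS = range(7, 19)           # 07:00-18:59 local time
BANK_CHANGE_WINDOW = timedelta(days=7)  # payment this soon after a change is flagged

# Constructed sample events (not real SAP data), in time order.
EVENTS = [
    {"id": 1, "ts": "2024-03-04T10:15", "type": "journal_entry", "user": "ANNA"},
    {"id": 2, "ts": "2024-03-04T23:40", "type": "journal_entry", "user": "BERND"},
    {"id": 3, "ts": "2024-03-05T09:00", "type": "vendor_bank_change", "user": "CARLA", "vendor": "V100"},
    {"id": 4, "ts": "2024-03-06T11:30", "type": "payment", "user": "CARLA", "vendor": "V100"},
    {"id": 5, "ts": "2024-03-06T11:45", "type": "payment", "user": "ANNA", "vendor": "V200"},
    {"id": 6, "ts": "2024-03-07T14:00", "type": "vendor_bank_change", "user": "DIRK", "vendor": "V300"},
    {"id": 7, "ts": "2024-03-08T09:20", "type": "payment", "user": "ANNA", "vendor": "V300"},
    {"id": 8, "ts": "2024-03-20T10:00", "type": "payment", "user": "ANNA", "vendor": "V300"},
]

def evaluate(events):
    """Run every event through the rules; return (event_id, rule) findings."""
    findings = []
    last_bank_change = {}  # vendor -> (timestamp, user) of the most recent change
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "journal_entry":
            # Outside the assumed business hours, or on Saturday/Sunday.
            if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
                findings.append((ev["id"], "OUT_OF_HOURS_POSTING"))
        elif ev["type"] == "vendor_bank_change":
            last_bank_change[ev["vendor"]] = (ts, ev["user"])
        elif ev["type"] == "payment" and ev["vendor"] in last_bank_change:
            changed_at, changed_by = last_bank_change[ev["vendor"]]
            if ts - changed_at <= BANK_CHANGE_WINDOW:
                findings.append((ev["id"], "PAYMENT_AFTER_BANK_CHANGE"))
                # SoD on actual transactions: one person did both steps.
                if changed_by == ev["user"]:
                    findings.append((ev["id"], "SOD_CHANGE_AND_PAY"))
    return findings

if __name__ == "__main__":
    for event_id, rule in evaluate(EVENTS):
        print(f"event {event_id}: {rule}")
```

Event 8 pays the same vendor as event 7 but falls outside the assumed window, so it produces no finding; the window length decides how many such payments reach a reviewer.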
Monitoring detects. Enforcement prevents.
Detection alone still loses the race against a same-day payment. RiskForge therefore offers an enforcement mode per process. Transactions in the highest confidence band are held before they commit and routed to the responsible manager for release or rejection, while normal business posts untouched. Companies typically begin in monitoring mode and move their riskiest processes to enforcement once the confidence bands have earned trust.
Frequently asked questions
What is continuous controls monitoring (CCM)?
Continuous controls monitoring is the automated, ongoing testing of internal controls against 100% of transactions as they occur, instead of periodic manual testing of samples. A CCM system detects control violations within seconds or minutes of the event, rather than weeks later during an audit.
How is CCM different from a classic GRC tool?
Classic GRC suites focus on access risk, meaning who could do something wrong, and on periodic control testing. CCM evaluates actual transactions continuously, meaning what actually happened. RiskForge adds a third layer both miss: real-time intervention that holds a high-risk transaction before it posts.
Does continuous monitoring slow down SAP?
No. RiskForge reads a change-data copy of SAP activity, so monitoring adds zero load. Only the optional real-time intervention path touches SAP, through a minimal hook that answers in under 200 milliseconds.
How long until CCM delivers value?
Rule-based checks such as segregation of duties conflicts, missing approvals and out-of-hours postings produce findings from the first week. Behavioural baselines mature over roughly 90 to 180 days and keep sharpening afterwards.
See RiskForge on your own processes.
A 30-minute walkthrough against realistic SAP scenarios: payment runs, journal entries, transports. No slides, just the actual product.