IACON 2010 Presentation on Continuous Audit and Continuous Controls Monitoring
2010 Approva Corporation and Consider Solutions Limited. All rights reserved.
Dan French - Consider Solutions
Consider Solutions are the European distribution operation for Approva
IACON 2010: Taking the Internal Audit Profession Forward
Continuous Auditing: Technology Enabled Continuous Assurance
www.iloveagoodaudit.com/
The value in developing a continuous auditing framework
Why is continuous auditing important for auditors?
How does technology aid continuous auditing?
Monitoring for management use or internal audit?
Interpreting and reacting on your results
Learning Points
Continuous Auditing & Continuous Controls Monitoring
The Controls Challenge for Management and Audit
Continuous Auditing in Practice
Challenges and Best Practices
Questions and feedback
Structure
4
2010 Approva Corporation and Consider Solutions Limited. All rights reserved.
Continuous auditing is the application of automated tools to provide assurance on financial and non-financial data within a company
Continuous auditing uses a set of tools to check whether internal controls are functioning to prevent errors and fraud
A generally accepted definition of "continuous auditing" remains elusive, and expert practitioners remain rare
32% of 305 organizations have told the Institute of Internal Auditors in the past year that they perform continuous auditing
In a 2006 PWC survey, 81% of 392 companies said they at least aspired to continuous auditing
Continuous Controls Monitoring seeks to assure the effectiveness of internal controls, reduce fraud and meet regulatory requirements.
Continuous Auditing (CA) & Continuous Controls Monitoring (CCM)
There is much debate on the semantics!
No, not all risks can be effectively monitored using automation
Monitoring data and transactions does not necessarily prove that the control is working. But it helps!
Emerging Continuous Monitoring definitions
Application configuration (CCM-AC): Do our systems allow anyone to . . .?
User access (CCM-SOD): Can anyone . . . . ?
Master data (CCM-MD): Is the critical static data correct and controlled?
Transactions (CCM-T): Did anyone . . . ? What was the impact?
Consistent, Continuous, Complete
Continuous Auditing (CA) & Continuous Controls Monitoring (CCM): What is the difference?
Audit & Internal Controls (courtesy BMW AG)
An Audit Committee Perspective
The pace of business change continues to increase
The demands for more rapid and robust reporting will increase
Technology risk will continue to increase
The patience of the public, investors and regulators to accept fraud risks will continue to grow thin
The demand for independent, rapid assurance will continue to grow
We are entering a new Age. We need constant, not periodic, visibility
Drivers for Change
Maintenance of continuous state of audit requires:
Provide immediate insight into control violations
Increase audit scope and frequency while reducing costs
From manual to fully automated control testing with integrated view on risks
Reduce recurrent testing/review cost significantly, while focusing on more added value areas
Enterprise risk and controls coverage across all processes and applications
Increasing complexity and integration of systems requires new control methods and tools
Vision
Current approach: Periodic, mainly manual reviews and audits of systems and processes
New approach: Continuous testing via predefined rules and tools. Broader and deeper scope of testing
Current approach: Sample based manual and computer aided testing
New approach: Exception based automated monitoring
Current approach: Multiple controls and tools to cover one control objective or risk
New approach: Optimisation of controls and testing in integrated tool set
Current approach: Inconsistent, decentralized tools and testing
New approach: Local controls and testing derived from common consistent global rules
Current approach: Mainly focused on regulatory control objectives
New approach: Extension to other risk areas (operational risks, extend fraud detection, other compliance risks). Further business improvement opportunities
Global centralized, standardized and integrated controls management and testing that helps:
Realize efficiency gains through automated and continuous control monitoring
Increase coverage and scope of controls to areas not sufficiently covered today
Embed controls in business processes
Over the Last 5 Years Risk Management Has Jumped to the Top of the CFO's Agenda
Which of These Company-Wide Initiatives Are Very Important or Critically Important to CFOs?
Chart series: 2010, 2005
Measuring/monitoring business performance
Providing inputs into enterprise strategy
Driving enterprise cost reduction
Supporting/managing/mitigating enterprise risk
Driving integration of information across the enterprise
93% increase
Source: IBM CFO Survey, 2010
But CFOs Say a Significant Gap Remains Between the Effectiveness & Importance of Internal Controls
How Would You Rate the Importance vs. the Effectiveness of These Cross-Enterprise Activities?
Executing continuous finance process improvements
Strengthening compliance programs & internal controls
Driving Finance cost reduction
Supporting/managing/mitigating enterprise risk
Chart series: Importance, Effectiveness
28% Gap, 16% Gap, 23% Gap
Source: IBM CFO Survey, 2010
The Vast Majority of Organizations Rely on Manual Methods to Validate The Effectiveness of Their Controls
Mostly periodic manual checks/ standard reports
Mix of regular manual & automated checks
Mix of real-time, manual & automated checks
Mostly real-time automated checks & dashboards
Others/not sure
What Methods Do You Use to Provide Management Assurance of Your Controls?
Source: KPMG Continuous Monitoring & Continuous Auditing Survey, 2010
The Controls Challenge for Management & Audit
Processes
Multiple Risks, Multiple Data Sources
What is supposed to happen?
What actually does happen?
Processes are ignored or circumvented
Policies cannot be cost-effectively enforced
CFOs have invested tens of millions in ERP / Finance Systems to drive:
Process and control standardisation
Business efficiency
Economies of scale
However, only some of the value has been released . . .
Many businesses have implemented ERP and achieved:
A standard data input process and control
BUT NOT
A standard business process or control
The myth of standardisation & control in systems
Example standard business process
ERP is configured to only allow GR if PO exists, however:
1. Truck drops off shipment, but no PO exists
2. Warehouse worker calls up purchasing to create a PO
3. Purchasing creates PO for Shipment
4. GR is created against PO
The myth of automated business controls in ERP
Neither management nor audit can rely on system configured controls (automated business controls) alone;
For key controls of high risk or high impact, we need:
Monitoring and Prevention of high risk Segregation of Duties issues
Monitoring of configured control, where it exists
Monitoring of related master data for specific changes
Monitoring of specific business activities/transactions outside accepted or expected boundaries
This gives 360 degree business control visibility for management and audit
Consistent, Continuous, Complete
Fixing the myth of standardisation & control in systems
Continuous monitoring catches things that just don't typically get found in entirety, including:
Changes to Bank Account details
Change in payment terms or prices on specific orders
Approvals to key changes (such as terms and prices)
SoD checks at the individual level e.g., POs created and released by same person, GR created by same person as approved the PO.
Deliveries with no reference to a Sales Order
Over deliveries
Sales Orders for Customers over Credit Limit
Duplicate payments
Unusual GL postings
Multiple POs to avoid signoff limits
Nominal value PRs to make the process work
Consistent, Continuous, Complete Testing
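Three of the transaction-level checks listed above (same-person create and release, duplicate payments, POs split to stay under a sign-off limit) expressed as exception rules over ERP extracts. This is an added illustration, not material from the presentation or from the Approva product; the record layout, the 10,000 sign-off limit, the 7-day window and all sample rows are constructed assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import date

# Constructed sample extracts; field names and values are illustrative assumptions.
PO = namedtuple("PO", "po vendor amount created_by released_by date")
Payment = namedtuple("Payment", "id vendor invoice amount")
SIGNOFF_LIMIT = 10_000  # hypothetical approval threshold

PURCHASE_ORDERS = [
    PO("PO-1", "V100", 4_800, "asmith", "bjones", date(2010, 3, 1)),
    PO("PO-2", "V100", 4_900, "asmith", "bjones", date(2010, 3, 2)),
    PO("PO-3", "V100", 4_700, "asmith", "bjones", date(2010, 3, 3)),
    PO("PO-4", "V200", 2_500, "cwong", "cwong", date(2010, 3, 5)),
    PO("PO-5", "V300", 9_000, "dlee", "bjones", date(2010, 3, 10)),
]
PAYMENTS = [
    Payment("PAY-1", "V100", "INV-778", 4_800),
    Payment("PAY-2", "V100", "inv-778 ", 4_800),  # same invoice, re-keyed
    Payment("PAY-3", "V300", "INV-901", 9_000),
]

def sod_violations(pos):
    """SoD at the individual level: PO created and released by the same person."""
    return [p.po for p in pos if p.created_by == p.released_by]

def duplicate_payments(payments):
    """Group payments by vendor, normalised invoice reference and amount."""
    groups = defaultdict(list)
    for pay in payments:
        groups[(pay.vendor, pay.invoice.strip().upper(), pay.amount)].append(pay.id)
    return [ids for ids in groups.values() if len(ids) > 1]

def split_pos(pos, limit=SIGNOFF_LIMIT, window_days=7):
    """Same creator and vendor: under-limit POs in the window that together exceed the limit."""
    by_pair = defaultdict(list)
    for p in pos:
        if p.amount < limit:
            by_pair[(p.created_by, p.vendor)].append(p)
    hits = []
    for items in by_pair.values():
        items.sort(key=lambda p: p.date)
        for first in items:
            run = [q for q in items if 0 <= (q.date - first.date).days <= window_days]
            if len(run) > 1 and sum(q.amount for q in run) > limit:
                hits.append([q.po for q in run])
                break  # one exception per creator/vendor pair is enough to review
    return hits

if __name__ == "__main__":
    print("SoD:", sod_violations(PURCHASE_ORDERS))
    print("Duplicate payments:", duplicate_payments(PAYMENTS))
    print("Split POs:", split_pos(PURCHASE_ORDERS))
```

Because the rules run over every record rather than a sample, each returned list is an exception queue for a control owner to review, not proof of fraud.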
CA/CCM Landscape is Confusing
GRC Components & Related Services
Governance Layer
Risk/Compliance Layer
IT Infrastructure Layer
Align Performance With Corporate Objectives
Establish The Rules For Business Operations
Assure That Information Is Properly Controlled
Continuous Control Monitoring (CCM), Testing & Enforcement
Business/Performance Layer
Continuous Monitoring Layer
Provide Insight & Perform Specialized Functions
Assure That Operations Follow Set Policies and Expectations
ERP, Finance, HR, Sales, Supply Chain, Manuf. Ops., LOB
Pharma, Retail, Healthcare, Transportation, Manufacturing, Financial Services, Energy
SOX, Basel II, HIPAA, FCPA, J-SOX, PCI, Others
Application Configuration (CCM-AC), User Access (CCM-SOD), Master Data (CCM-MD), Transactions (CCM-T)
Policy, procedure & control definition
Automated testing
IT Control Monitoring, Testing & Enforcement: Networks, Web, E-mail, Servers, Storage
Corporate Reporting
Documentation / Alignment / Rationalization
Enterprise Risk, E-Discovery
Issue & Resolution Management
Audit Management
Continuous Auditing in Practice
User Access Exceptions
Business Process Exceptions
Process Exceptions drilldown into specific issues
Process Exceptions drilldown duplicate vendor
Continuous Monitoring helps Risk Assessment
Value of Returned Goods by Location
. . . and helps drive Business Improvement
Open Sales Orders Not Shipped
2009 Approva Corporation. All rights reserved.
Case Study: Continuous Auditing Approach
25% Automated With Out-of-the-Box Rules
25% Automated by Configuring New CCM/CA Rules
25% Automated by Re-Engineering Audit Plan Controls
25% Not Possible to Automate
Systematically examine each Audit Action Sheet, the audit approach, and the audit objectives
Design an automation and continuous monitoring method, achieving the same audit objectives while leveraging CCM/CA
Identify and validate automation opportunities in 4 key areas:
1. CCM/CA out-of-the-box rules
2. Configure new rules
3. Re-engineer manual AAS tests
4. Not possible to automate
Approach
75% Automation of Audit Tests
Continuous Auditing / Continuous Controls Monitoring
Can target up to 60-70% of key controls
But, it can be complex
Many Moving Parts, including . . .
Technology
Potentially broad controls and data scope
Multiple systems and processes
Geography, Lines of Business, Organisations & Plants
Managing Stakeholders & Expectations
Reporting and actioning exceptions and issues
Human impact of continuous monitoring
Invariably involves change!
2008 Approva Corporation. All rights reserved
Some Specific Recommendations (1)
Be clear and get agreement on ownership and sponsorship
Start simple, narrow risk focussed scope with quantifiable value
Prioritise based on business risk and suitability for automation ... HIGH / HIGHs are the sweet spot
Develop a plan for iterative refinement of entire process. Deploy ... use ... learn ... review ... refine ... extend. Increase breadth in controlled stages.
Review current beliefs and practices in light of each iteration. Is there a better way to test this control or manage this risk?
Deeply engage the business / control owners as part of the assessment / development / testing processes
Be aware that continuous monitoring WILL find more exceptions than periodic sampling. Communicate well and often.
2006 Approva Corporation. All rights reserved
Some Specific Recommendations (2)
Implement a robust rule configuration methodology involving required skills. Structured but iterative approach works well.
Define a robust rule testing strategy which closely involves the business / control owners.
Define and agree business deployment strategy before rolling out. e.g. practical information dissemination and alerting strategy that makes it easy for the stakeholders. Work out how the stakeholders will use the output, confirm priority of exceptions, and agree types of actions needed.
Reporting: Ensure the content is filtered appropriately for the target community so they only see relevant information. Ensure report output is appropriate for the target community.
Work Streams to consider when Planning
CCM/CA Project
Vision & objectives setting and stakeholder buy-in
Narrow Path Pilot to develop and test full cycle controls testing from control confirmation to business action and remediation
Extend to next LOB, geography, control set
Iterate
Don't invest in technology until you have proven the value in a Narrow Path Pilot . . .
Implementation Considerations
Planning & Management
Roll-Out & Follow-On Planning
Controls Definition & Optimization
IT Planning & Operability
Information Dissemination & Exception Action Planning
Pilot Business As Usual on Narrow Path Scope
The Business Case: The vision and rationale
Enable a comprehensive controls testing environment for optimised risk coverage, visibility of control effectiveness, elimination of fraud and waste and process (& system) simplification and standardisation
Tangible benefits of Continuous Audit
Cost savings OR Cost avoidance
Internal Audit Effort
External Audit Effort
Finance Effort
IT Effort
Other External effort
Both centrally and locally (often disguised in other activities)
Improved risk profile 100% control testing
Efficiencies and cost savings in core business processes
Operational intelligence for business exceptions
Driving process standardisation and economies of scale
2009 Approva Corporation and Consider Solutions Limited. All rights reserved.
Companies Expect to See Significant Benefits From Their Deployment of CCM Applications
In What Areas Do You Expect to See the Most Significant Benefits With CCM Applications?
Source: AMR Research, 2009
Stakeholder views on CCM/CA
CFO / Finance
Internal Audit
CIO/IT
Compliance/ Risk
Increased business efficiency
Reduced risk of adverse audit findings & fraud
Reduced testing time for routine controls
Improved internal auditor utilization
Reduced time to support audits
Reduced IT cost of ownership
Improved visibility into key risks
Reduced time and cost for monitoring controls
Complementary Business Goals of Continuous Auditing & Continuous Monitoring
Operational Benefits (continuous monitoring)
Audit Benefits (continuous auditing)
Reduced Audit Costs
Automated Audit Testing
Reduced Audit Preparation Costs
Improved Audit Quality & Effectiveness
Business Process Optimization
Financial Reporting Accuracy
Fraud Prevention
Performance Management
Transaction Processing Costs
Performance Improvement
Performance & Strategy
Regulatory Compliance
Risk Management & Operational Improvement
Cash Leaks
Value
More than 50% of Organizations Are Considering or Piloting Continuous Auditing & Monitoring Tools
Not at all or don't know
How Widespread Is the Use of Technology to Support Continuous Auditing & Continuous Monitoring?
Use standard reporting (e.g. from ERP system)
Considering the use of dedicated auditing & monitoring tools
Limited/pilot use of dedicated auditing & monitoring tools
Widespread use of dedicated auditing & monitoring tools
Source: KPMG Continuous Monitoring & Continuous Auditing Survey, 2010
The Value of Effective, Assured Controls
Better risk identification, mitigation and management
Knowledge that the business runs as advertised
Revenue is solid, cash is collected, expenses are valid, tax position is correct, accrual values are fair, waste & fraud is eliminated
Stakeholders (internal and external) have greater confidence in results, operations, controls and management
So the question remains;
is continuous, automated testing more cost effective?
Everyone else gets (continuously) audited!
In God we trust . . . .
Contact Details
dfrench@consider.biz
Questions?
www.iloveagoodaudit.com/