DEFENSE IN DEPTH Collaboration Among Risk Management, Internal Audit and Compliance SEPTEMBER 9, 2013


Speaker

• Chief Operating Officer, CaseWare RCM

• Over 20 years' experience in IT audit, data analytics and forensics

• Previously at Ernst & Young

CaseWare International

• Founded in 1988

• An industry leader in providing technology solutions for finance, accounting, governance, risk and audit professionals

• Over 400,000 users of our technologies across 130 countries and 16 languages

• Customers include Fortune 500 and Global 500 companies

Today’s Topics

1. The Three Lines of Defense Model

2. Continuous Controls Monitoring (CCM)

3. Case Studies of CCM at Each Line of Defense

4. Q & A

THE THREE LINES OF DEFENSE MODEL

Three Lines of Defense Model

1st Line of Defense: OPERATIONAL MANAGEMENT

• Own and manage risks

• Design and implement internal controls

• Responsible for maintaining effective controls

2nd Line of Defense: RISK MANAGEMENT & COMPLIANCE

• Help build and monitor the first line of defense

• Ensure compliance with regulations

• Financial risks and reporting requirements

• Identify changes in risk appetite

3rd Line of Defense: INTERNAL AUDIT

• Provide senior management with assurance

• Monitor the effectiveness of the first and second lines of defense

• Independent

Coordinating the Three Lines

CONTINUOUS CONTROLS MONITORING (CCM)

What is CCM?

An audacious vision for CCM:

• Know the state of any control in the business

• Resolve identified breaches before impact

• Provide an unparalleled ROI

COSO Guidance (effective control systems must include monitoring)

The Importance of Monitoring

• Independent monitoring of automated and partially automated controls

• Continuous detection of breaches

• Transparency in detection and remediation

• Address IT concerns

• Collaborative approach to timely remediation

Role of CCM

An Example

RISK: Invoices may not be valid and/or properly authorized

CONTROL ACTIVITY: Matching invoices to goods receipt

OWNER: Category Management

METHOD: Partially Automated

TYPE: Preventative

FREQUENCY: Recurring

COSO COMPONENT: Control Activities

Properties of the CCM Test

FREQUENCY: Daily

DETECT: Any non-compliance over and below the threshold

ASSIGNMENT: Category Management

DEADLINE: Resolve same day

EVIDENCE: Due diligence performed on those over the threshold and any other exceptions detected

VALUE: Ensure that the control effectiveness is sustained at a high level
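The invoice-to-goods-receipt control and the CCM test properties above, worked as an added example (not the presentation's or CaseWare's code): a daily test that matches every invoice to its goods receipt, records an exception for each mismatch, assigns it to the control owner with a same-day deadline, and flags those over the threshold for due-diligence evidence. The invoices, receipts and threshold are constructed sample data.

```python
from datetime import date

# Constructed sample data (not from the presentation): invoices and the
# goods receipts they should match, keyed by purchase order number.
INVOICES = [
    {"inv": "INV-1", "po": "PO-100", "qty": 10, "amount": 1000.0},
    {"inv": "INV-2", "po": "PO-101", "qty": 5, "amount": 250.0},
    {"inv": "INV-3", "po": "PO-102", "qty": 8, "amount": 9600.0},  # no receipt at all
    {"inv": "INV-4", "po": "PO-103", "qty": 12, "amount": 600.0},  # qty/amount mismatch
]
RECEIPTS = {
    "PO-100": {"qty": 10, "amount": 1000.0},
    "PO-101": {"qty": 5, "amount": 250.0},
    "PO-103": {"qty": 10, "amount": 500.0},
}
THRESHOLD = 5000.0            # constructed materiality threshold for the daily test
RUN_DATE = date(2013, 9, 9)   # the day the test runs; deadline is "resolve same day"
OWNER = "Category Management"

def run_daily_match(invoices, receipts, threshold, run_date):
    """Daily CCM test: detect every non-compliance, above and below the threshold.
    Each exception is assigned to the control owner with a same-day deadline;
    those over the threshold additionally require due-diligence evidence."""
    exceptions = []
    for inv in invoices:
        rcpt = receipts.get(inv["po"])
        if rcpt is None:
            reason = "no goods receipt for PO"
        elif rcpt["qty"] != inv["qty"] or abs(rcpt["amount"] - inv["amount"]) > 0.005:
            reason = (f"receipt {rcpt['qty']} @ {rcpt['amount']:.2f} != "
                      f"invoice {inv['qty']} @ {inv['amount']:.2f}")
        else:
            continue  # three-way match holds; nothing to report
        over = inv["amount"] > threshold
        exceptions.append({
            "invoice": inv["inv"], "po": inv["po"], "reason": reason,
            "over_threshold": over, "evidence_required": over,
            "assigned_to": OWNER, "deadline": run_date.isoformat(),
            "status": "open", "history": [(run_date.isoformat(), "detected")],
        })
    return exceptions

def resolve(exception, action, when, note):
    """Record the remediation action so the exception history is retained as evidence."""
    exception["history"].append((when.isoformat(), f"{action}: {note}"))
    exception["status"] = "resolved"
    return exception
```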

CCM at Each Line of Defense

• Effectively monitor internal controls at the 1st and 2nd lines of defense

• Allow the 3rd line of defense to be confident in its assurance role

• Create a remediation process that minimizes the impact of a control breakdown

• Provide evidence of due diligence for external auditors and regulators

CASE STUDIES OF CCM AT EACH LINE OF DEFENSE

1st Line of Defense

• Canadian energy company since 1917

• Third largest in Ontario

• Over 200,000 residential and commercial customers

• Provides electrical infrastructure design, construction, operations support and maintenance

Reputational Risks

Financial Risks

Verification of Bills

• Reputational risk is the primary concern

• Was using an in-house MS Excel system to verify the accuracy of bills

• Upgraded to smart meters in 2009

• Challenges

– Took 5 hours to process a batch of bills

– Exceptions manually circulated by e-mail

– Impossible to track resolution

– Labour intensive to make changes

The CCM Solution

• Independently calculate bills and identify inaccuracies

• Extract data from other sources, not just the billing system

• Send exceptions in XML format to the bill print system so that those bills are not printed

• Engage users in the Billing Department to resolve issues

• Validate corrections made in core systems

• Maintain a history of exceptions and the actions taken to resolve them
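The bill-verification control described above, as an added example that is not the utility's or CaseWare's code: each bill is recalculated independently from the meter reads and the tariff, compared with what the billing system produced, and every mismatch becomes an exception that is both kept with its history and written out as an XML hold list for the bill print system. The tariff, meter reads, billed amounts and XML element names are all constructed assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed tariff (not the utility's real figures): time-of-use energy
# rates in $/kWh plus a fixed delivery charge per bill.
TARIFF = {"off_peak": 0.067, "mid_peak": 0.104, "on_peak": 0.124}
DELIVERY_CHARGE = 25.00
TOLERANCE = 0.01   # recalculated bill must agree with the billed amount to the cent
RUN_DATE = date(2013, 9, 9)

# Smart-meter reads (kWh per period) from the metering system, and the amounts
# the billing system produced for the same accounts. A1002 is constructed to be wrong.
METER_READS = {
    "A1001": {"off_peak": 300, "mid_peak": 120, "on_peak": 80},
    "A1002": {"off_peak": 410, "mid_peak": 95, "on_peak": 60},
    "A1003": {"off_peak": 210, "mid_peak": 70, "on_peak": 140},
}
BILLED = {"A1001": 67.50, "A1002": 70.03, "A1003": 63.71}

def expected_amount(reads):
    """Independent recalculation of one bill from raw reads and the tariff."""
    energy = sum(reads[period] * TARIFF[period] for period in TARIFF)
    return round(energy + DELIVERY_CHARGE, 2)

def verify_bills(reads_by_account, billed_by_account):
    """Compare every bill against its recalculation; return the exceptions with history."""
    exceptions = []
    for acct, reads in reads_by_account.items():
        expected = expected_amount(reads)
        billed = billed_by_account.get(acct)   # a missing bill is also an exception
        if billed is None or abs(billed - expected) > TOLERANCE:
            exceptions.append({"account": acct, "billed": billed, "expected": expected,
                               "status": "open",
                               "history": [(RUN_DATE.isoformat(), "detected")]})
    return exceptions

def hold_list_xml(exceptions):
    """Exceptions as an XML hold list for the bill print system (constructed schema)."""
    root = ET.Element("hold_list", run_date=RUN_DATE.isoformat())
    for e in exceptions:
        bill = ET.SubElement(root, "bill", account=e["account"], action="do_not_print")
        ET.SubElement(bill, "billed").text = "missing" if e["billed"] is None else f"{e['billed']:.2f}"
        ET.SubElement(bill, "expected").text = f"{e['expected']:.2f}"
    return ET.tostring(root, encoding="unicode")
```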

Results

• Has not had a single public incident

• Accuracy of billing improved significantly

• Billing anomalies automatically distributed

• Bills verified in less than 5 minutes (not 5 hours)

• Bills sent out same day, improving cash flow

• Evidence retained for regulators/auditors

• Labour-intensive manual reviews were eliminated

2nd Line of Defense

Christie's Auction House

• Founded in 1766 by James Christie

• 53 offices in 32 countries

• Prices range from $200 to $80M

Challenges

• Risk and Compliance Group mandated to review 100% of transactions

• Primary area of concern is client accounting

• Needed to ensure that fees and charges are accurate

• Needed to involve the business in timely remediation

The CCM Solution

• Implemented for 40 key controls

• Monitor transactions in near real time

• Covering multiple locations (UK and New York)

• Phase I started in Risk and Compliance, then rolled out to the business

Phase II – Customer Screening

• Important to meet regulatory requirements

• AML and KYC Compliance

• Integrate with World-Check sanction list data for screening

3rd Line of Defense

Challenges

• Several disparate systems

• Many audit scripts

• Emailing exceptions in Excel

• SAP generating many exception reports

• Business struggling to cope

The CCM Solution

• All analytics built in-house by the CM Team

• Covered 30 key controls to start

• CCM implemented for Purchase to Payment in Phase I

• Expanded to the retail business processes in Phase II

• Adopted as the central exception management system (including SAP reports)

Results

• Started in Internal Audit

• Rolled out to business users

• Use action/reason codes to facilitate root cause analysis

• Daily examination of processes

• First year results:

– 5.5 billion transactions covered

– $1.8M in savings

Conclusion

• Internal control effectiveness is positively impacted by collaboration.

• That covers collaboration at all three levels.

• CCM is a compelling vehicle to facilitate a collaborative process.

CONTACT

Andrew Simpson, MBA

Chief Operating Officer

CaseWare RCM Inc.

[email protected]

613.842.9233 ext. 2144