Continuous Auditing D.French


DESCRIPTION

IACON 2010 Presentation on Continuous Audit and Continuous Controls Monitoring


  • 2010 Approva Corporation and Consider Solutions Limited. All rights reserved.

    Dan French - Consider Solutions

    Consider Solutions are the European distribution operation for Approva

    IACON 2010: Taking the Internal Audit Profession Forward

    Continuous Auditing: Technology Enabled Continuous Assurance


    www.iloveagoodaudit.com/


    The value in developing a continuous auditing framework

    Why is continuous auditing important for auditors?

    How does technology aid continuous auditing?

    Monitoring for management use or internal audit?

    Interpreting and reacting on your results

    Learning Points


    Continuous Auditing & Continuous Controls Monitoring

    The Controls Challenge for Management and Audit

    Continuous Auditing in Practice

    Challenges and Best Practices

    Questions and feedback

    Structure


    Continuous auditing is the application of automated tools to provide assurance on financial and non-financial data within a company

    Continuous auditing uses a set of tools to check whether internal controls are functioning to prevent errors and fraud

    A generally accepted definition of "continuous auditing" remains elusive, and expert practitioners remain rare

    32% of 305 organizations have told the Institute of Internal Auditors in the past year that they perform continuous auditing

    In a 2006 PWC survey, 81% of 392 companies said they at least aspired to continuous auditing

    Continuous Controls Monitoring seeks to assure the effectiveness of internal controls, reduce fraud and meet regulatory requirements.

    Continuous Auditing (CA) & Continuous Controls Monitoring (CCM)


    There is much debate on the semantics!

    No, not all risks can be effectively monitored using automation

    Monitoring data and transactions does not necessarily prove that the control is working. But it helps!

    Emerging Continuous Monitoring definitions:

    Application configuration (CCM-AC): Do our systems allow anyone to . . .?

    User access (CCM-SOD): Can anyone . . . . ?

    Master data (CCM-MD): Is the critical static data correct and controlled?

    Transactions (CCM-T): Did anyone . . . ? What was the impact?

    Consistent, Continuous, Complete

    Continuous Auditing (CA) & Continuous Controls Monitoring (CCM): What is the difference?


    Audit & Internal Controls (courtesy BMW AG)


    An Audit Committee Perspective

    The pace of business change continues to increase

    The demands for more rapid and robust reporting will increase

    Technology risk will continue to increase

    The patience of the public, investors and regulators to accept fraud risks will continue to grow thin

    The demand for independent, rapid assurance will continue to grow

    We are entering a new Age. We need constant, not periodic, visibility


    Drivers for Change

    Maintenance of continuous state of audit requires:

    Provide immediate insight into control violations

    Increase audit scope and frequency while reducing costs

    From manual to fully automated control testing with integrated view on risks

    Reduce recurrent testing/review cost significantly, while focusing on more added value areas

    Enterprise risk and controls coverage across all processes and applications

    Increasing complexity and integration of systems requires new control methods and tools


    Vision: Current approach vs. New approach

    Current approach: Periodic, mainly manual reviews and audits of systems and processes
    New approach: Continuous testing via predefined rules and tools; broader and deeper scope of testing

    Current approach: Sample based manual and computer aided testing
    New approach: Exception based automated monitoring

    Current approach: Multiple controls and tools to cover one control objective or risk
    New approach: Optimisation of controls and testing in integrated tool set

    Current approach: Inconsistent, decentralized tools and testing
    New approach: Local controls and testing derived from common consistent global rules

    Current approach: Mainly focused on regulatory control objectives
    New approach: Extension to other risk areas (operational risks, extend fraud detection, other compliance risks); further business improvement opportunities

    Global centralized, standardized and integrated controls management and testing that helps:

    Realize efficiency gains through automated and continuous control monitoring

    Increase coverage and scope of controls to areas not sufficiently covered today

    Embed controls in business processes


    Over the Last 5 Years Risk Management Has Jumped to the Top of the CFO's Agenda

    Which of These Company-Wide Initiatives Are Very Important or Critically Important to CFOs?

    [Chart: 2010 vs. 2005 responses for: Measuring/monitoring business performance; Providing inputs into enterprise strategy; Driving enterprise cost reduction; Supporting/managing/mitigating enterprise risk; Driving integration of information across the enterprise. Callout: 93% increase.]

    Source: IBM CFO Survey, 2010


    But CFOs Say a Significant Gap Remains Between the Effectiveness & Importance of Internal Controls

    How Would You Rate the Importance vs. the Effectiveness of These Cross-Enterprise Activities?

    [Chart: Importance vs. Effectiveness for: Executing continuous finance process improvements; Strengthening compliance programs & internal controls; Driving Finance cost reduction; Supporting/managing/mitigating enterprise risk. Gap callouts: 28% Gap, 16% Gap, 23% Gap.]

    Source: IBM CFO Survey, 2010


    The Vast Majority of Organizations Rely on Manual Methods to Validate The Effectiveness of Their Controls


    Mostly periodic manual checks/ standard reports

    Mix of regular manual & automated checks

    Mix of real-time, manual & automated checks

    Mostly real-time automated checks & dashboards

    Others/not sure

    What Methods Do You Use to Provide Management Assurance of Your Controls?

    Source: KPMG Continuous Monitoring & Continuous Auditing Survey, 2010


    The Controls Challenge for Management & Audit

    Processes

    Multiple Risks, Multiple Data Sources

    What is supposed to happen?

    What actually does happen?

    Processes are ignored or circumvented

    Policies cannot be cost-effectively enforced


    CFOs have invested tens of millions in ERP / Finance Systems to drive:

    Process and control standardisation

    Business efficiency

    Economies of scale

    However, only some of the value has been released . . .

    Many businesses have implemented ERP and achieved:

    A standard data input process and control

    BUT NOT

    A standard business process or control

    The myth of standardisation & control in systems


    Example standard business process

    ERP is configured to only allow GR if PO exists, however:

    1. Truck drops off shipment, but no PO exists

    2. Warehouse worker calls up purchasing to create a PO

    3. Purchasing creates PO for Shipment

    4. GR is created against PO

    The myth of automated business controls in ERP


    Neither management nor audit can rely on system configured controls (automated business controls) alone;

    For key controls of high risk or high impact, we need:

    Monitoring and Prevention of high risk Segregation of Duties issues

    Monitoring of configured control, where it exists

    Monitoring of related master data for specific changes

    Monitoring of specific business activities/transactions outside accepted or expected boundaries

    This gives 360 degree business control visibility for management and audit

    Consistent, Continuous, Complete

    Fixing the myth of standardisation & control in systems


    Continuous monitoring catches things that just don't typically get found in entirety, including:

    Changes to Bank Account details

    Change in payment terms or prices on specific orders

    Approvals to key changes (such as terms and prices)

    SoD checks at the individual level e.g., POs created and released by same person, GR created by same person as approved the PO.

    Deliveries with no reference to a Sales Order

    Over deliveries

    Sales Orders for Customers over Credit Limit

    Duplicate payments

    Unusual GL postings

    Multiple POs to avoid signoff limits

    Nominal value PRs to make the process work

    Consistent, Continuous, Complete Testing
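
    Three of the transaction-level checks listed on this slide (individual SoD, multiple POs under a signoff limit, duplicate payments), written as exception rules over constructed records. This is an added example, not code from the presentation or from any Approva product; the field names, the 10,000 signoff limit, the 3-day window and treating the PO releaser as its approver are assumptions.

```python
from collections import defaultdict
from datetime import date

SIGNOFF_LIMIT = 10_000   # assumed approval threshold (not from the slides)
SPLIT_WINDOW_DAYS = 3    # assumed window in which related POs count as a split

# Constructed sample records; field names are hypothetical, not an ERP schema.
PURCHASE_ORDERS = [
    {"po": "PO-1", "vendor": "V100", "amount": 9500, "date": date(2010, 3, 1),
     "created_by": "alice", "released_by": "bob", "gr_by": "carol"},
    {"po": "PO-2", "vendor": "V100", "amount": 9800, "date": date(2010, 3, 2),
     "created_by": "alice", "released_by": "bob", "gr_by": "carol"},
    {"po": "PO-3", "vendor": "V200", "amount": 4000, "date": date(2010, 3, 5),
     "created_by": "dave", "released_by": "dave", "gr_by": "erin"},
    {"po": "PO-4", "vendor": "V300", "amount": 1200, "date": date(2010, 3, 9),
     "created_by": "erin", "released_by": "frank", "gr_by": "frank"},
]
PAYMENTS = [
    {"pay": "P-1", "vendor": "V200", "invoice": "INV-77", "amount": 4000},
    {"pay": "P-2", "vendor": "V200", "invoice": "inv-77 ", "amount": 4000},
    {"pay": "P-3", "vendor": "V300", "invoice": "INV-90", "amount": 1200},
]


def sod_violations(pos):
    """SoD at the individual level: same user on two incompatible steps of one PO."""
    found = []
    for p in pos:
        if p["created_by"] == p["released_by"]:
            found.append((p["po"], "PO created and released by same person"))
        if p["gr_by"] == p["released_by"]:  # releaser treated as approver (assumption)
            found.append((p["po"], "GR created by the person who approved the PO"))
    return found


def split_pos(pos, limit=SIGNOFF_LIMIT, window=SPLIT_WINDOW_DAYS):
    """POs by one creator to one vendor, each under the limit, jointly over it."""
    groups = defaultdict(list)
    for p in pos:
        if p["amount"] < limit:
            groups[(p["created_by"], p["vendor"])].append(p)
    flagged = []
    for items in groups.values():
        items.sort(key=lambda p: p["date"])
        start = 0
        for end in range(len(items)):  # sliding window over date-sorted POs
            while (items[end]["date"] - items[start]["date"]).days > window:
                start += 1
            chunk = items[start:end + 1]
            if len(chunk) > 1 and sum(p["amount"] for p in chunk) > limit:
                flagged.append(tuple(p["po"] for p in chunk))
    return flagged


def duplicate_payments(payments):
    """Payments sharing vendor, normalised invoice reference and amount."""
    seen = defaultdict(list)
    for p in payments:
        seen[(p["vendor"], p["invoice"].strip().upper(), p["amount"])].append(p["pay"])
    return [ids for ids in seen.values() if len(ids) > 1]


if __name__ == "__main__":
    print(sod_violations(PURCHASE_ORDERS))
    print(split_pos(PURCHASE_ORDERS))
    print(duplicate_payments(PAYMENTS))
```

    Run over every record rather than a sample, rules of this kind surface each exception, which is why exception volume rises compared with periodic sampling.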


    CA/CCM Landscape is Confusing

    [Diagram: GRC Components & Related Services]

    Layers: Governance Layer; Risk/Compliance Layer; Business/Performance Layer; Continuous Monitoring Layer; IT Infrastructure Layer

    Layer purposes as labelled: Align Performance With Corporate Objectives; Establish The Rules For Business Operations; Assure That Information Is Properly Controlled; Provide Insight & Perform Specialized Functions; Assure That Operations Follow Set Policies and Expectations

    Business functions: ERP, Finance, HR, Sales, Supply Chain, Manuf. Ops., LOB

    Industries: Pharma, Retail, Healthcare, Transportation, Manufacturing, Financial Services, Energy

    Regulations: SOX, Basel II, HIPAA, FCPA, J-SOX, PCI, Others

    Continuous Control Monitoring (CCM), Testing & Enforcement: Application Configuration (CCM-AC), User Access (CCM-SOD), Master Data (CCM-MD), Transactions (CCM-T)

    IT Control Monitoring, Testing & Enforcement: Networks, Web, E-mail, Servers, Storage

    Other components: Policy, procedure & control definition; Automated testing; Corporate Reporting; Documentation / Alignment / Rationalization; Enterprise Risk; E-Discovery; Issue & Resolution Management; Audit Management


    Continuous Auditing in Practice


    User Access Exceptions


    Business Process Exceptions


    Process Exceptions drilldown into specific issues


    Process Exceptions drilldown duplicate vendor


    Continuous Monitoring helps Risk Assessment

    Value of Returned Goods by Location


    . . . and helps drive Business Improvement

    Open Sales Orders Not Shipped

  • 2009 Approva Corporation. All rights reserved.


    Case Study: Continuous Auditing Approach

    75% Automation of Audit Tests

    25% Automated With Out-of-the-Box Rules

    25% Automated by Configuring New CCM/CA Rules

    25% Automated by Re-Engineering Audit Plan Controls

    25% Not Possible to Automate

    Approach

    Systematically examine each Audit Action Sheet, the audit approach, and the audit objectives

    Design an automation and continuous monitoring method, achieving the same audit objectives while leveraging CCM/CA

    Identify and validate automation opportunities in 4 key areas:

    1. CCM/CA out-of-the-box rules

    2. Configure new rules

    3. Re-engineer manual AAS tests

    4. Not possible to automate


    Continuous Auditing / Continuous Controls Monitoring

    Can target up to 60-70% of key controls

    But, it can be complex

    Many Moving Parts, including . . .

    Technology

    Potentially broad controls and data scope

    Multiple systems and processes

    Geography, Lines of Business, Organisations & Plants

    Managing Stakeholders & Expectations

    Reporting and actioning exceptions and issues

    Human impact of continuous monitoring

    Invariably involves change!

    2008 Approva Corporation. All rights reserved


    Some Specific Recommendations (1)

    Be clear and get agreement on ownership and sponsorship

    Start simple, narrow risk focussed scope with quantifiable value

    Prioritise based on business risk and suitability for automation ... HIGH / HIGHs are the sweet spot

    Develop a plan for iterative refinement of entire process. Deploy ... use ... learn ... review ... refine ... extend. Increase breadth in controlled stages.

    Review current beliefs and practices in light of each iteration. Is there a better way to test this control or manage this risk?

    Deeply engage the business / control owners as part of the assessment / development / testing processes

    Be aware that continuous monitoring WILL find more exceptions than periodic sampling. Communicate well and often.

    2006 Approva Corporation. All rights reserved


    Some Specific Recommendations (2)

    Implement a robust rule configuration methodology involving required skills. Structured but iterative approach works well.

    Define a robust rule testing strategy which closely involves the business / control owners.

    Define and agree business deployment strategy before rolling out. e.g. practical information dissemination and alerting strategy that makes it easy for the stakeholders. Work out how the stakeholders will use the output, confirm priority of exceptions, and agree types of actions needed.

    Reporting: Ensure the content is filtered appropriately for the target community so they only see relevant information. Ensure report output is appropriate for the target community.


    Work Streams to consider when Planning

    CCM/CA Project

    Vision & objectives setting and stakeholder buy-in

    Narrow Path Pilot to develop and test full cycle controls testing from control confirmation to business action and remediation

    Extend to next LOB, geography, control set

    Iterate

    Don't invest in technology until you have proven the value in a Narrow Path Pilot . . .


    Implementation Considerations

    Planning & Management

    Roll-Out & Follow-On Planning

    Controls Definition & Optimization

    IT Planning & Operability

    Information Dissemination & Exception Action Planning

    Pilot Business As Usual on Narrow Path Scope


    The Business Case: The vision and rationale

    Enable a comprehensive controls testing environment for optimised risk coverage, visibility of control effectiveness, elimination of fraud and waste and process (& system) simplification and standardisation

    Tangible benefits of Continuous Audit

    Cost savings OR Cost avoidance

    Internal Audit Effort

    External Audit Effort

    Finance Effort

    IT Effort

    Other External effort

    Both centrally and locally (often disguised in other activities)

    Improved risk profile 100% control testing

    Efficiencies and cost savings in core business processes

    Operational intelligence for business exceptions

    Driving process standardisation and economies of scale


    Companies Expect to See Significant Benefits From Their Deployment of CCM Applications

    In What Areas Do You Expect to See the Most Significant Benefits With CCM Applications?

    Source: AMR Research, 2009


    Stakeholder views on CCM/CA

    CFO / Finance

    Internal Audit

    CIO/IT

    Compliance/ Risk

    Increased business efficiency

    Reduced risk of adverse audit findings & fraud

    Reduced testing time for routine controls

    Improved internal auditor utilization

    Reduced time to support audits

    Reduced IT cost of ownership

    Improved visibility into key risks

    Reduced time and cost for monitoring controls


    Complementary Business Goals of Continuous Auditing & Continuous Monitoring

    [Chart. Axis labels: Operational Benefits (continuous monitoring); Audit Benefits (continuous auditing); Value]

    Chart labels: Reduced Audit Costs; Automated Audit Testing; Reduced Audit Preparation Costs; Improved Audit Quality & Effectiveness; Business Process Optimization; Financial Reporting Accuracy; Fraud Prevention; Performance Management; Transaction Processing Costs; Performance Improvement; Performance & Strategy; Regulatory Compliance; Risk Management & Operational Improvement; Cash Leaks


    More than 50% of Organizations Are Considering or Piloting Continuous Auditing & Monitoring Tools

    Not at all or don't know

    How Widespread Is the Use of Technology to Support Continuous Auditing & Continuous Monitoring?

    Use standard reporting (e.g. from ERP system)

    Considering the use of dedicated auditing & monitoring tools

    Limited/pilot use of dedicated auditing & monitoring tools

    Widespread use of dedicated auditing & monitoring tools

    Source: KPMG Continuous Monitoring & Continuous Auditing Survey, 2010


    The Value of Effective, Assured Controls

    Better risk identification, mitigation and management

    Knowledge that the business runs as advertised

    Revenue is solid, cash is collected, expenses are valid, tax position is correct, accrual values are fair, waste & fraud is eliminated

    Stakeholders (internal and external) have greater confidence in results, operations, controls and management

    So the question remains;

    is continuous, automated testing more cost effective?


    In God we trust . . . .

    Everyone else gets (continuously) audited!


    Contact Details

    [email protected]

    Questions?

    www.iloveagoodaudit.com/
