Practical Issues of Implementing Continuous Assurance Systems
Presented by John Verver CA, CISA, CMC to the 5th Continuous Assurance Symposium, November 22-23 2002

Status of use of continuous assurance implementations.

What is meant by “continuous”?

The practical issues of integrating continuous auditing/monitoring procedures to the data and the underlying application.

Defining the control parameters to be tested.

Setting the thresholds for reporting and priorities for notifications.

Software functionality required to support continuous monitoring

Implementing Continuous Assurance Systems

Status of continuous assurance implementations within the ACL user base:

ACL user base includes over 150,000 licensed users:

The Final 4

89 of the Fortune 100

44% of the Global 500

30+ national governments and virtually all US state governments

Very few organizations have fully embedded and automated continuous auditing/monitoring applications

Most “Continuous Monitoring applications” are simply series of automated data analysis tests that are run on a regular basis, and are manually initiated - not true continuous applications. E.g.:

Detecting indicators of fraud

Identifying duplicate and other overpayments

Continuous Assurance Systems

“Continuous” Assurance Applications:

Automated analyses that test transactional data against defined control parameters/rules

Generally independent of the underlying business application system

Run automatically on a daily / weekly basis – (occasionally more frequently)

Automatically generate exception reports / alerts

Detective more than preventative

Continuous Assurance Systems

Most common application areas among ACL user base:

General business process:

Purchase / Payments cycle

Vendor fraud

Expense claims

Industry-specific

Money laundering, anti-terrorist legislation

Insurance claims

Medicare/Medicaid compliance

Continuous Assurance Systems

Continuous Monitoring Application

Independent, comprehensive series of control tests

Diagram: Payments system and Continuous Monitoring system

Why are they needed?:

Confirmation that controls built into application systems are operating effectively

Make up for lack of controls in application systems

Continuous Assurance Systems

Getting to the data:

Direct access vs extract

Direct access to mainframe / server data usually preferable

Data extract may be preferable to minimise processing impact

Define the “data slice”

Decide on the point at which to take the slice (Time-based? Process-based? – depends on underlying application system and timing of CA process)

Ensure that all transactions are captured since the last test process

Continuous Assurance Systems

Diagram: example money-laundering monitoring application. Source data are DDA files (DB/2), customer names / Account Master, and Daily Account History. An ACL daily extract / monitoring process, launched by JCL and Windows schedulers, runs on ACL for OS/390 Client Server with control parameters defined within the ACL “rules-engine” (alert sensitivity adjustable). Output is a file of suspect transactions, a processing log, and reports and alerts distributed by e-mail (lower-priority reports, high-priority alerts). Additional analysis of suspect transactions is done by ACL for Windows on the client.

Establishing the control parameters:

Identify specific control exposures

Identify indicators of risk

Use transactional analysis to determine whether conditions exist for which no controls have been designed or no risks identified

Define specific control parameters / tests

Establish sensitivity thresholds for reporting and alerts

“Scoring/weighting” of events dependent upon the combination of control parameters that are failed and indicators of risk
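The data-slice and control-parameter steps above, as an added worked example that is not from the presentation or from ACL: a run-based slice taken from a high-water mark so no transaction between runs is missed, a small assumed rule set with weights, scoring per record, and a sensitivity threshold that routes events to high-priority alerts or lower-priority reports. The payment records, the three rules and their weights are all constructed for illustration.

```python
from collections import Counter

# Constructed sample vendor payments (hypothetical, not data from the page).
# ISO-8601 timestamps compare correctly as strings, so no date parsing is needed.
PAYMENTS = [
    {"id": "P1", "vendor": "V100", "amount": 9800.0, "posted": "2002-11-21T09:00"},
    {"id": "P2", "vendor": "V100", "amount": 9800.0, "posted": "2002-11-21T09:05"},
    {"id": "P3", "vendor": "V200", "amount": 250.0, "posted": "2002-11-21T15:30"},
    {"id": "P4", "vendor": "V300", "amount": 52000.0, "posted": "2002-11-22T08:10"},
    {"id": "P5", "vendor": "V300", "amount": 100.0, "posted": "2002-11-22T08:12"},
    {"id": "P6", "vendor": "V200", "amount": 250.0, "posted": "2002-11-22T10:00"},
]

# Assumed control parameters with scoring weights (higher = stronger risk indicator).
RULES = {
    "duplicate_payment": 3,    # same vendor and amount seen more than once
    "over_approval_limit": 2,  # above an assumed single-approval limit of 50,000
    "split_below_10000": 1,    # just under an assumed review threshold of 10,000
}

def take_slice(records, last_run, now):
    """Process-based slice: everything posted after the previous run's
    high-water mark up to this run, so nothing between runs is skipped."""
    return [r for r in records if last_run < r["posted"] <= now]

def evaluate(records, last_run, now, alert_threshold=3):
    """Score each new record against the rules; return (alerts, reports)."""
    new = take_slice(records, last_run, now)
    # The duplicate test looks at full history up to now, not just this slice,
    # so a pair split across two runs still fires on the later payment.
    seen = Counter((r["vendor"], r["amount"]) for r in records if r["posted"] <= now)
    alerts, reports = [], []
    for r in new:
        failed = []
        if seen[(r["vendor"], r["amount"])] > 1:
            failed.append("duplicate_payment")
        if r["amount"] > 50000:
            failed.append("over_approval_limit")
        if 9000 <= r["amount"] < 10000:
            failed.append("split_below_10000")
        score = sum(RULES[f] for f in failed)
        # Sensitivity threshold decides the notification route; score 0 is silent.
        if score >= alert_threshold:
            alerts.append((r["id"], score, failed))
        elif score > 0:
            reports.append((r["id"], score, failed))
    return alerts, reports

if __name__ == "__main__":
    print(evaluate(PAYMENTS, "2002-11-21T00:00", "2002-11-21T23:59"))
    print(evaluate(PAYMENTS, "2002-11-21T23:59", "2002-11-22T23:59"))
```

Lowering `alert_threshold` to 2 is the “adjust alert sensitivity” knob: the over-limit payment moves from the lower-priority report to a high-priority alert.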

Continuous Assurance Systems

ACL functionality that supports Continuous Assurance applications:

Analytical and inquiry processes that support audit and control procedures

Direct data access e.g. ACL OS/390 Client Server

Direct Link for SAP R/3

ODBC-compliant databases

NOTIFY – e-mail notification of reports and alerts

Complete logging of processes

Definition of control parameters (“rules-engine”)

Development of interactive and automated applications

Continuous Assurance Systems

Example of interface for tuning monitoring parameters (screenshot)

Note: This amount can be modified from the parameters menu.

Example of ACL Notify command (screenshot)