Practical Issues of Implementing Continuous Assurance Systems. Presented by John Verver CA, CISA, CMC to the 5th Continuous Assurance Symposium, November 22-23 2002. Implementing Continuous Assurance Systems. Status of use of continuous assurance implementations. - PowerPoint PPT Presentation
Practical Issues of Implementing Continuous Assurance Systems
Presented by John Verver CA, CISA, CMC to the 5th Continuous Assurance Symposium, November 22-23 2002
Status of use of continuous assurance implementations.
What is meant by “continuous”?
The practical issues of integrating continuous auditing/monitoring procedures to the data and the underlying application.
Defining the control parameters to be tested.
Setting the thresholds for reporting and priorities for notifications.
Software functionality required to support continuous monitoring
Implementing Continuous Assurance Systems
Status of continuous assurance implementations within the ACL user base:
ACL user base includes over 150,000 licensed users: The Final 4
89 of the Fortune 100
44% of the Global 500
30+ national governments and virtually all US state governments
Very few organizations have fully embedded and automated continuous auditing/monitoring applications
Most “Continuous Monitoring applications” are simply series of automated data analysis tests that are run on a regular basis and are manually initiated - not true continuous applications, e.g.:
Detecting indicators of fraud
Identifying duplicate and other overpayments
Continuous Assurance Systems
“Continuous” Assurance Applications: Automated analyses that test transactional data against defined control parameters/rules
Generally independent of the underlying business application system
Run automatically on a daily / weekly basis – (occasionally more frequently)
Automatically generate exception reports / alerts
Detective more than preventative
Continuous Assurance Systems
Most common application areas among ACL user base:
General business process:
Purchase / Payments cycle
Vendor fraud
Expense claims
Industry-specific
Money laundering, anti-terrorist legislation
Insurance claims
Medicare/Medicaid compliance
Continuous Assurance Systems
Continuous Monitoring Application
Independent, comprehensive series of control tests
Payments system Continuous Monitoring system
Why are they needed?: Confirmation that controls built into application systems are operating effectively
Make up for lack of controls in application systems
Continuous Assurance Systems
Getting to the data: Direct access vs extract
Direct access to mainframe / server data usually preferable
Data extract may be preferable to minimise processing impact
Define the “data slice”
Decide on the point at which to take the slice (Time-based? Process-based? – depends on underlying application system and timing of CA process)
Ensure that all transactions are captured since the last test process
Continuous Assurance Systems
[Diagram: money-laundering monitoring application]
Data: DDA files (DB/2); Customer names, Account Master, Daily Account History
Mainframe side: ACL for OS/390 Client Server; Windows side: ACL for Windows Client
Control parameters defined within the ACL “rules-engine”; alert sensitivity adjusted there
Process: ACL daily extract / monitoring process launched by JCL and Windows schedulers
Outputs: file of suspect transactions (with additional analysis by ACL of suspect transactions); reports and alerts distributed by e-mail (lower-priority reports, high-priority alerts); processing log
Establishing the control parameters:
Identify specific control exposures
Identify indicators of risk
Use transactional analysis to determine if conditions exist for which no controls have been designed / no risks identified
Define specific control parameters / tests
Establish sensitivity thresholds for reporting and alerts
“Scoring/weighting” of events dependent upon the combination of control parameters that are failed and indicators of risk
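As an added example (not ACL's code and not part of the presentation), the cycle from the “Getting to the data” slide and the parameter, threshold and scoring steps above in Python: take the slice of transactions recorded since the last run, apply weighted control tests, and route exceptions to high-priority alerts or a lower-priority report. The transaction records, control parameters, weights and threshold are constructed values.

```python
"""Added example (not ACL's or the presentation's code): one scheduled
rules-engine pass over a time-based data slice. All values are constructed."""
from collections import Counter
from datetime import datetime

LAST_RUN = datetime(2002, 11, 21, 23, 59)  # watermark left by the previous test process
# Constructed payment records; the last one predates the watermark and was tested already.
TXNS = [
    {"id": 1, "ts": datetime(2002, 11, 22, 9, 5), "vendor": "V100", "invoice": "A1", "amount": 9800.0},
    {"id": 2, "ts": datetime(2002, 11, 22, 9, 6), "vendor": "V100", "invoice": "A1", "amount": 9800.0},
    {"id": 3, "ts": datetime(2002, 11, 22, 19, 30), "vendor": "V200", "invoice": "B7", "amount": 150.0},
    {"id": 4, "ts": datetime(2002, 11, 21, 18, 0), "vendor": "V300", "invoice": "C2", "amount": 50000.0},
]
# Hypothetical control parameters: auditor-tuned limits and weights per test.
PARAMS = {
    "amount_over_limit": {"limit": 5000.0, "weight": 2},
    "duplicate_invoice": {"weight": 3},
    "non_business_hours": {"weight": 1},
}
ALERT_THRESHOLD = 4  # sensitivity: total score at which an exception becomes a high-priority alert

def take_slice(txns, since):
    """Time-based slice: everything recorded after the watermark, so nothing is skipped between runs.
    A record stamped exactly at the watermark would be missed; real systems cut on a sequence number."""
    return [t for t in txns if t["ts"] > since]

def score(txn, dup_counts):
    """Apply each control test to one transaction; return (weighted score, failed parameters)."""
    failed = []
    if txn["amount"] > PARAMS["amount_over_limit"]["limit"]:
        failed.append("amount_over_limit")
    if dup_counts[(txn["vendor"], txn["invoice"], txn["amount"])] > 1:
        failed.append("duplicate_invoice")
    if not 8 <= txn["ts"].hour < 18:
        failed.append("non_business_hours")
    return sum(PARAMS[f]["weight"] for f in failed), failed

def run_monitoring(txns, since, threshold=ALERT_THRESHOLD):
    """One pass: route scored exceptions to alerts or the lower-priority report; return the new watermark."""
    window = take_slice(txns, since)
    dups = Counter((t["vendor"], t["invoice"], t["amount"]) for t in window)  # duplicates within this slice only
    alerts, report = [], []
    for t in window:
        s, failed = score(t, dups)
        if s == 0:
            continue  # passed every control test: nothing to report
        (alerts if s >= threshold else report).append({"id": t["id"], "score": s, "failed": failed})
    return alerts, report, max((t["ts"] for t in window), default=since)
```

Duplicate detection here only sees the current slice; a scheduled process that must catch a repeat paid in a later run keeps the earlier keys in a persistent store and checks against them.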
Continuous Assurance Systems
ACL functionality that supports Continuous Assurance applications:
Analytical and inquiry processes that support audit and control procedures
Direct data access e.g. ACL OS/390 Client Server
Direct Link for SAP R/3
ODBC-compliant databases
NOTIFY – e-mail notification of reports and alerts
Complete logging of processes
Definition of control parameters (“rules-engine”)
Development of interactive and automated applications
Continuous Assurance Systems
Example of interface for tuning monitoring parameters
Note: This amount can be modified from the parameters menu.