Continuous Auditing / Continuous Monitoring to Manage Risk and Performance


Slide 1: Continuous Auditing / Continuous Monitoring to Manage Risk and Performance

Independence notice: The full scope of services within the Continuous Auditing / Continuous Monitoring (CACM) Methodology Guide is not permissible for SEC audit clients and IFAC PIE clients and their affiliates. CACM services are generally permissible for IFAC non-PIE audit clients, subject to evaluating engagement circumstances using the conceptual framework (i.e. the threats and safeguards approach) as outlined in the Global Quality & Risk Management Manual, Chapter 11. Refer to the Independence guidance slides of the CACM Methodology Guide for detailed guidance. The Independence guidance was updated (the date is not present in this transcription); the remaining content is unchanged.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. KPMG and the KPMG logo are registered trademarks of KPMG International Cooperative ("KPMG International"), a Swiss entity.

Slide 2: Agenda

- Appetite for CA/CM
- Background on CA/CM
- CA/CM Overview
- Drivers Influencing CA/CM Strategies
- An Illustration of CA/CM
- Why implement CA/CM?
- Challenges and Requirements for Implementation
- How do we get Started? Implementation of CA/CM
- Dimensions of CA/CM
- Enabling with Technology
- Sample Implementation Model
- The Value Proposition
- Key Success Factors of CA/CM
- How can KPMG help?

Slide 3: Appetite for CA/CM - Survey Data

Risk and Control Innovations, Next Three Years: survey of 435 senior executives. (The chart itself is not reproduced in the transcription.)

Discussion question: what risk and control innovation themes exist in your organization?

Slide 4: Background on CA/CM - What is different this time?

Historical (a theoretical concept, mostly an academic view):
- lacked executive support
- technologically cumbersome
- too costly to implement
- lack of skills
- compliance-based auditing

Current:
- significant advances in technology
- practical and realistic
- aligning frequency to risks
- business and value drivers more evident
- technology options are becoming cost effective
- evolving skills in the internal audit function

Discussion question: what is different for you; is the concept becoming a reality?

Slide 5: CA/CM Overview - Definitions

Continuous Assurance: providing a continuous or on-demand assurance opinion on systems or transactions.

Continuous Auditing: the collection of audit evidence and indicators, by an internal or external auditor, on IT systems, processes, transactions and controls on a frequent or continuous basis throughout a period.

Continuous Monitoring: an automated feedback mechanism used by management to help ensure that systems and controls operate as designed and transactions are processed as prescribed.

Discussion question: how is your organization defining the CA/CM initiative?

Slide 6: CA/CM Overview - Objectives

Continuous Auditing (performed by Internal Audit):
- gain audit evidence more effectively and efficiently
- react in a more timely way to business risks
- leverage technology to perform more efficient internal audits
- focus audits more specifically
- help monitor compliance with policies, procedures and regulations

Continuous Monitoring (responsibility of Management):
- improved governance
- increased visibility into operations
- better information for day-to-day decision making
- reduced cost of controls
- leverage technology to create efficiencies
- become more valuable to the business

Slide 7: Drivers Influencing CA/CM Strategies

CA/CM strategy is influenced by a variety of strategic, operational and external drivers. The slide shows them as three groups feeding the CA/CM strategy (the assignment of each driver to a group is not recoverable from the transcription):
- occurrence or risk of fraud
- pressure to improve governance
- need to improve performance and accountability
- globalization
- scrutiny from rating agencies and listing standards
- ERP conversion
- expanding regulatory and legal risk environment
- desire to reduce SOX costs
- improved leverage of IT investments
- uncertain economic environment increasing business risk

Discussion question: what are the drivers influencing CA/CM in your organization?

Slide 8: An Illustration of CA/CM - Let's put this into perspective (quick example)

Risk: quality of customer balances.

Continuous Auditing: alert the internal audit department when all of the following hold:
- credit limit exceeded by more than 10 percent, AND
- credit limit has been exceeded for more than 15 days, AND
- no payments made by the customer, AND
- a new shipment has been made to the customer.

Continuous Monitoring:
- alert when the credit limit is exceeded by 5 percent
- alert when changes are made to customer credit limits in the master file.

Both strategies give management indicators of issues as they arise, allowing for pro-active rather than reactive action. Note the division of labour: the monitoring rules use a looser threshold and fire on a single condition so management can act early, while the audit rule requires the full conjunction of indicators before it consumes internal audit attention.
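The two rule tiers above, as an added example that is not KPMG's code or tooling: the same constructed customer records are run through a continuous-monitoring function (single-condition, 5 percent tolerance, plus master-file changes to the credit limit) and a continuous-auditing function (all four conditions, 10 percent and 15 days). The record layout, the sample data, and the reading of "no payments" as no payment since the limit was first exceeded and "new shipment" as a shipment after that date are assumptions.

```python
"""Added example (not KPMG's code): the customer-balance CA/CM rules from the
slide, run over constructed data. Field names and the reading of "no payments"
(none since the limit was first exceeded) and "new shipment" (shipped after the
limit was first exceeded) are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Customer:
    customer_id: str
    credit_limit: float
    balance: float
    over_limit_since: Optional[date]  # first day the balance exceeded the limit
    last_payment: Optional[date]
    last_shipment: Optional[date]


@dataclass
class MasterChange:
    customer_id: str
    field: str
    old_value: str
    new_value: str
    changed_by: str
    changed_on: date


Alert = Tuple[str, str, str]  # (rule, customer_id, detail)


def cm_alerts(customers: List[Customer], changes: List[MasterChange],
              tolerance: float = 0.05) -> List[Alert]:
    """Continuous monitoring (management): single-condition early warnings."""
    alerts: List[Alert] = []
    for c in customers:
        if c.balance > c.credit_limit * (1 + tolerance):
            pct = (c.balance - c.credit_limit) / c.credit_limit
            alerts.append(("CM-OVER-LIMIT", c.customer_id,
                           f"balance {c.balance:.2f} exceeds limit {c.credit_limit:.2f} by {pct:.0%}"))
    for ch in changes:
        if ch.field == "credit_limit":  # any edit to the limit in the master file
            alerts.append(("CM-MASTER-CHANGE", ch.customer_id,
                           f"credit_limit {ch.old_value} -> {ch.new_value} "
                           f"by {ch.changed_by} on {ch.changed_on}"))
    return alerts


def ca_alerts(customers: List[Customer], as_of: date,
              tolerance: float = 0.10, max_days_over: int = 15) -> List[Alert]:
    """Continuous auditing (internal audit): all four conditions must hold (AND)."""
    alerts: List[Alert] = []
    for c in customers:
        if c.over_limit_since is None:
            continue
        over_by_pct = c.balance > c.credit_limit * (1 + tolerance)
        days_over = (as_of - c.over_limit_since).days
        no_payment = c.last_payment is None or c.last_payment < c.over_limit_since
        new_shipment = c.last_shipment is not None and c.last_shipment >= c.over_limit_since
        if over_by_pct and days_over > max_days_over and no_payment and new_shipment:
            alerts.append(("CA-CREDIT-EXPOSURE", c.customer_id,
                           f"{days_over} days over limit, no payment, shipped {c.last_shipment}"))
    return alerts


# Constructed sample data (not real customers).
AS_OF = date(2024, 3, 31)
CUSTOMERS = [
    Customer("C100", 10000.0, 11200.0, date(2024, 3, 1), date(2024, 2, 15), date(2024, 3, 20)),
    Customer("C200", 5000.0, 5300.0, date(2024, 3, 25), date(2024, 3, 10), date(2024, 3, 26)),
    Customer("C300", 8000.0, 9000.0, date(2024, 3, 1), date(2024, 3, 15), date(2024, 3, 18)),
    Customer("C400", 20000.0, 15000.0, None, date(2024, 3, 28), date(2024, 3, 29)),
]
CHANGES = [
    MasterChange("C200", "credit_limit", "4000", "5000", "jsmith", date(2024, 3, 24)),
    MasterChange("C400", "address", "1 Old St", "2 New St", "kchan", date(2024, 3, 27)),
]


def run_example() -> Tuple[List[Alert], List[Alert]]:
    """Returns (management alerts, internal audit alerts) for the sample data."""
    return cm_alerts(CUSTOMERS, CHANGES), ca_alerts(CUSTOMERS, AS_OF)


if __name__ == "__main__":
    cm, ca = run_example()
    for alert in cm + ca:
        print(*alert, sep=" | ")
```

On the sample data management sees three over-limit customers plus the credit-limit edit on C200, while internal audit sees only C100: C300 is over by more than 10 percent for 30 days but has paid since, and C200 is over by only 6 percent. The master-file rule matters because a raised limit is the easiest way to make an over-limit customer disappear from the balance rule.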

Slide 9: Let's put this into perspective - Quick examples

Risk: possible fictitious vendor.

Continuous Monitoring (each indicator checked on its own):
- vendor address matches a commercial mail receiving agency (CMRA)
- multiple, similar vendor names with different vendor IDs in the vendor master file
- vendor Taxpayer ID matches an employee Social Security Number (SSN)
- vendor telephone number appears to be a mobile telephone number.

Continuous Auditing: alert the internal audit department when a combination (AND/OR) of the following holds:
- address matching a risk profile (seasonal, prison, CMRA, etc.)
- labeled as a one-time vendor
- taxpayer ID matches an employee SSN
- telephone number matches an employee's.

Slide 10: An Illustration - End-to-end CA/CM process from a technical perspective

Components shown: data servers and databases; the CA/CM tool; a mail server; a web server hosting a CA dashboard (used by the auditor) and a CM dashboard (used by the line manager); audit work papers; and a tool manager who creates the rules.

1. Rules are created in the CA/CM tool.
2. Rules are run against the databases.
3. Alerts go out (via the mail server) to auditors and management.
4. The CA/CM tool populates the web server.
5. The dashboards provide summary and drill-down capability for auditors and management.
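Steps 1 and 2 above, using the fictitious-vendor indicators from Slide 9, as an added example that is not KPMG's code or tooling: constructed vendor and employee master records are loaded into an in-memory SQLite database, each indicator is written as a SQL rule, the monitoring view reports every individual hit, and the audit view scores the AND/OR profile per vendor and routes only vendors reaching a threshold. The sample records, the CMRA reference list, the name-suffix list used to match "similar" names, the digits-only comparison of TIN to SSN, and the two-indicator routing threshold are all assumptions; the mobile-number test is omitted because it needs a carrier lookup the slide does not describe.

```python
"""Added example (not KPMG's code): Slide 9's fictitious-vendor indicators as
SQL rules run against a database (Slide 10, steps 1-2). All data is constructed;
the CMRA list, suffix list and routing threshold are assumptions."""
import re
import sqlite3
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed vendor master: (vendor_id, name, address, tin, phone, one_time).
VENDORS = [
    ("V001", "Acme Supplies Inc", "12 Industrial Way, Springfield", "12-3456789", "555-0100", 0),
    ("V002", "ACME SUPPLIES, INC.", "12 Industrial Way, Springfield", "12-3456789", "555-0100", 0),
    ("V003", "Northwind Consulting", "400 Main St Ste 210, Springfield", "987-65-4321", "555-0199", 1),
    ("V004", "Blue Ridge Logistics LLC", "77 Harbor Rd, Portland", "55-1234567", "555-0150", 0),
    ("V005", "Quick Fix Repairs", "400 Main St Ste 210, Springfield", "33-7654321", "555-0177", 1),
]
# Constructed employee master: (emp_id, name, ssn, phone).
EMPLOYEES = [
    ("E10", "Dana Lee", "987-65-4321", "555-0199"),
    ("E11", "Sam Ortiz", "111-22-3333", "555-0123"),
]
# Assumed reference list of CMRA addresses; a real program would license one.
CMRA_ADDRESSES = ["400 Main St, Ste 210, Springfield"]
# Assumed list of legal-form suffixes ignored when comparing vendor names.
SUFFIXES = {"INC", "LLC", "LTD", "CO", "CORP", "CORPORATION", "COMPANY"}


def normalize(text: str) -> str:
    """Uppercase, drop punctuation, collapse whitespace."""
    return " ".join(re.sub(r"[^A-Z0-9 ]", " ", text.upper()).split())


def name_key(name: str) -> str:
    """Name with legal-form suffixes removed, so 'Acme Supplies Inc' == 'ACME SUPPLIES, INC.'."""
    return " ".join(t for t in normalize(name).split() if t not in SUFFIXES)


def digits(value: str) -> str:
    """Compare identifiers on digits only: EINs and SSNs are punctuated differently."""
    return re.sub(r"\D", "", value)


def load(conn: sqlite3.Connection) -> None:
    conn.executescript("""
        CREATE TABLE vendor(vendor_id TEXT PRIMARY KEY, name TEXT, name_key TEXT,
                            address TEXT, address_key TEXT, tin TEXT, phone TEXT, one_time INTEGER);
        CREATE TABLE employee(emp_id TEXT PRIMARY KEY, name TEXT, ssn TEXT, phone TEXT);
        CREATE TABLE cmra(address_key TEXT PRIMARY KEY);
    """)
    conn.executemany("INSERT INTO vendor VALUES (?,?,?,?,?,?,?,?)",
                     [(vid, n, name_key(n), a, normalize(a), digits(t), digits(p), o)
                      for vid, n, a, t, p, o in VENDORS])
    conn.executemany("INSERT INTO employee VALUES (?,?,?,?)",
                     [(eid, n, digits(s), digits(p)) for eid, n, s, p in EMPLOYEES])
    conn.executemany("INSERT INTO cmra VALUES (?)", [(normalize(a),) for a in CMRA_ADDRESSES])


# Step 1: rules. Each query returns (vendor_id, detail).
RULES: Dict[str, str] = {
    "TIN_MATCHES_EMPLOYEE_SSN": """
        SELECT v.vendor_id, 'matches employee ' || e.emp_id
        FROM vendor v JOIN employee e ON v.tin = e.ssn""",
    "PHONE_MATCHES_EMPLOYEE": """
        SELECT v.vendor_id, 'matches employee ' || e.emp_id
        FROM vendor v JOIN employee e ON v.phone = e.phone""",
    "ADDRESS_IS_CMRA": """
        SELECT v.vendor_id, v.address
        FROM vendor v JOIN cmra c ON v.address_key = c.address_key""",
    "ONE_TIME_VENDOR": """
        SELECT vendor_id, name FROM vendor WHERE one_time = 1""",
    "DUPLICATE_NAME_DIFFERENT_ID": """
        SELECT v.vendor_id, 'same name as ' || group_concat(o.vendor_id)
        FROM vendor v JOIN vendor o
          ON v.name_key = o.name_key AND v.vendor_id <> o.vendor_id
        GROUP BY v.vendor_id""",
}
# The AND/OR profile the slide routes to internal audit.
CA_RULES = ["ADDRESS_IS_CMRA", "ONE_TIME_VENDOR", "TIN_MATCHES_EMPLOYEE_SSN", "PHONE_MATCHES_EMPLOYEE"]


def run_rules(conn: sqlite3.Connection, names) -> List[Tuple[str, str, str]]:
    """Step 2: run each named rule against the database; returns (rule, vendor_id, detail)."""
    return [(name, vid, detail) for name in names for vid, detail in conn.execute(RULES[name])]


def cm_exceptions(conn: sqlite3.Connection) -> List[Tuple[str, str, str]]:
    """Continuous monitoring (management): every individual indicator that fires."""
    return run_rules(conn, RULES.keys())


def ca_alerts(conn: sqlite3.Connection, min_indicators: int = 2) -> Dict[str, List[str]]:
    """Continuous auditing: vendors with at least min_indicators of the profile (threshold assumed)."""
    hits = defaultdict(set)
    for rule, vid, _ in run_rules(conn, CA_RULES):
        hits[vid].add(rule)
    return {vid: sorted(rules) for vid, rules in hits.items() if len(rules) >= min_indicators}


def run_example():
    conn = sqlite3.connect(":memory:")
    load(conn)
    return cm_exceptions(conn), ca_alerts(conn)


if __name__ == "__main__":
    cm, ca = run_example()
    for hit in cm:
        print("CM", *hit, sep=" | ")
    for vid, rules in ca.items():
        print("CA", vid, ", ".join(rules), sep=" | ")
```

V001 and V002 surface only in the monitoring view (duplicate name, but no other indicator), V005 reaches internal audit on the CMRA address plus the one-time flag, and V003 trips every indicator in the profile. Normalising names, addresses and identifiers before the joins is what makes these rules work on real master data; an exact-string join on the raw columns would miss all three cases.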

Slide 11: Why implement Continuous Auditing?

CA can help enhance organizational value and offers a broad range of potential benefits:

Greater efficiency
- audit by exception
- automate components of the audit program, audit tests or review procedures
- known control gaps and deficiencies can be continuously audited
- reduced wait times for data
- reduction of low value-added work
- improved maintenance of a dynamic and relevant risk profile
- automate manual processes
- reduced travel costs through automation of testing

Earlier information
- improved speed of reporting to the business
- reduced surprises; problems do not build up
- enhanced leverage of system functionality
- identification of misuse and misconduct
- identification of errors earlier, while issues are fresh
- ability to proceed with root cause analysis of errors, policy violations, fraud and misconduct in a more timely manner

Enhanced controls
- correction of errors moved closer to the source
- enhanced visibility of Internal Audit within the business and an improved deterrence effect
- valuable insight into controls effectiveness and the business process risks associated with outsourced business processes
- ability to audit the monitoring function from an Internal Audit perspective, providing an additional layer of governance

Reduced complexity
- reduction of complexity through global process standardization, thereby easing review
- appropriate setting and consistency of materiality thresholds
- automated exception report production
- focus on the real issues
- regulatory compliance can be audited

All of which help Internal Audit add more value to the business.

Slide 12: Why implement Continuous Monitoring?

CM can help enhance organizational value and offers a broad range of potential benefits:

Greater efficiency
- reduction of work duplication
- increased use of automation
- enhanced ability to identify and correct errors
- more time for value-adding analysis instead of error correction
- reduced manual SOX testing
- reduced travel costs through automation of testing and remote monitoring

Earlier information
- improved speed of information delivery to the business
- reduced surprises; problems do not build up
- better information for decision making
- ability to proceed with root cause analysis of errors, policy violations, fraud and misconduct in a more timely manner

Enhanced controls
- correction of errors moved closer to the source
- automated controls
- control gaps and deficiencies can be monitored for circumvention and/or exploitation
- ERP system and/or business process limitations and deficiencies can be addressed
- automated fraud prevention and detection activities

Reduced complexity
- greater visibility as to how processes are functioning
- appropriate setting and consistency of thresholds
- regulatory compliance can be monitored
- ability to standardize process measures across locations
- demonstrate good governance
- use a leading-edge approach

All of which results in more focused time to add value to the business.

Slide 13: Challenges and Requirements for Implementation

The full scope of services is not permitted for audit clients or their affiliates. See the detailed guidance regarding independence on slides 9 and 10 of the methodology guide.

Challenges
- thought leadership: lack of content (e.g., business process specific, industry specific)
- people: lack of deep industry and functional specialization (e.g., Governance, Risk and Compliance; Fraud and Forensic Investigation)
- reliability, accessibility and availability of data
- consistency of business processes
- change management: impact of changing embedded processes, resistance to change

Requirements
- technology intensive: virtual real-time monitoring requires sophisticated technology
- thorough business process and industry content knowledge
- knowledge of and linkage to enterprise risk exposures
- senior management sponsorship

Slide 14: Implementation of CA/CM - How do we get started? (KPMG Framework)

Slide 15: Implementation of CA/CM - KPMG Framework

The implementation model has six phases: Plan, Assess, Design, Implement, Execute and Evaluate. Plan and scope the engagement; perform the auditing or monitoring; revisit the process according to the results produced.

To be removed before printing: services provided within the Design phase are prohibited for SEC audit clients. Services provided within the Implement, Execute and Evaluate phases are restricted for SEC audit clients. Refer to the CA/CM Methodology Guide for further information, as well as local office risk management policies and guidelines.

Slide 16: Our approach is designed to provide an efficient, consistent and repeatable process

[Figure residue: the slide carries thumbnail images of sample deliverables (a management information roadmap, risk heat maps, a risk assessment matrix and a survey chart); their text is not recoverable from the transcription.]

Phase: Plan
Activities: determine client objectives with key stakeholders; prepare the engagement approach with the team; kick off the project.
Potential deliverables: needs and requirements summary; engagement letter.

Phase: Assess
Activities: gather relevant information; perform risk assessment; perform current state assessment; perform gap analysis; assist with drafting the desired state.
Potential deliverables: risk assessment; current state assessment; gap analysis.

Phase: Design
Activities: confirm and prioritize areas to be addressed; define measures and thresholds; assist the client with selecting the best CA/CM tool(s); confirm the implementation plan.
Potential deliverables: CA/CM implementation plan; selected CA/CM tools.

Phase: Implement
Activities: roll out the implementation plan; set up data extraction activities; assist with other ongoing program activities through the implementation.
Potential deliverables: set-up for data extraction activities; data maps and dictionaries.

Phase: Execute
Activities: run queries and routines; assist with identification of the root cause of exceptions/results; assist with training available resources.
Potential deliverables: exception reports.

Phase: Evaluate
Activities: conduct a post-implementation assessment; identify potential improvements; discuss control gaps and weaknesses.
Potential deliverables: post-implementation assessment; lessons learned.

Slide 17: Dimensions of CA/CM - Interrelationship of CCM, CTM and Macro Analysis

- Analytical dimension: macro analysis (e.g., number of purchase orders per week)
- Controls dimension: Continuous Controls Monitoring (CCM), including changed or deleted controls
- Transactions dimension: Continuous Transaction Monitoring (CTM)

Each dimension can apply several types of analysis (e.g., rules, statistical, link mining) to risk and performance. Risk and performance monitoring is optimized when all three dimensions are implemented.

Slide 18: Enabling with Technology - Considerations

Types of technology tools (evolving):
- Continuous Control Monitoring (CCM): application configuration parameters; user access and segregation of duty analysis (examples of available tools were shown on the slide but are not recoverable)
- Continuous Transaction Monitoring (CTM): transaction attribute analysis; transaction pattern analysis (examples of available tools likewise not recoverable)

Technology selection considerations:
- technical infrastructure limitations
- availability of data and number of sources
- level of sophistication of IT personnel

End user requirements:
- transaction monitoring
- control and configuration monitoring
- case management / remediation tracking
- master data monitoring

Slide 19: Enabling with Technology - Additional Considerations

- What are the objectives? IA, IA for management, or both; strengthening IA data analytics.
- What are the anticipated areas of focus? ERP, non-ERP or both; controls, transactions, macro analysis; risk types (e.g., fraud, performance, waste, regulatory compliance).
- How will the analysis be performed? Embedded or extracted; frequency: regular, repeatable, near real-time.
- Required sophistication of analytic functionality: rules, statistical, temporal, artificial intelligence.
- Exception handling: alerts; aggregation, prioritization, scoring; assignment, investigation, resolution, documentation.
- Reporting and dashboard capabilities.
- Impact on system performance (extraction).
- Required speed of analysis and hardware requirements (daily analytics).
- Cost.
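The macro-analysis dimension from Slide 17 (purchase orders per week) and the "statistical" and "temporal" analytic types listed above, as an added example that is not KPMG's code or tooling. The rule examples earlier on the page compare a value to a fixed threshold; here the weekly series is scored against its own median and median absolute deviation, which a single inflated week cannot distort the way it distorts a mean and standard deviation, and a temporal rule flags purchase orders created at the weekend or outside the working day. The weekly counts, the PO events, the 3.5 robust-z threshold and the 07:00-19:00 working day are all constructed assumptions.

```python
"""Added example (not KPMG's code): statistical macro analysis of weekly PO
counts (median/MAD robust z-score) and a temporal off-hours rule. All data,
the 3.5 threshold and the 07:00-19:00 working day are assumptions."""
import math
import statistics
from datetime import datetime
from typing import List, Tuple

# Constructed: purchase orders per week for one purchasing unit, 26 weeks.
WEEKLY_PO_COUNTS = [41, 38, 44, 40, 39, 42, 45, 37, 43, 41, 40, 39, 44,
                    42, 38, 41, 43, 40, 39, 42, 41, 38, 44, 40, 95, 41]

# Constructed: (po_number, creation timestamp, user) for the temporal rule.
PO_EVENTS = [
    ("PO-1001", "2024-03-18 09:15", "buyer_a"),
    ("PO-1002", "2024-03-18 16:40", "buyer_b"),
    ("PO-1003", "2024-03-23 02:10", "buyer_a"),  # Saturday, 02:10
    ("PO-1004", "2024-03-20 22:30", "buyer_c"),  # Wednesday, 22:30
    ("PO-1005", "2024-03-21 11:05", "buyer_b"),
]


def robust_z_scores(values: List[float]) -> List[float]:
    """z-scores based on median and MAD, so one spike cannot hide itself by inflating the spread."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    scale = 1.4826 * mad  # MAD scaled to sigma for normally distributed data
    if scale == 0:  # constant series: anything off the median is an outlier
        return [0.0 if v == med else math.copysign(math.inf, v - med) for v in values]
    return [(v - med) / scale for v in values]


def macro_outliers(values: List[float], threshold: float = 3.5) -> List[Tuple[int, float, float]]:
    """Weeks whose PO count deviates from the series' typical level: (index, value, z)."""
    return [(i, v, round(z, 1))
            for i, (v, z) in enumerate(zip(values, robust_z_scores(values)))
            if abs(z) > threshold]


def off_hours_pos(events, start_hour: int = 7, end_hour: int = 19) -> List[Tuple[str, str, str]]:
    """Temporal rule: POs created at the weekend or outside the working day."""
    flagged = []
    for po, ts, user in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if t.weekday() >= 5:  # Saturday = 5, Sunday = 6
            flagged.append((po, user, "weekend"))
        elif not start_hour <= t.hour < end_hour:
            flagged.append((po, user, "off-hours"))
    return flagged


if __name__ == "__main__":
    print("macro outliers:", macro_outliers(WEEKLY_PO_COUNTS))
    print("off-hours POs:", off_hours_pos(PO_EVENTS))
```

Week 24 (95 orders against a typical 41) scores a robust z of about 18; with a plain mean and standard deviation the same spike pulls the mean up and the deviation out, and lands at roughly z = 5, which still fires here but would not for a smaller anomaly. The off-hours rule is the kind of temporal check a CCM tool would run against ERP change logs as well as transactions.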

Slide 20: Enabling with Technology - Two main technology types; Type 1: Embedded (monitor at source)

Examples: SAP GRC, Oracle GRC, Approva. The monitoring runs inside or alongside the auditee's source systems (SAP, Oracle database): Monitor -> Report -> Follow up, with auditee and auditor working from the same in-system results.

Slide 21: Enabling with Technology - Two main technology types; Type 2: Data Analytics

Examples: ACL, IDEA, SAS, Approva, Business Objects. Data is extracted from the auditee's systems (SAP, Oracle database) and uploaded to the auditor's analytics environment: Extract -> Upload -> Test -> Review -> Follow up.

Slide 22: Sample Implementation Model - Combination CA/CM approach

The organization's ERP systems, operations and financial applications feed two monitoring applications: a CA application used by Internal Audit and a CM application used by Management.

Slide 23: The Value Proposition - Benefits of implementing CA/CM

CA brings greater efficiency, enhanced controls, earlier information and reduced complexity (the benefits below are grouped by audience following the slide's reading order).

Board of Directors
- improved insight into business risks across the enterprise
- improved corporate governance
- potential for improved reporting to the board

Management
- allows senior management greater visibility into the organization, enhancing its oversight capabilities
- improved corporate governance
- improved information for day-to-day decision making
- reduction of work duplication
- improved leverage of IT investment
- reduced surprises
- identification of issues closer to occurrence

Internal Audit
- better able to test a broader range of controls, including security, segregation of duties and process-level controls, at reduced cost and on a timely basis
- improved speed of reporting to the business
- improved information to focus audit efforts
- improved maintenance of the risk profile

Slide 24: Key Success Factors of Continuous Monitoring

Critical success factors and how KPMG's response addresses them (pairing reconstructed from the slide's reading order):

Senior executive support
- executive involvement at all stages of the project, including opportunity identification, selection, prioritization and sign-off
- clear CM leadership roles to drive cultural change
- identification of control owners to report failures, escalate issues, etc.

Technology tools and experienced resources
- fact-based approach to identification, quantification and prioritization of CM opportunities
- selection of appropriate CM tools to contain costs and speed up communication
- experienced staff who can commence fieldwork immediately

Established approach to CM
- global continuous monitoring framework and approach
- identification of key control check points
- methodology emphasizes risk and continuous improvement

Well planned approach
- detailed project initiation and work plan documents
- knowledge of and linkage to enterprise risk exposures
- the organization's risk profile is fundamental to the assessment and design of the CM approach

Organizational alignment
- incorporation of key line management within the CM project
- partnering with team members to help enable knowledge transfer
- senior industry and functional practitioners

Slide 25: Key Success Factors of Continuous Auditing

Critical success factors and how KPMG's response addresses them (pairing reconstructed from the slide's reading order):

Senior executive support
- executive education on the development of a business case
- obtain buy-in from the Chief Audit Executive regarding the approach
- commitment to train internal resources

Experienced resources and technology tools
- experienced staff who hit the ground running
- thorough business process and industry content knowledge
- selection of appropriate CA tools to contain costs and speed up communication

Established approach to CA
- provide root cause analysis capabilities for errors, policy violations, fraud and misconduct
- identification of key control check points
- methodology emphasizes continuous improvement

Well planned approach
- detailed project initiation and work plan documents
- the organization's risk profile is fundamental to the assessment and design of the CA approach
- knowledge of and linkage to enterprise risk exposures

Organizational alignment
- partnering with internal team members to help enable knowledge transfer
- consistent alignment of goals, measures and incentives
- audit the monitoring function from an Internal Audit perspective

Transition planning
- balancing existing internal audit practices with CA
- managing independence

Slide 26: How can KPMG help?

- Design and implement CA/CM approaches, including risk-based dashboards, scorecards, analytics (including fraud and regulatory risk specific), reports (area and transaction based) and management protocols (notification, reporting, response, investigation)
- Execute individual CA projects
- Evaluate anti-fraud processes that are part of the CA/CM approach
- Controls automation
- Integration with governance, risk and compliance initiatives
- Coordination with business intelligence initiatives
- Design/incorporate more sophisticated data analysis initiatives (e.g., predictive modeling, social network analysis)
- Tool/application evaluation and recommendation
- Training
- Risk assessment/scoping

Slide 27: Contact information

John W. Doe, KPMG LLP, (201)

Copyrights and disclaimers may vary between applications. Please consult the GB&RC MicroWeb for specific policies. Please delete this message prior to printing or presenting.