SERIOUSLY REDUCING THE BURDEN OF ICFR/ SOX/A-123 COMPLIANCE


ACL EBOOK
The essential guide to SERIOUSLY REDUCING THE BURDEN OF ICFR/SOX/A-123 COMPLIANCE
7 steps for improving compliance processes

CONTENTS
- Seriously Reducing the Burden of ICFR/SOX/A-123 Compliance
- ICFR, SOX, A-123: Whatever you call it, technology can help
- ICFR: Reducing the Burden
- Always be testing
- Automate your workflow
- 7 Steps to Automate Your ICFR Compliance Program
  - 1: Document your processes
  - 2: Identify and assess risks
  - 3: Identify risk mitigation procedures and controls
  - 4: Test and monitor
  - 5: Manage red flags
  - 6: Reporting and ongoing assessment
  - 7: Certification and assurance
- Conclusion
- How much room for improvement is there in your ICFR processes?
- ICFR Software Shopping Checklist
- About the Author

Making ICFR/SOX/A-123 (almost) as easy as ABC

SERIOUSLY REDUCING THE BURDEN OF ICFR/SOX/A-123 COMPLIANCE

In response to the corporate financial scandals of the beginning of this century, regulatory authorities in many countries brought in requirements for stricter monitoring of key controls over the integrity of financial reporting. Regulations such as the Sarbanes-Oxley Act (SOX) and Circular A-123 from the Office of Management and Budget (A-123) in the United States, together with similar requirements in countries such as Canada, the UK, Germany, France and Japan, resulted in affected commercial organizations and federal agencies spending substantial amounts in order to achieve compliance.

At the same time, some private companies to whom SOX does not apply are increasingly looking to improve processes for ICFR for a variety of reasons, including reduced external audit fees, greater assurance over the reliability of financial statements, or preparation for an IPO or acquisition. There has also been increasing pressure for public companies to transition to the COSO 2013 Integrated Framework for Internal Controls and map its principles to SOX testing processes and control assessments. Similarly, government bodies are expected to comply with the Green Book or local equivalents for internal control standards. The entire process can easily become complex and burdensome to manage and document, as companies need to clearly demonstrate to regulators and external auditors how they have applied control frameworks.

Although the initial effort needed to meet the standards for Internal Controls Over Financial Reporting (ICFR) has slowly reduced for most organizations, many are still feeling the financial burden of the total costs associated with ongoing management of ICFR programs. The overall result is that many organizations are putting great effort into ICFR, but often not in the most efficient way.
In this ebook, we'll look at how you can use technology to improve processes and seriously reduce the financial and resource burden of ICFR.

The cost of SOX compliance
- 39% of companies are spending more than US$500,000 per year (with some, of course, spending many millions)
- 41% of companies incurred recent annual cost increases of 20%
(Protiviti, 2014 SOX Compliance Survey)
How much does your organization spend on ICFR?

7 steps for improving compliance processes - 3

ICFR, SOX, A-123: WHATEVER YOU CALL IT, TECHNOLOGY CAN HELP

Much has been written about SOX and A-123 compliance, as with similar legislation around the world, and there are some excellent resources available. This ebook does not seek to inform you about the detailed regulatory requirements or how to comply with them. Instead we will focus on some of the primary ways in which ICFR-related processes can be made more efficient and less costly through the use of modern technology.

For many, it makes sense to work on improvements in ICFR compliance processes alongside changes to other related processes for risk management, internal audit and regulatory compliance. There are often opportunities to rethink the ways things have ended up working in the past (often more by happenstance than design) and move ahead with approaches that are more integrated, collaborative and less duplicative. Many organizations are still relying extensively on spreadsheets and general purpose tools to try to manage all aspects of ICFR processes. This is where the use of appropriate technology can be a big differentiator in reducing overall cost and effort.

ICFR: REDUCING THE BURDEN

Goals and processes for ICFR compliance and improvement have a lot in common with those for other risk management, control testing and assessment areas. Although ICFR compliance is a legal requirement for many organizations and often seen as just one more regulatory burden, the fundamental objectives of ICFR indeed make good sense. The risk of fraud or error in financial statement reporting is certainly something that must be managed. Appropriate controls throughout financial processes are the answer, but the challenge is how to make it economical to implement and maintain them, as well as to continually assess their effectiveness.

This challenge is virtually the same one that applies to any control process, whether you're addressing financial reporting risks or any other risk among the large number that any organization faces. The process of documenting systems and repeatedly having to assess risks and test controls can easily become very time consuming and costly. Coordinating and reporting on the activities of multiple control owners and others involved in assessment and testing can be a complex task, particularly if the methods used are primarily manual or involve spreadsheets or other general purpose software.

Taming the burden of ICFR with automation
The solution to all this complexity is to harness the power of dedicated technology to perform and manage the whole process in as efficient and painless a way as possible.
A modern, centralized system supports all aspects of what should be a straightforward series of workflow activities to:
1. DOCUMENT PROCESSES, NARRATIVES, RISKS AND CONTROLS, AND TEST PLANS
2. EVALUATE AND TEST CONTROLS
3. REPORT
4. CERTIFY

There needs to be a common way of identifying all risks and then supporting a workflow process for each risk in terms of:
- categorization by entity and type
- impact assessment
- ranking
- mitigation activities and controls
- residual risk identification (if needed)
- testing and monitoring activities
- results and exceptions management
- dashboards and reporting of status at overall and detail levels

Of course, there are multiple levels of detail in the workflow that must also be supported. For example, as SOX and A-123 compliance involves taking a top-down risk assessment (TDRA) approach, software can support the identification of:
- Significant financial reporting elements and accounts
- Material financial statement risks within these accounts
- Entity level controls that address the risks
- Transaction level controls that address risks where entity level controls are insufficient
- Nature, extent and timing of evidence that impacts the assessment of controls

The objective is to share data across the organization (with the appropriate management of systems access, of course), wherever multiple stakeholders are involved.

ALWAYS BE TESTING

Testing and monitoring are often the most labor-intensive activities. Data analysis technology deserves a special call-out for its crucial role in ICFR processes. Data analysis software has been well proven in the audit and risk world as a means to test entire populations of transactions and balances in order to determine their integrity as well as the effectiveness of related controls. Data analysis can also provide indicators of new and changing risks for which no specific internal control has been established.

Example ICFR tests using data analysis
Examine all GL journal entries to identify:
- Statistical outliers
- Journal entries processed without adequate segregation of duties
- Journal entries posted outside of authorization limits
- Multiple journal entries posted just under an authorization limit ("split entries")
- Postings to unusual account combinations
- Postings made at unusual times
- Temporary overrides/changes of authorization limits
- Unusual patterns of journal entry reversals

This form of testing and analysis can be performed as required, and is usually automated so that testing can take place on a repeated or continual basis. Automated testing leads to reduced costs, as well as the ability to be rapidly notified of control problems and anomalies with transactions, before they escalate into a more serious problem.

When testing becomes a control
While data analysis can be used for objective testing purposes, the same form of analysis can also become the control mechanism itself. For example, testing can take place on a daily or weekly basis to determine whether general ledger entries that have been processed are suspect due to, for example, lack of segregation of duties or proper approval, postings to unusual accounts, or being made at unusual times. In cases where it is not realistic or cost effective to maintain traditional internal control procedures, transaction monitoring can become its own highly effective alternate control mechanism.
Questionnaires as testing?
Another area in which technology can play a valuable role in reducing costs and improving efficiency is in the use of automated questionnaires and surveys to collect information from individuals as part of ICFR compliance. Their use, and the related concept of human analytics, can become an important part of the controls testing and assessment process. A self-assessment is a good example: you need input from a control owner on control effectiveness. Send a questionnaire, get the response. Likewise, if you find an anomaly, it does not necessarily mean there is a control gap until someone does a review and provides evidence either to support that conclusion or to the contrary. There are many instances when business thresholds are exceeded for valid reasons and no control gap exists. Questionnaires help you get to the bottom of it, whatever the case.

Each of these approaches can be applied not only to SOX and A-123 compliance and ICFR testing and assessment, but also to a wide range of other controls and compliance requirements throughout the organization.

THE BENEFITS OF WORKFLOW AUTOMATION

While data analysis is critical for testing, it is through using technology to improve and automate the workflow of ICFR compliance where much of the process pain can be greatly reduced, especially when data analysis is automatically linked into your workflow. Organizations that have successfully implemented a technology-driven approach to ICFR compliance can point to a wide range of benefits, including:
- Avoiding duplication of effort among the teams responsible for maintaining and assessing controls.
- Reduced external audit fees in cases where firms are prepared to rely on the evidence of automated testing and monitoring procedures.
- Improved ability to address and coordinate remediation requirements for weak or ineffective controls.
- Greater executive visibility into the current status of SOX and A-123 compliance and outstanding issues that may impact certification.
- Reduced resource requirements for control testing procedures.
- Reduced risks and less fraud and error. This may include issues that are significant or material to financial reporting and could have a seriously detrimental impact on corporate reputation. Or it may simply be a matter of having better control systems that reduce the waste, leakage and abuse that can occur in many of the systems that flow through into overall financial reporting. This in itself often pays for the investment in implementing new controls and compliance testing approaches.
- Improved quality of testing procedures and greater confidence obtained from testing 100% of populations instead of sampling.
- Standardized risk management, controls and compliance processes across the organization.

Many larger organizations still struggle with the issue of various internal silos performing essentially similar procedures in a range of different ways using a mix of approaches and technologies. This makes it very difficult to obtain one consistent enterprise-wide view of the status of risk and control activities, even though there are clear benefits from doing so.

7 STEPS TO AUTOMATE YOUR ICFR COMPLIANCE PROGRAM

There are several stages in moving to a technology-driven approach to ICFR regulations compliance. As mentioned, these stages have a lot in common with any process to manage and monitor risks and the effectiveness of internal controls, as part of a broader organizational approach to GRC. Ideally, the same software should be able to support not only ICFR compliance but any other of the multiple risk and compliance processes that may exist within an organization.

1. DOCUMENT YOUR PROCESSES

Adequate documentation of the systems and workflow that support financial statement components and accounts is an essential starting point for any ICFR compliance program. This usually involves a narrative and diagrams for the workflow within processes and sub-processes. Since ICFR compliance is an ongoing process, all documentation needs to be reviewed and updated regularly to reflect changes that occur in underlying systems and processes. Process owners should sign off to confirm the current accuracy of documentation.

Technology requirements checklist:
- Support of workflow narratives
- Flowcharts
- Version control and management of updates
- Sign-off capture

2. IDENTIFY AND ASSESS RISKS

While the specifics of financial reporting risks will vary from one organization to another, there are many common elements that apply to financial statement reporting in general, as well as to the various business process areas that feed into the general ledger and systems for financial statement preparation. Compliance with SOX 404 and A-123 involves a top-down risk assessment approach (TDRA) in which specific risk factors are considered to determine the scope and evidence required in the assessment of internal control. This approach begins with an identification of the significant financial reporting elements or accounts that make up the financial statements. The next step is to identify material risks within these accounts. At a high level, risks can usually be identified in terms of factors such as employee and senior management fraud, errors, system miscalculations, and incorrect accounting treatment. The next risk level down can include all the things that could go wrong within a business process, but it is usually best to consider these risks in terms of the risk mitigation efforts and controls that should be in place.

De-duplicate your efforts
If a formalized ERM process exists within an organization, then the SOX 404 or OMB A-123 risk and control assessment process should ideally be carried out as a component within the larger ERM framework. However, in many organizations the overall risk management process is fragmented and ICFR testing responsibilities fall to a combination of roles in financial management and controls, compliance and internal audit. One of the potential benefits of using technology to transform the ICFR testing process is the opportunity to look at the risks and the control testing procedures in a more holistic way and reduce inefficiencies and duplication of effort.

Risk Heat Map
As with many risk assessment processes, a desired outcome is often to produce a heat map or graphical matrix report that ranks the risks by likelihood and extent of impact, as well as an estimate of the costs of managing the risks to an acceptable level. It often makes sense to identify the residual risk: the extent of risk that remains after taking account of risk mitigation efforts such as internal controls. The use of a heat map or matrix enables the different types of ICFR compliance risks to be more easily put into context against each other, as well as against other risks across the organization.

Spreadsheets threat level: High
The use of spreadsheet technology for risk identification and assessment can itself be risky, due to the inherent problems of maintaining control over the integrity of the information recorded, avoiding errors and accidental changes, and being able to share and compile information in an efficient way.

Technology requirements checklist:
- Ability to record, assess and rank a range of risks in a structured and consistent way that provides sufficient detailed information for comparison and reference purposes
- Ability to provide sufficient structured documentation to demonstrate for ICFR compliance purposes how management has interpreted and applied a TDRA and arrived at the scope of controls tested
- Support of questionnaires and surveys as part of the risk assessment process

3. IDENTIFY RISK MITIGATION PROCEDURES AND CONTROLS

For SOX 404 and A-123 compliance purposes, a Top-Down Risk Assessment (TDRA) or Top-Down Focus process involves a determination of two primary levels of controls. The first level includes those entity-level controls that would address the risks that have been identified. The next level includes transaction-level controls which mitigate risks in cases where there are no effective entity-level controls.

Examples of entity-level controls include areas such as the overall control environment, tone at the top, formalized codes of conduct, policy and procedure documentation, corporate risk assessment and risk management processes, internal audit activities, whistle-blower hotlines, board and audit committee oversight, and segregation of duties overall. Transaction-level controls are more specific and typically involve processes for approval, authorization, and review of transactions that take place in the general ledger and sub-processes, such as purchase-to-pay, payroll and order-to-cash. Transaction-level controls can also include automated testing and monitoring procedures that are either built into business applications or run independently.

Technology requirements checklist:
- Ability to clearly identify the relevant internal control procedures and their links to the underlying risks
- Ability to assess the effectiveness of each mitigation procedure or control

4. TEST AND MONITOR

Once the risks and corresponding controls have been defined, the next stage is to determine whether the controls are actually working as intended. Depending on the nature of the control, testing can involve walkthroughs to test the design of the control, observation, or the use of automated transaction analysis. While testing can take place at specific points in time, there are also benefits to ongoing testing procedures. Automated testing routines provide the ability to continuously monitor transactions and the effectiveness of controls. This allows control breakdowns to be identified and remedied before they escalate into a serious problem. Data analysis also allows data to be compared between systems in ways that indicate control problems, something that is very difficult to achieve through conventional testing techniques. Since financial processes and systems are seldom static, it also makes sense to continue to try to determine whether any new risks have arisen from, say, organizational and procedural changes that have taken place.

Monitoring of transactions and controls can take place across the range of financial business process areas that feed into corporate financial reporting systems. These areas typically include the revenue cycle and the primary purchasing, payment and payroll expense areas, as well as the general ledger itself. The human behavior aspect of internal controls can also be monitored through what can be described as human analytics, such as by automatically surveying employees on their understanding of internal control processes. Their responses can be assessed and triggers set up to flag, notify or escalate issues automatically as required.

The most effective method of monitoring is to examine every transaction that flows through a particular system and apply a range of tests to determine whether specific controls are being followed. This form of detailed testing of transactions and controls, based on data analysis, is used widely by internal auditors and quality assurance teams in many of their assurance activities. This approach is even more effective when used by those directly responsible for maintaining effective financial control systems. Entire populations of payment transactions, across disparate business systems, are examined in detail to look for indicators of problems.

What is human analytics?
In its simplest form, human analytics involves input from individuals to make a determination or to provide evidence. For example, control owners can complete surveys or questionnaires on control effectiveness. The results of all questionnaires can be automatically compiled and analyzed to provide greater insight into the current state of controls. The possibilities for addressing risk and control issues with human analytics are wide-ranging.

Examples of the types of test that are typically applied include:
- Determining if critical payment approval processes are being followed, by testing whether transaction approval IDs are in an authorized approver list and the transaction approved is within defined authorization limits
  - Tests can also be performed to determine if controls were circumvented by using split transactions, in which a payment above an approver's authorization limit is processed as a series of smaller payments
- Analysis of large sales transactions and credits around period ends to determine if false sales have been booked in order to inflate results
- Automated analyses of reconciliations between sub-ledgers and the general ledger
- Examination of journal entries to identify postings to unusual accounts, suspect reversing of journal entries around period ends, and posting and approval of journal entries in which proper segregation of duties is missing
- Testing of master file data, in order to identify, for example, cases in which a journal entry approver's authorization limit is changed to a very high amount and then immediately reversed to the correct approval limit

Technology requirements checklist:
- Links between individual controls and the tests used to examine transactions and other data
- Ability to perform a wide range of data analysis tests on an automatic basis and link the results back to the description of the control
- Visual analysis of testing results
- Support of surveys and questionnaires used by control owners in control testing procedures
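The journal-entry tests listed above (and in the earlier "Example ICFR tests using data analysis" list) written out as runnable checks that flag entries for the exception workflow. This is an added example, not ACL's software or code from the ebook; the record layout, the approver table, the sample entries, the change log and the thresholds (24-hour split window, 07:00 to 19:00 business hours) are constructed assumptions.

```python
"""Data-analysis tests over general-ledger journal entries: approval limits,
segregation of duties, split entries, unusual posting times and temporary
authorization-limit overrides. Added example; record layout and thresholds
are assumptions, and every test returns the items it flags for follow-up."""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed approver master file: who may approve and up to what amount.
APPROVER_LIMITS = {"amy": 10_000, "bob": 50_000}

# Constructed journal entries (id, amount, vendor, preparer, approver, posted).
ENTRIES = [
    dict(id="JE1", amount=4_800, vendor="V9", prep="cat", appr="amy", posted="2024-03-04 10:15"),
    dict(id="JE2", amount=4_900, vendor="V9", prep="cat", appr="amy", posted="2024-03-04 10:20"),
    dict(id="JE3", amount=4_700, vendor="V9", prep="cat", appr="amy", posted="2024-03-04 10:31"),
    dict(id="JE4", amount=60_000, vendor="V2", prep="dan", appr="bob", posted="2024-03-05 14:00"),
    dict(id="JE5", amount=2_000, vendor="V3", prep="bob", appr="bob", posted="2024-03-06 09:00"),
    dict(id="JE6", amount=1_500, vendor="V4", prep="eve", appr="zed", posted="2024-03-06 11:00"),
    dict(id="JE7", amount=900, vendor="V5", prep="eve", appr="amy", posted="2024-03-09 23:40"),
    dict(id="JE8", amount=3_000, vendor="V6", prep="dan", appr="amy", posted="2024-03-07 15:00"),
]

# Constructed approver master-file change log (old limit -> new limit, when).
LIMIT_CHANGES = [
    dict(user="amy", old=10_000, new=500_000, at="2024-03-05 13:50"),
    dict(user="amy", old=500_000, new=10_000, at="2024-03-05 14:10"),
    dict(user="bob", old=40_000, new=50_000, at="2024-02-01 09:00"),
]


def _ts(s):
    return datetime.strptime(s, FMT)


def unauthorized_approvals(entries, limits):
    """Approver not on the authorized list, or amount above that approver's limit."""
    return [e["id"] for e in entries
            if e["appr"] not in limits or e["amount"] > limits[e["appr"]]]


def segregation_of_duties_breaches(entries):
    """The same person prepared and approved the entry."""
    return [e["id"] for e in entries if e["prep"] == e["appr"]]


def split_entries(entries, limits, window=timedelta(hours=24)):
    """Two or more entries by one preparer to one vendor, each within the
    approver's limit, that together exceed that limit inside `window`."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["prep"], e["vendor"], e["appr"])].append(e)
    flagged = set()
    for (_, _, appr), grp in groups.items():
        limit = limits.get(appr)
        if limit is None or len(grp) < 2:
            continue
        grp.sort(key=lambda e: _ts(e["posted"]))
        for i, first in enumerate(grp):
            run = [e for e in grp[i:]
                   if e["amount"] <= limit
                   and _ts(e["posted"]) - _ts(first["posted"]) <= window]
            if len(run) >= 2 and sum(e["amount"] for e in run) > limit:
                flagged.update(e["id"] for e in run)
    return sorted(flagged)


def off_hours_postings(entries, start_hour=7, end_hour=19):
    """Entries posted on a weekend or outside the assumed business hours."""
    out = []
    for e in entries:
        t = _ts(e["posted"])
        if t.weekday() >= 5 or not start_hour <= t.hour < end_hour:
            out.append(e["id"])
    return out


def temporary_limit_overrides(changes, window=timedelta(days=1)):
    """An approver's limit raised and then restored to the prior value within `window`."""
    by_user = defaultdict(list)
    for c in changes:
        by_user[c["user"]].append(c)
    flagged = []
    for user, cs in by_user.items():
        cs.sort(key=lambda c: _ts(c["at"]))
        for a, b in zip(cs, cs[1:]):
            if (a["new"] > a["old"] and b["new"] == a["old"]
                    and _ts(b["at"]) - _ts(a["at"]) <= window):
                flagged.append((user, a["at"], b["at"]))
    return flagged


def run_all_tests(entries=ENTRIES, limits=APPROVER_LIMITS, changes=LIMIT_CHANGES):
    """Run every test and return {test name: flagged items} for exception follow-up."""
    return {
        "unauthorized_approvals": unauthorized_approvals(entries, limits),
        "segregation_of_duties": segregation_of_duties_breaches(entries),
        "split_entries": split_entries(entries, limits),
        "off_hours_postings": off_hours_postings(entries),
        "temporary_limit_overrides": temporary_limit_overrides(changes),
    }


if __name__ == "__main__":
    for name, hits in run_all_tests().items():
        print(f"{name}: {hits}")
```

Each flagged id is a candidate exception, not a confirmed control failure; the follow-up described under "Manage red flags" decides whether it is a false positive, a control that is not working, or a genuinely erroneous transaction.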

5. MANAGE RED FLAGS

The transaction monitoring process can produce a varying number of red-flagged exceptions, depending on the thresholds and parameters used in the data analysis tests. In order for an automated controls testing and monitoring approach to be effective, it is important to have a strong process for dealing with flagged exceptions. Not all exceptions necessarily mean that an internal control failure has occurred. Depending on the exact nature of the test and the way the monitoring system is implemented, an exception should mean that there is a reasonable probability of a problem that needs investigation and follow-up.

The result of the follow-up may be an understanding that the exception was a false positive, in which case the test can be modified to reduce the chances of future false positives. The result could also be a conclusion that a control, such as an approval process where the controller needs to review all high value transactions, is not working as intended, in which case the situation must be addressed. Of course, the exception could turn out to be an actual fraudulent or erroneous transaction, in which case, depending on the circumstances, a series of critical notifications and actions may need to be performed. Such problems in, say, the procure-to-pay system can easily accumulate into significant losses, which may not be material for financial statement reporting purposes but still represent very significant monetary amounts.

Typically the exception management process involves a specific workflow that will vary considerably from one organization to another and will also vary depending on the nature of the exception that is identified. For example, certain high risk exceptions may always be routed directly to a senior manager. In the event that no response is received or there is no satisfactory resolution within a given timeframe, a notification would be sent to the CFO and CRO.

Technology requirements checklist:
- Flexible workflow capabilities that can accommodate a range of alternate actions depending on the nature of the exceptions generated
- Comprehensive visual reporting on the status of exception management activities, in summary and at a detailed level
- Ability to collaborate in a secure way with a variety of roles and departments within the organization in order to request confirmation or evidence for the validity of a suspect transaction or control breakdown
- Human analytics capabilities, meaning the ability to assess and combine survey/questionnaire responses from individuals to follow up on exceptions

6. REPORTING AND ONGOING ASSESSMENT

Reporting is one of the most important steps in a technology-driven approach to ICFR testing. This is where all stakeholders can really get visibility into the status and results of the controls testing process. Users of the system should be able to go from a top level overview of control effectiveness all the way down to the detail of specific red flags of control breakdowns and problem transactions, including the resolution of each issue that was identified. It is a critical part of the ongoing risk and controls assessment process. One of the benefits of using data analysis is that the monitoring and assessment process can be accurately quantified, which is an important component of determining whether financial reporting risks are material for ICFR compliance purposes.

A report or visual dashboard could show, for example:
- that a total equivalent of US$15.4B of payments, across 210 operating units and regions, were analyzed and tested for compliance with key internal controls
- of these transactions, 25, totaling US$50.8M, in two units, were flagged as exceptions
- 75% of these were satisfactorily resolved, but 10 transactions, totaling US$25M, are in the process of investigation and appear to be very high-risk items

Technology requirements checklist:
- Ability to quickly and easily get an overview of the status of the entire controls assessment and testing process, as well as to drill down to an appropriate level of detail
- Provide an executive storyboard that shows all material issues identified in the organization, across all risk mitigation programs, as it relates specifically to testing of ICFR
- Multiple levels of access control and security in order to ensure that sensitive data is only available to those who should be involved in a particular part of the process
- Visual reporting capabilities that, where needed, are fully integrated into an overall risk management dashboard
- Reporting that can be accessed from a range of technologies, including smart phones, tablets and laptops

Effective reporting means that you can see both the forest and, where necessary, all of the trees. By reviewing the results of the analysis and monitoring process over time, it is easy to see whether and where there is an increasing or an improving problem with the effectiveness of internal controls over financial reporting.

7. CERTIFICATION AND ASSURANCE

The certification and Statement of Assurance processes are critical elements of SOX 302 and A-123 compliance, respectively. A large number of process and control owners are often involved in the roll-up reporting process that ultimately supports CFO certification and completion of assurance statements. Automation of aspects of this process through the use of questionnaires and sign-offs, combined with aggregated reporting of responses, provides major improvements over traditional non-automated procedures. Responses by process and control owners need to be reviewed and escalated where needed.

Technology requirements checklist:
- Ability to deploy certification and assurance requests via questionnaires
- Support of review and escalation of request responses
- Aggregation of responses through multiple levels
- Automated triggers to initiate certification and assurance requests on a quarterly basis
- Support of a comprehensive audit trail of changes, comments and attachments
- Reporting of outstanding requests

CONCLUSION

The use of appropriate technology can have a dramatic impact on the ICFR compliance process overall and lead to significant reductions in the effort and costs involved. However, not all technology is effective in providing material improvements. Generalized spreadsheet and word processing technology, for example, is simply not designed to provide the levels of automation and ease of use that are essential for optimizing ICFR processes. The use of modern specialized technology simplifies and accelerates all aspects of ICFR compliance in a way that more traditional approaches and technologies are unable to achieve. Integration of automated control testing into the compliance process by means of transaction monitoring provides benefits that not only positively impact SOX and A-123 compliance but also help improve controls and reduce risk.

HOW MUCH ROOM FOR IMPROVEMENT IS THERE IN YOUR ICFR PROCESSES?

Are you tasked with safeguarding your organization? Let us help. ACL's comprehensive compliance platform reduces the burden of ICFR with a data-driven approach to managing end-to-end compliance processes. We've drawn upon two decades of experience working with thousands of customers worldwide to develop detailed methodologies and best practices. For a free assessment of how your organization can integrate technology into your ICFR program, call us or email info@acl.com

ICFR SOFTWARE SHOPPING CHECKLIST

01: Document your processes
Technology requirements checklist:
- Support of workflow narratives
- Flowcharts
- Version control and management of updates
- Sign-off capture

02: Identify and assess risks
Technology requirements checklist:
- Ability to record, assess and rank a range of risks in a structured and consistent way that provides sufficient detailed information for comparison and reference purposes
- Ability to provide sufficient structured documentation to demonstrate for ICFR compliance purposes how management has interpreted and applied a TDRA and arrived at the scope of controls tested
- Support of questionnaires and surveys as part of the risk assessment process

03: Identify risk mitigation procedures and controls
Technology requirements checklist:
- Ability to clearly identify the relevant internal control procedures and their links to the underlying risks
- Ability to assess the effectiveness of each mitigation procedure or control

04: Test and monitor
Technology requirements checklist:
- Links between individual controls and the tests used to examine transactions and other data
- Ability to perform a wide range of data analysis tests on an automatic basis and link the results back to the description of the control
- Visual analysis of testing results
- Support of surveys and questionnaires used by control owners in control testing procedures

05: Manage red flags
Technology requirements checklist:
- Flexible workflow capabilities that can accommodate a range of alternative actions depending on the nature of the exceptions generated
- Comprehensive visual reporting on the status of exception management activities, both in summary and at a detailed level
- Ability to collaborate securely with a variety of roles and departments within the organization in order to request confirmation or evidence of the validity of a suspect transaction or control breakdown
- Human analytics capabilities, meaning the ability to assess and combine survey/questionnaire responses from individuals when following up on exceptions

06: Reporting and ongoing assessment
Technology requirements checklist:
- Ability to quickly and easily get an overview of the status of the entire controls assessment and testing process, as well as to drill down to an appropriate level of detail
- An executive storyboard that shows all material issues identified in the organization, across all risk mitigation programs, as they relate specifically to testing of ICFR
- Multiple levels of access control and security, so that sensitive data is available only to those who should be involved in a particular part of the process
- Visual reporting capabilities that, where needed, are fully integrated into an overall risk management dashboard
- Reporting that can be accessed from a range of devices, including smartphones, tablets and laptops

07: Certification and assurance
Technology requirements checklist:
- Ability to deploy certification and assurance requests via questionnaires
- Support for review and escalation of request responses
- Aggregation of responses through multiple levels
- Automated triggers to initiate certification and assurance requests on a quarterly basis
- Support for a comprehensive audit trail of changes, comments and attachments
- Reporting of outstanding requests

ABOUT THE AUTHOR: JOHN VERVER

John Verver, CPA, CISA, CMC is an acknowledged thought leader, writer and speaker on the application of technology, particularly data analysis, in audit, fraud detection, risk management and compliance. He is recognized internationally as a leading innovator in continuous controls monitoring and continuous auditing and as a contributor to professional publications. He is currently a strategic advisor to ACL, where he has also held vice president responsibilities for product strategy, as well as ACL's professional services organization. Previously, John was a principal with Deloitte in Canada.

ABOUT ACL

ACL delivers technology solutions that are transforming audit, compliance, and risk management. Through a combination of software and expert content, ACL enables powerful internal controls that identify and mitigate risk, protect profits, and accelerate performance. Driven by a desire to expand the horizons of audit and risk management so they can deliver greater strategic business value, we develop and advocate technology that strengthens results, simplifies adoption, and improves usability.

ACL's integrated family of products, including our cloud-based governance, risk management, and compliance (GRC) solution and flagship data analytics products, combines all vital components of audit and risk, and is used seamlessly at all levels of the organization, from the C-suite to front-line audit and risk professionals and the business managers they interface with. Enhanced reporting and dashboards provide transparency and business context that allow organizations to focus on what matters. And, thanks to 25 years of experience and our consultative approach, we ensure fast, effective implementation, so customers realize concrete business results quickly and at low risk.

Our actively engaged community of more than 14,000 customers around the globe, including 89% of the Fortune 500, tells our story best. Here are just a few.
Visit us online at ACL Services Ltd. ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners.