CONTINUOUS AUDITING - UPDATE
Travis S. Moser, CISA
CONTINUOUS ASSURANCE FRAMEWORK
- Third Line of Defense: IA provides independent assurance
- Second Line of Defense: Functions oversee risks
- First Line of Defense: Management owns and manages risks
- Continuous Auditing: audit testing of Continuous Monitoring (First and Second Lines of Defense)
- Continuous Monitoring: business processes and transactions
KEY ASSUMPTIONS
- Global SAP instance
- Global business process owners
- Tool: SAP GRC Suite, Process Control
TERMINOLOGY
- Configuration: control settings, security levels, parameters, and reference data that enforce authorization, accuracy, and completeness of transaction processing. Configuration affects system function, performance, and automated controls.
CA / CTM AT TIMKEN: WHAT'S THE DIFFERENCE?
- Continuous Auditing: a method used to perform control and risk assessments automatically on a more frequent basis. Includes monitoring a system's global configuration settings, access controls, and rules that define the parameters of how an event or transaction can be initiated, processed, and recorded.
- Continuous Transaction Monitoring: a management process that monitors on an ongoing basis whether internal controls are operating effectively. Includes the creation of rules and tests run against the actual flow of transactions.
CONTROLS
Preventive (per transaction):
- Manual approvals
- Physical access
- Segregation of duties
Automated preventive (low effort to operate, 100% coverage on transactions):
- System calculations
- Workflow (SAP)-based approvals
Real-time detective (daily / multiple times per day, low effort to operate, 100% coverage on transactions):
- Workflow (Oversight)-based alerts
Detective:
- Physical counts & checks
- Detective report reviews
- Spreadsheet reconciliations
CA: TIMKEN'S NEED
- Increase frequency of control testing
- Evaluate SAP configuration globally
- Ensure controls are applied consistently
- Ensure future implementations are configured consistently
ADVANTAGES TO PROCESS CONTROL
- Reduces monitoring and resource effort for manual control testing
- Monitors global SAP configuration
- Issues identified in real time (or close to it)
- Enables moving to standardized key controls for global SAP entities by business process
- Performs automated controls testing on a continuous basis at the process level
PROCESS CONTROL BIG PICTURE (diagram)
Source: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/b04161e6-5cfe-2e10-4b90-815a3a2027c2?quicklink=index&overridelayout=true&53051436052091
CONTINUOUS AUDITING
- Define Data Source and Business Rules (diagram: Data Source -> Business Rule)
PROCESS CONTROL: DATA SOURCE TYPES AND USAGE
- Configurable: defines a query against tables in the monitored SAP backend system.
- ABAP Report: leverage suitable ABAP reports already available.
- SAP Query: leverage query results to gather and present information from an SAP system to PC.
- SoD Integration: use to invoke Access Control risk analysis in the context of PC controls.
- External Partner: Web Services based, to monitor SAP backend applications from SAP partners and other vendors.
- Process Integration: use to query directly against the underlying databases of non-SAP applications via JDBC/ODBC, or even integrate
- BW Query: use to invoke queries against SAP Business Warehouse.
- Event: use to respond to messages that external systems send to Process Control.
- Programmed: use to call ABAP programs for complex processing.
CONTINUOUS AUDITING (INTERNAL AUDIT'S ROADMAP - 2016)
- 2011: Configuration assessment
- 2013: Walkthrough
- 2015: CA / CTM alignment
- 2015: Application Controls
- 2016: PTP Configuration
CA 2016
Process                 Risks  Controls  Rules
Fixed Assets              2       2        8
Inventory Management      2       7       11
Order to Cash             7      12       21
Purchase to Pay           5       5       10
Record to Report          4       4        7
IT General Controls       2       4        8
Total                    22      34       65
CONTINUOUS AUDITING (INTERNAL AUDIT'S ROADMAP - UPDATED)
- 2016: External Audit
- 2017: SAP Application Controls
- 2017: External Audit
- 2018: Application Controls
- 2018: PTP Configuration
CA: WHAT TIMKEN DOES
Process                 Risks  Controls  Rules
Fixed Assets              3       4       11
Inventory Management      3      11       16
Order to Cash             8      15       24
Purchase to Pay           5       6       13
Record to Report          3       6       16
IT General Controls       2       3        8
Total                    24      45       88
CONTINUOUS AUDITING
- Automated test rules facilitate continuous monitoring of controls
- Rule Script
- Rule Criteria
Reference: http://help.sap.com/saphelp_grcpc25/helpdata/en/06/ded8d06faf487ba348dde612c2760c/content.htm
CONTINUOUS AUDITING (diagram: Process Control Monitoring, Business Rule, Data Source, Business Rules)
CONTINUOUS AUDITING EXAMPLE
- Risk: Accounts Payable may be inaccurate if cash disbursements are inaccurate or not recorded timely.
- Control: An invoice is prevented from being entered more than once into the system.
- Rule: The rule verifies that the duplicate invoice verification check is performed based on vendor reference number.
CONTINUOUS AUDITING EXAMPLE: Set Check for Duplicate Invoices (OMRDC)
- Logistics Invoice Configuration
- Fields compared by the duplicate check: Vendor, Currency, Gross Invoice Amount, Company Code, Invoice Date, Reference document number
CONTINUOUS AUDITING EXAMPLE: Set Check for Duplicate Invoices (OMRDC) (screenshots only; no text recovered)
FREQUENCY OF CA
- Annually
- Semi-annually
- Quarterly
- Monthly
- Weekly
- Daily
- More than daily
ISSUE WORKFLOW (screenshots only; no text recovered)
SUMMARY
- Continuous Auditing Framework
- Increasing frequency of control testing
- Monitoring global SAP configuration changes
CHALLENGES / LESSONS LEARNED
- Change logging activated (SCU3)
- Leverage and confirm prior year workpapers when automating application controls
- Value check vs. change log check
- Mirror Timken's SAP change management process
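As an added example (not part of the original deck or of SAP Process Control), the duplicate invoice rule from the example slides written out as both a value check and a change log check, the two rule styles contrasted under lessons learned. The configuration snapshot, the SCU3-style change log records, the field names and the change request ids are all constructed and hypothetical; the only criterion taken from the deck is that the OMRDC check must include the reference document number.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

# Rule criterion from the example: the duplicate invoice check must use the
# reference document number. Field names below are hypothetical.
REQUIRED_FIELDS = frozenset({"REFERENCE"})

@dataclass(frozen=True)
class DupCheckConfig:            # constructed snapshot of one company code's OMRDC settings
    company_code: str
    check_fields: FrozenSet[str]  # configurable fields currently switched on

@dataclass(frozen=True)
class ChangeLogEntry:            # constructed SCU3-style change log record
    company_code: str
    changed_on: date
    old_fields: FrozenSet[str]
    new_fields: FrozenSet[str]
    change_request: Optional[str]  # change management ticket, if any

def value_check(configs):
    """Value check: report company codes whose current setting misses the required field."""
    return sorted(c.company_code for c in configs if not REQUIRED_FIELDS <= c.check_fields)

def change_log_check(log, since, approved_requests):
    """Change log check: flag changes since the last run that weakened the check
    or that carry no approved change request (mirrors change management)."""
    findings = []
    for e in log:
        if e.changed_on < since:
            continue
        weakened = REQUIRED_FIELDS <= e.old_fields and not REQUIRED_FIELDS <= e.new_fields
        unapproved = e.change_request not in approved_requests
        if weakened or unapproved:
            findings.append((e.company_code, e.changed_on.isoformat(),
                             "weakened" if weakened else "unapproved"))
    return findings

# Constructed sample data: company code 2000 had the reference check switched off
# without a ticket; company code 1000 was strengthened under an approved ticket.
CONFIGS = [
    DupCheckConfig("1000", frozenset({"COMPANY_CODE", "REFERENCE", "INVOICE_DATE"})),
    DupCheckConfig("2000", frozenset({"COMPANY_CODE", "INVOICE_DATE"})),
]
CHANGE_LOG = [
    ChangeLogEntry("2000", date(2016, 3, 2), frozenset({"COMPANY_CODE", "REFERENCE"}),
                   frozenset({"COMPANY_CODE", "INVOICE_DATE"}), None),
    ChangeLogEntry("1000", date(2016, 1, 15), frozenset({"COMPANY_CODE"}),
                   frozenset({"COMPANY_CODE", "REFERENCE", "INVOICE_DATE"}), "CR-1234"),
]

def run_rule(since=date(2016, 1, 1), approved=frozenset({"CR-1234"})):
    """Run both checks as a Process Control style business rule would, returning deficiencies."""
    return {"value": value_check(CONFIGS),
            "change_log": change_log_check(CHANGE_LOG, since, approved)}
```

The value check alone only shows the current state; the change log check also catches a setting that was weakened and restored between runs, which is why both are worth scheduling.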
OPPORTUNITIES / WHERE ARE WE GOING?
- Analyze and implement SAP's delivered rules
- Expand into other company systems
- Complete automated controls from the configuration assessment
- Continue to improve / challenge the risk and control matrix
- Leverage existing SAP queries and reports