Continuous auditing and risk monitoring 9 23-09
1. Emerging Practices Around Continuous Auditing and Risk Monitoring: A Roundtable
Jim DeLoach, Protiviti Managing Director
Norman Marks, SAP Vice President
September 23, 2009
2. Our Agenda Today
• Introductions and expectations (Group)
• What the market is doing: A framework for discussion (Jim DeLoach)
• The role of automation (Norman Marks)
• Roundtable discussion (Group)
• Summary and final observations (Group)
5. Let’s Clarify Some Terminology
• Continuous - All the time, never ending, more than periodic, more than frequent, uninterrupted…
• Auditing - Derived from the Latin word for “to listen”, but more pragmatically… “objective or secondary review, testing and evidence gathering about a topic, item, issue, process, location, transaction, control, risk etc.”
• Monitoring - Ongoing or separate evaluations of internal processes, internal control systems or risk management capabilities to ensure they are performing as designed or intended
“Monitoring ensures that internal control continues to operate effectively.”
Is “continuous” really what you want to do?
6. GTAG – On Continuous Auditing
• “Continuous Auditing is a method used to perform control and risk assessments automatically on a more frequent basis.”
• This leaves open the question of what frequency is appropriate
• Technology is key to enabling such an approach, changing the audit paradigm from periodic reviews of a sample of transactions to ongoing audit testing of 100% of transactions
• “With automated, frequent analyses of data, they (the auditors) are able to perform control and risk assessments in real time or near real time.”
Is this really just the concept of using CAATs more frequently?
7. GTAG – On Continuous Auditing
• A combined strategy of continuous auditing and continuous monitoring is ideal
• Continuous monitoring encompasses the processes that management puts in place to ensure that the policies, procedures and business processes are operating effectively
• Many of the techniques of continuous monitoring of risks and controls by management are similar to those that may be performed in continuous auditing by internal auditors
Where should continuous “activities” be embedded? In the business processes themselves or in the internal audit function?
Would you want any overlap or duplication?
If something is monitored every day, why would you audit it continuously?
8. Continuous Auditing and Continuous Monitoring should be RISK-BASED
• Which items need true “continuous” monitoring or auditing – that is, more frequent attention?
• Should there be a process to determine the appropriate “frequency” of auditing and monitoring activity, locations, transactions, processes, etc. in an organization?
Are “Continuous Auditing” and “Continuous Monitoring” techniques that should be used only in areas that warrant such attention levels?
If so, how do you determine such areas?
9. Take a Lesson from SOX on “Frequency”
• Continuously, uninterrupted, real-time
• More than daily
• Daily
• Weekly
• Monthly
• Quarterly
• Semi-annually
• Annually
• As needed
• Never
10. Conceptual Relationship Between Risk and Frequency
[Chart: vertical axis “Frequency of Audit/Review” (Not at all? → Annually → Semi-Annually → Quarterly → Monthly → Weekly → Daily → More Than Daily); horizontal axis “Level of Risk/Criticality of Real-Time Information and Analysis” (L → H)]
11. The Choice – How Often You Act
Key Point: “Continuous Auditing” can mean a lot of things along the auditing/monitoring frequency continuum
[Chart: “Frequency of Auditing/Monitoring” continuum, from “Not at All, Never” (Not worth it?) → Less than Annually → Annually → Semi-Annually → Quarterly → Monthly → Weekly → Daily → More than Daily → “All of the Time, Uninterrupted”]
12. Possible Continuous Auditing/Monitoring Needs
• IT Systems “up-time”
• Breaches of IT Security
• Power supply failure
• “Critical parts” delivery status
• Loss of key personnel
• Data leakage and fraud
• $100 million wire transfers
What does your organization need to know about on a frequent basis?
What does it do about those items now (i.e., monitoring and auditing)?
Is there a need to change the approach to and frequency of oversight?
13. One Way to Start is by Tweaking the Audit Approach to Focus on the Concept of Frequency
Ask these questions…
• What information, activities, etc. are so critical that they need to be monitored on a frequent basis?
• Is there key information that needs to be monitored frequently? What are those items? What monitoring is done currently? What is the current frequency?
• Is the monitoring effective? Does the business unit, process, area, etc. monitor such items at the appropriate frequency?
• Does internal audit need to change the frequency of its audit process related to these items? Are there monitoring gaps, i.e., things which should be monitored, but aren’t?
14. A Risk-Based Assessment Can Be Useful
Consider the nature of the risks…
Key Risks
• Critical risk potentially threatens achievement of company-wide objectives
• High monitoring activity
Secondary Risks (lower likelihood, higher impact)
• Lower likelihood but could have significant adverse effect if risk is realized
• Some monitoring needed to assess changing conditions
Secondary Risks (higher likelihood, lower impact)
• May be indicative of budding operational issues
• Some monitoring needed to assess changing conditions
Low Priority Risks
• Overall business impact not deemed significant
• Significant monitoring unnecessary unless change occurs in risk classification
15. Consider the Technology…
Ask these questions…
• Is the technology in place being exploited in critical areas to provide transparency into how well critical processes / controls are performing?
• Has IA considered the use of data mining techniques?
• Will the available technology provide dashboard reporting on what matters?
16. Consider the Environment…
Ask these questions…
• Do you expect the Board to change its expectations of the IA function? Is it likely to ask for assurances IA has not provided in the past?
• Is executive management likely to change its expectations?
• What will be the impact of increased transparency about risk and risk management in public disclosures?
• Will rating agencies incorporating an assessment of “ERM quality” have an impact on the need for continuous auditing and risk monitoring?
• Is the organization prepared to deal with the increasing cost of noncompliance and surprise?
• Has the organization considered the recent COSO guidance on the monitoring component of internal control?
17. A Point of View – 1 of 2
• The concept of identifying the optimal frequency of monitoring and auditing makes good sense
• The actual frequency of monitoring and auditing should be risk-based and consider criticality, need to know and the degree of change
• In many cases, it is preferable for the business units and processes to embed frequency-based monitoring than for internal audit to solely audit more frequently
• Technology can be used frequently or infrequently
• Depending on objectives, risks, controls and other constraints, it is not necessary to evaluate or test 100% of transactions
• Given the increasing pace of change globally in business and industry, it makes sense that the frequency of monitoring could also likely increase
18. A Point of View – 2 of 2
• Complexity, volatility and the susceptibility to error are other factors to consider
• Internal audit should work with management and the Audit Committee to determine the appropriate scope and frequency of monitoring and auditing
• “Assurance mapping” may be an appropriate analytical technique for evaluating who does what and determining where internal audit fits
• If you have to audit at “a high frequency”, is that an indication that there is something wrong with the control design?
• Technology is a clear enabler to achieving efficiency and is a leading practice
19. Continuous Monitoring Considerations and Approach
• Give preference to monitoring before auditing as it leverages people and the control environment more effectively
• Adjust the audit approach based on an evaluation of continuous monitoring by area, business unit, process, location, etc.
• Consider developing management and employee training on monitoring to help drive in the concept of “frequency of monitoring” across the organization, thus “building in” quality (as opposed to “inspecting in”)
• When issuing audit reports, make recommendations regarding opportunities to use monitoring in the business, at the appropriate frequency, based on risk, value added and degree of expected change
• The idea is to make some progress ahead of any audits to address the issue of “How often should we monitor what information, controls, etc.?”
• Coordinate with IT on any possible/needed technology applications
20. Continuous Auditing Considerations and Approach
• Leverage continuous monitoring activity; challenge continuous monitoring efforts by management and business units to ensure their appropriate application and effectiveness
• Determine more frequent auditing needs, and evaluate and implement as needed
• Use technology to increase the accuracy and the population of transactions audited and to decrease cost
• Critically evaluate control design for any area where very frequent auditing is considered or applied
• Should frequent auditing be a last resort? Should more frequent monitoring be a first resort?
21. Summary
• While continuous auditing and continuous monitoring are powerful and important concepts, the terminology must be understood
• The changing environment is driving a need for effective monitoring and for IA to upgrade its capabilities
• The desired “frequency” of how items are monitored or audited needs to be evaluated using a top-down, risk-based approach
It’s all about “How often, how much and why”
23. Institute of Internal Auditors (IIA) Standards: Definition of Internal Auditing
Internal Auditing …
… provides independent, objective assurance and consulting services
… helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes
24. Why Continuous Monitoring?
“Throughout the next five years, the value of the controls-focused approach that has dominated internal audit is expected to diminish”
“One of the five key trends that will drive this reshaping of internal audit by 2012 is technological advancement.”
“As this occurs, internal audit leaders must adopt risk-centric mindsets if they want to remain key players in assurance and risk management.”
Source: PricewaterhouseCoopers “Internal Audit 2012”
25. Why Continuous Monitoring?
Focus
  Historic Internal Audit: Audit entities based on rotational plan
  Mainstream Internal Audit: Prioritize audit entities based on risk
  Cutting Edge Audit: Focus on strategic, business and process risk
Perspective
  Historic Internal Audit: Historic
  Mainstream Internal Audit: Historic
  Cutting Edge Audit: Future
Style
  Historic Internal Audit: Corporate police
  Mainstream Internal Audit: Father knows best
  Cutting Edge Audit: Consultant and advisor
Mandate
  Historic Internal Audit: Compliance with policies and procedures
  Mainstream Internal Audit: Assurance on financial control, compliance
  Cutting Edge Audit: Business assurance
Risk Focus
  Historic Internal Audit: Financial
  Mainstream Internal Audit: Financial plus
  Cutting Edge Audit: Enterprise risks
Toolkit
  Historic Internal Audit: Compliance work programs
  Mainstream Internal Audit: Audit work programs for key processes / controls
  Cutting Edge Audit: Risk frameworks, self-assessments
Technology
  Historic Internal Audit: None
  Mainstream Internal Audit: Automated workpapers
  Cutting Edge Audit: Automated testing and continuous monitoring
Results
  Historic Internal Audit: Small “findings”
  Mainstream Internal Audit: Assurance; key audit entities
  Cutting Edge Audit: Proactive risk management; dynamic reporting
Source: Deloitte and Touche LLP: Patty Miller, IIA Chairman 2008-2009
26. Definition
Continuous risk and controls assurance is:
“The ability to provide stakeholders* with assurance on a continuing basis that the more significant risks are managed and related controls are operating effectively.”
* Stakeholders typically include the board (or one or more committees of the board) and executive management
27. Value
Continuous risk and control assurance has tremendous value to an organization …
It reduces the likelihood of SURPRISES to the board and executive management
28. Risks and Controls Assurance
– Provide assurance on significant risks across the organization
  • Integrate with enterprise risk management
  • Select which risks to address
– Provide assurance on related controls
  • Identify the key controls for significant risks
  • Leverage work of other assurance providers (“GRC convergence”)
– Provide assurance on a continuing basis
  • Continuous risk monitoring
  • Continuous control and data auditing
31. Continuous Assurance Example
– Hypothetical organization
– Risk: Finished goods inventory theft
– Controls shown in example are not a complete list
32. Continuous Assurance Example: G&O and Risk Monitoring
– Continuously monitor KPI of actual losses reported
– Continuously monitor risk through reports of inventory levels, actual losses reported, reports from Corporate Security (following their audits), and monitoring of employee morale statistics
33. Objective: Safeguard Enterprise Assets
Risk: Theft of Finished Goods Inventory
Controls (type of control – control):
– Entity-level – The organization has a code of business conduct
– Entity-level – New employees are required to confirm their understanding of the code of conduct. Records are maintained in the HR system.
– Entity-level – All employees sign a code of conduct certification annually and records are maintained in the HR system
– Entity-level – Hiring procedures include background checks, with records maintained in the HR system
– Business process – Physical access to finished goods inventories is restricted based on business need
– Business process – Finished goods inventories are physically secured by doors, cameras, and monitored by guards
– Business process – After inventory counts are entered, the inventory module provides reports showing inventory variances. Each report shows the inventory per the system, the inventory counted, and the calculated variances.
– Business process – Only the inventory manager can approve the posting of inventory adjustments (e.g., write-offs following the inventory count)
– IT general control – All inventory program changes are approved by the inventory manager in Remedy
34. Continuous Assurance Example: Controls Strategy
Control: The organization has a code of business conduct
  Assurance strategy: Included in test of certifications
  Assurance procedure: n/a
Control: New employees are required to confirm their understanding of the code of conduct. Records are maintained in the HR system.
  Assurance strategy: Continuous data auditing of HR records
  Assurance procedure: Identify any employees who have not confirmed the code of conduct within 3 months of hire, according to HR records
  Assurance strategy: Periodic auditing of HR system maintenance procedures
  Assurance procedure: On a periodic basis, validate that HR records are updated accurately and on a timely basis
Control: All employees sign a code of conduct certification annually and records are maintained in the HR system
  Assurance strategy: Continuous data auditing of HR records
  Assurance procedure: Identify any employees who have not certified the code of conduct as required
  Assurance strategy: Periodic auditing of HR system maintenance procedures
  Assurance procedure: On a periodic basis, validate that HR records are updated accurately and on a timely basis
35. Continuous Assurance Example: Controls Strategy (cont.)
Control: Hiring procedures include background checks, with records maintained in the HR system
  Assurance strategy: Continuous data auditing of HR records
  Assurance procedure: n/a
  Assurance strategy: Periodic auditing of HR system maintenance procedures
  Assurance procedure: On a periodic basis, validate that HR records are updated accurately and on a timely basis
Control: Physical access to finished goods inventories is restricted based on business need
  Assurance strategy: Continuous data auditing
  Assurance procedure: Identify any individual whose badge grants access to finished goods inventory but who does not have a business need based on job function (per HR system)
Control: Finished goods inventories are physically secured by doors, cameras, and monitored by guards
  Assurance strategy: Reliance on physical security audits by Corporate Security, together with monitoring of security audits
  Assurance procedure: Obtain an alert whenever a security audit report is filed by exceptions
  Assurance strategy: Continuous data auditing
  Assurance procedure: Identify any delays in filing the results of security audits (required at least quarterly)
36. Continuous Assurance Example: Controls Strategy (cont.)
Control: After inventory counts are entered, the inventory module provides reports showing inventory variances. Each report shows the inventory per the system, the inventory counted, and the calculated variances.
  Assurance strategy: Reliance on annual SOX reperformance of application controls
  Assurance procedure: SOX testing includes reperformance of the inventory variance calculation
Control: Only the inventory manager can approve the posting of inventory adjustments (e.g., write-offs following the inventory count)
  Assurance strategy: Continuous control and data auditing
  Assurance procedure: Continuous testing of Access Control procedures, including that no changes are made to authority to approve inventory adjustments (exception report is sent to IT Security and internal audit if there are changes)
Control: All inventory program changes are approved by the inventory manager in Remedy
  Assurance strategy: Reliance on annual SOX testing of IT general controls
  Assurance procedure: SOX testing includes continuous data testing that only inventory manager approves program changes
Etc.
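The "continuous data auditing" procedures in the three controls-strategy tables above are, in practice, exception queries run on a schedule against the HR system, the badge system, the security-audit log and the access-control change log. The following is an added illustration of that (it is not code from the roundtable, Protiviti or SAP, and does not represent any SAP BusinessObjects product). Every record layout, field name, job-function list and sample row is a constructed assumption, as are the numeric thresholds that stand in for the slides' wording: 365 days for "annually", 90 days for "within 3 months of hire", 92 days for "at least quarterly".

```python
"""Continuous data-auditing checks for the finished-goods theft example.
Added illustration; not code from the roundtable, Protiviti or SAP. Record
layouts, field names, thresholds and sample rows are constructed assumptions
standing in for an HR system, a badge system, a security-audit log and an
access-control change log."""
from datetime import date, timedelta

AS_OF = date(2009, 9, 23)                 # run date for every check
ANNUAL_WINDOW = timedelta(days=365)       # "certification annually"
NEW_HIRE_WINDOW = timedelta(days=90)      # "within 3 months of hire" (assumed 90 days)
QUARTERLY_WINDOW = timedelta(days=92)     # "at least quarterly" (assumed 92 days)
FG_ZONE = "fg_inventory"                  # badge zone for finished-goods inventory
FG_ACCESS_NEED = {"warehouse_picker", "forklift_operator", "inventory_manager"}

# Constructed HR extract: one row per employee.
HR_RECORDS = [
    {"id": "E1", "job": "warehouse_picker", "hired": date(2005, 3, 1),
     "last_cert": date(2009, 1, 15), "confirmed": True},
    {"id": "E2", "job": "accounts_payable", "hired": date(2007, 6, 1),
     "last_cert": date(2008, 5, 1), "confirmed": True},    # annual cert lapsed
    {"id": "E3", "job": "inventory_manager", "hired": date(2009, 5, 4),
     "last_cert": None, "confirmed": False},               # >3 months, unconfirmed
    {"id": "E4", "job": "forklift_operator", "hired": date(2009, 8, 20),
     "last_cert": None, "confirmed": False},               # still inside 3 months
]
# Constructed badge extract: the zones each badge opens.
BADGES = [
    {"badge": "B1", "id": "E1", "zones": [FG_ZONE, "lobby"]},
    {"badge": "B2", "id": "E2", "zones": [FG_ZONE, "finance_floor"]},  # no need
    {"badge": "B3", "id": "E3", "zones": [FG_ZONE]},
    {"badge": "B4", "id": "E4", "zones": ["lobby"]},
]
# Constructed dates on which Corporate Security filed an audit report.
SECURITY_AUDIT_FILINGS = [date(2009, 1, 10), date(2009, 4, 2), date(2009, 5, 29)]
# Constructed access-control change log.
AUTHORITY_CHANGES = [
    {"when": date(2009, 9, 1), "id": "E2", "authority": "post_journal"},
    {"when": date(2009, 9, 15), "id": "E1", "authority": "approve_inventory_adjustment"},
]


def uncertified_employees(records=HR_RECORDS, as_of=AS_OF):
    """Staff employed a full year whose annual certification is missing or older
    than a year (slide 34: 'not certified the code of conduct as required')."""
    return sorted(
        r["id"] for r in records
        if as_of - r["hired"] >= ANNUAL_WINDOW
        and (r["last_cert"] is None or as_of - r["last_cert"] > ANNUAL_WINDOW))


def unconfirmed_new_hires(records=HR_RECORDS, as_of=AS_OF):
    """New hires past the confirmation window with no confirmation on file
    (slide 34). Hires still inside the window are not exceptions yet."""
    return sorted(
        r["id"] for r in records
        if not r["confirmed"] and as_of - r["hired"] > NEW_HIRE_WINDOW)


def badge_access_without_need(badges=BADGES, records=HR_RECORDS, need=FG_ACCESS_NEED):
    """Badges opening finished-goods inventory whose holder's job function carries
    no business need per HR (slide 35). A badge whose holder is not in HR at all
    is reported too: an orphaned credential is the larger exception."""
    job_by_id = {r["id"]: r["job"] for r in records}
    return sorted(
        b["badge"] for b in badges
        if FG_ZONE in b["zones"] and job_by_id.get(b["id"]) not in need)


def overdue_security_audits(filings=SECURITY_AUDIT_FILINGS, as_of=AS_OF,
                            window=QUARTERLY_WINDOW):
    """Gaps between consecutive filings longer than the quarterly requirement
    (slide 35), including the open gap from the last filing up to as_of.
    Returns (gap_start, gap_end, days) tuples."""
    points = sorted(filings) + [as_of]
    return [(a, b, (b - a).days) for a, b in zip(points, points[1:])
            if (b - a).days > window.days]


def inventory_adjustment_authority_changes(changes=AUTHORITY_CHANGES):
    """Any change to who may approve inventory adjustments (slide 36); the slide
    routes these to IT Security and internal audit as an exception report."""
    return [c for c in changes if c["authority"] == "approve_inventory_adjustment"]


def run_all(as_of=AS_OF):
    """One pass of the continuous checks, returning exceptions keyed by control."""
    return {
        "annual_certification": uncertified_employees(as_of=as_of),
        "new_hire_confirmation": unconfirmed_new_hires(as_of=as_of),
        "fg_badge_access": badge_access_without_need(),
        "security_audit_filing": overdue_security_audits(as_of=as_of),
        "adjustment_authority": inventory_adjustment_authority_changes(),
    }


if __name__ == "__main__":
    for control, exceptions in run_all().items():
        print(f"{control}: {exceptions or 'no exceptions'}")
```

Two design points follow the slides rather than convenience. Each check reports only records that are exceptions today (a new hire still inside the confirmation window is not one), so the output is an exception list that can be routed to IT Security and internal audit as slide 36 describes, not a status dump. And the security-audit check treats the open interval since the last filing as a gap, because "required at least quarterly" is violated by silence as much as by a late report; a check that only compares past filings to each other would never notice that the reports had simply stopped.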
37. Continuous Assurance Example: Observations
– Not all the “testing” is automated
– Not all the assurance work is continuous, depending on risk, etc.
– The debate on continuous monitoring (i.e., by management) and continuous auditing (by internal audit)
  • Organization needs effective controls monitoring
  • Internal audit is one potential source (COSO Monitoring)
  • Each organization will decide who does what
  • IA needs assurance on management monitoring
38. Continuous Fraud Detection
– Continuous fraud risk and control assurance is an integral part of the continuous assurance model:
  • Fraud risk monitoring
  • Fraud controls assurance
  • Fraud detection
39. The Role of Automation
– Management of organizational goals and objectives
– Risk management
– Continuous risk monitoring
– Continuous controls and data auditing
– On demand data auditing
– Assurance dashboards
40. Continuous Assurance and SAP Solutions
– SAP BusinessObjects Strategy Management
– SAP BusinessObjects Risk Management
– SAP BusinessObjects Process Control
– SAP BusinessObjects Access Control
– SAP BusinessObjects Business Intelligence
Role of Automation – Enabled by:
– Management of organizational goals and objectives – SAP BusinessObjects Strategy Management
– Risk management – SAP BusinessObjects Risk Management
– Continuous risk monitoring – SAP BusinessObjects Risk Management, Process Control, and Access Control
– Continuous controls and data auditing – SAP BusinessObjects Process Control, Access Control, and Business Intelligence (BI)
– On demand data auditing – SAP BusinessObjects Process Control and Business Warehouse
– Assurance dashboards – SAP BusinessObjects Risk Management, Process Control, and BI
41. Key Points to Take Home
– A top-down and risk-based continuous assurance model for internal audit adds value to the enterprise
– Implementing continuous auditing/monitoring without first identifying the risks to address, understanding the controls in place, and considering available assurance techniques is unlikely to achieve risk and controls assurance objectives
– Continuous assurance techniques are not exclusively automated
– Auditing transactions does not necessarily provide assurance of the effectiveness of related controls
– A continuous risk and controls assurance program is enabled by technology, such as SAP BusinessObjects solutions
– There is no solution that should be implemented “out of the box”. The solution should be flexible, enabling activities to be based on the specific risks and assurance requirements of the organization.
42. Our Agenda Today: Questions
43. Roundtable Discussion Questions
Continuous auditing – Is it different from, or the same as, applying computer-assisted audit techniques (CAATs) more frequently?
45. Roundtable Discussion Questions
What areas warrant the intensive focus of continuous auditing and monitoring, and how is this related to the execution of a risk-based internal audit plan?
46–51. Roundtable Discussion Questions
What information, processes and activities are so critical that they need to be monitored more frequently and how does risk enter the picture?
• Is there key information that needs to be monitored frequently? What are those items? What is the appropriate frequency?
• Does a business unit, process owner, area management, etc. monitor such items with the appropriate frequency?
• Does the CAE need to change the frequency of audits related to these items?
• What should be excluded from the scope of continuous auditing?
• What interest does the CFO take in continuous monitoring and assurance? The CRO? The CIO? The CLO or CCO? The Audit Committee?
52. Roundtable Discussion Questions
How does a continuous auditing program change the make-up of the internal audit department, and its relationships with management?