Posted: 16-Jan-2017 (Technology)
Emerging Practices Around Continuous Auditing and Risk Monitoring: A Roundtable
Jim DeLoach, Protiviti Managing Director
Norman Marks, SAP Vice President
September 23, 2009
Our Agenda Today
• Introductions and expectations (Group)
• What the market is doing: A framework for discussion (Jim DeLoach)
• The role of automation (Norman Marks)
• Roundtable discussion (Group)
• Summary and final observations (Group)
Let's Clarify Some Terminology
• Continuous - All the time, never ending, more than periodic, more than frequent, uninterrupted…
• Auditing - Derived from the Latin word for "to listen", but more pragmatically: "objective or secondary review, testing and evidence gathering about a topic, item, issue, process, location, transaction, control, risk etc."
• Monitoring - Ongoing or separate evaluations of internal processes, internal control systems or risk management capabilities to ensure they are performing as designed or intended. "Monitoring ensures that internal control continues to operate effectively."
Is "continuous" really what you want to do?
GTAG – On Continuous Auditing
• "Continuous Auditing is a method used to perform control and risk assessments automatically on a more frequent basis."
• This leaves open the question of what frequency is appropriate
• Technology is key to enabling such an approach, changing the audit paradigm from periodic reviews of a sample of transactions to ongoing audit testing of 100% of transactions
• "With automated, frequent analyses of data, they (the auditors) are able to perform control and risk assessments in real time or near real time."
Is this really just the concept of using CAATs more frequently?
GTAG – On Continuous Auditing (cont.)
• A combined strategy of continuous auditing and continuous monitoring is ideal
• Continuous monitoring encompasses the processes that management puts in place to ensure that the policies, procedures and business processes are operating effectively
• Many of the techniques of continuous monitoring of risks and controls by management are similar to those that may be performed in continuous auditing by internal auditors
Where should continuous "activities" be embedded? In the business processes themselves or in the internal audit function?
Would you want any overlap or duplication?
If something is monitored every day, why would you audit it continuously?
Continuous Auditing and Continuous Monitoring should be RISK-BASED
• Which items need true "continuous" monitoring or auditing, that is, more frequent attention?
• Should there be a process to determine the appropriate "frequency" of auditing and monitoring activity for locations, transactions, processes, etc. in an organization?
Are "Continuous Auditing" and "Continuous Monitoring" techniques that should be used only in areas that warrant such attention levels?
If so, how do you determine such areas?
Take a Lesson from SOX on "Frequency"
• Continuously, uninterrupted, real-time
• More than daily
• Daily
• Weekly
• Monthly
• Quarterly
• Semi-annually
• Annually
• As needed
• Never
Conceptual Relationship Between Risk and Frequency
[Figure: frequency of audit/review on the vertical axis ("not at all?", annually, semi-annually, quarterly, monthly, weekly, daily, more than daily) against level of risk/criticality of real-time information and analysis on the horizontal axis (low to high).]
"Continuous Auditing" can mean a lot of things along the auditing/monitoring frequency continuum
The Choice – How Often You Act
Frequency of auditing/monitoring, from least to most frequent:
• Not at all, never ("not worth it?")
• Less than annually
• Annually
• Semi-annually
• Quarterly
• Monthly
• Weekly
• Daily
• More than daily
• All of the time, uninterrupted
Key point: the choice is where on this scale each item belongs.
Possible Continuous Auditing/Monitoring Needs
• IT systems "up-time"
• Breaches of IT security
• Power supply failure
• "Critical parts" delivery status
• Loss of key personnel
• Data leakage and fraud
• $100 million wire transfers
What does your organization need to know about on a frequent basis?
What does it do about those items now (i.e., monitoring and auditing)?
Is there a need to change the approach to and frequency of oversight?
One Way to Start is by Tweaking the Audit Approach to Focus on the Concept of Frequency
Ask these questions…
• What information, activities, etc. are so critical that they need to be monitored on a frequent basis?
• Is there key information that needs to be monitored frequently? What are those items? What monitoring is done currently? What is the current frequency?
• Is the monitoring effective? Does the business unit, process, area, etc. monitor such items at the appropriate frequency?
• Does internal audit need to change the frequency of its audit process related to these items? Are there monitoring gaps, i.e., things which should be monitored, but aren't?
A Risk-Based Assessment Can Be Useful
Consider the nature of the risks…
• Key risks: critical risk potentially threatens achievement of company-wide objectives; high monitoring activity
• Secondary risks: (a) lower likelihood but could have significant adverse effect if the risk is realized; (b) may be indicative of budding operational issues. In both cases some monitoring is needed to assess changing conditions
• Low priority risks: overall business impact not deemed significant; significant monitoring unnecessary unless a change occurs in risk classification
Consider the Technology…
Ask these questions…
• Is the technology in place being exploited in critical areas to provide transparency into how well critical processes / controls are performing?
• Has IA considered the use of data mining techniques?
• Will the available technology provide dashboard reporting on what matters?
Consider the Environment…
Ask these questions…
• Do you expect the Board to change its expectations of the IA function? Is it likely to ask for assurances IA has not provided in the past?
• Is executive management likely to change its expectations?
• What will be the impact of increased transparency about risk and risk management in public disclosures?
• Will rating agencies incorporating an assessment of "ERM quality" have an impact on the need for continuous auditing and risk monitoring?
• Is the organization prepared to deal with the increasing cost of noncompliance and surprise?
• Has the organization considered the recent COSO guidance on the monitoring component of internal control?
A Point of View – 1 of 2
• The concept of identifying the optimal frequency of monitoring and auditing makes good sense
• The actual frequency of monitoring and auditing should be risk-based and consider criticality, need to know and the degree of change
• In many cases, it is preferable for the business units and processes to embed frequency-based monitoring than for internal audit solely to audit more frequently
• Technology can be used frequently or infrequently
• Not every transaction necessarily has to be evaluated or tested; that depends on objectives, risks, controls and other constraints
• Given the increasing pace of change globally in business and industry, it makes sense that the frequency of monitoring is also likely to increase
A Point of View – 2 of 2
• Complexity, volatility and the susceptibility to error are other factors to consider
• Internal audit should work with management and the Audit Committee to determine the appropriate scope and frequency of monitoring and auditing
• "Assurance mapping" may be an appropriate analytical technique for evaluating who does what and determining where internal audit fits
• If you have to audit at "a high frequency", is that an indication that there is something wrong with the control design?
• Technology is a clear enabler to achieving efficiency and is a leading practice
Continuous Monitoring Considerations and Approach
• Give preference to monitoring before auditing as it leverages people and the control environment more effectively
• Adjust the audit approach based on an evaluation of continuous monitoring by area, business unit, process, location, etc.
• Consider developing management and employee training on monitoring to help drive in the concept of "frequency of monitoring" across the organization, thus "building in" quality (as opposed to "inspecting in")
• When issuing audit reports, make recommendations regarding opportunities to use monitoring in the business, at the appropriate frequency, based on risk, value added and degree of expected change
• The idea is to make some progress ahead of any audits to address the issue of "How often should we monitor what information, controls, etc.?"
• Coordinate with IT on any possible/needed technology applications
Continuous Auditing Considerations and Approach
• Leverage continuous monitoring activity; challenge continuous monitoring efforts by management and business units to ensure their appropriate application and effectiveness
• Determine more frequent auditing needs, and evaluate and implement as needed
• Use technology to increase accuracy and the population of transactions audited, and to decrease cost
• Critically evaluate control design for any area where very frequent auditing is considered or applied
• Should frequent auditing be a last resort? Should more frequent monitoring be a first resort?
Summary
• While continuous auditing and continuous monitoring are powerful and important concepts, the terminology must be understood
• The changing environment is driving a need for effective monitoring and for IA to upgrade its capabilities
• The desired "frequency" of how items are monitored or audited needs to be evaluated using a top-down, risk-based approach
It's all about "How often, how much and why"
The Role of Automation (Norman Marks)
Institute of Internal Auditors (IIA) Standards: Definition of Internal Auditing
Internal Auditing …
… provides independent, objective assurance and consulting services
… helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes
Why Continuous Monitoring?
"Throughout the next five years, the value of the controls-focused approach that has dominated internal audit is expected to diminish. As this occurs, internal audit leaders must adopt risk-centric mindsets if they want to remain key players in assurance and risk management."
"One of the five key trends that will drive this reshaping of internal audit by 2012 is technological advancement."
Source: PricewaterhouseCoopers "Internal Audit 2012"
Why Continuous Monitoring? (cont.)
Dimension | Historic Internal Audit | Mainstream Internal Audit | Cutting Edge Audit
Focus | Audit entities based on rotational plan | Prioritize audit entities based on risk | Focus on strategic, business and process risk
Perspective | Historic | Historic | Future
Style | Corporate police | Father knows best | Consultant and advisor
Mandate | Compliance with policies and procedures | Assurance on financial control, compliance | Business assurance
Risk Focus | Financial | Financial plus | Enterprise risks
Toolkit | Compliance work programs | Audit work programs for key processes / controls | Risk frameworks, self-assessments
Technology | None | Automated workpapers | Automated testing and continuous monitoring
Results | Small "findings" | Assurance; key audit entities | Proactive risk management; dynamic reporting
Source: Deloitte & Touche LLP: Patty Miller, IIA Chairman 2008-2009
Definition
"Continuous risk and controls assurance is: the ability to provide stakeholders* with assurance on a continuing basis that the more significant risks are managed and related controls are operating effectively."
* Stakeholders typically include the board (or one or more committees of the board) and executive management
Value
Continuous risk and control assurance has tremendous value to an organization … It reduces the likelihood of SURPRISES to the board and executive management
– Provide assurance on significant risks across the organization
• Integrate with enterprise risk management
• Select which risks to address
– Provide assurance on related controls
• Identify the key controls for significant risks
• Leverage work of other assurance providers ("GRC convergence")
– Provide assurance on a continuing basis
• Continuous risk monitoring
• Continuous control and data auditing
Continuous Assurance Model – Risks and Controls Assurance
Continuous Assurance Example: Combination of Key Controls
– Hypothetical organization
– Risk: Finished goods inventory theft
– Controls shown in the example are not a complete list
Continuous Assurance Example: G&O and Risk Monitoring
Objective: Safeguard Enterprise Assets
Risk: Theft of Finished Goods Inventory
– Continuously monitor KPI of actual losses reported
– Continuously monitor risk through reports of inventory levels, actual losses reported, reports from Corporate Security (following their audits), and monitoring of employee morale statistics
Continuous Assurance Example: Controls Strategy
Type of Control | Control
Entity-level | The organization has a code of business conduct
Entity-level | New employees are required to confirm their understanding of the code of conduct. Records are maintained in the HR system.
Entity-level | All employees sign a code of conduct certification annually and records are maintained in the HR system
Entity-level | Hiring procedures include background checks, with records maintained in the HR system
Business process | Physical access to finished goods inventories is restricted based on business need
Business process | Finished goods inventories are physically secured by doors, cameras, and monitored by guards
Business process | After inventory counts are entered, the inventory module provides reports showing inventory variances. Each report shows the inventory per the system, the inventory counted, and the calculated variances.
Business process | Only the inventory manager can approve the posting of inventory adjustments (e.g., write-offs following the inventory count)
IT general control | All inventory program changes are approved by the inventory manager in Remedy
Continuous Assurance Example: Controls Strategy (cont.)
Control | Assurance Strategy | Assurance Procedure
The organization has a code of business conduct | n/a | Included in test of certifications
New employees are required to confirm their understanding of the code of conduct. Records are maintained in the HR system. | Continuous data auditing of HR records | Identify any employees who have not confirmed the code of conduct within 3 months of hire, according to HR records
(same control) | Periodic auditing of HR system maintenance procedures | On a periodic basis, validate that HR records are updated accurately and on a timely basis
All employees sign a code of conduct certification annually and records are maintained in the HR system | Continuous data auditing of HR records | Identify any employees who have not certified the code of conduct as required
(same control) | Periodic auditing of HR system maintenance procedures | On a periodic basis, validate that HR records are updated accurately and on a timely basis
Continuous Assurance Example: Controls Strategy (cont.)
Control | Assurance Strategy | Assurance Procedure
Hiring procedures include background checks, with records maintained in the HR system | Continuous data auditing of HR records | n/a
(same control) | Periodic auditing of HR system maintenance procedures | On a periodic basis, validate that HR records are updated accurately and on a timely basis
Physical access to finished goods inventories is restricted based on business need | Continuous data auditing | Identify any individual whose badge grants access to finished goods inventory but who does not have a business need based on job function (per HR system)
Finished goods inventories are physically secured by doors, cameras, and monitored by guards | Reliance on physical security audits by Corporate Security, together with monitoring of security audits | Obtain an alert whenever a security audit report is filed with exceptions
(same control) | Continuous data auditing | Identify any delays in filing the results of security audits (required at least quarterly)
Continuous Assurance Example: Controls Strategy (cont.)
Control | Assurance Strategy | Assurance Procedure
After inventory counts are entered, the inventory module provides reports showing inventory variances. Each report shows the inventory per the system, the inventory counted, and the calculated variances. | Reliance on annual SOX reperformance of application controls | SOX testing includes reperformance of the inventory variance calculation
Only the inventory manager can approve the posting of inventory adjustments (e.g., write-offs following the inventory count) | Continuous control and data auditing | Continuous testing of access control procedures, including that no changes are made to authority to approve inventory adjustments (exception report is sent to IT Security and internal audit if there are changes)
All inventory program changes are approved by the inventory manager in Remedy | Reliance on annual SOX testing of IT general controls | SOX testing includes continuous data testing that only the inventory manager approves program changes
Etc.
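The continuous data auditing procedures in the controls strategy above (annual certifications, new-hire confirmations within 3 months, badge access versus HR job function, quarterly security-audit filings, and changes to who may approve inventory adjustments) reduce to joins and date comparisons over system extracts. The following Python is an added example written for this page; it is not code from the roundtable, from Protiviti, or from any SAP BusinessObjects product. The record layouts, field names, role list, thresholds and sample rows are constructed assumptions standing in for HR, badge-system, filing-log and access-control extracts.

```python
"""Continuous data auditing checks for the finished-goods inventory example.

Added example for this page, not from the roundtable deck or any SAP product.
Record layouts, field names, thresholds and the sample rows are constructed
assumptions standing in for HR, badge-system, filing-log and access-control
extracts. Each check returns the exceptions a scheduled audit job would report.
"""
from datetime import date, timedelta

AS_OF = date(2009, 9, 23)  # constructed run date for the job

# Constructed HR extract. certified = last annual code-of-conduct certification,
# confirmed = date the new hire confirmed the code (None = not yet recorded).
HR = [
    {"emp": "E001", "hired": date(2005, 3, 1), "job": "Warehouse Associate",
     "status": "active", "certified": date(2009, 2, 1), "confirmed": date(2005, 3, 2)},
    {"emp": "E002", "hired": date(2009, 5, 15), "job": "Accounts Payable",
     "status": "active", "certified": None, "confirmed": None},
    {"emp": "E003", "hired": date(2009, 8, 20), "job": "Inventory Manager",
     "status": "active", "certified": None, "confirmed": None},
    {"emp": "E004", "hired": date(2007, 1, 10), "job": "Marketing Analyst",
     "status": "active", "certified": date(2008, 6, 30), "confirmed": date(2007, 1, 11)},
    {"emp": "E005", "hired": date(2006, 9, 1), "job": "Security Guard",
     "status": "terminated", "certified": date(2009, 1, 5), "confirmed": date(2006, 9, 1)},
]
# Constructed badge-system extract: badges that open the finished-goods area.
FG_BADGES = {"E001", "E003", "E004", "E005", "E999"}
# Constructed list of job functions with a business need for that access.
FG_ROLES = {"Warehouse Associate", "Inventory Manager", "Security Guard"}
# Constructed filing log of Corporate Security's physical-security audits.
SECURITY_AUDIT_FILINGS = [date(2009, 1, 15), date(2009, 4, 10), date(2009, 6, 1)]
# Constructed access-control snapshots: who may approve inventory adjustments.
APPROVERS_BASELINE = {"E003"}
APPROVERS_TODAY = {"E003", "E002"}


def uncertified_employees(hr, as_of=AS_OF, max_age_days=365):
    """Active staff with no code-of-conduct certification in the last year.
    Hires too recent to have had an annual cycle are left to the new-hire check."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(r["emp"] for r in hr
                  if r["status"] == "active" and r["hired"] <= cutoff
                  and (r["certified"] is None or r["certified"] < cutoff))


def unconfirmed_new_hires(hr, as_of=AS_OF, grace_days=90):
    """Active new hires past the 3-month grace period with no confirmation on file."""
    return sorted(r["emp"] for r in hr
                  if r["status"] == "active" and r["confirmed"] is None
                  and r["hired"] + timedelta(days=grace_days) < as_of)


def badge_access_without_need(badges, hr, allowed_roles):
    """Badge holders for the finished-goods area whose HR record gives no
    business need: unknown to HR, not active, or in a job outside allowed_roles."""
    by_emp = {r["emp"]: r for r in hr}
    exceptions = []
    for emp in sorted(badges):
        rec = by_emp.get(emp)
        if rec is None:
            exceptions.append((emp, "no HR record for badge holder"))
        elif rec["status"] != "active":
            exceptions.append((emp, f"badge active but HR status is {rec['status']}"))
        elif rec["job"] not in allowed_roles:
            exceptions.append((emp, f"job function {rec['job']} has no business need"))
    return exceptions


def overdue_security_audits(filings, as_of=AS_OF, max_gap_days=92):
    """Gaps longer than a quarter between consecutive filings, or between the
    latest filing and the run date (i.e. an audit is currently overdue)."""
    points = sorted(filings) + [as_of]
    return [(a, b, (b - a).days) for a, b in zip(points, points[1:])
            if (b - a).days > max_gap_days]


def approval_authority_changes(baseline, current):
    """Exception report on who may approve inventory adjustments versus the
    approved baseline; any delta goes to IT Security and internal audit."""
    return {"added": sorted(current - baseline), "removed": sorted(baseline - current)}


def run_all():
    """One scheduled run of every check, keyed by the control it supports."""
    return {
        "annual_certification": uncertified_employees(HR),
        "new_hire_confirmation": unconfirmed_new_hires(HR),
        "fg_badge_access": badge_access_without_need(FG_BADGES, HR, FG_ROLES),
        "security_audit_filing": overdue_security_audits(SECURITY_AUDIT_FILINGS),
        "adjustment_approvers": approval_authority_changes(APPROVERS_BASELINE, APPROVERS_TODAY),
    }


if __name__ == "__main__":
    for control, exceptions in run_all().items():
        print(control, "->", exceptions or "no exceptions")
```

Each check returns the exception population rather than a pass/fail flag, so the output can be routed the way the table describes (for example, approver changes to IT Security and internal audit), and the tolerances (365 days, 90 days, 92 days) are parameters because the appropriate frequency is a risk-based choice, not a constant. The caveat the deck itself raises applies here: these checks audit the data in the HR and badge systems, not the controls that keep that data correct, which is why the table pairs each continuous check with periodic auditing of HR system maintenance procedures.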
Continuous Assurance Example: Observations
– Not all the "testing" is automated
– Not all the assurance work is continuous, depending on risk, etc.
– The debate on continuous monitoring (i.e., by management) and continuous auditing (by internal audit):
• Organization needs effective controls monitoring
• Internal audit is one potential source (COSO Monitoring)
• Each organization will decide who does what
• IA needs assurance on management monitoring
Continuous Fraud Detection
– Continuous fraud risk and control assurance is an integral part of the continuous assurance model:
• Fraud risk monitoring
• Fraud controls assurance
• Fraud detection
The Role of Automation
– Management of organizational goals and objectives
– Risk management
– Continuous risk monitoring
– Continuous controls and data auditing
– On demand data auditing
– Assurance dashboards
Continuous Assurance and SAP Solutions
– SAP BusinessObjects Strategy Management
– SAP BusinessObjects Risk Management
– SAP BusinessObjects Process Control
– SAP BusinessObjects Access Control
– SAP BusinessObjects Business Intelligence
Role of Automation | Enabled by
Management of organizational goals and objectives | SAP BusinessObjects Strategy Management
Risk management | SAP BusinessObjects Risk Management
Continuous risk monitoring | SAP BusinessObjects Risk Management, Process Control, and Access Control
Continuous controls and data auditing | SAP BusinessObjects Process Control, Access Control, and Business Intelligence (BI)
On demand data auditing | SAP BusinessObjects Process Control and Business Warehouse
Assurance dashboards | SAP BusinessObjects Risk Management, Process Control, and BI
Key Points to Take Home
– A top-down and risk-based continuous assurance model for internal audit adds value to the enterprise
– Implementing continuous auditing/monitoring without first identifying the risks to address, understanding the controls in place, and considering available assurance techniques is unlikely to achieve risk and controls assurance objectives
– Continuous assurance techniques are not exclusively automated
– Auditing transactions does not necessarily provide assurance of the effectiveness of related controls
– A continuous risk and controls assurance program is enabled by technology, such as SAP BusinessObjects solutions
– There is no solution that should be implemented "out of the box". The solution should be flexible, enabling activities to be based on the specific risks and assurance requirements of the organization.
Roundtable Discussion Questions
• Continuous auditing – Is it different from, or the same as, applying computer-assisted audit techniques (CAATs) more frequently?
• Is there merit to a combined strategy of continuous auditing and continuous monitoring? How does it work?
• What areas warrant the intensive focus of continuous auditing and monitoring, and how is this related to the execution of a risk-based internal audit plan?
• What information, processes and activities are so critical that they need to be monitored more frequently, and how does risk enter the picture?
  – Is there key information that needs to be monitored frequently? What are those items? What is the appropriate frequency?
  – Does a business unit, process owner, area management, etc. monitor such items with the appropriate frequency?
  – Does the CAE need to change the frequency of audits related to these items?
  – What should be excluded from the scope of continuous auditing?
  – What interest does the CFO take in continuous monitoring and assurance? The CRO? The CIO? The CLO or CCO? The Audit Committee?
• How does a continuous auditing program change the make-up of the internal audit department, and its relationships with management?