Continuous Auditing or
Continuous Monitoring?
Drs. Arie Pronk RE RA CISA CAMS
VUrORE theme evening on Continuous Auditing (Dynamising the Audit), 5 September 2006, Amsterdam
Biography
Arie Pronk is Head of Group Audit Operations / Operations & Services within ABN AMRO. He is responsible for worldwide Group Audit Communications, CAATs Services, Audit Systems Support and Audit Issue Tracking. As Global Project Manager CAATs Implementation, he is responsible for delivering a global CAATs infrastructure and methodology to Group Audit.
Agenda
1. Introduction
2. Current Environment & Developments
3. Challenge & Solution
4. Proof of Concept Continuous Monitoring
Introduction
IIA’s Global Technology Audit Guide 3
GTAG 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
Continuous Auditing: a method used to perform audit-related activities on a continuous basis; includes control and risk assessment. Performed by Internal Audit.
Continuous Monitoring: processes to ensure that policies/processes are operating effectively and to assess the adequacy/effectiveness of controls. Performed by operational/financial management; audit independently evaluates the adequacy of management's monitoring activities.
Continuous Assurance: the combination of continuous auditing and audit oversight of continuous monitoring.
“The power of continuous auditing lies in the intelligent and efficient continuous testing of controls and risks that result in timely notification of gaps and weaknesses to allow immediate follow-up and remediation”
IIA’s Global Technology Audit Guide 3
“The business and regulatory environment and emerging audit standards are driving auditors and management to make more effective use of information and data analysis technologies as a fundamental enabler of continuous auditing and continuous monitoring”
“Pressure to perform ongoing evaluation of internal controls”
“Many of the techniques of continuous monitoring of controls by management are similar to those that may be performed in continuous auditing by the internal audit department”
“The outcomes of continuous auditing and monitoring (by management) are similar and involve notifications or alerts indicating control deficiencies or higher risk levels”
IIA’s Global Technology Audit Guide 3
Current Environment & Developments
Our Environment
A turbulent period with hours and money being spent on SOXA testing, Compliance investigations, preparations for Basel II, etc.
Themes: SOX, Cost Reduction, Synergies, Internal Control, Audit, Risk Management, Basel II, ROB, WID, Compliance, Tabaksblat, Outsourcing, Offshoring, Insourcing, Globalization, Assurance, Takeovers, Back to Basics
Our Environment
Turbulent period with increasing regulatory demands, more disclosure of procedures and controls, and extensive testing of internal controls (e.g. SOXA, Basel II, Corporate Governance)
Growing claim on business and audit resources for internal control and compliance related activities
Business and Corporate Functions both focus on:
- Increasing Economic Profit
- Adhering to internal control and compliance regulations
- Lowering costs to improve the efficiency ratio
See SOXA etc. as an opportunity!
Try to reduce costs and increase benefits!
Steps:
1. Think of control as a process
“Control needs to be viewed as a process model, not just a series of checklists to be completed” *
2. It’s a Business responsibility but Audit can add value!
“The motivation to implement better controls should come from a desire to improve operations, risk management processes, and governance” *
3. Shift from extensive testing to monitoring & active risk management
“Companies need to develop better monitoring procedures that will help them identify when a process has suffered a decrease in control” *
* Rittenberg, There is No Shortcut to Good Controls; Internal Auditor, August 2005
Global Guideline, Activity 12: Determine data application needed, extraction date and location of data
Introduction: Once the request is completed and all appropriate testing parameters are included, the CAATs team determines the data application needed, the cut-off date and the location of the data. (Activity 12)
Objective: Determine whether the data can be independently obtained by the CAATs Team or whether the CAATs Team needs to request a third party, such as IT, to deliver the data.
Responsible: CAATs Expert
Conditions: A complete data request, including all appropriate testing parameters, in the CAATs Knowledge Database.
Resources/Tools: CAATs Knowledge Database
Activities:
- Determine entity involved, application, hardware platform, required tables and fields, extraction date, etc.
- Verify whether the CAATs Team is able to technically interface with the hardware platform, application and data
- Verify whether the required authorization has already been granted by the business owner, and request authorization for access if needed
- Determine tables and fields needed by using the data dictionary
- Verify that data access and extraction is indeed possible
- Verify that data with the required extraction date is available
Comments:
Next Instruction: Decision 13, “Can data be independently obtained by CAATs?”; Activity 16, “Get needed data via approved extraction methods”
Interdependencies:
More information:
See SOXA etc. as an opportunity! (cntd)
Steps (cntd):
4. Integrate control into basic operating activities and avoid unnecessary costs & procedures
5. Synergize by having Business and Corporate Functions work together! Business, Audit, Compliance, Risk Management, IT, Finance, etc. are all looking for the same data on risks and controls!
Go from control checklists to control monitoring
Go from reactive through detective to proactive
Challenge & Solution
Our Challenge
Business needs & challenges:
- Keep up with the changing organization & (control) environment
- Identify and manage risks across the enterprise
- Increase the level of internal control
- Implement monitoring processes that signal impending control deficiencies and take corrective action immediately
Audit needs & challenges:
- Enhance audit assurance to internal and external stakeholders
- Assess control effectiveness and compliance with standards over time
- Proactive audit planning and approach
- More efficient and effective SOXA testing
Required Solution?
- Further improve risk management and control systems
- Enhance cooperation/synergies between Business and Corporate Functions
- Monitor (key) controls more continuously
- Integrate control monitoring in day-to-day business activities
- Install an information systems infrastructure to access, analyze and report relevant information on (key) controls
- Address documentation requirements
Continuous Control Monitoring
Continuous Control Monitoring (cntd)
We need to make sure that monitoring processes signal impending control deficiencies and that corrective action is taken in a timely fashion*
* Rittenberg, There is No Shortcut to Good Controls; Internal Auditor, August 2005
The challenge for business management and corporate functions is to process and refine large volumes of data into actionable information**
This challenge is met by establishing an information systems infrastructure to source, capture, process, analyze and report relevant information**
** COSO ERM
IIA’s Global Technology Audit Guide 3
What is the link with Audit?
“The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.” IIA Performance Standard 2110
“Internal audit functions need to keep up with the changing competitive organisation environment and provide audit coverage aligned with the key risk areas of the organisation”
“The challenge is to work smarter not harder; for internal audit to cover expanding exposures more efficiently and deliver more value through ideas that generate cost savings, revenue enhancements and process improvements”
E&Y Internal Audit Benchmarking Survey; April 2004
What is the link with Audit? (cntd)
- Enhanced assurance to internal and external stakeholders by better assessing control effectiveness and compliance with standards over time through (continuous) monitoring of a larger number of controls with fewer resources
- Improved quality of audits, more efficient and more effective audits by gathering more audit evidence and testing larger populations/data sets
- Flexibility in allocating audit resources to higher risk areas and the ability to be responsive to changes in the control environment by using CAATs on a regular basis to provide continuous auditing or monitoring of key controls or performance indicators
Not only:
1. Test reliability of data and transactions
2. Acquire audit evidence and fact finding
But also:
1. Identify trends, pinpoint exceptions, and highlight potential areas of concern in our audit objects/universe
2. (Continuously) monitor controls, identify control issues and ensure compliance with standards
Proof of Concept Continuous Monitoring
HP’s Continuous Control Modelling and Monitoring (CCMM)
Note: “The challenge for business management and corporate functions is to process and refine large volumes of data into actionable information” (COSO ERM)
Possible solution for providing the information systems infrastructure for documenting and monitoring (key) controls
New assessment approach that systematically isolates and predicts emerging risks in a dynamic control environment to give ongoing visibility to compliance
CCMM Lifecycle
1. (Re-)model the Business Environment into (key) controls
2. Collect and Analyse data
3. Present Real-time Dashboards (Controls, KRIs, KPIs)
4. Make decisions upon Reporting and Alerts
[Diagram: an Analysis Engine takes as inputs the AAB Accounts Payable Controls (Excel spreadsheets), SOXA Templates, Business Processes, and Controls & Metrics, and performs Controls Modeling of Application KPIs, Financial KRIs and Infrastructure KRIs across the Infrastructure, Database, Application and Business Processes layers. Tailored loops for: CISO organization, CFO organization, Business Units, Group Audit, Group Functions, SOX Compliance.]
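To make the lifecycle above concrete, here is a small added example in Python (not code from the deck, and not HP's CCMM product): it models three hypothetical Accounts Payable key controls (segregation of duties, approval above a limit, duplicate postings), runs them over a constructed set of AP postings, computes an exception rate as the KRI for each control, raises an alert when the KRI exceeds the control's tolerance, and produces the per-period series a trend dashboard would plot. The control rules, thresholds, user names and postings are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample of Accounts Payable postings (hypothetical; not ABN AMRO data).
# Fields mimic what the "collect data" step would pull from the AP application.
AP_POSTINGS = [
    {"doc": "5000001", "vendor": "V100", "amount": 1200.00,  "created_by": "jdoe",    "approved_by": "asmith", "period": "2006-01"},
    {"doc": "5000002", "vendor": "V100", "amount": 1200.00,  "created_by": "jdoe",    "approved_by": "asmith", "period": "2006-01"},  # repeat of 5000001
    {"doc": "5000003", "vendor": "V205", "amount": 48000.00, "created_by": "bwong",   "approved_by": "bwong",  "period": "2006-02"},  # creator approved own posting
    {"doc": "5000004", "vendor": "V310", "amount": 75000.00, "created_by": "cmiller", "approved_by": None,     "period": "2006-02"},  # large, not approved
    {"doc": "5000005", "vendor": "V205", "amount": 300.00,   "created_by": "bwong",   "approved_by": "asmith", "period": "2006-03"},
    {"doc": "5000006", "vendor": "V410", "amount": 9800.00,  "created_by": "jdoe",    "approved_by": "asmith", "period": "2006-01"},
    {"doc": "5000007", "vendor": "V410", "amount": 9750.00,  "created_by": "jdoe",    "approved_by": "asmith", "period": "2006-03"},
    {"doc": "5000008", "vendor": "V520", "amount": 52000.00, "created_by": "cmiller", "approved_by": "dlee",   "period": "2006-03"},
    {"doc": "5000009", "vendor": "V100", "amount": 640.00,   "created_by": "jdoe",    "approved_by": "asmith", "period": "2006-02"},
    {"doc": "5000010", "vendor": "V310", "amount": 15.00,    "created_by": "cmiller", "approved_by": "asmith", "period": "2006-03"},
]


@dataclass
class Control:
    """One modelled key control: a test that marks a posting as an exception,
    and the exception rate (KRI) above which the dashboard raises an alert."""
    control_id: str
    description: str
    test: Callable[[dict, List[dict]], bool]
    kri_threshold: float


def sod_breach(p: dict, _: List[dict]) -> bool:
    # Segregation of duties: the user who created the posting may not approve it.
    return p["approved_by"] is not None and p["approved_by"] == p["created_by"]


def missing_approval(p: dict, _: List[dict]) -> bool:
    # Authorisation: postings at or above the (hypothetical) 50,000 limit need an approver.
    return p["amount"] >= 50000 and p["approved_by"] is None


def duplicate_posting(p: dict, population: List[dict]) -> bool:
    # Flags the later of two postings with the same vendor and amount (possible double payment).
    return any(q["vendor"] == p["vendor"] and q["amount"] == p["amount"] and q["doc"] < p["doc"]
               for q in population)


# The control model: what step 1 of the lifecycle produces (thresholds are hypothetical).
CONTROLS = [
    Control("AP-01", "Creator may not approve own posting", sod_breach, 0.05),
    Control("AP-02", "Postings >= 50,000 require approval", missing_approval, 0.0),
    Control("AP-03", "Duplicate vendor/amount posting", duplicate_posting, 0.10),
]


def evaluate(controls: List[Control], postings: List[dict]) -> Dict[str, dict]:
    """Step 2: run every control over the population. Returns, per control, the
    exception documents (for drill-down), the KRI (exception rate) and the alert flag."""
    results = {}
    for c in controls:
        exceptions = [p["doc"] for p in postings if c.test(p, postings)]
        kri = len(exceptions) / len(postings) if postings else 0.0
        results[c.control_id] = {"exceptions": exceptions, "kri": kri, "alert": kri > c.kri_threshold}
    return results


def trend(controls: List[Control], postings: List[dict]) -> Dict[str, Dict[str, float]]:
    """Step 3 input: KRI per period per control, the series a trend dashboard would plot."""
    periods = sorted({p["period"] for p in postings})
    out: Dict[str, Dict[str, float]] = {}
    for c in controls:
        out[c.control_id] = {}
        for per in periods:
            subset = [p for p in postings if p["period"] == per]
            out[c.control_id][per] = evaluate([c], subset)[c.control_id]["kri"]
    return out


def dashboard_lines(controls: List[Control], postings: List[dict]) -> List[str]:
    """Steps 3/4: a text rendering of the dashboard; the alert rows are what management acts on."""
    lines = []
    for c in controls:
        r = evaluate([c], postings)[c.control_id]
        status = "ALERT" if r["alert"] else "ok"
        lines.append(f"{c.control_id} {status:5} KRI={r['kri']:.1%} exceptions={r['exceptions']} ({c.description})")
    return lines


if __name__ == "__main__":
    print("\n".join(dashboard_lines(CONTROLS, AP_POSTINGS)))
    for cid, series in trend(CONTROLS, AP_POSTINGS).items():
        print(cid, {per: f"{v:.0%}" for per, v in series.items()})
```

Run as a script it prints one dashboard row per control and the KRI series per period. Note the design point: exceptions and alerts are separate outputs, so a control can list drill-down exceptions (AP-03 flags one duplicate) while its KRI stays within tolerance, which is exactly the distinction between exception reporting and an alert that a monitoring dashboard needs.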
Objective Proof of Concept
Scope: Accounts Payable process, ABN AMRO BU Netherlands (Q1 2006)
3 tracks:
1. Accounts Payable SAP system access controls
2. Accounts Payable financial process controls
3. Accounts Payable process and SOXA testing template/audit program modelling
Objective:
• Assess usability of the CCMM toolbox in an ABN AMRO environment (processes and IT infrastructure)
Questions for ABN AMRO:
• Do CCMM tools offer added value in addition to already existing tools and techniques?
• And if so, where can we gain most?
Benefits identified
Model: customizable and flexible control environment model; ability to document and maintain SOXA templates and audit programs
Dashboards: dashboards based on exception reporting with drill-down functionality
Reporting: historical data and trend analysis; benchmark across multiple applications
Value adding components
- Runtime insight in key controls and impending areas of concern
- Multi-location/system comparisons
- Off-site monitoring
- Automate repetitive tasks
- Process/risk/control/test repository
Next steps
- Enough positive feedback for next phase
- Build Business Case for pilot project
- Get Management buy-in; Business and Corporate Functions collaboration
- Focus on SOXA-relevant processes implemented in multiple locations
Possible Showstoppers ....
- Availability of data and cooperation of IT personnel
- Required knowledge of systems and data dictionaries
- Tooling, Education, Support
- Budget, Commitment ....
“The underuse of CAATs may be due to a shortage of skills in internal audit functions to perform the testing, investment constraints, setup time, or not seeing the benefits to be gained from CAATs” E&Y Internal Audit Benchmarking Survey; April 2004
Final note
Goal Continuous Monitoring
Provide comfort to management on control over, and performance of, processes
Annex
Introduction ABN AMRO
- International bank with origins going back to 1824
- 8th biggest bank in Europe and 13th in the world
- Over 3,000 branches in almost 60 countries and territories
- A staff of about 97,000 full-time equivalents worldwide
- Focusing on:
  - consumer and commercial clients in our home markets of the Netherlands, the US Midwest, Brazil and in selected growth markets around the world
  - selected wholesale clients with an emphasis on Europe, and financial institutions
  - private clients
Introduction Group Audit
Internal audit function of ABN AMRO Holding N.V., encompasses all majority and wholly owned subsidiary companies
Global Head of Group Audit: Peter Diekman
About 850 employees worldwide (auditors and support staff)
Assurance services and Consulting services: Operational Audits, IT Audits, Financial Audits, Compliance Audits, Project Audits, Inspections, Consultancy and Special Investigations
FTE spread by region:
Asia: 15%
Europe: 16%
Latin America: 22%
North America: 10%
Netherlands: 37%