Continuous auditing and risk monitoring 9 23-09

Emerging Practices Around Continuous Auditing and Risk Monitoring: A Roundtable

Jim DeLoach, Protiviti Managing Director

Norman Marks, SAP Vice President

September 23, 2009

Upload: gaiani-carncorpaudit

Post on 16-Jan-2017



Page 2: Our Agenda Today

• Introductions and expectations (Group)

• What the market is doing: A framework for discussion (Jim DeLoach)

• The role of automation (Norman Marks)

• Roundtable discussion (Group)

• Summary and final observations (Group)


Page 5: Let’s Clarify Some Terminology

• Continuous - All the time, never ending, more than periodic, more than frequent, uninterrupted…

• Auditing - Derived from the word “to listen” in Latin, but more pragmatically… “objective or secondary review, testing and evidence gathering about a topic, item, issue, process, location, transaction, control, risk etc.”

• Monitoring - Ongoing or separate evaluations of internal processes, internal control systems or risk management capabilities to ensure they are performing as designed or intended. “Monitoring ensures that internal control continues to operate effectively.”

Is “continuous” really what you want to do?

Page 6: GTAG – On Continuous Auditing

• “Continuous Auditing is a method used to perform control and risk assessments automatically on a more frequent basis.”

• This leaves open the question as to the frequency that is appropriate

• Technology is key to enabling such an approach, changing the audit paradigm from periodic reviews of a sample of transactions to ongoing audit testing of 100% of transactions

• “With automated, frequent analyses of data, they (the auditors) are able to perform control and risk assessments in real time or near real time.”

Is this really just the concept of using CAATs more frequently?

Page 7: GTAG – On Continuous Auditing

• A combined strategy of continuous auditing and continuous monitoring is ideal

• Continuous monitoring encompasses the processes that management puts in place to ensure that the policies, procedures and business processes are operating effectively

• Many of the techniques of continuous monitoring of risks and controls by management are similar to those that may be performed in continuous auditing by internal auditors

Where should continuous “activities” be embedded? In the business processes themselves or in the internal audit function?

Would you want any overlap or duplication?

If something is monitored everyday, why would you audit it continuously?

Page 8: Continuous Auditing and Continuous Monitoring should be RISK-BASED

• Which items need true “continuous” monitoring or auditing – that is, more frequent attention?

• Should there be a process to determine the appropriate “frequency” of auditing and monitoring activity, locations, transactions, processes, etc. in an organization?

Are “Continuous Auditing” and “Continuous Monitoring” techniques that should be used only in areas that warrant such attention levels?

If so, how do you determine such areas?

Page 9: Take a Lesson from SOX on “Frequency”

• Continuously, uninterrupted, real-time

• More than daily

• Daily

• Weekly

• Monthly

• Quarterly

• Semi-annually

• Annually

• As needed

• Never

Page 10: Conceptual Relationship Between Risk and Frequency

[Figure: Frequency of Audit/Review (Not at all?, Annually, Semi-Annually, Quarterly, Monthly, Weekly, Daily, More Than Daily) plotted against Level of Risk/Criticality of Real Time Information and Analysis (L to H)]

Page 11: The Choice – How Often You Act

Key Point: “Continuous Auditing” can mean a lot of things along the auditing/monitoring frequency continuum

[Figure: Frequency of Auditing/Monitoring continuum: Not at All, Never; Less than Annually; Annually; Semi-Annually; Quarterly; Monthly; Weekly; Daily; More than Daily; All of the Time, Uninterrupted. Annotation: “Not worth it?”]

Page 12: Possible Continuous Auditing/Monitoring Needs

• IT Systems “up-time”

• Breaches of IT Security

• Power supply failure

• “Critical parts” delivery status

• Loss of key personnel

• Data leakage and fraud

• $100 million wire transfers

What does your organization need to know about on a frequent basis?

What does it do about those items now (i.e., monitoring and auditing)?

Is there a need to change the Approach to and Frequency of oversight?

Page 13: One Way to Start is by Tweaking the Audit Approach to Focus on the Concept of Frequency

Ask these questions…

• What information, activities, etc. are so critical that they need to be monitored on a frequent basis?

• Is there key information that needs to be monitored frequently? What are those items? What monitoring is done currently? What is the current frequency?

• Is the monitoring effective? Does the business unit, process, area, etc. monitor such items at the appropriate frequency?

• Does internal audit need to change the frequency of its audit process related to these items? Are there monitoring gaps, i.e., things which should be monitored, but aren’t?

Page 14: A Risk-Based Assessment Can Be Useful

Consider the nature of the risks…

Key Risks

• Critical risk potentially threatens achievement of company-wide objectives

• High monitoring activity

Secondary Risks

• Lower likelihood but could have significant adverse effect if risk is realized

• Some monitoring needed to assess changing conditions

Secondary Risks

• May be indicative of budding operational issues

• Some monitoring needed to assess changing conditions

Low Priority Risks

• Overall business impact not deemed significant

• Significant monitoring unnecessary unless change occurs in risk classification

Page 15: Consider the Technology…

Ask these questions…

• Is the technology in place being exploited in critical areas to provide transparency into how well critical processes / controls are performing?

• Has IA considered the use of data mining techniques?

• Will the available technology provide dashboard reporting on what matters?

Page 16: Consider the Environment…

Ask these questions…

• Do you expect the Board to change its expectations of the IA function? Is it likely to ask for assurances IA has not provided in the past?

• Is executive management likely to change its expectations?

• What will be the impact of increased transparency about risk and risk management in public disclosures?

• Will rating agencies incorporating an assessment of “ERM quality” have an impact on the need for continuous auditing and risk monitoring?

• Is the organization prepared to deal with the increasing cost of noncompliance and surprise?

• Has the organization considered the recent COSO guidance on the monitoring component of internal control?

Page 17: A Point of View – 1 of 2

• The concept of identifying the optimal frequency of monitoring and auditing makes good sense

• The actual frequency of monitoring and auditing should be risk-based and consider criticality, need to know and the degree of change

• In many cases, it is preferable for the business units and processes to imbed frequency-based monitoring than for internal audit to solely audit more frequently

• Technology can be used frequently or infrequently

• 100% of all transactions do not have to be necessarily evaluated or tested depending on objectives, risks, controls and other constraints

• Given the increasing pace of change globally in business and industry, it makes sense that the frequency of monitoring could also likely increase

Page 18: A Point of View – 2 of 2

• Complexity, volatility and the susceptibility to error are other factors to consider

• Internal audit should work with management and the Audit committee to determine the appropriate scope and frequency of monitoring and auditing

• “Assurance mapping” may be an appropriate analytical technique for evaluating who does what and determining where internal audit fits

• If you have to audit “a high frequency”, is that an indication that there is something wrong with the control design?

• Technology is a clear enabler to achieving efficiency and is a leading practice

Page 19: Continuous Monitoring Considerations and Approach

• Give preference to monitoring before auditing as it leverages people and the control environment more effectively

• Adjust the audit approach based on an evaluation of continuous monitoring by area, business unit, process, location, etc.

• Consider developing management and employee training on monitoring to help drive in the concept of “frequency of monitoring” across the organization, thus “building in” quality (as opposed to “inspecting in”)

• When issuing audit reports, make recommendations regarding opportunities to use monitoring in the business, at the appropriate frequency, based on risk, value added and degree of expected change

• The idea is to make some progress ahead of any audits to address the issue of “How often should we monitor what information, controls, etc.?”

• Coordinate with IT on any possible/needed technology applications

Page 20: Continuous Auditing Considerations and Approach

• Leverage continuous monitoring activity, challenge continuous monitoring efforts by management and business units to ensure its appropriate application and effectiveness

• Determine more frequent auditing needs, and evaluate and implement as needed

• Use technology to increase accuracy and population of transactions audited and to decrease cost

• Critically evaluate control design for any area where very frequent auditing is considered or applied

• Should frequent auditing be a last resort? Should more frequent monitoring be a first resort?

Page 21: Summary

• While continuous auditing and continuous monitoring are powerful and important concepts, the terminology must be understood

• The changing environment is driving a need for effective monitoring and for IA to upgrade its capabilities

• The desired “frequency” of how items are monitored or audited needs to be evaluated using a top-down, risk-based approach

It’s all about “How often, how much and why”


Page 23: Institute of Internal Auditors (IIA) Standards: Definition of Internal Auditing

Internal Auditing …

… provides independent, objective assurance and consulting services

… helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes

Page 24: Why Continuous Monitoring?

“Throughout the next five years, the value of the controls-focused approach that has dominated internal audit is expected to diminish”

“As this occurs, internal audit leaders must adopt risk-centric mindsets if they want to remain key players in assurance and risk management.”

“One of the five key trends that will drive this reshaping of internal audit by 2012 is technological advancement.”

Source: PricewaterhouseCoopers “Internal Audit 2012”

Page 25: Why Continuous Monitoring?

Historic Internal Audit

• Focus: Audit entities based on rotational plan

• Perspective: Historic

• Style: Corporate police

• Mandate: Compliance with policies and procedures

• Risk Focus: Financial

• Toolkit: Compliance work programs

• Technology: None

• Results: Small “findings”

Mainstream Internal Audit

• Focus: Prioritize audit entities based on risk

• Perspective: Historic

• Style: Father knows best

• Mandate: Assurance on financial control, compliance

• Risk Focus: Financial plus

• Toolkit: Audit work programs for key processes / controls

• Technology: Automated workpapers

• Results: Assurance; key audit entities

Cutting Edge Audit

• Focus: Focus on strategic, business and process risk

• Perspective: Future

• Style: Consultant and advisor

• Mandate: Business assurance

• Risk Focus: Enterprise risks

• Toolkit: Risk frameworks, self-assessments

• Technology: Automated testing and continuous monitoring

• Results: Proactive risk management; dynamic reporting

Source: Deloitte and Touche LLP: Patty Miller, IIA Chairman 2008-2009

Page 26: Definition

Continuous risk and controls assurance is:

“The ability to provide stakeholders* with assurance on a continuing basis that the more significant risks are managed and related controls are operating effectively.”

* Stakeholders typically include the board (or one or more committees of the board) and executive management

Page 27: Value

Continuous risk and control assurance has tremendous value to an organization …

It reduces the likelihood of SURPRISES to the board and executive management

Page 28: Risks and Controls Assurance

– Provide assurance on significant risks across the organization

• Integrate with enterprise risk management

• Select which risks to address

– Provide assurance on related controls

• Identify the key controls for significant risks

• Leverage work of other assurance providers (“GRC convergence”)

– Provide assurance on a continuing basis

• Continuous risk monitoring

• Continuous control and data auditing

Page 29: Continuous Assurance Model

Page 30: Combination of Key Controls

Page 31: Continuous Assurance Example

– Hypothetical organization

– Risk: Finished goods inventory theft

– Controls shown in example are not a complete list

Page 32: Continuous Assurance Example: G&O and Risk Monitoring

– Continuously monitor KPI of actual losses reported

– Continuously monitor risk through reports of inventory levels, actual losses reported, reports from Corporate Security (following their audits), and monitoring of employee morale statistics

Page 33: Objective: Safeguard Enterprise Assets

Risk: Theft of Finished Goods Inventory

Controls (type of control: control):

• Entity-level: The organization has a code of business conduct

• Entity-level: New employees are required to confirm their understanding of the code of conduct. Records are maintained in the HR system.

• Entity-level: All employees sign a code of conduct certification annually and records are maintained in the HR system

• Entity-level: Hiring procedures include background checks, with records maintained in the HR system

• Business process: Physical access to finished goods inventories is restricted based on business need

• Business process: Finished goods inventories are physically secured by doors, cameras, and monitored by guards

• Business process: After inventory counts are entered, the inventory module provides reports showing inventory variances. Each report shows the inventory per the system, the inventory counted, and the calculated variances.

• Business process: Only the inventory manager can approve the posting of inventory adjustments (e.g., write-offs following the inventory count)

• IT general control: All inventory program changes are approved by the inventory manager in Remedy

Page 34: Continuous Assurance Example: Controls Strategy

Control: The organization has a code of business conduct

– Assurance strategy: Included in test of certifications. Assurance procedure: n/a

Control: New employees are required to confirm their understanding of the code of conduct. Records are maintained in the HR system.

– Assurance strategy: Continuous data auditing of HR records. Assurance procedure: Identify any employees who have not confirmed the code of conduct within 3 months of hire, according to HR records

– Assurance strategy: Periodic auditing of HR system maintenance procedures. Assurance procedure: On a periodic basis, validate that HR records are updated accurately and on a timely basis

Control: All employees sign a code of conduct certification annually and records are maintained in the HR system

– Assurance strategy: Continuous data auditing of HR records. Assurance procedure: Identify any employees who have not certified the code of conduct as required

– Assurance strategy: Periodic auditing of HR system maintenance procedures. Assurance procedure: On a periodic basis, validate that HR records are updated accurately and on a timely basis

Page 35: Continuous Assurance Example: Controls Strategy (cont.)

Control: Hiring procedures include background checks, with records maintained in the HR system

– Assurance strategy: Continuous data auditing of HR records. Assurance procedure: n/a

– Assurance strategy: Periodic auditing of HR system maintenance procedures. Assurance procedure: On a periodic basis, validate that HR records are updated accurately and on a timely basis

Control: Physical access to finished goods inventories is restricted based on business need

– Assurance strategy: Continuous data auditing. Assurance procedure: Identify any individual whose badge grants access to finished goods inventory but who does not have a business need based on job function (per HR system)

Control: Finished goods inventories are physically secured by doors, cameras, and monitored by guards

– Assurance strategy: Reliance on physical security audits by Corporate Security, together with monitoring of security audits. Assurance procedure: Obtain an alert whenever a security audit report is filed by exceptions

– Assurance strategy: Continuous data auditing. Assurance procedure: Identify any delays in filing the results of security audits (required at least quarterly)

Page 36: Continuous Assurance Example: Controls Strategy (cont.)

Control: After inventory counts are entered, the inventory module provides reports showing inventory variances. Each report shows the inventory per the system, the inventory counted, and the calculated variances.

– Assurance strategy: Reliance on annual SOX reperformance of application controls. Assurance procedure: SOX testing includes reperformance of the inventory variance calculation

Control: Only the inventory manager can approve the posting of inventory adjustments (e.g., write-offs following the inventory count)

– Assurance strategy: Continuous control and data auditing. Assurance procedure: Continuous testing of Access Control procedures, including that no changes are made to authority to approve inventory adjustments (exception report is sent to IT Security and internal audit if there are changes)

Control: All inventory program changes are approved by the inventory manager in Remedy

– Assurance strategy: Reliance on annual SOX testing of IT general controls. Assurance procedure: SOX testing includes continuous data testing that only inventory manager approves program changes

Etc.
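The continuous data auditing procedures named in the Controls Strategy slides (code of conduct confirmation and certification, badge access against business need, quarterly security audit filing) can each be run as an exception report. The sketch below is an added example, not part of the original presentation; the record layouts, zone name, job functions treated as having a business need, and the calendar-month reading of "3 months", "annually" and "quarterly" are assumptions, and all sample data is constructed.

```python
import calendar
from datetime import date

def add_months(d, n):
    """Calendar-month arithmetic, clamping to month end (e.g. 30 Nov + 3 -> 28/29 Feb)."""
    years, month0 = divmod(d.month - 1 + n, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def unconfirmed_new_hires(employees, as_of):
    """No code-of-conduct confirmation within 3 months of hire (missing or late)."""
    out = []
    for e in employees:
        deadline = add_months(e["hired"], 3)
        confirmed = e["coc_confirmed"]
        if (confirmed is None and deadline < as_of) or (confirmed and confirmed > deadline):
            out.append(e["id"])
    return out

def lapsed_annual_certifications(employees, as_of):
    """Last certification (or confirmation, or hire date if neither) is over 12 months old."""
    out = []
    for e in employees:
        dates = [d for d in (e["coc_certified"], e["coc_confirmed"]) if d]
        last = max(dates) if dates else e["hired"]
        if add_months(last, 12) < as_of:
            out.append(e["id"])
    return out

def badge_access_without_need(employees, badge_grants, zone, jobs_with_need):
    """Badge grants to `zone` held by someone with no business need per HR job function."""
    job_of = {e["id"]: e["job"] for e in employees}
    out = []
    for holder, granted_zone in badge_grants:
        if granted_zone != zone:
            continue
        job = job_of.get(holder)
        if job is None:  # badge has no matching HR record at all
            out.append((holder, "not in HR records"))
        elif job not in jobs_with_need:
            out.append((holder, "no business need: " + job))
    return out

def late_security_audit_filings(filed, as_of, months=3):
    """Reports are required at least quarterly; return (due, filed_on) for each late gap."""
    filed = sorted(filed)
    out = []
    for prev, nxt in zip(filed, filed[1:] + [None]):
        due = add_months(prev, months)
        if (nxt is None and due < as_of) or (nxt is not None and nxt > due):
            out.append((due, nxt))  # nxt is None when the next report is still outstanding
    return out

# ---- Constructed sample data (hypothetical field names and values) ----
AS_OF = date(2009, 9, 23)

def emp(i, job, hired, confirmed, certified):
    return {"id": i, "job": job, "hired": hired,
            "coc_confirmed": confirmed, "coc_certified": certified}

EMPLOYEES = [
    emp("E001", "inventory_manager", date(2005, 3, 1), date(2005, 3, 10), date(2009, 1, 15)),
    emp("E002", "warehouse_clerk", date(2009, 2, 2), None, None),
    emp("E003", "accountant", date(2007, 6, 18), date(2007, 7, 1), date(2008, 8, 30)),
    emp("E004", "security_guard", date(2009, 8, 10), None, None),
    emp("E005", "sales_rep", date(2008, 1, 7), date(2008, 5, 20), date(2009, 2, 1)),
]
FG_ZONE = "FG_WAREHOUSE"  # assumed name for the finished goods area
JOBS_WITH_NEED = {"inventory_manager", "warehouse_clerk", "security_guard"}
BADGE_GRANTS = [("E001", FG_ZONE), ("E002", FG_ZONE), ("E003", FG_ZONE),
                ("E004", FG_ZONE), ("E005", "OFFICE"), ("E999", FG_ZONE)]
SECURITY_AUDITS_FILED = [date(2008, 12, 15), date(2009, 3, 10), date(2009, 9, 1)]

def run_all(as_of=AS_OF):
    """Run every test and return the exceptions keyed by test name."""
    return {
        "unconfirmed_new_hires": unconfirmed_new_hires(EMPLOYEES, as_of),
        "lapsed_annual_certifications": lapsed_annual_certifications(EMPLOYEES, as_of),
        "badge_access_without_need": badge_access_without_need(
            EMPLOYEES, BADGE_GRANTS, FG_ZONE, JOBS_WITH_NEED),
        "late_security_audit_filings": late_security_audit_filings(
            SECURITY_AUDITS_FILED, as_of),
    }

if __name__ == "__main__":
    for test, exceptions in run_all().items():
        print(test, exceptions)
```

Each function returns only the exceptions, so the same tests can be scheduled at whatever frequency the risk assessment calls for and routed to the control owner.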

Page 37: Continuous Assurance Example: Observations

– Not all the “testing” is automated

– Not all the assurance work is continuous, depending on risk, etc.

– The debate on continuous monitoring (i.e., by management) and continuous auditing (by internal audit)

• Organization needs effective controls monitoring

• Internal audit is one potential source (COSO Monitoring)

• Each organization will decide who does what

• IA needs assurance on management monitoring

Page 38: Continuous Fraud Detection

– Continuous fraud risk and control assurance is an integral part of the continuous assurance model:

• Fraud risk monitoring

• Fraud controls assurance

• Fraud detection

Page 39: The Role of Automation

– Management of organizational goals and objectives

– Risk management

– Continuous risk monitoring

– Continuous controls and data auditing

– On demand data auditing

– Assurance dashboards

Page 40: Continuous Assurance and SAP Solutions

– SAP BusinessObjects Strategy Management

– SAP BusinessObjects Risk Management

– SAP BusinessObjects Process Control

– SAP BusinessObjects Access Control

– SAP BusinessObjects Business Intelligence

Role of Automation (Enabled by):

• Management of organizational goals and objectives: SAP BusinessObjects Strategy Management

• Risk management: SAP BusinessObjects Risk Management

• Continuous risk monitoring: SAP BusinessObjects Risk Management, Process Control, and Access Control

• Continuous controls and data auditing: SAP BusinessObjects Process Control, Access Control, and Business Intelligence (BI)

• On demand data auditing: SAP BusinessObjects Process Control and Business Warehouse

• Assurance dashboards: SAP BusinessObjects Risk Management, Process Control, and BI

Page 41: Key Points to Take Home

– A top-down and risk-based continuous assurance model for internal audit adds value to the enterprise

– Implementing continuous auditing/monitoring without first identifying the risks to address, understanding the controls in place, and considering available assurance techniques is unlikely to achieve risk and controls assurance objectives

– Continuous assurance techniques are not exclusively automated

– Auditing transactions does not necessarily provide assurance of the effectiveness of related controls

– A continuous risk and controls assurance program is enabled by technology, such as SAP BusinessObjects solutions

– There is no solution that should be implemented “out of the box”. The solution should be flexible, enabling activities to be based on the specific risks and assurance requirements of the organization.

Page 42: Our Agenda Today

Questions

Page 43: Roundtable Discussion Questions

Continuous auditing – Is it different from, or the same as, applying computer-assisted audit techniques (CAATs) more frequently?

Page 44: Roundtable Discussion Questions

Is there merit to a combined strategy of continuous auditing and continuous monitoring? How does it work?

Page 45: Roundtable Discussion Questions

What areas warrant the intensive focus of continuous auditing and monitoring, and how is this related to the execution of a risk-based internal audit plan?

Page 46: Roundtable Discussion Questions

What information, processes and activities are so critical that they need to be monitored more frequently and how does risk enter the picture?

Page 47: Roundtable Discussion Questions

What information, processes and activities are so critical that they need to be monitored more frequently and how does risk enter the picture?

• Is there key information that needs to be monitored frequently? What are those items? What is the appropriate frequency?

Page 48: Roundtable Discussion Questions

What information, processes and activities are so critical that they need to be monitored more frequently and how does risk enter the picture?

• Does a business unit, process owner, area management, etc. monitor such items with the appropriate frequency?

Page 49: Roundtable Discussion Questions

What information, processes and activities are so critical that they need to be monitored more frequently and how does risk enter the picture?

• Does the CAE need to change the frequency of audits related to these items?

Page 50: Roundtable Discussion Questions

What information, processes and activities are so critical that they need to be monitored more frequently and how does risk enter the picture?

• What should be excluded from the scope of continuous auditing?

Page 51: Roundtable Discussion Questions

What information, processes and activities are so critical that they need to be monitored more frequently and how does risk enter the picture?

• What interest does the CFO take in continuous monitoring and assurance? The CRO? The CIO? The CLO or CCO? The Audit Committee?

Page 52: Roundtable Discussion Questions

How does a continuous auditing program change the make-up of the internal audit department, and its relationships with management?
