continuous monitoring - houston cpa - what is continuous... · continuous monitoring ... “it...

© 2017 Property of Corporate Compliance Seminars www.compliance.seminars.com 1 Continuous Monitoring A Practical Implementation for All Organizations Corporate Compliance Seminars John C. Blackshire, CPA 479-200-4373 / [email protected]


Post on 08-Mar-2018


Page 1: Continuous Monitoring - Houston CPA - What is Continuous... · Continuous Monitoring ... “It costs too much to implement a continuous monitoring approach. ... • Security breaches


Continuous Monitoring

A Practical Implementation for All Organizations

Corporate Compliance Seminars

John C. Blackshire, CPA 479-200-4373 / [email protected]


Overheard in the Hallway…

“I don’t want any &*$%#@ outsider monitoring what I do!!!”

“I can manage without leaving my office!”

“It costs too much to implement a continuous monitoring approach.”

“Our employees love us, so why would we need to monitor fraud?”

“We can’t monitor IT processes. They’re too complex.”


Accountant, Auditor, IT Project Manager, Compliance Assessor, System Implementer, Sales Director, Trainer

• Co-Founder of Corporate Compliance Seminars

• Founder and CEO of The Application Support Company (TASC)

• Consultant to Executives and Boards of Directors

• Walker Interactive Products

• Insurance Systems of America

• KPMG

• Past Meeting Coordinator - IIA International Conference


Internet search:

Alerts of web content


Continuous Monitoring:

“The ongoing monitoring of financial and operational objectives, governance, risk and regulatory compliance by management.”

Why is it needed by Management?

• Increased performance pressure from global competition

• International terrorism and political unrest

• Economic instability

• Increased regulatory environment

• Security breaches

• Rapid pace of technological change

• Reliance on suppliers


Examples of CM

- Budget-to-actual variance
- Sales activity
- Inventory turnover
- Order fulfillment
- Quarterly financial reviews
- Production schedule


Continuous monitoring success comes from understanding…

How does the “business model” work?

What and how does management monitor day-to-day?

What are the components of the Key Performance Indicators (KPIs)?

Is there Segregation of Duties with KPIs?

What does management not want to talk about?

What are the biggest risks to future performance?

Ability to start defining a continuous monitoring program!!!


“A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding achievement of objectives in the following categories: operations, financial reporting and compliance.”


Components of Internal Control

Definition of Internal Control

Layers of Internal Control


“Control Environment”

1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

“Risk Assessment”

6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change

“Control Activities”

10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures

“Information & Communication”

13. Uses relevant information
14. Communicates internally
15. Communicates externally

“Monitoring Activities”

16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies


Six Layers of Control

1. Mission Statement and Explicit Corporate Values
2. Business Model – Factors – Metrics – Measurements
3. Codes: Ethics – Employee Conduct – Customer Conduct – Supplier Conduct
4. Simple Corporate Policy Statements
5. Procedures are kept separate from Corporate Policy
6. Monitoring – Continuous Monitoring – MBWA – Testing – I/A – E/A


Onboard Vehicle Management System


Continuous monitoring success comes from understanding…

How many items can a human handle? Miller’s 7 Plus or Minus 2

Logical comparisons – The Calendar does on work.

Establish a floor and a ceiling.

Exception handling for all floor / ceiling issues

How is Pareto’s Law at work here? The 80/15/5 Rule

The impact of “Monitoring” itself.

Ability to use and prosper with a continuous monitoring program!!!


• Monitors in real time; immediate knowledge of potential problems

• Initiate quick action and reduce risk

• Forward looking with “predictive analytics”

CAUTION:

Use Continuous Monitoring to supplement your traditional management activities, not replace them.

“Desktop” monitoring alone IS NOT as effective as “in person” contact, walkthroughs, interviews, assessments, controls reviews, etc. with the employee in the department


• Selling the concept to management and the Board

• Technical competencies to access, manipulate and analyze data

• Validating and improving the current monitoring processes

• Integrating the continuous monitoring into enterprise risk management

• Responding to the results of continuous monitoring and ensuring management action


Are you ready for Continuous Monitoring?

• Do we have a strong, ethical, transparent Control Environment?
• Does upper management accept Continuous Monitoring?
• Is management effectively monitoring the company?
• Formal Metrics Program?
• Formal Risk Management and Compliance function?
• Are policies and procedures documented, updated and effectively communicated?
• Do we have mature, effective IT systems and controls?
• Is the technology infrastructure mature and resilient?
• Are the application systems stable and accurate?
• Are the systems and data secure?
• Do we have the commitment, time, energy, people and funds to implement Continuous Monitoring?


• Manual processes and manual controls must be automated

• We must understand the financial systems, the flow of financial transactions, and key reports

• We must identify the risks and controls implemented, including how transactions are classified, initiated, approved, processed, reported and reconciled

• We must allocate the resources budget (time, people, money)

• We must obtain access to data to be monitored

• Are you “micromanaging” the controls?


ERM Program – Form a Risk Committee and document organization risks and industry risks. Heat Map the risks. Assess Enterprise Risks at least annually.

Metrics Program – Have each department document their objectives and measurements for success. Assess Key Metrics at least quarterly.

Control Self-Assessment (CSA) Program – Have each department document their internal controls and conduct a CSA at least annually.


1. Define the Objectives

2. Identify the Business Objectives’ connection to Risks and Controls

3. Establish Data Use Requirements

4. Pilot the System

5. Refine the System

6. Report and Manage Results


• Revenue and Receivables (sales revenue does not match sales transactions)
• Treasury/Investments (loss on investments)
• Purchases and Payables (unauthorized purchases; invoices do not match POs)
• HR/Payroll (unauthorized pay increases)
• Period End Close (financial consolidation errors)
• Inventory/Fixed Assets (physical to book gap; missing assets)
• IT General Controls (insecure systems; weak change controls; failed backups)
• Customer Service (defective products; over/underpayment of warranty returns)
• Entity Cycle (weak Board; ineffective hotline)


ACFE “Report to the Nations”

Continuous Monitoring for Fraud


Asset Misappropriation: Theft or Misuse of Assets

Corruption: Wrongfully Influencing a Transaction

Financial Statement: Falsification of FS or Disclosures


Attributes of Internal Controls

1. Discipline
2. Standards - Policy
3. Standard Operating Procedures
4. Why?? The requirement i.e. Business – Operational – Control
5. Training on all of the above
6. Monitoring


Six Layers of Control

1. Mission Statement and Explicit Corporate Values
2. Business Model – Factors – Metrics – Measurements
3. Codes: Ethics – Employee Conduct – Customer Conduct – Supplier Conduct
4. Simple Corporate Policy Statements
5. Procedures are kept separate from Corporate Policy
6. Monitoring – Continuous Monitoring – MBWA – Testing – I/A – E/A


1. Continuous Monitoring should supplement your traditional management activities; NOT replace them

2. Obtain management buy-in and budgetary approval

3. Start SMALL with an easy Pilot Project. Demonstrate rapid success!

4. Don’t forget – time spent developing the Continuous Monitoring approach is time away from traditional management, so…leverage existing technology

5. Reduce the false positives for accuracy and to reduce information overload

6. Continuous Monitoring has tremendous benefits of providing real time problem reporting, quick action and RISK REDUCTION!


John C. Blackshire, CPA

479-200-4373 / [email protected]