kpmg ema cacm survey (2012)
© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.
Continuous auditing and continuous monitoring: The current status and the road ahead
KPMG’s EMA region survey
December 2012
Contents
Introduction
Executive Summary
About the survey
Are the potential benefits of CA/CM well understood?
Which processes benefit most from CA/CM?
Who are the initiators and beneficiaries?
Current and future state of adoption
Barriers to adoption
Past and future investments
Do technology and tooling provide adequate support?
How KPMG can help
Contacts
Introduction
In general, CA/CM seeks to add value by improving compliance and supporting business goals. From a technology perspective, CA/CM enables a high degree of automation to monitor systems and data, and implements closed-loop mechanisms for any exceptions detected. As a monitoring mechanism, CA/CM helps to detect irregularities in system configurations, processes and data, either from a risk or a performance perspective. Potential benefits of CA/CM include:
• Enhanced and more timely oversight of compliance across the enterprise;
• Improved efficiency and effectiveness of the control environment through automation, leading to cost-reduction opportunities;
• Business improvement through reduced errors and improved error remediation, allowing reallocation of resources to value-adding activities;
• The ability to report more comprehensively on compliance with internal and regulatory requirements.
The purpose of this document is to summarise the results of a survey conducted in 2012 across Europe, the Middle East and Africa. It explores the potential benefits of employing CA/CM in the current economic climate and gauges how advanced their implementation is. The target group consisted primarily of company officials whose daily activities are currently supported by CA/CM-related tools, or officials who hold functions in which CA/CM may play an important role in the future. Examples of these types of functions are boards of directors, finance, operational/line management, internal control and internal audit.
A word of thanks
We would like to thank all the different parties involved in this paper. We would especially like to thank all the participants in this survey, whose valuable insight into the current and future status of CA/CM within their organisations forms the basis of this white paper. Special thanks are also due to Koen Rombauts, Bert Scherrenburg, Barbara Legg, Maurice op het Veld and Peter Paul Brouwers, all from KPMG the Netherlands, for conducting the survey and drafting this white paper.
Defining CA and CM
Continuous auditing (CA) is the collection of audit evidence and indicators by either the external auditor or the internal auditor in information technology (IT) systems, processes, transactions and controls on a frequent or continuous basis throughout a period.
Continuous monitoring (CM) is a feedback mechanism used by management to ensure that controls operate as designed and that transactions are processed as described. This monitoring method is the responsibility of management and can form an important component of the internal control structure.
Definitions taken from KPMG LLP’s Continuous Auditing and Continuous Monitoring: Transforming Internal Audit and Management Monitoring to Create Value, 2008.
New board and regulatory pressures, cost and efficiency considerations and the emergence of new business risks are helping to change the scope of risk and performance management. In this shifting scope, continuous auditing (‘CA’) and continuous monitoring (‘CM’) will have an increasing role to play.
Executive Summary
CA/CM is winning ground within organisations that aim for continuous control and continuous performance. The level of awareness, the increasing availability of tools and the aim for greater efficiency in assurance are important drivers for further investigation into what CA/CM can bring to the organisation.
This report summarises the outcome of a survey which examined the awareness about and the current and future status of CA/CM across Europe, the Middle East and Africa. The key observations are:
• Respondents do understand the benefits of CA and CM. They realise that CA aims to bring comprehensive assurance with greater coverage across the organisation (89% of the respondents). Many believe CA will also facilitate real-time operational assurance (81%) and a reduced burden for line management (74%). CM is set up to detect and correct process irregularities and helps to identify process improvements (90%);
• CA/CM is considered to be most valuable in scenarios where processes are repetitive and susceptible to risk e.g. financial management reporting (82%). These processes are often transaction-based supported by applications with structured data;
• Eighty-five percent of the respondents stated that the internal auditors introduced CA/CM into the organisation and that they are also seen as its main beneficiary (87%). Operational/line management is not often the initiator (59%) of CA/CM but certainly enjoys its benefits (87%);
• The current state of adoption is low. Only 9% of respondents have both CA and CM embedded across their organisation. However, a remarkable 83% have at least considered implementing CA/CM;
• Respondents consider the limited insight into the CA/CM tooling available on the market as the largest barrier to the adoption of CA/CM (69%). It is not always clear what suitable CA/CM tooling should consist of;
• Organisations are changing position from just being interested in CA/CM to actually investing in CA/CM-related projects. In the next two years, the percentage of organisations that are not investing in CA/CM will decline from 37% to 19%, while 62% expect to commence projects valued at up to €250,000.
KPMG’s vision
Organisations should realise that effective implementation of CA/CM can take time and effort. A variety of challenges can be expected along the way. No matter how they choose to launch the effort, organisations should look to define the desired end-state for their CA/CM efforts.
Organisations should understand that CA/CM is not only about implementing tooling; it is a change in the way of working where you have to redefine your objectives, roles and responsibilities and the way to handle the outcome. Moreover, implementing CA/CM is about understanding the extent to which CA/CM can transform processes, risk and controls, technology, and people in an integrated way. When implementing CA/CM, organisations typically follow several stages of maturity, starting with the introduction of data analytics techniques to support existing manual procedures. Depending on the drivers behind CA/CM, the end state may be CA/CM systems that are fully embedded and used throughout organisations.
Together, CA and CM provide insight and transparency for continuous control and performance improvement. Therefore CA and CM must be perceived as long-term, systematic approaches rather than short-term measures.
Based on our practical experiences with supporting the implementation of several CA/CM frameworks, we at KPMG strongly believe that this will definitely be a way forward to create greater transparency in an efficient and sustainable way.
About the survey
The KPMG online survey was rolled out across the EMA region (Europe, Middle East, and Africa) in 2012 and contains responses from 718 individuals. The respondents are primarily from internal audit as well as from boards of directors, CFOs, operational/line management, finance and risk management professionals.
Survey questions included the following:
• What are the benefits of CA/CM?
• Who are the initiators of CA/CM and who benefits most?
• How much capital needs to be invested?
• What are the barriers to adoption?
• What future does CA/CM have?
Representation of regions and countries
Most of the respondents by far were from Western Europe (68%) and Eastern Europe including Turkey (24%). Nevertheless, respondents from the Middle East and Africa (both 4%) are also included in the survey results.
Analysis of the survey results showed that there are not many significant differences between the various regions. As a result of this, the outcome of the survey and analysis as included in this white paper represents the whole EMA region.
[Chart: Representation of regions. Western Europe 68%; Eastern Europe incl. Turkey 24%; Middle East 4%; Africa 4%]
Within these regions, the respondents were from the 32 following countries:
Western Europe: Andorra, Austria, Belgium, Finland, France, Germany, Italy, Luxembourg, The Netherlands, Norway, Portugal, Spain, Switzerland, United Kingdom
Eastern Europe: Bulgaria, Greece, Hungary, Moldova, Poland, Romania, Slovakia, Turkey
Middle East: Bahrain, India, Qatar, Saudi Arabia, United Arab Emirates, Yemen
Africa: Guinea-Bissau, Kenya, Nigeria, South Africa
Size of organisations responding to the survey
Thirty-six percent of respondents were from organisations with a turnover exceeding €1 billion and 24% from organisations with a turnover ranging between €250 million and €1 billion.
[Chart: Size of organisations responding to the survey. Turnover bands: less than €50 million; €50 million - €250 million; €250 million - €1 billion; greater than €1 billion. Values shown: 36%, 24%, 21%, 19%]
Cross section of sectors
The respondents represented a cross section of industry sectors, including: financial services (29%), industrial markets (26%), infrastructure, government and health (20%), consumer markets (15%), and technology, media, telecoms (10%).
[Chart: Sectors. Financial services 29%; Industrial markets 26%; Infrastructure, government, health 20%; Consumer markets 15%; Technology, media, telecoms 10%]
Representation of lines of defence
Of the respondents, 37% were from the first line of defence (boards of directors, CEO, CFO, finance, operational/line management, IT); 13% were from the second line of defence (risk management, internal control and compliance); 50% of the respondents were from internal audit (third line of defence).
[Chart: Lines of defence. First line 37%; Second line 13%; Third line 50%]
Business owners: first line of defence
Business owners have risk content ownership. They are responsible for identifying and managing risks incurred over the course of daily business. Such risks can be operational in nature or may be associated with finance and compliance. The risks may represent discrete events rather than ongoing exposure. In addition to complying with risk-management policies, business owners are expected to identify and assess emerging exposure.
Compliance regulators: second line of defence
Standard setters own risk processes and specific monitoring responsibilities. They establish policies and procedures handling risk; provide guidance and coordination among all stakeholders; identify enterprise trends, synergies, and opportunities for a change; and operationalize new events. In addition to facilitating critical liaison between business owners and assurance providers, standard setters provide oversight within specific risk areas (such as credit), and in terms of specific enterprise objectives (such as compliance).
Assurance providers: third line of defence
Assurance providers ensure that the company is achieving business objectives, mitigating and managing risks, and optimizing risk management process effectiveness. Internal Audit often serves as the primary assurance provider in the third line of defense for many companies. Assurance providers are responsible for setting standards for risk management, ensuring that these are well understood, broadly embraced, and adequate for the company’s needs. Assurance providers liaise with senior management or the corporate board to enable visibility into enterprise risk management activities.
Source: KPMG.com – Leveraging data analytics and continuous auditing processes for improved audit planning, effectiveness and efficiency.
Are the potential benefits of CA/CM well understood?
CA is designed to result in comprehensive assurance with greater coverage across the organisation. CM detects and corrects process irregularities and helps implement process improvements. Many believe CA will also facilitate real-time operational assurance and reduce the burden for line management.
Based on the survey:
Respondents do understand the benefits of CA and CM. They realise that CA provides more assurance with greater coverage and depth and that it enables real-time operational assurance. However, organisations are less likely to take into consideration that CA can also lower costs. This indicates a short-term perception that relatively high up-front investments are needed while the long-term benefits of CA are not yet fully understood. Overall, the survey results reflect that respondents understand what CM can bring to the organisation i.e. it enables identification of process irregularities on a continuous basis. Moreover, it transfers the responsibility regarding detecting and correcting irregularities onto the business itself. However, only 64% of respondents believed that CM will result in the organisation achieving competitive advantages.
Main drivers of CA adoption for an organisation
• Provides more assurance with greater coverage and depth: 89%
• Enables real-time operational assurance to be obtained regarding business processes/activities: 81%
• Reduces burden for line management to facilitate audit activities (e.g. no or limited interviews, walkthroughs etc.): 74%
• Reduces internal audit costs: 56%
• Reduces external audit costs: 53%
• CA is not/will not be adopted, so this question is not relevant for my organisation: 41%
Main drivers of CM adoption for an organisation
• Enables identification of process irregularities and implementation of process improvements on a continuous basis: 90%
• Improves transparency/reporting requirements from board/management: 84%
• Transfers the responsibility regarding detecting and correcting of irregularities to the business processes itself: 84%
• Complies with applicable legislation and regulations (e.g. anti-bribery, export controls): 78%
• Reduces compliance costs: 69%
• Achieves competitive advantages: 64%
KPMG analysis
Clearly, many organisations are aware of the drivers of CA/CM. However, understanding the benefits of CA/CM alone cannot drive it forward. Strategic drivers include the pressure to strengthen governance, enhance performance and accountability and the ability to improve visibility over global operations. Operational drivers include the occurrence or risk of fraud and misconduct and process improvement through the identification of irregularities on a continuous basis. External drivers include the expanding regulatory and risk environment, scrutiny from rating agencies, and an uncertain economic environment.
Since CA/CM does not always necessarily result in immediate and direct operational/strategic results, organisations find it hard to appreciate the competitive advantage of CA/CM.
[Figure: past versus current/future assurance model]
Past: Assurance mainly delivered by internal audit
Current/future: Higher level of management assurance via effective internal control framework
No surprises
Lines of defence shown: Management assessment (1st line of defence); Internal control / Risk management (2nd line of defence); Internal audit (3rd line of defence)
• Based on real facts
• Less manual interpretation/intervention
• Flexible reporting (overview & detailed reporting)
• Automation of (data) analysis
• Re-usable by internal/external audit
• Reducing manual procedures
• Real time insights
• High level of detail
• Less human interpretation
Increased transparency & Reducing cost of compliance
Which processes benefit most from CA/CM?
Typically, CA/CM is most valuable in scenarios where processes are repetitive and susceptible to risk (e.g. financial management reporting). These processes are often transaction-based supported by applications that run on structured data.
Based on the survey:
In the first place most respondents believe that CA/CM is best suited to support processes such as ‘Financial management reporting’ and ‘Treasury and cash management’.
Processes that benefit most from CA and CM
• Financial management reporting: 82%
• Treasury and cash management: 80%
• Purchase to payment: 77%
• IT management: 72%
• Sales order to cash receipt: 71%
• HR/payroll: 66%
• Travel and expenses: 65%
• Fixed asset management: 62%
• Inventory: 61%
• Industry-specific processes (retail, insurance, telecoms, production): 59%
• Other: 4%
KPMG analysis
On the whole, CA/CM helps to foster a culture focussed on efficiency. For example, organisations can use CM to help align components of the procure-to-pay cycle so vendors are not paid too early but in line with the terms of the contract. CM enables an organisation to evaluate the date of purchase, the due date of the invoice and the date of payment. Automating manual processes to detect issues early and prevent escalation can save retrospective remediation costs.
Obviously, preventing errors from occurring improves the overall business process efficiency as well.
Typically, areas that tend to have the greatest return on investment (ROI) in an initial CA/CM implementation include:
• Manual journal entries;
• Time and expense;
• Purchase to pay;
• Purchasing cards (P-cards);
• Order to cash;
• Inventory management.
CA/CM can add most value to organisations where processes are repetitive and susceptible to risk. It can improve the organisation’s risk management and control activities. For example, internal audit’s approach to audit planning tends to be largely risk-based. Expanding this approach to include CA can enhance internal audit’s coverage, regardless of how much risk is expected in those additional areas. CM can also help to allocate risk-management resources effectively.
Who are the initiators and beneficiaries?
Internal Audit, supported by the CFO, often introduces CA/CM within the organisation and is also seen as its main beneficiary. Operational/line management is not often the initiator of CA/CM but does enjoy its benefits.
Based on the survey:
Overall, the survey shows that functions across the organisation gain value from CA/CM – even if they are not the initiators. Internal audit is considered both the main initiator and also the main beneficiary of CA/CM. Many respondents also believe that the CFO or the finance department are initiators. Once presented with a strong business case, operational/line management and the board of directors tend to be easily convinced of the benefits of CA/CM.
[Chart: Initiators and beneficiaries of CA and CM. Series: Initiators of CA and CM; Beneficiaries of CA and CM. Functions: Internal audit; CFO/Finance; Internal control; Risk management; Compliance; Board of directors; IT; Legal; Other; Operational/line management]
KPMG analysis
Internal audit often triggers CA/CM initiatives because it has experience with data analytics from a control testing perspective and CA constitutes the next logical step. Operational/line management is not often the first initiator of CA/CM but does benefit from it. This may be due to the fact that operational/line management does not solely act from a risk perspective – it is primarily responsible for the organisation’s core business processes. However, operational/line management realises that its responsibilities extend further and include internal controls, which are often closely linked to CA/CM.
Current and future state of adoption
Adoption continues to be low despite awareness around the benefits of CA/CM. The main reason is that organisations find it difficult to quantify the benefits of CA/CM which are needed to justify the business case for its implementation. As a result organisations are taking small steps in embedding CA/CM, for example by experimenting with tools on pilot projects.
Based on the survey:
The current state of adoption is low. A remarkable 17% of respondents have never considered implementing CA/CM and 14% have only considered it but have not yet taken any action. Only 10% of respondents are running pilots on either CA or CM and another 12% are actually implementing CA or CM. A mere 16% of the respondents indicated they have already embedded CA within their internal audit function but only 9% have both CA and CM embedded across their respective organisations.
The number of organisations with CA/CM fully embedded is likely to rise slightly in the very near future however. A quarter of respondents revealed that they plan to investigate the added value of CA/CM to their organisations. The number of organisations running pilots remains stable, but the survey shows that the number of organisations planning to embed both CA and CM in the next two years is expected to increase significantly (from 9% today to 23% two years from now).
What is the current status of CA/CM within the organisation
• CA and CM are embedded across the organisation and integrated operationally: 9%
• CM is embedded within line management responsibilities: 12%
• CA is embedded within internal audit: 16%
• Currently implementing CA and/or CM: 12%
• CA and/or CM pilot is currently being run: 10%
• Currently busy drawing up business case and/or obtaining budget for CM: 10%
• Have considered, but not yet taken any action: 14%
• Have not considered CA or CM / don’t know: 17%
Where organisations would like to be in two years time with respect to CA and CM
• CA and CM are embedded across the organisation: 23%
• CM is embedded in monitoring activities of line management: 10%
• CA is embedded in internal audit: 15%
• Pilot project(s) underway in various parts of the organisation: 8%
• Business case is completed and budget is obtained: 4%
• An investigation is conducted into the added value of CA/CM for our organisation: 25%
• Will not consider CA/CM: 15%
KPMG analysis
Although organisations do realise the benefits of CA/CM, there is still some reluctance to fully adopt either CA or CM. However, with the need for continued risk assurance growing, this is likely to improve and more businesses can be expected to invest in CA/CM in the near future. Like any transformation process, the adoption and implementation of CA/CM will take time and effort.
The first step towards adoption is to build a business case to secure support from senior management and to outline the objectives, scope, expected costs and projected benefits of CA/CM. Starting on a small scale allows management or internal audit to test the CA/CM concept first. The next step is to draw up a road map to be able to fully achieve the objectives of the CA/CM implementation.
Before significant resources are allocated to monitoring controls and transactions, management will need to consider whether the existing controls are the most effective to be able to address the underlying risks. In addition, management should give careful consideration to what should be measured, where the necessary data resides, and the quality of the data.
Simply ‘switching on’ rules that may exist within a standard technology tool without refining them could result in an unmanageable number of ‘exceptions’ or ‘false positives’ requiring attention, in turn resulting in increased inefficiencies as well as a false sense of assurance. Similarly, ‘switching on’ poorly designed rules may also result in a false sense of assurance.
Barriers to adoption
Limited insight and understanding of available technology tools is the largest barrier for organisations to tackle when considering CA/CM. This is caused by a lack of clarity about what kind of functionality CA/CM tooling actually consists of.
Based on the survey:
The key barrier for an organisation to adopt CA/CM is limited insight into the availability of suitable CA/CM tools. 75% of respondents are using IT tools, with only 13% of them using business intelligence dashboards and 10% using dedicated CA/CM tools. Unfamiliarity and lack of knowledge or experience also ranked high amongst the responses. Lack of staff and limited commitment or awareness at a senior level within an organisation were also mentioned.
Barriers to CA and CM adoption
• Limited insight in availability of proper CA/CM tools: 69%
• Organisation is not familiar with or does not understand the possibilities of CA/CM sufficiently: 65%
• Lack of knowledge and experience regarding data analysis and/or continuous maintenance of tooling: 64%
• Lack of staff to support CA/CM implementation: 63%
• Limited commitment and/or awareness at board and senior management level: 55%
• Limited suitability of IT infrastructure to apply CA/CM: 46%
• Business case, including budget, has not been finalised and approved: 45%
• Limited suitability to apply CA/CM in your type of organisation: 38%
KPMG analysis
CA/CM is partly a technology solution and this obviously requires expert knowledge. At the same time there appears to be uncertainty about what functionality CA/CM tooling actually provides. From a KPMG perspective, CA/CM functionality includes at least: data extraction (from source systems), data analysis, case management (to make exceptions actionable) and reporting (e.g. via dashboards). Organisations should take steps to increase their knowledge and become more familiar with the concepts of CA/CM in order to overcome specific barriers to the implementation of CA/CM. There can also be resistance to change and the focus on communication throughout the process is key to overcome this. Other barriers may include a highly scattered and diverse IT landscape and inferior quality source data, lack of internal resources and skills to manage CA/CM, or a lack of resources to implement CA/CM tools. If these risks can be mitigated, a successful implementation of CA/CM will generally translate into reduced reporting costs, enhanced governance, risk mitigation and compliance outcomes, financial and non-financial ROI, as well as increased detection and prevention of fraud.
Past and future investments
The number of organisations with embedded CA/CM is likely to grow gradually. CA/CM will evolve naturally, from starting on a small scale to a mature capability.
Based on the survey:
The potential benefits of CA/CM are widely understood, yet a gap between understanding CA/CM and the willingness to invest in it continues to exist. Only a few companies have implemented CA/CM so far. The survey shows that organisations are gradually changing position from just being interested in CA/CM to actually investing in CA/CM-related projects. The number of organisations surveyed that are not investing in CA/CM will decline by almost 50% over the next two years (from 37% to 19%), while 46% expect to start small projects and invest up to €100,000 in this period. However, the survey also shows that organisations are reluctant to commit to high investments – the number of companies investing more than €250,000 will remain quite stable and below 20%.
[Chart: Investment in CA/CM over the last two years. Bands: €0 (no investment); less than €100,000; €100,000 - €250,000; €250,000 - €500,000; €500,000 - €1 million; greater than €1 million]
[Chart: Investment in CA/CM in the next two years. Bands: €0 (no investment); less than €100,000; €100,000 - €250,000; €250,000 - €500,000; €500,000 - €1 million; greater than €1 million]
KPMG analysis
Organisations are eager to learn but shy away from high up-front investments. This sentiment can be attributed to various factors. Driven by limited discretionary spending and the need for heightened accountability, management must focus on achieving healthy ROIs while also lowering exposure to risk. Consequently, CA/CM must be allowed to evolve naturally, from starting small to a mature capability. Nevertheless, organisations should be able to fit investments within budgets on a sustainable basis and start by composing a business case.
Furthermore, CA/CM tools are still at a stage of development. Many organisations are waiting for enhanced tools before they consider adoption. However, growing interest in CA/CM is increasingly prompting organisations to test CA/CM through pilot projects.
Some companies have successfully managed the cost challenges associated with CA/CM by integrating these into wider project budgets. For companies looking to implement CA/CM, pilots can deliver results quickly and potentially help CA/CM to become auto-financing. An investment in CA/CM fits in well in the context of a larger business intelligence initiative where CA/CM can provide critical business decision-making capabilities. In most other cases, an incremental approach based on an ROI analysis may be more appropriate.
Advances in technology have paved the way for increased use of CA/CM. It is of course vital to opt for technology and tools that are suitable for an organisation’s needs.
Do technology and tooling provide adequate support?
Based on the survey:
Many organisations have started to experiment with technology and standard tooling. As for technology, 75% are using IT, with one-third using office automation or standard auditing tools. Only 13% use advanced business intelligence (BI) dashboards, while 11% use dedicated CA/CM tools from suppliers such as SAP GRC, BWise, Approva, Oversight or Aptean (EMF). In the area of tooling usage, internal audit (78%), finance (63%), internal control (59%) and operational/line management (56%) are using CA/CM tools.
Use of CA and CM tools
Internal audit: 78%
Finance: 63%
Internal control: 59%
Operational/line management: 56%
Risk management: 53%
IT: 52%
Compliance: 50%
CA/CM tools are not implemented, so this question is not relevant for my organisation: 43%

Use of technology to support CA/CM
Not at all or don’t know: 25%
Use of office automation (e.g. Microsoft Excel or Access): 19%
Use of standard auditing tools (e.g. IDEA or ACL): 16%
Use standard reporting e.g. from ERP system: 16%
Use of Business Intelligence (e.g. dashboards, reports): 13%
Use of dedicated CA/CM monitoring tools (e.g. SAP GRC, BWise, Oversight, EMF, Approva): 11%
KPMG analysis
Organisations that are currently interested in CA/CM need guidance and sufficient information on the benefits and techniques associated with CA/CM. At present, many organisations have started to experiment with standard tooling. However, tools should ideally be customised to meet specific needs within each organisation and are likely to evolve gradually into business intelligence dashboards and eventually into professional CA/CM tooling.
Advances in technology have paved the way for increased use of CA and CM in organisational processes, transactions, systems, and controls. Technology-enabled control, auditing and monitoring tools integrated into ERP solutions, or built as third-party bolt-on solutions, have evolved and will continue to evolve. They also help organisations to monitor the efficiency of internal controls, identify and correct lapses in controls and strengthen performance.
It is of course vital to opt for technology tools that are viable and suitable to an organisation’s needs. For instance, some organisations may find embedded tools too costly for their purpose. If this is the case then ‘extract and analyse’ software may be a more appropriate alternative. Any technology-dependent initiative – including CA/CM implementation – is bound to face challenges in terms of achieving data accuracy and consistency. Furthermore, as data evolves constantly, formats, protocols and refresh cycles may vary widely across systems.
The success of a CA/CM initiative is highly dependent upon the effective implementation and use of the right technology tools. In the same way, those tools will only be successful if used effectively. Organisations need to evaluate how suitable the features, functions and capabilities of a tool are for their needs before engaging a specific tool provider.
How KPMG can help
Implementing CA/CM is much more than a technology exercise. KPMG has the experience and industry knowledge to help you effectively apply your knowledge of your business risks and internal mechanisms to designing a CA/CM framework that supports strategic management objectives. We also have assisted organisations in building successful business cases to demonstrate Return on Investment (ROI) from CA/CM implementation. Having helped organisations through CA/CM implementation, we understand the pitfalls and have the know-how to navigate the change management process.
In addition, KPMG can assist in:
• Software selection for CA/CM tool(s)
• Designing and implementing CA/CM risk-based approaches
  - Dashboards
  - Scorecards
  - Analytics
  - Reports
  - Management Protocols
• Optimising past CA/CM implementations (e.g. control rationalisation)
• Integrating with governance, risk, and compliance initiatives
• Integrating with business intelligence initiatives
• Integrating with other data analysis initiatives
• Conducting a walk-along or post-implementation review
• Training
[Figure labels: Continuous auditing; Continuous monitoring; Industry & functional knowledge; People; Process; Technology; Implement; Design; Assess]
Contacts
EMA region: Mr. P.P. (Peter Paul) Brouwers; Partner KPMG IT Advisory; T: +31 (0)40 250 23 25; E: [email protected]
Austria: Mr. T. (Theodor) Demut; Director KPMG Forensic; T: +43 732 6938 24 22; E: [email protected]
Bahrain / Qatar: Ms. J. (Jeyapriya) Partiban; Head of Risk Consulting, Partner; T: +973 1722 48 07; E: [email protected]
Belgium: Mr. P. (Peter) van den Spiegel; Senior Manager KPMG IT Advisory; T: +32 2708 37 79; E: [email protected]
Finland: Mrs. Anneli Grönfors-Kallio; Director KPMG IARCS; T: +358 20760 36 97; E: [email protected]
France: Mr. C. (Cédric) de Lavalette; Partner KPMG IT Advisory; T: +33 15568 67 12; E: [email protected]
Germany: Mr. T. (Thomas) Erwin; Partner KPMG IT Advisory; T: +49 62 1426-72 49; E: [email protected]
Hungary: Mr. I. (István) Molnár; Senior Manager KPMG IT Risk and Compliance; T: +36 1887 74 45; E: [email protected]
India: Mr. S. (Sathish) Gopalaiah; Director KPMG GRCS; T: +91 80306 540 52; E: [email protected]
Italy: Mr. P. (Piermario) Barzaghi; Partner KPMG IARCS; T: +39 0267 64 31; E: [email protected]
Kenya/Tanzania/Uganda: Mr. B. (Brian) D’Souza; Partner KPMG IT Advisory; T: +2542 9280 61 32; E: [email protected]
The Netherlands: Mr. M. (Maurice) op ‘t Veld; Partner KPMG IT Advisory; T: +31 10 453 42 14; E: [email protected]
Nigeria: Mr. O. (Olumide) Olayinka; Head of Risk Consulting, Partner; T: +234 1271 89 55; E: [email protected]
Norway: Mr. K.P. (Karl-Petter) Aarskog; Senior Manager KPMG IT Advisory; T: +47 4063 95 63; E: [email protected]
Portugal: Mr. R. (Rui) Gomes; Partner KPMG IT Advisory; T: +35 121 011 00 18; E: [email protected]
Romania: Mr. R. (Richard) Perrin; Partner KPMG Advisory; T: +40 37237 77 92; E: [email protected]
Saudi Arabia: Mr. A. (Altaf) Dossa; Director KPMG Forensic; T: +96 61874 85 00; E: [email protected]
South Africa: Mr. F. (Frik) Coetzer; Director KPMG IT Advisory; T: +270 84431 16 64; E: [email protected]
Spain: Mr. A. (Angel) Requena Rodriquez; Partner KPMG Forensic; T: +34 91456 34 15; E: [email protected]
Switzerland: Mr. L. (Luka) Zupan; Director KPMG IARCS; T: +41 58 249 36 61; E: [email protected]
Turkey: Mrs. I. (Idil) Gurdil; Head of Risk Consulting, Partner; T: +90 (216) 681 90 14; E: [email protected]
United Kingdom: Mr. D. (Damien) Margetson; Director KPMG Forensic; T: +44 161 246 46 43; E: [email protected]
UAE/MESA: Mr. K. (Karl) Hendricks; Head of KPMG RC MESA; T: +9714 424 89 00; E: [email protected]
We would be happy to share our CA/CM experiences with you and provide insight into the road ahead. Please contact us for more information.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.
© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Printed in the Netherlands. 1212