Continuous Monitoring Continuous Auditing

Clyde Rogers, clyde.rogers@sympatico.ca. Continuous Monitoring, Continuous Auditing: Organizational Readiness; What Needs To Be Done; Making It Happen

description

Continuous Monitoring, Continuous Auditing. Organizational Readiness; What Needs To Be Done; Making It Happen. Research & Information Sources. Professional Experience – Senior Director, Continuous Auditing at Major Bank. Industry – Barclays, RBS, Wells Fargo, Citigroup, RBC, Fleet.

Transcript of Continuous Monitoring Continuous Auditing

Page 1: Continuous Monitoring  Continuous Auditing

Clyde Rogers, clyde.rogers@sympatico.ca

Continuous Monitoring, Continuous Auditing

• Organizational Readiness

• What Needs To Be Done

• Making It Happen

Page 2: Continuous Monitoring  Continuous Auditing

Research & Information Sources

• Professional Experience – Senior Director, Continuous Auditing at Major Bank

• Industry – Barclays, RBS, Wells Fargo, Citigroup, RBC, Fleet

• Organizations – IIA & ADR

• External Firms – Deloitte, KPMG, E&Y

• Academic – Centre for Continuous Auditing – Rutgers, U of Waterloo

Page 3: Continuous Monitoring  Continuous Auditing

Guiding Principles - Mindset

• Improve Efficiency and/or Effectiveness – Needs to Business Case, Be Important, $’s, Benefits

• COSO/COCO Frameworks, Enterprise Wide Risk Management, Control Self-Assessment

• Changing Regulatory Requirements – SOX, Basel

• Partner with Client & Governance Groups

• Validate - Cross Organization Roles & Responsibilities & Acceptance

Page 4: Continuous Monitoring  Continuous Auditing

Guiding Principles – Mindset

• Client Monitors & Manages Risk and Compliance

• Audit Gets Assurance From Client & Partner Processes as well as Independent Testing

• Information Technology is an Enabler – Larger Than That

• Staged and Incremental Implementation – Business Line & Phases

Page 5: Continuous Monitoring  Continuous Auditing

Success Drivers

• Promoted/Championed by Senior Executive – Chief Auditor & Business Line Executive

• Focus On a “Quick Win” – Business Line Readiness – Operating Models

• Business Line Buy-In also Influences Governance and Support Groups

• Leverage/Benchmark to Industry & Non-Industry Leaders and Best Practices

Page 6: Continuous Monitoring  Continuous Auditing

CM – CA Model/Processes

[Diagram. Panels: Traditional Auditing; Risk and Frequency Model; Continuous Auditing Warehouse. Labels: External/Regulatory; Early Warning Systems; Staffing Issues; Whistle Blower; Operational Losses; Key Performance; Risk Teams; NIAP; Advisory; Support; Lines; Prior Audit Results; Operational Risk; Inherent Risk; Strong or Satisfactory; Requires Improvement; Unsatisfactory; Suggested Action; No Action; Proceed with audit as scheduled; Accelerate audit activity; Quarterly Audit Planning and Reporting.]

Page 7: Continuous Monitoring  Continuous Auditing

Business Line Profile

• Standard Operating Environment – 1,000 locations – National – 4 Segmented Client Offers

• Confusion/Duplication Between Functions in Roles & Responsibilities – 4 Major Risk Teams

• Quick Win – Risk Teams – Duplication & Costs

• Conflicting Reporting to Clients & Stakeholders

Page 8: Continuous Monitoring  Continuous Auditing

Benefits – Phase I – Risk Teams

• Align Risk Teams Coverage to Meet the Needs of all Groups – 1 Group – Audit Leverages (QA)

• Roles & Responsibilities Defined and Aligned to Changing and Emerging Regulatory Requirements – SOX, Basel

• Improve Effectiveness & Efficiency – Less Branch Disruption – Also $2 million Savings

• Move to Continuous Monitoring/Auditing Model – Foundational to Phase II – Further Benefits

Page 9: Continuous Monitoring  Continuous Auditing

Phase I

[Timeline markers: Q1 2005; Q2 2005; Q1 2006]

Reduced On-site Testing Through:

• Inventorying current on-site testing activities

• Changing/adding/deleting tested activities

• Identifying duplication

• Migrating duplicated testing to FRS

• Eliminating migrated testing from groups

• Developing process to audit FRS

• Focusing on routine activities

• Processes review with product groups

[Diagram labels: On-site testing; SOX; Basel; Compliance; Business Risk; W/M; Internal Audit]

Page 10: Continuous Monitoring  Continuous Auditing

Benefits – Phase II - EWS

• Leverage Information Technology - Consists of Data Mining and Analytics

• Whole Portfolios – Holistic View – Real Time

• Additional Efficiencies - $5 million

• Major Step Towards Continuous Monitoring/Auditing Model

• Monitoring Capability Enhanced:

- Reduces Onsite Testing

- Risk Indicators/Trends To Support On-site Testing

- Improves Earlier Identification – More Predictive

Page 11: Continuous Monitoring  Continuous Auditing

Phase II

[Timeline marker: Q1 ‘07]

[Diagram labels: On-site testing; SOX; Basel; W/M; Business Risk; Compliance; Internal Audit]

Reduced On-site Testing Through:

• Develop central monitoring capability

• Enhanced technology platform

• Leverage existing knowledge (NRM/EWS/CRS)

• Central monitoring for select activities

• Further on-site testing eliminated

• Majority of on-site testing migrated to FRS

[Diagram labels: Internal Audit; Internal Audit/Basel]

Page 12: Continuous Monitoring  Continuous Auditing
