Copyright © 2003 Americas’ SAP Users’ Group
Compliance and Continuous Monitoring: Achieving Best Practice Standards for Internal Control
Michelle Thomson
ACL Services Ltd.
Agenda
Challenges of financial management
Challenges of designing effective controls
Assessing controls through data analysis
The role of continuous monitoring
Benefits of continuous monitoring
Challenges
Increased Business Complexity
Accelerating Business Cycles
Decreased Time & Resources
Competition
Fewer People
Increased Margin for Error
Increased Scope of Responsibilities & Decision Making
Partners
Audit Committee
Stock Exchanges
Shareholders
Media
Public
Clients
Environment
Rating Agencies
Board of Directors
Increased Regulation, Scrutiny & Accountability
CEO
Government
Systems Integration
Wealth Creation
Strategic Leadership
Operational Excellence
Financial Control
Financial Management
Information Quality
IT Infrastructure
Complex Transactions
Global Markets
Logistics
Challenges of Designing Effective Controls
Transactions and transactional data are the lifeblood of organizations
Controls over these transactions and the data that record them are critical
Financial accountability and assurance depend on the integrity and reliability of the:
Transactions
Data that records the transactions
Financial reports that summarize the transactional data
Challenges of Designing Effective Controls
Cost vs. benefit of controls
Manual controls break down as volumes increase
Automated controls within applications are time-consuming to implement, expensive, hard to maintain
New system implementations often disregard audit, internal control experts
Super users and system administrators can by-pass controls
Control Breakdowns
“These (improper) payments occur for many reasons including insufficient oversight or monitoring, inadequate eligibility controls, and automated system deficiencies. However, one point is clear – the basic or root cause of improper payments can typically be traced to a lack of or breakdown in internal controls.”
GAO Report, Coordinated Approach Needed to Address the Government’s Improper Payments Problems, August 2002
Control Layers Within an Organization
Determine
Risks & Impacts
Policies
Controls
Transactions
Controls Assessment Through Data Analysis
Key method of testing controls
Typical assessments involve:
Examination of 100% of transactions to determine compliance with defined controls
Determination if transactions exist for which no controls have been implemented
Audit processes using data analysis tend to be comprehensive and usually take place long after the transactions occurred
Continuous Monitoring Using Data Analysis
Convert audit analytical procedures into a monitoring process for all transactional data
Test transactional data against defined control rules and parameters
Run automatically on a regular basis
Generate exception reports or alerts automatically
Value of Continuous Monitoring
Independent of the underlying business application system
Improved timeliness of response to problems
A detective control – but can also be preventative
An additional level of control by identifying problems in early stages
Continuous Monitoring Checklist
Monitors data from disparate systems to provide holistic view of transaction
Identifies rogue transactions in a timely manner
Validates effectiveness of controls
Mitigates deficient control structures
Identifies further process improvement opportunities
Provides independent assurance
Controls Review Methods
Ad Hoc Analysis
Repeated Control Review
Continuous Monitoring
Confidence
Trust
Anatomy of Continuous Monitoring
CM Applications
DATA
Specific data from multiple data sources and data formats are compiled, indexed and prepared for analysis
RULES
Contains business rules, control policies, or test requirements of the organization
ANALYSIS
Complex technology applies the rules to the data to identify transaction anomalies
Continuous Monitoring
Reporting Medium
Transaction Monitoring Process
Primary Data Source
Sources: Financial Systems, HR Systems, CRM Systems, Others
Data Output
Common Applications of Continuous Monitoring
General business processes
Purchase / payments cycle
Vendor fraud
Expense claims
Payroll
Industry-specific (particularly regulatory compliance)
Chemical/ Pharmaceutical – FDA regulations
Medicare/Medicaid compliance
Benefits of Continuous Monitoring Systems
Validation that controls built into application systems are operating effectively
Compensate for poor controls in application systems
Transaction systems cannot ensure integrity across disparate systems
Comprehensive analysis of transactions is not practical in large transaction systems
Independence from the transaction system
Continuous Monitoring & Audit
Fastest growing area within audit and control community
Significant role as a response to increased focus on controls and assurance
CEO & CFO requirements around Sarbanes-Oxley Act
Acts as a supplemental control level, strengthening overall internal controls
Provides increased assurance over the effectiveness of controls
In Conclusion
Continuous Monitoring provides an opportunity for significantly improved levels of control and assurance
The accounting and control profession has discussed it for years – the time is now ideal for implementation
Technology is available to enable continuous monitoring
Businesses can’t afford to miss the issues
Using ACL to Continuously Monitor SAP Accounts Payable
Gene Scheckel
ConocoPhillips
Why Continuously Monitor AP?
To keep tabs on items
beyond the scheduled audit plan
outside normal controls
Do not continuously monitor normal controls within SAP
BUT
Do continuously monitor items where there is no specific control within SAP
What We Monitor
Duplicate payments between SAP and other financial systems
Unusually large payments
Payments to employees as outside vendors
Duplicate vendors in the Vendor Master
Continuous Monitoring
Duplicate payments between SAP and other financial systems
The Challenges
Convert new acquisition from legacy financial system to SAP
Legacy system and SAP both have duplicate payment controls
But duplicate payment controls do not exist between the two systems
The Results
Duplicate payments between SAP and legacy financial system
[Chart: Number of Duplicates by month (May, Jun, July, Aug, Sept); data labels 93, 64, 27, 20, 12]
Approximately 150,000 payments per month
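A cross-system duplicate test of the kind described above, as an added example that is not part of the original presentation and is not ACL or SAP code. The field names, sample records and normalization rules are assumptions constructed for illustration.

```python
from collections import defaultdict
from decimal import Decimal
import re

# Constructed sample extracts; field names are assumptions, not real table layouts.
SAP_PAYMENTS = [
    {"doc": "S-1001", "vendor_tax_id": "74-1111111", "invoice": "INV-00450", "amount": "12500.00"},
    {"doc": "S-1002", "vendor_tax_id": "74-2222222", "invoice": "7781", "amount": "310.40"},
    {"doc": "S-1003", "vendor_tax_id": "74-3333333", "invoice": "A-19", "amount": "980.00"},
]
LEGACY_PAYMENTS = [
    {"doc": "L-88", "vendor_tax_id": "741111111", "invoice": "inv 450", "amount": "12,500.00"},
    {"doc": "L-89", "vendor_tax_id": "74-2222222", "invoice": "7781", "amount": "301.40"},
    {"doc": "L-90", "vendor_tax_id": "74-9999999", "invoice": "A-19", "amount": "980.00"},
]

def normalize_key(p):
    """Build a system-independent key: vendor tax id, invoice number, amount."""
    tax_id = re.sub(r"\D", "", p["vendor_tax_id"])
    # Drop punctuation and case, then leading zeros, so 'INV-00450' equals 'inv 450'.
    invoice = re.sub(r"[^A-Z0-9]", "", p["invoice"].upper())
    invoice = re.sub(r"(?<![0-9])0+(?=[0-9])", "", invoice)
    amount = Decimal(p["amount"].replace(",", ""))
    return (tax_id, invoice, amount)

def cross_system_duplicates(sap, legacy):
    """Return (sap_doc, legacy_doc) pairs that pay the same invoice in both systems."""
    index = defaultdict(list)
    for p in sap:
        index[normalize_key(p)].append(p["doc"])
    pairs = []
    for p in legacy:
        # Each system's own duplicate check never sees the other system's
        # payments, so the comparison has to happen outside both.
        for sap_doc in index.get(normalize_key(p), []):
            pairs.append((sap_doc, p["doc"]))
    return pairs

if __name__ == "__main__":
    for sap_doc, legacy_doc in cross_system_duplicates(SAP_PAYMENTS, LEGACY_PAYMENTS):
        print(f"EXCEPTION duplicate payment: SAP {sap_doc} / legacy {legacy_doc}")
```

Exact-key matching misses duplicates where the amount or invoice number was retyped with an error (L-89 here); such near matches need a separate, looser test with its own review queue.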
Continuous Monitoring
Unusually large vendor payments
The Challenge…
Uncover overpayments due to data entry errors
The Results
Invoice Amount = 20,725.00
Approver noted invoice error and manually entered new amount to be paid.
Data entry clerk ignored the note.
Amount Paid = $43,803.31
Recovered $23,078.31
Continuous Monitoring
Payments to employees as outside vendors
Not employee reimbursements
The Challenge…
Uncover potential conflicts of interest and employee fraud
The Results
A supervisor who approved invoices paid to the small business he owned
A purchasing agent doing business with a company owned by her husband
Continuous Monitoring Findings
Discovery of duplicate payments, overpayments and possible fraud
Preservation of the reliability of SAP preventive controls
Next Steps
Apply continuous monitoring methodology to other areas of the business
Procurement Cards
Long Distance Phone Bills
Validate User IDs
Implementing Continuous Monitoring
Derek Warburton
ACL Services Ltd.
Agenda
Success factors
Reactive vs. proactive approach
When to get help
Continuous Monitoring methodology
Practical implementation issues
Next steps
Effective Continuous Monitoring
Success is a function of
People: expertise, availability
Process: applying proven methodology
Technology: right tools for the job
Continuous Monitoring Checklist
Monitors data from disparate systems to provide holistic view of transaction
Identifies rogue transactions in a timely manner
Validates effectiveness of controls
Mitigates deficient control structures
Identifies further process improvement opportunities
Provides independent assurance
Continuous Monitoring Approach
Reactive
Implement Continuous Monitoring after experiencing a significant loss
Proactive Strategic
Identify high risk business areas, and implement Continuous Monitoring before loss is material
Implementation Assistance
Considerations
Independence (optics, regulatory)
Scale/scope
Complexity of business area or analysis
Availability of skilled resources
Disparate systems (all data not in SAP)
Opportunity cost or risk of time delay
Implementation Methodology
Increased Shareholder Value
Implement Continuous Monitoring
Build Functioning Application
Assess Preliminary SDD
Design Solutions Design Document
Practical Implementation Issues
Direct access to the data vs. an extract?
Direct access to source data preferred
Is all data in SAP? How to access other systems?
Time- or process-based data testing range?
Ensure that all transactions are captured since the last test process
Practical Implementation Issues
Set priorities for findings
Identifying specific control exposures and risk indicators
Define specific control tests for transactional data
Risk of high volumes of exceptions = ignore reports
Establish sensitivity thresholds for reporting and alerts
“Scoring/weighting” of events dependent upon combination of control parameters that are failed and indicators of risk
Allow “tuning” of application sensitivity
Prioritize alerts
High score events trigger immediate alert with management
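The scoring, sensitivity thresholds and alert prioritization listed above, as an added example that is not part of the original presentation or any ACL product. The control tests mirror the large-payment and employee-as-vendor checks from the earlier slides; all field names, weights, thresholds and records are constructed assumptions.

```python
from statistics import median

# Constructed sample data; names, weights and thresholds are illustrative assumptions.
EMPLOYEE_BANK_ACCOUNTS = {"ACCT-0002"}
VENDOR_HISTORY = {"V100": [20100.0, 20725.0, 19950.0, 21300.0], "V200": [450.0, 500.0, 475.0]}
PAYMENTS = [
    {"id": "P1", "vendor": "V100", "amount": 43803.31, "approved_amount": 20725.00, "bank": "ACCT-0001"},
    {"id": "P2", "vendor": "V200", "amount": 480.00, "approved_amount": 480.00, "bank": "ACCT-0002"},
    {"id": "P3", "vendor": "V100", "amount": 20500.00, "approved_amount": 20500.00, "bank": "ACCT-0001"},
]
DEFAULT_PARAMS = {
    "large_factor": 2.0,     # payment > factor x vendor's median historical payment
    "weights": {"large_vs_history": 40, "paid_exceeds_approved": 30, "employee_bank_match": 50},
    "report_threshold": 30,  # below this score the event is not reported
    "alert_threshold": 60,   # at or above this score management is alerted immediately
}

def failed_tests(p, params):
    """Return the names of the control tests this payment fails."""
    failed = []
    history = VENDOR_HISTORY.get(p["vendor"], [])
    if history and p["amount"] > params["large_factor"] * median(history):
        failed.append("large_vs_history")
    if p["amount"] > p["approved_amount"]:
        failed.append("paid_exceeds_approved")
    if p["bank"] in EMPLOYEE_BANK_ACCOUNTS:
        failed.append("employee_bank_match")
    return failed

def score_payments(payments, params=DEFAULT_PARAMS):
    """Score each payment and return reportable events, highest score first."""
    events = []
    for p in payments:
        failed = failed_tests(p, params)
        score = sum(params["weights"][name] for name in failed)
        if score >= params["report_threshold"]:
            level = "ALERT" if score >= params["alert_threshold"] else "REPORT"
            events.append((p["id"], score, level, failed))
    return sorted(events, key=lambda e: e[1], reverse=True)

if __name__ == "__main__":
    for event in score_payments(PAYMENTS):
        print(event)
```

Raising `large_factor` to 2.5 drops P1 from ALERT to REPORT, which is the tuning trade-off: fewer exceptions to review against a later or weaker signal on a real overpayment.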
Interface Example for Tuning Monitoring Parameters
Note: This amount can be modified from the parameters menu.
Conclusion
Will Continuous Monitoring reduce risk and costs at your company?
What’s stopping you from moving forward?
Don’t be shy to ask for help