KPMG Forensic (SM)

Continuous Auditing/Continuous Monitoring: Using Technology to Drive Value by Managing Risk and Improving Performance

September 2010

ADVISORY
Introduction

In the current complex business environment, organizations are increasingly exposed to new risks, growing compliance regulations, fraud schemes, operational inefficiencies and errors that can lead to financial loss or reputational damage. There is an increased focus on adopting progressive ways of assessing and managing risk while enhancing performance.

Advances in technology have paved the way for increased use of Continuous Auditing and Continuous Monitoring (CA/CM) of organizational processes, transactions, systems and controls. Organizations are leveraging technologies to change how they evaluate the effectiveness of controls and monitor performance. CA/CM provides deeper insight into areas of risk and opportunity, while strengthening governance structures.
CA/CM Overview – Definitions

Continuous Auditing: The collection of audit evidence and indicators, by an internal or external auditor, on IT systems, processes, transactions and controls on a frequent or continuous basis throughout a period.

Continuous Monitoring: An automated feedback mechanism used by management to help ensure that systems and controls operate as designed and transactions are processed as prescribed.

How is your organization defining the CA/CM initiative?
CA/CM Overview – Objectives

Continuous Auditing (performed by Internal Audit)
- Gain audit evidence more effectively and efficiently
- React in a more timely manner to business risks
- Leverage technology to perform more efficient internal audits
- Focus audits more specifically
- Help monitor compliance with policies, procedures and regulations
- Become more valuable to the business

Continuous Monitoring (responsibility of Management)
- Improved governance
- Increased visibility into operations
- Better information for day-to-day decision making
- Reduced cost of controls
- Leverage technology to create efficiencies
Integrating CA and CM

Organizations that draw the maximum value from CA/CM tend to use a combination of both CA and CM throughout the business. It is common to successfully implement CA without a CM process in place; often CA techniques lead to management adopting specific procedures as CM. Leading organizations tend to use a variety of analytic techniques across a combination of three areas of monitoring, based on a cost-benefit analysis.
Dimensions of CA/CM – Integrating the Types of Tools and Analytics

- Macro-level trends and results monitoring (Days Sales Outstanding (DSO), Days Payments Outstanding (DPO), working capital requirements, etc.)
- Continuous transaction monitoring (predefined business rules and exception analysis)
- Continuous controls monitoring (changed or deleted controls)

Risk and performance monitoring is enhanced when all three dimensions are implemented.
Linking CA/CM with Risk Management and Operations Improvement

No matter how an organization chooses to launch the CA/CM effort, it should take steps to define the desired end-state in order to build a road map and measure success effectively. A key to achieving the desired state is integrating an enterprise risk management (ERM) program, monitoring capabilities from a CA and CM perspective, and an exception-based remediation and control improvement program. Based on the monitoring insights obtained, a range of exceptions or areas for improvement can be identified over time, communicated and corrected – leading to process enhancement.

Source: CA/CM Using Technology to Drive Value by Managing Risk and Improving Performance, 2008
Business Imperatives Driving CA/CM

- Complexity of the business environment
- Lack of transparency
- Increased regulatory compliance requirements
- Need for timely information to drive effective decision making
- Technology innovations
- Increased fraud and misconduct risk
- Cost pressures
- Stakeholder expectations
Building the Business Case

The business case for implementing CA/CM varies with each organization and depends on numerous business drivers.

Source: CA/CM Using Technology to Drive Value by Managing Risk and Improving Performance, 2008
Building the Business Case (cont.)

Visualizing the potential for use of CA/CM throughout an organization is both useful and important. Focus on “quick wins” to assist in demonstrating business value. A CA and/or CM implementation can be successful regardless of whether management or internal audit takes the first step. Efforts to align business objectives and risks for both stakeholders can allow for quick initial wins that build momentum.
How CA/CM Can Be Deployed and Measured

Chief Financial Officer
Potential business need:
- Obtaining measures on risk and performance
- Rationalizing control self-assessments
- Continuous risk assessment
- Fraud and misconduct prevention
- Reduced Sarbanes-Oxley (S-O) costs
- Business continuity
- Accountability refinement
Possible measurements:
- Decreased variability in key performance indicators (KPIs)
- Results more consistent with plan/forecast
- Lower incidence of fines/fraud events, fraud fees
- Reduced professional fees
- Fewer audit adjustments
- Reduced S-O costs

Chief Information Officer
Potential business need:
- Systems performance
- Access controls
- Security / privacy / capacity
- Technology leveraging
Possible measurements:
- Reduced system downtime
- Improved performance/response time
- Fewer violations of software licensing agreements
- Increased number of automated controls
- Reduced IT cost of ownership

Chief Audit Executive
Potential business need:
- Continuous risk and control assessment
- Focused audit plan
- Data integrity
- Trend identification and categorization
Possible measurements:
- Efficiently expanded coverage
- Identification and reporting of errors and noncompliance sooner
- Improved utilization
- Reduced time to conduct risk assessment
- Reduced time required at each auditee
- Reduced travel costs
- Reduced cost for bulk data analysis
- Improved speed of reporting

Chief Compliance Officer
Potential business need:
- Rationalizing compliance function
- Regulatory compliance
Possible measurements:
- Reduced duplication of work
- Streamlined reporting processes
- Improved compliance statistics
- Improved ability to assign accountability
- Lower incidence of fines
Key Implementation Considerations

The level of effort to implement a partial or fully integrated CA/CM program depends on the extent and maturity of existing organizational capabilities. A maturity assessment should focus on the following:

Source: CA/CM Using Technology to Drive Value by Managing Risk and Improving Performance, 2008
Process Optimization – Questions to Consider

- How will the organization implement a CA/CM discipline? Will the approach be comprehensive or phased in by, for example, risk area, process, business unit, geographic area, or system?
- How will the organization actively manage process improvement changes with the tools and techniques used to monitor risk and performance?
- Has the organization aligned the monitoring and auditing frequencies with the respective risk and performance issues to be monitored, so as to provide the transparency needed to enable prevention or early detection?
Risks and Controls – Questions to Consider

- How is risk currently managed and monitored?
- What is the driver for the CA/CM initiative – fraud and misconduct prevention, regulatory compliance, or performance improvement?
- Is there agreement between CA/CM on key risks and controls?
- Does the organization have a single view of financial, regulatory and operations risks?
- How mature are the change management protocols?
- Is management monitoring the right controls, and what is the process for refining such monitoring as processes, technology and people change?
- How does the organization monitor performance for processes outsourced to others (e.g., payroll)? Does it have access to process-specific data?
- Has the organization implemented, to the extent practical, the automated controls necessary to prevent unwarranted errors and to avoid inefficient use of resources to rework or correct such errors?
Technology – Questions to Consider

- What systems and monitoring functions currently exist, and what is the organization’s experience in using them?
- What CA/CM implementation model makes sense based on the system architecture? Does the organization use existing monitoring capabilities within the ERP system, third-party bolt-on solutions, or a combination of both?
- Will tools reside internally, or will the organization batch data to send to an external service provider to evaluate, detect and report business rule exceptions and other anomalies?
- How will the tools affect the performance of business systems? Will the organization monitor against production data or a production copy? What data management practices are appropriate? How will these decisions affect monitoring of real-time activity?
- What is the required frequency and sophistication of analysis?
- How will exceptions be reported, assigned, resolved and documented?
Technology – Questions to Consider (cont.)

- What technology will be shared (or not shared) between management and internal audit?
- Has the organization considered the security and privacy requirements of implementing a CA/CM solution? How has it limited access within these tools to information on a need-to-know basis?
- What is the organization’s license cost across technologies, and has it optimized this investment?
Organization and People – Questions to Consider

- Who is the sponsor (owner) of the CA/CM initiative, and does he/she have the necessary senior management support?
- What functional knowledge (e.g., fraud risk management) and skill sets exist, and what level of training will be needed to deploy process and technology changes?
- How have roles and responsibilities been defined?
- Does the organization have the business insight into how processes and controls function so that it can challenge the effectiveness and efficiency of processes and perform the necessary root cause analysis for exceptions?
- How effectively does the organization manage through change?
Implementation Challenges

Expect challenges and barriers along the implementation route:
- Resistance to change/corporate culture
- Existing IT solutions and source data
- Uncertain budgetary resources to implement CA/CM tools and disciplines
- Inadequate business processes and systems
- Lack of internal resources or skills to implement and manage
Measuring CA/CM Success

A number of indicators point to the success of a CA/CM effort:
- Financial return on investment (ROI)
- Non-financial ROI (e.g., regulatory compliance)
- Potential to reduce S-O compliance costs
- Enhanced governance, risk mitigation and compliance outcomes
- Increased detection and prevention of fraud and misconduct
- Reduction in time needed to conduct audits and investigations
- Increase in audit scope and coverage
Conclusion

- Implementing CA/CM is not just a technology exercise.
- CA/CM can change the type, speed and visibility of information on risk and performance, which should significantly impact how business decisions are made and monitored.
- A variety of implementation challenges can be expected along the way.
- Building a business case and roadmap for how to achieve the objectives of the CA/CM implementation is critical.
Anti-Money Laundering Transaction Monitoring
Transaction Monitoring

A financial services organization must have systems to identify transactions that may be high risk for money laundering or that exhibit indicia of unusual or suspicious activity reportable through a Suspicious Activity Report. Transaction Monitoring systems assist financial services organizations in identifying and analyzing potentially suspicious activity.

Transaction Monitoring systems typically consider:
- Geography
- Risk level of a customer
- Linked accounts
- Type of transactions
- Velocity and frequency of transactions
- Changes in transactional behavior
Transaction Monitoring Systems – No Universal Solution

Build vs. Buy

“People who design these systems should use them. Although I've said systems are not sophisticated, they are sometimes too much so for our own good.” – Switzerland respondent*

“We need more intelligence-based transaction monitoring with the capability to detect transactions not noted by human scrutiny.” – Russia respondent

“I would like to have a system that can track both behavioral and statistical transactions based on a transaction pattern (e.g. volume, country, business).” – Hong Kong respondent

“We should focus on updating the enterprise-wide system, rather than different ones in different areas of the bank.” – Taiwan respondent

*Source: KPMG Global Anti-Money Laundering Survey 2007
Transaction Monitoring Systems – No Universal Solution

- Analysis to understand the universe of all transaction types the institution utilizes (a critical step)
- Assessment to determine the risks certain products and product groups pose for money laundering and terrorist financing
- Assessment to determine the risk related to the customer base
- Assessment of global operations / overseas branches
- Integration with CRM / RM applications
Transaction Monitoring Systems – No Universal Solution

Data gathering and normalization
- Fragmented systems in various formats and locations
- Legacy systems and systems acquired through M&A
- Outsourced data hosting
- Third party vendors

Monitoring “tool”
- Scenario development beyond real time monitoring
- Appropriate tuning of scenarios
- Case creation
- Appropriate scoring (risk ranking transactions per your business requirements)

Case management system and investigation
- Investigative file
- Audit trail
Transaction Monitoring Systems – No Universal Solution

Continuous Re-assessment [diagram: Customer]
Transaction Monitoring Systems – No Universal Solution

Detection Scenario Tuning
- Scenario tuning
  - Risk based approach
  - High quality alerts vs. tuning to numbers
- Deployment documentation
  - Analysis as to why certain scenarios were chosen
  - Documenting the tuning process for regulatory review
- Analysis of the tuning process
  - Review of the outputs to see the “true” picture of customer activity
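A small illustration of the indicators listed under Transaction Monitoring above (geography, customer risk level, velocity/frequency, changes in transactional behavior) and of the scenario-tuning question of alert quality versus alert count. This is example code added here, not code from the deck or from any KPMG product; the high-risk geography code, customer risk tiers, thresholds, transactions and investigation outcome are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed reference data: a placeholder high-risk geography code and hypothetical customer risk tiers.
HIGH_RISK_GEOS = {"XX"}
CUSTOMER_RISK = {"C1": 1, "C2": 3}  # 1 = low risk, 3 = high risk

def score_customer(txns, velocity_limit=3, window=timedelta(hours=24), deviation=3.0):
    """Three scenarios over one customer's (customer, ts, amount, country) tuples -> [(txn, score, reasons)]."""
    txns = sorted(txns, key=lambda t: t[1])
    alerts, history = [], []
    for i, t in enumerate(txns):
        cust, ts, amount, country = t
        reasons = []
        if country in HIGH_RISK_GEOS:                          # geography scenario
            reasons.append("geo")
        recent = [u for u in txns[:i + 1] if ts - u[1] <= window]
        if len(recent) > velocity_limit:                       # velocity / frequency scenario
            reasons.append("velocity")
        if history and amount > deviation * (sum(history) / len(history)):
            reasons.append("behaviour")                        # change versus the customer's own baseline
        history.append(amount)
        if reasons:
            alerts.append((t, len(reasons) * CUSTOMER_RISK.get(cust, 2), reasons))  # score = hits x risk tier
    return alerts

def tune_threshold(alerts, confirmed, thresholds):
    """Scenario tuning: per score threshold -> (alerts raised, alerts later confirmed by an investigator)."""
    return {th: (len([a for a in alerts if a[1] >= th]),
                 sum(1 for a in alerts if a[1] >= th and a[0] in confirmed))
            for th in thresholds}

T0 = datetime(2010, 9, 1, 9, 0)  # constructed sample transactions for two customers
SAMPLE = [
    ("C1", T0, 100.0, "US"), ("C1", T0 + timedelta(days=1), 120.0, "US"),
    ("C1", T0 + timedelta(days=2), 110.0, "US"),
    ("C1", T0 + timedelta(days=3), 1000.0, "US"),            # jump versus the customer's baseline
    ("C2", T0, 200.0, "US"), ("C2", T0 + timedelta(hours=2), 200.0, "US"),
    ("C2", T0 + timedelta(hours=4), 200.0, "US"),
    ("C2", T0 + timedelta(hours=6), 200.0, "XX"),            # 4th within 24h, to the high-risk geography
]

def run_example():
    by_customer = defaultdict(list)
    for t in SAMPLE:
        by_customer[t[0]].append(t)
    alerts = [a for txns in by_customer.values() for a in score_customer(txns)]
    confirmed = {SAMPLE[-1]}                                 # constructed investigation outcome
    return alerts, tune_threshold(alerts, confirmed, [1, 4])
```

Raising the score threshold from 1 to 4 halves the alert volume in this sample while keeping the alert an investigator confirmed, which is the trade-off the "high quality alerts vs. tuning to numbers" point describes.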
Transaction Monitoring Systems – No Universal Solution

Continuous Assessment [diagram: INDEPENDENT TEST]
Transaction Monitoring Systems – Considerations when choosing a commercial system

- Coverage of lines of business / size of financial institution
- Level of customization
- Integration with CRM / RM applications
- “Release” based AML monitoring system
- Post implementation support
- Continuity
Thank You

Sven Stumbauer
Director, KPMG LLP
sstumbauer@kpmg.com
+1-305-913-2772

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.