Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction In the current complex business environment, organizations are increasingly exposed to new risks, growing compliance regulations, fraud schemes,

Published byClyde Conley Modified over 7 years ago

Similar presentations

Presentation on theme: "Introduction In the current complex business environment, organizations are increasingly exposed to new risks, growing compliance regulations, fraud schemes,"— Presentation transcript:

0 Continuous Auditing/Continuous Monitoring
KPMG FORENSICSM Continuous Auditing/Continuous Monitoring Using Technology to Drive Value by Managing Risk and Improving Performance September 2010 ADVISORY

1 Introduction In the current complex business environment, organizations are increasingly exposed to new risks, growing compliance regulations, fraud schemes, operational inefficiencies and errors that can lead to financial loss or reputational damage There is an increased focus on adopting progressive ways of assessing and managing risk while enhancing performance Advances in technology have paved the way for increased use of Continuous Auditing and Continuous Monitoring (CA/CM) of organizational processes, transactions, systems and controls Organizations are leveraging technologies to change how they evaluate the effectiveness of controls and monitor performance CA/CM provides deeper insight into areas of risk and opportunity, while strengthening governance structures

2 CA/CM Overview Definitions
Continuous Auditing The collection of audit evidence and indicators, by an internal or external auditor, on IT systems, processes, transactions and controls on a frequent or continuous basis throughout a period Continuous Monitoring An automated feedback mechanism used by management to help ensure that systems and controls operate as designed and transactions are processed as prescribed How is your organization defining the CA/CM initiative?

3 CA/CM Overview Objectives
Continuous Auditing Performed by Internal Audit Continuous Monitoring Responsibility of Management Gain audit evidence more effectively and efficiently React more timely to business risks Leverage technology to perform more efficient internal audits Focus audits more specifically Help monitor compliance with policies, procedures and regulations Become more valuable to the business Improved governance Increase visibility into operations Obtain better information for day-to-day decision making Strive to reduce cost of controls Leverage technology to create efficiencies

4 Integrating CA and CM Organizations that draw the maximum value from CA/CM tend to use a combination of both CA and CM throughout the business It is common to successfully implement CA without a CM process in place Often CA techniques lead to management adopting specific procedures as CM Leading organizations tend to use a variety of analytic techniques across a combination of three areas of monitoring, based on a cost-benefit analysis

5 Dimensions of CA/CM Integrating the Types of Tools and Analytics
Macro-Level Trends and Results Monitoring (Days Sales Outstanding (DSO), Days Payments Outstanding (DPO), working capital requirements, etc.) Risk/ Performance Continuous Transaction Monitoring (predefined business rules and exception analysis) Continuous Controls Monitoring (changed or deleted controls) Risk and Performance Monitoring is enhanced when all three dimensions are implemented

6 Linking CA/CM with Risk Management and Operations Improvement
No matter how an organization chooses to launch the CA/CM effort, they should take steps to define the desired end-state to effectively build a road map and measure success A key to achieving the desired state is integrating an enterprise risk management (ERM) program, monitoring capabilities from a CA and CM perspective, and an exception-based remediation and control improvement program Based on the monitoring insights obtained, a range of exceptions or areas for improvement can be identified over time, communicated and corrected – leading to process enhancement Source: CA/CM Using Technology to Drive Value by Managing Risk and Improving Performance, 2008

7 Business Imperatives Driving CA/CM
Complexity of the business environment Lack of transparency Increased regulatory compliance requirements Need for timely information to drive effective decision making Technology innovations Increased fraud and misconduct risk Cost pressures Stakeholder expectations

8 Building the Business Case
The business case for implementing CA/CM varies with each organization and depends on numerous business drivers Source: CA/CM Using Technology to Drive Value by Managing Risk and Improving Performance, 2008

9 Building the Business Case (cont.)
Visualizing the potential for use of CA/CM throughout an organization is both useful and important. Focus on “quick wins” to assist in demonstrating business value. A CA and/or CM implementation can be successful regardless of whether management or internal audit takes the first step Efforts to align business objectives and risks for both stakeholders can allow for quick initial wins that build momentum

10 How CA/CM Can Be Deployed and Measured
User Potential Business Need Possible Measurements Chief Financial Officer Obtaining measures on risk and performance Rationalizing control self-assessments Continuous risk assessment Fraud and misconduct prevention Reduced Sarbanes-Oxley (S-O) costs Business continuity Accountability refinement Decreased variability in key performance indicators (KPIs) Results more consistent with plan/forecast Lower incidence of fines/fraud events, fraud fees Reduced professional fees Fewer audit adjustments Reduced S-O costs Chief Information Officer Systems performance Access controls Security / Privacy / Capacity Technology leveraging Reduced system downtime Improved performance/response time Fewer violations of software licensing agreements Increased number of automated controls Reduced IT cost of ownership Chief Audit Executive Continuous risk and control assessment Focused audit plan Data integrity Trend identification and categorization Efficiently expanded coverage Identification and reporting of errors and noncompliance sooner Improved utilization Reduced time to conduct risk assessment Reduced time required at each auditee Reduced travel costs Reduced cost for bulk data analysis Improved speed of reporting Chief Compliance Officer Rationalizing compliance function Regulatory compliance Reduced duplication of work Streamlined reporting processes Improved compliance statistics Improved ability to assign accountability Lower incidence of fines

11 Key Implementation Considerations
The level of effort to implement a partial or fully integrated CA/CM program depends on the extent and maturity of existing organizational capabilities A maturity assessment should focus on the following: Source: CA/CM Using Technology to Drive Value by Managing Risk and Improving Performance, 2008

12 Process Optimization – Questions to Consider
How will the organization implement a CA/CM discipline? Will the approach be comprehensive or phased in by, for example, risk area, process, business unit, geographic area, or system? How will the organization actively manage process improvement changes with the tools and techniques used to monitor risk and performance? Has the organization aligned the monitoring and auditing frequencies with the respective risk and performance issues to be monitored to provide the necessary transparency to enable prevention or early detection?

13 Risks and Controls – Questions to Consider
How is risk currently managed and monitored? What is the driver for the CA/CM initiative – fraud and misconduct prevention, regularity compliance, or performance improvement? Is there agreement between CA/CM on key risks and controls? Does the organization have a single view of financial, regulatory and operations risks? How mature are the change management protocols? Is management monitoring the right controls and what is the process for refining such monitoring as processes, technology and people change? How does the organization monitor performance for processes outsourced to others (e.g., payroll)? Does it have access to process–specific data? Has the organization implemented, to the extent practical, the necessary automated controls to prevent unwarranted errors and to avoid inefficient use of resources to rework or correct such errors?

14 Technology – Questions to Consider
What systems and monitoring functions currently exist and what is the organization’s use experience? What CA/CM implementation model makes sense based on the system architecture? Does the organization use existing monitoring capabilities within the ERP system, third-party bolt-on solutions, or a combination of both? Will tools reside internally or will the organization batch data to send to an external service provider to evaluate, detect and report business rule exceptions and other anomalies? How will the tools affect the performance of business systems? Will the organization monitor against production data or a production copy? What data management practices are appropriate? How will these decisions affect monitoring real-time activity? What is the required frequency and sophistication of analysis? How will exceptions be reported, assigned, resolved and documented?

15 Technology – Questions to Consider (cont.)
What technology will be shared (or not shared) between management and internal audit? Has the organization considered the security and privacy requirements of implementing a CA/CM solution? How has it limited access within these tools to information on a need-to-know basis? What is the organization’s license cost across technologies and has it optimized this investment?

16 Organization and People – Questions to Consider
Who is the sponsor (owner) of the CA/CM initiative and does he/she have the necessary senior management support? What functional knowledge (e.g., fraud risk management) and skill sets exist and what level of training will be needed to deploy process and technology changes? How have roles and responsibilities been defined? Does the organization have the business insight into how processes and controls function so it can challenge the effectiveness and efficiency of processes and perform the necessary root case analysis for exceptions? How effectively does the organization manage through change?

17 Implementation Challenges
Expect challenges and barriers along the implementation route: Resistance to change/corporate culture Existing IT solutions and source data Uncertain budgetary resources to implement CA/CM tools and disciplines Inadequate business process and systems Lack of internal resources or skills to implement and manage

18 Measuring CA/CM Success
A number of indicators point to the success of a CA/CM effort: Financial Return-On-Investment (ROI) Non-financial ROI (e.g., regulatory compliance) Potential to reduce S-O compliance costs Enhanced governance, risk mitigation and compliance outcomes Increased detection and prevention of fraud and misconduct Reduction in time needed to conduct audits and investigations Increase in audit scope and coverage

19 Conclusion Implementing CA/CM is not just a technology exercise
CA/CM can change the type, speed and visibility of information on risk and performance that should significantly impact how business decisions are made and monitored A variety of implementation challenges can be expected along the way Building a business case and roadmap for how to achieve the objectives of the CA/CM implementation is critical

20 Anti-Money Laundering Transaction Monitoring

21 Transaction Monitoring
A financial services organization must have systems to identify transactions that may be high risk for money laundering or that exhibit indicia of unusual or suspicious activity reportable through a Suspicious Activity Report Transaction Monitoring systems assist financial services organizations in identifying and analyzing potentially suspicious activity Transaction Monitoring systems typically consider: Geography Risk level of a customer Linked accounts Type of transactions Velocity and frequency of transactions Changes in transactional behavior

22 Transaction Monitoring Systems No Universal Solution
Build vs. Buy “People who design these systems should use them. Although I've said systems are not sophisticated, they are sometimes too much so for our own good” Switzerland respondent* “We need more intelligence-based transaction monitoring with the capability to detect transactions not noted by human scrutiny” Russia respondent “I would like to have a system that can track both behavioral and statistical transactions based on a transaction pattern (e.g. volume, country, business)” Hong Kong respondent “We should focus on updating the enterprise-wide system, rather than different ones in different areas of the bank” Taiwan respondent *Source: KPMG Global Anti-Money Laundering Survey 2007

23 Transaction Monitoring Systems No Universal Solution
Analysis to understand the universe of all transaction types the institution utilizes *** A critical step Assessment to determine the risks certain products and product groups pose for money laundering and terrorist financing Assessment to determine the risk related to the customer base Assessment of global operations / overseas branches Integration with CRM / RM applications

24 Transaction Monitoring Systems No Universal Solution
Data gathering and normalization Fragmented systems in various formats and locations Legacy systems and systems acquired through M&A Outsourced data hosting Third party vendors Monitoring “tool” Scenario development beyond real time monitoring Appropriate tuning of scenarios Case creation Appropriate scoring (risk ranking transactions per your business requirements) Case management system and investigation Investigative file Audit trail

25 Transaction Monitoring Systems No Universal Solution
Continuous Re-assessment Customer

26 Transaction Monitoring Systems No Universal Solution
Detection Scenario Tuning Scenario tuning Risk based approach High quality alerts vs. tuning to numbers Deployment documentation Analysis as to why certain scenarios were chosen Documenting tuning process for regulatory review Analysis of the tuning process Review of the outputs to see “true” picture of customer activity.

27 Transaction Monitoring Systems No Universal Solution
Continuous Assessment INDEPENDENT TEST

28 Transaction Monitoring Systems
Considerations when choosing a commercial system Coverage of lines of business / size of financial institution Level of customization Integration with CRM / RM applications “Release” based AML monitoring system Post implementation support Continuity

29 Thank You Sven Stumbauer Director, KPMG LLP sstumbauer@kpmg.com
All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

Download ppt "Introduction In the current complex business environment, organizations are increasingly exposed to new risks, growing compliance regulations, fraud schemes,"

Similar presentations

1 K P M G L L P A D V I S O R Y Changes in the IT Audit Profession Stephen G. Hasty, Jr. National Partner in Charge IT Advisory Savannah, GA January 4,

1 K P M G L L P A D V I S O R Y Changes in the IT Audit Profession Stephen G. Hasty, Jr. National Partner in Charge IT Advisory Savannah, GA January 4,
Options appraisal, the business case & procurement

Options appraisal, the business case & procurement
Technology Applications in the Age of Integrity Integrity Forum 2006 Tony Murphy Vice President, Worldwide Sales ACL Services Ltd.

Technology Applications in the Age of Integrity Integrity Forum 2006 Tony Murphy Vice President, Worldwide Sales ACL Services Ltd.
TECHNICAL VOCATIONAL EDUCATIONAL AND TRAINING COLLEGES AN INTRODUCTION TO THE IMPEMENTATION OF A COMPLIANT RISK MANAGEMENT PROCESS July 2014.

TECHNICAL VOCATIONAL EDUCATIONAL AND TRAINING COLLEGES AN INTRODUCTION TO THE IMPEMENTATION OF A COMPLIANT RISK MANAGEMENT PROCESS July 2014.
“High Performing Financial Institutions and the Keys to Success in an Uncertain Environment”

“High Performing Financial Institutions and the Keys to Success in an Uncertain Environment”
Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.

Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.
The Information Systems Audit Process

The Information Systems Audit Process
Purpose of the Standards

Purpose of the Standards
“The Impact of Sarbanes Oxley, An Evolving Best Practice” Ellen C. Wolf Senior Vice President & Chief Financial Officer American Water National Association.

“The Impact of Sarbanes Oxley, An Evolving Best Practice” Ellen C. Wolf Senior Vice President & Chief Financial Officer American Water National Association.
Click to add text © 2010 IBM Corporation OpenPages Solution Overview Mark Dinning Principal Solutions Consultant.

Click to add text © 2010 IBM Corporation OpenPages Solution Overview Mark Dinning Principal Solutions Consultant.
V. Conferencia Internacional Antilavado de dinero y Contra el Financiamiento al Terrorismo Anti-Money Laundering Compliance for Broker/Dealers Current.

V. Conferencia Internacional Antilavado de dinero y Contra el Financiamiento al Terrorismo Anti-Money Laundering Compliance for Broker/Dealers Current.
Information Technology Audit

Information Technology Audit
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
How Will Continuous Auditing and XBRL-GL Work Together to Provide Improved Business Value? Nigel J. R. Matthews, BASc, CA ACL Services Ltd.

How Will Continuous Auditing and XBRL-GL Work Together to Provide Improved Business Value? Nigel J. R. Matthews, BASc, CA ACL Services Ltd.
Compliance System Validation - An Audit Based Approach December 2012 Uday Gulvadi, CPA, CIA, CISA, CAMS Director - Internal Audit, Risk and Compliance.

Compliance System Validation - An Audit Based Approach December 2012 Uday Gulvadi, CPA, CIA, CISA, CAMS Director - Internal Audit, Risk and Compliance.
Risk Management Reconstructed Implementing fraud risk intelligence practices July 2011 KPMG FORENSIC SM.

Risk Management Reconstructed Implementing fraud risk intelligence practices July 2011 KPMG FORENSIC SM.
CSI - Introduction General Understanding. What is ITSM and what is its Value? ITSM is a set of specialized organizational capabilities for providing value.

CSI - Introduction General Understanding. What is ITSM and what is its Value? ITSM is a set of specialized organizational capabilities for providing value.
Service Transition & Planning Service Validation & Testing

Service Transition & Planning Service Validation & Testing
Private & Confidential1 (SIA) 13 Enterprise Risk Management The Standard should be read in the conjunction with the Preface to the Standards on Internal.

Private & Confidential1 (SIA) 13 Enterprise Risk Management The Standard should be read in the conjunction with the "Preface to the Standards on Internal.
The views expressed in this presentation do not necessarily reflect those of the Federal Reserve Bank of New York or the Federal Reserve System Association.

The views expressed in this presentation do not necessarily reflect those of the Federal Reserve Bank of New York or the Federal Reserve System Association.

Similar presentations

Ads by Google