Integrating CA and CM into Audit, Risk and Compliance processes


1 Integrating CA and CM into Audit, Risk and Compliance processes
26th WCARS, Rutgers University, January, 2013
John Verver, VP, Product Strategy & Alliances, ACL

2 CA and CM – Integration with A, R & C
- Enterprise Risk Management gaining momentum
- Increasing trend towards continuous risk and control assessment
- Internal Audit increasingly involved in assessment of effectiveness of ERM
- Technology is critical but under-utilized in Internal Audit and Risk Management

3 Audit & Risk Management
"For almost four years now, I have been advocating that the internal audit profession embrace the challenge of providing assurance on the effectiveness of risk management. I believe it is the most significant opportunity for our profession in a generation."
Richard Chambers, President & CEO, Institute of Internal Auditors

4 CA and CM - An Integrated Approach
IIA Global Technology Audit Guide #3

5 CA and CM: Why is progress limited?
Consistent challenges:
- Data access and acquisition
- Skills and knowledge of how to apply data analysis for audit objectives
- Alignment with risk management and control assessment

6 Best Practices
An integrated approach for technology in Audit, Risk and Control:
- Technology and data analysis as an integral part of audit, risk and control strategy
- Risk and controls management systems in place
- CA and CM in operation
- Risk and controls management systems integrate with audit risk assessment and planning

7 Transforming Audit: Data-Focused Risk Assessment and Audit Process
Core Value (Auditor): Corporate risks become visible in ACTUAL transactional corporate data
Chain shown on the slide: Corporate Risks -> Audits -> Objectives -> “What Could Go Wrongs” -> Controls -> Data analysis tests -> Exceptions -> Findings
Core Value (Executive): Audit findings and transactional exceptions link DIRECTLY AND VISUALLY to corporate risks

8 Transforming Audit: High-Impact, Data-Focused Audit Process
Core Value (Auditor): Strategic corporate risks become visible in ACTUAL transactional corporate data

Example shown on the slide:
- Corporate risk: FCPA Violation
- Audits: FCPA Audit(s)
- Objectives: 1. Awareness 2. Policies 3. Spending Approvals
- “What Could Go Wrongs”: 1. Policies ignored 2. Ineffective approvals 3. Disguised payments
- Controls: 1. Approval / authorization 2. Approval limits 3. System controls
- Data analysis tests: 1. Test for suspicious key words 2. Unusual payment patterns 3. Check to politically exposed persons database
- Exceptions: 250 exceptions identified, 23 exceptions confirmed
- Findings: Finding noted of 23 transactions totaling $4.5M

Let's use an example: a strategic corporate risk may be that over-spending on travel and expenses causes a blown budget and threatens earning targets. Therefore, an audit (or audits) will be conducted to validate T&E expenditures against the corporate policy.

Within the T&E Audit, the auditor will identify multiple objectives for the audit. For instance: 1) cards are issued and managed appropriately, 2) employee spending is within policy, and 3) spending requires appropriate approvals.

Multiple tactical-level risks (or “what could go wrongs”) threaten the achievement of each objective. For instance, for the “Employee spending within policy” objective, “what could go wrongs” may include: 1) T&E transactions could exceed policy limits, 2) T&E transactions may be duplicative, 3) T&E transactions may be fraudulent in nature, 4) T&E transactions may be improper or abusive in nature, and 5) T&E transactions may not relate to a valid or authorized business event.

For each “what could go wrong” (WCGW), controls must be in place to prevent occurrence of the WCGW. For instance, for the “T&E transactions could exceed policy limits” WCGW, controls in place may include: 1) the expense application prevents transactions that exceed the spending limits specified in policies, 2) the sum of monthly expenses is not allowed to exceed established monthly spending limits, and 3) reports are reviewed for attempts to submit split transactions to subvert spending limits.

For each control, the auditor must design tests to test the control. For instance, for the control “Employee should not be able to submit split transaction to subvert spending limits”, the test(s) performed by the auditor may include: obtain all T&E transaction files for the audit period and merge the transaction files into one file, then summarize all employees' transactions by vendor and date and extract any instances where the transaction count is > 1. Join the newly extracted file to the single transaction limit file, and filter on any instances where the sum of transactions exceeds the daily limit.

Conducting the designed tests will lead to a set of exceptions, which are potential violations of the control. For instance, the tests above may identify 2500 instances where there were multiple payments to a vendor on a single day, of which in 1800 the total vendor/day amount exceeds the transaction limit, a total of 1800 exceptions. The auditor will then investigate the 1800 exceptions, perhaps writing off 300 as false positives or appropriate single-instance scenarios, leaving 1500 confirmed exceptions. These 1500 exceptions will be aggregated into one audit Finding. The finding will be reported to management and the audit committee, stating there were 1500 cases where split payments were utilized to avoid spending limits, leading to $150,000 in authorized/inappropriate spending.

The KEY POINT OF VALUE FOR THE AUDITOR is that the integrated process made 1500 transactions that indicate occurrence of a strategic corporate risk VISIBLE within the corporate expense data. Without the contextualization process, the auditor would not have seen these transactions in the data as problematic.

The KEY POINT OF VALUE FOR EXECUTIVE MANAGEMENT AND THE AUDIT COMMITTEE is that the integrated process and technology created a scenario where they can visually see the indication of the occurrence of a strategic corporate risk within actual corporate data, bringing context to the related audit finding. With a visual representation of all such findings within the scope of a given strategic corporate risk, all in one central place, it becomes instantly possible to understand where significant risk “hotspots” lie within the organization.

Therefore, the auditor is both PROVIDING VALUE and COMMUNICATING THAT VALUE IN THE CONTEXT OF THE EXECUTIVE AGENDA. This brings the auditor relevance and the “seat at the table”.

Core Value (Executive): Audit findings and transactional exceptions link DIRECTLY AND VISUALLY to strategic corporate risks
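The split-transaction test described in the slide 8 notes, as an added example that is not part of the original presentation or of any ACL product. The column names, the sample rows and the choice to key the limit file by employee are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample data: two T&E extracts and a limit file keyed by
# employee (hypothetical column names, not taken from the presentation).
TXN_FILES = [
    "employee,vendor,date,amount\n"
    "E100,Hotel Alfa,2013-01-07,480.00\n"
    "E100,Hotel Alfa,2013-01-07,470.00\n"
    "E200,Cafe Beta,2013-01-09,12.50\n"
    "E200,Cafe Beta,2013-01-09,14.00\n",
    "employee,vendor,date,amount\n"
    "E100,Air Gamma,2013-02-02,900.00\n"
    "E300,Hotel Alfa,2013-02-11,300.00\n"
    "E300,Hotel Alfa,2013-02-11,300.00\n"
    "E300,Hotel Alfa,2013-02-11,300.00\n",
]
LIMIT_FILE = "employee,limit\nE100,500.00\nE200,500.00\nE300,750.00\n"


def split_transaction_exceptions(txn_files, limit_file):
    """Return (multi_payment_groups, exceptions) for the split-transaction test."""
    # Step 1: merge all transaction files; summarize by employee, vendor, date.
    groups = defaultdict(list)
    for text in txn_files:
        for row in csv.DictReader(io.StringIO(text)):
            key = (row["employee"], row["vendor"], row["date"])
            groups[key].append(Decimal(row["amount"]))
    # Step 2: extract only the groups where the transaction count is > 1.
    multi = {k: v for k, v in groups.items() if len(v) > 1}
    # Step 3: join to the limit file; keep groups whose total exceeds the limit.
    limits = {r["employee"]: Decimal(r["limit"])
              for r in csv.DictReader(io.StringIO(limit_file))}
    exceptions = []
    for (emp, vendor, date), amounts in sorted(multi.items()):
        limit = limits.get(emp)
        # An employee missing from the limit file is flagged, not silently dropped.
        if limit is None or sum(amounts) > limit:
            exceptions.append({"employee": emp, "vendor": vendor, "date": date,
                               "count": len(amounts), "total": sum(amounts),
                               "limit": limit})
    return multi, exceptions


if __name__ == "__main__":
    multi, exceptions = split_transaction_exceptions(TXN_FILES, LIMIT_FILE)
    print(f"{len(multi)} multi-payment groups, {len(exceptions)} exceptions")
```

Each flagged payment is individually under the limit, which is why the test works on vendor/day totals; the single 900.00 payment is not flagged here because it belongs to a separate over-limit test.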

9 Transforming Audit: An End-to-End Integrated Product
Diagram labels: Knowledge Content (Specialized, Problem-Specific Knowledge); Risk Assessment; Audit Management; Audit Analytics
Chain shown on the slide: Strategic Corporate Risks -> Audits -> Objectives -> “What Could Go Wrongs” -> Controls -> Tests -> Exceptions -> Findings

10 Technology-enabled Audit “Puzzle”
Puzzle pieces: Risk Assessment; Audit Management; Specialized Knowledge; Audit Analytics

11 Technology-enabled Risk Management “Puzzle”
Puzzle pieces: Strategic Risk Assessment; Risk Assessment; Control Management; Audit Management; Specialized Knowledge; Specialized Knowledge; Risk & Control Analytics; Audit Analytics

12 ACL Technology Solution
TRANSFORMING AUDIT & RISK
ACL Risk Spring 2013
ADD-ONS for ACL DESKTOP
Audiences named on the slide: Audit & Compliance Teams; Audit, Finance, Risk, Compliance & Line of Business Executives; Analytic Specialists; Audit, Finance, Risk & Compliance Teams
Product descriptions on the slide:
- Purpose-built, all-in-one cloud-based audit management designed for simple use, instantly increases productivity.
- Visualize, widely share and act on information uncovered in analysis testing across the business
- Enables secure, direct and seamless data selection and extraction capabilities for your SAP® ERP
- Automatically distribute exceptions found during data analysis testing to multiple business stakeholders
- Enhances ability to analyze data trapped in static reports, PDF files, XML files and other content-rich data sources
- An add-in for Microsoft Excel® designed for working with data results produced by analytic systems
- Access and analyze complete data populations with easy and 100% coverage for superior assurance
- Server-based technology that lays the foundation to implement automated analytics and data sharing, remediation, reporting and continuous transaction monitoring

13 ACL RISK Risk Scoring

14 ACL RISK Risk Heatmapping

15 ACL WORKPAPERS Report Builders

16 ACL WORKPAPERS iPad Dashboard

17 ACL EXCEPTION Define Trigger

18 ACL EXCEPTION Exception Inbox

19 ACL EXCEPTION Action Exceptions

20 Contacts and information
IIA GTAGs #3 and #16

