1
Copyright © 2003 Americas’ SAP Users’ Group
Compliance and Continuous Monitoring: Achieving Best Practice Standards for Internal Control
Michelle Thomson, ACL Services Ltd.
2
Agenda
- Challenges of financial management
- Challenges of designing effective controls
- Assessing controls through data analysis
- The role of continuous monitoring
- Benefits of continuous monitoring
3
Challenges
[Diagram labels: Increased Business Complexity; Accelerating Business Cycles; Decreased Time & Resources; Competition; Fewer People; Increased Margin for Error; Increased Scope of Responsibilities & Decision Making; Partners; Audit Committee; Stock Exchanges; Shareholders; Media; Public; Clients; Environment; Rating Agencies; Board of Directors; Increased Regulation, Scrutiny & Accountability; CEO; Government; Systems Integration; Wealth Creation; Strategic Leadership; Operational Excellence; Financial Control; Financial Management; Information Quality; IT Infrastructure; Complex Transactions; Global Markets; Logistics]
4
Challenges of Designing Effective Controls
- Transactions and transactional data are the lifeblood of organizations
- Controls over these transactions and the data that record them are critical
- Financial accountability and assurance depend on the integrity and reliability of the:
  - Transactions
  - Data that records the transactions
  - Financial reports that summarize the transactional data
5
Challenges of Designing Effective Controls
- Cost vs. benefit of controls
- Manual controls break down as volumes increase
- Automated controls within applications are time-consuming to implement, expensive, hard to maintain
- New system implementations often disregard audit, internal control experts
- Super users and system administrators can by-pass controls
6
Control Breakdowns
“These (improper) payments occur for many reasons including insufficient oversight or monitoring, inadequate eligibility controls, and automated system deficiencies. However, one point is clear – the basic or root cause of improper payments can typically be traced to a lack of or breakdown in internal controls.”
GAO Report, Coordinated Approach Needed to Address the Government’s Improper Payments Problems, August 2002
7
Control Layers Within an Organization Determine Risks & Impacts Policies Controls Transactions
8
Controls Assessment Through Data Analysis
- Key method of testing controls
- Typical assessments involve:
  - Examination of 100% of transactions to determine compliance with defined controls
  - Determination if transactions exist for which no controls have been implemented
- Audit processes using data analysis tend to be comprehensive and usually take place long after the transactions occurred
9
Continuous Monitoring Using Data Analysis
- Convert audit analytical procedures into a monitoring process for all transactional data
- Test transactional data against defined control rules and parameters
- Run automatically on a regular basis
- Generate exception reports or alerts automatically
10
Value of Continuous Monitoring
- Independent of the underlying business application system
- Improved timeliness of response to problems
- A detective control – but can also be preventative
- An additional level of control by identifying problems in early stages
11
Continuous Monitoring Checklist
- Monitors data from disparate systems to provide holistic view of transaction
- Identifies rogue transactions in a timely manner
- Validates effectiveness of controls
- Mitigates deficient control structures
- Identifies further process improvement opportunities
- Provides independent assurance
12
Controls Review Methods Ad Hoc Analysis Repeated Control Review Continuous Monitoring Confidence Trust
13
Anatomy of Continuous Monitoring
CM Applications
- DATA: Specific data from multiple data sources and data formats are compiled, indexed and prepared for analysis
- RULES DATA: Contains business rules, control policies, or test requirements of the organization
- ANALYSIS: Complex technology applies the rules to the data to identify transaction anomalies
14
[Diagram labels: DATA; RULES; ANALYSIS; Continuous Monitoring; Reporting Medium; Transaction Monitoring Process; Primary Data Source; Sources: Financial Systems, HR Systems, CRM Systems, Others; Data Output]
15
Common Applications of Continuous Monitoring
- General business processes
  - Purchase / payments cycle
  - Vendor fraud
  - Expense claims
  - Payroll
- Industry-specific (particularly regulatory compliance)
  - Chemical/Pharmaceutical – FDA regulations
  - Medicare/Medicaid compliance
16
Benefits of Continuous Monitoring Systems
- Validation that controls built into application systems are operating effectively
- Compensate for poor controls in application systems
- Transaction systems cannot ensure integrity across disparate systems
- Comprehensive analysis of transactions is not practical in large transaction systems
- Independence from the transaction system
17
Continuous Monitoring & Audit
- Fastest growing area within audit and control community
- Significant role as a response to increased focus on controls and assurance
- CEO & CFO requirements around Sarbanes-Oxley Act
- Acts as a supplemental control level, strengthening overall internal controls
- Provides increased assurance over the effectiveness of controls
18
In Conclusion
- Continuous Monitoring provides an opportunity for significantly improved levels of control and assurance
- The accounting and control profession has discussed it for years – the time is now ideal for implementation
- Technology is available to enable continuous monitoring
- Businesses can’t afford to miss the issues
19
Using ACL to Continuously Monitor SAP Accounts Payable
Gene Scheckel, ConocoPhillips
20
Why Continuously Monitor AP?
- To keep tabs on items
  - beyond the scheduled audit plan
  - outside normal controls
- Do not continuously monitor normal controls within SAP
- BUT
- Do continuously monitor items where there is no specific control within SAP
21
What We Monitor
- Duplicate payments between SAP and other financial systems
- Unusually large payments
- Payments to employees as outside vendors
- Duplicate vendors in the Vendor Master
22
Continuous Monitoring
Duplicate payments between SAP and other financial systems
The Challenges
- Convert new acquisition from legacy financial system to SAP
- Legacy system and SAP both have duplicate payment controls
- But duplicate payment controls do not exist between the two systems
23
The Results
Duplicate payments between SAP and legacy financial system
- Approximately 150,000 payments per month
24
Continuous Monitoring
Unusually large vendor payments
The Challenge…
- Uncover overpayments due to data entry errors
25
The Results
- Invoice Amount = 20,725.00
- Approver noted invoice error and manually entered new amount to be paid. Data entry clerk ignored the note.
- Amount Paid = $43,803.31
- Recovered $23,078.31
26
Continuous Monitoring
Payments to employees as outside vendors
- Not employee reimbursements
The Challenge…
- Uncover potential conflicts of interest and employee fraud
27
The Results
- A supervisor who approved invoices paid to the small business he owned
- A purchasing agent doing business with a company owned by her husband
28
Continuous Monitoring Findings
- Discovery of duplicate payments, overpayments and possible fraud
- Preservation of the reliability of SAP preventive controls
29
Next Steps
Apply continuous monitoring methodology to other areas of the business
- Procurement Cards
- Long Distance Phone Bills
- Validate User IDs
30
Implementing Continuous Monitoring
Derek Warburton, ACL Services Ltd.
31
Agenda
- Success factors
- Reactive vs. proactive approach
- When to get help
- Continuous Monitoring methodology
- Practical implementation issues
- Next steps
32
Effective Continuous Monitoring
Success is a function of
- People: expertise, availability
- Process: applying proven methodology
- Technology: right tools for the job
33
Continuous Monitoring Checklist
- Monitors data from disparate systems to provide holistic view of transaction
- Identifies rogue transactions in a timely manner
- Validates effectiveness of controls
- Mitigates deficient control structures
- Identifies further process improvement opportunities
- Provides independent assurance
34
Continuous Monitoring Approach
- Reactive
  - Implement Continuous Monitoring after experiencing a significant loss
- Proactive
  - Strategic
  - Identify high risk business areas, and implement Continuous Monitoring before loss is material
35
Continuous Monitoring Notifications
36
Implementation Assistance Considerations
- Independence (optics, regulatory)
- Scale/scope
- Complexity of business area or analysis
- Availability of skilled resources
- Disparate systems (all data not in SAP)
- Opportunity cost or risk of time delay
37
Implementation Methodology Increased Shareholder Value Implement Continuous Monitoring Build Functioning Application Assess Preliminary SDD Design Solutions Design Document
38
Practical Implementation Issues
- Direct access to the data vs. an extract?
  - Direct access to source data preferred
- Is all data in SAP?
  - How to access other systems?
- Time- or process-based data testing range?
  - Ensure that all transactions are captured since the last test process
39
Practical Implementation Issues
- Set priorities for findings
- Identifying specific control exposures and risk indicators
- Define specific control tests for transactional data
- Risk of high volumes of exceptions = ignore reports
- Establish sensitivity thresholds for reporting and alerts
- “Scoring/weighting” of events dependent upon combination of control parameters that are failed and indicators of risk
- Allow “tuning” of application sensitivity
- Prioritize alerts
- High score events trigger immediate alert with management
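
The control tests from the "What We Monitor" slide, combined with the scoring, thresholds and tuning listed above, as an added example that is not from the presentation or from ACL. All records, field names, weights and thresholds are constructed assumptions, and matching vendors to employees by bank account is one assumed way to run that test.

```python
from collections import defaultdict

# Constructed sample payments (not from the presentation).
PAYMENTS = [
    {"id": "S1", "system": "SAP", "vendor": "V100", "invoice": "INV-7001", "invoiced": 20725.00, "paid": 20725.00},
    {"id": "L1", "system": "LEGACY", "vendor": "V100", "invoice": "inv 7001", "invoiced": 20725.00, "paid": 20725.00},
    {"id": "S2", "system": "SAP", "vendor": "V200", "invoice": "INV-8100", "invoiced": 1500.00, "paid": 15000.00},
    {"id": "S3", "system": "SAP", "vendor": "V300", "invoice": "INV-9000", "invoiced": 480.00, "paid": 4800.00},
    {"id": "S4", "system": "SAP", "vendor": "V400", "invoice": "INV-9100", "invoiced": 900.00, "paid": 900.00},
]
VENDOR_BANK = {"V100": "111", "V200": "222", "V300": "333", "V400": "444"}
EMPLOYEE_BANK = {"E7": "333"}  # constructed: employee E7 shares an account with vendor V300

# Hypothetical tunable parameters: weight per failed test, sensitivity thresholds.
PARAMS = {
    "weights": {"cross_system_duplicate": 50, "paid_exceeds_invoice": 40, "vendor_is_employee": 60},
    "overpay_ratio": 1.5, "report_at": 40, "alert_at": 80,
}

def norm_invoice(number):
    """Normalize invoice numbers so 'inv 7001' and 'INV-7001' compare equal."""
    return "".join(ch for ch in number.upper() if ch.isalnum())

def run_tests(payments, params=PARAMS):
    """Return {payment id: set of failed control tests}."""
    failed, groups = defaultdict(set), defaultdict(list)
    for p in payments:
        groups[(p["vendor"], norm_invoice(p["invoice"]), round(p["paid"], 2))].append(p)
    for group in groups.values():
        # Each system blocks its own duplicates; flag only matches that span systems.
        if len({p["system"] for p in group}) > 1:
            for p in group:
                failed[p["id"]].add("cross_system_duplicate")
    employee_accounts = set(EMPLOYEE_BANK.values())
    for p in payments:
        if p["paid"] > p["invoiced"] * params["overpay_ratio"]:
            failed[p["id"]].add("paid_exceeds_invoice")
        if VENDOR_BANK.get(p["vendor"]) in employee_accounts:
            failed[p["id"]].add("vendor_is_employee")
    return failed

def triage(payments, params=PARAMS):
    """Score each exception; low scores are dropped, high scores become alerts."""
    out = {}
    for pid, tests in run_tests(payments, params).items():
        score = sum(params["weights"][t] for t in tests)
        if score >= params["report_at"]:
            level = "ALERT" if score >= params["alert_at"] else "REPORT"
            out[pid] = (level, score, sorted(tests))
    return out
```

Raising `report_at` is the tuning step: exceptions that fail a single low-weight test drop out of the report, while payments failing a combination of tests still alert.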
40
Interface Example for Tuning Monitoring Parameters
Note: This amount can be modified from the parameters menu.
41
Interface Example for Tuning Monitoring Parameters
42
Continuous Monitoring Application
43
Example of Alert Notification
44
Conclusion
- Will Continuous Monitoring reduce risk and costs at your company?
- What’s stopping you from moving forward?
- Don’t be shy to ask for help
45
Thank you for attending! Please remember to complete and return your evaluation form following this session.
Session Code: 504