Page 1

Continuous Auditing at Siemens

Gerard (Rod) Brennan, Dir. IT Audit, Siemens Corp

Eighth Continuous Auditing & Reporting Symposium Meeting 11/5/2004

Page 2

Operational Audit CFFA Team Meeting

Agenda

• Why continuous auditing at Siemens?
• Two Models for CA at Siemens?
• Purchase to Pay for SAP - Using ACL
• SAP Preventative controls model – Rutgers Car-Lab
• Next Steps
• What we need from CA Vendors

Page 3

Operational Audit Why CA at Siemens?

• Improve Governance (Fraud Detection, SOX Compliance, Monitoring, etc.)
• Reduce Compliance Costs
• Improve skill level and quality of work life for auditing and compliance Associates
• Move closer to real time reporting capabilities
• Etc.

Page 4

Operational Audit

Value Proposition: “Value = Quality + Cost”

COST:

• Consider a large multinational corporation with 400 auditors (internal & external), each with a fully absorbed (sal./fee, benefits, travel, etc.) cost of $200,000/yr, for a total annual compliance cost of $80 million. Assume further that the proposed continuous auditing model costs $1 million to develop and implement and reduces manual compliance effort in the firm by only 25%. The annual net estimated savings or cost avoidance of this project for the firm defined above would be:

$19 million (or nearly $100 million over 5 years)!

Note: Leverage the model further by increasing the percentage of impact or in support of other assurance or monitoring functions and the value proposition grows.

Page 5

Operational Audit Models for CA at Siemens?

1. Purchase to Pay Process using ACL’s Direct Link and CCM CA model on a large SAP system at one of our SOCs – Nov. 2004 go live. Population transactional CA. Already saving $$$.
2. SAP Preventive Controls CA model developed with Rutgers Car-Lab – Sept. 2005 go live. Flexibility to add business rules and alerts is critical for this application!

Page 6

Operational Audit Current SAP Audit Model

Common – “E-Audit” extractions on a request basis.

[Diagram: four SAP systems, each with a Text File Store]
• Company A, SAP Sys. PD2 → Text File Store
• Company B, SAP Sys. P88 → Text File Store
• Company C, SAP Sys. P51 → Text File Store
• Company D, SAP Sys. P40 → Text File Store

• Use text file output and transaction checks on line to audit SAP
• Report findings and recommendations for remediation
• Use follow-up audits to assure appropriate controls are in place and remain in place

Page 7

Operational Audit

Rutgers CAR-Lab & Siemens Adding Intelligence

Common – Extractions on a continuous basis.

[Diagram]

SAP systems
• Company A, SAP Sys. PD2
• Company B, SAP Sys. P88
• Company C, SAP Sys. P51
• Company D, SAP Sys. P40

Relational Data Store

Data for analysis

CA Analyzer
• Check AAS 1.02.00 – IF XX = 0 send alert 4
• Check AAS 1.02.10 – IF Y = X send alert 5
• etc.

Bus. Rules CO. A
• Sys = PD2
• Co = W001 & W103
• COA – WX01
• etc.

Bus. Rules CO. D
• Sys = P40
• Co = 001
• COA – 1000
• etc.

Alerts

Communications Workflow / Portal
• Alert 1: Dist = XXX, Message = YYY
• Alert 2: Dist = HHH, Message = KKK
• Alert 3: Dist = OOO, Message = AAA
• Alert 4: Dist = GGG, Message = LLL

Alerts To:
• Mgmt.
• Audit
• etc.

Alerts Back to Companies

Page 8

Operational Audit CA Model at Siemens

Note: the summary screen identifies the data range for the selected data. This is critical to assuring the data is meaningful for certain types of data. Latency and range determine if an identified anomaly in the data set is meaningful and should generate an alert.

Page 9

Operational Audit CA Model at Siemens

Provides a scripting model allowing the user to define a specific criterion for a control variable or score. This provides flexibility for the auditor to further formalize the evaluation and scoring process without making hard-coded programming changes.

Page 10

Operational Audit CA Model at Siemens

If / Then logic allows multiple control review elements and can determine an action or specific score based on the outcomes.

Page 11

Operational Audit CA Model at Siemens

A strict average or a weighted average can be used to weight particular outcomes based on risk or for purposes of scoring outcomes.
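The rule scripting, If / Then alerting and weighted scoring described on the CA Model slides above, combined with the latency note from the summary-screen slide, shown as an added Python example (not Siemens' or the CAR-Lab's code). The check IDs and alert numbers come from the analyzer diagram; the rule format, the weights, the 24-hour latency limit and the sample values are assumptions.

```python
import operator
from datetime import datetime, timedelta

OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt}

# Rules are data, so an auditor can add or change a criterion without code
# changes. Check IDs and alert numbers follow the slide's diagram; the
# weights and the 24-hour latency limit are assumptions for illustration.
RULES = [
    {"check": "AAS 1.02.00", "fail_if": ("XX", "==", 0), "weight": 3, "alert": 4},
    {"check": "AAS 1.02.10", "fail_if": ("Y", "==", "X"), "weight": 1, "alert": 5},
]
MAX_LATENCY = timedelta(hours=24)


def resolve(operand, values):
    """A string operand names another control variable; anything else is a literal."""
    return values[operand] if isinstance(operand, str) else operand


def evaluate(rules, extraction, now):
    """Return (weighted score in [0, 1] or None if stale, list of alert numbers)."""
    # Latency gate: an anomaly in stale data is not meaningful, so do not score it.
    if now - extraction["extracted_at"] > MAX_LATENCY:
        return None, []
    values, alerts, earned, total = extraction["values"], [], 0, 0
    for rule in rules:
        field, op, operand = rule["fail_if"]
        failed = OPS[op](values[field], resolve(operand, values))
        total += rule["weight"]
        if failed:
            alerts.append(rule["alert"])  # IF the criterion is met THEN send the alert
        else:
            earned += rule["weight"]      # passed checks earn their risk weight
    return earned / total, alerts


# Constructed extraction for system PD2 (values are invented sample data).
now = datetime(2004, 11, 5, 12, 0)
fresh = {"sys": "PD2", "extracted_at": now - timedelta(hours=2),
         "values": {"XX": 0, "X": 7, "Y": 5}}
stale = dict(fresh, extracted_at=now - timedelta(days=3))

if __name__ == "__main__":
    print(evaluate(RULES, fresh, now))  # (0.25, [4])
    print(evaluate(RULES, stale, now))  # (None, [])
```

A `None` score means the extraction was too old to evaluate; a caller should surface that as its own condition, since a feed that has stopped updating would otherwise look like a system with no findings.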

Page 12

Operational Audit

Rutgers CAR-Lab & Siemens Adding Intelligence

[Diagram repeated: same content as the earlier “Rutgers CAR-Lab & Siemens Adding Intelligence” slide.]

Page 13

Operational Audit

Next Steps for SAP Preventive Controls review

Timeline: QTR 4 04, QTR 1 05, QTR 2 05, QTR 3 05

• Complete Audit Plan formalization of actions which can be identified with CA.
• Complete coding of model and add workflow alerting. Identify multiple SAP ERP system environment for productional model.
• Implement a limited Scope Productional CA Model on multiple Siemens ERP Systems. Demonstrate value proposition.
• Migrate CA analyzer to more robust software if needed and implement more, and more complex, control reviews (diverse platforms, with more agile software intelligence and tagging, i.e. XML, XBRL, etc.).

Page 14

Operational Audit Message to Vendors

Help!!

• We need agile CA software focused on preventive controls with business rules engines that allow users to add and modify rules (understanding that agility and level of complexity are conflicting objectives).
• We need intelligent software that can monitor data from multiple systems, delivered in multiple formats.
• We need alerting (workflow) with dashboards and alert management capabilities.

Page 15

Operational Audit Questions?

Thank You!

Questions!