Continuous Auditing at Siemens
Gerard (Rod) Brennan, Dir. IT Audit, Siemens Corp
Eighth Continuous Auditing & Reporting Symposium Meeting 11/5/2004
Operational Audit CFFA Team Meeting
Agenda
• Why continuous auditing at Siemens?
• Two models for CA at Siemens
• Purchase to Pay for SAP – using ACL
• SAP preventive controls model – Rutgers CAR-Lab
• Next steps
• What we need from CA vendors
Operational Audit Why CA at Siemens?
• Improve governance (fraud detection, SOX compliance, monitoring, etc.)
• Reduce compliance costs
• Improve skill level and quality of work life for auditing and compliance associates
• Move closer to real-time reporting capabilities
• Etc.
Operational Audit
Value Proposition: “Value = Quality + Cost”
COST:
• Consider a large multinational corporation with 400 auditors (internal and external), each with a fully absorbed cost (salary/fee, benefits, travel, etc.) of $200,000/yr, for a total annual compliance cost of $80 million. Assume further that the proposed continuous auditing model costs $1 million to develop and implement and reduces manual compliance effort by only 25%. The annual net estimated savings, or cost avoidance, for the firm described above would be:
$19 million (25% of $80 million is $20 million, less the $1 million implementation cost), or nearly $100 million over 5 years!
Note: Leverage the model further by increasing the percentage of impact, or by using it in support of other assurance or monitoring functions, and the value proposition grows.
Operational Audit Models for CA at Siemens?
1. Purchase to Pay process using ACL’s Direct Link and CCM continuous auditing model on a large SAP system at one of our SOCs – Nov. 2004 go-live. Population (full-transaction) CA. Already saving $$$.
2. SAP preventive controls CA model developed with Rutgers CAR-Lab – Sept. 2005 go-live. Flexibility to add business rules and alerts is critical for this application!
Common – “E-Audit” extractions on a request basis.
Operational Audit Current SAP Audit Model
Company A (SAP system PD2) → Text file store
Company B (SAP system P88) → Text file store
Company C (SAP system P51) → Text file store
Company D (SAP system P40) → Text file store
• Use text file output and on-line transaction checks to audit SAP
• Report findings and recommendations for remediation
• Use follow-up audits to assure appropriate controls are in place and remain in place
Operational Audit
Rutgers CAR-Lab & Siemens Adding Intelligence
Data sources (common – extractions on a continuous basis):
Company A (SAP system PD2), Company B (SAP system P88), Company C (SAP system P51), Company D (SAP system P40) → Relational data store (data for analysis)
CA Analyzer:
• Check AAS 1.02.00 – IF XX = 0 send alert 4
• Check AAS 1.02.10 – IF Y = X send alert 5
• etc.
Business rules, Co. A:
• Sys = PD2
• Co = W001 & W103
• COA – WX01
• etc.
Business rules, Co. D:
• Sys = P40
• Co = 001
• COA – 1000
• etc.
Communications workflow / portal:
• Alert 1: Dist = XXX, Message = YYY
• Alert 2: Dist = HHH, Message = KKK
• Alert 3: Dist = OOO, Message = AAA
• Alert 4: Dist = GGG, Message = LLL
Alerts to: Mgmt., Audit, etc. Alerts back to companies.
Operational Audit CA Model at Siemens
Note: the summary screen identifies the date range of the selected data. This is critical to assuring the data is meaningful for certain types of checks: latency and range determine whether an anomaly identified in the data set is meaningful and should generate an alert.
Operational Audit CA Model at Siemens
Provides a scripting model that lets the user define a specific criterion for a control variable or score. This gives the auditor the flexibility to further formalize the evaluation and scoring process without hard-coded programming changes.
Operational Audit CA Model at Siemens
If/Then logic allows multiple control review elements and can determine an action or a specific score based on the outcomes.
Operational Audit CA Model at Siemens
A strict average or a weighted average can be used to weight particular outcomes according to risk, or simply for scoring the outcomes.
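The analyzer pattern the last few slides describe (business rules per company, if/then control checks that raise numbered alerts, strict versus weighted scoring, and the date-range/latency gate) as an added Python example. This is a constructed illustration written for this page, not the Rutgers CAR-Lab analyzer or ACL code; the check IDs borrow the deck's "AAS 1.02.xx" numbering style, but the predicates, approval limit, latency threshold, routing addresses and sample rows are all invented.

```python
"""Toy continuous-auditing (CA) analyzer in the style of the deck's diagram.

Constructed example: rules, thresholds, routing and data are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List


@dataclass
class CompanyRules:
    """Business rules for one company (cf. 'Bus. Rules CO. A' on the slide)."""
    sys: str                 # SAP system ID the extract must come from
    companies: List[str]     # in-scope company codes
    approval_limit: float    # assumed rule: invoices above this need a PO and a goods receipt
    max_latency_days: int    # assumed rule: extracts older than this are not meaningful


@dataclass
class Check:
    """One control review element: IF fails(row, rules) THEN send alert."""
    id: str
    description: str
    fails: Callable[[dict, CompanyRules], bool]
    alert: int               # alert number routed through the workflow/portal
    weight: float = 1.0      # risk weight used by the weighted score


# Hypothetical alert routing (the slide shows "Dist = XXX" placeholders).
ALERT_ROUTING: Dict[int, str] = {4: "audit-list", 5: "ap-manager", 6: "control-owner"}

CHECKS = [
    Check("AAS 1.02.00", "zero-amount invoice",
          lambda r, c: r["amount"] == 0, alert=4),
    Check("AAS 1.02.10", "same user created and approved the document",
          lambda r, c: r["creator"] == r["approver"], alert=5, weight=3.0),
    Check("AAS 1.03.00", "over approval limit without PO and goods receipt",
          lambda r, c: r["amount"] > c.approval_limit and not (r["po"] and r["gr"]),
          alert=6, weight=2.0),
]

# Constructed purchase-to-pay extract rows (field names and values invented).
SAMPLE_ROWS = [
    {"sys": "PD2", "co": "W001", "doc": "5000001", "amount": 12000.0, "po": "45001",
     "gr": True, "posted": date(2004, 11, 3), "creator": "u2", "approver": "u1"},
    {"sys": "PD2", "co": "W001", "doc": "5000002", "amount": 0.0, "po": "",
     "gr": False, "posted": date(2004, 11, 4), "creator": "u2", "approver": "u2"},
    {"sys": "PD2", "co": "W103", "doc": "5000003", "amount": 95000.0, "po": "45002",
     "gr": False, "posted": date(2004, 11, 4), "creator": "u4", "approver": "u3"},
    {"sys": "PD2", "co": "W103", "doc": "5000004", "amount": 7000.0, "po": "",
     "gr": False, "posted": date(2004, 11, 2), "creator": "u5", "approver": "u5"},
    {"sys": "P40", "co": "001", "doc": "9000001", "amount": 500.0, "po": "",
     "gr": True, "posted": date(2004, 10, 1), "creator": "u6", "approver": "u6"},
]


def in_scope(row: dict, rules: CompanyRules) -> bool:
    return row["sys"] == rules.sys and row["co"] in rules.companies


def data_is_current(rows: List[dict], rules: CompanyRules, as_of: date) -> bool:
    """Latency/range gate: an anomaly in a stale extract should not page anyone."""
    if not rows:
        return False
    newest = max(r["posted"] for r in rows)
    return (as_of - newest).days <= rules.max_latency_days


def strict_average(pass_rate: Dict[str, float]) -> float:
    return sum(pass_rate.values()) / len(pass_rate)


def weighted_average(pass_rate: Dict[str, float], checks: List[Check]) -> float:
    total = sum(c.weight for c in checks)
    return sum(pass_rate[c.id] * c.weight for c in checks) / total


def analyze(rows: List[dict], rules: CompanyRules, checks: List[Check], as_of: date) -> dict:
    """Run every check over the in-scope rows; record exceptions, route alerts, score."""
    scoped = [r for r in rows if in_scope(r, rules)]
    current = data_is_current(scoped, rules, as_of)
    result = {"rows": len(scoped), "current": current, "exceptions": [], "alerts": [], "pass_rate": {}}
    for chk in checks:
        failed = [r["doc"] for r in scoped if chk.fails(r, rules)]
        result["pass_rate"][chk.id] = 1.0 - len(failed) / len(scoped) if scoped else 1.0
        for doc in failed:
            result["exceptions"].append((chk.id, doc))
            if current:  # exceptions are always kept; alerts only fire on fresh data
                result["alerts"].append({"alert": chk.alert, "to": ALERT_ROUTING[chk.alert],
                                         "message": f"{chk.id} {chk.description}: doc {doc}"})
    result["strict_score"] = strict_average(result["pass_rate"])
    result["weighted_score"] = weighted_average(result["pass_rate"], checks)
    return result


if __name__ == "__main__":
    co_a = CompanyRules(sys="PD2", companies=["W001", "W103"], approval_limit=50000.0, max_latency_days=7)
    co_d = CompanyRules(sys="P40", companies=["001"], approval_limit=50000.0, max_latency_days=7)
    for rules in (co_a, co_d):
        print(rules.sys, analyze(SAMPLE_ROWS, rules, CHECKS, as_of=date(2004, 11, 5)))
```

Two design points worth noticing: the weighted score (0.625 for Company A in the sample) is lower than the strict average (0.667) because the segregation-of-duties check carries the highest weight and has the worst pass rate, which is exactly what risk weighting is for; and Company D's extract is five weeks old, so its exception is still recorded for the auditor but no alert is dispatched, matching the deck's point that latency and range decide whether an anomaly should generate an alert.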
Operational Audit
Next Steps for SAP Preventive Controls Review
Timeline: Q4 2004, Q1 2005, Q2 2005, Q3 2005
• Complete the audit plan: formalize the actions that can be identified with CA.
• Complete coding of the model and add workflow alerting. Identify a multiple-SAP-ERP-system environment for the production model.
• Implement a limited-scope production CA model on multiple Siemens ERP systems. Demonstrate the value proposition.
• Migrate the CA analyzer to more robust software if needed, and implement more and more complex control reviews (diverse platforms, with more agile software intelligence and tagging, i.e. XML, XBRL, etc.).
Operational Audit Message to Vendors
Help!!
• We need agile CA software focused on preventive controls, with business rules engines that allow users to add and modify rules (understanding that agility and level of complexity are conflicting objectives).
• We need intelligent software that can monitor data from multiple systems, delivered in multiple formats.
• We need alerting (workflow) with dashboards and alert management capabilities.
Operational Audit Questions?
Thank You!
Questions!