The full scope of services within the Continuous Auditing / Continuous Monitoring (CACM) Methodology Guide is not permissible for SEC audit clients and IFAC PIE clients and their affiliates. CACM services are generally permissible for IFAC non-PIE audit clients subject to evaluating engagement circumstances using the conceptual framework (i.e. threats and safeguards approach) as outlined in the Global Quality & Risk Management Manual Chapter 11. Refer to the contents of the Independence guidance on slides 11-20 of the CACM Methodology Guide for detailed guidance. The Independence guidance was updated in 2013. The remaining content is unchanged.
Continuous Auditing / Continuous Monitoring to Manage Risk and Performance
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.
KPMG and the KPMG logo are registered trademarks of KPMG International Cooperative (“KPMG International”), a Swiss entity.
© 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.
Agenda
• Appetite for CA/CM
• Background on CA/CM
• CA/CM Overview
• Drivers Influencing CA/CM Strategies
• An Illustration of CA/CM
• Why implement CA/CM?
– Challenges and Requirements for Implementation
– How do we get Started?
– Implementation of CA/CM
• Dimensions of CA/CM
• Enabling with Technology
• Sample Implementation Model
• The Value Proposition
• Key Success Factors of CA/CM
• How can KPMG help?
Appetite for CA/CM
Survey Data – Risk and Control Innovations – Next Three Years
Survey of 435 Senior Executives
What risk and control innovation themes exist in your organization?
Background on CA/CM
What is different this time?
“Historical”
• theoretical concept – “Mostly Academic View”
• lacked executive support
• technologically cumbersome
• too costly to implement
• lack skills
• compliance-based auditing.
“Current”
• significant advances in technology
• practical and realistic – aligning frequency to risks
• business and value drivers more evident
• technology options are becoming cost effective
• evolving skills in internal audit function.
What is different for you – is the concept becoming a reality?
CA/CM Overview
Definitions
How is your organization defining the CA/CM initiative?
Continuous Monitoring: An automated feedback mechanism used by management to help ensure that systems and controls operate as designed and transactions are processed as prescribed
Continuous Auditing: The collection of audit evidence and indicators, by an internal or external auditor, on IT systems, processes, transactions, and controls on a frequent or continuous basis throughout a period
Continuous Assurance: Providing a continuous or on-demand assurance opinion on systems or transactions
CA/CM Overview
Objectives
Continuous Auditing (Performed by Internal Audit)
• gain audit evidence more effectively and efficiently
• react more timely to business risks
• leverage technology to perform more efficient internal audits
• focus audits more specifically
• help monitor compliance with policies, procedures, and regulations
• become more valuable to the business.
Continuous Monitoring (Responsibility of Management)
• improved governance
• increase visibility into operations
• obtain better information for day-to-day decision making
• strive to reduce cost of controls
• leverage technology to create efficiencies.
Drivers Influencing CA/CM Strategies
CA/CM strategy is influenced by a variety of strategic, operational and external drivers . . .
[Figure: Strategic Drivers, Operational Drivers and External Drivers feeding into CA/CM Strategies. Drivers shown:]
• Uncertain economic environment increasing business risk
• Expanding regulatory and legal risk environment
• Pressure to improve governance
• Need to improve performance/accountability
• Improve leverage of IT Investments
• ERP conversion
• Occurrence or risk of fraud
• Scrutiny from rating agencies/listing standards
• Desire to reduce SOX costs
• Globalization
What are the drivers influencing CA/CM in your organization?
An Illustration of CA/CM
Let’s Put This Into Perspective - Quick example
Risk – quality of customer balances
Continuous Auditing – alert the internal audit department when:
• credit limit exceeded by more than 10 percent AND
• credit limit has been exceeded for more than 15 days AND
• no payments made by the customer, AND
• new shipment made to customer.
Continuous Monitoring
– alert when credit limit exceeded by 5 percent
– alert when changes made to customer limits in master file.
Both strategies give management indicators of issues that are arising, allowing for pro-active, rather than reactive actions
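The customer-balance rules above, written out as executable checks. This is an added example, not part of the original deck: the record layout, the sample data and the reading that "no payments" and "new shipment" are counted from the day the limit was first exceeded are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal
from typing import List, Optional

# Thresholds come from the slide; the data model and sample rows are constructed.
CM_OVER_PCT = Decimal("5")    # CM: alert when limit exceeded by 5 percent
CA_OVER_PCT = Decimal("10")   # CA: exceeded by MORE than 10 percent
CA_MIN_DAYS = 15              # CA: exceeded for MORE than 15 days


@dataclass
class Customer:
    cust_id: str
    credit_limit: Decimal
    balance: Decimal
    over_limit_since: Optional[date] = None   # first day balance > limit
    payments: List[date] = field(default_factory=list)
    shipments: List[date] = field(default_factory=list)


def pct_over(c):
    """Percent by which the balance exceeds the limit; None if the limit is unusable."""
    if c.credit_limit <= 0:
        return None
    return (c.balance - c.credit_limit) / c.credit_limit * 100


def cm_alerts(customers, master_changes):
    """Management view: every breach of the 5 percent line and every limit change."""
    alerts = []
    for c in customers:
        over = pct_over(c)
        if over is None:
            # A zero or missing limit would silently disable the rule, so surface it.
            alerts.append((c.cust_id, "no usable credit limit on file"))
        elif over >= CM_OVER_PCT:
            alerts.append((c.cust_id, f"over limit by {over:.1f}%"))
    for ch in master_changes:
        if ch["field"] == "credit_limit":
            alerts.append((ch["cust_id"],
                           f"limit changed {ch['old']} -> {ch['new']} by {ch['changed_by']}"))
    return alerts


def ca_alerts(customers, today):
    """Internal audit view: all four conditions must hold (AND)."""
    flagged = []
    for c in customers:
        over, since = pct_over(c), c.over_limit_since
        if over is None or since is None:
            continue
        if (over > CA_OVER_PCT
                and (today - since).days > CA_MIN_DAYS
                and not any(p >= since for p in c.payments)
                and any(s >= since for s in c.shipments)):
            flagged.append(c.cust_id)
    return flagged


# Constructed sample data.
TODAY = date(2011, 3, 20)
D = Decimal
CUSTOMERS = [
    Customer("C001", D("10000"), D("11500"), date(2011, 3, 1),
             payments=[date(2011, 2, 20)], shipments=[date(2011, 3, 10)]),
    Customer("C002", D("10000"), D("10600"), date(2011, 3, 15)),
    Customer("C003", D("5000"), D("6000"), date(2011, 2, 1),
             payments=[date(2011, 3, 5)], shipments=[date(2011, 3, 12)]),
    Customer("C004", D("20000"), D("15000")),
    Customer("C005", D("10000"), D("11000"), date(2011, 2, 1),
             shipments=[date(2011, 3, 1)]),          # exactly 10 percent over
    Customer("C006", D("0"), D("500")),
]
MASTER_CHANGES = [
    {"cust_id": "C004", "field": "credit_limit", "old": "15000",
     "new": "20000", "changed_by": "jdoe"},
    {"cust_id": "C002", "field": "address", "old": "-", "new": "-",
     "changed_by": "asmith"},
]

if __name__ == "__main__":
    for cust_id, reason in cm_alerts(CUSTOMERS, MASTER_CHANGES):
        print("CM", cust_id, reason)
    print("CA", ca_alerts(CUSTOMERS, TODAY))
```

C004 sits under its limit only because the limit was raised, which is the case the master-file change alert exists to surface.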
Let’s Put This Into Perspective
Quick examples
Risk – Possible Fictitious Vendor
Continuous Monitoring
– vendor address matches a commercial mail receiving agency
– multiple, similar vendor names with different vendor IDs in vendor master file
– vendor Taxpayer ID matches an Employee Social Security Number (SSN)
– vendor telephone number appears to be a mobile telephone number.
Continuous Auditing – alert the internal audit department when:
• address matching risk profile (seasonal, prison, CMRA, etc.), AND/OR
• labeled as a “one-time” vendor, AND/OR
• taxpayer ID matches employee SSN, AND/OR
• telephone number matches an employee.
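The fictitious-vendor indicators above, run as a match between a vendor master and an employee master. This is an added example, not part of the original deck: the field names, the sample records, the 0.85 name-similarity threshold and the keyed-digest comparison of SSNs are assumptions, and the mobile-number and seasonal/prison address checks are left out because they need reference data the page does not describe.

```python
import hashlib
import hmac
import re
from difflib import SequenceMatcher

MATCH_KEY = b"constructed-demo-key"   # assumption: secret held only by the rule engine
LEGAL_SUFFIXES = {"inc", "llc", "ltd", "corp", "co"}
NAME_SIMILARITY = 0.85                # assumption: tune against the real vendor master


def digits(value, keep_last=None):
    """Strip formatting so 000-00-0002 and 000000002 compare equal."""
    d = re.sub(r"\D", "", value or "")
    return d[-keep_last:] if keep_last else d


def token(value):
    """Keyed digest, so SSNs are matched without being held in clear by the tool."""
    if not value:
        return None
    return hmac.new(MATCH_KEY, value.encode(), hashlib.sha256).hexdigest()


def norm_text(text):
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", text.lower()).split())


def norm_name(name):
    return " ".join(w for w in norm_text(name).split() if w not in LEGAL_SUFFIXES)


def vendor_indicators(vendors, employees, cmra_addresses):
    """Return {vendor_id: [indicators]}; indicators combine as AND/OR, so list them all."""
    ssn_tokens = {token(digits(e["ssn"])) for e in employees} - {None}
    phones = {digits(e["phone"], 10) for e in employees} - {""}
    cmra = [f" {norm_text(a)} " for a in cmra_addresses]
    hits = {v["id"]: set() for v in vendors}

    for v in vendors:
        found = hits[v["id"]]
        if token(digits(v["tax_id"])) in ssn_tokens:
            found.add("tax_id_matches_employee_ssn")
        if digits(v["phone"], 10) in phones:
            found.add("phone_matches_employee")
        if v.get("one_time"):
            found.add("one_time_vendor")
        # Padding with spaces keeps "4 dock rd" from matching "14 dock rd".
        if any(a in f" {norm_text(v['address'])} " for a in cmra):
            found.add("address_matches_cmra")

    # Similar names under different vendor IDs.
    for i, a in enumerate(vendors):
        for b in vendors[i + 1:]:
            ratio = SequenceMatcher(None, norm_name(a["name"]), norm_name(b["name"])).ratio()
            if a["id"] != b["id"] and ratio >= NAME_SIMILARITY:
                hits[a["id"]].add("similar_name_different_id")
                hits[b["id"]].add("similar_name_different_id")

    return {vid: sorted(found) for vid, found in hits.items() if found}


# Constructed sample data; the identifiers use ranges that are never issued.
EMPLOYEES = [
    {"id": "E1", "ssn": "000-00-0001", "phone": "555.010.0111"},
    {"id": "E2", "ssn": "000-00-0002", "phone": "555.010.0142"},
    {"id": "E3", "ssn": "", "phone": ""},            # blank fields must never match
]
VENDORS = [
    {"id": "V100", "name": "Northwind Trading Inc.", "tax_id": "00-0000101",
     "phone": "555-010-0100", "address": "12 Market St"},
    {"id": "V101", "name": "Northwind Tradng, LLC", "tax_id": "00-0000102",
     "phone": "555-010-0101", "address": "88 Canal Ave"},
    {"id": "V102", "name": "Bluepeak Logistics", "tax_id": "000000002",
     "phone": "(555) 010-0142", "address": "3 Quay Lane", "one_time": True},
    {"id": "V103", "name": "Cedar Office Supply", "tax_id": "00-0000103",
     "phone": "555-010-0103", "address": "PMB 220, 4 Dock Rd"},
    {"id": "V104", "name": "Granite Tooling", "tax_id": "",
     "phone": "", "address": "14 Dock Rd"},
]
CMRA_ADDRESSES = ["4 Dock Rd"]

if __name__ == "__main__":
    for vendor_id, found in vendor_indicators(VENDORS, EMPLOYEES, CMRA_ADDRESSES).items():
        print(vendor_id, ", ".join(found))
```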
An Illustration
End-to-End CA/CM Process from technical perspective
[Diagram components: Data servers, Databases, CA/CM tool, Mail server, Web server, CM Dashboard, CA Dashboard, Tool Manager, Line Manager, Auditor, Audit Work papers; action label: Create rules]
1. Rules created in CA/CM tool
2. Rules run against databases
3. E-mail alerts to auditors/management
4. CA/CM tool populates web server
5. Dashboard provides summary and drill down capability for auditors/management
Why implement Continuous Auditing?
CA can help enhance organizational value and offers a broad range of potential benefits . . .
Reduced Complexity
• reduction of complexity through global process standardization, thereby easing review
• appropriate setting and consistency of materiality thresholds
• automated exception report production – focus on the real issues
• regulatory compliance can be audited.
Enhanced Controls
• corrections of errors moved closer to the “source”
• enhanced visibility of Internal Audit within the business and improved deterrence effect
• assist in providing valuable insight to controls effectiveness and business process risks associated with outsourced business processes
• ability to audit the “monitoring” function from an Internal Audit perspective, providing an additional layer of governance.
Earlier Information
• improved speed of reporting to the business
• reduced surprises, problems do not build up
• enhanced leverage of system functionality
• identification of misuse and misconduct
• identification of errors earlier and when issues are fresh
• ability to proceed with root cause analysis for errors, policy violations, fraud and misconduct in a more timely manner.
Greater Efficiency
• audit by exception
• automate components of the audit program, audit tests or review procedures
• known control gaps and deficiencies can be continuously audited
• reduced wait times for data
• reduction of low value-added work
• improved maintenance of a dynamic and relevant risk profile
• automate manual processes
• reduced travel costs by automation of testing.
… which will help Internal Audit to add more value to the business
Why implement Continuous Monitoring?
CM can help enhance organizational value and offers a broad range of potential benefits . . .
Reduced Complexity
• greater visibility as to how processes are functioning
• appropriate setting and consistency of thresholds
• regulatory compliance can be monitored
• ability to standardize process measures across locations
• demonstrate good governance – use leading edge approach.
Enhanced Controls
• corrections of errors moved closer to the “source”
• automated controls
• control gaps and deficiencies can be monitored for circumvention and/or exploitation
• ERP system and/or business process limitations and deficiencies can be addressed
• automated fraud prevention and detection activities.
Earlier Information
• improved speed of information delivery to the business
• reduced surprises, problems do not build up
• better information for decision making
• ability to progress with root cause analysis for errors, policy violations, fraud and misconduct in a more timely manner.
Greater Efficiency
• reduction of work duplication
• increased use of automation
• enhanced ability to identify and correct errors
• more time for value adding analysis instead of error correction
• reduced manual SOX testing
• reduced travel costs by automation of testing and remote monitoring.
… which results in more focused time to add value to the business
Challenges and Requirements for Implementation
Challenges
• thought Leadership - lack of content (e.g., business process specific, industry specific)
• people - lack of deep industry and functional specialization (e.g., Governance, Risk and Compliance specialization; Fraud and Forensic Investigative specialization)
• reliability, accessibility, and availability of data
• consistency of business processes
• change management - impact of changing embedded processes, resistance to change.
Requirements
• technology intensive - virtual real time monitoring requires sophisticated technology
• thorough business process and industry content knowledge
• knowledge of and linkage to enterprise risk exposures
• senior management sponsorship.
The full scope of services is not permitted for audit clients or their affiliates. See detailed guidance regarding independence on slides 9 and 10 of the methodology guide.
Implementation of CA/CM – How do we get started?
KPMG Framework
Implementation of CA/CM
KPMG Framework
The implementation model
Plan Design Implement Assess Execute Evaluate
Plan and scope the engagement
Perform the auditing or monitoring
Revisit the process according to results produced
To be removed before printing: Services provided within the “Design” phase are prohibited for SEC audit clients. Services provided within the “Implement”, “Execute” and “Evaluate” phases are restricted for SEC audit clients. Refer to the CA/CM Methodology Guide for further information as well as local office risk management policies and guidelines.
Our approach is designed to provide an efficient, consistent and repeatable process…
Plan Design Implement Assess Execute Evaluate
Current state assessment
CA/CM implementation plan
Needs and requirements summary
Gap analysis
Data maps and dictionaries
Set-up for data extraction activities
Selected CA/CM tools
Exception reports
Risk assessment
Controls Assessment
• confirm and prioritize areas to be addressed
• define measures and thresholds
• assist client with selecting the best CA/CM tool(s)
• confirm implementation plan.
• roll out implementation plan
• set-up for data extraction activities
• assist with other ongoing program activities through the implementation.
• run queries and routines
• assist with identification of root cause of exceptions/results
• assist with training available resources.
[Slide row labels: Phase; Activities; Potential Deliverables]
• gather relevant information
• perform risk assessment
• perform current state assessment
• perform gap analysis
• assist with drafting the desired state.
• conduct a post implementation assessment
• identify potential improvements
• discuss control gaps and weaknesses.
Post implementation assessment
Engagement letter
Lessons learned
INITIATIVES
FUTURE – DO WELL
• Working in partnership with the business we will define and deliver Vodafone’s management information requirements, implementing a robust governance process to ensure continuous business information integrity, relevance and value
• < 1 per month per OpCo• 100%• Real time• 100% commonality• Milestones achieved on time and to budget
TARGETS
REQUIREDPLANNED
• Creation of MI function• Definition and communication
of role of finance in management information
• Define data ownership/source/ policy
• Define group, global and OpCo data and info needs
• Effective MI governance function
• Clarification and effective communication of matrix management roles and responsibilities
• Select IT infrastructure and platform
• Build solution
• Group Technology single billing system
• Common chart of accounts
• Many country based piecemeal projects
• Global Performance Management project
• Global HR Scorecards• Spend analysis vendor • One Vodafone• DCC (Data Centre
Consolidation)
• Hyperion committee• Local OpCo data
warehouses
CURRENTTODAY’S ENVIRONMENT
MEASURES
• Reduced level of ad hoc reporting• New report requests referred to MI
function• Speed of data delivery• Commonality of data definitions across
Vodafone• Execution of plan to deliver
People• Dedicated management information function• Clearly defined role for finance in management informationContent and governance• Strong governance process for management information• Linked to strategic value drivers• Agreed criteria for content• Content optimised on cost and value• Single, trusted view of performanceSystems• Single group wide, global data warehouse• Automated extraction, transformation and loading of dataFunctionality• Delivery of product/segment/customer profitability reporting• Delivery of real time management information (daily/weekly/monthly)
CRITICAL OBJECTIVE:-
INSIGHTFUL MANAGEMENT INFORMATION
INITIATIVES
FUTURE – DO WELL
• Working in partnership with the business we will define and deliver Vodafone’s management information requirements, implementing a robust governance process to ensure continuous business information integrity, relevance and value
• determine client objectives with key stakeholders
• prepare engagement approach with team
• kick-off the project.
The full scope of services is not permitted for audit clients or their affiliates. See detailed guidance regarding independence on slides 9 and 10 of the methodology guide.
Dimensions of CA/CM
Interrelationship of CCM, CTM and Macro Analysis
Controls Dimension (Continuous Controls Monitoring)
Transactions Dimension (Continuous Transaction Monitoring)
Analytical Dimension
Risk and Performance Monitoring is optimized when all three dimensions are implemented
Macro Analysis (e.g., Number of Purchase Orders per week)
Changed or Deleted Controls
Types of Analysis (e.g., rules, statistical, link mining, etc.)
Risk/Performance
Enabling with Technology
Considerations
• Continuous Control Monitoring (CCM)
– application configuration parameters
– user access and segregation of duty analysis
– examples of available tools.
• Technical
– infrastructure limitations
– availability of data and number of sources
– level of sophistication of IT personnel.
• End User Requirements
– transaction monitoring
– control and configuration monitoring
– case management/remediation tracking
– master data monitoring.
• Continuous Transaction Monitoring (CTM)
– transaction attribute analysis
– transaction pattern analysis
– examples of available tools.
Technology Selection Considerations
Types of Technology Tools (Evolving)
Enabling with Technology
Additional Considerations
• What are the objectives?
– IA, IA for Mgt or both
– Strengthen IA data analytics.
• What are the anticipated areas of focus?
– ERP? Non-ERP? Both?
– Controls, transactions, macro analysis
– Risk types? (e.g., fraud, performance, waste, regulatory compliance).
• How will the analysis be performed?
– Embedded, extracted
– Frequency: regular, repeatable, near real-time.
• Required sophistication of analytic functionality
– Rules, statistical, temporal, artificial intelligence.
• Exception handling
– Alerts
– Aggregation, prioritization, scoring
– Assignment, investigation, resolution, documentation.
• Reporting and dashboard capabilities
• Impact on system performance (extraction)
• Required speed of analysis and hardware requirements (daily analytics)
• Cost
Enabling with Technology
Two Main Technology Types
Auditee Auditor
Monitor Report Followup
Type 1 – Embedded Monitor at Source
Examples: SAP® GRC, Oracle® GRC, Approva®
Database
Oracle
SAP
Enabling with Technology
Two Main Technology Types
Type 2 – Data Analytics
Examples: ACL®, IDEA®, SAS®, Approva, Business Objects®
Auditee Auditor
Extract Upload Test Review Followup
Database
Oracle
SAP
Sample Implementation Model
Combination CA/CM Approach
CM Application (Mgmt)
Organization
ERP Systems
Operations
Financial Applications
Internal Audit
CA Application
Management
The Value Proposition
Benefits of Implementing CA/CM
Board of Directors | Management | Internal Audit
Improved insight into the business risks across the enterprise
Improved corporate governance
Potential for improved reporting to the board
Allows senior management to have greater visibility into the organization—enhancing its oversight capabilities
Improved corporate governance
Improved information for day-to-day decision making
Reduction of work duplication
Improved leverage of IT investment
Reducing surprises
Identification of ‘issues’ closer to occurrence
Better able to test a broader range of controls, including security, segregation of duties, and process level controls at a reduced cost and on a timely basis
Improved speed of reporting to the business
Improved information to focus audit efforts
Improved maintenance of risk profile
CA brings greater efficiency, enhanced controls, earlier information, and reduced complexity
Key Success Factors of Continuous Monitoring
KPMG’s response addresses these vital issues
Senior executive support
• executive involvement at all stages of the project including opportunity identification, selection, prioritization and sign-off
• clear CM leadership roles to drive cultural change
• identification of control owners to report failures, escalate issues, etc.
Technology tools and experienced resources
• fact-based approach to identification, quantification and prioritization of CM opportunities
• selection of appropriate CM tools to contain costs and speed up communication
• experienced staff who can commence fieldwork immediately.
Established approach to CM
• global continuous monitoring framework and approach
• identification of key control check points
• methodology emphasizes risk and continuous improvement.
Well planned approach
• detailed project initiation and work plan documents
• knowledge of and linkage to enterprise risk exposures
• organization’s risk profile is fundamental to the assessment and design of the CM approach.
Organizational alignment
• incorporation of key line management within the CM project
• partnering with team members to help enable knowledge transfer
• senior industry and functional practitioners.
Critical success factors
Key Success Factors of Continuous Auditing
• Executive education on the development of a business case
• Obtain buy-in by the Chief Audit Executive regarding approach
• Commitment to train internal resources
• Provide root cause analysis capabilities for errors, policy violations, fraud and misconduct
• Identification of key control check points
• Methodology emphasizes continuous improvement
• Detailed project initiation and work plan documents
• Organization’s risk profile is fundamental to the assessment and design of the CM approach
• Knowledge of and linkage to enterprise risk exposures
Senior executive support
Experienced resources and technology tools
• Experienced staff who hit the ground running
• Thorough business process and industry content knowledge
• Selection of appropriate CA tools to contain costs and speed up communication
Established approach to CA
Well planned approach
Organizational alignment
• Partnering with internal team members to help enable knowledge transfer
• Consistent alignment of goals, measures and incentives
• Audit the “monitoring” function from an Internal Audit perspective
Transition Planning
• Balancing existing internal audit practices with CA
• Managing independence
KPMG’s response addresses these vital issues
Critical success factors
How can KPMG help?
• Design and implement CA/CM approaches including risk-based:
- Dashboards
- Scorecards
- Analytics (including fraud and regulatory risk specific)
- Reports (area and transaction based)
- Management Protocols
• Notification
• Reporting
• Response
• Investigation
• Execute individual CA projects
• Evaluate anti-fraud processes that are part of the CA/CM approach.
• Controls automation
• Integration with governance, risk and compliance initiatives
• Coordination with business intelligence initiatives
• Design/incorporate with more sophisticated data analysis initiatives (e.g., predictive modeling, social network analysis)
• Tool/application evaluation and recommendation
• Training
• Risk assessment/scoping.
Contact information
John W. Doe
KPMG LLP
(201) [email protected]