THE THREE LINES OF DEFENSE MODEL & CONTINUOUS CONTROLS MONITORING DEFENSE IN DEPTH


Page 1: The Three Lines of Defense Model & Continuous Controls Monitoring

THE THREE LINES OF DEFENSE MODEL & CONTINUOUS CONTROLS MONITORING

DEFENSE IN DEPTH

Page 2

AGENDA

• The Three Lines of Defense model

• Continuous Controls Monitoring (CCM)

• Case studies of CCM at each line of defense

Page 3

THREE LINES OF DEFENSE MODEL

Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

Page 4

FIRST LINE OF DEFENSE

Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

Page 5

OPERATIONAL MANAGEMENT

• Own and manage risks

• Design and implement internal controls

• Responsible for maintaining effective controls

Page 6

SECOND LINE OF DEFENSE

Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

Page 7

RISK MANAGEMENT & COMPLIANCE

• Help build and monitor first line of defense

• Ensure compliance with regulations

• Financial risks and reporting requirements

• Identify changes in risk appetite

Page 8

THIRD LINE OF DEFENSE

Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

Page 9

INTERNAL AUDIT

• Provide senior management with assurance

• Monitor the effectiveness of the first and second lines of defense

• Independent

Page 10

COORDINATING THE THREE LINES

First Line of Defense: Risk Owners/Managers

• Operating management

Second Line of Defense: Risk Control and Compliance

• Limited independence

• Reports primarily to management

Third Line of Defense: Risk Assurance

• Internal audit

• Greater independence

• Reports to governing body

Page 11

AGENDA

• The Three Lines of Defense model

• Continuous Controls Monitoring (CCM)

• Case studies of CCM at each line of defense

Page 12

VISION FOR CCM

• Know the state of any control in the business

• Resolve identified breaches before impact

• Provide an unparalleled ROI

Page 13

THE IMPORTANCE OF MONITORING

COSO Guidance (effective control systems must include monitoring)

Page 14

ROLE OF CCM

• Independent monitoring of automated and partially automated controls

• Continuous detection of breaches

• Transparency in detection and remediation

• Address IT concerns

• Collaborative approach to timely remediation

Page 15

EXAMPLE

Risk: Invoices may not be valid and/or properly authorized

Control Activity: Matching invoices to goods receipt

Owner: Category Management

Method: Partially automated

Type: Preventative

Frequency: Recurring

COSO Component: Control activities

Page 16

PROPERTIES OF CCM TESTING

Frequency: Daily

Detect: Any non-compliance over and below the threshold

Assignment: Category Management

Deadline: Resolve same day

Evidence: Due diligence performed on those over the threshold and any other exceptions detected

Value: Ensure that control effectiveness is sustained at a high level
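An added illustration of the control test described on these two slides (example code, not from the deck): one daily run matches each invoice to its goods receipt, records every mismatch, over or below the threshold, as an exception assigned to Category Management with a same-day deadline, and keeps the due-diligence notes as evidence. The threshold value, the sample invoices and receipts, and the record layout are constructed assumptions.

```python
from dataclasses import dataclass, field

THRESHOLD = 100.0                # variance that needs due diligence (assumed value)
OWNER = "Category Management"    # control owner named on the slide
# Constructed sample data: goods receipts keyed by purchase order, and the day's invoices.
GOODS_RECEIPTS = {"PO-1001": 5000.00, "PO-1002": 5000.00, "PO-1003": 80.00}
INVOICES = [
    {"id": "INV-1", "po": "PO-1001", "amount": 5000.00},  # matches the receipt
    {"id": "INV-2", "po": "PO-1002", "amount": 5300.00},  # over-billed by more than the threshold
    {"id": "INV-3", "po": "PO-1003", "amount": 75.00},    # small variance, below the threshold
    {"id": "INV-4", "po": "PO-9999", "amount": 40.00},    # no goods receipt at all
]

@dataclass
class ControlException:
    invoice_id: str
    reason: str
    variance: float            # invoice minus receipt; the whole amount when nothing was received
    assigned_to: str
    deadline: str              # ISO date; "resolve same day" means the run date
    resolved: bool = False
    evidence: list = field(default_factory=list)  # due-diligence notes retained for auditors

def run_daily_test(invoices, receipts, run_date):
    """One daily CCM run: every invoice that does not match its goods receipt becomes
    an exception, whether the variance is over or below the threshold, so the test
    records all non-compliance and the owner can show due diligence on the large ones."""
    exceptions = []
    for inv in invoices:
        received = receipts.get(inv["po"])
        if received is None:
            reason, variance = "no goods receipt", inv["amount"]
        else:
            variance = round(inv["amount"] - received, 2)
            if variance == 0:
                continue  # control operated as designed
            reason = ("variance above threshold" if abs(variance) >= THRESHOLD
                      else "variance below threshold")
        exceptions.append(ControlException(inv["id"], reason, variance, OWNER, run_date))
    return exceptions

def resolve(exc, note):
    """Close an exception, keeping the note as evidence of the work performed."""
    exc.evidence.append(note)
    exc.resolved = True

def overdue(exceptions, today):
    """Exceptions still open after their same-day deadline (ISO dates compare as strings)."""
    return [e for e in exceptions if not e.resolved and today > e.deadline]
```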

Page 17

CCM AT EACH LINE OF DEFENSE

• Effectively monitor internal controls at the first and second lines of defense

• Allow the third line of defense to be confident in its assurance role

• Create a remediation process that minimizes the impact of a control breakdown

• Provide evidence of due diligence for external auditors and regulators

Page 18

AGENDA

• The Three Lines of Defense model

• Continuous Controls Monitoring (CCM)

• Case studies of CCM at each line of defense

Page 19

FIRST LINE OF DEFENSE

Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

Page 20

ENERSOURCE

• Canadian energy company since 1917

• Third largest in Ontario

• Over 200,000 residential and commercial customers

• Provides electrical infrastructure design, construction, operations support, and maintenance

Page 21

REPUTATIONAL RISKS

Page 22

FINANCIAL RISKS

Page 23

VERIFICATION OF BILLS

• Reputational risk is the primary concern

• Was using an in-house MS Excel system to verify the accuracy of bills

• Upgraded to smart meters in 2009

• Challenges:

  • Took 5 hours to process a batch of bills

  • Exceptions manually circulated by email

  • Impossible to track resolution

  • Labor intensive to make changes

Page 24

THE CCM SOLUTION

• Independently calculate bills and identify inaccuracies

• Extract data from other sources—not just billing system

• Sent exceptions in XML format to bill print system for those bills not to be printed

• Engaged users in the Billing Department to resolve issues

• Validate corrections made in core systems

• Maintain history of exceptions and actions taken to resolve them
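An added sketch of the bill-verification design listed on this slide (example code, not Enersource's or the vendor's): bills are recalculated from the meter readings and tariff table rather than trusted from the billing system, inaccurate bills are written to an XML hold feed for the print system, and a per-account history records each exception and the later validated correction. The tariff figures, meter readings, sample bills, tolerance and XML element names are constructed assumptions.

```python
import xml.etree.ElementTree as ET

TOLERANCE = 0.50  # dollars of disagreement before a bill is held back (assumed value)

# Constructed sample data from the sources the solution pulls together: the tariff
# table, the smart-meter readings, and the bills the billing system wants to print.
TARIFFS = {"RES": {"rate_per_kwh": 0.12, "fixed": 10.00},
           "COM": {"rate_per_kwh": 0.10, "fixed": 25.00}}
METER_READINGS_KWH = {"A-1": 500, "A-2": 1200, "A-3": 300}
BILLS = [
    {"account": "A-1", "class": "RES", "billed": 70.00},    # 500 * 0.12 + 10.00 = 70.00
    {"account": "A-2", "class": "COM", "billed": 1450.00},  # should be 145.00: decimal slip
    {"account": "A-3", "class": "RES", "billed": 46.00},    # 300 * 0.12 + 10.00 = 46.00
]

def expected_amount(bill):
    """Independent recalculation: metered consumption times tariff plus fixed charge."""
    t = TARIFFS[bill["class"]]
    return round(METER_READINGS_KWH[bill["account"]] * t["rate_per_kwh"] + t["fixed"], 2)

def verify_bills(bills, history):
    """One verification run. Inaccurate bills are appended to the per-account history
    as open exceptions and returned as the hold list; a bill that now agrees with the
    recalculation closes its open exception, which validates the correction made in
    the core system instead of trusting an e-mailed 'fixed' reply."""
    held = []
    for b in bills:
        expected = expected_amount(b)
        events = history.setdefault(b["account"], [])
        if abs(b["billed"] - expected) > TOLERANCE:
            events.append({"status": "open", "billed": b["billed"], "expected": expected})
            held.append(b["account"])
        elif events and events[-1]["status"] == "open":
            events.append({"status": "resolved", "billed": b["billed"]})
    return held

def hold_list_xml(held_accounts):
    """XML feed for the bill-print system naming the bills not to print (assumed schema)."""
    root = ET.Element("HoldList")
    for acct in held_accounts:
        ET.SubElement(root, "Bill", account=acct, action="do-not-print")
    return ET.tostring(root, encoding="unicode")
```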

Page 25

RESULTS

• Has not had a single public incident

• Accuracy of billing improved significantly

• Billing anomalies automatically distributed

• Bills verified in less than 5 minutes (not 5 hours)

• Bills sent out same day—improving cash flow

• Evidence retained for regulators/auditors

• Labor-intensive manual reviews were eliminated

Page 26

SECOND LINE OF DEFENSE

Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

Page 27

CHRISTIE'S AUCTION HOUSE

• Founded in 1766 by James Christie

• 53 offices in 32 countries

• Prices range from $200 to $80 million

Page 28

CHALLENGES

• Risk and compliance group mandated to review 100% of transactions

• Primary area of concern is client accounting

• Need to ensure that fees and charges are accurate

• Need to involve the business in timely remediation

Page 29

THE CCM SOLUTION

• Implemented for 40 key controls

• Monitor transactions near real time

• Covering multiple locations (UK and New York)

• Phase I started in risk and compliance then rolled out to the business

Page 30

PHASE II—CUSTOMER SCREENING

• Important to meet regulatory requirements

• AML and KYC compliance

• Integrate with World-Check sanction list data for screening

Page 31

THIRD LINE OF DEFENSE

Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

Page 33

CHALLENGES

• Several disparate systems

• Many audit scripts

• Emailing exceptions in Excel

• SAP generating many exception reports

• Business struggling to cope

Page 34

THE CCM SOLUTION

• All analytics built in-house by CM Team

• Covered 30 key controls to start

• CCM implemented for Purchase to Payment in Phase I

• Expanded to the retail business processes in Phase II

• Adopted as central exception management system (including SAP reports)

Page 35

RESULTS

• Started in internal audit

• Rolled out to business users

• Use action/reason codes to facilitate root cause analysis

• Daily examination of processes

• First-year results:

  • 5.5 billion transactions covered

  • $1.8 million in savings

Page 36

CONCLUSION

• Internal control effectiveness is positively impacted by collaboration

• That covers collaboration at all three levels

• CCM is a compelling vehicle to facilitate a collaborative process

Page 37

THE THREE LINES OF DEFENSE MODEL & CONTINUOUS CONTROLS MONITORING

DEFENSE IN DEPTH

Visit casewareanalytics.com Email [email protected]