Emerging CARLAB work
Miklos A. Vasarhelyi

Outline

• Continuous Control Monitoring
• Simulating Continuous Auditing
• Control Tags

Ongoing CA/R/Lab Projects

CA = Continuous Control + Continuous Assurance

1. Continuous Control Monitoring (CCM)
• Siemens SALT project
• KPMG next generation control assessment
• Control tags

2. Continuous Assurance
• Advanced analytics at HCA (and Siemens)
• Liberty CA Simulator (and integrating with CCM)

CCM

Distributed And Inter-networked Systems: A New Control Paradigm

[Diagram; labels: Auditee systems, resident analytics, Monitoring Probes, Control Agent, Control Monitoring Device, metrics, CA Monitoring, Audit by exception]

Levels Of Assurance

• Data Level Assurance (DLA)
  – Develop innovative tools: control tags, cookie crumbs, control paths, aggregate estimates
• Process Level Assurance (PLA)
  – Create a model that allows for the process by process estimate of control effectiveness
• Opinion Level Assurance (OLA)
  – Develop temporal related continuous control effectiveness assessments
    • Evergreen opinions
    • Exception frames
    • Probabilistic opinions

Simulating Continuous Auditing
Miklos A. Vasarhelyi
Rutgers University

Outline

• The problem
• Structure of the simulation
• Demo
• Conclusions

The problem

• Progressively a large set of solutions is emerging in the CA arena
• Many of them have been theoretical and have no empirical basis
• It is very difficult to get transactional and/or control data from real-life companies
• Companies will give little entry to real-life situations

Structure of the Simulation

• Distributional data drawn from real life data
• The control structure is symbolic of a wide set of companies / processes
• We will vary the control structure and nature of data stream to compare

System Architecture

Conclusions

• A tool for continuous audit simulation through transaction replication and control evaluation
• Used real company distributions
• ARENA is a constricting tool
• There is much potential for its use
• Next step is results of simulations

Control Tags
Miklos A. Vasarhelyi

Definition

• XML derivative tagging with a new type of tag, the control tag, which incorporates specific control information on items of information.

Types of Control Tags

• 1) tags that specify the reliability of the control process that has generated the transaction,
• 2) tags that serve to leave behind tracer information on the datum processing (cookie crumbs),
• 3) tags that record the processes to which the transaction was submitted,
• 4) tags that contain other control information, and
• 5) a mixture of the above.

Reliability control tags

• An ongoing assessment of the reliability of the control processes that generate a transaction is made.
• This measurement is carried with the transaction
• If it is subject to other processes, this reliability assessment is changed

Control tags, cookie crumbs and digital IDs

[Diagram; labels: Subsidiary 1 financial statements, Subsidiary 2 financial statements, Subsidiary 3 financial statements, Consolidation financial statements, Financial Intermediary financial statements analysis, Assurance station, DID1 to DID9, Dynamic control spots with cookie crumb collection]

Tracer related control tags (cookie crumbs)

• Tags carry a unique identifier of the transaction that is encrypted
• This identifier is deposited in tracer receptacles across the transaction path
• Public/private encryption schemes are used to verify transaction paths

Path recording control tags

• Transactions record their path by collecting process DIDs and carrying them encrypted
• Alternatively these may be deposited in a third party safe Web site and a pointer carried
• Information about the crypt decoding key / method is carried by the transaction as a tag
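
An added example (not part of the original slides) of the tracer and path-recording tags described above: each process appends a crumb carrying its DID to an XML transaction, and an assurance station checks the recorded path. The element names, the keys and the use of chained HMACs in place of the slides' public/private scheme are assumptions made for this sketch.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed per-process keys, indexed by digital ID (DID). Assumption: an HMAC
# key shared by each process and the assurance station stands in for the
# public/private scheme on the slide, which the standard library cannot provide.
KEYS = {"DID1": b"k-subsidiary-1", "DID4": b"k-consolidation", "DID7": b"k-intermediary"}

def _mac(did, txn_id, prev):
    msg = f"{did}|{txn_id}|{prev}".encode()
    return hmac.new(KEYS[did], msg, hashlib.sha256).hexdigest()

def new_transaction(txn_id, amount):
    txn = ET.Element("transaction", id=txn_id)
    ET.SubElement(txn, "amount").text = amount
    ET.SubElement(txn, "controlPath")  # hypothetical control-tag container
    return txn

def record_hop(txn, did):
    """Process `did` appends a crumb chained to the previous crumb's MAC."""
    path = txn.find("controlPath")
    prev = path[-1].get("mac") if len(path) else ""
    ET.SubElement(path, "crumb", did=did, mac=_mac(did, txn.get("id"), prev))

def verify_path(txn, expected):
    """Assurance-station check: expected DIDs, in order, with an unbroken chain."""
    crumbs = list(txn.find("controlPath"))
    if [c.get("did") for c in crumbs] != list(expected):
        return False
    prev = ""
    for c in crumbs:
        want = _mac(c.get("did"), txn.get("id"), prev)
        if not hmac.compare_digest(want, c.get("mac", "")):
            return False
        prev = c.get("mac")
    return True

def demo():
    txn = new_transaction("T-0001", "1250.00")  # constructed sample transaction
    for did in ("DID1", "DID4", "DID7"):
        record_hop(txn, did)
    intact = verify_path(txn, ["DID1", "DID4", "DID7"])
    # Strip the consolidation hop (DID4) from the tag to mimic a bypassed control.
    path = txn.find("controlPath")
    path.remove(path[1])
    bypassed = verify_path(txn, ["DID1", "DID7"])
    return intact, bypassed

if __name__ == "__main__":
    print(demo())
```

Because each crumb's MAC covers the previous crumb, removing or reordering a hop breaks verification even when the remaining DIDs look plausible.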

Information Control Tags

• Contain other control related information that could entail
  – Organizational placement and hierarchies
  – Reliability change related information
  – Name of the DLA assuror, e.g. KPMG
  – Outsource related agreements

Conclusions

• The balkanization of financial information distribution creates serious integrity concerns
• Control tags associated with XML derivative transactions can deal with many of these problems
• Substantial investments in the standards, their implementation into software, and their conceptualization must be made