1
Emerging CARLAB work
Miklos A. Vasarhelyi
2
Outline
• Continuous Control Monitoring
• Simulating Continuous Auditing
• Control Tags
3
Ongoing CA/R/Lab Projects
CA = Continuous Control + Continuous Assurance
1. Continuous Control Monitoring (CCM)
• Siemens SALT project
• KPMG next generation control assessment
• Control tags
2. Continuous Assurance
• Advanced analytics at HCA (and Siemens)
• Liberty CA Simulator (and integrating with CCM)
4
CCM
5
Distributed And Inter-networked Systems: A New Control Paradigm
[Diagram labels: Auditee systems; resident analytics; Monitoring Probes; Control Monitoring Device; Control Agent; metrics; CA Monitoring; Audit by exception]
6
Levels Of Assurance
• Data Level Assurance (DLA)
– Develop innovative tools: control tags, cookie crumbs, control paths, aggregate estimates
• Process Level Assurance (PLA)
– Create a model that allows for the process by process estimate of control effectiveness
• Opinion Level Assurance (OLA)
– Develop temporal related continuous control effectiveness assessments
• Evergreen opinions
• Exception frames
• Probabilistic opinions
7
Simulating Continuous Auditing
Miklos A. Vasarhelyi
Rutgers University
8
Outline
• The problem
• Structure of the simulation
• Demo
• Conclusions
9
The problem
• Progressively a large set of solutions is emerging in the CA arena
• Many of them have been theoretical and have no empirical basis
• It is very difficult to get transactional and/or control data from real-life companies
• Companies will give little entry to real-life situations
10
Structure of the Simulation
• Distributional data drawn from real life data
• The control structure is symbolic of a wide set of companies / processes
• We will vary the control structure and nature of data stream to compare
11
12
13
14
System Architecture
15
16
Conclusions
• A tool for continuous audit simulation through transaction replication and control evaluation
• Used real company distributions
• ARENA is a constricting tool
• There is much potential for its use
• Next step is results of simulations
17
Control Tags
Miklos A. Vasarhelyi
18
Definition
• XML derivative tagging with a new type of tag, the control tag, which incorporates specific control information on items of information.
19
Types of Control Tags
• 1) tags that specify the reliability of the control process that has generated the transaction,
• 2) tags that serve to leave behind tracer information on the datum processing (cookie crumbs),
• 3) tags that record the processes that the transaction was submitted to,
• 4) tags that contain other control information, and
• 5) a mixture of the above.
20
Reliability control tags
• An ongoing assessment of the reliability of the control processes that generate a transaction is made.
• This measurement is carried with the transaction
• If it is subject to other processes, this reliability assessment is changed
21
Control tags, cookie crumbs and digital IDs
[Diagram labels: Subsidiary 1 Financial statements; Subsidiary 2 Financial statements; Subsidiary 3 Financial statements; Consolidation Financial statements; Financial Intermediary Financial statements analysis; Assurance station; DID1 to DID9; Dynamic control spots with cookie crumb collection]
22
Tracer related control tags (cookie crumbs)
• Tags carry a unique identifier of the transaction that is encrypted
• This identifier is deposited in tracer receptacles across the transaction path
• Public/private encryption schemes are used to verify transaction paths
23
Path recording control tags
• A transaction records its path by collecting process DIDs and carrying them encrypted
• Alternatively these may be deposited in a third party safe Web site and a pointer carried
• Information about the decryption key / method is carried by the transaction as a tag
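
An added example, not from the original slides: one way a transaction could carry a verifiable record of the process DIDs it passed through, as the tracer and path-recording slides describe. The tag names (`controlPath`, `crumb`), the keys and the sample transaction are constructed, and a standard-library HMAC chain stands in for the public/private scheme, so the path is authenticated rather than encrypted.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed keys, one per process digital ID (DID). HMAC keeps the example in
# the standard library; it stands in for the public/private scheme on the slide,
# so here the verifier must hold every process key.
KEYS = {"DID1": b"key-subsidiary-1", "DID4": b"key-consolidation",
        "DID7": b"key-intermediary"}

def _mac(prev_mac, did, txn):
    # Each crumb binds the process DID, the transaction and the previous crumb.
    msg = "|".join((prev_mac, did, txn.get("id"), txn.findtext("amount")))
    return hmac.new(KEYS[did], msg.encode(), hashlib.sha256).hexdigest()

def new_transaction(txn_id, amount):
    txn = ET.Element("transaction", id=txn_id)
    ET.SubElement(txn, "amount").text = amount
    ET.SubElement(txn, "controlPath")  # hypothetical path-recording tag
    return txn

def stamp(txn, did):
    """Called by process `did`: append its crumb to the carried path."""
    path = txn.find("controlPath")
    prev = path[-1].get("mac") if len(path) else ""
    ET.SubElement(path, "crumb", did=did, mac=_mac(prev, did, txn))

def verify_path(txn, expected=None):
    """Recompute every crumb in order; return (ok, reason)."""
    prev, seen = "", []
    for crumb in txn.find("controlPath"):
        did = crumb.get("did")
        if did not in KEYS:
            return False, f"unknown DID {did}"
        if not hmac.compare_digest(_mac(prev, did, txn), crumb.get("mac", "")):
            return False, f"crumb for {did} does not verify"
        prev = crumb.get("mac")
        seen.append(did)
    # A chain alone cannot show that trailing crumbs were dropped, so the
    # assurance station also compares against the path it expects.
    if expected is not None and seen != expected:
        return False, f"path {seen} differs from expected {expected}"
    return True, "ok"

if __name__ == "__main__":
    txn = new_transaction("TX-1001", "1250.00")  # constructed sample
    for did in ("DID1", "DID4", "DID7"):
        stamp(txn, did)
    print(ET.tostring(txn, encoding="unicode"))
    print(verify_path(txn, ["DID1", "DID4", "DID7"]))
```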
24
Information Control Tags
• Contain other control related information that could entail
– Organizational placement and hierarchies
– Reliability change related information
– Name of the DLA assuror, e.g. KPMG
– Outsource related agreements
25
Conclusions
• The balkanization of financial information distribution creates serious integrity concerns
• Control tags associated with XML derivative transactions can deal with many of these problems
• Substantial investments in the standards, their implementation into software, and their conceptualization must be made