Presented by: Andrew Simpson
Chief Operating Officer, CaseWare Analytics
Defense in Depth: The Role of Continuous Controls Monitoring in the Three Lines of Defense Model
CaseWare International
• Founded in 1988
• An industry leader in providing technology solutions for finance, accounting, governance, risk, and audit professionals
• Over 400,000 users of our technologies across 130 countries and 16 languages
• Customers include Fortune 500 and Global 500 companies
Agenda
• The Three Lines of Defense Model
• Continuous Controls Monitoring (CCM)
• Case Studies of CCM at Each Line of Defense
• Q & A
Drivers of Risk Management
Risk is high on the agenda for boards today due to:
• A focus on cost reduction
• A desire for added value
• An evolving regulatory environment
• Technological changes and availability of data
High Performers
Source: Experis, Top 5 Characteristics of a High Functioning Internal Audit Organization
Exploring Opportunity
• Improving returns through value-based management
• Enhancing capital allocation
• Protecting corporate reputation
Minimizing Business Uncertainty
• Achieving global best practices
• Understanding and evaluating business risks
• Understanding full range of risks facing business today
Managing Compliance and Crisis
• Complying with corporate governance standards
• Avoiding personal liability failure
• Owning company crisis
Where Do You Want to Be?
Risk-Based Audit Methodologies: THE THREE LINES OF DEFENSE MODEL
Three Lines of Defense Model
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41
The 1st Line of Defense
OPERATIONAL MANAGEMENT
• Own and manage risks
• Design and implement internal controls
• Responsible for maintaining effective controls
The 2nd Line of Defense
RISK MANAGEMENT & COMPLIANCE
• Help build and monitor first line of defense
• Ensure compliance with regulations
• Financial risks and reporting requirements
• Identify changes in risk appetite
The 3rd Line of Defense
INTERNAL AUDIT
• Provide senior management with assurance
• Monitor the effectiveness of the first and second lines of defense
• Independent
Coordinating the Three Lines
First Line of Defense: Risk Owners/Managers
• Operating management
Second Line of Defense: Risk Control and Compliance
• Limited independence
• Reports primarily to management
Third Line of Defense: Risk Assurance
• Internal audit
• Greater independence
• Reports to governing body
Risk-Based Analytics: CONTINUOUS CONTROLS MONITORING (CCM)
What Is CCM?
An audacious vision for CCM:
• Know the state of any control in the business
• Resolve identified breaches before impact
• Provide an unparalleled ROI
The Importance of Monitoring
COSO Guidance (effective controls systems must include monitoring)
Role of CCM
• Independent monitoring of automated and partially automated controls
• Continuous detection of breaches
• Transparency in detection and remediation
• Address IT concerns
• Collaborative approach to timely remediation
CCM at Each Line of Defense
• Effectively monitor internal controls at the 1st and 2nd lines of defense
• Allow the 3rd line of defense to be confident in its assurance role
• Create a remediation process that minimizes the impact of a control breakdown
• Provide evidence of due diligence for external auditors and regulators
Analytics in Action: CASE STUDIES OF CCM AT EACH LINE OF DEFENSE
The 1st Line of Defense
Enersource
• Canadian Energy Company since 1917
• Third largest in Ontario
• Over 200,000 residential and commercial customers
• Provides electrical infrastructure design, construction, operations support, and maintenance
Reputational Risks
Financial Risks
Verification of Bills
• Reputational risk is the primary concern
• Was using an in-house MS Excel system to verify the accuracy of bills
o Upgraded to smart meters in 2009
o Challenges
o Took 5 hours to process a batch of bills
o Exceptions manually circulated by email
o Impossible to track resolution
o Labor intensive to make changes
The CCM Solution
• Independently calculate bills and identify inaccuracies
• Extract data from other sources, not just the billing system
• Sent exceptions in XML format to the bill print system so that those bills are not printed
• Engaged users in the Billing Department to resolve issues
• Validate corrections made in core systems
• Maintain history of exceptions and actions taken to resolve them
Results
• Has not had a single public incident
• Accuracy of billing improved significantly
• Billing anomalies automatically distributed
• Bills verified in less than 5 minutes (not 5 hours)
• Bills sent out same day—improving cash flow
• Evidence retained for regulators/auditors
• Labor-intensive manual reviews were eliminated
The 2nd Line of Defense
Christie's Auction House
• Founded in 1766 by James Christie
• 53 offices in 32 countries
• Prices range from $200 to $80 million
Challenges
• Risk and compliance group mandated to review 100% of transactions
• Primary area of concern is client accounting
• Need to ensure that fees and charges are accurate
• Need to involve the business in timely remediation
The CCM Solution
• Implemented for 40 key controls
• Monitor transactions near real time
• Covering multiple locations (UK and New York)
• Phase I started in risk and compliance then rolled out to the business
Phase II—Customer Screening
• Important to meet regulatory requirements
• AML and KYC compliance
• Integrate with World-Check sanction list data for screening
The 3rd Line of Defense
Metcash
• A leading marketing and distribution company
• Operating in the grocery, liquor, and hardware wholesale industries
• Turnover of $12 billion
• 5,000+ employees
• Market cap $3.2 billion
Challenges
• Several disparate systems
• Many audit scripts
• Emailing exceptions in Excel
• SAP generating many exception reports
• Business struggling to cope
The CCM Solution
• All analytics built in-house by CM Team
• Covered 30 key controls to start
• CCM implemented for Purchase to Payment in Phase I
• Expanded to the retail business processes in Phase II
• Adopted as central exception management system (including SAP reports)
Results
• Started in internal audit
• Rolled out to business users
• Use action/reason codes to facilitate root cause analysis
• Daily examination of processes
• First-year results:
o 5.5 billion transactions covered
o $1.8 million in savings
Conclusion
• Internal control effectiveness is positively impacted by collaboration
• That covers collaboration at all three levels
• CCM is a compelling vehicle to facilitate a collaborative process
Contact
Andrew Simpson
Chief Operating Officer
CaseWare Analytics
613.824.9233 ext. 2144