June 1, 2001
A Continuous Assurance Platform using SAP
G. Paolo Voarino
Objective
The Bipop Internal Auditing System aims to provide Management and Stakeholders with qualitative and quantitative assurance of reliability of financial and operating information relating to the corporate operating environment.
Principles
Internal Control System (ICS) at Bipop:
a) An Internal Control System based on a general theoretical model and a robust data infrastructure must be maintained;
b) All line controls, including accounting practices, must be integrated in documented µprocesses, which are communicated over the internet;
c) The four-eyes principle (4-Augen-Prinzip) must be applied according to predefined criteria;
d) All risks must be measured and integrated with the µprocesses system;
e) All limits must be related to quantified risks and administrated accordingly;
f) ICS information must be continuously assured and communicated over the internet to Process Owners, Users, and Stakeholders (including Supervisors), by means of specialized views (on a need-to-know basis).
Criteria
1. The ICS must be regularly submitted to Extended to risk Process Auditing (EPA); for µprocesses with higher risks, monitoring and auditing action should be continuous;
2. The four-eyes principle (4-Augen-Prinzip) must be applied both within senior management processes and by activating conflicting duties when feasible;
3. The risk management process is realized with top-down models for market-interest rate risk (partially for credit risk) and with a bottom-up approach for operational and credit risk;
4. Limits will have to be fixed on a risk basis and revised annually upon EPA and loss accounting results;
5. All permanent µprocesses must be grouped into an operating manual (TUNE©), which also covers ICS processes, including risk management. TUNE© is communicated on the web;
6. Each µprocess includes a Process Owner risk assessment and at least one audit trail, which, not only for accounting transactions, must allow all reconciliations and synthetic information to be traced back;
7. The statistical information provided to Supervisors, to senior management and to stakeholders (KPIs, i.e. Key Performance Indicators) can be assured by the auditing performed on related risk indicators (RAIs, i.e. Risk Analytical Indicators) within µprocesses.
Service-Level Agreements (SLA)
The consolidated ICS is subject to an EPA action aiming to assure within all µprocesses:
1. Compliance;
2. Availability of assigned resources, including back-up and recovery activities;
3. Security, including privacy;
4. Integrity;
5. Maintainability, including system scalability;
6. Auditability.
Basel Committee Operational Risk at Bipop
Foundations;
Internal Control System;
Bipop Continuous Assurance Process;
Risk management process;
Capital buffer.
Basel Committee Operational Risk Internal Control System at Bipop
Level 0, automated controls;
Level 1, line controls;
Level 2, risk controls (KPIs, RAIs, POIs);
Level 3, internal auditing controls (EPA);
Level 4, Supervisory controls.
Basel Committee Operational Risk BiCAP (Bipop Continuous Assurance Process)
Operational Risk Management Process as part of BiCAP;
On Feb 28, 2001, the Bipop-Carire Board of Directors stated the general rules for risk tolerances, boundaries, and limits, which will soon be specified and administrated using the automated platforms set forth for risk control processes (e.g. VAR, Internal Ratings, Internal Measurement Approach).
Basel Committee Operational Risk Operational Risk Management Process
Self-assessment of all risks;
Validation;
Quantification;
Assurance=Insurance (A=I) Project and Partners;
Operational Risk Indicators;
Risk authorities/limits;
Loss Log©/Claims Log;
Information hub.
Basel Committee Operational Risk Capital Buffers
the Loss Database (Loss Log©);
the Pooled Internal Loss Database;
the Public External Loss Data
gross risk unit values.
KPIs, RAIs, POIs concepts are linked to their mathematical relevance.
Key Performance Indicators (KPIs), requested by Supervisors and Stakeholders, are part of BiCAP. Their relevance is linked to Supervisor’s authority;
Risk Analytical Indicators (RAIs, i.e. mathematical derivative concept computed on µprocess-risk cells) are supported by audit trails and subject to EPA;
Process Owner Indicators (POIs), based on historical experience, are part of BiCAP. Their relevance is linked to the PO’s Budget ($).
[Figure: objectives ("Obiettivi") and reliability factors. Labels: Auditing (Medium, Internal Auditor); µprocess Assessment (Low, Process Owner); Continuous Assurance (High, SAP BW).]
General Architecture
Base elements
The Risk Indicators model for data analysis is based on the 1st level Operational Data Store (ODS).
The ODS was developed so that all attributes of all historical analyses can always be retrieved (auditability).
The Persistent Staging Area (PSA) is a structure for permanently storing all flat file data in the system.
All data are normalized and formally correct.
[Diagram labels: Flat files, PSA, ODS, ODS 2nd level, INFOCUBE]
Data Target
Normalized data are consolidated in the 1st level ODSs.
They are then aggregated in 2nd level ODSs.
The last step is the generation of InfoCubes, where Indicators are created.
Inside InfoCubes, data are tailored, resident and consistent.
[Diagram labels: 1st Level ODS - MANDATI; 1st Level ODS - MOVIMENTI; 2nd Level ODS; Mandati Movimenti Cdg-Clienti Promotori Cdg; Anagrafiche; indicator numbers 07 08 09 14 15]
Indicators
[Diagram: 2nd Level ODS feeding indicators numbered 04 to 18]
Customers with at least 5 PACs subscribed
Mandates with an initial subscription of at least 20 installments
Mandates with other PACs suspended, subscribed, or with shared CDGs
Mandates suspended or redeemed
Subscriber age, or multiple mandates per fund
Switch transactions and transactions with unpaid RIDs
[Figure: SAP BW architecture. Stages: Populating, Data Modeling, Information Modeling, Information Accessing. Sources: Legacy & External Data; External Data or Information Provider; Applications (Financials, Logistics, Human Capital, Supply Chain, Customer Relationship, BBP, ...). Components: Extraction, ETL Tools, Master Data, Meta Data, PSA (Persistent Staging Area), Cleansing & Transformation, Business Rules, BW Operational Data Store (ODS Objects), InfoCubes, Granularity, Integration. Consumers: Portals, Analytical Applications, Supply Chain Intelligence, Customer Relationship Intelligence, Enterprise Intelligence, 3rd Party Access. Services: Scheduling, Monitoring, Change Management, Service Management, Information Distribution.]
Continuous Assurance
auditable RAIs based on µicroprocess (TUNE) using the META DATA tools:
Why SAP?