
June 1, 2001

A Continuous Assurance Platform using SAP

G. Paolo Voarino


Objective

The Bipop Internal Auditing System aims to provide Management and Stakeholders with qualitative and quantitative assurance of the reliability of financial and operating information relating to the corporate operating environment.


Principles

Internal Control System (ICS) at Bipop:

a) An Internal Control System based on a general theoretical model and a robust data infrastructure must be maintained;

b) All line controls, including accounting practices, must be integrated in documented µprocesses (micro-processes), which are communicated over the internet;

c) The four-eyes principle (Vier-Augen-Prinzip) must be applied according to predefined criteria;

d) All risks must be measured and integrated with the µprocess system;

e) All limits must be related to quantified risks and administered accordingly;

f) ICS information must be continuously assured and communicated over the internet to Process Owners, Users, and Stakeholders (including Supervisors), by means of specialized views (on a need-to-know basis).


Criteria

1. The ICS must be regularly submitted to Extended Process Auditing (EPA, process auditing extended to risk); for µprocesses with higher risks, monitoring and auditing action should be continuous;

2. The four-eyes principle must be applied both within senior management processes and by activating conflicting duties (segregation of duties) where feasible;

3. The risk management process is realized with top-down models for market and interest-rate risk (partially for credit risk) and with a bottom-up approach for operational and credit risk;

4. Limits will have to be fixed on a risk basis and revised annually upon EPA and loss-accounting results;

5. All permanent µprocesses must be grouped into an operating manual (TUNE©), covering also ICS processes, including risk management. TUNE© is published on the web;

6. Each µprocess includes a Process Owner risk assessment and at least one audit trail, which must make it possible to trace back all reconciliations and summary information, not only for accounting transactions;

7. The statistical information provided to Supervisors, senior management and stakeholders (KPIs, i.e. Key Performance Indicators) can be assured by the auditing performed on the related risk indicators (RAIs, i.e. Risk Analytical Indicators) within µprocesses.
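Criteria 2 and 6 describe a four-eyes approval with conflicting duties and an audit trail that supports trace-back. The following is an added example, not code from the slides or from Bipop's platform, of how such a control can be enforced in software. The µprocess names, roles and users are assumptions, and the hash-chaining of the trail is a standard tamper-evidence technique added here to make the audit trail verifiable; the deck only requires that a trail exist.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Hypothetical segregation-of-duties table: which role may initiate and which may
# approve each µprocess. Process and role names are assumptions, not from the slides.
SOD_POLICY = {
    "payment_release": {"initiator": "treasury_clerk", "approver": "treasury_manager"},
    "limit_override":  {"initiator": "trader",         "approver": "risk_control"},
}


@dataclass
class FourEyesEngine:
    users: dict                                   # user id -> role
    pending: dict = field(default_factory=dict)   # tx id -> open transaction
    trail: list = field(default_factory=list)     # append-only audit trail

    def _log(self, **event) -> None:
        """Append a hash-chained entry: each entry commits to the previous entry's hash."""
        prev = self.trail[-1]["hash"] if self.trail else "0" * 64
        entry = {"seq": len(self.trail), "prev": prev, **event}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.trail.append(entry)

    def initiate(self, tx_id: str, process: str, user: str, amount: int) -> bool:
        """First pair of eyes: only the initiator role of the µprocess may open a transaction."""
        policy = SOD_POLICY.get(process)
        if policy is None or tx_id in self.pending or self.users.get(user) != policy["initiator"]:
            self._log(action="initiate", tx=tx_id, user=user, process=process, result="rejected")
            return False
        self.pending[tx_id] = {"process": process, "initiator": user, "amount": amount}
        self._log(action="initiate", tx=tx_id, user=user, process=process, amount=amount, result="ok")
        return True

    def approve(self, tx_id: str, user: str) -> bool:
        """Second pair of eyes: a different person, in the conflicting (approver) role."""
        tx = self.pending.get(tx_id)
        if tx is None:
            reason = "unknown or already closed transaction"
        elif user == tx["initiator"]:
            reason = "self-approval"            # the four-eyes violation
        elif self.users.get(user) != SOD_POLICY[tx["process"]]["approver"]:
            reason = "conflicting duty"         # same side of the process, or no approval right
        else:
            reason = None
        if reason:
            self._log(action="approve", tx=tx_id, user=user, result="rejected", reason=reason)
            return False
        del self.pending[tx_id]
        self._log(action="approve", tx=tx_id, user=user, initiator=tx["initiator"], result="ok")
        return True

    def verify_trail(self) -> bool:
        """Recompute the chain; any edited, dropped or reordered entry breaks it."""
        prev = "0" * 64
        for i, entry in enumerate(self.trail):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


if __name__ == "__main__":
    # Constructed users: alice and carol share a role, bob holds the conflicting one.
    engine = FourEyesEngine(users={"alice": "treasury_clerk", "bob": "treasury_manager",
                                   "carol": "treasury_clerk", "dave": "trader"})
    engine.initiate("T1", "payment_release", "alice", 1000)
    for approver in ("alice", "carol", "dave", "bob"):
        print(approver, "approve T1 ->", engine.approve("T1", approver))
    print("trail intact:", engine.verify_trail())
```

The rejection reasons are logged rather than only returned, so an EPA review can see attempted self-approvals and role violations, not just the transactions that went through.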


Service-Level Agreements (SLA)

The consolidated ICS is subject to an EPA action aiming to assure within all µprocesses:

1. Compliance;

2. Availability of assigned resources, including back-up and recovery activities;

3. Security, including privacy;

4. Integrity;

5. Maintainability, including system scalability;

6. Auditability.


Basel Committee Operational Risk at Bipop

Foundations;

Internal Control System;

Bipop Continuous Assurance Process;

Risk management process;

Capital buffer.


Basel Committee Operational Risk Internal Control System at Bipop

Level 0, automated controls;

Level 1, line controls;

Level 2, risk controls (KPIs, RAIs, POIs);

Level 3, internal auditing controls (EPA);

Level 4, Supervisory controls.


Basel Committee Operational Risk BiCAP (Bipop Continuous Assurance Process)

Operational Risk Management Process as part of BiCAP;

On Feb 28, 2001 the Bipop-Carire Board of Directors stated the general rules for risk tolerances, boundaries, and limits, which will soon be specified and administered using the automated platforms set forth for the risk control processes (e.g. VaR, Internal Ratings, Internal Measurement Approach).


Basel Committee Operational Risk Operational Risk Management Process

Self-assessment of all risks;

Validation;

Quantification;

Assurance=Insurance (A=I) Project and Partners;

Operational Risk Indicators;

Risk authorities/limits;

Loss Log©/Claims Log;

Information hub.


Basel Committee Operational Risk Capital Buffers

the Loss Database (Loss Log©);

the Pooled Internal Loss Database;

the Public External Loss Data;

gross risk unit values.


The KPI, RAI and POI concepts are linked to their mathematical relevance.

Key Performance Indicators (KPIs), requested by Supervisors and Stakeholders, are part of BiCAP. Their relevance is linked to the Supervisor's authority;

Risk Analytical Indicators (RAIs, i.e. a mathematical derivative concept computed on µprocess-risk cells) are supported by audit trails and subject to EPA;

Process Owner Indicators (POIs), based on historical experience, are part of BiCAP. Their relevance is linked to the PO's budget ($).


Continuous Assurance

[Figure: positioning of the Continuous Assurance platform. Axes: µprocess assessment (Low to High) versus auditing (Medium). Actors: Internal Auditor and Process Owner; platform: SAP BW; labels: Objectives, Reliability factors.]


General Architecture

The base elements of the Risk Indicators model for data analysis are the 1st-level Operational Data Store (ODS).

The ODS was developed so that all attributes of all historical analyses can always be retrieved (auditability).

The Persistent Staging Area (PSA) is a structure for storing all flat-file data permanently in the system.

All data are normalized and formally correct.

[Figure: data flow Flat files -> PSA -> 1st-level ODS -> 2nd-level ODS -> InfoCube.]


Data Target

Normalized data are consolidated in the 1st-level ODSs.

They are then aggregated in 2nd-level ODSs.

The last step is the generation of InfoCubes, where the Indicators are created.

Inside InfoCubes, data are tailored, resident and consistent.

[Figure: 1st-level ODS objects MANDATI (mandates; the figure lists indicator numbers 07 08 09 14 15 beside it), MOVIMENTI (movements) and Anagrafiche (master data); 2nd-level ODS objects Mandati, Movimenti, Cdg-Clienti, Promotori, Cdg.]


Indicators

[Figure: indicator numbers 04 to 18 mapped onto the 2nd-level ODS objects, grouped as 04; 05 06; 07; 08 09; 10; 11 12 13; 14; 15; 16 17; 18.]

Indicator families (translated from Italian):

14: Clients with at least 5 PACs (accumulation plans) subscribed;

18: Mandates with an initial subscription of at least 20 instalments;

Mandates with other PACs suspended, subscribed, or with common CDG;

Mandates suspended or redeemed;

Subscriber age, or more than one mandate per fund;

Switch transactions and transactions with unpaid RID (direct debits).
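The PSA -> 1st-level ODS -> 2nd-level ODS -> InfoCube chain of the General Architecture and Data Target slides, carried through to a few of the indicators above, as an added example in Python (not the SAP BW implementation and not code from the deck). The flat-file extracts, field names and every threshold except the 20 instalments are constructed. What it shows is the auditability requirement: each indicator value keeps the PSA keys of the raw lines it was computed from, so it can be traced back verbatim, and rows that are not formally correct are rejected at normalization and reported rather than silently dropped, while the PSA still holds the raw line.

```python
from collections import defaultdict

# Constructed sample extracts (not data from the slides). Field names are assumptions
# modelled on the ODS objects the deck names: MANDATI (mandates) and MOVIMENTI (movements).
MANDATI_FLAT = """mandato_id;cliente_id;fondo;rate_iniziali;stato
M001;C1;F_EQ;24;attivo
M002;C1;F_BOND;12;sospeso
M003;C2;F_EQ;36;attivo
M004;C2;F_EQ;20;attivo
M005;C3;F_MIX;6;rimborsato
M006;C3;F_MIX;x;attivo"""  # last row is deliberately malformed (non-numeric instalments)

MOVIMENTI_FLAT = """mov_id;mandato_id;tipo;rid_esito
V001;M001;rata;pagata
V002;M001;switch;pagata
V003;M002;rata;insoluta
V004;M003;rata;pagata
V005;M004;rata;insoluta
V006;M004;switch;pagata"""


def load_psa(source, text):
    """PSA: keep every raw line verbatim under a stable key (source:line_no)."""
    lines = text.splitlines()
    header = lines[0].split(";")
    return {f"{source}:{n}": {"raw": line, "fields": dict(zip(header, line.split(";")))}
            for n, line in enumerate(lines[1:], start=1)}


def build_ods1(psa, int_fields=("rate_iniziali",)):
    """1st-level ODS: normalized, type-checked rows, each carrying the PSA key it came from.
    Rows that are not formally correct are excluded and returned separately for audit."""
    ods, rejects = [], []
    for key, rec in psa.items():
        row = dict(rec["fields"])
        try:
            for f in int_fields:
                if f in row:
                    row[f] = int(row[f])
        except ValueError:
            rejects.append(key)
            continue
        row["lineage"] = {key}
        ods.append(row)
    return ods, rejects


def build_ods2(mandati, movimenti):
    """2nd-level ODS: one aggregated row per mandate with its movements folded in.
    Lineage becomes the union of every PSA key that contributed to the row."""
    by_mandate = {m["mandato_id"]: {**m, "n_switch": 0, "n_rid_insolute": 0} for m in mandati}
    orphans = []
    for v in movimenti:
        agg = by_mandate.get(v["mandato_id"])
        if agg is None:
            orphans.append(sorted(v["lineage"]))  # movement without a mandate: a reconciliation break
            continue
        agg["n_switch"] += int(v["tipo"] == "switch")
        agg["n_rid_insolute"] += int(v["rid_esito"] == "insoluta")
        agg["lineage"] = agg["lineage"] | v["lineage"]
    return list(by_mandate.values()), orphans


def build_infocube(ods2, min_rate=20):
    """InfoCube: indicator values, each with the lineage needed to trace it back to the PSA."""
    def indicator(rows, value=None):
        lineage = set().union(*(r["lineage"] for r in rows)) if rows else set()
        return {"value": len(rows) if value is None else value, "lineage": sorted(lineage)}

    per_fund = defaultdict(list)
    for r in ods2:
        per_fund[(r["cliente_id"], r["fondo"])].append(r)
    multi = [r for rows in per_fund.values() if len(rows) > 1 for r in rows]
    return {
        "mandates_initial_instalments_ge_min": indicator([r for r in ods2 if r["rate_iniziali"] >= min_rate]),
        "mandates_suspended_or_redeemed": indicator([r for r in ods2 if r["stato"] in ("sospeso", "rimborsato")]),
        "mandates_with_unpaid_rid": indicator([r for r in ods2 if r["n_rid_insolute"] > 0]),
        "mandates_with_switch": indicator([r for r in ods2 if r["n_switch"] > 0]),
        "clients_more_than_one_mandate_per_fund": indicator(multi, value=len({r["cliente_id"] for r in multi})),
    }


def trace_back(cube, psa, name):
    """Audit trail: the verbatim source lines behind one indicator value."""
    return [psa[k]["raw"] for k in cube[name]["lineage"]]


def run_pipeline():
    psa = {**load_psa("MANDATI", MANDATI_FLAT), **load_psa("MOVIMENTI", MOVIMENTI_FLAT)}
    mandati, rej_m = build_ods1({k: v for k, v in psa.items() if k.startswith("MANDATI")})
    movimenti, rej_v = build_ods1({k: v for k, v in psa.items() if k.startswith("MOVIMENTI")})
    ods2, orphans = build_ods2(mandati, movimenti)
    return build_infocube(ods2), psa, rej_m + rej_v, orphans


if __name__ == "__main__":
    cube, psa, rejects, orphans = run_pipeline()
    for name, ind in cube.items():
        print(f"{name}: {ind['value']}  <- {len(ind['lineage'])} source lines")
    print("rejected at normalization:", rejects, " orphan movements:", orphans)
    print(trace_back(cube, psa, "mandates_suspended_or_redeemed"))
```

The lineage attached to an indicator is that of the whole aggregated row, not only of the attribute the indicator tested; for an auditor that is the useful unit, because it is the row as reconciled that the indicator was computed on.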


Data Flow Mandati

[Figure: data flow by ODS object for the MANDATI (mandates) data.]


[Figure: SAP BW general architecture, read left to right. Sources: Legacy & External Data, External Data or Information Provider, Master Data, Meta Data. Populating: Extraction through ETL Tools into the PSA (Persistent Staging Area). Data Modeling: BW Operational Data Store (ODS Objects), with Business Rules, Cleansing & Transformation, Granularity and Integration. Information Modeling: InfoCubes. Information Accessing: Portals, Analytical Applications, Supply Chain Intelligence, Customer Relationship Intelligence, Enterprise Intelligence, 3rd Party Access; application areas Financials, Logistics, Human Capital, Supply Chain, Customer Relationship, BBP, .... Cross-cutting services: Scheduling, Monitoring, Change Management, Service Management, Information Distribution.]

Why SAP?

Continuous Assurance: auditable RAIs based on µprocesses (TUNE), using the META DATA tools: