Risk & Continuous Controls Monitoring: How to implement issue remediation workflows the business will love

Jason A. Gross, CPA, CIA, CFE, CISA, ACDA

Vice President, Controls Management, Siemens Financial Services, Inc.

Robert Luu

Senior Solutions Consultant, ACL

Presenters

Jason A. Gross, CPA, CIA, CFE, CISA, ACDA

Vice President, Controls Management, Siemens Financial Services, Inc.

Robert Luu, ACDA

Senior Solutions Consultant, ACL

Agenda

Methodologies and Concepts Supporting Continuous Controls Monitoring (CCM)

Strategies for Implementing a Successful CCM Program

Use of ACL Technology in Developing and Sustaining Issue Workflow Resolution

Q & A

Methodologies & Concepts Supporting CCM

Elevating the Level of Control Assurance

Limited Assurance
• Self Assessments
• Periodic reviews
• Interview based w/o testing

Absolute Assurance

No such thing as absolute assurance; ‘Continuous’ techniques can move the needle as far as possible

Reasonable Assurance
• Internal control testing
• SOX testing
• Internal audits
• External audits

Opportunity to Elevate Control Assurance Level
• Continuous Monitoring
• Continuous Auditing
• Continuous Assurance

How to elevate the level of control assurance?

Manual Sample Testing (Audit Risk, Sampling Risk, Materiality): Lowers Control Assurance

Automated Universe Monitoring (Audit Risk, Sampling Risk, Materiality): Raises Control Assurance

Process Flow of a Continuous Controls Monitoring (CCM) Program

1. Data imported from source systems into ACL Analytics or Exchange
2. ACL Data Analytics evaluate against established rules and criteria (policies, guidelines, etc.)
3. Exception alerts identified, generated and routed to process and control owners
4. Correction of errors performed by owners in the source systems
5. ACL CCM system validates accuracy of corrections

3 Key Techniques of Continuous Monitoring

• Specific Identification/Rules Based
• Trending and patterns
• Heuristic and predictive

Chart axes: Anticipated Level of Sophistication; Potential for False Positives

Careful consideration of the mix to satisfy targeted objectives!

Continuous Assurance Attributes

• Change Management
• Trending & Analysis
• Authorization
• Data Completeness
• Table Maintenance
• Edit Checks
• Calculation Verification
• Data Integrity

CCM Control Types

CCM Program
• Detective Control
• Corrective Control
• Preventative Control

How Can CCM Become a Preventative Control?

Detect Errors in Sub-Ledger

Correct Errors in Sub-Ledger

Prevent Misstatements to General Ledger

Improving the controls in the Accounting Closing Process:

Timeline: Daily, Daily, Daily, Month-End

Reduce Need for Correcting Journal Entries

Strategies for Implementing a Successful CCM Program

Foundational Pillars Enabling Continuous Assurance

• People
• Process
• Technology
• Cultural Awareness

Continuous Monitoring

Continuous Auditing

Continuous Assurance

Build the Bridge to Continuous Assurance

Continuous Assurance

• Sponsorship
• Strategy
• Partnership
• Coordination
• Technology Integration
• Communication
• Oversight

Continuous Monitoring

• Owned by Management

• Is a Management activity

• May be preventive, detective and corrective in nature

• CM is a control itself

Continuous Auditing

• Owned by Internal Audit

• Is an Audit activity and responsibility

• Independent of the control; therefore should not be preventive in nature

• IA should evaluate CM activities, trending and change management

Continuous Assurance

Built upon the integration of continuous monitoring and continuous auditing

ACL CCM Program at Siemens Financial Services, Inc.

• CCM Program implemented in 2010; currently 100+ users and ~300 analytics running daily, covering financial reporting, operational, IT and compliance topics
• Proven instrumental to remediation solutions of deficiency topics of the past with quick implementation
• Demonstrated as an effective detective control to identify errors, but also as a preventative mechanism to ensure errors are corrected before month-end accounting closing
• Utilized in SOX/ICFR program & by External Audit in their audits

Timeline of our Journey Towards Continuous

Timeline axis: 2002, 2004, 2008, 2010, 2012, 2014, 2016, 2018

Level of Assurance: Good, Better, Ideal

CCM Maturity Model

Ad-hoc

Repeatable

Sustainable

Use of ACL Technology in Developing and Sustaining Issue Workflow Resolution

Our ACL CCM Implementation

ACL Analytics
• CCM engine
• Importing of systems data
• Performance of analytics

ACL Analytics Exchange (AX)
• Scheduling of the ACL routine

ACL Results
• Website
• Repository of exceptions and alerts
• Workflow management
• Triggers
• Questionnaires

Fundamental Steps of the CCM Program

1. Import Data from Source Systems into ACL Analytics
2. Perform JOINs and EXTRACTs
3. Perform Data Analytics
4. Publish Exceptions to Results Manager
5. Perform Publishing Reconciliations
6. NOTIFY Control Owners of New Exceptions
7. Auto Close Remediated Exceptions

Key Concepts for Continuous Monitoring (e.g. Daily):
• Imports of source data used in analytics are required each day to re-analyze the data
• Establish a means of discerning data between different days using variables
• Each table name ends with a 3-digit Run #: Today = %v_RUN_SEQ_T%
• Establish consistent naming conventions for tables and paths for storing data
• Use SET FOLDER to organize the ACL project and keep tables organized by Run #
• SET FOLDER /CCM_RUN_SEQ_%v_RUN_SEQ_T%/A_IMPORTS_SAP_%v_RUN_SEQ_T%

Key Concepts for Continuous Monitoring (e.g. Daily):

• Aggregate data into large extract tables to offer the most flexibility for analytics to use as a base
• Invest more effort in holistic extract tables for quicker access to analytics
• Maintain the principle of appending each table with Run #: Today = %v_RUN_SEQ_T%

EXTRACT_TABLE_1 (base for Analytic#1, Analytic#2, Analytic#3)

Standard ACL Processes
• Source Import Tables: IMPORT_TABLE_1, IMPORT_TABLE_2, IMPORT_TABLE_3, IMPORT_TABLE_4
• Extract Tables (EX_): EX_TABLE_1, EX_TABLE_2
• Daily Testing Tables (PZ_), Universe Being Tested: PZ_Analytic1_852
• RX_Analytic1_852: Total Exceptions
• RC_Analytic1_852: Total Clean
• RX + RC = 100%

Adaptation to CCM processes (3-way comparison)
• PZ_Analytic1_852 (Today)
• PZ_Analytic1_851 (Yesterday)
• PI_Analytic1_852: Publish=“YES” to Results!
• PPP_Results_Analytic1_852 (Today)

Determines what needs to be published to Results:
• New exceptions for Today
• Improperly Closed Exceptions from Results
• Does not re-publish same Open items in Results

Use Standard Scripts to Assign Unique ExceptionIDs to All Exceptions:

Use Standard Scripts to flag Exceptions needing to be published to Results:

Status Codes
• Improper Closure; Must re-publish
• New Exception; Must re-publish

How to Import Exceptions from Results into ACL Analytics

Import metadata for status and publish information as well as key fields for data to perform 3-way comparison!

How to Export Exceptions to Results from ACL Analytics:

Two reconciliations are performed each day:

1) Ensures all of today’s exceptions were properly published in Results

2) Cumulative reconciliation ensures all unresolved exceptions are still open in Results

>> Improper closures will re-publish!

Various methods are possible to notify Analytic Owners of New Exceptions:

1. GRC Notifications and Custom Triggers

2. NOTIFY command within AN

Each day, the CCM Program examines all open exceptions on Results and auto-closes those that have been resolved (no longer exceptions from the analytic).

Each day, Exceptions deemed corrected by the 3-way compare are flagged with AC/DC Status and AC/DC Comments and re-exported from AN to Results so that these fields are ‘refreshed’ for the ExceptionID. A Trigger then automatically closes the Exceptions!
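
The daily 3-way comparison, the publishing reconciliations and the auto-close step described above, sketched in Python as an added example; it is not the presenters' ACL scripts. The OPEN/CLOSED states, the two labels marked as assumed, the function names and the sample keys are assumptions, since the slides do not give the exact matching logic.

```python
# Added example. Labels marked "assumed" and all sample keys are constructed.
NEW = "New Exception; Must re-publish"           # wording from the slide
IMPROPER = "Improper Closure; Must re-publish"   # wording from the slide
OPEN_ALREADY = "Already open; not re-published"  # assumed label
AUTO_CLOSE = "Remediated; auto-close"            # assumed label


def three_way_compare(today, yesterday, results):
    """today, yesterday: sets of exception keys from the two daily runs.
    results: {key: "OPEN" | "CLOSED"} as imported from the workflow tool."""
    decisions = {}
    for key in today:
        state = results.get(key)
        if state is None:
            decisions[key] = NEW
        elif state == "CLOSED":
            decisions[key] = IMPROPER      # closed in Results, but the test still fails
        else:
            decisions[key] = OPEN_ALREADY
    for key, state in results.items():
        if state == "OPEN" and key not in today:
            decisions[key] = AUTO_CLOSE    # the analytic no longer raises it
    # Improper closures that also failed yesterday persisted across both runs.
    carried = {k for k, d in decisions.items() if d == IMPROPER and k in yesterday}
    return decisions, carried


def publish_and_reconcile(today, results, decisions):
    """Apply the decisions to a copy of Results, then reconcile against today."""
    after = dict(results)
    for key, decision in decisions.items():
        if decision in (NEW, IMPROPER):
            after[key] = "OPEN"
        elif decision == AUTO_CLOSE:
            after[key] = "CLOSED"
    is_open = {k for k, s in after.items() if s == "OPEN"}
    missing = today - is_open  # live exceptions that are not open in Results
    stale = is_open - today    # open items the analytic no longer raises
    return after, missing, stale


# Constructed sample data for one analytic.
YESTERDAY = {"INV-1001", "INV-1002", "INV-1003"}
TODAY = {"INV-1001", "INV-1003", "INV-1004"}
RESULTS = {"INV-1001": "OPEN", "INV-1002": "OPEN", "INV-1003": "CLOSED"}

if __name__ == "__main__":
    decisions, carried = three_way_compare(TODAY, YESTERDAY, RESULTS)
    for key in sorted(decisions):
        print(key, "->", decisions[key])
    print("reconciliation gaps:", publish_and_reconcile(TODAY, RESULTS, decisions)[1:])
```

A non-empty `missing` set after publishing means an exception was dropped or closed without being fixed, which is the condition the daily reconciliations exist to catch.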

Return on Investment (ROI) with ACL

Control Assurance:
• Converted ~30% of manual SOX/ICFR controls to automated controls via the CCM Program (97 analytics)
• CCM controls drive a higher degree of control precision by removing sampling risk (population testing & monitoring)
• Daily CCM identifies exceptions before they impact the financial reporting at EOM
• Controls monitoring is possible in an automated and comprehensive fashion
• Proves that controls are working while at the same time illustrating exceptions to be remediated

Process Improvement:
• Process owners utilize CCM analytics that prevent issues (i.e. pre-bill verification before loading IT system)
• The CCM analytic becomes an automated control replacing manual controls
• SOX/ICFR Program saving hundreds of hours of avoided testing of manual controls (ACL analytic ‘test of one’)
• External and internal audit reliance on analytics saving valuable audit hours

Next Steps in our Journey

Developing Questionnaires Guided by Triggers for Enhancing Workflows

Questionnaire responses populate Exception tables for driving Analysis and Triggered Actions…

Fields from the Questionnaire…

Siemens Financial Services, Inc. in AICPA Publication

Case Study A: Developing Continuous Assurance at Siemens

Siemens has been recognized in the CCM community by Rutgers University & AICPA as noted in the Case Study published by the AICPA

Source:

http://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/auditanalytics_lookingtowardfuture.pdf#page=172

Questions

Thank You!

Jason A. Gross, CPA, CIA, CFE, CISA, ACDA


Robert Luu, ACDA
