Overcoming Small Department Challenges, Session G4, Wednesday, April 30th, 2014, 10:45 – 11:45, David Fernandes: Implementing ACL - A Strategy For Success

Super Strategies 2014 ACL Presentation


Overcoming Small Department Challenges

Session G4

Wednesday, April 30th, 2014

10:45 – 11:45

David Fernandes

Implementing ACL - A Strategy For Success

ACL Workpapers & GRC Project

Case Study

Implementing ACL - A Strategy For Success

Session G4 Slide # 2

TOPICS

YOUR EXPECTATIONS

GOALS & CHALLENGES

ACL WORKPAPERS

GRC OVERVIEW

ACL RISK OVERVIEW

Q&A

Implementing ACL - A Strategy For Success

Session G4 Slide # 3

YOUR EXPECTATIONS

How many in Audit Department? < 5, < 10

What are you using now? Excel / Word / TeamMate

What do you want to accomplish with a Workpapers / GRC solution?

When do you want to have a Workpapers / GRC solution in place?

Session G4 Slide # 4

Implementing ACL - A Strategy For Success

• Fraud Detection

• Segregation of Duties

• Automation of Data Mining

• Compliance Issues

• Regulatory Issues

• Commission Payments

But wait…there is more ……

• Identify fraud, misuse, and errors

• Identify compliance issues

• Flag exceptions in real time

• Automate manual processes for continuous monitoring

What issues do you want to solve ??

Session G4 Slide # 5

Implementing ACL - A Strategy For Success

TOPICS

YOUR EXPECTATIONS

GOALS & CHALLENGES

ACL WORKPAPERS

GRC OVERVIEW

ACL RISK OVERVIEW

Q&A

Session G4 Slide # 6

Implementing ACL - A Strategy For Success

Goals - Do More - With Less

Develop a framework for assessing different levels of audit analytic techniques and associated benefits.

Define progressive levels to evolve its use of Data / Business Analytics.

Identify the building blocks: People, Process and Technology that must be in place to optimize benefits.

Understand, plan and communicate design criteria to achieve timely implementation.

Establish a proactive and comprehensive view for effective ERA and ERM.

Session G4 Slide # 7

Goals & Challenges

Process / Location | Revenue & Receivables | Purchasing & Payables | Inventory | HR & Payroll | Fixed Assets | Financial Close & Reporting | SEC | Equity & Treasury | Taxes | Entity Level Controls | IT General Controls | TOTAL

Chelmsford: 16 8 17 10 12 15 7 15 18 32 17 167

Colorado: 2 1 3 2 1 9

Petaluma: 2 1 3 2 1 9

Jena: 9 7 11 5 11 2 3 48

Korea: 7 4 4 5 2 1 23

Poway: 9 7 11 5 11 2 45

Manchester: 9 7 11 5 11 2 3 48

Japan: 8 5 5 5 2 3 28

Taiwan: 2 2 3 5 4 2 18

TOTAL: 64 42 68 44 47 29 7 27 18 32 17 395

Session G4 Slide # 8

Goals & Challenges

BLSS - Manchester Revenue - 2013 SOX CYCLE CONTROLS

Columns: Section | Control Objective | 2013 Control Activity | Control Owner | Control Frequency | Control Type | Manual / System | Population Sample / Ratio | Test Reference Tab # Name | Rollforward Test Status

Section: New Customers

Control Objective: Authorization is required prior to setting up or modifying customer account within the ERP system.

2013 Control Activity (R&R CA 01):

A- All new customer accounts must be approved for credit & have an account set up in system before any work commences or shipments are made.

B- The AR department assesses customer credit worthiness for new & existing customers at time of PO receipt / acceptance. Credit personnel perform the initial assessment, but obtain the applicable approvals based upon the Credit Limit Matrix. Additionally, credit personnel may solicit input from Manager of Credit & Collections and/or Corporate Controller in assessing credit worthiness.

Control Owner: Stephen Hurst

Control Frequency: Daily

Control Type: Detective

Manual / System: Manual

Population Sample / Ratio: 0

Test Reference Tab # Name: R&R CA 01

Rollforward Test Status: N/A

Section: Customer Purchase Order

Control Objective: Customer Purchase Order (CPO) and verified, validated, reviewed and approved.

2013 Control Activity (R&R CA 02):

Upon receipt of a customer purchase order (CPO), order administration shall match the CPO to the approved quotation or sales proposal, and shall verify that all elements including terms and conditions and line item detail on the CPO match the associated quotation, proposal, or sales contract.

Control Owner: Stephen Hurst

Control Frequency: Daily

Control Type: Detective

Manual / System: Manual

Population Sample / Ratio: 30 of 72 / 42% / $900k of $3.7M / 24%

Test Reference Tab # Name: R&R CA 02

Rollforward Test Status: Ineffective

Section: Invoicing

Control Objective: Invoices for orders which do/not require physical shipment are reviewed for period revenue recognition.

2013 Control Activity (R&R CA 03):

a. Invoices should provide a reference to the customer purchase order or contract to which it references…

b. Invoices should only be posted for hardware that is shipped and services that have been provided (unless other invoicing arrangements are agreed to with the customer and a process to ensure deferral of un-earned revenue is implemented)

Control Owner: Stephen Hurst

Control Frequency: Daily

Control Type: Detective

Manual / System: Manual

Population Sample / Ratio: 6.095m of 6.861m / 89% / 25 of 47 / 53%

Test Reference Tab # Name: R&R CA 03

Rollforward Test Status: Effective

Session G4 Slide # 9

Goals & Challenges

Internal Audit Report

BLSS Manchester, UK

Field Work Dates September 30th – November 29th

Final Report Date: December 2nd

Table of Contents

Audit Key Steps

Executive Summary

Appendix I – Summary of Key Controls by Process

Appendix II – Deficiencies

Appendix III – SOX Enterprise Scoping

Appendix IV – Background

Appendix V – Organization Charts

Appendix VI – Distribution

The team responsible for this audit, comprised of David Fernandes and Alex Byrne, would like to thank those individuals who contributed to this project, and particularly, employees who provided insights and comments as part of this audit.

Privileged and Confidential

Session G4 Slide # 10

Goals & Challenges

Very little time to complete report

Challenges

Building blocks of processes, roles and technologies were not properly established.

Management does not fully understand or accept their critical role and responsibilities.

Risks that the project will not achieve the desired outcomes.

Business owners fail to see the value of the process and terminate the audit program.

Understanding what data is required to support a specific test and obtaining a complete and controlled population of that data.

Decision Making & Communication

Data Analysis tools represent tremendous change for an organization:

Could be a very significant change for your team.

Effective communication of your vision for the change – and how it will impact the entire organization – is essential.

Be sure to include: the right people, the right time, the right levels.

Session G4 Slide # 11

Goals & Challenges

Optimized Controls

Opportunities to improve and automate controls for continuous monitoring

Session G4 Slide # 12

Goals & Challenges

Design a Sustainable Controls Framework

Senior Management views controls as a necessary nuisance, making it difficult for CFOs, VPs of Finance or Compliance Officers and their teams to demonstrate how controls can add value to the business.

Businesses typically agree with the accounting group about “why” controls are necessary, but disagree about “how” to best implement them.

Large company control frameworks usually improve on a linear scale, but business complexity at small to midsized companies often increases exponentially.

Leverage Experience: Pair finance leaders with business leaders to ensure sufficient knowledge of the business and the risk environment.

Engage Business Leaders: Articulate the benefits of increased assurance to persuade business leaders to participate in controls updates.

Update Frequently: Revisit the framework at least twice a year (Interim & Roll Forward) or during periods of significant business change.

Session G4 Slide # 13

Goals & Challenges

TOPICS

YOUR EXPECTATIONS

GOALS & CHALLENGES

WHY ACL?

IMPLEMENTATION OVERVIEW

ACL GRC OVERVIEW

Implementing ACL - A Strategy For Success

Session G4 Slide # 14

Data Analytic Software

Session G4 Slide # 15

Why ACL ?

• ACL is purpose built for data analytics, with proven experience.

• ACL can analyze 100% of the available data, no matter how much.

• ACL is read only, ensuring data integrity and security.

• ACL can read all data types, no matter the source.

• ACL has a log file that records every step.

• ACL does not require users to be programmers.

Why ACL ?

Session G4 Slide # 16

IT Audit Benchmark Study 2009

The Gold Standard in Audit & Compliance Technology

Data Analysis Software

Other: Access, Business Objects, Crystal Reports, IDEA, Showcase, and internally developed software.

Data Extraction Software, Continuous Auditing, Fraud Detection / Investigation

Other: Excel, Idea, In-house, Oracle, PeopleSoft, Proprietary, Showcase Query

Other: Active Data, DCMS, Hyperion, SAP, and SAS.

Other: Access, ActiveData, Crystal Reports, DCMS, DISSCO, Focus, Patriot Officer, PeopleSoft Queries, SAS, Showcase Query, and VIPs.

Why ACL ?

Session G4 Slide # 17

Data Analytics for ….

• Purchase to Payment: Duplicate payments, segregation of duties, requisition & purchasing limits, vendor master, etc.

• Purchasing Card: Invalid employees, duplicate purchasing cards, exceed transaction limit, etc.

• Travel & Entertainment: Transaction limits, split transactions, prohibited merchants, weekend & holiday transactions, etc.

• General Ledger: Validation of trial balance, duplicate journal entries, suspicious journal entries, reversed journal entries, etc.

• Payroll: Invalid/Unauthorized employees, overtime approval, retirement & termination, etc.

• Order to Cash: Prohibited customer, unauthorized discounts, credit limits, missing sales order, etc.

Why ACL ?

Session G4 Slide # 18

TOPICS

YOUR EXPECTATIONS

GOALS & CHALLENGES

WHY ACL?

IMPLEMENTATION OVERVIEW

ACL GRC OVERVIEW

Implementing ACL - A Strategy For Success

Session G4 Slide # 19

Pre - Implementation

• Quantify the need for the software (scope, size, cost benefit).

• Decisions around platforms, vendors and timing.

• Engage Senior Management for support and sponsorship.

• Establish the framework of business requirements.

• Plan a smooth transition from research, testing to implementation.

IMPLEMENTATION OVERVIEW

Session G4 Slide # 20

[Diagram: The Audit Cycle. Labels: Planning, Document Requests, Data Analysis Tools, Current Working Papers, Document Results, Fieldwork, Review, Reporting, Follow-up, Organize Supporting Evidence, Identify Findings, Review & Sign-off, Track Status, Track Finding Remediation, Roll-forward, Risk Assessment, Audit Plan, Review Notes]

Session G4 Slide # 21

IMPLEMENTATION OVERVIEW

Right Sized Technology Adds More Business Value

Reduces Complexity and Increases Adoption & Usage

CATEGORY FULL WRITE READ

System Administrators

Audit Manager

Auditor

Business Partner / Process Owners: Request List, Findings

Executive Planning Findings

To Do List Results

Requests

External Reviewer: Planning Results

Findings

Flow of Information | Design Access Criteria

IMPLEMENTATION OVERVIEW

Session G4 Slide # 22

Flow of Information | Workpapers

[Diagram: workpaper structure for BROOKS. Labels: Findings, Processes, Quality, Narratives, Risks & Controls, Walkthrough, Testing, Overview, Audit Risks Procedures & Plan, Execute Audit Plan]

Internal Control Audits:

Controls are identified and tested within processes - Identify Risk & Key Controls - Risk Control Matrix SOX, Financial, IT General Controls

Audits:

SOX Classification or Process Operational

Capital / Fixed Assets Travel & Entertainment

Financial Reporting / SEC Excess & Obsolescence

Inventory / PI FCPA / Compliance

Human Resources and Payroll Entity Level Control

Purchasing & Payables ITGC

Revenue & Receivables

Session G4 Slide # 23

IMPLEMENTATION OVERVIEW

Session G4 Slide # 24

IMPLEMENTATION OVERVIEW

Issues

• Cost / Scope Creep

• Data Mining Knowledge

• IT Support

• Cost / Scope Creep

Costs Escalation: Services, Training, Modules

• Limited Data Mining Knowledge

IA knowledge and experience with data mining was very limited.

Difficult to allocate training time for new software.

• IT Support

How do we sustain the system after implementation? Leverage IT, make them a partner.

Who owns the system? IT

Who are the stakeholders? Finance, Operations, IT

Pace of implementation?

Implementation

• Ensure you have effective management of the effort; consider using a Project Manager.

• Conflict Management: Resolve issues, planned and unplanned, as they arise.

• Take the time to adequately manage the…

i. Project - Data management.

ii. Timeframe - Change management and training.

iii. Budget - Watch for Scope Creep.

IMPLEMENTATION OVERVIEW

Session G4 Slide # 25

Pitfalls

• Identify your key business areas that require data analysis and your key audit objectives.

a) Involve your business partners.

b) Set up a data warehouse for testing.

• Converting operational audit objectives into information systems objectives.

• Converting application system files to ACL readable format; Audit program design specification.

• Detailed Audit program design; Audit process automation.

• Writing ACL Scripts for the audit programs; ACL Scripts testing; Script documentation.

a) Due to the variety of formats and customized audit files, migration of data must be looked at carefully.

b) Analyzing data using some of the features of CAAT (e.g., stratify, filter, summarize, reports, logs),

c) Linking data tables - ensure that you have an IT resource to assist you.

d) Using filters, computed fields, and extractions.

e) Modification to the infrastructure may lead to data leakages – identify risk zones within each area.

f) Periodic review of the implemented scripts to assess their ability to meet audit objectives in light of changes in the operating business environment.

g) Reformulating audit objectives to address new and emerging business issues.

h) Identifying the relevant application system files to be used in new batch design.

i) Developing new and testing new scripts, and

j) Implementation of the latest and current batches

Planning and Execution Pitfalls to Avoid

IMPLEMENTATION OVERVIEW

Session G4 Slide # 26

Scope Management

1. Develop a scope management plan:

Effective pre-implementation communication should make the transition a smooth event.

Ensure stakeholders understand the project vision.

2. Implement change management and stick to it, as many activities will overlap during the testing and implementation processes.

3. Effective implementation management ensures that movement from one activity to another is well-controlled and anticipated:

Define requirements, objectives, deliverables – watch for data integrity, false positives.

Fight the urge to bring in ‘everything’ - Bring in only what you need!

Training

1. Ensure that you understand user training requirements; talk to HR and IT.

2. Develop a training plan and strategy.

3. Deliver interactive training; use video, etc., and detailed documents: an Idiot's Guide.

Transition to Implementation

IMPLEMENTATION OVERVIEW

Session G4 Slide # 27

[Diagram labels: Enterprise Risks, Mitigation Efforts, Objectives, Risk Manager, Project Manager, Beta Results Manager, Projects, Controls, Data, Tests, Issues]

Map ACL Modules to Processes

Stakeholder Specific Modules.

Authorization Granted based on Need / Security.

IMPLEMENTATION OVERVIEW

Session G4 Slide # 28

Session G4 Slide # 29

IMPLEMENTATION OVERVIEW

Actions

• IT Support

IT Participation and involvement.

Joint ownership and encourage staff to take responsibility for influencing the change.

IT Facilitation and support.

Scheduled and automated data extractions at off-peak hours.

• Cost / Scope Creep

Negotiation and agreement.

Involvement of stakeholders.

Tight control of system requirements.

Limited Training.

• Data Mining Knowledge

Focused on in house training.

Pilot demo to ascertain strengths and weaknesses.

Provides a standardized workflow, ensuring consistency across the team.

Audits will be centralized, saving time in one easy-to-find place for everyone to access, including external auditors.

Automatically rolls up time tracked, status and findings, eliminating manual reporting.

Manages Document Request Lists, tracking all requested items and sending reminders via email to clients or business owners.

Manages team collaboration. Review notes and comments between staff and reviewer, or between team members when multiple staff are assigned to work the same section or objective.

Each project captures all system activity and is viewable on the project dashboard. The activity log is viewable in Excel when you back up and download your project.

Each audit has its own structure, milestones and workflow. Each milestone within each audit has a review and sign-off function. Sign-offs and reviews are tracked.

Sign-off and reviews can be performed at the section level, or the control level.

Implementation Benefits

IMPLEMENTATION OVERVIEW

Session G4 Slide # 30

TOPICS

YOUR EXPECTATIONS

GOALS & CHALLENGES

WHY ACL?

IMPLEMENTATION OVERVIEW

ACL GRC OVERVIEW

Implementing ACL - A Strategy For Success

Session G4 Slide # 31

Identify and Prioritize your company’s key controls.

Develop a structured way to collect on the impact and effectiveness

Continuous Auditing & Monitoring

No more excuses!

Session G4 Slide # 32

ACL GRC OVERVIEW

Session G4 Slide # 33

Access and analyze complete data populations with ease and 100% coverage for superior assurance

Visualize, widely share and act on information uncovered in analysis testing across the business

Automatically distribute exceptions found during data analysis testing to multiple business stakeholders

An add-in for Microsoft Excel® designed for working with data results produced by analytic systems

[Diagram: Enterprise Continuous Monitoring. Labels: Enterprise Data, SQL, HR / Payroll, Workday ERP, Dashboard, Exceptions, Data Warehouse, Add Ons]

Session B8 Slide # 34