Overcoming Small Department Challenges
Session G4
Wednesday, April 30th, 2014
10:45 – 11:45
David Fernandes
Implementing ACL - A Strategy For Success
ACL Workpapers & GRC Project
Case Study
Implementing ACL - A Strategy For Success
Session G4 Slide # 2
TOPICS
YOUR EXPECTATIONS
GOALS & CHALLENGES
ACL WORKPAPERS
GRC OVERVIEW
ACL RISK OVERVIEW
Q&A
Implementing ACL - A Strategy For Success
Session G4 Slide # 3
YOUR EXPECTATIONS
How many in Audit Department ? <5 < 10
What are you using now ? Excel / Word / TeamMate
What do you want to accomplish with a Workpapers / GRC
solution ?
When do you want to have a Workpapers / GRC solution in place ?
Session G4 Slide # 4
Implementing ACL - A Strategy For Success
• Fraud Detection
• Segregation of Duties
• Automation of Data Mining
• Compliance Issues
• Regulatory Issues
• Commission Payments
But wait…there is more ……
• Identify fraud, misuse, and errors
• Identify compliance issues
• Flag exceptions in real time
• Automate manual processes for continuous monitoring
What issues do you want to solve ??
Session G4 Slide # 5
Implementing ACL - A Strategy For Success
TOPICS
YOUR EXPECTATIONS
GOALS & CHALLENGES
ACL WORKPAPERS
GRC OVERVIEW
ACL RISK OVERVIEW
Q&A
Session G4 Slide # 6
Implementing ACL - A Strategy For Success
Goals - Do More - With Less
Develop a framework for assessing different levels of audit analytic techniques and
associated benefits.
Define progressive levels to evolve its use of Data / Business Analytics.
Identify the building blocks: People, Process and Technology that must be in place to
optimize benefits.
Understand, plan and communicate design criteria to achieve timely implementation.
Establish a proactive and comprehensive view for effective ERA and ERM.
Session G4 Slide # 7
Goals & Challenges
Controls by Location and Process
Columns: Location | Revenue & Receivables | Purchasing & Payables | Inventory | HR & Payroll | Fixed Assets | Financial Close & Reporting | SEC | Equity & Treasury | Taxes | Entity Level Controls | IT General Controls | TOTAL
Chelmsford 16 8 17 10 12 15 7 15 18 32 17 167
Colorado 2 1 3 2 1 9
Petaluma 2 1 3 2 1 9
Jena 9 7 11 5 11 2 3 48
Korea 7 4 4 5 2 1 23
Poway 9 7 11 5 11 2 45
Manchester 9 7 11 5 11 2 3 48
Japan 8 5 5 5 2 3 28
Taiwan 2 2 3 5 4 2 18
TOTAL 64 42 68 44 47 29 7 27 18 32 17 395
Session G4 Slide # 8
Goals & Challenges
BLSS - Manchester Revenue - 2013 SOX CYCLE CONTROLS
Columns: Section | Control Objective | 2013 Control Activity | Control Owner | Control Frequency | Control Type | Manual / System | Population Sample / Ratio | Test Reference Tab # Name | Rollforward Test Status

Section: New Customers
Control Objective: Authorization is required prior to setting up or modifying customer account within the ERP system.
2013 Control Activity (R&R CA 01):
A- All new customer accounts must be approved for credit & have an account set up in system before any work commences or shipments are made.
B- The AR department assesses customer credit worthiness for new & existing customers at time of PO receipt / acceptance. Credit personnel perform the initial assessment, but obtain the applicable approvals based upon the Credit Limit Matrix. Additionally, credit personnel may solicit input from Manager of Credit & Collections and/or Corporate Controller in assessing credit worthiness.
Control Owner: Stephen Hurst
Control Frequency: Daily
Control Type: Detective
Manual / System: Manual
Population Sample / Ratio: 0
Test Reference Tab # Name: R&R CA 01
Rollforward Test Status: N/A

Section: Customer Purchase Order
Control Objective: Customer Purchase Order (CPO) and verified, validated, reviewed and approved.
2013 Control Activity (R&R CA 02):
Upon receipt of a customer purchase order (CPO), order administration shall match the CPO to the approved quotation or sales proposal, and shall verify that all elements including terms and conditions and line item detail on the CPO match the associated quotation, proposal, or sales contract.
Control Owner: Stephen Hurst
Control Frequency: Daily
Control Type: Detective
Manual / System: Manual
Population Sample / Ratio: 30 of 72 / 42% / $900k of $3.7M / 24%
Test Reference Tab # Name: R&R CA 02
Rollforward Test Status: Ineffective

Section: Invoicing
Control Objective: Invoices for orders which do/not require physical shipment are reviewed for period revenue recognition.
2013 Control Activity (R&R CA 03):
a. Invoices should provide a reference to the customer purchase order or contract to which it references…
b. Invoices should only be posted for hardware that is shipped and services that have been provided (unless other invoicing arrangements are agreed to with the customer and a process to ensure deferral of un-earned revenue is implemented)
Control Owner: Stephen Hurst
Control Frequency: Daily
Control Type: Detective
Manual / System: Manual
Population Sample / Ratio: 6.095m of 6.861m / 89% / 25 of 47 / 53%
Test Reference Tab # Name: R&R CA 03
Rollforward Test Status: Effective
Session G4 Slide # 9
Goals & Challenges
Internal Audit Report
BLSS Manchester, UK
Field Work Dates September 30th – November 29th
Final Report Date: December 2nd
Table of Contents
Audit Key Steps
Executive Summary
Appendix I – Summary of Key Controls by Process
Appendix II – Deficiencies
Appendix III – SOX Enterprise Scoping
Appendix IV – Background
Appendix V – Organization Charts
Appendix VI – Distribution
The team responsible for this audit, comprised of David Fernandes and Alex Byrne, would like to thank those individuals who contributed to this project, and particularly, employees who provided insights and comments as part of this audit.
Privileged and Confidential
Session G4 Slide # 10
Goals & Challenges
Very little time to
complete report
Challenges
Building blocks of processes, roles and technologies were not properly established.
Management does not fully understand or accept their critical role and responsibilities.
Risks that the project will not achieve the desired outcomes.
Business owners fail to see the value of the process and terminate the audit program.
Understanding what data is required to support a specific test and
Obtaining a complete and controlled population of that data.
Decision Making & Communication
Data Analysis tools represent tremendous change for an organization :
Could be a very significant change for your team.
Effective communication of your vision for the change – and how it will impact the entire
organization – is essential.
Be sure to include:
the right people,
the right time,
the right levels.
Session G4 Slide # 11
Goals & Challenges
Optimized Controls
Opportunities to improve and automate controls for continuous monitoring
Session G4 Slide # 12
Goals & Challenges
Design a Sustainable Controls Framework
Senior Management views controls as a necessary nuisance, making it difficult for CFOs / VP Finance or Compliance Officers and their teams to demonstrate how controls can add value to the business.
The business typically agrees with the accounting group about “why” controls are necessary, but disagrees about “how” to best implement them.
Large company control frameworks usually improve on a linear scale, but business complexity at small to midsized companies often increases exponentially.
Leverage Experience
Pair finance leaders with business leaders to ensure sufficient knowledge of the business and the risk environment.
Engage Business Leaders
Articulate the benefits of increased assurance to persuade business leaders to participate in controls updates.
Update Frequently
Revisit the framework at least twice a year (Interim & Roll Forward) or during periods of significant business change.
Session G4 Slide # 13
Goals & Challenges
TOPICS
YOUR EXPECTATIONS
GOALS & CHALLENGES
WHY ACL?
IMPLEMENTATION OVERVIEW
ACL GRC OVERVIEW
Implementing ACL - A Strategy For Success
Session G4 Slide # 14
Why ACL ?
ACL:
• is purpose built for data analytics with proven experience.
• can analyze 100% of the available data no matter how much.
• is read only, ensuring data integrity and security.
• can read all data types no matter the source.
• has a log file that records every step.
• does not require users to be programmers.
Session G4 Slide # 16
IT Audit Benchmark Study 2009
The Gold Standard in Audit & Compliance Technology
Data Analysis Software
Other: Access, Business Objects, Crystal Reports, IDEA, Showcase, and internally developed software.
Data Extraction Software | Continuous Auditing | Fraud Detection / Investigation
Other: Excel, Idea, In-house, Oracle, PeopleSoft, Proprietary, Showcase Query
Other: Active Data, DCMS, Hyperion, SAP, and SAS.
Other: Access, ActiveData, Crystal Reports, DCMS, DISSCO, Focus, Patriot Officer, PeopleSoft Queries, SAS, Showcase Query, and VIPs.
Why ACL ?
Session G4 Slide # 17
Data Analytics for ….
• Purchase to Payment: Duplicate payments, segregation of duties, requisition & purchasing limits, vendor master, etc.
• Purchasing Card: Invalid employees, duplicate purchasing cards, exceed transaction limit, etc.
• Travel & Entertainment: Transaction limits, split transactions, prohibited merchants, weekend & holiday transactions, etc.
• General Ledger: Validation of trial balance, duplicate journal entries, suspicious journal entries, reversed journal entries, etc.
• Payroll: Invalid/Unauthorized employees, overtime approval, retirement & termination, etc.
• Order to Cash: Prohibited customer, unauthorized discounts, credit limits, missing sales order, etc.
Why ACL ?
Session G4 Slide # 18
TOPICS
YOUR EXPECTATIONS
GOALS & CHALLENGES
WHY ACL?
IMPLEMENTATION OVERVIEW
ACL GRC OVERVIEW
Implementing ACL - A Strategy For Success
Session G4 Slide # 19
Pre - Implementation
• Quantify the need for the software (scope, size, cost benefit).
• Decisions around platforms, vendors and timing.
• Engage Senior Management for support and sponsorship.
• Establish the framework of business requirements.
• Plan a smooth transition from research, testing to implementation.
IMPLEMENTATION OVERVIEW
Session G4 Slide # 20
[Diagram: The Audit Cycle. Labels: Planning, Risk Assessment, Audit Plan, Document Requests, Fieldwork, Data Analysis Tools, Current Working Papers, Document Results, Organize Supporting Evidence, Identify Findings, Review, Review Notes, Review & Sign-off, Reporting, Follow-up, Track Status, Track Finding Remediation, Roll-forward]
Session G4 Slide # 21
IMPLEMENTATION OVERVIEW
Right Sized Technology Adds More Business Value
Reduces Complexity and Increases Adoption & Usage
CATEGORY FULL WRITE READ
System Administrators
Audit Manager
Auditor
Business Partner / Process Owners : Request List Findings.
Executive Planning Findings
To Do List Results
Requests
External Reviewer: Planning Results
Findings
Flow of Information | Design Access Criteria
IMPLEMENTATION OVERVIEW
Session G4 Slide # 22
Flow of Information | Workpapers
[Diagram labels: BROOKS, Overview, Audit Risks Procedures & Plan, Execute Audit Plan, Processes, Risks & Controls, Narratives, Walkthrough, Testing, Findings, Quality]
Internal Control Audits:
Controls are identified and tested within processes - Identify Risk & Key Controls -Risk Control Matrix SOX,
Financial, IT General Controls
Audits:
SOX Classification or Process Operational
Capital / Fixed Assets Travel & Entertainment
Financial Reporting / SEC Excess & Obsolescence
Inventory / PI FCPA / Compliance
Human Resources and Payroll Entity Level Control
Purchasing & Payables ITGC
Revenue & Receivables
Session G4 Slide # 23
IMPLEMENTATION OVERVIEW
Session G4 Slide # 24
IMPLEMENTATION OVERVIEW
Issues
• Cost / Scope Creep
• Data Mining Knowledge
• IT Support
• Cost / Scope Creep
Costs Escalation
Services
Training
Modules
• Limited Data Mining Knowledge
IA knowledge and experience with data mining was very limited.
Difficult to allocate training time for new software.
• IT Support
How do we sustain the system after implementation? Leverage IT, make them a partner.
Who owns the system? IT
Who are the stakeholders? Finance, Operations, IT
Pace of implementation?
Implementation
• Ensure you have effective management of the effort; consider using a Project Manager.
• Conflict Management: Resolve issues – planned and unplanned – as they arise.
• Take the time to adequately manage the….
i. Project - Data management.
ii. Timeframe - Change management and training.
iii. Budget – Watch for Scope Creep.
IMPLEMENTATION OVERVIEW
Session G4 Slide # 25
Pitfalls
• Identify your key business areas that require data analysis and your key audit objectives.
a) Involve your business partners.
b) Set up a data warehouse for testing.
• Converting operational audit objectives into information systems objectives.
• Converting application system files to ACL readable format Audit program design specification.
• Detailed Audit program design Audit process automation.
• Writing ACL Scripts for the audit programs ACL Scripts testing Script documentation.
a) Due to the variety of formats and customized audit files, migration of data must be looked at
carefully.
b) Analyzing data using some of the features of CAAT (e.g., stratify, filter, summarize, reports, logs),
c) Linking data tables - ensure that you have an IT resource to assist you.
d) Using filters, computed fields, and extractions.
e) Modification to the infrastructure may lead to data leakages – identify risk zones within each area.
f) Periodic review of the implemented scripts to assess their ability to meet audit objectives in light of changes in the operating business environment.
g) Reformulating audit objectives to address new and emerging business issues.
h) Identifying the relevant application system files to be used in new batch design.
i) Developing new and testing new scripts, and
j) Implementation of the latest and current batches
Planning and Execution Pitfalls to Avoid
IMPLEMENTATION OVERVIEW
Session G4 Slide # 26
Scope Management
1. Develop a scope management plan:
Effective pre-implementation communication should make the transition a smooth event.
Ensure stakeholders understand the project vision.
2. Implement change management and stick to it, as many activities will overlap during the testing and implementation processes.
3. Ensure effective implementation management so that movement from one activity to another is well-controlled and anticipated:
Define requirements, objectives, deliverables – watch for data integrity, false positives.
Fight the urge to bring in ‘everything’ - Bring in only what you need!
Training
1. Ensure that you understand user training requirements; talk to HR and IT.
2. Develop training plan and strategy.
3. Deliver interactive training; use video etc. and detailed documents (Idiots Guide).
Transition to Implementation
IMPLEMENTATION OVERVIEW
Session G4 Slide # 27
Enterprise Risks
Mitigation
Efforts Objectives
Risk
Manager Project
Manager
Beta Results
Manager
Projects
Controls
Data
Tests
Issues
Map ACL Modules to Processes
Stakeholder Specific Modules.
Authorization Granted based on Need / Security.
IMPLEMENTATION OVERVIEW
Session G4 Slide # 28
Session G4 Slide # 29
IMPLEMENTATION OVERVIEW
Actions
• IT Support
IT Participation and involvement.
Joint ownership and encourage staff to take responsibility for influencing the change.
IT Facilitation and support.
Scheduled and automated data extractions at off-peak hours.
• Cost / Scope Creep
Negotiation and agreement.
Involvement of stakeholders.
Tight control of system requirements.
Limited Training.
• Data Mining Knowledge
Focused on in house training.
Pilot demo to ascertain strengths and weaknesses.
Implementation Benefits
• Provides a standardized workflow, ensuring consistency across the team.
• Audits will be centralized, saving time in one easy-to-find place for everyone to access, including external auditors.
• Automatically rolls up time tracked, status and findings, eliminating manual reporting.
• Manage Document Request Lists, tracking all requested items and send reminders via email to clients or business owners.
• Manages team collaboration. Review notes and comments between staff and reviewer, or between team members when multiple staff are assigned to work the same section or objective.
• Each project captures all system activity and is viewable on the project dashboard. The activity log is viewable in Excel when you backup and download your project.
• Each audit has its own structure, milestones and workflow. Each milestone within each audit has a review and sign-off function. Sign-offs and reviews are tracked.
• Sign-off and reviews can be performed at the section level, or the control level.
IMPLEMENTATION OVERVIEW
Session G4 Slide # 30
TOPICS
YOUR EXPECTATIONS
GOALS & CHALLENGES
WHY ACL?
IMPLEMENTATION OVERVIEW
ACL GRC OVERVIEW
Implementing ACL - A Strategy For Success
Session G4 Slide # 31
Identify and Prioritize your company’s key controls.
Develop a structured way to collect on the impact and effectiveness
Continuous Auditing & Monitoring
No more excuses!
32
Access and analyze complete data
populations with easy and 100% coverage for
superior assurance
Visualize, widely share and act on information uncovered in analysis testing across the
business
Automatically distribute exceptions
found during data analysis testing to
multiple business stakeholders
An add-in for Microsoft Excel® designed
for working with data results
produced by analytic systems
Enterprise Continuous Monitoring
Enterprise Data
SQL
HR / Payroll
Workday ERP
Dashboard
Exceptions
Data Warehouse
Add Ons
Session B8 Slide #