AIA SOX Conference May 2009 - CCM & Data Analytics

  • 1. Continuous Control Monitoring and Data Analytics AIA SOX Conference May 11, 2009
  • 2. Continuous Controls Monitoring (CCM)
  • 3. Continuous monitoring vs. audit vs. assurance. Continuous monitoring refers to the processes that management puts in place to ensure that the policies, procedures, and business processes are operating effectively. The slide's layered diagram places continuous assurance (Audit: results of the continuous auditing and continuous monitoring process) on top of continuous auditing (Audit: audit testing of continuous monitoring), which sits on continuous monitoring (Management), which in turn sits on the activities, transactions and events of the business systems and processes. Source: The IIA Global Technology Audit Guide - Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment. Page 3 May 11, 2009 CCM and Data Analytics
  • 4. What is continuous control monitoring (CCM)? Continuous Controls Monitoring (CCM) is an integrated set of processes and techniques, enabled by technology, designed to help an organization:
    - Automate the monitoring of the control environment.
    - Identify control exceptions continuously based upon pre-defined business rules.
    - Identify process improvement opportunities and underlying root causes.
    - Reduce risk spend.
  • 5. Trends in the deployment of CCM. Key trends:
    - Many CCM deployments are focused mainly on access (SoD) and application controls; interest in transaction monitoring is increasing.
    - Budget and ownership of CCM is coming from Internal Audit; long-term ownership resides in the business functions.
    - Software tools to extract and/or process data and monitor controls are maturing.
    The slide's impact/likelihood risk matrix maps each band of risk to a form of coverage:
    - Day-to-day risks may be acceptable or require some form of self assessment.
    - Mid-level risk areas may be suitable for CCM: automated analytics on data that is IT dependent or processed manually.
    - More judgmental risks and estimation processes may require more rigorous analytics and manually intensive assessment procedures by Internal Audit.
  • 6. Areas of Focus: Segregation of Duties (the slide's internal control environment diagram shows three focus areas for key stakeholders: segregation of duties, configurable controls, and master file and transaction data).
    - Detect and/or prevent user access and segregation of duties violations.
    - Identify and monitor users with access to sensitive areas within the application.
    - Facilitate user access provisioning and the periodic access review process related to IT general controls.
  • 7. Areas of Focus: Configurable Controls.
    - Detect changes made to critical configurable control settings.
    - Verify that system patches and program changes do not impact the integrity of configurable controls.
    - Enable comparison of configurable controls across business units and against leading practices.
  • 8. Areas of Focus: Master File and Transaction Data.
    - Monitor master file data and architecture for unauthorized or unusual changes.
    - Monitor transaction data for control exceptions based on pre-defined business rules.
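The three focus areas on slides 6 to 8 are each a rule over extracted data: an access model checked against a conflict matrix, a configuration snapshot checked against an approved baseline, and a change log checked against business rules. The following is an added example (not from the presentation, and not the schema of any of the products on slide 13) that expresses one rule of each kind as runnable code. The transaction codes, role names, configuration keys and every record are constructed for the example.

```python
"""Added example, not from the presentation or any vendor product: the three
CCM focus areas (segregation of duties, configurable controls, master file and
transaction data) expressed as executable monitoring rules. Transaction codes,
role names, configuration keys and all records are constructed for the example."""

# --- 1. Segregation of duties ------------------------------------------------
# Pairs of transactions that one person should not be able to perform together.
SOD_CONFLICTS = [
    ("VENDOR_MAINTAIN", "INVOICE_APPROVE"),   # set up a vendor and approve its invoices
    ("INVOICE_APPROVE", "PAYMENT_RELEASE"),   # approve an invoice and release the payment
    ("JOURNAL_POST", "JOURNAL_APPROVE"),      # post and approve the same journal
]
SENSITIVE_TX = {"PAYMENT_RELEASE", "USER_ADMIN"}   # access to watch even without a conflict

ROLE_TX = {   # role -> transactions it grants (constructed)
    "AP_CLERK": {"INVOICE_ENTER", "VENDOR_MAINTAIN"},
    "AP_MANAGER": {"INVOICE_APPROVE", "PAYMENT_RELEASE"},
    "GL_ACCOUNTANT": {"JOURNAL_POST"},
    "GL_REVIEWER": {"JOURNAL_APPROVE"},
    "BASIS_ADMIN": {"USER_ADMIN"},
}
USER_ROLES = {   # user -> assigned roles (constructed); bob and carol carry conflicts
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_MANAGER"},
    "carol": {"GL_ACCOUNTANT", "GL_REVIEWER"},
    "dave": {"BASIS_ADMIN"},
}

def effective_tx(user, user_roles=USER_ROLES, role_tx=ROLE_TX):
    """Every transaction reachable through any of the user's roles. Conflicts
    usually hide across roles, so the check must run on this union, not per role."""
    return set().union(*(role_tx.get(r, set()) for r in user_roles.get(user, ())))

def sod_violations(user_roles=USER_ROLES, role_tx=ROLE_TX, conflicts=SOD_CONFLICTS):
    """(user, (tx_a, tx_b)) for every conflict pair the user holds in full."""
    hits = []
    for user in user_roles:
        tx = effective_tx(user, user_roles, role_tx)
        hits += [(user, pair) for pair in conflicts if set(pair) <= tx]
    return sorted(hits)

def sensitive_users(user_roles=USER_ROLES, role_tx=ROLE_TX):
    """Users holding any sensitive transaction: the periodic access review population."""
    return sorted(u for u in user_roles if effective_tx(u, user_roles, role_tx) & SENSITIVE_TX)

# --- 2. Configurable controls ------------------------------------------------
# Approved settings for a purchase-to-pay module; the keys are assumed names.
CONFIG_BASELINE = {
    "three_way_match": "ON",
    "price_tolerance_pct": "2",
    "duplicate_invoice_check": "ON",
    "payment_dual_approval": "ON",
}

def config_drift(current, baseline=CONFIG_BASELINE):
    """Settings that differ from the baseline as {key: (baseline, current)}.
    A key missing on either side reads as None, so a deleted control is caught too."""
    keys = sorted(baseline.keys() | current.keys())
    return {k: (baseline.get(k), current.get(k)) for k in keys
            if baseline.get(k) != current.get(k)}

# --- 3. Master file and transaction data ------------------------------------
VENDOR_CHANGES = [   # (vendor, field, changed_by): a constructed vendor-master change log
    ("V100", "address", "alice"),
    ("V200", "bank_account", "alice"),   # authorized user, but a bank change before a payment
    ("V300", "bank_account", "dave"),    # dave has no VENDOR_MAINTAIN access at all
]
PAYMENTS = [("V200", 48000.00, "bob"), ("V300", 9500.00, "bob")]   # (vendor, amount, released_by)

def master_file_exceptions(changes=VENDOR_CHANGES, payments=PAYMENTS):
    """Two business rules: any change by a user without VENDOR_MAINTAIN is
    unauthorized; a bank-account change on a vendor that is then paid is unusual
    and goes to the control owner for validation regardless of who made it."""
    paid = {vendor for vendor, _, _ in payments}
    out = []
    for vendor, field, who in changes:
        if "VENDOR_MAINTAIN" not in effective_tx(who):
            out.append((vendor, "UNAUTHORIZED_CHANGE", who))
        if field == "bank_account" and vendor in paid:
            out.append((vendor, "BANK_CHANGE_THEN_PAYMENT", who))
    return out

if __name__ == "__main__":
    snapshot = {"three_way_match": "ON", "price_tolerance_pct": "10", "payment_dual_approval": "ON"}
    for v in sod_violations():
        print("SoD:", v)
    print("sensitive access:", sensitive_users())
    print("config drift:", config_drift(snapshot))
    for e in master_file_exceptions():
        print("master file:", e)
```

Two design points carry over to any real deployment: the SoD check runs on the union of transactions a user reaches through all roles, because a conflict split across two individually clean roles is the common case; and the configuration comparison treats a missing key as a difference, so a control that has been switched off by deleting its setting is reported, not silently skipped.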
  • 9. Optimizing the value of CCM deployments. To harvest the greatest value from a CCM deployment, the strategy should encompass security, controls, and process improvement objectives and sufficiently cover end-to-end processes. The slide plots value of the CCM initiative against maturity of the CCM competency, in four stages:
    - Compliance management (the current state for many organisations). Focus: monitoring of access controls / SoD requirements.
    - Controls improvement. Focus: automated application controls testing.
    - Process improvement. Focus: automated transactional analysis.
    - Business improvement: CCM capabilities are repeatable and holistic.
  • 10. CCM process flow (diagram only).
  • 11. Continuous control monitoring - exception management approach. Exceptions are shared between Business Process Management / Shared Services Center on one side and Internal Audit / Compliance / Risk Management functions on the other. Exception categories: priority risk areas for monitoring, segregation of duties conflicts, general policy violations, routine transaction exceptions, potential fraudulent activity, sensitive transaction activities.
    Flow: control owner notified of exception; filter through exceptions; review and validate exceptions (validate exceptions with business owners); remediate and address root cause; document results of exception review and remediation; post review activities (monitor controls, trending analysis, process improvement dashboards).
    Blended approach: operational controls and SOX controls; shared ownership of the exception management process; prioritized approach based on the nature of exceptions and the sensitivity of what is being monitored; increased accountability for controls.
  • 12. The importance of a proper CCM road map. A proper methodology is key to ensure that CCM objectives are properly captured, incorporated, and sustained. The road map on the slide runs under executive sponsorship and project management, with an ROI analysis, through three phases:
    - Planning: define the CCM vision; perform CCM diagnostic.
    - CCM road map & design: identify application automated controls; assess and remediate controls; process reengineering and define reengineered processes and policies; configure CCM solution and supporting policies.
    - Rollout: training on solution; evaluate results; on-going support.
  • 13. Select CCM tools in the market. The slide marks which of three monitoring capabilities (segregation of duties, configurable controls, master file and transaction data) each tool covers; the marks are not reproduced here. Tools listed: ACL (Continuous Controls Monitoring Solution); Approva; Aveksa; Blackline (Financial Statement Close Process); IDEA; Oracle GRC (formerly Logical Apps); Oversight; SAP GRC (formerly Virsa). Ernst & Young does not endorse any of these vendors or products listed above.
  • 14. CCM screenshot illustrative example (screenshot only).
  • 15. Data Analytics
  • 16. Data analytics maturity model (five levels):
    - Level 1, Initial: no formal data analytics approach, procedures or methodology; performed occasionally at best; tools are not readily available; dependent on the skills of a limited number of SMRs.
    - Level 2, Repeatable: recognized as a value-add to the audit; use of analytics is championed by management; relies on a central group or single person; tools are at its disposal, however not applied consistently or correctly; re-performance of data analytic procedures.
    - Level 3, Defined: established data analytics methodology, not yet institutionalized; creation of data analysis models; understanding of the business meaning of data analytic procedures and results; increased proficiency in use of tools.
    - Level 4, Managed: methodology is institutionalized; management involved in the on-going data analytical processes, procedures and results; management understands business issues and root cause; advanced tools are used effectively.
    - Level 5, Optimizing: practices evolved in levels 1 through 4 are used to continually improve data analysis efforts; use of data analysis for continuous controls monitoring.
  • 17. Data analytics framework. The slide is a four-layer pyramid, each layer answering one question:
    - Business Intelligence, "What will happen?": predictive data modeling (statistical, econometric, scenario-based modeling and validation).
    - Knowledge, "Why did it happen?": revenue-sharing models, root cause analysis, legal compliance.
    - Information, "What happened?": descriptive data analysis (forensic evidence, queries, profiling, MDA, data/text mining, benchmarking, surveys).
    - Data, "Is your data reliable?": information management (data governance, data conversion, data integrity).
  • 18. Comparison of data analytics to traditional audit methods.
    Traditional method: typically labor-intensive manual collection / evaluation; limited samples / relatively infrequent tests; narrow time period / stressful remediation; test procedures are limited in scope; capability / benefit tends to lessen with complexity and as the organization evolves.
    Data analytics: increased insight; typically automated collection / evaluation; high sample sizes / decreased false positives; frees up resources to focus on other high-risk areas; frequent, faster and more accurate analysis; decrease in opportunity for human error; incremental and more extensive testing is practical; capability / benefit tends to increase with complexity and as the organization evolves.
    Investment required vs. benefits earned: relatively higher initial costs for analytics can yield significantly more long-term benefit.
  • 19. Enhancing the audit process using data analytics.
    - Create sustainable methods for risk assessment and monitoring of the control environment.
    - Deploy resources effectively to accomplish audit plan objectives.
    - Quantify the impact of identified issues in terms of dollars and frequency.
    - Increase focus on fraud detection procedures.
    - Gain valuable insight into business processes and improvement opportunities.
    - Respond quickly to changing business needs and compliance requirements with flexible and repeatable procedures.
    - Forms the basis of continuous controls
  • 20. Applying analytics across the audit process (audit activity: example opportunities to use data analytics).
    - Risk assessment: identify risk assessment priorities by using information gathered from trend analysis, financial ratios and comparisons; assist with determining the scope of audit plan activities (by size/relevance).
    - Audit planning: provide a preliminary scan of relevant audit information to drive project scope, sampling and fieldwork procedures.
    - Fieldwork procedures: support testing of controls in an efficient and comprehensive manner; identify anomalies, trends and potential fraud indicators; supplement sample testing approaches with full-coverage data analytics.
    - Reporting: provide quantifiable, fact-based information for reportable issues and exceptions; supplement reporting with statistical and graphical information gathered during the audit.
    - Monitoring and trending: automate the ongoing monitoring of the control environment to a sustainable effort through timely exception notification and review; analyze trends in the company's risk profile and identify opportunities for improvement.
  • 21. Example data analytics.
    - Access monitoring analytics: segregation of duties assessment; key configuration changes.
    - Financial statement computer assisted audit techniques: journal entry analytics; accounts receivable analytics.
    - Contract audit analytics: royalty payment recalculations (incorrect sales figures, royalty rates); invoicing inaccuracies (overpayments, duplicate transactions).
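Two of the analytics on slide 21, invoicing inaccuracies (duplicate transactions and overpayments) and journal entry analytics, as an added example run over the whole population rather than a sample, with the dollar exposure quantified as slide 19 asks. This is not code from the presentation or from any of the tools named earlier; the records, column layouts, red-flag thresholds and the list of finance users are constructed for the example.

```python
"""Added example, not from the presentation: two of the analytics listed above
(invoicing inaccuracies: duplicate transactions / overpayments, and journal
entry analytics) run over the full population rather than a sample, with the
dollar exposure quantified. Records and column layouts are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from itertools import combinations

INVOICES = [   # (id, vendor, invoice_no, amount, invoice_date), constructed
    ("I1", "V100", "INV-1001", 1250.00, "2009-03-02"),
    ("I2", "V100", "inv 1001", 1250.00, "2009-03-09"),   # same invoice keyed twice
    ("I3", "V200", "A-77", 980.50, "2009-03-10"),
    ("I4", "V200", "A-78", 980.50, "2009-03-10"),        # same vendor/amount/day, new number
    ("I5", "V300", "Z9", 15.00, "2009-03-11"),
]

def norm_invoice_no(s):
    """Keep only alphanumerics, upper-cased: 'inv 1001', 'INV-1001' and 'Inv#1001' collide."""
    return re.sub(r"[^A-Z0-9]", "", s.upper())

def duplicate_invoices(invoices=INVOICES):
    """EXACT_DUP: same vendor, normalized number and amount.
    NEAR_DUP: same vendor, amount and date under a different number (a re-keyed
    invoice). Returns sorted (rule, first_id, second_id)."""
    exact, near = defaultdict(list), defaultdict(list)
    for inv_id, vendor, no, amt, date in invoices:
        exact[(vendor, norm_invoice_no(no), round(amt, 2))].append(inv_id)
        near[(vendor, round(amt, 2), date)].append(inv_id)
    hits = {("EXACT_DUP", a, b) for ids in exact.values() for a, b in combinations(ids, 2)}
    hits |= {("NEAR_DUP", a, b) for ids in near.values() for a, b in combinations(ids, 2)
             if ("EXACT_DUP", a, b) not in hits}
    return sorted(hits)

def dollars_at_risk(hits, invoices=INVOICES):
    """Overpayment exposure: the amount of the second invoice in each duplicate pair."""
    amount = {inv_id: amt for inv_id, _, _, amt, _ in invoices}
    return round(sum(amount[b] for _, _, b in hits), 2)

JOURNALS = [   # (id, posted_by, posted_at, amount, description), constructed
    ("J1", "carol", "2009-03-31 17:05", 12500.00, "Accrual - March consulting"),
    ("J2", "carol", "2009-04-04 23:40", 50000.00, "adjustment"),
    ("J3", "erin", "2009-04-01 09:15", 3210.44, "Depreciation April"),
    ("J4", "dave", "2009-04-01 10:00", 999999.00, "reclass"),
]
FINANCE_USERS = {"carol", "erin"}                     # expected journal posters (assumed)
VAGUE_DESCRIPTIONS = {"adjustment", "reclass", "misc", "correction"}

def journal_red_flags(journals=JOURNALS, finance=FINANCE_USERS):
    """Score every entry against common fraud indicators: weekend or off-hours
    posting, large round amounts, vague descriptions, posters outside finance.
    Returns (id, score, flags) sorted so the highest-scoring entries come first."""
    out = []
    for je_id, who, posted_at, amt, desc in journals:
        t = datetime.strptime(posted_at, "%Y-%m-%d %H:%M")
        flags = []
        if t.weekday() >= 5:
            flags.append("WEEKEND")
        if t.hour >= 22 or t.hour < 6:
            flags.append("OFF_HOURS")
        if amt >= 10000 and amt % 1000 == 0:
            flags.append("ROUND_AMOUNT")
        if desc.strip().lower() in VAGUE_DESCRIPTIONS:
            flags.append("VAGUE_DESCRIPTION")
        if who not in finance:
            flags.append("NON_FINANCE_POSTER")
        if flags:
            out.append((je_id, len(flags), flags))
    return sorted(out, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    dups = duplicate_invoices()
    print("duplicate invoices:", dups, "exposure:", dollars_at_risk(dups))
    for row in journal_red_flags():
        print("journal entry:", row)
```

The duplicate test deliberately keys on a normalized invoice number, since the re-keyed "inv 1001" is the typical way a second payment slips past an exact-match check, and the journal scoring returns a ranked list rather than a yes/no so that the exception review described on slide 11 can start with the highest-scoring entries.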
  • 22. Speakers' Bios.
    Peter Rosenzweig has more than 17 years of experience in the assessment, design, and implementation of complex risk management and internal control frameworks, including IT risk and control structures. Peter serves as regional subject matter resource in the application of Ernst & Young's Enterprise Risk Management methodology and has assisted various large organizations with the implementation or transformation of enterprise-wide risk management capabilities. Phone: 213.977.5849 [email protected]
    Paul de Guzman is a Los Angeles-based Senior Manager with nine years of experience serving a variety of clients in both an assurance and advisory capacity. Services rendered by Paul to his clients include IT General Controls audit support, IT and business process and controls enhancement, SAS 70 audits, and system pre- and post-implementation reviews. In addition, Paul provides data analytics in support of assurance services, contract risk services, fraud reviews, and continuous controls monitoring initiatives. Phone: 213.977.7692 [email protected]
  • 23. Thank you