1. Continuous Control Monitoring and Data Analytics AIA SOX
Conference May 11, 2009
2. Continuous Controls Monitoring (CCM)
3. Continuous monitoring vs. audit vs. assurance
   Continuous monitoring refers to the processes that management puts
   in place to ensure that the policies, procedures, and business
   processes are operating effectively.
   [Diagram labels: Continuous assurance; Audit; Results of continuous
   auditing and continuous monitoring process; Audit testing of CM;
   Continuous auditing; Management; Continuous monitoring; Activities,
   transactions and events; Business systems and processes]
   Source: The IIA Global Technology Audit Guide - Continuous
   Auditing: Implications for Assurance, Monitoring, and Risk
   Assessment
   Page 3 May 11, 2009 CCM and Data Analytics
4. What is continuous control monitoring (CCM)?
   Continuous Controls Monitoring (CCM) is an integrated set of
   processes and techniques, enabled by technology, which is designed
   to help an organization:
   - Automate the monitoring of the control environment
   - Identify control exceptions continuously based upon pre-defined
     business rules
   - Identify process improvement opportunities and underlying root
     causes
   - Reduce risk spend
5. Trends in the deployment of CCM
   Key trends:
   - Many CCM deployments are focused mainly on access (SoD) and
     application controls; interest in transaction monitoring is
     increasing
   - Budget and ownership of CCM is coming from Internal Audit;
     long-term ownership resides in the business functions
   - Software tools to extract data and monitor controls are maturing
   [Risk chart, axes: Impact (L to H) and Likelihood (L to H)]
   - Day-to-day risks may be acceptable or require some form of self
     assessment
   - CCM: Mid-level risk areas may be suitable for automated analytics
     on data that is IT dependent and/or processed manually
   - Internal Audit: More judgmental risks and estimation processes may
     require more rigorous analytics and manually intensive assessment
     procedures
6. Areas of Focus: Segregation of Duties
   [Diagram labels: Internal control environment; Key Stakeholders;
   Segregation of duties; Configurable controls; Master file and
   transaction data]
   - Detect and/or prevent user access and segregation of duties
     violations
   - Identify and monitor users with access to sensitive areas within
     the application
   - Facilitate user access provisioning and periodic access review
     process related to IT general controls
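An added example (not part of the original slides) of the segregation of duties check described on this slide: pre-defined conflict rules are evaluated against each user's effective entitlements, so conflicts that only arise from a combination of roles are caught. All entitlement names, roles and users are constructed for illustration.

```python
# Constructed sample data: entitlement names, roles and users are hypothetical.
SOD_RULES = {
    "Maintain vendor master + release payments":
        ("vendor_master.maintain", "ap.payment.release"),
    "Post + approve journal entries": ("je.post", "je.approve"),
}
SENSITIVE = {"ap.payment.release", "security.assign_roles"}

ROLE_ENTITLEMENTS = {
    "AP_CLERK": {"ap.invoice.enter", "vendor_master.maintain"},
    "AP_MANAGER": {"ap.payment.release", "je.approve"},
    "GL_ACCOUNTANT": {"je.post"},
    "SEC_ADMIN": {"security.assign_roles"},
}
USER_ROLES = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_CLERK", "AP_MANAGER"],   # conflict exists only in combination
    "carol": ["GL_ACCOUNTANT", "AP_MANAGER"],
    "dave": ["SEC_ADMIN"],
}

def effective_entitlements(user):
    """Map each entitlement the user holds to the roles that grant it."""
    granted = {}
    for role in USER_ROLES.get(user, []):
        for ent in ROLE_ENTITLEMENTS.get(role, set()):
            granted.setdefault(ent, []).append(role)
    return granted

def sod_violations():
    """Return (user, rule, roles granting side A, roles granting side B)."""
    findings = []
    for user in sorted(USER_ROLES):
        granted = effective_entitlements(user)
        for rule, (a, b) in SOD_RULES.items():
            if a in granted and b in granted:
                findings.append((user, rule, granted[a], granted[b]))
    return findings

def sensitive_access():
    """Return {user: sensitive entitlements held} for periodic access review."""
    report = {}
    for user in sorted(USER_ROLES):
        held = SENSITIVE & effective_entitlements(user).keys()
        if held:
            report[user] = sorted(held)
    return report

if __name__ == "__main__":
    for finding in sod_violations():
        print("SoD exception:", finding)
    print("Sensitive access:", sensitive_access())
```

Reporting the granting roles with each exception tells the control owner which assignment to remove or mitigate.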
7. Areas of Focus: Configurable Controls
   [Diagram labels: Internal control environment; Key Stakeholders;
   Segregation of duties; Configurable controls; Master file and
   transaction data]
   - Detect changes made to critical configurable controls settings
   - Verify that system patches and program changes do not impact the
     integrity of configurable controls
   - Enable comparison of configurable controls across business units
     and against leading practices
8. Areas of Focus: Master File and Transaction Data
   [Diagram labels: Internal control environment; Key Stakeholders;
   Segregation of duties; Configurable controls; Master file and
   transaction data]
   - Monitor master file data and architecture for unauthorized or
     unusual changes
   - Monitor transaction data for control exceptions based on
     pre-defined business rules
9. Optimizing the value of CCM deployments
   To harvest the greatest value from a CCM deployment, the strategy
   should encompass security, controls, and process improvement
   objectives and sufficiently cover end-to-end processes.
   [Chart, axes: Value of CCM Initiative vs. Maturity of CCM
   Competency; stages from lowest to highest]
   - Compliance management. Focus: monitoring of access controls / SoD
     requirements
   - Controls Improvement. Focus: automated application controls
     testing
   - Process Improvement. Focus: automated transactional analysis
   - Business Improvement. CCM capabilities are repeatable and holistic
   [Chart label: Current State for Many Organisations]
10. CCM process flow
11. Continuous control monitoring - exception management approach
   [Flow diagram]
   Priority risk areas for monitoring:
   - Segregation of duties conflicts
   - General policy violations
   - Routine transaction exceptions
   - Potential fraudulent activity
   - Sensitive transactions / activities
   Business Process Management / Shared Services Center:
   - Control owner notified of exception
   - Review and validate exceptions
   - Remediate and address root cause
   - Document results of exception review and remediation
   Exceptions:
   - Blended approach: Operational controls, SOX controls
   - Shared ownership of exception management process
   - Prioritized approach based on nature of exceptions and
     sensitivity of what is being monitored
   - Increased accountability for controls
   Internal Audit / Compliance / Risk Management Functions:
   - Filter through exceptions
   - Validate exceptions with business owners
   - Remediate and address root cause
   - Document results of exception review and remediation
   Post review activities: monitor controls, trending analysis,
   process improvement, dashboards
12. The importance of a proper CCM road map
   A proper methodology is key to ensure that CCM objectives are
   properly captured, incorporated, and sustained.
   [Road map diagram]
   Phases: Planning; CCM Road Map & Design; Rollout
   Steps, in order:
   - Define the CCM Vision
   - Perform CCM Diagnostic
   - Identify Application & Automated Controls
   - Assess and Remediate Controls
   - Configure CCM Solution
   - Process Reengineering & Define Supporting Policies
   - Training on Solution, Reengineered Processes & Policies
   - Evaluate Results
   - On-Going Support
   Spanning all phases: Executive Sponsorship; ROI Analysis; Project
   Management
13. Select CCM tools in the market
   [Table: CCM tools against monitoring capabilities. Capability
   columns: Segregation of Duties; Configurable Controls; Master File
   & Transaction Data]
   CCM Tools:
   - ACL (Continuous Controls Monitoring Solution)
   - Approva
   - Aveksa
   - Blackline (Financial Statement Close Process)
   - IDEA
   - Oracle GRC (formerly Logical Apps)
   - Oversight
   - SAP GRC (formerly Virsa)
   Ernst & Young does not endorse any of these vendors or products
   listed above.
14. CCM screenshot illustrative example
15. Data Analytics
16. Data analytics maturity model
   Level 1, Initial:
   - No formal data analytics approach, procedures or methodology
   - Performed occasionally at best
   - Tools are not readily available
   - Dependent on skills of limited number of SMRs
   Level 2, Repeatable:
   - Recognized as a value-add to the audit
   - Not yet institutionalized
   - Relies on a central group or single person
   - Tools are at a disposal, however not applied consistently or
     correctly
   Level 3, Defined:
   - Established data analytics methodology
   - Use of analytics is championed by mgmt.
   - Creation of data analysis models
   - Understanding of the business meaning of data analytic procedures
     and results
   - Increased proficiency in use of tools
   Level 4, Managed:
   - Methodology is institutionalized
   - Management involved in the on-going data analytical processes,
     procedures and results
   - Management understands business issues and root cause
   - Re-performance of data analytic procedures
   - Advanced tools are used effectively
   Level 5, Optimizing:
   - Practices evolved in level 1 through 4 are used to continually
     improve data analysis efforts
   - Use of data analysis for continuous controls monitoring
17. Data analytics framework
   [Pyramid diagram, top to bottom]
   - Business Intelligence, "What will happen?": Predictive Data
     Modeling (Statistical, Econometric, Scenario-Based Modeling and
     Validation)
   - Knowledge, "Why did it happen?": Revenue-Sharing Models, Root
     Cause Analysis, Legal Compliance
   - Information, "What happened?": Descriptive Data Analysis
     (Forensic Evidence, Queries, Profiling, MDA, Data/Text Mining,
     Benchmarking, Surveys)
   - Data, "Is your data reliable?": Information Management (Data
     Governance, Data Conversion, Data Integrity)
18. Comparison of data analytics to traditional audit methods
   Traditional method:
   - Typically labor-intensive manual collection / evaluation
   - Limited samples / relatively infrequent tests
   - Narrow time period / stressful remediation
   - Test procedures are limited in scope
   - Capability / benefit tends to lessen with complexity and as the
     organization evolves
   Data analytics:
   - Increased insight
   - Typically automated collection / evaluation
   - High sample sizes / decreased false positives
   - Frees up resources to focus on other high-risk areas
   - Frequent, faster and more accurate analysis
   - Decrease in opportunity for human error
   - Incremental and more extensive testing is practical
   - Capability / benefit tends to increase with complexity and as the
     organization evolves
   [Chart labels: Investment required; Benefits earned]
   Relatively higher initial costs for analytics can yield
   significantly more long-term benefit.
19. Enhancing the audit process using data analytics
   - Create sustainable methods for risk assessment and monitoring of
     the control environment
   - Deploy resources effectively to accomplish audit plan objectives
   - Quantify impact of identified issues in terms of dollars and
     frequency
   - Increase focus on fraud detection procedures
   - Gain valuable insight into business process and improvement
     opportunities
   - Respond quickly to changing business needs and compliance
     requirements with flexible and repeatable procedures
   - Forms the basis of continuous controls
20. Applying analytics across the audit process
   Audit activity: example opportunities to use data analytics
   Risk assessment:
   - Identify risk assessment priorities by using information gathered
     from trend analysis, financial ratios and comparisons
   - Assist with determining scope of audit plan activities (by
     size/relevance)
   Audit planning:
   - Provide a preliminary scan of relevant audit information to drive
     project scope, sampling and fieldwork procedures
   Fieldwork procedures:
   - Support testing of controls in an efficient and comprehensive
     manner
   - Identify anomalies, trends and potential fraud indicators
   - Supplement sample testing approaches with full-coverage data
     analytics
   Reporting:
   - Provide quantifiable, fact-based information for reportable issues
     and exceptions
   - Supplement reporting with statistical and graphical information
     gathered during the audit
   Monitoring and trending:
   - Automate the ongoing monitoring of the control environment to a
     sustainable effort through timely exception notification and
     review
   - Analyze trends in the company's risk profile and identify
     opportunities for improvement
21. Example data analytics
   - Access monitoring analytics
   - Segregation of duties assessment
   - Key configuration changes
   - Financial statement computer assisted audit techniques
   - Journal entry analytics
   - Accounts receivable analytics
   - Contract audit analytics
   - Royalty payment recalculations (incorrect sales figures, royalty
     rates)
   - Invoicing inaccuracies (overpayments, duplicate transactions)
22. Speakers' Bio
   Peter Rosenzweig has more than 17 years of experience in the
   assessment, design, and implementation of complex risk management
   and internal control frameworks, including IT risk and control
   structures. Peter serves as regional subject matter resource in the
   application of Ernst & Young's Enterprise Risk Management
   methodology and he has assisted various large organizations with
   the implementation or transformation of enterprise-wide risk
   management capabilities. Phone: 213.977.5849

   Paul de Guzman is a Los Angeles-based Senior Manager with nine
   years of experience serving a variety of clients in both an
   assurance and advisory capacity. Services rendered by Paul to his
   clients include IT General Controls audit support, IT and business
   process and controls enhancement, SAS 70 audits, and system pre-
   and post-implementation reviews. In addition, Paul also provides
   data analytics in support of assurance services, contract risk
   services, fraud reviews, and continuous controls monitoring
   initiatives. Phone: 213.977.7692