
Upload: vantram

Post on 08-Mar-2018


The full scope of services within the Continuous Auditing / Continuous Monitoring (CACM) Methodology Guide is not permissible for SEC audit clients and IFAC PIE clients and their affiliates. CACM services are generally permissible for IFAC non-PIE audit clients subject to evaluating engagement circumstances using the conceptual framework (i.e. threats and safeguards approach) as outlined in the Global Quality & Risk Management Manual Chapter 11. Refer to the contents of the Independence guidance on slides 11-20 of the CACM Methodology Guide for detailed guidance. The Independence guidance was updated in 2013. The remaining content is unchanged.

Continuous Auditing / Continuous Monitoring to Manage Risk and Performance

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

KPMG and the KPMG logo are registered trademarks of KPMG International Cooperative (“KPMG International”), a Swiss entity.


© 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Agenda

• Appetite for CA/CM
• Background on CA/CM
• CA/CM Overview
• Drivers Influencing CA/CM Strategies
• An Illustration of CA/CM
• Why implement CA/CM?
– Challenges and Requirements for Implementation
– How do we get Started?
– Implementation of CA/CM
• Dimensions of CA/CM
• Enabling with Technology
• Sample Implementation Model
• The Value Proposition
• Key Success Factors of CA/CM
• How can KPMG help?


Appetite for CA/CM

Survey Data – Risk and Control Innovations – Next Three Years

Survey of 435 Senior Executives

What risk and control innovation themes exist in your organization?


Background on CA/CM

What is different this time?

“Historical”
• theoretical concept – “Mostly Academic View”
• lacked executive support
• technologically cumbersome
• too costly to implement
• lack skills
• compliance-based auditing.

“Current”
• significant advances in technology
• practical and realistic – aligning frequency to risks
• business and value drivers more evident
• technology options are becoming cost effective
• evolving skills in internal audit function.

What is different for you – is the concept becoming a reality?


CA/CM Overview

Definitions

How is your organization defining the CA/CM initiative?

Continuous Monitoring
An automated feedback mechanism used by management to help ensure that systems and controls operate as designed and transactions are processed as prescribed

Continuous Auditing
The collection of audit evidence and indicators, by an internal or external auditor, on IT systems, processes, transactions, and controls on a frequent or continuous basis throughout a period

Continuous Assurance
Providing a continuous or on-demand assurance opinion on systems or transactions


CA/CM Overview

Objectives

Continuous Auditing (Performed by Internal Audit)
• gain audit evidence more effectively and efficiently
• react more timely to business risks
• leverage technology to perform more efficient internal audits
• focus audits more specifically
• help monitor compliance with policies, procedures, and regulations
• become more valuable to the business.

Continuous Monitoring (Responsibility of Management)
• improved governance
• increase visibility into operations
• obtain better information for day-to-day decision making
• strive to reduce cost of controls
• leverage technology to create efficiencies.


Drivers Influencing CA/CM Strategies

CA/CM strategy is influenced by a variety of strategic, operational and external drivers . . .

Uncertain economic environment

increasing business risk

Expanding regulatory and legal risk environment

Pressure to improve governance

Need to improve performance/accountability

Strategic Drivers

Improve leverage of IT Investments

ERP conversion

Occurrence or risk of fraud

Operational Drivers

CA/CM Strategies

Scrutiny from rating agencies/listing standards

External Drivers

Desire to reduce SOX costs

What are the drivers influencing CA/CM in your organization?

Globalization


An Illustration of CA/CM

Let’s Put This Into Perspective - Quick example

Risk – quality of customer balances

Continuous Auditing – alert the internal audit department when:
• credit limit exceeded by more than 10 percent, AND
• credit limit has been exceeded for more than 15 days, AND
• no payments made by the customer, AND
• new shipment made to customer.

Continuous Monitoring
– alert when credit limit exceeded by 5 percent
– alert when changes made to customer limits in master file.

Both strategies give management indicators of issues that are arising, allowing for pro-active, rather than reactive, actions.
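The customer-balance rules above, written as an added example that is not part of the original slides: the monitoring rule fires on a single threshold or a master-file change, while the auditing rule requires all four conditions together. The field names, the `>=` reading of "exceeded by 5 percent", and the sample accounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

CM_OVER_PCT = Decimal("5")    # CM: alert at 5 percent over limit (assumed inclusive)
CA_OVER_PCT = Decimal("10")   # CA: "more than 10 percent" (strict)
CA_MIN_DAYS = 15              # CA: "more than 15 days" (strict)


@dataclass(frozen=True)
class Account:
    customer_id: str
    credit_limit: Decimal
    balance: Decimal
    days_over_limit: int          # consecutive days with balance above limit
    payments_since_breach: int    # payments received since the limit was first exceeded
    shipments_since_breach: int   # new shipments released since the limit was first exceeded


@dataclass(frozen=True)
class LimitChange:
    customer_id: str
    old_limit: Decimal
    new_limit: Decimal
    changed_by: str


def pct_over_limit(acct):
    """Percentage by which the balance exceeds the credit limit (0 if within limit)."""
    if acct.credit_limit <= 0:
        # A zero limit with an open balance is an unbounded overrun, not a division error.
        return Decimal("Infinity") if acct.balance > 0 else Decimal(0)
    over = (acct.balance - acct.credit_limit) / acct.credit_limit * 100
    return max(Decimal(0), over)


def cm_alerts(accounts, limit_changes):
    """Continuous Monitoring: each condition alerts management on its own."""
    alerts = [(a.customer_id, "over_limit_5pct")
              for a in accounts if pct_over_limit(a) >= CM_OVER_PCT]
    alerts += [(c.customer_id, "limit_changed")
               for c in limit_changes if c.new_limit != c.old_limit]
    return alerts


def ca_alerts(accounts):
    """Continuous Auditing: alert internal audit only when all four conditions hold."""
    return [a.customer_id for a in accounts
            if pct_over_limit(a) > CA_OVER_PCT
            and a.days_over_limit > CA_MIN_DAYS
            and a.payments_since_breach == 0
            and a.shipments_since_breach > 0]


def sample_data():
    """Constructed sample records; not data from the original presentation."""
    d = Decimal
    accounts = [
        Account("C001", d(10000), d(10600), 3, 1, 0),    # 6% over: CM only
        Account("C002", d(20000), d(23000), 21, 0, 2),   # 15% over, 21 days, unpaid, shipped
        Account("C003", d(5000), d(5800), 30, 1, 1),     # 16% over but a payment was made
        Account("C004", d(8000), d(7000), 0, 2, 1),      # within limit
        Account("C005", d(10000), d(11000), 20, 0, 1),   # exactly 10%: not "more than"
        Account("C006", d(0), d(500), 2, 0, 1),          # zero limit with open balance
    ]
    changes = [LimitChange("C004", d(8000), d(15000), "user_a")]
    return accounts, changes


if __name__ == "__main__":
    accts, chgs = sample_data()
    print("CM:", cm_alerts(accts, chgs))
    print("CA:", ca_alerts(accts))
```

Only C002 reaches internal audit, while management sees five threshold alerts and the limit change on C004, which shows how the compound auditing rule narrows the same data to the cases worth an auditor's time.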


Let’s Put This Into Perspective

Quick examples

Risk – Possible Fictitious Vendor

Continuous Monitoring
– vendor address matches a commercial mail receiving agency
– multiple, similar vendor names with different vendor IDs in vendor master file
– vendor Taxpayer ID matches an Employee Social Security Number (SSN)
– vendor telephone number appears to be a mobile telephone number.

Continuous Auditing – alert the internal audit department when:
• address matching risk profile (seasonal, prison, CMRA, etc.), AND/OR
• labeled as a “one-time” vendor, AND/OR
• taxpayer ID matches employee SSN, AND/OR
• telephone number matches an employee.
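An added example, not part of the original slides, of running the fictitious-vendor rules against master-file tables: each auditing condition is a query joining vendor and employee data on normalized values, and the similar-name monitoring check groups vendors by a normalized name key. The schema, rule names, suffix list and all records (including the deliberately invalid 000-prefixed SSNs) are constructed assumptions; the mobile-number check is not covered because it needs numbering-plan data.

```python
import re
import sqlite3
from collections import defaultdict

SUFFIXES = {"inc", "llc", "ltd", "corp", "co"}  # legal-form noise ignored when comparing names


def digits(value):
    """Keep digits only so '000-12-3456' and '000123456' compare equal; NULL becomes ''."""
    return re.sub(r"\D", "", value or "")


def norm_addr(value):
    """Upper-case, drop punctuation and collapse whitespace before comparing addresses."""
    return " ".join((value or "").upper().replace(".", "").replace(",", " ").split())


def name_key(name):
    """Normalized vendor name used to spot near-duplicate master records."""
    tokens = re.findall(r"[a-z0-9]+", (name or "").lower())
    return "".join(t for t in tokens if t not in SUFFIXES)


# One query per Continuous Auditing condition; empty values never count as a match.
RULES = {
    "address_matches_risk_profile":
        "SELECT DISTINCT v.vendor_id FROM vendor v JOIN risk_address r "
        "ON norm_addr(v.address) = norm_addr(r.address) WHERE norm_addr(v.address) <> ''",
    "one_time_vendor":
        "SELECT vendor_id FROM vendor WHERE one_time = 1",
    "tax_id_matches_employee_ssn":
        "SELECT DISTINCT v.vendor_id FROM vendor v JOIN employee e "
        "ON digits(v.tax_id) = digits(e.ssn) WHERE digits(v.tax_id) <> ''",
    "phone_matches_employee":
        "SELECT DISTINCT v.vendor_id FROM vendor v JOIN employee e "
        "ON digits(v.phone) = digits(e.phone) WHERE digits(v.phone) <> ''",
}


def build_db():
    """In-memory database with constructed sample master data."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("digits", 1, digits)
    conn.create_function("norm_addr", 1, norm_addr)
    conn.executescript("""
        CREATE TABLE vendor (vendor_id TEXT PRIMARY KEY, name TEXT, tax_id TEXT,
                             phone TEXT, address TEXT, one_time INTEGER);
        CREATE TABLE employee (emp_id TEXT PRIMARY KEY, ssn TEXT, phone TEXT);
        CREATE TABLE risk_address (address TEXT PRIMARY KEY, profile TEXT);
    """)
    conn.executemany("INSERT INTO vendor VALUES (?,?,?,?,?,?)", [
        ("V100", "Acme Supplies Inc.", "00-0000001", "555-0100", "100 Main St., Springfield", 0),
        ("V101", "ACME Supplies, LLC", "00-0000002", "555-0101", "102 Main St., Springfield", 0),
        ("V200", "Northwind Consulting", "000-12-3456", "555-0199", "7 Oak Ave, Shelbyville", 0),
        ("V300", "Quick Fix Repairs", "00-0000003", "555-0177", "500 Parcel Way #12, Springfield", 1),
        ("V400", "Blue Harbor Freight", None, None, None, 0),   # incomplete record
    ])
    conn.executemany("INSERT INTO employee VALUES (?,?,?)", [
        ("E1", "000123456", "555 0199"),
        ("E2", "000-98-7654", "555-0150"),
        ("E3", None, None),                                      # incomplete record
    ])
    conn.execute("INSERT INTO risk_address VALUES (?,?)",
                 ("500 Parcel Way #12 Springfield", "CMRA"))
    return conn


def audit_flags(conn):
    """Continuous Auditing: vendor_id -> sorted list of conditions met (AND/OR, so any one alerts)."""
    flags = defaultdict(list)
    for flag, sql in RULES.items():
        for (vendor_id,) in conn.execute(sql):
            flags[vendor_id].append(flag)
    return {vid: sorted(found) for vid, found in sorted(flags.items())}


def similar_name_groups(conn):
    """Continuous Monitoring: vendor IDs that share one normalized name."""
    groups = defaultdict(list)
    for vendor_id, name in conn.execute("SELECT vendor_id, name FROM vendor"):
        groups[name_key(name)].append(vendor_id)
    return sorted(sorted(ids) for key, ids in groups.items() if key and len(ids) > 1)


if __name__ == "__main__":
    db = build_db()
    print(audit_flags(db))
    print(similar_name_groups(db))
```

The normalization step is what makes the matches work: without it, the differently formatted tax ID and phone number on V200 would not equal the employee's values, and the incomplete records V400 and E3 would match each other on empty fields.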


An Illustration

End-to-End CA/CM Process from technical perspective

[Diagram: Data servers, Databases, CA/CM tool, Mail server, Web server, CM Dashboard, CA Dashboard, Audit Work papers, Tool Manager, Line Manager, Auditor, Create rules; flows numbered 1 to 5 as listed below]

1. Rules created in CA/CM tool
2. Rules run against databases
3. E-mail alerts to auditors/management
4. CA/CM tool populates web server
5. Dashboard provides summary and drill down capability for auditors/management


Why implement Continuous Auditing?

CA can help enhance organizational value and offers a broad range of potential benefits . . .

Reduced Complexity
• reduction of complexity through global process standardization, thereby easing review
• appropriate setting and consistency of materiality thresholds
• automated exception report production – focus on the real issues
• regulatory compliance can be audited.

Enhanced Controls
• corrections of errors moved closer to the “source”
• enhanced visibility of Internal Audit within the business and improved deterrence effect
• assist in providing valuable insight to controls effectiveness and business process risks associated with outsourced business processes
• ability to audit the “monitoring” function from an Internal Audit perspective, providing an additional layer of governance.

Earlier Information
• improved speed of reporting to the business
• reduced surprises, problems do not build up
• enhanced leverage of system functionality
• identification of misuse and misconduct
• identification of errors earlier and when issues are fresh
• ability to proceed with root cause analysis for errors, policy violations, fraud and misconduct in a more timely manner.

Greater Efficiency
• audit by exception
• automate components of the audit program, audit tests or review procedures
• known control gaps and deficiencies can be continuously audited
• reduced wait times for data
• reduction of low value-added work
• improved maintenance of a dynamic and relevant risk profile
• automate manual processes
• reduced travel costs by automation of testing.

… which will help Internal Audit to add more value to the business


Why implement Continuous Monitoring?

CM can help enhance organizational value and offers a broad range of potential benefits . . .

Reduced Complexity
• greater visibility as to how processes are functioning
• appropriate setting and consistency of thresholds
• regulatory compliance can be monitored
• ability to standardize process measures across locations
• demonstrate good governance – use leading edge approach.

Enhanced Controls
• corrections of errors moved closer to the “source”
• automated controls
• control gaps and deficiencies can be monitored for circumvention and/or exploitation
• ERP system and/or business process limitations and deficiencies can be addressed
• automated fraud prevention and detection activities.

Earlier Information
• improved speed of information delivery to the business
• reduced surprises, problems do not build up
• better information for decision making
• ability to progress with root cause analysis for errors, policy violations, fraud and misconduct in a more timely manner.

Greater Efficiency
• reduction of work duplication
• increased use of automation
• enhanced ability to identify and correct errors
• more time for value adding analysis instead of error correction
• reduced manual SOX testing
• reduced travel costs by automation of testing and remote monitoring.

… which results in more focused time to add value to the business


Challenges and Requirements for Implementation

Challenges
• thought leadership - lack of content (e.g., business process specific, industry specific)
• people - lack of deep industry and functional specialization (e.g., Governance, Risk and Compliance specialization; Fraud and Forensic Investigative specialization)
• reliability, accessibility, and availability of data
• consistency of business processes
• change management - impact of changing embedded processes, resistance to change.

Requirements
• technology intensive - virtual real time monitoring requires sophisticated technology
• thorough business process and industry content knowledge
• knowledge of and linkage to enterprise risk exposures
• senior management sponsorship.

The full scope of services is not permitted for audit clients or their affiliates. See detailed guidance regarding independence on slides 9 and 10 of the methodology guide.


Implementation of CA/CM – How do we get started?

KPMG Framework


Implementation of CA/CM

KPMG Framework

The implementation model

Plan and scope the engagement

Perform the auditing or monitoring

Plan Design Implement Assess Execute Evaluate

Revisit the process according to results produced

To be removed before printing: Services provided within the “Design” phase are prohibited for SEC audit clients. Services provided within the “Implement”, “Execute” and “Evaluate” phases are restricted for SEC audit clients. Refer to the CA/CM Methodology Guide for further information as well as local office risk management policies and guidelines.


Our approach is designed to provide an efficient, consistent and repeatable process…

Plan Design Implement Assess Execute Evaluate

Current state assessment

CA/CM implementation plan

Needs and requirements summary

[Text from slide thumbnail]

INITIATIVES

FUTURE – DO WELL
• Working in partnership with the business we will define and deliver Vodafone’s management information requirements, implementing a robust governance process to ensure continuous business information integrity, relevance and value

• < 1 per month per OpCo
• 100%
• Real time
• 100% commonality
• Milestones achieved on time and to budget

TARGETS

REQUIRED / PLANNED
• Creation of MI function
• Definition and communication of role of finance in management information
• Define data ownership/source/policy
• Define group, global and OpCo data and info needs
• Effective MI governance function
• Clarification and effective communication of matrix management roles and responsibilities
• Select IT infrastructure and platform
• Build solution
• Group Technology single billing system
• Common chart of accounts
• Many country based piecemeal projects
• Global Performance Management project
• Global HR Scorecards
• Spend analysis vendor
• One Vodafone
• DCC (Data Centre Consolidation)
• Hyperion committee
• Local OpCo data warehouses

CURRENT / TODAY’S ENVIRONMENT

MEASURES
• Reduced level of ad hoc reporting
• New report requests referred to MI function
• Speed of data delivery
• Commonality of data definitions across Vodafone
• Execution of plan to deliver

People
• Dedicated management information function
• Clearly defined role for finance in management information

Content and governance
• Strong governance process for management information
• Linked to strategic value drivers
• Agreed criteria for content
• Content optimised on cost and value
• Single, trusted view of performance

Systems
• Single group wide, global data warehouse
• Automated extraction, transformation and loading of data

Functionality
• Delivery of product/segment/customer profitability reporting
• Delivery of real time management information (daily/weekly/monthly)

CRITICAL OBJECTIVE: INSIGHTFUL MANAGEMENT INFORMATION


Gap analysis

[Figure: sample roadmap on a timeline from 31.3.06 to 31.3.11 with six workstreams: 1) Management information, 2) Simplify business planning, 3) Developing a great team, 4) Finance shared services, 5) Standardize systems including implementing global ERP, 6) Sarbanes Oxley]

Data maps and dictionaries

Set-up for data extraction activities

Selected CA/CM tools

Exception reports

[Figure: “Reluctance to use high savings tools”, a chart of “% seeing as important” and “Average savings” for domestic outsourcing, off shoring, shared service centres, process optimisation and service channels]

Risk assessment

[Figure: risk heat map. Risk consequence axis: Insignificant, Minor, Moderate, Major, Catastrophic. Likelihood axis: Remote, Unlikely, Possible, Likely, Almost certain. Individual risks are plotted by reference (1a to 5c).]

Risk and controls by company (SCANA Services, SCE&G, PSNC Energy, SEMI, SCPC, SCANA Comm, Prime South)

Risk: Inappropriate credit measurement - Financial losses can result from counterparty failure to meet financial or operational contract terms.
• SCANA Services: Periodic monitoring of credit exposures; Credit guidelines approved by RMC
• SCE&G, PSNC Energy, SEMI, SCPC: Periodic monitoring of credit exposures, Credit guidelines approved by RMC; Regulatory rules; Standard contact terms; Netting agreements; Collateral and letters of credit; Credit reserves
• SCANA Comm, Prime South: Periodic monitoring of credit exposures, Credit guidelines approved by RMC; Regulatory rules; Standard contact terms; Collateral and letters of credit; Credit reserves

Risk: Excessive concentration risk - Financial losses can result from excessive concentration of credit exposure to a specific counterparty, region or market segment.
• SCANA Services, SEMI, SCANA Comm, Prime South: Periodic measurement of counterparty credit exposures for all companies by the CDD; Credit guidelines approved by RMC; Reporting of exposures to RMC
• SCE&G, PSNC Energy, SCPC: N/A

Risk: Inappropriate credit collateral management - Financial losses can result from failure to collect adequate collateral or to recall posted collateral.
• SCANA Services: None
• SCE&G, PSNC Energy, SEMI, SCPC, SCANA Comm, Prime South: Management by credit & collections group based on credit scoring and arrears

Risk: Inappropriate credit contract terms and conditions - Financial losses can result from failure to develop, review and maintain adequate contract credit provisions.
• All seven companies: CCD reviews procurement and sales contract terms for all companies; Legal contract licensing group tracks contract legal terms; Use of standardized contracts with approved creditworthiness clause provisions

Controls Assessment

• confirm and prioritize areas to be addressed

• define measures and thresholds

• assist client with selecting the best CA/CM tool(s)

• confirm implementation plan.

• roll out implementation plan

• set-up for data extraction activities

• assist with other ongoing program activities through the implementation.

• run queries and routines

• assist with identification of root cause of exceptions/results

• assist with training available resources.

Activities

Phase

Potential Deliverables

• gather relevant information

• perform risk assessment

• perform current state assessment

• perform gap analysis

• assist with drafting the desired state.

• conduct a post implementation assessment

• identify potential improvements

• discuss control gaps and weaknesses.

Post implementation assessment

[Figure: risk heat map placing risk items 1a to 5c on a grid of Risk Consequence (Insignificant, Minor, Moderate, Major, Catastrophic) against the scale Remote, Unlikely, Possible, Likely, Almost certain.]

Engagement letter Lessons learned

INITIATIVES

FUTURE – DO WELL

• Working in partnership with the business we will define and deliver Vodafone’s management information requirements, implementing a robust governance process to ensure continuous business information integrity, relevance and value

• < 1 per month per OpCo
• 100%
• Real time
• 100% commonality
• Milestones achieved on time and to budget

TARGETS

REQUIRED PLANNED

• Creation of MI function

• Definition and communication of role of finance in management information

• Define data ownership/source/ policy

• Define group, global and OpCo data and info needs

• Effective MI governance function

• Clarification and effective communication of matrix management roles and responsibilities

• Select IT infrastructure and platform

• Build solution

• Group Technology single billing system

• Common chart of accounts

• Many country based piecemeal projects

• Global Performance Management project

• Global HR Scorecards

• Spend analysis vendor

• One Vodafone

• DCC (Data Centre Consolidation)

• Hyperion committee

• Local OpCo data warehouses

CURRENT

TODAY’S ENVIRONMENT

MEASURES

• Reduced level of ad hoc reporting
• New report requests referred to MI function
• Speed of data delivery
• Commonality of data definitions across Vodafone
• Execution of plan to deliver

People
• Dedicated management information function
• Clearly defined role for finance in management information

Content and governance
• Strong governance process for management information
• Linked to strategic value drivers
• Agreed criteria for content
• Content optimised on cost and value
• Single, trusted view of performance

Systems
• Single group wide, global data warehouse
• Automated extraction, transformation and loading of data

Functionality
• Delivery of product/segment/customer profitability reporting
• Delivery of real time management information (daily/weekly/monthly)

CRITICAL OBJECTIVE: INSIGHTFUL MANAGEMENT INFORMATION



• determine client objectives with key stakeholders

• prepare engagement approach with team

• kick-off the project.

The full scope of services is not permitted for audit clients or their affiliates. See detailed guidance regarding independence on slides 9 and 10 of the methodology guide.


© 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Dimensions of CA/CM Interrelationship of CCM, CTM and Macro Analysis

Controls Dimension (Continuous Controls Monitoring)

Transactions Dimension (Continuous Transaction Monitoring)

Analytical Dimension

Risk and Performance Monitoring is optimized when all three dimensions are implemented

Macro Analysis (e.g., Number of Purchase Orders per week)

Changed or Deleted Controls

Types of Analysis (e.g., rules, statistical, link mining, etc.)

Risk/Performance


Enabling with Technology: Considerations

Types of Technology Tools (Evolving)

• Continuous Control Monitoring (CCM)
− Application configuration parameters
− User access and segregation of duty analysis
− Examples of available tools

• Continuous Transaction Monitoring (CTM)
− transaction attribute analysis
− transaction pattern analysis
− examples of available tools.

Technology Selection Considerations

• Technical
– infrastructure limitations
– availability of data and number of sources
– level of sophistication of IT personnel.

• End User Requirements
– transaction monitoring
– control and configuration monitoring
– case management/remediation tracking
– master data monitoring.


Enabling with Technology: Additional Considerations

What are the objectives?
– IA, IA for Mgt or both
– Strengthen IA data analytics.

What are the anticipated areas of focus?
– ERP? Non-ERP? Both?
– Controls, transactions, macro analysis
– Risk types? (e.g., fraud, performance, waste, regulatory compliance).

How will the analysis be performed?
– Embedded, extracted
– Frequency: regular, repeatable, near real-time.

Required sophistication of analytic functionality
– Rules, statistical, temporal, artificial intelligence.

Exception handling
– Alerts
– Aggregation, prioritization, scoring
– Assignment, investigation, resolution, documentation.

Reporting and dashboard capabilities

Impact on system performance (extraction)

Required speed of analysis and hardware requirements (daily analytics)

Cost


Enabling with Technology: Two Main Technology Types

Type 1 – Embedded Monitor at Source
Examples: SAP® GRC, Oracle® GRC, Approva®

[Diagram: data sources (Database, Oracle, SAP); parties Auditee and Auditor; steps Monitor, Report, Followup.]


Enabling with Technology: Two Main Technology Types

Type 2 – Data Analytics
Examples: ACL®, IDEA®, SAS®, Approva, Business Objects®

[Diagram: data sources (Database, Oracle, SAP); parties Auditee and Auditor; steps Extract, Upload, Test, Review, Followup.]


Sample Implementation Model Combination CA/CM Approach

[Diagram labels: Organization; Operations; ERP Systems; Financial Applications; Management; CM Application (Mgmt); Internal Audit; CA Application.]


The Value Proposition: Benefits of Implementing CA/CM

Board of Directors; Management; Internal Audit

Improved insight into the business risks across the enterprise

Improved corporate governance

Potential for improved reporting to the board

Allows senior management to have greater visibility into the organization—enhancing its oversight capabilities

Improved corporate governance

Improved information for day-to-day decision making

Reduction of work duplication

Improved leverage of IT investment

Reducing surprises

Identification of ‘issues’ closer to occurrence

Better able to test a broader range of controls, including security, segregation of duties, and process level controls at a reduced cost and on a timely basis

Improved speed of reporting to the business

Improved information to focus audit efforts

Improved maintenance of risk profile

CA brings greater efficiency, enhanced controls, earlier information, and reduced complexity


Key Success Factors of Continuous Monitoring

Critical success factors, each followed by how KPMG’s response addresses these vital issues:

Senior executive support
• executive involvement at all stages of the project including opportunity identification, selection, prioritization and sign-off
• clear CM leadership roles to drive cultural change
• identification of control owners to report failures, escalate issues, etc.

Technology tools and experienced resources
• fact-based approach to identification, quantification and prioritization of CM opportunities
• selection of appropriate CM tools to contain costs and speed up communication
• experienced staff who can commence fieldwork immediately.

Established approach to CM
• global continuous monitoring framework and approach
• identification of key control check points
• methodology emphasizes risk and continuous improvement.

Well planned approach
• detailed project initiation and work plan documents
• knowledge of and linkage to enterprise risk exposures
• organization’s risk profile is fundamental to the assessment and design of the CM approach.

Organizational alignment
• incorporation of key line management within the CM project
• partnering with team members to help enable knowledge transfer
• senior industry and functional practitioners.


Key Success Factors of Continuous Auditing

Critical success factors, each followed by how KPMG’s response addresses these vital issues:

Senior executive support
• Executive education on the development of a business case
• Obtain buy-in by the Chief Audit Executive regarding approach
• Commitment to train internal resources

Experienced resources and technology tools
• Experienced staff who hit the ground running
• Thorough business process and industry content knowledge
• Selection of appropriate CA tools to contain costs and speed up communication

Established approach to CA
• Provide root cause analysis capabilities for errors, policy violations, fraud and misconduct
• Identification of key control check points
• Methodology emphasizes continuous improvement

Well planned approach
• Detailed project initiation and work plan documents
• Organization’s risk profile is fundamental to the assessment and design of the CM approach
• Knowledge of and linkage to enterprise risk exposures

Organizational alignment
• Partnering with internal team members to help enable knowledge transfer
• Consistent alignment of goals, measures and incentives
• Audit the “monitoring” function from an Internal Audit perspective

Transition Planning
• Balancing existing internal audit practices with CA
• Managing independence


How can KPMG help?

• Design and implement CA/CM approaches including risk-based:
- Dashboards
- Scorecards
- Analytics (including fraud and regulatory risk specific)
- Reports (area and transaction based)
- Management Protocols
  • Notification
  • Reporting
  • Response
  • Investigation

• Execute individual CA projects

• Evaluate anti-fraud processes that are part of the CA/CM approach.

• Controls automation

• Integration with governance, risk and compliance initiatives

• Coordination with business intelligence initiatives

• Design/incorporate with more sophisticated data analysis initiatives (e.g., predictive modeling, social network analysis)

• Tool/application evaluation and recommendation

• Training

• Risk assessment/scoping.


Contact information

John W. Doe
KPMG LLP
(201) [email protected]
