Continuous Auditing / Monitoring - Transforming Technologies
IIA & ISACA NYC, Oct 26 2012

Michael P. Cangemi, CPA
Former CFO-CEO Aigner & CEO of FEI
Only Past President IIA NY & ISACA NY



Why is a former CFO-CEO

• Here talking about IA & monitoring???
• Main focus is business success – satisfying customers; efficiently + ROI!
• CPA - Early involvement in IT Audit & ISACA Journal; and computerization for efficiency
• Career moved on CAE-CFO-CEO; but the value of leading by using technology innovation stayed in focus

Management Perspective

A slow economy – “Great” recession
High unemployment, lower consumer spending – lower USA – GDP
Difficult business environment
• Cut costs – no revenue growth – cut more
• Keep lots of Cash on hand

Management Perspective IA-ITA

Regulatory: ....SOX wave came and went...increased business cost
• Expanded IA and Compliance and Risk Management efforts – some benefits
• Now focus on lowering cost of Compliance - IC Systems costs sometimes with automated CA and embedding controls
• Trend? -- JOBS Act rolls back SOX for small caps

World Class Audit – One View

Former CAE: What makes a world class audit organization?

• Good people (an organization)
• Following well thought out procedures
• Focused on significant issues and positive deliverables to the business
• Book - Managing the Audit Function

Management, IT, Financial Governance 5 Cangemi Company, LLC

Align IA with management focus

• Difficult Business environment – should lead to innovation – lots of changes

Lower cost – higher imagination

• Get in the flow with management
  • Innovate/Reinvent – Respond
  • MAF: Periodic Audit Mgt Change

What are you changing?

Suggestion for Audit –IT Audit

1. IA - greater coverage lower cost! automate low value tasks,... better, faster, cheaper
   1. Continuous Audit & Monitoring
   2. Analytics and automated GRC
2. Drive bottom line impact.... "advise the business, embed CM controls in operations”
   1. Reduce costs, improve margins, prevent fraud, recover dupe payments and lost revenue; review J/Es etc.

2013 --COSO Refresh

• Operations - opportunity to build in controls and other verifications; expand coverage; find errors early: recover $$$
• Expanded use of automation!!

EDPACS – IA’S Role in CM

• Published 2010. View at www.canco.us
  • selected as #16 best article in last decade
• Continuous Monitoring (CM) is a business operational issue swirling around in the auditing and accounting professions

Recommendations:
1. CA is very valuable, expand your usage
2. Recommend CM to the business

Management Focus -IT Trends

• Expansion of IT - all aspects of operations
• Connectivity - networks - Internet - Cloud
• IT Security ----- and Social Media
• Recent - BIG DATA – structured and unstructured

IT Trends leading to CA-CM

• Questions BIG DATA:
  1. accuracy - need for BD integrity or GIGO - How to clean up BIG Data
  2. How to better manage the business with BIG DATA

IT Trends – Big Data and leveraging IT investments

• First clean up data with CM - Continuous Analysis
• Improve efficiency & effectiveness with BPI - Continuous Business Process Improvement
• Better management of business with BA - Business Analytics; BI - Business Intelligence

Continuous Monitoring- 25 years

• Time to move the chains – using CM
• Time for a “Revolution”

Continuous Monitoring Macro

• Automation – computers, new communications and surveillance devices leads to expansion of monitoring
• I see an ever expanding “Orwellian” interest in monitoring
• Pace may be an issue BUT automated monitoring is expanding in Business; Government; Medical Practices

Apollo 13 – CM is everywhere

Monitoring is everywhere

Federal Express created New Standard
• Lost cell Phone – letter To NY Times

CM New Frontiers

Mercedes Benz M-Class SUV
• ATTENTION ASSIST system continuously monitors over 70 different parameters of driving behavior in the first minutes of a drive to establish a pattern, and can automatically alert the driver with both visual and audible warnings.
• TV Drama – A Person of Interest – Monitors Data and surveillance cameras
• Even George Orwell would be surprised

Government Monitoring

• Government in addition to space travel
  • National Security
  • Terrorist – airport screening
  • Red Lights traffic CM – cameras vs. police
  • compliance – tax W-2; 1099; property tax;
  • motor vehicle monitoring;
  • EZPass – expectation – no duplicate charges

CM Example – Medical Claims Per Forbes Magazine 5-10-10

• Medicare “questionable claims” 10% - $47 Billion of the $480 Billion processed
• Private Insurers health claims, computer systems checks i.e. CM – reduce rate on $600 Billion results in fraud rate 1.5%
• Recommendation – US Gov should adopt the private sector's “pre claim adjudication processes” i.e. CM

Monitoring Macro - Summary

• Business Monitoring:
  • To some degree started with IT Auditing
• Extensive IT Security Monitoring
  • IT people use automation!!
• Expanding into Finance and operations –
  • PtoP, T&E & telecom = cash recoveries
  • FERF Research confirms and expands our understanding

2011 – CM Research

Financial Executives International 2011 FERF Research: The Benefits of CM

FERF 2011 research: The Benefits of Continuous Monitoring

• C-Level focus – for CFOs
• Started with a Literature Search
• 11 company interviews: IBM, UTC, Intel, JC Penney, Microsoft, Wells Fargo, HP...
• KEY FINDING: Leading companies recognize the importance of and use CM

FERF 2011 research: Benefits of CM - Findings

• CM programs require a company focus and commitment of resources:
  • Some focus on ROI
  • Others focus on operational effectiveness and risk reduction - (Intel Quote; Dow SAP)
• CM programs need a champion
  • IA Evangelists – they get CA and CM
  • Emerging CFO & Compliance Departments

Research Observations

Company types:
• Where automation drives operations, CM is indispensable – banks, CME, JCP (POS)
• Implementation is a process
• Important to work with experts who can help set the pace
• Take a CM project from initial implementation to full maturity

FERF 2011 research: Benefits of CM - Findings

• CM often starts with Payment Systems
  • A/P or Claims Payments – due to cash recoveries and ROI
• CM software products available with:
  • Improved capabilities and low cost
  • Experience with implementation
  • Secret Sauce - intelligent monitoring

CM Software Intelligence

• Collaborative Reasoning Engines
  • Including and beyond basic data exceptions
  • Artificial intelligence (IBM Watson)
  • Benford’s law
  • Weighted scoring
  • Inference
  • Pattern and relationship recognition
  • Statistical methods

CM Maturity Model per D&T

CM Software & Secret Sauce!!

CM software company expertise
• build analytics “secret sauce”

Implementation experience
• Assurance and SME Focus: CaseWare IDEA, CaseWare Monitor and ACL
• BIG Data SAP level; Oversight Systems
• PtoP; T&E; JEs; GP – margin optimization; Pricing – revenue recognition; FCPA

CM Software – reporting and tracking

• threshold-oriented reports automatically alert BUSINESS MANAGERS
  • New product CaseWare Monitor
• Knowledge to manage outliers
• built-in report and dashboard features that present continuous risk reports with color-coded risk ratings (i.e., red, yellow, and green) for all key control objectives.

FEI Research -Best Practices

• Continuous Audit – 100%
• P to P (UTC);
• Order to Cash (IBM)
• A/P; T&E; Payroll (MSFT - JCPenney)
• Health Insurance Claims (Blue Cross/Blue Shield of North Carolina)
• Financial Surveillance (CME)
• Apps configurations; IT Risks - plus (HP)

FERF Case Study - UTC

• Finance leading – recognized value – has compliance, IA and IT involved
• Large volume of transactions to be CM
• Using Oversight Systems P2P
• Selected 4 major points to CM; manageable # of exceptions
• Large dollar recoveries, excellent ROI

More Best Practices

• GL -- JEs;
• Retail POS for fraud - Aigner
• Physical Inventory - Aigner
• GP – margin optimization
• Pricing – revenue recognition

Old Favorites:
Deterrents
Updated Policies

FERF Research and IA

• Many good examples of IA leading the way with CM recommendations (page 13)
• Independence issues are addressed at AEP, HP, IBM and JCP
• CM can change the scope of internal and external audits
• IBM uses bi-directional design with CM process leading to Enhanced Audit (EA)

CA-CM is a Process

CM is a process & foundation technology
• Process - it can be manual;
• Technology - can use existing software tools

Like Excel – once you have it – you will expand the usage

CM Example: CaseWare IDEA

• Major worldwide presence
  • Initial focus on audit accounting firms
  • Now addressing finance Departments
• Built in modules for duplicate payments
• threshold-oriented reports automatically alert – and expansion - CaseWare Monitor
• Knowledge to manage outliers
• built-in report and dashboard features

Healthcare – Revenue

• Hospital – all different contracts on reimbursement – all have fee schedules defining revenue with many variables
• developed scripts on what revenue should be based on provisions
• Using CaseWare IDEA compared calculated revenue with actual –
• Added revenue up to 3% - plus

In the Driver’s Seat of Running a Script

In the Driver’s Seat of Running the Script

Extract data from ERPs, Health Information Systems, Purchasing, etc.
100% of transactions
No more blind spots

Send Issues to Patient Financial Services, Medical Records, Finance, Audit, etc.

Generate the relevant exceptions

Monitoring Framework

Email Notification

Case – College Grants for loans

• College’s Grants – 7 campuses, government student loans, $3M difference
• Needed proof they distributed funds: BIG match using CaseWare IDEA

If you look and think of CM you will identify many applications; only limited by your creativity!

Case - Auction House

Need to monitor large volumes of transactions across business processes:

• Accounts Payable
  • Vendor Duplicate (two vendors are the same)
  • Invoice Duplicate (two invoices to the same client)
  • Payment Duplicate (two payments are the same)
  • Payment vs. Invoice (ensure invoice and payment amounts match), etc.

The solution performs over 50 predefined and customizable tests and outputs exceptions into a workflow dashboard on a daily basis
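The four Accounts Payable tests named on this slide can be sketched as below. This is an added example, not code from the presentation or from any CaseWare, ACL or Oversight product; the record layout, field names, matching keys and sample rows are all constructed assumptions.

```python
import re
from collections import defaultdict
from decimal import Decimal

# Constructed sample records (assumed layout, not from the presentation).
VENDORS = [
    {"id": "V1", "name": "Acme Supplies, Inc.", "tax_id": "11-1111111"},
    {"id": "V2", "name": "ACME SUPPLIES INC", "tax_id": "11-1111111"},
    {"id": "V3", "name": "Borough Freight LLC", "tax_id": "22-2222222"},
]
INVOICES = [
    {"id": "I1", "vendor": "V1", "number": "INV-0042", "amount": Decimal("1250.00")},
    {"id": "I2", "vendor": "V1", "number": "inv 42", "amount": Decimal("1250.00")},
    {"id": "I3", "vendor": "V3", "number": "7781", "amount": Decimal("980.00")},
]
PAYMENTS = [
    {"id": "P1", "invoice": "I1", "amount": Decimal("1250.00"), "date": "2012-10-01"},
    {"id": "P2", "invoice": "I1", "amount": Decimal("1250.00"), "date": "2012-10-01"},
    {"id": "P3", "invoice": "I3", "amount": Decimal("890.00"), "date": "2012-10-03"},
]

def _groups(rows, key):
    # Return sorted tuples of record ids that share the same matching key.
    seen = defaultdict(list)
    for row in rows:
        seen[key(row)].append(row["id"])
    return sorted(tuple(ids) for ids in seen.values() if len(ids) > 1)

def _name_key(name):
    # Ignore case, punctuation and common legal suffixes when comparing vendors.
    words = re.sub(r"[^a-z0-9 ]", "", name.lower()).split()
    return " ".join(w for w in words if w not in {"inc", "llc", "ltd", "co", "corp"})

def _invoice_no(number):
    # "INV-0042" and "inv 42" both reduce to "42".
    return re.sub(r"\D", "", number).lstrip("0")

def run_tests(vendors, invoices, payments):
    billed = {i["id"]: i["amount"] for i in invoices}
    return {
        "vendor_duplicate": _groups(vendors, lambda v: (_name_key(v["name"]), v["tax_id"])),
        "invoice_duplicate": _groups(invoices, lambda i: (i["vendor"], _invoice_no(i["number"]), i["amount"])),
        "payment_duplicate": _groups(payments, lambda p: (p["invoice"], p["amount"], p["date"])),
        # A payment whose invoice is unknown is also reported as a mismatch.
        "payment_vs_invoice": sorted(p["id"] for p in payments if p["amount"] != billed.get(p["invoice"])),
    }

if __name__ == "__main__":
    for test, hits in run_tests(VENDORS, INVOICES, PAYMENTS).items():
        print(test, hits)
```

Each list in the result is an exception queue; in a continuous monitoring setup these would be routed to the responsible reviewer rather than printed.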

Auction House- CM to lists

• These are blacklisted individuals and organizations compiled by major governments. In most jurisdictions it is against the law to be caught doing business in any way, shape or form with these individuals.
• Office of Foreign Assets Control (OFAC) - http://www.treasury.gov/about/organizational-structure/offices/Pages/Office-of-Foreign-Assets-Control.aspx
• Politically Exposed Person (PEP) - http://en.wikipedia.org/wiki/Politically_exposed_person


Challenge – Managing CA findings

• Uses CM to address associated control weaknesses
• Problem: managing the exceptions proved to be challenging due to the sheer volume of transactions
• Solution - Used existing tools (ACL scripts) with CaseWare Monitor; 100% of all transactions. Automatically distribute exceptions to relevant personnel

Case Study: Metcash


New Generations – CA Software

• CaseWare; Oversight; ACL; Approva;
• My view: use existing software to build CM into systems
• Oversight Systems quote: No business process works perfectly. The sooner an error is identified and corrected the better. Oversight's advanced analytics inspect each step in every transaction in a financial business process to identify fraud, misuse and error.

FCPA – Required IC

• DOJ looking for systems approach
• Morgan Stanley – MD conspired with Chinese public official
• Morgan Stanley exonerated
• SEC & DOJ praised them for having a solid compliance program in place using CM
• Wal-Mart in Mexico – who is next?

The Peterson Case – Morgan

Oversight Systems announces its FCPA & National Security Risk solution

• Automated Risk Identification and Tracking
• Global Risk Analysis
• Suspicion Index

Closing Thoughts - CM

• Private Equity (PE) firms are investing in it – and good CM-CCM products in pipeline
• As automation spreads and data = BIG DATA, need will be greater for CA & CM
• Take Away: Use IA awareness to invest in CA-CM for efficiency; cash recoveries; integrity/controls checking; improving your customer satisfaction!

Questions?


Cangemi Company LLC

• Senior Advisor & Board Member
• Consulting – Financial, Technology Strategic & Governance, Internal Audit
• Media - speaking; seminars; web
• Book - Managing the Audit Function; available at Amazon, Wiley
• [email protected]
• www.canco.us


Bio - Kid from Brooklyn

• Born Brooklyn N.Y. Early businesses: lawns, newspapers on the ferry line, greeting cards (H. Ross Perot) – I added holiday gifts (Business Junkie!!)
• Turning point – high school economics
• Merrill Lynch NYC: High School to Freshman yr
• Pace University BBA - Accountancy CPA
• Blair & Company – Freshman to Senior years
• Cangemi Co. started 1968


Business Career

• Ernst & Young – CPA (1970-80)
  • Mobil mentor suggested “management”
• Phelps Dodge – (1980-88) CAE Internal Audit; Financial VP; CIO
• Cangemi Co LLC – ISACA Journal (87-07) & Books – MAF - Wiley
• BDO – (1989-92) IT Audit & IA Services
• Etienne Aigner, Inc (92-2004) CFO - CEO
• CEO (07-8) Financial Exec Intl – Assoc.