
Copyright © 2003 Americas’ SAP Users’ Group

Compliance and Continuous Monitoring: Achieving Best Practice Standards for Internal Control

Michelle Thomson

ACL Services Ltd.

Agenda

Challenges of financial management

Challenges of designing effective controls

Assessing controls through data analysis

The role of continuous monitoring

Benefits of continuous monitoring

Challenges

[Slide graphic: pressures on financial management. Labels recovered from the diagram:]

Increased Business Complexity

Accelerating Business Cycles

Decreased Time & Resources

Competition

Fewer People

Increased Margin for Error

Increased Scope of Responsibilities & Decision Making

Increased Regulation, Scrutiny & Accountability (from Partners, Audit Committee, Stock Exchanges, Shareholders, Media, Public, Clients, Environment, Rating Agencies, Board of Directors, CEO, Government)

Systems Integration

Wealth Creation

Strategic Leadership

Operational Excellence

Financial Control

Financial Management

Information Quality

IT Infrastructure

Complex Transactions

Global Markets

Logistics

Challenges of Designing Effective Controls

Transactions and transactional data are the lifeblood of organizations

Controls over these transactions and the data that record them are critical

Financial accountability and assurance depend on the integrity and reliability of the:

Transactions

Data that records the transactions

Financial reports that summarize the transactional data

Challenges of Designing Effective Controls

Cost vs. benefit of controls

Manual controls break down as volumes increase

Automated controls within applications are time-consuming to implement, expensive, hard to maintain

New system implementations often disregard audit, internal control experts

Super users and system administrators can by-pass controls

Control Breakdowns

“These (improper) payments occur for many reasons including insufficient oversight or monitoring, inadequate eligibility controls, and automated system deficiencies. However, one point is clear – the basic or root cause of improper payments can typically be traced to a lack of or breakdown in internal controls.”

GAO Report, Coordinated Approach Needed to Address the Government’s Improper Payments Problems, August 2002

Control Layers Within an Organization

[Slide diagram: control layers, listed top to bottom]

Determine Risks & Impacts

Policies

Controls

Transactions

Controls Assessment Through Data Analysis

Key method of testing controls

Typical assessments involve:

Examination of 100% of transactions to determine compliance with defined controls

Determination if transactions exist for which no controls have been implemented

Audit processes using data analysis tend to be comprehensive and usually take place long after the transactions occurred

Continuous Monitoring Using Data Analysis

Convert audit analytical procedures into a monitoring process for all transactional data

Test transactional data against defined control rules and parameters

Run automatically on a regular basis

Generate exception reports or alerts automatically

Value of Continuous Monitoring

Independent of the underlying business application system

Improved timeliness of response to problems

A detective control – but can also be preventative

An additional level of control by identifying problems in early stages

Continuous Monitoring Checklist

Monitors data from disparate systems to provide holistic view of transaction

Identifies rogue transactions in a timely manner

Validates effectiveness of controls

Mitigates deficient control structures

Identifies further process improvement opportunities

Provides independent assurance

Controls Review Methods

[Slide diagram: review methods plotted against increasing confidence and trust]

Ad Hoc Analysis

Repeated Control Review

Continuous Monitoring

Anatomy of Continuous Monitoring

CM Applications

DATA: specific data from multiple data sources and data formats are compiled, indexed and prepared for analysis

RULES: contains business rules, control policies, or test requirements of the organization

ANALYSIS: complex technology applies the rules to the data to identify transaction anomalies

Continuous Monitoring

[Slide diagram: transaction monitoring process]

Primary Data Source (Financial Systems, HR Systems, CRM Systems, Others) -> Data -> Rules -> Analysis -> Data Output -> Reporting Medium

Common Applications of Continuous Monitoring

General business processes

Purchase / payments cycle

Vendor fraud

Expense claims

Payroll

Industry-specific (particularly regulatory compliance)

Chemical/ Pharmaceutical – FDA regulations

Medicare/Medicaid compliance

Benefits of Continuous Monitoring Systems

Validation that controls built into application systems are operating effectively

Compensate for poor controls in application systems

Transaction systems cannot ensure integrity across disparate systems

Comprehensive analysis of transactions is not practical in large transaction systems

Independence from the transaction system

Continuous Monitoring & Audit

Fastest growing area within audit and control community

Significant role as a response to increased focus on controls and assurance

CEO & CFO requirements around Sarbanes-Oxley Act

Acts as a supplemental control level, strengthening overall internal controls

Provides increased assurance over the effectiveness of controls

In Conclusion

Continuous Monitoring provides an opportunity for significantly improved levels of control and assurance

The accounting and control profession has discussed it for years – the time is now ideal for implementation

Technology is available to enable continuous monitoring

Businesses can’t afford to miss the issues


Using ACL to Continuously Monitor SAP Accounts Payable

Gene Scheckel

ConocoPhillips

Why Continuously Monitor AP?

To keep tabs on items

beyond the scheduled audit plan

outside normal controls

Do not continuously monitor normal controls within SAP

BUT

Do continuously monitor items where there is no specific control within SAP

What We Monitor

Duplicate payments between SAP and other financial systems

Unusually large payments

Payments to employees as outside vendors

Duplicate vendors in the Vendor Master

Continuous Monitoring

Duplicate payments between SAP and other financial systems

The Challenges

Convert new acquisition from legacy financial system to SAP

Legacy system and SAP both have duplicate payment controls

But duplicate payment controls do not exist between the two systems
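One way to run the cross-system check described above, as an added example that is not ConocoPhillips' or ACL's own script. It matches an SAP payment extract against a legacy AP extract after normalising vendor names (legal suffixes and punctuation dropped) and invoice references (digits only, leading zeros stripped), since a re-keyed invoice rarely carries the same string in both systems. The records and the field names (doc, vendor, inv, amount, paid) are constructed assumptions about the extracts.

```python
"""Cross-system duplicate payment test over two constructed payment extracts."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import date

LEGAL_SUFFIXES = {"INC", "INCORPORATED", "LLC", "LTD", "LIMITED", "CORP", "CO", "COMPANY"}

# Constructed sample data; field names are assumptions, not SAP/legacy table layouts.
SAP_PAYMENTS = [
    {"doc": "1900001", "vendor": "ACME Industrial Supply", "inv": "INV-0001234", "amount": 4120.50, "paid": date(2003, 6, 3)},
    {"doc": "1900002", "vendor": "Northwind Valves Inc", "inv": "NW-77812", "amount": 980.00, "paid": date(2003, 6, 5)},
    {"doc": "1900003", "vendor": "ACME Industrial Supply", "inv": "INV-0001250", "amount": 512.00, "paid": date(2003, 6, 9)},
    {"doc": "1900004", "vendor": "Northwind Valves Inc", "inv": "NW-77900", "amount": 2500.00, "paid": date(2003, 7, 1)},
]
LEGACY_PAYMENTS = [
    {"doc": "A55120", "vendor": "Acme Industrial Supply, Inc.", "inv": "1234", "amount": 4120.50, "paid": date(2003, 6, 11)},
    {"doc": "A55121", "vendor": "Northwind Valves", "inv": "77812", "amount": 980.00, "paid": date(2003, 8, 20)},
    {"doc": "A55122", "vendor": "Acme Industrial Supply, Inc.", "inv": "1250", "amount": 512.00, "paid": date(2003, 6, 12)},
    {"doc": "A55123", "vendor": "Northwind Valves", "inv": "77901", "amount": 2500.00, "paid": date(2003, 7, 3)},
    {"doc": "A55124", "vendor": "Northwind Valves", "inv": "77990", "amount": 2500.00, "paid": date(2003, 10, 3)},
    {"doc": "A55125", "vendor": "Acme Industrial Supply, Inc.", "inv": "1300", "amount": 4120.50, "paid": date(2003, 12, 1)},
]


def norm_vendor(name: str) -> str:
    """Upper-case, drop punctuation and legal-form suffixes so that
    'ACME Industrial Supply' and 'Acme Industrial Supply, Inc.' compare equal."""
    tokens = re.sub(r"[^A-Z0-9 ]+", " ", name.upper()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def norm_invoice(ref: str) -> str:
    """Reduce an invoice reference to its digits without leading zeros, so a
    re-keyed 'INV-0001234' matches '1234'. Falls back to alphanumerics when
    the reference has no digits at all."""
    digits = re.sub(r"\D", "", ref)
    if digits:
        return digits.lstrip("0") or "0"
    return re.sub(r"[^A-Z0-9]", "", ref.upper())


def cents(amount: float) -> int:
    """Compare money as integer cents to avoid float equality problems."""
    return round(amount * 100)


def find_cross_system_duplicates(sap, legacy, window_days: int = 60):
    """Return suspected duplicates, strongest first.

    HIGH:   same vendor, same amount, same normalised invoice (any date)
    MEDIUM: same vendor, same amount, different invoice, paid within
            window_days of each other (possible re-keyed invoice)
    Indexing the legacy side by (vendor, amount) keeps the run linear in the
    number of payments instead of comparing every SAP/legacy pair."""
    by_key = defaultdict(list)
    for rec in legacy:
        by_key[(norm_vendor(rec["vendor"]), cents(rec["amount"]))].append(rec)

    findings = []
    for s in sap:
        for l in by_key.get((norm_vendor(s["vendor"]), cents(s["amount"])), []):
            same_invoice = norm_invoice(s["inv"]) == norm_invoice(l["inv"])
            days_apart = abs((s["paid"] - l["paid"]).days)
            if same_invoice:
                tier = "HIGH"
            elif days_apart <= window_days:
                tier = "MEDIUM"
            else:
                continue
            findings.append({"tier": tier, "sap_doc": s["doc"], "legacy_doc": l["doc"],
                             "vendor": norm_vendor(s["vendor"]), "amount": s["amount"],
                             "days_apart": days_apart})
    return sorted(findings, key=lambda f: (f["tier"] != "HIGH", f["sap_doc"], f["legacy_doc"]))


if __name__ == "__main__":
    for f in find_cross_system_duplicates(SAP_PAYMENTS, LEGACY_PAYMENTS):
        print(f"{f['tier']:6} SAP {f['sap_doc']} <-> legacy {f['legacy_doc']} "
              f"{f['vendor']} {f['amount']:.2f} ({f['days_apart']} days apart)")
```

The window applies only to the weaker tier: a same-invoice hit is reported however far apart the two payments are, while a same-amount hit on a different invoice is only worth a reviewer's time if the two payments are close together.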

The Results

Duplicate payments between SAP and legacy financial system, by month (number of duplicates as labelled on the chart; approximately 150,000 payments per month):

May: 93

Jun: 64

July: 27

Aug: 20

Sept: 12

Continuous Monitoring

Unusually large vendor payments

The Challenge…

Uncover overpayments due to data entry errors

The Results

Invoice amount: $20,725.00. The approver noted an invoice error and manually entered a new amount to be paid; the data entry clerk ignored the note.

Amount paid: $43,803.31

Recovered: $23,078.31

Continuous Monitoring

Payments to employees as outside vendors (not employee reimbursements)

The Challenge…

Uncover potential conflicts of interest and employee fraud

The Results

A supervisor who approved invoices paid to the small business he owned

A purchasing agent doing business with a company owned by her husband
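The two master-data tests from the "What We Monitor" list (payments to employees as outside vendors, and duplicate vendors in the Vendor Master) as one added example; this is not ConocoPhillips' or ACL's own script. The employee and vendor records, the payments, and the field names (emp_id, vendor_id, group, tax_id, bank, address, approver) are constructed assumptions; the tax and bank values are made up. Reimbursement vendor accounts are excluded on purpose, matching the slide's "not employee reimbursements".

```python
"""Employee-as-vendor and duplicate-vendor tests over constructed master data."""
from __future__ import annotations

import re
from collections import defaultdict

LEGAL_SUFFIXES = {"INC", "INCORPORATED", "LLC", "LTD", "LIMITED", "CORP", "CO", "COMPANY"}

# Constructed sample data; identifiers and field names are hypothetical.
EMPLOYEES = [
    {"emp_id": "E100", "name": "Dana Harper", "tax_id": "TAX-0001", "bank": "021000021/1122334455", "address": "14 Elm St, Houston TX 77002"},
    {"emp_id": "E200", "name": "Luis Ortega", "tax_id": "TAX-0002", "bank": "021000021/9988776655", "address": "9 Pine Ave, Tulsa, OK 74103"},
    {"emp_id": "E300", "name": "Priya Nair", "tax_id": "TAX-0003", "bank": "021000021/5544332211", "address": "77 Oak Rd, Bartlesville, OK 74003"},
]

# "group": STD = ordinary trade vendor; EMPL = employee reimbursement account,
# which is legitimately tied to an employee and must not be flagged.
VENDORS = [
    {"vendor_id": "V1", "name": "Harper Field Services LLC", "group": "STD", "tax_id": "TAX-0001", "bank": "021000021/1122334455", "address": "14 Elm St., Houston, TX 77002"},
    {"vendor_id": "V2", "name": "Gulf Coast Tooling", "group": "STD", "tax_id": "TAX-5555", "bank": "111000025/4455667788", "address": "1 Dock Rd, Galveston, TX 77550"},
    {"vendor_id": "V3", "name": "Gulf Coast Tooling, Inc.", "group": "STD", "tax_id": "TAX-5555", "bank": "111000025/4455667788", "address": "PO Box 19, Galveston, TX 77550"},
    {"vendor_id": "V4", "name": "Luis Ortega", "group": "EMPL", "tax_id": "TAX-0002", "bank": "021000021/9988776655", "address": "9 Pine Ave, Tulsa, OK 74103"},
    {"vendor_id": "V5", "name": "Pine Avenue Consulting", "group": "STD", "tax_id": "TAX-7777", "bank": "111000025/1010101010", "address": "9 Pine Ave., Tulsa OK 74103"},
]

PAYMENTS = [
    {"doc": "5000001", "vendor_id": "V1", "approver": "E100", "amount": 8400.00},
    {"doc": "5000002", "vendor_id": "V1", "approver": "E300", "amount": 1200.00},
    {"doc": "5000003", "vendor_id": "V5", "approver": "E300", "amount": 3000.00},
    {"doc": "5000004", "vendor_id": "V2", "approver": "E300", "amount": 500.00},
]


def norm_text(s: str) -> str:
    """Upper-case alphanumerics only, so punctuation and spacing differences
    in addresses do not defeat the match. (A production version would also
    standardise abbreviations such as St/Street.)"""
    return re.sub(r"[^A-Z0-9]", "", s.upper())


def norm_name(name: str) -> str:
    """Vendor name without punctuation or legal-form suffixes."""
    tokens = re.sub(r"[^A-Z0-9 ]+", " ", name.upper()).split()
    return "".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def employee_vendor_matches(vendors, employees):
    """Trade vendors that share identifying data with an employee.
    A shared tax id or bank account is STRONG evidence; a shared address
    alone is WEAK (relatives, home-based businesses) and needs follow-up."""
    by_tax = {e["tax_id"]: e for e in employees}
    by_bank = {e["bank"]: e for e in employees}
    by_addr = {norm_text(e["address"]): e for e in employees}
    matches = []
    for v in vendors:
        if v["group"] == "EMPL":
            continue  # reimbursement accounts are expected to belong to employees
        evidence = {}
        for kind, index, key in (("tax_id", by_tax, v["tax_id"]),
                                 ("bank", by_bank, v["bank"]),
                                 ("address", by_addr, norm_text(v["address"]))):
            emp = index.get(key)
            if emp:
                evidence.setdefault(emp["emp_id"], []).append(kind)
        for emp_id, kinds in evidence.items():
            strength = "STRONG" if set(kinds) & {"tax_id", "bank"} else "WEAK"
            matches.append({"vendor_id": v["vendor_id"], "emp_id": emp_id,
                            "evidence": kinds, "strength": strength})
    return matches


def self_approved_payments(matches, payments):
    """Payments to an employee-linked vendor approved by that same employee:
    the conflict-of-interest case described on the slide."""
    linked = {(m["vendor_id"], m["emp_id"]) for m in matches}
    return [p["doc"] for p in payments if (p["vendor_id"], p["approver"]) in linked]


def duplicate_vendors(vendors):
    """Groups of vendor ids sharing a bank account, tax id or normalised
    name; the value lists which keys collided for each group."""
    keyed = {"bank": defaultdict(set), "tax_id": defaultdict(set), "name": defaultdict(set)}
    for v in vendors:
        keyed["bank"][v["bank"]].add(v["vendor_id"])
        keyed["tax_id"][v["tax_id"]].add(v["vendor_id"])
        keyed["name"][norm_name(v["name"])].add(v["vendor_id"])
    groups = defaultdict(list)
    for kind, index in keyed.items():
        for ids in index.values():
            if len(ids) > 1:
                groups[frozenset(ids)].append(kind)
    return {ids: sorted(kinds) for ids, kinds in groups.items()}


if __name__ == "__main__":
    found = employee_vendor_matches(VENDORS, EMPLOYEES)
    for m in found:
        print(m["strength"], m["vendor_id"], "<->", m["emp_id"], m["evidence"])
    print("self-approved:", self_approved_payments(found, PAYMENTS))
    for ids, kinds in duplicate_vendors(VENDORS).items():
        print("duplicate vendors", sorted(ids), "on", kinds)
```

Bank account and tax id are the keys worth trusting; names and addresses are only as good as the master-data hygiene behind them, which is why the weak tier exists rather than being dropped or promoted.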

Continuous Monitoring Findings

Discovery of duplicate payments, overpayments and possible fraud

Preservation of the reliability of SAP preventive controls

Next Steps

Apply continuous monitoring methodology to other areas of the business

Procurement Cards

Long Distance Phone Bills

Validate User IDs


Implementing Continuous Monitoring

Derek Warburton

ACL Services Ltd.

Agenda

Success factors

Reactive vs. proactive approach

When to get help

Continuous Monitoring methodology

Practical implementation issues

Next steps

Effective Continuous Monitoring

Success is a function of

People: expertise, availability

Process: applying proven methodology

Technology: right tools for the job

Continuous Monitoring Checklist

Monitors data from disparate systems to provide holistic view of transaction

Identifies rogue transactions in a timely manner

Validates effectiveness of controls

Mitigates deficient control structures

Identifies further process improvement opportunities

Provides independent assurance

Continuous Monitoring Approach

Reactive

Implement Continuous Monitoring after experiencing a significant loss

Proactive Strategic

Identify high risk business areas, and implement Continuous Monitoring before loss is material

Continuous Monitoring Notifications

Implementation Assistance

Considerations

Independence (optics, regulatory)

Scale/scope

Complexity of business area or analysis

Availability of skilled resources

Disparate systems (all data not in SAP)

Opportunity cost or risk of time delay

Implementation Methodology

[Slide diagram: phases and their deliverables]

Assess -> Preliminary SDD (Solutions Design Document)

Design -> Solutions Design Document

Build -> Functioning Application

Implement -> Continuous Monitoring

Outcome: Increased Shareholder Value

Practical Implementation Issues

Direct access to the data vs. an extract?

Direct access to source data preferred

Is all data in SAP? How to access other systems?

Time-based or process-based data testing range?

Ensure that all transactions are captured since the last test process
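The difference between a time-based and a process-based testing range, as an added example (not ACL's own extraction logic). A posting-date range misses a document that is posted into an earlier period after that period's run has already happened; selecting everything entered since the last run's high-water mark does not. The documents and the field names (doc, posting_date, entered_at) are constructed assumptions, and `as_of` stands in for the clock at the time each run executes.

```python
"""Incremental capture: posting-date range vs entry-timestamp watermark."""
from __future__ import annotations

from datetime import date, datetime, timedelta

# Constructed sample documents; field names are hypothetical.
DOCS = [
    {"doc": "1900010", "posting_date": date(2003, 6, 2), "entered_at": datetime(2003, 6, 2, 9, 15)},
    {"doc": "1900011", "posting_date": date(2003, 6, 3), "entered_at": datetime(2003, 6, 3, 16, 40)},
    # Backdated: posted into June 3 but keyed on the morning of June 4,
    # after the June 3 run has already taken place.
    {"doc": "1900012", "posting_date": date(2003, 6, 3), "entered_at": datetime(2003, 6, 4, 10, 5)},
    {"doc": "1900013", "posting_date": date(2003, 6, 4), "entered_at": datetime(2003, 6, 4, 11, 0)},
]


def visible(docs, as_of):
    """Documents that exist in the system at the moment a run executes."""
    return [d for d in docs if d["entered_at"] <= as_of]


def select_by_posting_date(docs, day, as_of):
    """Time-based range: everything posted on `day`, as seen at `as_of`."""
    return [d["doc"] for d in visible(docs, as_of) if d["posting_date"] == day]


def select_since_watermark(docs, watermark, seen, as_of, overlap=timedelta(minutes=5)):
    """Process-based range: everything entered after the previous run's
    high-water mark. The small overlap plus the seen-set guards against a
    record committed with a timestamp just before the mark that only became
    visible after the previous extract ran. Returns (doc ids, new mark)."""
    cutoff = watermark - overlap
    batch = [d for d in visible(docs, as_of)
             if d["entered_at"] > cutoff and d["doc"] not in seen]
    seen.update(d["doc"] for d in batch)
    new_mark = max((d["entered_at"] for d in batch), default=watermark)
    return [d["doc"] for d in batch], new_mark


def missed_by_posting_date(docs, days_and_run_times):
    """Docs that a sequence of posting-date runs never tests."""
    tested = set()
    for day, as_of in days_and_run_times:
        tested.update(select_by_posting_date(docs, day, as_of))
    return sorted(d["doc"] for d in docs if d["doc"] not in tested)


if __name__ == "__main__":
    runs = [(date(2003, 6, 2), datetime(2003, 6, 2, 23, 0)),
            (date(2003, 6, 3), datetime(2003, 6, 3, 23, 0)),
            (date(2003, 6, 4), datetime(2003, 6, 4, 23, 0))]
    print("never tested by posting-date runs:", missed_by_posting_date(DOCS, runs))

    seen = set()
    mark = datetime(2003, 6, 1)
    for _, as_of in runs:
        batch, mark = select_since_watermark(DOCS, mark, seen, as_of)
        print(f"run at {as_of}: {batch}, new mark {mark}")
```

Whichever field the watermark is taken from (entry timestamp, change timestamp or a monotonic document number), it must be one that the source system sets at commit time and never rewrites; the posting date fails that test precisely because users are allowed to choose it.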

Practical Implementation Issues

Set priorities for findings

Identifying specific control exposures and risk indicators

Define specific control tests for transactional data

Risk that high volumes of exceptions lead to the reports being ignored

Establish sensitivity thresholds for reporting and alerts

“Scoring/weighting” of events dependent upon combination of control parameters that are failed and indicators of risk

Allow “tuning” of application sensitivity

Prioritize alerts

High score events trigger immediate alert with management
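The scoring, threshold and tuning steps above, carried through as one added example; this is not ACL's application and the parameter names, weights and thresholds are assumptions standing in for the slide's "parameters menu". Each control test contributes its weight when it fires, the total decides whether a payment is merely logged, queued for review or alerted, and changing a threshold is all it takes to retune the exception volume. The payments and vendor master records are constructed (the $43,803.31 figure is the overpayment from the ConocoPhillips section, placed here on a made-up vendor).

```python
"""Weighted exception scoring with tunable parameters over constructed payments."""
from __future__ import annotations

from datetime import date
from statistics import median

# Assumed tunables; in the slide these live in the application's parameters menu.
DEFAULT_PARAMS = {
    "large_abs": 25_000.00,     # absolute amount threshold
    "history_ratio": 3.0,       # multiple of the vendor's median prior payment
    "history_min": 3,           # prior payments needed before the ratio test applies
    "round_min": 1_000.00,      # round thousands at or above this are worth a look
    "new_vendor_days": 30,      # vendor created this recently counts as new
    "weights": {"LARGE_ABS": 40, "LARGE_VS_HISTORY": 30, "ROUND_AMOUNT": 10,
                "NEW_VENDOR": 20, "WEEKEND_POSTING": 15},
    "alert_threshold": 50,      # score at or above this: immediate alert to management
    "review_threshold": 25,     # score at or above this: queued for reviewer
}

VENDOR_MASTER = {  # constructed
    "V1": {"name": "Northwind Valves", "created": date(2001, 1, 15)},
    "V2": {"name": "Bayou Site Services", "created": date(2003, 6, 4)},
    "V3": {"name": "Gulf Coast Tooling", "created": date(1999, 3, 2)},
}

PAYMENTS = [  # constructed; run() sorts them by posting date
    {"doc": "1900101", "vendor_id": "V1", "amount": 1000.00, "posted": date(2003, 5, 5)},
    {"doc": "1900102", "vendor_id": "V1", "amount": 1100.00, "posted": date(2003, 5, 12)},
    {"doc": "1900103", "vendor_id": "V1", "amount": 950.00, "posted": date(2003, 5, 19)},
    {"doc": "1900104", "vendor_id": "V1", "amount": 1050.00, "posted": date(2003, 5, 27)},
    {"doc": "1900105", "vendor_id": "V1", "amount": 4000.00, "posted": date(2003, 6, 2)},
    {"doc": "1900106", "vendor_id": "V3", "amount": 500.00, "posted": date(2003, 6, 10)},
    {"doc": "1900107", "vendor_id": "V2", "amount": 43803.31, "posted": date(2003, 6, 14)},
]


def fired_rules(p, history, vendor, params):
    """Names of the control tests that fail for payment p.
    history holds the amounts of the vendor's earlier payments."""
    rules = []
    if p["amount"] >= params["large_abs"]:
        rules.append("LARGE_ABS")
    if len(history) >= params["history_min"] and p["amount"] >= params["history_ratio"] * median(history):
        rules.append("LARGE_VS_HISTORY")
    if p["amount"] >= params["round_min"] and p["amount"] % 1000 == 0:
        rules.append("ROUND_AMOUNT")
    if (p["posted"] - vendor["created"]).days <= params["new_vendor_days"]:
        rules.append("NEW_VENDOR")
    if p["posted"].weekday() >= 5:  # Saturday or Sunday posting
        rules.append("WEEKEND_POSTING")
    return rules


def classify(score, params):
    if score >= params["alert_threshold"]:
        return "ALERT"
    if score >= params["review_threshold"]:
        return "REVIEW"
    return "LOG"


def run(payments, vendors, params=DEFAULT_PARAMS):
    """Score each payment against the vendor's history up to that point and
    return results highest score first, so reviewers see the worst cases
    before the long tail of low-value exceptions."""
    history = {}
    results = []
    for p in sorted(payments, key=lambda x: (x["posted"], x["doc"])):
        prior = history.setdefault(p["vendor_id"], [])
        rules = fired_rules(p, prior, vendors[p["vendor_id"]], params)
        score = sum(params["weights"][r] for r in rules)
        results.append({"doc": p["doc"], "score": score, "tier": classify(score, params), "rules": rules})
        prior.append(p["amount"])
    return sorted(results, key=lambda r: (-r["score"], r["doc"]))


def tier_counts(results):
    counts = {"ALERT": 0, "REVIEW": 0, "LOG": 0}
    for r in results:
        counts[r["tier"]] += 1
    return counts


if __name__ == "__main__":
    for r in run(PAYMENTS, VENDOR_MASTER):
        print(f"{r['tier']:6} {r['score']:3} {r['doc']} {r['rules']}")
    # Tuning: raise the review threshold and the round-amount-only cases drop out.
    tuned = {**DEFAULT_PARAMS, "review_threshold": 45}
    print(tier_counts(run(PAYMENTS, VENDOR_MASTER, tuned)))
```

Weights are where the judgement lives: a single indicator such as a round amount should never reach the review queue on its own, while the combination of a new vendor, a weekend posting and a large amount should, even though none of the three is conclusive by itself.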

Interface Example for Tuning Monitoring Parameters

[Screenshot slides: the parameter-tuning interface, the continuous monitoring application, and an example alert notification. Note on the slide: "This amount can be modified from the parameters menu."]

Conclusion

Will Continuous Monitoring reduce risk and costs at your company?

What’s stopping you from moving forward?

Don’t be shy to ask for help

Thank you for attending!

Session Code: 504