Continuous Monitoring?

Transcription

1 Continuous Auditing or Continuous Monitoring? Drs. Arie Pronk RE RA CISA CAMS VUrORE Thema avond Continuous Auditing (Dynamisering van de Audit) 5 september 2006, Amsterdam 1

2 Biography Arie Pronk is Head of Group Audit Operations / Operations & Services within ABN AMRO. He is responsible for world wide Group Audit Communications, CAATs Services, Audit Systems Support and Audit Issue Tracking. As Global Project Manager CAATs Implementation, he is responsible for delivering a global CAATs infrastructure and methodology to Group Audit. 2/30

3 Agenda 1. Introduction 3. Current Environment & Developments 5. Challenge & Solution 7. Proof of Concept Continuous Monitoring 3/30

4 Introduction 4/30

5 IIA s Global Technology Audit Guide 3 GTAG 3 Continuous Auditing? Implications for Assurance, Monitoring, and Risk Assessment Continuous Auditing Method used to perform audit related activities on a continuous basis includes control and risk assessment Performed by Internal Audit Continuous Monitoring Processes to ensure policies/processes are operating effectively and to assess adequacy/effectiveness of controls Performed by operational/financial management; audit independently evaluates adequacy of management activities Continuous Assurance Combination of continuous auditing and audit oversight of continuous monitoring The power of continuous auditing lies in the intelligent and efficient continuous testing of controls and risks that result in timely notification of gaps and weaknesses to allow immediate follow up and remediation 5/30

6 IIA s Global Technology Audit Guide 3 The business and regulatory environment and emerging audit standards are driving auditors and management to make more effective use of information and data analysis technologies as a fundamental enabler of continuous auditing and continuous monitoring Pressure to perform ongoing evaluation of internal controls Many of the techniques of continuous monitoring of controls by management are similar to those that may be performed in continuous auditing by the internal audit department The outcomes of continuous auditing and monitoring (by management) are similar and involve notifications or alerts indicating control deficiencies or higher risk levels 6/30

7 IIA s Global Technology Audit Guide 3 7/30

8 Current Environment & Developments 8/30

9 Take overs Assurance Our Environment Back to Basics Outsourcing Internal Control Cost Reduction Globalization Audit ROB SOX Tabaksblat A turbulent period with hours and money being spent on SOXA testing, Compliance investigations, preparations for Basel II etc. Synergies Offshoring Basel II WID Risk Management Compliance Insourcing 9/30

10 Our Environment Turbulent period with increasing regulatory demands, more disclosure of procedures and controls, extensive testing of internal controls (e.g. SOXA, Basel2, Corporate Governance) Growing claim on business and audit resources for internal control and compliance related activities Business and Corporate Functions both focus on: Increasing Economic Profit Adhere to internal control and compliance regulations Lower costs to improve efficiency ratio 10/30

11 See SOXA etc. as an opportunity! Try to reduce costs and increase benefits! Steps: 3. Think of control as a process Control needs to be viewed as a process model, not just a series of checklists to be completed * Global Guideline Activity: 12 Determine data application needed, extraction date and location of data Once the request is completed and all appropriate testing parameters are Introduction included, the CAAT team will determine the data application needed, cut off date and location of data. (Activity 12) The objective is to determine if the data can be independently obtained by the Objective CAATs Team or the CAATs Team needs to request a 3rd party like IT to deliver the data to them. CAATs Expert Responsible A complete data request including all appropriate testing parameters in the Conditions CAATs Knowledge Database. CAATs Knowledge Database Resources/Tools Determine entity involved, application, hardware platform, required Activities tables and fields, extraction date etc. Verify whether the CAATs Team is able to technically interface with the hardware platform, application and data Verify if the required authorization is already granted by the business owner and request authorization for access, if needed Determine tables and fields needed by using the data dictionary Verify if data access and extraction is indeed possible Verify if data with the required extraction date is available Comments Decision 13 Can data be independently obtained by CAATs? Next Instruction Activity 16 Get needed data via approved extraction methods Interdependencies More information It s a Business responsibility but Audit can add value! The motivation to implement better controls should come from a desire to improve operations, risk management processes, and governance * Shift from extensive testing to monitoring & active risk management Companies need to develop better monitoring procedures that will help them identify when a process has suffered a decrease in control * * Rittenberg, There is No Shortcut to Good Controls; Internal Auditor, August /30

12 See SOXA etc. as an opportunity! (cntd) Steps (cntd): 2. Integrate control into basic operating activities and avoid unnecessary costs & procedures 5. Synergize by having Business and Corporate Functions work together! Business, Audit, Compliance, Risk Management, IT, Finance, etc. are all looking for the same data on risks and controls! Go from control checklists to control monitoring Go from reactive through detective to proactive 12/30

13 Challenge & Solution 13/30

14 Our Challenge Business needs & challenges Keep up with the changing organization & (control) environment Identify and manage risks across the enterprise Increase level of internal control Implement monitoring processes that signal impending control deficiencies and take corrective action immediately Audit needs & challenges Enhance audit assurance to internal and external stakeholders Assess control effectiveness and compliance with standards over time Pro active audit planning and approach More efficient and effective SOXA testing 14/30

15 Required Solution? Further improve risk management and control systems Enhance cooperation/synergies between Business and Corporate Functions Monitor (key) controls more continuously Integrate control monitoring in day to day business activities Install information systems infrastructure to access, analyze and report relevant information on (key) controls Address documenting requirements 15/30

16 Continuous Control Monitoring 16/30

17 Continuous Control Monitoring (cntd) We need to make sure that monitoring processes signal impending control deficiencies and that corrective action is taken in a timely fashion* * Rittenberg, There is No Shortcut to Good Controls; Internal Auditor, August 2005 The challenge for business management and corporate functions is to process and refine large volumes of data into actionable information** This challenge is met by establishing an information systems infrastructure to source, capture, process, analyze and report relevant information** ** COSO ERM 17/30

18 IIA s Global Technology Audit Guide 3 18/30

19 What is the link with Audit? The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems. IIA Performance Standard 2110 Internal audit functions need to keep up with the changing competitive organisation environment and provide audit coverage aligned with the key risk areas of the organisation The challenge is to work smarter not harder; for internal audit to cover expanding exposures more efficiently and deliver more value through ideas that generate cost savings, revenue enhancements and process improvements E&Y Internal Audit Benchmarking Survey; April /30

20 What is the link with Audit? (cntd) Enhanced assurance to internal and external stakeholders by better assessing control effectiveness and compliance with standards over time through (continuous) monitoring a larger number of controls with less resources Improved quality of audits, more efficient and more effective audits by gathering more audit evidence and testing larger populations/data sets Flexibility in allocating audit resources to higher risk areas and allowing to be responsive to changes in the control environment by using CAATs on a regular basis to provide continuous auditing or monitoring of key controls or performance indicators Not only: Test reliability of data and transactions Acquire audit evidence and fact finding But also: Identify trends, pinpoint exceptions, and highlight potential areas of concern in our audit objects/universe (continuous) monitor controls and identify control issues and ensure compliance with standards 20/30

21 3. Proof of Concept Continuous Monitoring 21/30

22 HP s Continuous Control Modelling and Monitoring (CCMM) Note: The challenge for business management and corporate functions is to process and refine large volumes of data into actionable information (COSO ERM) Possible solution for providing the information systems infrastructure for documenting and monitoring (key) controls New assessment approach that systematically isolates and predicts emerging risks in a dynamic control environment to give ongoing visibility to compliance 22/30

23 CCMM Lifecycle AAB Accounts Payable AAB Accounts Payable C ont rols (Excel AAB Account s Payable C ont rols (Excel AAB Account s Payable Spr eadsheet ) C ont rols (Excel Spr eadsheet ) ates C ont rol s (Excel SO XA Templ Spreadsheet) Spr eadsheet ) Busi ness Processes Business Processes Application 1. (re-)model the Business Environment into (key) controls 4. Make decisions upon Reporting and Alerts Tailored Loops for: -C ISO organization -C FO organization -Business Units -G roup Audit -G roup Functions -SO X C om pliance C ontrols M odeling D atabase Infrastructure 2. Collect and Analyse data Analysis Engine Application KPIs Controls & Metrics 3. Present Real-time Dashboards (Controls, KRI s, KPI s) FinancialKRIs Infrastructure KRIs 23/30

24 Objective Proof of Concept Scope: Accounts Payable process ABN AMRO BU Netherlands (Q1 2006) 3 tracks Objective Accounts Payable SAP system access controls Accounts Payable financial process controls Accounts Payable process and SOXA testing template/audit program modelling Assess usability of CCMM toolbox in an ABN AMRO environment (processes and IT infrastructure) Questions for ABN AMRO Do CCMM tools offer added value in addition to already existing tools and techniques? And if so, where can we gain most? 24/30

25 Benefits identified Model Customizable and flexible control environment model Ability to document and maintain SOXA templates and audit programs Dashboards Dashboards based on exception reporting with drill down functionality Reporting Historical data and trend analysis; Benchmark across multiple applications 25/30

26 Value adding components Run time insight in key controls and impending areas of concern Multi location/system comparisons Off site monitoring Automate repetitive tasks Process/risk/control/test repository 26/30

27 Next steps Enough positive feedback for next phase Build Business Case for pilot project Get Management buy in; Business and Corporate Functions collaboration Focus on SOXA relevant processes implemented in multiple locations 27/30

28 Possible Showstoppers... Availability of data and cooperation of IT personnel Required knowledge of systems and data dictionaries Tooling, Education, Support Budget, Commitment... The under use of CAATS may be due to a shortage of skills in internal audit functions to perform the testing, investment constraints, set up time, or not seeing the benefits to be gained from CAATs E&Y Internal Audit Benchmarking Survey; April /30

29 Final note Goal Continuous Monitoring Provide comfort to management on control over, and performance of, processes 29/30

30 Questions? 30/30

31 Annex 31/30

32 Introduction ABN AMRO International bank with origins going back to th biggest bank in Europe and 13th in the world Over 3,000 branches in almost 60 countries and territories A staff of about 97,000 full time equivalents worldwide Focusing on: consumer and commercial clients in our home markets of the Netherlands, the US Midwest, Brazil and in selected growth markets around the world selected wholesale clients with an emphasis on Europe, and financial institutions private clients 32/30

33 Introduction Group Audit Internal audit function of ABN AMRO Holding N.V., encompasses all majority and wholly owned subsidiary companies FTE Region spread Asia 15% Netherlands 37% Global Head of Group Audit: Peter Diekman About 850 employees world wide (auditors and support staff) Assurance services and Consulting services: Operational Audits, IT Audits, Financial Audits, Compliance Audits, Project Audits, Inspections, Consultancy and Special Investigations Europe 16% North America 10% Latin America 22% 33/30