Continuous Monitoring: Match Your Business Needs with the Right Technique

Similar documents
The Role of Oversight and Monitoring and the Use of Analytics to Increase Effectiveness of your Compliance Program

Process Control Optimisation with SAP

AML Topics Using analytics to get the most from your transaction monitoring system

ACL WHITEPAPER. Automating Fraud Detection: The Essential Guide. John Verver, CA, CISA, CMC, Vice President, Product Strategy & Alliances

Continuous Auditing / Continuous Monitoring

Managing GST with data analytics

Advisory Services Oracle Alliance Case Study

The Power of Risk, Compliance & Security Management in SAP S/4HANA

IT Audit Perspective on Continuous Auditing/ Continuous Monitoring KPMG LLP

Functional and technical specifications. Background

Moving your enterprise systems to the cloud? What do you need to know to manage the risks? Jamie Levitt, Director

An Introduction to Continuous Controls Monitoring

Minimize Access Risk and Prevent Fraud With SAP Access Control

Introduction. By Santhosh Patil, Infogix Inc.

A Control Framework for e-invoicing

AGA Kansas City Chapter Data Analytics & Continuous Monitoring

PwC The Path Forward for Data Analysis and Continuous Auditing May 2011

RSA ARCHER OPERATIONAL RISK MANAGEMENT

Reduce Audit Time Using Automation, By Example. Jay Gohil Senior Manager

PROCURE-TO-PAY TRANSFORMATION FOR CFOs. Achieving Control, Visibility & Cost Savings.

Ensuring Contract Compliance through integration of Ariba Contracts and SAP ECC Michael Chavez and Sean Rhoades, Deloitte Consulting LLP

Leverage T echnology: Move Your Business Forward

Leveraging Continuous Auditing / Continuous Monitoring in internal audit April 10, 2012

Legal exchange. Total Legal Spend Management Solution for Corporate legal departments

B2B Operational Intelligence

Using Technology to Automate Fraud Detection Within Key Business Process Areas

Validating Third Party Software Erica M. Torres, CRCM

ITSM Maturity Model. 1- Ad Hoc 2 - Repeatable 3 - Defined 4 - Managed 5 - Optimizing No standardized incident management process exists

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister

The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act*

Continuous Audit and Case Management For SAP: Prevent Errors and Fraud in your most important Business Processes

Financial Close Optimization: Five Steps for Identifying and Resolving Systems and Process Inefficiencies

Simplifying the audit through innovation

Addressing common challenges in the record-to-report process. kpmg.com

Losing Control: Controls, Risks, Governance, and Stewardship of Enterprise Data

Continuous Monitoring and Case Management For SAP: Prevent Errors and Fraud in your most important Business Processes

Office of the Auditor General. Audit of Accounts Payable. Tabled at Audit Committee November 26, 2015

Building a Data Quality Scorecard for Operational Data Governance

Software Asset Management on System z

Leveraging Data Analytics and Continuous Auditing. Internal Audit. January 9, 2014

Leveraging data analytics and continuous auditing processes for improved audit planning, effectiveness, and efficiency. kpmg.com

Audit of NSERC Award Management Information System

Legal exchange. Total Legal Spend Management Solution for Insurance Companies

Cybersecurity The role of Internal Audit

Transforming Internal Audit: A Maturity Model from Data Analytics to Continuous Assurance

An Oracle White Paper November Financial Crime and Compliance Management: Convergence of Compliance Risk and Financial Crime

Vendor Invoicing Through Payment FI-AP /17/08 09/18/08. LaGOV. Version 1.0

CA Service Desk Manager

THE ABC S OF DATA ANALYTICS

How to improve account reconciliation activities*

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

Auditing Standard 5- Effective and Efficient SOX Compliance

DATA AUDIT: Scope and Content

Selection Requirements for Business Activity Monitoring Tools

HOT TREND: ACCOUNTS PAYABLE AUTOMATION

COMPLIANCE MANAGEMENT SOLUTIONS THOMSON REUTERS ACCELUS COMPLIANCE MANAGEMENT SOLUTIONS

Integrating Data Governance into Your Operational Processes

How Accenture is taking SAP NetWeaver Identity Management to the next level. Kristian Lehment, SAP AG Matthew Pecorelli, Accenture

I D C A N A L Y S T C O N N E C T I O N

Making Every Project Business a Best-Run Business

Veramark White Paper: Reducing Telecom Costs Why Invoice Management is the Best Place to Start. WhitePaper. We innovate. You benefit.

Risk and Controls 101

Enterprise Level Change Control: A Life Science Business Imperative. Presented by: Carl Ning Solutions Delivery Manager Sparta Systems

Outperform Financial Objectives and Enable Regulatory Compliance

Solihull Metropolitan Borough Council. IT Audit Findings Report September 2015

Fighting Fraud with Data Mining & Analysis

FISCAL PLAN RESPONSE TO THE AUDITOR GENERAL

Making Automated Accounts Payable a Reality

Vulnerability Management

Improving. Summary. gathered from. research, and. Burnout of. Whitepaper

Ariba Network Seller Enablement is a PROGRAM, not a project

HOWARD UNIVERSITY POLICY

SUPPLIER INVOICE WORKFLOW EINVOICE Efficient automated workflow 2010 IFS

How to achieve more timely, accurate and transparent reporting through a smarter close*

Sarbanes-Oxley Control Transformation Through Automation

S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma

Getting to strong Leading Practices for value-enhancing internal audit By Richard Reynolds and Abhinav Aggarwal - PricewaterhouseCoopers LLP

How can Identity and Access Management help me to improve compliance and drive business performance?

Mitsubishi Electric Europe: Assuming Control of Collections and Disputes

Implementing a Data Governance Initiative

BDO Consulting. Segregation of Duties Checklist

Whitepaper Data Governance Roadmap for IT Executives Valeh Nazemoff

How To Improve Your Business

Commodity Price Risk Management (CPRM) - Trends and Challenges for Corporates

Knowledge Management Series. Internal Audit in ERP Environment

Sarbanes-Oxley: Beyond. Using compliance requirements to boost business performance. An RIS White Paper Sponsored by:

Audit of Financial Management Governance. Audit Report

Optimize procure-to-pay processes for profitability, efficiency, and compliance

<Insert Picture Here> PeopleSoft Financial Management Solutions 9.1 and Roadmap into Release 9.2

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

Understanding ERP Architectures, Security and Risk Brandon Sprankle PwC Partner March 2015

Transcription:

Continuous Monitoring: Match Your Business Needs with the Right Technique Jamie Levitt, Ron Risinger, September 11, 2012

Agenda 1. Introduction 2. Challenge 3. Continuous Monitoring 4. SAP s Continuous Monitoring Tools 5. The Continuous Monitoring Roadmap 2

Purpose The purpose of this presentation is to give you an understanding of how: Continuous monitoring techniques such as continuous transaction monitoring (CTM) and continuous control monitoring (CCM) may assist your Company's efforts to operate and evaluate controls Both SAP Process Control and Oversight Systems function to provide assistance to management in monitoring the Company's controls environment *Note, for the purposes of today s presentation we have restricted the content to these two tools. However, there are other tools in the marketplace that are able to perform some of the functions mentioned in this presentation. 3

Introduction Current state: Businesses are in a constant state of change. 4

Current state Businesses are always changing as they are always finding better ways to do what they do. New risks are continuously introduced by way of: - Expansion into new locations - Mergers and acquisitions - New processes - New technologies Other risks can become irrelevant as technology, processes and business units are decommissioned, centralised or standardized. This leads to a need to perform process optimizations. 5

Process optimization Reduce unneeded activities and identify unmitigated risks Process optimization is the activity of revisiting current processes, controls, and risks to refine the activities and perform the process more effectively. It usually is done through the following actions: Identify and replace inefficient controls or activities Remove controls or activities that are not needed Tailor current controls or activities to better fit with the business process and technologies Identify unmitigated risks and implement controls or activities that mitigate those risks 6

Challenge How to balance cost and flexibility? 7

Finding balance Businesses struggle to balance cost and flexibility When determining how to best mitigate risk, there is an inherent struggle with balancing business flexibility and minimizing the cost of supporting controls. Typically, there is a trade-off between: Preventive configurable controls (low cost to implement and operate) and Detective controls (allow business processes flexibly at a much higher cost). 8

Configurable Controls Configurable controls: - Are low cost to implement and operate, - Prevent 100 percent of problematic transactions by disallowing these transactions to process, and - Are absolute. Most business processes cannot process transactions in exactly the same way 100 percent of the time as there are always exceptions to the norm. For example: - Financial close, - Small business units, and - Newly acquired businesses. 9

Issues with configurable controls Configurable controls cause issues due to their inflexibility. Carve-outs Detective control(s) are put in place to mitigate risk where the configurable control cannot be applied. This is problematic as detective controls are: Manual in nature and periodically performed, The exception to the norm, Costly to operate, and Normally performed on a sample basis because of the volume of transactions. Circumvention of current processes and control Preventive controls can cause the business users to circumvent the controls by use of back doors (i.e., superuser access, batch input, manual postings, or nonroutine functionality). Business choke Preventive controls can also unnecessarily choke processes whereby the configuration in the system essentially restricts the businesses from performing their day-to-day duties or processing transactions timely. 10

Continuous monitoring Continuous monitoring can enable companies to increase breadth of risk coverage and maintain business flexibility while minimizing business efforts to operate and evaluate controls, removing the need to make this trade-off. 11

Continuous monitoring: Definitions Continuous monitoring is the process or technology that is used to constantly review something against expected criteria. Continuous monitoring involves: The set of the expected criteria An automation to review against that criteria to identify exceptions A notification method (in most cases workflow or email based) Continuous Control Monitoring (CCM) A technique that analyzes configuration, master data or transactions to identify exceptions that would indicate an issue with that control s effectiveness. Example: monitoring the release strategy configuration for alignment with the expected configuration. Continuous Transaction Monitoring (CTM) A technique that analyzes all transactions or other data to identify exceptions that would indicate an abnormal (out of policy) transaction. Example: monitoring all purchase orders processed to identify duplicate purchase orders or purchase orders processed outside budget or approval limits. 12

Examples of Continuous Monitoring: Focusing on CCM and CTM CCM CTM Automated controls Master data Transactional data Exceptions relating to configuration settings or parameters in the ERP system Exceptions relating to governance of master data in the ERP system Exceptions relating to business transactions within the ERP system based on available transaction data An exception is reported if the tolerance amount for the three-way match control for accounts payable invoices is changed. An exception is reported if the credit authorization approval control is turned off. An exception is reported if the general ledger field structures have been modified in the master table. An exception is reported if changes (including creation, modification and deletion) are made to critical attributes defined in vendor master data. An exception is reported if changes have been made to the general ledger account code options and/or account mapping for automatic system processing functions. An exception is reported if a purchase order is created on the same day that goods were received for a transaction. An exception is reported if a manual journal entry has unusual accounts and/or descriptors. An exception is reported if an employee receives more than one pay distribution in a pay period. A CCM strategy for configurable controls provides Management with a proactive mechanism to identify when key application control settings have been changed A CTM strategy for master file data provides Management with a proactive mechanism to verify that the integrity of the master file architecture and content is not compromised A CTM strategy for transaction data provides Management with a proactive mechanism to identify potential control exceptions and fraudulent activity. 13

Frequency SAP tool to enable Controls Control types and control monitoring Preventive Automated preventive Real-time detective Detective Manual approvals Physical access Segregation of duties/ sensitive access System calculations Workflow (Oversight)- based alerts Physical counts and checks Detective report reviews Control monitoring Workflow (SAP)- based approvals Spreadsheet reconciliations SAP GRC suite Configuration Transaction monitoring SAP ABAP Reports SAP Business Intelligence Reports Per transaction Per transaction Low Timeliness High Multiple times a day to daily Weekly, monthly, quarterly, biannually, annually High Frequency/timeliness Low High Effort to operate Low Low Effort to operate High Sample Percentage coverage 100% 100% Percentage coverage Sample 14

Control quadrant: Cost vs. flexibility *Optimal state: Real-time detective controls with automated preventive supporting controls used to reduce exceptions High cost Manual detective controls High flexibility Real-time detective controls * Low cost Manual preventive controls Automated preventive controls Low flexibility 15

SAP s continuous monitoring tools SAP Process Control (core competency CCM) and SAP s endorsed business solution, Oversight Systems (core competency CTM) 16

SAP process control and oversight systems attributes Process Control Main Purpose: Manage control or a compliance framework and support the evaluation of that framework. More efficient management of multiple compliance frameworks Easy overview of the state of controls at any given point. Issues with controls can be flagged in an automated fashion or reported in automatically through surveys Policy management Ability to monitor changes to configurable controls Oversight Systems Main Purpose: Manage business or transaction exceptions and support the operation of controls and processes. Very complicated analytics can be performed over extremely large data sets Easy follow-up enabled by background data for exceptions displayed, email integration, automatic logging of all activities for the exception Data is stored in Oversight enabling efficient analysis with no load on production The ability to create granular, flexible rules and the ability to use statistics to enable trending 17

Frequency SAP tool to enable Controls SAP process control and oversight systems Preventive Automated preventive Real-time detective Detective Manual approvals Physical access Workflow (SAP)- based approvals Segregation of duties/ sensitive access System calculations Workflow (Oversight)- based alerts Physical counts and checks Detective report reviews Spreadsheet reconciliations Control monitoring SAP Process Control SAP GRC suite Configuration Transaction monitoring Oversight SAP ABAP Reports SAP Business Intelligence Reports Per transaction Per transaction Low Timeliness High Multiple times a day to daily Weekly, monthly, quarterly, biannually, annually High Frequency/timeliness Low High Effort to operate Low Low Effort to operate High Sample Percentage coverage 100% 100% Percentage coverage Sample 18

PC and oversight real world examples Exchange rates SAP Process Control Rule 1: All changes to the exchange rate table trigger an exception. All exchange rate changes are reviewed in PC after the change has processed in ECC. This could trigger numerous exceptions, need to filter for more critical rates. Rule 2: If an exchange rate fluctuates beyond an expected tolerance, an exception is triggered. Exchange rate changes over expectation are reviewed in PC after the change has processed in ECC. Updates to the tolerance levels would be required over time. Oversight Systems Integrity check 1: Exchange rates are compared with an external source. Rates that do not generate an exception. All inaccurate exchange rates are identified and escalated for resolution. Exception only reporting. Integrity check 2: Exceptions are generated for any change to an exchange rate over a set standard deviation. All abnormal exchange rate changes over the threshold are identified for review. Exception only reporting but may not catch as many exceptions as IC#1. 19

PC and oversight real world examples Vendor master records SAP Process Control Rule 1: All changes to vendor master records trigger an exception. All vendor changes are reviewed in PC after the change has processed in ECC. This could trigger numerous exceptions, need to filter for more critical company codes or restrictions to key fields. Rule 2: Monitor configuration of dual approval controls and key fields defined. This will monitor the configuration in ECC that enforces review and approval for the critical vendor master fields. If a change is made to this configuration, an exception is generated in PC. Oversight Systems Integrity check 1: Key vendor fields (e.g. banking information) which are changed and changed back are flagged as exception. All change-change backs to vendors are flagged for resolution. Exception-only focused reporting. Oversight keeps it s own change history so can identify changes made through back-doors (e.g. DBA level). Integrity check 2: All vendor master with similar names, address, bank information, etc. are flagged for review. All potential duplicates are flagged follow-up. 20

PC and oversight real world examples Duplicate invoices SAP Process Control Rule 1: Monitor configuration of duplicate invoice indicators. This will monitor the configurations in ECC that enforce flagging duplicate invoices. If a change is made to this configuration, an exception is generated in PC. This is a monitoring technique of the supporting configuration; it does not identify actual duplicate invoices. Rule 2: Monitor vendor master records created without the duplicate checkfield activated. All vendors created without the proper configuration will be flagged for review. Oversight Systems Integrity check 1: Invoices to the same or similar vendor, with the same amount same amount with different currencies, similar invoice numbers, and other key attributes are flagged. All potential duplicate invoices are flagged for review. This integrity check flags the actual duplicate invoices in addition to false positives (i.e., invoices that look duplicated but are actually valid). Tuning of integrity checks is vital to ensure that false positives are reduced to the greatest extent possible to ensure the exceptions are manageable. 21

PC and oversight real world examples Invoices over budget SAP Process Control Rule 1: Invoices that exceed the set tolerance limits for user groups are flagged for resolution. All invoices which are potential splits to avoid budget configuration are flagged for review. Rule 2: Tolerance levels for invoices are configured to trigger workflow exceptions for invoices above budget limits. All invoices above budget limits are flagged for review. Oversight Systems Integrity check 1: Transactions that are likely splits can be identified and compared to the chart of authority to flag exceptions. All invoices which are potential splits to avoid budget configuration are flagged for review. Integrity check 2: POs and invoices that are above the norm (by evaluating the standard deviation over the history of transactions) for the vendor, buyer, or other criteria are flagged for resolution. All invoices which are potentially erroneous (e.g. by typos etc.) are flagged for review. 22

Using SAP process controls supporting control operation To be considered during design. If you are using SAP Process Control to support the operation of controls (not limited to evaluation of effectiveness of controls), keep in mind: Exceptions generated by a PC configuration acting as a control would not constitute a deficiency. These exceptions are meant to be reviewed and resolved as part of the control s operation. Must consider this throughout the design of the PC environment to ensure that exceptions generated do not translate to a control failure. 23

The continuous monitoring roadmap Where do you start? 24

Where to start Choose what you wish to achieve first: Lower the cost to operate controls vs. lower the cost to evaluate controls First determine what benefits you wish to realize first from the tool. Deciding this and articulating it up front enables you to: Select the appropriate tool that supports that most immediate initiative Clearly articulate to the project team and stakeholders what will be met in the current phase of the roadmap and what will be accomplished with later functionality Successfully meet the stakeholders objectives 25

The continuous monitoring considerations Driver: Lower cost to operate controls Reduce business efforts to operate controls (useful for clients with many manual controls) Identify business exceptions and control breakdowns sooner Increase business flexibility through moving toward real-time detective controls Achieve more coverage of risk Remove obvious pain points Stop known problematic transactions Driver: Lower cost to evaluate controls Lower the cost of compliance functions efforts Identify control breakdowns sooner Lower the cost of business self-assessment of controls Achieve better visibility of the compliance framework and the overall state of risk Organize risks and controls in a more meaningful fashion Policy management to support controls Continuous Transaction Monitoring Solution Then document the controls in your Continuous Control Monitoring Solution Then implement controls in your Continuous Transaction Monitoring Solution Continuous Control Monitoring Solution 26

For further information, please contact: Jamie Levitt Manager (949) 462 4592 jamie.levitt@us.pwc.com Ronald Risinger Senior Associate (949) 437 4489 ronald.j.risinger@us.pwc.com Certain matters reviewed today may represent services that may be prohibited from providing to our audit clients. In those instances, the information is being provided to inform you of options that you may consider as you assess your company's approach to Continuous Monitoring. Independence rules are complex and we recommend to discuss all services with you in advance within the context of the independence rules. The information contained in this document is provided 'as is', for general guidance on matters of interest only. PricewaterhouseCoopers is not herein engaged in rendering legal, accounting, tax, or other professional advice and services. Before making any decision or taking any action, you should consult a competent professional adviser. 2012 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. refers to the United States member firm, and may sometimes refer to the network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information