IT Audit Perspective on Continuous Auditing/ Continuous Monitoring KPMG LLP



Similar documents
Continuous Auditing / Continuous Monitoring

Leveraging data analytics and continuous auditing processes for improved audit planning, effectiveness, and efficiency. kpmg.com

Driving business performance Using data analytics

Leveraging Data Analytics and Continuous Auditing. Internal Audit. January 9, 2014

Using data analytics and continuous auditing for effective risk management

KPMG s Financial Management Practice. kpmg.com

Transforming risk management into a competitive advantage kpmg.com

Title here. Successful Business Model Transformation. in the Financial Services Industry. KPMG s Evolving World of Risk Management SECTORS AND THEMES

Transforming Internal Audit: A Maturity Model from Data Analytics to Continuous Assurance

Driving Business Value. A closer look at ERP consolidations and upgrades

Accenture Human Capital Management Solutions. Transforming people and process to achieve high performance

Vital Risk Insights kpmg.com

How To Transform It Risk Management

Reduce Audit Time Using Automation, By Example. Jay Gohil Senior Manager

CONTINUOUS CONTROLS MONITORING

Fraud Risk Management

RSA ARCHER OPERATIONAL RISK MANAGEMENT

ORACLE ENTERPRISE GOVERNANCE, RISK, AND COMPLIANCE MANAGER FUSION EDITION

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

Continuous Monitoring: Match Your Business Needs with the Right Technique

ERP Controls Integration

Data & Analytics in Internal Audit. January 13, 2015

Leveraging a Maturity Model to Achieve Proactive Compliance

Dynamic Enterprise Performance Management

Placing a Value on Enterprise Risk Management ADVISORY

Stakeholder management and. communication PROJECT ADVISORY. Leadership Series 3

The Power of Risk, Compliance & Security Management in SAP S/4HANA

Preserving and Growing Value Through Enterprise Risk Management

CA Service Desk On-Demand

ADVISORY SERVICES. Risk management in an evolving world. Making the case for social media governance. kpmg.com

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

Continuous Controls Monitoring ISACA, Houston Chapter. August 17, 2006

Advisory Services Oracle Alliance Case Study

GOVERNANCE, RISK AND COMPLIANCE. Internal Audit. Assessing Fraud Vulnerabilities. kpmg.com/in

Achieving Control: The Four Critical Success Factors of Change Management. Technology Concepts & Business Considerations

CA Workload Automation

can you improve service quality and availability while optimizing operations on VCE Vblock Systems?

The Case for Sourcing Internal Audit ADVISORY

Application Control Effectiveness for SAP. December 2007

Unlocking the power of SAP s governance, risk and compliance technology

Leveraging Privileged Identity Governance to Improve Security Posture

Enabling IT Performance & Value with Effective IT Governance Assessment & Improvement Practices. April 10, 2013

Minimize Access Risk and Prevent Fraud With SAP Access Control

An Oracle White Paper November Financial Crime and Compliance Management: Convergence of Compliance Risk and Financial Crime

Continuous Controls Monitoring. Virginia ISACA January Meeting 19 January 2010

IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE

SAP Overview Brochure. Confidence Powers Success. SAP Solutions for Governance, Risk, and Compliance.

Addressing common challenges in the record-to-report process. kpmg.com

Patient Relationship Management

RSA ARCHER AUDIT MANAGEMENT

UNCOVER WHAT S HIDDEN IN YOUR SAP ERP DATA TO HELP CUT COSTS AND RAISE COMPLIANCE

Process Control Optimisation with SAP

KPMG Advisory. Microsoft Dynamics CRM. Advisory, Design & Delivery Services. A KPMG Service for G-Cloud V. April 2014

Enterprise Risk Management & Information Technology

Business Information Services. Product overview

S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma

Accenture: Digitizing Internal Audit

CONNECTING ACCESS GOVERNANCE AND PRIVILEGED ACCESS MANAGEMENT

Integrating GRC with Performance Management Demands Enterprise Solutions

Internal audit value optimization for insurance organizations

Infosys: Treating Governance and Compliance Strategically with SAP Access Control

Running the business of IT metrics that matter

CA Service Desk Manager

Asia Pacific. Tax Management Consulting Why and What?

Transforming operations and technology

What is Security Intelligence?

KPMG LLP Credit Risk Management Practices 2014 Survey on Credit Bureau Reporting

How To Use The Sap Process Control Application

HR Function Optimization

Outperform Financial Objectives and Enable Regulatory Compliance

Complete Financial Crime and Compliance Management

Functional and technical specifications. Background

Masterminding Data Governance

Impact of New Internal Control Frameworks

Integrated Governance, Risk and Compliance (igrc) Approach

IBM QRadar Security Intelligence April 2013

Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today s Largest Organizations

High Value Audits: An Update on Information Technology Auditing. Robert B. Hirth Jr., Managing Director

Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment

How To Use Ibm Tivoli Monitoring Software

ENTERPRISE MANAGEMENT AND SUPPORT IN THE TELECOMMUNICATIONS INDUSTRY

Credit Unions RISK ADVISORY SERVICES. Enterprise Risk Management, Internal Audit and Complex Accounting Services

Leveraging Continuous Auditing / Continuous Monitoring in internal audit April 10, 2012

A TECHNICAL WHITE PAPER ATTUNITY VISIBILITY

Analytics Strategy Information Architecture Data Management Analytics Value and Governance Realization

An Effective Approach to Transition from Risk Assessment to Enterprise Risk Management

Cloud Computing An Auditor s Perspective

Getting to strong Leading Practices for value-enhancing internal audit By Richard Reynolds and Abhinav Aggarwal - PricewaterhouseCoopers LLP

Welcome to Modulo Risk Manager Next Generation. Solutions for GRC

Performance Management for Enterprise Applications

Attestation of Identity Information. An Oracle White Paper May 2006

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

InforCloudSuite. Business. Overview INFOR CLOUDSUITE BUSINESS 1

How To Turn Data Into Insights

Pursuing Compliance with the FFIEC Guidance Risk Assessment 101 KPMG RISK ADVISORY SERVICES

Transcription:

IT Audit Perspective on Continuous Auditing/ Continuous Monitoring KPMG LLP

IT Audit Perspective on Continuous Auditing/Continuous Monitoring INTRODUCTION New demands from the board, senior organizational leaders, and regulators are requiring IT Audit to refocus its efforts beyond regulatory and compliance matters. IT Audit is now expected to play a much larger role; one that expands its historic focus on value preservation (a controls focus) to encompass activities related to value creation (a performance focus). Some of the value creation expectations of IT Audit include: Focus on the C-level agenda and participation in strategy development Integrated risk identification and prioritization versus siloed risk management Evaluation of alignment of people, processes, and systems with business strategy Focus on defined key performance indicators Analysis and quantification of risk factors in new business ventures and strategies Understanding of shared risks among various projects and initiatives. IT Audit is expected to offer increased synthesis and analysis of information to help management identify themes, trends, and business opportunities. Boards and their Audit Committees are seeking a real-time overarching view and interpretation of the control environment from IT Audit, rather than reports on individual technology areas. Increasingly, management will also rely on IT Audit to provide a conclusion on the effectiveness of the technology environment. To meet these new expectations, IT Audit will need to refine its risk assessment processes and significantly enhance its analysis of information through the use of technology. In KPMG LLP s (KPMG) commissioned 2009 IT Internal Audit survey, 1 it was revealed that IT Audit s powerful combination of technical and business know-how, underpinned by an understanding of operational and technology risk, can turn the function from cost center to value builder. The survey also revealed that there is a To assist them in meeting the challenges of their enhanced role and increased expectations, IT Audit functions continuously seek new ways to gain access to valuable and timely information to manage risk and improve performance. Such efforts increasingly include Continuous Auditing (CA) and Continuous Monitoring (CM) of organizational processes, transactions, systems, and controls. CA/CM can free up time and create cost savings and thus allow limited audit resources to increase focus on the abovementioned value creation activities. marked and encouraging shift from traditional to more proactive, valueadding activities undertaken by IT Audit. Practitioners are working more closely with IT and business functions to deliver, for instance, assurance during live projects. 2009 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, 1 "KPMG s 2009 IT Internal Audit Survey; The Status of IT Audit in Europe, the Middle East, and Africa." Approximately 300 organizations from at least 20 countries participated in a 52-question survey to identify current trends in IT Internal Audit methodologies and practices. 1

2009 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, Continuous Auditing allows the auditor to use predefined indicators to direct and focus audits in a more efficient and timely manner. Examples include system availability, days to close service requests, or continuous vulnerability assessments. Continuous Monitoring complements normal transaction processing by checking every transaction or selected transactions against prespecified criteria. Examples include identifying transactions that exceed predefined thresholds or electronically identifying segregation of duties conflicts. IT Control Dimension (CCM) IT-based controls management (SOD, configurable application controls, etc.) What Is Continuous Auditing/ Continuous Monitoring? While the definitions of CA and CM may vary across organizations and industries, the goal in pursuing these disciplines is to provide greater transparency, effectively manage risk and performance, and provide continuous assurance. Depending on an individual s role within the organization, he or she can think of CA/CM as another lens to assess or monitor the effectiveness and completeness of the organization s Governance, Risk, and Compliance (GRC) programs, as well as to help detect control gaps, transaction anomalies, and variances from agreed-upon performance parameters or Key Performance Indicators (KPI), which is imperative to seamless business operations. CONTINUOUS AUDITING is the collection of audit evidence and indicators by an Internal Auditor on Information Technology (IT) systems, processes, transactions, and controls on a frequent or continuous basis, throughout a period. CA efforts can provide organizations with greater audit coverage (i.e., 100 percent of the population) for the same or less effort over time specifically by redesigning the traditional audit approach so it can become repeatable and sustainable and by retooling people, refining processes, and incorporating embedded or enabling technologies. CA allows the IT Audit team to virtually identify control breakdowns in real time (allowing action to be taken immediately) by keeping track of specific controls, Analytical Dimension Macro-level analysis for trends, patterns, results (e.g., TCO, system availability, etc.) Risk/ Performance transactions, and business events as they occur. The use of CA tends to raise the overall profile of IT Audit within the organization by helping identify control weaknesses that not only impact various aspects of compliance, but also areas that are imperative to effective and efficient IT and business operations. By contrast, CONTINUOUS MONITORING is a feedback mechanism used by management to help ensure that controls operate as designed and transactions are processed as prescribed. This monitoring method is the responsibility of management and can form an important component of the control structure. CM gives management the ability to effectively monitor those areas that are most important to them, using either a control (value preservation) or performance (value creation) lens. As with CA, CM technologies provide the opportunity to change the traditional approach for management and the process owners to focus on monitoring IT and business risk and performance. The diagram below depicts interrelationship of the three dimensions of continuous IT controls monitoring, continuous IT transaction monitoring, and macro-level analytics. Risk and performance monitoring can be enhanced when all three dimensions are implemented as it will help identify risk or opportunity for performance improvement. Transaction-based exception analysis and business rule management IT Transaction Dimension (CTM) 2

BENEFITS Improved Efficiency Automate components of the audit program, audit tests, or review procedures and reduce wait times for data Audit by exception and known control gaps and deficiencies can be continuously audited Reduction of low value-added work and focus on high-impact areas (e.g., fraud, waste, privacy, and data security) Enhanced Controls Provision of more accurate, reliable, relevant information and corrections of errors moved closer to the source Enhanced visibility of IT Audit within IT and business and improved deterrence effect Assistance in providing valuable insight to controls effectiveness and business process risks associated with outsourced business processes Earlier Information Earlier identification and timely corrective actions of internal control deficiencies Improved speed of reduced surprises, such that problems do not build up Ability to proceed with root cause analysis for errors, policy violations, and misconduct in a more timely manner Reduced Complexity Reduction of complexity through global process standardization, thereby easing the review process Appropriate setting and consistency of materiality thresholds, therefore reporting focus on real issues Accurate Reporting More reliable financial reporting and ability to more efficiently report on and certify compliance with internal and regulatory requirements Potential Benefits from Continuous Auditing Putting the theories of Continuous Auditing into practical use can provide IT Audit an insight into areas of risk and opportunity. IT Audit can focus not only on whether a control is being performed, but also whether it is the right control and if it is being performed correctly and in a cost-effective manner. Automation can enhance the efficiency and effectiveness of the control environment so that costs can be lowered and limited resources can be deployed strategically. With CA, IT Audit is better equipped to identify and mitigate operational, external, and strategic risks associated with ERP implementations and conversions, occurrence of fraud, globalization, changes in performance and accountability, or increased legal or regulatory environment. IT Audit can test a broader range of controls by enabling automation of controls, testing, and transaction monitoring and thus expanding its audit coverage. Role of IT Internal Audit in Continuous Auditing IT Audit is in a unique position to add value and play an integral role in the successful implementation of a Continuous Auditing program. Its role should include helping establish the specifications and requirements associated with the new auditing processes and the implementation of supporting tools. For example, during an initial deployment of a CA program, IT Audit can provide knowledgeable and experienced resources to: Identify where the critical data resides Identify key control areas that are not operating consistently or where weaknesses exist Identify control areas that will be of key benefit/value to operational efficiency Drive the design of monitoring routines Oversee the overall implementation of the process and supporting tools. CA allows IT Audit to bring in ERP systems (e.g., SAP, Oracle) into their detection and monitoring capabilities and test for security, segregation of duties, and process level controls. Furthermore, CA delivers regular insight into the status of controls and transactions across the global enterprise. Through enhanced detection and monitoring, CA delivers overall risk and control oversight capability. CA is better able to deliver the IT Audit mandate by testing a broader range of controls at a reduced cost and on a timely basis. It also allows for a greater ability to obtain more granular information when desired. While the frequency of Continuous Monitoring would likely be more real-time (e.g., daily, weekly, monthly), IT Audit may be more focused on a specific period of time or longer-term trends. Considering the evolving role of the IT Audit function, organizations many increasingly rely on Continuous Auditing programs (people, processes, and technologies) to help drive sustainable value preservation and integrated risk management. IT Audit can help identify risks and controls that should be monitored by CA tools, provide insight into automated controls, evaluate audit procedures and results, and continue to define and manage the process on an ongoing basis. 2009 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, 3

Role of IT Internal Audit in Continuous Monitoring Similar to its role in Continuous Auditing, IT Audit s role in Continuous Monitoring revolves around delivering value by advising IT and the business. IT Audit can provide knowledgeable and experienced resources to advise both the Assess and design the overall implementation plan Perform risk assessments and design query protocols and reports Once management has a continuous monitoring program in place, IT Audit can continue to provide cross-functional oversight and resources in the areas of risks and controls, IT operations, business process, business functions and IT operations on the deployment, and ongoing oversight of CM initiatives. IT Audit can help management to: Assist management through the change management process Evaluate software tools and provide recommendations regulatory compliance, and forensics and fraud detection, among others. IT Audit s deep insight into risk and controls relating to the organization s strategy, operations, information technology, and Provide recommendations on reporting and dashboards Develop and deliver training business processes, as well as the legal and regulatory environment gives it a unique perspective to provide value-added cross-functional advisory services that will help ensure 2009 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, CA/CM Tools Advances in technology have paved the way for increased use of Continuous Auditing and Continuous Monitoring of organizational processes, transactions, systems, and controls. Technology enabled controls auditing and monitoring tools integrated into ERP solutions or built as third-party bolt-on solutions have and will continue to evolve. While product enhancements will continue and the marketplace will continue to consolidate, organizations are leveraging technologies to change how they evaluate the effectiveness of controls and monitor performance. The success of a CA/CM initiative is highly dependent upon the effective implementation and use of technology tools. In a KPMG commissioned survey, 1 it was determined that automated tools that could help focus audit activity and make better use of IT Audit resources are not commonly used in areas such as planning and risk and controls analysis. Despite plenty of interest in continuous auditing software, real development and rollout is lacking in many organizations. Furthermore, despite data analysis tools being most common, a breakdown of the types of tools used to support IT auditors reveals that 33 percent of organizations do not actually use data analysis or sampling tools. As these tools can help increase the reliability of audit conclusions, their absence could also Execute continuous audits. As available tools vary in form and function, organizations need to consider the capabilities and limitations of each and determine what tools best meet their immediate and future needs. It is important to identify key requirements upfront in order to effectively evaluate available options. Such evaluation may include whether the tool is capable of auditing, monitoring, and reporting of transaction data by comparing processed transaction against a set of control rules to identify exceptions; conditions relating to system access controls; changes to critical resources and data to verify that changes are appropriate and authorized; completeness and accuracy of data as it flows through various Automation of Control Monitoring via Workflow Segregation of Duties Analysis Automated Controls Analysis Multiplatform and Cross-Platform Analysis Privilege Attestation Ability to Perform Controls Monitoring and Transaction Monitoring ERP/IT Systems Supported Capability for Inbuilt Reporting/ Dashboarding the successful implementation of a CM program. IT processes and systems; and volume and resolution of activity in suspense areas, error logs, or exception reports. Some of the available tools today do certain elements of auditing, monitoring, and reporting better than others. For example, certain tools may be more effective at identifying changes to critical resources and determining whether changes are appropriate and authorized, while other tools only monitor error logs for specific criteria. Considerations that are essential to an effective tool selection process include: IFRS Timing and Strategy Technical Requirements Embedded vs. Extract and Analyze User Licensing Industry Specific Capabilities Sales Execution/Pricing Software Support and Upgrade Agreements Multilanguage Support (Non-English) Global vs. Regional Presence undermine the impact of audit activity. 4

Why KPMG? Many different skills are required and, because CA/CM continues to evolve, organizations may not have ready access to these capabilities in-house. Working with a sourcing partner can make sense when an organization wants to establish a CA/CM program or enhance its existing capability. A partner can help the organization with assessing its current and desired states along the maturity continuum and developing an execution plan that addresses deployment challenges. Cosourcing can also help an organization gain access to business intelligence and knowledge and realize the full benefit of the latest generation of technology tools. Appropriate CA/CM sourcing partners can offer deep industry knowledge and business acumen, broad business process and technical skills, and the potential for global efficiencies and fixed-cost savings. They can also offer a technology suite of enabling tools and supporting content, data extraction and scrubbing experience, support in tool selection, training, and change management capabilities that are critical during the implementation stage. KPMG understands that an organization s risk profile is fundamental to delivering CA/ CM services. By assessing the risks, we are able to prioritize and direct resources to those processes that are most important to the business and ones that provide the highest amount of return on investment. Design and implement CA/CM approaches including risk-based: - Dashboards - Scorecards - Analytics (including fraud and regulatory-risk specific) - Reports (area and transaction based) - Management Protocols o o o o Notification Reporting Response Investigation As discussed previously, proper linkage with GRC and Enterprise Risk Management (ERM) programs is essential to a successful implementation and management of CA/CM. KPMG s extensive knowledge and experience in advising our clients on GRC, ERM, as well as Business Intelligence, Performance Improvement, and Unified Compliance, strongly positions us as leaders in helping organizations with their CA/CM initiatives. KPMG is able to assist during various stages of the implementation process including Planning, Assessment, Design, Implementation, Execution, as well as Evaluation. With our global network of member firms, knowledge and insight, KPMG can effectively provide value-added services relating to CA/ CM. Some of the examples include: Execute individual CA projects Evaluate antifraud processes that are part of the CA/CM approach Controls automation Integration with governance, risk, and compliance initiatives Integration with business intelligence initiatives Design/incorporate with more sophisticated data analysis initiatives (e.g., predictive modeling, social network analysis) Tool/application evaluation and recommendation 2009 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, Training Risk assessment/scoping 5

us.kpmg.com CONTACT INFORMATION Phil Lageschulte Partner IT Internal Audit National Leader 312-665-5380 pjlageschulte@kpmg.com MIDATLANTIC: Richard E. Archer Principal 412-232-1590 rearcher@kpmg.com MIDWEST: Bernard A. Wieger Partner 816-802-5810 bwieger@kpmg.com Robert T. Soles Partner 312-665-2345 rsoles@kpmg.com NORTHEAST: Ralph Monte Principal 973-912-4820 rmonte@kpmg.com SOUTHEAST: Tom Pankey Managing Director 813-301-2001 tpankey@kpmg.com SOUTHWEST: Shawn Lafferty Principal 713-319-2182 slafferty@kpmg.com WEST: Mark A. Lundin Partner 415-963-5493 mlundin@kpmg.com The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. 2009 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in the U.S.A. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative. 36277CHI

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information