Reduce Audit Time Using Automation, By Example. Jay Gohil Senior Manager

Similar documents
PwC The Path Forward for Data Analysis and Continuous Auditing May 2011

IT Audit Perspective on Continuous Auditing/ Continuous Monitoring KPMG LLP

Using Technology to Automate Fraud Detection Within Key Business Process Areas

Leveraging Continuous Auditing / Continuous Monitoring in internal audit April 10, 2012

The Power of Risk, Compliance & Security Management in SAP S/4HANA

Leverage T echnology: Move Your Business Forward

Supporting Compliance Management with Technology

Continuous Controls Monitoring. Virginia ISACA January Meeting 19 January 2010

Process Control Optimisation with SAP

AGA Kansas City Chapter Data Analytics & Continuous Monitoring

LEVERAGE TECHNOLOGY TO EMPOWER INTERNAL AUDIT

Agenda 3/7/ ERM Symposium March 14 16, Continuous Controls Monitoring. I. Changes In Corporate Environment

Leveraging data analytics and continuous auditing processes for improved audit planning, effectiveness, and efficiency. kpmg.com

Continuous Monitoring: Match Your Business Needs with the Right Technique

Minimize Access Risk and Prevent Fraud With SAP Access Control

SAP BusinessObjects GRC Access Control 10.0 New Feature Highlights and Initial Lessons Learned

Continuous Monitoring and Case Management For SAP: Prevent Errors and Fraud in your most important Business Processes

Governance, Risk & Compliance for Public Sector

S24 - Governance, Risk, and Compliance (GRC) Automation Siamak Razmazma

Continuous Controls Monitoring ISACA, Houston Chapter. August 17, 2006

ACL WHITEPAPER. Automating Fraud Detection: The Essential Guide. John Verver, CA, CISA, CMC, Vice President, Product Strategy & Alliances

ARBUTUS. Arbutus Audit Analytics ARBUTUS ANALYZER. ArbutusSoftware.com

Data Analytics: Applying Data Analytics to a Continuous Controls Auditing / Monitoring Solution

Mastering Risk with Data-Driven GRC

CFO. Improving the Bottom Line with Advanced Controls CONTENTS

2/5/2013. Session Objectives. Higher Education Headlines. Getting Started with Data Analytics. Higher Education Headlines.

Understanding ERP Architectures, Security and Risk Brandon Sprankle PwC Partner March 2015

UNCOVER WHAT S HIDDEN IN YOUR SAP ERP DATA TO HELP CUT COSTS AND RAISE COMPLIANCE

Data Analytics: Applying Data Analytics to a Continuous Controls Auditing / Monitoring Solution

Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms

Change Management Best Practices for ERP Applications, An Internal Auditor's Perspective. Jeffrey T. Hare, CPA CISA CIA ERP Risk Advisors

<Insert Picture Here> Financial Audit Scoping Tool Blueprint for Oracle GRC Applications

Application Control Effectiveness for SAP. December 2007

ONESOURCE INDIRECT TAX

Data Analytics Leveraging Data Visualization and Automation in Audit Real World Examples

Directory of. Advertising Supplement

AUDITING AND THE SAP ENVIRONMENT

building a business case for governance, risk and compliance

Oracle Role Manager. An Oracle White Paper Updated June 2009

Harness Enterprise Risks With Oracle Governance, Risk and Compliance

White Paper. Managing Risk to Sensitive Data with SecureSphere

Governance, Risk and Compliance (GRC) software Business needs and market trends

OVERVIEW OF THE ISSUE

Continuous Audit and Case Management For SAP: Prevent Errors and Fraud in your most important Business Processes

Automating the Audit July 2010

An Introduction to Continuous Controls Monitoring

ISACA NY- Data Analytics March

How To Help Your Business Succeed

Risk Management in Role-based Applications Segregation of Duties in Oracle

Tax Systems & Process Services Elevate your tax function

Unlocking the power of SAP s governance, risk and compliance technology

Information Technology Auditing for Non-IT Specialist

TECHNOLOGY SOLUTIONS FOR THE INTERNAL AUDITOR

Optimizing Automation of Internal Controls for GRC and General Business Process Compliance

An Auditor s Guide to Data Analytics

Module 6 Essentials of Enterprise Architecture Tools

Feature. Multiagent Model for System User Access Rights Audit

Leveraging Data Analytics and Continuous Auditing. Internal Audit. January 9, 2014

ACCELUS COMPLIANCE MANAGER FOR FINANCIAL SERVICES

IT Risk Management Life Cycle and enabling it with GRC Technology

TAKE COST CONTROL AND COMPLIANCE TO A NEW LEVEL. with ACL Travel & Entertainment Expense Fraud and Cost Control Solution

Building an Audit Trail in an Oracle EBS Environment. Presented by: Jeffrey T. Hare, CPA CISA CIA

Audit Compliance and Internal Audit Analysis for Dynamics

Securing Your Business with Managed File Transfer

Risk-Based Assessment of User Access Controls and Segregation of Duties for Companies Running Oracle Applications

Data Analytics For the Restaurant Industry

Using data analytics and continuous auditing for effective risk management

Magic Quadrant for Enterprise Governance, Risk and Compliance Platforms

Information overload: How to make data analytics work for the internal audit function

SAP BASIS and Security Administration

How To Use Netsuite With Openair

Chartis RiskTech Quadrant for Operational Risk Management Systems

Integrating Data Analytics into Internal Audit

Case Study: ICICI BANK INTERNAL AUDIT DEPARTMENT PENTANA AUDIT WORK SYSTEM IMPLEMENTATION

Ensure Effective Controls and Ongoing Compliance

Supplier Portal. Date: January 24, Purpose: Reference material for use by the Suppliers when reviewing settlement invoices.

GRC Program Best Practices & Lessons Learned

Best Practices in Duplicate Invoice Detection

Using Assurance Models in IT Audit Engagements

COMPLIANCE MANAGEMENT SOLUTIONS THOMSON REUTERS ACCELUS COMPLIANCE MANAGEMENT SOLUTIONS

BMC Remedyforce Asset Management. Frequently Asked Questions

Speed, Visibility and Control Best Practice AP Processing in Oracle E-Business Suite

Service Catalogue Real World Case Studies October 2010 Presenter: Blaine Bey, I.S.P., ITCP - President, CIPS BC. (BlaineBey@SierraSystems.

Logical Modeling for an Enterprise MDM Initiative

CIIA South West Analytics in Internal Audit - Tackling Fraud

Software Asset Management on System z

Managed Solution. for Staffing Industry

Q1 Labs Corporate Overview

Enforcive / Enterprise Security

IDS for SAP. Application Based IDS Reporting in the ERP system SAP R/3

C31: Introduction to Application Controls: SAP and JD Edwards Sarah E. Thompson and K. C. Fike, PwC

Dynamic Enterprise Performance Management

Aalborg Universitet. Cyber Assurance - what should the IT auditor focus on? Berthing, Hans Henrik Aabenhus. Publication date: 2014

The presentation will begin in a few moments

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister

W H I T E P A P E R S A P E R P L i f e - C y c l e M a n a g e m e n t O v e r c o m i n g t h e D o w n s i d e o f U p g r a d i n g

IMPROVING RISK VISIBILITY AND SECURITY POSTURE WITH IDENTITY INTELLIGENCE

How To Improve Your Business

Best Practices Report

HP Service Manager. Service Request Catalog (SRC) Tips & Tricks Document

Transcription:

Reduce Audit Time Using Automation, By Example Jay Gohil Senior Manager

Today s Session Speaker Bio: Jay Gohil, Protiviti Jay is a Senior Manager in the ERP Services practice in Atlanta. In the past seven years, Jay has focused on SAP Security, Segregation of Duties, and Governance, Risk, and Compliance Access Control (GRC-AC) projects. Topic: Defining and leveraging continuous controls monitoring (CCM) Understand how to move from ad-hoc manual audit testing to a more streamlined and automated approach and using SAP Process Control to continuously monitor risk. This session uses an example situation to address: Maturing from manual testing to a more automated approach Reviewing current tools for automation How to identify and exploit SAP s Process Control 10 solution to streamline control testing 2

Agenda I. Background on Continuous Auditing and Monitoring II. Terminology III. Current Tools & Market Convergence IV. Maturing From Manual To Automated V. Example Scenario 3

Continuous Auditing vs. Continuous Monitoring Continuous Auditing Any method used by auditors to perform auditrelated activities on a more continuous or continual basis. Continuous Monitoring A process that management puts in place to ensure that its policies, procedures, and business processes are operating effectively. Source: The Institute of Internal Auditor's Global Technology Audit Guide (GTAG), Continuous Auditing: Implications for Assurance, Monitoring and Risk Assessment: 4

The Inverse Relationship between Continuous Auditing and Continuous Monitoring Higher level of monitoring of controls = Lower level of detailed testing of controls need Lower level of monitoring of controls = Higher level of detailed testing of controls needed Management Response Comprehensive Monitoring of Internal Controls Little Monitoring of Controls Reduced Effort Significant Effort/ Greater Resources Audit Effort 5

Benefits Increased testing coverage (100% of population) Improved timeliness of testing Greater visibility Independent testing Identification of trends Improved consistency More efficient allowing focus on overall process efficiency and effectiveness Cost-effective solution The Auditing Profession is entering the Age of Continuous Auditing Annual Audits are being viewed as untimely and obsolete Internal Control issues are expected to be reported almost immediately 6

Terminology!?! CA continuous auditing CM continuous monitoring CCM continuous controls monitoring CCM-AC continuous controls monitoring for application configuration CCM-MD continuous controls monitoring for master data CCM-SOD continuous controls monitoring for segregation of duties CCM-T continuous controls monitoring for transactions 7

Continuous Auditing/Monitoring Tools in the Market 8

Leaders in CCM Gartner Magic Quadrant for Continuous Controls Monitoring Source: Gartner s website at http://www.gartner.com/ 9

Tool Convergence The vendors and associated products used for Continuous Audit have drastically changed in the past couple of years including: Vendor Consolidation (e.g. Infor acquires Approva, IBM acquires OpenPages and Algorithmics, EMC-RSA acquires Archer, Thomson Reuters acquires Paisley) Divergence amongst competitors focusing on audit management vs. audit automation Governance Risk and Compliance (GRC) and Continuous Controls Monitoring Tools GRC Platform Finance GRC (e.g. configuration & transaction monitoring) IT GRC (e.g. SOD, IAM) Operations GRC (e.g. EH&S, QM, etc) Product increased interoperability to allow for a more integrated GRC platform (e.g. SAP GRC 10.0, Oracle GRC) Industry specific solution content becoming more important (e.g. Oil & Gas, Banking, Dodd-Frank, etc.) Enterprise Risk Management (e.g. Self Assessments, RM Dashboards, KRIs, etc.) Policy, Process & Document Management What are your needs and priorities (short and long-term)? 10

egrc egrc Enterprise Governance, Risk and Compliance A technology solution to support the oversight and operation of enterprisewide risk management and compliance programs, with the overall objective being improvements in corporate governance. - Gartner 11

egrc Components Content Management Managing documentation related to policies, risks, controls, testing, configuration. Workflow / Alerts Automating controls surrounding approvals, tasks, and alerts Transactional Analysis / Monitoring Monitoring controls on a configuration and transactional level to determine if controls are operating as designed. User Access Reporting / Monitoring Segregation of Duties (SOD) / Sensitive Access Configuration Monitoring Automated / System Controls Dashboarding Providing management with a comprehensive overview of the control / risk environment. 12

The Controls Challenge Are we making unnecessary or unapproved discounts? Have any POs been changed after approval? Are people making unauthorized or incorrect manual entries to the GL? Are purchasing cardholders violating company policy? Are we making duplicate payments? Are my POs missing based on accurate vendor master data? Am I losing money because of fraud? Is anyone manually clearing blocked invoices? Are we at risk of an audit finding for user access? Are we misclassifying assets as expenses? Transactions (CCM-T) Did anyone? Master Data (CCM-MD) Is the underlying data accurate? Access to Applications (CCM-SOD) Can anyone? Can users access sensitive information? Configuration of IT Systems & Processes (CCM-AC) Do our systems allow anyone to? Are system configuration changes exposing me to risk? 13

Trends and Leaders in egrc Gartner Magic Quadrant for egrc July 2011 October 2012 Source: Gartner s website at http://www.gartner.com/ 14

Business Controls Where do you want to be? Continuum Optimized Managed Defined Repeatable Initial / Adhoc Identification of Business Risks: Business Process risks have been identified, documented, and are understood by the business. An effective risk classification system is used to define the importance, likelihood and impact of each risk. Configurable Controls: Reliance is placed on system controls to minimize manual business process controls. Optimal use of all applicable system control items Detective / Manual Controls / Business Rules / Policies: Controls that address key risks are documented and regularly reviewed. Definition of global and local controls Data Governance: Centralized management of master data, leveraging both configurable controls and automated reporting to prevent and manage inconsistencies Continuous Control Monitoring: Automated processes are implemented to alert and identify changes in key configuration controls and transactional anomalies. Management self assessment programs are used to assess the effective operation of manual process controls. Internal Audit and other assurance providers are integrated into key business process controls Identification of Business Risks: Limited understanding of risks within each business process. Failure to classify the importance of business process risks Configurable Controls: System application controls have not been documented or tested for effectiveness. Reliance is placed of manual process controls rather than taking advantage of system controls Detective / Manual Controls / Business Rules / Policies: Controls are operating within the business but have not widely understood or formally documented. There is no link between key process risks and control items Data Governance: Inconsistent and independent management of master data (vendor, customer, COA) Continuous Control Monitoring: Regular testing and monitoring of both system and manual controls is not performed. 15

Maturing from Manual to Automated Continuum Optimized Fully Automated: Use of sophisticated tools to automate testing and aligning with business controls. Exceptions are reportable and monitoring is implemented for transactions and configurations. Managed Defined Repeatable Semi-Automated: Automation is used to perform testing across full populations. Use of tools (ACL or databases) to reduce analysis time Initial / Adhoc Manual: Pull data at the time of testing and performing sample based testing 16

Example Scenario: One Time Use Vendors 17

Scenario Creation of vendors is tightly controlled Often times, it s necessary to bypass system checks to create one-time vendors Used on an exception basis, allowing user to bypass controls and push purchases through Control Objective: Purchases against one-time use vendors cannot exceed $10,000 Business Rule: The sum of invoices to one-time use vendors should be less than $10,000 18

Example: Semi-Automated Control Test Step 1: Identifying the data Select field Help (F1) Technical Information (Hammer/Wrench icon) 19

Example: Semi-Automated Control Test Step 2: Obtaining the data based on frequency Method 1: Pull the data manually during each audit Method 2: Reliance on IT to provide the data PARTNER! Pulling data files from a staging location / folder Validate the accuracy and completeness of the data Step 3: Automate the test using Excel / ACL / Access Requires detailed documentation of data requirements and scripts Skill-set with tools is sometimes lost with team member rotation Application Ease of Use Cost Repeatability Assurance of Data Integrity Excel High Low Low Low Access Low Low High Low ACL Medium High High High 20

Identifying the Data Source: SAP Structures Identify transparent tables related to a structure: Right-click on a field containing data and click Help (F1)" Tip! Click the "Technical Info" icon (hammer and wrench). Make a note of the table name and table category (e.g., Struct.) located in the Field Data section of the Technical Information window. For the purpose of this example, let's assume the category is "Struct." In SAP, Execute T-Code SE84 (ABAP Workbench) and browse to ABAP Dictionary > Structures. Enter the structure name and click the Execute button (look for the green checkmark). Click the "Complete List" button to view additional fields. Make a note of the "Package" name. Browse to ABAP Dictionary > Database Tables (in SE84). Enter the Package name and click Execute Review the SAP tables related to the data element Reference: Posted on LinkedIn Atlanta ACL User Group by John Buchanan on 8/15/2013 21

Example: Continuous Monitoring Using SAP Process Controls 10.0 22

CCM Bigger Picture 23

Data Sources Subsets of data associated with business rules or controls Predefined queries for specific data elements The job of a data source (in GRC) is to provide a business-user-friendly view of technical data SAP Process Controls 10.0 ACL Direct Link Note: Data sources can and should be used for multiple rules or controls May require bigger picture thinking and design discussions 24

Data Sources (continued) Intellectual property for table and field names User friendly interface to the data 25

Identify and Define Business Rules/Controls 26

Business Rules User specified logic based on business controls Business rules filter the data stream coming from data sources These rules can also perform calculations on the data Rules define exception situations Examples: Total spend on a one-time vendor should not exceed $10,000 Rule Types Transactional (CCM-T) Configuration (CCM-AC) 27

Rule Type: Configuration Monitoring Rules based on the entries of log files Prerequisite: logging must be enabled on specific tables or specific areas Non-transactional patterns, such as flags or toggles Ability to run monitoring rule against an entire timeframe and reconstruct settings to identify changes that violate the rule Example: Master data changes - enable/disable vendor blocked for credit status Configuration changes My audit test is a point in time so how do I know that the configuration wasn t changed for a short period of time and then changed back? 28

Change Log Example Control Objective: Customer credit checks are performed based on category of customer, company code, and sales area for high risk sales orders 29

CCM Sample Exception Report 30

A Few Key Points to Take Home To achieve your continuous compliance objectives: Identify your compliance needs and the risks to address them Understand the controls in place to mitigate the risk Identify the data sources and partner with IT to obtain accurate and complete data Convert your controls into business rules for automation A continuous risk and controls assurance program is enabled by technology 31

Q & A 32

Complimentary SAP Process Control Webinar 33 http://www.protiviti.com/webinars Look for the event: Identifying the Value SAP Process Control Can Deliver to Your Organization

Thank You Jay Gohil Jay.Gohil@protiviti.com LinkedIn.com/in/JayGohil Powerful Insights. Proven Delivery. TM 34

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information