Continuous Auditing Or Continuous Monitoring? - VUrORE


Continuous Auditing or Continuous Monitoring?
Drs. Arie Pronk RE RA CISA CAMS
VUrORE Theme Evening: Continuous Auditing (Making the Audit Dynamic)
5 September 2006, Amsterdam

Biography
Arie Pronk is Head of Group Audit Operations / Operations & Services within ABN AMRO. He is responsible for worldwide Group Audit Communications, CAATs Services, Audit Systems Support and Audit Issue Tracking. As Global Project Manager CAATs Implementation, he is responsible for delivering a global CAATs infrastructure and methodology to Group Audit.

Agenda
1. Introduction
3. Current Environment & Developments
5. Challenge & Solution
7. Proof of Concept Continuous Monitoring

Introduction

IIA’s Global Technology Audit Guide 3
GTAG 3, Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
Continuous Auditing
- Method used to perform audit-related activities on a continuous basis – includes control and risk assessment
- Performed by Internal Audit
Continuous Monitoring
- Processes to ensure policies/processes are operating effectively and to assess adequacy/effectiveness of controls
- Performed by operational/financial management; audit independently evaluates adequacy of management activities
Continuous Assurance
- Combination of continuous auditing and audit oversight of continuous monitoring
“The power of continuous auditing lies in the intelligent and efficient continuous testing of controls and risks that result in timely notification of gaps and weaknesses to allow immediate follow up and remediation”

IIA’s Global Technology Audit Guide 3
“The business and regulatory environment and emerging audit standards are driving auditors and management to make more effective use of information and data analysis technologies as a fundamental enabler of continuous auditing and continuous monitoring”
“Pressure to perform ongoing evaluation of internal controls”
“Many of the techniques of continuous monitoring of controls by management are similar to those that may be performed in continuous auditing by the internal audit department”
“The outcomes of continuous auditing and monitoring (by management) are similar and involve notifications or alerts indicating control deficiencies or higher risk levels”

IIA’s Global Technology Audit Guide 3

Current Environment & Developments

Our Environment
A turbulent period with hours and money being spent on SOXA testing, Compliance investigations, preparations for Basel II etc.
[Word cloud: Takeovers, Assurance, Back to Basics, Outsourcing, Internal Control, Cost Reduction, Globalization, Audit, ROB, SOX, Tabaksblat, Synergies, Offshoring, Basel II, WID, Risk Management, Compliance, Insourcing]

Our Environment
- Turbulent period with increasing regulatory demands, more disclosure of procedures and controls, extensive testing of internal controls (e.g. SOXA, Basel2, Corporate Governance)
- Growing claim on business and audit resources for internal control and compliance related activities
- Business and Corporate Functions both focus on:
  - Increasing Economic Profit
  - Adhering to internal control and compliance regulations
  - Lowering costs to improve efficiency ratio

See SOXA etc. as an opportunity!
Try to reduce costs and increase benefits!
Steps:
3. Think of control as a process
“Control needs to be viewed as a process model, not just a series of checklists to be completed” *
It’s a Business responsibility but Audit can add value!
“The motivation to implement better controls should come from a desire to improve operations, risk management processes, and governance” *
7.11. Shift from extensive testing to monitoring & active risk management
“Companies need to develop better monitoring procedures that will help them identify when a process has suffered a decrease in control” *
* Rittenberg, There is No Shortcut to Good Controls; Internal Auditor, August 2005

[Figure: Global Guideline]
Activity: 12 Determine data application needed, extraction date and location of data
Introduction: Once the request is completed and all appropriate testing parameters are included, the CAAT team will determine the data application needed, cut off date and location of data. (Activity 12)
Objective: The objective is to determine if the data can be independently obtained by the CAATs Team or the CAATs Team needs to request a 3rd party like IT to deliver the data to them.
Responsible: CAATs Expert
Conditions: A complete data request including all appropriate testing parameters in the CAATs Knowledge Database.
Resources/Tools: CAATs Knowledge Database
Activities:
- Determine entity involved, application, hardware platform, required tables and fields, extraction date etc.
- Verify whether the CAATs Team is able to technically interface with the hardware platform, application and data
- Verify if the required authorization is already granted by the business owner and request authorization for access, if needed
- Determine tables and fields needed by using the data dictionary
- Verify if data access and extraction is indeed possible
- Verify if data with the required extraction date is available
Comments:
Next Instruction: Decision 13 Can data be independently obtained by CAATs?
Interdependencies: Activity 16 Get needed data via approved extraction methods
More information:

See SOXA etc. as an opportunity! (cont'd)
Steps (cont'd):
2. Integrate control into basic operating activities and avoid unnecessary costs & procedures
5. Synergize by having Business and Corporate Functions work together!
Business, Audit, Compliance, Risk Management, IT, Finance, etc. are all looking for the same data on risks and controls!
Go from control checklists to control monitoring
Go from reactive through detective to proactive

Challenge & Solution

Our Challenge
Business needs & challenges
- Keep up with the changing organization & (control) environment
- Identify and manage risks across the enterprise
- Increase level of internal control
- Implement monitoring processes that signal impending control deficiencies and take corrective action immediately
Audit needs & challenges
- Enhance audit assurance to internal and external stakeholders
- Assess control effectiveness and compliance with standards over time
- Proactive audit planning and approach
- More efficient and effective SOXA testing

Required Solution?
- Further improve risk management and control systems
- Enhance cooperation/synergies between Business and Corporate Functions
- Monitor (key) controls more continuously
- Integrate control monitoring in day to day business activities
- Install information systems infrastructure to access, analyze and report relevant information on (key) controls
- Address documenting requirements

Continuous Control Monitoring

Continuous Control Monitoring (cont'd)
We need to make sure that monitoring processes signal impending control deficiencies and that corrective action is taken in a timely fashion*
The challenge for business management and corporate functions is to process and refine large volumes of data into actionable information**
This challenge is met by establishing an information systems infrastructure to source, capture, process, analyze and report relevant information**
* Rittenberg, There is No Shortcut to Good Controls; Internal Auditor, August 2005
** COSO ERM

IIA’s Global Technology Audit Guide 3

What is the link with Audit?
“The internal audit activity should assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems.”
IIA Performance Standard 2110
“Internal audit functions need to keep up with the changing competitive organisation environment and provide audit coverage aligned with the key risk areas of the organisation”
“The challenge is to work smarter not harder; for internal audit to cover expanding exposures more efficiently and deliver more value through ideas that generate cost savings, revenue enhancements and process improvements”
E&Y Internal Audit Benchmarking Survey; April 2004

What is the link with Audit? (cont'd)
- Enhanced assurance to internal and external stakeholders by better assessing control effectiveness and compliance with standards over time through (continuous) monitoring a larger number of controls with less resources
- Improved quality of audits, more efficient and more effective audits by gathering more audit evidence and testing larger populations/data sets
- Flexibility in allocating audit resources to higher risk areas and allowing to be responsive to changes in the control environment by using CAATs on a regular basis to provide continuous auditing or monitoring of key controls or performance indicators
Not only:
1. Test reliability of data and transactions
2. Acquire audit evidence and fact finding
But also:
1. Identify trends, pinpoint exceptions, and highlight potential areas of concern in our audit objects/universe
2. (Continuous) monitor controls and identify control issues and ensure compliance with standards

3. Proof of Concept Continuous Monitoring

HP’s Continuous Control Modelling and Monitoring (CCMM)
Note: “The challenge for business management and corporate functions is to process and refine large volumes of data into actionable information” (COSO ERM)
- Possible solution for providing the information systems infrastructure for documenting and monitoring (key) controls
- New assessment approach that systematically isolates and predicts emerging risks in a dynamic control environment to give ongoing visibility to compliance

CCMM Lifecycle
[Diagram of the CCMM lifecycle. Steps shown:]
1. (Re-)Model the Business Environment into (key) controls
2. Collect and Analyse data
3. Present Real-time Dashboards (Controls, KRI’s, KPI’s)
4. Make decisions upon Reporting and Alerts
Tailored Loops for:
- CISO organization
- CFO organization
- Business Units
- Group Audit
- Group Functions
- SOX Compliance
[Diagram labels: AAB Accounts Payable Controls (Excel Spreadsheet), Business Processes, Application, Infrastructure, Controls Modeling Database, Analysis Engine, Application KPIs, Controls & Metrics, Financial KRIs, Infrastructure KRIs]

Objective Proof of Concept
Scope: Accounts Payable process ABN AMRO BU Netherlands (Q1 2006)
3 tracks
1. Accounts Payable SAP system access controls
2. Accounts Payable financial process controls
3. Accounts Payable process and SOXA testing template/audit program modelling
Objective
- Assess usability of CCMM toolbox in an ABN AMRO environment (processes and IT infrastructure)
Questions for ABN AMRO
- Do CCMM tools offer added value in addition to already existing tools and techniques?
- And if so, where can we gain most?

Benefits identified
Model
- Customizable and flexible control environment model
- Ability to document and maintain SOXA templates and audit programs
Dashboards
- Dashboards based on exception reporting with drill down functionality
Reporting
- Historical data and trend analysis; Benchmark across multiple applications

Value adding components
- Run time insight in key controls and impending areas of concern
- Multi location/system comparisons
- Off site monitoring
- Automate repetitive tasks
- Process/risk/control/test repository

Next steps
- Enough positive feedback for next phase
- Build Business Case for pilot project
- Get Management buy in; Business and Corporate Functions collaboration
- Focus on SOXA relevant processes implemented in multiple locations

Possible Showstoppers
- Availability of data and cooperation of IT personnel
- Required knowledge of systems and data dictionaries
- Tooling, Education, Support
- Budget, Commitment
“The under use of CAATS may be due to a shortage of skills in internal audit functions to perform the testing, investment constraints, set up time, or not seeing the benefits to be gained from CAATs”
E&Y Internal Audit Benchmarking Survey; April 2004

Final note
Goal Continuous Monitoring:
Provide comfort to management on control over, and performance of, processes

Questions?
arie.pronk@nl.abnamro.com

Annex

Introduction ABN AMRO
- International bank with origins going back to 1824
- 8th biggest bank in Europe and 13th in the world
- Over 3,000 branches in almost 60 countries and territories
- A staff of about 97,000 full time equivalents worldwide
- Focusing on:
  - consumer and commercial clients in our home markets of the Netherlands, the US Midwest, Brazil and in selected growth markets around the world
  - selected wholesale clients with an emphasis on Europe, and financial institutions
  - private clients

Introduction Group Audit
- Internal audit function of ABN AMRO Holding N.V., encompasses all majority and wholly owned subsidiary companies
- Global Head of Group Audit: Peter Diekman
- About 850 employees worldwide (auditors and support staff)
- Assurance services and Consulting services: Operational Audits, IT Audits, Financial Audits, Compliance Audits, Project Audits, Inspections, Consultancy and Special Investigations
FTE Region spread: Asia 15%, Netherlands 37%, Europe 16%, North America 10%, Latin America 22%
