ontinuous Controls Monitoring Continuous Controls Monitoring
Continuous Controls Monitoring
Continuous Controls Monitoring
© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring
2
Sarbanes-Oxley
Section 302:
Evaluating disclosure controls and procedures
Design a process to identify operating and other changes that impact the effectiveness of established controls
Provides a credible body of evidence for certification requirements
Section 404:
Provide an annual assessment as to the effectiveness of internal controls in financial reporting and obtain an attestation from external auditors that the controls are effective
© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring
3
SOX 404 Maturity [META, Dec 2003]
Stage Stage Description
Where’s the market today?
Market Timing
0 Exploration 10% Dec 03 – Jun 04
1 Building Awareness
25% Dec 03 – Sep 04
2 Project Initiation 40% Dec 03 – Dec 04
3 Project Execution 20% Dec 03 – Jun 05
4Perform
Assessment/Review Results
5% Apr 04 – Apr 05
5Optimization/
Continuing Compliance
0% Jun 04 onwards
© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring
4
A Typical Section 404 Strategy
Accountability – identify team
Evaluate internal control environment of your organization
Document control framework (COSO)
Identify controls at the process, transaction, and application level
Test the controls and evaluate their effectiveness
Set up monitoring processes
© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring
5
Continue the financial control and aggressive growth plans
initiated in 2003
Continue the financial control and aggressive growth plans
initiated in 2003
Business Issues
Maintain Cost Controls
Reduced Costs
Rationalized products
Streamlined Supply Chain
Expand Business
Look at new markets and new geographies to drive growth
Regulatory compliance
Sarbanes Oxley 2004
© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring
6
Some Benchmark Statistics
1.6% avg. error rate for Vendor Payments
3.6% avg. error rate for Incoming Invoices
0.5% Duplicate Payments (7% of companies over 5000 employees)
4.8% avg. error rate for T&E Vouchers
1% avg. error rate for T&E Payments
Source: IOMA Benchmark Survey 2003Institute of Management & Administration
© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring
7
What does a 1% error rate mean to your organization?What does a 1% error rate mean to your organization?
Data Quality Importance
Why is a 99% accuracy rate (3.8 Sigma¹) not good enough? In the US alone, this would equate to:
20,000 lost articles of mail/hour
5,000 incorrect surgical operations/week
200,000 incorrect drug prescriptions/year
No electricity for almost seven hours/month
© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring
8
End game is
Good Governance is Good Business!
© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring
9
Continuous Monitoring in Action
Continuous Controls Monitoring in Action
Take best practices for analysis of data performed during traditional audit processes, incorporate additional sophisticated analytics, and embed them in day-to-day operational monitoring processes.Controls & Compliance Rules
Test transactional data against established internal control
parameters
Additional Sophisticated Analytics
Test transactional data against expected historical and statistical
norms
Significant Control Breaches
Suspect Transactions
Transactional Data
DataDataData
Alerts
Findings
Financial Management & Business Unit Managers
Management Action
Immediate notification of critical exposures
Suspect transactions detailed and summarized for further analysis.
Investigations, recoveries, and improved controls and procedures
© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring
10
ACL Solutions
Ad Hoc
Repeated
Continuous
Customer-defined Applications
ACL Enterprise
Solutions
Trend Analysis Statistical Sampling
Core Business Processes
Controls Compliance
Product line extension
PHASE 1:1. Instantaneous ControlsMonitoring2. Change Management
Corporate Risk Officer
Process Owner
Control Operator
Internal Audit
PHASE 2:1. Risk Quantification2. Controls Development3. Controls Testing
© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring
11
Levels of Risk/Effort
RISK
Disclosures Controls
Internal Controls over
Financial Reporting
Internal Controls over
Financial Reporting
Disclosures Controls
EFFORT
© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring
12
CCM Product
Result are displayed for viewing and further
analysis
Modify analysis parameter, scheduling, and security
authorization
Transactional data is interrogated
through sophisticated analysis tests
Access multiple data sources, regardless of
format
BROWSER-BASED USER INTERFACE
ACL ANALYTIC PROCESSES
ERP CRM SCM Legacy
TestResults
Repository
TestParameters
& Thresholds
SystemAccess &
Authorization
DATA SOURCES
FinancialManagement
SystemAdministratio
nAnalysts
Direct Link for SAP R/3
© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring
13
CCM Solution Framework
Business Process AreasIndustry-Specific
Compliance
P-Card Expenses
Data Quality
Cardholder &Transaction
Authorization
TransactionValidation
Merchant Analysis
Trend Analysis
Travel &Entertainment
Data Quality
TransactionAuthorization
Transaction Validation
Purchase-to-Payment
Data Quality
Requisition
Receiving
Accounts Payable
Cash Disbursement
Payment
Anti-Money Laundering &Compliance
Currency Transaction
Reporting (CTR) Analysis
Suspicious ActivityReporting (SAR)
Analysis
Terrorist ReportingAnalysis
Know Your Customer Analysis
© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring
14
Solution Areas
Fraud Analysis Fraud Analysis
Regulatory Compliance Regulatory Compliance
Controls Compliance Analysis Controls Compliance Analysis
Strategic Audit Strategic Audit
Data Quality Management Data Quality Management
Other … Other …
Duplicates ?
Mismatches ?Unusual Activity
?Incomplete Data
?
Payables
Duplicate Payments
Control limit Mgmt
Received/ordered
Split payments
Travel & Expense
Approval controls
Threshold compliance
“Absent” expenses
Manage vendors
Pro Card
Limit management
Threshold compliance
Volume activity
Trend analysis
SOX 404 ComplianceSOX 404 Compliance
Compliance
© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring
15
Controls Monitoring Benefits
There are substantial benefits to implementing ACL’s Controls Monitoring Applications.
Assurance Benefits Independence of
processing
Continuous monitoring of 100% of transactions
Evidentiary matter for Sarbanes-Oxley compliance
Evaluation of the effectiveness of controls
Assurance Benefits Independence of
processing
Continuous monitoring of 100% of transactions
Evidentiary matter for Sarbanes-Oxley compliance
Evaluation of the effectiveness of controls
Performance Benefits
Faster identification of transaction issues
Quicker discovery ofdata integrity issues
Fast implementation and easy integration into existing data sources
Performance Benefits
Faster identification of transaction issues
Quicker discovery ofdata integrity issues
Fast implementation and easy integration into existing data sources
Economic Benefits Reduced transaction
costs
Reduced fraud and errors
Low-cost implementation
Economic Benefits Reduced transaction
costs
Reduced fraud and errors
Low-cost implementation
Improved Business PerformanceImproved Business Performance
© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring
16
Accessing the data
“Ubiquitous data access from a single point of view”
ACL Server Edition
OS/390DB2IMS
ADABASACL Server Edition
AIXOracleDB2
ACL Server Edition
OS/400DB2
ACL Server Edition
WindowsSQL Server
OracleDB2
ACL Server Edition
LINUXOracleDB2
ACL Desktop Edition
Any non-relational or legacy data
Direct Link for SAP R/3
© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring
17
IIA 2003 Software Survey
© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring
18
IIA 2003 Software Survey
© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring
19
Summary
Continuous Monitoring provides an opportunity for significantly improved levels of control and assurance
The accounting and control profession has discussed it for years – the time is now ideal for implementation
Technology is available to enable continuous monitoring
Businesses can’t afford to miss the issues
Good governance is Good Business!
Fred Wechselberger ACL Services Ltd. [email protected] 604-646-4274
www.acl.com [email protected]