PowerPoint Version

Continuous Controls Monitoring

Continuous Controls Monitoring                                                   

© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring

2

Sarbanes-Oxley

Section 302:

Evaluating disclosure controls and procedures

Design a process to identify operating and other changes that impact the effectiveness of established controls

Provides a credible body of evidence for certification requirements

Section 404:

Provide an annual assessment as to the effectiveness of internal controls in financial reporting and obtain an attestation from external auditors that the controls are effective

© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring

3

SOX 404 Maturity [META, Dec 2003]

Stage Stage Description

Where’s the market today?

Market Timing

 0 Exploration 10% Dec 03 – Jun 04

1 Building Awareness

 25%  Dec 03 – Sep 04

 2 Project Initiation  40%  Dec 03 – Dec 04

 3 Project Execution  20%  Dec 03 – Jun 05

 4Perform

Assessment/Review Results

 5%  Apr 04 – Apr 05

 5Optimization/

Continuing Compliance

 0%  Jun 04 onwards

© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring

4

A Typical Section 404 Strategy

Accountability – identify team

Evaluate internal control environment of your organization

Document control framework (COSO)

Identify controls at the process, transaction, and application level

Test the controls and evaluate their effectiveness

Set up monitoring processes

© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring

5

Continue the financial control and aggressive growth plans

initiated in 2003

Continue the financial control and aggressive growth plans

initiated in 2003

Business Issues

Maintain Cost Controls

Reduced Costs

Rationalized products

Streamlined Supply Chain

Expand Business

Look at new markets and new geographies to drive growth

Regulatory compliance

Sarbanes Oxley 2004

© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring

6

Some Benchmark Statistics

1.6% avg. error rate for Vendor Payments

3.6% avg. error rate for Incoming Invoices

0.5% Duplicate Payments (7% of companies over 5000 employees)

4.8% avg. error rate for T&E Vouchers

1% avg. error rate for T&E Payments

Source: IOMA Benchmark Survey 2003Institute of Management & Administration

© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring

7

What does a 1% error rate mean to your organization?What does a 1% error rate mean to your organization?

Data Quality Importance

Why is a 99% accuracy rate (3.8 Sigma¹) not good enough? In the US alone, this would equate to:

20,000 lost articles of mail/hour

5,000 incorrect surgical operations/week

200,000 incorrect drug prescriptions/year

No electricity for almost seven hours/month

© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring

8

End game is

Good Governance is Good Business!

© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring

9

Continuous Monitoring in Action

Continuous Controls Monitoring in Action

Take best practices for analysis of data performed during traditional audit processes, incorporate additional sophisticated analytics, and embed them in day-to-day operational monitoring processes.Controls & Compliance Rules

Test transactional data against established internal control

parameters

Additional Sophisticated Analytics

Test transactional data against expected historical and statistical

norms

Significant Control Breaches

Suspect Transactions

Transactional Data

DataDataData

Alerts

Findings

Financial Management & Business Unit Managers

Management Action

Immediate notification of critical exposures

Suspect transactions detailed and summarized for further analysis.

Investigations, recoveries, and improved controls and procedures

© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring

10

ACL Solutions

Ad Hoc

Repeated

Continuous

Customer-defined Applications

ACL Enterprise

Solutions

Trend Analysis Statistical Sampling

Core Business Processes

Controls Compliance

Product line extension

PHASE 1:1. Instantaneous ControlsMonitoring2. Change Management

Corporate Risk Officer

Process Owner

Control Operator

Internal Audit

PHASE 2:1. Risk Quantification2. Controls Development3. Controls Testing

© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring

11

Levels of Risk/Effort

RISK

Disclosures Controls

Internal Controls over

Financial Reporting

Internal Controls over

Financial Reporting

Disclosures Controls

EFFORT

© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring

12

CCM Product

Result are displayed for viewing and further

analysis

Modify analysis parameter, scheduling, and security

authorization

Transactional data is interrogated

through sophisticated analysis tests

Access multiple data sources, regardless of

format

BROWSER-BASED USER INTERFACE

ACL ANALYTIC PROCESSES

ERP CRM SCM Legacy

TestResults

Repository

TestParameters

& Thresholds

SystemAccess &

Authorization

DATA SOURCES

FinancialManagement

SystemAdministratio

nAnalysts

Direct Link for SAP R/3

© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring

13

CCM Solution Framework

Business Process AreasIndustry-Specific

Compliance

P-Card Expenses

Data Quality

Cardholder &Transaction

Authorization

TransactionValidation

Merchant Analysis

Trend Analysis

Travel &Entertainment

Data Quality

TransactionAuthorization

Transaction Validation

Purchase-to-Payment

Data Quality

Requisition

Receiving

Accounts Payable

Cash Disbursement

Payment

Anti-Money Laundering &Compliance

Currency Transaction

Reporting (CTR) Analysis

Suspicious ActivityReporting (SAR)

Analysis

Terrorist ReportingAnalysis

Know Your Customer Analysis

© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring

14

Solution Areas

Fraud Analysis Fraud Analysis

Regulatory Compliance Regulatory Compliance

Controls Compliance Analysis Controls Compliance Analysis

Strategic Audit Strategic Audit

Data Quality Management Data Quality Management

Other … Other …

Duplicates ?

Mismatches ?Unusual Activity

?Incomplete Data

?

Payables

Duplicate Payments

Control limit Mgmt

Received/ordered

Split payments

Travel & Expense

Approval controls

Threshold compliance

“Absent” expenses

Manage vendors

Pro Card

Limit management

Threshold compliance

Volume activity

Trend analysis

SOX 404 ComplianceSOX 404 Compliance

Compliance

© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring

15

Controls Monitoring Benefits

There are substantial benefits to implementing ACL’s Controls Monitoring Applications.

Assurance Benefits Independence of

processing

Continuous monitoring of 100% of transactions

Evidentiary matter for Sarbanes-Oxley compliance

Evaluation of the effectiveness of controls

Assurance Benefits Independence of

processing

Continuous monitoring of 100% of transactions

Evidentiary matter for Sarbanes-Oxley compliance

Evaluation of the effectiveness of controls

Performance Benefits

Faster identification of transaction issues

Quicker discovery ofdata integrity issues

Fast implementation and easy integration into existing data sources

Performance Benefits

Faster identification of transaction issues

Quicker discovery ofdata integrity issues

Fast implementation and easy integration into existing data sources

Economic Benefits Reduced transaction

costs

Reduced fraud and errors

Low-cost implementation

Economic Benefits Reduced transaction

costs

Reduced fraud and errors

Low-cost implementation

Improved Business PerformanceImproved Business Performance

© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring

16

Accessing the data

“Ubiquitous data access from a single point of view”

ACL Server Edition

OS/390DB2IMS

ADABASACL Server Edition

AIXOracleDB2

ACL Server Edition

OS/400DB2

ACL Server Edition

WindowsSQL Server

OracleDB2

ACL Server Edition

LINUXOracleDB2

ACL Desktop Edition

Any non-relational or legacy data

Direct Link for SAP R/3

© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring

17

IIA 2003 Software Survey

© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring

18

IIA 2003 Software Survey

© Copyright ACL Services Ltd. 2003Continuous Controls Monitoring

19

Summary

Continuous Monitoring provides an opportunity for significantly improved levels of control and assurance

The accounting and control profession has discussed it for years – the time is now ideal for implementation

Technology is available to enable continuous monitoring

Businesses can’t afford to miss the issues

Good governance is Good Business!

Fred Wechselberger ACL Services Ltd. [email protected] 604-646-4274

www.acl.com [email protected]