
A protocol for continuous monitoring and assurance

A protocol for continuous monitoring and assurance. Gerard A. (Rod) Brennan, Siemens Corporation; Miklos A. Vasarhelyi, Rutgers University. Outline: Motivation; Implementation: of accredited control monitoring software


Presentation Transcript


  1. A protocol for continuous monitoring and assurance
     Gerard A. (Rod) Brennan, Siemens Corporation
     Miklos A. Vasarhelyi, Rutgers University

  2. Outline
     • Motivation
     • Implementation: of accredited control monitoring software
     • Reengineering: Rationalization and reorganization of the audit program
     • Automation: of elements not in the adopted software solution

  3. Motivation

  4. A 3-pronged approach to audit automation
     • Automate audit plan using delivered Rule Sets: Est. 25% of a typical manual audit plan
     • Automate using external data sets (Static & Variable): Est. an additional 25% of a typical manual audit plan
     • Re-engineer manual controls into automated controls with improved control precision: Est. an additional 25% of a typical manual audit plan
     • Total = Automation Opportunity ~75%!!

  5. Implementation

  6. SAP Certification Audit, cont.
     • The certification audit program utilized by Siemens IT Audit Pool covers eight functional areas within the SAP environment.
        • BC – Basis System
        • CO – Computer Operations and Outsourcing
        • FI – Financial Accounting
        • FI-AA – Asset Accounting
        • SD – Sales and Distribution
        • MM – Material Management
        • PS – Project System
        • HR – Human Resources
     • These audit programs include relevant automated and manual internal controls related to IT general, and automated and manual application (e.g., business) controls.
     • The SAP certification audit is not only controls-focused; many auditees have optimized their SAP system based on knowledge gained through the audit.

  7. Proposed Audit Automation Project: Goals and Objectives -- Jan 2008
     • Siemens AG has recognized a clear opportunity to leverage audit automation tools and technology to improve compliance, mitigate fraud, assure conformance to processes, and reduce cost of compliance.
     • The proposed project will leverage A&D PL’s successful installation of Approva BizRights to build a working model for tactically deploying and achieving the above objectives, while at the same time obtaining the 4-year SAP certification.
     • A 2-day feasibility and scoping session was held at PL’s Maryland Heights, MO office to review the audit program and validate assumptions on feasibility of Approva BizRights utilization -- high potential for automation identified!
     • Participants:
        • Siemens North America operational audit lead
        • PL IT and IA representatives
        • Rutgers University, Continuous Audit and Reporting Laboratory
        • Approva

  8. Value Proposition (Cost and Quality)
     • Quality
        • Continuous versus point-in-time/periodic auditing
        • Information on the full population in SAP vs. sample-based
        • Deterrent to fraud (including collusive fraud), creating a “perception of monitoring” within the organization
        • Sustainability of the control environment through real-time updates and alerts to management personnel
        • Assures process conformance and business process optimization
     • Cost
        • Savings through cash flow improvements (e.g., vendors with unusually accelerated payment terms; customers with delayed payment terms)
        • Savings from other process improvements, systems optimization
        • Savings from improved fraud deterrents [1]
     • A&D PL specific:
        • For 3 of every 4 years, eliminate ~ 500 man-hours of IT GCC and application control testing (@ $137/hr = $68,750/year for PL)
        • Significantly reduce 475 man-hours of annual KPMG IT audit hours (@ $200/hr and 50% reduction, $47,500/year)
     • [1] 2007 Fraud Report by ACFE estimated fraud costs as up to 5% of revenues in most organizations
     • General – Siemens IT audit pool billing rate is $137/hour; KPMG is $200/hr in Siemens North America

  9. Technology Requirements
     • Technology
        • A&D PL already has the following Approva modules “live” in production. These will be heavily utilized as part of this project:
           • Authorizations Insight
           • Access Mgmt Insight
           • User Activity Insight
           • Procure-to-Pay Insight
           • Order-to-Cash Insight
        • The following modules will be required and will be installed at A&D PL for the project:
           • Financial Close Insight
           • General Computer Controls Insight
           • Insight Authoring Studios

  10. Project Deliverables
     • SAP certificate for A&D PL’s systems
     • Siemens operational audit’s “Teammate” working papers to support all work performed
     • Final/validated Approva BizRights rule books held by A&D PL [1]
     • Re-engineered audit action sheets held by Siemens Operational Audit [2]
     • Final validation of re-engineered approach by KPMG
     • Case study
     • [1] Made available to other Siemens businesses upon request.

  11. Reengineering

  12. Scope Definition
     • Redefine the SAP certification audit with a focus on audit automation and continuous controls monitoring.
     • Restructure/re-engineer the SAP certification audit program, enhancing clarity on automated versus manual tests
     • Produce tactical case study illustrating ‘old way’ versus ‘new way’ in certifying an SAP system
        • Case study will be made available within Siemens
        • Case study will be made available to Approva and Rutgers for their support and respective investment
     • Complete the SAP audit and receive 4-year certificate for A&D PL
     • Key point: Tests that (1) cannot be automated and (2) have already been performed in 2007 SOX will not be re-performed. Siemens Operational Audit will give credit for work performed, and rely on 2007 SOX testing.

  13. Proposed Methodology/Protocol (Jan – Feb 2008)
     • Create a schematic for an automated audit approach building on the PL installed Approva base and the SAP certification audit (see below)
     • Create a development team made up of representatives from PL IT & IA, SC Audit, Rutgers Univ and Approva.
     • Create specific time-phased work packages for all participants
     • Process Steps:
        • Secure, install and test Financial Close & Gen. Computing Controls (GSS) modules from Approva on PL’s platform
        • Systematically map each AAS (SAP Cert Audit) to the Approva toolset and eliminate redundancies.

  14. Proposed Methodology/Protocol (Jan – Feb 2008)
     • Identify automation opportunities in 4 key areas:
        • Using Approva standard rules
        • Creating new rules using Approva Authoring Studio
        • Re-engineer manual AAS to use automated controls
        • Re-bundle manual controls in consolidated Audit Plan
     • Test & cleanse automated controls & workflow
     • Reorganize and restructure audit action sheets and submit for approval to CFA and KPMG
     • Document this process for repeatability at other Siemens locations

  15. Automation: An architecture for the long-term prototype

  16. [Architecture diagram. Labels recovered from the figure, in extraction order: Auditor Management; Audit Parameterization Tool; Other Static Parameters; Deterministic; Stochastic; External Table comparisons; Snapshot comparisons; Other; Data Extraction; Remote Audit Communic. Tool; Interactive Mail Management Tool; Sustainable Object Verification Tool; Other; MCP; Audit Evidence Receptacle; Master Audit Program; Operating Alarm Flows; Operating Alarm Flows; CA Control Dashboard; A.A.S (audit Action Items), from Siemens Approva and other literature; Inference Engine; Evergreen Opinion; Class of Auditable Actions; ---- of Audit Processes]
