3. Continuous monitoring vs. audit vs. assurance
“Continuous monitoring refers to the processes that
management puts in place to ensure that the policies,
procedures, and business processes are operating
effectively.”
[Diagram labels: Continuous assurance; Audit; Results of continuous auditing and continuous monitoring process; Audit testing of CM; Continuous auditing; Management; Continuous monitoring; Activities, transactions and events; Business systems and processes]
Source: The IIA – Global Technology Audit Guide - Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
Page 3 May 11, 2009 CCM and Data Analytics
4. What is continuous control monitoring (CCM)?
Continuous Controls Monitoring (CCM) is an integrated
set of processes and techniques, enabled by technology,
which is designed to help an organization:
• Automate the monitoring of the control environment
• Identify control exceptions continuously based upon pre-defined business rules
• Identify process improvement opportunities and underlying root causes
• Reduce risk spend
5. Trends in the deployment of CCM
Key trends:
• Many CCM deployments are focused mainly on access (SoD) and application controls – interest in transaction monitoring is increasing
• Budget and ownership of CCM is coming from Internal Audit – long-term ownership resides in the business functions
• Software tools to extract data and monitor controls are maturing
[Chart: RISKS, plotted by Impact (up to H) against Likelihood (L to H)]
• Day-to-Day: risks may be acceptable or require some form of self assessment
• CCM: Mid-level risk areas may be suitable for automated analytics on data that is IT dependent and/or processed manually
• Internal Audit: More judgmental risks and estimation processes may require more rigorous analytics and manually intensive assessment procedures
6. Areas of Focus – Segregation of Duties
[Diagram: Internal control environment; Key Stakeholders; three areas: Segregation of duties, Configurable controls, Master file and transaction data]
► Detect and/or prevent user access and segregation of
duties violations
► Identify and monitor users with access to sensitive areas
within the application
► Facilitate user access provisioning and periodic access
review process related to IT general controls
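The segregation-of-duties detection described above, as an added example that is not part of the original presentation or of any CCM product. The rule set, role catalogue, user assignments and the function name `sod_violations` are all constructed for illustration; the check reports which roles combine to produce each conflict, including a conflict granted by a single role.

```python
# Constructed SoD rule set: pairs of duties one user should not hold together.
SOD_RULES = {
    frozenset({"create_vendor", "approve_payment"}): "Vendor maintenance vs. payment approval",
    frozenset({"post_journal", "approve_journal"}): "Journal posting vs. journal approval",
}

# Constructed role catalogue: role -> duties it grants in the application.
ROLE_DUTIES = {
    "AP_CLERK": {"enter_invoice", "create_vendor"},
    "AP_MANAGER": {"approve_payment"},
    "GL_ACCOUNTANT": {"post_journal"},
    "GL_SUPERVISOR": {"approve_journal", "post_journal"},
}

# Constructed user-to-role assignments, as an access extract would provide.
USER_ROLES = {
    "alice": ["AP_CLERK"],
    "bob": ["AP_CLERK", "AP_MANAGER"],        # conflict across two roles
    "carol": ["GL_SUPERVISOR"],               # conflict inside a single role
    "dave": ["GL_ACCOUNTANT", "AP_MANAGER"],  # two roles, no conflicting pair
}

def sod_violations(user_roles, role_duties, rules):
    """Return one finding per (user, rule) where the user holds both duties."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        # Map every duty the user effectively holds to the roles granting it.
        granted = {}
        for role in roles:
            for duty in role_duties.get(role, ()):
                granted.setdefault(duty, set()).add(role)
        for pair, label in rules.items():
            if pair.issubset(granted):
                via = sorted(set().union(*(granted[d] for d in pair)))
                findings.append({"user": user, "rule": label,
                                 "duties": sorted(pair), "via_roles": via})
    return findings

if __name__ == "__main__":
    for f in sod_violations(USER_ROLES, ROLE_DUTIES, SOD_RULES):
        print(f["user"], "|", f["rule"], "| via", ", ".join(f["via_roles"]))
```

The `via_roles` field is what the access review needs: it shows whether remediation means removing a role from the user or redesigning the role itself.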
7. Areas of Focus – Configurable Controls
► Detect changes made to critical configurable controls
settings
► Verify that system patches and program changes do not
impact the integrity of configurable controls
► Enable comparison of configurable controls across
business units and against leading practices
8. Areas of Focus – Master File and Transaction Data
► Monitor master file data and architecture for
unauthorized or unusual changes
► Monitor transaction data for control exceptions based on
pre-defined business rules
9. Optimizing the value of CCM deployments
To harvest the greatest value from a CCM deployment, the
strategy should encompass security, controls, and process
improvement objectives and sufficiently cover end-to-end
processes.
[Chart: Value of CCM Initiative plotted against Maturity of CCM Competency, with four stages in increasing order of maturity and value; one point is marked "Current State for Many Organisations"]
• Compliance management. Focus: monitoring of access controls / SoD requirements
• Controls Improvement. Focus: automated application controls testing
• Process Improvement. Focus: automated transactional analysis
• Business Improvement. CCM capabilities are repeatable and holistic
11. Continuous control monitoring - exception management approach
[Diagram: exception management flow]
Exceptions:
• Segregation of duties conflicts
• General policy violations
• Routine transaction exceptions
• Sensitive transactions
• Potential fraudulent activity
• Priority risk areas for monitoring activities
Business Process Management / Shared Services Center (Operational controls, SOX controls):
• Control owner notified of exception
• Review and validate exceptions
• Remediate and address root cause
• Document results of exception review and remediation
Internal Audit / Compliance / Risk Management Functions:
• Filter through exceptions
• Validate exceptions with business owners
• Remediate and address root cause
• Document results of exception review and remediation
Blended approach:
► Shared ownership of exception management process
► Prioritized approach based on nature of exceptions and sensitivity of what is being monitored
► Increased accountability for controls
Post review activities:
• Monitor controls dashboards
• Trending analysis
• Process improvement
12. The importance of a proper CCM road map
A proper methodology is key to ensure that CCM objectives
are properly captured, incorporated, and sustained.
[Diagram: CCM road map]
Phases: Planning; CCM Road Map & Design; Rollout
Steps:
• Define the CCM Vision
• Perform CCM Diagnostic
• Identify Application & Automated Controls
• Assess and Remediate Controls
• Configure CCM Solution
• Process Reengineering & Define Supporting Policies
• Training on Solution, Reengineered Processes & Policies
• Evaluate Results
• On-Going Support
Spanning all phases: Executive Sponsorship; ROI Analysis; Project Management
13. Select CCM tools in the market
Monitoring Capabilities (table columns): Segregation of Duties; Configurable Controls; Master File & Transaction Data
CCM Tools (table rows):
• ACL (Continuous Controls Monitoring Solution)
• Approva
• Aveksa
• Blackline (Financial Statement Close Process)
• IDEA
• Oracle GRC (formerly Logical Apps)
• Oversight
• SAP GRC (formerly Virsa)
Ernst & Young does not endorse any of these vendors or products listed above.
14. CCM screenshot – illustrative example
16. Data analytics maturity model
Level 1 – Initial
• No formal data analytics approach, procedures or methodology
• Performed occasionally at best
• Tools are not readily available
• Dependent on skills of limited number of SMRs
Level 2 – Repeatable
• Recognized as a value-add to the audit
• Not yet institutionalized
• Relies on a central group or single person
• Tools are at a disposal, however not applied consistently or correctly
Level 3 – Defined
• Established data analytics methodology
• Use of analytics is championed by mgmt.
• Creation of data analysis models
• Understanding of the business meaning of data analytic procedures and results
• Increased proficiency in use of tools
Level 4 – Managed
• Methodology is institutionalized
• Management involved in the on-going data analysis efforts
• Management understands business issues and root cause
• Re-performance of data analytic procedures
• Advanced tools are used effectively
Level 5 – Optimizing
• Practices evolved in level 1 through 4 are used to continually improve data analytical processes, procedures and results
• Use of data analysis for continuous controls monitoring
17. Data analytics framework
[Diagram: four layers, top to bottom; each line gives the question answered, the layer, its techniques, and the resulting output]
• What will happen? Predictive Data Modeling: Statistical, Econometric, Scenario-Based. Output: Business Intelligence
• Why did it happen? Modeling and Validation: Revenue-Sharing Models, Root Cause Analysis, Legal Compliance. Output: Knowledge
• What happened? Descriptive Data Analysis: Forensic Evidence, Queries, Profiling, MDA, Data/Text Mining, Benchmarking, Surveys. Output: Information
• Is your data reliable? Information Management: Data Governance, Data Conversion, Data Integrity. Output: Data
18. Comparison of data analytics to traditional audit methods
Traditional method
► Typically labor-intensive manual collection / evaluation
► Limited samples / relatively infrequent tests
► Narrow time period / stressful remediation
► Test procedures are limited in scope
► Capability / benefit tends to lessen with complexity and as the organization evolves
Data analytics
► Increased insight
► Typically automated collection / evaluation
► High sample sizes / decreased false positives
► Frees up resources to focus on other high-risk areas
► Frequent, faster and more accurate analysis
► Decrease in opportunity for human error
► Incremental and more extensive testing is practical
► Capability / benefit tends to increase with complexity and as the organization evolves
[Chart labels: Investment required; Benefits earned]
Relatively higher initial costs for analytics can yield significantly more long-term benefit.
19. Enhancing the audit process using data analytics
► Create sustainable methods for risk assessment and
monitoring of the control environment
► Deploy resources effectively to accomplish audit plan
objectives
► Quantify impact of identified issues in terms of dollars and
frequency
► Increase focus on fraud detection procedures
► Gain valuable insight into business process and improvement
opportunities
► Respond quickly to changing business needs and compliance
requirements with flexible and repeatable procedures
► Forms the basis of continuous controls
20. Applying analytics across the audit process
Audit activity, with example opportunities to use data analytics:
Risk assessment
► Identify risk assessment priorities by using information gathered from trend analysis, financial ratios and comparisons
► Assist with determining scope of audit plan activities (by size/relevance)
Audit planning
► Provide a preliminary “scan” of relevant audit information to drive project scope, sampling and fieldwork procedures
Fieldwork procedures
► Support testing of controls in an efficient and comprehensive manner
► Identify anomalies, trends and potential fraud indicators
► Supplement sample testing approaches with full-coverage data analytics
Reporting
► Provide quantifiable, fact-based information for reportable issues and exceptions
► Supplement reporting with statistical and graphical information gathered during the audit
Monitoring and trending
► Automate the ongoing monitoring of the control environment to a sustainable effort through timely exception notification and review
► Analyze trends in the company’s risk profile and identify opportunities for improvement
21. Example data analytics
Access monitoring analytics
► Segregation of duties assessment
► Key configuration changes
Financial statement computer assisted audit techniques
► Journal entry analytics
► Accounts receivable analytics
Contract audit analytics
► Royalty payment recalculations (incorrect sales figures, royalty
rates)
► Invoicing inaccuracies (overpayments, duplicate transactions)
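The duplicate-transaction analytic listed above, which is also an instance of monitoring transaction data against pre-defined business rules (slide 8), as an added example that is not part of the original presentation. The invoice records, the two rules R1 and R2, the 14-day window and all function names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed accounts-payable extract.
INVOICES = [
    {"id": 1, "vendor": "V100", "invoice_no": "INV-0042", "amount": 1250.00, "date": date(2009, 3, 2)},
    {"id": 2, "vendor": "V100", "invoice_no": "inv 42",   "amount": 1250.00, "date": date(2009, 3, 9)},
    {"id": 3, "vendor": "V100", "invoice_no": "INV-0043", "amount": 1250.00, "date": date(2009, 4, 20)},
    {"id": 4, "vendor": "V200", "invoice_no": "7781",     "amount": 310.50,  "date": date(2009, 3, 5)},
    {"id": 5, "vendor": "V200", "invoice_no": "7781",     "amount": 99.00,   "date": date(2009, 3, 6)},
    {"id": 6, "vendor": "V300", "invoice_no": "A-17",     "amount": 500.00,  "date": date(2009, 3, 1)},
    {"id": 7, "vendor": "V300", "invoice_no": "B-90",     "amount": 500.00,  "date": date(2009, 3, 4)},
]

def normalize_invoice_no(raw):
    """Drop case, punctuation and whitespace, then leading zeros of digit runs."""
    s = re.sub(r"[^A-Z0-9]", "", raw.upper())
    return re.sub(r"(?<![0-9])0+(?=[0-9])", "", s)

def duplicate_exceptions(invoices, window_days=14):
    """R1: same vendor, amount and normalized number.
    R2: same vendor and amount, different number, dated within window_days."""
    groups = defaultdict(list)
    for inv in invoices:
        # Compare amounts in whole cents to avoid float equality issues.
        groups[(inv["vendor"], round(inv["amount"] * 100))].append(inv)
    exceptions = []
    for group in groups.values():
        group.sort(key=lambda inv: inv["date"])
        for i, first in enumerate(group):
            for second in group[i + 1:]:
                same_no = (normalize_invoice_no(first["invoice_no"])
                           == normalize_invoice_no(second["invoice_no"]))
                gap = (second["date"] - first["date"]).days
                if same_no:
                    rule = "R1 same vendor/number/amount"
                elif gap <= window_days:
                    rule = "R2 same vendor/amount within window"
                else:
                    continue
                exceptions.append((rule, first["id"], second["id"]))
    return sorted(exceptions)

if __name__ == "__main__":
    for rule, a, b in duplicate_exceptions(INVOICES):
        print(f"{rule}: invoices {a} and {b}")
```

Invoices 4 and 5 share a vendor and number but not an amount, so neither rule fires; tightening or loosening the rules and the window is how the exception volume routed to control owners is tuned.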
22. Speakers’ Bio
Peter Rosenzweig has more than 17 years of experience in
the assessment, design, and implementation of complex
risk management and internal control frameworks,
including IT risk and control structures. Peter serves as
regional subject matter resource in the application of Ernst
& Young’s Enterprise Risk Management methodology and
he has assisted various large organizations with the
implementation or transformation of enterprise-wide risk
management capabilities.
Phone: 213.977.5849
peter.rosenzweig@ey.com
Paul de Guzman is a Los Angeles-based Senior Manager
with nine years of experience serving a variety of clients in
both an assurance and advisory capacity. Services
rendered by Paul to his clients include IT General Controls
audit support, IT and business process and controls
enhancement, SAS 70 audits, and system pre- and post-implementation
reviews. In addition, Paul also provides
data analytics in support of assurance services, contract
risk services, fraud reviews, and continuous controls
monitoring initiatives.
Phone: 213.977.7692
paul.deguzman@ey.com