Official
eHandbook
LEARN HOW CONTINUOUS CONTROLS MONITORING APPLICATIONS ARE CHANGING THE REPUTATION OF CONTROL FREAKS EVERYWHERE.
TABLE OF CONTENTS
Chapter 1: Why are Control Freaks good for business?
Chapter 2: How can you tell when you need a little more control?
Chapter 3: Where does continuous controls monitoring (CCM) software fit in?
Chapter 4: How do you get started with CCM?
Chapter 5: What can CCM offer you?
Chapter 6: Charting your progress
Chapter 7: Why it pays to be a Control Freak
Chapter 8: Staying in peak shape
Afterword: Own it, Control Freaks!
Additional Resources
CHAPTER 1
THE KEY TRADEOFF: Ensuring you have the right controls in place without strangling productivity and placing unnecessary burdens on employees.
Control Freaks across the world are poised to finally receive the appreciation they deserve. Now is their time.
THE OPPORTUNITY: Most organizations have a tremendous opportunity to redistribute their resources from compliance-related controls to value-adding operational controls by using automated technology such as continuous controls monitoring (CCM).
CHAPTER 2
How Can You Tell When You Need a Little More Control?
So how do you tell that you need a bit more control? There are the obvious signs. Your auditor dinged you. You had to restate your financial statements. Or maybe you just had a close call. But there are many more subtle signs that you're driving closer to the edge on that mountain pass than you think... or that at least you have a good bit of room for improvement. In this chapter, we'll help you assess where you stand.
BIG RED Warning Signs That You Might Need Stronger Controls
FINANCE
- You feel like you're spending more than you should on controls & compliance and getting less value than you'd like for the money being spent
- You're concerned about risk but have no automated way to identify and monitor your key risk areas
- Your staff spends more time running basic accounting activities than they do providing insights into how you run your business
- Your finance gurus aren't focusing explicitly on risk
Top 10 Signs Your Personal Life Could Use a Bit More Control
10. Your car registration expired in 2005
9. Two words: Farmville addiction
8. You've bought new clothes to avoid doing laundry. And not just in college
7. What happened in Vegas doesn't seem to be staying there
6. You've got a bookie on speed-dial
5. And lately he's been calling you. Regularly
4. You can fall asleep at your desk
3. But you have a hard time sleeping in your bed
2. Your kids' teachers don't recognize you
1. But your Starbucks barista knows your order by heart
AUDIT
- You're spending the majority of your time on compliance-related tasks rather than focusing on emerging risks and ways you can add value to finance and business managers
- You rely primarily on manual auditing and sampling to ensure that corporate controls are effective
- You have not recommended how the finance organization can save money by eliminating controls
- Your organization goes into full-scale red alert crisis mode before and during an audit
IT
- You spend more time than you would like with auditors
- Managing who has access to applications is seen as your problem by business users
- You're relying on point-in-time assessments of access rights to protect yourself against insider threats
- Finally, if you're manually configuring controls, or your controls aren't scalable across your enterprise, you definitely need more control
Here are a few questions you can ask yourself in order to gauge how you measure up:
- How much of your budget are you spending on controls & risk management?
- How much time does your organization spend on financial reporting and audit prep?
- What percent of your controls are automated?
As the charts on the right show, most companies spend just over 10% of their budget on controls and risk management. But most companies (86%, to be exact) rely primarily on manual methods to validate the effectiveness of their controls. The fact is, companies have spent millions of dollars designing and implementing policies, processes, procedures... and controls. But not even 2 in 10 organizations can tell you on a daily basis if those well-documented processes are actually being followed. With budgets tight, most businesses are taking a broader look at the way they ensure the accuracy and integrity of the information they use to run their business and report results.
THE KEY POINT: It's not just about whether you are spending enough; it's about how you spend it and what you're getting for that investment.
1 Hackett Group
2 KPMG Continuous Monitoring & Continuous Auditing Survey, 2010
Here are a few examples of some companies we happen to know, who knitted risk management right into their daily business, with some pretty impressive results:
- A midwestern chemical company that invested time to categorize risks according to their likelihood and impact used its CCM system to create and monitor several key risk indicators on a daily basis, to indicate process breakdowns or early warning signs of potential revenue recognition risks.
- A $1B Texas-based software company used a CCM solution to save their external auditor serious time testing their controls. Now, in addition to cutting audit costs, the company also achieves greater assurance since their controls are monitored continuously, not just spot checked once a quarter.
- A midwest manufacturer implemented a CCM solution to monitor financial reporting anomalies. By finding and correcting errors at the source, they were able to reduce the number of financial errors requiring manual follow-up and investigation by more than 50 percent, while significantly increasing their confidence in the accuracy of their financial reports.
- An equipment manufacturer deployed a CCM system to continuously monitor key risks in its procurement process. By routing exceptions indicating abnormal risks to the appropriate business manager, the manager was able to address the risk immediately and make sure that procurement ran smoothly and without error.
RISK AND THE CFO: Over the last 5 years risk management has jumped to the top of the CFO's agenda, with nearly 1 in 2 CFOs saying they are not doing an effective job managing enterprise risk.
1 The New Value Integrator, Insights from the Global Chief Financial Officer Survey, IBM (2010)
CHAPTER 3
CCM 101
Gartner defines Continuous Controls Monitoring as an emerging governance, risk and compliance technology that monitors controls in ERP and other financial applications to improve financial governance, monitor and verify access and transactional rules, and automate audit processes. It's a mouthful, but it's thorough.
Put a bit more simply, CCM systems ensure the integrity and accuracy of the information you use to run your business by enabling you to identify and respond to risks, accounting errors, policy violations, fraud or just about any business exception that is impacting your performance.
CCM solutions work by enabling finance and audit departments to implement both preventive and detective controls. This means that managers define at the outset who has permission to complete varied tasks, and they are alerted in real time if any of the rules they set are broken. CCM empowers businesses to establish both who can do what tasks (through application configuration and user access controls) and to visualize what employees have actually done (through master data and transaction controls).
We're not saying that this approach is the new skinny jean, or that it'll get you a date, but it's hard to ignore the momentum in the marketplace towards CCM systems. A recent study by KPMG found that more than 50% of organizations were considering or piloting continuous monitoring and auditing tools.
You could think of a CCM system as a home security system for your business that:
- Makes sure all of the doors and windows to the building are locked
- Makes sure only the right people have the keys
- Monitors what people are doing once they are inside the building
Too little attention has been placed on continuous controls monitoring by chief financial officers, internal auditors, and corporate risk management and compliance leaders. By automating financial controls monitoring, CCM solutions can increase operational efficiency for critical financial processes, reduce fraud and improve financial governance resulting in a substantial return on investment.
Multiple Controls
Access to Applications Can anyone ? Application/Process Configuration Do our systems allow anyone to ?
Controlling who gets to hold the keys: Application controls address the question of who has the keys. Can a single employee both create a vendor and execute a payment to that vendor? Who is able to access personal information stored on company servers? You need control over Who Drives Where.
[Figure labels: Financial Systems, Purchasing Systems, ERP Applications, CRM Systems, HR Systems]
Monitoring what people are doing: Transaction and master data controls operate more like motion detectors or video cameras, alerting management as appropriate to breaches in established rules. With CCM, you can see, via real-time alerts, just Who is Doing What, and unusual activity or breaches in established rules are flagged for you. So, for instance, if a non-approved employee takes a peek at confidential employment records, tries to override existing controls, or alters master data, you're notified, so you can step in then and there to see what's what.
Multiple Applications
CCM systems ship with rules designed to monitor and correlate all four types of controls across multiple systems and a range of processes including the core financial processes illustrated above.
[Figure labels: Purchasing Cards, Procure-to-Pay, Order-to-Cash, Account-to-Report]
Most financial applications come with a basic set of configuration settings designed to govern Who Can Do What and set up the official processes (i.e. the doors and windows). With CCM, you can continuously monitor those settings to make sure the windows stay shut and the doors stay locked. So if anyone tries to get around the rules you set, you'll hear about it.
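The two control types described above, who holds the keys (access) and who is doing what (transactions), can be sketched side by side. This is an added example, not code from the handbook or from any CCM product; the role names, permission strings, users and event records are all constructed for illustration.

```python
# Added illustration: every role, permission, user and event below is constructed.
ROLE_PERMISSIONS = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_payer": {"payment.execute"},
}
# Point-in-time snapshot of who holds which role today.
USER_ROLES = {
    "alice": {"ap_clerk", "ap_payer"},  # holds both keys
    "bob": {"ap_payer"},                # ap_clerk role was removed before the snapshot
    "carol": {"ap_clerk"},
}
# Pairs of permissions that one person should not hold together.
SOD_RULES = [("vendor.create", "payment.execute")]
# Activity log: (ISO date, user, action, vendor id, amount).
EVENTS = [
    ("2024-01-05", "bob", "vendor.create", "V100", 0.0),
    ("2024-01-09", "carol", "vendor.create", "V101", 0.0),
    ("2024-02-02", "bob", "payment.execute", "V100", 4800.0),
    ("2024-02-03", "alice", "payment.execute", "V101", 1200.0),
    ("2024-02-10", "bob", "payment.execute", "V101", 300.0),
]


def access_conflicts(user_roles, role_permissions, rules):
    """Access control: who *can* perform both halves of a conflicting pair?"""
    findings = {}
    for user in sorted(user_roles):
        perms = set()
        for role in user_roles[user]:
            perms |= role_permissions.get(role, set())
        hits = [rule for rule in rules if set(rule) <= perms]
        if hits:
            findings[user] = hits
    return findings


def transaction_conflicts(events):
    """Transaction control: who actually created a vendor and then paid it?"""
    creator = {}   # vendor id -> user who created the vendor record
    findings = []
    for _date, user, action, vendor, amount in sorted(events):
        if action == "vendor.create":
            creator.setdefault(vendor, user)
        elif action == "payment.execute" and creator.get(vendor) == user:
            findings.append((user, vendor, amount))
    return findings


if __name__ == "__main__":
    print("can do both:", access_conflicts(USER_ROLES, ROLE_PERMISSIONS, SOD_RULES))
    print("did both:   ", transaction_conflicts(EVENTS))
```

The access snapshot flags alice, who holds both permissions but has not used them together, while the activity log flags bob, whose access looks clean today. That gap is why the two control types are monitored together rather than relying on a point-in-time access review alone.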
Typical Process for Identifying & Responding to Business Exceptions With Continuous Controls Monitoring
- Identify Exceptions (Exception Identification): Inspect 100% of your data and transactions. Automatically identify exceptions as they occur. Alerts ensure issues are addressed immediately.
- View Context (360° View of Exceptions): Drill down to view related information and quickly identify the root cause of each exception.
- Investigate (Risk Scoring & Analytics): Quickly understand the financial impact and risk of each exception so you can prioritize follow-up.
- Take Action (Exception Management): Manage exceptions, assign them and collaborate with others via email from within the CCM system. Track progress and follow-up via dashboards and reports.
- KPIs, Dashboards & Reporting: Track KPIs and automate management reporting with configurable dashboards and reports personalized for each role or user.
CCM Systems Enable Finance & Audit to Share a Single Solution for Continuous Auditing & Continuous Monitoring
[Figure. Labels: Continuous Monitoring; Continuous Auditing; CFO/Finance/Controller; Internal Audit. Capabilities: Exception Identification; Automated Testing; KPIs, Dashboards & Reporting; Risk Scoring & Analysis; 360° View of Exceptions; Exception Management; Audit Trail. Systems: Financial Systems, Purchasing Systems, ERP Applications, CRM Systems, HR Systems]
CHAPTER 4
[Figure labels: Finance, Improved Security, IT]
See all the overlap here? That's one of the big reasons the first step in a CCM initiative is to bring key functions together to talk. CCM isn't a single function's domain, and it relies on a collaborative approach to be truly successful.
ONE STONE. MULTIPLE BIRDS. Everybody comes to CCM with their own motivations. The great thing about CCM is that it can accomplish so many goals across super-varied functions.
What's Your Primary Objective: Want to improve your financial governance? Reduce audit fees? Pass your next audit? You should keep your primary needs front and center in designing your CCM approach.
What's Your Long Term Vision: Where do you want to be two years into your CCM initiative? Ten years in? It's good to be mindful of the kind of cross-functional collaboration you'd like to see, as well as the overall culture you'd like to encourage in your business. Approach your CCM implementation mindful of where you want to steer it.
Assemble the Right Team: Make sure you've got buy-in from people who can make a CCM initiative succeed. Err on the side of inclusion when you invite various functions to the CCM table, and make sure you've got process experts involved early on.
Start With a Small Project & Expand: Start with a few controls that achieve your primary objective but validate the long-term vision.
Which Specific Process/Activity Areas Do You Expect to See the Most Significant Benefits?1
Purchase to Payment Fraud Risk Management Treasury & Cash Management Sales Order to Cash Receipt 62% 54% 46% 38% 37%
Put another way, they invest based on where they can get the most bang for their CCM buck, and where they've got the most to lose without a CCM solution in place. In our experience the top five starting points are:
- Procure-to-Pay Process
- Account-to-Report
- Purchasing Card Programs
- Travel & Expense Process
- Order-to-Cash Process
One very common starting point is financial reporting itself. It's a polite secret among those in finance that reported financial results are a rough approximation of the amount of money made or lost in a given period. The trick is to make sure you're within a defensible margin of error, so that any mistakes on the books aren't biggies. Since financial reporting is so open to automation and so handy in rooting out problems as they happen (as in, before they cost a business serious bank), it's an especially popular place to kick-start a CCM program.
Focus on Fraud
Fraud is on the rise, affecting 75% of U.S. organizations* and costing U.S. companies some $700 billion annually. Unfortunately, fraud seems to be one of those things people assume won't happen to them until it does, at which point they throw money at the problem. Trust us when we say that's not the best approach. Since most fraud is the result of ineffective controls, a CCM solution that monitors the effectiveness of controls is a great (and more affordable) way to tackle it.
CHAPTER 5
Ten Things We Cannot, Unfortunately, Offer You Through CCM. (Though We Would If We Could!)
1. A pony
2. Or a puppy
3. iPad
4. Candy
5. Cash prizes
6. World Peace
8. A fountain of youth
Quiz Time: How Should You Spend The Time You Save with CCM?
A) LAVISH HOLIDAY PARTY PLANNING
B) FANTASY FOOTBALL DRAFT
C) THAT NOVEL YOU'VE ALWAYS WANTED TO WORK ON
D) MEMOIRS OF A WELL-RESTED FINANCE PRO/AUDITOR/RISK MANAGER
E) YOUR ACTUAL JOB
(If you answered anything but E, you may be a key risk yourself)
CHAPTER 6
While CCM initiatives can start at several different points, as organizations move up the controls automation curve they generally mature along a consistent trajectory:
- What are you monitoring?
- Who is monitoring it?
- Why are you monitoring it?
- How are you monitoring it?
- How are you measuring success?
A bit later...
Once they've got the hang of monitoring, organizations are ready to check out the CCM system's road-worthiness. Think that bad boy can make mincemeat of those key risk indicators the same way it slashes audit preparation time? At this point, automated monitoring is old hat. If finance wasn't driving the project initially, they are now fully in the driver's seat. They are finding and fixing accounting errors, analyzing the risk and impact of exceptions the CCM system finds and assigning ownership for follow-up. High-priority exceptions are being routed for quicker review. At this stage, success is measured by cash leaks and increased efficiency in addition to the time savings already being tracked.
Level 1
- What Are You Monitoring? No Formal Monitoring. Ad Hoc Reviews Only. Often Prior To or During Audits
- Who's Monitoring? Audit Organization Performs Audits. Finance Performs Spot Checks
- Why Are You Monitoring? To Comply with External Audit Requirements
- How Are You Monitoring? Manual Sampling and Spot Checks
Level 2
- What Are You Monitoring? Procure-to-Pay OR General Ledger
- Who's Monitoring? Finance OR Internal Audit
- Why Are You Monitoring? Automate Testing
Level 3
- What Are You Monitoring? Procure-to-Pay AND General Ledger
- Who's Monitoring? Finance AND Internal Audit
- Why Are You Monitoring? Automate Testing, Prevent Errors
- How Are You Monitoring? Review Monthly/Weekly; High-Priority Exceptions Routed for Review
- How Are You Measuring Success? Time Testing Controls, Audit Preparation Time, Cash Leaks, Process Efficiency
Level 4
- What Are You Monitoring? Procure-to-Pay, General Ledger & Order-to-Cash
- Who's Monitoring? Finance, Internal Audit & Exec. Mgmt.
- Why Are You Monitoring? Automate Testing, Prevent Errors & Monitor Risks
- How Are You Monitoring? Review Weekly w/ Exceptions Routed to Process Owners
- How Are You Measuring Success? Time Testing Controls, Audit Preparation Time, Cash Leaks, Process Efficiency, Risk Likelihood/Impact
Level 5
- What Are You Monitoring? Procure-to-Pay, General Ledger, Order-to-Cash, T&E/P-Cards & Other Processes
- Who's Monitoring? Finance, Internal Audit, Exec. Mgmt & Bus. Managers
- Why Are You Monitoring? Automate Testing, Prevent Errors, Monitor Risks & Monitor KPIs/KRIs
- How Are You Monitoring? Daily Reviews & Remediation; KPIs/KRIs Tracked Using Dashboards
- How Are You Measuring Success? Time Testing Controls, Audit Preparation Time, Cash Leaks, Process Efficiency, Risk Likelihood/Impact
CHAPTER 7
CFO/Finance
- Hard-dollar savings from preventing and reducing cash leaks
- Reduced risk from improved assurance and effectiveness of internal controls
- Reduced cost of risk & compliance monitoring
Compliance/Risk
- Reduced risk of adverse audit findings & fraud
- Reduced cost of compliance
- Reduced cost of monitoring key risks
CIO/IT
- Improved security and integrity of financial applications & data
- Reduced time supporting audit & compliance requirements
- Reduced IT cost of ownership
Internal Audit
- Reduced time spent testing routine controls
- Improved effectiveness and quality of audits due to increased breadth and depth
- Reduced cost of audit
CONTINUOUS = 100%: With continuous controls monitoring you're looking at 100% of your applications, 100% of your users, 100% of your transactions, 100% of the time.
catching accounting errors and mistakes that creep into their financial statements, addressing an audit finding or responding to fraud, they know they have unwanted risk. But when it comes time to send the business case up the ladder for approval they need to show hard numbers like hours saved or dollars found. The good news is that you can have that cake and eat it too. The chart below uses a relative scale to show for each process how CCM can both reduce risk and save time and money. As you'd suspect, each process has a different mix of benefits. For example, a CCM project focused on the procure-to-pay process will have benefits more heavily weighted toward cash leaks and improved efficiency, while the benefits of a project focused on monitoring general ledger transactions will be comprised primarily of reduced risk and improved efficiency.
Improved Efficiency
- Reduced time and cost to test controls
- Reduced travel costs for internal audit staff
- Reduced audit preparation time
- Reduced external audit testing time
- Reduced time establishing control policies
- Improved utilization & retention of internal audit staff
Reduced Risk
- Reduced risk of accounting errors and mistakes
- Reduced risk and cost of audit findings
- Reduced risk of financial misstatement or delayed 10-K filing
Cash leaks, Waste & Fraud
- Reduced losses from fraudulent payment and billings
- Reduced time spent finding & correcting accounting errors
- Reduced inappropriate payments
- Increased working capital
- Reduced unwanted purchases
- Improved cash flow from better enforcing payment terms
80%: Reduction in audit and compliance costs for each manual control or policy automated with CCM
90%: Reduction in likelihood and impact of risks monitored by using CCM
2-4%: Portion of monitored expenses recovered or prevented by using CCM
CHAPTER 8
Change is Constant
Like the Boy Scouts & Girl Scouts... Be Prepared! There's a reason that scouts have had the "Be Prepared" motto drilled into them for the last 100+ years. It's as applicable today as it was back in 1907 when the first scout recited it. The environment, both internal and external, that organizations operate in today is so complex that you have to be prepared not only to change how you run your business but how you control it as well.
EXTERNAL CHALLENGES
Many CCM projects get started by addressing issues or problems that have cropped up in the past. A common pitfall companies fall into is failing to keep one eye on the windshield. To make sure you're prepared for new challenges that come over the horizon you should make sure your CCM system has the following capabilities.
1. Test & Monitor Multiple Applications
2. Perform Advanced Analytics to Find, Measure & Manage Exceptions
3. Provide Ease of Use for Multiple Stakeholders
4. Provide Ability to Tailor Exception Remediation Process
[Figure labels: Master Data, Front Office, Demand Data, X-actional Data, Back Office, Historical Data]
INTERNAL CHALLENGES
- Complex, Global Organizations
- Mergers & Acquisitions
- Integration of New Systems
- Multiple ERPs & Legacy Systems
- Thousands of Users
- Millions of Transactions
Customer-Facing Processes
It wasn't all that long ago that standard delivery time was 5 days rather than overnight. And remember when your mother or grandmother used to shush you because someone was calling long distance on the phone? Now that we're in the age of insta-everything, customer expectations are increasing exponentially, often faster than companies' ability to deliver on them. The penalty for poor service has increased, too. In the past, a negative customer experience generated a call to a manager, or at worst, the Better Business Bureau. Now it's more likely to lead to an online tirade that everyone can see (and circulate). All of this raises the stakes and requires businesses to identify and resolve issues quickly and thoroughly, or risk being left behind (and maybe panned on Facebook, too).
Regulations
To hear the grumbling in 2002, one would have thought that SOX would be the be-all-end-all corporate regulation. And to be sure, SOX did send a number of U.S. businesses scrambling to get processes in place to ensure compliance. But that was far from the end of the story. The financial crisis and ensuing finger-pointing have brought about renewed interest in everything from financial reform to consumer protection, and a raft of brand-new regulations to boot. And we'd be willing to bet a good bit that more regulation is on the horizon. Businesses today need systems to ensure compliance with an ever-changing regulatory landscape, and those systems need to work to address requirements and vulnerabilities across functions without disrupting business flow.
Cost
All of these challenges (staying ahead of innovations, expectations and regulations) come at a time of unprecedented demands on business users, who are constantly being asked to do more with less. With raw materials and labor fungible across borders, and with growing competition from emerging economies in India and China, cost pressures are only set to increase. That means that businesses need systems that can cost-effectively meet these increasingly burdensome demands.
AFTERWORD
ADDITIONAL RESOURCES
- Approva One Product Overview: www.approva.net/one
- Control Freak Central: www.ilovecontrolfreaks.com
- Approva Website: www.approva.net
- Control Freak Blog: www.approva.net/controlfreak
- Gartner CCM Magic Quadrant: www.approva.net/gartnerccm
- Onetropolis: www.onetropolis.com
Approva is the leading provider of continuous controls monitoring software and is the industry standard for the Big 4 audit and advisory firms. Approva prevents fraud and reduces waste by automating and improving the way finance, IT, audit and general managers identify and manage risk throughout their business.
Approva Corporation
Phone: 703.956.8300
Web site: www.approva.net