
Practical Issues of Implementing Continuous Assurance Systems

Presented by John Verver CA, CISA, CMC to the 5th Continuous Assurance Symposium November 22-23 2002.


Presentation Transcript


  1. Practical Issues of Implementing Continuous Assurance Systems Presented by John Verver CA, CISA, CMC to the 5th Continuous Assurance Symposium November 22-23 2002

  2. Implementing Continuous Assurance Systems
     • Status of use of continuous assurance implementations.
     • What is meant by “continuous”?
     • The practical issues of integrating continuous auditing/monitoring procedures to the data and the underlying application.
     • Defining the control parameters to be tested.
     • Setting the thresholds for reporting and priorities for notifications.
     • Software functionality required to support continuous monitoring

  3. Continuous Assurance Systems
     Status of continuous assurance implementations within the ACL user base:
     • ACL user base includes over 150,000 licensed users:
        • The Final 4
        • 89 of the Fortune 100
        • 44% of the Global 500
        • 30+ national governments and virtually all US state governments
     • Very few organizations have fully embedded and automated continuous auditing/monitoring applications
     • Most “Continuous Monitoring applications” are simply series of automated data analysis tests that are run on a regular basis, and are manually initiated - not true continuous applications, e.g.:
        • Detecting indicators of fraud
        • Identifying duplicate and other overpayments

  4. Continuous Assurance Systems
     “Continuous” Assurance Applications:
     • Automated analyses that test transactional data against defined control parameters/rules
     • Generally independent of the underlying business application system
     • Run automatically on a daily / weekly basis – (occasionally more frequently)
     • Automatically generate exception reports / alerts
     • Detective more than preventative

  5. Continuous Assurance Systems
     Most common application areas among ACL user base:
     General business process:
     • Purchase / Payments cycle
     • Vendor fraud
     • Expense claims
     Industry-specific:
     • Money laundering, anti-terrorist legislation
     • Insurance claims
     • Medicare/Medicaid compliance

  6. Continuous Monitoring Application
     [Diagram labels: Payments system; Continuous Monitoring system; Independent, comprehensive series of control tests]

  7. Continuous Assurance Systems
     Why are they needed?
     • Confirmation that controls built into application systems are operating effectively
     • Make up for lack of controls in application systems

  8. Continuous Assurance Systems
     Getting to the data:
     • Direct access vs extract
     • Direct access to mainframe / server data usually preferable
     • Data extract may be preferable to minimise processing impact
     • Define the “data slice”
     • Decide on the point at which to take the slice (Time-based? Process-based? – depends on underlying application system and timing of CA process)
     • Ensure that all transactions are captured since the last test process

  9. Continuous Assurance Systems
     Money-laundering application
     [Diagram labels: DDA Files (DB/2); Control parameters defined within ACL “rules-engine”; Adjust alert sensitivity; Processing log; Customer names, Account Master; Daily Account History; ACL for Windows Client; ACL for OS/390 Client Server; Reports and alerts; Distributed by e-mail; File of suspect transactions; ACL daily extract / monitoring process launched by JCL and Windows Schedulers; Lower Priority reports; Additional analysis by ACL of suspect transactions; High priority alerts]

  10. Continuous Assurance Systems
      Establishing the control parameters:
      • Identify specific control exposures
      • Identify indicators of risk
      • Use transactional analysis to determine if conditions exist for which no controls designed/risks identified
      • Define specific control parameters / tests
      • Establish sensitivity thresholds for reporting and alerts
      • “Scoring/weighting” of events dependent upon combination of control parameters that are failed and indicators of risk

  11. Continuous Assurance Systems
      ACL functionality that supports Continuous Assurance applications:
      • Analytical and inquiry processes that support audit and control procedures
      • Direct data access e.g.
         • ACL OS/390 Client Server
         • Direct Link for SAP R/3
         • ODBC-compliant databases
      • NOTIFY – e-mail notification of reports and alerts
      • Complete logging of processes
      • Definition of control parameters (“rules-engine”)
      • Development of interactive and automated applications

  12. Example of interface for tuning monitoring parameters Note: This amount can be modified from the parameters menu.

  13. Example of interface for tuning monitoring parameters

  14. Example of ACL Notify command
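
Slides 8 and 10 describe taking a data slice that captures every transaction since the last test, then scoring events by the combination of control parameters they fail and routing them by threshold. The following Python example is added here to illustrate that cycle; it is not taken from the presentation or from ACL, and the control tests, weights, thresholds, vendor master and sample payments are all constructed assumptions.

```python
"""Weighted control tests over a data slice (all names and values assumed)."""

APPROVAL_LIMIT = 5000.00          # assumed control parameter
WEIGHTS = {"duplicate": 50, "near_limit": 30, "unknown_vendor": 40}
HIGH, LOW = 70, 30                # assumed alert-sensitivity thresholds
VENDOR_MASTER = {"V100", "V200"}  # constructed vendor master

# Constructed sample payments: (seq, vendor, invoice, amount)
PAYMENTS = [
    (1, "V100", "INV-7", 1200.00),
    (2, "V200", "INV-9", 4900.00),
    (3, "V100", "INV-7", 1200.00),
    (4, "V999", "INV-1", 4990.00),
    (5, "V200", "INV-3", 300.00),
]

def take_slice(rows, last_seq):
    """Return rows added since the previous run, in sequence order."""
    return sorted(r for r in rows if r[0] > last_seq)

def failed_controls(row, seen):
    """Names of the control tests this payment fails."""
    seq, vendor, invoice, amount = row
    failed = []
    if (vendor, invoice, amount) in seen:
        failed.append("duplicate")
    if 0.95 * APPROVAL_LIMIT <= amount < APPROVAL_LIMIT:
        failed.append("near_limit")
    if vendor not in VENDOR_MASTER:
        failed.append("unknown_vendor")
    return failed

def run_cycle(rows, state):
    """Test one slice; state carries the watermark and payment history."""
    alerts = {"high": [], "low": []}
    for row in take_slice(rows, state["last_seq"]):
        failed = failed_controls(row, state["seen"])
        score = sum(WEIGHTS[f] for f in failed)
        if score >= HIGH:
            alerts["high"].append((row[0], score, failed))
        elif score >= LOW:
            alerts["low"].append((row[0], score, failed))
        state["seen"].add(row[1:])
        state["last_seq"] = row[0]  # advance only after the row is tested
    return alerts
```

The duplicate test depends on history kept across runs, so the state (watermark plus previously seen payments) has to be persisted between scheduled cycles; losing it silently re-tests or skips transactions.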
