A protocol for continuous monitoring and assurance Gerard A. (Rod) Brennan, Siemens Corporation Miklos A. Vasarhelyi, Rutgers University
Outline
• Motivation
• Implementation: of accredited control monitoring software
• Reengineering: Rationalization and reorganization of the audit program
• Automation: of elements not in the adopted software solution
A 3-pronged approach to audit automation
• Automate audit plan using delivered Rule Sets: Est. 25% of a typical manual audit plan
• Automate using external data sets (Static & Variable): Est. an additional 25% of a typical manual audit plan
• Re-engineer manual controls into automated controls with improved control precision: Est. an additional 25% of a typical manual audit plan
• Total = Automation Opportunity ~75%!!
SAP Certification Audit, cont.
• The certification audit program utilized by Siemens IT Audit Pool covers eight functional areas within the SAP environment:
  • BC – Basis System
  • CO – Computer Operations and Outsourcing
  • FI – Financial Accounting
  • FI-AA – Asset Accounting
  • SD – Sales and Distribution
  • MM – Material Management
  • PS – Project System
  • HR – Human Resources
• These audit programs include relevant automated and manual internal controls related to IT general controls, and automated and manual application (e.g., business) controls.
• The SAP certification audit is not only controls-focused; many auditees have optimized their SAP system based on knowledge gained through the audit.
Proposed Audit Automation Project: Goals and Objectives -- Jan 2008
• Siemens AG has recognized a clear opportunity to leverage audit automation tools and technology to improve compliance, mitigate fraud, assure conformance to processes, and reduce cost of compliance.
• The proposed project will leverage A&D PL’s successful installation of Approva BizRights to build a working model for tactically deploying and achieving the above objectives, while at the same time obtaining the 4-year SAP certification.
• A 2-day feasibility and scoping session was held at PL’s Maryland Heights, MO office to review the audit program and validate assumptions on feasibility of Approva BizRights utilization -- high potential for automation identified!
• Participants:
  • Siemens North America operational audit lead
  • PL IT and IA representatives
  • Rutgers University, Continuous Audit and Reporting Laboratory
  • Approva
Value Proposition (Cost and Quality)
• Quality
  • Continuous versus point-in-time/periodic auditing
  • Information on the full population in SAP vs. sample-based
  • Deterrent to fraud (including collusive fraud): creating a “perception of monitoring” within the organization
  • Sustainability of the control environment through real-time updates and alerts to management personnel
  • Assures process conformance and business process optimization
• Cost
  • Savings through cash flow improvements (e.g., vendors with unusually accelerated payment terms; customers with delayed payment terms)
  • Savings from other process improvements, systems optimization
  • Savings from improved fraud deterrents [1]
  • A&D PL specific:
    • For 3 of every 4 years, eliminate ~500 man-hours of IT GCC and application control testing (@ $137/hr = $68,750/year for PL)
    • Significantly reduce 475 man-hours of annual KPMG IT audit hours (@ $200/hr and 50% reduction, $47,500/year)
• [1] 2007 Fraud Report by ACFE estimated fraud costs as up to 5% of revenues in most organizations
• General – Siemens IT audit pool billing rate is $137/hour; KPMG is $200/hr in Siemens North America
Technology Requirements
• Technology
  • A&D PL already has the following Approva modules “live” in production. These will be heavily utilized as part of this project:
    • Authorizations Insight
    • Access Mgmt Insight
    • User Activity Insight
    • Procure-to-Pay Insight
    • Order-to-Cash Insight
  • The following modules will be required and will be installed at A&D PL for the project:
    • Financial Close Insight
    • General Computer Controls Insight
    • Insight Authoring Studios
Project Deliverables
• SAP certificate for A&D PL’s systems
• Siemens operational audit’s “Teammate” working papers to support all work performed
• Final/validated Approva BizRights rule books held by A&D PL [1]
• Re-engineered audit action sheets held by Siemens Operational Audit [2]
• Final validation of re-engineered approach by KPMG
• Case study
• [1] Made available to other Siemens businesses upon request.
Scope Definition
• Redefine the SAP certification audit with a focus on audit automation and continuous controls monitoring.
• Restructure/re-engineer the SAP certification audit program, enhancing clarity on automated versus manual tests
• Produce tactical case study illustrating ‘old way’ versus ‘new way’ in certifying an SAP system
  • Case study will be made available within Siemens
  • Case study will be made available to Approva and Rutgers for their support and respective investment
• Complete the SAP audit and receive 4-year certificate for A&D PL
• Key point: Tests that (1) cannot be automated and (2) have already been performed in 2007 SOX will not be re-performed. Siemens Operational Audit will give credit for work performed, and rely on 2007 SOX testing.
Proposed Methodology/Protocol (Jan – Feb 2008)
• Create a schematic for an automated audit approach building on the PL-installed Approva base and the SAP certification audit (see below)
• Create a development team made up of representatives from PL IT & IA, SC Audit, Rutgers Univ. and Approva.
• Create specific time-phased work packages for all participants
• Process Steps:
  • Secure, install and test Financial Close & Gen. Computing Controls (GSS) modules from Approva on PL’s platform
  • Systematically map each AAS (SAP Cert Audit) to the Approva toolset and eliminate redundancies.
Proposed Methodology/Protocol (Jan – Feb 2008)
• Identify automation opportunities in 4 key areas:
  • Using Approva standard rules
  • Creating new rules using Approva Authoring Studio
  • Re-engineer manual AAS to use automated controls
  • Re-bundle manual controls in consolidated Audit Plan
• Test & cleanse automated controls & workflow
• Reorganize and restructure audit action sheets and submit for approval to CFA and KPMG
• Document this process for repeatability at other Siemens locations
Automation: an architecture for the long-term prototype
[Architecture diagram; only the box labels survive extraction:]
• Actors: Auditor; Management
• Audit Parameterization Tool; Static Parameters (Deterministic, Stochastic, Other)
• Data Extraction (External Table comparisons, Snapshot comparisons, Other)
• Remote Audit Communication Tool; Interactive Mail Management Tool; Sustainable Object Verification Tool; Other
• MCP Audit Evidence Receptacle; Master Audit Program
• Operating Alarm Flows; CA Control Dashboard
• A.A.S. (Audit Action Items) from Siemens, Approva and other literature
• Inference Engine; Evergreen Opinion
• Class of Auditable Actions ---- of Audit Processes
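As an added illustration that is not part of the slides or of the Approva toolset, the following shows one deterministic rule of the kind the architecture’s “snapshot comparison” extraction path would feed into the operating alarm flows: two vendor-master snapshots are diffed over the full population and each change that matters to the cash-flow item on the value slide (accelerated payment terms) or to payee integrity raises a named alarm. The field names, the threshold and the vendor records are constructed assumptions, not SAP data.

```python
from dataclasses import dataclass

# Deterministic audit parameter (assumed value): payment terms shorter than
# this many days are flagged as unusually accelerated.
MIN_PAYMENT_TERMS_DAYS = 14

# Constructed vendor-master snapshots: vendor id -> (payment terms in days, bank account id)
SNAPSHOT_T0 = {
    "V099": (30, "ACCT-0099"),
    "V100": (30, "ACCT-0100"),
    "V101": (45, "ACCT-0101"),
    "V102": (30, "ACCT-0102"),
}
SNAPSHOT_T1 = {
    "V100": (30, "ACCT-0100"),  # unchanged
    "V101": (7, "ACCT-0101"),   # payment terms accelerated 45d -> 7d
    "V102": (30, "ACCT-0202"),  # bank account changed
    "V103": (0, "ACCT-0103"),   # new vendor paid immediately
}                               # V099 disappeared from the extract

@dataclass(frozen=True)
class Alarm:
    vendor: str
    rule: str
    detail: str

def compare_snapshots(before, after, min_terms=MIN_PAYMENT_TERMS_DAYS):
    """Diff two vendor-master snapshots; every vendor is examined, not a sample."""
    alarms = []
    for vendor, (terms, bank) in sorted(after.items()):
        prev = before.get(vendor)
        if prev is None:
            alarms.append(Alarm(vendor, "NEW_VENDOR", f"created with terms={terms}d"))
        else:
            prev_terms, prev_bank = prev
            if terms < prev_terms:
                alarms.append(Alarm(vendor, "TERMS_ACCELERATED", f"{prev_terms}d -> {terms}d"))
            if bank != prev_bank:
                alarms.append(Alarm(vendor, "BANK_CHANGED", f"{prev_bank} -> {bank}"))
        if terms < min_terms:
            alarms.append(Alarm(vendor, "TERMS_BELOW_THRESHOLD", f"{terms}d < {min_terms}d"))
    # Vendors present in the earlier snapshot but gone now are also an audit event.
    for vendor in sorted(before.keys() - after.keys()):
        alarms.append(Alarm(vendor, "VENDOR_DELETED", "present in T0, missing in T1"))
    return alarms

if __name__ == "__main__":
    for alarm in compare_snapshots(SNAPSHOT_T0, SNAPSHOT_T1):
        print(f"{alarm.vendor:5} {alarm.rule:22} {alarm.detail}")
```

Each alarm carries the rule name so a dashboard can route it to the responsible manager, which is the “perception of monitoring” effect the value slide describes.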