GRC Protiviti Presentation

Uploaded by Cyril Hauppert

Reduce Audit Time Using Automation, By Example

Jay Gohil
Senior Manager

Today’s Session

Speaker Bio: Jay Gohil, Protiviti

Jay is a Senior Manager in the ERP Services practice in Atlanta. In the past
seven years, Jay has focused on SAP Security, Segregation of Duties, and
Governance, Risk, and Compliance Access Control (GRC-AC) projects.

Topic:
• Defining and leveraging continuous controls monitoring (CCM)
• Understand how to move from ad-hoc manual audit testing to a more
  streamlined and automated approach, using SAP Process Control to
  continuously monitor risk.
• This session uses an example situation to address:
  • Maturing from manual testing to a more automated approach
  • Reviewing current tools for automation
  • How to identify and exploit SAP’s Process Control 10 solution to
    streamline control testing

2 © 2013 Protiviti Inc. An Equal Opportunity Employer.


Agenda

I. Background on Continuous Auditing and Monitoring
II. Terminology
III. Current Tools & Market Convergence
IV. Maturing From Manual To Automated
V. Example Scenario


Continuous Auditing vs. Continuous Monitoring

Continuous Auditing: Any method used by auditors to perform audit-related
activities on a more continuous or continual basis.

Continuous Monitoring: A process that management puts in place to ensure that
its policies, procedures, and business processes are operating effectively.

Source: The Institute of Internal Auditor's Global Technology Audit Guide (GTAG), Continuous Auditing: Implications for Assurance, Monitoring
and Risk Assessment.


The Inverse Relationship between Continuous Auditing and Continuous Monitoring

Higher level of monitoring of controls = Lower level of detailed testing of controls needed
Lower level of monitoring of controls = Higher level of detailed testing of controls needed

[Diagram: Management Response (from Reduced Monitoring of Controls to Comprehensive
Monitoring of Internal Controls) plotted against Audit Effort (from Significant Effort /
Greater Resources to Little Effort)]
Benefits

• Increased testing coverage (100% of population)
• Improved timeliness of testing
• Greater visibility
• Independent testing
• Identification of trends
• Improved consistency
• More efficient, allowing focus on overall process efficiency and effectiveness
• Cost-effective solution

The Auditing Profession is entering the Age of Continuous Auditing

• Annual Audits are being viewed as untimely and obsolete
• Internal Control issues are expected to be reported almost immediately


Terminology!?!

CA – continuous auditing

CM – continuous monitoring

CCM – continuous controls monitoring

CCM-AC – continuous controls monitoring for application configuration

CCM-MD – continuous controls monitoring for master data

CCM-SOD – continuous controls monitoring for segregation of duties

CCM-T – continuous controls monitoring for transactions



Continuous Auditing/Monitoring Tools in the Market



Leaders in CCM

[Figure: Gartner Magic Quadrant for Continuous Controls Monitoring]

Source: Gartner’s website at http://www.gartner.com/


Tool Convergence

The vendors and associated products used for Continuous Audit have
drastically changed in the past couple of years, including:

• Vendor Consolidation (e.g. Infor acquires Approva, IBM acquires OpenPages and
  Algorithmics, EMC-RSA acquires Archer, Thomson Reuters acquires Paisley)
• Divergence amongst competitors focusing on audit management vs. audit automation
• Product increased interoperability to allow for a more integrated GRC platform
  (e.g. SAP GRC 10.0, Oracle GRC)
• Industry specific solution content becoming more important (e.g. Oil & Gas,
  Banking, Dodd-Frank, etc.)

What are your needs and priorities (short and long-term)?

[Diagram: Governance Risk and Compliance (GRC) and Continuous Controls Monitoring Tools,
shown as a GRC Platform made up of: Finance GRC (e.g. configuration & transaction
monitoring); IT GRC (e.g. SOD, IAM); Operations GRC (e.g. EH&S, QM, etc);
Enterprise Risk Management (e.g. Self Assessments, RM Dashboards, KRIs, etc.);
Policy, Process & Document Management]
eGRC

eGRC – Enterprise Governance, Risk and Compliance

A technology solution to support the oversight and operation of
enterprisewide risk management and compliance programs, with the
overall objective being improvements in corporate governance….
- Gartner


eGRC Components
– Content Management
  • Managing documentation related to policies, risks, controls, testing, configuration.
– Workflow / Alerts
  • Automating controls surrounding approvals, tasks, and alerts
– Transactional Analysis / Monitoring
  • Monitoring controls on a configuration and transactional level to determine if controls
    are operating as designed.
– User Access Reporting / Monitoring
  • Segregation of Duties (SOD) / Sensitive Access
– Configuration Monitoring
  • Automated / System Controls
– Dashboarding
  • Providing management with a comprehensive overview of the control / risk
    environment.
The Controls Challenge

Questions shown around the slide:
• Are we making unnecessary or unapproved discounts?
• Have any POs been changed after approval?
• Are people making unauthorized or incorrect manual entries to the GL?
• Are purchasing cardholders violating company policy?
• Are we making duplicate payments?
• Am I losing money because of fraud?
• Is anyone manually clearing blocked invoices?
• Are my POs based on accurate vendor master data?
• Are we at risk of an audit finding for user access?
• Are we misclassifying assets as expenses?
• Can users access sensitive information?
• Are system configuration changes exposing me to risk?

CCM layers shown on the slide:
Transactions (CCM-T): “Did anyone __________?”
Master Data (CCM-MD): “Is the underlying data accurate?”
Access to Applications (CCM-SOD): “Can anyone __________?”
Configuration of IT Systems & Processes (CCM-AC): “Do our systems allow anyone to __________?”


Trends and Leaders in eGRC

[Figure: Gartner Magic Quadrant for eGRC, July 2011 and October 2012]

Source: Gartner’s website at http://www.gartner.com/


Business Controls – Where do you want to be?

Continuum (top to bottom): Optimized, Managed, Defined, Repeatable, Initial / Adhoc

Upper end of the continuum:
Identification of Business Risks:
• Business Process risks have been identified, documented, and are understood by the business.
• An effective risk classification system is used to define the importance, likelihood and impact of each risk.
Configurable Controls:
• Reliance is placed on system controls to minimize manual business process controls.
• Optimal use of all applicable system control items
Detective / Manual Controls / Business Rules / Policies:
• Controls that address key risks are documented and regularly reviewed.
• Definition of global and local controls
Data Governance:
• Centralized management of master data, leveraging both configurable controls and automated reporting to
  prevent and manage inconsistencies
Continuous Control Monitoring:
• Automated processes are implemented to alert and identify changes in key configuration controls and
  transactional anomalies.
• Management self assessment programs are used to assess the effective operation of manual process controls.
• Internal Audit and other assurance providers are integrated into key business process controls

Lower end of the continuum:
Identification of Business Risks:
• Limited understanding of risks within each business process.
• Failure to classify the importance of business process risks
Configurable Controls:
• System application controls have not been documented or tested for effectiveness.
• Reliance is placed on manual process controls rather than taking advantage of system controls
Detective / Manual Controls / Business Rules / Policies:
• Controls are operating within the business but are not widely understood or formally documented.
• There is no link between key process risks and control items
Data Governance:
• Inconsistent and independent management of master data (vendor, customer, COA)
Continuous Control Monitoring:
• Regular testing and monitoring of both system and manual controls is not performed.


Maturing from Manual to Automated

Continuum (top to bottom): Optimized, Managed, Defined, Repeatable, Initial / Adhoc

Fully Automated: Use of sophisticated tools to automate testing and align with
business controls. Exceptions are reportable and monitoring is implemented for
transactions and configurations.

Semi-Automated: Automation is used to perform testing across full populations.
Use of tools (ACL or databases) to reduce analysis time.

Manual: Pull data at the time of testing and perform sample-based testing.


Example Scenario:
One Time Use Vendors



Scenario

• Creation of vendors is tightly controlled
• Often it is necessary to bypass system checks to create “one-time vendors”
• Used on an exception basis, allowing a user to bypass controls and push purchases through

• Control Objective: Purchases against one-time use vendors cannot exceed $10,000

• Business Rule: The sum of invoices to one-time use vendors should be less than
  $10,000


Example: Semi-Automated Control Test

• Step 1: Identifying the data
  – Select field > Help (F1) > Technical Information (Hammer/Wrench icon)


Example: Semi-Automated Control Test

Step 2: Obtaining the data based on frequency
  – Method 1: Pull the data manually during each audit
  – Method 2: Reliance on IT to provide the data – PARTNER!
    • Pulling data files from a staging location / folder
  – Validate the accuracy and completeness of the data

Step 3: Automate the test using Excel / ACL / Access
  – Requires detailed documentation of data requirements and scripts
  – Skill-set with tools is sometimes lost with team member rotation

Application   Ease of Use   Cost   Repeatability   Assurance of Data Integrity
Excel         High          Low    Low             Low
Access        Low           Low    High            Low
ACL           Medium        High   High            High


Identifying the Data Source: SAP Structures

Identify transparent tables related to a structure:
– Right-click on a field containing data and click “Help (F1)”.
– Click the "Technical Info" icon (hammer and wrench).
– Make a note of the table name and table category (e.g., Struct.) located in the Field Data section of
  the Technical Information window.
  • For the purpose of this example, let's assume the category is "Struct."
– In SAP, Execute T-Code SE84 (ABAP Workbench) and browse to ABAP Dictionary > Structures.
– Enter the structure name and click the Execute button (look for the green checkmark).
– Click the "Complete List" button to view additional fields.
– Make a note of the "Package" name.
– Browse to ABAP Dictionary > Database Tables (in SE84).
– Enter the Package name and click Execute.
– Review the SAP tables related to the data element.

Reference: Posted on LinkedIn Atlanta ACL User Group by John Buchanan on 8/15/2013


Example: Continuous Monitoring Using SAP Process Controls 10.0


CCM – Bigger Picture



Data Sources

• Subsets of data associated with business rules or controls
• Predefined queries for specific data elements
• The job of a data source (in GRC) is to provide a business-user-friendly view of technical
  data

[Screenshots: SAP Process Controls 10.0 data source; ACL Direct Link]

• Note: Data sources can and should be used for multiple rules or controls
  – May require bigger picture thinking and design discussions


Data Sources (continued)

• Intellectual property for table and field names
• User friendly interface to the data


Identify and Define Business Rules/Controls



Business Rules

• User specified logic based on business controls
• Business rules filter the data stream coming from data sources
• These rules can also perform calculations on the data
• Rules define exception situations
• Examples:
  – Total spend on a one-time vendor should not exceed $10,000

• Rule Types
  – Transactional (CCM-T)
  – Configuration (CCM-AC)
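As an added example (not code from the deck, nor SAP Process Control's own rule engine), the one-time vendor rule from the scenario expressed the way the deck separates the pieces: a data source that presents a business-friendly view of technical fields, and a transactional (CCM-T) business rule that filters and aggregates it into exceptions. The records and the SAP-style field names (LIFNR, NAME1, XCPDK, BELNR, WRBTR, BUDAT) are constructed for illustration; the deck states the control as "cannot exceed $10,000" and the rule as "less than $10,000", so the boundary case is a decision to record when the control is converted into a rule.

```python
from collections import defaultdict

# Constructed sample data (not from the deck). Field names follow SAP-style
# vendor master / invoice conventions (LIFNR = vendor number, NAME1 = name,
# XCPDK = one-time account indicator, BELNR = document, WRBTR = amount,
# BUDAT = posting date); treat them as illustrative, not a verified extract.
VENDOR_MASTER = [
    {"LIFNR": "0000100100", "NAME1": "ACME Supplies",      "XCPDK": " "},
    {"LIFNR": "0000199001", "NAME1": "Conference caterer", "XCPDK": "X"},
    {"LIFNR": "0000199002", "NAME1": "Emergency plumber",  "XCPDK": "X"},
]
INVOICES = [  # (BELNR, LIFNR, WRBTR, BUDAT)
    ("5100000001", "0000100100", 25000.00, "2013-02-03"),
    ("5100000002", "0000199001",  4200.00, "2013-02-11"),
    ("5100000003", "0000199001",  6100.00, "2013-03-02"),
    ("5100000004", "0000199002",  9999.99, "2013-03-15"),
]

def one_time_vendor_invoices(vendor_master, invoices):
    """Data source: a predefined query that joins invoices to the vendor
    master, keeps only one-time vendors and exposes business-friendly column
    names. The same data source can feed several rules (spend limit,
    duplicate payments, ...), which is why it applies no threshold itself."""
    one_time = {v["LIFNR"]: v["NAME1"] for v in vendor_master if v["XCPDK"] == "X"}
    return [{"invoice": belnr, "vendor": lifnr, "vendor_name": one_time[lifnr],
             "amount": wrbtr, "posted": budat}
            for belnr, lifnr, wrbtr, budat in invoices if lifnr in one_time]

def one_time_vendor_limit_rule(rows, limit=10000.00):
    """Business rule (CCM-T): total spend per one-time vendor must not exceed
    the limit. The rule aggregates across invoices, so a purchase split into
    several invoices that are each under the limit is still flagged.
    Returns exception records, largest total first."""
    totals, names, docs = defaultdict(float), {}, defaultdict(list)
    for r in rows:
        totals[r["vendor"]] += r["amount"]
        names[r["vendor"]] = r["vendor_name"]
        docs[r["vendor"]].append(r["invoice"])
    exceptions = [{"vendor": v, "vendor_name": names[v], "total": round(t, 2),
                   "over_limit_by": round(t - limit, 2), "invoices": docs[v]}
                  for v, t in totals.items() if t > limit]
    return sorted(exceptions, key=lambda e: e["total"], reverse=True)

if __name__ == "__main__":
    for e in one_time_vendor_limit_rule(one_time_vendor_invoices(VENDOR_MASTER, INVOICES)):
        print(f'{e["vendor"]} {e["vendor_name"]}: {e["total"]:.2f} '
              f'(over by {e["over_limit_by"]:.2f}) invoices {", ".join(e["invoices"])}')
```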


Rule Type: Configuration Monitoring

• Rules based on the entries of log files
• Prerequisite: logging must be enabled on specific tables or specific areas
• Non-transactional patterns, such as flags or toggles
• Ability to run monitoring rule against an entire timeframe and reconstruct settings to
  identify changes that violate the rule
• Example:
  – Master data changes - enable/disable vendor blocked for credit status
  – Configuration changes

“My audit test is a point in time so how do I know that the configuration
wasn’t changed for a short period of time and then changed back?”


Change Log Example

• Control Objective: Customer credit checks are performed based on category of customer, company
  code, and sales area for high risk sales orders
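Added example (not from the deck or from SAP Process Control) for the configuration monitoring rule type and the credit check change log above: the log is replayed across the whole audit period, so a setting that was switched off and back on between two audit dates still produces an exception, while a point-in-time check of the same setting sees nothing. The log rows, object keys and user ids are constructed; a real implementation reads the table change log that the slide's prerequisite says must be enabled.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed change-log rows (not from the deck): one row per change to a
# configuration setting, as a table change log would record it:
# (timestamp, object key, field, old value, new value, changed by).
# Key = check type / company code / sales area; "X" = credit check active.
CHANGE_LOG = [
    ("2013-01-05 09:12", "credit_check/1000/DE", "active", None, "X", "SETUP"),
    ("2013-02-01 10:00", "credit_check/2000/US", "active", None, "X", "SETUP"),
    ("2013-03-10 17:45", "credit_check/1000/DE", "active", "X", " ", "JDOE"),
    ("2013-03-12 08:03", "credit_check/1000/DE", "active", " ", "X", "JDOE"),
]

def rule_violated(value):
    """Business rule (CCM-AC): the credit check must be active ('X')."""
    return value != "X"

def history(log, key, field):
    """All changes to one setting, oldest first: (timestamp, new value, user)."""
    return sorted((datetime.strptime(ts, FMT), new, user)
                  for ts, k, f, _old, new, user in log if k == key and f == field)

def value_at(log, key, field, at):
    """Point-in-time view, i.e. what a manual audit test on that date sees.
    Returns None if the setting did not exist yet."""
    t, value = datetime.strptime(at, FMT), None
    for ts, new, _user in history(log, key, field):
        if ts <= t:
            value = new
    return value

def violation_windows(log, key, field, start, end):
    """Replay the log across [start, end] and return every interval in which
    the rule was violated, as (from, to, changed_by). A change that was
    reverted before the audit date still produces a window."""
    t0, t1 = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    windows, open_from, open_by = [], None, None
    initial = value_at(log, key, field, start)
    if initial is not None and rule_violated(initial):
        open_from, open_by = t0, "<before window>"
    for ts, new, user in history(log, key, field):
        if not t0 < ts <= t1:
            continue
        if rule_violated(new) and open_from is None:
            open_from, open_by = ts, user
        elif not rule_violated(new) and open_from is not None:
            windows.append((open_from, ts, open_by))
            open_from = None
    if open_from is not None:
        windows.append((open_from, t1, open_by))
    return windows
```

For the constructed log, a point-in-time test on 2013-03-31 finds the credit check active, while the replay reports the two-day window in March during which it was off.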


CCM – Sample Exception Report



A Few Key Points to Take Home

To achieve your continuous compliance objectives:

• Identify your compliance needs and the risks to address them
• Understand the controls in place to mitigate the risk
• Identify the data sources and partner with IT to obtain accurate and complete
  data
• Convert your controls into business rules for automation
• A continuous risk and controls assurance program is enabled by technology


Q&A



Complimentary SAP Process Control Webinar

http://www.protiviti.com/webinars
Look for the event: Identifying the Value SAP Process Control Can Deliver to Your
Organization
Thank You

Jay Gohil
[email protected]

LinkedIn.com/in/JayGohil

Powerful Insights. Proven Delivery.TM