Continuous Controls Monitoring

Information Systems Audit and Control Association


Phoenix Chapter Meeting
March 26, 2009
Agenda

What is Continuous Controls Monitoring?
Benefits and areas of focus
Example CCM scenarios
Technology solutions

"Making compliance repeatable, sustainable, and cost-effective must become the priority for ongoing investment. Continuous monitoring and automated testing is maturing in approach and applicability to be considered for evaluation now rather than later."
John Haggerty, AMR Research Alert
Page 2
What is Continuous Controls Monitoring?

Continuous Controls Monitoring (CCM) is an integrated set of processes and techniques, enabled by technology, which is designed to help an organization:
Automate the ongoing monitoring of the control environment
Identify control exceptions continuously (daily, weekly, monthly) based upon pre-defined business rules
Monitor, track and report the effectiveness of controls
Identify root causes and improve related processes in a more timely manner
Reduce the cost of controls

Page 3
Benefits from using CCM

Broader coverage
Increased frequency in testing of controls
Enhances fraud program activities
Scalability
Timely reporting of control violations
Greater value and impact of monitoring activities
Reduced cost of risk management and compliance activities

Page 4
How to approach a CCM strategy?

Questions to ask:
What are my pain points?
What are my drivers?
What do I want to monitor?
Who owns the process?
Who is at stake?

Page 5
Areas of Focus: Segregation of Duties

[Diagram: the Internal Control Environment with its Key Stakeholders; three areas of focus (Segregation of Duties, Configurable Controls, Master File and Transaction Data) rest on Information Security / IT General Controls]

Detect and/or prevent user access and segregation of duties violations
Identify and monitor users with access to sensitive areas within the application
Facilitate user access provisioning and periodic access review process related to IT general controls

Page 6
Areas of Focus: Configurable Controls

[Diagram: the same Internal Control Environment diagram as on Page 6, highlighting Configurable Controls]

Detect changes made to critical configurable controls settings
Verify that system patches and program changes do not impact the integrity of configurable controls
Enable comparison of configurable controls across business units and against leading practices

Page 7
Areas of Focus: Master File and Transaction Data

[Diagram: the same Internal Control Environment diagram as on Page 6, highlighting Master File and Transaction Data]

Monitor master file data and architecture for unauthorized or unusual changes
Monitor transaction data for control exceptions based on pre-defined business rules

Page 8
CCM process

[Diagram: CCM process flow feeding an Integrated Controls Dashboard]

Page 9
Example CCM scenarios

Segregation of Duties
An exception is reported when a user is granted access to post inventory receipts and post inventory adjustments
An exception is reported when the monitor detects unauthorized access to change foreign currency treasury wire transfer information
Identifies segregation of duties conflicts before access is granted

A CCM strategy to address Segregation of Duties provides Management with a proactive mechanism to identify user access violations as they occur
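The Segregation of Duties monitors above, written out as an added example; this is not code from the presentation or from any of the vendors it names. It uses Python with an in-memory SQLite database standing in for the ERP's security tables, and the users, roles, function codes and the SOD-01 rule are constructed sample data. One rule query is run in detective mode over current grants and in preventive mode with a proposed grant unioned in, so the "identify conflicts before access is granted" scenario shares its logic with the periodic scan; a third query lists users holding the sensitive wire-change function without being on its approved list:

```python
import sqlite3

# Constructed sample role model: hypothetical users, roles, function codes and
# one SoD rule. Not data from the original presentation or from any real ERP.
SAMPLE_SQL = """
CREATE TABLE user_roles          (user_id TEXT, role TEXT);
CREATE TABLE role_functions      (role TEXT, func_code TEXT);
CREATE TABLE sod_rules           (rule_id TEXT, func_a TEXT, func_b TEXT, description TEXT);
CREATE TABLE sensitive_functions (func_code TEXT);
CREATE TABLE approved_access     (func_code TEXT, user_id TEXT);

INSERT INTO role_functions VALUES
  ('INV_CLERK',      'POST_INV_RECEIPT'),
  ('INV_SUPERVISOR', 'POST_INV_ADJUST'),
  ('TREASURY_VIEW',  'VIEW_WIRE_DETAILS'),
  ('TREASURY_ADMIN', 'CHANGE_FX_WIRE_DETAILS');
INSERT INTO user_roles VALUES
  ('alice', 'INV_CLERK'),
  ('bob',   'INV_CLERK'), ('bob', 'INV_SUPERVISOR'),  -- conflict through two roles
  ('carol', 'TREASURY_VIEW'),
  ('dave',  'TREASURY_ADMIN'),                        -- approved for wire changes
  ('erin',  'TREASURY_ADMIN');                        -- holds it without approval
INSERT INTO sod_rules VALUES
  ('SOD-01', 'POST_INV_RECEIPT', 'POST_INV_ADJUST',
   'Posting inventory receipts and posting inventory adjustments must be separated');
INSERT INTO sensitive_functions VALUES ('CHANGE_FX_WIRE_DETAILS');
INSERT INTO approved_access VALUES ('CHANGE_FX_WIRE_DETAILS', 'dave');
"""

# One rule query serves both monitors: "effective" is the current grants plus,
# optionally, a single proposed grant that is never written to user_roles.
SOD_QUERY = """
WITH effective AS (
    SELECT user_id, role FROM user_roles
    UNION ALL
    SELECT :uid, :role WHERE :role IS NOT NULL
),
granted AS (
    SELECT e.user_id, e.role, rf.func_code
    FROM effective e JOIN role_functions rf ON rf.role = e.role
)
SELECT DISTINCT r.rule_id, a.user_id, a.role, b.role
FROM sod_rules r
JOIN granted a ON a.func_code = r.func_a
JOIN granted b ON b.func_code = r.func_b AND b.user_id = a.user_id
WHERE :uid IS NULL OR a.user_id = :uid
ORDER BY r.rule_id, a.user_id, a.role, b.role
"""


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn


def sod_violations(conn):
    """Detective monitor: users who can already execute both sides of a rule."""
    return conn.execute(SOD_QUERY, {"uid": None, "role": None}).fetchall()


def preview_grant(conn, user_id, role):
    """Preventive check: conflicts user_id would have if `role` were added.
    Nothing is written; the proposed grant is only unioned into the query."""
    return conn.execute(SOD_QUERY, {"uid": user_id, "role": role}).fetchall()


def unapproved_sensitive_access(conn):
    """Users holding a sensitive function who are not on its approved list."""
    return conn.execute("""
        SELECT DISTINCT ur.user_id, sf.func_code
        FROM user_roles ur
        JOIN role_functions rf ON rf.role = ur.role
        JOIN sensitive_functions sf ON sf.func_code = rf.func_code
        LEFT JOIN approved_access aa
               ON aa.func_code = sf.func_code AND aa.user_id = ur.user_id
        WHERE aa.user_id IS NULL
        ORDER BY ur.user_id
    """).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("SoD violations now:", sod_violations(db))
    print("Grant INV_SUPERVISOR to alice?", preview_grant(db, "alice", "INV_SUPERVISOR"))
    print("Grant INV_SUPERVISOR to carol?", preview_grant(db, "carol", "INV_SUPERVISOR"))
    print("Unapproved sensitive access:", unapproved_sensitive_access(db))
```

Because preview_grant writes nothing, it can sit in front of a provisioning workflow and refuse, or route for approval, any request that returns rows; the same query run with no proposed grant is the periodic clean-up scan.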

Page 10
Example CCM scenarios

Configurable Controls
An exception is reported when the tolerance amount for the three-way match control for accounts payable invoices is changed
An exception is reported when the credit authorization approval control is turned off
Configurable control settings are analyzed against leading practice configurable settings for opportunities to strengthen the application control environment (e.g., payment block control)

A CCM strategy for IT Configurable Controls provides Management with a proactive mechanism to identify when key application control settings have been changed

Page 11
Example CCM scenarios

Master File Data
An exception is reported when the general ledger field structures have been modified in the master table
An exception is reported when changes have been made to the general ledger account code options and/or account mapping for automatic system processing functions
An exception is reported when a vendor address matches an address in the employee master file
An exception is reported when a user with sensitive access uses that access to update the wire payment information for a vendor

A CCM strategy for Master File Data provides Management with a proactive mechanism to verify that the integrity of the master file architecture and content is not compromised
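An added example covering the Configurable Controls scenarios on Page 11 and the Master File Data scenarios above; it is not code from the presentation or from any vendor. Parameter names such as AP_3WAY_MATCH_TOLERANCE_PCT, the vendors, employees, change-log rows and the list of payment fields are constructed, and SQLite stands in for the ERP tables. It compares live settings with an approved baseline, reports configuration changes since the last monitoring run, matches vendor addresses against employee addresses after normalising punctuation and street-type abbreviations, and lists every change to vendor payment details together with whether the user who made it is on record as holding sensitive access:

```python
import re
import sqlite3

# Constructed sample data: hypothetical parameter names, vendors, employees and
# change-log rows. Not from the original presentation or from any real ERP.
SAMPLE_SQL = """
CREATE TABLE config_baseline (parameter TEXT PRIMARY KEY, approved_value TEXT);
CREATE TABLE config_current  (parameter TEXT PRIMARY KEY, value TEXT);
CREATE TABLE config_changes  (changed_at TEXT, parameter TEXT, old_value TEXT,
                              new_value TEXT, changed_by TEXT);
CREATE TABLE vendor_master   (vendor_id TEXT, name TEXT, address TEXT);
CREATE TABLE employee_master (emp_id TEXT, name TEXT, address TEXT);
CREATE TABLE vendor_changes  (changed_at TEXT, vendor_id TEXT, field TEXT,
                              old_value TEXT, new_value TEXT, changed_by TEXT);
CREATE TABLE sensitive_users (user_id TEXT);  -- users allowed to change payment details

INSERT INTO config_baseline VALUES
  ('AP_3WAY_MATCH_TOLERANCE_PCT', '2'), ('AR_CREDIT_CHECK_ACTIVE', 'Y'),
  ('AP_PAYMENT_BLOCK_ON_PRICE_VARIANCE', 'Y');
INSERT INTO config_current VALUES
  ('AP_3WAY_MATCH_TOLERANCE_PCT', '10'),   -- tolerance widened
  ('AR_CREDIT_CHECK_ACTIVE', 'N'),         -- credit check switched off
  ('AP_PAYMENT_BLOCK_ON_PRICE_VARIANCE', 'Y');
INSERT INTO config_changes VALUES
  ('2009-03-02T09:15', 'AP_3WAY_MATCH_TOLERANCE_PCT', '2', '10', 'sysadmin1'),
  ('2009-03-20T17:40', 'AR_CREDIT_CHECK_ACTIVE', 'Y', 'N', 'sysadmin2');
INSERT INTO vendor_master VALUES
  ('V100', 'Acme Supplies',  '12 Elm St., Tempe AZ'),
  ('V200', 'Desert Freight', '900 Industrial Ave, Phoenix AZ');
INSERT INTO employee_master VALUES
  ('E01', 'T. Reed', '12 ELM STREET, TEMPE AZ'),
  ('E02', 'M. Diaz', '4 Palo Verde Rd, Mesa AZ');
INSERT INTO vendor_changes VALUES
  ('2009-03-21T08:05', 'V100', 'bank_account', '****1234', '****9876', 'apclerk7'),
  ('2009-03-21T08:06', 'V200', 'phone', '602-555-0100', '602-555-0199', 'apclerk7'),
  ('2009-03-22T11:30', 'V200', 'bank_account', '****4444', '****5555', 'apuser3');
INSERT INTO sensitive_users VALUES ('apclerk7');
"""


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn


def config_deviations(conn):
    """Configurable controls whose live value differs from the approved baseline."""
    return conn.execute("""
        SELECT b.parameter, b.approved_value, c.value
        FROM config_baseline b JOIN config_current c ON c.parameter = b.parameter
        WHERE c.value <> b.approved_value
        ORDER BY b.parameter
    """).fetchall()


def config_changes_since(conn, last_run):
    """Configuration changes logged after the previous monitoring run.
    ISO timestamps sort lexically, so a string comparison is enough here."""
    return conn.execute("""
        SELECT changed_at, parameter, old_value, new_value, changed_by
        FROM config_changes WHERE changed_at > ? ORDER BY changed_at
    """, (last_run,)).fetchall()


# Assumed abbreviation table; a real implementation would use the postal standard.
_ABBREV = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "DRIVE": "DR", "SUITE": "STE"}


def normalize_address(text):
    """Fold case, punctuation and street-type words so that
    '12 Elm St., Tempe AZ' and '12 ELM STREET, TEMPE AZ' compare equal."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", text.upper()).split()
    return " ".join(_ABBREV.get(t, t) for t in tokens)


def vendor_employee_address_matches(conn):
    """Vendors whose address equals an employee's address after normalisation."""
    by_addr = {}
    for emp_id, addr in conn.execute("SELECT emp_id, address FROM employee_master"):
        by_addr.setdefault(normalize_address(addr), []).append(emp_id)
    hits = []
    for vendor_id, addr in conn.execute("SELECT vendor_id, address FROM vendor_master"):
        for emp_id in by_addr.get(normalize_address(addr), []):
            hits.append((vendor_id, emp_id))
    return sorted(hits)


PAYMENT_FIELDS = ("bank_account", "wire_routing", "swift_code")  # assumed field names


def payment_detail_changes(conn):
    """Every change to a vendor's payment details, classified by whether the user
    who made it holds sensitive access; both cases go to the review queue."""
    marks = ",".join("?" * len(PAYMENT_FIELDS))
    return conn.execute(f"""
        SELECT vc.changed_at, vc.vendor_id, vc.field, vc.changed_by,
               CASE WHEN su.user_id IS NULL THEN 'no sensitive access on record'
                    ELSE 'sensitive access used' END
        FROM vendor_changes vc LEFT JOIN sensitive_users su ON su.user_id = vc.changed_by
        WHERE vc.field IN ({marks})
        ORDER BY vc.changed_at
    """, PAYMENT_FIELDS).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("Baseline deviations:", config_deviations(db))
    print("Changes since last run:", config_changes_since(db, "2009-03-15T00:00"))
    print("Vendor/employee address matches:", vendor_employee_address_matches(db))
    print("Payment detail changes:", payment_detail_changes(db))
```

The change classified as "no sensitive access on record" is the more serious finding: either the preventive access control failed or the access inventory is stale, and both belong in the exception review rather than being filtered out because the user was not on the sensitive list.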

Page 12
Example CCM scenarios

Transaction Data
An exception is reported when a purchase order is created on the same day that goods were received for a transaction
An exception is reported when an invoice is approved by a person without sufficient authority
An exception is reported when a user with sensitive access rights inputs and posts an inventory adjustment
An exception is reported when a manual journal entry has unusual accounts and/or descriptors
An exception is reported when an employee receives more than one pay distribution in a pay period

A CCM strategy for Transaction Data provides Management with a proactive mechanism to identify potential control exceptions and fraudulent activity
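Three of the Transaction Data monitors above as an added example, not code from the presentation. Tables, IDs, users, amounts and dates are constructed sample data in SQLite. The purchase order check is widened from "same day" to "created on or after the receipt date" so that orders raised later to paper over a receipt are caught too, and the approval check treats an approver with no limit on file as having no authority rather than unlimited authority, which is the case a plain inner join against the limits table would silently drop:

```python
import sqlite3

# Constructed sample transactions: hypothetical IDs, users, amounts and dates.
# Not from the original presentation or from any real system.
SAMPLE_SQL = """
CREATE TABLE purchase_orders (po_id TEXT, created_on TEXT, created_by TEXT, amount REAL);
CREATE TABLE goods_receipts  (gr_id TEXT, po_id TEXT, received_on TEXT, received_by TEXT);
CREATE TABLE invoices        (inv_id TEXT, po_id TEXT, amount REAL, approved_by TEXT);
CREATE TABLE approval_limits (user_id TEXT, limit_amount REAL);
CREATE TABLE payroll         (pay_period TEXT, emp_id TEXT, amount REAL, run_id TEXT);

INSERT INTO purchase_orders VALUES
  ('PO1', '2009-03-02', 'buyer1', 5000),
  ('PO2', '2009-03-10', 'buyer2', 1200),   -- raised the day the goods arrived
  ('PO3', '2009-03-12', 'buyer1',  800);   -- raised after the goods arrived
INSERT INTO goods_receipts VALUES
  ('GR1', 'PO1', '2009-03-09', 'whse1'),
  ('GR2', 'PO2', '2009-03-10', 'whse1'),
  ('GR3', 'PO3', '2009-03-11', 'whse2');
INSERT INTO invoices VALUES
  ('INV1', 'PO1', 5000, 'mgr_a'),    -- within mgr_a's limit
  ('INV2', 'PO2', 1200, 'sup_b'),    -- above sup_b's limit
  ('INV3', 'PO3',  800, 'clerk_c');  -- clerk_c has no approval limit at all
INSERT INTO approval_limits VALUES ('mgr_a', 10000), ('sup_b', 1000);
INSERT INTO payroll VALUES
  ('2009-P05', 'E01', 2100, 'RUN-A'),
  ('2009-P05', 'E02', 1900, 'RUN-A'),
  ('2009-P05', 'E02', 1900, 'RUN-B'),   -- second distribution in the same period
  ('2009-P05', 'E03', 2500, 'RUN-A');
"""


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn


def after_the_fact_purchase_orders(conn):
    """Goods receipts whose PO was created on or after the receipt date
    (the deck's rule is same-day; 'on or after' also catches POs raised later)."""
    return conn.execute("""
        SELECT gr.gr_id, po.po_id, po.created_on, gr.received_on
        FROM goods_receipts gr JOIN purchase_orders po ON po.po_id = gr.po_id
        WHERE po.created_on >= gr.received_on
        ORDER BY gr.gr_id
    """).fetchall()


def invoices_beyond_approver_authority(conn):
    """Invoices approved by a user whose limit is below the amount. A user with
    no limit on file is treated as limit zero, not as unlimited (LEFT JOIN)."""
    return conn.execute("""
        SELECT i.inv_id, i.amount, i.approved_by, COALESCE(al.limit_amount, 0)
        FROM invoices i LEFT JOIN approval_limits al ON al.user_id = i.approved_by
        WHERE i.amount > COALESCE(al.limit_amount, 0)
        ORDER BY i.inv_id
    """).fetchall()


def duplicate_pay_distributions(conn):
    """Employees paid more than once in one pay period, with count and total."""
    return conn.execute("""
        SELECT pay_period, emp_id, COUNT(*), SUM(amount)
        FROM payroll GROUP BY pay_period, emp_id HAVING COUNT(*) > 1
        ORDER BY pay_period, emp_id
    """).fetchall()


MONITORS = {
    "after_the_fact_po": after_the_fact_purchase_orders,
    "approval_authority": invoices_beyond_approver_authority,
    "duplicate_pay": duplicate_pay_distributions,
}


def run_monitors(conn):
    """Run every monitor; the result is what an exception dashboard would ingest."""
    return {name: fn(conn) for name, fn in MONITORS.items()}


if __name__ == "__main__":
    for name, rows in run_monitors(build_sample_db()).items():
        print(name, rows)
```

Each monitor is a plain query over the transaction tables, so the same SQL can be scheduled daily against a reporting copy of the ERP and its rows written to the exception dashboard; the MONITORS registry is where new rules are added without touching the scheduler.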

Page 13
Sample CCM technologies in the market

CCM Tools (the table rated each against three Monitoring Capabilities: Segregation of Duties, Configurable Controls, Master File & Transaction Data):
ACL (Continuous Controls Monitoring Solution)
Approva
Aveksa
Blackline (Financial Statement Close Process)
IDEA
Oracle GRC (formerly Logical Apps)
Oversight
SAP GRC (formerly Virsa)

EY does not endorse any of these vendors or products listed above.

Page 14
Ernst & Young perspectives on CCM

Thoughtful evaluation of the CCM technologies and your needs is required to realize optimal results
Consider a holistic, risk based strategy when
implementing CCM
Consider using CCM to enhance compliance testing
requirements (SOX, PCI, HIPAA, etc.)
Sponsorship of the program is critical
Thorough analysis of the control exceptions is a critical
component to the success of a CCM program

Page 15
Continuous Controls Monitoring
Technical Session
Information Systems Audit and Control Association
Phoenix Chapter Meeting
March 26, 2009
Agenda

CCM implementation methodology

CCM knowledge sharing discussion

Sample CCM technologies

Project examples

Page 17
CCM implementation methodology

Phases, left to right: Identify, Diagnose, Design, Deliver, Sustain

Identify:
Identify key stakeholders
Co-develop expectations and identify strategic requirements
Set goals and determine requirements

Diagnose:
Assess current state maturity of controls
Assess IT readiness for implementation
Develop implementation blueprint and business case
Select CCM technology

Design:
Develop monitor requirements & specifications
Design future state CCM processes

Deliver:
Build monitors in CCM technology
Test results and refine monitor configurations
Implement monitors in production environment

Sustain:
Manage exception review activities
Monitor control dashboards
Continuous improvement and reporting to management

Underpinning all phases: Technical Infrastructure; Governance, Risk and Compliance

Page 18
CCM knowledge sharing discussion

Page 19
Group discussion questions

What are some of the areas in your company that can benefit from a CCM program?

What types of CCM projects have your companies undertaken?

What are some of the CCM technologies that your companies have used?

Page 20
Sample CCM technologies in the market (same table and non-endorsement note as on Page 14)

Page 21
Project example 1: Segregation of Duties technology evaluation project

Segregation of Duties (SoD) technology evaluation:
Identify the strategic, functional and technical requirements for a potential technology implementation to monitor user access for segregation of duties
Review the company's requirements against the capabilities of the SoD monitoring technologies available in the market
Perform a high-level review of existing ERP system architecture (table structures) and overall IT readiness
Perform preliminary cost/benefit analysis

Page 22
Project example 2: Segregation of Duties continuous monitoring technology implementation

Segregation of Duties (SoD) continuous monitoring:
Implemented by many leading companies during the last several years to automate compliance testing and periodic review processes
Effective way to address SOX compliance control deficiencies
Used a risk-based approach to set up rules to monitor user access for the most critical and sensitive areas of the application
Many of the monitoring technologies come with pre-built conflict rules for select ERPs, allowing for an efficient configuration process

Different approaches taken by leading companies:
Perform periodic analysis to identify and clean up SoD conflicts (detective control)
Identify SoD conflicts through integration with the user provisioning and role management process as user access is created/modified (preventive control)
Transaction monitoring: identify SoD violations through continuous monitoring of transactions for inappropriate behaviors

Page 23
Project example 3: CCM readiness assessment project

CCM assessment project:
Performed a comprehensive review of the company's existing SOX 404 controls, underlying business processes and IT environment to identify those controls that would be potential candidates for automation with a CCM solution
Considered current state testing strategies and exception trends
Identified manual controls that could be replaced by automated controls
Assessed overall CCM readiness and relative complexity to implement the monitoring opportunities

Project results:
Identified approximately 65% of the company's controls that could be automated with a CCM type solution. Most common areas included:
User access controls
Change management ITGCs
Journal entry and reconciliation automated workflow approval controls
Interface error alerts
Configurable control settings
Master file changes

Page 24
Project example 4: Transaction monitoring

Design and implement control monitors over transactions:
Considered existing data analytical procedures performed by the company (through use of Access, ACL and other simple queries) to identify potential monitoring opportunities
Analyzed different process areas for typical analytical procedures and fraud monitoring (procure to pay, inventory, payroll, journal entries, etc.)
Selected a few journal entry monitors for the pilot:
Journal entries with missing or unusual descriptions
Journal entries with round digit patterns
Journal entry approvals (preparer vs. approver)
Journal entries with unusual account pairings
Designed and implemented automated control monitors for the journal entry process using SQL Server and an exception management/dashboard tool
Next steps for the company: use Oversight technology's pre-built monitor logic to improve the efficiency of implementing and sustaining CCM efforts
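The four pilot journal entry monitors as an added example; this is not the company's or Oversight's code and not from the presentation, and it also covers the "unusual accounts and/or descriptors" scenario on Page 13. The deck's implementation ran on SQL Server; SQLite stands in here, with constructed accounts, entries, users and a company-defined list of suspicious account-class pairings. The 8-character minimum for a description, the list of generic descriptions and the 1,000 unit for "round" amounts are assumptions a real program would tune:

```python
import sqlite3

# Constructed sample journal entries: hypothetical accounts, users and amounts.
# Not from the original presentation or from any real ledger.
SAMPLE_SQL = """
CREATE TABLE accounts  (account TEXT, acct_class TEXT);
CREATE TABLE je_header (je_id TEXT, description TEXT, prepared_by TEXT, approved_by TEXT);
CREATE TABLE je_lines  (je_id TEXT, account TEXT, amount REAL);  -- debit +, credit -
CREATE TABLE suspicious_pairs (class_a TEXT, class_b TEXT);       -- company-defined

INSERT INTO accounts VALUES
  ('1000', 'CASH'), ('1200', 'RECEIVABLES'), ('2000', 'PAYABLES'),
  ('3100', 'EQUITY'), ('4000', 'REVENUE'), ('5000', 'EXPENSE');
INSERT INTO je_header VALUES
  ('JE1', 'March rent accrual',        'u1', 'u2'),
  ('JE2', '',                          'u3', 'u3'),   -- no description, self-approved
  ('JE3', 'adj',                       'u1', NULL),   -- generic description, unapproved
  ('JE4', 'Customer receipt batch 17', 'u4', 'u2');
INSERT INTO je_lines VALUES
  ('JE1', '5000', 4250),  ('JE1', '2000', -4250),
  ('JE2', '4000', 10000), ('JE2', '5000', -10000),  -- revenue moved straight to expense
  ('JE3', '1000', 250),   ('JE3', '1200', -250),
  ('JE4', '1000', 3000),  ('JE4', '1200', -3000);
INSERT INTO suspicious_pairs VALUES ('REVENUE', 'EXPENSE'), ('CASH', 'EQUITY');
"""

# Assumed list of descriptions that say nothing; tune to the company's ledger.
GENERIC_DESCRIPTIONS = {"ADJ", "ADJUSTMENT", "MISC", "CORRECTION", "TEST", "N/A"}


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn


def weak_descriptions(conn, min_len=8):
    """Entries with a missing description, or one that is generic or too short."""
    out = []
    for je_id, desc in conn.execute("SELECT je_id, description FROM je_header ORDER BY je_id"):
        text = (desc or "").strip()
        if not text:
            out.append((je_id, "missing"))
        elif text.upper() in GENERIC_DESCRIPTIONS or len(text) < min_len:
            out.append((je_id, "generic"))
    return out


def approval_exceptions(conn):
    """Entries approved by their own preparer, or never approved at all."""
    return conn.execute("""
        SELECT je_id, prepared_by, approved_by FROM je_header
        WHERE approved_by IS NULL OR approved_by = prepared_by ORDER BY je_id
    """).fetchall()


def round_amounts(conn, unit=1000):
    """Entries containing a line whose amount is an exact multiple of `unit`."""
    return conn.execute("""
        SELECT DISTINCT je_id, ABS(amount) FROM je_lines
        WHERE ABS(amount) >= ? AND CAST(ABS(amount) AS INTEGER) % ? = 0
        ORDER BY je_id
    """, (unit, unit)).fetchall()


def unusual_account_pairings(conn):
    """Entries whose lines touch a pair of account classes the company flagged."""
    return conn.execute("""
        SELECT DISTINCT l1.je_id, a1.acct_class, a2.acct_class
        FROM je_lines l1
        JOIN je_lines l2 ON l2.je_id = l1.je_id AND l1.account < l2.account
        JOIN accounts a1 ON a1.account = l1.account
        JOIN accounts a2 ON a2.account = l2.account
        JOIN suspicious_pairs sp
          ON (sp.class_a = a1.acct_class AND sp.class_b = a2.acct_class)
          OR (sp.class_a = a2.acct_class AND sp.class_b = a1.acct_class)
        ORDER BY l1.je_id
    """).fetchall()


def exceptions_by_entry(conn):
    """Pivot every monitor's hits into one row per entry, as a dashboard would show it."""
    hits = {}
    for name, rows in (("description", weak_descriptions(conn)),
                       ("approval", approval_exceptions(conn)),
                       ("round_amount", round_amounts(conn)),
                       ("account_pairing", unusual_account_pairings(conn))):
        for row in rows:
            hits.setdefault(row[0], []).append(name)
    return dict(sorted(hits.items()))


if __name__ == "__main__":
    for je_id, names in exceptions_by_entry(build_sample_db()).items():
        print(je_id, names)
```

Pivoting the hits per entry matters for the exception review step the deck calls critical: an entry that trips several monitors at once (no description, self-approved, round amount, revenue posted straight to expense) is a very different review item from one that merely has a round amount.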

Page 25
Ernst & Young www.ey.com

© 2009 EYGM Limited
All Rights Reserved.

The information contained within this document and any related oral presentation conducted
by Ernst & Young LLP (E&Y) contains proprietary information and may not be disclosed, used or
duplicated - in whole or in part - for any purpose without the express written consent of E&Y.
