Page 2
What is Continuous Controls Monitoring?
Page 3
Benefits from using CCM
Broader coverage
Increased frequency in testing of controls
Enhances fraud program activities
Scalability
Timely reporting of control violations
Greater value and impact of monitoring activities
Reduced cost of risk management and compliance activities
Page 4
How to approach a CCM strategy?
Questions to ask:
What are my pain points?
What are my drivers?
What do I want to monitor?
Who owns the process?
Who is at stake?
Page 5
Areas of Focus: Segregation of Duties
[Diagram: Internal Control Environment; Key Stakeholders; Segregation of Duties; Configurable Controls; Master File and Transaction Data]
Page 6
Areas of Focus: Configurable Controls
[Diagram: Internal Control Environment; Key Stakeholders; Segregation of Duties; Configurable Controls; Master File and Transaction Data; Information Security / IT General Controls]
Page 7
Areas of Focus: Master File and Transaction Data
[Diagram: Internal Control Environment; Key Stakeholders; Segregation of Duties; Configurable Controls; Master File and Transaction Data]
Page 8
CCM process
[Diagram: Integrated Controls Dashboard]
Page 9
Example CCM scenarios
Segregation of Duties
An exception is reported when a user is granted access to post inventory receipts and post inventory adjustments
An exception is reported when the monitor detects unauthorized access to change foreign currency treasury wire transfer information
Identifies segregation of duties conflicts before access is granted
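The three scenarios above can be expressed as one rule set that is run both over existing access (detective) and over a pending request (preventive). The sketch below is an added example, not part of the original presentation or of any CCM product; the role, entitlement and user names are constructed for illustration.

```python
"""SoD monitor sketch. All roles, users and entitlement names are constructed."""

ROLES = {  # role -> entitlements it grants (hypothetical)
    "warehouse_clerk": {"post_inventory_receipt"},
    "inventory_controller": {"post_inventory_adjustment"},
    "treasury_admin": {"change_fx_wire_transfer"},
}

# Pairs of entitlements that one user must not hold at the same time.
SOD_CONFLICTS = [("post_inventory_receipt", "post_inventory_adjustment")]

# Sensitive entitlements and the only users authorized to hold them.
SENSITIVE = {"change_fx_wire_transfer": {"dana"}}


def entitlements(roles):
    """Flatten a set of role names into the entitlements they grant."""
    return set().union(*(ROLES[r] for r in roles))


def exceptions_for(user, roles):
    """Return the exceptions one user's role set produces, sorted."""
    held = entitlements(roles)
    found = [("SOD_CONFLICT", user, f"{a}+{b}")
             for a, b in SOD_CONFLICTS if a in held and b in held]
    found += [("UNAUTHORIZED_SENSITIVE", user, e)
              for e in held if e in SENSITIVE and user not in SENSITIVE[e]]
    return sorted(found)


def detect(assignments):
    """Detective run: scan every current assignment."""
    return [x for user in sorted(assignments)
            for x in exceptions_for(user, assignments[user])]


def check_request(assignments, user, new_role):
    """Preventive run: exceptions a grant would add, evaluated before it is made."""
    current = assignments.get(user, set())
    before = set(exceptions_for(user, current))
    return [x for x in exceptions_for(user, current | {new_role})
            if x not in before]


ASSIGNMENTS = {  # constructed sample of current access
    "alice": {"warehouse_clerk", "inventory_controller"},
    "bob": {"warehouse_clerk", "treasury_admin"},
    "dana": {"treasury_admin"},
}

if __name__ == "__main__":
    for exc in detect(ASSIGNMENTS):
        print(exc)
    print(check_request(ASSIGNMENTS, "bob", "inventory_controller"))
```
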
Page 10
Example CCM scenarios
Configurable Controls
An exception is reported when the tolerance amount for the three-way match control for accounts payable invoices is changed
An exception is reported when the credit authorization approval control is turned off
Configurable control settings are analyzed against leading practice configurable settings for opportunities to strengthen the application control environment (i.e. payment block control)
Page 11
Example CCM scenarios
Page 12
Example CCM scenarios
Transaction Data
An exception is reported when a purchase order is created on the same day that goods were received for a transaction
An exception is reported when an invoice is approved by a person without sufficient authority
An exception is reported when a user with sensitive access rights inputs and posts an inventory adjustment
An exception is reported when a manual journal entry has unusual accounts and/or descriptors
An exception is reported when an employee receives more than one pay distribution in a pay period
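Three of the transaction monitors above, written as rules over extracted records. This is an added example, not code from the presentation; the record layouts, identifiers and approval limits are constructed, and the purchase-order rule is generalized to flag orders dated on or after the goods receipt rather than the same day only.

```python
"""Transaction-data monitors. Records, field names and limits are constructed."""
from collections import Counter
from datetime import date

APPROVAL_LIMITS = {"clerk": 1_000, "manager": 25_000}  # assumed authority matrix

PURCHASES = [  # (po_id, po_created, goods_received)
    ("PO-1", date(2009, 3, 2), date(2009, 3, 9)),
    ("PO-2", date(2009, 3, 5), date(2009, 3, 5)),
    ("PO-3", date(2009, 3, 12), date(2009, 3, 10)),
]
INVOICES = [  # (invoice_id, amount, approver, approver_level)
    ("INV-1", 800, "erin", "clerk"),
    ("INV-2", 4_200, "erin", "clerk"),
    ("INV-3", 4_200, "frank", "manager"),
    ("INV-4", 50, "gil", "contractor"),
]
PAYROLL = [  # (employee, pay_period), one row per pay distribution
    ("e100", "2009-P06"), ("e101", "2009-P06"),
    ("e100", "2009-P06"), ("e100", "2009-P07"),
]


def po_not_before_receipt(purchases):
    """POs created on or after the day the goods were received."""
    return [po for po, created, received in purchases if created >= received]


def over_authority(invoices, limits):
    """Invoices above the approver's limit; unknown levels have no authority."""
    return [inv for inv, amount, _who, level in invoices
            if amount > limits.get(level, 0)]


def duplicate_pay(payroll):
    """(employee, period) pairs with more than one pay distribution."""
    return sorted(key for key, n in Counter(payroll).items() if n > 1)


def run_monitors():
    """Run every monitor and return the exceptions keyed by control name."""
    return {
        "po_not_before_receipt": po_not_before_receipt(PURCHASES),
        "over_authority": over_authority(INVOICES, APPROVAL_LIMITS),
        "duplicate_pay": duplicate_pay(PAYROLL),
    }


if __name__ == "__main__":
    for control, hits in run_monitors().items():
        print(control, hits)
```
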
Page 13
Sample CCM technologies in the market
Monitoring Capabilities: Segregation of Duties; Configurable Controls; Master File & Transaction Data
CCM Tools:
ACL (Continuous Controls Monitoring Solution)
Approva
Aveksa
Blackline (Financial Statement Close Process)
IDEA
Oracle GRC (formerly Logical Apps)
Oversight
SAP GRC (formerly Virsa)
Page 14
Ernst & Young perspectives on CCM
Page 15
Continuous Controls Monitoring
Technical Session
Information Systems Audit and Control Association
Phoenix Chapter Meeting
March 26, 2009
Agenda
Project examples
Page 17
CCM implementation methodology
[Diagram: Select CCM technology; Technical Infrastructure]
Page 18
CCM knowledge sharing discussion
Page 19
Group discussion questions
Page 21
Project example 1: Segregation of Duties technology evaluation project
Segregation of Duties (SoD) technology evaluation:
Identify the strategic, functional and technical requirements for a potential technology implementation to monitor user access for segregation of duties
Review the company's requirements against the capabilities of the SoD monitoring technologies available in the market
Perform a high-level review of existing ERP system architecture (table structures) and overall IT readiness
Perform preliminary cost/benefit analysis
Page 22
Project example 2: Segregation of Duties continuous monitoring technology implementation
Page 23
Project example 3: CCM readiness assessment project
CCM assessment project:
Performed a comprehensive review of the company's existing SOX 404 controls, underlying business processes and IT environment to identify those controls that would be potential candidates for automation with a CCM solution
Considered current state testing strategies and exception trends
Identified manual controls that could be replaced by automated controls
Assessed overall CCM readiness and relative complexity to implement the monitoring opportunities
Project results:
Identified approximately 65% of the company's controls that could be automated with a CCM type solution. Most common areas included:
User access controls
Change management ITGCs
Journal entry and reconciliation automated workflow approval controls
Interface error alerts
Configurable control settings
Master file changes
Page 24
Project example 4: Transaction monitoring
Page 25
Ernst & Young www.ey.com
The information contained within this document and any related oral presentation conducted
by Ernst & Young LLP (E&Y) contains proprietary information and may not be disclosed, used or
duplicated - in whole or in part - for any purpose without the express written consent of E&Y.