
Identify Financial Risks with Audit Analytics

by John Verver, ACL.

In a previous article, we looked at how internal audit's knowledge of data analysis technology could help the business to identify financial control risks, compliance failures and problems in business transactions. The vision for an increasing number of organizations is for the ongoing testing of entire sets of financial transactions against a comprehensive range of controls and compliance requirements.

The objective is not to inundate business and financial managers with masses of data on exceptions for investigation, but rather to provide valuable insights into trends and areas where control issues are becoming of significant concern – as well as to highlight high risk transactions and specific instances of fraud, error and abuse that need to be addressed.

While internal audit is often the initiator in developing these capabilities as part of a process to improve the efficiency and effectiveness of the audit process, it is not the responsibility of auditors to monitor business processes and transactions. Business management is responsible for managing risks and for the effectiveness of internal control mechanisms, but they seldom have experience in using data analysis technology to support them in this process. In organizations where internal audit has demonstrated the value of continuous auditing techniques, much of the groundwork has often already been performed and it can be a relatively straightforward process for management to take over the responsibility for performing continuous monitoring techniques.

The term "continuous monitoring" was rarely used by business finance managers prior to Sarbanes-Oxley. The concept of continuous controls monitoring arose, in the finance arena at least, primarily as a response to SOX shining a spotlight on management's responsibility for financial controls. Since then, there has been debate as to whether the objective is to directly test controls or transactions themselves, as well as over the meaning of "continuous." For an increasing number of organizations, the outcome of this debate has become quite clear and can be expressed as follows:

There is value in regularly testing financial transactions in order to:
- help ensure that effective control systems are in place;
- identify suspect and high-risk transactions on a timely basis;
- detect trends of changing financial control risks.

The practical question is how to implement transaction monitoring techniques in a cost-effective and efficient manner. The answer is to identify the basic people, process and technology components that need to be in place. Let's consider some of these.

Data Access and Data Repositories

The data required to perform transaction testing and monitoring is usually a very small subset of the data maintained within an ERP system. Let's take parts of the purchase-to-pay process as examples. Typical financial control risks in the purchase-to-pay process could be that payments are being made to vendor accounts fraudulently set up by employees, or that duplicate payments are occurring because of deliberate or accidental duplicate invoice entries. Determining whether such activities have occurred within an SAP or Oracle Financials system requires access to probably only 20 data elements contained in a handful of data tables – a very small subset of the many thousands of data tables in a typical SAP implementation.

The most common approach is to use audit analytic technology to extract this data directly from the ERP system and store the transactions in a data repository. This is the data used by the transaction monitoring tests to determine whether problems exist.

The argument is sometimes put forward that a data warehouse used for business intelligence (BI) reporting could be used. However, in practice, BI data warehouses do not contain the detailed transaction and master file data that is required for financial controls testing.

Transaction and Control Tests

The process used to select specific financial monitoring tests is usually based on a prioritization of the most likely risks. Consider, for example, the likelihood of a problem occurring with duplicate payments. Although most ERP systems have controls that prevent the same invoice number being entered for the same vendor, are there system controls in place that would detect an invoice being entered twice with a slightly different invoice number or modified vendor name? In practice, there are five or six different ways in which the analysis of invoice payment transactions can be used to detect whether a duplicate invoice control has been circumvented.
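As an added illustration (not code from the article or from ACL), the sketch below implements one such test: payments of the same amount whose vendor names nearly match and whose invoice numbers are identical once letters, punctuation and leading zeros are stripped. The field names, the sample payments, the suffix list and the 0.85 similarity threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample payments (not taken from any real ERP system).
PAYMENTS = [
    {"id": 1, "vendor": "Acme Industrial Ltd.", "invoice": "INV-10045", "amount": 1250.00},
    {"id": 2, "vendor": "ACME Industrial Limited", "invoice": "INV10045", "amount": 1250.00},
    {"id": 3, "vendor": "Northwind Supplies", "invoice": "7731", "amount": 410.50},
    {"id": 4, "vendor": "Northwind Suplies", "invoice": "7731A", "amount": 410.50},
    {"id": 5, "vendor": "Borealis Freight", "invoice": "BF-220", "amount": 410.50},
    {"id": 6, "vendor": "Acme Industrial Ltd.", "invoice": "INV-10046", "amount": 1250.00},
]

# Assumed list of legal-form suffixes to ignore when comparing vendor names.
LEGAL_SUFFIXES = {"ltd", "limited", "inc", "incorporated", "llc", "corp", "co", "gmbh"}

def norm_vendor(name):
    """Lower-case, drop punctuation and legal-form suffixes."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in LEGAL_SUFFIXES)

def norm_invoice(number):
    """Keep digits only (no leading zeros); fall back to alphanumerics."""
    digits = re.sub(r"\D", "", number).lstrip("0")
    return digits or re.sub(r"[^A-Z0-9]", "", number.upper())

def find_suspect_duplicates(payments, vendor_threshold=0.85):
    """Return (id, id) pairs that look like the same invoice paid twice."""
    by_amount = defaultdict(list)
    for p in payments:
        by_amount[round(p["amount"], 2)].append(p)  # only compare equal amounts
    suspects = []
    for group in by_amount.values():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                same_invoice = norm_invoice(a["invoice"]) == norm_invoice(b["invoice"])
                vendor_score = SequenceMatcher(
                    None, norm_vendor(a["vendor"]), norm_vendor(b["vendor"])).ratio()
                if same_invoice and vendor_score >= vendor_threshold:
                    suspects.append((a["id"], b["id"]))
    return suspects

if __name__ == "__main__":
    for pair in find_suspect_duplicates(PAYMENTS):
        print("review payments", pair)
```

Payment 6 is not flagged against payment 1: consecutive invoice numbers from the same vendor for the same amount are treated as distinct invoices by this particular test.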

The usual place to start is to identify the, say, top 10 tests within a given business process area that are likely to detect control weaknesses that could have a significant financial or regulatory compliance impact.

Over time, once the value of specific tests is determined, the best approach is to develop a library of tests, using appropriate audit and control analysis software, that can be run as required against updated data in the data repository.


Producing detailed analyses of suspect transactions can be a valuable part of the transaction monitoring process. However, the most important value is usually obtained through the production and distribution of summary reports and visual analyses of the results of monitoring over time. This is how trends in control risks and suspect transactions can be used to support the risk management process overall. By highlighting regional locations or stages in the business process in which exceptions most frequently arise, management is able to respond appropriately and avoid the risks of escalating control issues.

One of the key advantages of implementing a continuous transaction monitoring system is that it does not have to involve a "big-bang" rollout. Most organizations achieve the greatest benefits by starting small, proving the value and growing incrementally, either within a business process area or into new ones.


John Verver, CA, CISA, CMC is vice president, product strategy and alliances with ACL and a longtime proponent of the role of technology in audit, compliance and continuous controls monitoring. He is currently a member of the advisory board of the Continuous Auditing Research Laboratory at Rutgers University.

First published on BusinessFinance
Source: www.businessfinancemag.com/article/identify-financial-risks-audit-analytics-0402

Tuesday, April 10, 2012
