
Practical Issues of Implementing Continuous Assurance Systems
Presented by John Verver CA, CISA, CMC
to the 5th Continuous Assurance Symposium
November 22-23 2002
Implementing Continuous Assurance Systems
 Status of use of continuous assurance implementations.
 What is meant by “continuous”?
 The practical issues of integrating continuous auditing/monitoring procedures with the data and the underlying application.
 Defining the control parameters to be tested.
 Setting the thresholds for reporting and priorities for notifications.
 Software functionality required to support continuous monitoring.
Continuous Assurance Systems
Status of continuous assurance implementations within the ACL user base:
 ACL user base includes over 150,000 licensed users:
 The Final 4
 89 of the Fortune 100
 44% of the Global 500
 30+ national governments and virtually all US state governments
 Very few organizations have fully embedded and automated continuous auditing/monitoring applications
 Most “Continuous Monitoring applications” are simply a series of automated data analysis tests that are run on a regular basis and are manually initiated - not true continuous applications, e.g.:
 Detecting indicators of fraud
 Identifying duplicate and other overpayments
Continuous Assurance Systems
“Continuous” Assurance Applications:
 Automated analyses that test transactional data against defined control parameters/rules
 Generally independent of the underlying business application system
 Run automatically on a daily / weekly basis (occasionally more frequently)
 Automatically generate exception reports / alerts
 Detective more than preventative
Continuous Assurance Systems
Most common application areas among ACL user base:
General business process:
 Purchase / Payments cycle
 Vendor fraud
 Expense claims
Industry-specific
 Money laundering, anti-terrorist legislation
 Insurance claims
 Medicare/Medicaid compliance
Continuous Monitoring Application
[Diagram: a payments system feeding a separate continuous monitoring system, which runs an independent, comprehensive series of control tests against the payments data]
Continuous Assurance Systems
Why are they needed?
 Confirmation that controls built into application systems are operating effectively
 Make up for lack of controls in application systems
Continuous Assurance Systems
Getting to the data:
 Direct access vs extract
 Direct access to mainframe / server data usually preferable
 Data extract may be preferable to minimise processing impact
 Define the “data slice”
 Decide on the point at which to take the slice (Time-based? Process-based? - depends on the underlying application system and the timing of the CA process)
 Ensure that all transactions are captured since the last test process
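The choice between a time-based and a process-based slice decides whether "all transactions since the last test" is actually true. The example below is added here and is not code from the deck or from ACL: it builds a constructed in-memory stand-in for a daily account history file (sqlite3, with an assumed `ingest_seq` column that the capture process assigns monotonically as rows land) and compares the two slicing strategies. A transaction that arrives after the previous run but carries an earlier business date is invisible to a date cut-off and is caught by the sequence watermark; the completeness check at the end is the control a practitioner runs to prove which is the case for their feed.

```python
import sqlite3

# Constructed sample rows standing in for a "Daily Account History" file (not from the
# original deck). ingest_seq is an assumed monotonic sequence stamped as each row lands in
# the file; post_date is the business date carried on the transaction itself.
SAMPLE_ROWS = [
    # (txn_id, account, amount, post_date, ingest_seq)
    ("T1001", "ACC-1", 1200.00, "2002-11-20", 1),
    ("T1002", "ACC-2", 9500.00, "2002-11-20", 2),
    ("T1003", "ACC-1", 300.00, "2002-11-21", 3),
    # Back-dated posting: landed in the file after the previous run but carries an
    # earlier business date, so a date-based slice never sees it.
    ("T1004", "ACC-3", 9900.00, "2002-11-20", 4),
    ("T1005", "ACC-2", 45.00, "2002-11-22", 5),
]


def load_history(rows):
    """Build an in-memory stand-in for the account history file."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE history (txn_id TEXT PRIMARY KEY, account TEXT, amount REAL, "
        "post_date TEXT, ingest_seq INTEGER)"
    )
    conn.executemany("INSERT INTO history VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def slice_by_date(conn, last_date):
    """Time-based slice: rows whose business date is later than the last run's cut-off."""
    cur = conn.execute(
        "SELECT txn_id FROM history WHERE post_date > ? ORDER BY post_date, txn_id",
        (last_date,),
    )
    return [row[0] for row in cur]


def slice_by_seq(conn, last_seq):
    """Process-based slice: rows ingested since the sequence watermark persisted at the
    end of the previous run. Returns (ids, new_watermark). Persist new_watermark only
    after the monitoring run has completed, otherwise a failed run loses transactions."""
    rows = conn.execute(
        "SELECT txn_id, ingest_seq FROM history WHERE ingest_seq > ? ORDER BY ingest_seq",
        (last_seq,),
    ).fetchall()
    new_watermark = rows[-1][1] if rows else last_seq
    return [row[0] for row in rows], new_watermark


def completeness_check(conn, last_date, last_seq):
    """Control over the control: transactions the process-based slice captured that the
    time-based slice would skip. Non-empty means a date cut-off is unsafe for this feed."""
    seq_ids, _ = slice_by_seq(conn, last_seq)
    return sorted(set(seq_ids) - set(slice_by_date(conn, last_date)))


if __name__ == "__main__":
    conn = load_history(SAMPLE_ROWS)
    # The previous run processed up to business date 2002-11-21 / ingest_seq 3.
    print("date slice:", slice_by_date(conn, "2002-11-21"))
    print("seq slice :", slice_by_seq(conn, 3))
    print("missed    :", completeness_check(conn, "2002-11-21", 3))
```

If the source system offers no monotonic sequence, the usual fallback is a date slice with an overlap (re-read the last day or two) and de-duplication on the transaction key, which trades a larger extract for completeness.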
Continuous Assurance Systems
Money-laundering application
[Diagram: daily extract / monitoring process]
 Source data: DDA files (DB/2) - customer names, account master, daily account history - read through ACL for OS/390 Client Server
 Control parameters defined within the ACL “rules-engine”, with an ACL for Windows client
 ACL daily extract / monitoring process launched by JCL and Windows schedulers; a processing log is kept
 Reports and alerts distributed by e-mail, split into lower priority reports and high priority alerts
 Lower priority reports are used to adjust alert sensitivity
 High priority alerts are written to a file of suspect transactions for additional analysis by ACL
Continuous Assurance Systems
Establishing the control parameters:
 Identify specific control exposures
 Identify indicators of risk
 Use transactional analysis to determine whether conditions exist for which no controls have been designed or no risks identified
 Define specific control parameters / tests
 Establish sensitivity thresholds for reporting and alerts
 “Scoring/weighting” of events dependent upon the combination of control parameters that are failed and indicators of risk
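The "Continuous Assurance Applications" slide describes automated tests of transactional data against defined rules that produce exception reports and alerts, and the slide above describes how those rules are parameterised, scored and thresholded. The example below is added here to show both together; it is not code from the deck or from ACL. It runs three purchase/payments-cycle tests (duplicate payment, payment just under an approval limit, several near-limit payments to one vendor, vendor missing from the master file) over constructed payments, sums the weights of the indicators each payment fails, and maps the score to a high priority alert or a lower priority report. The approval limit, the weights and both thresholds are assumptions standing in for the parameters menu, and re-running with a higher alert threshold shows what "adjust alert sensitivity" does to the output.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    pay_id: str
    vendor: str
    invoice: str
    amount: float
    vendor_in_master: bool  # does the vendor exist in the vendor master file?


# Constructed sample payments (not from the original deck).
PAYMENTS = [
    Payment("P1", "V100", "INV-1", 3200.00, True),
    Payment("P2", "V100", "INV-1", 3200.00, True),   # same vendor/invoice/amount as P1
    Payment("P3", "V200", "INV-7", 4990.00, True),   # just under the approval limit
    Payment("P4", "V200", "INV-8", 4990.00, True),   # second near-limit payment, same vendor
    Payment("P5", "V300", "INV-9", 120.00, False),   # vendor missing from the master file
    Payment("P6", "V400", "INV-2", 75.00, True),
]

# Control parameters: assumed values of the kind a reviewer tunes from a parameters menu.
PARAMS = {
    "approval_limit": 5000.00,   # single-approver limit in the payments system (assumed)
    "near_limit_pct": 0.05,      # "near" = within 5% below the limit
    "alert_threshold": 60,       # score at or above this -> high priority alert
    "report_threshold": 20,      # score at or above this -> lower priority report
}

# Assumed weight of each failed control parameter / risk indicator.
WEIGHTS = {"duplicate": 60, "near_limit": 25, "split_pattern": 40, "unknown_vendor": 40}


def classify(score, params):
    """Map a score to a notification priority using the sensitivity thresholds."""
    if score >= params["alert_threshold"]:
        return "alert"
    if score >= params["report_threshold"]:
        return "report"
    return None


def run_controls(payments, params=PARAMS, weights=WEIGHTS):
    """Test every payment against the control parameters, score the failures and
    classify each one. Returns {pay_id: (priority, score, [failed indicators])} for
    payments that reach at least the report threshold."""
    dup_counts = Counter((p.vendor, p.invoice, round(p.amount, 2)) for p in payments)
    near_floor = params["approval_limit"] * (1 - params["near_limit_pct"])

    def is_near_limit(p):
        return near_floor <= p.amount < params["approval_limit"]

    near_by_vendor = Counter(p.vendor for p in payments if is_near_limit(p))

    findings = {}
    for p in payments:
        failed = []
        if dup_counts[(p.vendor, p.invoice, round(p.amount, 2))] > 1:
            failed.append("duplicate")          # possible duplicate / overpayment
        if is_near_limit(p):
            failed.append("near_limit")         # sits just below the approval limit
            if near_by_vendor[p.vendor] > 1:
                failed.append("split_pattern")  # several near-limit payments to one vendor
        if not p.vendor_in_master:
            failed.append("unknown_vendor")     # paid without a vendor master record
        score = sum(weights[f] for f in failed)
        priority = classify(score, params)
        if priority:
            findings[p.pay_id] = (priority, score, failed)
    return findings


def suspect_file(findings):
    """The 'file of suspect transactions' handed on for additional analysis: only the
    high priority alerts, highest score first, ties broken by payment id."""
    alerts = [(pid, f) for pid, f in findings.items() if f[0] == "alert"]
    return [pid for pid, f in sorted(alerts, key=lambda x: (-x[1][1], x[0]))]


if __name__ == "__main__":
    findings = run_controls(PAYMENTS)
    for pid, (priority, score, failed) in findings.items():
        print(pid, priority, score, failed)
    print("suspect file:", suspect_file(findings))
    # Lower the sensitivity: the same data now produces reports only.
    print("tuned:", suspect_file(run_controls(PAYMENTS, {**PARAMS, "alert_threshold": 70})))
```

The tests here are detective, as the deck notes: nothing blocks the payment, the output is an exception list. Keeping the parameters in one structure separate from the test logic is what makes the sensitivity tunable without editing the rules.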
Continuous Assurance Systems
ACL functionality that supports Continuous Assurance applications:
 Analytical and inquiry processes that support audit and control procedures
 Direct data access, e.g.
 ACL OS/390 Client Server
 Direct Link for SAP R/3
 ODBC-compliant databases
 NOTIFY - e-mail notification of reports and alerts
 Complete logging of processes
 Definition of control parameters (“rules-engine”)
 Development of interactive and automated applications
Example of interface for tuning monitoring parameters
[Screenshot. Note: this amount can be modified from the parameters menu.]
Example of ACL Notify command
[Screenshot]