KPMG EMA CACM Survey (2012)

651 views

Published on

Published in: Business, Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
651
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
16
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

KPMG EMA CACM Survey (2012)

  1. 1. © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.Continuous auditingand continuousmonitoring:The current status andthe road aheadKPMG’s EMAregion surveyDecember 2012
  2. 2. 2 | Continuous auditing and continuous monitoring: The current status and the road ahead© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.
  3. 3. Introduction 4Executive Summary 5About the survey 6Are the potential benefits of CA/CM well understood? 8Which processes benefit most from CA/CM? 10Who are the initiators and beneficiaries? 12Current and future state of adoption 14Barriers to adoption 16Past and future investments 18Do technology and tooling provide adequate support? 20How KPMG can help 22Contacts 23ContentsContinuous auditing and continuous monitoring: The current status and the road ahead | 3© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.
  4. 4. © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.4 | Continuous auditing and continuous monitoring: The current status and the road aheadIntroductionIn general, CA/CM seeks to addvalue by improving compliance andsupporting business goals. Froma technology perspective, CA/CMenables a high degree of automationto monitor systems and data, andimplements closed-loop mechanismsfor any exceptions detected. As amonitoring mechanism, CA/CM helpsto detect irregularities in systemconfigurations, processes and data,either from a risk or a performanceperspective. Potential benefits ofCA/CM include:• Enhanced and more timely oversightof compliance across the enterprise;• Improved efficiency andeffectiveness of the controlenvironment through automation,leading to cost-reductionopportunities;• Business improvement throughreduced errors and improved errorremediation, allowing reallocation ofresources to value-adding activities;• The ability to report morecomprehensively on compliancewith internal and regulatoryrequirements.The purpose of this document is tosummarise the results of a surveyconducted in 2012 across Europe,the Middle East and Africa. It exploresthe potential benefits of employingCA/CM in the current economicclimate and gauges how advanced theirimplementation is. The target groupconsisted primarily of company officialswhose daily activities are currentlysupported by CA/CM- related tools, orofficials who hold functions in whichCA/CM may play an important role inthe future. Examples of these typesof functions are boards of directors,finance, operational/line management,internal control and internal audit.A word of thanksWe would like to thank all the differentparties involved in this paper. Wewould especially like to thank all theparticipants in this survey, whosevaluable insight into the current andfuture status of CA/CM within theirorganisations forms the basis ofthis white paper. Special thanks arealso due to Koen Rombauts, BertScherrenburg, Barbara Legg, Mauriceop het Veld and Peter Paul Brouwers,all from KPMG the Netherlands, forconducting the survey and draftingthis white paper.Defining CA and CM Continuous auditing (CA) is thecollection of audit evidence andindicators by either the externalauditor or the internal auditor ininformation technology (IT)systems, processes, transactionsand controls on a frequent orcontinuous basis throughout aperiod. Continuous monitoring (CM) isa feedback mechanism used bymanagement to ensure thatcontrols operate as designed andthat transactions are processedas described. This monitoringmethod is the responsibility ofmanagement and can form animportant component of theinternal control structure.Definitions taken from KPMG LLP’sContinuous Auditing and Continuous Monitoring:Transforming Internal Audit and ManagementMonitoring to Create Value, 2008New board and regulatory pressures, cost and efficiencyconsiderations and the emergence of new business risks arehelping to change the scope of risk and performance management.In this shifting scope, continuous auditing (‘CA’) and continuousmonitoring (‘CM’) will have an increasing role to play.
  5. 5. © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.Continuous auditing and continuous monitoring: The current status and the road ahead | 5Executive SummaryCA/CM is winning ground withinorganisations that aim for continuouscontrol and continuous performance.The level of awareness, the increasingavailability of tools and the aimfor greater efficiency in assuranceare important drivers for furtherinvestigation into what CA/CM canbring to the organisation.This report summarises the outcomeof a survey which examined theawareness about and the current andfuture status of CA/CM across Europe,the Middle East and Africa. The keyobservations are:• Respondents do understand thebenefits of CA and CM. They realisethat CA aims to bring comprehensiveassurance with greater coverageacross the organisation (89% of therespondents). Many believe CA willalso facilitate real-time operationalassurance (81%) and a reducedburden for line management (74%).CM is set up to detect and correctprocess irregularities and helps toidentify process improvements(90%); Page 8• CA/CM is considered to bemost valuable in scenarios whereprocesses are repetitive andsusceptible to risk e.g. financialmanagement reporting (82%).These processes are oftentransaction-based supported byapplications with structured data; Page 10• Eighty five percent of therespondents stated that the internal auditors introducedCA/CM into the organisation andthat they are also seen as its mainbeneficiary (87%). Operational/line management is not oftenthe initiator (59%) of CA/CM butcertainly enjoys its benefits (87%); Page 12• The current state of adoption is low.Only 9% of respondents have bothCA and CM embedded across theirorganisation. However, a remarkable83% have at least consideredimplementing CA/CM; Page 14• Respondents consider the limitedinsight into the CA/CM toolingavailable on the market as thelargest barrier to the adoption ofCA/CM (69%). It is not alwaysclear what suitable CA/CM toolingshould consist of; Page 16• Organisations are changing positionfrom just being interested in CA/CM to actually investing in CA/CM-related projects. In the nexttwo years, the percentage oforganisations that are not investingin CA/CM will decline from 37%to 19%, while 62% expect tocommence projects valued at upto €250,000. Page 18KPMG’s visionOrganisations should realise thateffective implementation of CA/CMcan take time and effort. A variety ofchallenges can be expected along theway. No matter how they choose tolaunch the effort, organisations shouldlook to define the desired end-state fortheir CA/CM efforts.Organisations should understandthat CA/CM is not only aboutimplementing tooling, it is a changein the way of working where youhave to redefine your objectives,roles and responsibilities and the wayto handle the outcome. Moreover,implementing CA/CM is aboutunderstanding the extent to which CA/CM can transform processes, risk andcontrols, technology, and people in anintegrated way. When implementingCA/CM, organisations typically followseveral stages of maturity, startingwith the introduction of data analyticstechniques to support existing manualprocedures. Depending on the driversbehind CA/CM, the end state maybe CA/CM systems that are fullyembedded and used throughoutorganisations.Together, CA and CM provide insightand transparency for continuouscontrol and performance improvement.Therefore CA and CM must beperceived as long-term, systematicapproaches rather than short-termmeasures.Based on our practical experienceswith supporting the implementationof several CA/CM frameworks we atKPMG strongly believe that this willdefinitely be a way forward to creategreater transparency in an efficient andsustainable way.
  6. 6. © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.About the survey6 | Continuous auditing and continuous monitoring: The current status and the road aheadWithin these regions, the respondentswere from the 32 following countries:Western Europe Eastern Europe Middle East Africa- Andorra- Austria- Belgium- Finland- France- Germany- Italy- Luxembourg- The Netherlands- Norway- Portugal- Spain- Switzerland- United Kingdom- Bulgaria- Greece- Hungary- Moldova- Poland- Romania- Slovakia- Turkey- Bahrain- India- Qatar- Saudi Arabia- United Arab Emirates- Yemen- Guinea-Bissau- Kenya- Nigeria- South AfricaWestern EuropeEastern Europe incl TurkeyMiddle EastAfrica68%4%4%24%Survey questions included thefollowing:• What are the benefits of CA/CM?• Who are the initiators of CA/CMand who benefits most?• How much capital needs to beinvested?• What are the barriers to adoption?• What future does CA/CM have?Representation of regions andcountriesMost of the respondents by far werefrom Western Europe (68%) andEastern Europe including Turkey (24%).Nevertheless, respondents from theMiddle East and Africa (both 4%) arealso included in the survey results.Analysis of the survey results showedthat there are not many significantdifferences between the various regions.As a result of this, the outcome of thesurvey and analysis as included in thiswhite paper represents the whole EMAregion.The KPMG online survey was rolled out across the EMAregion (Europe, Middle East, and Africa) in 2012 andcontains responses from 718 individuals. The respondentsare primarily from internal audit as well as from boards ofdirectors, CFOs, operational/line management, finance andrisk management professionals.
  7. 7. Continuous auditing and continuous monitoring: The current status and the road ahead | 7© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.Less than € 50 million€ 50 million - € 250 million€ 250 million - € 1 billionGreater than € 1 billion36%24%21%19%Financial servicesIndustrial marketsInfrastructure, government, healthConsumer marketsTechnology, media, telecoms29%26%20%15%10%First lineSecond lineThird line37%13%50%Size of organisations respondingto the surveyThirty six percent of respondents werefrom organisations with a turnoverexceeding €1 billion and 24% fromorganisations with a turnover rangingbetween €250 million and €1 billion.Cross section of sectorsThe respondents represented across section of industry sectors,including: financial services (29%),industrial markets (26%), infrastructure,government and health (20%),consumer markets (15%), andtechnology, media, telecoms (10%).Representation of lines of defenceOf the respondents, 37% were fromthe first line of defence (boards ofdirectors, CEO, CFO, finance,operational/line management, IT); 13%were from the second line of defence(risk management, internal control andcompliance); 50% of the respondentswere from internal audit (third line ofdefence).Business owners:first line of defenceCompliance regulators:second line of defenceAssurance providers:third line of defenceBusiness owners have risk contentownership. They are responsiblefor identifying and managingrisks incurred over the course ofdaily business. Such risks canbe operational in nature or maybe associated with finance andcompliance. The risks may representdiscrete events rather than ongoingexposure. In addition to complyingwith risk-management policies,business owners are expectedto identify and assess emergingexposure.Standard setters own risk processesand specific monitoring responsibilities.They establish policies and procedureshandling risk; provide guidance andcoordination among all stakeholders;identify enterprise trends, synergies,and opportunities for a change; andoperationalize new events. In additionto facilitating critical liaison betweenbusiness owners and assuranceproviders, standard setters provideoversight within specific risk areas(such as credit), and in terms ofspecific enterprise objectives(such as compliance).Assurance providers ensure thatthe company is achieving businessobjectives, mitigating and managingrisks, and optimizing risk managementprocess effectiveness. Internal Auditoften serves as the primary assuranceprovider in the third line of defensefor many companies. Assuranceproviders are responsible for settingstandards for risk management,ensuring that these are wellunderstood, broadly embraced, andadequate for the company’s needs.Assurance providers liaise with seniormanagement or the corporate boardto enable visibility into enterprise riskmanagement activities.Source: KPMG.com – Leveraging data analytics and continuous auditing processes for improved audit planning, effectiveness and efficiency.
  8. 8. 8 | Continuous auditing and continuous monitoring: The current status and the road ahead© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.CA is designed to result in comprehensive assurance with greatercoverage across the organisation. CM detects and correctsprocess irregularities and helps implement process improvements.Many believe CA will also facilitate real-time operational assuranceand reduce the burden for line management.Based on the survey:Respondents do understand thebenefits of CA and CM. They realisethat CA provides more assurancewith greater coverage and depth andthat it enables real-time operationalassurance. However, organisations areless likely to take into considerationthat CA can also lower costs. ThisAre the potential benefitsof CA/CM well understood?8 | Continuous auditing and continuous monitoring: The current status and the road aheadProvides more assurance with greater coverage and depthEnables real-time operational assurance to be obtainedregarding business processes/activitiesReduces burden for line management to facilitate audit activities(e.g. no or limited interviews, walkthroughs etc.)Reduces internal audit costsReduces external audit costsCA is not/will not be adopted, so this question is notrelevant for my organisationMain drivers of CA adoption for an organisation89%81%74%56%53%41%Enables identification of process irregularities andimplementation of process improvements on a continuous basisImproves transparency/reporting requirements from board/managementTransfers the responsibility regarding detecting andcorrecting of irregularities to the business processes itselfComplies with applicable legislation and regulations(e.g. anti-bribery, export controls)Reduces compliance costsAchieves competitive advantagesMain drivers of CM adoption for an organisationindicates a short-term perception thatrelatively high up-front investments areneeded while the long-term benefits ofCA are not yet fully understood.Overall, the survey results reflect thatrespondents understand what CM canbring to the organisation i.e. it enablesidentification of process irregularitieson a continuous basis. Moreover, ittransfers the responsibility regardingdetecting and correcting irregularitiesonto the business itself. However, only64% of respondents believed that CMwill result in the organisation achievingcompetitive advantages.90%84%84%78%69%64%
  9. 9. Clearly, many organisations are awareof the drivers of CA/CM. However,understanding the benefits of CA/CM alone cannot drive it forward.Strategic drivers include the pressureto strengthen governance, enhanceperformance and accountability andthe ability to improve visibility overglobal operations. Operational driversinclude the occurrence or risk offraud and misconduct and processimprovement through the identificationof irregularities on a continuous basis.External drivers include the expandingregulatory and risk environment,scrutiny from rating agencies, and anuncertain economic environment.Since CA/CM does not alwaysnecessarily result in immediate anddirect operational/strategic results,organisations find it hard to appreciatethe competitive advantage of CA/CM.KPMG analysisPastAssurance mainlydelivered by internal auditCurrent/futureHigher level of managementassurance via effective internalcontrol frameworkNo surprisesManagementassessment(1stline of defence)Managementassessment(1stline of defence)Internal control /Risk management(2ndline of defence)Internal control /Risk management(2ndline of defence)Internal audit (3rdline of defence) Internal audit (3rdline of defence)• Based on real facts• Less manual interpretation/intervention• Flexible reporting (overview & detailed reporting)• Automatic of (data) analysis• Re-usable by internal/externalaudit• Reducing manual procedures• Real time insights• High level of detail• Less human interpretation&Increased transparencyReducing cost of complianceContinuous auditing and continuous monitoring: The current status and the road ahead | 9© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.
  10. 10. 10 | Continuous auditing and continuous monitoring: The current status and the road ahead© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.10 | Continuous auditing and continuous monitoring: The current status and the road aheadTypically, CA/CM is most valuable in scenarioswhere processes are repetitive and susceptibleto risk (e.g. financial management reporting).These processes are often transaction-basedsupported by applications that run on structureddata.Which processes benefitmost from CA/CM?Based on the survey:In the first place most respondentsbelieve that CA/CM is best suited tosupport processes such as ‘Financialmanagement reporting’ and ‘Treasuryand cash management’.82%Financial management reportingTreasury and cash managementPurchase to paymentIT managementSales order to cash receiptHR/payrollTravel and expensesFixed asset managementInventoryIndustry-specific processes(retail, insurance, telecoms, production)OtherProcesses that benefit most from CA and CM80%82%77%72%71%66%65%62%61%59%4%
  11. 11. KPMG analysisOn the whole, CA/CM helps to fostera culture focussed on efficiency.For example, organisations can useCM to help align components of theprocure-to-pay cycle so vendors arenot paid too early but in line with theterms of the contract. CM enables anorganisation to evaluate the date ofpurchase, the due date of the invoiceand the date of payment. Automatingmanual processes to detect issuesearly and prevent escalation can saveretrospective remediation costs.Obviously, preventing errors fromoccurring improves the overall businessprocess efficiency as well.Typically, areas that tend to have thegreatest return on investment (ROI) in aninitial CA/CM implementation include:• Manual journal entries;• Time and expense;• Purchase to pay;• Purchasing cards (P-cards);• Order to cash;• Inventory management.CA/CM can add most value toorganisations where processes arerepetitive and susceptible to risk.It can improve the organisation’s riskmanagement and control activities.For example, internal audit’s approachto audit planning tends to be largelyrisk-based. Expanding this approach toinclude CA can enhance internal audit’scoverage, regardless of how much riskis expected in those additional areas.CM can also help to allocate risk-management resources effectively.Continuous auditing and continuous monitoring: The current status and the road ahead | 11© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.
  12. 12. 12 | Continuous auditing and continuous monitoring: The current status and the road ahead© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.12 | Continuous auditing and continuous monitoring: The current status and the road aheadInternal Audit, supported by the CFO, often introducesCA/CM within the organisation and is also seen as itsmain beneficiary. Operational/line management is notoften the initiator of CA/CM but does enjoy its benefits.Who are the initiatorsand beneficiaries?Based on the survey:Overall, the survey shows thatfunctions across the organisationgain value from CA/CM – even if theyare not the initiators. Internal audit isconsidered both the main initiator andalso the main beneficiary of CA/CM.Many respondents also believe thatthe CFO or the finance departmentare initiators. Once presented witha strong business case, operational/line management and the board ofdirectors tend to be easily convinced ofthe benefits of CA/CM.Internal auditCFO/FinanceInternal controlRisk managementComplianceBoard of directorsITLegalOtherInitiators and beneficiaries of CA and CM85%69%87%87%87%68%82%67%81%59%77%59%59%56%83%55%69%39%4%2%Operational/line managementInitiators of CA and CM Beneficiaries of CA and CM
  13. 13. KPMG analysisInternal audit often triggers CA/CMinitiatives because it has experiencewith data analytics from a controltesting perspective and CA constitutesthe next logical step. Operational/line management is not often the firstinitiator of CA/CM but does benefitfrom it. This may be due to the factthat operational/line management doesnot solely act from a risk perspective– it is primarily responsible for theorganisation’s core business processes.However, operational/line managementrealises that its responsibilities extendfurther and include internal controls,which are often closely linked toCA/CM.Continuous auditing and continuous monitoring: The current status and the road ahead | 13© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.
  14. 14. 14 | Continuous auditing and continuous monitoring: The current status and the road ahead© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.Adoption continues to be low despite awareness around the benefits ofCA/CM. The main reason is that organisations find it difficult to quantify thebenefits of CA/CM which are needed to justify the business case for itsimplementation. As a result organisations are taking small steps in embeddingCA/CM, for example by experimenting with tools on pilot projects.Current and future stateof adoptionBased on the survey:The current state of adoption is low.A remarkable 17% of respondentshave never considered implementingCA/CM and 14% have only consideredit but have not yet taken any action.Only 10% of respondents are runningpilots on either CA or CM and another12% are actually implementing CA orCM. A mere 16% of the respondentsWhat is the current status of CA/CM within the organisationindicated they have already embeddedCA within their internal audit functionbut only 9% have both CA and CMembedded across their respectiveorganisations.The number of organisations with CA/CM fully embedded is likely to riseslightly in the very near future however.A quarter of respondents revealed thatthey plan to investigate the addedvalue of CA/CM to their organisations.The number of organisations runningpilots remains stable, but the surveyshows that the number oforganisations planning to embedboth CA and CM in the next two yearsis expected to increase significantly(from 9% today to 23% two yearsfrom now).CA and CM are embedded across the organisation and integrated operationallyCM is embedded within line management responsibilitiesCA is embedded within internal auditCurrently implementing CA and/or CMCA and/or CM pilot is currently being runCurrently busy drawing up business case and/or obtaining budget for CMHave considered, but not yet taken any actionHave not considered CA or CM / don’t know9%12%16%12%10%10%14%17%Where organisations would like to be in two years time with respect to CA and CMCA and CM are embedded across the organisationCM is embedded in monitoring activities of line managementCA is embedded in internal auditPilot project(s) underway in various parts of the organisationBusiness case is completed and budget is obtainedAn investigation is conducted into the added value of CA/CM for our organisationWill not consider CA/CM23%10%15%8%4%25%15%14 | Continuous auditing and continuous monitoring: The current status and the road ahead
  15. 15. KPMG analysisAlthough organisations do realisethe benefits of CA/CM, there is stillsome reluctance to fully adopt eitherCA or CM. However, with the needfor continued risk assurance growing,this is likely to improve and morebusinesses can be expected to investin CA/CM in the near future. Like anytransformation process, the adoptionand implementation of CA/CM willtake time and effort.The first step towards adoption isto build a business case to securesupport from senior managementand to outline the objectives, scope,expected costs and projected benefitsof CA/CM. Starting on a small scaleallows management or internal audit totest the CA/CM concept first. The nextstep is to draw up a road map to beable to fully achieve the objectives ofthe CA/CM implementation.Before significant resources areallocated to monitoring controls andtransactions, management will needto consider whether the existingcontrols are the most effective to beable to address the underlying risks.In addition, management should givecareful consideration to what should bemeasured, where the necessary dataresides, and the quality of the data.Simply ‘switching on’ rules that mayexist within a standard technology toolwithout refining them could result in anunmanageable number of ‘exceptions’or ‘false positives’ requiring attention,in turn resulting in increasedinefficiencies as well as a false senseof assurance. Similarly, ‘switching on’poorly designed rules may also resultin a false sense of assurance.Continuous auditing and continuous monitoring: The current status and the road ahead | 15© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.
  16. 16. 16 | Continuous auditing and continuous monitoring: The current status and the road ahead© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.Limited insight and understanding of available technology toolsis the largest barrier for organisations to tackle when consideringCA/CM. This is caused by a lack of clarity about what kind offunctionality CA/CM tooling actually consists of.Barriers to adoption16 | Continuous auditing and continuous monitoring: The current status and the road aheadBased on the survey:The key barrier for an organisation toadopt CA/CM is limited insight intothe availability of suitable CA/CMtools. 75% of respondents are usingIT tools, with only 13% of them usingbusiness intelligence dashboards andBarriers to CA and CM adoptionLimited insight in availability of proper CA/CM toolsOrganisation is not familiar with or does not understand thepossibilities of CA/CM sufficientlyLack of knowledge and experience regarding data analysis and/orcontinuous maintenance of toolingLack of staff to support CA/CM implementationLimited commitment and/or awareness at board and seniormanagement levelLimited suitability of IT infrastructure to apply CA/CMBusiness case, including budget, has not been finalised and approvedLimited suitability to apply CA/CM in your type of organisation69%65%64%63%55%46%45%38%10% using dedicated CA/CM tools.Unfamilarity and lack of knowledge orexperience also ranked high amongstthe responses. Lack of staff and limitedcommitment or awareness at a seniorlevel within an organisation were alsomentioned.
  17. 17. KPMG analysisCA/CM is partly a technology solutionand this obviously requires expertknowledge. At the same time thereappears to be uncertainty about whatfunctionality CA/CM tooling actuallyprovides. From a KPMG perspective,CA/CM functionality includes at least:data extraction (from source systems),data analysis, case management(to make exceptions actionable)and reporting (e.g. via dashboards).Organisations should take steps toincrease their knowledge and becomemore familiar with the concepts ofCA/CM in order to overcome specificbarriers to the implementation of CA/CM. There can also be resistanceto change and the focus oncommunication throughout the processis key to overcome this. Other barriersmay include a highly scattered anddiverse IT landscape and inferior qualitysource data, lack of internal resourcesand skills to manage CA/CM, or a lackof resources to implement CA/CMtools. If these risks can be mitigated, asuccessful implementation of CA/CMwill generally translate into reducedreporting costs, enhanced governance,risk mitigation and complianceoutcomes, financial and non-financialROI, as well as increased detectionand prevention of fraud.Continuous auditing and continuous monitoring: The current status and the road ahead | 17© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.
  18. 18. 18 | Continuous auditing and continuous monitoring: The current status and the road ahead© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.The number of organisations with embedded CA/CMis likely to grow gradually. CA/CM will evolve naturally,from starting on a small scale to a mature capability.Past and futureinvestments18 | Continuous auditing and continuous monitoring: The current status and the road aheadBased on the survey:The potential benefits of CA/CMare widely understood, yet a gapbetween understanding CA/CM andthe willingness to invest in it continuesto exist. Only a few companieshave implemented CA/CM so far.The survey shows that organisationsare gradually changing position fromjust being interested in CA/CM toactually investing in CA/CM-relatedprojects. The number of organisations€ 0 (no investment)Less than € 100,000€ 100,000 - € 250,000€ 250,000 - € 500,000€ 500,000 - € 1 milliongreater than € 1 million37%37%7% 7%7%10%3%19%16%8%4%46%Investment in CA/CM overthe last two years€ 0 (no investment)Less than € 100,000€ 100,000 - € 250,000€ 250,000 - € 500,000€ 500,000 - € 1 milliongreater than € 1 million37%37%7% 7%7%10%3%19%16%8%4%46%Investment in CA/CM in thenext two yearssurveyed that are not investing inCA/CM will decline by almost 50%over the next two years (from 37% to19%), while 46% expect to start smallprojects and invest up to €100,000 inthis period. However, the survey alsoshows that organisations are reluctantto commit to high investments – thenumber of companies investing morethan €250,000 will remain quite stableand below 20%.
  19. 19. KPMG analysisOrganisations are eager to learnbut shy away from high up-frontinvestments. This sentiment can beattributed to various factors. Driven bylimited discretionary spending and theneed for heightened accountability,management must focus on achievinghealthy ROIs while also loweringexposure to risk. Consequently, CA/CMmust be allowed to evolve naturally,from starting small to a maturecapability. Nevertheless, organisationsshould be able to fit investments withinbudgets on a sustainable basis andstart by composing a business case.Furthermore, CA/CM tools are stillat a stage of development. Manyorganisations are waiting for enhancedtools before they consider adoption.However, growing interest in CA/CM isincreasingly prompting organisations totest CA/CM through pilot projects.Some companies have successfullymanaged the cost challengesassociated with CA/CM by integratingthese into wider project budgets.For companies looking to implementCA/CM, pilots can deliver resultsquickly and potentially help CA/CM tobecome auto-financing. An investmentin CA/CM fits in well in the context ofa larger business intelligence initiativewhere CA/CM can provide criticalbusiness decision-making capabilities.In most other cases, an incrementalapproach based on an ROI analysismay be more appropriate.Continuous auditing and continuous monitoring: The current status and the road ahead | 19© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.
  20. 20. 20 | Continuous auditing and continuous monitoring: The current status and the road ahead© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.Advances in technology have paved the way for increased use ofCA/CM. It is of course vital to opt for technology and tools thatare suitable for an organisation’s needs.Do technology and toolingprovide adequate support?Based on the survey:Many organisations have startedto experiment with technology andstandard tooling. As for technology,75% are using IT, with one-thirdusing office automation or standardauditing tools. Only 13% use advancedbusiness intelligence (BI) dashboards,while 11% use dedicated CA/CM toolsfrom suppliers such as SAP GRC,BWise, Approva, Oversight or Aptean(EMF). In the area of tooling usage,internal audit (78%), finance (63%),internal control (59%) and operational/line management (56%) are usingCA/CM tools.Internal auditFinanceInternal controlOperational/line managementRisk managementITComplianceCA/CM tools are not implemented, so this questionis not relevant for my organisationUse of CA and CM tools78%63%59%56%53%52%50%43%Not at all or don’t knowUse of office automation (e.g. Microsoft Excel or Access)Use of standard auditing tools (e.g. IDEA or ACL)Use standard reporting e.g. from ERP systemUse of Business Intelligence (e.g. dashboards, reports)Use of dedicated CA/CM monitoring tools(e.g. SAP GRC, BWise, Oversight, EMF, Approva)Use of technology to support CA/CM25%19%16%16%13%11%20 | Continuous auditing and continuous monitoring: The current status and the road ahead
  21. 21. KPMG analysisOrganisations that are currentlyinterested in CA/CM need guidanceand sufficient information on thebenefits and techniques associatedwith CA/CM. At present, manyorganisations have started toexperiment with standard tooling.However, tools should ideally becustomised to meet specific needswithin each organisation and are likelyto evolve gradually into businessintelligence dashboards and eventuallyinto professional CA/CM tooling.Advances in technology have paved theway for increased use of CA and CM inorganisational processes, transactions,systems, and controls. Technology-enabled control, auditing andmonitoring tools integrated into ERPsolutions, or built as third-party bolt-onsolutions, have and will continue toevolve. They also help organisationsto monitor the efficiency of internalcontrols, identify and correct lapses incontrols and strengthen performance.It is of course vital to opt fortechnology tools that are viable andsuitable to an organisation’s needs.For instance, some organisations mayfind embedded tools too costly fortheir purpose. If this is the case then‘extract and analyse’ software maybe a more appropriate alternative.Any technology-dependent initiativeContinuous auditing and continuous monitoring: The current status and the road ahead | 21– including CA/CM implementation –is bound to face challenges in termsof achieving data accuracy andconsistency. Furthermore, as dataevolves constantly; formats, protocolsand refresh cycles may vary widelyacross systems.The success of a CA/CM initiative ishighly dependent upon the effectiveimplementation and use of the righttechnology tools. In the same way,those tools will only be successful ifused effectively. Organisations needto evaluate how suitable the features,functions and capabilities of a toolare for their needs before engaging aspecific tool provider.© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.
  22. 22. 22 | Continuous auditing and continuous monitoring: The current status and the road ahead© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.How KPMG can helpImplementing CA/CM is much morethan a technology exercise. KPMG hasthe experience and industry knowledgeto help you effectively apply yourknowledge of your business risks andinternal mechanisms to designing aCA/CM framework that supportsstrategic management objectives.We also have assisted organisationsin building successful business casesto demonstrate Return on Investment(ROI) from CA/CM implementation.Having helped organisations throughCA/CM implementation, we understandthe pitfalls and have the know-how tonavigate the change managementprocess.In addition, KPMG can assist in:• Software selection for CA/CM tool(s)• Designing and implementing CA/CMrisk-based approaches- Dashboards- Scorecards- Analytics- Reports- Management Protocols• Optimising past CA/CMimplementations (e.g. controlrationalisation)• Integrating with governance, risk,and compliance initiatives• Integrating with businessintelligence initiatives• Integrating with other data analysisinitiatives• Conducting a walk along or postimplementation review• TrainingCONTINUOUS AUDITINGCONTINUOUS MONITORINGINDUSTRY & FUNCTIONAL KNOWLEDGEPeopleProcessTechnologyImplementDesignAssess
  23. 23. Continuous auditing and continuous monitoring: The current status and the road ahead | 23© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International.EMA regionMr. P.P. (Peter Paul) BrouwersPartner KPMG ITAdvisoryT: +31 (0)40 250 23 25E: brouwers.peterpaul@kpmg.nlAustriaMr.T. (Theodor) DemutDirector KPMG ForensicT: +43 732 6938 24 22E: t.demut@kpmg.co.atBahrain / QatarMs. J. (Jeyapriya) PartibanHead of Risk Consulting, PartnerT: +973 1722 48 07E: jeyapriyapartiban@kpmg.comBelgiumMr. P. (Peter) van den SpiegelSenior Manager KPMG ITAdvisoryT: +32 2708 37 79E: pvandenspiegel@kpmg.comFinlandMrs.Anneli Grönfors-KallioDirector KPMG IARCST: +358 20760 36 97E: anneli.gronfors-kallio@kpmg.fiFranceMr. C. (Cédric) de LavalettePartner KPMG ITAdvisoryT: +33 15568 67 12E: cdelavalette@kpmg.frGermanyMr.T. (Thomas) ErwinPartner KPMG ITAdvisoryT: +49 62 1426-72 49E: terwin@kpmg.comHungaryMr. I. (István) MolnárSenior Manager KPMG IT Riskand ComplianceT: +36 1887 74 45E: istvan.molnar@kpmg.huContactsIndiaMr. S. (Sathish) GopalaiahDirector KPMG GRCST: +91 80306 540 52E: sathish@kpmg.comItalyMr. P. (Piermario) BarzaghiPartner KPMG IARCST: +39 0267 64 31E: pbarzaghi@kpmg.itKenya/Tanzania/UgandaMr. B. (Brian) D’SouzaPartner KPMG ITAdvisoryT: +2542 9280 61 32E: briandesouza@kpmg.co.keThe NetherlandsMr. M. (Maurice) op ‘tVeldPartner KPMG ITAdvisoryT: +31 10 453 42 14E: ophetveld.maurice@kpmg.nlNigeriaMr. O. (Olumide) OlayinkaHead of Risk Consulting, PartnerT: +234 1271 89 55E: olumide.olayinka@ng.kpmg.comNorwayMr. K.P. (Karl-Petter)AarskogSenior Manager KPMG ITAdvisoryT: +47 4063 95 63E: karl.petter.aarskog@kpmg.noPortugalMr. R. (Rui) GomesPartner KPMG ITAdvisoryT: +35 121 011 00 18E: rgomes@kpmg.comRomaniaMr. R. (Richard) PerrinPartner KPMGAdvisoryT: +40 37237 77 92E: rperrin@kpmg.comSaudi ArabiaMr.A. (Altaf) DossaDirector KPMG ForensicT: +96 61874 85 00E: adossa@kpmg.comSouth AfricaMr. F. (Frik) CoetzerDirector KPMG ITAdvisoryT: +270 84431 16 64E: frik.coetzer@kpmg.co.zaSpainMr.A. (Angel) Requena RodriquezPartner KPMG ForensicT: +34 91456 34 15E: arequena@kpmg.esSwitzerlandMr. L. (Luka) ZupanDirector KPMG IARCST: +41 58 249 36 61E: lzupan@kpmg.comTurkeyMrs. I. (Idil) GurdilHead of Risk Consulting, PartnerT: +90 (216) 681 90 14E: igurdil@kpmg.comUnited KingdomMr. D. (Damien) MargetsonDirector KPMG ForensicT: +44 161 246 46 43E: damien.margetson@kpmg.co.ukUAE/MESAMr. K. (Karl) HendricksHead of KPMG RC MESAT: +9714 424 89 00E: khendricks@kpmg.comWe would be happy to share our CA/CM experiences with youand provide insight into the road ahead. Please contact us formore information.
  24. 24. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individualor entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information isaccurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such informationwithout appropriate professional advice after a thorough examination of the particular situation.The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International.© 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independentfirms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority toobligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any suchauthority to obligate or bind any member firm. All rights reserved. Printed in the Netherlands. 1212

×