Projects in Internal Audit at CA
November 3, 2012
Vikas Dutta, Principal Internal Audit
Rob Zanella, VP Internal Audit
Agenda
— Introductions
— CA Technologies
— Reason for Continuous Auditing
— Audit innovation
— Continued work with external sources
CA Technologies
CA Technologies is an IT management software and solutions company with a deep expertise across all IT environments—from mainframe and distributed, to virtual and cloud.
— Our products enable customers to automate, manage and secure IT environments and deliver more flexible IT services.
— CA Technologies makes agility possible.
— *#1 Management Software Vendor
— $4.4 billion annual revenue and strong profit
— ~13,400 employees worldwide in 4 regions (NA, LA, EMEA & APJ)
— Customers in virtually every country, including majority of Forbes Global 2000
— ~$500 million and ~5,000 people annually designing and supporting software
— 30+ years in business managing complex heterogeneous environments
— Ranked among top 50 Greenest US companies
Reason for Continuous Auditing
− Reduce # of key controls for SOX
− Increase # of monitoring controls by having a common global ERP system
− Test by exception rather than sampling approach
− Enable real time decision making for management
End State is to incorporate the above and get to a state of:
• Predictive Audit analytics, rather than Preventive/Detective
• A predictive audit could help auditors and management to block a problem before it spreads.
• It is better to look forward than just look back at the historical information
— Continuous audit is used to monitor present transactions
— Can we use CA to predict the future?
− Audit by exception
− Alarm and warning system
• Auditing by exception
Reason for Continuous Auditing
— Identify Key Risk Indicators for CA
− Frequent small amount payments to suppliers
− Payments in different currency other than base currency of the company
− Identify all Vendors where country is not specified in the address
− Check for quantity discrepancies between license agreed to in contract vs quantity license keys generated
− Providing support to customers whose agreements have lapsed
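The first three indicators above, written as rule-based exception tests over constructed accounts-payable records. This is an added example, not code from the presentation; the thresholds, field names, vendor IDs and sample data are all assumptions.

```python
from collections import defaultdict
from datetime import date

# Assumed thresholds: the slides name the indicators but give no numbers.
BASE_CURRENCY = "USD"
SMALL_AMOUNT = 500.00   # "small amount" ceiling, in the recorded currency
FREQUENT_COUNT = 3      # this many small payments ...
WINDOW_DAYS = 7         # ... to one supplier within this many days

# Constructed vendor master and payment register (not real data).
VENDORS = {
    "V001": {"name": "Acme Supplies", "country": "US"},
    "V002": {"name": "Globex Trading", "country": "  "},
    "V003": {"name": "Initech GmbH", "country": "DE"},
}
PAYMENTS = [
    {"id": "P1", "vendor": "V001", "date": date(2012, 10, 1), "amount": 120.00, "currency": "USD"},
    {"id": "P2", "vendor": "V001", "date": date(2012, 10, 3), "amount": 95.50, "currency": "USD"},
    {"id": "P3", "vendor": "V001", "date": date(2012, 10, 5), "amount": 130.00, "currency": "USD"},
    {"id": "P4", "vendor": "V001", "date": date(2012, 10, 30), "amount": 110.00, "currency": "USD"},
    {"id": "P5", "vendor": "V002", "date": date(2012, 10, 2), "amount": 48000.00, "currency": "USD"},
    {"id": "P6", "vendor": "V003", "date": date(2012, 10, 4), "amount": 2500.00, "currency": "EUR"},
    {"id": "P7", "vendor": "V003", "date": date(2012, 10, 20), "amount": 300.00, "currency": "USD"},
]


def frequent_small_payments(payments):
    """KRI: FREQUENT_COUNT or more small payments to one vendor inside WINDOW_DAYS."""
    small = defaultdict(list)
    for p in payments:
        if p["amount"] <= SMALL_AMOUNT:
            small[p["vendor"]].append(p)
    flagged = {}
    for vendor, items in small.items():
        items.sort(key=lambda p: p["date"])
        start = 0
        for end, current in enumerate(items):
            # Slide the window start forward until it spans at most WINDOW_DAYS.
            while (current["date"] - items[start]["date"]).days > WINDOW_DAYS:
                start += 1
            if end - start + 1 >= FREQUENT_COUNT:
                ids = flagged.setdefault(vendor, set())
                ids.update(p["id"] for p in items[start:end + 1])
    return {vendor: sorted(ids) for vendor, ids in flagged.items()}


def foreign_currency_payments(payments):
    """KRI: payments made in a currency other than the company's base currency."""
    return sorted(p["id"] for p in payments
                  if p["currency"].upper() != BASE_CURRENCY)


def vendors_missing_country(vendors):
    """KRI: vendor master records with no country in the address."""
    return sorted(vid for vid, v in vendors.items()
                  if not (v.get("country") or "").strip())


def exception_report(payments, vendors):
    """Run every rule over the full population and list only the exceptions."""
    report = []
    for vendor, ids in sorted(frequent_small_payments(payments).items()):
        report.append(("frequent_small_payments", f"{vendor}: {', '.join(ids)}"))
    for pid in foreign_currency_payments(payments):
        report.append(("non_base_currency", pid))
    for vid in vendors_missing_country(vendors):
        report.append(("vendor_country_missing", vid))
    return report


if __name__ == "__main__":
    for kri, reference in exception_report(PAYMENTS, VENDORS):
        print(f"{kri:26} {reference}")
```

Every record is tested rather than a sample, so the report contains only the items an auditor needs to follow up.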
Audit Innovation
− Using technology to enable more efficient and quality audit process
− Big Data analytics
− Rule based systems
− Data mining
− Statistical modeling
Expected outcomes
—Enhanced audit quality and stakeholder value
—Allows IA to be flexible and responsive
—Increased analytical abilities (Hybrid auditors)
—Breaking the cycle of traditional auditing methods
—Continue to look at the organization critically and drive change
Continued work with CARLABS
— CARLABS
− Controls Maturity Model for Internal Audit
− Duplicate Payment Analysis
— COTS
Continuous Auditing and Continuous Monitoring
Data Analytics Maturity Model
Copyright © 2011 Pearson Education, Inc. or its affiliates. All rights reserved.
Level 1: Ad Hoc
Level 2: Repeatable
Level 3: Centralized
Level 4: Continuous Monitoring
Level 5: Optimizing

• No formal DA approach, procedures or methodology
• DA performed occasionally at best
• Tools are not readily available
• Dependent on the skills of limited number of SMEs

• Practices evolved in level 1 through 4 are used to continually improve DA processes, procedures and results furthering Continuous Monitoring efforts.

• DA methodology is institutionalized
• Mgt understanding of business issues and root cause
• Advanced tools used e.g. visual analysis and modeling
• Mgt involved in Continuous control monitoring tools

• DA policy supported by a defined methodology
• DA use is monitored by management
• Understanding of the business relevance
• Create data analysis models
• DA recognized as a value-add to audit

• DA is not institutionalized
• Relies on a central group / individual
• Tools are available, however not applied consistently or correctly
IA Maturity Model Phases Roadmap
NO CONTROLS
AD HOC
CONTROLS EXIST
CONTROLS WORK
CONTROLS PLANNED
CONTROLS ALIGNED WITH NEEDS
CONTROLS CONTINUOUSLY MONITORED AND IMPROVED
Elements Used to Establish Criteria for the Maturity Model
COSO: “Automated controls tend to be more reliable…since they are less susceptible to human judgment and error, and are typically more efficient.”
→ #1: Automation
Most business processes have a mix of manual and automated controls
→ #2: Level of Automatability
Should every organization strive to be at the highest level of maturity? What is the optimal level?
→ #3: Level of Significance
Criteria Used to Build the Maturity Model
1. Level of Automation
• Simple, top-down measure
• Calculating the percentage of all controls within a process that are
currently automated
2. Level of Complexity of Automation
• Break down the control into its basic steps
• Evaluate opportunity for automation at each step
• Allows a quantifiable, robust measure of level of automation by
incorporating complexity of automatability
3. Level of Significance
• Sending out a questionnaire to the owners of the controls
• Score controls using their level of significance or importance
Level of Significance
• Score controls on a scale of 0-5
• The magnitude of the significance metric affects the overall process
maturity:
• A control deemed to have a higher level of significance will have
greater effect on overall process maturity
• A control deemed to have a lower level of significance will have less
of an effect on overall process maturity
• Whether the significance-weighted effect on overall process maturity is
positive or negative depends on the maturity level of the control itself:
• A less mature control will have a negative effect
• A more mature control will have a positive effect
• This will likely be the final metric utilized within the model to determine
the magnitude and direction effects of an individual control on the
business process maturity level
Level of Complexity of Automation (Example)
Control: On a quarterly basis, the role owner reviews access to SAP to ensure that only authorized personnel have access to process invoices against Purchase Orders including ability to input, edit or cancel invoices.
1. Are tickets containing the reviews retrieved manually? YES / NO
   If yes, can this be automated? YES / NO
2. When copying files that evidence the review in order to filter by “passed” or “failed”, are the files copied manually? YES / NO
   If yes, can this be automated? YES / NO
3. Are these files manually filtered to check for “failed” items? YES / NO
   If yes, can this be automated? YES / NO
4. When reviewing other users the role owner “passed,” but the user is found to be in a different cost center, is the review performed manually? YES / NO
   If yes, can this be automated? YES / NO
Calculating the Level of Complexity of Automation
Level of Complexity of Automation = (Manual Steps Capable of Automation + Currently Automated Steps) / Total steps
Results Key:
4 of 4: 100% automatable
3 of 4: 75% automatable
2 of 4: 50% automatable
1 of 4: 25% automatable
0 of 4: 0% automatable
Transaction status prediction- use for KRI slide?
—Revenue cycle is a high risk area.
− Channel stuffing
—This study aims to predict future sales cancellations, an
indicator of a suspicious transaction.
—If there is any suspicious transaction, the system should have a
warning or an alarm report.
—What prediction model(s) will more accurately forecast
business transaction outcomes?
areas for continuous auditing at CA Technologies – sales cycle
—CA Technologies has several ways to license products; each
way is unique and complex
− Analysis of different discount between single product sale transactions
vs. combined (product, usage, maintenance, term extension) transaction
− Management to evaluate indicators
• to determine effectiveness of sales and marketing strategies
• to evaluate for pricing manipulation for the benefit of personal incentive
compensation
areas for continuous auditing at CA Technologies – commission
cycle
— CA’s philosophy is to provide incentive compensation to participants
who contribute to maintaining and growing CA’s business
− Analysis of worldwide commission payments to predict revenue growth and
comparison of the prediction to the forecast
− Management to evaluate indicators
• to determine potential revenue growth in specific areas
• to evaluate the effectiveness of compensation plan with sales strategies/objectives
— Benefits of utilizing CAR Labs
− Adapt Rutgers current research work to assist CA current business solutions
− At the forefront of research and discovery that provide repeatable solutions
areas for continuous auditing at CA Technologies – accounts
payable cycle
— CA Technologies is consistently reevaluating our controls over Foreign Corrupt Practices Act (FCPA)
− Analysis of vendor and travel and entertainment expenses for indicators or
potential indicators of FCPA violations
− Management to evaluate indicators
• to determine effectiveness of training
• to evaluate whether self-disclosure is required
— Benefits of utilizing CAR Labs
− Has the tools and training to help Internal Audit work more effectively
− Generates creative ideas for improving processes, analyzing data and
developing monitoring scripts
IA Data Analytics Methodology
Phase labels: Analysis, Data Collection, Planning, Reporting
Steps:
• Review existing controls and industry standards
• Obtain GIA/GPO/Business buy-in
• Develop DA queries & tools
• Automate Data Acquisition
• Review capabilities with IA Fin/Ops
• Use new process/tool during GIA audit
• Demo findings and capabilities to business
• Share with business to enable continuous monitoring
• Identify Audit Area for data analytics
Internal Audit’s Changing Focus in a Changing World
Increased Emphasis
— Process Improvement / Operational
Efficiency / Cost Reductions
— New Information Technologies
Systems / Processes and Control
environments
— Strategic Initiatives, Programs and
Emerging Markets
— Operational Controls, Ethics and
Compliance
— Regulatory Compliance Programs
— International Locations
Decreased Emphasis
— SOX/ Financial Reporting
— Travel & Entertainment
— Procurement
Controls Design Maturity Model
Detective
Preventative
Continuous
Predictive
Controls
Control Environment Maturity
The 5 stages of the Capability Maturity Model
— 1. Initial (processes are ad-hoc, chaotic, or actually few processes are
defined)
— 2. Repeatable (basic processes are established and there is a level of
discipline to stick to these processes)
— 3. Defined (all processes are defined, documented, standardized and
integrated into each other)
— 4. Managed (processes are measured by collecting detailed data on the
processes and their quality)
— 5. Optimizing (continuous process improvement is adopted and in place by quantitative feedback and from piloting new ideas and technologies)

Vikas Dutta Presentation at Rutgers CARLAB Nov 2012
