Vikas Dutta Presentation at Rutgers CARLAB Nov 2012
1. Projects in Internal Audit at CA
November 3, 2012
Vikas Dutta, Principal Internal Audit
Rob Zanella, VP Internal Audit
2. Agenda
— Introductions
— CA Technologies
— Reason for Continuous Auditing
— Audit innovation
— Continued work with external sources
3. CA Technologies
CA Technologies is an IT management software and solutions company with a deep expertise across all IT environments—from mainframe and distributed, to virtual and cloud.
— Our products enable customers to automate, manage and secure IT environments and deliver more flexible IT services.
— CA Technologies makes agility possible.
— *#1 Management Software Vendor
− $4.4 billion annual revenue and strong profit
− ~13,400 employees worldwide in 4 regions (NA, LA, EMEA & APJ)
− Customers in virtually every country, including majority of Forbes Global 2000
− ~$500 million and ~5,000 people annually designing and supporting software
− 30+ years in business managing complex heterogeneous environments
− Ranked among top 50 Greenest US companies
4. Reason for Continuous Auditing
− Reduce # of key controls for SOX
− Increase # of monitoring controls by having a common global ERP system
− Test by exception rather than sampling approach
− Enable real time decision making for management
End State is to incorporate the above and get to a state of:
• Predictive Audit analytics, rather than Preventive/Detective
• A predictive audit could help auditors and management to block a problem before it spreads.
• It is better to look forward than just look back at the historical information
— Continuous audit is used to monitor present transactions
— Can we use CA to predict the future?
− Audit by exception
− Alarm and warning system
• Auditing by exception
5. Reason for Continuous Auditing
— Identify Key Risk Indicators for CA
− Frequent small amount payments to suppliers
− Payments in a currency other than the base currency of the company
− Identify all vendors where country is not specified in the address
− Check for quantity discrepancies between licenses agreed to in contract vs. quantity of license keys generated
− Providing support to customers whose agreements have lapsed
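The first three key risk indicators above, written as exception tests over a payment extract. This is an added example, not code from the presentation or from CA Technologies; the thresholds, field layout and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Assumed thresholds; tune them to the organisation's payment profile.
BASE_CURRENCY = "USD"
SMALL_AMOUNT = 500.00   # ceiling for a "small" payment, compared as recorded (no FX conversion)
MIN_COUNT = 3           # this many small payments to one vendor ...
WINDOW_DAYS = 30        # ... within this many days raises the indicator

# Constructed sample data (not from the presentation).
VENDORS = {"V001": "US", "V002": "", "V003": "DE"}  # vendor id -> country in address
PAYMENTS = [  # (payment id, vendor id, payment date, amount, currency)
    ("P1", "V001", date(2012, 9, 3), 450.00, "USD"),
    ("P2", "V001", date(2012, 9, 10), 480.00, "USD"),
    ("P3", "V001", date(2012, 9, 21), 495.00, "USD"),
    ("P4", "V002", date(2012, 9, 5), 12000.00, "USD"),
    ("P5", "V003", date(2012, 9, 7), 300.00, "EUR"),
    ("P6", "V003", date(2012, 11, 2), 250.00, "USD"),
]

def frequent_small_payments(payments):
    """Vendors with MIN_COUNT or more small payments inside any WINDOW_DAYS span."""
    by_vendor = defaultdict(list)
    for _pid, vendor, paid_on, amount, _ccy in payments:
        if amount <= SMALL_AMOUNT:
            by_vendor[vendor].append(paid_on)
    flagged = []
    for vendor, dates in sorted(by_vendor.items()):
        dates.sort()
        # Slide a window of MIN_COUNT consecutive small payments over the dates.
        if any((dates[i + MIN_COUNT - 1] - dates[i]).days <= WINDOW_DAYS
               for i in range(len(dates) - MIN_COUNT + 1)):
            flagged.append(vendor)
    return flagged

def non_base_currency(payments):
    """Payment ids settled in a currency other than the base currency."""
    return sorted(pid for pid, _v, _d, _a, ccy in payments if ccy != BASE_CURRENCY)

def vendors_missing_country(vendors):
    """Vendor ids whose address record has no country."""
    return sorted(vid for vid, country in vendors.items() if not (country or "").strip())

def exception_report(vendors, payments):
    """Test by exception: return only the records that trip an indicator."""
    return {
        "frequent_small_payments": frequent_small_payments(payments),
        "non_base_currency": non_base_currency(payments),
        "vendor_missing_country": vendors_missing_country(vendors),
    }
```

Every record is evaluated rather than a sample, and only the exceptions are returned for auditor follow-up.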
6. Audit Innovation
− Using technology to enable more efficient and quality audit process
− Big Data analytics
− Rule based systems
− Data mining
− Statistical modeling
7. Expected outcomes
— Enhanced audit quality and stakeholder value
— Allows IA to be flexible and responsive
— Increased analytical abilities (Hybrid auditors)
— Breaking the cycle of traditional auditing methods
— Continue to look at the organization critically and drive change
8. Continued work with CARLABS
— CARLABS
− Controls Maturity Model for Internal Audit
− Duplicate Payment Analysis
— COTS
11. Elements Used to Establish Criteria for the Maturity Model
#1: Automation
COSO: “Automated controls tend to be more reliable…since they are less susceptible to human judgment and error, and are typically more efficient.”
#2: Level of Automatability
Most business processes have a mix of manual and automated controls
#3: Level of Significance
Should every organization strive to be at the highest level of maturity?
What is the optimal level?
12. Criteria Used to Build the Maturity Model
1. Level of Automation
• Simple, top-down measure
• Calculating the percentage of all controls within a process that are
currently automated
2. Level of Complexity of Automation
• Break down the control into its basic steps
• Evaluate opportunity for automation at each step
• Allows a quantifiable, robust measure of level of automation by
incorporating complexity of automatability
3. Level of Significance
• Sending out a questionnaire to the owners of the controls
• Score controls using their level of significance or importance
13. Level of Significance
• Score controls on a scale of 0-5
• The magnitude of the significance metric affects the overall process
maturity:
• A control deemed to have a higher level of significance will have
greater effect on overall process maturity
• A control deemed to have a lower level of significance will have less
of an effect on overall process maturity
• Whether the significance-weighted effect on overall process maturity is
positive or negative depends on the maturity level of the control itself:
• A less mature control will have a negative effect
• A more mature control will have a positive effect
• This will likely be the final metric utilized within the model to determine
the magnitude and direction effects of an individual control on the
business process maturity level
14. Level of Complexity of Automation
(Example)
Control: On a quarterly basis, the role owner reviews access to SAP to ensure that only authorized personnel have access to process invoices against Purchase
Orders including ability to input, edit or cancel invoices.
1. Are tickets containing the reviews retrieved manually? YES NO
If yes, can this be automated? YES NO
2. When copying files that evidence the review in order to
filter by “passed” or “failed”, are the files copied manually? YES NO
If yes, can this be automated? YES NO
3. Are these files manually filtered to check for “failed” items? YES NO
If yes, can this be automated? YES NO
4. When reviewing other users the role owner “passed,”
but the user is found to be in a different cost center, is the
review performed manually? YES NO
If yes, can this be automated? YES NO
15. Calculating the Level of Complexity of Automation
Results Key:
4 of 4: 100% automatable
3 of 4: 75% automatable
2 of 4: 50% automatable
1 of 4: 25% automatable
0 of 4: 0% automatable
Level of Complexity of Automation = (Manual Steps Capable of Automation + Currently Automated Steps) / Total steps
16. Transaction status prediction - use for KRI slide?
—Revenue cycle is a high risk area.
− Channel stuffing
—This study aims to predict future sales cancellations, an
indicator of a suspicious transaction.
—If there is any suspicious transaction, the system should have a
warning or an alarm report.
—What prediction model(s) will more accurately forecast
business transaction outcomes?
17. Areas for continuous auditing at CA Technologies – sales cycle
—CA Technologies has several ways to license products; each
way is unique and complex
− Analysis of different discount between single product sale transactions
vs. combined (product, usage, maintenance, term extension) transaction
− Management to evaluate indicators
• to determine effectiveness of sales and marketing strategies
• to evaluate for pricing manipulation for the benefit of personal incentive
compensation
18. Areas for continuous auditing at CA Technologies – commission cycle
— CA’s philosophy is to provide incentive compensation to participants
who contribute to maintaining and growing CA’s business
− Analysis of worldwide commission payments to predict revenue growth and
comparison of the prediction to the forecast
− Management to evaluate indicators
• to determine potential revenue growth in specific areas
• to evaluate the effectiveness of compensation plan with sales strategies/objectives
— Benefits of utilizing CAR Labs
− Adapt Rutgers' current research work to assist CA's current business solutions
− At the forefront of research and discovery that provides repeatable solutions
19. Areas for continuous auditing at CA Technologies – accounts payable cycle
— CA Technologies is consistently reevaluating our controls over Foreign Corrupt Practices Act (FCPA)
− Analysis of vendor and travel and entertainment expenses for indicators or
potential indicators of FCPA violations
− Management to evaluate indicators
• to determine effectiveness of training
• to evaluate whether self-disclosure is required
— Benefits of utilizing CAR Labs
− Has the tools and training to help Internal Audit work more effectively
− Generates creative ideas for improving processes, analyzing data and
developing monitoring scripts
20. IA Data Analytics Methodology
Diagram (process flow). Phases: Planning, Data Collection, Analysis, Reporting. Steps shown:
− Review existing controls and industry standards
− Obtain GIA/GPO/Business buy-in
− Develop DA queries & tools
− Automate Data Acquisition
− Review capabilities with IA Fin/Ops
− Use new process/tool during GIA audit
− Demo findings and capabilities to business
− Share with business to enable continuous monitoring
− Identify Audit Area for data analytics
21. Internal Audit’s Changing Focus in a Changing World
Increased Emphasis
— Process Improvement / Operational
Efficiency / Cost Reductions
— New Information Technologies
Systems / Processes and Control
environments
— Strategic Initiatives, Programs and
Emerging Markets
— Operational Controls, Ethics and
Compliance
— Regulatory Compliance Programs
— International Locations
Decreased Emphasis
— SOX/ Financial Reporting
— Travel & Entertainment
— Procurement
23. Control Environment Maturity
The 5 stages of the Capability Maturity Model
— 1. Initial (processes are ad-hoc, chaotic, or actually few processes are
defined)
— 2. Repeatable (basic processes are established and there is a level of
discipline to stick to these processes)
— 3. Defined (all processes are defined, documented, standardized and
integrated into each other)
— 4. Managed (processes are measured by collecting detailed data on the
processes and their quality)
— 5. Optimizing (continuous process improvement is adopted and in place by
quantitative feedback and from piloting new ideas and technologies)