1. Overcoming Small Department Challenges
Session G4
Wednesday, April 30th, 2014
10:45 – 11:45
David Fernandes
Implementing ACL - A Strategy For Success
2. ACL Workpapers & GRC Project
Case Study
3. TOPICS
YOUR EXPECTATIONS
GOALS & CHALLENGES
ACL WORKPAPERS
GRC OVERVIEW
ACL RISK OVERVIEW
Q&A
4. YOUR EXPECTATIONS
How many in Audit Department? <5, <10
What are you using now? Excel / Word / TeamMate
What do you want to accomplish with a Workpapers / GRC solution?
When do you want to have a Workpapers / GRC solution in place?
5. • Fraud Detection
• Segregation of Duties
• Automation of Data Mining
• Compliance Issues
• Regulatory Issues
• Commission Payments
But wait…there is more ……
• Identify fraud, misuse, and errors
• Identify compliance issues
• Flag exceptions in real time
• Automate manual processes for continuous monitoring
What issues do you want to solve ??
6. TOPICS
YOUR EXPECTATIONS
GOALS & CHALLENGES
ACL WORKPAPERS
GRC OVERVIEW
ACL RISK OVERVIEW
Q&A
7. Goals - Do More - With Less
• Develop a framework for assessing different levels of audit analytic techniques and associated benefits.
• Define progressive levels to evolve its use of Data / Business Analytics.
• Identify the building blocks: People, Process and Technology that must be in place to optimize benefits.
• Understand, plan and communicate design criteria to achieve timely implementation.
• Establish a proactive and comprehensive view for effective ERA and ERM.
Goals & Challenges
9. BLSS - Manchester Revenue - 2013 SOX CYCLE CONTROLS
Columns: Section | Control Objective | 2013 Control Activity | Control Owner | Control Frequency | Control Type | Manual / System | Population Sample / Ratio | Test Reference Tab # Name | Rollforward Test Status

Section: New Customers
Control Objective: Authorization is required prior to setting up or modifying customer account within the ERP system.
2013 Control Activity: R&R CA 01
A- All new customer accounts must be approved for credit & have an account set up in system before any work commences or shipments are made.
B- The AR department assesses customer credit worthiness for new & existing customers at time of PO receipt / acceptance. Credit personnel perform the initial assessment, but obtain the applicable approvals based upon the Credit Limit Matrix. Additionally, credit personnel may solicit input from Manager of Credit & Collections and/or Corporate Controller in assessing credit worthiness.
Control Owner: Stephen Hurst
Control Frequency: Daily
Control Type: Detective
Manual / System: Manual
Population Sample / Ratio: 0
Test Reference Tab # Name: R&R CA 01
Rollforward Test Status: N/A

Section: Customer Purchase Order
Control Objective: Customer Purchase Order (CPO) and verified, validated, reviewed and approved.
2013 Control Activity: R&R CA 02
Upon receipt of a customer purchase order (CPO), order administration shall match the CPO to the approved quotation or sales proposal, and shall verify that all elements including terms and conditions and line item detail on the CPO match the associated quotation, proposal, or sales contract.
Control Owner: Stephen Hurst
Control Frequency: Daily
Control Type: Detective
Manual / System: Manual
Population Sample / Ratio: 30 of 72 / 42% / $900k of $3.7M / 24%
Test Reference Tab # Name: R&R CA 02
Rollforward Test Status: Ineffective

Section: Invoicing
Control Objective: Invoices for orders which do/not require physical shipment are reviewed for period revenue recognition.
2013 Control Activity: R&R CA 03
a. Invoices should provide a reference to the customer purchase order or contract to which it references…
b. Invoices should only be posted for hardware that is shipped and services that have been provided (unless other invoicing arrangements are agreed to with the customer and a process to ensure deferral of un-earned revenue is implemented)
Control Owner: Stephen Hurst
Control Frequency: Daily
Control Type: Detective
Manual / System: Manual
Population Sample / Ratio: 6.095m of 6.861m / 89% / 25 of 47 / 53%
Test Reference Tab # Name: R&R CA 03
Rollforward Test Status: Effective
Goals & Challenges
10. Internal Audit Report
BLSS Manchester, UK
Field Work Dates: September 30th – November 29th
Final Report Date: December 2nd
Table of Contents
Audit Key Steps
Executive Summary
Appendix I – Summary of Key Controls by Process
Appendix II – Deficiencies
Appendix III – SOX Enterprise Scoping
Appendix IV – Background
Appendix V – Organization Charts
Appendix VI – Distribution
The team responsible for this audit, comprised of David Fernandes and Alex Byrne, would like to thank those individuals who contributed to this project, and particularly, employees who provided insights and comments as part of this audit.
Privileged and Confidential
Goals & Challenges
Very little time to complete report
11. Challenges
Building blocks of processes, roles and technologies were not properly established.
Management does not fully understand or accept their critical role and responsibilities.
Risks that the project will not achieve the desired outcomes.
Business owners fail to see the value of the process and terminate the audit program.
Understanding what data is required to support a specific test and obtaining a complete and controlled population of that data.
Decision Making & Communication
Data Analysis tools represent tremendous change for an organization:
Could be a very significant change for your team.
Effective communication of your vision for the change – and how it will impact the entire organization – is essential.
Be sure to include:
• the right people,
• the right time,
• the right levels.
Goals & Challenges
13. Design a Sustainable Controls Framework
Senior Management views controls as a necessary nuisance, making it difficult for CFOs / VP Finance or Compliance Officers and their teams to demonstrate how controls can add value to the business.
The business typically agrees with the accounting group about “why” controls are necessary, but disagrees about “how” to best implement them.
Large company control frameworks usually improve on a linear scale, but business complexity at small to midsized companies often increases exponentially.
Leverage Experience: Pair finance leaders with business leaders to ensure sufficient knowledge of the business and the risk environment.
Engage Business Leaders: Articulate the benefits of increased assurance to persuade business leaders to participate in controls updates.
Update Frequently: Revisit the framework at least twice a year (Interim & Roll Forward) or during periods of significant business change.
Goals & Challenges
14. TOPICS
YOUR EXPECTATIONS
GOALS & CHALLENGES
WHY ACL?
IMPLEMENTATION OVERVIEW
ACL GRC OVERVIEW
16. ACL is purpose-built for data analytics, with proven experience.
ACL can analyze 100% of the available data no matter how much.
ACL is read-only, ensuring data integrity and security.
ACL can read all data types no matter the source.
ACL has a log file that records every step.
ACL does not require users to be programmers.
Why ACL ?
17. IT Audit Benchmark Study 2009
The Gold Standard in Audit & Compliance Technology
[Charts: Data Analysis Software; Data Extraction Software; Continuous Auditing; Fraud Detection / Investigation. "Other" categories shown on the charts, in the order they appear:]
Other: Access, Business Objects, Crystal Reports, IDEA, Showcase, and internally developed software.
Other: Excel, Idea, In-house, Oracle, PeopleSoft, Proprietary, Showcase Query
Other: Active Data, DCMS, Hyperion, SAP, and SAS.
Other: Access, ActiveData, Crystal Reports, DCMS, DISSCO, Focus, Patriot Officer, PeopleSoft Queries, SAS, Showcase Query, and VIPs.
Why ACL ?
18. Data Analytics for ….
• Purchase to Payment: Duplicate payments, segregation of duties, requisition & purchasing limits, vendor master, etc.
• Purchasing Card: Invalid employees, duplicate purchasing cards, exceed transaction limit, etc.
• Travel & Entertainment: Transaction limits, split transactions, prohibited merchants, weekend & holiday transactions, etc.
• General Ledger: Validation of trial balance, duplicate journal entries, suspicious journal entries, reversed journal entries, etc.
• Payroll: Invalid/Unauthorized employees, overtime approval, retirement & termination, etc.
• Order to Cash: Prohibited customer, unauthorized discounts, credit limits, missing sales order, etc.
Why ACL ?
19. TOPICS
YOUR EXPECTATIONS
GOALS & CHALLENGES
WHY ACL?
IMPLEMENTATION OVERVIEW
ACL GRC OVERVIEW
20. Pre-Implementation
• Quantify the need for the software (scope, size, cost benefit).
• Decisions around platforms, vendors and timing.
• Engage Senior Management for support and sponsorship.
• Establish the framework of business requirements.
• Plan a smooth transition from research, testing to implementation.
IMPLEMENTATION OVERVIEW
21. The Audit Cycle
[Diagram labels: Planning; Document Requests; Data Analysis Tools; Current Working Papers; Document Results; Fieldwork; Review; Reporting; Follow-up; Organize Supporting Evidence; Identify Findings; Review & Sign-off; Track Status; Track Finding Remediation; Roll-forward; Risk Assessment; Audit Plan; Review Notes]
IMPLEMENTATION OVERVIEW
22. Right Sized Technology Adds More Business Value
Reduces Complexity and Increases Adoption & Usage
CATEGORY FULL WRITE READ
System Administrators
Audit Manager
Auditor
Business Partner / Process Owners : Request List Findings.
Executive Planning Findings
To Do List Results
Requests
External Reviewer: Planning Results
Findings
Flow of Information | Design Access Criteria
IMPLEMENTATION OVERVIEW
23. Flow of Information | Workpapers
[Diagram (BROOKS) labels: Overview; Audit Risks; Procedures & Plan; Execute Audit Plan; Processes; Quality; Risks & Controls; Narratives; Walkthrough; Testing; Findings]
Internal Control Audits:
Controls are identified and tested within processes - Identify Risk & Key Controls - Risk Control Matrix SOX, Financial, IT General Controls
Audits:
SOX Classification or Process | Operational
Capital / Fixed Assets | Travel & Entertainment
Financial Reporting / SEC | Excess & Obsolescence
Inventory / PI | FCPA / Compliance
Human Resources and Payroll | Entity Level Control
Purchasing & Payables | ITGC
Revenue & Receivables |
IMPLEMENTATION OVERVIEW
24. IMPLEMENTATION OVERVIEW
Issues
• Cost / Scope Creep
• Data Mining Knowledge
• IT Support
• Cost / Scope Creep
Costs Escalation
Services
Training
Modules
• Limited Data Mining Knowledge
IA knowledge and experience with data mining was very limited.
Difficult to allocate training time for new software.
• IT Support
How do we sustain the system after implementation? Leverage IT, make them a partner.
Who owns the system? IT
Who are the stakeholders? Finance, Operations, IT
Pace of implementation ?
25. Implementation
• Ensure you have effective management of the effort; consider using a Project Manager.
• Conflict Management: Resolve issues – planned and unplanned – as they arise.
• Take the time to adequately manage the….
i. Project - Data management.
ii. Timeframe - Change management and training.
iii. Budget – Watch for Scope Creep.
IMPLEMENTATION OVERVIEW
26. Pitfalls
• Identify your key business areas that require data analysis and your key audit objectives.
a) Involve your business partners.
b) Set up a data warehouse for testing.
• Converting operational audit objectives into information systems objectives.
• Converting application system files to ACL readable format; audit program design specification.
• Detailed audit program design; audit process automation.
• Writing ACL scripts for the audit programs; ACL script testing; script documentation.
a) Due to the variety of formats and customized audit files, migration of data must be looked at carefully.
b) Analyzing data using some of the features of CAAT (e.g., stratify, filter, summarize, reports, logs).
c) Linking data tables - ensure that you have an IT resource to assist you.
d) Using filters, computed fields, and extractions.
e) Modification to the infrastructure may lead to data leakages – identify risk zones within each area.
f) Periodic review of the implemented scripts to assess their ability to meet audit objectives in light of changes in the operating business environment.
g) Reformulating audit objectives to address new and emerging business issues.
h) Identifying the relevant application system files to be used in new batch design.
i) Developing and testing new scripts, and
j) Implementation of the latest and current batches.
Planning and Execution Pitfalls to Avoid
IMPLEMENTATION OVERVIEW
27. Scope Management
1. Develop a scope management plan:
Effective pre-implementation communication should make the transition a smooth event.
Ensure stakeholders understand the project vision.
2. Implement change management and stick to it, as many activities will overlap during the testing and implementation processes.
3. Ensure effective implementation management so that movement from one activity to another is well-controlled and anticipated:
Define requirements, objectives, deliverables – watch for data integrity, false positives.
Fight the urge to bring in ‘everything’ - Bring in only what you need!
Training
1. Ensure that you understand user training requirements; talk to HR and IT.
2. Develop training plan and strategy.
3. Deliver interactive training; use video etc. and detailed documents... Idiot's Guide
Transition to Implementation
IMPLEMENTATION OVERVIEW
29. IMPLEMENTATION OVERVIEW
Actions
• IT Support
IT Participation and involvement.
Joint ownership and encourage staff to take responsibility for influencing the change.
IT Facilitation and support.
Scheduled and automated data extractions at off-peak hours.
• Cost / Scope Creep
Negotiation and agreement.
Involvement of stakeholders.
Tight control of system requirements.
Limited Training.
• Data Mining Knowledge
Focused on in house training.
Pilot demo to ascertain strengths and weaknesses.
30. Provides a standardized workflow, ensuring consistency across the team.
Audits will be centralized, saving time in one easy-to-find place for everyone to access, including external auditors.
Automatically rolls up time tracked, status and findings, eliminating manual reporting.
Manages Document Request Lists, tracking all requested items and sending reminders via email to clients or business owners.
Manages team collaboration. Review notes and comments between staff and reviewer, or between team members when multiple staff are assigned to work the same section or objective.
Each project captures all system activity and is viewable on the project dashboard. The activity log is viewable in Excel when you back up and download your project.
Each audit has its own structure, milestones and workflow. Each milestone within each audit has a review and sign-off function. Sign-offs and reviews are tracked.
Sign-offs and reviews can be performed at the section level, or the control level.
Implementation Benefits
IMPLEMENTATION OVERVIEW
31. TOPICS
YOUR EXPECTATIONS
GOALS & CHALLENGES
WHY ACL?
IMPLEMENTATION OVERVIEW
ACL GRC OVERVIEW
32. Identify and Prioritize your company’s key controls.
Develop a structured way to collect on the impact and effectiveness
Continuous Auditing & Monitoring
No more excuses!
34. Access and analyze complete data populations with ease and 100% coverage for superior assurance
Visualize, widely share and act on information uncovered in analysis testing across the business
Automatically distribute exceptions found during data analysis testing to multiple business stakeholders
An add-in for Microsoft Excel® designed for working with data results produced by analytic systems
Enterprise Continuous Monitoring
[Diagram labels: Enterprise Data; SQL; HR / Payroll; Workday; ERP; Dashboard; Exceptions; Data Warehouse; Add Ons]
Play 1. Dilbert The Importance of Strategies Video
Introduce an example of SOX compliance
PLAY 2. Dilbert Career Options, Leadership and Imaginary Things, More with Less and Wellness Factor
Setting parameters is very difficult… Need IT support and a clear vision on what control to monitor and how you will do so…
Let's look at 3 areas required to implement a Sustainable Controls Framework
Let’s look at the most recent IT Audit Benchmarking Study (2009) published by The IIA Research Foundation’s Global Audit Information Network. This represents feedback from leading internal audit departments globally.
You can see the commanding lead we have in the area of Data Analysis software…over 3 ½ times the share of our nearest competitor.
And this chart shows an even stronger position in Data Extraction Software, with an 8 fold lead over our next competitor.
Here we look at shares for Fraud detection and investigation. Our lead grows to 10:1 in this area.
And finally, here we look at the emerging need for Continuous Auditing. ACL is the primary solution used by 65% of respondents.
So clearly, our market penetration reflects our focus on this market…we understand your needs and the demands that you face
ACL analytics can be applied across multiple key business processes. Some examples of areas of investigation for each area include…
During the course of conducting and documenting audits, users can assign tasks & request items from users, export comprehensive documentation, upload any related files & documentation, track time, and a lot more in addition to what you see on this slide.
PLAY 3. Dilbert Unpleasant Realization and Steaming Pile of Failure 33 seconds
CHAD- Just an overview of what to expect in the demo.
Chad, we should be close to around 11:15 by now. If not, adjust pace accordingly