Presented at ACFE conference. Long gone are the days when organizations could afford to treat each risk, fraud and compliance issue as an individual problem and allow business processes, employees and systems to operate in silos. In order for businesses to activate robust fraud detection, diverse teams of fraud investigators, internal auditors, enterprise risk management specialists, business executives and compliance officers must work in unison; each brings a unique perspective and skill set that can be invaluable to the organization. One approach we’ll examine is the Three Lines of Defense Model where management control is the first line of defense in risk management. The various risk control and compliance functions are the second line of defense, and independent assurance is the third. Each team or “line” plays a distinct role to achieve organizational objectives. You Will Learn How To: 1. Make a business case for collaboration while remaining true to the principles of your profession 2. Derive business benefits from risk management and internal audit working collaboratively to fulfill their second and third line of defense mandates 3. Tailor the Three Lines Defense Model to fit your organization SLIDESHARE: www.slideshare.net/CaseWare_Analytics WEBSITE: www.casewareanalytics.com BLOG: www.casewareanalytics.com/blog TWITTER: www.twitter.com/CW_Analytic

1. THE THREE LINES OF DEFENSE MODEL &
CONTINUOUS CONTROLS MONITORING
DEFENSE IN DEPTH

2. AGENDA
• The Three Lines of Defense model
• Continuous Controls Monitoring (CCM)
• Case studies of CCM at each line of defense

3. THREE LINES OF DEFENSE MODEL
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

4. FIRST LINE OF DEFENSE
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

5. OPERATIONAL MANAGEMENT
• Own and manage risks
• Design and implement internal controls
• Responsible for maintaining effective controls

6. SECOND LINE OF DEFENSE
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

7. RISK MANAGEMENT & COMPLIANCE
• Help build and monitor first line of defense
• Ensure compliance with regulations
• Financial risks and reporting requirements
• Identify changes in risk appetite

8. THIRD LINE OF DEFENSE
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

9. INTERNAL AUDIT
• Provide senior management with assurance
• Monitor the effectiveness of the first and second lines of
defense
• Independent

10. COORDINATING THE THREE LINES
First Line of Defense Second Line of Defense Third Line of Defense
Risk Owners/Managers Risk Control and Compliance Risk Assurance
• Operating
management
• Limited independence
• Reports primarily to
management
• Internal audit
• Greater independence
• Reports to governing
body

11. AGENDA
• The Three Lines of Defense model
• Continuous Controls Monitoring (CCM)
• Case studies of CCM at each line of defense

12. VISION FOR CCM
• Know the state of any control in the business
• Resolve identified breaches before impact
• Provide an unparalleled ROI

13. THE IMPORTANCE OF MONITORING
COSO Guidance
(effective controls
systems must include
monitoring)

14. ROLE OF CCM
• Independent monitoring of automated and partially
automated controls
• Continuous detection of breaches
• Transparency in detection and remediation
• Address IT concerns
• Collaborative approach to timely remediation

15. EXAMPLE
Risk: Invoices may not be valid and/or properly authorized
Control Activity: Matching invoices to goods receipt
Owner: Category Management
Method: Partially automated
Type: Preventative
Frequency: Recurring
COSO Component: Control activities

16. PROPERTIES OF CCM TESTING
Frequency: Daily
Detect: Any non-compliance over and below the threshold
Assignment: Category Management
Deadline: Resolve same day
Evidence: Due diligence performed on those over the threshold and any
other exceptions detected
Value: Ensure that control effectiveness is sustained at a high level

17. CCM AT EACH LINE OF DEFENSE
• Effectively monitor internal controls at the first and second
lines of defense
• Allow the third line of defense to be confident in its
assurance role
• Create a remediation process that minimizes the impact of
a control breakdown
• Provide evidence of due diligence for external auditors and
regulators

18. AGENDA
• The Three Lines of Defense model
• Continuous Controls Monitoring (CCM)
• Case studies of CCM at each line of defense

19. FIRST LINE OF DEFENSE
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

20. ENERSOURCE
• Canadian Energy Company since 1917
• Third largest in Ontario
• Over 200,000 residential and commercial customers
• Provides electrical infrastructure design, construction,
operations support, and maintenance

21. REPUTATIONAL RISKS

22. FINANCIAL RISKS

23. VERIFICATION OF BILLS
• Reputational risk is the primary concern
• Was using an in-house MS Excel system to verify the
accuracy of bills
• Upgraded to smart meters in 2009
• Challenges
• Took 5 hours to process a batch of bills
• Exceptions manually circulated by email
• Impossible to track resolution
• Labor intensive to make changes

24. THE CCM SOLUTION
• Independently calculate bills and identify inaccuracies
• Extract data from other sources—not just billing system
• Sent exceptions in XML format to bill print system for those
bills not to be printed
• Engaged users in the Billing Department to resolve issues
• Validate corrections made in core systems
• Maintain history of exceptions and actions taken to resolve
them

25. RESULTS
• Has not had a single public incident
• Accuracy of billing improved significantly
• Billing anomalies automatically distributed
• Bills verified in less than 5 minutes (not 5 hours)
• Bills sent out same day—improving cash flow
• Evidence retained for regulators/auditors
• Labor-intensive manual reviews were eliminated

26. SECOND LINE OF DEFENSE
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

27. CHRISTIES AUCTION HOUSE
• Founded in 1766 by James Christie
• 53 offices in 32 countries
• Prices range from $200 to $80 million

28. CHALLENGES
• Risk and compliance group mandated to review 100% of
transactions
• Primary area of concern is client accounting
• Need to ensure that fees and charges are accurate
• Need to involve the business in timely remediation

29. THE CCM SOLUTION
• Implemented for 40 key controls
• Monitor transactions near real time
• Covering multiple locations (UK and New York)
• Phase I started in risk and compliance then rolled out to
the business

30. PHASE II—CUSTOMER SCREENING
• Important to meet regulatory requirements
• AML and KYC compliance
• Integrate with World-Check sanction list data for screening

31. THIRD LINE OF DEFENSE
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

32. METCASH
• A leading marketing and distribution company
• Operating in the grocery, liquor, and hardware
wholesale industries
• Turnover of $12 billion
• 5,000+ employees
• Market cap $3.2 billion

33. CHALLENGES
• Several disparate systems
• Many audit scripts
• Emailing exceptions in Excel
• SAP generating many exception reports
• Business struggling to cope

34. THE CCM SOLUTION
• All analytics built in-house by CM Team
• Covered 30 key controls to start
• CCM implemented for Purchase to Payment in Phase I
• Expanded to the retail business processes in Phase II
• Adopted as central exception management system
(including SAP reports)

35. RESULTS
• Started in internal audit
• Rolled out to business users
• Use action/reason codes to facilitate root cause analysis
• Daily examination of processes
• First-year results:
• 5.5 billion transaction covered
• $1.8 million in savings

36. CONCLUSION
• Internal control effectiveness is positively impacted by
collaboration
• That covers collaboration at all three levels
• CCM is a compelling vehicle to facilitate a collaborative
process

37. THE THREE LINES OF DEFENSE MODEL &
CONTINUOUS CONTROLS MONITORING
DEFENSE IN DEPTH
Visit casewareanalytics.com
Email connect@caseware.com