1. The document discusses moving up the maturity curve towards more continuous controls and continuous risk assessment. It outlines a basic maturity model with levels related to people, process, technology, and governance. 2. Implementing continuous auditing requires changes across people, processes, technology, and governance. Large steps are rarely possible, but small initial changes can help organizations progress. 3. Leading companies are using continual risk assessment, visualization, and customized monitoring platforms to improve controls and risk assessment. Regularly updating outlier dashboards can serve as a top-level report.

7. Continuous Auditing is a hot topic for today’s Audit leader - but what is Continuous? Continuous auditing and continuous monitoring become “right time” when the timing and frequency of evaluation matches business requirements. What frequency is right for your revenue transactions? Supply chain? ** Source: 2006 State of the Internal Auditing Profession Copyright PricewaterhouseCoopers LLP 2006 Continuous auditing / continuous monitoring programs Today’s continuous auditing frequency Market View of Continuous Auditing Visual Risk IQ is a leader in Continuous Auditing and Monitoring © 2007 Visual Risk IQ, LLC, All Rights Reserved

9. Implementing continuous auditing across an internal audit methodology is not just about technology… Enterprise Audit Projects The audit process Visual Risk IQ – GRC thought leadership, practically applied © 2008 Visual Risk IQ, LLC, All Rights Reserved Technology Technology

10. … it’s about a model that acknowledges the impact of People, Audit Process and Governance also. Enterprise Audit Projects The audit process Visual Risk IQ – GRC thought leadership, practically applied © 2008 Visual Risk IQ, LLC, All Rights Reserved People Technology Governance Audit process People Technology Governance Audit process

11. A basic continuous auditing maturity model The audit process – a maturity model approach Visual Risk IQ – GRC thought leadership, practically applied © 2008 Visual Risk IQ, LLC, All Rights Reserved Basic practices Level 2 practices Better practices Continuous auditing People Staff has some basic data literacy. Knows how to ask IT for information. Some IT- and data-specific specialists are accessible, either in-house or as consultants Audit staff and leaders are IT- and data-literate. Little distinction between IT audit and financial / operational audit people No need for ad hoc data acquisition - CA and CCM systems are well-integrated into finance and operations Technology Basic data capture and analysis using MS-Office or ERP Query tools. Heavy reliance on Corporate IT Some re-usable scripts exists and are used on-demand for relevant audit projects Scripts are stored, scheduled, and run at appropriate intervals Continuous auditing and monitoring technologies contribute to all audit steps Governance Business is reactive to requests from Internal Audit and usually helps in a timely way. Audit can access data directly IT consults with IA prior to making system changes that are known to affect IA. Data driven early warning / risk alerts include both business and controls / audit implications. Audit methodology Risk assessments are conducted annually Risk assessments are conducted more frequently than annually Risk assessments consider objective and subjective data. Gaps between objective and subjective assessments are highlighted Risk alerts are embedded into the IA methodology and drive specific responses real-time

12. Moving up the curve can rarely done in large steps The audit process – a maturity model approach Visual Risk IQ – GRC thought leadership, practically applied © 2008 Visual Risk IQ, LLC, All Rights Reserved Basic practices Level 2 practices Better practices Continuous auditing People Staff has some basic data literacy. Knows how to ask IT for information. Some IT- and data-specific specialists are accessible, either in-house or as consultants Audit staff and leaders are IT- and data-literate. Little distinction between IT audit and financial / operational audit people No need for ad hoc data acquisition - CA and CCM systems are well-integrated into finance and operations Technology Basic data capture and analysis using MS-Office or ERP Query tools. Heavy reliance on Corporate IT Some re-usable scripts exists and are used on-demand for relevant audit projects Scripts are stored, scheduled, and run at appropriate intervals Continuous auditing and monitoring technologies contribute to all audit steps Governance Business is reactive to requests from Internal Audit and usually helps in a timely way. Audit can access data directly IT consults with IA prior to making system changes that are known to affect IA. Data driven early warning / risk alerts include both business and controls / audit implications. Audit methodology Risk assessments are conducted annually Risk assessments are conducted more frequently than annually Risk assessments consider objective and subjective data. Gaps between objective and subjective assessments are highlighted Risk alerts are embedded into the IA methodology and drive specific responses real-time

13. Risk assessment should be the new centerpiece for the audit process Enterprise Audit Projects Risk Assessment Planning & Scoping Execution Planning & Scoping Execution Planning Planning & Scoping Execution Reporting Reporting Visual Risk IQ – GRC thought leadership, practically applied © 2008 Visual Risk IQ, LLC, All Rights Reserved Continual risk assessment

14. Visual reporting can help with Continual Risk Assessment and Continuous Controls Monitoring Corporate Data Visual Risk IQ – GRC thought leadership, practically applied © 2008 Visual Risk IQ, LLC, All Rights Reserved Continual risk assessment

15. Visual Risk IQ – GRC thought leadership, practically applied © 2008 Visual Risk IQ, LLC, All Rights Reserved Continual risk assessment What are other leading companies doing?

16. What are other leading companies doing? Visual Risk IQ – GRC thought leadership, practically applied © 2008 Visual Risk IQ, LLC, All Rights Reserved Continual risk assessment

17. Presentation to the Triad Chapter of the IIAVisual Risk IQ is a leader in Continuous Auditing and Monitoring © 2007 Visual Risk IQ, LLC, All Rights Reserved Regularly updated outlier dashboards can serve as a key top-level report for CRA / CCM Continual risk assessment

18. Another Client Example Individualized per division with drill-down capability… Continual risk assessment

19. Another Client Example, continued … turning data into meaningful information. Continual risk assessment

20. A good continuous controls monitoring platform The Platform Data Locker Reasoning & Analytics Engine Risk and Performance Checks Platform Data & Logs Visual Reporting / User Interface Systems of Record Workflow Engine Extract & Mapping Rules Workflow & Platform Configuration Extract, Map & Load Common Data Models Knowledge Maintenance Interface What does this look like at best in class companies? Visual Risk IQ is a leader in Continuous Auditing and Monitoring © 2007 Visual Risk IQ, LLC, All Rights Reserved

22. Joe Oringel (704) 752-6403 [email_address] Don Sparks 713-327-1877 [email_address] www.visualriskiq.com www.audimation.com Thank you! For more information or discussion, please contact Visual Risk IQ – GRC thought leadership, practically applied © 2008 Visual Risk IQ, LLC, All Rights Reserved