Compliance Made Simple™
PKF India
Continuous Control Monitoring Tool for Internal Control Effectiveness with case study in Hospitality
Professional Speaker Bios
Ramakrishnan (Ramki), a chartered accountant and graduate cost accountant from India, is also a certified SAP FICO consultant. He has diversified experience of over thirty years in the profession and has handled assignments in many parts of the world, from Australia to Argentina. He renders Assurance and Risk Advisory Services, and has also served on the Audit and Assurance board of ICAI. He is a member of the European Professional Standards Committee of PKF International. His skill set encompasses M&A assignments (international), attestation functions and strategic consulting.
Narasimhan (Narsi), a chartered accountant from India, is a multi-faceted expert with specialized knowledge in the hospitality industry, SAP consulting and information technology services. His expertise includes Enterprise Performance Management competency (Digital Transformation and Business Analytics), leading and delivering EPM transformation projects. He specializes in the design and implementation of Continuous Monitoring solutions for clients. He has also worked on cost optimization studies.
S. Ramakrishnan, Managing Partner PKF Sridhar & Santhanam
S. Narasimhan, Partner PKF Sridhar & Santhanam
Our inspiration
Google is doing a lot of revolutionary stuff – changing the world.
Larry Page says Google’s original mission “to organise world’s info. and make it universally accessible and useful” is “probably a bit too narrow!”
• What they are trying to do in life sciences is audacious and path breaking.
• They are trying to change medicine from ‘reactive to proactive.’
• Today we go to the doctor when ill – this is like changing oil in a car when it breaks down.
So enter nano particles.
• These are 1/2000th the size of a red blood cell and they will be painted with a protein or genetic material so they can bind themselves to say a cancer cell.
• You pop a pill which can course through people’s bodies; these can be concentrated through magnetized wearable devices that can be queried!
• The system would allow constant monitoring so that a whole host of diseases can be detected and treated well before they would, with existing diagnostic tools.
This inspired us to look at Proactive Auditing
Why CCM?
Fundamentals
• COSO framework suggests that monitoring is a timely assessment of the design and operation of controls
• To effectively manage risk and provide greater transparency in the monitoring process
Drivers of CCM
• Strategic Drivers
– Globalization driving pressure to improve governance & improve accountability
• External Drivers
– Regulatory requirement, increased business risk etc
• Operational Drivers
– ERP complexities, keenness to reduce cost of compliance, degeneracy in conduct of employees leading to possible misconduct etc
Framework for CCM Implementation
• Determine roles & responsibilities
• Identify key performance indicators to be monitored at transaction level and process level
• Understand level of process control
• Identify tests to be carried out
• Identify data source
• Apply Technology
• Follow up and refine
Framework elaborated
Source: ACL
Possible sub-frameworks
• Broadly three categories of sub-frameworks can be deployed
– Descriptive Statistics & monitoring
  • Measures of central tendency. The mean, median, and the mode are often used to relate and identify non-compliance with policies
  • Measures of the variability or the spread of the numbers. This set includes the minimum and maximum, the interquartile range, and the range (the maximum minus the minimum amount). The minimum amount might yield investigative insights if the number was negative in a data set that should not contain negative numbers (e.g., wages, inventory counts, coupon or rebate amounts, or odometer readings).
  • The shape of the distribution of the data
– Relative Size Factor Test
  • Difference between largest record in subset to second largest record
  • Logic and aim is to detect errors and frauds on real time basis along with reasonableness test.
– Subset Duplicates
  • Duplicates of same-same-same (exact duplicates) / same-same-different (close duplicates) are routinely applied
  • Duplication within subset is unique. The Subset Number Duplication (SND) test identifies excessive number duplication within subsets. This test works well in situations where excessive number duplication might signal that the numbers have been invented, which might be a red flag for fraud.
Source: Mark J Nigrini
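The Relative Size Factor and Subset Number Duplication tests listed above, run per vendor subset, as an added example that is not code from the presenters or from any tool they name. It assumes RSF is measured as the ratio largest / second largest, scores duplication as the sum of squared repeat counts over n², and uses constructed payments and hypothetical thresholds.

```python
from collections import Counter, defaultdict

# Constructed sample ledger of (vendor, invoice amount); not data from the deck.
PAYMENTS = [
    ("V001", 1200.00), ("V001", 1150.00), ("V001", 11800.00), ("V001", 1225.00),
    ("V002", 480.00), ("V002", 510.00), ("V002", 495.00),
    ("V003", 999.00), ("V003", 999.00), ("V003", 999.00), ("V003", 250.00),
    ("V004", 75.00),
]

def by_subset(rows):
    """Group amounts by subset key (here the vendor)."""
    groups = defaultdict(list)
    for key, amount in rows:
        groups[key].append(amount)
    return groups

def relative_size_factor(rows):
    """RSF per subset, taken here as largest / second-largest amount (assumption).
    Single-record subsets and non-positive runner-ups are skipped."""
    result = {}
    for key, amounts in by_subset(rows).items():
        if len(amounts) < 2:
            continue
        largest, second = sorted(amounts, reverse=True)[:2]
        if second > 0:
            result[key] = round(largest / second, 2)
    return result

def number_duplication(rows):
    """SND score per subset: sum of squared counts of repeated amounts / n^2.
    0.0 means no amount repeats; 1.0 means two or more records all share one
    amount. The scoring formula is an assumption made for this example."""
    result = {}
    for key, amounts in by_subset(rows).items():
        repeats = [c for c in Counter(amounts).values() if c > 1]
        result[key] = sum(c * c for c in repeats) / len(amounts) ** 2
    return result

def exceptions(rows, rsf_limit=5.0, snd_limit=0.5):
    """Subsets breaching either (hypothetical) threshold, for follow-up."""
    flagged = [(k, "RSF") for k, v in relative_size_factor(rows).items() if v >= rsf_limit]
    flagged += [(k, "SND") for k, v in number_duplication(rows).items() if v >= snd_limit]
    return sorted(flagged)

if __name__ == "__main__":
    for vendor, test in exceptions(PAYMENTS):
        print(vendor, test)
```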
Possible areas of CCM – 1
Order to Cash
• Customer Management Compliance – By mapping new customer orders created with existing ones and running descriptive statistics and relative size to ensure all abnormal items are compiled as per SOP. This includes due diligence of new customers, KYC norms compliance, tax compliance etc.
• Pricing policy compliance – Similar to above, but checks to be done in tandem with SOP / policies fit in to ERP configuration. Many checks can be done, like certain customers always in the lower band of limits fixed and certain customers in the higher end of the price band. Analysis in sync with quantity offtake (like lower band for lesser quantity and higher band for larger quantity!) etc.
• Scheme / commissions / sales promotion – Check compliance on real time basis with new orders being created.
• Credit control – Adherence, need for revision / limit busting / exception handling as per SOP, and whether deviation approvals have become a rule (like count of deviations approved in a day to total number of orders in a day, both in count and also in value). Look for patterns in customers: is it happening in only certain customers or in certain product groups / subsets?
• Delivery scheduling – Compliance with customer delivery schedule acceptance. Look for potential slippages (alerts) rather than do a review post slippage. Also look for patterns in customers and product groups on a daily basis.
Possible areas of CCM – 2
Procure to Pay
• Data integrity compliance: De-dup monitoring for all new vendor masters created (both in MM module and AP module) (if it is not in line with existing ERP controls).
• Reasonableness compliance: On a daily basis, any quantity exceeding the normal quantity in requisition, being beyond average number of days consumption (production norms or sales norms) – approval deviations – monitoring both limit busting (exceptions becoming rule) and also quantities closer to upper limit (just a notch less than highest limit).
• Compliance with contract terms – In case of contracted materials with contracted vendors, we can set alerts for non-compliance regarding purchase of materials or services from non-contracted vendors at the stage of PO itself.
• Price monitoring – Efficiency and also compliance – In case new purchase price is more than a certain % of existing moving average price or previous purchase price, CCM can be used to track the same and monitor price escalations at the stage of PO placement itself.
• Compliance with Tax codes / input credit possibility – Run CCM at PO stage itself to ensure tax code is correctly mentioned in PO with the master list of items so that input credit is taken.
• Value limit compliance – LOA level compliance / unit level limits / material level limits
Possible areas of CCM – 3
Payables
• Duplicate Payments
• Employee vendor mismatch
• Vendor Data Completeness
• Split PO’s and Split Transactions
• Excessive Claims/Unauthorized expenses
• Suspect Expense by dates and time (Weekends, Holidays, midnight)
• Inactive vendors
• Transactions with Blacklisted
Possible areas of CCM – 4
Expenses Control
• Sales promotion expenses – upon incurrence / approval to link with scheme and continuously monitor.
• Travel expenses – same city different person / same person different city comparisons and alerts based on limits (relative size)
• Repairs & Maintenance – Asset wise control can be monitored if it is recorded in ERP. Then CCM can ensure compliance with internal SOPs
• Taxes – ensure correctness of taxes including VAT, employee related taxes / dues like social security etc
• Ensuring that freight outward is linked to customer order and policies of the company
Possible areas of CCM – 5 FCPA Compliance
Example tests for gifts, entertainment and charitable contributions
• Identification of
– multiple gifts to a single individual
– entertainment of government affiliated individual
– Segregation of Duties violations: E.g., Submitter vs. Approver (Travel & Entertainment)
– unauthorized Travel & Expense cards
– charitable contributions to suspect organizations
Example tests for suspicious activities
• Identification of
– bonuses or commissions of unusual quantity or timing
– vendors where alternate payee names have been flip-flopped within X days
– One-time vendor payment more than the threshold value
Example tests for general indicators
• Identification of
– Payments to “Risky” vendors / partners in high risk jurisdictions
– Checks made to “cash”
– High volume of cash transactions
– Payments made from out of country bank accounts or sent outside the country of operation
– Vendors where bank accounts have been flip-flopped within X days
Possible areas of CCM – 6 Expenses Controls
Example tests for payments to agents, consultants, and other payments
• Use of new attorney / accountant / agent / consultant with no prior relationship
• Identification of payments made following manual overrides in the system
• Identification of payments classified as government expenses
• Identification of frequent use of one-time vendor arrangements
• Detect payments made without reference documents
Example tests for suspicious GL activities
• Payments made following manual override in the system, such as direct manual postings to the GL
• Identify invalid or suspicious journal entries to temporary accounts
• Identify suspicious journal entry bookings at unusual times or flip-flopping
• Identify adjustments to accounts inactive for more than X days
CASE STUDIES IN HOSPITALITY
Industry specific - Hospitality
• Setting up an automated process to monitor revenue leakage based on
– Specific pattern of transactions
– Identified exceptional transactions
• In the process of identifying
– Potentially fraudulent / suspicious transactions
– Potentially non compliant transactions
• Identified exceptions recorded
– Requiring specific response from the appropriate management level
– Based on such response, action may be initiated
– Responses can be validated on sample basis by audit
• Detailed audit replaced with a much better exception based monitoring mechanism
• PKF India has effectively implemented these for various hotel chains
Possible room revenue control checks in Hotels
• Following checks can be automated using any soft tool
– Negative postings
– Allowances after checkout / Settlement
– Lost Postings
– Day use exception
– Multiple Login Failure
– Reinstatements No shows
– All Transfers
– All Splits
– Discount amount changes / Rate changes
– Reinstated Folios
– Missing room revenue
– AR invoice transfer
* This is an indicative list and customization of exceptions is done as per requirement
Case study- 1 Exceptions - Sequence-based tests
Analyze sequence of allowances / paid outs in every guest folio, in connection with the time of check-out
Identify and report instances where allowances / paid outs have been posted in the guest folio after check-out.
Why check this?
cash. She does not wait for her bill. Now, the cashier handling her billing makes an allowance of $ 1000 in her folio at 1:18 and shows the cash settlement at only $ 5000. Thus, cash of $ 1000, can be misappropriated and the only clue is the out
Or, maybe, a paid out has been posted in the folio after the guest has departed, her signature on the paid out being forged. This will be brought to light by checking Adjustments after checkout
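The sequence-based test above, as an added example that is not the presenters' implementation: it compares each allowance or paid-out posting with the folio's check-out time and summarises the exceptions by user. The folio numbers, posting-type codes, user ids and timestamps are constructed, and the field layout is an assumption about what a PMS extract provides.

```python
from datetime import datetime

# Constructed sample data (not from the deck). None = guest still in house.
CHECKOUTS = {
    "F1001": datetime(2014, 11, 3, 13, 5),
    "F1002": datetime(2014, 11, 3, 11, 40),
    "F1003": None,
}
POSTINGS = [  # (folio, posted_at, posting type, amount, user id)
    ("F1001", datetime(2014, 11, 2, 20, 15), "ROOM", 3000.0, "night_audit"),
    ("F1001", datetime(2014, 11, 3, 13, 18), "ALLOWANCE", -1000.0, "cashier07"),
    ("F1002", datetime(2014, 11, 3, 9, 30), "ALLOWANCE", -150.0, "cashier02"),
    ("F1002", datetime(2014, 11, 3, 12, 5), "PAID_OUT", -400.0, "cashier07"),
    ("F1003", datetime(2014, 11, 3, 14, 0), "ALLOWANCE", -50.0, "cashier02"),
    ("F1999", datetime(2014, 11, 3, 15, 0), "PAID_OUT", -80.0, "cashier07"),
]
WATCHED = {"ALLOWANCE", "PAID_OUT"}  # hypothetical posting-type codes

def adjustments_after_checkout(postings, checkouts, grace_minutes=0):
    """Return watched postings made after the folio's check-out time.
    A posting against a folio missing from the check-out extract is reported
    too, because the sequence cannot be verified for it."""
    found = []
    for folio, posted_at, kind, amount, user in postings:
        if kind not in WATCHED:
            continue
        if folio not in checkouts:
            found.append((folio, kind, amount, user, "FOLIO_NOT_IN_EXTRACT"))
            continue
        checked_out = checkouts[folio]
        if checked_out is None:
            continue  # still in house: the adjustment precedes check-out
        minutes_late = (posted_at - checked_out).total_seconds() / 60
        if minutes_late > grace_minutes:
            found.append((folio, kind, amount, user,
                          f"{minutes_late:.0f} min after check-out"))
    return found

def exposure_by_user(found):
    """Count and absolute value of exceptions per user id, to show concentration."""
    summary = {}
    for _folio, _kind, amount, user, _why in found:
        count, value = summary.get(user, (0, 0.0))
        summary[user] = (count + 1, value + abs(amount))
    return summary

if __name__ == "__main__":
    hits = adjustments_after_checkout(POSTINGS, CHECKOUTS)
    for hit in hits:
        print(hit)
    print(exposure_by_user(hits))
```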
Case Study 2 - Unaccounted / Missing Revenue
By Omission & Transfer
• 1st Guest has a room charge in his account
• 2nd Guest room charge changed to NIL
• Cash Collection from First Guest - misappropriated
• Transfer room charge from first guest to second guest
• Collection from second guest set off against first guest’s charge
Option Misused
• Modify Rate / Rate Code
• Transfer Posting
How to check??
Run a query for:
• Identification of transfers made between unrelated folios, unauthorized rate changes.
• Identify room revenue not billed by comparing daily guest in-house details from PMS to billing details, as accounted
Case Study 3 - Misappropriation of Cash
• Hotel has advance collection policy for room charges
• Guest may short stay
• Guest is told that advance paid is non-refundable
• Few charges in the Folio are allowanced
OR
• Refund of Advance collected
• Refund is recorded with forged guest signature in cash pay out
Option Misused
• Allowance
• Refund
Case study- 4 Pattern based testing
Data Analytics by auditors
❑ Auditors decided to undertake data analytics
❑ During the various analyses they did, they found that some Buffet Breakfasts were being billed at noon / night…
❑ Then a more focused analysis was undertaken for a long period which showed that
▪ It was all on week days
▪ It was for 4-5 pax on each day – one such bill only
▪ All of these were by the same steward! Also, on all week days when there was no such case, it was noticed, the steward was on leave or was off duty!
How to identify?
Segregate all buffets billed during lean hours and then analyze pattern with user ID and date. With the volume of transactions, CCM is the best way to identify such transactions
Shift wise menu availability not configured - Resulted in Buffet Breakfast being available for selection during lunch / dinner time. Difference in rate between B/fast and lunch / dinner was significant
The smart operator – one steward, identified this and started using this to his benefit. Arranged with a group of regular customers to bill only as Buffet Breakfast. Obviously for personal gain…
Case study- 5 Duplicate bill reused
❑ Most restaurant software provides for re-printing of the bill already prepared
❑ This is many a time misused, especially where buffet is involved or where similar order is frequent
❑ The same bill is re-printed and the cash collected from the second customer is pocketed and does not have to be accounted for!
❑ A special engagement to test for frauds identified this, when they noticed that there were many instances of re
Use CCM to identify these
From the whole list of reprints, run a query to identify only reprints after settlements. Further break the list by mode of settlement to identify reprints after cash settlements - High Risk and Possible fraud transactions!!!
Case study- 6 Automate reconciliation reports
❑ Bar was conspicuously having tallied stock, nearly always
❑ A detailed investigation revealed that excess stocks were being sold and cash pocketed by the Barmen
❑ Daily a few shots were not being billed by the Barmen and related cash collection pocketed
❑ Bar stocks were not being reconciled on a daily basis
❑ So, excess stocks were not identified daily
❑ By the time the monthly stock verification in Bar happened most excess stocks have been converted to cash and pocketed!!
Automate daily stock reconciliation reports
Compare consumption with Sales as per Point of Sale
Case study- 7 Identification of duplicates
Implementing “similar fuzzy-matching” instead of exact matching yields an approach more accurate and powerful than many.

Report   Invoice #   Invoice Date   Vendor      Amount
EEEE     Exact       Exact          Exact       Exact
EEED     Exact       Exact          Exact       Different
EEDE     Exact       Exact          Different   Exact
EDEE     Exact       Different      Exact       Exact
DEEE     Different   Exact          Exact       Exact

Different dates; same vendor, invoice num and amt
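The report codes in the table above, produced by comparing invoice pairs after normalising invoice numbers and vendor names, shown as an added example that is not from the presenters or any named tool. The normalisation rules stand in for the slide's "similar fuzzy-matching" and are assumptions, and the invoices are constructed.

```python
import re
from itertools import combinations

INVOICES = [  # constructed sample: (row id, invoice #, invoice date, vendor, amount)
    (1, "INV-00123", "2014-10-01", "Acme Supplies Ltd.", 5400.00),
    (2, "inv 123", "2014-10-01", "ACME SUPPLIES LTD", 5400.00),
    (3, "INV-00123", "2014-10-15", "Acme Supplies Ltd.", 5400.00),
    (4, "INV-00456", "2014-10-02", "Bright Linen Co", 820.00),
    (5, "INV-00457", "2014-10-02", "Bright Linen Co", 820.00),
    (6, "INV-00900", "2014-10-09", "Coastal Foods", 310.00),
]

def norm_invoice_no(value):
    """Upper-case, drop punctuation/spaces, drop leading zeros of each digit run."""
    value = re.sub(r"[^A-Z0-9]", "", value.upper())
    return re.sub(r"(?<!\d)0+(?=\d)", "", value)

def norm_vendor(value):
    """Case- and punctuation-insensitive vendor name."""
    return re.sub(r"[^a-z0-9]", "", value.lower())

def key_fields(row):
    """Comparable fields in the report's column order:
    invoice #, invoice date, vendor, amount (in cents)."""
    _row_id, number, date, vendor, amount = row
    return (norm_invoice_no(number), date, norm_vendor(vendor), round(amount * 100))

def duplicate_report(rows, max_different=1):
    """Label every pair E (exact) or D (different) per column and keep pairs
    with at most max_different differing columns: EEEE, EEED, EEDE, EDEE, DEEE.
    The pairwise comparison is quadratic, which suits a daily batch of new
    invoices rather than a full ledger."""
    report = []
    for a, b in combinations(rows, 2):
        pattern = "".join(
            "E" if x == y else "D" for x, y in zip(key_fields(a), key_fields(b))
        )
        if pattern.count("D") <= max_different:
            report.append((a[0], b[0], pattern))
    return report

if __name__ == "__main__":
    for first, second, code in duplicate_report(INVOICES):
        print(first, second, code)
```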
Case study- 8 Identification of suspicious vendors
We are potentially his only customer
Identification of Unbroken invoice sequence using CCM
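One way to run the unbroken-sequence check named above, as an added example that is not the presenters' code. It assumes the trailing digits of a vendor's invoice number are a serial, so a vendor whose invoices to us are all consecutive has apparently billed nobody else in between; the vendor names, invoice numbers and the minimum-invoice threshold are constructed.

```python
import re
from collections import defaultdict

RECEIVED = [  # constructed sample: (vendor, invoice #, invoice date in ISO format)
    ("Harbor Print", "HP-0101", "2014-07-03"),
    ("Harbor Print", "HP-0102", "2014-08-11"),
    ("Harbor Print", "HP-0103", "2014-09-02"),
    ("Harbor Print", "HP-0104", "2014-10-20"),
    ("City Laundry", "CL-5520", "2014-07-05"),
    ("City Laundry", "CL-5688", "2014-08-07"),
    ("City Laundry", "CL-5901", "2014-09-04"),
    ("City Laundry", "CL-6110", "2014-10-06"),
    ("Quick Fix", "QF-77", "2014-09-01"),
]

def serial(invoice_no):
    """Last run of digits in the invoice number, or None if there is none."""
    match = re.search(r"(\d+)\D*$", invoice_no)
    return int(match.group(1)) if match else None

def sequence_profile(rows, min_invoices=3):
    """Per vendor: invoice count and share of date-ordered steps that are +1.
    Vendors with fewer than min_invoices usable invoices are not profiled."""
    per_vendor = defaultdict(list)
    for vendor, number, date in rows:
        value = serial(number)
        if value is not None:
            per_vendor[vendor].append((date, value))
    profile = {}
    for vendor, items in per_vendor.items():
        if len(items) < min_invoices:
            continue
        serials = [value for _date, value in sorted(items)]
        steps = [later - earlier for earlier, later in zip(serials, serials[1:])]
        share = sum(step == 1 for step in steps) / len(steps)
        profile[vendor] = {"invoices": len(serials), "consecutive_share": share}
    return profile

def unbroken_vendors(rows, threshold=1.0):
    """Vendors whose consecutive share meets the (hypothetical) threshold."""
    profile = sequence_profile(rows)
    return sorted(v for v, p in profile.items() if p["consecutive_share"] >= threshold)

if __name__ == "__main__":
    print(unbroken_vendors(RECEIVED))
```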
Methods of implementing CCM With Response Management
Technology that can be used
• Microsoft Excel – Basic entry level
• ACL
• IDEA by Caseware
• SQL based program (or any RDBMS)
• Technology chosen is based on cost / benefit….
Cost / Benefit of control using Continuous Monitoring
Control Compliance Analysis
• Free 1 hour assessment
• Email: [email protected]
Sonia Luna
Partner & Founder Aviva Spectrum
Office (213) 250-5700
Cell (323) 828-5862
To Conclude
CCM is not about what software one needs to buy!!
It’s about having a methodology that defines
– What you are trying to do and
– how do you do it now and
– how you are going to do in future!!!
Continuous Monitoring FREE RESOURCES
November 12th, 2014
Community & Sharing
Risk Assessments
Join Our LinkedIn Group
COSO Framework Discussion & Webinars
https://www.linkedin.com/groups/COSO-Implementation-4888186/about
Technical Community sharing Ideas, Templates, WEBINARS, Advise and Learn from others implementing new framework.
Share your latest templates here!
Control Compliance Analysis
COSO Transition
1. Top Transition Failures (Case Studies)
2. Audit Evidence required
3. Priority Driven by Principles
PCAOB, IIA & SEC Guidance
1. Latest PCAOB Internal Control Standards
2. IIA Incorporated Top 7 IC Failures
3. SEC Guidance for Mgmt on Internal Controls
[email protected]: CCA Reservation 5
Control Compliance Analysis (“CCA”)
Email us for 5 SPOTS ONLY: [email protected]
Subject: CCA
CCA
Report
Benchmark
In-take
Q & A session (5 – 8 Min)
CONNECT: www.linkedin.com/in/sonialuna
SLIDES: www.slideshare.net/soxppt
VIDEOS: http://avivaspectrum.com/webcasts