
Continuous Monitoring Webinar Aviva Spectrum


Page 1: Continuous Monitoring Webinar Aviva Spectrum

Compliance Made Simple™

PKF India

Continuous Control Monitoring Tool for Internal Control Effectiveness with case study in Hospitality

Page 2: Continuous Monitoring Webinar Aviva Spectrum


Professional Speaker Bios

Ramakrishnan (Ramki), a Chartered accountant and graduate cost accountant from India, is also a certified SAP FICO Consultant. He has diversified experience of over thirty years in the profession and has handled assignments in many parts of the world, from Australia to Argentina. He renders Assurance and Risk Advisory Services, and has also served on the Audit and Assurance board of ICAI. He is a member of the European Professional Standards Committee of PKF International. His skill set encompasses M&A assignments (international), attestation functions and strategic consulting.

Narasimhan (Narsi), a chartered accountant from India, is a multi-faceted expert with specialized knowledge in the hospitality industry, SAP consulting and information technology services. His expertise includes Enterprise Performance Management competency (Digital Transformation and Business Analytics), leading and delivering EPM transformation projects. He specializes in the design and implementation of Continuous Monitoring solutions for clients. He has also worked on cost optimization studies.

S. Ramakrishnan, Managing Partner PKF Sridhar & Santhanam

S. Narasimhan, Partner PKF Sridhar & Santhanam

Page 3: Continuous Monitoring Webinar Aviva Spectrum


Our inspiration

Google is doing a lot of revolutionary stuff – changing the world.

Larry Page says Google’s original mission “to organise world’s info. and make it universally accessible and useful” is “probably a bit too narrow!”

• What they are trying to do in life sciences is audacious and path breaking.
• They are trying to change medicine from ‘reactive to proactive.’
• Today we go to the doctor when ill – this is like changing oil in a car when it breaks down.

So enter nano particles.

• These are 1/2000th the size of a red blood cell and they will be painted with a protein or genetic material so they can bind themselves to say a cancer cell.

• You pop a pill which can course through people’s bodies ; these can be concentrated through magnetized wearable devices that can be queried!

• The system would allow constant monitoring so that a whole host of diseases can be detected and treated well before they would, with existing diagnostic tools.

This inspired us to look at Proactive Auditing

Page 4: Continuous Monitoring Webinar Aviva Spectrum

Why CCM?

Fundamentals

• COSO framework suggests that monitoring is a timely assessment of the design and operation of controls
• To effectively manage risk and provide greater transparency in the monitoring process

Drivers of CCM

• Strategic Drivers
  – Globalization driving pressure to improve governance & improve accountability
• External Drivers
  – Regulatory requirement, increased business risk etc.
• Operational Drivers
  – ERP complexities, keenness to reduce cost of compliance, degeneracy in conduct of employees leading to possible misconduct etc.

Page 5: Continuous Monitoring Webinar Aviva Spectrum


Framework for CCM Implementation

• Determine roles & responsibilities
• Identify key performance indicators to be monitored at transaction level and process level
• Understand level of process control
• Identify tests to be carried out
• Identify data source
• Apply Technology
• Follow up and refine

Page 6: Continuous Monitoring Webinar Aviva Spectrum


Framework elaborated

Source: ACL

Page 7: Continuous Monitoring Webinar Aviva Spectrum


Possible sub-frameworks

• Broadly three categories of sub-frameworks can be deployed

– Descriptive Statistics & monitoring
  • Measures of central tendency. The mean, median, and the mode are often used to relate and identify non-compliance with policies
  • Measures the variability or the spread of the numbers. This set includes the minimum and maximum, the interquartile range, and the range (the maximum minus the minimum amount). This set of values includes the minimum amount which might yield investigative insights if the number was negative in a data set that should not contain negative numbers (e.g., wages, inventory counts, coupon or rebate amounts, or odometer readings).
  • The shape of the distribution of the data

– Relative Size Factor Test
  • Difference between largest record in subset to second largest record
  • Logic and aim is to detect errors and frauds on real time basis along with reasonableness test.

– Subset Duplicates
  • Duplicates of same-same-same (exact duplicates) / same-same-different (close duplicates) are routinely applied
  • Duplication within subset is unique. The Subset Number Duplication (SND) test identifies excessive number duplication within subsets. This test works well in situations where excessive number duplication might signal that the numbers have been invented, which might be a red flag for fraud.

Source: Mark J Nigrini
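
The three sub-frameworks above, run per vendor subset, as an added Python example (not code from the presentation or from the cited source). The relative size factor is computed here as the largest amount in a subset divided by the second largest, the form in which the test is usually stated; the duplication measure, both thresholds and the payment records are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample: (vendor, invoice amount). Not real data.
PAYMENTS = [
    ("V001", 1200.00), ("V001", 1150.00), ("V001", 1310.00), ("V001", 13100.00),
    ("V002", 480.00), ("V002", 505.00), ("V002", 495.00),
    ("V003", 9900.00), ("V003", 9900.00), ("V003", 9900.00),
    ("V003", 9900.00), ("V003", 4200.00),
    ("V004", 250.00), ("V004", -75.00), ("V004", 260.00),
]


def by_subset(records):
    """Group amounts by subset key (here: vendor)."""
    groups = defaultdict(list)
    for key, amount in records:
        groups[key].append(amount)
    return groups


def relative_size_factor(amounts):
    """Largest / second-largest positive amount; None if fewer than two."""
    positives = sorted((a for a in amounts if a > 0), reverse=True)
    if len(positives) < 2:
        return None
    return positives[0] / positives[1]


def duplication_share(amounts):
    """Fraction of a subset's records whose amount repeats within the subset
    (a simple stand-in for a subset number duplication score)."""
    counts = Counter(amounts)
    repeated = sum(c for c in counts.values() if c > 1)
    return repeated / len(amounts)


def run_tests(records, rsf_limit=5.0, dup_limit=0.5):
    """Return (subset, test name, value) for every exception raised."""
    exceptions = []
    for key, amounts in sorted(by_subset(records).items()):
        # Descriptive statistics: a negative minimum in data that should be positive.
        if min(amounts) < 0:
            exceptions.append((key, "NEGATIVE_MINIMUM", min(amounts)))
        rsf = relative_size_factor(amounts)
        if rsf is not None and rsf >= rsf_limit:
            exceptions.append((key, "RSF", round(rsf, 2)))
        share = duplication_share(amounts)
        if share >= dup_limit:
            exceptions.append((key, "SUBSET_DUPLICATES", round(share, 2)))
    return exceptions


if __name__ == "__main__":
    for row in run_tests(PAYMENTS):
        print(row)
```
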

Page 8: Continuous Monitoring Webinar Aviva Spectrum


Possible areas of CCM – 1

Order to Cash

• Customer Management Compliance – By mapping new customer orders created with existing ones and running descriptive statistics and relative size to ensure all abnormal items are compiled as per SOP. This includes due diligence of new customers, KYC norms compliance, tax compliance etc.

• Pricing policy compliance – similar to above but checks to be done in tandem with SOP / Policies fit in to ERP configuration. Many checks can be done, like certain customers always in lower band of limits fixed and certain customers in higher end of price band. Analysis in sync with quantity offtake (like lower band for lesser quantity and higher band for larger quantity!) etc.

• Scheme / commissions / sales promotion – Check compliance on real time basis with new orders being created.

• Credit control – Adherence, need for revision / limit busting / exception handling as per SOP and whether deviation approvals have become a rule (like count of deviations approved in a day to total number of orders in a day, both in count and also in value). Look for patterns in customers: is it happening in only certain customers or in certain product groups / subset?

• Delivery scheduling – Compliance with customer delivery schedule acceptance. Look for potential slippages (alerts) rather than do review post slippage. Also look for patterns in customers and product groups on a daily basis.

Page 9: Continuous Monitoring Webinar Aviva Spectrum


Possible areas of CCM – 2

Procure to Pay

• Data integrity compliance: De-dup monitoring for all new vendor masters created (both in MM module and AP module) (if it is not in line with existing ERP controls).

• Reasonableness compliance: On a daily basis, any quantity exceeding the normal quantity in requisition being beyond average number of days consumption (production norms or sales norms) – approval deviations – monitoring both limit busting (exceptions becoming rule) and also quantities closer to upper limit (just a notch less than highest limit)

• Compliance with contract terms – In case of contracted materials with contracted vendors, we can set alerts for non-compliance regarding purchase of materials or services from non-contracted vendors at the stage of PO itself.

• Price monitoring – Efficiency and also compliance – In case new purchase price is more than certain % of existing moving average price or previous purchase price, CCM can be used to track the same and monitor price escalations at the stage of PO placement itself

• Compliance with tax codes / input credit possibility – Run CCM at PO stage itself to ensure tax code is correctly mentioned in PO with the master list of items so that input credit is taken.

• Value limit compliance – LOA level compliance / unit level limits / material level limits

Page 10: Continuous Monitoring Webinar Aviva Spectrum


Possible areas of CCM – 3

Payables

• Duplicate Payments
• Employee vendor mismatch
• Vendor Data Completeness
• Split PO’s and Split Transactions
• Excessive Claims / Unauthorized expenses
• Suspect Expense by dates and time (Weekends, Holidays, midnight)
• Inactive vendors
• Transactions with Blacklisted

Page 11: Continuous Monitoring Webinar Aviva Spectrum


Possible areas of CCM – 4

Expenses Control

• Sales promotion expenses – upon incurrence / approval to link with scheme and continuously monitor.

• Travel expenses – same city different person / same person different city comparisons and alerts based on limits (relative size)

• Repairs & Maintenance – Asset wise control can be monitored if it is recorded in ERP. Then CCM can ensure compliance with internal SOPs

• Taxes – ensure correctness of taxes including VAT, employee related taxes / dues like social security etc.

• Ensuring that freight outward is linked to customer order and policies of the company

Page 12: Continuous Monitoring Webinar Aviva Spectrum


Possible areas of CCM – 5 FCPA Compliance

Example tests for gifts, entertainment and charitable contributions

• Identification of
  – multiple gifts to a single individual
  – entertainment of government affiliated individual
  – Segregation of Duties violations: e.g., Submitter vs. Approver (Travel & Entertainment)
  – unauthorized Travel & Expense cards
  – charitable contributions to suspect organizations

Example tests for suspicious activities

• Identification of
  – bonuses or commissions of unusual quantity or timing
  – vendors where alternate payee names have been flip-flopped within X days
  – one-time vendor payment more than the threshold value

Example tests for general indicators

• Identification of
  – payments to “Risky” vendors / partners in high risk jurisdictions
  – checks made to “cash”
  – high volume of cash transactions
  – payments made from out of country bank accounts or sent outside the country of operation
  – vendors where bank accounts have been flip-flopped within X days

Page 13: Continuous Monitoring Webinar Aviva Spectrum


Possible areas of CCM – 6 Expenses Controls

Example tests for payments to agents, consultants, and other payments

• Use of new attorney / accountant / agent / consultant with no prior relationship
• Identification of payments made following manual overrides in the system
• Identification of payments classified as government expenses
• Identification of frequent use of one-time vendor arrangements
• Detect payments made without reference documents

Example tests for suspicious GL activities

• Payments made following manual override in the system, such as direct manual postings to the GL
• Identify invalid or suspicious journal entries to temporary accounts
• Identify suspicious journal entry bookings at unusual times or flip-flopping
• Identify adjustments to accounts inactive for more than X days

Page 14: Continuous Monitoring Webinar Aviva Spectrum


CASE STUDIES IN HOSPITALITY

Page 15: Continuous Monitoring Webinar Aviva Spectrum

Industry specific - Hospitality

• Setting up an automated process to monitor revenue leakage based on
  – Specific pattern of transactions
  – Identified exceptional transactions

• In the process of identifying
  – Potentially fraudulent / suspicious transactions
  – Potentially non compliant transactions

• Identified exceptions recorded
  – Requiring specific response from the appropriate management level
  – Based on such response, action may be initiated
  – Responses can be validated on sample basis by audit

• Detailed audit replaced with a much better exception based monitoring mechanism

• PKF India has effectively implemented these for various hotel chains

Page 16: Continuous Monitoring Webinar Aviva Spectrum


Possible room revenue control checks in Hotels

• Following checks can be automated using any soft tool
  – Negative postings
  – Allowances after checkout / Settlement
  – Lost Postings
  – Day use exception
  – Multiple Login Failure
  – Reinstatements No shows
  – All Transfers
  – All Splits
  – Discount amount changes / Rate changes
  – Reinstated Folios
  – Missing room revenue
  – AR invoice transfer

* This is an indicative list and customization of exceptions is done as per requirement

Page 17: Continuous Monitoring Webinar Aviva Spectrum


Case study- 1 Exceptions - Sequence-based tests

Analyze sequence of allowances / paid outs in every guest folio, in connection with the time of check-out

Identify and report instances where allowances / paid outs have been posted in the guest folio after check-out.

Why check this?

cash. She does not wait for her bill. Now, the cashier handling her billing makes an allowance of $ 1000 in her folio at 1:18 and shows the cash settlement at only $ 5000. Thus, cash of $ 1000 can be misappropriated and the only clue is the out

Or, maybe, a paid out has been posted in the folio after the guest has departed, her signature on the paid out being forged. This will be brought to light by checking Adjustments after checkout
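
The sequence-based test described above, as an added Python example (not the presenters' tool): it flags every allowance or paid out whose posting time is later than the folio's check-out time and totals the flagged value per cashier. The export layout, column names, transaction codes and records are constructed assumptions, not a real PMS format.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample exports; column names are assumptions, not a real PMS layout.
FOLIOS_CSV = """folio,room,checkout
F1001,204,2014-11-03 01:05
F1002,311,2014-11-03 11:40
F1003,118,
"""
POSTINGS_CSV = """folio,posted_at,type,amount,cashier
F1001,2014-11-02 21:15,ROOM_CHARGE,6000,C07
F1001,2014-11-03 01:18,ALLOWANCE,1000,C07
F1002,2014-11-03 09:10,ALLOWANCE,150,C02
F1002,2014-11-03 13:02,PAID_OUT,400,C07
F1003,2014-11-03 10:00,PAID_OUT,80,C02
"""
ADJUSTMENT_TYPES = {"ALLOWANCE", "PAID_OUT"}
FMT = "%Y-%m-%d %H:%M"


def load_checkouts(text):
    """Map folio -> check-out time; folios still in house map to None."""
    checkouts = {}
    for row in csv.DictReader(io.StringIO(text)):
        stamp = row["checkout"]
        checkouts[row["folio"]] = datetime.strptime(stamp, FMT) if stamp else None
    return checkouts


def adjustments_after_checkout(folios_text, postings_text):
    """Return allowances / paid outs posted after the guest checked out."""
    checkouts = load_checkouts(folios_text)
    exceptions = []
    for row in csv.DictReader(io.StringIO(postings_text)):
        if row["type"] not in ADJUSTMENT_TYPES:
            continue
        checkout = checkouts.get(row["folio"])
        if checkout is None:  # guest still in house, or folio not in the export
            continue
        posted = datetime.strptime(row["posted_at"], FMT)
        if posted > checkout:
            exceptions.append({
                "folio": row["folio"],
                "type": row["type"],
                "amount": float(row["amount"]),
                "cashier": row["cashier"],
                "minutes_after": int((posted - checkout).total_seconds() // 60),
            })
    return exceptions


def totals_by_cashier(exceptions):
    """Sum flagged amounts per cashier so repeat patterns stand out."""
    totals = defaultdict(float)
    for exc in exceptions:
        totals[exc["cashier"]] += exc["amount"]
    return dict(totals)


if __name__ == "__main__":
    found = adjustments_after_checkout(FOLIOS_CSV, POSTINGS_CSV)
    for exc in found:
        print(exc)
    print(totals_by_cashier(found))
```
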

Page 18: Continuous Monitoring Webinar Aviva Spectrum


Case Study 2 - Unaccounted / Missing Revenue

By Omission & Transfer

• 1st Guest has a room charge in his account
• 2nd Guest room charge changed to NIL
• Cash Collection from First Guest - misappropriated
• Transfer room charge from first guest to second guest
• Collection from second guest set off against first guest’s charge

Option Misused

• Modify Rate / Rate Code
• Transfer Posting

How to check??

Run a query for:
• Identification of transfers made between unrelated folios, unauthorized rate changes.
• Identify room revenue not billed by comparing daily guest inhouse details from PMS to billing details, as accounted

Page 19: Continuous Monitoring Webinar Aviva Spectrum


Case Study 3 - Misappropriation of Cash

• Hotel has advance collection policy for room charges
• Guest may short stay
• Guest is told that advance paid is non-refundable
• Few charges in the Folio are allowanced
  OR
• Refund of Advance collected: refund is recorded with forged guest signature in cash pay out

Option Misused

• Allowance
• Refund

Page 20: Continuous Monitoring Webinar Aviva Spectrum


Case study- 4 Pattern based testing

Data Analytics by auditors

❑ Auditors decided to undertake data analytics
❑ During the various analyses they did, they found that some Buffet Breakfasts were being billed at noon / night…
❑ Then a more focused analysis was undertaken for a long period which showed that
  ▪ It was all on week days
  ▪ It was for 4 - 5 pax on each day – one such bill only
  ▪ All of these were by the same steward! Also, on all week days when there was no such case, it was noticed, the steward was on leave or was off duty!

How to identify?

Segregate all buffets billed during lean hours and then analyze pattern with user ID and date. With the volume of transactions, CCM is the best way to identify such transactions

Shift wise menu availability not configured – resulted in Buffet Breakfast being available for selection during lunch / dinner time. Difference in rate between B/fast and lunch / dinner was significant. The smart operator – one steward – identified this and started using this to his benefit. Arranged with a group of regular customers to bill only as Buffet Breakfast. Obviously for personal gain…

Page 21: Continuous Monitoring Webinar Aviva Spectrum


Case study- 5 Duplicate bill reused

❑ Most restaurant software provides for re-printing of the bill already prepared

❑ This is many a time misused, especially where buffet is involved or where similar order is frequent

❑ The same bill is re-printed and the cash collected from the second customer is pocketed and does not have to be accounted for!

❑ A special engagement to test for frauds identified this, when they noticed that there were many instances of re

Use CCM to identify these

From the whole list of reprints, run a query to identify only reprints after settlements. Further break the list by mode of settlement to identify reprints after cash settlements - High Risk and Possible fraud transactions!!!

Page 22: Continuous Monitoring Webinar Aviva Spectrum


Case study- 6 Automate reconciliation reports


❑ Bar was conspicuously having tallied stock, nearly always

❑ A detailed investigation revealed that excess stocks were being sold and cash pocketed by the Barmen

❑ Daily a few shots were not being billed by the Barmen and related cash collection pocketed

❑ Bar stocks were not being reconciled on a daily basis

❑ So, excess stocks were not identified daily

❑ By the time the monthly stock verification in Bar happened most excess stocks have been converted to cash and pocketed!!

Automate daily stock reconciliation reports

Compare consumption with Sales as per Point of Sale

Page 23: Continuous Monitoring Webinar Aviva Spectrum


Case study- 7 Identification of duplicates

Implementing “similar fuzzy-matching” instead of exact matching yields an approach more accurate and powerful than many.

| Report | Invoice # | Invoice Date | Vendor | Amount |
|--------|-----------|--------------|-----------|-----------|
| EEEE | Exact | Exact | Exact | Exact |
| EEED | Exact | Exact | Exact | Different |
| EEDE | Exact | Exact | Different | Exact |
| EDEE | Exact | Different | Exact | Exact |
| DEEE | Different | Exact | Exact | Exact |

Different dates: same vendor, invoice num and amt
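
The report codes in the table above, as an added Python example (not the presenters' implementation): each pair of invoices is compared field by field in the table's column order and reported when at most one field differs. The normalisation used as the "fuzzy" step (case, punctuation and leading zeros in invoice numbers; case and spacing in vendor names) and all invoice records are constructed assumptions.

```python
import re
from itertools import combinations

# Constructed sample invoices: (row id, invoice #, invoice date, vendor, amount).
INVOICES = [
    (1, "INV-00417", "2014-09-02", "Acme Linen Supply", 1840.00),
    (2, "inv 417",   "2014-09-02", "ACME LINEN  SUPPLY", 1840.00),  # same once normalised
    (3, "INV-00417", "2014-09-19", "Acme Linen Supply", 1840.00),   # different date
    (4, "INV-00522", "2014-09-05", "Coastal Produce", 960.50),
    (5, "INV-00523", "2014-09-05", "Coastal Produce", 960.50),      # different invoice #
    (6, "INV-00610", "2014-09-07", "Harbour Laundry", 300.00),
    (7, "INV-00610", "2014-09-07", "Harbour Laundry", 330.00),      # different amount
    (8, "INV-00700", "2014-09-09", "Metro Beverages", 512.25),
    (9, "INV-00700", "2014-09-09", "Metro Beverage Co", 512.25),    # different vendor
]


def norm_invoice(number):
    """Drop case, punctuation and leading zeros: 'INV-00417' -> 'INV417'."""
    compact = re.sub(r"[^A-Z0-9]", "", number.upper())
    return re.sub(r"(?<![0-9])0+(?=[0-9])", "", compact)


def norm_vendor(name):
    """Upper-case and collapse runs of whitespace."""
    return " ".join(name.upper().split())


def key_fields(invoice):
    """Comparable fields in the table's column order; amount in whole cents."""
    _, number, date, vendor, amount = invoice
    return (norm_invoice(number), date, norm_vendor(vendor), round(amount * 100))


def report_code(a, b):
    """'E' where the normalised fields match, 'D' where they differ."""
    return "".join("E" if x == y else "D"
                   for x, y in zip(key_fields(a), key_fields(b)))


def duplicate_report(invoices):
    """Pairs that are exact (EEEE) or differ in exactly one field.

    Pairwise comparison is fine for a sample; large ledgers would first
    bucket on each three-field key instead of comparing every pair.
    """
    rows = []
    for a, b in combinations(invoices, 2):
        code = report_code(a, b)
        if code.count("D") <= 1:
            rows.append((code, a[0], b[0]))
    return rows


if __name__ == "__main__":
    for row in duplicate_report(INVOICES):
        print(row)
```
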

Page 24: Continuous Monitoring Webinar Aviva Spectrum


Case study- 8 Identification of suspicious vendors


We are potentially his only customer

Identification of Unbroken invoice sequence using CCM

Page 25: Continuous Monitoring Webinar Aviva Spectrum


Methods of implementing CCM With Response Management

Page 26: Continuous Monitoring Webinar Aviva Spectrum

Technology that can be used

• Microsoft Excel – Basic entry level

• ACL

• IDEA by Caseware

• SQL based program (or any RDBMS)

• Technology chosen is based on cost / benefit….

Page 27: Continuous Monitoring Webinar Aviva Spectrum

Cost / Benefit of control --------- Using Continuous Monitoring

Page 28: Continuous Monitoring Webinar Aviva Spectrum

Control Compliance Analysis

• Free 1 hour assessment

• Email: [email protected]

Sonia Luna

Partner & Founder Aviva Spectrum

Office (213) 250-5700

Cell (323) 828-5862

Page 29: Continuous Monitoring Webinar Aviva Spectrum

To Conclude

CCM is not about what software one needs to buy!!

It’s about having a methodology that defines

– What you are trying to do and

– how do you do it now and

– how you are going to do in future!!!

Page 30: Continuous Monitoring Webinar Aviva Spectrum

Continuous Monitoring FREE RESOURCES

November 12th, 2014

Page 31: Continuous Monitoring Webinar Aviva Spectrum


Community & Sharing

Risk Assessments

Join Our LinkedIn Group

COSO Framework Discussion & Webinars

https://www.linkedin.com/groups/COSO-Implementation-4888186/about

Technical community sharing ideas, templates, webinars; advise and learn from others implementing the new framework.

Share your latest templates here!

Page 32: Continuous Monitoring Webinar Aviva Spectrum


Control Compliance Analysis

COSO Transition

1. Top Transition Failures (Case Studies)

2. Audit Evidence required

3. Priority Driven by Principles

PCAOB, IIA & SEC Guidance

1. Latest PCAOB Internal Control Standards

2. IIA Incorporated Top 7 IC Failures

3. SEC Guidance for Mgmt on Internal Controls

[email protected]: CCA Reservation 5

Page 33: Continuous Monitoring Webinar Aviva Spectrum


Control Compliance Analysis (“CCA”)

Email us for 5 SPOTS ONLY: [email protected]

Subject: CCA

CCA

Report / Benchmark / In-take

November 12th, 2014

Page 34: Continuous Monitoring Webinar Aviva Spectrum


Q & A session (5 – 8 Min)

CONNECT: www.linkedin.com/in/sonialuna

SLIDES: www.slideshare.net/soxppt

VIDEOS: http://avivaspectrum.com/webcasts