© 2017 Property of Corporate Compliance Seminars www.compliance.seminars.com 1
Continuous Monitoring
A Practical Implementation for All Organizations
Corporate Compliance Seminars
John C. Blackshire, CPA 479-200-4373 / [email protected]
Overheard in the Hallway…
• “I don’t want any &*$%#@ outsider monitoring what I do!!!”
• “I can manage without leaving my office!”
• “It costs too much to implement a continuous monitoring approach.”
• “Our employees love us, so why would we need to monitor fraud?”
• “We can’t monitor IT processes. They’re too complex.”
Accountant, Auditor, IT Project Manager, Compliance Assessor, System Implementer, Sales Director, Trainer
• Co-Founder of Corporate Compliance Seminars
• Founder and CEO of The Application Support Company (TASC)
• Consultant to Executives and Boards of Directors
• Walker Interactive Products
• Insurance Systems of America
• KPMG
• Past Meeting Coordinator - IIA International Conference
Internet search:
Alerts of web content
Continuous Monitoring:
“The ongoing monitoring of financial and operational objectives, governance, risk and regulatory compliance by management.”
Why is it needed by Management?
• Increased performance pressure from global competition
• International terrorism and political unrest
• Economic instability
• Increased regulatory environment
• Security breaches
• Rapid pace of technological change
• Reliance on suppliers
Examples of CM:
• Budget-to-actual variance
• Sales activity
• Inventory turnover
• Order fulfillment
• Quarterly financial reviews
• Production schedule
Continuous monitoring success comes from understanding…..
How does the “business model” work?
What and how does management monitor day-to-day?
What are the components of the Key Performance Indicators (KPIs)?
Is there Segregation of Duties over the KPIs?
What does management not want to talk about?
What are the biggest risks to future performance?
Ability to start defining a continuous monitoring program!!!
Definition of Internal Control
“A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding achievement of objectives in the following categories: operations, financial reporting and compliance.”
Components of Internal Control
“Control Environment”
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
“Risk Assessment”
6. Specifies relevant objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
“Control Activities”
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
“Information & Communication”
13. Uses relevant information
14. Communicates internally
15. Communicates externally
“Monitoring Activities”
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Six Layers of Control
1. Mission Statement and Explicit Corporate Values
2. Business Model – Factors – Metrics – Measurements
3. Codes: Ethics – Employee Conduct – Customer Conduct – Supplier Conduct
4. Simple Corporate Policy Statements
5. Procedures are kept separate from Corporate Policy
6. Monitoring – Continuous Monitoring – MBWA (management by walking around) – Testing – I/A (internal audit) – E/A (external audit)
Onboard Vehicle Management System
Continuous monitoring success comes from understanding…
• How many items can a human handle? Miller’s 7 plus or minus 2
• Logical comparisons – the calendar does the work.
• Establish a floor and a ceiling.
• Exception handling for all floor / ceiling issues
• How is Pareto’s Law at work here? The 80/15/5 Rule
• The impact of “Monitoring” itself.
Ability to use and prosper with a continuous monitoring program!!!
• Monitors in real time; immediate knowledge of potential problems
• Initiates quick action and reduces risk
• Forward looking with “predictive analytics”
CAUTION:
Use Continuous Monitoring to supplement your traditional management activities, not to replace them.
“Desktop” monitoring alone IS NOT as effective as “in person” contact, walkthroughs, interviews, assessments, controls reviews, etc. with the employees in the department.
• Selling the concept to management and the Board
• Technical competencies to access, manipulate and analyze data
• Validating and improving the current monitoring processes
• Integrating the continuous monitoring into enterprise risk management
• Responding to the results of continuous monitoring and ensuring management action
Are you ready for Continuous Monitoring?
• Do we have a strong, ethical, transparent Control Environment?
• Does upper management accept Continuous Monitoring?
• Is management effectively monitoring the company?
• Formal Metrics Program?
• Formal Risk Management and Compliance function?
• Are policies and procedures documented, updated and effectively communicated?
• Do we have mature, effective IT systems and controls?
• Is the technology infrastructure mature and resilient?
• Are the application systems stable and accurate?
• Are the systems and data secure?
• Do we have the commitment, time, energy, people and funds to implement Continuous Monitoring?
• Manual processes and manual controls must be automated
• We must understand the financial systems, the flow of financial transactions, and the key reports
• We must identify the risks and the controls implemented, including how transactions are classified, initiated, approved, processed, reported and reconciled
• We must allocate the resource budget (time, people, money)
• We must obtain access to the data to be monitored
• Are you “micromanaging” the controls?
ERM Program – Form a Risk Committee and document organization risks and industry risks. Heat Map the risks. Assess Enterprise Risks at least annually.
Metrics Program – Have each department document their objectives and measurements for success. Assess Key Metrics at least quarterly.
Control Self-Assessment (CSA) Program – Have each department document their internal controls and conduct a CSA at least annually.
1. Define the Objectives
2. Identify the Business Objectives connection to Risks and Controls
3. Establish Data Use Requirements
4. Pilot the System
5. Refine the System
6. Report and Manage Results
• Revenue and Receivables (sales revenue does not match sales transactions)
• Treasury / Investments (loss on investments)
• Purchases and Payables (unauthorized purchases; invoices do not match POs)
• HR / Payroll (unauthorized pay increases)
• Period End Close (financial consolidation errors)
• Inventory / Fixed Assets (physical-to-book gap; missing assets)
• IT General Controls (insecure systems; weak change controls; failed backups)
• Customer Service (defective products; over/underpayment of warranty returns)
• Entity Cycle (weak Board; ineffective hotline)
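The exception-based monitoring described on the “success comes from understanding” slide (establish a floor and a ceiling, handle every floor/ceiling exception, keep false positives down) and three of the exceptions listed above (sales revenue vs. sales transactions, invoices vs. POs, unauthorized pay increases), as an added worked example in Python that is not part of the seminar deck. The record layouts, field names, tolerances and sample records are all assumptions constructed for illustration, not data or rules from any real system.

```python
"""Exception-based continuous monitoring over constructed transaction data.

Added example (not from the seminar deck). Record layouts, thresholds and the
sample records below are assumptions made up for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Finding:
    """One exception routed to a reviewer: which rule fired, on what, and why."""
    rule: str
    key: str
    detail: str


# --- HR/Payroll: floor/ceiling band on pay changes -------------------------
def check_pay_changes(changes: List[dict], floor_pct: float = -0.05,
                      ceiling_pct: float = 0.10) -> List[Finding]:
    """Flag pay changes outside [floor, ceiling] that carry no approver."""
    findings = []
    for c in changes:
        pct = (c["new_rate"] - c["old_rate"]) / c["old_rate"]
        outside_band = pct < floor_pct or pct > ceiling_pct
        if outside_band and not c.get("approved_by"):
            findings.append(Finding("pay_band", c["employee_id"],
                                    f"{pct:+.1%} change with no approval on file"))
    return findings


# --- Purchases/Payables: invoice-to-PO matching with a tolerance -----------
def match_invoices(invoices: List[dict], purchase_orders: List[dict],
                   tolerance: float = 0.02) -> List[Finding]:
    """Flag invoices with no PO, or whose amount differs from the PO by more
    than `tolerance`. The tolerance absorbs rounding/freight differences that
    would otherwise flood the reviewer with false positives."""
    pos = {po["po_id"]: po for po in purchase_orders}
    findings = []
    for inv in invoices:
        po = pos.get(inv.get("po_id"))
        if po is None:
            findings.append(Finding("no_po", inv["invoice_id"],
                                    "invoice without a purchase order"))
            continue
        base = abs(po["amount"]) or 1.0  # avoid division by zero on a zero-value PO
        gap = abs(inv["amount"] - po["amount"]) / base
        if gap > tolerance:
            findings.append(Finding("po_mismatch", inv["invoice_id"],
                                    f"{gap:.1%} away from PO {po['po_id']}"))
    return findings


# --- Revenue/Receivables: booked revenue vs. summed sales transactions ------
def reconcile_revenue(ledger_revenue: Dict[str, float], sales: List[dict],
                      tolerance: float = 0.005) -> List[Finding]:
    """Per period, compare ledger revenue with the sum of sales transactions."""
    by_period: Dict[str, float] = {}
    for s in sales:
        by_period[s["period"]] = by_period.get(s["period"], 0.0) + s["amount"]
    findings = []
    for period, booked in ledger_revenue.items():
        txns = by_period.get(period, 0.0)
        base = max(abs(booked), abs(txns))
        if base and abs(booked - txns) / base > tolerance:
            findings.append(Finding("revenue_gap", period,
                                    f"ledger {booked:,.2f} vs transactions {txns:,.2f}"))
    return findings


# Constructed sample records (not real data).
PAY_CHANGES = [
    {"employee_id": "E100", "old_rate": 50000.0, "new_rate": 52000.0, "approved_by": None},  # +4%: inside band
    {"employee_id": "E101", "old_rate": 40000.0, "new_rate": 48000.0, "approved_by": None},  # +20%, unapproved
    {"employee_id": "E102", "old_rate": 60000.0, "new_rate": 75000.0, "approved_by": "M7"},  # +25%, approved
]
PURCHASE_ORDERS = [{"po_id": "PO-1", "amount": 1000.0}, {"po_id": "PO-2", "amount": 2500.0}]
INVOICES = [
    {"invoice_id": "INV-1", "po_id": "PO-1", "amount": 1010.0},  # 1% over: within tolerance
    {"invoice_id": "INV-2", "po_id": "PO-2", "amount": 2800.0},  # 12% over: exception
    {"invoice_id": "INV-3", "po_id": None, "amount": 300.0},     # no PO: exception
]
LEDGER_REVENUE = {"2017-Q1": 10000.0, "2017-Q2": 12000.0}
SALES = [
    {"period": "2017-Q1", "amount": 6000.0},
    {"period": "2017-Q1", "amount": 3980.0},  # 9,980 vs 10,000 booked: 0.2%, within tolerance
    {"period": "2017-Q2", "amount": 9000.0},  # 9,000 vs 12,000 booked: 25% gap
]


def run_all() -> List[Finding]:
    """Run every rule and return the exception list a reviewer would work through."""
    return (check_pay_changes(PAY_CHANGES)
            + match_invoices(INVOICES, PURCHASE_ORDERS)
            + reconcile_revenue(LEDGER_REVENUE, SALES))


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.rule}] {f.key}: {f.detail}")
```

Each rule returns only the records that fall outside its band, which is the point of the floor/ceiling approach: the reviewer sees the handful of exceptions, not every transaction. Widening a tolerance trades missed small variances for fewer false positives; tightening `match_invoices` to a zero tolerance, for instance, turns the 1% rounding difference on INV-1 into a third exception.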
ACFE “Report to the Nations”
Continuous Monitoring for Fraud
Asset Misappropriation: Theft or Misuse of Assets
Corruption: Wrongfully Influencing a Transaction
Financial Statement: Falsification of FS or Disclosures
Attributes of Internal Controls
1. Discipline
2. Standards – Policy
3. Standard Operating Procedures
4. Why?? The requirement, i.e. Business – Operational – Control
5. Training on all of the above
6. Monitoring
1. Continuous Monitoring should supplement your traditional management activities; NOT replace them
2. Obtain management buy-in and budgetary approval
3. Start SMALL with an easy Pilot Project. Demonstrate rapid success!
4. Don’t forget – time spent developing the Continuous Monitoring approach is time away from traditional management, so…leverage existing technology
5. Reduce the false positives for accuracy and to reduce information overload
6. Continuous Monitoring has tremendous benefits of providing real time problem reporting, quick action and RISK REDUCTION!