Copyright © 2003 Americas’ SAP Users’ Group Compliance and Continuous Monitoring: Achieving Best Practice Standards for Internal Control Michelle Thomson.


1 Copyright © 2003 Americas’ SAP Users’ Group Compliance and Continuous Monitoring: Achieving Best Practice Standards for Internal Control Michelle Thomson ACL Services Ltd.

2 Agenda
- Challenges of financial management
- Challenges of designing effective controls
- Assessing controls through data analysis
- The role of continuous monitoring
- Benefits of continuous monitoring

3 Challenges
[Diagram labels: Increased Business Complexity; Accelerating Business Cycles; Decreased Time & Resources; Competition; Fewer People; Increased Margin for Error; Increased Scope of Responsibilities & Decision Making; Partners; Audit Committee; Stock Exchanges; Shareholders; Media; Public; Clients; Environment; Rating Agencies; Board of Directors; Increased Regulation, Scrutiny & Accountability; CEO; Government; Systems Integration; Wealth Creation; Strategic Leadership; Operational Excellence; Financial Control; Financial Management; Information Quality; IT Infrastructure; Complex Transactions; Global Markets; Logistics]

4 Challenges of Designing Effective Controls
- Transactions and transactional data are the lifeblood of organizations
- Controls over these transactions and the data that record them are critical
- Financial accountability and assurance depend on the integrity and reliability of the:
  - Transactions
  - Data that records the transactions
  - Financial reports that summarize the transactional data

5 Challenges of Designing Effective Controls
- Cost vs. benefit of controls
- Manual controls break down as volumes increase
- Automated controls within applications are time-consuming to implement, expensive, and hard to maintain
- New system implementations often disregard audit and internal control experts
- Super users and system administrators can bypass controls

6 Control Breakdowns
- “These (improper) payments occur for many reasons including insufficient oversight or monitoring, inadequate eligibility controls, and automated system deficiencies. However, one point is clear – the basic or root cause of improper payments can typically be traced to a lack of or breakdown in internal controls.”
- GAO Report, Coordinated Approach Needed to Address the Government’s Improper Payments Problems, August 2002

7 Control Layers Within an Organization
[Diagram labels: Determine Risks & Impacts; Policies; Controls; Transactions]

8 Controls Assessment Through Data Analysis
- Key method of testing controls
- Typical assessments involve:
  - Examination of 100% of transactions to determine compliance with defined controls
  - Determination if transactions exist for which no controls have been implemented
- Audit processes using data analysis tend to be comprehensive and usually take place long after the transactions occurred

9 Continuous Monitoring Using Data Analysis
- Convert audit analytical procedures into a monitoring process for all transactional data
- Test transactional data against defined control rules and parameters
- Run automatically on a regular basis
- Generate exception reports or alerts automatically

10 Value of Continuous Monitoring
- Independent of the underlying business application system
- Improved timeliness of response to problems
- A detective control – but can also be preventative
- An additional level of control by identifying problems in early stages

11 Continuous Monitoring Checklist
- Monitors data from disparate systems to provide holistic view of transaction
- Identifies rogue transactions in a timely manner
- Validates effectiveness of controls
- Mitigates deficient control structures
- Identifies further process improvement opportunities
- Provides independent assurance

12 Controls Review Methods
[Diagram labels: Ad Hoc Analysis; Repeated Control Review; Continuous Monitoring; Confidence; Trust]

13 Anatomy of Continuous Monitoring (CM Applications)
- DATA: Specific data from multiple data sources and data formats are compiled, indexed and prepared for analysis
- RULES: Contains business rules, control policies, or test requirements of the organization
- ANALYSIS: Complex technology applies the rules to the data to identify transaction anomalies

14 [Diagram labels: DATA; RULES; ANALYSIS; Continuous Monitoring; Reporting Medium; Transaction Monitoring Process; Primary Data Source; Sources: Financial Systems, HR Systems, CRM Systems, Others; Data Output]

15 Common Applications of Continuous Monitoring
- General business processes
  - Purchase / payments cycle
  - Vendor fraud
  - Expense claims
  - Payroll
- Industry-specific (particularly regulatory compliance)
  - Chemical / Pharmaceutical – FDA regulations
  - Medicare / Medicaid compliance

16 Benefits of Continuous Monitoring Systems
- Validation that controls built into application systems are operating effectively
- Compensate for poor controls in application systems
- Transaction systems cannot ensure integrity across disparate systems
- Comprehensive analysis of transactions is not practical in large transaction systems
- Independence from the transaction system

17 Continuous Monitoring & Audit
- Fastest growing area within audit and control community
- Significant role as a response to increased focus on controls and assurance
- CEO & CFO requirements around Sarbanes-Oxley Act
- Acts as a supplemental control level, strengthening overall internal controls
- Provides increased assurance over the effectiveness of controls

18 In Conclusion
- Continuous Monitoring provides an opportunity for significantly improved levels of control and assurance
- The accounting and control profession has discussed it for years – the time is now ideal for implementation
- Technology is available to enable continuous monitoring
- Businesses can’t afford to miss the issues

19 Copyright © 2003 Americas’ SAP Users’ Group Using ACL to Continuously Monitor SAP Accounts Payable Gene Scheckel ConocoPhillips

20 Why Continuously Monitor AP?
- To keep tabs on items
  - beyond the scheduled audit plan
  - outside normal controls
- Do not continuously monitor normal controls within SAP
- BUT do continuously monitor items where there is no specific control within SAP

21 What We Monitor
- Duplicate payments between SAP and other financial systems
- Unusually large payments
- Payments to employees as outside vendors
- Duplicate vendors in the Vendor Master

22 Continuous Monitoring
- Duplicate payments between SAP and other financial systems
- The Challenges
  - Convert new acquisition from legacy financial system to SAP
  - Legacy system and SAP both have duplicate payment controls
  - But duplicate payment controls do not exist between the two systems

23 The Results
- Duplicate payments between SAP and legacy financial system
- Approximately 150,000 payments per month

24 Continuous Monitoring
- Unusually large vendor payments
- The Challenge…
  - Uncover overpayments due to data entry errors

25 The Results
- Invoice Amount = 20,725.00
- Approver noted invoice error and manually entered new amount to be paid.
- Data entry clerk ignored the note.
- Amount Paid = $43,803.31
- Recovered $23,078.31

26 Continuous Monitoring
- Payments to employees as outside vendors
  - Not employee reimbursements
- The Challenge…
  - Uncover potential conflicts of interest and employee fraud

27 The Results
- A supervisor who approved invoices paid to the small business he owned
- A purchasing agent doing business with a company owned by her husband

28 Continuous Monitoring Findings
- Discovery of duplicate payments, overpayments and possible fraud
- Preservation of the reliability of SAP preventive controls

29 Next Steps
- Apply continuous monitoring methodology to other areas of the business
  - Procurement Cards
  - Long Distance Phone Bills
  - Validate User IDs

30 Copyright © 2003 Americas’ SAP Users’ Group Implementing Continuous Monitoring Derek Warburton ACL Services Ltd.

31 Agenda
- Success factors
- Reactive vs. proactive approach
- When to get help
- Continuous Monitoring methodology
- Practical implementation issues
- Next steps

32 Effective Continuous Monitoring
- Success is a function of
  - People: expertise, availability
  - Process: applying proven methodology
  - Technology: right tools for the job

33 Continuous Monitoring Checklist
- Monitors data from disparate systems to provide holistic view of transaction
- Identifies rogue transactions in a timely manner
- Validates effectiveness of controls
- Mitigates deficient control structures
- Identifies further process improvement opportunities
- Provides independent assurance

34 Continuous Monitoring Approach
- Reactive
  - Implement Continuous Monitoring after experiencing a significant loss
- Proactive Strategic
  - Identify high risk business areas, and implement Continuous Monitoring before loss is material

35 Continuous Monitoring Notifications

36 Implementation Assistance Considerations
- Independence (optics, regulatory)
- Scale/scope
- Complexity of business area or analysis
- Availability of skilled resources
- Disparate systems (all data not in SAP)
- Opportunity cost or risk of time delay

37 Implementation Methodology
[Diagram labels: Increased Shareholder Value; Implement; Continuous Monitoring; Build; Functioning Application; Assess; Preliminary SDD; Design; Solutions Design Document]

38 Practical Implementation Issues
- Direct access to the data vs. an extract?
  - Direct access to source data preferred
  - Is all data in SAP? How to access other systems?
- Time- or process-based data testing range?
  - Ensure that all transactions are captured since the last test process

39 Practical Implementation Issues
- Set priorities for findings
- Identifying specific control exposures and risk indicators
- Define specific control tests for transactional data
- Risk of high volumes of exceptions = ignore reports
- Establish sensitivity thresholds for reporting and alerts
- “Scoring/weighting” of events dependent upon combination of control parameters that are failed and indicators of risk
- Allow “tuning” of application sensitivity
- Prioritize alerts
- High score events trigger immediate alert with management
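
The scoring and threshold tuning from slide 39, applied to three of the Accounts Payable tests from slide 21, as an added Python example that is not part of the original presentation or of any ACL product. The field names, weights, thresholds, shared vendor IDs across systems and the bank-account match between vendors and employees are assumptions; the sample payments are constructed, with P3 using the amounts from slide 25.

```python
from collections import defaultdict

# Assumed weights per failed control test (not from the presentation).
WEIGHTS = {"cross_system_duplicate": 50, "vendor_is_employee": 40, "paid_over_invoice": 30}

# Constructed sample payments; amounts in cents. P3 reuses the slide 25 figures.
PAYMENTS = [
    {"id": "P1", "system": "SAP", "vendor": "V100", "invoice": "000123",
     "invoiced": 500000, "paid": 500000, "bank": "B-1", "kind": "vendor"},
    {"id": "P2", "system": "LEGACY", "vendor": "V100", "invoice": "123",
     "invoiced": 500000, "paid": 500000, "bank": "B-1", "kind": "vendor"},
    {"id": "P3", "system": "SAP", "vendor": "V200", "invoice": "77",
     "invoiced": 2072500, "paid": 4380331, "bank": "B-2", "kind": "vendor"},
    {"id": "P4", "system": "SAP", "vendor": "V300", "invoice": "9",
     "invoiced": 100000, "paid": 120000, "bank": "E-55", "kind": "vendor"},
    {"id": "P5", "system": "SAP", "vendor": "V400", "invoice": "10",
     "invoiced": 8000, "paid": 8000, "bank": "E-55", "kind": "reimbursement"},
]
EMPLOYEE_BANK_ACCOUNTS = {"E-55"}  # constructed HR extract

def run_tests(payments, employee_banks):
    """Apply three control tests; return {payment id: set of failed tests}."""
    failed, first_seen = defaultdict(set), {}
    for p in payments:
        # Normalise the invoice number so "000123" and "123" compare equal.
        key = (p["vendor"], p["invoice"].lstrip("0"), p["paid"])
        first = first_seen.setdefault(key, p)
        # Each system blocks its own duplicates, so only flag pairs that span systems.
        if first is not p and first["system"] != p["system"]:
            failed[p["id"]].add("cross_system_duplicate")
        if p["paid"] > p["invoiced"]:
            failed[p["id"]].add("paid_over_invoice")
        if p["bank"] in employee_banks and p["kind"] != "reimbursement":
            failed[p["id"]].add("vendor_is_employee")
    return failed

def prioritize(failed, alert_at=70, report_at=30):
    """Sum weights per payment and bucket by tunable sensitivity thresholds."""
    buckets = {"alert": [], "report": [], "suppressed": []}
    for pid, tests in failed.items():
        score = sum(WEIGHTS[t] for t in tests)
        name = "alert" if score >= alert_at else "report" if score >= report_at else "suppressed"
        buckets[name].append((pid, score, sorted(tests)))
    for rows in buckets.values():
        rows.sort(key=lambda r: -r[1])  # highest score first
    return buckets

if __name__ == "__main__":
    for name, rows in prioritize(run_tests(PAYMENTS, EMPLOYEE_BANK_ACCOUNTS)).items():
        print(name, rows)
```

Raising `report_at` to 40 moves the single-test overpayment P3 out of the exception report, which is the trade-off the tuning bullet describes: fewer exceptions to review against the chance of suppressing a real finding.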

40 Interface Example for Tuning Monitoring Parameters Note: This amount can be modified from the parameters menu.

41 Interface Example for Tuning Monitoring Parameters

42 Continuous Monitoring Application

43 Example of Alert Notification

44 Conclusion
- Will Continuous Monitoring reduce risk and costs at your company?
- What’s stopping you from moving forward?
- Don’t be shy to ask for help

45 Copyright © 2003 Americas’ SAP Users’ Group Thank you for attending! Please remember to complete and return your evaluation form following this session. Session Code: 504

