Automated Controls Monitoring for Finance Teams
Dusk Lim
Strategic Account Manager, ASEAN
Robert Luu, FCXP (CX-I), HCP, ACDA Advanced
Director, Client Partnership, Asia-Pacific & Japan
WEGALVANIZE.COM
Housekeeping
• Today’s session will be approximately 60 minutes with 15 minutes for Q&A at the end.
• Please submit your questions through the Q&A panel on your Zoom console.
• This session will be recorded. We will send a copy of the recording and slides to all attendees.
Topics
• Defining Continuous Monitoring
• Drivers for finance teams to do proactive monitoring
• 3 myths of CCM
• Maturity model – understanding it and in use
• Moving up the maturity model – how to implement a CCM program
• Sample CCM journey
• Challenges in implementing CCM
• Benefits and ROI
What is Continuous Monitoring?
Definition by IIA GTAG:
Continuous Monitoring is a process that management puts in place to ensure that its policies, procedures, and business processes are operating effectively.
Drivers of Continuous Controls Monitoring
▪ Operational (e.g. Procurement, Sales)
▪ Compliance (e.g. SOX, Data Privacy, ICFR)
▪ Risk management (e.g. risk indicators, early warnings)
▪ Financial (e.g. accounting standards)
▪ Technology (e.g. Cybersecurity, Access Controls)
▪ Fraud detection (e.g. AML, ABAC, Embezzlement)
ACFE – Global Study on Occupational Fraud & Abuse
3 Myths of Continuous Monitoring
• I don’t need CCM because my ERP system has built-in automated controls and I’m already protected.
• Isn’t that the job of our auditors?
• It sounds great in theory, but in reality, it’s not practical or affordable to implement.
Your Controls Monitoring Maturity Model
Hindsight > Insight > Foresight
Ad Hoc Testing
Automated Analysis
Continuous Monitoring
Increase Coverage
• Typically one-off and utilizes sampling.
• Usually done by auditors
• 100% testing
• Data analytics tool is likely utilized in some ways
• Generally still done by auditors
• Automated monitoring process
• Scheduled based
• Control owners given the ability to identify control gaps
• High ability to respond to risks as they emerge
• Data driven metrics
• Wide reaching coverage
• Impact on strategic risks, objectives and relationships
• Predicting risks
Controls Monitoring Planning Process
Setting up your automated monitoring program
1. Categorize your control environment
Key controls for financial reporting, IT application control dependency, manual controls requiring special review, and preventative or detective nature
2. Determine objectives and risk assurance
Don’t boil the ocean – prioritize the control environment categories for quick wins and high impact control areas for risk mitigation
3. Align executive reporting and notification requirements
Tell the correct narrative to management and process owners using agreed upon key performance and key control indicators
4. Socialize remediation workflow process
Involve process owners and control owners in the workflow design to maximize adoption rate
Purchase to Payment Cycle
Illuminating the process gaps
Process areas: Vendor Management, Purchase Order Validation, Invoice Management, Payment Monitoring
Processes & Suggestions
• Vendor risk assessment
• Due diligence & monitoring
• High risk vendors
• Early payment discounts
• Split purchases
• Approval authorizations
• Dormant POs
• Keyword analysis
• Suspicious invoice patterns
• Duplicate invoices
• Contract pricing compliance
• Duplicate payments
• Suspicious bank accounts
• Unusual dates or holidays
• Onboarding
• Requisitions
• Potential fraud
• Review workflow
• Outstanding invoices
• Payment term review
• Potential fraud
• Ongoing monitoring
• Approval limits
• Order processing
• Over/under billing
• Reconciliations
• Offboarding
• Accuracy validation
Legend: Automated Notifications, Templates, & Action Follow-up; Automated Robotics & Analytics
Business Values
• Improve alignment to Vendor Risk Team
• Improve preventative controls of purchases
• Increase visibility and accuracy over spending
• Improve detective monitoring of spending
How Can Controls Monitoring Become a Preventative Control?
Improving the controls in the Accounting Closing Process:
• Daily: Detect Errors in Sub-Ledger
• Daily: Correct Errors in Sub-Ledger
• Daily: Prevent Misstatements to General Ledger
• Month-End: Reduce Need for Correcting Journal Entries
Data-Driven Continuous Monitoring: Simplifying Big Data
Data sources: ERP, SAP, HR, X, Y
“Big Data” to “Useful” Data
Objectives > Criteria > Risk > Frequency > Data Requirements
• Data extraction
• Analytics & analyses
• Alerts & exceptions
• Remediation
Executive Oversight over Financial Controls
ControlsBond (Storyboards) – controlling the narrative with a compelling story and alignment to high impact areas incorporating a data-driven approach
Executive Oversight over Financial Controls
ControlsBond (Frameworks) – executive alignment on reporting of control assurance and automated assessments
Scheduled Control Performance
ControlsBond (Mission Control) – Minimal visibility and capabilities within the platform, primarily using Mission Control for flattened view of assigned Control Execution schedules. Responding via questionnaire upload for evidence.
Manual Control Reviews
Solicit and capture qualitative assessments with controlled and open responses
ControlsBond (Results) – results management and remediation workflow with automated distribution/reconciliation
Remediation and Workflow Management
Streamline the decision-making process
• Executive Visibility & Strategic Metrics: Key risk indicators top of mind for executive management awareness and required action
• Front-line Ownership & Accountability: 1st/2nd Level reviewers within the processes responsible for timely actions
• Escalation & Performance Monitoring: Key performance indicators for middle management to provide oversight and increase productivity
Challenges in automating controls monitoring
Common Challenges
• Overlapping or redundant controls
• Control registers not accurately documented and dispersed
• IT Application controls assumed to be automated
• Lack of collaboration with application owners and key stakeholders
• Inconsistency of data throughout ERP system(s)
Benefits and Positive Outcomes
• Reduce costs by minimizing manual work and rationalizing low-risk controls
• Increase positive collaboration with first line of defense for better assurance
• Share real-time updates on compliance and high-risk issues
• Increase management and executive confidence in data-driven decisions
Thank you for your attention!
Q & A
https://www.linkedin.com/in/robert-luu/
https://www.linkedin.com/in/dusklim/