THE THREE LINES OF DEFENSE MODEL & CONTINUOUS CONTROLS MONITORING
DEFENSE IN DEPTH
AGENDA
• The Three Lines of Defense model
• Continuous Controls Monitoring (CCM)
• Case studies of CCM at each line of defense
THREE LINES OF DEFENSE MODEL
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41
FIRST LINE OF DEFENSE
OPERATIONAL MANAGEMENT
• Own and manage risks
• Design and implement internal controls
• Responsible for maintaining effective controls
SECOND LINE OF DEFENSE
RISK MANAGEMENT & COMPLIANCE
• Help build and monitor first line of defense
• Ensure compliance with regulations
• Financial risks and reporting requirements
• Identify changes in risk appetite
THIRD LINE OF DEFENSE
INTERNAL AUDIT
• Provide senior management with assurance
• Monitor the effectiveness of the first and second lines of defense
• Independent
COORDINATING THE THREE LINES
FIRST LINE OF DEFENSE: RISK OWNERS/MANAGERS
• Operating management
SECOND LINE OF DEFENSE: RISK CONTROL AND COMPLIANCE
• Limited independence
• Reports primarily to management
THIRD LINE OF DEFENSE: RISK ASSURANCE
• Internal audit
• Greater independence
• Reports to governing body
AGENDA
• The Three Lines of Defense model
• Continuous Controls Monitoring (CCM)
• Case studies of CCM at each line of defense
VISION FOR CCM
• Know the state of any control in the business
• Resolve identified breaches before impact
• Provide an unparalleled ROI
THE IMPORTANCE OF MONITORING
COSO guidance: an effective system of internal control must include monitoring
ROLE OF CCM
• Independent monitoring of automated and partially automated controls
• Continuous detection of breaches
• Transparency in detection and remediation
• Address IT concerns
• Collaborative approach to timely remediation
EXAMPLE
Risk: Invoices may not be valid and/or properly authorized
Control Activity: Matching invoices to goods receipt
Owner: Category Management
Method: Partially automated
Type: Preventative
Frequency: Recurring
COSO Component: Control activities
PROPERTIES OF CCM TESTING
Frequency: Daily
Detect: Any non-compliance, both above and below the threshold
Assignment: Category Management
Deadline: Resolve same day
Evidence: Due diligence performed on those over the threshold and any other exceptions detected
Value: Ensure that control effectiveness is sustained at a high level
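To make the example control concrete, the following is an added worked example (not code from the slides or from CaseWare) of a daily CCM test for "matching invoices to goods receipt" with the properties listed above: every mismatch is detected whether it is above or below the threshold, each exception is assigned to Category Management with a same-day deadline, and exceptions outside tolerance are marked as needing due-diligence evidence. The 2% tolerance, the exception reason codes, the run date and the sample invoices and receipts are all constructed assumptions.

```python
"""Added example (not from the slides or CaseWare): a daily CCM test for the
control 'matching invoices to goods receipt'. The tolerance, the exception
reasons and the sample data are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

CONTROL_OWNER = "Category Management"   # assignment from the slide
TOLERANCE = Decimal("0.02")             # assumed matching threshold: 2% of receipt value
RUN_DATE = date(2024, 1, 15)            # assumed date of this daily run


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    po: str            # purchase order the invoice claims to settle
    amount: Decimal
    authorized: bool   # approval recorded in the purchasing system


@dataclass
class ControlException:
    invoice_id: str
    reason: str           # NOT_AUTHORIZED | NO_GOODS_RECEIPT | OVER_RECEIPT | UNDER_RECEIPT
    variance: Decimal     # invoice amount minus goods receipt value
    over_threshold: bool  # outside tolerance: due-diligence evidence must be attached
    owner: str
    detected: date
    deadline: date        # same day, per the slide
    status: str = "open"


# Constructed sample data. Goods receipts are keyed by purchase order.
SAMPLE_RECEIPTS = {
    "PO-1001": Decimal("1500.00"),
    "PO-1002": Decimal("240.00"),
    "PO-1003": Decimal("9800.00"),
}
SAMPLE_INVOICES = [
    Invoice("INV-1", "PO-1001", Decimal("1500.00"), True),   # clean match
    Invoice("INV-2", "PO-1002", Decimal("260.00"), True),    # billed above receipt, outside tolerance
    Invoice("INV-3", "PO-1003", Decimal("9750.00"), False),  # small under-billing, and not authorized
    Invoice("INV-4", "PO-9999", Decimal("50.00"), True),     # no goods receipt exists for this PO
]


def run_invoice_match_test(invoices, receipts, run_date=RUN_DATE, tolerance=TOLERANCE):
    """Daily test: each invoice must be authorized, reference a goods receipt and
    agree with it. Every mismatch is reported (above or below the threshold);
    mismatches outside tolerance are flagged as needing due-diligence evidence."""
    exceptions = []

    def flag(inv, reason, variance, over_threshold):
        exceptions.append(ControlException(inv.invoice_id, reason, variance, over_threshold,
                                           CONTROL_OWNER, run_date, run_date))

    for inv in invoices:
        if not inv.authorized:
            flag(inv, "NOT_AUTHORIZED", Decimal("0"), True)
        received = receipts.get(inv.po)
        if received is None:
            flag(inv, "NO_GOODS_RECEIPT", inv.amount, True)
            continue
        variance = inv.amount - received
        if variance != 0:
            over = abs(variance) > received * tolerance
            flag(inv, "OVER_RECEIPT" if variance > 0 else "UNDER_RECEIPT", variance, over)
    return exceptions


def needing_evidence(exceptions):
    """Exceptions the owner must document before the same-day deadline."""
    return [e for e in exceptions if e.over_threshold]


if __name__ == "__main__":
    for exc in run_invoice_match_test(SAMPLE_INVOICES, SAMPLE_RECEIPTS):
        print(exc)
```

Two design points carry over from the slide: the under-tolerance mismatch on INV-3 is still recorded (a control that silently ignores small variances cannot show sustained effectiveness), and the receipt value rather than the invoice value is the base for the tolerance, so an inflated invoice cannot widen its own allowance.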
CCM AT EACH LINE OF DEFENSE
• Effectively monitor internal controls at the first and second lines of defense
• Allow the third line of defense to be confident in its assurance role
• Create a remediation process that minimizes the impact of a control breakdown
• Provide evidence of due diligence for external auditors and regulators
AGENDA
• The Three Lines of Defense model
• Continuous Controls Monitoring (CCM)
• Case studies of CCM at each line of defense
FIRST LINE OF DEFENSE
ENERSOURCE
• Canadian energy company since 1917
• Third largest in Ontario
• Over 200,000 residential and commercial customers
• Provides electrical infrastructure design, construction, operations support, and maintenance
REPUTATIONAL RISKS
FINANCIAL RISKS
VERIFICATION OF BILLS
• Reputational risk is the primary concern
• Was using an in-house MS Excel system to verify the accuracy of bills
• Upgraded to smart meters in 2009
• Challenges
  • Took 5 hours to process a batch of bills
  • Exceptions manually circulated by email
  • Impossible to track resolution
  • Labor intensive to make changes
THE CCM SOLUTION
• Independently calculate bills and identify inaccuracies
• Extract data from other sources, not just the billing system
• Send exceptions in XML format to the bill print system so that those bills are not printed
• Engage users in the Billing Department to resolve issues
• Validate corrections made in core systems
• Maintain a history of exceptions and the actions taken to resolve them
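The solution above is a pipeline: recompute each bill from a source the billing system does not control, hand the exceptions to the print system as an XML hold list, and keep every detection and resolution on record, re-checking each correction before closing it. The following added example (not Enersource's or CaseWare's code) shows that pipeline end to end on constructed data. The tariff (a per-kWh rate plus a fixed charge), the rounding tolerance, the meter reads and bills, and the `<holds>`/`<bill>` element names of the XML feed are all assumptions.

```python
"""Added example (not from Enersource or CaseWare): independent bill verification
with an XML hold feed and an exception history. Tariff, data and XML schema are
constructed assumptions."""
from decimal import Decimal
import xml.etree.ElementTree as ET

# Assumed tariff: energy charge per kWh plus a fixed monthly charge.
RATE_PER_KWH = Decimal("0.12")
FIXED_CHARGE = Decimal("25.00")
TOLERANCE = Decimal("0.01")   # assumed rounding tolerance, in dollars

# Constructed inputs. Meter reads come from the smart-meter data store and bills
# from the billing system, so the check does not rely on the billing system alone.
SAMPLE_METER_READS_KWH = {"ACC-1": Decimal("350"), "ACC-2": Decimal("1200"), "ACC-3": Decimal("0")}
SAMPLE_BILLS = [
    {"account": "ACC-1", "amount": Decimal("67.00")},
    {"account": "ACC-2", "amount": Decimal("196.00")},  # transposed digits: should be 169.00
    {"account": "ACC-3", "amount": Decimal("25.00")},   # zero usage, fixed charge only
    {"account": "ACC-4", "amount": Decimal("90.00")},   # no meter data exists for this account
]


def expected_amount(kwh):
    """Recalculate the bill from the meter read and the assumed tariff."""
    return (kwh * RATE_PER_KWH + FIXED_CHARGE).quantize(Decimal("0.01"))


def verify_bills(bills, meter_reads):
    """Compare every bill with an independent recalculation; return the mismatches."""
    exceptions = []
    for bill in bills:
        kwh = meter_reads.get(bill["account"])
        if kwh is None:
            exceptions.append({"account": bill["account"], "billed": bill["amount"],
                               "expected": None, "reason": "NO_METER_DATA"})
            continue
        expected = expected_amount(kwh)
        if abs(bill["amount"] - expected) > TOLERANCE:
            exceptions.append({"account": bill["account"], "billed": bill["amount"],
                               "expected": expected, "reason": "AMOUNT_MISMATCH"})
    return exceptions


def suppression_xml(exceptions):
    """Hold list for the bill print system: listed accounts are not printed.
    The <holds>/<bill> element and attribute names are an assumed schema."""
    root = ET.Element("holds")
    for exc in exceptions:
        ET.SubElement(root, "bill", account=exc["account"], reason=exc["reason"],
                      billed=str(exc["billed"]),
                      expected="" if exc["expected"] is None else str(exc["expected"]))
    return ET.tostring(root, encoding="unicode")


class ExceptionLog:
    """Keeps every exception and action so resolution can be evidenced later."""

    def __init__(self):
        self.history = []     # (run_date, account, action, detail), in order
        self.open_items = {}  # account -> exception still awaiting a valid correction

    def record(self, exceptions, run_date):
        for exc in exceptions:
            self.open_items[exc["account"]] = exc
            self.history.append((run_date, exc["account"], "detected", exc["reason"]))

    def resolve(self, account, corrected_amount, meter_reads, run_date):
        """Validate the correction by re-running the check; close only if it passes."""
        bill = {"account": account, "amount": Decimal(str(corrected_amount))}
        if verify_bills([bill], meter_reads):
            self.history.append((run_date, account, "correction rejected", str(corrected_amount)))
            return False
        self.open_items.pop(account, None)
        self.history.append((run_date, account, "closed", str(corrected_amount)))
        return True


if __name__ == "__main__":
    found = verify_bills(SAMPLE_BILLS, SAMPLE_METER_READS_KWH)
    print(suppression_xml(found))
    log = ExceptionLog()
    log.record(found, "2024-01-15")
    log.resolve("ACC-2", "169.00", SAMPLE_METER_READS_KWH, "2024-01-15")
    print(log.history)
```

The point of `resolve` re-running `verify_bills` on the corrected value is the "validate corrections made in core systems" bullet: a correction typed into the billing system is not taken on trust, and an account stays open, with the rejected attempt on record, until the recalculation agrees.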
RESULTS
• Has not had a single public incident
• Accuracy of billing improved significantly
• Billing anomalies automatically distributed
• Bills verified in less than 5 minutes (not 5 hours)
• Bills sent out same day, improving cash flow
• Evidence retained for regulators/auditors
• Labor-intensive manual reviews were eliminated
SECOND LINE OF DEFENSE
CHRISTIE'S AUCTION HOUSE
• Founded in 1766 by James Christie
• 53 offices in 32 countries
• Prices range from $200 to $80 million
CHALLENGES
• Risk and compliance group mandated to review 100% of transactions
• Primary area of concern is client accounting
• Need to ensure that fees and charges are accurate
• Need to involve the business in timely remediation
THE CCM SOLUTION
• Implemented for 40 key controls
• Monitor transactions in near real time
• Covering multiple locations (UK and New York)
• Phase I started in risk and compliance, then rolled out to the business
PHASE II—CUSTOMER SCREENING
• Important to meet regulatory requirements
• AML and KYC compliance
• Integrate with World-Check sanction list data for screening
THIRD LINE OF DEFENSE
METCASH
• A leading marketing and distribution company
• Operating in the grocery, liquor, and hardware wholesale industries
• Turnover of $12 billion
• 5,000+ employees
• Market cap $3.2 billion
CHALLENGES
• Several disparate systems
• Many audit scripts
• Emailing exceptions in Excel
• SAP generating many exception reports
• Business struggling to cope
THE CCM SOLUTION
• All analytics built in-house by the CM team
• Covered 30 key controls to start
• CCM implemented for Purchase to Payment in Phase I
• Expanded to the retail business processes in Phase II
• Adopted as the central exception management system (including SAP reports)
RESULTS
• Started in internal audit
• Rolled out to business users
• Use action/reason codes to facilitate root cause analysis
• Daily examination of processes
• First-year results:
  • 5.5 billion transactions covered
  • $1.8 million in savings
CONCLUSION
• Internal control effectiveness is positively impacted by collaboration
• That covers collaboration at all three lines
• CCM is a compelling vehicle to facilitate a collaborative process
Visit casewareanalytics.com Email [email protected]