Continuous Monitoring and Continuous Auditing
From idea to implementation
Achieve more timely, less costly compliance with policies, procedures, and
regulations
Greater efforts to align internal audit activities with management's strategic business
goals
Transaction Monitoring
A lender wanted comfort that the pricing of each
loan it extended was in keeping with its underwriting policies, in order to ensure profitability.
Its practice had been to calculate loan price on
a defined set of business and credit rules, but to
allow manual override of these rules.
However, when implemented by the lender's
agents, that manual override could occur without
detection, causing a potential control failure.
The Situation:
The Shared Services group of a fast-growing global provider of cable
television news and entertainment programming faced skyrocketing
travel and entertainment (T&E) transaction volume. Given the company's
resource limitations, both that volume and time-consuming manual audits
of expense claims potentially increased the risk of error, fraud, and misuse
within the T&E reimbursement process. The enterprise needed assistance
in scoping, planning, configuring, and implementing its Audit Command
Language (ACL) continuous controls monitoring (CCM) tools.
The Solution:
As in many business processes, moving from a manual to an automated
review system involves data analytics. Data analytics assist in auditing
and risk management and in testing controls and control overrides. For
example, data analytics can be used to test a population of transactions,
which in this instance is T&E claims, so that no overrides occur without proper
approval. In this case, Deloitte helped provide a suite of automated,
customizable analytics for T&E expense processing, control, and audit.
This system enables monitoring of T&E transactions and claims with the
aim of identifying suspicious activity, errors, and exceptions.
The Shared Services group can now monitor T&E transactions on a
continuous basis. The group also moved from employing a random
sample approach to a more focused approach of reviewing claims that
display attributes of potentially fraudulent or erroneous expenses. Using
nearly real-time CM, analysts can investigate and resolve issues that might
otherwise go undetected. In addition to containing costs and minimizing
losses, the CCM tool provides additional assurance around compliance
relating to T&E business processes.
[Figure: Optimize processes (drive process improvement); Improve operations (drive operational improvement); Improve controls and reduce cost (drive sustainable, cost-effective compliance).]
Then, the enterprise applies controls automation and monitoring techniques to achieve
operational control objectives, such as
inventory, receivables, payables, credit, or
warranty claims management.
The Situation:
As part of its enterprise transformation initiative, a global manufacturer
of durable goods planned a worldwide rollout of the next generation of
its ERP system. This initiative aimed to commonize core finance and
purchasing processes across global operating regions. This multi-year
project to enable worldwide business processes required that security
controls be reviewed and documented during the implementation
lifecycle to minimize the potential for (and instances of) post-launch
remediation.
The Solution:
The enterprise required a methodology for assessing pre-implementation
ERP security and internal controls. Deloitte's methodology focused on
internal controls in four key areas: business process controls, application
security, data and interface controls, and general computer controls. This
approach has been built into a repeatable, proven process for designing,
building, testing, and deploying internal controls.
A controls assessment identified, documented, and assessed ERP internal
control and security recommendations. This enabled the enterprise to
evaluate their ERP control structure through successive phases and to
drive management's control requirements into the program. The enterprise realized efficiencies as each regional launch progressed. Pre-implementation assessments established the controls baseline, supported
future test plans, and provided the controls that were designed into the
processes.
This pre-implementation review of security and business process controls
consisted of three phases: Phase 1: Plan, define, and design; Phase 2:
Construct, test, and deploy; Phase 3: Execute, deliver, and help provide
ERP support. This initiative also called for audit-related assessments of
the enterprise's segregation of duties tools and warranty claims management program.
Benefits of CM and CA
Continuous monitoring can enable an enterprise to:
Improve risk and control assurance, usually in the same or less time than previous approaches
Reduce costs, including internal audit costs and costs associated with unaddressed control deficiencies
Expand internal audit coverage with minimal (or no) incremental cost
Consider Continuousness
This document has highlighted the key considerations for a management team or an internal
audit function considering continuous monitoring
or continuous auditing. It has flagged the key
issues and barriers, set the matter in the context
of a risk management framework, and flagged
potential IT concerns.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member
firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/cn/en/about for a detailed description of the
legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally
connected network of member firms in more than 140 countries, Deloitte brings world-class capabilities and deep local expertise to help
clients succeed wherever they operate. Deloitte's approximately 170,000 professionals are committed to becoming the standard of excellence.
In China, services are provided by Deloitte Touche Tohmatsu and Deloitte Touche Tohmatsu CPA Limited and their subsidiaries and affiliates.
Deloitte Touche Tohmatsu and Deloitte Touche Tohmatsu CPA Limited are, together, a member firm of Deloitte Touche Tohmatsu Limited.
Deloitte China is one of the leading professional services providers in the Chinese Mainland, Hong Kong SAR and Macau SAR. We have over
8,000 people in 14 offices in Beijing, Chongqing, Dalian, Guangzhou, Hangzhou, Hong Kong, Macau, Nanjing, Shanghai, Shenzhen, Suzhou,
Tianjin, Wuhan and Xiamen.
As early as 1917, we opened an office in Shanghai. Backed by our global network, we deliver a full range of audit, tax, consulting and
financial advisory services to national, multinational and growth enterprise clients in China.
We have considerable experience in China and have been a significant contributor to the development of China's accounting standards,
taxation system and local professional accountants. We also provide services to around one-third of all companies listed on the Stock
Exchange of Hong Kong.
This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, Deloitte Global Services Limited, Deloitte
Global Services Holdings Limited, the Deloitte Touche Tohmatsu Verein, any of their member firms, or any of the foregoing's affiliates (collectively the "Deloitte Network") are, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other
professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for
any decision or action that may affect your finances or your business. Before making any decision or taking any action that may affect your
finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any
loss whatsoever sustained by any person who relies on this publication.