
A Case Study in Continuous Controls Monitoring

Presented to:

August 20, 2013
Course goals & objectives

To guide participants through the terminology, concepts and value proposition for deploying Continuous Controls Monitoring (CCM).
Review of what CCM is
Benefits of CCM
Required Components
Discuss the Emory Case Study
Tools to leverage
The Approach and Best Practices
Discuss Emory's ROI
About the Presenters

Mark Hafitz, Director of Information Technology Special Projects
As well as being an Emory alumnus, Mark has worked for Emory University for over 20 years. His career at Emory started in the Information Technology Division working as a Programmer/Analyst supporting financial applications. Several years later he began working in the Human Resources Division as the Assistant Director, Information Systems. He managed the daily operations of the Human Resources Information Systems area and oversaw the development and maintenance of all Human Resources systems. For the last 15 years he has worked in the Finance Division managing and overseeing the completion of the division-wide financial systems projects as the Director of Financial Projects. Prior to Emory, Mark spent several years as a Programmer/Analyst working with the Information Systems group at Kimberly-Clark Corporation. Mark received his Master of Business Information Systems degree from Georgia State University, and a Bachelor of Arts in English Literature from Emory University.

Michael Lisenby, Managing Partner, SolomonEdwards Atlanta
Mike Lisenby is a specialist in Enterprise Risk Services & Compliance. Mike has over 16 years of experience in helping businesses manage their accounting, finance, technology resources and compliance needs effectively. Mike's experience includes consulting and co-sourcing, IT audits, SOX compliance, and technology security assessments; risk identification, assessment and evaluation; risk response; risk monitoring; IT control design and implementation; and IT control monitoring and maintenance. Mike held leadership roles with Arthur Andersen and several other national consulting firms, and has prior internal audit experience with Fortune Brands and Philip Morris. He currently holds a CRISC (Certified in Risk and Information Systems Control) certification.
What is CCM

Continuous Controls Monitoring (CCM) is an ongoing systematic practice of observing and checking, for reasonable assurance, that Information Technology systems (hardware and/or software) operate as designed. These supervisory practices, against IT systems, have a basis for maintaining data validity, reliability, and integrity. Several areas where modern organizations depend on IT systems to operate continuously, accurately and effectively:
The reporting of organization finances.
E-Commerce and Electronic Funds Transfer.
Network and Computing Platform Security.
Medical, Criminal, or Federal Data Records Management and Retention.
Public Telecommunications Voice and Data Networks.
National Energy Grids and Utilities.
(Source: Wikipedia)
Benefits of CCM

Process problems are reflected in transactional data if you know what to look for
100% of transactions tested with sophisticated analytics in near real time (as opposed to a periodic sample long after occurrence)
Results can be acted on rapidly, sometimes before the transaction cycle completes
Goes beyond just reporting to provide an actionable control framework
Cutting costs, catching policy violations or fraud. Ex: T&E expense submissions
Automate manual tasks. Ex: Reconciliations, IA testing procedures, access controls
Stopping revenue leakage. Ex: sales or source documents that trigger revenue recognition missing
Creating Value
Components of CCM

Source Systems (GL, AP, AR, HR, Other)
  -> Replication or ETL
  -> Replicated Data for Analysis
  -> Statistical and Analytical Routines Continuously Performed on Data
  -> Exceptions Identified
  -> Reporting Tool: Reports & Dashboards; Exception Management Interface; Email Alerts

Example email alert: "Invoice A123 from Acme Solutions in the amount of $543.21 may be a duplicate of invoice 1231 in the amount of $543.21 dated 4/14/2010 from Acme Inc."
Approach

Step 1: Design Controls
Workshop(s):
Determine Risks and Control Use Cases needed
Understand the systems involved
Understand the Data
Define Analytical Logic needed, by Use Case
Define Exception Resolution Management workflow & Status Codes
Develop High Level Architecture
Security Requirements
Create Design Document

Step 2: Implement ETL
Collaborate w/ IT:
Set up hardware & Connectivity
Select ETL Approach
Develop ETL process
Develop Transformations, if required
Test Integrity and Impact on Production Environment
Start scheduler/Cron job
Analytics DB In Place
Create Exceptions DB

Step 3: Develop Analytics
Iteratively for Each Use Case:
Develop Algorithm(s)
Unit Testing: Review and refine to reduce false positives
Set up Reports & Dashboards Tool (IIS or SharePoint)
Set up Exceptions Interface

Step 4: User Components
Develop Reports & Dashboards
User Training
User Acceptance Testing
Tuning & Optimization
Develop Email Alerts (Optional)
Roll Out
System Documentation
Step 2: Implement ETL (Extract, Transform & Load)

Extract

Multiple ways to approach:
Linked Server Object (typical for an Oracle DB source)
ETL Tools (such as SSIS; open source tools are available too)
Replication (Publication/Subscription model)
If a mirror or replicated instance of production data is already available, that is the preferred method. If not, indexed short-running queries with read-only accounts that pull in daily incremental activity, and only from the needed tables/columns, run by a scheduled job (during non-peak hours) are recommended.
The key objective is automated availability of the near real-time data needed to support continuous analytics.
Example of a possible Transformation: mapping might be needed to translate to the parent's Chart of Accounts or another common model from various autonomous systems to allow cross comparisons.
Some analytics need to track changes to Master Data (example: Vendor Master File Tampering Testing); in this case, we created logic to create versioned snapshots of records in the ETL logic.
Because we want the Exception to be resolvable by the Owner without them having to log in to the source application, we pull all data needed to understand and resolve the Exceptions for presentation in the Exception Report.
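The versioned-snapshot idea above, worked through as an added example (this is not Emory's or SEG's ETL code). Each daily vendor-master extract is compared with the last stored version of every record; a changed record gets a new version row, and a tampering analytic then reports which sensitive fields changed, on which extract date, and under which last-update user id, with before/after values so the exception owner can resolve it from the report alone. The table layout, the field names, the list of sensitive fields and the sample extracts are all constructed.

```python
"""Versioned master-data snapshots for a Vendor Master tampering test (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Fields whose change should raise an exception (assumed list, not from the slides).
SENSITIVE_FIELDS = ("bank_acct", "address1", "city")


@dataclass
class Version:
    vendor_id: str
    version: int
    valid_from: date
    valid_to: Optional[date]   # None while this is the current version
    data: Dict[str, str]
    updated_by: str            # last-update user id carried in the extract


class VendorSnapshotStore:
    """Type-2 style history: one row per vendor per change, never overwritten."""

    def __init__(self) -> None:
        self.versions: Dict[str, List[Version]] = {}

    def current(self, vendor_id: str) -> Optional[Version]:
        rows = self.versions.get(vendor_id)
        return rows[-1] if rows else None

    def load_extract(self, extract_date: date,
                     rows: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
        """Apply one day's extract. Returns (vendor_id, changed_fields) per changed record."""
        changes = []
        for row in rows:
            vid = row["vendor_id"]
            payload = {k: v for k, v in row.items() if k not in ("vendor_id", "updated_by")}
            cur = self.current(vid)
            if cur is None:                       # first time this vendor is seen
                self.versions[vid] = [Version(vid, 1, extract_date, None, payload, row["updated_by"])]
                continue
            if cur.data == payload:               # unchanged: keep the current version
                continue
            diff = sorted(k for k in payload if payload[k] != cur.data.get(k))
            cur.valid_to = extract_date           # close the old version
            self.versions[vid].append(
                Version(vid, cur.version + 1, extract_date, None, payload, row["updated_by"]))
            changes.append((vid, diff))
        return changes


def tampering_exceptions(store: VendorSnapshotStore, since: date) -> List[dict]:
    """Analytic over the versioned data: sensitive-field changes on or after `since`."""
    out = []
    for vid, rows in store.versions.items():
        for prev, cur in zip(rows, rows[1:]):
            if cur.valid_from < since:
                continue
            changed = {f: (prev.data.get(f), cur.data.get(f))
                       for f in SENSITIVE_FIELDS if prev.data.get(f) != cur.data.get(f)}
            if changed:
                out.append({"vendor_id": vid, "version": cur.version, "date": cur.valid_from,
                            "updated_by": cur.updated_by, "changed": changed})
    return out


def demo() -> Tuple[List[Tuple[str, List[str]]], List[dict]]:
    """Two constructed daily extracts; day 2 changes one vendor's bank account."""
    store = VendorSnapshotStore()
    day1 = [
        {"vendor_id": "V100", "name": "ACME SOLUTIONS INC", "address1": "12 MAIN ST",
         "city": "ATLANTA", "bank_acct": "111222333", "updated_by": "batchload"},
        {"vendor_id": "V200", "name": "BETA SUPPLY", "address1": "9 PEACH RD",
         "city": "DECATUR", "bank_acct": "444555666", "updated_by": "batchload"},
    ]
    day2 = [dict(day1[0], bank_acct="999888777", updated_by="jdoe"), day1[1]]
    store.load_extract(date(2013, 8, 19), day1)
    changes = store.load_extract(date(2013, 8, 20), day2)
    return changes, tampering_exceptions(store, since=date(2013, 8, 20))


if __name__ == "__main__":
    for exc in demo()[1]:
        print(exc)
```

Because the old version is closed rather than overwritten, the exception report can show the prior bank account next to the new one, which is exactly the data an owner needs without opening the source application.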
Step 3: Develop Analytics
Specific Indicators

Name: Duplicate PO
Description: Test for multiple occurrences of the same PO number being referenced by multiple invoices.
Functional Logic / Algorithm: For each given voucher, test all vouchers within the previous 60 days for the same PO number being referenced.
Probability: 80%

Name: Duplicate Amount
Description: Test for multiple occurrences of the same Amount being referenced by multiple invoices from the same Vendor.
Functional Logic / Algorithm: For each given voucher, test all vouchers within the previous 60 days from the same vendor that are for the same amount.
Probability: 20%

Each Indicator becomes a part of the WHERE clause and possibly helps drive joins.
Step 3: Develop Analytics
Script Development
Multiple Indicators in SQL

Select
    ExceptionID (key),
    'Duplicate Invoice' as Exception_Type,
    XXX as Probability,
    Etc. (All data needed)
From Vouchers as V
Join Vouchers as V_Same_PO
    on V.PO = V_Same_PO.PO
Join Vouchers as V_Same_Amt
    on V.Amt = V_Same_Amt.Amt
Where V.Vendor + V.InvNo <> V_Same_PO.Vendor + V_Same_PO.InvNo
  And (V_Same_PO.VoucherNum is not Null
       OR V_Same_Amt.VoucherNum is not Null)
Step 3: Develop Analytics
Script Development (continued)
The Use of Probabilities

The Probability field in your select clause:

Select
    'Probability' = (case WHEN V.PO = V_Same_PO.PO THEN 80% else 0 end)
                  + (case when V.Amt = V_Same_Amt.Amt then 20% else 0 end)
                  -- else 0 added: a CASE without ELSE yields NULL, and NULL + 20% is NULL
From Table_X
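The two indicators and the weighted probability from the preceding slides, run end to end as an added example (not Emory's script). It folds the slide's two self-joins into one join whose ON clause is the OR of the indicators, so each candidate pair is scored once: same PO within the previous 60 days contributes 0.80, same vendor and amount within the previous 60 days contributes 0.20, and each CASE carries an ELSE 0 because in SQL NULL + 0.8 is NULL, which would blank the score whenever one indicator does not fire. The table, column names and voucher rows are constructed, and the query runs in SQLite rather than SQL Server.

```python
"""Multi-indicator duplicate-voucher test with weighted probability (added example)."""
import sqlite3
from typing import List, Tuple

DUPLICATE_SQL = """
SELECT v.voucher_num                      AS exception_id,
       prior.voucher_num                  AS prior_voucher,
       (CASE WHEN prior.po = v.po THEN 0.80 ELSE 0 END)
     + (CASE WHEN prior.vendor = v.vendor AND prior.amt = v.amt THEN 0.20 ELSE 0 END)
                                          AS probability,
       TRIM((CASE WHEN prior.po = v.po THEN 'Same PO; ' ELSE '' END)
         || (CASE WHEN prior.vendor = v.vendor AND prior.amt = v.amt
                  THEN 'Same amount from same vendor; ' ELSE '' END)) AS indicators,
       v.vendor, v.inv_no, v.amt, v.inv_date, prior.inv_date AS prior_inv_date
FROM vouchers v
JOIN vouchers prior
  ON prior.voucher_num <> v.voucher_num
 -- "previous 60 days": prior is dated earlier (or same day with a lower voucher number)
 AND (prior.inv_date < v.inv_date
      OR (prior.inv_date = v.inv_date AND prior.voucher_num < v.voucher_num))
 AND prior.inv_date >= date(v.inv_date, '-60 days')
 -- each indicator helps drive the join, as the slide puts it
 AND (prior.po = v.po OR (prior.vendor = v.vendor AND prior.amt = v.amt))
-- exact re-posts of the same vendor invoice number are left to a separate test
WHERE v.vendor || '|' || v.inv_no <> prior.vendor || '|' || prior.inv_no
ORDER BY exception_id, prior_voucher
"""

# Constructed rows: (voucher_num, vendor, inv_no, po, amt, inv_date)
SAMPLE_VOUCHERS = [
    ("V1", "ACME",  "A100", "P1", 500.00, "2013-06-01"),
    ("V2", "ACME",  "A101", "P1", 500.00, "2013-06-10"),  # same PO and amount as V1
    ("V3", "BETA",  "B7",   "P1", 900.00, "2013-06-15"),  # same PO as V1/V2, other vendor
    ("V4", "ACME",  "A200", "P9", 500.00, "2013-09-20"),  # same amount, but > 60 days later
    ("V5", "GAMMA", "G1",   "P5", 120.00, "2013-06-20"),
    ("V6", "GAMMA", "G2",   "P6", 120.00, "2013-06-25"),  # same vendor and amount as V5
]


def build_sample_db() -> sqlite3.Connection:
    """In-memory voucher table loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE vouchers (voucher_num TEXT PRIMARY KEY, vendor TEXT, "
                 "inv_no TEXT, po TEXT, amt REAL, inv_date TEXT)")
    conn.executemany("INSERT INTO vouchers VALUES (?,?,?,?,?,?)", SAMPLE_VOUCHERS)
    return conn


def find_duplicate_candidates(conn: sqlite3.Connection) -> List[Tuple]:
    """Return (exception_id, prior_voucher, probability, indicators) per candidate pair."""
    return [row[:4] for row in conn.execute(DUPLICATE_SQL)]


if __name__ == "__main__":
    for row in find_duplicate_candidates(build_sample_db()):
        print(row)
```

On the sample data V2 scores 1.0 against V1 (both indicators), V3 scores 0.8 against each of V1 and V2 (PO only), V6 scores 0.2 against V5 (vendor and amount only), and V4 is silent because its matches fall outside the 60-day window; the indicators column is what the exception owner reads to see why a row is on the report.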
Step 3: Develop Analytics
Script Development (continued)
Duplicate Invoice Actual Script

5.7B Possible Duplicate Invoice: Same Invoice No and Amount for Similar Vendors, within 60 days.

Insert into CCM.dbo.EXCEPTIONS_Stage
SELECT
    Case when V_Dup.BUSINESS_UNIT in ('EMUNV') then 'EUV' else 'EHC' end AS COMPANY,
    '' AS DEPT_NUM,
    '' AS DEPT_NAME,
    'EXCEPTION' AS TYPE,
    'Procure to Pay' AS CATEGORY,
    '5.7B Possible Duplicate Invoice Same Invoice No, Different But Similar Vendors' as Exception_Name,
    '5.7B' + V_Dup.BUSINESS_UNIT + V_Dup.Voucher_ID as EXCEPTIONID,
    GETDATE() AS EXCEPTION_DATE,
    V_Dup.OPRID_LAST_UPDT AS ASSOCIATED_USER,
    'NEW' AS STATUS,
    '' AS EXCEPTION_OWNER,
    '' AS NOTES,
    INDICATORS =
        (case when CCM.dbo.fn_StrClean(ISNULL(V_Prior_Addr.ADDRESS1,'') + ISNULL(V_Prior_Addr.ADDRESS2,'') + ISNULL(V_Prior_Addr.City,''))
                 = CCM.dbo.fn_StrClean(ISNULL(V_Dup_Addr.ADDRESS1,'') + ISNULL(V_Dup_Addr.ADDRESS2,'') + ISNULL(V_Dup_Addr.City,''))
              then 'Same Invoice Number for Vendors with Similar Address.'
              else ''
         end) +
        (Case when CCM.dbo.fn_calculateJaroWinkler(CCM.dbo.fn_StrClean(ISNULL(V_Name_Dup.NAME1,'')),
                                                   CCM.dbo.fn_StrClean(ISNULL(V_Name_Prior.NAME1,''))) > .97
              then 'Same Invoice Number for Vendors with Similar Name.'
              else ''
         End),
    PROBABILITY =
        (case when CCM.dbo.fn_StrClean(ISNULL(V_Prior_Addr.ADDRESS1,'') + ISNULL(V_Prior_Addr.ADDRESS2,'') + ISNULL(V_Prior_Addr.City,''))
                 = CCM.dbo.fn_StrClean(ISNULL(V_Dup_Addr.ADDRESS1,'') + ISNULL(V_Dup_Addr.ADDRESS2,'') + ISNULL(V_Dup_Addr.City,''))
              then .6
              else 0   -- ELSE added: without it this CASE yields NULL, and NULL + .6 is NULL in T-SQL
         End) +
        (Case when CCM.dbo.fn_calculateJaroWinkler(CCM.dbo.fn_StrClean(ISNULL(V_Name_Dup.NAME1,'')),
                                                   CCM.dbo.fn_StrClean(ISNULL(V_Name_Prior.NAME1,''))) > .97
              then .6
              else .5  -- printed as "(.5.5)" on the slide; .5 assumed
         End),
    V_Dup.GROSS_AMT AS FINANCIAL_IMPACT,
    VAL_1 = V_Dup.INVOICE_ID,
    DEF_1 = 'Duplicate Invoice No.',
    VAL_2 = V_Prior.INVOICE_ID,
    DEF_2 = 'Prior Invoice No',
    VAL_3 = V_Dup.GROSS_AMT,
    DEF_3 = 'Invoice Amt',
    VAL_4 = V_Dup.Voucher_ID,
    DEF_4 = 'Duplicate Voucher ID',
    VAL_5 = V_Prior.Voucher_ID,
    DEF_5 = 'Prior_Voucher_ID',
    VAL_6 = V_Dup.VENDOR_ID,
    DEF_6 = 'Duplicate Vendor ID',
    VAL_7 = V_Prior.Vendor_ID,
    DEF_7 = 'Prior Vendor ID',

Duplicate Invoice Actual Script (Continued)

    VAL_8 = V_Name_Dup.NAME1,
    DEF_8 = 'Duplicate Vendor Name',
    VAL_9 = V_Name_Prior.NAME1,
    DEF_9 = 'Prior Vendor Name',
    VAL_10 = V_Dup.Invoice_DT,
    DEF_10 = 'Duplicate Invoice Date',
    VAL_11 = V_Prior.INVOICE_DT,
    DEF_11 = 'Prior Invoice Date',
    VAL_12 = CCM.dbo.fn_StrClean(ISNULL(V_Dup_Addr.ADDRESS1,'') + ISNULL(V_Dup_Addr.ADDRESS2,'') + ISNULL(V_Dup_Addr.City,'')),
    DEF_12 = 'Scrubbed Duplicate Vendor Address',
    VAL_13 = CCM.dbo.fn_StrClean(ISNULL(V_Prior_Addr.ADDRESS1,'') + ISNULL(V_Prior_Addr.ADDRESS2,'') + ISNULL(V_Prior_Addr.City,'')),
    DEF_13 = 'Scrubbed Prior Vendor Address',
    VAL_14 = NULL, DEF_14 = NULL,
    VAL_15 = NULL, DEF_15 = NULL,
    VAL_16 = NULL, DEF_16 = NULL,
    VAL_17 = NULL, DEF_17 = NULL,
    VAL_18 = NULL, DEF_18 = NULL,
    VAL_19 = NULL, DEF_19 = NULL,
    VAL_20 = NULL, DEF_20 = NULL,
    VAL_21 = NULL, DEF_21 = NULL,
    VAL_22 = NULL, DEF_22 = NULL,
    VAL_23 = NULL, DEF_23 = NULL,
    VAL_24 = NULL, DEF_24 = NULL,
    VAL_25 = NULL, DEF_25 = NULL,
    VAL_26 = NULL, DEF_26 = NULL,
    VAL_27 = NULL, DEF_27 = NULL,
    VAL_28 = NULL, DEF_28 = NULL,
    VAL_29 = NULL, DEF_29 = NULL,
    VAL_30 = NULL, DEF_30 = NULL
from CCM.dbo.PS_VOUCHER as V_Dup
left outer join CCM.dbo.PS_VOUCHER as V_Prior
    on V_Prior.INVOICE_ID = V_Dup.INVOICE_ID
    and V_Prior.VENDOR_ID != V_Dup.VENDOR_ID
    and V_Prior.INVOICE_DT >= DATEADD(dd, -60, V_Dup.INVOICE_DT)  -- minus sign restored; the slide drops it, but the test is "within 60 days" prior
    and V_Dup.ENTERED_DT >= V_Prior.ENTERED_DT
left outer join CCM.dbo.PS_VENDOR as V_Name_Dup
    on V_Name_Dup.VENDOR_ID = V_Dup.VENDOR_ID
left outer join CCM.dbo.PS_VENDOR as V_Name_Prior
    on V_Name_Prior.VENDOR_ID = V_Prior.VENDOR_ID
left outer join CCM.dbo.PS_VENDOR_ADDR as V_Dup_Addr
    on V_Dup_Addr.VENDOR_ID = V_Dup.Vendor_ID
    and V_Dup_Addr.ADDRESS_SEQ_NUM = V_Dup.ADDRESS_SEQ_NUM
left outer join CCM.dbo.PS_VENDOR_ADDR as V_Prior_Addr
    on V_Prior_Addr.VENDOR_ID = V_Prior.Vendor_ID
    and V_Prior_Addr.ADDRESS_SEQ_NUM = V_Prior.ADDRESS_SEQ_NUM
where V_Dup.ENTERED_DT >= DATEADD(dd, 5, V_Dup.INVOICE_DT)  -- as printed on the slide
    and V_Prior.ENTRY_STATUS NOT IN ('X','R')
    and V_Prior.Vendor_ID is not null
    and V_Dup.GROSS_AMT = V_Prior.GROSS_AMT
    and (
        CCM.dbo.fn_StrClean(ISNULL(V_Prior_Addr.ADDRESS1,'') + ISNULL(V_Prior_Addr.ADDRESS2,'') + ISNULL(V_Prior_Addr.City,''))
        = CCM.dbo.fn_StrClean(ISNULL(V_Dup_Addr.ADDRESS1,'') + ISNULL(V_Dup_Addr.ADDRESS2,'') + ISNULL(V_Dup_Addr.City,''))
        OR
        CCM.dbo.fn_calculateJaroWinkler(CCM.dbo.fn_StrClean(ISNULL(V_Name_Dup.NAME1,'')),
                                        CCM.dbo.fn_StrClean(ISNULL(V_Name_Prior.NAME1,''))) > .97
    );
GO
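The fuzzy vendor matching that the script above relies on, as an added example (not Emory's T-SQL). fn_StrClean and fn_calculateJaroWinkler on the slides are the authors' own SQL Server functions; here str_clean is assumed to upper-case and strip everything but letters and digits, and jaro_winkler is the standard algorithm with prefix weight 0.1 over at most four characters. score_candidate mirrors the script's two indicators (scrubbed addresses equal; name similarity above .97) with the slide's .6 weights; capping the sum at 1.0 and treating two blank addresses as no evidence rather than as a match are this example's choices. The vendor records are constructed.

```python
"""Fuzzy vendor matching for the "similar vendors" duplicate-invoice test (added example)."""
import re
from typing import Dict, Tuple

NAME_THRESHOLD = 0.97   # the slide's cut-off on the Jaro-Winkler score


def str_clean(s: str) -> str:
    """Assumed equivalent of fn_StrClean: upper-case, keep only A-Z and 0-9."""
    return re.sub(r"[^A-Z0-9]", "", (s or "").upper())


def jaro(s: str, t: str) -> float:
    if s == t:
        return 1.0
    if not s or not t:
        return 0.0
    window = max(0, max(len(s), len(t)) // 2 - 1)
    s_hit = [False] * len(s)
    t_hit = [False] * len(t)
    matches = 0
    for i, c in enumerate(s):                     # characters matching within the window
        for j in range(max(0, i - window), min(len(t), i + window + 1)):
            if not t_hit[j] and t[j] == c:
                s_hit[i] = t_hit[j] = True
                matches += 1
                break
    if matches == 0:
        return 0.0
    trans, j = 0, 0                               # half-transpositions among matched chars
    for i, c in enumerate(s):
        if s_hit[i]:
            while not t_hit[j]:
                j += 1
            if c != t[j]:
                trans += 1
            j += 1
    trans //= 2
    return (matches / len(s) + matches / len(t) + (matches - trans) / matches) / 3


def jaro_winkler(s: str, t: str, p: float = 0.1, max_prefix: int = 4) -> float:
    """Jaro score boosted for a shared prefix, the usual weighting for names."""
    base = jaro(s, t)
    prefix = 0
    for a, b in zip(s, t):
        if a != b or prefix == max_prefix:
            break
        prefix += 1
    return base + prefix * p * (1 - base)


def score_candidate(dup: Dict[str, str], prior: Dict[str, str]) -> Tuple[str, float]:
    """dup/prior: {'name': ..., 'address': ...} for two vendors sharing an invoice number.
    Returns (INDICATORS text, PROBABILITY) in the spirit of the slide's SELECT."""
    indicators, prob = [], 0.0
    dup_addr, prior_addr = str_clean(dup["address"]), str_clean(prior["address"])
    if dup_addr and dup_addr == prior_addr:       # two blank addresses are not a match
        indicators.append("Same Invoice Number for Vendors with Similar Address.")
        prob += 0.6
    if jaro_winkler(str_clean(dup["name"]), str_clean(prior["name"])) > NAME_THRESHOLD:
        indicators.append("Same Invoice Number for Vendors with Similar Name.")
        prob += 0.6
    return " ".join(indicators), min(prob, 1.0)


if __name__ == "__main__":
    # constructed pair: one company keyed twice with punctuation and spacing differences
    print(score_candidate({"name": "Acme Solutions, Inc.", "address": "12 Main St, Atlanta"},
                          {"name": "ACME SOLUTIONS INC", "address": "12 MAIN ST ATLANTA"}))
```

Cleaning first matters: "Acme Solutions, Inc." and "ACME SOLUTIONS INC" score 1.0 only after punctuation and case are stripped, and a one-letter typo such as "ACME SOLUTION INC" still clears the .97 threshold, while unrelated names fall well below it; the threshold is what the "review and refine to reduce false positives" step in the Approach tunes.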
Case Study: Issues

Significant Control Weaknesses
Decentralized structure
Multiple disbursement processes
Broadly distributed access
Duties not segregated
Few restrictions / discretionary accounts
Poor monitoring controls

Bleeding From a Thousand Cuts
1 million annually in inaccurate payments
Multiple frauds

Resource Limitations
Case Study: Considerations

Desire to be Proactive vs. Reactive
Catch errors before paid

Budget
No licensing fees / annual commitments

Flexibility / Ease of Use
Audit department to maintain / minimal IT support
Growth potential: handle unlimited data sources and continually add new logic tests
Communications (notice of exceptions; resolution)
Transferability to management
Reporting capabilities

Security & Compliance
The environment needed to be secure (SSL) to safeguard confidential information
Case Study: Why SEG

Why Emory decided to partner with SEG and use an open source solution:
Subject Matter Expertise
Cost effective / No additional licensing fees
Co-Sourced Approach
Leveraged use of existing technology / Not tied to vendor
Knowledge transfer / ability to support in-house
Ability to deploy in a phased approach
Algorithms Created: Phase I

Vendor Master Integrity Checks
Conflicts of interest
Duplicate vendors
Vendor Master Tampering

Payment Integrity Checks
Duplicate Payments
Potential personal purchases on corporate card
Expenses / Per Diems
Travel agent / employee ID not validated

HR Checks
Rehire of terminated employees
New hire background checks
FMLA Status Consistency
FLSA Error Checking
Components of CCM At Emory

Source Systems: PeopleSoft (HR, Payroll, Payables, Procurement), Kronos, LDAP
  -> SQL ETL (VBScript)
  -> Replicated Data For Analysis
  -> Statistical and Analytical Routines Continuously Performed on Data
  -> Exceptions Identified
  -> Email Alerts (generated with an embedded link to a report); Exception Management Interface (ASP.net Webform); Reporting Tool: IIS Web Based Reports & Dashboards
Automated Processing

Automated notification of daily ETL feed and Analytics success or failure is sent to management, giving positive assurance that the application is continuously testing transactional data. Most days, no exception occurs, and there is nothing to report, so this allows confidence that the application is actually turned on and working.
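The positive-assurance check described above, as an added example (not Emory's job). A quiet day only means something if the ETL feed and the analytics actually ran, so the status message claims "nothing to report" only when every expected job has a successful run for that day and otherwise flags the job as failed or missing. The run-log format, the job names and the log lines are constructed.

```python
"""Positive-assurance status for a nightly CCM run (added example)."""
from datetime import datetime
from typing import Dict, List

EXPECTED_JOBS = ("ETL_FEED", "ANALYTICS")   # assumed job names

# Constructed log lines: "<date> <time> <job> <SUCCESS|FAILURE> rows=<n>"
SAMPLE_RUN_LOG = """\
2013-08-19 02:05:11 ETL_FEED SUCCESS rows=18422
2013-08-19 02:41:03 ANALYTICS SUCCESS rows=0
2013-08-20 02:04:57 ETL_FEED SUCCESS rows=19110
2013-08-20 02:39:12 ANALYTICS FAILURE rows=0
"""


def parse_run_log(text: str) -> List[dict]:
    """One dict per run with its timestamp, job, outcome and row count."""
    runs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_date, ts_time, job, outcome, rows = line.split()
        runs.append({"at": datetime.fromisoformat(f"{ts_date}T{ts_time}"), "job": job,
                     "ok": outcome == "SUCCESS", "rows": int(rows.split("=", 1)[1])})
    return runs


def daily_status(runs: List[dict], day: str) -> Dict[str, str]:
    """Per expected job, for the ISO date `day`: OK, FAILED (last run that day failed)
    or MISSING (no run at all that day, which a silent scheduler looks exactly like)."""
    status = {job: "MISSING" for job in EXPECTED_JOBS}
    for job in EXPECTED_JOBS:
        todays = [r for r in runs if r["job"] == job and r["at"].strftime("%Y-%m-%d") == day]
        if todays:
            status[job] = "OK" if todays[-1]["ok"] else "FAILED"
    return status


def status_message(status: Dict[str, str], exception_count: int) -> str:
    """Line for the management notification; never reports a clean day on a partial run."""
    if all(s == "OK" for s in status.values()):
        return f"All jobs ran; {exception_count} exception(s) identified."
    problems = ", ".join(f"{j}={s}" for j, s in status.items() if s != "OK")
    return f"ATTENTION: monitoring not complete ({problems}); exception count is not reliable."


if __name__ == "__main__":
    runs = parse_run_log(SAMPLE_RUN_LOG)
    for day in ("2013-08-19", "2013-08-20", "2013-08-21"):
        print(day, status_message(daily_status(runs, day), 0))
```

The third date in the usage loop has no log lines at all, which is the case a plain "no exceptions today" email would hide: the job never started, so the exception count of zero says nothing about the transactions.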
Email Alerts

When exceptions do occur, user-specific Email Alerts are generated (when exceptions relevant to only specified users occur) with an embedded link to a report that only allows them to see authorized data unique to that user.
SSL Encryption

The SSL features in IIS cannot be used until you obtain and assign a server certificate to the computer that is running IIS.

Configuring SSL encryption is a multi-step process that involves the following:
1. Requesting a server certificate for the computer that is running IIS. If the IIS server already has a server certificate, you can go to step 4.
2. Obtaining a server certificate from a certification authority.
3. Installing the newly issued server certificate into IIS and binding it.
4. Enabling SSL encryption.
5. Updating the database of trusted Certification Authorities on each smart device so it can recognize the server certificate as authentic.
Server Certificates

Binding Certificate

Verify Binding

Configure SSL Settings

IIS Reporting

IIS Reporting

Alternate View

Clicking the above link presents an alternate view of all data related to that specific exception.

Alternate View (continued)

Scrolling down to the bottom, the user can click the link to enter Edit Mode (shown on the next screenshot).

Edit Mode

Edit Mode

After updating the information, the user clicks the Update link.

Update Success

Management Reporting
Case Study: ROI

Implementation costs recovered in 6 weeks
Duplicate payments (invoices and supplemental pay)
Caught prior to disbursement (reduced costs to correct)

Control Effectiveness Monitoring Results
Conflicts of interest
Expenses / Per Diems
Rehire of terminated employees
Inconsistent FMLA status
Travel agent / employee ID not validated

Future Opportunities / Next Steps
Revenue
RAC Audits
Compliance: grants and contracts
Removal of network access for terminated employees
Statistical analysis
Case Study: Results

[Chart: Duplicate Payments, April 1 to July 31; dollar amount by month (April, May, June, July), axis $0 to $140,000]

[Chart: Number of Exceptions, All Tests; count by month (April, May, June, July), axis 0 to 25]
Does CCM Make Sense For Your Company?

Any manual processes subject to human error?
Any Manual Audits or Reconciliations?
Any recurring Analytical procedures that consume a lot of time or are pain points?
Concerns about policy compliance?
Concerns about employee theft?

If the answer is yes to any of these, it is likely that CCM can bring solid value to your company, enabling you to increase its Audit Capability Maturity Level while allowing the finance and audit teams to show their strategic value to the rest of the company.
For More Information

Mike Lisenby, CRISC
SolomonEdwards
Managing Partner
mlisenby@solomonedwards.com
Office: 404-497-4152
Mobile: 404-281-8005

Scott Stevenson, CIA, CPA
Emory University
Associate Chief Audit Officer
Office: 404-686-2916
sjsteve@emory.edu

SolomonEdwardsGroup, LLC
Atlanta Office
Five Concourse Parkway, Suite 1450
Atlanta, Georgia 30328