AUDIT ANALYTICS AUDIT
1JWn3ix
1JWn3ix
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
CASE STUDY A: DEVELOPING CONTINUOUS ASSURANCE AT SIEMENS<br />
role as vice president of controls management at SFS, he observed that<br />
many of the company’s internal audit programs, such as audit checklists,<br />
are mechanical and repetitive in nature, so he wanted to automate these<br />
processes by moving to a CCM program as an independent control<br />
assurance function that would be separate from internal audit.<br />
Recognizing that organizations are often resistant to change, he decided<br />
to start with small, achievable targets to demonstrate that the program<br />
has merit, and then expand beyond financial reporting into operational<br />
components once the business unit and support unit managers at SFS<br />
had become accustomed to the continuous monitoring methodology.<br />
In the first phase of the project, the new vice president of controls<br />
management focused on financial reporting rules compliance and data<br />
integrity. Personnel at SFS manage data and make decisions within a<br />
framework of company policies expressed as a set of rules. Because SFS<br />
relies on communicating rules and assessing compliance with those rules<br />
in providing services to its clients, the first part of the project was to<br />
develop a system that could notify key people within the company about<br />
"exceptions" and "alerts." An exception demands immediate research and<br />
resolution because it means that a rule was not followed. Depending on<br />
the explanation that is given for the exception, it might also require a<br />
correcting entry in the SFS accounting records. By contrast, an alert flags<br />
any transaction that might be of interest to the owners of that<br />
information, such as a change in a transaction, so that SFS can take<br />
immediate action to verify the information and be proactive in<br />
monitoring the business.<br />
Implementing a CCM program would enhance business processes at SFS<br />
by immediately identifying any exceptions to the company’s system of<br />
rules and policies by internal decision-makers, notifying them of these<br />
exceptions, and demanding resolution. The CCM system would also<br />
improve the company’s financial assurance processes, such as SOX<br />
requirements, by monitoring the entire data population, instead of<br />
relying on the types of sample testing used in traditional SOX or internal<br />
audit methodologies. According to the vice president of controls<br />
management, "Exceptions in the data pool are like fish in the lake. Just<br />
because they are there doesn’t mean you will catch any." Continuously<br />
assessing 100 percent of data attributes (validity, authorization,<br />
completeness, valuation, time period, and disclosure) for exceptions<br />
gives far greater assurance that the data represents the company’s<br />
underlying economic position than periodic sampling ever could. In<br />
addition, the immediacy of the CCM’s feedback raises decision-makers’<br />
cultural and behavioral awareness of rules at SFS, which further<br />
enhances its value as a tool and a methodology.<br />
149