Continuous auditing and continuous monitoring: The current status and the road ahead KPMG’s EMA region survey December 2012 2 | Continuous auditing and continuous monitoring: The current status and the road ahead © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Continuous auditing and continuous monitoring: The current status and the road ahead | 3 Contents Introduction4 Executive Summary 5 About the survey 6 Are the potential benefits of CA/CM well understood? 8 Which processes benefit most from CA/CM? 10 Who are the initiators and beneficiaries? 12 Current and future state of adoption 14 Barriers to adoption 16 Past and future investments 18 Do technology and tooling provide adequate support? 20 How KPMG can help 22 Contacts23 © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 4 | Continuous auditing and continuous monitoring: The current status and the road ahead Introduction New board and regulatory pressures, cost and efficiency considerations and the emergence of new business risks are helping to change the scope of risk and performance management. In this shifting scope, continuous auditing (‘CA’) and continuous monitoring (‘CM’) will have an increasing role to play. In general, CA/CM seeks to add value by improving compliance and supporting business goals. From a technology perspective, CA/CM enables a high degree of automation to monitor systems and data, and implements closed-loop mechanisms for any exceptions detected. As a monitoring mechanism, CA/CM helps to detect irregularities in system configurations, processes and data, either from a risk or a performance perspective. Potential benefits of CA/CM include: • Enhanced and more timely oversight of compliance across the enterprise; • Improved efficiency and effectiveness of the control environment through automation, leading to cost-reduction opportunities; • Business improvement through reduced errors and improved error remediation, allowing reallocation of resources to value-adding activities; • The ability to report more comprehensively on compliance with internal and regulatory requirements. The purpose of this document is to summarise the results of a survey conducted in 2012 across Europe, the Middle East and Africa. It explores the potential benefits of employing CA/CM in the current economic climate and gauges how advanced their implementation is. The target group consisted primarily of company officials whose daily activities are currently supported by CA/CM- related tools, or officials who hold functions in which CA/CM may play an important role in the future. Examples of these types of functions are boards of directors, finance, operational/line management, internal control and internal audit. A word of thanks We would like to thank all the different parties involved in this paper. We would especially like to thank all the participants in this survey, whose valuable insight into the current and future status of CA/CM within their organisations forms the basis of this white paper. Special thanks are also due to Koen Rombauts, Bert Scherrenburg, Barbara Legg, Maurice op het Veld and Peter Paul Brouwers, all from KPMG the Netherlands, for conducting the survey and drafting this white paper. Defining CA and CM Continuous auditing (CA) is the collection of audit evidence and indicators by either the external auditor or the internal auditor in information technology (IT) systems, processes, transactions and controls on a frequent or continuous basis throughout a period. Continuous monitoring (CM) is a feedback mechanism used by management to ensure that controls operate as designed and that transactions are processed as described. This monitoring method is the responsibility of management and can form an important component of the internal control structure. Definitions taken from KPMG LLP’s Continuous Auditing and Continuous Monitoring: Transforming Internal Audit and Management Monitoring to Create Value, 2008 © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Continuous auditing and continuous monitoring: The current status and the road ahead | 5 Executive Summary CA/CM is winning ground within organisations that aim for continuous control and continuous performance. The level of awareness, the increasing availability of tools and the aim for greater efficiency in assurance are important drivers for further investigation into what CA/CM can bring to the organisation. This report summarises the outcome of a survey which examined the awareness about and the current and future status of CA/CM across Europe, the Middle East and Africa. The key observations are: • Respondents do understand the benefits of CA and CM. They realise that CA aims to bring comprehensive assurance with greater coverage across the organisation (89% of the respondents). Many believe CA will also facilitate real-time operational assurance (81%) and a reduced burden for line management (74%). CM is set up to detect and correct process irregularities and helps to identify process improvements (90%); Page 8 • CA/CM is considered to be most valuable in scenarios where processes are repetitive and susceptible to risk e.g. financial management reporting (82%). These processes are often transaction-based supported by applications with structured data; Page 10 • Eighty five percent of the respondents stated that the internal auditors introduced CA/CM into the organisation and that they are also seen as its main beneficiary (87%). Operational/ line management is not often the initiator (59%) of CA/CM but certainly enjoys its benefits (87%); Page 12 KPMG’s vision • The current state of adoption is low. Only 9% of respondents have both CA and CM embedded across their organisation. However, a remarkable 83% have at least considered implementing CA/CM; Page 14 Organisations should understand that CA/CM is not only about implementing tooling, it is a change in the way of working where you have to redefine your objectives, roles and responsibilities and the way to handle the outcome. Moreover, implementing CA/CM is about understanding the extent to which CA/ CM can transform processes, risk and controls, technology, and people in an integrated way. When implementing CA/CM, organisations typically follow several stages of maturity, starting with the introduction of data analytics techniques to support existing manual procedures. Depending on the drivers behind CA/CM, the end state may be CA/CM systems that are fully embedded and used throughout organisations. • Respondents consider the limited insight into the CA/CM tooling available on the market as the largest barrier to the adoption of CA/CM (69%). It is not always clear what suitable CA/CM tooling should consist of; Page 16 • Organisations are changing position from just being interested in CA/ CM to actually investing in CA/ CM-related projects. In the next two years, the percentage of organisations that are not investing in CA/CM will decline from 37% to 19%, while 62% expect to commence projects valued at up to €250,000. Page 18 Organisations should realise that effective implementation of CA/CM can take time and effort. A variety of challenges can be expected along the way. No matter how they choose to launch the effort, organisations should look to define the desired end-state for their CA/CM efforts. Together, CA and CM provide insight and transparency for continuous control and performance improvement. Therefore CA and CM must be perceived as long-term, systematic approaches rather than short-term measures. Based on our practical experiences with supporting the implementation of several CA/CM frameworks we at KPMG strongly believe that this will definitely be a way forward to create greater transparency in an efficient and sustainable way. © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 6 | Continuous auditing and continuous monitoring: The current status and the road ahead About the survey The KPMG online survey was rolled out across the EMA region (Europe, Middle East, and Africa) in 2012 and contains responses from 718 individuals. The respondents are primarily from internal audit as well as from boards of directors, CFOs, operational/line management, finance and risk management professionals. Survey questions included the following: • What are the benefits of CA/CM? • Who are the initiators of CA/CM and who benefits most? • How much capital needs to be invested? • What are the barriers to adoption? • What future does CA/CM have? Representation of regions and countries Most of the respondents by far were from Western Europe (68%) and Eastern Europe including Turkey (24%). Nevertheless, respondents from the Middle East and Africa (both 4%) are also included in the survey results. 4% 4% 24% 68% Within these regions, the respondents were from the 32 following countries: Western Europe Eastern Europe Middle East Africa -Andorra -Austria -Belgium -Finland -France -Germany -Italy -Luxembourg - The Netherlands -Norway -Portugal -Spain -Switzerland -United Kingdom -Bulgaria -Greece -Hungary -Moldova -Poland -Romania -Slovakia -Turkey -Bahrain -India -Qatar -Saudi Arabia -United Arab Emirates -Yemen -Guinea-Bissau -Kenya -Nigeria -South Africa Analysis of the survey results showed that there are not many significant differences between the various regions. As a result of this, the outcome of the survey and analysis as included in this white paper represents the whole EMA region. Western Europe Eastern Europe incl Turkey Middle East Africa © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Continuous auditing and continuous monitoring: The current status and the road ahead | 7 Size of organisations responding to the survey Thirty six percent of respondents were from organisations with a turnover exceeding €1 billion and 24% from organisations with a turnover ranging between €250 million and €1 billion. Cross section of sectors The respondents represented a cross section of industry sectors, including: financial services (29%), industrial markets (26%), infrastructure, government and health (20%), consumer markets (15%), and technology, media, telecoms (10%). Representation of lines of defence Of the respondents, 37% were from the first line of defence (boards of directors, CEO, CFO, finance, operational/line management, IT); 13% were from the second line of defence (risk management, internal control and compliance); 50% of the respondents were from internal audit (third line of defence). 10% 21% 36% 29% 15% 50% 37% 19% 20% 24% Less than € 50 million € 50 million - € 250 million € 250 million - € 1 billion Greater than € 1 billion 26% 13% Financial services Industrial markets Infrastructure, government, health Consumer markets Technology, media, telecoms First line Second line Third line Business owners: first line of defence Compliance regulators: second line of defence Assurance providers: third line of defence Business owners have risk content ownership. They are responsible for identifying and managing risks incurred over the course of daily business. Such risks can be operational in nature or may be associated with finance and compliance. The risks may represent discrete events rather than ongoing exposure. In addition to complying with risk-management policies, business owners are expected to identify and assess emerging exposure. Standard setters own risk processes and specific monitoring responsibilities. They establish policies and procedures handling risk; provide guidance and coordination among all stakeholders; identify enterprise trends, synergies, and opportunities for a change; and operationalize new events. In addition to facilitating critical liaison between business owners and assurance providers, standard setters provide oversight within specific risk areas (such as credit), and in terms of specific enterprise objectives (such as compliance). Assurance providers ensure that the company is achieving business objectives, mitigating and managing risks, and optimizing risk management process effectiveness. Internal Audit often serves as the primary assurance provider in the third line of defense for many companies. Assurance providers are responsible for setting standards for risk management, ensuring that these are well understood, broadly embraced, and adequate for the company’s needs. Assurance providers liaise with senior management or the corporate board to enable visibility into enterprise risk management activities. Source: KPMG.com – Leveraging data analytics and continuous auditing processes for improved audit planning, effectiveness and efficiency. © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 8 | Continuous auditing and continuous monitoring: The current status and the road ahead Are the potential benefits of CA/CM well understood? CA is designed to result in comprehensive assurance with greater coverage across the organisation. CM detects and corrects process irregularities and helps implement process improvements. Many believe CA will also facilitate real-time operational assurance and reduce the burden for line management. Based on the survey: Respondents do understand the benefits of CA and CM. They realise that CA provides more assurance with greater coverage and depth and that it enables real-time operational assurance. However, organisations are less likely to take into consideration that CA can also lower costs. This indicates a short-term perception that relatively high up-front investments are needed while the long-term benefits of CA are not yet fully understood. Overall, the survey results reflect that respondents understand what CM can bring to the organisation i.e. it enables identification of process irregularities on a continuous basis. Moreover, it transfers the responsibility regarding detecting and correcting irregularities onto the business itself. However, only 64% of respondents believed that CM will result in the organisation achieving competitive advantages. Main drivers of CA adoption for an organisation 89% Provides more assurance with greater coverage and depth Enables real-time operational assurance to be obtained regarding business processes/activities 81% Reduces burden for line management to facilitate audit activities (e.g. no or limited interviews, walkthroughs etc.) 74% 56% Reduces internal audit costs 53% Reduces external audit costs CA is not/will not be adopted, so this question is not relevant for my organisation 41% Main drivers of CM adoption for an organisation Enables identification of process irregularities and implementation of process improvements on a continuous basis 90% Improves transparency/reporting requirements from board/management 84% Transfers the responsibility regarding detecting and correcting of irregularities to the business processes itself 84% Complies with applicable legislation and regulations (e.g. anti-bribery, export controls) 78% 69% Reduces compliance costs Achieves competitive advantages 64% © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Continuous auditing and continuous monitoring: The current status and the road ahead | 9 KPMG analysis Clearly, many organisations are aware of the drivers of CA/CM. However, understanding the benefits of CA/ CM alone cannot drive it forward. Strategic drivers include the pressure to strengthen governance, enhance performance and accountability and the ability to improve visibility over global operations. Operational drivers include the occurrence or risk of fraud and misconduct and process improvement through the identification of irregularities on a continuous basis. External drivers include the expanding regulatory and risk environment, scrutiny from rating agencies, and an uncertain economic environment. Since CA/CM does not always necessarily result in immediate and direct operational/strategic results, organisations find it hard to appreciate the competitive advantage of CA/CM. Past Assurance mainly delivered by internal audit Increased transparency • Based on real facts • Less manual interpretation/ intervention • Flexible reporting (overview & detailed reporting) Current/future Higher level of management assurance via effective internal control framework & No surprises • Real time insights • High level of detail • Less human interpretation Reducing cost of compliance Management assessment (1st line of defence) Internal control / Risk management (2nd line of defence) Internal audit (3rd line of defence) • Automatic of (data) analysis • Re-usable by internal/external audit • Reducing manual procedures Management assessment (1st line of defence) Internal control / Risk management (2nd line of defence) Internal audit (3rd line of defence) © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 10 | Continuous auditing and continuous monitoring: The current status and the road ahead Which processes benefit most from CA/CM? Typically, CA/CM is most valuable in scenarios where processes are repetitive and susceptible to risk (e.g. financial management reporting). These processes are often transaction-based supported by applications that run on structured data. Based on the survey: In the first place most respondents believe that CA/CM is best suited to support processes such as ‘Financial management reporting’ and ‘Treasury and cash management’. Processes that benefit most from CA and CM Financial management reporting 82% Treasury and cash management 80% 82% 77% Purchase to payment 72% IT management 71% Sales order to cash receipt 66% HR/payroll 65% Travel and expenses 62% Fixed asset management 61% Inventory Industry-specific processes (retail, insurance, telecoms, production) Other 59% 4% © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Continuous auditing and continuous monitoring: The current status and the road ahead | 11 KPMG analysis CA/CM can add most value to organisations where processes are repetitive and susceptible to risk. It can improve the organisation’s risk management and control activities. For example, internal audit’s approach to audit planning tends to be largely risk-based. Expanding this approach to include CA can enhance internal audit’s coverage, regardless of how much risk is expected in those additional areas. CM can also help to allocate riskmanagement resources effectively. On the whole, CA/CM helps to foster a culture focussed on efficiency. For example, organisations can use CM to help align components of the procure-to-pay cycle so vendors are not paid too early but in line with the terms of the contract. CM enables an organisation to evaluate the date of purchase, the due date of the invoice and the date of payment. Automating manual processes to detect issues early and prevent escalation can save retrospective remediation costs. Obviously, preventing errors from occurring improves the overall business process efficiency as well. Typically, areas that tend to have the greatest return on investment (ROI) in an initial CA/CM implementation include: • Manual journal entries; • Time and expense; • Purchase to pay; • Purchasing cards (P-cards); • Order to cash; • Inventory management. © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 12 | Continuous auditing and continuous monitoring: The current status and the road ahead Who are the initiators and beneficiaries? Internal Audit, supported by the CFO, often introduces CA/CM within the organisation and is also seen as its main beneficiary. Operational/line management is not often the initiator of CA/CM but does enjoy its benefits. considered both the main initiator and also the main beneficiary of CA/CM. Many respondents also believe that the CFO or the finance department are initiators. Once presented with Based on the survey: Overall, the survey shows that functions across the organisation gain value from CA/CM – even if they are not the initiators. Internal audit is a strong business case, operational/ line management and the board of directors tend to be easily convinced of the benefits of CA/CM. Initiators and beneficiaries of CA and CM 85% Internal audit 87% 69% CFO/Finance 87% 68% Internal control 82% 67% Risk management 81% 59% Compliance 77% 59% Operational/line management 87% 56% Board of directors 83% 55% IT 69% 39% Legal Other 59% 4% 2% Initiators of CA and CM Beneficiaries of CA and CM © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Continuous auditing and continuous monitoring: The current status and the road ahead | 13 KPMG analysis Internal audit often triggers CA/CM initiatives because it has experience with data analytics from a control testing perspective and CA constitutes the next logical step. Operational/ line management is not often the first initiator of CA/CM but does benefit from it. This may be due to the fact that operational/line management does not solely act from a risk perspective – it is primarily responsible for the organisation’s core business processes. However, operational/line management realises that its responsibilities extend further and include internal controls, which are often closely linked to CA/CM. © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 14 | Continuous auditing and continuous monitoring: The current status and the road ahead Current and future state of adoption Adoption continues to be low despite awareness around the benefits of CA/CM. The main reason is that organisations find it difficult to quantify the benefits of CA/CM which are needed to justify the business case for its implementation. As a result organisations are taking small steps in embedding CA/CM, for example by experimenting with tools on pilot projects. Based on the survey: The current state of adoption is low. A remarkable 17% of respondents have never considered implementing CA/CM and 14% have only considered it but have not yet taken any action. Only 10% of respondents are running pilots on either CA or CM and another 12% are actually implementing CA or CM. A mere 16% of the respondents indicated they have already embedded CA within their internal audit function but only 9% have both CA and CM embedded across their respective organisations. The number of organisations with CA/ CM fully embedded is likely to rise slightly in the very near future however. A quarter of respondents revealed that they plan to investigate the added value of CA/CM to their organisations. The number of organisations running pilots remains stable, but the survey shows that the number of organisations planning to embed both CA and CM in the next two years is expected to increase significantly (from 9% today to 23% two years from now). What is the current status of CA/CM within the organisation 9% CA and CM are embedded across the organisation and integrated operationally 12% CM is embedded within line management responsibilities 16% CA is embedded within internal audit 12% Currently implementing CA and/or CM CA and/or CM pilot is currently being run 10% Currently busy drawing up business case and/or obtaining budget for CM 10% 14% Have considered, but not yet taken any action 17% Have not considered CA or CM / don’t know Where organisations would like to be in two years time with respect to CA and CM 23% CA and CM are embedded across the organisation 10% CM is embedded in monitoring activities of line management 15% CA is embedded in internal audit 8% Pilot project(s) underway in various parts of the organisation Business case is completed and budget is obtained 4% 25% An investigation is conducted into the added value of CA/CM for our organisation Will not consider CA/CM 15% © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Continuous auditing and continuous monitoring: The current status and the road ahead | 15 KPMG analysis Although organisations do realise the benefits of CA/CM, there is still some reluctance to fully adopt either CA or CM. However, with the need for continued risk assurance growing, this is likely to improve and more businesses can be expected to invest in CA/CM in the near future. Like any transformation process, the adoption and implementation of CA/CM will take time and effort. The first step towards adoption is to build a business case to secure support from senior management and to outline the objectives, scope, expected costs and projected benefits of CA/CM. Starting on a small scale allows management or internal audit to test the CA/CM concept first. The next step is to draw up a road map to be able to fully achieve the objectives of the CA/CM implementation. Before significant resources are allocated to monitoring controls and transactions, management will need to consider whether the existing controls are the most effective to be able to address the underlying risks. In addition, management should give careful consideration to what should be measured, where the necessary data resides, and the quality of the data. unmanageable number of ‘exceptions’ or ‘false positives’ requiring attention, in turn resulting in increased inefficiencies as well as a false sense of assurance. Similarly, ‘switching on’ poorly designed rules may also result in a false sense of assurance. Simply ‘switching on’ rules that may exist within a standard technology tool without refining them could result in an © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 16 | Continuous auditing and continuous monitoring: The current status and the road ahead Barriers to adoption Limited insight and understanding of available technology tools is the largest barrier for organisations to tackle when considering CA/CM. This is caused by a lack of clarity about what kind of functionality CA/CM tooling actually consists of. Based on the survey: The key barrier for an organisation to adopt CA/CM is limited insight into the availability of suitable CA/CM tools. 75% of respondents are using IT tools, with only 13% of them using business intelligence dashboards and 10% using dedicated CA/CM tools. Unfamilarity and lack of knowledge or experience also ranked high amongst the responses. Lack of staff and limited commitment or awareness at a senior level within an organisation were also mentioned. Barriers to CA and CM adoption 69% Limited insight in availability of proper CA/CM tools Organisation is not familiar with or does not understand the possibilities of CA/CM sufficiently Lack of knowledge and experience regarding data analysis and/or continuous maintenance of tooling 65% 64% 63% Lack of staff to support CA/CM implementation Limited commitment and/or awareness at board and senior management level 55% 46% Limited suitability of IT infrastructure to apply CA/CM 45% Business case, including budget, has not been finalised and approved Limited suitability to apply CA/CM in your type of organisation 38% © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Continuous auditing and continuous monitoring: The current status and the road ahead | 17 KPMG analysis CA/CM is partly a technology solution and this obviously requires expert knowledge. At the same time there appears to be uncertainty about what functionality CA/CM tooling actually provides. From a KPMG perspective, CA/CM functionality includes at least: data extraction (from source systems), data analysis, case management (to make exceptions actionable) and reporting (e.g. via dashboards). Organisations should take steps to increase their knowledge and become more familiar with the concepts of CA/CM in order to overcome specific barriers to the implementation of CA/ CM. There can also be resistance to change and the focus on communication throughout the process is key to overcome this. Other barriers may include a highly scattered and diverse IT landscape and inferior quality source data, lack of internal resources and skills to manage CA/CM, or a lack of resources to implement CA/CM tools. If these risks can be mitigated, a successful implementation of CA/CM will generally translate into reduced reporting costs, enhanced governance, risk mitigation and compliance outcomes, financial and non-financial ROI, as well as increased detection and prevention of fraud. © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 18 | Continuous auditing and continuous monitoring: The current status and the road ahead Past and future investments The number of organisations with embedded CA/CM is likely to grow gradually. CA/CM will evolve naturally, from starting on a small scale to a mature capability. Based on the survey: The potential benefits of CA/CM are widely understood, yet a gap between understanding CA/CM and the willingness to invest in it continues to exist. Only a few companies have implemented CA/CM so far. The survey shows that organisations are gradually changing position from just being interested in CA/CM to actually investing in CA/CM-related projects. The number of organisations surveyed that are not investing in CA/CM will decline by almost 50% over the next two years (from 37% to 19%), while 46% expect to start small projects and invest up to €100,000 in this period. However, the survey also shows that organisations are reluctant to commit to high investments – the number of companies investing more than €250,000 will remain quite stable and below 20%. Investment in CA/CM over the last two years Investment in CA/CM in the next two years 7% 7% 3% 3% 4% 4% 7% 7% 7% 7% 19% 19% 8% 8% 37% 37% 10% 10% 16% 16% 37% 37% 46% 46% €€00(no (noinvestment) investment) Less Lessthan than€€100,000 100,000 €€100,000 100,000- -€€250,000 250,000 €€250,000 250,000- -€€500,000 500,000 €€500,000 500,000- -€€11million million greater greaterthan than€€11million million © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Continuous auditing and continuous monitoring: The current status and the road ahead | 19 KPMG analysis Organisations are eager to learn but shy away from high up-front investments. This sentiment can be attributed to various factors. Driven by limited discretionary spending and the need for heightened accountability, management must focus on achieving healthy ROIs while also lowering exposure to risk. Consequently, CA/CM must be allowed to evolve naturally, from starting small to a mature capability. Nevertheless, organisations should be able to fit investments within budgets on a sustainable basis and start by composing a business case. Furthermore, CA/CM tools are still at a stage of development. Many organisations are waiting for enhanced tools before they consider adoption. However, growing interest in CA/CM is increasingly prompting organisations to test CA/CM through pilot projects. Some companies have successfully managed the cost challenges associated with CA/CM by integrating these into wider project budgets. For companies looking to implement CA/CM, pilots can deliver results quickly and potentially help CA/CM to become auto-financing. An investment in CA/CM fits in well in the context of a larger business intelligence initiative where CA/CM can provide critical business decision-making capabilities. In most other cases, an incremental approach based on an ROI analysis may be more appropriate. © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 20 | Continuous auditing and continuous monitoring: The current status and the road ahead Do technology and tooling provide adequate support? Advances in technology have paved the way for increased use of CA/CM. It is of course vital to opt for technology and tools that are suitable for an organisation’s needs. Based on the survey: Many organisations have started to experiment with technology and standard tooling. As for technology, 75% are using IT, with one-third using office automation or standard auditing tools. Only 13% use advanced business intelligence (BI) dashboards, while 11% use dedicated CA/CM tools from suppliers such as SAP GRC, BWise, Approva, Oversight or Aptean (EMF). In the area of tooling usage, internal audit (87%), finance (63%), internal control (59%) and operational/ line management (56%) are using CA/CM tools. Use of technology to support CA/CM Not at all or don’t know 25% 19% Use of office automation (e.g. Microsoft Excel or Access) Use of standard auditing tools (e.g. IDEA or ACL) 16% Use standard reporting e.g. from ERP system 16% Use of Business Intelligence (e.g. dashboards, reports) Use of dedicated CA/CM monitoring tools (e.g. SAP GRC, BWise, Oversight, EMF, Approva) 13% 11% Use of CA and CM tools 78% Internal audit Finance 63% 59% Internal control 56% Operational/line management Risk management 53% IT 52% Compliance CA/CM tools are not implemented, so this question is not relevant for my organisation 50% 43% © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Continuous auditing and continuous monitoring: The current status and the road ahead | 21 KPMG analysis Organisations that are currently interested in CA/CM need guidance and sufficient information on the benefits and techniques associated with CA/CM. At present, many organisations have started to experiment with standard tooling. However, tools should ideally be customised to meet specific needs within each organisation and are likely to evolve gradually into business intelligence dashboards and eventually into professional CA/CM tooling. Advances in technology have paved the way for increased use of CA and CM in organisational processes, transactions, systems, and controls. Technology- enabled control, auditing and monitoring tools integrated into ERP solutions, or built as third-party bolt-on solutions, have and will continue to evolve. They also help organisations to monitor the efficiency of internal controls, identify and correct lapses in controls and strengthen performance. It is of course vital to opt for technology tools that are viable and suitable to an organisation’s needs. For instance, some organisations may find embedded tools too costly for their purpose. If this is the case then ‘extract and analyse’ software may be a more appropriate alternative. Any technology-dependent initiative – including CA/CM implementation – is bound to face challenges in terms of achieving data accuracy and consistency. Furthermore, as data evolves constantly; formats, protocols and refresh cycles may vary widely across systems. The success of a CA/CM initiative is highly dependent upon the effective implementation and use of the right technology tools. In the same way, those tools will only be successful if used effectively. Organisations need to evaluate how suitable the features, functions and capabilities of a tool are for their needs before engaging a specific tool provider. © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 22 | Continuous auditing and continuous monitoring: The current status and the road ahead How KPMG can help Implementing CA/CM is much more than a technology exercise. KPMG has the experience and industry knowledge to help you effectively apply your knowledge of your business risks and internal mechanisms to designing a CA/CM framework that supports strategic management objectives. We also have assisted organisations in building successful business cases to demonstrate Return on Investment (ROI) from CA/CM implementation. Having helped organisations through CA/CM implementation, we understand the pitfalls and have the know-how to navigate the change management process. T CON INUOUS AUDITING • Software selection for CA/CM tool(s) • Designing and implementing CA/CM risk-based approaches -Dashboards -Scorecards -Analytics -Reports - Management Protocols • Optimising past CA/CM implementations (e.g. control rationalisation) • Integrating with governance, risk, and compliance initiatives • Integrating with business intelligence initiatives Desig n ess Ass In addition, KPMG can assist in: Implement • Integrating with other data analysis initiatives Peo pl e P ro c e s s • Conducting a walk along or post implementation review Technology INDUSTRY & FUNCTIONAL KNOWLEDGE CO N TI N U O U S M O N IN ITO R •Training G © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Continuous auditing and continuous monitoring: The current status and the road ahead | 23 Contacts We would be happy to share our CA/CM experiences with you and provide insight into the road ahead. Please contact us for more information. Central and Eastern Europe Jimmy Helm Partner, Head of Forensic T: +420 222 123 430 E: jhelm@kpmg.com Lithuania Povilas Akstinas Associate Director, Advisory T: +370 52 11 36 60 E: pakstinas@kpmg.com Bulgaria Maria Peneva Partner, Head of Risk Consulting T: +359 2 9697 490 E: mpeneva@kpmg.com Poland Agnieszka Gawrońska-Malec Senior Manager, Forensic T: +48 22 528 12 86 E: agawronska-malec@kpmg.pl Czech Republic Maros Holodnak Director, Forensic T: +420 222 123 721 E: mholodnak@kpmg.cz Romania Richard Perrin Partner, Head of Risk Consulting T: +40 372 377 792 E: rperrin@kpmg.com Estonia Karin Rätsep Senior Manager, Head of Business Advisory T: +372 626 8751 E: kratsep@kpmg.com Serbia Boris Milošević Partner, Head of Advisory T: +381 11 20 50 520 E: bmilosevic@kpmg.com Hungary István Molnár Senior Manager, IT Risk and Compliance T: +36 1 887 7445 E: istvan.molnar@kpmg.hu Slovakia Viliam Kaceriak Senior Manager, Advisory T: +421 2 59984 407 E: vkaceriak@kpmg.sk Latvia Evija Miezite Associate Director, Advisory T: +371 6703 8066 E: emiezite@kpmg.com kpmg.com/cee © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International. © 2012 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Printed in the Netherlands. 1212
0
You can add this document to your study collection(s)
Sign in Available only to authorized usersYou can add this document to your saved list
Sign in Available only to authorized users(For complaints, use another form )