A protocol for continuous monitoring and assurance
Gerard A. (Rod) Brennan, Siemens Corporation
Miklos A. Vasarhelyi, Rutgers University
© 2007. Siemens Product Lifecycle Management Software Inc. All rights reserved
Siemens PLM Software
Outline
• Motivation
• Implementation: of accredited control monitoring software
• Reengineering: rationalization and reorganization of the audit program
• Automation: of elements not in the adopted software solution
Motivation
A three-pronged approach to audit automation
• Automate the audit plan using delivered rule sets: est. 25% of a typical manual audit plan
• Automate using external data sets (static and variable): est. an additional 25% of a typical manual audit plan
• Re-engineer manual controls into automated controls with improved control precision: est. an additional 25% of a typical manual audit plan
Total automation opportunity: ~75%
Implementation
SAP Certification Audit, cont.
• The certification audit program used by the Siemens IT Audit Pool covers eight functional areas within the SAP environment:
1. BC – Basis System
2. CO – Computer Operations and Outsourcing
3. FI – Financial Accounting
4. FI-AA – Asset Accounting
5. SD – Sales and Distribution
6. MM – Materials Management
7. PS – Project System
8. HR – Human Resources
• These audit programs include the relevant automated and manual IT general controls and the automated and manual application (i.e., business process) controls.
• The SAP certification audit is not only controls-focused; many auditees have optimized their SAP system based on knowledge gained through the audit.
Proposed Audit Automation Project: Goals and Objectives (Jan 2008)
• Siemens AG has recognized a clear opportunity to leverage audit automation tools and technology to improve compliance, mitigate fraud, assure conformance to processes and reduce the cost of compliance.
• The proposed project will leverage A&D PL's successful installation of Approva BizRights to build a working model for tactically deploying and achieving the above objectives, while at the same time obtaining the 4-year SAP certification.
• A 2-day feasibility and scoping session was held at PL's Maryland Heights, MO office to review the audit program and validate assumptions on the feasibility of using Approva BizRights; a high potential for automation was identified.
• Participants:
  • Siemens North America operational audit lead
  • PL IT and IA representatives
  • Rutgers University, Continuous Audit and Reporting Laboratory
  • Approva
Value Proposition (Cost and Quality)
Quality
• Continuous versus point-in-time/periodic auditing
• Information on the full population in SAP vs. sample-based testing
• Deterrent to fraud (including collusive fraud) by creating a "perception of monitoring" within the organization
• Sustainability of the control environment through real-time updates and alerts to management personnel
• Assures process conformance and business process optimization
Cost
• Savings through cash flow improvements (e.g., vendors with unusually accelerated payment terms; customers with delayed payment terms)
• Savings from other process improvements and systems optimization
• Savings from improved fraud deterrents [1]
A&D PL specific:
• For 3 of every 4 years, eliminate ~500 man-hours of IT GCC and application control testing (@ $137/hr = $68,750/year for PL)
• Significantly reduce the 475 man-hours of annual KPMG IT audit hours (@ $200/hr and a 50% reduction, $47,500/year)
[1] The 2007 Fraud Report by the ACFE estimated fraud costs at up to 5% of revenues in most organizations.
General: the Siemens IT audit pool billing rate is $137/hour; KPMG's is $200/hr in Siemens North America.
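The "full population vs. sample-based" and cash-flow bullets above amount to a technique: a fixed set of rules evaluated against every master-data record, with exceptions pushed to a dashboard. The following Python is an added example of that pattern, not Siemens, Approva or Rutgers code. The SAP-style field layout (payment term code plus net days), the policy thresholds, the rule identifiers and the sample rows are all assumptions constructed for the illustration.

```python
"""Rule-based continuous controls monitoring over the full population.

Added illustration (not Siemens, Approva or Rutgers code): a minimal rule engine
that evaluates every record of a constructed SAP-style vendor and customer master
extract, rather than a sample, and reports the two cash-flow exceptions named on
the slide: vendors with unusually accelerated payment terms and customers with
delayed payment terms. Field layout, policy thresholds and sample rows are
assumptions chosen for the example.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import median
from typing import Callable, Dict, List, Optional, Tuple

# Constructed rows: (business partner, company code, payment term code, net days).
# In SAP the term code is LFB1-ZTERM (vendor) / KNB1-ZTERM (customer) and the
# net-days meaning of each code comes from table T052; the values here are made up.
Record = Tuple[str, str, str, int]

VENDORS: List[Record] = [
    ("V1001", "1000", "Z030", 30),
    ("V1002", "1000", "Z030", 30),
    ("V1003", "1000", "Z000", 0),    # pay immediately: unusually accelerated
    ("V1004", "1000", "Z045", 45),
    ("V1005", "1000", "Z030", 30),
    ("V1006", "1000", "Z007", 7),    # net 7: also accelerated
]
CUSTOMERS: List[Record] = [
    ("C2001", "1000", "Z030", 30),
    ("C2002", "1000", "Z030", 30),
    ("C2003", "1000", "Z090", 90),   # net 90: delayed collection
    ("C2004", "1000", "Z060", 60),
    ("C2005", "1000", "Z030", 30),
]

# Assumed policy parameters (the "static parameters" an auditor would set once).
STANDARD_NET_DAYS = 30          # company standard for both vendors and customers
ACCELERATED_MARGIN_DAYS = 10    # vendor terms more than this below the baseline are flagged
DELAYED_MARGIN_DAYS = 30        # customer terms more than this above the baseline are flagged


@dataclass(frozen=True)
class Finding:
    rule_id: str
    partner: str
    company_code: str
    detail: str


# A rule sees one record plus population-level context and returns a detail
# string when the record is an exception, or None when it passes.
Rule = Callable[[Record, Dict[str, float]], Optional[str]]


def vendor_accelerated(rec: Record, ctx: Dict[str, float]) -> Optional[str]:
    _, _, term, days = rec
    # Baseline is the stricter of policy standard and observed population median,
    # so a company-wide change of standard terms does not flood the dashboard.
    baseline = min(STANDARD_NET_DAYS, ctx["vendor_median"])
    threshold = baseline - ACCELERATED_MARGIN_DAYS
    if days < threshold:
        return f"term {term} = net {days} days, below threshold of {threshold:g}"
    return None


def customer_delayed(rec: Record, ctx: Dict[str, float]) -> Optional[str]:
    _, _, term, days = rec
    baseline = max(STANDARD_NET_DAYS, ctx["customer_median"])
    threshold = baseline + DELAYED_MARGIN_DAYS
    if days > threshold:
        return f"term {term} = net {days} days, above threshold of {threshold:g}"
    return None


RULE_SET: List[Tuple[str, Rule, str]] = [
    # (assumed rule id, rule function, population it runs over)
    ("P2P-001", vendor_accelerated, "vendors"),
    ("O2C-001", customer_delayed, "customers"),
]


def run_rules(vendors: List[Record], customers: List[Record]) -> List[Finding]:
    """Evaluate every rule against every record of its population (no sampling)."""
    populations = {"vendors": vendors, "customers": customers}
    ctx = {
        "vendor_median": float(median(r[3] for r in vendors)),
        "customer_median": float(median(r[3] for r in customers)),
    }
    findings: List[Finding] = []
    for rule_id, rule, pop_name in RULE_SET:
        for rec in populations[pop_name]:
            detail = rule(rec, ctx)
            if detail is not None:
                findings.append(Finding(rule_id, rec[0], rec[1], detail))
    return findings


def dashboard_counts(findings: List[Finding]) -> Dict[str, int]:
    """Exception count per rule, the figure a control dashboard would show."""
    return dict(Counter(f.rule_id for f in findings))


if __name__ == "__main__":
    for f in run_rules(VENDORS, CUSTOMERS):
        print(f"{f.rule_id} {f.company_code} {f.partner}: {f.detail}")
    print(dashboard_counts(run_rules(VENDORS, CUSTOMERS)))
```

Two design points carry over to a real deployment: the thresholds are parameters held outside the rules, so the same rule book can be re-used at another Siemens location with different standard terms, and the baseline is taken from the whole population, which is only meaningful because every record is evaluated rather than a sample.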
Technology Requirements
A&D PL already has the following Approva modules "live" in production; these will be heavily utilized as part of this project:
• Authorizations Insight
• Access Mgmt Insight
• User Activity Insight
• Procure-to-Pay Insight
• Order-to-Cash Insight
The following modules will be required and will be installed at A&D PL for the project:
• Financial Close Insight
• General Computer Controls Insight
• Insight Authoring Studios
Project Deliverables
1. SAP certificate for A&D PL's systems
2. Siemens Operational Audit's "TeamMate" working papers to support all work performed
3. Final/validated Approva BizRights rule books held by A&D PL [1]
4. Re-engineered audit action sheets held by Siemens Operational Audit [2]
5. Final validation of the re-engineered approach by KPMG
6. Case study
[1] Made available to other Siemens businesses upon request.
Reengineering
Scope Definition
• Redefine the SAP certification audit with a focus on audit automation and continuous controls monitoring.
• Restructure/re-engineer the SAP certification audit program, making clear which tests are automated and which remain manual.
• Produce a tactical case study illustrating the "old way" versus the "new way" of certifying an SAP system.
  • The case study will be made available within Siemens.
  • The case study will be made available to Approva and Rutgers in return for their support and respective investment.
• Complete the SAP audit and receive the 4-year certificate for A&D PL.
Key point: tests that (1) cannot be automated and (2) have already been performed in 2007 SOX testing will not be re-performed. Siemens Operational Audit will give credit for the work performed and rely on the 2007 SOX testing.
Proposed Methodology/Protocol (Jan – Feb 2008)
• Create a schematic for an automated audit approach building on the PL-installed Approva base and the SAP certification audit (see below).
• Create a development team made up of representatives from PL IT & IA, SC Audit, Rutgers University and Approva.
• Create specific time-phased work packages for all participants.
• Process steps:
  • Secure, install and test the Financial Close and General Computing Controls (GSS) modules from Approva on PL's platform.
  • Systematically map each AAS (SAP certification audit action sheet) to the Approva toolset and eliminate redundancies.
Proposed Methodology/Protocol (Jan – Feb 2008)
• Identify automation opportunities in 4 key areas:
  1. Using Approva standard rules
  2. Creating new rules using Approva Authoring Studio
  3. Re-engineering manual AAS to use automated controls
  4. Re-bundling manual controls in a consolidated audit plan
• Test and cleanse automated controls and workflow.
• Reorganize and restructure audit action sheets and submit them for approval to CFA and KPMG.
• Document this process for repeatability at other Siemens locations.
Automation
An architecture for the long term prototype
[Architecture diagram; the boxes and connectors are not recoverable from the extracted text. Components labelled in the figure: Master Audit Program; A.A.S (audit action items) from Siemens, Approva and other literature; Audit Parameterization Tool; Other Static Parameters; Deterministic Data Extraction; Stochastic; External Snapshot; Table comparisons; Class of Other Auditable Actions; Inference Engine; Evergreen Opinion; CA Control Dashboard; Audit Evidence Receptacle; MCP; Auditor; Management; Remote Interactive Sustainable Audit; Mail Object of Audit Communic.; Other Management Verification Tool; Processes Tool.]
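One element of the prototype architecture that is easy to make concrete is the "snapshot table comparison": a control-relevant table is extracted deterministically at two points in time, the two extracts are compared, and only the differences go to the auditor and the evidence receptacle. The Python below is an added illustration of that element, not Siemens or Approva code and not a description of how the prototype itself was built. The table layout (a user-role assignment list in the style of SAP's AGR_USERS), the rows and the set of sensitive roles are assumptions constructed for the example.

```python
"""Deterministic snapshot comparison of a control-relevant table.

Added illustration (not Siemens or Approva code) of the "snapshot table
comparison" element in the architecture sketch above: two extracts of the same
table, taken at different times, are keyed and compared row by row, and every
added, removed or modified row is reported so the auditor reviews what changed
since the last opinion instead of re-testing the whole table. Each extract is
also fingerprinted so the evidence receptacle can prove which data the
comparison ran on. The table layout (an SAP AGR_USERS-like user-role assignment
list), the rows and the set of sensitive roles are assumptions.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple

# Constructed rows: (user id, role, valid from, valid to), ISO dates.
Row = Tuple[str, str, str, str]

SNAPSHOT_T0: List[Row] = [
    ("JSMITH", "Z_AP_CLERK", "2007-01-01", "9999-12-31"),
    ("JSMITH", "Z_AP_APPROVER", "2007-01-01", "9999-12-31"),
    ("MJONES", "Z_AP_CLERK", "2007-01-01", "9999-12-31"),
    ("ADMIN01", "SAP_ALL", "2007-01-01", "2007-01-31"),
]
SNAPSHOT_T1: List[Row] = [
    ("JSMITH", "Z_AP_CLERK", "2007-01-01", "9999-12-31"),      # unchanged
    ("MJONES", "Z_AP_CLERK", "2007-01-01", "2008-03-31"),      # validity shortened
    ("MJONES", "Z_FI_POST_PAY", "2008-02-01", "9999-12-31"),   # new sensitive role
    ("ADMIN01", "SAP_ALL", "2007-01-01", "2007-01-31"),        # unchanged
    ("TEMP99", "SAP_ALL", "2008-02-10", "9999-12-31"),         # new SAP_ALL grant
]

# Assumed parameter: roles whose assignment changes always go to the auditor.
SENSITIVE_ROLES: Set[str] = {"SAP_ALL", "Z_FI_POST_PAY"}


@dataclass(frozen=True)
class Change:
    kind: str                 # "added", "removed" or "modified"
    user: str
    role: str
    before: Optional[Row]
    after: Optional[Row]
    sensitive: bool


def row_key(row: Row) -> Tuple[str, str]:
    return (row[0], row[1])


def index_rows(rows: Sequence[Row]) -> Dict[Tuple[str, str], Row]:
    """Key the extract; a duplicate key means the extraction was not clean."""
    indexed: Dict[Tuple[str, str], Row] = {}
    for row in rows:
        k = row_key(row)
        if k in indexed:
            raise ValueError(f"duplicate key in snapshot: {k}")
        indexed[k] = row
    return indexed


def fingerprint(rows: Sequence[Row]) -> str:
    """Order-independent SHA-256 of the extract, stored with the audit evidence."""
    h = hashlib.sha256()
    for row in sorted(rows):
        h.update("\x1f".join(row).encode("utf-8") + b"\n")
    return h.hexdigest()


def diff_snapshots(before: Sequence[Row], after: Sequence[Row],
                   sensitive_roles: Set[str] = SENSITIVE_ROLES) -> List[Change]:
    """Report every row that differs between two extracts, in key order."""
    b, a = index_rows(before), index_rows(after)
    changes: List[Change] = []
    for k in sorted(set(b) | set(a)):
        user, role = k
        old, new = b.get(k), a.get(k)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        changes.append(Change(kind, user, role, old, new, role in sensitive_roles))
    return changes


def sensitive_changes(changes: Sequence[Change]) -> List[Change]:
    """Subset of changes that the auditor must review regardless of volume."""
    return [c for c in changes if c.sensitive]


if __name__ == "__main__":
    print("before:", fingerprint(SNAPSHOT_T0))
    print("after: ", fingerprint(SNAPSHOT_T1))
    for c in diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1):
        flag = " [SENSITIVE]" if c.sensitive else ""
        print(f"{c.kind:8} {c.user}/{c.role}{flag}: {c.before} -> {c.after}")
```

The fingerprint is order-independent on purpose: two extractions of the same table content must hash identically even if the database returned the rows in a different order, otherwise every re-extraction would look like a change. The duplicate-key check is the deterministic-extraction guard; if it fires, the extract, not the control, is what needs attention.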