Automated Controls Monitoring for Finance Teams

Dusk LimStrategic Account Manager, ASEAN

Robert Luu, FCXP (CX-I), HCP, ACDA Advanced

Director, Client Partnership, Asia-Pacific & Japan

WEGALVANIZE.COM

Housekeeping

• Today’s session will be approximately 60 minutes with 15 minutes for Q&A at the end.

• Please submit your questions through the Q&A panel on your Zoom console.

• This session will be recorded. We will send a copy of the recording and slides to all attendees.

WEGALVANIZE.COM

Topics

• Defining Continuous Monitoring

• Drivers for finance teams to do proactive monitoring

• 3 myths of CCM

• Maturity model – understanding it and in use

• Moving up the maturity model – how to implement a CCM program

• Sample CCM journey

• Challenges in implementing CCM

• Benefits and ROI

WEGALVANIZE.COM

What is Continuous Monitoring?

Definition by IIA GTAG:

Continuous Monitoring is a process that management puts in place to ensure that its policies, procedures, and business processes are operating effectively.

WEGALVANIZE.COM

Drivers of Continuous Controls Monitoring

▪ Operational (e.g. Procurement, Sales)

▪ Compliance (e.g. SOX, Data Privacy, ICFR)

▪ Risk management (e.g. risk indicators, early warnings)

▪ Financial (e.g. accounting standards)

▪ Technology (e.g. Cybersecurity, Access Controls)

▪ Fraud detection (e.g. AML, ABAC, Embezzlement)

WEGALVANIZE.COM

ACFE – Global Study on Occupational Fraud & Abuse

WEGALVANIZE.COM

WEGALVANIZE.COM

1

3

2

I don’t need CCM because my ERP system

has built-in automated controls and I’m

already protected.

Isn’t that the job of our auditors?

It sounds great in theory, but in reality, it’s not practical or affordable to implement

.

3 Myths of Continuous Monitoring

WEGALVANIZE.COM

A d H o c T e s t i n g

A u t o m a t e d A n a l y s i s

C o n t i n u o u s

M o n i t o r i n g

I n c r e a s e C o v e r a g e

• Typically one-off and

utilizes sampling.

• Usually don’t by

auditors

• 100% testing

• Data analytics tool is

likely utilized in some

ways

• Generally still done by

auditors

• Automated monitoring

process

• Scheduled based

• Control owners given

the ability to identify

control gaps

• High ability to respond

to risks as they emerge

• Data driven metrics

• Wide reaching coverage

• Impact on strategic

risks, objectives and

relationships

• Predicting risks

Your Controls Monitoring Maturity ModelH i n d s i g h t > I n s i g h t > F o r e s i g h t

C o n t i n u o u s M o n i t o r i n g

WEGALVANIZE.COM

Topics

• Defining Continuous Monitoring

• Drivers for finance teams to do proactive monitoring

• 3 myths of CCM

• Maturity model – understanding it and in use

• Moving up the maturity model – how to implement a CCM program

• Sample CCM journey

• Challenges in implementing CCM

• Benefits and ROI

WEGALVANIZE.COM

A d H o c T e s t i n g

A u t o m a t e d A n a l y s i s

C o n t i n u o u s

M o n i t o r i n g

I n c r e a s e C o v e r a g e

• Typically one-off and

utilizes sampling.

• Usually don’t by

auditors

• 100% testing

• Data analytics tool is

likely utilized in some

ways

• Generally still done by

auditors

• Automated monitoring

process

• Scheduled based

• Control owners given

the ability to identify

control gaps

• High ability to respond

to risks as they emerge

• Data driven metrics

• Wide reaching coverage

• Impact on strategic

risks, objectives and

relationships

• Predicting risks

Your Controls Monitoring Maturity ModelH i n d s i g h t > I n s i g h t > F o r e s i g h t

C o n t i n u o u s M o n i t o r i n g

Controls Monitoring Planning ProcessS e tt i n g u p y o u r a u t o m a t e d m o n i t o r i n g p ro g ra m

Key controls for financial reporting, IT application control dependency, manual

controls requiring special review, and preventative or detective nature

Categorize your control environment

Don’t boil the ocean – prioritize the control environment categories for

quick wins and high impact control areas for risk mitigation

Determine objectives and risk assurance

Tell the correct narrative to management and process owners

using agreed upon key performance and key control indicators

Align executive reporting and notification requirements

Involve process owners and control owners in the workflow design

to maximize adoption rate

Socialize remediation workflow process

1

2

3

4

Purchase to Payment CycleI l l u m i n a t i n g t h e p r o c e s s g a p s

PROCESSES& SUGGESTIONS

BUSINESS VALUES

Vendor Management Purchase Order Validation Invoice Management Payment Monitoring

Vendor risk assessment

Due diligence & monitoring

High risk vendors

Early payment discounts

Split purchases

Approval authorizations

Dormant POs

Keyword analysis

Suspicious invoice patterns

Duplicate invoices

Contract pricing compliance

Duplicate payments

Suspicious bank accounts

Unusual dates or holidays

Onboarding

Requisitions

Potential

fraud

Review workflow

Outstanding invoices

Payment term review

Potential fraud

Ongoing

monitoring

Approval limits

Order processing

Over/under billing

Reconciliations

Offboarding

Automated Notifications, Templates,

& Action Follow-up

Automated Robotics & Analytics

Legend

Accuracy validation

Improve alignment to

Vendor Risk Team

Improve preventative

controls of purchases

Increase visibility and

accuracy over spending

Improve detective

monitoring of spending

BUSINESSVALUES

WEGALVANIZE.COM

How Can Controls Monitoring Become a Preventative Control?

Detect Errors

in Sub-Ledger

Correct Errors

in Sub-Ledger

Prevent

Misstatements

to General

Ledger

Improving the controls in the Accounting Closing Process:

Daily Daily Daily

Month-End

Reduce Need

for Correcting

Journal Entries

WEGALVANIZE.COM

Data-Driven Continuous Monitoring: Simplifying Big Data

ERP SAP HR X Y

“Big Data”

“Useful” Data

Objectives > Criteria > Risk > Frequency >

Data Requirements

Data extraction Analytics &

analyses

Alerts & exceptions Remediation

Data-Driven Continuous Monitoring

Executive Oversight over Financial Controls

ControlsBond (Storyboards) – controlling the narrative with a compelling story and alignment to high impact areas incorporating a data-driven approach

Executive Oversight over Financial Controls

ControlsBond (Frameworks) – executive alignment on reporting of control assurance and automated assessments

Scheduled Control Performance

ControlsBond (Mission Control) – Minimal visibility and capabilities within the platform, primarily using Mission Control for flattened view of assigned Control Execution schedules. Responding via questionnaire upload for evidence.

Manual Control Reviews

Solicit and capture qualitative assessments with controlled and open responses

ControlsBond (Results)– results management and remediation workflow with automated distribution/reconciliation

Remediation and Workflow ManagementS t re a m l i n e t h e d e c i s i o n - m a k i n g p ro c e s s

Executive Visibility & Strategic Metrics

Key risk indicators top of mind for executive

management awareness and required action

Front-line Ownership & Accountability

1st/2nd Level reviewers within the processes

responsible for timely actions

Escalation & Performance Monitoring

Key performance indicators for middle

management to provide oversight and increase

productivity

WEGALVANIZE.COM

Challenges in automating controls monitoring

WEGALVANIZE.COM

Common Challenges

• Overlapping or redundant controls

• Control registers not accurately documented and dispersed

• IT Application controls assumed to be automated

• Lack of collaboration with application owners and key

stakeholders

• Inconsistency of data throughout ERP system(s)

WEGALVANIZE.COM

Benefits and Positive Outcomes

• Reduce costs by minimizing manual work and rationalize low-risk

controls

• Increase positive collaboration with first line of defense for better

assurance

• Share real-time updates on compliance and high-risk issues

• Increase management and executive confidence in data-driven

decisions

WEGALVANIZE.COM

Thank you for your

attention!

Q & A

Robert.Luu@wegalvanize.com

https://www.linkedin.com/in/robert-luu/

Dusk.Lim@wegalvanize.com

https://www.linkedin.com/in/dusklim/