Defense in Depth - Fraud · PDF file
![Page 1: Defense in Depth - Fraud · PDF fileThe Importance of Monitoring COSO Guidance ... • AML and KYC compliance ... Slide 1 Author: Damion Mitchell](https://reader034.fdocuments.us/reader034/viewer/2022051405/5a9f3f577f8b9a76178c8c6d/html5/thumbnails/1.jpg)
Presented by: Andrew Simpson
Chief Operating Officer, CaseWare Analytics
Defense in Depth The Role of Continuous Controls Monitoring in the Three Lines of Defense Model
CaseWare International
• Founded in 1988
• An industry leader in providing technology solutions for finance, accounting, governance, risk, and audit professionals
• Over 400,000 users of our technologies across 130 countries and 16 languages
• Customers include Fortune 500 and Global 500 companies
Agenda
• The Three Lines of Defense Model
• Continuous Controls Monitoring (CCM)
• Case Studies of CCM at Each Line of Defense
• Q & A
Drivers of Risk Management
Risk is high on the agenda for boards today due to:
• A focus on cost reduction
• A desire for added value
• An evolving regulatory environment
• Technological changes and availability of data
High Performers
Source: Experis, Top 5 Characteristics of a High Functioning Internal Audit Organization
Exploring Opportunity | Minimizing Business Uncertainty | Managing Compliance and Crisis
• Complying with corporate governance standards
• Avoiding personal liability failure
• Owning company crisis
• Achieving global best practices
• Understanding and evaluating business risks
• Understanding full range of risks facing business today
• Improving returns through value-based management
• Enhancing capital allocation
• Protecting corporate reputation
Where Do You Want to Be?
Risk-Based Audit Methodologies: THE THREE LINES OF DEFENSE MODEL
Three Lines of Defense Model
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41
The 1st Line of Defense
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41
The 1st Line of Defense
OPERATIONAL MANAGEMENT
• Own and manage risks
• Design and implement internal controls
• Responsible for maintaining effective controls
The 2nd Line of Defense
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41
The 2nd Line of Defense
RISK MANAGEMENT & COMPLIANCE
• Help build and monitor first line of defense
• Ensure compliance with regulations
• Financial risks and reporting requirements
• Identify changes in risk appetite
The 3rd Line of Defense
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41
The 3rd Line of Defense
INTERNAL AUDIT
• Provide senior management with assurance
• Monitor the effectiveness of the first and second lines of defense
• Independent
Coordinating the Three Lines
First Line of Defense: Risk Owners/Managers
• Operating management
Second Line of Defense: Risk Control and Compliance
• Limited independence
• Reports primarily to management
Third Line of Defense: Risk Assurance
• Internal audit
• Greater independence
• Reports to governing body
Risk-Based Analytics: CONTINUOUS CONTROLS MONITORING (CCM)
What Is CCM?
An audacious vision for CCM:
• Know the state of any control in the business
• Resolve identified breaches before impact
• Provide an unparalleled ROI
The Importance of Monitoring
COSO Guidance (effective controls systems must include monitoring)
Role of CCM
• Independent monitoring of automated and partially automated controls
• Continuous detection of breaches
• Transparency in detection and remediation
• Address IT concerns
• Collaborative approach to timely remediation
CCM at Each Line of Defense
• Effectively monitor internal controls at the 1st and 2nd lines of defense
• Allow the 3rd line of defense to be confident in its assurance role
• Create a remediation process that minimizes the impact of a control breakdown
• Provide evidence of due diligence for external auditors and regulators
Analytics in Action: CASE STUDIES OF CCM AT EACH LINE OF DEFENSE
The 1st Line of Defense
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41
Enersource
• Canadian Energy Company since 1917
• Third largest in Ontario
• Over 200,000 residential and commercial customers
• Provides electrical infrastructure design, construction, operations support, and maintenance
Reputational Risks
Financial Risks
Verification of Bills
• Reputational risk is the primary concern
• Was using an in-house MS Excel system to verify the accuracy of bills
o Upgraded to smart meters in 2009
o Challenges
o Took 5 hours to process a batch of bills
o Exceptions manually circulated by email
o Impossible to track resolution
o Labor intensive to make changes
The CCM Solution
• Independently calculate bills and identify inaccuracies
• Extract data from other sources—not just billing system
• Sent exceptions in XML format to bill print system for those bills not to be printed
• Engaged users in the Billing Department to resolve issues
• Validate corrections made in core systems
• Maintain history of exceptions and actions taken to resolve them
Results
• Has not had a single public incident
• Accuracy of billing improved significantly
• Billing anomalies automatically distributed
• Bills verified in less than 5 minutes (not 5 hours)
• Bills sent out same day—improving cash flow
• Evidence retained for regulators/auditors
• Labor-intensive manual reviews were eliminated
The 2nd Line of Defense
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41
Christie's Auction House
• Founded in 1766 by James Christie
• 53 offices in 32 countries
• Prices range from $200 to $80 million
Challenges
• Risk and compliance group mandated to review 100% of transactions
• Primary area of concern is client accounting
• Need to ensure that fees and charges are accurate
• Need to involve the business in timely remediation
The CCM Solution
• Implemented for 40 key controls
• Monitor transactions near real time
• Covering multiple locations (UK and New York)
• Phase I started in risk and compliance then rolled out to the business
Phase II—Customer Screening
• Important to meet regulatory requirements
• AML and KYC compliance
• Integrate with World-Check sanction list data for screening
The 3rd Line of Defense
Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41
Metcash
• A leading marketing and distribution company
• Operating in the grocery, liquor, and hardware wholesale industries
• Turnover of $12 billion
• 5,000+ employees
• Market cap $3.2 billion
Challenges
• Several disparate systems
• Many audit scripts
• Emailing exceptions in Excel
• SAP generating many exception reports
• Business struggling to cope
The CCM Solution
• All analytics built in-house by CM Team
• Covered 30 key controls to start
• CCM implemented for Purchase to Payment in Phase I
• Expanded to the retail business processes in Phase II
• Adopted as central exception management system (including SAP reports)
Results
• Started in internal audit
• Rolled out to business users
• Use action/reason codes to facilitate root cause analysis
• Daily examination of processes
• First-year results:
o 5.5 billion transactions covered
o $1.8 million in savings
Conclusion
• Internal control effectiveness is positively impacted by collaboration
• That covers collaboration at all three levels
• CCM is a compelling vehicle to facilitate a collaborative process
Contact
Andrew Simpson
Chief Operating Officer
CaseWare Analytics
613.824.9233 ext. 2144