Governance risk and compliance
Copyright © Capgemini 2015 All Rights Reserved
Governance, Risk and Compliance Services | CTM
GRC Services | Overview
Part of Outsourcing in Capgemini; specializes in Internal Controls, SOX compliance and Enterprise Risk Management since 2004
Comprises 100+ Chartered Accountants / IT Auditors / MBAs out of 250+ FTEs, with a client base in more than 40 countries across all geographies
Primarily located in Bangalore, India, and supported by centres in China, Poland, Brazil and Guatemala
Independent assessment of controls as per the guidelines framed in consultation with management and the statutory auditor for SOX assessments
Monitoring of transactions / controls on an almost real-time basis; discussing potential issues with management and reporting
Operates in partnership with external auditors / Big 4 firms when assessing controls for the purpose of ISAE 3402 / SSAE 16 audits
GRC | An integrated and centralized approach
Diagram: the GRC Control Center at the centre, with the business functions it serves and the risk areas listed for each:
Board: Reputational; Regulatory
Operations: Asset Management Risks; Sustainability / Carbon
Compliance: Policy Non-compliance
IT: Insider Threats; IT Sabotage; Human Error; Integrity
Procurement: Vendor Risks; Intellectual Property Theft
Executives and Managers: Reputational; Regulatory; Statutory Non-compliance
Finance: Financial Statements; Revenue Leakage; Credit Risk; Duplicate Payments
Human Resources: Health and Safety
Sales and Services: High-risk Credit Customers; Export Licenses
Supply Chain
Customers & Channel
Capgemini GRC solutions | A holistic approach to Enterprise Risk Management
Diagram: the GRC Control Center framework, built around Operating Objectives and read as five elements:
1. Addressing the right risks (Risks Addressed): Financial Risks; Fraud Risk; Operational Risks; Regulatory Risks; IT Risks
2. Applying a unified approach (Unified Risk Management Approach): Control Library; Design of Risk and Control Framework; Design Assessment Methodology; Control KPI and Risk Insights
3. Providing a set of project and process based services (GRC Process and Services): Continuous Transaction Monitoring; Continuous Controls Monitoring; Fraud Risk Management; Audits; Access Controls and SoD Analysis; Risk Insights 360º; Cybersecurity
4. Enabled by the right technology (Risk Management Technology): eGRC Tools; Client Intelligent Centre
5. Providing measurable outcomes (Outcomes): Reduced Risk; Reduced Cost / Improved Profitability; Proactive Financial Leakage Control; Improved Compliance & Reputation; Increased stakeholders' confidence
Continuous Transaction Monitoring (CTM)
Coverage and Need for CTM
Ongoing assurance to management on compliance with policies or processes.
Continuous Transaction Monitoring covers the cycles: Record to Analyse; Procure to Pay; Master Data; Hire to Retire; Credit to Cash.
Businesses keep changing and always need better ways to monitor, driven by expansion, changes in technology, or the merger or acquisition of another business.
Traditionally, testing and controls are performed on a sampling and periodic basis, which provides little value to management and comes too late for corrective action.
Given the volume and complexity of transactions, it is extremely difficult to monitor transactions manually and on a periodic basis.
Manual control testing is time consuming and error prone. Process controls are not sufficient to identify all errors and frauds.
Traditional control measures such as approval mechanisms and segregation of duties are not sufficient.
CTM is the process of analyzing data or transactions to identify exceptions. The exceptions may be deviations from process or policy, or errors. It uses technology as a key driver to analyze and monitor key transactions on an almost real-time basis.
CTM | Indicative coverage
Analysis of transactions against identified control objectives to identify erroneous or fraudulent transactions.
Hire to Retire: Multiple employees with the same address; Terminated employees on payroll; Payroll checks exceeding a set amount; Multiple payroll deposits to the same bank account; Changes in exemptions, gross pay, hourly rates, salary amounts, etc.
Credit to Cash: Unusually high credit limits; Discounts and waivers review; Refunds to customers and reasons; Lost sales; Delayed collections
Procure to Pay: Duplicate payments check; Invoice validation check; AP master data validation; Contract compliance - service invoice validation; High value non-PO invoices; Splitting POs to bypass approval limits; Vendor advance vs. invoice paid; Manual payments review; POs created after invoice date; Related party transactions
Record to Analyse: Clearing accounts review; Validation of chart of accounts, cost centre, profit centre, etc.; Posting date vs. cut-off date; Duplicate / unauthorized JEs; Frequently reversed JVs; Aged open items in balance sheet reconciliation; Volume of master data changes month on month; Slow / non-moving inventory
Master Data: Segregation of Duties; Vendor Master; Customer Master; Employee Master
GEM Lever 4: Global Process Model© (GPM©), enabling benchmarking and best practice sharing
Concurrent Audit (CA) is a sub-set of CTM, and these services are currently performed by us as part of CA.
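As an added illustration, not code from this deck or from Capgemini, the following Python implements four of the Hire to Retire and Procure to Pay checks listed above as business rules over in-memory records: terminated employees still on payroll, several employees paid into one bank account, POs created after their invoice date, and PO splitting below an approval limit. The record layouts, field names, the 10,000 approval limit and the seven-day window are assumptions constructed for the example; a real CTM run would apply the same logic to data extracted from the ERP.

```python
"""Added example: four continuous transaction monitoring (CTM) rules.

Constructed records and thresholds only; not Capgemini's queries or client data.
"""
from collections import defaultdict
from datetime import date

# --- Constructed sample data (assumed layouts, not a real ERP extract) ---
EMPLOYEES = [
    {"emp_id": "E1", "termination_date": None},
    {"emp_id": "E2", "termination_date": date(2015, 3, 31)},  # left in March
    {"emp_id": "E3", "termination_date": None},
    {"emp_id": "E4", "termination_date": None},
]
PAYROLL = [  # one payroll run paid on 2015-04-30
    {"emp_id": "E1", "bank_account": "ACC-100", "net_pay": 3200.00, "pay_date": date(2015, 4, 30)},
    {"emp_id": "E2", "bank_account": "ACC-200", "net_pay": 2900.00, "pay_date": date(2015, 4, 30)},
    {"emp_id": "E3", "bank_account": "ACC-300", "net_pay": 4100.00, "pay_date": date(2015, 4, 30)},
    {"emp_id": "E4", "bank_account": "ACC-300", "net_pay": 3700.00, "pay_date": date(2015, 4, 30)},
]
PURCHASE_ORDERS = [
    {"po": "PO-1", "vendor": "V1", "requester": "E1", "amount": 9500.00, "created": date(2015, 4, 1)},
    {"po": "PO-2", "vendor": "V1", "requester": "E1", "amount": 9800.00, "created": date(2015, 4, 2)},
    {"po": "PO-3", "vendor": "V1", "requester": "E1", "amount": 9700.00, "created": date(2015, 4, 3)},
    {"po": "PO-4", "vendor": "V2", "requester": "E3", "amount": 1200.00, "created": date(2015, 4, 20)},
]
INVOICES = [
    {"invoice": "INV-A", "po": "PO-1", "invoice_date": date(2015, 4, 5)},
    {"invoice": "INV-B", "po": "PO-4", "invoice_date": date(2015, 4, 10)},  # dated before its PO
]
APPROVAL_LIMIT = 10000.00  # assumed single-PO approval threshold
SPLIT_WINDOW_DAYS = 7      # assumed window for the PO-splitting rule


def terminated_on_payroll(employees, payroll):
    """Hire to Retire: payments dated after the employee's termination date."""
    term = {e["emp_id"]: e["termination_date"] for e in employees if e["termination_date"]}
    return [p["emp_id"] for p in payroll
            if p["emp_id"] in term and p["pay_date"] > term[p["emp_id"]]]


def shared_bank_accounts(payroll):
    """Hire to Retire: more than one employee paid into the same bank account."""
    by_account = defaultdict(set)
    for p in payroll:
        by_account[p["bank_account"]].add(p["emp_id"])
    return {acct: sorted(ids) for acct, ids in by_account.items() if len(ids) > 1}


def po_after_invoice(purchase_orders, invoices):
    """Procure to Pay: POs created after the invoice they are supposed to authorise."""
    created = {po["po"]: po["created"] for po in purchase_orders}
    return [inv["invoice"] for inv in invoices
            if inv["po"] in created and created[inv["po"]] > inv["invoice_date"]]


def split_pos(purchase_orders, approval_limit, window_days):
    """Procure to Pay: same vendor and requester, several POs each under the
    approval limit within a short window, whose total reaches the limit."""
    groups = defaultdict(list)
    for po in purchase_orders:
        if po["amount"] < approval_limit:
            groups[(po["vendor"], po["requester"])].append(po)
    findings = []
    for (vendor, requester), pos in groups.items():
        pos.sort(key=lambda p: p["created"])
        for i, first in enumerate(pos):
            cluster = [p for p in pos[i:]
                       if (p["created"] - first["created"]).days <= window_days]
            total = sum(p["amount"] for p in cluster)
            if len(cluster) > 1 and total >= approval_limit:
                findings.append({"vendor": vendor, "requester": requester,
                                 "pos": [p["po"] for p in cluster],
                                 "total": round(total, 2)})
                break  # one finding per vendor/requester pair is enough for review
    return findings


def run_all():
    """Collect the first-cut exceptions from every rule for the Analyze phase."""
    return {
        "terminated_on_payroll": terminated_on_payroll(EMPLOYEES, PAYROLL),
        "shared_bank_accounts": shared_bank_accounts(PAYROLL),
        "po_after_invoice": po_after_invoice(PURCHASE_ORDERS, INVOICES),
        "split_pos": split_pos(PURCHASE_ORDERS, APPROVAL_LIMIT, SPLIT_WINDOW_DAYS),
    }


if __name__ == "__main__":
    for rule, hits in run_all().items():
        print(f"{rule}: {hits}")
```

Each rule returns its exceptions instead of printing them, so the output is a first-cut list that still has to go through the validation step (false positives versus real exceptions): two employees sharing a bank account may be a legitimate joint account, and the PO-splitting rule keys on requester as well as vendor because three POs from three different requesters to one vendor are a much weaker signal than three from one person.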
CTM | Approach and Methodology
Plan: Audit objectives; Risk assessment; Test procedures
Extract Data: Run query; Extract and massage data
Analyze: Validate the exceptions; Bifurcate into false positives and real exceptions
Finalize Exceptions: Root cause analysis; Finalize & prioritize exceptions
Sustain & Improve: Review, analyze and manage exceptions
Continuous involvement of Senior Management
CTM | Plan
1. Define objectives of CTM
2. Identify key financial applications & processes in scope
3. Perform risk assessment
4. Identify data requirements
5. Define key business rules to be tested
6. Develop custom queries to extract data
7. Write test procedures
How We Can Help: Finalization of scope; Develop custom queries; Write test procedures
Outcome: Custom queries and test procedures
CTM | Extract Data
1. Run query
2. Extract data for each of the identified test scenarios
3. Format / massage data
How We Can Help: Analyze outcome of test scenarios
Outcome: Formatted data for analysis
CTM | Analyze
1. Obtain first-cut exceptions
2. Validate the exceptions
3. Bifurcate the exceptions into false positives and real exceptions
How We Can Help: Conduct governance calls to discuss exceptions; Analyse exceptions
Outcome: Exception Analysis Report
CTM | Finalize the Exceptions
1. Share and discuss exceptions with client stakeholders
2. Perform root cause analysis
3. Finalize exceptions
4. Prioritize exceptions
5. Define action plan to plug the gap
How We Can Help: Prepare action plan
Outcome: Final Exception Report and action plan for remediation
CTM | Sustain & Improve
1. Review of gaps by senior management
2. Analyze recurring exceptions
3. Manage exceptions: track, report and follow up
How We Can Help: Ongoing testing; Analyze exceptions; Follow up exceptions closure
Outcome: Dashboard on Transaction Monitoring
Potential Benefits of CTM and Critical Success Factors
Critical Success Factors (split between client dependent and Capgemini dependent):
Support of audit committee and senior management for implementation of CTM
Technical competencies and enabling technology necessary to access, manipulate, and analyze the data
Proficiency of teams carrying out CTM analysis
Appropriate follow-up and reporting mechanism
CTM helps management to answer the following key questions:
Are entries in suspense accounts cleared on a timely basis?
Are financial ratios in line with management expectations and industry / company peers?
Have transactions been processed in a way that compromises Segregation of Duties (SoD)?
Are there any unusual journal entries?
Are there any unusual transactions which may be the result of error or fraud?
Duplicate Payment Review as an example of CTM activity
What is a duplicate payment?
A payment made for the same goods or services more than once.
How do they happen?
Invoices get paid more than once due to data entry errors, process changes, duplicate submissions, incorrect vendor selection, cross entity / department / system payments, vendor master duplications, non-uniform invoice numbers and illegible invoices.
Why is CTM needed?
70% or more of duplicate payments cannot be identified with the controls normally built into AP processes, hence the need for an independent review to identify such cases using the necessary tools, techniques and skilled resources. Multiple algorithms are in place for the duplicate payment check as part of CTM.
Benefits:
Significant reduction of double payments, including recovery of previous overpayments.
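The slide says duplicate payments escape the standard AP controls and need multiple algorithms. As an added example (not Capgemini's algorithms and not client data), the Python below runs four matching passes over a constructed payment register, each aimed at one cause from the list above: an exact match, a match after normalising non-uniform invoice numbers, a match on normalised vendor name across different vendor IDs (vendor master duplication), and a same-vendor same-amount match within a short window under different invoice numbers (re-keyed invoices). The register layout, the normalisation rules and the seven-day window are assumptions.

```python
"""Added example: duplicate payment review with several matching algorithms.

Register rows, vendor names and matching rules are constructed assumptions,
not Capgemini's algorithms or any client's AP data.
"""
import re
from collections import defaultdict
from datetime import date


def _row(doc, entity, vendor_id, vendor_name, invoice, amount, paid):
    return {"doc": doc, "entity": entity, "vendor_id": vendor_id,
            "vendor_name": vendor_name, "invoice": invoice,
            "amount": amount, "paid": paid}


# Constructed AP payment register (not real data).
PAYMENTS = [
    _row("P1", "1000", "V100", "Acme Supplies Ltd", "INV-0042", 1250.00, date(2015, 1, 10)),
    _row("P2", "1000", "V100", "Acme Supplies Ltd", "inv 42", 1250.00, date(2015, 1, 25)),   # re-keyed number
    _row("P3", "2000", "V100", "Acme Supplies Ltd", "INV-0042", 1250.00, date(2015, 2, 3)),  # paid again by entity 2000
    _row("P4", "1000", "V100", "Acme Supplies Ltd", "INV-0050", 800.00, date(2015, 3, 1)),
    _row("P5", "1000", "V100", "Acme Supplies Ltd", "INV-0051", 800.00, date(2015, 3, 4)),   # same amount, days apart
    _row("P6", "1000", "V107", "ACME SUPPLIES LTD.", "INV-0060", 300.00, date(2015, 3, 9)),  # duplicate vendor master
    _row("P7", "1000", "V100", "Acme Supplies Ltd", "INV-0060", 300.00, date(2015, 3, 12)),
    _row("P8", "1000", "V200", "Beta Logistics", "7781", 1250.00, date(2015, 1, 11)),
]


def normalise_invoice(number):
    """Remove formatting differences: case, separators, leading zeros in the numeric part."""
    alnum = re.sub(r"[^A-Z0-9]", "", number.upper())
    return re.sub(r"(?<=[A-Z])0+(?=\d)", "", alnum).lstrip("0")


def normalise_vendor(name):
    """Compare vendor names ignoring case and punctuation (vendor master duplicates)."""
    return re.sub(r"[^A-Z0-9]", "", name.upper())


def _groups(payments, key):
    groups = defaultdict(list)
    for p in payments:
        groups[key(p)].append(p)
    return groups


def exact_duplicates(payments):
    """Algorithm 1: same vendor ID, invoice number and amount exactly as keyed."""
    groups = _groups(payments, lambda p: (p["vendor_id"], p["invoice"], p["amount"]))
    return {k: [p["doc"] for p in v] for k, v in groups.items() if len(v) > 1}


def normalised_duplicates(payments):
    """Algorithm 2: as algorithm 1, but after normalising the invoice number."""
    groups = _groups(payments, lambda p: (p["vendor_id"], normalise_invoice(p["invoice"]), p["amount"]))
    return {k: [p["doc"] for p in v] for k, v in groups.items() if len(v) > 1}


def vendor_master_duplicates(payments):
    """Algorithm 3: same normalised vendor name, invoice and amount under different vendor IDs."""
    groups = _groups(payments, lambda p: (normalise_vendor(p["vendor_name"]),
                                          normalise_invoice(p["invoice"]), p["amount"]))
    return {k: [p["doc"] for p in v] for k, v in groups.items()
            if len({p["vendor_id"] for p in v}) > 1}


def same_amount_within_window(payments, days):
    """Algorithm 4: same vendor and amount paid within `days` under different invoice numbers."""
    pairs = []
    for group in _groups(payments, lambda p: (p["vendor_id"], p["amount"])).values():
        ordered = sorted(group, key=lambda p: p["paid"])
        for i, a in enumerate(ordered):
            for b in ordered[i + 1:]:
                if ((b["paid"] - a["paid"]).days <= days
                        and normalise_invoice(a["invoice"]) != normalise_invoice(b["invoice"])):
                    pairs.append((a["doc"], b["doc"]))
    return pairs


def review(payments, window_days=7):
    """Run every algorithm; together they form the first-cut exception list for validation."""
    return {
        "exact": exact_duplicates(payments),
        "normalised": normalised_duplicates(payments),
        "vendor_master": vendor_master_duplicates(payments),
        "same_amount_window": same_amount_within_window(payments, window_days),
    }


if __name__ == "__main__":
    for algorithm, hits in review(PAYMENTS).items():
        print(f"{algorithm}: {hits}")
```

The passes overlap on purpose: P1 and P3 (the cross-entity repeat) are caught by the exact rule, P2 only after the invoice number is normalised, P6/P7 only by comparing vendor names rather than vendor IDs, and P4/P5 only by the amount-and-window rule, which is also the one most likely to produce false positives (a genuine recurring charge looks the same) and so belongs at the end of the validation queue.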
Delivering GRC outcomes | A proven technology framework
Diagram of the technology framework, with the components as labelled: Report, Analysis, Action; Control Data Warehouse; Access Control, Risk Trends, Mitigation Failures, Control Dashboard; Outcome, Record; eGRC Tool; ERP and Client Systems; Information, Data.
GEM Lever 5: Technology, enabling benchmarking and best practice sharing
Control Center – Indicative Snapshot
Dashboard elements: Controls tested; Consolidated results of controls tested; Publish Flash Report
GEM Lever 7: Governance
Note:
1. The above is the indicative dashboard to be used as part of the Governance process.
2. Dashboards are to be published by the Control Center operating from an offshore location.
Control Center – Indicative Snapshot (Cont’d.)
GEM Lever 7: Governance
GRC | Clients across towers
Global Food Company
World's Leading Media and Entertainment Company
Media and Entertainment Company
Agriculture & Food Sector Company
American Multinational Conglomerate
High-Technology Engineering Group
Global Electronics Company
Global Chemical Corporation
Multinational Packaging Company
Global Power Company
(Legend: Ongoing Service; Project based Services)
GRC Case Study- I
Consumer Products Major
Establishing the Control Service Center for Large FMCG Client
Business Issue: Diversified culture; Presence in over 100 countries; Multiple platforms and multiple ERPs; Complex, multiple compliance requirements; Lack of standardization; Multiple stakeholders
Our Approach: Centralization through a Control Service Centre covering Control Analytics, Control Monitoring, Self Assessment, Control Assessment and Access Controls; Standardization through One Global Control Framework
Benefits: Proactive risk assessment; Early identification of control failures; Real time validation of controls; Real time reporting; One point of contact for all audits; One common assessment approach
Large FMCG with business in 100+ countries and a clear vision of creating a better future every day with brands and services that help people feel good, look good, and get more out of life. Sales in 2012 were Euros 51bn with over 400 brands focused on health and wellbeing. Twelve of their brands generate sales in excess of €1 billion a year.
Capgemini operates the Control Service Centre from Bangalore, delivering all in-scope services from this location. Access Control and Self Assessment are operated on SAP GRC, while Capgemini has built an analytics platform to manage Control Analytics (end to end, including data collection, applying analytical rules and the reporting dashboard). SOX control testing is delivered through the India, Brazil and China centres.
Case Study II – Large Agri-business Client
Continuous Assurance Program | Large Agri-business Client
Business Issue: Exponential growth, both organic and by acquisitions; Diverse process and application landscape; Change management, a move to standardized processes; Traditional compliance set up; Need for a proactive compliance program
Our Approach: Continuous Assurance Program (continuous control monitoring of GRC GPM©); Representative sampling methodology; Objectives: process compliance, internal control compliance, SOX compliance; Centralized team to manage the global compliance program
Benefits: Proactive remediation; Improved control environment; High level of transparency; Reduction in cost of compliance
A world-leading agribusiness committed to sustainable agriculture through innovative research and technology. The company is
a leader in crop protection, and ranks third in the high-value commercial seeds market. Sales in 2012 were $14.2bn and the
company currently employs more than 26,000 people in over 90 countries.
The continuous assurance program gives us monthly insight into how well our standard internal controls framework is being
adopted by our units, on the basis of independent, thorough testing. It allows us to identify problem areas early, and to engage
proactively with units on specific process and control remediation actions required. Our external auditors have reviewed the
effectiveness of the sampling and testing, and have been able to place reliance on the continuous assurance program for SOX
compliance and audit purposes, thus reducing their audit procedures at individual units.
Head of Process Governance, Finance & IS Compliance, Client
Why Capgemini?
• Experience: Experienced resources with wide experience in internal controls, compliance, risk management and IT risk assurance services
• Qualifications: 70+ CPA-equivalent finance professionals with qualifications like CISA, CISSP, CISM etc. and 30+ IT assurance professionals
• Global Network: Client base in more than 40 countries across all continents
• Centres of Excellence: Centres of Excellence in India with operating centres in China, Poland, Brazil and Guatemala
Getting the right people for GRC operations involves building a team with the right competencies and experience profile at the right locations...
GEM Levers 1-3: Grade Mix, Location Mix and Competency Model
The information contained in this presentation is proprietary.
© 2015 Capgemini. All rights reserved.
www.capgemini.com
About Capgemini
With almost 145,000 people in over 40 countries, Capgemini is
one of the world’s foremost providers of consulting, technology
and outsourcing services. The Group reported 2014 global
revenues of EUR 10.573 billion.
Together with its clients, Capgemini creates and delivers
business and technology solutions that fit its clients’ needs and
drive the results they want. A deeply multicultural organization,
Capgemini has developed its own way of working, the
Collaborative Business Experience™, and draws on Rightshore®, its worldwide delivery model.
Rightshore® is a trademark belonging to Capgemini