Governance risk and compliance

Governance, Risk and Compliance Services
Continuous Transaction Monitoring

2Copyright © Capgemini 2015 All Rights Reserved
Governance, Risk and Compliance Services | CTM
GRC Services | Overview
 Part of the Outsourcing in Capgemini and specializes in Internal Controls, SOX compliance and Enterprise Risk
Management since 2004
 Comprises of 100+ Chartered Accountants / IT Auditors/ MBAs out of 250+ FTEs, with client bases in more than 40
countries across all geographies
 Primarily located in Bangalore, India and supported by centers in China, Poland, Brazil and Guatemala
 Independent assessment of controls as per the guidelines framed in consultation with management and statutory auditor
for SOX assessments
 Monitoring of transactions / controls on almost real-time basis; Discussing the potential issues with Management and
reporting
 Operates in partnership with external auditors/Big 4s when assessing controls for the purpose of ISAE 3402 / SSAE 16
audits

GRC | An integrated and centralized approach
GRC
Control Center
Board
Reputational
Regulatory
Operations
Asset Management Risks
Sustainability / Carbon
Compliance
Policy Non-compliance
IT
Insider Threats
IT Sabotage
Human Error
Integrity
Procurement
Vendor Risks
Intellectual Property Theft
Executives and Managers
Reputational
Regulatory
Statutory Non-compliance
Finance
Financial Statements
Revenue Leakage
Credit Risk
Duplicate Payments
Human Resources
Health and Safety
Sales and Services
High-risk Credit
Customers
Export Licenses
Supply Chain
Customers
& Channel

Capgemini GRC solutions | A holistic approach to Enterprise Risk Management
OperatingObjectives
Unified Risk Management Approach
Control Library
Design of Risk and
Control Framework
Design Assessment
Methodology
Control KPI and Risk
Insights
GRC Process and Services
Continuous
Transaction
Monitoring
Continuous
Controls
Monitoring
Fraud Risk
Management
Audits
Access Controls
and SoD
Analysis
Risk Insights 360º
Cybersecurity
Risk Management Technology
eGRC Tools Client Intelligent Centre
Risks Addressed
Financial
Risks
Fraud
Risk
Operational
Risks
Regulatory
Risks
IT
Risks
Outcomes
Reduced Risk
Reduced Cost/
Improved
Profitability
Proactive Financial
Leakage Control
Improved
Compliance &
Reputation
Increased
stakeholders’
confidence
3. Providing set of project
and process based
services
4. Enabled by the right
technology
1. Addressing the right
risks
5. Providing measurable
outcomes
2. Applying unified
approach
GRCControlCenter

Continuous Transaction Monitoring (CTM)

Coverage and Need for CTM
Ongoing assurance to management on compliance to
policies or processes
Continuous Transaction
Monitoring
Record to
Analyse
Procure
to Pay
Master
Data
Hire to
Retire
Credit to
Cash
Businesses keep continuously changing and are always in
need to find better ways to monitor due to expansion, change
in technology, merger or acquisition of another business
Traditionally, testing and controls are performed on sampling
and periodical basis which does not provide value to
management and too late to take corrective action.
Given the volume and complexity of transactions, it is
extremely difficult to monitor transactions manually and on
periodic basis
Manual control testing is time consuming and prone to errors.
Process controls are not sufficient to identify all errors and
frauds
Traditional control measures such as approval mechanism,
segregation of duties are not sufficient.
CTM is the process to analyze data or transactions to identify exceptions. The exceptions may be in the nature of
deviations from process or policy or errors. It uses technology as a key driver to analyze and monitor the key
transactions on almost real time basis.

CTM | Indicative coverage
Analysis of transactions against identified control objectives, to identify erroneous or fraudulent transactions.
Master Data
 Multiple employees with
same address
 Terminated employees on
Payroll
 Payroll checks exceeding set
amount
 Multiple payroll deposits to
the same bank account
 Changes in exemptions,
gross pay, hourly rates,
salary amounts, etc
Hire to Retire
 Unusually high credit limits
 Discounts and waivers
review
 Refund to customer and
reasons
 Lost sales
 Delayed collections
Credit to Cash
 Duplicate Payments Check
 Invoice validation check
 AP Master Data Validation
 Contract Compliance - Service
Invoice Validation
 High value non PO invoices
 Splitting PO to bypass approval
limits
 Vendor advance vs. invoice paid
 Manual payments review
 POs created after invoice date
 Related party transactions
Procure to Pay
 Clearing accounts review
 Validation of chart of
accounts, cost centre, profit
centre, etc.
 Posting date vs. cut-off date
 Duplicate / unauthorized JEs
 Frequently reversed JVs
 Aged open items in Balance
Sheet Reconciliation
 Volume of master data
change month on month
 Slow / non moving inventory
Record to Analyse
GEM Lever 4: Global Process Model© (GPM©)
Enabling benchmarking and best practice sharing
Segregation of Duties
Vendor Master Customer Master Employee Master
Concurrent Audit (CA) is a sub-set of CTM and these
services are performed by us as part of CA currently.

CTM | Approach and Methodology
•Audit Objectives
•Risk assessment
•Test procedures
Plan
•Run query
•Extract and massage
data
Extract Data
•Validate the
exceptions
•False positives and
real exceptions
Analyze
•Root cause analysis
•Finalize & prioritize
exceptions
Finalize
Exceptions •Review, analyze and
manage exceptions
Sustain &
Improve
Continuous involvement of Senior Management

CTM | Plan
1. Define
objectives of
CTM
2. Identify key
financial
applications &
processes in
scope
3. Perform
risk
assessment
4. Identify
data
requirements
5. Define key
business
rules to be
tested
6. Develop
custom queries
to extract data
7. Write test
procedures
How We Can Help
 Finalization of scope
 Develop custom queries
 Write Test procedures
Outcome
 Custom Queries and Test
Procedures.

CTM | Extract Data
1. Run Query
2. Extract Data for each of the
identified test scenarios
3. Format /
massage data
How We Can Help
 Analyze outcome of test
scenarios
Outcome
 Formatted Data for Analysis

CTM | Analyze
1. Obtain first cut
exceptions
2. Validate the exceptions
3. Bifurcate the
exceptions into
false positives and
real exceptions
How We Can Help
 Conduct Governance calls to
discuss exceptions
 Analyse exceptions
Outcome
 Exception Analysis Report

CTM | Finalize the Exceptions
1. Share and
discuss
exceptions with
client stakeholders
2. Perform root
cause analysis
3. Finalize
exceptions
4. Prioritize
exceptions
5. Define action
plan to plug the
gap
How We Can Help
 Prepare Action Plan
Outcome
 Final Exception Report and action
plan for remediation

CTM | Sustain & Improve
1. Review of gaps by
senior management
2. Analyze recurring
exceptions
3. Manage
exceptions – track,
report and follow up
How We Can Help
 Ongoing testing
 Analyze exceptions
 Follow up exceptions closure
Outcome
 Dashboard on Transaction
Monitoring

Potential Benefits of CTM and Critical Success Factors
Support of audit committee and senior
management for implementation of CTM
Technical competencies and enabling technology
necessary to access, manipulate, and analyze the
data.
Proficiency of teams carrying out CTM analysis Appropriate follow-up and reporting mechanism
Critical Success Factors
Client dependent Capgemini dependent
CTM helps management to anwer the following key questions :
 Whether the entries in suspense account are cleared on timely basis?
 Whether the financial ratios are in line with management expectation and industry / company peers?
 Whether the transactions have been processed compromising the Segregation of Duties (SoD)?
 Are there any unusual Journal entries?
 Are there any unusual transactions which may be result of error or fraud ?

Duplicate Payment Review as an example of CTM activity
What is a duplicate payment?
Payment made for the same goods or services more than once
How do they happen?
Invoices get paid more than once due to Data entry errors, process changes,
duplicate submissions, incorrect vendor selection, cross entity/department/system
payments, vendor master duplications , non uniform invoice numbers, illegible
invoices
Why CTM is needed?
70% or more of the duplicate payments cannot be identified with controls that are
normally built into AP processes- need for an independent review to identify such
cases using the necessary tools, techniques and skilled resources. Multiple
algorithms in place for duplicate payment check as a part of CTM
Benefits:
Significant reduction of double payments incluiding recovery of previous
overpayments.

Delivering GRC outcomes | A proven technology framework
Report
Analysis
Action
Control Data
Warehouse
Access
Control
Risk
Trends
Mitigation
Failures
Control
Dashboard
Outcome
Record
eGRC Tool
ERP and Client Systems
Information
Data
GEM Lever 5: Technology
Enabling benchmarking and best practice sharing

Control Center – Indicative Snapshot
Controls tested
Consolidated
results of
controls tested
Publish Flash
Report
GEM Lever 7: Governance
Note:
1. The above is the indicative dashboard to be used as part of Governance process.
2. Dashboards to be published by Control Center operating from offshore location.

Control Center – Indicative Snapshot (Cont’d.)
GEM Lever 7: Governance
Note:
1. The above is the indicative dashboard to be used as part of Governance process.
2. Dashboards to be published by Control Center operating from offshore location.

GRC | Clients across towers
Global Food Company
 World’s Leading Media and
Entertainment Company
 Media and Entertainment
Company
 Agriculture & Food Sector Company
 American Multinational Conglomerate
 High-Technology Engineering Group
 Global Electronics Company
 Global Chemical Corporation
 Multinational Packaging Company
Global Power Company
Ongoing Service Project based Services

GRC Case Study- I
Consumer Products Major

Establishing the Control Service Center for Large FMCG Client
 Diversified culture
 Presence in over 100 countries
 Multiple platforms and multiple
ERPs
 Complex, multiple compliance
requirement
 Lack of standardization
 Multiple stakeholders
Business Issue Our Approach
 Centralization – Control Service
Centre
 Control Analytics
 Control Monitoring
 Self Assessment
 Control Assessment
 Access Controls
 Standardization – One Global
Control Framework
Benefits
 Proactive risk assessment
 Early identification of Control
Failures
 Real time validation of controls
 Real time reporting
 One point of contact for all audits
 One common assessment
approach
Large FMCG with business in 100+ countries and a clear vision of creating a better future everyday with brands and services that
help people feel good, look good, and get more out of life. Sales in 2012 were Euros 51bn with over 400 brands focused on
health and wellbeing. Twelve of their brands generate sales in excess of €1 billion a year.
Capgemini operates Control Service Centre from Bangalore delivering all in-scope services from this location. Access Control and
Self Assessment is operated on SAP GRC while Capgemini has built Analytics platform to manage Control Analytics (end to end
including data collection, applying analytical rules and reporting dashboard). SOX Control testing is delivered is through India, Brazil
and China Centres.

Case Study II – Large Agri-business Client

Continuous Assurance Program | Large Agri-business Client
 Exponential growth – both organic
and by acquisitions
 Diverse process and application
landscape
 Change management – move to
standardized process
 Traditional compliance set up
 Need for a proactive compliance
program
Business Issue Our Approach
 Continuous Assurance Program
(Continuous control monitoring of
GRC GPM©)
 Representative sampling
methodology
 Objectives
• Process compliance
• Internal control compliance
• Sox compliance
 Centralized team to manage the
global compliance program
Benefits
 Proactive remediation
 Improved control environment
 High level of transparency
 Reduction in cost of compliance
A world-leading agribusiness committed to sustainable agriculture through innovative research and technology. The company is
a leader in crop protection, and ranks third in the high-value commercial seeds market. Sales in 2012 were $14.2bn and the
company currently employs more than 26,000 people in over 90 countries.
The continuous assurance program gives us monthly insight into how well our standard internal controls framework is being
adopted by our units, on the basis of independent, thorough testing. It allows us to identify problem areas early, and to engage
proactively with units on specific process and control remediation actions required. Our external auditors have reviewed the
effectiveness of the sampling and testing, and have been able to place reliance on the continuous assurance program for SOX
compliance and audit purposes, thus reducing their audit procedures at individual units.
Head of Process Governance, Finance & IS Compliance, Client

Why Capgemini?
• Experienced resources with wide experience in internal controls,
compliance, risk management and IT risk assurance servicesExperience
• 70+ CPA equivalent finance professionals with qualifications like
CISA, CISSP, CISM etc and 30+ IT assurance professionalsQualifications
• Client base in more than 40 countries across all continentsGlobal Network
• Centres of Excellence in India with operating Centres in China,
Poland, Brazil and GuatemalaCentres of Excellence
Getting the right people for GRC operations involves building a team with the right competencies and experience profile at the right locations...
GEM Levers 1-3: Grade Mix, Location Mix and Competency Model

The information contained in this presentation is proprietary.
© 2015 Capgemini. All rights reserved.
www.capgemini.com
About Capgemini
With almost 145,000 people in over 40 countries, Capgemini is
one of the world’s foremost providers of consulting, technology
and outsourcing services. The Group reported 2014 global
revenues of EUR 10.573 billion.
Together with its clients, Capgemini creates and delivers
business and technology solutions that fit its clients’ needs and
drive the results they want. A deeply multicultural organization,
Capgemini has developed its own way of working, the
Collaborative Business Experience TM, and draws on Right
shore®, its worldwide delivery model.
Right shore® is a trademark belonging to Capgemini

Governance risk and compliance

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Governance risk and compliance

Similaire à Governance risk and compliance (20)

Plus de Magdalena Matell

Plus de Magdalena Matell (6)

Dernier

Dernier (20)

Governance risk and compliance