This document discusses implementing continuous control monitoring (CCM) to improve internal control effectiveness. It provides examples of control checks that can be automated for various processes like order to cash, procure to pay, expenses, and revenue cycles. It also includes case studies showing how CCM identified issues in a hospitality industry client, such as fraudulent allowances, missing room revenues, cash misappropriation, and duplicate billing. The document discusses technologies like Excel, ACL, and SQL that can be used for CCM and compares their costs and benefits. It promotes conducting a free control compliance analysis to assess CCM opportunities.
Continuous Monitoring Webinar Aviva Spectrum
1. Compliance Made Simple™
PKF India
Continuous Control Monitoring Tool for Internal Control Effectiveness
with case study in Hospitality
Professional Speaker Bios
Ramakrishnan (Ramki), a chartered accountant and graduate cost accountant from India, is also a certified SAP FICO consultant. He has diversified experience of over thirty years in the profession and has handled assignments in many parts of the world, from Australia to Argentina. He renders Assurance and Risk Advisory Services, and has also served on the Audit and Assurance board of ICAI. He is a member of the European Professional Standards Committee of PKF International. His skill set encompasses M&A assignments (international), attestation functions and strategic consulting.
S. Ramakrishnan, Managing Partner
PKF Sridhar & Santhanam
Narasimhan (Narsi), a chartered accountant from India, is a multifaceted expert with specialized knowledge in the hospitality industry, SAP consulting and information technology services. His expertise includes the Enterprise Performance Management competency (Digital Transformation and Business Analytics), leading and delivering EPM transformation projects. He specializes in the design and implementation of Continuous Monitoring solutions for clients. He has also worked on cost optimization studies.
S. Narasimhan, Partner
PKF Sridhar & Santhanam
Our inspiration
Google is doing a lot of revolutionary stuff – changing the world.
Larry Page says Google’s original mission “to organise world’s info. and make it universally accessible and useful” is “probably a bit too narrow!”
• What they are trying to do in life sciences is audacious and path-breaking.
• They are trying to change medicine from ‘reactive to proactive.’
• Today we go to the doctor when ill – this is like changing the oil in a car when it breaks down.
So enter nanoparticles.
• These are 1/2000th the size of a red blood cell, and they will be painted with a protein or genetic material so they can bind themselves to, say, a cancer cell.
• You pop a pill which can course through people’s bodies; these can be concentrated through magnetized wearable devices that can be queried!
• The system would allow constant monitoring so that a whole host of diseases can be detected and treated well before they would be with existing diagnostic tools.
This inspired us to look at Proactive Auditing
Why CCM?
Fundamentals
• COSO framework suggests that monitoring is a timely assessment of the design and operation of controls
• To effectively manage risk and provide greater transparency in the monitoring process
Drivers of CCM
• Strategic Drivers
– Globalization driving pressure to improve governance & improve accountability
• External Drivers
– Regulatory requirement, increased business risk etc
• Operational Drivers
– ERP complexities, keenness to reduce cost of compliance, degeneracy in conduct of employees leading to possible misconduct etc
Framework for CCM Implementation
• Determine roles & responsibilities
• Identify key performance indicators to be monitored at transaction level and process level
• Understand level of process control
• Identify tests to be carried out
• Identify data source
• Apply Technology
• Follow up and refine
Possible sub-frameworks
• Broadly three categories of sub-frameworks can be deployed
– Descriptive Statistics & monitoring
• Measures of central tendency. The mean, median, and the mode are often used to
relate and identify non-compliance with policies
• Measures the variability or the spread of the numbers. This set includes the
minimum and maximum, the interquartile range, and the range (the maximum
minus the minimum amount). This set of values includes the minimum amount
which might yield investigative insights if the number was negative in a data set that
should not contain negative numbers (e.g., wages, inventory counts, coupon or
rebate amounts, or odometer readings).
• The shape of the distribution of the data
– Relative Size Factor Test
• Difference between the largest record in a subset and the second largest record
• The logic and aim is to detect errors and frauds on a real-time basis, along with a reasonableness test.
– Subset Duplicates
• Duplicates of same-same-same (exact duplicates) / same-same-different (close
duplicates) are routinely applied
• Duplication within subset is unique. The Subset Number Duplication (SND) test
identifies excessive number duplication within subsets. This test works well in
situations where excessive number duplication might signal that the numbers have
been invented which might be a red flag for fraud.
Source: Mark J Nigrini
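An added example, not part of the original slides, of the Relative Size Factor test together with the negative-minimum check from the descriptive statistics bullet. It scores each subset as the ratio of its largest record to its second largest (an assumption about how the comparison is scored); the vendor IDs, amounts and the 5.0 threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample payments: (vendor_id, amount). Not data from the slides.
PAYMENTS = [
    ("V001", 1200.00), ("V001", 1150.00), ("V001", 1310.00), ("V001", 13100.00),
    ("V002", 480.00), ("V002", 510.00), ("V002", 495.00),
    ("V003", 9900.00),                      # single record: nothing to compare
    ("V004", 75.00), ("V004", -75.00), ("V004", 80.00),
]


def relative_size_factors(records, min_records=2):
    """Return {subset: (rsf, largest, second_largest)}.

    RSF is taken here as largest / second largest within the subset.
    Only positive amounts are ranked; subsets with fewer than
    min_records of them are skipped.
    """
    by_subset = defaultdict(list)
    for key, amount in records:
        if amount > 0:
            by_subset[key].append(amount)
    factors = {}
    for key, amounts in by_subset.items():
        if len(amounts) < min_records:
            continue
        largest, second = sorted(amounts, reverse=True)[:2]
        factors[key] = (round(largest / second, 2), largest, second)
    return factors


def rsf_exceptions(records, threshold=5.0):
    """Subsets whose RSF meets the (hypothetical) threshold, worst first."""
    hits = [(k, v) for k, v in relative_size_factors(records).items()
            if v[0] >= threshold]
    return sorted(hits, key=lambda kv: kv[1][0], reverse=True)


def negative_amounts(records):
    """Minimum-value check: records below zero in a field that should not be."""
    return [(key, amount) for key, amount in records if amount < 0]


if __name__ == "__main__":
    for vendor, (rsf, largest, second) in rsf_exceptions(PAYMENTS):
        print(f"{vendor}: RSF {rsf} (largest {largest}, next {second})")
    for vendor, amount in negative_amounts(PAYMENTS):
        print(f"{vendor}: negative amount {amount}")
```

A payment keyed with a misplaced decimal point or an extra zero stands out here because it is compared only with the same vendor's own history, not with the whole population.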
Possible areas of CCM – 1
Order to Cash
• Customer Management Compliance – By mapping new customer orders created with existing ones and running descriptive statistics and relative size to ensure all abnormal items are compiled as per SOP. This includes due diligence of new customers, KYC norms compliance, tax compliance etc.
• Pricing policy compliance – Similar to above, but checks to be done in tandem with SOP / policies fit in to ERP configuration. Many checks can be done, like certain customers always in the lower band of limits fixed and certain customers in the higher end of the price band. Analysis in sync with quantity offtake (like lower band for lesser quantity and higher band for larger quantity!) etc.
• Scheme / commissions / sales promotion – Check compliance on a real-time basis with new orders being created.
• Credit control – Adherence, need for revision / limit busting / exception handling as per SOP, and whether deviation approvals have become the rule (like count of deviations approved in a day to total number of orders in a day, both in count and also in value). Look for patterns in customers: is it happening only with certain customers or in certain product groups / subsets?
• Delivery scheduling – Compliance with customer delivery schedule acceptance. Look for potential slippages (alerts) rather than doing a review post slippage. Also look for patterns in customers and product groups on a daily basis.
Possible areas of CCM – 2
Procure to Pay
• Data integrity compliance: De-dup monitoring for all new vendor masters created (both in MM module and AP module) (if it is not in line with existing ERP controls).
• Reasonableness compliance: On a daily basis, any quantity in a requisition exceeding the normal quantity, i.e. beyond the average number of days’ consumption (production norms or sales norms) – approval deviations – monitoring both limit busting (exceptions becoming the rule) and also quantities closer to the upper limit (just a notch less than the highest limit)
• Compliance with contract terms – In case of contracted materials with contracted vendors, we can set alerts for non-compliance regarding purchase of materials or services from non-contracted vendors at the stage of PO itself.
• Price monitoring – Efficiency and also compliance – In case the new purchase price is more than a certain % of the existing moving average price or previous purchase price, CCM can be used to track the same and monitor price escalations at the stage of PO placement itself
• Compliance with tax codes / input credit possibility – Run CCM at PO stage itself to ensure the tax code is correctly mentioned in the PO, against the master list of items, so that input credit is taken.
• Value limit compliance – LOA level compliance / unit level limits / material level limits
Possible areas of CCM – 3
Payables
• Duplicate Payments
• Employee vendor mismatch
• Vendor Data Completeness
• Split POs and Split Transactions
• Excessive Claims / Unauthorized expenses
• Suspect Expense by dates and time (Weekends, Holidays, midnight)
• Inactive vendors
Possible areas of CCM – 4
Expenses Control
• Sales promotion expenses – upon incurrence / approval to link with scheme and continuously monitor.
• Travel expenses – same city different person / same person different city comparisons and alerts based on limits (relative size)
• Repairs & Maintenance – Asset wise control can be monitored if it is recorded in ERP. Then CCM can ensure compliance with internal SOPs
• Taxes – ensure correctness of taxes including VAT, employee related taxes / dues like social security etc
• Ensuring that freight outward is linked to customer order and policies of the company
Possible areas of CCM – 5
FCPA Compliance
Example tests for gifts, entertainment and charitable contributions
• Identification of
– multiple gifts to a single individual
– entertainment of government affiliated individual
– Segregation of Duties violations: e.g., Submitter vs. Approver (Travel & Entertainment)
– unauthorized Travel & Expense cards
– charitable contributions to suspect organizations
Example tests for suspicious activities
• Identification of
– bonuses or commissions of unusual quantity or timing
– vendors where alternate payee names have been flip-flopped within X days
– one-time vendor payment more than the threshold value
Example tests for general indicators
• Identification of
– Payments to “Risky” vendors / partners in high risk jurisdictions
– Checks made to “cash”
– High volume of cash transactions
– Payments made from out of country bank accounts or sent outside the country of operation
– Vendors where bank accounts have been flip-flopped within X days
Possible areas of CCM – 6
Expenses Controls
Example tests for payments to agents, consultants, and other payments
• Use of new attorney / accountant / agent / consultant with no prior relationship
• Identification of payments made following manual overrides in the system
• Identification of payments classified as government expenses
• Identification of frequent use of one-time vendor arrangements
• Detect payments made without reference documents
Example tests for suspicious GL activities
• Payments made following manual override in the system, such as direct manual postings to the GL
• Identify invalid or suspicious journal entries to temporary accounts
• Identify suspicious journal entry bookings at unusual times or flip-flopping
• Identify adjustments to accounts inactive for more than X days
Industry specific - Hospitality
• Setting up an automated process to monitor revenue
leakage based on
– Specific pattern of transactions
– Identified exceptional transactions
• In the process of identifying
– Potentially fraudulent / suspicious transactions
– Potentially non compliant transactions
• Identified exceptions recorded
– Requiring specific response from the appropriate management level
– Based on such response, action may be initiated
– Responses can be validated on sample basis by audit
• Detailed audit replaced with a much better exception based monitoring
mechanism
• PKF India has effectively implemented these for various hotel chains
Possible room revenue control checks in Hotels
• Following checks can be automated using any soft tool
– Negative postings
– Allowances after checkout / Settlement
– Lost Postings
– Day use exception
– Multiple Login Failure
– Reinstatements No shows
– All Transfers
– All Splits
– Discount amount changes / Rate changes
– Reinstated Folios
– Missing room revenue
– AR invoice transfer
* This is an indicative list and customization of exceptions is done as per requirement
Case study- 1 Exceptions - Sequence-based tests
Analyze the sequence of allowances / paid outs in every guest folio, in connection with the time of check-out.
Identify and report instances where allowances / paid outs have been posted in the guest folio after check-out.
Why check this?
er bill. Now, the cashier handling her billing makes an allowance of $ 1000 in her folio at 1:18 and sh
r the guest has departed, her signature on the paid out being forged. This will be brought to light by
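An added example, not part of the original slides, of the sequence-based test described above: it joins postings to folios and reports allowances and paid outs stamped after the folio's check-out time. The table layout, column names, transaction type codes and all rows are constructed assumptions, not a real PMS schema.

```python
import sqlite3

# Hypothetical schema; ISO-8601 text timestamps compare correctly in SQLite.
SCHEMA = """
CREATE TABLE folios   (folio_no INTEGER PRIMARY KEY, checkout_ts TEXT);
CREATE TABLE postings (folio_no INTEGER, txn_type TEXT, amount REAL,
                       posted_ts TEXT, user_id TEXT);
"""
# Constructed sample rows. Folio 503 is still in house (no check-out time).
FOLIOS = [(501, "2014-11-02 11:05"), (502, "2014-11-02 10:30"), (503, None)]
POSTINGS = [
    (501, "ROOM",      1800.0, "2014-11-01 23:59", "night_audit"),
    (501, "ALLOWANCE", 1000.0, "2014-11-02 13:18", "cashier07"),  # after check-out
    (502, "ALLOWANCE",  150.0, "2014-11-02 09:45", "cashier03"),  # before check-out
    (502, "PAID_OUT",   200.0, "2014-11-02 10:31", "cashier07"),  # one minute after
    (503, "ALLOWANCE",   90.0, "2014-11-02 14:00", "cashier03"),  # guest in house
]
QUERY = """
SELECT p.folio_no, p.txn_type, p.amount, p.user_id,
       CAST(ROUND((julianday(p.posted_ts) - julianday(f.checkout_ts)) * 1440)
            AS INTEGER) AS minutes_after_checkout
FROM postings p
JOIN folios f ON f.folio_no = p.folio_no
WHERE p.txn_type IN ('ALLOWANCE', 'PAID_OUT')
  AND f.checkout_ts IS NOT NULL
  AND p.posted_ts > f.checkout_ts
ORDER BY p.amount DESC
"""


def load_sample():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO folios VALUES (?, ?)", FOLIOS)
    conn.executemany("INSERT INTO postings VALUES (?, ?, ?, ?, ?)", POSTINGS)
    return conn


def post_checkout_exceptions(conn):
    """Allowances / paid outs posted after check-out, largest amount first."""
    return conn.execute(QUERY).fetchall()


def exceptions_by_user(rows):
    """Roll exceptions up per user: {user_id: (count, total_amount)}."""
    summary = {}
    for _folio, _txn_type, amount, user_id, _minutes in rows:
        count, total = summary.get(user_id, (0, 0.0))
        summary[user_id] = (count + 1, total + amount)
    return summary


if __name__ == "__main__":
    rows = post_checkout_exceptions(load_sample())
    for row in rows:
        print(row)
    print(exceptions_by_user(rows))
```

The per-user roll-up is what turns single exceptions into something management can respond to: a legitimate late adjustment is occasional, while repeated post-check-out entries under one login are a pattern.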
Case Study 2 - Unaccounted / Missing Revenue
By Omission & Transfer
• 1st Guest has a room charge in his account
• 2nd Guest room charge changed to NIL
• Cash collection from first guest – misappropriated
• Transfer room charge from first guest to second guest
• Collection from second guest set off against first guest’s charge
Option Misused
• Modify Rate / Rate Code
• Transfer Posting
How to check??
Run a query for:
• Identification of transfers made between unrelated folios, unauthorized rate changes.
• Identify room revenue not billed by comparing daily guest inhouse details from PMS to billing details, as accounted
Case Study 3 - Misappropriation of Cash
• Hotel has advance collection policy for room charges
• Guest may short stay
• Guest is told that advance paid is non-refundable
• Few charges in the folio are allowanced
OR
• Refund of advance collected
• Refund is recorded with forged guest signature in cash pay out
Option Misused
• Allowance
• Refund
Case study- 4 Pattern based testing
Data Analytics by auditors
❑Auditors decided to undertake data analytics
❑During the various analysis they did, they found that some Buffet Breakfast were being billed at noon /
❑Then a more focused analysis was undertaken for a long period which showed that
▪It was all on week days
▪It was for 4 -5 pax on each day – one such bill only
▪All of these were by the same steward!
Also, all week days when there was no such case, it was noticed, the steward was on leave or was off dut
How to identify?
Segregate all buffets billed during lean hours and then analyze pattern
with user ID and date. With the volume of transactions, CCM is the best
way to identify such transactions
Shift-wise menu availability not configured – resulted in Buffet Breakfast being available for selection during lunch / dinner time. Difference in rate between breakfast and lunch / dinner was significant.
The smart operator – one steward – identified this and started using it to his benefit. He arranged with a group of regular customers to bill only as Buffet Breakfast.
Obviously for personal gain…
Case study- 5 Duplicate bill reused
❑Most restaurant software provides for re-printing of the bill already prepared
❑This is many a times misused especially where buffet is involved or where similar order is freq
❑The same bill is re-printed and the cash collected from the second customer is pocketed and n
❑A special engagement to test for frauds identified this, when they noticed that there were ma
Use CCM to identify these
From the whole list of reprints, run a query to identify only
reprints after settlements.
Further break the list by mode of settlement to identify reprints
after cash settlements- High Risk and Possible fraud
transactions!!!
Case study- 6 Automate reconciliation reports
❑ Bar was conspicuously having tallied stock, nearly always
❑ A detailed investigation revealed that excess stocks were being sold and cash pocketed by th
❑ Daily a few shots were not being billed by the Barmen and related cash collection pocketed
❑ Bar stocks were not being reconciled on a daily basis
❑ So, excess stocks were not identified daily
❑ By the time the monthly stock verification in Bar happened most excess stocks have been co
Automate daily stock reconciliation reports
Compare consumption with Sales as per Point of Sale
Case study- 7 Identification of duplicates
Implementing “similar fuzzy-matching” instead of exact matching yields an approach more accurate and powerful than many.
Report   Invoice #   Invoice Date   Vendor      Amount
EEEE     Exact       Exact          Exact       Exact
EEED     Exact       Exact          Exact       Different
EEDE     Exact       Exact          Different   Exact
EDEE     Exact       Different      Exact       Exact
DEEE     Different   Exact          Exact       Exact
Different dates; same vendor, invoice num and amt
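An added example, not part of the original slides, that produces the EEEE / EEED / EEDE / EDEE / DEEE report codes from the table above and also covers the same-same-same and same-same-different duplicates listed under the sub-frameworks. The normalisation used for the "fuzzy" comparison (case, punctuation and leading zeros ignored) is an assumption, and the invoice rows are constructed.

```python
import re
from itertools import combinations

# Constructed sample: (row_id, invoice_no, invoice_date, vendor, amount).
INVOICES = [
    (1, "INV-0042", "2014-10-03", "Acme Supplies Pvt Ltd", 5400.00),
    (2, "inv 42",   "2014-10-03", "ACME SUPPLIES PVT. LTD.", 5400.00),  # re-keyed
    (3, "INV-0042", "2014-10-17", "Acme Supplies Pvt Ltd", 5400.00),    # new date
    (4, "INV-0077", "2014-10-05", "Bharat Linen", 1250.00),
    (5, "INV-0077", "2014-10-05", "Bharat Linen", 1520.00),             # new amount
    (6, "K-901",    "2014-10-09", "Coastal Foods", 310.00),
]


def exact_key(row):
    """Compare the four fields exactly as they were keyed in."""
    return row[1:]


def fuzzy_key(row):
    """Assumed normalisation: ignore case, punctuation and leading zeros."""
    _row_id, invoice_no, invoice_date, vendor, amount = row
    invoice_no = re.sub(r"[^A-Z0-9]", "", invoice_no.upper())
    invoice_no = re.sub(r"^([A-Z]*)0+(?=\d)", r"\1", invoice_no)
    vendor = re.sub(r"[^A-Z0-9]", "", vendor.upper())
    return (invoice_no, invoice_date, vendor, round(amount, 2))


def duplicate_report(rows, key=fuzzy_key, max_different=1):
    """Return (id_a, id_b, code) for pairs differing in at most one field.

    The code has one letter per field in the table's column order
    (invoice #, date, vendor, amount): E = exact, D = different.
    Pairwise comparison is quadratic; it is meant for a daily batch.
    """
    keyed = [(row[0], key(row)) for row in rows]
    report = []
    for (id_a, a), (id_b, b) in combinations(keyed, 2):
        code = "".join("E" if x == y else "D" for x, y in zip(a, b))
        if code.count("D") <= max_different:
            report.append((id_a, id_b, code))
    return report


if __name__ == "__main__":
    print("exact:", duplicate_report(INVOICES, key=exact_key))
    print("fuzzy:", duplicate_report(INVOICES, key=fuzzy_key))
```

On the sample rows, exact matching misses the re-keyed invoice (row 2) entirely, because two fields differ once case and punctuation count; the normalised comparison reports it as EEEE.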
Case study- 8 Identification of suspicious vendors
We are potentially his only
customer
Identification of Unbroken invoice sequence using CCM
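An added example, not part of the original slides, of the unbroken invoice sequence test: a vendor whose invoices to us carry consecutive serial numbers is potentially issuing invoices to nobody else. The vendor names, invoice numbers and the minimum of four invoices are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: (vendor, invoice_no, invoice_date) as received by us.
RECEIVED = [
    ("Sunrise Traders", "ST/101", "2014-07-04"),
    ("Sunrise Traders", "ST/102", "2014-07-19"),
    ("Sunrise Traders", "ST/103", "2014-08-02"),
    ("Sunrise Traders", "ST/104", "2014-08-30"),
    ("Sunrise Traders", "ST/105", "2014-09-12"),
    ("Metro Laundry", "ML-2210", "2014-07-06"),
    ("Metro Laundry", "ML-2391", "2014-08-05"),
    ("Metro Laundry", "ML-2392", "2014-08-06"),
    ("Metro Laundry", "ML-2574", "2014-09-03"),
    ("City Florist", "88", "2014-08-11"),   # too few invoices to judge
    ("City Florist", "89", "2014-09-15"),
]


def serial(invoice_no):
    """Trailing run of digits in an invoice number, or None if there is none."""
    match = re.search(r"(\d+)\D*$", invoice_no)
    return int(match.group(1)) if match else None


def longest_unbroken_run(serials):
    """Length of the longest run of consecutive integers in serials."""
    numbers = sorted(set(serials))
    best = run = 1 if numbers else 0
    for previous, current in zip(numbers, numbers[1:]):
        run = run + 1 if current == previous + 1 else 1
        best = max(best, run)
    return best


def unbroken_sequence_vendors(records, min_invoices=4):
    """Vendors whose every invoice to us is consecutive with the previous one.

    Returns (vendor, invoice_count, first_serial, last_serial) tuples.
    """
    by_vendor = defaultdict(list)
    for vendor, invoice_no, _invoice_date in records:
        number = serial(invoice_no)
        if number is not None:
            by_vendor[vendor].append(number)
    flagged = []
    for vendor, numbers in sorted(by_vendor.items()):
        if (len(numbers) >= min_invoices
                and longest_unbroken_run(numbers) == len(numbers)):
            flagged.append((vendor, len(numbers), min(numbers), max(numbers)))
    return flagged


if __name__ == "__main__":
    for vendor, count, first, last in unbroken_sequence_vendors(RECEIVED):
        print(f"{vendor}: {count} invoices, serials {first}-{last}, no gaps")
```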
Technology that can be used
• Microsoft Excel – Basic entry level
• ACL
• IDEA by Caseware
• SQL based program (or any RDBMS)
• Technology chosen is based on cost / benefit….
Control Compliance Analysis
• Free 1 hour assessment
• Email: Info@avivaspectrum.com
Sonia Luna
Partner & Founder Aviva Spectrum
Office (213) 250-5700
Cell (323) 828-5862
To Conclude
CCM is not about what software one needs to buy!!
It’s about having a methodology that defines
– What you are trying to do and
– how do you do it now and
– how you are going to do in future!!!
Continuous Monitoring FREE RESOURCES
November 12th, 2014
Community & Sharing
Risk Assessments
Join Our LinkedIn Group
COSO Framework Discussion & Webinars
https://www.linkedin.com/groups/COSO-Implementation-4888186/about
Technical community sharing ideas, templates, webinars and advice; learn from others implementing the new framework.
Share your latest templates here!
Control Compliance Analysis
COSO Transition
1. Top Transition Failures (Case Studies)
2. Audit Evidence required
3. Priority Driven by Principles
PCAOB, IIA & SEC Guidance
1. Latest PCAOB Internal Control Standards
2. IIA Incorporated Top 7 IC Failures
3. SEC Guidance for Mgmt on Internal Controls
info@avivaspectrum.com
Subject: CCA Reservation
5
Control Compliance Analysis (“CCA”)
Email us for 5 SPOTS ONLY:
Info@avivaspectrum.com
Subject: CCA
CCA Report
Benchmark
In-take
Q & A session (5 – 8 Min)
CONNECT: www.linkedin.com/in/sonialuna
SLIDES: www.slideshare.net/soxppt
VIDEOS: http://avivaspectrum.com/webcasts