A Journey to Continuous Auditing
Überwachung – Continuous Monitoring – Continuous Auditing

Matt Ironside, QiCA, CIA

ISACA/SVIR-Fachtagung “Überwachung – Continuous Monitoring – Continuous Auditing”, 5.11.2011


Contents

• Background
• The Journey
  – To date
  – Next Steps
  – Challenges
• Summary
• Questions

Background

Holcim…in numbers

• 144.3 million tonnes of cement
• 173.0 million tonnes of aggregates
• 48.4 million cubic metres of ready-mix concrete
• 80’000 people in 70 countries
• Net Sales CHF 20.744m

Source: Annual Report 2011 Holcim Ltd

Background

• Holcim History
  – Founded in 1912 in Holderbank, Aargau
  – Extensive Global growth since 1990 through acquisition, construction of cement plants and entering into new countries / markets
  – In 2000s, smaller number of acquisitions, but majority of a significant size to the Holcim business

[Chart: No. of Companies Added per Decade, 1910s to 2000s]

Background

• Construction Industry
  – No self-regulated body (unlike, for example, the Financial Services sector, e.g. FINMA, FSA (UK), etc.)
  – Regulated through the Statutory Laws applicable to the Countries and Regions where Holcim does business
  – Regarding internal controls, the key regulatory requirement is satisfying Article 728a Swiss Code of Obligations (SCO)

Background

• Holcim Internal Audit
  – Decentralized concept…

Background

[Diagram: Group Internal Audit of Holcim Ltd, with Local IA at Group companies A, B, C, D and E]

Background

• Holcim Internal Audit
  – Decentralized concept
    • Group Internal Audit
    • Local Internal Audit in Group Companies
  – Structured on a Regional basis…

Background

[Organisation chart of Group Internal Audit. Boxes shown: Chairman of the Board of Directors Holcim Ltd; Audit Committee of Holcim Ltd; Head Group Internal Audit; Group Internal Audit; Corporate and Head Office; Group IT Audit; Group ICS.
Regional audit groups: Latin America; North America, UK, Africa, Middle East; Trading; Western Europe; Central Europe; E/SE Europe, CIS/Cas; India, South Asia, Singapore/Malaysia; China, ASEAN, Oceania.
IT Audit units: HSEA, LASER, NASC, HSEE, HSSA, HGRS, HOSS.]

Background

• Holcim Internal Audit
  – Decentralized concept
    • Group Internal Audit
    • Local Internal Audit in Group Companies
  – Structured on a Regional basis
    • Internal Audit broadly aligned to Holcim’s Executive Management Organisation Structure
    • IT Audit based on Holcim Regional IT Service Center concept
    • Approximately 135 Internal Audit (IA) staff and 8 IT Audit (ITA) staff
    • Group Internal Audit and majority of the IA / ITA functions have been created and resourced in the last 10 years.
    • Approximately 95% of IA / ITA staff are located in the respective Local (Group) Companies, with remaining 5% in Group Internal Audit.

Background

[Diagram, by layer:
Goal: Assurance; Creation of Value & Drive Discipline; Trusted Business Partner
Process: Phase I Internal Audit Definition; Phase II Internal Audit Planning; Phase III Internal Audit Execution; Phase IV Internal Audit Reporting; Phase V Internal Audit Evaluation & Transfer
Methodology & Tools: IA Handbook; IA Risk Assessment; ACL; SAP GRC; TeamMate; FUMT
Base: People; Independence; Integrity; Organization; Professionalism]

The Journey

• We are undergoing a natural evolution in the maturity of our audit methodology and approach
  – We have been embedding the Holcim Internal Audit approach across all Holcim IA / ITA functions.
  – 2011 – External Quality Review concluded that the Holcim Methodology and approach is in compliance with the IIA Standards and Code of Ethics and consistently applied across the Holcim IA / ITA functions
• To continue to meet our goals defined in our ‘Value House’, the next evolution stage is to apply a more ‘quantifiable’ dimension to our work.
• Through the use of our IT audit tools, we will be able to analyse much greater quantities of data giving us the ability to:
  – Provide greater assurance on operating effectiveness of controls
  – Better assess the indicators of fraud

The Journey to Date

• Continuous Monitoring within Holcim
  – Ad hoc use of Continuous Monitoring tools and techniques in the business processes that support financial reporting.
  – However, extensive use of dedicated systems to monitor production activities such as:
    • Capacity
    • Production flow
• Continuous Auditing…

The Journey to Date

• Use of the ACL and SAP GRC tools varies in our Internal Audit functions across Holcim.
• They are generally used for satisfying the objectives of a specific audit at a particular point in time.
  – Use of ACL to analyse data within the scope of an audit
  – Use of SAP GRC Access Control to review IT related controls over the granting, amendment and revocation of user access
• Applying the IIA’s GTAG for Continuous Auditing…..Holcim is still at the ‘Introductory Level’.

The Journey to Date

• However transitioning to the ‘Moderate Level’ is in progress
  – Examples of Holcim Internal Audit Functions embedding the use of IT tools for their control assessments and tests
  – Initiatives in place to allow ad hoc assessments to occur on a more systematic basis.
    • Development of scripts within the ACL tool to provide a dashboard on key control indicators
    • Use of the SAP GRC module
      – To monitor the effectiveness of Segregation of Duties across fundamental business processes
      – To alert on the bypassing of key controls within the Purchase to Pay (P2P) business process

Next Steps

• Implement and roll out the ‘control assessment’ initiatives already in progress.
• Develop Continuous Auditing practices for ‘control assessment’ that cover global, regional and local requirements.
  – Initially leverage off Article 728a, SCO regulatory requirements
  – Broaden to cover other key controls
• Embed the use of data analysis tools across all Holcim Internal Audit functions.
• Develop and implement use of Continuous Auditing practices for ‘risk assessment’.
  – Application in Local Companies that have many sites
  – Annual audit planning risk assessment
• Engage Management (both Operations and IT), to promote and enable these steps to happen.

Challenges

• The efficiency challenge
  – There is no Globally standardised business process model across our Companies. A combination of Regional and Local process models are in place.
  – Our IT infrastructure is also implemented on a Regional / Local basis (Regional IT Service Center Concept).
• The effectiveness challenge
  – Changing the mind set of incorporating an analysis of data to the traditional risk-based audit approach.
  – Supporting the Holcim IA functions that only have a small number of staff.

Summary

• We are at the early stage of our transition, regarding the adoption of Continuous Auditing techniques.
• Holcim’s history in terms of…..
  – Organisation structure
  – Level of regulation regarding internal control
  – Development of a Global Holcim Internal Audit practice
  …provide a context of the current maturity level for the use of such techniques.

Questions

• Thank you…..questions?