5.11.2011 ISACA/SVIR-Fachtagung “Überwachung – Continuous Monitoring – Continuous Auditing” 1
A Journey to Continuous Auditing
Überwachung – Continuous Monitoring – Continuous Auditing
Matt Ironside, QiCA, CIA
Contents
• Background
• The Journey
  – To date
  – Next Steps
  – Challenges
• Summary
• Questions
Background
Holcim…in numbers
• 144.3 million tonnes of cement
• 173.0 million tonnes of aggregates
• 48.4 million cubic metres of ready-mix concrete
• 80’000 people in 70 countries
• Net Sales CHF 20.744m
Source: Annual Report 2011 Holcim Ltd
• Holcim History
  – Founded in 1912 in Holderbank, Aargau
  – Extensive Global growth since 1990 through acquisition, construction of cement plants and entering into new countries / markets
  – In 2000s, smaller number of acquisitions, but majority of a significant size to the Holcim business

[Chart: No. of Companies Added per Decade, 1910s to 2000s]
Background
• Construction Industry
  – No self-regulated body (unlike, for example, the Financial Services sector, e.g. FINMA, FSA (UK), etc.)
  – Regulated through the Statutory Laws applicable to the Countries and Regions where Holcim does business
  – Regarding internal controls, the key regulatory requirement is satisfying Article 728a Swiss Code of Obligations (SCO)
Background
• Holcim Internal Audit
  – Decentralized concept…
Background
Background
[Diagram: decentralized Internal Audit concept]
• Group Internal Audit of Holcim Ltd
• Local IA at Group company A
• Local IA at Group company B
• Local IA at Group company C
• Local IA at Group company D
• Local IA at Group company E
• Holcim Internal Audit
  – Decentralized concept
    • Group Internal Audit
    • Local Internal Audit in Group Companies
  – Structured on a Regional basis…
Background
[Organisation chart: Holcim Internal Audit, structured on a Regional basis]
• Chairman of the Board of Directors Holcim Ltd
• Audit Committee of Holcim Ltd
• Head Group Internal Audit
• Group Internal Audit; Group IT Audit; Group ICS; Corporate and Head Office
• North America, UK, Africa, Middle East: USA; Canada; Aggregate Industries, US; Aggregate Industries, Europe; Morocco; Lebanon; Outre Mer; Nigeria
• Trading: Holcim Trading
• Latin America: Mexico; Argentina; Chile; Brazil; Colombia; Ecuador; Costa Rica; Nicaragua; El Salvador
• Europe
  – Western Europe: France; Belgium; The Netherlands; Germany
  – Central Europe: Switzerland/B-W; Italy; Spain
  – E/SE Europe, CIS/Cas: Bulgaria; Croatia; Czech Republic; Hungary; Romania; Serbia; Slovakia; Austria; Russia; Azerbaijan
• India, South Asia, Singapore/Malaysia: India; Bangladesh; Sri Lanka; Singapore; Malaysia
• China, ASEAN, Oceania: China; Thailand; Vietnam; Cambodia; Indonesia; Philippines; Australia; New Zealand
• IT Audit units: HSEA; LASER; NASC; HSEE; HSSA; HGRS; HOSS
Background
• Holcim Internal Audit
  – Decentralized concept
    • Group Internal Audit
    • Local Internal Audit in Group Companies
  – Structured on a Regional basis
    • Internal Audit broadly aligned to Holcim’s Executive Management Organisation Structure
    • IT Audit based on Holcim Regional IT Service Center concept
    • Approximately 135 Internal Audit (IA) staff and 8 IT Audit (ITA) staff
    • Group Internal Audit and majority of the IA / ITA functions have been created and resourced in the last 10 years.
    • Approximately 95% of IA / ITA staff are located in the respective Local (Group) Companies, with remaining 5% in Group Internal Audit.
Background
[Diagram: Internal Audit ‘Value House’]
• Goal: Assurance; Creation of Value & Drive Discipline; Trusted Business Partner
• Process
  – Phase I: Internal Audit Definition
  – Phase II: Internal Audit Planning
  – Phase III: Internal Audit Execution
  – Phase IV: Internal Audit Reporting
  – Phase V: Internal Audit Evaluation & Transfer
• Methodology & Tools: IA Handbook; IA Risk Assessment; TeamMate; FUMT; ACL; SAP GRC
• Base: People; Independence; Integrity; Organization; Professionalism
Background
• We are undergoing a natural evolution in the maturity of our audit methodology and approach
  – We have been embedding the Holcim Internal Audit approach across all Holcim IA / ITA functions.
  – 2011 – External Quality Review concluded that the Holcim Methodology and approach is in compliance with the IIA Standards and Code of Ethics and consistently applied across the Holcim IA / ITA functions
• To continue to meet our goals defined in our ‘Value House’, the next evolution stage is to apply a more ‘quantifiable’ dimension to our work.
• Through the use of our IT audit tools, we will be able to analyse much greater quantities of data giving us the ability to:
  – Provide greater assurance on operating effectiveness of controls
  – Better assess the indicators of fraud
The Journey
• Continuous Monitoring within Holcim
  – Ad hoc use of Continuous Monitoring tools and techniques in the business processes that support financial reporting.
  – However, extensive use of dedicated systems to monitor production activities such as:
    • Capacity
    • Production flow
• Continuous Auditing…
The Journey to Date
• Use of the ACL and SAP GRC tools varies in our Internal Audit functions across Holcim.
• They are generally used for satisfying the objectives of a specific audit at a particular point in time.
  – Use of ACL to analyse data within the scope of an audit
  – Use of SAP GRC Access Control to review IT related controls over the granting, amendment and revocation of user access
The Journey to Date
• Applying the IIA’s GTAG for Continuous Auditing…..Holcim is still at the ‘Introductory Level’.
• However transitioning to the ‘Moderate Level’ is in progress
  – Examples of Holcim Internal Audit Functions embedding the use of IT tools for their control assessments and tests
  – Initiatives in place to allow ad hoc assessments to occur on a more systematic basis.
    • Development of scripts within the ACL tool to provide a dashboard on key control indicators
    • Use of the SAP GRC module
      – To monitor the effectiveness of Segregation of Duties across fundamental business processes
      – To alert on the bypassing of key controls within the Purchase to Pay (P2P) business process
The Journey to Date
• Implement and roll out the ‘control assessment’ initiatives already in progress.
• Develop Continuous Auditing practices for ‘control assessment’ that cover global, regional and local requirements.
  – Initially leverage off Article 728a, SCO regulatory requirements
  – Broaden to cover other key controls
• Embed the use of data analysis tools across all Holcim Internal Audit functions.
• Develop and implement use of Continuous Auditing practices for ‘risk assessment’.
  – Application in Local Companies that have many sites
  – Annual audit planning risk assessment
• Engage Management (both Operations and IT), to promote and enable these steps to happen.
Next Steps
• The efficiency challenge
  – There is no Globally standardised business process model across our Companies. A combination of Regional and Local process models are in place.
  – Our IT infrastructure is also implemented on a Regional / Local basis (Regional IT Service Center Concept).
• The effectiveness challenge
  – Changing the mind set of incorporating an analysis of data to the traditional risk-based audit approach.
  – Supporting the Holcim IA functions that only have a small number of staff.
Challenges
• We are at the early stage of our transition, regarding the adoption of Continuous Auditing techniques.
• Holcim’s history in terms of…..
  – Organisation structure
  – Level of regulation regarding internal control
  – Development of a Global Holcim Internal Audit practice
  …provide a context of the current maturity level for the use of such techniques.
Summary
• Thank you…..questions?
Questions