Defense in Depth: The Role of Continuous Controls Monitoring in the Three Lines of Defense Model

Presented by: Andrew Simpson, Chief Operating Officer, CaseWare Analytics

Uploaded by nguyendieu, posted 07-Mar-2018


TRANSCRIPT

Page 1: Defense in Depth - Fraud  · PDF fileThe Importance of Monitoring COSO Guidance ... • AML and KYC compliance ... Slide 1 Author: Damion Mitchell

Presented by: Andrew Simpson, Chief Operating Officer, CaseWare Analytics

Defense in Depth: The Role of Continuous Controls Monitoring in the Three Lines of Defense Model

Page 2

CaseWare International

• Founded in 1988
• An industry leader in providing technology solutions for finance, accounting, governance, risk, and audit professionals
• Over 400,000 users of our technologies across 130 countries and 16 languages
• Customers include Fortune 500 and Global 500 companies

Page 3

Agenda

• The Three Lines of Defense Model

• Continuous Controls Monitoring (CCM)

• Case Studies of CCM at Each Line of Defense

• Q & A

Page 4

Drivers of Risk Management

Risk is high on the agenda for boards today due to:

• A focus on cost reduction

• A desire for added value

• An evolving regulatory environment

• Technological changes and availability of data

Page 5

High Performers

Source: Experis, Top 5 Characteristics of a High Functioning Internal Audit Organization

Exploring Opportunity
Minimizing Business Uncertainty
Managing Compliance and Crisis

• Complying with corporate governance standards
• Avoiding personal liability failure
• Owning company crisis
• Achieving global best practices
• Understanding and evaluating business risks
• Understanding full range of risks facing business today
• Improving returns through value-based management
• Enhancing capital allocation
• Protecting corporate reputation

Page 6

Where Do You Want to Be?

Page 7

Risk-Based Audit Methodologies:

THE THREE LINES OF DEFENSE MODEL

Page 8

Three Lines of Defense Model

Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

Page 9

The 1st Line of Defense

Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

Page 10

The 1st Line of Defense

OPERATIONAL MANAGEMENT

• Own and manage risks

• Design and implement internal controls

• Responsible for maintaining effective controls

Page 11

The 2nd Line of Defense

Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

Page 12

The 2nd Line of Defense

RISK MANAGEMENT & COMPLIANCE

• Help build and monitor first line of defense

• Ensure compliance with regulations

• Financial risks and reporting requirements

• Identify changes in risk appetite

Page 13

The 3rd Line of Defense

Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

Page 14

The 3rd Line of Defense

INTERNAL AUDIT

• Provide senior management with assurance
• Monitor the effectiveness of the first and second lines of defense
• Independent

Page 15

Coordinating the Three Lines

First Line of Defense: Risk Owners/Managers
• Operating management

Second Line of Defense: Risk Control and Compliance
• Limited independence
• Reports primarily to management

Third Line of Defense: Risk Assurance
• Internal audit
• Greater independence
• Reports to governing body

Page 16

Risk-Based Analytics:

CONTINUOUS CONTROLS MONITORING (CCM)

Page 17

What Is CCM?

An audacious vision for CCM:

• Know the state of any control in the business

• Resolve identified breaches before impact

• Provide an unparalleled ROI

Page 18

The Importance of Monitoring

COSO Guidance (effective controls systems must include monitoring)

Page 19

Role of CCM

• Independent monitoring of automated and partially automated controls

• Continuous detection of breaches

• Transparency in detection and remediation

• Address IT concerns

• Collaborative approach to timely remediation

Page 20

CCM at Each Line of Defense

• Effectively monitor internal controls at the 1st and 2nd lines of defense
• Allow the 3rd line of defense to be confident in its assurance role
• Create a remediation process that minimizes the impact of a control breakdown
• Provide evidence of due diligence for external auditors and regulators

Page 21

Analytics in Action:

CASE STUDIES OF CCM AT EACH LINE OF DEFENSE

Page 22

The 1st Line of Defense

Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

Page 23

Enersource

• Canadian Energy Company since 1917
• Third largest in Ontario
• Over 200,000 residential and commercial customers
• Provides electrical infrastructure design, construction, operations support, and maintenance

Page 24

Reputational Risks

Page 25

Financial Risks

Page 26

Verification of Bills

• Reputational risk is the primary concern
• Was using an in-house MS Excel system to verify the accuracy of bills
  o Upgraded to smart meters in 2009
  o Challenges
    o Took 5 hours to process a batch of bills
    o Exceptions manually circulated by email
    o Impossible to track resolution
    o Labor intensive to make changes

Page 27

The CCM Solution

• Independently calculate bills and identify inaccuracies
• Extract data from other sources, not just the billing system
• Send exceptions in XML format to the bill print system so that those bills are not printed
• Engage users in the Billing Department to resolve issues
• Validate corrections made in core systems
• Maintain a history of exceptions and the actions taken to resolve them
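A constructed sketch of the control this slide describes, added here as an example and not Enersource's or CaseWare's code: each bill is recomputed independently from the raw meter reads, mismatches and impossible reads become exceptions carrying a reason code, and the exceptions are emitted as an XML hold list for the bill print system. The flat tariff, the one-cent tolerance, the reason codes, the XML layout and the sample bills are all assumptions made for illustration.

```python
"""Added CCM bill check; tariff, tolerance, reason codes and XML layout are assumed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

TARIFF_PER_KWH = Decimal("0.12")  # assumed flat energy rate
FIXED_CHARGE = Decimal("25.00")   # assumed monthly service charge
TOLERANCE = Decimal("0.01")       # rounding differences up to one cent pass
# Constructed sample batch: (bill_id, previous_read, current_read, billed_amount)
BILLS = [
    ("B-1001", 12000, 12350, Decimal("67.00")),  # 350 kWh: 42.00 + 25.00, correct
    ("B-1002", 5400, 5400, Decimal("25.00")),    # zero usage, fixed charge only
    ("B-1003", 9000, 9500, Decimal("850.00")),   # decimal slip: should be 85.00
    ("B-1004", 7000, 6900, Decimal("13.00")),    # meter read went backwards
]

@dataclass
class Finding:
    bill_id: str
    reason_code: str   # AMOUNT_MISMATCH or INVALID_READ (assumed codes)
    expected: object   # Decimal, or None when no amount could be computed
    billed: Decimal

def expected_amount(prev, curr):
    """Recompute the bill independently from the raw meter reads."""
    if curr < prev:
        raise ValueError("meter reading decreased")
    amount = Decimal(curr - prev) * TARIFF_PER_KWH + FIXED_CHARGE
    return amount.quantize(Decimal("0.01"), ROUND_HALF_UP)

def verify(bills):
    """Compare every bill against the independent figure; return the exceptions."""
    findings = []
    for bill_id, prev, curr, billed in bills:
        try:
            expected = expected_amount(prev, curr)
        except ValueError:
            findings.append(Finding(bill_id, "INVALID_READ", None, billed))
            continue
        if abs(expected - billed) > TOLERANCE:
            findings.append(Finding(bill_id, "AMOUNT_MISMATCH", expected, billed))
    return findings

def hold_list_xml(findings):
    """Assumed layout of the hold list handed to the bill print system."""
    root = ET.Element("HoldList")
    for f in findings:
        ET.SubElement(root, "Bill", id=f.bill_id, reason=f.reason_code)
    return ET.tostring(root, encoding="unicode")
```

Running `verify(BILLS)` on the constructed batch holds B-1003 and B-1004 and lets the two correct bills through; the returned findings are the records a history table would retain for auditors.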

Page 28

Results

• Has not had a single public incident

• Accuracy of billing improved significantly

• Billing anomalies automatically distributed

• Bills verified in less than 5 minutes (not 5 hours)

• Bills sent out same day—improving cash flow

• Evidence retained for regulators/auditors

• Labor-intensive manual reviews were eliminated

Page 29

The 2nd Line of Defense

Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

Page 30

Christie's Auction House

• Founded in 1766 by James Christie

• 53 offices in 32 countries

• Prices range from $200 to $80 million

Page 31

Challenges

• Risk and compliance group mandated to review 100% of transactions

• Primary area of concern is client accounting

• Need to ensure that fees and charges are accurate

• Need to involve the business in timely remediation

Page 32

The CCM Solution

• Implemented for 40 key controls
• Monitor transactions near real time
• Covering multiple locations (UK and New York)
• Phase I started in risk and compliance, then rolled out to the business

Page 33

Phase II—Customer Screening

• Important to meet regulatory requirements
• AML and KYC compliance
• Integrate with World-Check sanction list data for screening

Page 34

The 3rd Line of Defense

Adapted from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41

Page 36

Challenges

• Several disparate systems

• Many audit scripts

• Emailing exceptions in Excel

• SAP generating many exception reports

• Business struggling to cope

Page 37

The CCM Solution

• All analytics built in-house by CM Team
• Covered 30 key controls to start
• CCM implemented for Purchase to Payment in Phase I
• Expanded to the retail business processes in Phase II
• Adopted as central exception management system (including SAP reports)

Page 38

Results

• Started in internal audit

• Rolled out to business users

• Use action/reason codes to facilitate root cause analysis

• Daily examination of processes

• First-year results:

o 5.5 billion transactions covered

o $1.8 million in savings

Page 39

Conclusion

• Internal control effectiveness is positively impacted by collaboration
• That means collaboration across all three lines of defense
• CCM is a compelling vehicle to facilitate a collaborative process

Page 40

Contact

Andrew Simpson

Chief Operating Officer

CaseWare Analytics

[email protected]

613.824.9233 ext. 2144