Governance, Risk, and Compliance
Driving Value through Controls Monitoring

ADVISORY
© 2008 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of
independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.
GRC: A DEFINITION

Governance, risk, and compliance (GRC) is more than a software solution; it is a strategic discipline. GRC is a continuous process that is embedded into the culture of an organization and governs how management identifies and protects against relevant risks, monitors and evaluates the effectiveness of internal controls, and responds to and improves operations based on learned insights. GRC is the integration of all governance, risk assessment and mitigation, and compliance and control activities to operate in synergy and balance. A GRC strategy can help create business value by reducing costs, identifying operational inefficiencies, rationalizing controls, and enabling identification and management of risks. GRC works best when multiple roles (e.g., corporate secretary, corporate compliance, enterprise risk, internal audit, IT, line of business, investigations, legal) collaborate within a common framework and architecture to bring an enterprise view across governance, risk, and compliance activities throughout the organization. A GRC strategy can help an organization prevent “surprises” while preserving shareholder value.

CONTENTS

Introduction 1

The Current Environment 2

GRC Maturity Assessment 3

Controls Monitoring: Opportunities and Challenges 6

An Approach to Implementing Controls Monitoring Tools 8

Conclusion 14


INTRODUCTION

As organizations continue to cope with the high cost of achieving and sustaining compliance with a variety of regulations, leaders are considering new ways to reduce costs, strengthen decision-making capabilities, and improve business performance.

Many have found that a strong governance, risk, and compliance discipline can
enable them to integrate inefficient and isolated programs, processes, and systems
into effective and efficient enterprise-wide, risk-based internal control structures. To
further drive value, organizations are implementing controls monitoring tools that can
help them align strategic initiatives with risk management, serve as documentation
repositories, and support ongoing GRC monitoring and reporting. Benefits vary by
organization and depend on the extent of an organization’s reliance on automated
versus manual controls as well as the maturity of its compliance program. Benefits
also depend, ultimately, on the organization’s need for enterprise-level transparency;
its people, process, technology, and risk and control integration; and the extent to
which the organization can lower performance and monitoring cost through enabling
technologies.

In evaluating their existing GRC capabilities, many organizations have found that:
• Potential control benefits of an existing enterprise resource planning (ERP) system have often not been fully leveraged—resulting in self-imposed limitations on these systems’ capabilities to support efforts to reduce costs or add operational value.
• Existing key controls often have deteriorated over time and are largely manual, costly, and inefficient.
• Monitoring capabilities are nonexistent or inadequate so that control failures often go undetected, pointing to related deficiencies in governance oversight and risk management.

Having evaluated their business needs and opportunities, many leaders are considering how to embed controls monitoring capabilities into their financial, operational, and regulatory processes as a means of improving decision making and performance while reducing costs—all primary objectives of a well-developed GRC discipline. These efforts call for them to:
• Identify the right controls, based on knowledge of the organization’s key risks, and to the extent possible, automate control performance for real-time monitoring
• Embed controls monitoring within regular business and decision processes
• Integrate controls monitoring with the organization’s GRC, enterprise risk management (ERM), or corporate values programs
• Integrate compliance and business control requirements into a single control framework to achieve a “single view” of risk
• Implement controls monitoring tools to help the organization build a sustainable GRC program and improve business and decision-making processes.

This white paper explores the potential benefits of controls monitoring as a means of improving decision making, reducing the costs of control performance and monitoring, and driving greater business value. It identifies the business benefits that can result from transforming the way controls are monitored, and it discusses considerations for implementing a monitoring capability that is fundamental to any organization’s GRC discipline.

Understanding GRC

“Among the many unintended consequences of Sarbanes-Oxley was a new acronym: GRC. Born of an [intended] emphasis on improving governance, risk, and compliance, the acronym was quickly appropriated by providers of everything from document management to ERP systems. But while software plays a role, GRC is really a management discipline: it’s about how to balance the often-competing demands of regulators, shareholders, customers, and market forces, all without running afoul of an increasingly tangled thicket of regulatory demands. Because the information, roles, responsibilities, and even budgets involved in GRC fall across many different business units, the CFO is often the most logical champion of an integrated approach. But even as traditional managers of risk, and even with the force of the law behind them, CFOs can find it challenging to create a unified approach to GRC.”

“An Integrated Approach to Risk and Compliance,” CFO.com Editorial Webcast, March 25, 2008

THE CURRENT ENVIRONMENT

Before Sarbanes-Oxley, organizations’ decision-making processes tended to focus broadly on cost reduction and business improvement, giving comparatively less attention to risk management issues. For many organizations, however, the proliferation of regulation in recent years has prompted a much greater focus on compliance and the integrity of controls.

The substantial costs associated with these regulatory compliance efforts are receiving ongoing attention. These costs have continued to rise as organizations have sought to cope with a lack of integration among multiple regulatory compliance frameworks as well as a lack of business processes in which compliance efforts have been embedded.

To address requirements, many organizations have “bolted on” compliance programs that are separate and distinct from their system of internal controls over operations. They may have invested in multiple ERP solutions and add-on components that often did not fully integrate. They may have found that their controls and test methodologies were largely manual. Moreover, many organizations had not integrated a focus on risk management within business values, business requirements, and business remuneration processes. The overall result is fragmented programs that are complicated to operate, difficult to manage, expensive to implement and monitor through periodic tests, and increasingly less effective in supporting sound and timely business decisions.

Economic pressures are prompting organizations to address these challenges, specifically by leveraging risk management and compliance investments to improve business performance. Controlling costs is one reason for these efforts—a goal reflected in the recently updated SEC Interpretive Guidance and PCAOB Auditing Standard No. 5. The SEC and PCAOB have recognized the cost burden that Sarbanes-Oxley placed on public companies and are seeking to strike the right balance between the cost of compliance and the benefits to public company financial reporting.

At the same time, years of experience with compliance processes are enabling leaders to find new ways to turn regulatory obligations into strategic opportunities to reduce performance cost and improve control effectiveness. Specifically, they are focused on integrating multiple compliance efforts and embedding them into day-to-day operations. These endeavors call for increasing the use of automated tools that drive improvements in the management of governance, risk, and compliance—specifically by embedding controls monitoring routines into day-to-day processes.


GRC MATURITY ASSESSMENT

Enhancing an organization’s GRC discipline begins with understanding the maturity level of the existing compliance program(s). The evolution of such a program can be described as a progression across four states of maturity—fragmented, implemented, embedded, and enhanced—which are described in Figure 1.[1] Within each of the four states, organizations assign accountabilities to leaders who take ownership of monitoring risks and controls.

Figure 1: The Maturing of Compliance

(Figure axis labels: Finance, Operations. States are listed from most to least mature.)

Enhanced: Compliance is culture-centric and framework-integrated. It is achieved as part of how business is done and is inherently part of organizational culture. The enhanced state implies a change in mindset in which compliance is performed not solely for the sake of complying with different laws but also to gain business process improvement.

Embedded: Compliance is process-centric. It is achieved in a fundamentally new way by building compliance activities and procedures into existing business processes and technology so that business owners can start to share responsibility for compliance.

Implemented: Compliance is program-centric. It is achieved via the oversight of a new, overarching, stand-alone program that oversees the hiring of dedicated personnel whose main focus is coordinating and communicating the compliance activities.

Fragmented: Compliance is project-centric. It is achieved through disconnected and/or inconsistently applied efforts throughout the enterprise. Extensive coordination and work are required by a centralized project management function.

Source: KPMG LLP (U.S.), 2005

[1] This maturity model was introduced in the KPMG white paper, The Compliance Journey: Making Compliance Sustainable, KPMG LLP, 2005.


As an organization moves up in the maturity model, ownership spreads across the enterprise and compliance becomes embedded within the very culture of the business. As depicted in Figure 2, monitoring and testing become “business as usual,” driven by a strategic direction and measured by continuously monitoring transactions against pre-established business rules. These activities are no longer performed by compliance project personnel but rather at the operational and tactical levels of the business—where the control responsibility resides and performance dashboards provide the necessary transparency to an organization’s governance structure and support the decision-making process.

Figure 2: Continuous Monitoring within Business Processes

[Figure: a cycle labelled “Continuous monitoring as part of normal business processes” linking three levels, Strategic (Monitor), Tactical (Review), and Operational (Test), across the Purchasing, Warehouse, Manufacturing, Sales & Distribution, and Management processes.]

Source: KPMG LLP (U.S.), 2008


The extent of the effort required to implement a controls monitoring solution as part of an organization’s GRC discipline is dependent on the maturity of an organization’s compliance program, the ratio of manual to automated controls, and the extent of the program’s integration with process, systems, and people. In general, the more mature or embedded an organization’s compliance program and automated controls, the easier it is to implement a tool-based controls monitoring solution.

An organization should consider its relative state of maturity as the first step on the path to implementing a controls monitoring tool in support of its GRC program, considering such questions as:
• Does the organization have an ERM program in place to address holistically the myriad risks facing the business?
• Has the organization developed an awareness of the various compliance programs to which it is subject, and has it considered the shared touch points among these programs for an integrated view?
• Are the organization’s compliance efforts handled by a single function or spread across the business among the affected parties?
• Does the act of complying fit comfortably into the day-to-day running of the business or is it an ancillary effort that requires incremental resources and time?
• Does the organization use technology to facilitate its compliance and monitoring efforts, either through a common platform for most key business functions or through a compliance tool or repository?
• Has the organization considered the maturity of its controls portfolio, driving toward automated, preventive controls that are typically less costly and more effective than manual, detective controls?

CONTROLS MONITORING: OPPORTUNITIES AND CHALLENGES

Organizations can transform the performance of finance, compliance, and operations by automating the controls that help enforce desired actions, the mechanisms that validate performance, and the systems that provide monitoring and oversight of compliance. In the same way that organizations have made significant investments in reinventing processes and transforming controls, they should also be shifting from point-in-time testing (often now implemented as a bolt-on control) to ongoing testing embedded within the business processes.

As with ERP system implementations, one of the critical elements of realizing value in a controls monitoring tool is to ensure that processes are properly engineered and that key controls are automated. When done right, the implementation of a bolted-on controls monitoring tool integrated within a new ERP application, or even the use of an existing monitoring capability within the application, can help an organization reduce risk management costs and improve business performance.

Controls monitoring tools can help simplify the consolidation of an organization’s various compliance requirements and can facilitate the coordination of disparate documentation requirements and testing efforts. With such consolidation, compliance and monitoring become part of doing business, enabling the organization’s compliance function to mature in the process. Benefits can include:
• Enhanced decision-making capability based on validated business information
• Reduced cost of managing business risk and potential for growth in shareholder value
• Ongoing real-time monitoring and the potential for accelerated follow-up on exceptions
• Embedded workflow controls monitoring within regular processes and automated testing boundaries and exception-based alerts
• Enhanced capability to generate progress reports and decision-making dashboards

A Case Study

A company in the chemicals industry implemented a controls monitoring tool to test controls using a workflow and dashboard mechanism. The main challenge was not the technical implementation of the monitoring tool, but the challenge of creating the improvement awareness within the organization. This change management issue was one of the reasons the organization renamed its “monitoring” tool the “insight to improve” tool. The dashboard provides management with an overview of the control status of the business processes, enhancing the availability and reliability of information critical to the decision-making process.


While controls monitoring provides substantial benefits when integrated successfully with a strong GRC discipline, organizations that implement such tools face a variety of challenges beyond the software implementation effort. Change management barriers can pose particular difficulties unless leaders take steps to address them from the outset.

For example, controls monitoring tools are designed to monitor performance rather than simply test it. Their use provides a new transparency into the organization’s performance and processes, and organizations need to adjust their cultures to this transparency. To implement such tools successfully, organizations need to take steps to involve their business owners—those who understand the business risks and the existing monitoring process—as well as determine how roles and responsibilities should be adjusted so the organization can make the best use of the tools.

What’s more, training efforts are necessary to demonstrate that the monitoring
process is not intended as a means of assigning blame for poor performance but
rather as an effort to create a sustainable process for monitoring the real risk issues
for corporate leaders so that related business improvements can be made at the
business group/unit level.


AN APPROACH TO IMPLEMENTING CONTROLS MONITORING TOOLS

Efforts to reduce and sustain compliance costs and improve performance will vary by organization and depend on the maturity of current practices (see Figure 1). The approach to implementing the right tool and to monitoring the right controls calls for a disciplined GRC process, and the vast majority of organizations are working through the complexities and considerations involved in building an effective, sustainable program.

To help drive a successful controls monitoring implementation, an organization would perform a critical series of activities:
• Assess the organization’s current GRC maturity and identify its portfolio of key controls across the various compliance frameworks to which the business is subject.
• Select a tool to help monitor performance of these key controls.
• Build a “dashboard” to provide transparent performance reporting to decision makers and embed it within the regular business processes.

These activities are discussed below.

Step 1: Assess the Maturity of the Compliance Program and the Controls Portfolio

To realize the benefits of implementing a sustainable controls monitoring capability, an organization would assess the maturity of its broader GRC discipline as well as its more tactical compliance programs. Such an effort includes an evaluation of the nature and extent of key manual and automated controls and the current process for monitoring compliance.

A number of key issues would likely arise in a maturity assessment. From a governance perspective, organizations should consider how well they are achieving key goals, including:
• Embedding not only the performance of key controls but also the testing of these controls into normal operations
• Aligning risk and compliance management activities with the business’s strategic direction and embedding these efforts into business process performance
• Meeting decision makers’ demands for additional transparency into their operations’ performance
• Engendering among “owners” of compliance frameworks the willingness to integrate efforts
• Managing compliance from the perspective of improving performance and creating strategic value.


The organization needs to determine the scope of the project—that is, whether the
project should be an enterprise-wide implementation or a phased-in approach. If it is
a phased approach, the organization must decide which processes, units, or programs
to include first. As a general rule, the greater the state of the organization’s GRC
maturity, the greater the scope can be since much of the “integration” groundwork
has already been established. In situations where an organization’s GRC capability is
not highly mature, an effective approach can be to start with the most standardized
processes supported by common technology platforms and/or to address some of
the most integrated compliance programs (such as Sarbanes-Oxley).

Achieving a Single View of Risk

Organizations face a number of compliance requirements, including section 404 of the Sarbanes-Oxley Act (S-O 404), ISO (i.e., BS7799), U.S. Food and Drug Administration (FDA), and Basel II, among others. To achieve a single view of risk, organizations should build entity-specific frameworks that integrate all compliance requirements into a single framework, thereby reducing their “test” and “monitor” efforts significantly. Depending on the scope of the implementation, a controls monitoring tool can help enable organizations to address the complexities of compliance across these various frameworks. Specifically, such a tool can enable organizations to achieve integration and standardization as well as a single view of risk, all of which can help drive value-added business insights.

[Figure: Controls Monitoring, Integrated View of Controls. A single controls monitoring tool covers the BS7799, Basel II, FDA, and S-O 404 requirements and produces the compliance report for each (tool objective: one solution fits all).]

Source: KPMG LLP (U.S.), 2008

The organization then needs to decide on the scope of the controls to monitor.[2] Management would start this process by reviewing its existing efforts to manage business risks, its automated controls and the extent to which they are operating effectively, and its process for measuring compliance—specifically whether this process is manual or automated and if testing and reporting are embedded within it. It would also assess its existing portfolio of key controls and how that portfolio is aligned with strategic business drivers, ERM initiatives, and other compliance programs.

Assessing control dimensions is equally useful. Manual controls depend on people doing the right action consistently; thus, they carry a greater risk of nonperformance and a higher cost to perform and to test for compliance than automated controls. By contrast, automated controls can help reduce costs, improve risk management, and provide more predictive business insights. Automated controls—such as balancing control activities, predefined data listings, data reasonableness tests, and logic tests—often are embedded within software programs to prevent or detect unauthorized transactions.

Manual versus Automated

In reality, there will always be key manual controls; however, since the cost of performance and monitoring is generally high and the risk of performance failure is greater than with automated controls, organizations should seek to set goals that define the ratio of automated to manual controls. For example, a reasonable goal might be to have 60–70 percent of the controls portfolio made up of preventive automated controls.

Once an organization has defined its project scope, sufficient data has typically
been gathered to support the next step—selection of an appropriate controls
monitoring solution.

[2] For a discussion of ways to evolve a controls portfolio, see The Compliance Journey: Balancing Risk and Controls with Business Improvement, KPMG LLP, 2004.


Step 2: Select and Implement a Controls Monitoring Tool to Help Transform the Controls Portfolio

Many organizations will elect to implement a controls monitoring tool for a chosen subset of their overall GRC programs for the various reasons explored above. However, when selecting a means of controls monitoring, whether it is a third-party tool or existing functionality in a current ERP system, an organization is encouraged to take a “big picture” view. By developing a guiding vision of what the organization’s integrated end state should be, leadership will be better positioned to methodically evaluate the options and select a tool that provides for optimal long-term opportunity.

As Figure 3 illustrates, a key determinant in the tool-selection process is often the depth to which an organization wants to drive its controls monitoring and the level of integration among the various layers. While strategic and even tactical tools often provide holistic views and enterprise-wide dashboarding, they may not function at a deep enough level to provide sufficient monitoring of individual key controls. Thus, the long-term efficiency of these tools depends on their genuine integration across all levels.

Figure 3: Using Controls Monitoring Tools

[Figure: three layers of tools, Strategic (ERM), Tactical (Process Level), and Operational (Monitoring/Testing Level); the operational layer covers the Purchasing, Warehouse, Manufacturing, Sales & Distribution, and Management processes through operational risk management tools (fact-finding), and the tactical layer is illustrated with project-management process screenshots.]

Source: KPMG LLP (U.S.), 2008



A number of tools are available for monitoring key automated controls at the operational “fact-finding” level. The right choice will depend on the organization’s business requirements and desired benefits, including practical considerations such as how well the proposed tool will integrate with existing systems and tools.

Generally, controls monitoring tools fall into two categories: (1) those that are
integrated within ERP applications—such as SAP GRC and Oracle GRC—and
(2) specialized add-on tools such as Approva, CSI, ACL, IDEA, and BWise. Almost
all of these applications offer one or both of two fundamental monitoring capabilities:
user authorizations/segregation of duties and monitoring of process/transaction
controls. As part of the tool-selection process, an organization must consider
which capabilities it desires to build into its automated framework.
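The transaction-level monitoring the paper describes (business rules such as reasonableness and logic tests under “Manual versus Automated”, and the segregation-of-duties and process/transaction capabilities named here), as an added example that is not part of the KPMG paper: a small Python rule engine that runs constructed purchase-to-pay invoices through such rules and rolls the exceptions up per operating company the way the Figure 4 dashboard does. The rule names, the 5 percent tolerance, the company codes and the sample records are all assumptions.

```python
"""Continuous controls monitoring over purchase-to-pay invoices.

Constructed example (not KPMG's code): evaluates pre-established business rules
of the kinds the paper names (segregation of duties, a duplicate listing, a
reasonableness test against the purchase order, a logic test for a missing PO)
and rolls the exceptions up per operating company like a Figure 4 dashboard.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Invoice:
    company: str                # operating company code (constructed, e.g. "1000")
    vendor: str
    invoice_no: str             # the vendor's own invoice reference
    amount: float
    po_amount: Optional[float]  # None when no purchase order was referenced
    entered_by: str             # user who posted the invoice
    approved_by: str            # user who released it for payment


# A rule sees one invoice plus the whole population (needed for duplicate checks)
# and returns the exception it raises, or None when the control passed.
Rule = Callable[[Invoice, List[Invoice]], Optional[str]]


def segregation_of_duties(inv: Invoice, _all: List[Invoice]) -> Optional[str]:
    """Authorization control: posting and releasing must be two different users."""
    if inv.entered_by == inv.approved_by:
        return "Entered and approved by same user"
    return None


def duplicate_invoice(inv: Invoice, population: List[Invoice]) -> Optional[str]:
    """Predefined data listing: same vendor, reference and amount posted more than once.
    Every copy is flagged, so a pair of postings counts as two exceptions."""
    key = (inv.vendor, inv.invoice_no, inv.amount)
    matches = sum(1 for o in population if (o.vendor, o.invoice_no, o.amount) == key)
    return "Duplicate invoice" if matches > 1 else None


PO_TOLERANCE = 0.05  # assumed: an invoice may exceed its PO by at most 5 percent


def reasonableness_vs_po(inv: Invoice, _all: List[Invoice]) -> Optional[str]:
    """Logic test (no PO at all) and reasonableness test (invoice well above PO value)."""
    if inv.po_amount is None:
        return "Invoice without purchase order"
    if inv.amount > inv.po_amount * (1 + PO_TOLERANCE):
        return "Invoice exceeds PO value"
    return None


RULES: List[Rule] = [segregation_of_duties, duplicate_invoice, reasonableness_vs_po]


def run_rules(invoices: List[Invoice]) -> Dict[str, Counter]:
    """Evaluate every rule on every invoice; return {company: Counter(exception -> n)}."""
    board: Dict[str, Counter] = {}
    for inv in invoices:
        for rule in RULES:
            exception = rule(inv, invoices)
            if exception is not None:
                board.setdefault(inv.company, Counter())[exception] += 1
    return board


def company_totals(board: Dict[str, Counter]) -> Dict[str, int]:
    """Row totals, the rightmost column of a Figure 4 style dashboard."""
    return {company: sum(counts.values()) for company, counts in board.items()}


def render_dashboard(board: Dict[str, Counter]) -> List[str]:
    """One text row per operating company with the count of each exception type."""
    columns = sorted({name for counts in board.values() for name in counts})
    rows = ["company | " + " | ".join(columns) + " | total"]
    for company in sorted(board):
        cells = [str(board[company].get(col, 0)) for col in columns]
        rows.append(f"{company} | " + " | ".join(cells) + f" | {sum(board[company].values())}")
    return rows


# Constructed sample population; only the last invoice passes every rule.
SAMPLE_INVOICES = [
    Invoice("1000", "V100", "INV-1", 1000.0, 1000.0, "alice", "bob"),    # posted twice (both copies flagged)
    Invoice("1000", "V100", "INV-1", 1000.0, 1000.0, "alice", "bob"),
    Invoice("1000", "V200", "INV-7", 1200.0, 1000.0, "carol", "carol"),  # SoD breach and 20% over PO
    Invoice("1100", "V300", "INV-9", 500.0, None, "dave", "erin"),       # no purchase order
    Invoice("1100", "V300", "INV-10", 510.0, 500.0, "dave", "erin"),     # 2% over PO: within tolerance
]

if __name__ == "__main__":
    for line in render_dashboard(run_rules(SAMPLE_INVOICES)):
        print(line)
```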

Additional considerations include the tool’s:
• Ability to integrate with multiple compliance frameworks and into the existing IT environments
• Functionality to embed controls testing via automated workflow
• Capability to automate fact-finding for transaction analysis and exception resolution
• Functionality to generate easy-to-use and drill-down management reports

As part of effectively implementing a controls monitoring tool, an organization would need to automate any key controls that are expected to be monitored to allow the tool to perform ongoing compliance assessment. Once a tool is implemented, and to realize the full value of an embedded controls monitoring capability, an organization would incorporate into daily operations a set of tactical-, operational-, and strategic-level dashboard reports with financial, operations, and compliance metrics, all of which can serve as a strategic compliance monitoring instrument to provide the necessary business intelligence to decision makers.


Step 3: Implement Controls Monitoring Dashboards to Enable Business Improvement

Monitoring performance is one of the most important aspects of this effort because it brings critical information to the attention of the business owners. Effective reporting can elevate seemingly mundane compliance activities to important information about business risks. In other words, integration of the compliance dashboard into the business will enable insights to emerge and be available to leadership to monitor control performance against enterprise risks, including regulatory compliance requirements.

Reporting can reveal holes in the organization’s internal control environment, often
on a real-time basis, so that the business owners who understand the inherent
risks can take steps to address the problems.

A few key measures can help ensure the effectiveness of reporting/dashboarding.
From the beginning of a controls monitoring effort, organizations should:

• Identify recipients of these reports as well as their information requirements,
and tailor reporting/dashboarding views based on business needs
• Discuss the content and the frequency of the reports
• Identify the separate viewpoints of different compliance programs so reports
can be issued as needed
• Identify the requirements of various internal and external reviewers, who are
likely to first look into the results and then require more detailed explanations
• Improve acceptance of reporting/dashboarding by integrating control monitoring
tools within GRC or existing business intelligence reporting tools (such as
Hyperion, Business Objects, or Cognos).

[Figure 4: Example Dashboards. Source: KPMG LLP (U.S.), 2008. The figure is a
table of control exception counts by operating company (company codes 1000 to
5210, Country A through Country P) grouped under Procurement and Sales headings;
the individual column headings are not recoverable from the extracted text.]
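As an added example (not code from the KPMG paper), the following Python sketch shows the mechanics behind such a dashboard: a small set of automated control tests runs over constructed ERP-style records, every exception is rolled up per operating company in the shape of the Figure 4 table, and recipient-specific views are derived from that one findings list rather than from separate reports. The sample records, the four control tests, and the recipient roles are assumptions chosen for illustration; they are the kind of procurement and sales checks such dashboards aggregate, not tests taken from the figure.

```python
"""Controls-monitoring dashboard sketch: run automated control tests over
ERP-style records, roll exceptions up per operating company, and derive
recipient-tailored views.  Added example; records and rules are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample ERP records (assumed for illustration, not real data).
VENDORS = [
    {"id": "V1", "company": "1000", "bank_acct": "DE11", "created_by": "alice"},
    {"id": "V2", "company": "1000", "bank_acct": "DE11", "created_by": "bob"},
    {"id": "V3", "company": "1100", "bank_acct": "NL22", "created_by": "carol"},
]
INVOICES = [
    {"id": "I1", "company": "1000", "vendor": "V1", "po": "PO1", "approved_by": "dave"},
    {"id": "I2", "company": "1000", "vendor": "V2", "po": None, "approved_by": "bob"},
    {"id": "I3", "company": "1100", "vendor": "V3", "po": "PO2", "approved_by": "erin"},
]
CUSTOMERS = [
    {"id": "C1", "company": "1100", "credit_limit": 1000, "open_ar": 1500},
    {"id": "C2", "company": "1000", "credit_limit": 5000, "open_ar": 200},
]


@dataclass(frozen=True)
class Finding:
    """One control exception, keyed to the operating company that owns it."""
    control: str
    area: str        # "Procurement" or "Sales"
    company: str     # operating company code, as in the Figure 4 rows
    record_id: str


# Each control test yields (company, record_id) for every exception it finds.
def invoices_without_po(vendors, invoices, customers):
    for inv in invoices:
        if not inv["po"]:
            yield inv["company"], inv["id"]


def duplicate_vendor_bank_accounts(vendors, invoices, customers):
    # Two vendor masters sharing a bank account within one company is a
    # classic duplicate-payment / fictitious-vendor indicator; flag every member.
    groups = defaultdict(list)
    for v in vendors:
        groups[(v["company"], v["bank_acct"])].append(v["id"])
    for (company, _), ids in groups.items():
        if len(ids) > 1:
            for vid in ids:
                yield company, vid


def vendor_creator_approves_invoice(vendors, invoices, customers):
    # Segregation-of-duties test: the user who created the vendor master
    # must not approve invoices to that vendor.
    creator = {v["id"]: v["created_by"] for v in vendors}
    for inv in invoices:
        if creator.get(inv["vendor"]) == inv["approved_by"]:
            yield inv["company"], inv["id"]


def customers_over_credit_limit(vendors, invoices, customers):
    for c in customers:
        if c["open_ar"] > c["credit_limit"]:
            yield c["company"], c["id"]


# Registering a test here is the only step needed to put it on every view.
CONTROLS = [
    ("Procurement", "invoice_without_po", invoices_without_po),
    ("Procurement", "duplicate_vendor_bank_account", duplicate_vendor_bank_accounts),
    ("Procurement", "sod_vendor_creator_approves_invoice", vendor_creator_approves_invoice),
    ("Sales", "customer_over_credit_limit", customers_over_credit_limit),
]


def run_controls(vendors=VENDORS, invoices=INVOICES, customers=CUSTOMERS):
    """Run every registered control test and return the full findings list."""
    findings = []
    for area, name, test in CONTROLS:
        for company, record_id in test(vendors, invoices, customers):
            findings.append(Finding(name, area, company, record_id))
    return findings


def dashboard(findings):
    """Exception counts per operating company and control, plus a row total:
    the same shape as the Figure 4 table (one row per operating company)."""
    table = defaultdict(lambda: defaultdict(int))
    for f in findings:
        table[f.company][f.control] += 1
    return {co: dict(cells, total=sum(cells.values())) for co, cells in table.items()}


# Assumed recipient roles: each sees only the control areas it owns, while
# internal audit sees everything.  All views come from the same findings list.
VIEWS = {
    "procurement_lead": {"Procurement"},
    "sales_lead": {"Sales"},
    "internal_audit": {"Procurement", "Sales"},
}


def view(findings, recipient):
    """Tailored dashboard for one recipient, filtered by control area."""
    areas = VIEWS[recipient]
    return dashboard([f for f in findings if f.area in areas])


if __name__ == "__main__":
    found = run_controls()
    for role in VIEWS:
        print(role, view(found, role))
```

Keeping the recipient filter in `view` rather than baking it into each control test is what lets the same exception count appear consistently on the line-of-business view and the audit view; in a real deployment the tests would also run under a read-only ERP account so that the monitoring tool itself cannot become a path to change the records it checks.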

14 | GOVERNANCE, RISK, AND COMPLIANCE

CONCLUSION

Driving business value by implementing controls monitoring technologies can
help organizations improve the accuracy and timeliness of information to make
better decisions, achieve a single view of risk, and reduce the cost of controls
and compliance testing. Monitoring and reporting dashboards strengthen timely
decision-making capabilities and provide solid business improvement insights.

Reducing the pain of compliance and leveraging an organization's compliance
investment to create value as part of a GRC discipline is certainly attainable.
Organizations, however, should not underestimate the effort required: the
distance between the current state and the desired future state will depend on
the maturity of the organization's compliance program, its portfolio of
automated controls versus manual controls, and its ERP environments.

CONTRIBUTORS

Don F. Farineau

Peter Paul Brouwers

Keri L. Dawson

Diane K. Nardin

Maurice Op het Veld

Thomas Erwin

kpmg.ca

KPMG LLP

KPMG LLP, a Canadian limited liability partnership established under the laws
of Ontario, is the Canadian member firm affiliated with KPMG International, a
global network of professional firms providing Audit, Tax, and Advisory services.
Member firms operate in 144 countries and have more than 137,000 professionals
working around the world.

KPMG has over 5,000 employees with approximately 450 providing Advisory
Services to clients across Canada.

CONTACT US

For more information, please contact your KPMG adviser or any of our IT Advisory
professionals:

Montréal
Jean-François Coulonval, (514) 840-2117, jcoulonval@kpmg.ca
Francis Beaudoin, (514) 840-2247, fbeaudoin@kpmg.ca

Greater Toronto Area
Yvon Audette, (416) 777-8388, yaudette@kpmg.ca
Jeff Smith, (416) 777-8409, jmsmith@kpmg.ca

Western Canada
Shaun Wilson, (604) 691-3188, shwilson@kpmg.ca
Jeff Thomas, (403) 691-8012, jwthomas@kpmg.ca

Ottawa
Jim Alexander, (613) 212-5764, jalexander@kpmg.ca

Southwestern Ontario
David Evans, (519) 672-4880, djevans@kpmg.ca

For further information on management issues in IT, visit www.kpmg.ca/itadvisory.

The information contained herein is of a general nature and is not intended to address the circumstances of any
particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no
guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in
the future. No one should act on such information without appropriate professional advice after a thorough examination
of the particular situation.

© 2008 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms
affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in the U.S.A. KPMG and the KPMG logo are
registered trademarks of KPMG International. Products mentioned herein may be the trademarks of their respective owners. 080512
