Driving Value through Controls Monitoring
ADVISORY
© 2008 KPMG LLP, a Canadian limited liability partnership and a member firm of the KPMG network of
independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.
GRC: A DEFINITION
CONTENTS
Introduction 1
Conclusion 14
INTRODUCTION
As organizations continue to cope with the high cost of achieving and sustaining
compliance with a variety of regulations, leaders are considering new ways to
reduce costs, strengthen decision-making capabilities, and improve business
performance.
Many have found that a strong governance, risk, and compliance discipline can
enable them to integrate inefficient and isolated programs, processes, and systems
into effective and efficient enterprise-wide, risk-based internal control structures. To
further drive value, organizations are implementing controls monitoring tools that can
help them align strategic initiatives with risk management, serve as documentation
repositories, and support ongoing GRC monitoring and reporting. Benefits vary by
organization and depend on the extent of an organization’s reliance on automated
versus manual controls as well as the maturity of its compliance program. Benefits
also depend, ultimately, on the organization’s need for enterprise-level transparency;
its people, process, technology, and risk and control integration; and the extent to
which the organization can lower performance and monitoring cost through enabling
technologies.
In evaluating their existing GRC capabilities, many organizations have found that:
• Potential control benefits of an existing enterprise resource planning (ERP) system
have often not been fully leveraged—resulting in self-imposed limitations on these
systems’ capabilities to support efforts to reduce costs or add operational value.
• Existing key controls often have deteriorated over time and are largely manual,
costly, and inefficient.
• Monitoring capabilities are nonexistent or inadequate so that control failures
often go undetected, pointing to related deficiencies in governance oversight
and risk management.
Having evaluated their business needs and opportunities, many leaders are considering
how to embed controls monitoring capabilities into their financial, operational, and
regulatory processes as a means of improving decision making and performance
while reducing costs—all primary objectives of a well-developed GRC discipline.
These efforts call for them to:
• Identify the right controls, based on knowledge of the organization’s key risks, and,
to the extent possible, automate control performance for real-time monitoring
• Embed controls monitoring within regular business and decision processes
Understanding GRC
“Among the many unintended consequences of Sarbanes-Oxley was a new
acronym: GRC. Born of an [intended] emphasis on improving governance,
risk, and compliance, the acronym was quickly appropriated by providers of
everything from document management to ERP systems. But while software
plays a role, GRC is really a management discipline: it’s about how to balance the
often-competing demands of regulators, shareholders, customers, and market
forces, all without running afoul of an increasingly tangled thicket of regulatory
The substantial costs associated with these regulatory compliance efforts are
receiving ongoing attention. These costs have continued to rise as organizations
have sought to cope with a lack of integration among multiple regulatory compli-
ance frameworks as well as a lack of business processes in which compliance
efforts have been embedded.
To address requirements, many organizations have “bolted on” compliance programs
that are separate and distinct from their system of internal controls over operations.
They may have invested in multiple ERP solutions and add-on components that often
did not fully integrate. They may have found that their controls and test method-
ologies were largely manual. Moreover, many organizations had not integrated a
focus on risk management within business values, business requirements, and
business remuneration processes. The overall result is fragmented programs that
are complicated to operate, difficult to manage, expensive to implement and
monitor through periodic tests, and increasingly less effective in supporting sound
and timely business decisions.
At the same time, years of experience with compliance processes are enabling
leaders to find new ways to turn regulatory obligations into strategic opportunities
to reduce performance cost and improve control effectiveness. Specifically, they
are focused on integrating multiple compliance efforts and embedding them into
day-to-day operations. These endeavors call for increasing the use of automated
tools that drive improvements in the management of governance, risk, and com-
pliance—specifically by embedding controls monitoring routines into day-to-day
processes.
GRC MATURITY ASSESSMENT (Figure 1) [1]
Axes: Finance Compliance / Operations
Enhanced: Compliance is culture-centric and framework-integrated. It is achieved as
part of how business is done and is inherently part of organizational culture. The
enhanced state implies a change in mindset in which compliance is performed not
solely for the sake of complying with different laws but also to gain business
process improvement.
Embedded: Compliance is process-centric. It is achieved in a fundamentally new way
by building compliance activities and procedures into existing business processes
and technology so that business owners can start to share responsibility for compliance.
Implemented: Compliance is program-centric. It is achieved via the oversight of a new,
overarching, stand-alone program that oversees the hiring of dedicated personnel
whose main focus is coordinating and communicating the compliance activities.
Fragmented: Compliance is project-centric. It is achieved through disconnected and/or
inconsistently applied efforts throughout the enterprise. Extensive coordination and
work are required by a centralized project management function.
[1] This maturity model was introduced in the KPMG white paper, The Compliance Journey: Making Compliance Sustainable,
KPMG LLP, 2005.
Figure (diagram): Continuous monitoring as part of normal business processes, shown at
three levels—Strategic (Monitor), Tactical (Review), Operational (Test)—with Warehouse
Management at the base.
The extent of the effort required to implement a controls monitoring solution as part
of an organization’s GRC discipline is dependent on the maturity of an organization’s
compliance program, the ratio of manual to automated controls, and the extent
of the program’s integration with process, systems, and people. In general, the
more mature or embedded an organization’s compliance program and automated
controls, the easier it is to implement a tool-based controls monitoring solution.
An organization should consider its relative state of maturity as the first step on
the path to implementing a controls monitoring tool in support of its GRC program,
considering such questions as:
• Does the organization have an ERM program in place to address holistically the
myriad risks facing the business?
• Has the organization developed an awareness of the various compliance programs
to which it is subject, and has it considered the shared touch points among
these programs for an integrated view?
• Are the organization’s compliance efforts handled by a single function or spread
across the business among the affected parties?
• Does the act of complying fit comfortably into the day-to-day running of the
business, or is it an ancillary effort that requires incremental resources and time?
• Does the organization use technology to facilitate its compliance and monitoring
efforts, either through a common platform for most key business functions or
through a compliance tool or repository?
• Has the organization considered the maturity of its controls portfolio, driving
toward automated, preventive controls that are typically less costly and more
effective than manual, detective controls?
As with ERP system implementations, one of the critical elements of realizing value
in a controls monitoring tool is to ensure that processes are properly engineered
and that key controls are automated. When done right, the implementation of a
bolted-on controls monitoring tool integrated within a new ERP application, or even
the use of an existing monitoring capability within the application, can help an orga-
nization reduce risk management costs and improve business performance.
For example, controls monitoring tools are designed to monitor performance rather
than simply test it. Their use provides a new transparency into the organization’s
performance and processes, and organizations need to adjust their cultures to this
transparency. To implement such tools successfully, organizations need to take
steps to involve their business owners—those who understand the business risks
and the existing monitoring process—as well as determine how roles and responsi-
bilities should be adjusted so the organization can make the best use of the tools.
What’s more, training efforts are necessary to demonstrate that the monitoring
process is not intended as a means of assigning blame for poor performance but
rather as an effort to create a sustainable process for monitoring the real risk issues
for corporate leaders so that related business improvements can be made at the
business group/unit level.
AN APPROACH TO IMPLEMENTING CONTROLS MONITORING TOOLS
Efforts to reduce and sustain compliance costs and improve performance will vary
by organization and depend on the maturity of current practices (see Figure 1).
The approach to implementing the right tool and to monitoring the right controls
calls for a disciplined GRC process, and the vast majority of organizations are working
through the complexities and considerations involved in building an effective, sus-
tainable program.
A number of key issues would likely arise in a maturity assessment. From a gov-
ernance perspective, organizations should consider how well they are achieving
key goals, including:
• Embedding not only the performance of key controls but also the testing of
these controls into normal operations
• Aligning risk and compliance management activities with the business’s strategic
direction and embedding these efforts into business process performance
• Meeting decision makers’ demands for additional transparency into their operations’
performance
• Engendering among “owners” of compliance frameworks the willingness to
integrate efforts
• Managing compliance from the perspective of improving performance and creating
strategic value.
The organization needs to determine the scope of the project—that is, whether the
project should be an enterprise-wide implementation or a phased-in approach. If it is
a phased approach, the organization must decide which processes, units, or programs
to include first. As a general rule, the greater the state of the organization’s GRC
maturity, the greater the scope can be since much of the “integration” groundwork
has already been established. In situations where an organization’s GRC capability is
not highly mature, an effective approach can be to start with the most standardized
processes supported by common technology platforms and/or to address some of
the most integrated compliance programs (such as Sarbanes-Oxley).
Organizations face a number of compliance requirements, including Section 404 of the
Sarbanes-Oxley Act (S-O 404), ISO (i.e., BS7799), U.S. Food and Drug Administration (FDA),
and Basel II, among others. To achieve a single view of risk, organizations should build
entity-specific frameworks that integrate all compliance requirements into a single
framework, thereby reducing their “test” and “monitor” efforts significantly. Depending on the
scope of the implementation, a controls monitoring tool can help enable organizations to
address the complexities of compliance across these various frameworks. Specifically,
such a tool can enable organizations to achieve integration and standardization as well as
a single view of risk, all of which can help drive value-added business insights.
Figure (diagram): Controls Monitoring feeding separate compliance reports for S-O 404,
FDA, BS7799, and Basel II. Source: KPMG LLP (U.S.), 2008
The organization then needs to decide on the scope of the controls to monitor.[2]
Management would start this process by reviewing its existing efforts to manage
business risks, its automated controls and the extent to which they are operating
effectively, and its process for measuring compliance—specifically whether this
process is manual or automated and if testing and reporting are embedded within it.
It would also assess its existing portfolio of key controls and how that portfolio is
aligned with strategic business drivers, ERM initiatives, and other compliance programs.
Assessing control dimensions is equally useful. Manual controls depend on people
doing the right action consistently; thus, they carry a greater risk of nonperformance
and a higher cost to perform and to test for compliance than automated controls. By
contrast, automated controls can help reduce costs, improve risk management, and
provide more predictive business insights. Automated controls—such as balancing
control activities, predefined data listings, data reasonableness tests, and logic tests—
often are embedded within software programs to prevent or detect unauthorized
transactions.
Manual versus Automated
In reality, there will always be key manual controls; however, since the cost of
performance and monitoring is generally high and the risk of performance failure
is greater than with automated controls, organizations should seek to set goals that
define the ratio of automated to manual controls. For example, a reasonable goal
might be to have 60–70 percent of the controls portfolio made up of preventive
automated controls.
Once an organization has defined its project scope, sufficient data has typically
been gathered to support the next step—selection of an appropriate controls
monitoring solution.
[2] For a discussion of ways to evolve a controls portfolio, see The Compliance Journey: Balancing Risk and Controls with
Business Improvement, KPMG LLP, 2004.
Many organizations will elect to implement a controls monitoring tool for a chosen
subset of their overall GRC programs for the various reasons explored above.
However, when selecting a means of controls monitoring, whether it is a third-
party tool or existing functionality in a current ERP system, an organization is
encouraged to take a “big picture” view. By developing a guiding vision of what
the organization’s integrated, end-state should be, leadership will be better positioned
to methodically evaluate the options and select a tool that provides for optimal
long-term opportunity.
Figure (diagram): Three monitoring levels—Strategic (ERM), Tactical (Process Level),
and Operational (Monitoring/Testing Level).
A number of tools are available for monitoring key automated controls at the operational
“fact-finding” level. The right choice will depend on the organization’s business
requirements and desired benefits, including practical considerations such as
how well the proposed tool will integrate with existing systems and tools.
Generally, controls monitoring tools fall into two categories: (1) those that are
integrated within ERP applications—such as SAP GRC and Oracle GRC—and
(2) specialized add-on tools such as Approva, CSI, ACL, IDEA, and BWise. Almost
all of these applications offer one or both of two fundamental monitoring capabilities:
user authorizations/segregation of duties and monitoring of process/transaction
controls. As part of the tool-selection process, an organization must consider
which capabilities it desires to build into its automated framework.
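As an added illustration (not code from the KPMG paper or any of the tools it names), the following Python script shows what the two fundamental capabilities above look like in practice, using the automated-control types named earlier (balancing, predefined data listing, reasonableness test, logic test) plus an authorization-level segregation-of-duties check. The payment records, vendor master, role table, threshold and tolerance are all constructed assumptions.

```python
"""Continuous controls monitoring over constructed purchase-to-pay payments.

Added example, not from the KPMG paper. Each check mirrors one of the
automated-control types the paper lists; the output is the exception list
a compliance dashboard would surface to business owners.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Payment:
    doc_id: str
    vendor: str
    amount: float
    created_by: str
    approved_by: str
    po_amount: Optional[float]  # None when no purchase order backs the payment


# Constructed reference data standing in for ERP master tables.
APPROVED_VENDORS: Set[str] = {"V100", "V200"}
ROLES: Dict[str, Set[str]] = {
    "alice": {"create_payment"},
    "bob": {"approve_payment"},
    "carol": {"create_payment", "approve_payment"},  # conflicting combination
}
REASONABLENESS_LIMIT = 50_000.0  # assumed per-payment ceiling
BALANCE_TOLERANCE = 0.01         # assumed rounding tolerance

SAMPLE_PAYMENTS = [  # constructed transactions
    Payment("PAY-1", "V100", 1_200.00, "alice", "bob", 1_200.00),    # clean
    Payment("PAY-2", "V999", 75_000.00, "carol", "carol", 75_000.00),
    Payment("PAY-3", "V200", 3_000.00, "alice", "bob", None),
    Payment("PAY-4", "V200", 2_500.00, "alice", "bob", 2_450.00),
]


def sod_conflicts(roles: Dict[str, Set[str]],
                  pair: Tuple[str, str] = ("create_payment", "approve_payment")) -> List[str]:
    """User-authorization SoD: users granted both halves of a conflicting pair."""
    first, second = pair
    return sorted(user for user, granted in roles.items()
                  if first in granted and second in granted)


def run_controls(payments: List[Payment]) -> List[Tuple[str, str]]:
    """Process/transaction controls; returns (document id, control name) exceptions."""
    findings: List[Tuple[str, str]] = []
    for p in payments:
        if p.vendor not in APPROVED_VENDORS:            # predefined data listing
            findings.append((p.doc_id, "vendor_not_in_master"))
        if p.amount > REASONABLENESS_LIMIT:             # data reasonableness test
            findings.append((p.doc_id, "amount_exceeds_limit"))
        if p.created_by == p.approved_by:               # logic test: SoD on the document
            findings.append((p.doc_id, "creator_equals_approver"))
        if p.po_amount is None:                         # logic test: no purchase order
            findings.append((p.doc_id, "no_purchase_order"))
        elif abs(p.amount - p.po_amount) > BALANCE_TOLERANCE:  # balancing control
            findings.append((p.doc_id, "payment_po_mismatch"))
    return findings


def dashboard_summary(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Exception count per control, the figure a dashboard tile would display."""
    return dict(Counter(control for _, control in findings))


if __name__ == "__main__":
    print("Users with conflicting roles:", sod_conflicts(ROLES))
    for doc_id, control in run_controls(SAMPLE_PAYMENTS):
        print(f"{doc_id}: {control}")
    print(dashboard_summary(run_controls(SAMPLE_PAYMENTS)))
```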
Monitoring performance is one of the most important aspects of this effort because
it brings critical information to the attention of the business owners. Effective
reporting can elevate seemingly mundane compliance activities to important
information about business risks. In other words, integration of the compliance
dashboard into the business will enable insights to emerge and be available to
leadership to monitor control performance against enterprise risks, including
regulatory compliance requirements.
Reporting can reveal holes in the organization’s internal control environment, often
on a real-time basis, so that the business owners who understand the inherent
risks can take steps to address the problems.
A few key measures can help ensure the effectiveness of reporting/dashboarding.
From the beginning of a controls monitoring effort, organizations should:
• Identify recipients of these reports as well as their information requirements,
and tailor reporting/dashboarding views based on business needs
• Discuss the content and the frequency of the reports
• Identify the separate viewpoints of different compliance programs so
reports can be issued as needed
• Identify the requirements of various internal and external reviewers, who are
likely to first look into the results and then require more detailed explanations
• Improve acceptance of reporting
Figure 4: Example Dashboards (panels: Operating Company, Procurement, Sales).
Source: KPMG LLP (U.S.), 2008
CONTRIBUTORS
Don F. Farineau
Keri L. Dawson
Diane K. Nardin
Thomas Erwin
kpmg.ca
KPMG LLP
KPMG LLP, a Canadian limited liability partnership established under the laws
of Ontario, is the Canadian member firm affiliated with KPMG International, a
global network of professional firms providing Audit, Tax, and Advisory services.
Member firms operate in 144 countries and have more than 137,000 professionals
working around the world.
KPMG has over 5,000 employees with approximately 450 providing Advisory
Services to clients across Canada.
CONTACT US
For more information, please contact your KPMG adviser or any of our IT Advisory
professionals:
The information contained herein is of a general nature and is not intended to address the circumstances of any
particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no
guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in
the future. No one should act on such information without appropriate professional advice after a thorough
examination of the particular situation.
© 2008 KPMG LLP, a U.S. limited liability partnership and a member firm of the KPMG network of independent member firms
affiliated with KPMG International, a Swiss cooperative. All rights reserved. Printed in the U.S.A. KPMG and the KPMG logo are
registered trademarks of KPMG International. Products mentioned herein may be the trademarks of their respective owners. 080512