
The full scope of services within the Continuous Auditing / Continuous Monitoring (CACM)
Methodology Guide is not permissible for SEC audit clients and IFAC PIE clients and their affiliates.
CACM services are generally permissible for IFAC non-PIE audit clients subject to evaluating
engagement circumstances using the conceptual framework (i.e. threats and safeguards approach) as
outlined in the Global Quality & Risk Management Manual Chapter 11. Refer to the contents of this
document for detailed guidance. Note: Throughout this document you will see the symbol to the left which
indicates that you should refer to the independence guidance on slides 11-20 of this guide.

Continuous Auditing/Continuous Monitoring
Methodology Guide
ADVISORY
For the purpose of this document, all references to KPMG International, a Swiss cooperative that serves as a
coordinating entity for a network of independent member firms operating under the KPMG name, will be referenced
as KPMG International. Throughout this document, “KPMG” [“we,” “our,” and “us”] refers to the local, independent
KPMG member firm or firms. Throughout this document, “client” [“they,” “their,” and “them”] refers to the local,
independent member firm’s client. KPMG International provides no client services.

For Internal Use Only


© 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG
network of independent firms are affiliated with KPMG International. KPMG International provides no client
services. No member firm has any authority to obligate or bind KPMG International or any other member firm
vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member
firm. All rights reserved. FOR INTERNAL USE ONLY
Contents

Introduction and Overview


Risk Management Guidance
Methodology
Initiate (GREG)
1.0 Plan
2.0 Assess
3.0 Design
4.0 Implement
4a CA KPMG Licensed Tool
4b CA/CM Third Party Tool
5.0 Execute
6.0 Evaluate
Close (GREG)

Introduction And Overview

The Continuous Auditing / Continuous Monitoring (CA/CM) Methodology Guide provides guidance for KPMG member firm
engagement teams to provide CA/CM planning, assessment, design, implementation and execution services for their clients.

The implementation of CA/CM will typically involve the consideration of existing business processes, controls,
business models, systems and organizational structures, all of which aim to help an organization achieve its
business objectives and help enhance overall performance results.

CA/CM services should be delivered by KPMG member firm professionals with experience in the planning, designing,
and implementing of CA/CM engagements. These engagements may include working with CA/CM software providers
(e.g., Approva, Oversight, IDEA, KOLA etc.) to implement CA/CM for the client. KPMG professionals should be
familiar with the implementation requirements and techniques of these products.

General Guidance for Using this Methodology Guide
• CA/CM engagements should be delivered by experienced, multidisciplinary KPMG member firm managers/partners who
have participated in CA/CM training.
• Each client will have different needs that may require some adaptation of the recommended steps provided in this guide.
• Refer to the CA/CM MicroWeb site to access the current version of the methodology and the related tools and templates.
• Components of the CA/CM service may be offered to audit clients but require lead partner approval which is
obtained and tracked through the Sentinel/Global Conflict Management (GCM) system. See detailed guidance
regarding independence on slides 13 to 20.

Potential CA Triggers
• Increased desire to improve existing internal auditing processes (i.e., to make the auditing process more
efficient and effective)
• Increased demand for more reliable information
• Evidence of one or more occurrences of fraudulent activity

Potential Client Benefits
• Identification of control weaknesses and operational inefficiencies
• Ability to frequently or continuously assess risks through the timely consideration of transactions and/or the
operation of controls
• Increased ability to deal with issues when they are fresh and address problems before they escalate

Potential CM Triggers
• Increased demand to demonstrate sound governance
• Increased scrutiny by rating agencies and listing exchanges
• Occurrence or risk of fraud or misconduct
• Expanding regulatory and legal risk environment

Potential Client Benefits
• Improved speed of information delivery to the business allowing a quicker response
• Monitoring regulatory and internal compliance
• Ability to compare data and transactions across multiple platforms

Understanding the Visual Metaphor
CA/CM Implementation Model - Functional Components Defined
• Continuous Auditing (CA) is defined as the collection of audit evidence and indicators, by an internal or external auditor, on IT systems,
processes, transactions and controls on a frequent or continuous basis, throughout a period. Technology is one key to helping enable CA.

• Continuous Monitoring (CM) is defined as an automated feedback mechanism used by management to help ensure that systems and
controls operate as designed and transactions are processed as prescribed.

The CA/CM Visual Design


Assess
By gathering relevant information and conducting analyses, we are able to assess the current state of the client’s
CA/CM environment and determine the scope and objectives of the engagement

By confirming the business areas to be addressed as part of the engagement, we are able to complete the draft
implementation plan and design measures, thresholds, analytics, reports and dashboards relating to the
selected CA/CM suite of tools

Risk
Understanding the organization’s risk profile is fundamental to delivering a CA/CM engagement as we are able to
help prioritize and direct resources to those areas that are important to the client’s business

Implement
We may either implement the selected CA tool on behalf of the client or work with a third party to assist the client
with the implementation of the selected CA/CM tool

Industry and Functional Knowledge
Our industry and functional knowledge supports a CA/CM implementation. By leveraging our understanding of
industry specific risks and control weaknesses, as well as our understanding of the systems and processes of the
organization, we are able to assist the client to achieve an effective and efficient implementation.

People, Process, Technology
The CA/CM methodology also considers the role of People, Process and Technology. We consider the role of people
(e.g., CA/CM resources, skills and knowledge, executive support), existing processes (e.g., CA/CM strategies,
training and reporting processes), and technology (e.g., systems, data quality and user reporting).

How to Read this Methodology Guide

CA/CM Process Overview

Slide 22 provides an overview of the CA/CM engagement process and demonstrates how it integrates with the
Global RAS Engagement Guide (GREG).

Phases
The phase objectives, the high-level steps, and the potential outputs or deliverables for the phase are listed. The
orange points represent areas in the methodology where a KPMG engagement management checkpoint slide has
been added to provide additional guidance. The checkpoint provides additional considerations that may be
discussed with the client or the engagement team prior to proceeding to the next section.

Steps and Activities

Provides additional information about the activities associated with each of the steps. The potential inputs,
potential outputs, and available tools, techniques, methodologies or templates are listed for each activity.

Activities and Tasks

Provides additional detail about the potential tasks that are associated with each of the activities listed. The
slide provides guidance related to the specific tasks and general risk management notes. The order (and
inclusion/exclusion - a number of the activities and tasks are not applicable when undertaking a CM
engagement) in which the tasks or activities are performed may be adjusted based on the needs of the
engagement. It is expected that some of the activities or tasks may be conducted in parallel, when
appropriate.

How to find the supporting tools, templates and sample outputs

• The CA/CM Knowledge Repository supports the methodology and is populated with sample tools, templates, and
sanitized outputs. It resides on the CA/CM homepage.
• The CA/CM method guide also identifies where other KPMG methodologies may be useful for supporting delivery of
CA/CM engagements.
• This guide must be in slide show mode to access links to tools and templates.
[Figure: annotated sample methodology slide, "2.3 Perform risk assessment, gap analysis and supplemental analysis",
showing where links to supporting material appear. Callouts: Main Repository (CA/CM Knowledge Repository: tools and
templates); the Tools and Templates column of each activity slide; Other Relevant Methodologies (GREG – Global RAS
Engagement Guide; Business Performance Improvement; Enterprise Risk Management Methodology and Tools;
Governance, Risk and Compliance Methodology and Tools; Fraud Risk Management Methodology and Tools).]

Acronyms used in this method guide

Term    Meaning

ALD     Advisory Learning & Development
ARMP    Area Risk Management Partner
BPI     Business Performance Improvement methodology
CM      Change Management
CSF     Critical Success Factors
CSV     Comma Separated Values
EPM     Engagement Project Management
ERM     Enterprise Risk Management
ERP     Enterprise Resource Planning
FRM     Financial Risk Management
FTP     File Transfer Protocol
GCM     Global Conflict Management
GREG    Global RAS Engagement Guide
GRMM    Global Risk Management Manual
GSC     Global Services Centre
IFAC    International Federation of Accountants
IT      Information Technology
ITPA    IT Project Advisory
JE      Journal Entries
KOLA    KPMG Online Auditing
KPI     Key Performance Indicators
KSI     Key Success Indicators
PA      Process Analysis
PPL     Professional Practice Letter
QA      Quality Assurance
RAS     Risk Advisory Services
RM      Risk Management
SAN     Sentinel Approval Number
SEC     Securities and Exchange Commission
SOX     Sarbanes Oxley Act
SoD     Segregation of Duties
USB     Universal Serial Bus

Risk Management Guidance (1 of 3)

General Risk Management Guidance

Consider the risk management guidance below prior to proposing on a CA/CM engagement. Additional risk management
guidance can be found throughout the methodology related to the specific delivery areas.

Topic / What is Risk Management concerned about?

Type of targeted client
The full scope of services in this methodology guide is not permissible for SEC audit clients and their affiliates.
See detailed guidance regarding independence on slides 10-17 of this guide.

Intended distribution of deliverables
Distribution of the CA/CM deliverables should be limited to the KPMG member firm team, client project teams, and
the client steering committee, subject to the use of deliverables clause.

Anticipated third party/subcontractors supporting the initiative
The use of third parties and subcontractors is common in CA/CM engagements. In some cases KPMG will work with a
software provider to present the CA/CM approach for a client. Subcontractors may be utilized to augment engagement
team resources. Engagement teams should refer to U.S.-RMM Chapter 33 for specific guidance on the procedures for
use of subcontractors and consult their local risk management guidance. Engagement teams should also refer to
Part III, Chapter 8 of the Global Quality & Risk Management Manual (GQ&RMM) for additional guidance.

Potential conflict-of-interest issues
The project team should be aware of existing KPMG external audit relationships with software suppliers when
engaging with the client. KPMG teams should not work with these vendors on proposal opportunities but may operate
as advisors on behalf of the client to conduct a vendor evaluation. KPMG member firms may also work with these
vendors to assist with implementation activities as long as both parties have been contracted independently by
the client.

Client resources
The client needs to have skilled resources available to review all KPMG recommendations. The client is responsible
for all management decisions for this and other projects.

Client sign-off
The engagement team should establish appropriate milestones for client signoff to help ensure continuous oversight
by the client steering committee. These signoffs should be documented and included in the engagement work papers.

Other risk management issues
Consult your local risk management partner before performing engagements with significant IT components. CA/CM
assessment, design and implementation services should be conducted by qualified KPMG professionals. Where
appropriate, BPS professionals should be consulted to assist with process redesign efforts.

Risk Management Guidance (2 of 3)

Topic / What is Risk Management concerned about?

Personal Identifiable Information (PII) and Other Confidential Information
KPMG member firm field professionals should collect only that information necessary for the execution of KPMG’s
role in the engagement, and they should refuse to accept PII and other confidential information that may be
provided by the client but is not needed by the KPMG team. PII may include, for example, one or more (or certain
combinations, including business contact information) of the following: name, address, phone number, email
addresses, financial and bank account numbers, social security numbers, state and federal identification numbers,
employee ID numbers, medical information, photos, and date of birth, etc. Protected Health Information (PHI) is a
subset of PII and refers to confidential, personal, identifiable information about individuals which relates to an
individual's past, present or future physical or mental health or condition, the provision of health care to an
individual, or the past, present, or future payment for the provision of health care to an individual.

Field professionals should discuss this issue with clients so both KPMG and the client fully understand the
sensitive nature and intended use of the information collected. If KPMG becomes aware that the client has provided
(and KPMG has accepted) PII or other confidential information not needed by KPMG for purposes of the engagement,
such information should be immediately returned to the client and not retained by KPMG, except when doing so would
cause KPMG to be in non-compliance with any engagement-specific data retention requirements.

Encryption technology must always be used when collecting, transporting, and storing client data and related
analysis when such work is performed in environments outside KPMG laptops.* Member firm professionals are required
to limit the access and distribution of client data and related analysis to those KPMG professionals who have a
“need to know.”

* U.S. partners and employees should refer to required guidance provided by the U.S. Information Security Group at
(http://usisweb.us.kworld.kpmg.com/isg/policyframework/overview.asp). See additional guidance in part V –
Information, IT Resources and Personal Security (Risk Management Manual), section 40 – Protecting Electronic
Information and Information Technology Resources (Risk Management Manual).

Project Management
Client management must make all decisions and judgments in relation to the project.

With regard to non-audit clients, KPMG may perform most project management activities subject to the active
involvement of competent client personnel to oversee the activities. KPMG may serve as an engagement advisor
reporting to a client engagement manager who has active involvement. KPMG may also furnish resources for the
Project Management team (for non-audit clients only); refer to local member firm risk management guidance. For
audit clients, please refer to the independence guidance section of this document for further guidance.

KPMG may not manage or take responsibility for the engagement activities of a client or third party personnel.
However, KPMG may perform facilitation and coordination roles as long as the management role and responsibility
for decisions remain with the client. The Partner or Manager should have specific experience or training in
project management. Second Partner involvement may be required for large or complex engagements, at the discretion
of the Area/Country Risk Management Partner. Refer to the independence guidance for permissions on audit clients
and their affiliates.

The engagement team should establish appropriate milestones for client signoff to help ensure continuous oversight
by the client steering committee. These signoffs should be documented and included in the engagement work papers.

Risk Management Guidance (3 of 3)

Topic / What is Risk Management concerned about?

Limitation of Results of Engagements
At no stage can a guarantee or promise to the client be made regarding compliance with said regulation/standard or
the expected potential financial statement impacts. Any projected financial statement impact should be in the form
of direction. This data can be provided on the understanding that KPMG does not guarantee that this directional
impact will be realized as a result of implementing action plans and can be subject to change. All analysis should
be based on sound process with the process and analysis provided as evidence as to how the directional impact was
determined.

Implementing regulations, laws, standards and guidelines may affect accounting and other financial and operating
ratios relevant to banking and covenants. It is required that the client accepts full responsibility for assessing
the impact of options on banking and finance covenants if we assist the client in the underlying assessment.

Working with Third Parties
The use of third parties and subcontractors is common in CA/CM engagements. In some cases KPMG will work with a
software provider to present the CA/CM approach for a client. Subcontractors may be utilized to augment engagement
team resources. Engagement teams should refer to U.S.-RMM Chapter 33 for specific guidance on the procedures for
use of subcontractors and consult their local risk management guidance.

Qualified Professionals
KPMG policy requires that professionals with appropriate training, depth of experience, and concentration of
practice serve on engagements. Throughout the course of the engagement, the member firm’s core team will need to
utilize subject matter professionals who are knowledgeable in, for example, information technology, change
management, tax structures, industry specifics, and other key areas. Subject matter professionals are typically
identified when the team is initiating and planning the engagement, and their use is a factor in the engagement
scope and fees. If, while performing the engagement, the team requires subject matter professionals in addition to
those already deployed, it should review and adjust the engagement scope and fees as necessary. While no
certification or accreditation is required, given the nature of each particular engagement, the Engagement Leader
must consider whether the engagement is appropriately staffed to include the involvement of engagement team
members with specialized knowledge, skills, and experience.

Independence Guidance (1 of 10)

Introduction to independence guidance


The full scope of services in this Methodology Guide is not permissible for SEC audit clients and their affiliates and IFAC Public Interest
Entities (PIEs) and their related entities. Generally, restrictions are greater for SEC audit clients and their affiliates and for IFAC PIEs
than for other audit clients. The following are general guidelines on the application of the independence rules with respect to CACM
methodology for audit clients and their affiliates. It is intended to be used as general guidance only and is not a substitute for reading
independence policies and guidance provided in Chapter 12 of the U.S. Risk Management Manual and Chapters 11 and 20 of the Global
Quality & Risk Management Manual. The specific facts and circumstances of the audit client situation must be carefully assessed when
applying this independence guidance.

Internal Audit Services Guidance

SEC Audit Clients and their Affiliates (SEC Audit Client(s))


Permission is required from the SLRMP before engaging in this type of engagement with SEC audit clients or their affiliates. Consultation
with the independence group is required for any requests to perform Internal Audit Services work at Audit clients. (Refer to IAS Chapter
3).
KPMG does not provide recurring outsourcing or co-sourcing internal audit services to SEC Audit clients. Internal audit services that
relate to the internal accounting controls, financial systems, or financial statements of an SEC audit client may not be provided unless it is
reasonable to conclude that the results of these services will not be subject to audit procedures during an audit of the audit client's
financial statements (S-X 2-01 (c)(4)(v)).
However, performing non-recurring engagements of operational items or other programs that are not in substance the outsourcing of the
internal audit function may be permitted. Providing audit or attest services relating to internal controls is also permitted. Consultation
with the Independence Group is required prior to accepting such internal audit work for an SEC audit client. In addition, for SEC Audit
clients, audit committee pre-approval is required. Refer to RMM-US 12.21.5.1-12.21.5.3.3 and 12.21.5.13 for further guidance.
SEC audit clients are subject to the Sarbanes-Oxley Act of 2002 Section 404 and Internal Control Over Financial Reporting (ICOFR).
KPMG cannot provide services to audit clients where the service or deliverable becomes the basis for management's assessment of
ICOFR. KPMG may not design or conduct tests of internal controls for audit clients as part of management's internal control evaluation
nor may the firm assist management in evaluating and concluding on the design or operating effectiveness of internal controls. The firm
may, however, point out control deficiencies. In addition, engagement teams should consider the firm's ability to continue to provide
certain advisory services to its audit clients who become or intend to become issuers within a one year period.

Independence Guidance (2 of 10)

IFAC Audit Clients and their Related Entities (IFAC Audit Client(s))
We may not perform management responsibilities for an IFAC audit client. Performing a significant part of the client’s internal audit
activities increases the possibility that KPMG member firm personnel providing internal audit services will assume a management
responsibility. Examples of internal audit services that involve assuming management responsibilities include:
a) setting internal audit policies or the strategic direction of internal audit activities;
b) directing and taking responsibility for the actions of the entity’s internal audit employees;
c) deciding which recommendations resulting from internal audit activities shall be implemented;
d) reporting the results of the internal audit activities to those charged with governance on behalf of management;
e) performing procedures that form part of the internal control, such as reviewing and approving changes to employee data
access privileges;
f) taking responsibility for designing, implementing and maintaining internal control; and
g) performing outsourced internal audit services, comprising all or a substantial portion of the internal audit function, where the
member firm is responsible for determining the scope of the internal audit work and may have responsibility for one or more of
the matters noted in a) – f).

For IFAC audit clients who are Public Interest Entities (PIEs) we may not provide internal audit services that relate to:
a) a significant part of the internal controls over financial reporting;
b) financial accounting systems that generate information that is, separately or in the aggregate, significant to the client’s
accounting records or financial statements on which the member firm will express an opinion; or
c) amounts or disclosures that are, separately or in the aggregate, material to the financial statements on which the member
firm will express an opinion.

For IFAC audit clients who are non-PIEs, a threats and safeguards approach should be applied.

For all IFAC audit clients, when a KPMG member firm accepts an engagement to provide internal audit services to an audit client and
the results of these services will be used in conducting the external audit, the self-review threat that is created shall be evaluated and
safeguards applied when necessary to eliminate the threat or reduce it to an acceptable level.

Refer to GQ&RMM-US Section 11.1.10 for further guidance on internal audit activities.

Independence Guidance (3 of 10)

General Independence Guidance


Permitted Services for All Audit Clients and their Affiliates

We are permitted to perform certain services for all audit clients and their affiliates, including:

Assessment Services. We may perform various assessment services and provide our observations and recommendations (O&R) for an
audit client’s consideration. Our O&R may include our comments on a client’s processes, systems, controls or operations and our
recommendations. In addition, we can provide our comments regarding the relative priority of items for action (i.e., high, medium, and
low). However, we need to ensure that our O&R are not so extensive that we are in substance designing processes, systems, or controls
for the audit client because doing so may violate the independence rules, if related to the client’s financial or risk management systems
and controls. See restrictions below for SEC and IFAC audit clients as they relate to Design and Implementation Services.

The assessment services and our O&R on processes and systems may be performed on systems as they currently exist or after they are
re-designed by the audit client or a third party, as a pre-implementation assessment of the design or as a post-implementation
assessment. However, caution should be exercised in performing an assessment of the same matter so frequently that in substance we
are becoming part of the client’s design, implementation or monitoring effort. See restrictions below for SEC and IFAC audit clients as
they relate to Design and Implementation Services and Monitoring Services.

Gap Analysis. Assessment services may also include a gap analysis. We may perform a gap analysis in many areas, including
comparison of existing client processes and controls to established industry and regulatory standards or controls. We can also provide
our comments regarding the relative priority of any gaps for action (i.e., high, medium, and low). However, it is ultimately the client’s
responsibility to determine which gaps to remediate and to perform the remediation itself.

SEC Audit Clients and their Affiliates (SEC Audit Client(s))

Management function. We may not perform a management function for an SEC audit client. Management functions include acting,
temporarily or permanently, as a director, officer or employee of an audit client or taking responsibility for decision-making, designing,
implementing, maintaining and monitoring internal controls. Examples include negotiating on behalf of a client, having custody or control
of a client’s assets or authorizing transactions, managing a project team for a client or participating as a member of a client’s model
development team.

Independence Guidance (4 of 10)

SEC Audit Clients (continued)


Design and Implementation Services. We may not perform design and implementation services related to a client’s financial or risk
management systems and controls. Prohibited design and implementation services include but are not limited to the following:
• Assist the audit client to design the envisioned future state or develop a detailed roadmap
• Assist the audit client to design and implement business processes, systems and controls, including risk management or financial
systems and controls
• Active project management assistance

For SEC audit clients, KPMG member firm professionals may perform design and implementation services unrelated to financial or risk
management processes, systems, or controls if the work does not involve a management function.

Monitoring Services. We may not perform monitoring services for SEC audit clients and their affiliates. We may perform an assessment
once the client’s system/process/controls have been redesigned or implemented by the client or third party (refer to permitted services on
previous slide). However, we should not perform an assessment of the same matter so frequently that in substance we are becoming part
of the client’s monitoring effort.
IFAC Audit Clients and their Related Entities (IFAC Audit Client(s))

Management responsibilities. We may not perform management responsibilities for an IFAC audit client. Whether an activity is a
management responsibility depends on the circumstances and requires judgment. Examples of management responsibilities include
setting policies and strategic direction, directing and taking responsibility for the actions of the entity’s employees, authorizing
transactions, deciding which recommendations to implement, taking responsibility for the preparation and fair presentation of the financial
statements and taking responsibility for designing, implementing and maintaining internal control.

Activities that are routine and administrative, or involve matters that are insignificant, are generally not deemed to be a management
responsibility. Examples include executing an insignificant transaction that has been authorized by management, monitoring the dates
for filing statutory returns and advising an audit client of those dates. Further, providing advice and recommendations to assist
management in discharging its responsibilities is not assuming a management responsibility.

Independence Guidance (5 of 10)

IFAC Audit Clients and their Related Entities (continued)

Design and Implementation Services

IFAC audit clients who are Public Interest Entities (PIEs). We may not perform design and implementation services that are related to
a client’s IT systems that form a significant part of the internal control over financial reporting or generate information that is significant to
the accounting records or financial statements on which any KPMG member firm will express an opinion.

IFAC audit clients who are not Public Interest Entities (Non-PIEs). We may perform design and implementation services that are
related to a client’s IT financial systems and controls as long as the appropriate safeguards are in place to reduce the risk of self-review.
For IFAC audit clients that are not PIEs, such services shall not be provided unless the client acknowledges and takes on the following
responsibilities:

a) the client acknowledges its responsibility for establishing and monitoring a system of internal controls;
b) the client assigns the responsibility to make all management decisions with respect to the design and implementation of the hardware
or software system to a competent employee, preferably within senior management;
c) the client makes all management decisions with respect to the design and implementation process;
d) the client evaluates the adequacy and results of the design and implementation of the system; and
e) the client is responsible for operating the system (hardware or software) and for the data it uses or generates.
Depending on the degree of reliance that will be placed on the particular IT systems as part of the audit, a determination shall be made as
to whether to provide such non-assurance services only with personnel who are not members of the audit team and who have different
reporting lines within the member firm. The significance of any remaining threat shall be evaluated by the audit engagement team and
safeguards applied when necessary to eliminate the threat or reduce it to an acceptable level.

For both PIEs and Non–PIEs we can perform design and implementation services for non-financial systems (including those
that relate to risk management controls).

Independence Guidance (6 of 10)

Monitoring Services
All IFAC audit clients. If the client remains responsible for maintaining the processes, systems, and controls for which we would be
performing monitoring services, such services are generally permissible. However, for PIEs, we may not provide internal audit services
that relate to:
• a significant part of the internal controls over financial reporting;
• financial accounting systems that generate information that is significant to the client's accounting records or financial statements on
which KPMG will express an opinion; or
• amounts or disclosures that are material to the financial statements on which KPMG will express an opinion.
Monitoring of internal control is an example of internal audit activities; as such, whether or not monitoring services are part of an internal
audit engagement, we should evaluate the significance of any monitoring activities in relation to the above restrictions. For both PIEs and
Non-PIEs there is clearly a danger with monitoring services that we effectively become responsible for maintaining the underlying
processes themselves, which would be a prohibited management responsibility. Therefore, the monitoring services provided to IFAC
audit clients should be continually assessed to ensure that independence is not impaired.

Fee Arrangements

SEC Audit Clients


Contingent/performance related fees are not permitted for SEC audit clients and their affiliates.

IFAC Audit Clients (PIEs and Non-PIEs)


For IFAC audit clients and their related entities, contingent fee arrangements are generally subject to the threats and safeguards
approach, but we may not charge (directly or indirectly) a contingent fee for non-assurance services if the:

• fee is charged by the KPMG member firm expressing the opinion on the financial statements and is material to that member firm; or
• fee is charged by another member firm that participates in a significant part of the audit and is material to that member firm; or
• outcome of the service, and therefore the fee, is dependent on a future or contemporary judgment related to the audit of a material
amount in the financial statements
Independence Guidance (7 of 10)

For IFAC clients, when specific guidance on a particular non-assurance service phase/step is not included, the conceptual framework
(e.g. threats and safeguards approach) as outlined in the Global Risk Management Manual Chapter 11 shall be applied when evaluating
the particular circumstances. The following independence restrictions apply:
Phase: Plan
SEC Audit Clients: Permitted
IFAC Audit Clients PIE: Permitted
IFAC Audit Client Non PIEs: Permitted
Comments:
Activities in Phase 1 are permitted for audit clients as they are internal planning activities.

Phase: Assess
SEC Audit Clients: Some Restrictions
IFAC Audit Clients PIE: Some Restrictions
IFAC Audit Client Non PIEs: Permitted with safeguards
Comments:
Activities 2.1 to 2.4 (except the development of response and remediation plans in activity 2.3.4) are permitted for SEC audit clients
as they are data gathering, assessment and gap analysis services. Activity 2.5 is not permitted for SEC audit clients and their affiliates
as they are design services related to a client’s financial or risk management processes, systems or controls. We may provide our O&R
and comments on a client’s processes, systems, controls or operations. However, we need to ensure that our O&R are not so extensive
that we are in substance designing processes, systems, or controls for the audit client.

Guidelines for IFAC audit clients: For IFAC PIE audit clients we can perform internal audit activities related to risk and operational
processes. However, for activity 2.5 we are not permitted to provide internal audit services/document the future state if they relate to:
a) a significant part of the internal controls over financial reporting;
b) financial accounting systems that generate information that is, separately or in the aggregate, significant to the client’s
accounting records or financial statements on which the member firm will express an opinion; or
c) amounts or disclosures that are, separately or in the aggregate, material to the financial statements on which the member
firm will express an opinion.

Refer to additional guidance on Slide 12 for IFAC PIE and non-PIE audit clients.

Subject to the above restriction for IFAC PIEs, this Phase is permitted upon evaluating the threats and safeguards, and provided we do
not assume a management responsibility as outlined on page 13. It is important that a member of client management is responsible for
making the significant judgments and decisions that are the proper responsibility of management, evaluating the results of the service
and accepting responsibility for the actions to be taken arising from the results of the service. For example, we cannot be responsible
for the design of the client’s future state in Step 2.5. KPMG may provide O&R in preparing plans and illustrate our advice with example
drafting without impairing independence. In this context, we may process information for a client but may not perform critical analyses
or insight that would be provided by a Manager level team member or above.
Independence Guidance (8 of 10)

Phase: Design
SEC Audit Clients: Some Restrictions
IFAC Audit Clients PIE: Some Restrictions
IFAC Audit Client Non PIEs: Permitted with safeguards
Comments:
Activities in 3.1 are permissible for audit clients, as we are prioritizing outcomes from the assess phase per management’s criteria.
Activities 3.2-3.3 and 3.5 are not permitted for SEC audit clients and their affiliates as they are design services related to a client’s
financial or risk management processes, systems or controls. We can, however, provide O&R on the client’s design and implementation
of this process.

For activity 3.4 for all audit clients, KPMG may assist with some vendor selection activities as outlined in the Global Advisory Risk
Group (GARG) Alert 11-004 Updated VSA Policy (global) or APL 11-002/PPL-11-005 Vendor Selection Assistance (including Shared
Services and Outsourcing Advisory) Engagements Policy and Guidance (US).

Guidelines for IFAC audit clients: Refer to restrictions for IFAC PIE audit clients in performing internal audit activities in
Steps 3.2-3.3 and 3.5 and limitations for IFAC non-PIEs outlined under “Guidelines for IFAC audit clients” in the Assess phase.

Phase: Implement 4a. CA KPMG Tool
SEC Audit Clients: Not Permitted
IFAC Audit Clients PIE: Some restrictions
IFAC Audit Client Non PIEs: Permitted with safeguards
Comments:
Activities in 4a CA KPMG Licensed Tool are not permitted for SEC audit clients as they are services related to a client’s financial or
risk management processes, systems or controls.

Guidelines for IFAC audit clients: Refer to the Assess Phase for the restrictions for IFAC PIE audit clients in performing internal audit
activities in 4a CA KPMG Licensed Tool. We should not perform this phase if the internal audit scope relates to the three prohibitions
as outlined in the Assess Phase. In addition to these internal audit restrictions for IFAC PIE audit clients, we may not perform
implementation services that are related to a client’s IT systems that form:
a) a significant part of the internal control over financial reporting or
b) generate information that is significant to the accounting records or financial statements.

We can, however, provide O&R on the client's design or implementation of such IT systems. This restriction applies to both Phase 4a
and 4b.

For IFAC audit clients that are not PIEs, we may perform implementation services that are related to a client’s financial systems and
controls as long as the appropriate client safeguards are in place as outlined on pg 14. Refer also to limitations for IFAC non-PIEs
outlined under “Guidelines for IFAC audit clients” in the Assess phase.

Independence Guidance (9 of 10)

Phase: Implement 4b: CA/CM – Working with a third party
SEC Audit Clients: Some Restrictions
IFAC Audit Clients PIE: Some restrictions
IFAC Audit Client Non PIEs: Permitted with safeguards
Comments:
With the exception of certain activities outlined below in 4.8b and 4.9b, phase “CA/CM – Working with a third party” activities are
not permitted for SEC audit clients as they are services related to a client’s financial or risk management processes, systems or
controls. For IFAC audit clients, refer to restrictions in 4a.

For skill assessment activities in 4.8.1b and 4.8.4b, refer to guidance for activity 5.5 below.
For training activities in 4.9b, refer to guidance for activity 5.6 below.

Phase: Execute
SEC Audit Clients: Some Restrictions
IFAC Audit Clients PIE: Some restrictions
IFAC Audit Client Non PIEs: Permitted with safeguards
Comments:
With the exception of certain activities outlined below, the Execute phase is not permitted for SEC audit clients as they are services
related to a client’s financial or risk management processes, systems or controls.
Refer to the restrictions for IFAC PIE audit clients in performing internal audit activities and limitations for IFAC non-PIEs outlined
under “Guidelines for IFAC audit clients” in the Assess phase.
For activities 4.8.1b, 4.8.4b and 5.5, KPMG may suggest high level qualifications, roles and responsibilities requirements based on
general industry standards and KPMG experience with leading practices. We cannot assign specific resources or assign individuals to
specific roles and responsibilities. We can discuss generic resource/skills sets needed but not assess the actual skill sets of employees.
In activities 4.9b and 5.6, analyzing training needs is permitted. In addition, KPMG is permitted to facilitate client workshops or
educate client staff on general CA/CM techniques and KPMG experience with leading practice. The training should not be client-specific
nor should we provide detailed instructions as to how the client’s processes, systems, and controls or project should be planned, scoped
or managed. We may also provide training materials for use and delivery by the audit client to its personnel. We may also review and
provide advice and guidance on client-developed training materials. Management is solely responsible for the ultimate scope of training
to be provided to client personnel.

Independence Guidance (10 of 10)

Phase: Evaluate
SEC Audit Clients: Some Restrictions
IFAC Audit Clients PIE: Permitted with safeguards
IFAC Audit Client Non PIEs: Permitted with safeguards
Comments:
For activities in 6.1, we can perform a post-implementation assessment review for all audit clients and their affiliates and provide
observations and recommendations for improvements. However, in activities 6.2.1 and 6.2.2, this cannot extend to the development of
implementation and action plans for SEC audit clients or their affiliates as documenting such plans are considered a management
function. KPMG member firm professionals are permitted to review a client’s plan designed by the client and provide feedback in the
form of observations and recommendations (O&R) and alternatives; however, they should not provide client-specific, detailed
instructions as to how the client’s plans should be planned, scoped or managed.

For IFAC audit clients, in Activity 6.2.1 and 6.2.2 we may assist management in documenting its implementation and action plans,
provided management takes responsibility and our procedures are limited to those outlined under “Guidelines for IFAC audit clients” in
the Assess phase.

The independence guidance included in this global methodology applies to SEC and IFAC audit clients. In cases where SEC or IFAC is not
relevant, local independence guidance should be considered.
Engagement Phases

GREG Phases

Initiate
• Internal engagement and client acceptance procedures
• Proposing and contracting

Plan
• Refine engagement work plan with client
• Kick off engagement

Coordinate
• Engagement scope control
• Engagement schedule control
• Engagement cost control
• Engagement risk control
• Engagement quality control
• Engagement team management
• Engagement communications management
• Stakeholder management

Close
• Finalize client presentation
• Close engagement contract
• Update CA/CM collateral

CA/CM Phases

1.0 Plan
• Facilitate the planning activities for the overall CA/CM engagement
• Gain an understanding of the client’s objectives and success criteria related to the engagement

2.0 Assess
• Gain an understanding of the client’s environment
• Document and confirm the current state environment
• Perform risk assessment and supplemental analysis

3.0 Design
• Confirm and prioritize areas to be addressed
• Confirm implementation plan with the client
• Consider change management issues
• Assist the client with selecting the tool(s) to be utilized (refer to the IT Project Advisory methodology for guidance).

4.0 Implement
• Finalize data definitions and data mapping
• Configure, test and validate tool set-up
• Provide risk/control support throughout the implementation process

5.0 Execute
• Execute queries and routines
• Complete data analysis
• Assist the client with remediation efforts and training needs

6.0 Evaluate
• Conduct a post implementation assessment
• Identify potential improvements
• Discuss control gaps and weaknesses with client

General Guidance for using Global RAS Engagement Guide (GREG)
• This flowchart illustrates the generic relationship between the GREG phases and the corresponding CA/CM phases
• On a long-term CA/CM engagement, it is possible that multiple engagement letters may need to be executed. For example,
the client may approve an initial engagement to deliver Plan and Assess and later approve a separate engagement for the
other phases.
The full scope of services in this methodology guide is not permissible for SEC audit clients. See detailed guidance
regarding independence on slides 13-20.

CA/CM Phase Objectives, Steps, and Outputs

Phase High-Level Objectives Step Overview Potential Outputs


Phase: 1.0 Plan
High-Level Objectives:
• Assist the client in gaining an understanding of CA/CM
• Establish agreement with the client regarding the scope, objectives and success criteria of the CA/CM engagement
Step Overview:
1.1 Confirm client objectives with key stakeholders
1.2 Prepare engagement approach with team
1.3 Engagement kick-off
Potential Outputs:
• Kickoff agenda and presentation
• Engagement letter
• Stakeholder matrix
• Cost management workbook
• Risk/issue register
Management checkpoint: C

Phase: 2.0 Assess
High-Level Objectives:
• Understand the client’s environment
• Document and confirm the current and desired state environments
• Determine the availability and quality of available data
Step Overview:
2.1 Gather relevant information
2.2 Document and confirm the current state
2.3 Perform risk assessment, gap analysis and supplemental analysis
2.4 Determine availability and quality of data
2.5 Understand management’s desired state
Potential Outputs:
• Maturity matrix summary
• Risk assessment
• Heat map
• Gap analysis
• Retrospective diagnostic analytic results
Management checkpoint: C

Phase: 3.0 Design
High-Level Objectives:
• Confirm the business areas to be addressed
• Confirm the implementation plan with the client
• Client selects the CA/CM tool(s) to be utilized
Step Overview:
3.1 Prioritize areas to be addressed
3.2 Create and confirm implementation plan with client
3.3 Define exceptions, measures and anomaly thresholds
3.4 Client selects CA/CM tool(s)
3.5 Design suite of analytics, reports and dashboards
Potential Outputs:
• Implementation plan
• Tool selection report
• Customization plan
• Summary of key measures and thresholds
Management checkpoint: C

4a: CA Only - KPMG licensed tool
• Obtain information from client • Information request
4.0a
to implement the selected Create data • Data definitions and maps
Implement

Request Extract data Modify/


tool/s definitions and Validate • Data dictionaries
information detailed data based on data customize
• Finalize data definitions and request selected tool(s)
analytics • Tool configuration
data mapping 4.1a
maps 4.5a • Sample output from tool(s)
4.2a 4.3a 4.4a
• Request and obtain data from • Scoping documents
client to test selected tool(s) Perform further Develop protocols
modifications to surrounding the assignment
selected tool(s) and resolution of exceptions
4.6a 4.7a C

C Management checkpoint. Refer to pages 27, 37, 50, and 63 for additional guidance.

CA/CM Phase Objectives, Steps, and Outputs

Phase 4.0b Implement (4b: CA/CM – Working with a CA/CM third party)

High-Level Objectives:
• Assist the client with the implementation of the CA/CM application
• Assist with the validation of analytic results
• Help ensure that CA/CM application dashboard/reports are accurate, alerts properly execute and notifications are properly routed
• Provide observations and recommendations regarding client training needs
• Assist with the development and delivery of the training

Step Overview:
• 4.1b Confirm our understanding of client implementation plan
• 4.2b Validate data mapping and planned data
• 4.3b Perform customization of standard analytical routines
• 4.4b Evaluate results and perform sensitivity of analytics modifications
• 4.5b Evaluate results and perform additional sensitivity modifications
• 4.6b Validate that outputs operate as expected
• 4.7b Develop protocols surrounding the assignment and resolution of exceptions
• 4.8b Discuss and document CA/CM client training needs
• 4.9b Assist with development and delivery of CA/CM training
• Management checkpoint (C)

Potential Outputs:
• Implementation schedule
• Tool specifications
• Sample exception reports
• Sample dashboards, notifications and alerts
• Documentation for implemented analytic routines
• Client acceptance documentation
• Training work plan
• Training guide and supporting materials

Phase 5.0 Execute (CA ONLY)

High-Level Objectives:
• Run queries and routines
• Provides reports and analyses to the clients
• Assist with researching the analysis results
• Assist with remediation efforts
• Provide observations and recommendations regarding client training needs
• Assist with the development and delivery of the training

Step Overview:
• 5.1 Run queries and routines
• 5.2 Establish and compare to benchmark data
• 5.3 Assist client with identification of root cause of exceptions/results
• 5.4 Assist client with remediation and enhance program
• 5.5 Discuss and document client CA/CM training needs
• 5.6 Assist with development and delivery of CA/CM training
• Management checkpoint (C)

Potential Outputs:
• Customized routines
• Exception reports
• Dashboards, notifications and alerts
• Remediation or enhancement plan
• Training work plan
• Training guide and supporting materials

Phase 6.0 Evaluate

High-Level Objectives:
• Assist the client with conducting a post implementation assessment
• Assist the client with identifying potential improvements and tracking potential benefits realization

Step Overview:
• 6.1 Conduct post implementation assessment
• 6.2 Identify potential improvements
• Management checkpoint (C)

Potential Outputs:
• Post implementation report
• Performance scorecard
• Lessons learned
• Control gaps and recommendations

C: Management checkpoint. Refer to pages 101, 118 and 125 for additional guidance.
CA ONLY: Applicable to CA only


Management Checkpoint (C)

KPMG Engagement Manager Checkpoint Items for Consideration Include:
• Has the protection of KPMG Intellectual Property been considered?
• Have we applied the evaluation/acceptance criteria relating to third party vendors?
• Have we ensured that there is a designated representative on the client side who is sufficiently knowledgeable to evaluate KPMG deliverables and make decisions on behalf of the client?
• Identifying the subject matter specialists needed to conduct the engagement occurs while initiating and planning the engagement. This process is a factor in establishing the engagement scope and fees.
• Remember that the engagement scope and fees should be reviewed and adjusted as necessary if additional subject matter specialists are needed.
• KPMG may perform most project management activities subject to the active involvement of competent client personnel to oversee the activities and the guidelines on active project management set forth in the IT Project Advisory Methodology.
• KPMG may not manage or take responsibility for the project activities of third party vendor personnel. However, KPMG may perform facilitation and coordination roles as long as the management and responsibility for decisions remains with the client.
• Have we completed the required client and engagement acceptance procedures (e.g., signed engagement letter, final KRisk Approval, filing of the SAN)?

0.0 Initiate – Phase Overview

Steps:
• 0.1 Initial Client Contact
• 0.2 Client/Engagement Acceptance
• 0.3 Planning the Proposal
• 0.4 Project Scoping and Financial Assessment
• 0.5 Proposing and Contracting
• Management checkpoint (C)

Refer to the Global RAS Engagement Guide (GREG)

PRIMARY OBJECTIVES:
The Initiate Phase includes Pre-Proposal and Proposal activities.
The Pre-Proposal activities include all of the engagement and client acceptance/continuation steps.
The Proposal activities include preparing for and delivering the proposal and/or engagement letter/contract to the client.

General Guidance for using GREG
• Detailed GREG information is not provided in this methodology
• U.S. professionals should access the GREG through the Engagement Project Management site
• Global Professionals should access the global GREG Web site to locate their local versions or to leverage the global guide

Available GREG Templates:
0.1 Risk Register
0.2 Cost Management Workbook
0.3 Project Charter

1.0 Plan – Phase Overview

Steps:
• 1.1 Confirm client objectives with key stakeholders
• 1.2 Prepare engagement approach with team
• 1.3 Engagement kick-off
• Management checkpoint (C)

Also refer to GREG

PRIMARY OBJECTIVES:
• Obtain agreement with the client regarding the scope objectives and success criteria of the CA/CM engagement.
• Refine the engagement work plan, schedule, and budget, prior to commencing the engagement.

POTENTIAL OUTPUTS:
• Kickoff meeting agenda
• Kickoff meeting presentation
• Engagement letter
• Completed GREG templates
• Stakeholder Matrix
• Initiation of work paper files

Note: For U.S. professionals, engagement teams must develop the below GREG/EPM templates or should otherwise achieve similar objectives through other means.

Available GREG Templates
1.1 Project Charter
1.2 Risk Register
1.3 Communications Plan
1.4 Cost Management Workbook

General Guidance for accessing GREG
• Detailed GREG information is not provided in this methodology
• U.S. Professionals should access the GREG through the Engagement Project Management site
• Global Professionals should access the global GREG Web site to locate their local versions or to leverage the global guide

1.1 Confirm client objectives with key stakeholders – Activity Summary

• Confirm the scope and objectives of the engagement with the client

Assist the member firm client with the following activities:

1.1.1 Schedule a facilitated interview with key client stakeholders
Potential Inputs: • KPMG CA/CM Talk book • CA/CM Project Scoping Tool
Tools and Templates: • CA/CM Talk book • CA/CM FAQs • Establishing a Business Case for CA/CM • CA/CM Project Scoping Tool

1.1.2 Confirm the scope and key objectives of the engagement
Potential Inputs: • Meeting notes • Draft engagement letter
Tools and Templates: • CA/CM Engagement Letter Template

1.1.3 Refine engagement scope and update the engagement letter
Potential Inputs: • Draft engagement letter
Potential Outputs: • Revised draft engagement letter
Tools and Templates: • CA/CM Engagement Letter Template


1.1 Confirm client objectives with key stakeholders – Activity and Task Guidance

1.1.1 Schedule a facilitated interview with key client stakeholders
General Guidance:
• The engagement team needs to understand the buyer’s level of knowledge of CA/CM (e.g., understanding how the client defines CA/CM).
• The engagement team may need to walk through a deck of introductory material to clarify KPMG’s definition of CA/CM. This may also include an overview of industry practices and examples of current CA/CM projects.
• The engagement team should understand the following:
- Buyer’s motivations/triggers and expectations that led to the CA/CM project
- Top three to five objectives that the buyer(s) expect to achieve from the CA/CM initiative
- Maturity of the organization regarding understanding of CA/CM
- The organization’s core financial and non-financial applications
• Confirm that all relevant stakeholders have been identified
• Validate that appropriate executive (C-Level) support has been established for the project
Risk Management Notes:
• The engagement team must complete the relevant client acceptance procedures prior to having a robust discussion with the buyer to help ensure CA/CM assistance can be provided to the client.
• Prior to conducting interviews an evaluation of the occurrence of fraud should be completed. If the client or KPMG believes that unusual activity may represent fraud, a forensic team should be engaged and a separate engagement letter will need to be created.

1.1.2 Confirm the scope and key objectives of the engagement
General Guidance:
• The engagement team should confirm the specific scope of work that will be completed, using the drafted engagement letter. The team should clearly identify the following:
- Project Sponsor and key stakeholders
- Key objectives and scope
- Range of hours and fees
- Key success factors
- Any dependencies and/or risk areas that would prevent or inhibit the project
- Timeline for project completion
- Other risk management issues
Risk Management Notes:
• The engagement team should clearly outline KPMG roles and responsibilities.

1.1.3 Refine engagement scope and update the engagement letter
General Guidance:
• Based on the discussions with the buyer(s), the scope may need to be revised
• The engagement letter must be updated with any scope changes
• Formal endorsement of the engagement letter is required
Risk Management Notes:
• Changes to engagement letter should be appropriately reviewed and approved. Additionally, the engagement scope should be based on team skills, experience and methodologies. It is important that we have the proven skills and ability to deliver on items in the scope.


1.2 Prepare engagement approach with team – Activity Summary

• Work with the member firm client to further refine the work plans and engagement management approach

Assist the member firm client with the following activities:

1.2.1 Develop a Work Plan and Engagement Budget
Potential Inputs: • Engagement Letter
Potential Outputs: • Work Plan • Cost Management Workbook • Budget
Tools and Templates: • GREG – Cost Management Workbook • CA/CM Engagement Letter • CA/CM Working with Third Parties Checklist

1.2.2 Assign Resources
Potential Inputs: • Engagement Letter • Work Plan
Potential Outputs: • Resource Management Plan
Tools and Templates: • GREG – Resource Management Plan

1.2.3 Prepare Quality Management Plan
Potential Inputs: • Engagement Letter • Work Plan
Potential Outputs: • Quality Management Plan
Tools and Templates: • GREG – Quality Management Plan

1.2.4 Prepare Engagement Risk Register
Potential Inputs: • Engagement Letter • Work Plan • Client Documentation and Interviews
Potential Outputs: • Engagement Risk Register
Tools and Templates: • CA/CM Risk Register

1.2.5 Prepare Communications Plan
Potential Inputs: • Engagement Letter • Work Plan
Potential Outputs: • Communications Plan
Tools and Templates: • GREG – Communication Plan

1.2.6 Prepare Project Charter
Potential Inputs: • Engagement Letter • Communications Plan • Engagement Risk Register • Quality Management Plan • Work Plan
Potential Outputs: • Project Charter
Tools and Templates: • GREG – Project Charter


1.2 Prepare engagement approach with team – Activity and Task Guidance

1.2.1 Develop a Work Plan and Engagement Budget
General Guidance:
• The engagement team should develop a detailed work plan and budget. Once the engagement begins, it is necessary to further detail the engagement activities and formally assign responsibility and hours for the engagement team members.
• Moving forward, the detailed work plan should be continuously updated to compare actual time spent versus budget and to provide an estimate for completion. On small engagements, the initial high-level work plan may be sufficient to appropriately track the engagement. On larger engagements, developing a detailed work plan will help the engagement team to better oversee scope, schedule, and budget. The budget can be developed using the Cost Management Workbook.

1.2.2 Assign Resources
General Guidance:
• KPMG member firm engagement resources must be formally assigned in the local scheduling/resource system. To avoid availability conflicts, resources should be formally assigned as soon as the engagement letter is approved. If the engagement needs a specific resource who is already scheduled, the engagement teams should work to find an appropriate alternative resource.
• It is the engagement partner’s responsibility to determine whether the engagement staff is qualified to conduct the activities assigned to it.
• The staff should be provided with appropriate guidance to perform its work and allowed reasonable time to carry out its assignment. The engagement team members should also be exposed to appropriate background material about the client, its industry, and the particular situation it is facing.


1.2 Prepare engagement approach with team – Activity and Task Guidance

1.2.3 Prepare Quality Management Plan
General Guidance:
• The Quality Management Plan communicates the overall expectations and directions for how engagement quality will be maintained. The engagement manager and partner are responsible for establishing quality expectations and for providing final quality acceptance.

1.2.4 Prepare Engagement Risk Register
General Guidance:
• Engagement Risk Management is the process that is used to determine how to approach the activities involved in identifying and mitigating the risk events for the engagement. KPMG’s risk management processes are generally concerned with managing the member firm’s risk as associated with market permissions, regulatory requirements, or general service delivery guidance. Engagement Risk Management is concerned with addressing the engagement or project specific events that may negatively impact the team’s ability to deliver within scope, on budget, and on time.

1.2.5 Prepare Communications Plan
General Guidance:
• The Communications Management Plan is the written strategy for getting the right information to the right people at the right time. The client sponsor(s) identified in the engagement letter represent just one element of the engagement audience. The engagement team should also consider the communication requirements of other possible stakeholders and interested client parties. All relevant client communication shall be signed by authorized persons as established by KPMG member firms.

1.2.6 Prepare Project Charter
General Guidance:
• The Project Charter provides a preferred vehicle for communicating the engagement objectives across the engagement and client team. Special care should be taken to help ensure that the scope, objective, and deliverable information in the Project Charter reconcile with the engagement letter.
• The charter may also contain additional information about the engagement that is not appropriate for inclusion in the engagement letter. It may include information about the engagement’s team roles and responsibilities, as well as the quality, engagement risk, and communication management plans.
• The Project Charter should be shared with the client during the kickoff meeting to validate the team’s approach and to establish expectations for the engagement management process.

1.3 Engagement kickoff – Activity Summary

• Finalize the detailed work plan and initiate the project activities

Assist the member firm client with the following activities:

1.3.1 Set up the project infrastructure
Potential Inputs: • Engagement Letter

1.3.2 Kickoff meeting
Potential Inputs: • Project Charter • Communication Management Plan • Engagement Risk Register • Quality Management Plan • Work Plan
Potential Outputs: • Kickoff Meeting Agenda • Kickoff Meeting Presentation • Kickoff Meeting Notes • Stakeholder Matrix
Tools and Templates: • GREG – Kickoff Meeting Template • GREG – Rapid Start Workshop Guide

1.3.3 Obtain client approval for Work Plan (not mandatory)
Potential Inputs: • Project Charter • Work Plan
Potential Outputs: • Detailed Project Plan
Tools and Templates: • GREG – Rapid Start Guidance and Checklist • GREG – Project Plan


1.3 Engagement kickoff – Activity and Task Guidance

1.3.1 Set up the project infrastructure
General Guidance:
• At this stage, the engagement manager:
– Notifies the lead partner and other participating parties that the engagement is commencing
– Prepares an initial billing, if applicable
– Prepares and/or updates the work paper file
– Confirms the availability and approval for phone, network, and office space access at the client site
– Schedules an internal engagement team meeting
– Confirms the start date with the client and arranges the kickoff meeting
– Identifies background reading material for all team members (e.g., Project Charter, industry data, annual reports, etc.)

1.3.2 Kickoff meeting
General Guidance:
• The engagement team should conduct a project initiation or kickoff meeting with the client team and key personnel. The kickoff meeting helps ensure that the client, as well as the KPMG member firm, is satisfied with the overall engagement approach.

1.3.3 Obtain client approval for Work Plan
General Guidance:
• For larger engagements, it may be beneficial to hold a rapid start workshop with the client steering committee to define the client’s involvement in the project and gain consensus on project definition, status reporting, and other areas.


Management Checkpoint (C)

KPMG Engagement Manager Checkpoint Items for Consideration Include:
• Has communication with the client stakeholders been maintained throughout the planning process? The client should be driving the effort.
• Revisit the stakeholder analysis that was performed. Are the stakeholders’ requests realistic and can they be addressed?
• Has the client conducted an open and frank discussion on potential issues and problems with existing performance? Were any areas avoided that may impact this? Has client leadership challenged complacency with existing performance levels?
• Update the engagement management documents as necessary (e.g., risk register, communications plan, cost management workbook).
• Remember that the validation and internal approval of the client’s business case can take a long time (e.g., two to six months).
• Have we assisted the client in clearly documenting the client’s assumptions and related support for the potential benefits of CA/CM?
• Has the protection of KPMG Intellectual Property been considered?
• Have we applied the evaluation/acceptance criteria relating to third party vendors?
• Have we considered the protocols surrounding KPMG access to third party applications?
• As part of the project infrastructure, have we considered protocols regarding access to the client’s IT systems?

Client Management Checkpoint Items for Consideration Include:
• Do the client stakeholders have sufficient agreement on the draft objectives for the project to succeed?
• Is there a sense of urgency within the organization to drive the initiative? Does this initiative have the necessary support?
• Has a steering group been defined? Is this steering group empowered to lead the initiative?
• Has the stakeholder obtained the necessary support from their leadership to properly fund the CA/CM effort?
• Has the initiative been communicated to everyone who may be impacted by the change (e.g., management, staff, customers, vendors)?
• As part of the project infrastructure, have we considered protocols regarding access to the client’s IT systems?

2.0 Assess – Phase Overview

Steps:
• 2.1 Gather relevant information
• 2.2 Document and confirm the current state
• 2.3 Perform risk assessment, gap analysis and supplemental analyses
• 2.4 Determine availability and quality of data
• 2.5 Understand management’s desired state
• Management checkpoint (C)

PRIMARY OBJECTIVES:
• Understand the client's current CA/CM environment as a whole and as per the agreed scope
• Define and confirm the current and desired state environments
• Determine the availability and quality of available data to be analyzed as part of the risk assessment, gap analysis and any supplemental analyses (e.g., retrospective diagnostic), as well as for use in the desired CA/CM environment

POTENTIAL OUTPUTS:
• Maturity Matrix Summary
• Risk Assessment
• Heat Map
• Gap Analysis
• Retrospective diagnostic analytical results


2.1 Gather relevant information – Activity Summary

• Understand the client’s environment

Assist the member firm client with the following activities:

2.1.1 Obtain and discuss relevant documentation to further understand the client’s environment
Potential Inputs: • Interview notes • Supporting documentation such as Internal Audit reports and work papers, SOX documentation, process maps, procedural documentation, control catalogues, segregation of duties matrices, etc.
Potential Outputs: • Work papers
Tools and Templates: • AT Business Context Questionnaire

2.1.2 Understand client’s use of existing data analysis tools and applications
Potential Inputs: • Risk Assessment and Gap Analysis
Potential Outputs: • Work papers
Tools and Templates: • CA/CM Tool Summaries • CA/CM Maturity Matrix • CA/CM Project Scoping Tool


2.1 Gather relevant information – Activity and Task Guidance

2.1.1 Obtain and discuss relevant documentation to further understand the client’s environment
General Guidance:
• The engagement team should gather relevant documentation to understand the overall client environment, as well as specific documentation to understand the process areas within scope.
• General documentation may include: organizational structure, IT infrastructure, list of IT applications and systems, contact listing, past risk assessments, management letters from external auditor, current management reporting output (e.g., dashboards), etc.
• If a specific process area has been included in the scope of the engagement, supporting documentation may also include: process maps, policies and procedures, SOX documentation and deficiencies, key control matrix, chart of accounts, application user listing, process output reports, examples of management reports/internal audit reports, etc.
Risk Management Notes:
• Information received from the client should be clearly identified and handled in accordance with any confidentiality or non-disclosure agreement that applies to the engagement.

2.1.2 Understand client’s use of existing data analysis tools and applications
General Guidance:
• Identify any existing tools currently being used at the client environment. If such tools exist, discuss the benefits of the use of available data analysis tools.


2.2 Document and confirm the current state – Activity Summary

• Document and confirm the current state

Assist the member firm client with the following activities:

2.2.1 Meet with stakeholders/process owners to understand and document the current state
Potential Inputs: • Relevant documentation that was gathered through the previous step
Potential Outputs: • Draft document of the client’s current state (high-level)
Tools and Templates: • AT – Process Documentation Example • AT – Process Summary Template • CA/CM Project Scoping Tool

2.2.2 Share summarized results of current state with client and plot to the CA/CM maturity matrix
Potential Inputs: • Draft document of the client’s current state
Potential Outputs: • CA/CM Maturity Matrix
Tools and Templates: • CA/CM Maturity Matrix


2.2 Document and confirm the current state – Activity and Task Guidance

2.2.1 Meet with stakeholders/process owners to understand and document the current state
General Guidance:
• The engagement team should meet with stakeholders/process owners to identify key objectives for the organization/process area(s) within the scope of the CA/CM engagement.
• If an appropriate level of supporting documentation is obtained from the client, the team should validate their understanding of the documentation via interviews/walkthroughs.
• If the documentation is insufficient the team should document their understanding of the process area(s) under review. Specific emphasis should be placed to identify key objectives, risks that impact key objectives, controls that have been identified and the various exceptions that result from this process. The high-level mapped process area(s) should then be confirmed with the client.

2.2.2 Share summarized results of current state and plot to the CA/CM maturity matrix
General Guidance:
• A summarized version of the current state document should be shared with the client to confirm our understanding
• Client should provide input on objectives, risks, controls and exceptions
• The team could also present the required information using the CA/CM Maturity Matrix Summary format


2.3 Perform risk assessment, gap analysis and supplemental analysis – Activity Summary

• Understand and confirm the client’s current state

Assist the member firm client with the following activities:

2.3.1 Perform Risk Assessment
Potential Inputs:
• Current State documentation (from 2.2.1)
Potential Outputs:
• Heat Map
• Risk Register
Tools and Templates:
• AT – Risk Content Questionnaire and Register Template
• ERM Methodology *
• GRC Methodology *
• AT – ERM Risk Assessment Analysis
• Fraud Risk Management Methodology

2.3.2 Perform Gap Analysis
Potential Inputs:
• Risk Assessment Outputs (from 2.3.1)
Potential Outputs:
• Gap Analysis

2.3.3 Perform Supplemental Analysis
Potential Inputs:
• Risk Assessment and Gap Analysis (from 2.3.1 and 2.3.2)
• Current State documentation
Potential Outputs:
• Updated Gap Analysis
• Updated Heat Map
• Updated Risk Register

2.3.4 Perform Retrospective Data Analysis
Potential Inputs:
• Risk Assessment and Gap Analysis
• Selected data analysis tool/s (e.g., Approva, IDEA, etc.)
Potential Outputs:
• Retrospective diagnostic analytical results
Tools and Templates:
• Fraud Risk Management Methodology

(*) Note that these service offerings are broader in scope than CA/CM and are included as references only.


2.3 Perform risk assessment, gap analysis and supplemental analysis – Activity and Task Guidance

2.3.1 Perform Risk Assessment
General Guidance:
• Obtain and review relevant documentation from steps 2.1 and 2.2
• Interview key stakeholders and process owners and identify risks that may impact/threaten key objectives for a specific process or entity.
• In conducting the risk assessment, follow the guidelines outlined in the ERM Methodology, as appropriate
• If Internal Audit has already completed a risk assessment as part of its planning process the results should be reviewed and discussed with the client. Additionally, if an ERM assessment has recently been completed and/or a Fraud Risk Assessment has been undertaken, the results should be reviewed in light of the objectives of the CA/CM engagement.
• Assist management to prioritize risk areas as high, moderate or low
• Plot key risks on a Heat Map and/or other relevant format
Risk Management Notes:
• An IARCS professional should be consulted prior to performing the risk assessment.

2.3.2 Perform Gap Analysis
General Guidance:
• Utilize information obtained from the above interviews and the risk assessment results and compare to leading practices and/or guidance in the CA/CM maturity matrices
• Provide a list of areas where control failures, errors and fraud could occur
• If applicable, identify areas where efficiencies could be realized through process re-engineering, automation, etc.
• Gaps can be ranked in several ways: level of risk, level of effort required to fix the gap, potential impact to the financial statement/operations, etc.

2.3.3 Perform Supplemental Analysis
General Guidance:
• Where required, perform additional analysis to supplement the risk assessment and gap analysis

2.3.4 Perform Retrospective Data Analysis (restrictions apply for SEC audit clients and their affiliates)
General Guidance:
• Assist client with the data extraction and map relevant data in preparation for the retrospective data analysis. The date range of the data selected for analysis will be determined based on the risk assessment and included in the engagement letter
• Where applicable, tool license costs should be considered during discussions with the client
• Evaluate the results of data analysis; review findings; refine analysis and present recommendations to client for action
• Assist with the development of response and remediation plans. (This task is not permitted for SEC audit clients and their affiliates).
• Also refer to Phase 4a beginning on page 64 for additional guidance
Risk Management Notes:
• Confirm with client hours and fees related to conducting a retrospective diagnostic and ensure that an additional engagement letter (or addendum) has been issued and signed prior to moving forward.
• Retrospective data analysis should be completed by suitably qualified Forensics/ITA professionals.

2.4 Determine availability and quality of data – Activity Summary

• Understand the client’s existing General Ledger/Information Systems/ERP architecture and IT controls to determine the availability and quality of data

Assist the member firm client with the following activities:

2.4.1 Understand client’s General Ledger, Information Systems and/or ERP implementation, including IT controls and related business processes to determine the quality of data captured (i.e., systems, sub-ledgers, tables and fields used as part of the business process, data elements captured and retained, etc.)
Potential Inputs:
• General Ledger, Information System and/or ERP implementation plan and supporting technical documentation including file layouts and field definitions, Segregation of Duty (SoD) assignments, configurable controls settings, etc.
Potential Outputs:
• Business process summary
• Summary of available, quality data sets for further analysis
Tools and Templates:
• ERP Advisory Methodology
• CA/CM Control Catalogues

2.4.2 Understand existing IT controls to help understand the completeness and accuracy of data captured
Potential Inputs:
• Internal audit reports, past risk assessments, management letters from external auditor, IT policies and procedures, SOX documentation of controls and deficiencies, key control matrix
Potential Outputs:
• IT controls assessment
• SoD conflicts
• Configurable controls gaps
Tools and Templates:
• AT – Controls Matrix
• ERP Advisory Methodology
• CA/CM Control Catalogues


2.4 Determine availability and quality of data – Activity and Task Guidance

2.4.1 Understand client’s General Ledger, Information Systems and/or ERP implementation, including IT controls and related business processes to determine the quality of data captured (i.e. systems, sub-ledgers, tables and fields used as part of the business process, data elements captured and retained, etc.)
General Guidance:
• Through review of documentation and discussions with client understand the business processes and related IT configurations for subject areas of client’s General Ledger, Information Systems and/or ERP system implementation.
• Request and obtain relevant supporting documentation (such as the ERP implementation plan, relevant technical documentation), which outlines the relevant system tables, data fields and information captured, processed and stored.
• Determine if any significant system changes/upgrades have occurred

2.4.2 Understand existing IT controls to help understand the completeness and accuracy of data captured
General Guidance:
• Through review of documentation and discussions with client understand the business processes and related IT controls for subject areas of client’s General Ledger, Information Systems and/or ERP system.
• Determine any significant gaps or deficiencies and consider potential impact to CA/CM implementation


2.5 Understand management’s desired state – Activity Summary

• Understand and document management’s desired state

Assist the member firm client with the following activities:

2.5.1 Understand and document management’s desired state
Potential Inputs:
• Current State Document
• Risk Assessment
• Gap Analysis
Potential Outputs:
• “To-Be” State Document
Tools and Templates:
• AT – “To Be” Process Model Technique Paper
• AT – “To Be” Process Models
• CA/CM Maturity Matrices
• CA/CM Control Catalogues


2.5 Understand management’s desired state – Activity and Task Guidance

2.5.1 Understand and document management’s desired state
General Guidance:
• Discuss with management the desired output as a result of CA/CM effort
• Identify key risks that should be considered in the desired state and discuss the level of effort that will be required to mitigate such risks through the CA/CM approach.
Risk Management Notes:
• KPMG is not permitted to help SEC audit clients develop a road map or a desired state. KPMG can provide management with our observations and recommendations regarding the client developed desired state.
• Our O&R may include our comments on a client’s processes, systems, controls or operations and our recommendations. In addition, we can provide our comments regarding the relative priority of items for action (i.e., high, medium, and low). However, we need to help ensure that our O&R are not so extensive that we are in substance designing processes, systems, or controls for the audit client because doing so would violate the independence rules.


Management Checkpoint C

KPMG Engagement Manager Checkpoint Items for Consideration Include:
• Has communication with the client stakeholders been maintained throughout the desired state process? The client should be driving the effort.
• Were the important stakeholders’ concerns or requests identified in the stakeholders analysis addressed?
• Update the engagement management documents, as necessary (e.g., risk register, communications plan, cost management workbook).
• Confirm with client hours and fees related to conducting a retrospective diagnostic and ensure that an additional engagement letter (or addendum) has been issued and signed prior to moving forward. Check local client evaluation tool (e.g. CEAC) for fee levels and scope.
• Have we considered the outcomes from our assessment of the quality and integrity of the data? Is the engagement still feasible? Do we need to revisit the original scope and fee?

Client Management Checkpoint Items for Consideration Include:
• Are the appointed stakeholders appropriate for the project, and do they represent the key beneficiaries throughout the organization?
• Do the client stakeholders have sufficient agreement for the project to succeed?
• How does CA/CM fit into the larger IT and business program portfolio of each stakeholder?
• Has the stakeholder obtained the necessary support from its leadership to properly fund the CA/CM effort and allocate the appropriate internal resources?
• Has the initiative been communicated to everyone that may be impacted by the change (e.g., management, IT, staff, customers, vendors)?
• Do we have agreement from the client’s IT staff regarding KPMG access to systems and data?

3.0 Design – Phase Overview

3.1 Prioritize areas to be addressed
3.2 Create and confirm implementation plan with client
3.3 Define exceptions, measures and anomaly thresholds
3.4 Client selects CA/CM tool(s)
3.5 Design suite of analytics, reports and dashboards

PRIMARY OBJECTIVES:
• Identify the key business areas in which to focus
• Obtain buy-in from the client on the implementation plan of the CA/CM tool(s)
• Define which indicators will be monitored and/or assessed and by what standards
• Assist the client with selecting a CA/CM tool(s) that can better suit their needs
• Assist the client with developing a meaningful way to view the outputs from the selected tool(s)

POTENTIAL OUTPUTS:
• List of business areas to be addressed, in order of risk and/or importance to the client
• Implementation plan
• A list of key measures
• A description of how each key indicator will be monitored and/or assessed (e.g., thresholds)
• List of required or preferred functionality
• List of required or preferred technical capability
• Shell analytics, reports and/or dashboards


3.1 Prioritize areas to be addressed – Activity Summary

• Identify the key business areas in which to focus

Assist the member firm client with the following activities:

3.1.1 Confirm with the client the business areas to be addressed
Potential Inputs:
• Client feedback
• Results of the risk assessment, gap analysis, retrospective diagnostic analysis, and/or any other analyses performed in the Assess phase
Potential Outputs:
• List of business areas to be addressed (not yet prioritized)
Tools and Templates:
• CA/CM Establishing a Business Case

3.1.2 Prioritize with the client the business areas to be addressed
Potential Inputs:
• Results of the heat map and/or Maturity Matrix Summary from the Assess phase. (Note, these inputs differ from the inputs above as they provide an overview of high risk issues as well as issues that are important to the client.)
• Notes from client meetings and interviews
Potential Outputs:
• List of confirmed business areas to be addressed in order of risk and/or importance to the client
Tools and Templates:
• CA/CM Maturity Assessment Matrix
• AT – Prioritization Framework


3.1 Prioritize areas to be addressed – Activity and Task Guidance

3.1.1 Confirm with the client the business areas to be addressed
General Guidance:
• The business areas to be addressed should include those areas in which weaknesses were identified in the risk assessment, gap analysis, the retrospective diagnostic analytic results, and/or any other analyses performed.

3.1.2 Prioritize with the client the business areas to be addressed
General Guidance:
• Meet with key stakeholders to prioritize and confirm the business areas that should be addressed. The prioritization of the business areas should be consistent with the highest risk ratings (as represented in the heat map) and/or with the goals most important to the client (possibly represented in the Maturity Matrix Summary).
Risk Management Notes:
• Discussions with the client on the prioritization of the business areas should be documented in a work paper and retained in the engagement file. These business areas should still fall within the agreed scope objectives as per the engagement letter.


3.2 Create and confirm implementation plan with client – Activity Summary

• Obtain buy-in from the client on the implementation plan of the CA/CM tool(s)

Assist the member firm client with the following activities:

3.2.1 Create a plan to implement a CA/CM approach that will mitigate the identified weaknesses and gaps
Potential Inputs:
• Prioritized list of business areas to be addressed
Potential Outputs:
• Draft implementation plan
Tools and Templates:
• AT – Implementation Plan Examples
• GRC Methodology*

3.2.2 Draft sections of implementation plan, defining team member/client roles and responsibilities and the change management process for the plan
Potential Inputs:
• Discussions with client
Potential Outputs:
• Roles and responsibilities section within implementation plan
• Change management section within implementation plan
Tools and Templates:
• AT – Implementation Plan Examples
• AT – Change Roles and Responsibilities Technique Paper
• AT – Change Strategy
• AT – Change Strategy Technique Paper
• AT – Monitoring and Measuring Change Technique Paper
• Change Management Methodology

3.2.3 Confirm implementation plan with client
Potential Inputs:
• Client feedback on draft implementation plan
Potential Outputs:
• Updated implementation plan

(*) Note that these service offerings are broader in scope than CA/CM and are included as references only.


3.2 Create and confirm implementation plan with client – Activity and Task Guidance

3.2.1 Create a plan to implement a CA/CM approach that will mitigate the identified weaknesses and gaps
General Guidance:
• The implementation plan should not only identify ways to mitigate weaknesses and gaps in existing controls and processes, but also identify gaps that have no corresponding control and/or process.
• Incorporate regulatory requirements and better practices

3.2.2 Draft sections of implementation plan, defining team member/client roles and responsibilities and the change management process for the plan
General Guidance:
• The implementation plan should also consider the following:
- Client roles and responsibilities
- Team member roles and responsibilities
- How changes relating to existing CA/CM skills and capabilities will be managed
- How changes relating to existing organizational structures and relationships will be managed
- How changes relating to existing processes and controls (e.g., business processes, risk and compliance activities, technology and infrastructure) will be managed

3.2.3 Confirm implementation plan with client
General Guidance:
• Take time to walk the client through the plan. The client’s understanding and buy-in of the plan at this point will help minimize modifications later in the engagement.
• Help ensure that the implementation plan is formally agreed to by the client
Risk Management Notes:
• Discussions with the client regarding the implementation plan should be recorded and placed in the engagement file.


3.3 Define exceptions, measures and anomaly thresholds – Activity Summary

• Define which exceptions or measures will be assessed and/or monitored, and by what standards

Assist the member firm client with the following activities:

3.3.1 Identify the key exceptions or measures that will be assessed and/or monitored
Potential Inputs:
• Input from client
• Reports used by client that show KPIs, KSIs, other metrics
• Data tables that define system fields pertaining to KPIs and KSIs
• Definition of an ‘exception’
• Exception rates and trends
• Results of the risk assessment, gap analysis, retrospective diagnostic analysis, and/or any other analyses performed in the Assess Phase
• Prioritized list of business areas to be addressed
Potential Outputs:
• A list of key indicators/measures to be assessed and/or monitored
Tools and Templates:
• AT – Example Key Performance Indicator
• CA/CM – Establishing a Business Case

3.3.2 Identify the method to assess and/or monitor the key exceptions or measures
Potential Inputs:
• Client controls testing documents
• Reports used by client that show KPIs, KSIs, other metrics
• Data tables that define system fields
• Results of the risk assessment, gap analysis, retrospective diagnostic analysis, and/or any other analyses performed in the Assess phase
Potential Outputs:
• A description of how each key indicator will be monitored and/or assessed (e.g., thresholds)


3.3 Define exceptions, measures and anomaly thresholds – Activity and Task Guidance

3.3.1 Identify the key exceptions or measures that will be assessed and/or monitored
General Guidance:
• Start by reviewing the client’s existing documentation of key indicators (exception reports, KPIs/KSIs and metrics), to understand what data, transactions, or processes are currently monitored and/or assessed. For example, a key indicator may be the age of a receivable, value of sales lost due to overcapacity/stock outs, or average days sales outstanding.
• Identify additional data, transactions, or processes that need to be monitored and/or assessed based on identification of weaknesses and gaps from the Assess phase, as well as the prioritized list of business areas to be addressed from Step 3.1 of this phase.

3.3.2 Identify the method to assess and/or monitor the key exceptions or measures
General Guidance:
• Start by reviewing the client’s existing documents which outline and define the controls testing procedures, such as SOX documents or Internal Audit test programs.
• Review the data tables to understand the structure and format of those fields containing potential KPIs and KSIs.
• Identify methods to monitor and/or assess each key indicator. For example, the age of a receivable is evaluated based on groupings of 30, 60, 90, and 120+ days old and is considered bad debt after 120 days old.
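
The receivable-aging rule given as the example in 3.3.2, written out as a monitoring check. This is an added example, not part of the guide or of any CA/CM tool; the inclusive bucket edges, counting age from the invoice date, the record fields and the sample ledger are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Aging groupings from the text: 30, 60, 90 and 120+ days.
# Assumption: each bound is an inclusive upper edge, so an item exactly
# 120 days old is still in "91-120" and becomes bad debt on day 121.
BUCKET_BOUNDS = ((30, "0-30"), (60, "31-60"), (90, "61-90"), (120, "91-120"))
BAD_DEBT_BUCKET = "120+"


@dataclass(frozen=True)
class Receivable:
    """One open receivable; the field names are hypothetical."""
    invoice_id: str
    customer: str
    invoice_date: date  # assumption: age is counted from the invoice date
    amount: Decimal


def bucket_for(age_days):
    """Map an age in days to its aging bucket label."""
    if age_days < 0:
        raise ValueError("age cannot be negative")
    for upper, label in BUCKET_BOUNDS:
        if age_days <= upper:
            return label
    return BAD_DEBT_BUCKET


def run_aging_check(ledger, as_of):
    """Age every open item as of the run date.

    Returns per-bucket totals, the bad-debt exceptions (older than 120 days),
    and records rejected for data quality (dated after the run date) so they
    are reported instead of being silently aged as current.
    """
    totals = {label: Decimal("0") for _, label in BUCKET_BOUNDS}
    totals[BAD_DEBT_BUCKET] = Decimal("0")
    exceptions, rejected = [], []
    for item in ledger:
        age = (as_of - item.invoice_date).days
        if age < 0:
            rejected.append(item)
            continue
        label = bucket_for(age)
        totals[label] += item.amount
        if label == BAD_DEBT_BUCKET:
            exceptions.append((item, age))
    # Oldest first, so the exception report leads with the worst items.
    exceptions.sort(key=lambda pair: pair[1], reverse=True)
    return {"totals": totals, "exceptions": exceptions, "rejected": rejected}


# Constructed sample ledger and run date (not client data).
RUN_DATE = date(2011, 6, 30)
SAMPLE_LEDGER = [
    Receivable("INV-1001", "Customer A", date(2011, 6, 10), Decimal("500.00")),
    Receivable("INV-1002", "Customer B", date(2011, 5, 1), Decimal("1200.00")),
    Receivable("INV-1003", "Customer A", date(2011, 4, 1), Decimal("750.00")),
    Receivable("INV-1004", "Customer C", date(2011, 3, 2), Decimal("300.00")),
    Receivable("INV-1005", "Customer C", date(2011, 3, 1), Decimal("900.00")),
    Receivable("INV-1006", "Customer D", date(2010, 12, 15), Decimal("2500.00")),
    Receivable("INV-1007", "Customer B", date(2011, 7, 5), Decimal("100.00")),
]

if __name__ == "__main__":
    result = run_aging_check(SAMPLE_LEDGER, RUN_DATE)
    for label, total in result["totals"].items():
        print(f"{label:>7}: {total}")
    for item, age in result["exceptions"]:
        print(f"BAD DEBT  {item.invoice_id} {item.customer} {age} days {item.amount}")
    for item in result["rejected"]:
        print(f"REJECTED  {item.invoice_id} dated after run date {RUN_DATE}")
```

INV-1004 sits exactly on the 120-day edge and INV-1007 is dated after the run date, so the sample exercises both the threshold boundary and a data-quality reject.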


3.4 Client selects CA/CM tool(s) – Activity Summary

• Assist the client with their selection of the CA/CM tool(s) that can better suit their needs

Assist the member firm client with the following activities:

3.4.1 Assist the client with identifying tool functionality and technical capability
Potential Inputs:
• Client input regarding required or preferred functionality and technical capability
• Existing client tools
Potential Outputs:
• List of required or preferred functionality
• List of required or preferred technical capability
Tools and Templates:
• AT – Design considerations Technique Paper
• AT – IT Systems Requirements Examples
• CA/CM Tool Summaries

3.4.2 Assist the client with identifying the CA/CM tool that can better meet their needs
Potential Inputs:
• List of required or preferred functionality
• List of required or preferred technical capability
• Discussions with CA/CM tool vendors
Potential Outputs:
• Tool selection
Tools and Templates:
• Sourcing Methodology
• Selection Assistance


3.4 Client selects CA/CM tool(s) – Activity and Task Guidance

3.4.1 Assist the client with identifying tool functionality and technical capability
General Guidance:
The following key points should be considered:
• What systems and monitoring functions currently exist and what is the organization’s use experience?
• What CA/CM implementation model makes sense based on the system architecture?
• Does the organization use existing monitoring capabilities within the ERP system, third-party bolt-on solutions, or a combination of both?
• Will tools reside internally or will the organization batch data to send to an external service provider to evaluate, detect, and report business rule exceptions and other anomalies?
• What is the required frequency and sophistication of analysis?
• How will exceptions be reported, assigned, resolved and documented?
• What technology will be shared (or not shared) between management and internal audit?
• What are the organization’s license costs across technologies and has it optimized this investment?

3.4.2 Assist the client with identifying the CA/CM tool that can better meet their needs
General Guidance:
• The client should have discussions directly with the CA/CM vendors to help ensure they are provided with the most up-to-date and accurate information.
Risk Management Notes:
• KPMG should not attest to the functionality or technical capabilities of the various CA/CM tools.
• It is required that the ITPA Selection Assistance Guide be adhered to in completing this activity.


3.5 Design suite of analytics, reports and dashboards – Activity Summary


• Assist client with developing a meaningful way to view the outputs of the selected tool(s)

Assist the member firm client with the following activities:

3.5.1 Confirm the desired outputs
Potential Inputs:
• Input from client
• Relevant existing client reports
Potential Outputs:
• List of outputs to be incorporated into the analytics, reports, and/or dashboards

3.5.2 Identify the format in which the client prefers to view the output
Potential Inputs:
• Input from client
• Relevant existing client reports
• List of outputs to be incorporated into the analytics, reports, and/or dashboards
Potential Outputs:
• Format of analytics, reports, and/or dashboards preferred by client

3.5.3 Create a template of the analytics, reports and/or dashboards
Potential Inputs:
• List of outputs from Activity 3.5.1
• Format from Activity 3.5.2
Potential Outputs:
• Sample report and/or dashboard
Tools and Templates:
• ERM Implementation Phase 7 – Risk Reporting and Monitoring – Sample Risk Dashboard


3.5 Design suite of analytics, reports and dashboards – Activity and Task Guidance

3.5.1 Confirm the desired outputs
General Guidance:
• The content of the analytics, reports, and/or dashboards should align with the key data, controls, and processes that will be monitored and/or assessed from Step 3.3.

3.5.2 Identify the format in which the client prefers to view the output
General Guidance:
• Via discussion with the client, confirm the format of the outputs (e.g., the client may want to utilize an existing ERP reporting format or export the data into an existing data warehouse).

3.5.3 Create a template of the analytics, reports and/or dashboards
General Guidance:
• The shell analytics, reports and/or dashboards should be as close to final as possible prior to implementation.
• The client should review and approve the templates prior to implementation.
Risk Management Notes:
• The client should work directly with the vendor of the selected CA/CM tool. KPMG can assist the client by providing advice on draft analytics, reports and/or dashboard templates.


Management Checkpoint C

KPMG Engagement Manager Checkpoint Items for Consideration Include:
☐ Were the important stakeholders’ concerns or requests addressed in the implementation plan?
☐ Were the engagement management documents updated as necessary (e.g., risk register, communications plan, cost management workbook)?
☐ Have we considered the outcomes from our assessment of the suite of analytics, reports and dashboards? Do we need to revisit the original scope and fee?

Client Management Checkpoint Items for Consideration Include:
☐ Was all relevant information communicated to all stakeholders?
☐ Are any changes to the scope and/or funding required?
☐ Do the client stakeholders have sufficient agreement for the project to succeed?

4.0a Implement – Phase Overview

4a: CA only – KPMG Licensed Tool (refer to page 82 for an overview of Phase 4b: CA/CM – Working with a third party)

4.1a Request information
4.2a Create data definitions and detailed data maps
4.3a Extract data based on data request
4.4a Modify/customize selected tool(s)
4.5a Validate analytics
4.6a Perform further modifications to selected tool(s)
4.7a Develop protocols surrounding the assignment and resolution of exceptions

PRIMARY OBJECTIVES:
• Request and obtain information from client required to implement the selected tool(s)
• Define and map the client data to the data fields in the selected tool(s)
• Customize the selected tool(s) to meet the client’s specific needs
• Request and obtain data from client and test selected tool(s)
• Confirm that the output of the selected tool(s) meets the client’s needs

POTENTIAL OUTPUTS:
• Detailed information request
• Requested information, such as: system relationships diagrams, file layouts, data dictionary, legends/codes for ‘type’ data
• Data definitions and maps
• Preliminary configuration of tool(s)
• Requested data
• Sample output from tool(s)
• Analysis of output from tool(s)
• Scoping document(s)


4.1a Request information – Activity Summary


• Request and obtain information from client required to implement the selected tool(s)

Assist the member firm client with the following activities:

4.1.1a Prepare an information request
Potential Inputs:
• Implementation plan
• Design of analytics, reports, and/or dashboards
Potential Outputs:
• Detailed information request
Tools and Templates:
• CA/CM - Information request template

4.1.2a Submit the information request to the client and discuss it with the employee(s) who will provide information
Potential Inputs:
• Detailed information request
• Input from client
Potential Outputs:
• Agreement on existing information request
• Modified information request

4.1.3a Receive requested information from client
Potential Outputs:
• Requested information, such as:
  - system relationship diagrams
  - file layouts
  - data dictionary
  - legends/codes for ‘type’ data


4.1a Request information – Activity and Task Guidance

4.1.1a Prepare an information request
General Guidance:
• The information request should include:
  - Relationship diagrams or schemas that depict any sub-ledger, module and/or database relationships and table structures
  - A description of any other software platforms that use the ERP data as either an input or output (e.g., external banking software)
  - File layouts and/or field definitions for any custom programs or tables
  - A data dictionary or schema for the relevant business areas
  - Any other legends/codes for ‘type’ data that may be included in the data extracts

4.1.2a Submit the information request to the client and discuss it with the employee(s) who will provide information
General Guidance:
• Discuss the information request with the client before the information is gathered. Revise the request where required.

4.1.3a Receive requested information from client
General Guidance:
• Once the information is received, verify the information is what was actually requested.
• Ask the client any questions before proceeding with the implementation.
• Maintain a log of all documents received, from whom, and on what date.
• Placing documents in an engagement e-Room allows them to be shared easily among all team members.
Risk Management Notes:
• Keep track of any deviations in the information received from the information requested. This may be important if it results in delays in the work to be performed by KPMG.


4.2a Create data definitions and detailed data maps – Activity Summary
• Define and map the client data to the data fields in the selected tool(s)

Assist the member firm client with the following activities:

4.2.1a Review system and data documentation of client’s existing system(s)
Potential Inputs:
• Documents received from information request, such as:
  - System relationships diagrams
  - File layouts
  - Data dictionary
  - Legends/codes for ‘type’ data
Potential Outputs:
• List of questions/information gaps
Tools and Templates:
• AT – Data Types and Validation Guidance

4.2.2a Map the data as defined by the client to the data fields in the selected CA/CM software application
Potential Inputs:
• Data dictionary
• File layouts
Potential Outputs:
• Data definitions and maps
Tools and Templates:
• AT – Data Migration Example


4.2a Create data definitions and detailed data maps – Activity and Task Guidance

4.2.1a Review system and data documentation of client’s existing system(s)
General Guidance:
• Using the documents received from information request, take note of relevant data fields, the purpose for which they are used, and how the values in these fields drive the population of other fields or trigger certain processes.
• Discuss any questions with the client.

4.2.2a Map the data as defined by the client to the data fields in the selected CA/CM software application
General Guidance:
• Once the purpose of each data field is understood, the fields can be mapped or translated to fields in the selected approach. This will facilitate the actual importing of data into the CA/CM application.


4.3a Extract data based on data request – Activity Summary


• Request and obtain data from client required to test selected tool(s)

Assist the member firm client with the following activities:

4.3.1a Prepare a data request
Potential Inputs:
• Review of documents gathered based on information request in Step 4.1a
• Implementation plan
• Design of analytics, reports, and/or dashboards
Potential Outputs:
• Detailed data request
Tools and Templates:
• Data request template

4.3.2a Submit the data request to the client and discuss it with employees who will provide the data
Potential Inputs:
• Detailed data request
• Input from client
Potential Outputs:
• Agreement on existing data request
• Modified data request

4.3.3a Receive the requested data from the client
Potential Inputs:
• Data files
Potential Outputs:
• Data log


4.3a Extract data based on data request – Activity and Task Guidance

4.3.1a Prepare a data request
General Guidance:
• The data request should include the following, at a minimum:
  - A specified date range for the data extract
  - A list of all the fields being requested and their respective source tables
  - The column order of the fields requested
  - The specified file format, such as the delimited preference (comma, pipe, other), and the file type (CSV, text, other)
  - The preferred delivery method (CD, USB hard drive, secure FTP, other)
  - Control totals for all files provided (number of records, dollar totals, other)
Risk Management Notes:
• In preparing the data request, consideration should be given to the handling and storage of confidential data and Personally Identifiable Information (PII). Refer to the ARMP where appropriate.
• The engagement team should collect or accept only the minimum PII necessary to fulfil the purpose for which it is being collected. Refer to Chapter 11 of the Risk Management Manual (RMM) for further guidance.

4.3.2a Submit the data request to the client and discuss it with employees who will provide the data
General Guidance:
• It is extremely useful to discuss the data request with the client before the data is extracted. Often the client is able to provide insight into nontraditional use of fields or other circumstances unique to their business.

4.3.3a Receive the requested data from the client
General Guidance:
• Once the data is received, it is critical to verify the date ranges, data fields, and control totals. This can be done using a technology tool.
• Ask the client any questions before proceeding with the implementation.
• Maintain a log of all data files received, from whom, and on what date.
• Placing data files in an engagement e-Room allows them to be shared easily among all team members.
Risk Management Notes:
• Keep track of any deviations in the data received from the data requested. This may be important if it results in delays in the work to be performed by KPMG.
• The requested data should be appropriately stored and referred to in the Engagement file. An outline of the data extraction process should also be retained. Refer to Chapter 24 of the RMM for further guidance.
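
The verification in 4.3.3a (date ranges, data fields, control totals) can be scripted against the terms of the data request from 4.3.1a. The Python below is an added example, not part of this guide or of any KPMG tool; the field names, pipe delimiter, ISO date format and sample rows are constructed assumptions.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime
from decimal import Decimal, InvalidOperation


@dataclass(frozen=True)
class DataRequest:
    """Terms agreed in the data request (4.3.1a). All names are illustrative."""
    columns: tuple           # requested fields, in the requested column order
    delimiter: str           # agreed delimiter
    date_field: str          # field carrying the transaction date
    date_from: date          # start of requested date range (inclusive)
    date_to: date            # end of requested date range (inclusive)
    amount_field: str        # field summed for the dollar control total
    record_count: int        # control total: number of records
    amount_total: Decimal    # control total: sum of amount_field


def validate_extract(text, request):
    """Return the deviations between a received extract and the request.

    An empty list means fields, column order, date range and control totals
    all match. Each string can go straight into the deviation log.
    """
    deviations = []
    reader = csv.reader(io.StringIO(text), delimiter=request.delimiter)
    header = next(reader, None)
    if header is None:
        return ["file is empty"]
    header = [name.strip() for name in header]

    missing = [c for c in request.columns if c not in header]
    extra = [h for h in header if h not in request.columns]
    if missing:
        deviations.append(f"requested fields missing: {missing}")
    if extra:
        # Unrequested columns matter for data minimisation (possible PII).
        deviations.append(f"unrequested fields received: {extra}")
    if not missing and not extra and tuple(header) != request.columns:
        deviations.append(f"column order differs from request: {header}")
    if request.date_field not in header or request.amount_field not in header:
        return deviations  # row-level checks are not possible

    date_col = header.index(request.date_field)
    amount_col = header.index(request.amount_field)
    count = 0
    total = Decimal("0")
    for row in reader:
        if not row:
            continue  # skip blank lines
        count += 1
        line = reader.line_num
        if len(row) != len(header):
            deviations.append(f"line {line}: {len(row)} fields, expected {len(header)}")
            continue
        try:
            posted = datetime.strptime(row[date_col].strip(), "%Y-%m-%d").date()
            if not request.date_from <= posted <= request.date_to:
                deviations.append(f"line {line}: date {posted} outside requested range")
        except ValueError:
            deviations.append(f"line {line}: unparseable date {row[date_col]!r}")
        try:
            total += Decimal(row[amount_col].strip())
        except InvalidOperation:
            deviations.append(f"line {line}: unparseable amount {row[amount_col]!r}")

    if count != request.record_count:
        deviations.append(f"record count {count} != control total {request.record_count}")
    if total != request.amount_total:
        deviations.append(f"amount total {total} != control total {request.amount_total}")
    return deviations


# Constructed sample request and extracts (not client data).
REQUEST = DataRequest(
    columns=("invoice_id", "vendor_id", "posting_date", "amount"),
    delimiter="|",
    date_field="posting_date",
    date_from=date(2011, 1, 1),
    date_to=date(2011, 3, 31),
    amount_field="amount",
    record_count=3,
    amount_total=Decimal("1600.45"),
)

GOOD_EXTRACT = """invoice_id|vendor_id|posting_date|amount
INV-1001|V001|2011-01-15|1200.50
INV-1002|V002|2011-02-03|310.00
INV-1003|V001|2011-03-31|89.95
"""

# One record missing and one posted outside the requested quarter.
BAD_EXTRACT = """invoice_id|vendor_id|posting_date|amount
INV-1001|V001|2011-01-15|1200.50
INV-1002|V002|2011-04-03|310.00
"""

if __name__ == "__main__":
    for name, extract in (("good", GOOD_EXTRACT), ("bad", BAD_EXTRACT)):
        print(name, validate_extract(extract, REQUEST) or "no deviations")
```

Decimal arithmetic is used for the dollar control total so that the comparison is exact rather than subject to floating-point rounding.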


4.4a Modify/customize selected tool(s) – Activity Summary


• Modify or customize the selected tool(s) to meet the client’s specific needs.
Assist the member firm client with the following activities:

4.4.1a Modify or customize the configuration of the selected tool(s) to meet the specifications of the implementation plan and the shell analytics, reports, and/or dashboard
Potential Inputs:
• Implementation plan
• Data definitions and maps
• Standard tool configuration
Potential Outputs:
• Preliminary configuration of tool(s)


4.4a Modify/customize selected tool(s) – Activity and Task Guidance

4.4.1a Modify or customize the configuration of the selected tool(s) to meet the specifications of the implementation plan and the shell analytics, reports, and/or dashboard
General Guidance:
• As required, make modifications to the selected tool(s). Note that tool modifications include the customization of specific data settings and parameters within the tool.
• Help ensure that all modifications are appropriately documented and discussed with designated client contact
Risk Management Notes:
• Consider the impact on existing budget if a large amount of changes are required to meet client needs.


4.5a Validate analytics – Activity Summary


• Confirm that the output of the selected tool(s) meets the client’s needs

Assist the member firm client with the following activities:

4.5.1a Perform a test run of the preliminary tool configuration
Potential Inputs:
• Data extracted from client’s system(s)
• Data mapping design
Potential Outputs:
• Sample output from tool(s)

4.5.2a Analyze the results of the test output with the client
Potential Inputs:
• Implementation plan
• Data mapping design
• Results from the preliminary test run of the tool configuration
• Transaction supporting documentation
Potential Outputs:
• Analysis of output from tool(s)
• Proposed configuration changes
• Documentation supporting that the results from the application met the client’s expectations


4.5a Validate analytics – Activity and Task Guidance

4.5.1a Perform a test run of the preliminary tool configuration
General Guidance:
• Once the data has been received from the client, it should be uploaded into the tool for testing
• In uploading the data, adjustments may need to be made to the data format and structure
• Using the client data, run the queries and routines
Risk Management Notes:
• Data should be physically secured when not being used

4.5.2a Analyze the results of the test output with the client
General Guidance:
• Compare the results of the standard analytic to independent analysis to validate that the CA application(s) results meet expectation.
• On a test basis, compare results of the CA application(s) standard analytics to transaction supporting documentation.
• Obtain documentation of end-user and respective business process owner acceptance.
Risk Management Notes:
• Documentation of end-user and business process owner acceptance should be maintained in the engagement file.


4.6a Perform further modifications to selected tool(s) – Activity Summary


• Adjust the configuration of the tool(s) to meet the client’s requirements
Assist the member firm client with the following activities:

4.6.1a Modify as needed the configuration of the selected tool(s) to meet the specifications of the implementation plan and the shell analytics, reports, and/or dashboard
Potential Inputs:
• Preliminary configuration of tool(s)
• Data definitions and maps
• Proposed configuration changes
Potential Outputs:
• Updated configuration of tool(s)
• Revised configuration changes

4.6.2a Test the modified configuration of the selected tool(s)

4.6.3a Rerun the analytics, as necessary
Potential Inputs:
• Results of the previous test analytics
Potential Outputs:
• Sample output from tool(s)


4.6a Perform further modifications to selected tool(s) – Activity and Task Guidance

4.6.1a Modify as needed the configuration of the selected tool(s) to meet the specifications of the implementation plan and the shell analytics, reports, and/or dashboard

4.6.2a Test the modified configuration of the selected tool(s)
General Guidance:
• Compare the results to independent analysis to validate that the CA application(s) results meet expectation

4.6.3a Rerun the analytics, as necessary
General Guidance:
• If any inconsistencies are noted based on the above analysis, rerun the analytics
• Obtain documentation of end-user and respective business process owner acceptance
Risk Management Notes:
• Documentation of end-user and business process owner acceptance should be retained in the engagement file.


4.7a Develop protocols surrounding the assignment and resolution of exceptions – Activity Summary
• Identified exceptions are followed up and actioned in a timely manner

Assist the member firm client with the following activities:

4.7.1a Establish protocols surrounding the assignment and resolution of exceptions
Potential Inputs:
• Existing process documentation
• Organizational chart
Potential Outputs:
• Draft protocols surrounding the assignment and resolution of exceptions

4.7.2a Assign the follow-up of identified exceptions to appropriate business process and data owners
Potential Inputs:
• Organizational chart
• List of process and data owners
Potential Outputs:
• Updated list of process and data owners
• Reporting timetable
Tools and Templates:
• Global Forensic Data Analysis Methodology


4.7a Develop protocols surrounding the assignment and resolution of exceptions – Activity and Task Guidance

4.7.1a Establish protocols surrounding the assignment and resolution of exceptions
General Guidance:
• Through discussion with the client, document protocols relating to the assignment and resolution of the identified exceptions
• Utilize existing organizational procedural format/structure
• Obtain and document appropriate approvals from the project sponsor and other relevant individuals

4.7.2a Assign the follow-up of identified exceptions to appropriate business process and data owners
General Guidance:
• In consultation with key stakeholders, document who has responsibility for following up on the identified exceptions
• Follow-up activities may include root cause analysis, level of documentation required and reporting protocols
• Determine what reporting the individual and wider organization will receive and in what format
• Obtain documentation of business process and data owner acceptance


Management Checkpoint C

KPMG Engagement Manager Checkpoint Items for Consideration Include:
☐ Have we documented any deviations in the information we received from the information we requested? Have these deviations been resolved?
☐ Have we considered potential risks associated with the transmission of the requested data from the client? Will the data be encrypted? Refer to Chapter 41 of the Global Risk Management Manual for further guidance.
☐ Ensure that the engagement management documents are updated as necessary (e.g., risk register, communications plan, cost management workbook).
☐ Have we documented end-user and business process owner acceptance of the analytics?

Client Management Checkpoint Items for Consideration Include:
☐ Has the initiative been communicated to everyone that may be impacted by the change/s to specific processes (e.g., management, IT, staff, customers, vendors)?
☐ Do we have formal and documented agreement from the client’s IT staff regarding KPMG access to systems and data?


4.0b Implement – Phase Overview

4b: CA/CM – Working with a third party

4.1b Confirm our understanding of the client implementation plan of the CA/CM application
4.2b Validate data mapping and standard analytic results
4.3b Perform customization of analytics
4.4b Evaluate results and perform sensitivity modifications
4.5b Evaluate results and perform additional sensitivity modifications
4.6b Validate that outputs operate as expected
4.7b Develop protocols surrounding the assignment and resolution of exceptions
4.8b Discuss and document client CA/CM training needs
4.9b Assist with development and delivery of training

PRIMARY OBJECTIVES:
• Confirm our understanding of project milestones and the implementation schedule
• Assist with the validation of the application(s) integrity and completeness
• Validate the results of data analytic routines meet expectation and align with the outcomes in the Design Phase
• Help ensure that dashboard/reports are accurate, alerts properly execute, and notifications are properly routed
• Provide observations and recommendations regarding client training needs
• Assist with the development and delivery of CA/CM training (as required)

POTENTIAL OUTPUTS:
• Project management schedules and associated documentation
• Exception reports
• Dashboards, notifications and alerts
• Documentation for implemented analytic routines
• Client acceptance documentation
• Training work plan
• Training guide and supporting materials

4.1b Confirm our understanding of the client implementation plan of the CA/CM application – Activity Summary

• Confirm our understanding of project milestones and schedule and assist with validating accuracy of data importation process

Assist the member firm client with the following activities:

4.1.1b Align KPMG staff with relevant project milestones
Potential Inputs:
• Implementation plan
Potential Outputs:
• Project schedule
• Estimates to complete

4.1.2b Assist client with developing and executing data completeness procedures and documentation
Potential Inputs:
• Selected CA/CM application data integrity documentation
• Selected CA/CM application report writer completeness documentation
Potential Outputs:
• Post implementation data integrity work papers
• Post implementation report writer completeness work papers


4.1b Confirm our understanding of the client implementation plan of the CA/CM application – Activity and Task Guidance

4.1.1b Align staff with relevant project milestones
General Guidance:
• A project management schedule should be created and approved by the client to help ensure that appropriate client and KPMG resources are available

4.1.2b Assist client with developing and executing data completeness procedures and documentation
General Guidance:
• Review selected CA/CM application(s) completeness protocols and assist client with any modifications that may be needed to meet management and third party requirements
• Compare data imported and processed in the selected application to the data that is included in management and financial reporting
• Obtain end-user and business process owner acceptance of data completeness


4.2b Validate data mappings and standard analytic results – Activity Summary

• Validate results of standard data analytic routines

Assist the member firm client with the following activities:

4.2.1b Assist the client with developing documentation standards for demonstrating data integrity
Potential Inputs:
• Source Data Record Counts
• Source Data Definitions
• Source Data Control Totals
Potential Outputs:
• Imported Data Record Counts
• Source Data Definitions
• Source Data Control Totals
Tools and Templates:
• Global Forensic Data Analysis Methodology

4.2.2b Gain an understanding of which data elements include/exclude data from the client’s accounting information system and management and financial reports
Potential Inputs:
• Definition of data exported from the source application.
• Definition of data included/excluded from client accounting information system reports
Potential Outputs:
• Documentation demonstrating completeness of records between data imported into selected application(s) and client accounting information system reports relied on by management.
Tools and Templates:
• Global Forensic Data Analysis Methodology

4.2.3b Review the results of the standard analytics to determine if the results meet expectation
Potential Inputs:
• Data Mapping Design
• Results from initial execution of implemented CA/CM application
Potential Outputs:
• Documentation validating that results from the application meet expectation
Tools and Templates:
• Global Forensic Data Analysis Methodology


4.2b Validate data mappings and standard analytic results – Activity and Task Guidance

4.2.1b Assist the client with developing documentation standards for demonstrating data integrity
General Guidance:
• Assist client with identifying relevant data elements and metrics to measure data integrity for the extraction and importation process between the client’s accounting information system(s) and the implemented application(s).

4.2.2b Gain an understanding of which data elements include/exclude data from the client’s accounting information system management and financial reports
General Guidance:
• Assist the client with identifying a process to test whether the data extraction and importation process between the client’s accounting information system(s) and the implemented CA/CM application(s) executed completely.
• Compare data imported into the CA/CM application(s) to key management reports to identify any instances where data no longer conforms to specifications of the CA/CM application(s).

4.2.3b Review the results of the standard analytics to determine if the results meet expectation
General Guidance:
• Compare the results of the standard analytic to independent analysis to validate that the CA/CM application(s) results meet expectation.
• On a test basis, compare results of the CA/CM application(s) standard analytics to transaction supporting documentation.
• Obtain documentation of end-user and respective business process owner acceptance of standard analytic results.
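
The record-count and control-total comparison described in 4.2.1b and 4.2.2b can be scripted as an independent check on the import. The following is an added illustration, not part of this guide or of any CA/CM product; the field names (doc_id, period, amount) and both data samples are constructed.

```python
"""Reconcile a source-system extract against data imported into a CA/CM tool.

Field names and both CSV samples are constructed for illustration only.
"""
import csv
import io
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed sample: extract taken from the accounting information system.
SOURCE_CSV = """doc_id,period,amount
JE-1001,2011-01,1500.00
JE-1002,2011-01,-1500.00
JE-1003,2011-02,249.99
JE-1004,2011-02,1000.10
JE-1005,2011-03,75.25
"""

# Constructed sample: the same data as reported by the tool after import.
# JE-1003 was loaded twice, JE-1004 lost its cents, JE-1005 is missing.
IMPORTED_CSV = """doc_id,period,amount
JE-1001,2011-01,1500.00
JE-1002,2011-01,-1500.00
JE-1003,2011-02,249.99
JE-1003,2011-02,249.99
JE-1004,2011-02,1000
"""


def load_rows(csv_text):
    """Parse CSV text into dicts; amounts become exact Decimal values."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "doc_id": rec["doc_id"].strip(),
            "period": rec["period"].strip(),
            "amount": Decimal(rec["amount"].strip()),
        })
    return rows


def control_totals(rows):
    """Return {period: (record_count, amount_total)}."""
    totals = defaultdict(lambda: [0, Decimal("0")])
    for row in rows:
        bucket = totals[row["period"]]
        bucket[0] += 1
        bucket[1] += row["amount"]
    return {period: (count, total) for period, (count, total) in totals.items()}


def reconcile(source_rows, imported_rows):
    """Compare counts and control totals per period, then drill down by key."""
    zero = (0, Decimal("0"))
    src_tot = control_totals(source_rows)
    imp_tot = control_totals(imported_rows)
    period_breaks = {}
    for period in sorted(set(src_tot) | set(imp_tot)):
        s_count, s_total = src_tot.get(period, zero)
        i_count, i_total = imp_tot.get(period, zero)
        if (s_count, s_total) != (i_count, i_total):
            period_breaks[period] = {
                "count_diff": i_count - s_count,
                "amount_diff": i_total - s_total,
            }

    # Key-level checks explain the breaks and catch errors that offset
    # each other inside a period total.
    src_ids = Counter(r["doc_id"] for r in source_rows)
    imp_ids = Counter(r["doc_id"] for r in imported_rows)
    src_amount = {r["doc_id"]: r["amount"] for r in source_rows}
    amount_mismatch = {
        r["doc_id"]: (src_amount[r["doc_id"]], r["amount"])
        for r in imported_rows
        if r["doc_id"] in src_amount and r["amount"] != src_amount[r["doc_id"]]
    }
    result = {
        "period_breaks": period_breaks,
        "missing": sorted(set(src_ids) - set(imp_ids)),
        "unexpected": sorted(set(imp_ids) - set(src_ids)),
        "duplicated": sorted(
            k for k in imp_ids if k in src_ids and imp_ids[k] > src_ids[k]
        ),
        "amount_mismatch": amount_mismatch,
    }
    # The import is complete only if every check came back empty.
    result["complete"] = not any(result.values())
    return result


if __name__ == "__main__":
    findings = reconcile(load_rows(SOURCE_CSV), load_rows(IMPORTED_CSV))
    for name, value in findings.items():
        print(f"{name}: {value}")
```

The per-period totals flag that something is wrong; the key-level lists are what a business process owner needs in order to accept or reject the import.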


4.3b Evaluate results and perform sensitivity modifications – Activity Summary

• Validate the results of the analytic routines and assist with any design changes

Assist the member firm client with the following activities:

4.3.1b Review the results from the validation procedures with relevant business owners
Potential Inputs:
• Results of test runs of standard analytics
Potential Outputs:
• Business process owner acceptance
• Proposed configuration changes

4.3.2b Collect recommendations from business owners and other relevant personnel and evaluate configuration changes to the CA/CM application(s)
Potential Inputs:
• Proposed configuration changes
Potential Outputs:
• Feasibility assessment of changes

4.3.3b Assist with any design changes and repeat step 4.2b until data owners/users accept results
Potential Inputs:
• Accepted configuration changes
Potential Outputs:
• Business process owner and user acceptance


4.3b Evaluate results and perform sensitivity modifications – Activity and Task Guidance

4.3.1b Review the results from the validation procedures with relevant business owners
General Guidance:
• Meet with business process owners and data owners to determine whether the results from the CA or CM application(s) are accurate

4.3.2b Collect recommendations from business owners and other relevant personnel and evaluate configuration changes to the CA/CM application(s), if needed
General Guidance:
• Collect change recommendations or approvals from business process owners and CA or CM application(s) users
• Obtain specific configuration changes for any test results that business process owners or CA or CM application(s) users disagreed with
• Working with the vendor, perform a feasibility assessment on any proposed configuration changes and seek approval from implementation team prior to performing configuration changes

4.3.3b Assist with design changes and repeat step 4.2b until data owners/users accept results
General Guidance:
• Refer to guidance from step 4.2b


4.4b Perform customization of analytics – Activity Summary

• Customize data analytic routines to meet client requirements

Assist the member firm client with the following activities:

4.4.1b Where required, customize the analytics to meet client requirements
Potential Inputs:
• Data mapping design
• Results from initial execution of implemented CA or CM application
Potential Outputs:
• Proposed changes to the analytics
Tools and Templates:
• Global Forensic Data Analysis Methodology
• KTRACE Data Analysis Routines


4.4b Perform customization of analytics – Activity and Task Guidance

4.4.1b Where required, customize the analytics to meet client requirements
General Guidance:
• Compare the results of the custom analytic to independent analysis to validate that the CM application(s) results meet expectation
• On a test basis, compare results of CM application(s) custom analytics to transaction supporting documentation. Where required, revise the analytics and re-run the tests.
• Obtain documentation of end-user and respective business process owner acceptance


4.5b Evaluate results and perform additional sensitivity modifications – Activity Summary

• Evaluate the results and where required perform additional sensitivity modifications

Assist the member firm client with the following activities:

4.5.1b Review the results from the validation procedures with relevant business owners
Potential Inputs:
• Results from test runs of custom analytics
Potential Outputs:
• Business owner acceptance
• Proposed configuration changes

4.5.2b Collect recommendations from business owners and other relevant personnel and evaluate configuration changes to the CM application(s)
Potential Inputs:
• Proposed configuration changes
Potential Outputs:
• Feasibility assessment of changes

4.5.3b Assist with any design changes and repeat step 4.2b until data owners/users accept results
Potential Inputs:
• Accepted configuration changes
Potential Outputs:
• Business process owner and user acceptance


4.5b Evaluate results and perform additional sensitivity modifications – Activity and Task Guidance

4.5.1b Review the results from the validation procedures with relevant business owners
General Guidance:
• Meet with business process owners and data owners to determine whether the results from the CA/CM application(s) are accurate

4.5.2b Collect recommendations from business owners and other relevant personnel and evaluate configuration changes to the CA/CM application/s
General Guidance:
• Collect change recommendations or approvals from business owners and CA/CM application(s) users
• Obtain specific configuration changes for any test results where business process owners or CA/CM application(s) users disagreed
• Perform a feasibility assessment on any proposed configuration changes and seek approval from implementation team prior to performing configuration changes

4.5.3b Assist with design changes and repeat step 4.2b until data owners/users accept results
General Guidance:
• Refer to guidance in step 4.2b


4.6b Validate that outputs operate as expected – Activity Summary

• Validate that the dashboards/reports, alerts and notifications are properly functioning and obtain user acceptance

Assist the member firm client with the following activities:

4.6.1b Test dashboard reports for completeness and accuracy
Potential Inputs:
• Sample Transaction Data
Potential Outputs:
• User Acceptance Documentation

4.6.2b Test alerts and notifications
Potential Inputs:
• Sample Transaction Data
Potential Outputs:
• User Acceptance Documentation

4.6.3b Modify dashboard reports, alerts and notifications and rerun as necessary
Potential Inputs:
• Proposed Modifications
• Sample Transaction Data


4.6b Validate that outputs operate as expected – Activity and Task Guidance

4.6.1b Test dashboard reports for completeness and accuracy
General Guidance:
• Trace dashboard reports to source data and confirm with end-user(s) and respective business process owner(s) for completeness and accuracy

4.6.2b Test alerts and notifications
General Guidance:
• Using sample data, test that the application creates appropriate alerts and notifications

4.6.3b Modify dashboard reports, alerts and notifications and rerun as necessary
General Guidance:
• Where necessary, make modifications to the dashboard reports, alerts and notifications
• Obtain documentation of end-user and respective business process owner(s) acceptance


4.7b Develop protocols surrounding the assignment and resolution of exceptions – Activity Summary

• Identified exceptions are followed up and actioned in a timely manner

Assist the member firm client with the following activities:

4.7.1b Establish protocols surrounding the assignment and resolution of exceptions
Potential Inputs:
• Existing process documentation
• Organizational chart
Potential Outputs:
• Draft protocols surrounding the assignment and resolution of exceptions

4.7.2b Assign the follow-up of identified exceptions to appropriate business process and data owners
Potential Inputs:
• Organizational chart
• List of process and data owners
Potential Outputs:
• Updated list of process and data owners
• Reporting timetable


4.7b Develop protocols surrounding the assignment and resolution of exceptions – Activity and Task Guidance

4.7.1b Establish protocols surrounding the assignment and resolution of exceptions
General Guidance:
• Through discussion with the client, document protocols relating to the assignment and resolution of the identified exceptions
• Utilize existing organizational procedural format/structure
• Obtain and document appropriate approvals from the project sponsor and other relevant individuals

4.7.2b Assign the follow-up of identified exceptions to appropriate business process and data owners
General Guidance:
• In consultation with key stakeholders, document who has responsibility for following up on the identified exceptions
• Follow-up activities may include root cause analysis, level of documentation required and reporting protocols
• Determine what reporting the individual and wider organization will receive and in what format
• Obtain documentation of business process and data owner acceptance


4.8b Discuss and document client CA/CM training needs – Activity Summary

• Discuss resource skill sets with client contact

Assist the member firm client with the following activities:

4.8.1b Discuss resource skill sets with client contact
Potential Inputs:
• Organization Chart

4.8.2b Develop skills assessment
Potential Outputs:
• Skill Assessment Criterion
Tools and Templates:
• AT – Skills Assessment Example
• AT – Competency Assessment Example
• AT – Competency Needs Assessment Example

4.8.3b Conduct skills assessment
Potential Inputs:
• Skills Assessment Form
Potential Outputs:
• Completed Skills Assessment Form
Tools and Templates:
• AT – Skills Assessment Example

4.8.4b Evaluate skills assessment and recommend training program to fill gaps
Potential Inputs:
• Skills Assessment Form
• List of Available Training Programs
Potential Outputs:
• Summary of Available Skills
• Skill Gaps
• Available training programs to fill gaps


4.8b Discuss and document client CA/CM training needs – Activity and Task Guidance

4.8.1b Discuss resource skill sets with client contact
General Guidance:
• Conduct a discussion with the client to determine short-term and long-term goals around skill sets needed to conduct their business
• Determine which skill sets they need to have internally and which they would be willing to leverage from external entities
Risk Management Notes:
For resources needed at the client, KPMG may suggest high level qualifications, roles and responsibilities requirements based on general industry standards and KPMG experience with leading practices. We cannot assign specific resources or assign individuals to specific roles and responsibilities.

4.8.2b Develop skills assessment
General Guidance:
• Based on the skill sets that they would like to have internally, develop a skills assessment to determine the level of experience present from the current staff
Risk Management Notes:
We can discuss generic resource/skill sets needed but not assess actual skill sets for SEC audit clients.

4.8.3b Conduct skills assessment
General Guidance:
• Using the skills assessment, conduct interviews with relevant staff using exercises to determine the level of skills that the internal staff possess
Risk Management Notes:
We cannot perform for SEC audit clients and their affiliates.

4.8.4b Evaluate skills assessment and recommend training program to fill gaps
General Guidance:
• Summarize the skills assessment and determine gaps present in the skill levels of existing staff
• Compare gaps with external available training programs
• Consider the feasibility of developing client specific training to address the identified gaps
• Present findings and recommendations to client
Risk Management Notes:
Analyzing training needs is permitted. In addition, KPMG is permitted to facilitate client workshops or educate client staff on technical accounting, general industry standards and KPMG experience with leading practice if the client (and not KPMG) uses and applies the knowledge during the course of the project. We may also review and provide advice and guidance on client-developed training materials. Management is solely responsible for the ultimate scope of training to be provided to client personnel.


4.9b Assist with developing and delivery of CA/CM training – Activity Summary

• Deliver CA/CM training

Assist the member firm client with the following activities:

4.9.1b Determine audience level and types of skills needed
Potential Inputs:
• Skills Assessment
Potential Outputs:
• Draft Training Agenda
• Training Overview Document

4.9.2b Develop training structure and supporting materials
Potential Inputs:
• Internal KPMG training courses
• Business process descriptions
• Control Matrices
Potential Outputs:
• Training Materials

4.9.3b Deliver training
Potential Inputs:
• Training materials
Potential Outputs:
• Training Evaluations


4.9b Assist with developing and delivery of CA/CM training – Activity and Task Guidance

4.9.1b Determine audience level and types of skills needed
General Guidance:
• Based on the target audience and skill requirements set out by the client, prepare a training overview document.
• Submit the training overview and agenda for client approval.
Risk Management Notes:
• If this is an additional service to the original engagement scope follow GREG procedures.
• Analyzing training needs is permitted. In addition, KPMG is permitted to facilitate client workshops or educate client staff on technical accounting, general industry standards and KPMG experience with leading practice if the client (and not KPMG) uses and applies the knowledge during the course of the project.

4.9.2b Develop training structure and supporting materials
General Guidance:
• Assist the client to prepare relevant CA/CM training materials, using existing KPMG and client materials such as business process descriptions and control matrices. For Advisory clients, these training materials can be customized to the client. However, the risk management guidelines listed for activity 4.9.2 must be adhered to.
• For SEC Audit Clients we can provide the client with a generic CA/CM training slide-deck which the client can tailor for its purposes.
Risk Management Notes:
• Training materials should be developed and reviewed by appropriately skilled KPMG staff. Advisory Learning & Development (ALD) should also be involved.
For Advisory clients:
• If we are developing training material that is technical in nature, or is based on materials other than the client’s CA/CM methodology, the materials must be approved by the service line leader.
• Where existing KPMG training material is used all client references, and references to internal practices must be removed.

4.9.3b Deliver training
General Guidance:
• Deliver the training as designed.
• Adjust timeframes and materials as necessary to meet the needs of the client.
Risk Management Notes:
• For SEC audit clients, KPMG can deliver general, non-client-specific training. Training tailored to the client’s policies and procedures must be developed and delivered by client personnel.


Management Checkpoint C

KPMG Engagement Manager Checkpoint Items for Consideration Include:
• Have all stakeholders been identified and has a regular dialogue been established for proper communication of requirements?
• Has anything changed within the client organization (market or otherwise) that may impact the implementation plan?
• How have we addressed the important stakeholders’ concerns or requests?
• Ensure that engagement management documents are updated as necessary (e.g., risk register, communications plan, cost management workbook).

Client Management Checkpoint Items for Consideration Include:
• Has the initiative been communicated to everyone that may be impacted by the change (e.g., management, IT, staff, customers, vendors)?
• Do we have formal and documented agreement from the client’s IT staff regarding KPMG access to client systems and data?
• Have all design variances and issues been resolved?

5.0 Execute – Phase Overview (for CA only)

5.1 Run queries and routines
5.2 Establish and compare to benchmark data
5.3 Assist client with identification of root cause of exceptions/results
5.4 Assist client with remediation and help enhance program
5.5 Discuss and document client training needs
5.6 Assist with development and delivery of training

PRIMARY OBJECTIVES:

• Assist the client with ongoing auditing activities, including the following:
  • Running data extracts against defined queries and routines
  • Providing reports and analyses to client
  • Assisting with researching analysis results
  • Training client personnel to conduct research
• Provide observations and recommendations regarding client training needs

POTENTIAL OUTPUTS:

• Customized Routines
• Various Reports and Analyses:
  • Unusual activity
  • Exceptions
  • Errors
  • Trend Analysis (lead/lag)
  • Others


5.1 Run queries and routines – Activity Summary


• Successfully load client data into the CA tool(s) and complete required data queries and routines

Assist the member firm client with the following activities | Potential Inputs | Potential Outputs | Tools and Templates

5.1.1 Receive Data Sets from Client
• Client Data Sets

5.1.2 Upload Data to Processing Servers
Potential Inputs:
• Client Data Sets
Potential Outputs:
• QA Checklist for Received Data

5.1.3 Verify Correct CA Tools and Rulebooks used for Client
• Checklist for Client Rules Verification

5.1.4 Load Client Data into Selected CA Tool(s)
Potential Inputs:
• Client Data Sets
• Client Scoping Questions
• Client Diagnostic
• Field Mapping
Potential Outputs:
• QA Checklist for Client Setup
• Compare mapping to standard ERP field mapping for reasonableness
Tools and Templates:
• Fraud Risk Management Methodology (Phase 4 – Expanded Activities)
• KTrace Journal Entry Analysis Scoping Questions
• KTrace Journal Entry Analysis Diagnostic


5.1 Run queries and routines – Activity Summary


Assist the member firm client with the following activities | Potential Inputs | Potential Outputs | Tools and Templates

5.1.5 Run Queries and Routines and Generate Reports
Potential Inputs:
• Client Data
• Scoping Questions
Potential Outputs:
• Transaction Management Report

5.1.5a Run Transaction Processing and Generate Reports

5.1.5b Run Controls Processing and Generate Reports
Potential Inputs:
• Client Specific Information
Potential Outputs:
• Controls Management Report

5.1.5c Run SoD Processing and Generate Reports
Potential Inputs:
• Client Specific Information
Potential Outputs:
• SoD Management Report

5.1.6 Preliminary Review of Report and Data Staging for Drilldown
Potential Inputs:
• Report QA Comments
Potential Outputs:
• Draft Report with Comments


5.1 Run queries and routines – Activity and Task Guidance

Activities and Tasks | General Guidance | Risk Management Notes

5.1.1 Receive Data Sets from Client
General Guidance:
• Data may be received from the client in a number of different formats, including disk, external hard drive, secured FTP, net meeting transfer, etc.
• Data received will be process specific (e.g., different data for JE or Procurement)
Risk Management Notes:
• Data should be physically secured when not being used. Team members should be familiar with any client specific agreements regarding the handling of data. Also refer to 4.3a.

5.1.2 Upload Data to Processing Servers
General Guidance:
• Data is uploaded into the general processing environment, which is the entry point for multiple KPMG tool sets.
Risk Management Notes:
• Engagement level security should be used for each client data set to restrict access to assigned personnel.

5.1.3 Verify Correct CA Tools and Rulebooks used for Client
General Guidance:
• Prior to processing, the agreed scope of services and client specific considerations should be reviewed.

5.1.4 Load Client Data into Selected CA Tool(s)
General Guidance:
• In uploading the data to the processing environment, adjustments may need to be made to the data format and structure.


5.1 Run queries and routines – Activity and Task Guidance (cont.)

Activities and Tasks | General Guidance | Risk Management Notes

5.1.5 Run Queries and Routines and Generate Reports

5.1.5a Run Transaction Processing and Generate Reports
General Guidance:
• Run the tool, create the report output and drilldown tables using the client data loaded into the processing environment while leveraging the scoping question responses

5.1.5b Run Controls Processing and Generate Reports
General Guidance:
• Using the client data loaded into the processing environment, run the tool to generate the report

5.1.5c Run SoD Processing and Generate Reports
General Guidance:
• Using the client data loaded into the processing environment, run the tool to generate the report

5.1.6 Preliminary Review of Report and Data Staging for Drilldown
General Guidance:
• Conduct a preliminary review of the report using the QA comments and the Review Guidelines


5.2 Establish and compare to benchmark data – Activity Summary


• Review current exceptions against an established benchmark

Assist the member firm client with the following activities | Potential Inputs | Potential Outputs | Tools and Templates

5.2.1 Review initial report that was conducted for a full business cycle prior to the current timeframe of interest (e.g., one year of data from previous quarter)
Potential Inputs:
• One year of business data
• Report(s) from selected CA application
Potential Outputs:
• Business trends

5.2.2 Review report from current period of interest
Potential Inputs:
• One quarter of business data
• Report(s) from selected CA application
Potential Outputs:
• Business trends
• Unusual activity

5.2.3 Compare report output from current period to the historic period
Potential Inputs:
• Report(s) from selected CA application
• Current quarter business data
• Previous quarter business data
• Quarter one year previous to the current quarter
Potential Outputs:
• Changes in business trends
• Changes in unusual activity


5.2 Establish and compare to benchmark data – Activity and Task Guidance

Activities and Tasks | General Guidance | Risk Management Notes

5.2.1 Review initial report that was conducted for a full business cycle prior to the current timeframe of interest (e.g., one year of data from previous quarter)
General Guidance:
• Initial report runs should cover a timeframe sufficient to capture all recurring business activities
• The baseline reports should be run over the same periods as the review will take place. For example, if quarterly reviews are being undertaken, the four previous quarters should be reviewed individually to create the baseline.

5.2.2 Review report from current period of interest
General Guidance:
• The report from the current period of interest should initially be reviewed without the use of the baseline to facilitate the identification of potential unusual trends and patterns.

5.2.3 Compare report output from current period to the historic period
General Guidance:
• Each of the unusual trends identified in the current report should be compared to the baseline from the like historical period to see if similar activity occurred


5.3 Assist client with identification of root cause and exceptions/results – Activity Summary

• Understand and document the underlying causes of the identified exceptions and/or results

Assist the member firm client with the following activities | Potential Inputs | Potential Outputs | Tools and Templates

5.3.1 Assist client with identification of unusual activity
Potential Inputs:
• CA report(s)
• Report(s) from CA application
Potential Outputs:
• List of unusual activity
Tools and Templates:
• Fraud Risk Management Methodology & Toolkit

5.3.2 Obtain transactional information related to the unusual activity
Potential Inputs:
• Client transaction data
Potential Outputs:
• Transactions related to unusual activity

5.3.3 Design and schedule interviews with personnel involved
Potential Inputs:
• Transactions related to unusual activity
• Archived approvals
• Phone list
Potential Outputs:
• List of questions
• Interview schedule

5.3.4 Conduct interviews
Potential Inputs:
• List of questions
Potential Outputs:
• Interview notes

5.3.5 Determine root cause of unusual activity
Potential Inputs:
• Client transaction data
• Archived approvals
• Interview notes
Potential Outputs:
• Action items to correct root cause
Tools and Templates:
• AT - Root Cause Analysis


5.3 Assist client with identification of root cause and exceptions/results – Activity and Task Guidance

Activities and Tasks | General Guidance | Risk Management Notes

5.3.1 Assist client with identification of unusual activity
General Guidance:
• Review the CA report(s) and identify any unusual activity. Discuss with the client
• Leverage the client’s internal knowledge to calibrate our definition of unusual activity
Risk Management Notes:
• Prior to conducting interviews an evaluation of the occurrence of fraud should be completed. If the client or KPMG believes that unusual activity may represent fraud, a forensic team should be engaged and a separate engagement letter will need to be created.

5.3.2 Obtain transactional information related to the unusual activity
General Guidance:
• In areas where the client determines the transactions to be unusual or where the client is unsure, transactional information supporting the report finding should be obtained and evaluated. The engagement team should consider testing a sample of transactional data to validate the explanation

5.3.3 Design and schedule interviews with personnel involved
General Guidance:
• For all unusual findings, a list of questions should be drafted and interviews scheduled with personnel who are involved

5.3.4 Conduct interviews
General Guidance:
• Assist client in conducting interviews
• Identify additional transactional information to support interview findings, where necessary

5.3.5 Determine root cause of unusual activity
General Guidance:
• Analyze the transactional and interview findings to identify the root cause of the unusual activity


5.4 Assist client with remediation and enhance program – Activity Summary
• Document how the identified issues can be remediated and allocate responsibility

Assist the member firm client with the following activities | Potential Inputs | Potential Outputs | Tools and Templates

5.4.1 Identify ways to remediate the identified issue(s) and assign responsibility for resolution
Potential Inputs:
• Root cause analysis
Potential Outputs:
• List of recommendations, including allocation of responsibility
Tools and Templates:
• AT – Root Cause Analysis

5.4.2 Identify and document ways to enhance the CA program to highlight related or similar types of occurrences
Potential Inputs:
• List of available routines
• List of implemented routines
Potential Outputs:
• Recommendations of additional routines


5.4 Assist client with remediation and enhance program – Activity and Task Guidance

Activities and Tasks | General Guidance | Risk Management Notes

5.4.1 Identify ways to remediate the identified issue(s) and assign responsibility for resolution
General Guidance:
• Using the report results, the client’s control structure and the list of risks that they want to mitigate, identify potential remediation options
• Recommend assignment of responsibility for management action plan

5.4.2 Identify and document ways to enhance the CA program to highlight related or similar types of occurrences
General Guidance:
• For example, consider the characteristics that make up the unusual activity and consider designing additional analytics to see if these characteristics are present in other transactions


5.5 Discuss and document CA/CM client training needs – Activity Summary

• Discuss and document CA/CM client training needs

Assist the member firm client with the following activities | Potential Inputs | Potential Outputs | Tools and Templates

5.5.1 Discuss resource skill sets with client contact
• Organization Chart

5.5.2 Develop skills assessment
• Skill Assessment
Tools and Templates:
• AT – Skills Assessment Criterion Example
• AT – Competency Assessment Example
• AT – Competency Needs Assessment Example

5.5.3 Conduct skills assessment
Potential Inputs:
• Skill assessment form
Potential Outputs:
• Skill assessment form completed
Tools and Templates:
• AT – Skills Assessment Example

5.5.4 Evaluate skills assessment and recommend training program to fill gaps
Potential Inputs:
• Skills assessment
• List of available training programs
Potential Outputs:
• Summary of available skills
• Skill gaps
• Available training programs to fill gaps


5.5 Discuss and document client CA/CM training needs – Activity and Task Guidance

Activities and Tasks | General Guidance | Risk Management Notes

5.5.1 Discuss resource skill sets with client contact
General Guidance:
• Conduct a discussion with the client to determine short-term and long-term goals around skill sets needed to conduct their business
• Determine which skill sets they need to have internally and which they would be willing to leverage from external entities
Risk Management Notes:
For resources needed at the client, KPMG may suggest high level qualifications, roles and responsibilities requirements based on general industry standards and KPMG experience with leading practices. We cannot assign specific resources or assign individuals to specific roles and responsibilities.

5.5.2 Develop skills assessment
General Guidance:
• Based on the skill sets that they would like to have internally, develop a skills assessment to determine the level of experience present from the current staff
Risk Management Notes:
We can discuss generic resource/skill sets needed but not assess actual skill sets

5.5.3 Conduct skills assessment
General Guidance:
• Using the skills assessment, conduct interviews with relevant staff using exercises to determine the level of skills that the internal staff possess
Risk Management Notes:
We cannot perform for SEC audit clients and their affiliates.

5.5.4 Evaluate skills assessment and recommend training program to fill gaps
General Guidance:
• Summarize the skills assessment and determine gaps present in the skill levels of existing staff
• Compare gaps with external training programs available
• Consider the feasibility of developing client specific training to address the identified gaps
• Present findings and recommendations to the client
Risk Management Notes:
Analyzing training needs is permitted. In addition, KPMG is permitted to facilitate client workshops or educate client staff on technical accounting, general industry standards and KPMG experience with leading practice if the client (and not KPMG) uses and applies the knowledge during the course of the project. We may also review and provide advice and guidance on client-developed training materials. Management is solely responsible for the ultimate scope of training to be provided to client personnel.

5.6 Assist with development and delivery of training – Activity Summary


• Assist with the development and/or delivery of the CA training

Assist the member firm client with the following activities | Potential Inputs | Potential Outputs | Tools and Templates

5.6.1 Determine audience level and types of skills needed
Potential Inputs:
• Skills Assessment
Potential Outputs:
• Draft agenda
• Training overview document

5.6.2 Develop training structure and supporting materials
Potential Inputs:
• Internal KPMG training courses
• Business process descriptions
• Control matrices
Potential Outputs:
• Training materials

5.6.3 Deliver training
Potential Inputs:
• Training materials
Potential Outputs:
• Training evaluations


5.6 Assist with development and delivery of CA/CM training – Activity and Task Guidance

Activities and Tasks | General Guidance | Risk Management Notes

5.6.1 Determine audience and level and types of skills needed
General Guidance:
• Based on the skill requirements set out by the client, prepare a training overview document with a draft agenda
• Submit the training overview and agenda for client approval

5.6.2 Develop training structure and supporting materials
General Guidance:
• Assist the client to prepare relevant CA training materials, using existing KPMG and client materials such as business process descriptions and control matrices. For Advisory clients, these training materials can be customized to the client. However, the risk management guidelines listed for activity 4.9.2 must be adhered to.
• For SEC Audit Clients we can provide the client with a generic CA/CM training slide-deck which the client can tailor for its purposes.
Risk Management Notes:
• Training materials should be developed and reviewed by appropriately skilled KPMG staff. Advisory Learning & Development (ALD) should also be involved.
For Advisory clients:
• If we are developing training material that is technical in nature, or is based on materials other than the client’s CA/CM methodology, the materials must be approved by the service line leader.
• Where existing KPMG training material is used, all client references and references to internal practices must be removed.

5.6.3 Deliver training
General Guidance:
• Deliver training as designed
• Adjust timeframes and materials as necessary to meet the needs of the client
Risk Management Notes:
• For SEC audit clients, KPMG can deliver general, non-client-specific training. Training tailored to the client’s policies and procedures must be developed and delivered by client personnel.


Management Checkpoint C

KPMG Engagement Manager Checkpoint Items for Consideration Include:
• Does the client have any skill shortages that present a risk to the adoption of the chosen approach?
• Do we need to revisit the original scope and fee?
• Ensure that engagement management documents are updated as necessary (e.g., risk register, communications plan, cost management workbook).

Client Management Checkpoint Items for Consideration Include:
• Has relevant training been organized for the client’s team?
• Are the routines usable by the client? Or, are excess false positives still being generated?
• Are the developed analytics identifying transactions and helping to mitigate process risks?

6.0 Evaluate – Phase Overview

6.1 Conduct post implementation assessment
6.2 Identify potential improvements

PRIMARY OBJECTIVES:

• Conduct a post implementation assessment to consider potential benefit realization and process performance
• Assist the client with developing a continuous performance improvement approach to help sustain desired performance levels

POTENTIAL OUTPUTS:

• Performance Scorecard
• Lessons Learned
• Change Acceptance Surveys
• Action Plan


6.1 Conduct post implementation assessment – Activity Summary


• Undertake a post implementation assessment, considering potential benefits realized and documenting lessons learned

Assist the member firm client with the following activities | Potential Inputs | Potential Outputs | Tools and Templates

6.1.1 Analyze Process Performance Levels
Potential Inputs:
• Original Business Case
• Final Implementation Program Documentation
Potential Outputs:
• Performance Scorecard
Tools and Templates:
• AT - Post Implementation Assessment Questionnaire

6.1.2 Assess Effectiveness of the Handover Procedures and the Qualitative Measures (Note: this step may not be relevant when the client is utilizing a CA third party vendor)
Potential Inputs:
• Transition Plan
• Performance Scorecard
Potential Outputs:
• Performance Scorecard
• Change Acceptance Surveys
Tools and Templates:
• AT - Balanced Scorecard Technique Paper
• AT - Change Plan Technique Paper
• Change Management Methodology

6.1.3 Conduct Lessons Learned Workshop
Potential Inputs:
• Performance Scorecard
• Final Implementation Program Documentation
Potential Outputs:
• Documented Lessons Learned
• Updated GREG Communications Plan
Tools and Templates:
• BPI Methodology


6.1 Conduct post implementation assessment – Activity and Task Guidance

Activities and Tasks | General Guidance | Risk Management Notes

6.1.1 Analyze Process Performance Levels
6.1.1a Capture performance information through interviews, workshops and measurement data
6.1.1b Compare performance levels to KPI objectives
6.1.1c Document limitations and issues
6.1.1d Revisit the definition of ‘exception’
6.1.1e Refocus monitoring activities
General Guidance:
• Consider revisiting the appropriateness of the KPIs, as well as the definition of an exception, given the changing business environment
• Consider data sources such as trouble tickets, response time, user surveys for IT-related KPIs
• Process expectations and perceptions are often drawn from different sources at different times, hence differences in opinion (e.g., timing, cost) may occur. Often, the measurement at the source may be inconsistent – for example, in one organization, there could be many ways of measuring delivery lead time. The engagement team should help to ensure that the information is assessed in a consistent manner.
• Consider reviewing the limits of existing monitoring activities (i.e., the lower and upper boundaries) to help ensure that appropriate areas of risk are targeted

6.1.2 Assess Effectiveness of the Handover Procedures and the Qualitative Measures
6.1.2a Develop questionnaire for qualitative KPIs
6.1.2b Conduct interviews and workshops
6.1.2c Document limitations and issues
General Guidance:
• Consider the effectiveness of the stakeholder delivery (e.g., vendor, client management, IT, training)
• Document the client’s perception of the potential benefits and challenges associated with the new process design. Compare this information against the original business case.
• Document the client resources’ understanding of their current role within the process. Identify what level of training was provided.
Risk Management Notes:
• Obtain sign-off from the client that the client has received all documentation necessary for maintaining and supporting the environment.

6.1.3 Conduct Lessons Learned Workshop
6.1.3a Summarize post implementation assessment results
6.1.3b Facilitate the workshop
6.1.3c Document workshop results
General Guidance:
• Help ensure that all related process owners and stakeholders are invited
• Assist the client with developing a communication plan to help ensure that lessons learned are appropriately deployed
• For further details refer to phase 5 of the BPI Methodology
Risk Management Notes:
• We can perform a post-implementation assessment review for audit clients and their affiliates and provide observations and recommendations related to its communication plan. KPMG may participate in meetings and workshops, however, we may not act as management by providing solutions or making other management decisions.


6.2 Identify potential improvements – Activity Summary


• Assist the client with developing a continuous performance improvement approach

Assist the member firm client with the following activities | Potential Inputs | Potential Outputs | Tools and Templates

6.2.1 Leverage available information to identify potential improvements
Potential Inputs:
• Root cause evaluation
• Recommendations
• Post implementation assessment
Potential Outputs:
• Improvement plan for future development
Tools and Templates:
• BPI - Design Considerations

6.2.2 Deliver recommendations for potential improvements to client
Potential Inputs:
• Improvement plan for future development
Potential Outputs:
• Action plan


6.2 Identify potential improvements – Activity and Task Guidance

Activities and Tasks | General Guidance | Risk Management Notes

6.2.1 Leverage available information to identify potential improvements
General Guidance:
• Refine findings from data analytics, root cause analysis, recommendations and the evaluation of the project scope; and identify potential improvements or changed areas of focus
• Draft an improvement plan for future development
Risk Management Notes:
• We can perform a post-implementation assessment review for audit clients and their affiliates and provide observations and recommendations related to its communication plan, and implementation of the CA/CM tool. For SEC audit clients we cannot draft or design an improvement plan.

6.2.2 Deliver recommendations for potential improvements to client
General Guidance:
• Deliver the recommendations for potential improvements to the client. Results should be prioritized and anticipated outcome for the improvement should be communicated.
• In crafting the recommendations, consider revisiting the definition of an exception
• Where appropriate, revisit the steps associated with the Assess and Design phases
Risk Management Notes:
• The client is responsible for all management decisions and judgments.


Management Checkpoint C

KPMG Engagement Manager Checkpoint Items for Consideration Include:
• Have we assisted the client to identify opportunities for ongoing incremental changes?
• Ensure that the engagement management documents are updated as necessary (e.g., risk register, communications plan, cost management workbook).

Client Management Checkpoint Items for Consideration Include:
• Have the KPIs changed? Are they still aligned with the organization’s strategy?
• Has the client identified the potential benefits that have been realized by the organization?

Close – Phase Overview

7.1 Administrative Close
7.2 Contract Close

PRIMARY OBJECTIVES:
• The final phase includes administrative and engagement closure activities. The administrative activities include finalizing the work papers, performing team performance reviews, and conducting final cost reconciliation procedures.
• The key step in this phase is to formally communicate and conduct engagement closure.

POTENTIAL OUTPUTS:
• Formal Communication of Engagement Closure
• Final Budget Reconciliation and Client Billing
• Close Financials

General Guidance for using GREG
• Detailed GREG information is not provided in this
methodology.
• U.S. professionals should access the GREG through
the Engagement Project Management site.
• Global Professionals should access the global GREG
Web site to locate their local versions or to leverage
the global guide.
Available GREG Templates
7.1 Closure Letter
