Continuous Control Monitoring (CCM) is an ongoing, repetitive assessment process that leverages technology to continuously monitor business processes, internal controls, and systems for deviations, aiming to improve efficiency, compliance, and risk management.
Mind Map
Click to expand
Click to explore the full interactive mind map • Zoom, pan, and navigate
for joining and
and
allow me just first to thank John Jama
the ime chapters in
in Jordan for their efforts in
organizing the events and uh and
arranging this webinar but by way of
introduction I'm Isha Milian I'm a
Consulting supervisor at aicc I work
really in the intersection between data
risk management data analytics list management
management
and today I'll be giving you a small
brief about continuous control
monitoring and how we can leverage on it and
and
for not just return order but for all
so what is continuous control monitoring
we've been hearing a lot about
it and and just in a general
perspective continuous auditing or
okay
now is it okay
is it on
yes I guess yes yes
thank you
so continuous control monitoring and
continuous other uh they are both terms
used in accounting work to describe the
process of continuously monitoring an
activity within the business or whether
it's monitoring the processes internal
controls or systems and looking for
signs of deviation
so abides nature CCM or continuous
control monitoring is an ongoing
repetitive assessment from control
Effectiveness that involves regulatory
viewing the
tests and objectives
it's a process of regulatory whether
they are performance indicators activity-based
activity-based
indicators or measures in order to make
sure that our business
is processing within the desired limits
if I would take a more formal uh
definition I would go to the IRA
definition in the gtag in 2015 yeah
through 2005 which defined continuous
monitoring as a process that management
puts in place
to ensure that its policies procedures
and business processes are operating effectively
effectively
let me just go a little bit brief about
continuous control monitoring or
continuous monitoring agenda
I think most of you would think that
it's new and it's just started in the
last decade but then the reality of
continuous monitoring goes a little bit further
further
um the first signals of continuous
monitoring or the first time we started
hearing about continuous auditing for
continuous monitoring was actually in
the 90s or the late 80s and it wasn't a
research paper uh developed uh
at ATM T Bell labs and this paper
discussed the use of continuous audit of
online systems and it mainly focused on
how can
we audit paperless databases
this was the first time continuous
auditing as a term comes uh and I mean
into the perspective it it wasn't the
term continuous auditing as we know
today virtual monitoring it was a cpam
or C pass which is continuous process
auditing of systems or continuous
process auditing methodology
later on we started to move uh in the
sorry I think
a mic was unmute for someone
okay that's okay
another and as soon as we we moved into
the 2000s
especially after
the.com bubble and the Enron case and
and with the emergence of sarbanes Oxley
legislation organization were faced with
an enormous pressure
uh to ensure proper compliance with the
new legislation and to ensure that there
are controls that are in place are
infected on an ongoing basis but this triggered
triggered
more and more organization to look for
better ways and better approaches to
monitor their internal controls and at
this period of time a lot of proof of
Concepts were internally developed
mainly to evaluate the uses of
continuous monitoring in a highly
systemized Erp environment so an
automobile project that came in the
2000s was done by Siemens where they
started testing one over 150 processes
in their sap system and this case was
mainly used as a reference for future
case studies or projects uh
as a reference
later we started in the 2010s where I
think all of us started listening about
CCM especially that General other
software providers and sir and other
services providers started developing
their own uh platforms to evaluate
internal controls continuously
this these platforms were mainly
characterized with them built in with a
library of tests and testing scenario
covering different areas whether it's
ordered to cash hard to retire put you
to pay other Financial aspects
especially when it comes to a general
ledger and this was mainly in the 2010s
how the the uh the continuous monitoring
was evolved we started seeing
off-the-shelf softwares and platforms
that are used by
uh by users and therefore
the thing became more evolving we
started hearing continuous monitoring
more often
the 2010 the 2020s as we're living today
is is a little bit more advanced we
started hearing about integration of
different technology whether it's about
artificial intelligence machine learning
or process mining in the continuous
monitoring Solutions and that to move
detective of and reactive and detecting
and uncovering the exceptions into other
becoming a predictive tool which can
prevent them prevent errors prior to
them being occurred
and the new tools actually started to
change from being the responsibility of
audits such
and as as the previous tools that gen
audit softwares to being the
responsibility of management
and that brings me up to the next topic
which is
we're hearing continuous auditing and
continuous monitoring interchangeably
but in reality they are different
continuous auditing by definition is the
methodology that enables independent
Auditors to provide Assurance on a
subject map using series or what it is
report and
these are usually done within short
identified with a short period of time
the audience of the continuous auditing
or actually if you want to say the old
ownership of continuous auditing tools
was usually the internal function within
the organization and usually the reports
of the continuous auditing would include
audit reports would include compliance
checks and would include comparisons
between uh existing period and previous period
monitoring is an automated ongoing
process that enables management to
assess effectiveness of controls and
detect Associated risks thus improving
business processes and increasing cost effectiveness
effectiveness
unlike continuous auditing the people
that are involved in CCM are includes a
wider scope of stakeholders so we we can
see the management is involved we can
see uh
you can see the finance function
involved you can see support functions
whether we talk about risk management
compliance or even the internal auditor
all involved when it comes to the system
in comparison with the reports that used
to be generated from continuous auditing
continuous monitoring will include more
exceptions that are automatically
reported to responsible officers and
dashboards provided to management to
give them a status of ongoing
intermediate actions so although
they might seem seem similar there are
some kind of differences between both of
them but if you want to talk about the
similarities between continuous auditing
and monitoring is first of all the
frequency both continuous auditing and
continuous monitoring are continuous
assessment of organization processes and
internal controls
the scope again both is similar we have
similar scope both of them
consist of a range of automated data
analytics tests that will lack the
information from different areas within
the processes
both of them collect information from
transactions being processed within the organization
organization
and both of them are integrated to
company systems
in addition to that both of them will
require regular review and may sometimes
require revision
uh and refining of the tests to ensure
uh evolving walls of the company are
being matched so in simple term when an
organization has established a
foundation of data analytics that are repeated
repeated
repeatable either in the internal audit
plan or within business function
the natural step is to then Implement a
frequent or real-time process
so moving from just normal data
analytics into a more continuous
continuous assessment
if this repeatable analytics Falls
within uh the other scope then we can
call it continuous auditing but then
when the repeatable analytics occur as a
feedback mechanism
as part of management responsibilities
for example uh Finance are involved to
check exceptions or duplicate payments
then the nature of this data analytics
and here we come to the first poll
question and I think [Music]
[Music]
we're having difficulties to see that
all questions and
yes there's a technical issue to display
the whole question yes so feel free to
add your your comments and I will I will
what is the current challenge faced by
your organization that will trigger the
use of a c continuous auditing or a
continuous monetary solution
is it process inefficiencies or high
number of ways being
identified in the organization is it the
lack of integration between existing
systems whether just meeting up with a
never-ending regulatory bodies
requirements uh is it about internal
fraud and identifying internal fraud
abuses or controls override
inadequate Human Resources then maybe we
need to do continuous auditing to or
education
complexity of transactions which of them
will trigger you to use continuous
you can only add the number instead of
writing the answer yes
internal fraud abuse control last item
increased sophistication
because I can see
a lot of
choices yes a lot of dances are spread
but mainly the majority of the answer
came in number two which is lack of
integration between existing systems and
in fact continuous auditing and
continuous monitoring resolution are
usually a good way to integrate systems
although I was expecting a little bit to
go on into the uh
into some answer like six that increased
sophistication and complexity of
transaction or one as Western process
inefficiencies but then it seems most of
you are facing issues when it comes to
integration within existing systems in
your organization so you have the data
so the business is all organization
nowadays are faced with tremendous
amount of challenges and every
transaction that an organization
processes exposes it to a certain level
of risk uh
challenges can include increased
complexity of transactions and
operations which is one uh
a lot of people in in the chat included
as part of the challenges they are
facing cyber security threats so people
might be afraid of attacks cyber attacks
occurring it can be never-ending
regulatory demands and especially that
regulatory bodies will try to add more
people's interests are protected but
then again that puts a great burden on
organizations especially financial
institutions that have to deal with a
wide range of regulatory demands
whether a new topic that is currently
we're all facing supply chain disruption
whether it was due to pandemic that was
happening whether it was due to oil
prices that went high again all of that
created some kind of disruption in the operations
operations
inflations and prices and stability as
you can see we're facing an increased
amount of inflation uh recently and this
is a challenge that organization face
and and will have to let's say see how
it can overcome it or assess itself better
better
whether it's Manpower shortage
especially a post covered with hitting
about uh they call it the era of of of
people resigning and working from home
and deciding whether not to continue uh
physical jobs but mainly to go into
freelance we're witnessing a lot of
Manpower footages in in organization
across the world
whether it's incidents of Fraud and
controls override and manipulation and
abuses of power within the organization
or again the the issue of data available
in disparate systems and we don't have
proper integration of of uh when it
comes to information information is not
Consolidated in one location or
or
what what we're all facing today the
higher velocity of information all of
these are challenges based by organization
organization
although some organization try to
protect themselves by implementing
anti-fraud prevention and detection
measures include audits as part of their
solution includes process on this
process the visiting includes other kind
of risk assessment but the problem with
all of these are usually first of all
they rely on samples subset of
transaction information that are not
representative of the underlying issues
they only provide a snapshot on a
specific moment in time which results in
a lot of vulnerabilities going
undetected for a long period of time
and by its nature traditional audit
required a long timeline to be executed
so it requires a lot of resources for it
to be executed whether it's Manpower it
costs from from the other team would
require a lot of manpower to be involved
or it would require time and effort from
the actual business unit to prepare the
data and to prepare the information
and last but not least scarcity of audit
resources limits the frequency and
depths of audit visits that can be done
on each activity
so although audit was used as somehow a
solution it wasn't an optimal solution
but then let's say audit becomes more
frequent and although it becomes more
intelligent Maybe by having continuous
auditing in place or continuous
monitoring where the responsibility of
all the moves not just from the internal
Auditors that are doing uh the work and
doing the Assurance services but then
moves also to management where they get
automatic notification of issues they
get automatic exceptions report they
have an overview of how business is operating
operating
leveraging on Technologies such as an as
such AI continuous auditing and
monitoring we can help solve this
challenges faced by organization
although I'm not going to say that
continuous auditing is intended to
replace traditional auditing or
traditional risk-based auditing but then
it provides a way to implement the
regular audit visits that help enhance
the organization activities efficiency
into having them a little bit more
frequent and having them more intelligent
so in general continuous monitoring help
organization in uh complying with
existing laws and Regulation and support
achieving business goals
from a technical point of view so the
CCM or continuous control monitoring
automate the the process of
monitoring transactions or processes or
internal systems so whenever an
irregularity happens it directly have a
closed a closed loop mechanism to
identify it and to act upon it so the
value of continuous auditing or
continuous control monitoring lies and
the fact that we will have continuous
assessment of the general controls that
we put in place to overcome these
challenges that we face
Whenever there is a high risk issue it
will be detected promptly
when it comes to decision making when we
need to take rapid decision because we
have an overview of the business because
we have a proper look on
this is operating and we can know the
areas of inefficiency we can take better
decisions and more rapid decisions
by by just understanding that or
identifying an irregularity as soon as
it occurs we reduce the sometimes the
recovery cost or we eliminate it and
then by doing that also whenever we
automatically did that items or instance
as soon as they occur we have the
possibility of reducing the
organizational exposure to fraud waste
or abuses
and then with all that it because there
is an alignment when it comes to
continuous control monitoring with management
management
uh so we we can witness and improve the
reporting between the management and the board
board so
so
in theory again uh continuous monitoring
will have a great role and a great
addition to uh organizations then it's
very important
to understand
how we can implement it properly and how
can we use it properly
which will bring us to our next topic
which comes to implementation of
continuous control monitoring but before
that I would like you to answer the
second poll question which is in your
opinion what will be the right the right
whether it's prompt identification
of process inefficiencies or irregularities
irregularities
improve transparency slash reporting
between management and the board
transfer exception management
responsibility to process owners and
management instead of it being handled
by audit ensure compliance with
applicable regulation and reduce
assurance and compliance costs
please feel free to answer in
we've got three
one one one [Music]
and two
five one
two one so mainly it goes to one so most
of you uh
says that this will help you promptly
identify process inefficiencies and
divided these which again is is a very
valid point and mainly when we talk
continuous control monitoring this is
the derived benefit that everybody
thinks of but then also other factors
such as transparent exception
uh just like the management of
exceptions to the to the process owners
or improved transparency and Reporting
and this would help the organization to
overcome a lot of challenges on the long
run but then again there is no wrong
answer it's all uh subjective to European
so moving on when it comes to continuous
control monitoring implementation we
just need to understand that this is not
just a technology that we need to adopt
it's it's it's a methodology it's a way
of acting and reacting and it's a way of
taking decisions so it's it's more about
understanding how business value can be
derived from continuously assessing
existing processes risk controls
technology and people so it's not a
solution for everything we need to
understand what are the current
challenges the current inefficiency that
we need to continuously monitor them
what are the kind of activities that we
need to
continue to focus on and ensure they are
falling within the desired limits or the
desired thresholds
so so to properly Implement uh CCM
systems or solution that we should
follow a phased approach uh
such as it should start like by by just identifying
understanding how the process operates
how understanding how the business
operates the
the technology adopted in the process
similar to just doing a risk assessment
or internal audience
and then after that you start defining
some kpis some Kris some indicators some
transactions that we'd like to Monitor
and to assess
and then post doing that to identify
datas that we can test or the data
sources that we can rely on
and then just the technical part in it
is developing these scripts themselves
which a lot of these scripts themselves
would require the business Acumen and
the Judgment of the user and that the
person who's managing the CCM implementation
implementation
and then post that we need to establish
what kind of reporting uh that or what
kind of exception that need to be
reported and what kind of reporting
would like to derive then after that we
need to test and ensure users acceptance
so let me go through each phase in
detail so the first phase should be the
process understanding of it and here we
can see that the person in charge of the
project leader would have to conduct
series of meetings workshops with
different stakeholders to obtain better
understanding uh about the scope
objective and the business case and the
business value that we'd like to derive
from the solution
and once that is set
we can then move to gathering
information to understand what kind of
activities processes transactions that
we'd like to cover within the scope of
the CCN solution
so such information
after confirming the scope and the
objective and business case with the
stakeholders we can start Gathering the
required information to understand the
business to understand the process to
understand the systems in place and we
can acquire such information from
different sources whether from Sops that
we have them whether from manuals
flowcharts management reports or even it
can be done through a series of
workshops to better understand
the business and to better understand
the process being adopted ultimately
what we want to reach here is to be able
to identify what kind of risks are faced
by the organization or the business unit
or the activity you would like to
Monitor and what are
actual controls in place for that
what kind of transaction is being
processed what kind of transaction can
that exposes higher risk to the
organization so all of that is part of
the process understand
after we do that we start defining the
indicators that we'd like to monitor so
a good approach is to start defining a
library of kpis Kris and transaction to
monitor for each business activity
subject to the scope of the continuous
control monitoring and when we do that
we need to take into consideration
uh how frequent I'd like to test these
indicators and how how continuous I want
them to have a lot of information are
just static for a long period of time
and then a transaction tool is not
happens once a year then there is no use
of testing it on a regular basis because
yes continuous auditing or continuous
monitoring is just kind of scripts that
being adopted on and mapped to the
internal systems but then these scripts
will cause some uh
some Investments Sometimes some effort
and even some processing power to be possible
possible
to determine the frequency of the test
we need to take into consideration the
throughput so the number of transactions
being processed the value
the materiality of the transaction being
processed the degree of automation that
is currently in place so if let's say
every transaction is being processed on
the system and the system is built with
certain parameters then maybe the
frequency of the test can be less than
manual process or process that involves
a dealing with external parties
and then the complexity of operation
should be taken into the termination as
one of the factors to determine the
frequency of the test
other factors might be considered it's
optional but then just this is the the a
sample of the the consideration that we
can take place
foreign once the extent of
tests are set indicators are identified
and then we know what kind of tests we'd
like to do what kind of analysis you'd
like to monitor we start identifying
what are the available data within the organization
organization
with available systems available uh
application that can provide us with the
required information to monitor so in
this phase usually it involves a
coordination with the information
technology teams the system owner system
administrator to identify
first of all existing data sources that
can supplement the data to assess The
credibility of these
sources so if the sources are being
or sorry the data in these sources are
being protected from unauthorized
unauthorized amendment to editing is the
data is there any kind of permission in
place to prevent people from
misusing the data on resources or
manipulating the data on the data sources
sources
during this stage usually it during this
coordination uh the project leader or
the person in charge will try to obtain
the permission needed from relevant
stakeholders to allow them access to the
desired data sources applications and
it's during that stage we Define okay
this is the data requirement that we
need this is uh
this is the type of access that you want
usually we should try to uh to aim for a
read-only access to the system so that
the continuous monitoring tool does not
amend or does not have uh does not put
the system the internal systems at any
risk of manipulation of data but then
when we select an appropriate connection
and when I talk about connection is the
integration between the software or the
continuous control monitoring tool that
you're going to use and the data sources
we need to take into consideration
several factors whether there is any
issues with the network and the network
traffic whether how how large is the
like the data that we have do you have
data that is huge that requires
significant amount of processing power
to be uh communicated or connected how
sensitive is the information sometimes
you see the information are very
sensitive that you cannot even uh
require direct access access to it and
then we we maybe add some kind of a data
warehouse in limited in order to
integrate the data uh the CCM to the
data source what kind of testing
frequency is required so let's say I'm
doing the test once a year then maybe
the reports can be generated by the IIT
team or by systemly generated and sent
once a year it does not require direct
indication of the system all of that
will be defined in that stage again
this would require to have the I.T team
involved because they will they are
usually or the the system owners
involved because usually they will have
to give you or to Grant you the
permission to use this kind of data and businesses
businesses
once we do that
we can move to the next step which is a
little bit technical but then not that
much technical uh if you think of it so
developing continuous control monitoring
test scripts require a high degree of it
proficiency and require a little bit of
scripting knowledge
but then
the business Acumen of the product key
the the knowledge the Judgment would
play a detrimental role in designing the
actual analytics scenarios
so think of it as
the traditional tests or in the
compliance checks again they are
straightforward they just require a data
source that we need to identify uh
uh
we need to identify the objective that
we'd like to reach and then the type of
testing we'd like to do so the same
thing we'll need to Define whenever we
do a cc and test the type of test the
nature and the objective
and then once we Define the steps in in
analytics perspective we can then map it
out to existing data sources systems and
application within the organization once
we do that we can uh
uh
determine the parameters of the test and
the thresholds that we'd like
to adopt so a simple question that need
to be answered
usually in this stage is what would the
data look like if control objectives was
not met
and or or what will happen if these
control objectives are not there so it
allows us to understand what kind of
tests that we need to run uh
uh
tests can be then developed
to look either for symptoms
of exposures or to look for control deficiencies
deficiencies
uh for example if if we think about the
control objective that [Music]
[Music] um
um
require PR's to be authorized properly
and then to comply within certain limits
or certain budget then these tests
usually will be conducted and similar to
the way uh compliance checks about or
other tests are done by comparing the
files together and identifying whether
the actual requisitions are followed in
these limits and Within These predefined limits
again once we develop these tests we
need to take
uh factors such as the sensitivity of
the parameters and the thresholds and
and the quality of the analysis uh
into consideration at first we might
face a large number of exceptions being
flagged but then we need to start
refining the test a little bit more
to ensure that we get the proper result
again we don't want a high number of
exception being reported which in
reality they are not that much of
exception so we need to find to find a
balance in the middle in these
exceptions we need to make sure
that we continuously refine the data
continuously refine the analytic
scenarios before we start reporting them
and before we go to the next stage so a
good example would be to do the actual
test on your own first to see the
results and the outcomes of this test
verify the authenticity of the results uh
uh
and then after that start deploying them
on a continuous basis
I mean
it's critical to examine such uh it's
very critical to examine and assess the
results and such can be achieved through
either verifying the authenticity of the
data checking if the data and the data
sources are correct maybe it can be done
through reconciliation or it can be done
through uh that is checks and tests to
verify the authenticity of the data
validating the timeliness of the
information to check that the
information we're testing are relevant
uh to the the area subjected by the test
or the frequency subjected by the test
reviewing the fields sometimes you have
the fields that are not synchronized
properly we have the date field
sometimes everything incorrectly
sometimes you have the amounts of the
numeric figures written as character or
vice versa again it's very important to
Define these elements before or cleanse
this element before we go into full
after we do that we develop the test we
map them out across the different data
source we can move to the next step
which is establishing a reporting
mechanism and when we talk about
establishing a reporting mechanism we
need to take into consideration the
stakeholders involved in these reports
so who's gonna at minimum I need to
start asking myself what kind of
exception should we report
Whom Shall they be reported so who is
involved in the organization who who are
the stakeholders involved every kind of
exception should be reported to a person
that can take action for it so we don't
just want to know about them we need to
take an action and we need this
exception to provide actionable insights
for uh for for future remedial actions
that can take place
how frequent shall they be reported
that's another question that you need to
ask ourselves uh so okay except we can
do the test on on a daily basis for
example but then if we report something
on a daily basis a lot of time people
will meet from seeing it but then if we
just omit High exceptions on an
immediate basis but then when it comes
to a regular testing or regular
dashboards on a more pre on a more
larger periodosity we can ensure people
will be checking them and will be
reviewing the results
and which phone shall they be reported
and again a big answer to that would be
who is involved uh in in reviewing the
results of the exception so when we
let's say deal with Finance
professionals or Auditors maybe they
would require a little bit more of the
detailed transactions such as the tables
such as the the spreadsheets or the
actual data bases but then when we go to
management and especially to hire
management they can a little bit uh
prefer to see a dashboard or business
intelligence dashboard
that overview the whole processes and
just gives a highlighted summary about
the exception we moved it and last but
not least we need to answer this
question to know how can we report and
who who should be allowed to access
these reports uh is how sensitive is the
information being reported so let's say
the information being reported can
result and for example insights and
trading then I need to make sure just to
share it with the people that uh have
clearance to do so or let's say if any
if the issue relates to a bankruptcy of
of one of the divisions then I need to
make sure the people that are seeing
that are either the regulatory bodies or
the uh the the people that are offer us
to see that
based on these answers based on the
results that we can achieve exception
reports should be developed they can be
form of dynamic business intelligence
dashboards they can be in form of email
alerts notification to process owners
and relevant stakeholders they can be
customized reports on exception
identified they can be again exception
database purchase with complete details
or they can even be all the clock files
that can be shared with uh
the other team or the finances
after you complete that after we have
established the reporting mechanism for
uh the exceptions identified we need to
go to the next phase where we get users
acceptance and usually it's very
critical to have an effective testing uh strategy
strategy
for the success to ensure successful
implementation of CCM Solutions so
usually it involves establishing the
appropriate threshold levels and
correctly configuring and building
testing scripts that ensure that
excessive number of false positives are
not produced and resources are not used ineffectively
ineffectively
again we need to assign a responsible
party that will be responsible to review
such results and such exceptions
uh who is capable to understand
how the business operates so he can take
better decisions to refine the tests and
it's also critical to monitor the
outputs and assess the impacts of the findings
findings
to understand what can go next what can
I mean sometimes you might need to
revisit some of your processes sometimes
you might have to revisit
some of the tests maybe you increase a
little bit the depth of certain tests or
reduce a little bit the depth of certain
tests and
again it's very important at the stage
to ensure proper documentation of all
the tests all the scripts and ensure
proper storage of these resources
manuals scripts
so that it can be properly handed over
doing so ensuring that we go step by
step in a phased approach when it comes
to properly to when it comes to
implementing continuous monitoring
solution can help us reach the objective
of whether reducing the inefficiencies
promptly detecting internal fraud uh
ensure compliance with certain regulatory
regulatory
requirements or it can even help us
achieve all the desired output but then
it's very important not to rush it not
to think of continuous monitoring as
just as tool of the shelves that can I
can add it to my system and it can
operate systematically as you can see
more than 80 percent of developing a CCM solution
solution
or a CA solution requires a business
Acumen requires judgment from the people
involved whether it's the internal audit
and it continuous auditing solution or
it is the management the stakeholders
involved in the business uh when it
now I'll move to a practical
implementation of continuous monitoring
so we take the procure to pay cycle as
an example but before that we have a
couple of board questions
uh to be answered the first question is
is in your opinion what are the barriers
of CCM adoption in your organization so
whether it's limited commitment from the
world management lack of knowledge and
expertise rewarding data analytics and
continuous military lack of Human
Resources to support adoption of
solutions technical sophistication of
existing solution in the market lack of
expertise regarding data analytics and
continuous monitoring
I can see lack of a defined business case
case
mainly one and two one two two plus
three two plus five
so I can see the majority is two one
which is lack of knowledge and expertise
regarding data analytics and continuous
monitoring the good thing is I'll show
you today a little bit of a glitch how
we can do that and personally I'm not an
I.T expert so I'm mainly as you can see
from my profile I've really worked in
this management governments and all and
a little bit of data analytics then when
as he said a lot of it is related to
business argument and the solutions that
we have nowadays what the audit
softwares or the other RPA solutions
that are available very easy to be
deployed or even the process mining
solution are very easy to be deployed
within the organization systems and
usually as we said earlier there are
people with library of tests that you
can just plug and play uh
when it comes to uh adopting the CCM Solutions
another cool question I'd like to have
your answer on is how much would your
organization do you think invest in in
continuous monitoring solution in the
next two years
so is it
the organization wouldn't invest is it
below fifty thousand dollars fifty
thousand to a hundred thousand hundred
thousand to 250 000 or above that
so I can see so far in the range of
less than fifty thousand fifty thousand
between 50 and 100 less than 50.
less than a million less than a million
350 and 100
I can see I won that's a very uh
I wasn't expecting to see I won because
there is one of the people are going
within the 50 to the hundred thousand
range yes below 50 to 100 000 range
number three number two to three which
again if we talk about existing
solutions that are quickly deployed to
internal assistance and
usually they cost in that range
depending on how extensive you would
like the continuous uterine solution to
be adopted and how and and the level of
sophistication of your internal
processes but then when we talk about
existing solution that are just off the
shelf that do not require much
customization so we're talking something
the last part of the presentation will
be giving a little bit of a case a
business case let's see uh to see how
the business value can be derived from CCO
CCO
so the case background is the CEO of
food Cube Corporation so a company that
manages and operates multiple retail
stores across the Middle East has to ask
you to lead the pilot project for
developing and implementing a continuous
monitoring solution over the P2P cycle
procure to pay cycle
you see who believes that despite the
heavy Reliance on
the company's Erp assisted procure to
pay remains an area prone to fraud uh
money leakage and inefficiency
and then he searched for you the
following objectives the objective of
the project is to deploy the analytics
platform that provides insights into the
overall health of procurement reports
from the moment we request an item
through the PIN
detect exceptions and regularity in a
timely manner and drugs anomalies from
initial detection to resolution
and identify root causes of process
inefficiency and bottlenecks in the operations
we were also informed that as part of
our process understanding that
centralized procurement function is in
place to process all requests received
again as you can see the process is a
little bit traditional so we have the QR
process the good acquisition which
passes through the approval of the
business unit manager and then the
procurement before it goes to the PO stage
stage
uh where the procurement team will
collect the quotations and would process
whether in forms of approving it and
dispatching it to certain suppliers
then once the PO is issued the goods
would be received inspected
invoices would then be received
and then checked reviewed against
the the goods received and against the
Po's requested and then we will be
paying for supplier payments so again a
sample of key restore when these
processes will include let's say in the
pr process having duplicate the PRS
processing duplicate PRS processing
incomplete or unclear PR's purchasing
non-required materials material that we
actually don't have a usage for that
in the POS cycle maybe we have po that
do not match the PR's duplicate POS
issuing POs to unapproved suppliers
splitting pills dividing multiple
1po to multiple POs to override certain
limits delays in processing the POS and
here we're talking a little bit about
inefficiencies of operation
when it comes to goodies receipts and
inspections so we can have mismatching
items mismatching quantities as part of
the risks that are there delays and
submitting claims to suppliers
when it comes to invoice received maybe
we have errors in the invoice provided
by the supplier or let's say invoice
made before the service receipt or for
uh actually the order which means that
that someone is just giving us this
invoice to process it but then the
procurement process is not being adopted
properly we can have invoices that do
not match uh whether the goods receipt
or the purchase order
the next area is the suppliers payment
so again in this area we're mainly uh
afraid to have duplicate payments to
have certain kind of favoritism to
supplier to uh paying to unauthorized
individuals or wrong accounts paying
wrong amounts to be laid in settling
suppliers invoices
and then the last area which again is
mainly about managing suppliers or
managing the relationship with suppliers
so here we're afraid to have let's say
two suppliers account within the
organization and and just processing
certain transactions in each account
just to
to that I mean to show that we're not
having certain favoritism or certain
element of uh
uh relying on school supplier
uh dealing with an unreliable supplier
uh vendors with invalid information or
whether we're really concerned about
vented employee relationships
this is all part of the risks involved
in the procurement site
on the other hand as we know there are
certain controls in place that uh
uh
that the organization have in order to
overcome these systems can mitigate
these risks so for PR for example there
is a review and approval process that
ensure two review property are so the pr
is prepared by the business unit 3 and
then let's review finance manager or
it's reviewed by procurement
and then it's reviewed Again by by the
people responsible of procurement to
ensure the clarity of information
uh in the pr and the clarity of the request
request
if we're ordering non-required material
usually there would be a budget
controller in place or a business unit
head that will be comparing uh the
budgets with the or the purchasing plan
with uh the actual PRS received when it
comes to purchase order again there is
usually dual reviews of POS there is
delegation of authority Matrix that
limits uh the approval to certain limits
there are some system controls to ensure
POS are only to approve PR's
foreign for goods received usually there
is the inspection process that being
done the grm and the items included in
the grv to match the view and so on
uh usually when it comes to claims we
need to make sure that you submit Queens
of time this is part of the to ensure
that we're getting at least recovering
losses of Damages or
non-required items invoice usually the
most common control the speedway
matching or match the PO with the the PO
with the goods receipt and the invoice
issue there is again do a review of
invoices it's another control that is
there usually the one who prepares it is
not the same one who posts it on the system
system
uh other controls might be in place to
restrict invoice for uh to only valid POS
POS
s supplier payments again there is
several review over the payment process
uh sometimes to ensure that we're not
late on supplier payments there is a
payment policy that needs to be adopted
usually five days to 25 days depending
on the organization
uh to ensure that we're not processing
to wrong accounts we usually process
Bank transactions or Bank transfers not
cash payments
and for vendor usually there is some
kind of reality if you open this
periodic assistant
uh there is kind of review of the
information before it's being added and
so on all of these are controls key
controls when it comes to the
procurement process
now getting this understanding of what
are the key risks and the key controls
we will be developing a continuous
monitoring tool by just doing the
analytics tests and then automating them
and then scheduling them for future tests
tests
again because due to the uh all over for
due to it is a pilot project we were not
provided access to the actual system
instead we were provided with the direct
connection with the uh instead of
getting direct Financial the ERG were
getting reports from the I.T Department
that are coming from the systems on a
regular basis which we will use for this
testing again
uh the reports that we were provided is
the list of PR's list of POS list of grn
payment process vendor Master file and
the remastered
so let's start first of all with the pr process
process
so as we can see we are concerned we
have multiple concerns when it comes to
the pr process we'd like to run some
analytics tests and from these analytics
tests we will be building these scripts
themselves so
let me first
so this is the list of PRS usually we
have the pr number the item number this
is that is provided by it the quantity
the date the store prepared by Electric
file this is the data for January 2018. we were provided
we were provided monthly reports so January February
monthly reports so January February March so on
March so on again we can see that we have this
again we can see that we have this information from just the pr report we
information from just the pr report we can check whether there is a duplicate
can check whether there is a duplicate PR from this information
PR from this information duplicate can be on different criteria
duplicate can be on different criteria one way of checking duplicates is
one way of checking duplicates is checking if there's a duplicate PR
checking if there's a duplicate PR but then when we do the tests we need to
but then when we do the tests we need to define the key that we will be using
define the key that we will be using here the pr number is the only key and
here the pr number is the only key and when we did that we uncovered there is
when we did that we uncovered there is no duplicates in January 2018. this is
no duplicates in January 2018. this is again doing just the normal analytics
again doing just the normal analytics test but then
test but then when
when we we
we we Define the test a little bit better and
Define the test a little bit better and we identified that maybe the duplicate
we identified that maybe the duplicate is not in the pr number and the
is not in the pr number and the duplicate might be resulting from an
duplicate might be resulting from an item uh processing the same item on the
item uh processing the same item on the same date from the same store for
same date from the same store for example uh maybe that we can be a
example uh maybe that we can be a duplicate why we didn't do them uh with
duplicate why we didn't do them uh with with 1p all why we process them into
with 1p all why we process them into multiple POS and then we've primed a
multiple POS and then we've primed a little bit to serve like to to override
little bit to serve like to to override some kind of controls in place so let's
some kind of controls in place so let's do this test
do this test what we did is we defined that the the
what we did is we defined that the the common Keys here are the item number
common Keys here are the item number that prepared by the user who is
that prepared by the user who is preparing it and the date of PR again
preparing it and the date of PR again once we did that we identified that
once we did that we identified that there are some kind of exceptions to be
there are some kind of exceptions to be reported
reported again let me I'm just going to carry
again let me I'm just going to carry forward with the test and then show you
forward with the test and then show you overall two that's good
overall two that's good other items items that we can test here
other items items that we can test here is whether uh KRS were reviewed or not
is whether uh KRS were reviewed or not as we can see some of the PRS were not
as we can see some of the PRS were not reviewed we can run analytics script for
reviewed we can run analytics script for that and then we can run another
that and then we can run another analytics script for uh PR's prepared
analytics script for uh PR's prepared and reviewed by the same user again
and reviewed by the same user again which means that someone is is
which means that someone is is overriding the control and is processing
overriding the control and is processing its own appearance once we complete all
its own appearance once we complete all the tests we should expect them to be in
the tests we should expect them to be in a second
in this form you usually
you usually list of PR that includes certain tests
list of PR that includes certain tests which again this is just the audit log
which again this is just the audit log of all the tests being done so we can
of all the tests being done so we can see what kind of result and what kind of
see what kind of result and what kind of exception is being used once we have
exception is being used once we have this exception and they will think about
this exception and they will think about using a general audit software is by
using a general audit software is by easily by going and creating a macro of
easily by going and creating a macro of these results so let's say I want to
these results so let's say I want to create a macro of the
create a macro of the results of the pr testing
create a script which will be something like that
sorry will be something like that it's a
will be something like that it's a technical script I know I'm not going to
technical script I know I'm not going to go into the details but this script
go into the details but this script covers all the activities all the
covers all the activities all the testing activities that we've done for a
testing activities that we've done for a specific month
specific month let's say we want to run the same script
let's say we want to run the same script for others
for others usually such process is
usually such process is is an easy process
is an easy process it's not that complicated you just need
it's not that complicated you just need to
to change the parameters as you can see
change the parameters as you can see from the script the script will open
from the script the script will open list of PRS for January 2018
list of PRS for January 2018 so my script does not include an import
so my script does not include an import process let me open a more defined
process let me open a more defined script
script let me show you the scripts so we can
let me show you the scripts so we can see that the data source the test is
see that the data source the test is already mapped here to the data source
already mapped here to the data source the data source is available in that
the data source is available in that project files I've done the tests that I
project files I've done the tests that I want so one of the tests is to extract
want so one of the tests is to extract duplicates while other tests is to
duplicates while other tests is to extract non-reviewed PRS or prsm that
extract non-reviewed PRS or prsm that are reviewed by the same person and by
are reviewed by the same person and by that we can just change
that we can just change create a variable which is here the
create a variable which is here the month is the variable
month is the variable and replace this variable
and replace this variable with another month
with another month and
and with that you can just run the script
with that you can just run the script immediately and the test will be
immediately and the test will be completed for the next month
completed for the next month as you can see the same testing that we
as you can see the same testing that we have done we have done it on another
have done we have done it on another this is an easy approach to automate
this is an easy approach to automate anything because once you know how to
anything because once you know how to leverage on this technology once you
leverage on this technology once you know what kind of test you can automate
know what kind of test you can automate then you can just run it automatically
then you can just run it automatically so this is the pr process let's go to
so this is the pr process let's go to other areas of testing
other areas of testing the next area of testing that we can run
the next area of testing that we can run to is
to is the PO process and the PO has a lot of
the PO process and the PO has a lot of tests because here we're getting into a
tests because here we're getting into a more let's say official uh
more let's say official uh or or more formal area where again we're
or or more formal area where again we're dealing with external parties so it's a
dealing with external parties so it's a little bit more complicated
little bit more complicated so again I've imported the list of POS
so again I've imported the list of POS all right
all right which comes from that base from this is
which comes from that base from this is assistant generated database we can see
assistant generated database we can see it has the PO details and I can just run
it has the PO details and I can just run a series of tests on this list of Po
a series of tests on this list of Po without using other resources just to
without using other resources just to build an understanding if there is any
build an understanding if there is any exceptions from these POS
exceptions from these POS again we're still talking about January
again we're still talking about January 2018 so one of the first thing I want to
2018 so one of the first thing I want to check if there is any duplicate Bo just
check if there is any duplicate Bo just by duplicate PO number to do that again
by duplicate PO number to do that again as we explained we just Define the key
as we explained we just Define the key which is here the PO number
which is here the PO number the key that is duplicated
the key that is duplicated and we can see that there is
and we can see that there is two
two exceptions identified
exceptions identified again
again another element that we want to check is
another element that we want to check is whether the same supplier has multiple
whether the same supplier has multiple uh POS on the same date
uh POS on the same date so
so I've done another test but here it's a
I've done another test but here it's a model refinal test
model refinal test that we took into consideration the
that we took into consideration the supplier number and the PO date and see
supplier number and the PO date and see if there is the same transaction simply
if there is the same transaction simply and to our surprise we got 330 duplicate
and to our surprise we got 330 duplicate transaction when we did that if we just
transaction when we did that if we just use the duplicate PO number we should we
use the duplicate PO number we should we would have got two uh duplication but
would have got two uh duplication but then this is not an accurate estimate of
then this is not an accurate estimate of the actual error being faced or the
the actual error being faced or the actual issue being fixed the actual
actual issue being fixed the actual issue is we're processing multiple
issue is we're processing multiple requests to the same supplier on the
requests to the same supplier on the same date
same date with different amounts sometimes with
with different amounts sometimes with the different item so why we don't
the different item so why we don't process them all at once
process them all at once and benefit let's say from procurement
and benefit let's say from procurement saving when it comes to public discount
saving when it comes to public discount or
or to ensure that the controls of are in
to ensure that the controls of are in place to limit let's say splitting uh
place to limit let's say splitting uh POS or splitting influences
another issue that we can just check is as we have the pr number linked to the
as we have the pr number linked to the PO report you can check if there is a PO
PO report you can check if there is a PO issue for non-approved PR or for a
issue for non-approved PR or for a non-existing VR so again we can see that
non-existing VR so again we can see that here there are
here there are with just an exception test a range of
with just an exception test a range of 13 POS that are not related to any PRS
13 POS that are not related to any PRS again the criteria of the test I'm not
again the criteria of the test I'm not going to go into the details but then we
going to go into the details but then we did we built a relationship between the
did we built a relationship between the two databases to come up with this
two databases to come up with this output
we can also build as I said we can build a relationship to understand that there
a relationship to understand that there is inefficiencies into operations so
is inefficiencies into operations so let's say there are delayed POS and when
let's say there are delayed POS and when we talk about delayed the old we will
we talk about delayed the old we will talk about
talk about he owes that are
he owes that are taking more than 15 days to be processed
taking more than 15 days to be processed from PRS assuming that's the range
from PRS assuming that's the range within the organization 15 days is
within the organization 15 days is defined in the SLA we can also see if
defined in the SLA we can also see if there is any kind of
POS that were approved before the pr again we can see that if this exists
again we can see that if this exists this is a significant issue that needs
this is a significant issue that needs to be addressed by the company
to be addressed by the company we can see if there is mismatch between
we can see if there is mismatch between the quantities denominated in the PRS
the quantities denominated in the PRS and the quantity is denominated in the
and the quantity is denominated in the PO so sometimes there would be some
PO so sometimes there would be some differences it's very important to
differences it's very important to understand these differences and the
understand these differences and the reason why these differences occurred
reason why these differences occurred sometimes it's just an entry error so
sometimes it's just an entry error so it's very important to assess why this
it's very important to assess why this entry error exists
entry error exists questions
questions this is when it comes to the POS again
this is when it comes to the POS again similar to what I've done for uh
similar to what I've done for uh the pr process
I can just go here to the project overview
overview Define my tests
Define my tests Define a macro for my tests and use it
Define a macro for my tests and use it for future tests
for future tests so again I can see here these are all
so again I can see here these are all the tests I've done on the video you see
the tests I've done on the video you see how fast I've done these tests
how fast I've done these tests uh because again I'm I'm aware of what I
uh because again I'm I'm aware of what I want to do I'm aware of the procurement
want to do I'm aware of the procurement cycle so I know what kind of exception I
cycle so I know what kind of exception I would like to test
would like to test and again you can see that most of these
and again you can see that most of these tests are common sense it's just the
tests are common sense it's just the adaptation of the technology to be able
adaptation of the technology to be able to do these tests
a sample of the script will be something like that which is very important to try
like that which is very important to try to
to maintain a proper arrangement of the
maintain a proper arrangement of the scripts
scripts foreign
ization when it comes to the names of the files so you can see here I've tried
the files so you can see here I've tried to standardize as much as possible the
to standardize as much as possible the names to January 2018 or to February
names to January 2018 or to February 2018 making sure that the file names
are correct and this point of ensuring the standardization of information is
the standardization of information is critical even when we're trying to deal
critical even when we're trying to deal with I.T departments so when we're doing
with I.T departments so when we're doing that with it Department we need to add
that with it Department we need to add to to ensure that the reports being
to to ensure that the reports being generated from the systems or the
generated from the systems or the reports that we can generate have the
reports that we can generate have the same let's say uh names and have
same let's say uh names and have standardized names
standardized names this is very important when it comes to
this is very important when it comes to managing the projects themselves
managing the projects themselves again this is part of the POS we've done
again this is part of the POS we've done certain tests we identify certain
certain tests we identify certain exceptions in January 2018. if I want to
exceptions in January 2018. if I want to run them again for 20 uh for February I
run them again for 20 uh for February I can just read on the script just change
can just read on the script just change I don't need to February
I don't need to February for the goods received no again uh I I
for the goods received no again uh I I was provided with a list of grn issues
was provided with a list of grn issues uh what I want to do now is to assess
uh what I want to do now is to assess whether the goods received were matching
whether the goods received were matching the PO actually so I can do this kind of
the PO actually so I can do this kind of test grn versus Po by just using
test grn versus Po by just using adjoining
adjoining tool
tool similar to the lookup so I combined the
similar to the lookup so I combined the two databases into a single database
two databases into a single database Define what kind of test I want to know
Define what kind of test I want to know here my test is to identify mismatched
here my test is to identify mismatched quantities or mismatched items so I can
quantities or mismatched items so I can see that there are one mismatched item
see that there are one mismatched item between the PO and the uh and the actual
matching item is the following you can see the difference between the item
see the difference between the item number
number and then the mismatching quantities we
and then the mismatching quantities we can see there is a wide range of
can see there is a wide range of mismatching quantities some of them you
mismatching quantities some of them you can see that is here the claim column
can see that is here the claim column where claimed back from the supplier
where claimed back from the supplier some of them were not so if we want to
some of them were not so if we want to identify the ones that were not we're
identify the ones that were not we're just gonna isolate them and get a
just gonna isolate them and get a resulting file that will have
resulting file that will have the non-claimed sorry the non-claimed uh
the non-claimed sorry the non-claimed uh quantities so here we can see there are
quantities so here we can see there are 43 non-claimed
43 non-claimed and we're late in claiming them within
and we're late in claiming them within three days
three days and there were uh
and there were uh this kind of ten that were were clean
this kind of ten that were were clean but then we were also late in claiming
but then we were also late in claiming them thus we lost the uh the ability to
them thus we lost the uh the ability to recover the losses
recover the losses this is when it comes to the emergency
this is when it comes to the emergency note I'm not gonna automate it now I'm
note I'm not gonna automate it now I'm just
just going to move forward to the invoice for
going to move forward to the invoice for the invoices we've done again ranges of
the invoices we've done again ranges of tests
tests so we have combined the list of invoices
so we have combined the list of invoices with the POs
with the POs to identify the invoices that are not
to identify the invoices that are not related to POS so we can see these same
related to POS so we can see these same voices we have 72 invoices out of 400
voices we have 72 invoices out of 400 that are not related to POS
this invoices is very important to exceptionally monitor them
exceptionally monitor them why we have we are processing them I can
why we have we are processing them I can see that most of these invoices are
see that most of these invoices are relating to transport Logistics so maybe
relating to transport Logistics so maybe I'm not adopting the proper uh
I'm not adopting the proper uh procurement process in this area so I
procurement process in this area so I need to make sure to adopt uh the
need to make sure to adopt uh the procurement process in this area
procurement process in this area properly
properly again other other items might include
again other other items might include list of uh while combined the list of
list of uh while combined the list of invoices with the grn we can identify
invoices with the grn we can identify the invoices that are received uh
the invoices that are received uh before the goods are received so here by
before the goods are received so here by just doing a small comparison test
just doing a small comparison test by checking whether the receipt date is
by checking whether the receipt date is before the invoice date or it's after
before the invoice date or it's after them
or checking that the PO data is before the invoice date or the after the
the invoice date or the after the invoice date we can identify some
invoice date we can identify some exception that we can report later on
exception that we can report later on for payment we can have a variety of
for payment we can have a variety of tests to assure whether payments were
tests to assure whether payments were done properly whether the payments were
done properly whether the payments were properly processed or not again
properly processed or not again here we can see the list of payments
here we can see the list of payments with vendors who combine them with the
with vendors who combine them with the vendor Master file
vendor Master file to identify whether uh
to identify whether uh proper Bank details were were like the
proper Bank details were were like the amounts were transferred to the proper
amounts were transferred to the proper Banks
Banks so this is the vendor Master file it
so this is the vendor Master file it includes blank details
it includes the email it includes the postcode the address the supplier name
postcode the address the supplier name and the supplier code so while linking
and the supplier code so while linking them together we can see that here
them together we can see that here we have
we have 11 uh
suppliers were at the bank account details are not matching between the
details are not matching between the Venture Master file and the actual pin
Venture Master file and the actual pin document these ones are exceptions these
document these ones are exceptions these ones are to be reported as exceptions
ones are to be reported as exceptions and highlighted
and highlighted other elements that you have tested also
other elements that you have tested also is whether there is payments outside the
is whether there is payments outside the uh the policy
uh the policy range so pins that were done whether
range so pins that were done whether early payments before five days or late
early payments before five days or late payments that are after 25 days these
payments that are after 25 days these are also areas that we can identify
are also areas that we can identify access animation
access animation last but not least is to check the
last but not least is to check the vendor bastard file to check the
vendor bastard file to check the validity of information there so here we
validity of information there so here we have the date of creation and that date
have the date of creation and that date last updated so as per the policy of the
last updated so as per the policy of the company of food Cube the supplier
company of food Cube the supplier details should have been updated on an
details should have been updated on an annual basis so we've done an exception
annual basis so we've done an exception test to check whether they were updated
test to check whether they were updated whether this control was working or not
whether this control was working or not so we can see here some delays in
so we can see here some delays in updating supplier details
updating supplier details and we can see that these
we have see that the same person there was no door review the same person has
was no door review the same person has created the supplier profile and has
created the supplier profile and has approved it or reviewed its Edition
approved it or reviewed its Edition and all of that are part of the
and all of that are part of the analytics tests
analytics tests what I will be doing now is I will be
what I will be doing now is I will be creating a reporting mechanism
creating a reporting mechanism how I want them to be reported
how I want them to be reported for the time being I would just report
for the time being I would just report them as
them as let's say the delayed claims I would
let's say the delayed claims I would report them directly by email send them
report them directly by email send them to uh as a PDF file to let's say the
to uh as a PDF file to let's say the procurement Department
other files I can report them export them to further analyze them
other reports can be done sorry
other reports can be exported into different format whether I want to
different format whether I want to export them to excel I want to do some
export them to excel I want to do some kind of dashboards of them so I can
kind of dashboards of them so I can easily go to the delete claims Define
easily go to the delete claims Define them in a dashboard using the dashboards
them in a dashboard using the dashboards tools that I have and then report this
tools that I have and then report this result accordingly
result accordingly what I will be doing now is I would just
what I will be doing now is I would just be automating the tests in front of you
be automating the tests in front of you and we will be repeating them scheduling
and we will be repeating them scheduling to repeat them for other
to repeat them for other periods so let's say we've done them now
periods so let's say we've done them now for January 2018 we will be revisiting
for January 2018 we will be revisiting these tests for other periods such as
these tests for other periods such as February 2018 March 2018 and so on
so it's very important why with this process of automation to ensure first of
process of automation to ensure first of all that we're going in sequence of the
all that we're going in sequence of the tests that being conducted so that as
tests that being conducted so that as you remember the first thing we've done
you remember the first thing we've done is the pr cycle so we don't want the
is the pr cycle so we don't want the scripts to overlap themselves
scripts to overlap themselves so again I'm following now the pr cycle
so again I'm following now the pr cycle after we've done the pr cycle we've
after we've done the pr cycle we've imported the master file
imported the master file I don't want to import it again I don't
I don't want to import it again I don't need to import it again
need to import it again I after the pr cycle I need to move the
I after the pr cycle I need to move the PO cycle so I had tests that are related
PO cycle so I had tests that are related to
to Po's process before PR approval or
Po's process before PR approval or delayed POS and so on I had the other
delayed POS and so on I had the other tests again you can see how easy it is
tests again you can see how easy it is the fact that I'm automating them I'm
the fact that I'm automating them I'm just going to the history of the project
just going to the history of the project and automating it
and automating it I can see if there is some kind of
I can see if there is some kind of exceptions how they are being reported
exceptions how they are being reported again after the PO was issued next thing
again after the PO was issued next thing the goods were received so I will be
the goods were received so I will be selecting
selecting the tests that are related to Goods
the tests that are related to Goods receipt
then after that I will be uploading the test related to invoices
so I will be adding the invoices details you can see the system will give me some
you can see the system will give me some error message and warnings until I
error message and warnings until I complete my testing so it's here warning
complete my testing so it's here warning me that not all the tasks that you have
me that not all the tasks that you have done on the Node are completed so some
done on the Node are completed so some tasks were not done it's very important
tasks were not done it's very important to follow the process again as
to follow the process again as as you have done them so that the
as you have done them so that the scripts don't overlap each other
scripts don't overlap each other next thing is the payments again the
next thing is the payments again the payments will include
payments will include wrong payments payments outside the
wrong payments payments outside the policy range
policy range and the last things that we have checked
and the last things that we have checked is uh
is uh delays and updated supplier details
again all of that I will create it as a script
and I have this script Trading to use it for further automation what I can do
for further automation what I can do here after I've created The Script
here after I've created The Script I can take the script
and then replace everything that has January which February
and Save sorry it's it's all
sorry it's it's all you can see how automated everything is
you can see how automated everything is being done now and then once I've done
being done now and then once I've done that
that you can save the script
you can save the script I call it February
after I save the script I have to do something to build this script as a
something to build this script as a separate application
separate application so this is our February test it's an
so this is our February test it's an executable file on its own and then what
executable file on its own and then what I have to do here
I have to do here is just go to macros go to the library
is just go to macros go to the library section and then see these February
section and then see these February tests I can schedule them
tests I can schedule them [Music]
[Music] having some issues with the
having some issues with the administrator rights usually I would I
administrator rights usually I would I can schedule them here or I can
can schedule them here or I can just close idea
just close idea let's go through the task scheduler that
let's go through the task scheduler that we have here or we I mean I mean you can
we have here or we I mean I mean you can go for a more sophisticated RPA tool
go for a more sophisticated RPA tool whether it comes to uipath or something
whether it comes to uipath or something but then just I want to show you how
but then just I want to show you how easily it's being done what you have to
easily it's being done what you have to do is to create a basic task
do is to create a basic task foreign tests
and then the trigger of this test is let's say weekly monthly
this test is let's say weekly monthly daily
daily uh
uh or when the computer starts or and so on
or when the computer starts or and so on for this time we're just gonna do it for
for this time we're just gonna do it for one time
one time I'll specify to for it to be done within
I'll specify to for it to be done within two minutes and the action would be
two minutes and the action would be to start a program
to start a program and just as simple as we go through
and just as simple as we go through the program the executable file that
the program the executable file that we've done
we've done again the executable file was here
and this is the executable file you can see
this is the executable file you can see idea is not operating
that's it you can see this is scheduled as part of the automated things to be
as part of the automated things to be done by the computer
done by the computer I can develop monthly test weekly tests
I can develop monthly test weekly tests and all of that I just need to schedule
and all of that I just need to schedule them and to schedule their frequency and
them and to schedule their frequency and they will be operating immediately we
they will be operating immediately we just don't want to wait I will run the
just don't want to wait I will run the test automatically and you can see what
test automatically and you can see what will happen is
idea will open on its own we'll do the tests we'll import the
we'll do the tests we'll import the required files we will do the test for
required files we will do the test for February
February we will complete all the tests
we will complete all the tests next
next and we'll report the results immediately
and we'll report the results immediately as I want them to be reported
as I want them to be reported so all of that
so all of that we can reach the fact of continuously
we can reach the fact of continuously monitoring our tests continuously
monitoring our tests continuously monitoring the produced cycle you can
monitoring the produced cycle you can see here this complete tests of the
see here this complete tests of the procure today cycle
procure today cycle we've tested all the areas by just
we've tested all the areas by just automating the tests that we have done
automating the tests that we have done once and we got the results eventually
once and we got the results eventually uh
uh foreign
foreign we just get back to the PowerPoint again
we just get back to the PowerPoint again as we said
as we said define the actual phase of doing the
define the actual phase of doing the tests and doing the scripts is not a
tests and doing the scripts is not a complicated issue just require business
complicated issue just require business understanding and business action you
understanding and business action you can you see how it was not that hard to
can you see how it was not that hard to do the tests you just need to divide to
do the tests you just need to divide to develop the pre-order security of the
develop the pre-order security of the test the type of test that you want to
test the type of test that you want to do and then the type of script and
do and then the type of script and scenario and you can run it
scenario and you can run it automatically
automatically uh you can use more sophisticated tools
uh you can use more sophisticated tools when it comes to exporting the data from
when it comes to exporting the data from system and building connection but then
system and building connection but then for this exercise we were a little bit
for this exercise we were a little bit using uh extract reports so uh from
using uh extract reports so uh from system system generated reports so
system system generated reports so therefore it was a little bit much
therefore it was a little bit much easier the connection but then it can go
easier the connection but then it can go more complicated depending on the system
more complicated depending on the system used very useful integration can be
used very useful integration can be either done through odbc connection
either done through odbc connection so the connections the Production Tool
so the connections the Production Tool to connect with Oracle databases and
to connect with Oracle databases and with
with SQL SQL and then for sap integration
SQL SQL and then for sap integration usually there should be some kind of API
usually there should be some kind of API that helps integrate with sap and with
that helps integrate with sap and with uh it's it's different modules again I
uh it's it's different modules again I hope
hope it was an easy
demo but before I leave you I just there is one more poll question and after that
is one more poll question and after that yes
uh before we go to the full question we have some questions in the chat box
have some questions in the chat box what's the name if we can respond to
what's the name if we can respond to them
them uh what is the name of the tool that you
uh what is the name of the tool that you are using and could it be implemented to
are using and could it be implemented to any Erp system yes the name the name of
any Erp system yes the name the name of the tourist case where idea it's a
the tourist case where idea it's a general audit software and regarding
general audit software and regarding your second question can it be
your second question can it be implemented to any system yes it can
implemented to any system yes it can Erp system so it can build integration
Erp system so it can build integration with uh SAP with Oracle with SQL with
with uh SAP with Oracle with SQL with any kind of data source whether it's
any kind of data source whether it's directly with specific reports or with
directly with specific reports or with servers again
servers again idea can get the data analytics
idea can get the data analytics uh
uh there's another question I think okay it
there's another question I think okay it will be the same if the control system
will be the same if the control system is integrated with the Erp system yes
is integrated with the Erp system yes the only difference here is uh the
the only difference here is uh the reports were generated that's the only
reports were generated that's the only difference would be the access
difference would be the access permissions so if I have as a user
permissions so if I have as a user access permission to certain information
access permission to certain information by defending the connection by building
by defending the connection by building the connection which is something as
the connection which is something as similar as I can show you
similar as I can show you before I I can leave the PowerPoint one
before I I can leave the PowerPoint one second just to show you how easy
second just to show you how easy so to build the connection you just need
so to build the connection you just need to go
to go through the odbc
through the odbc defined where
defined where the data is residing let's say it's in
the data is residing let's say it's in SQL you create the store you'll find
SQL you create the store you'll find where is the location of the data if
where is the location of the data if it's a machine what kind of machine it
it's a machine what kind of machine it is then you click OK and then you can
is then you click OK and then you can access the data automatically sap will
access the data automatically sap will require a little bit of an additional
require a little bit of an additional tool to do that an API
tool to do that an API which we can if someone is interested I
which we can if someone is interested I can explain it
I can you know uh
can you please write the name yeah case where
before to before we conclude there is just one poll question that I'd like to
just one poll question that I'd like to have your opinion on which is which
have your opinion on which is which function shall be responsible you
function shall be responsible you believe in managing leading continuous
believe in managing leading continuous monitoring initiative in your
monitoring initiative in your organization
organization so far the answer that I've received is
so far the answer that I've received is internal audit I received one answer
internal audit I received one answer that it and CEO office I think
mainly number three internal audit and I've saw one internal control and so
and I've saw one internal control and so again I wouldn't I wouldn't say internal
again I wouldn't I wouldn't say internal audit should be responsible of
audit should be responsible of continuous monitoring although they
continuous monitoring although they should be involved in it I think uh
should be involved in it I think uh having a separate function for internal
having a separate function for internal control can be uh useful but then I
control can be uh useful but then I think it should be we shouldn't have
think it should be we shouldn't have just one owner for continuous monitoring
just one owner for continuous monitoring but then multiple users multiple
but then multiple users multiple stakeholders each one responsible for
stakeholders each one responsible for his uh or her area again internal audit
his uh or her area again internal audit because their access to information and
because their access to information and the right to access certain data they
the right to access certain data they are better positioned than other
are better positioned than other functions for the time being to to to to
functions for the time being to to to to to manage and Lead continuous monitoring
to manage and Lead continuous monitoring initiatives
initiatives before I leave you I just have some few
before I leave you I just have some few takeaways to proper implementation to
takeaways to proper implementation to ensure that we properly
ensure that we properly take CCM and implement it in our
take CCM and implement it in our organizations the first thing start with
organizations the first thing start with smaller pilot project don't try to make
smaller pilot project don't try to make it complicated don't try to go for
it complicated don't try to go for larger projects again it's very
larger projects again it's very important to realize the benefit and the
important to realize the benefit and the business value to get before you get
business value to get before you get going on other areas so a good example
going on other areas so a good example would be to start it on one or two
would be to start it on one or two cycles let's say procure to pay or the
cycles let's say procure to pay or the cash these are standardized cycle before
cash these are standardized cycle before you fully deploy it on the whole
you fully deploy it on the whole organization the next thing is
organization the next thing is involve and align stakeholders early on
involve and align stakeholders early on especially at the start of the project
especially at the start of the project make them responsible or make them feel
make them responsible or make them feel responsible get them involved from the
responsible get them involved from the beginning because again their
beginning because again their involvement their actions toward the
involvement their actions toward the exception is what makes the continuous
exception is what makes the continuous meeting to successful
the third thing whether you can leverage on existing I.T
whether you can leverage on existing I.T Solutions or softwares before you invest
Solutions or softwares before you invest additional amount on new softwares check
additional amount on new softwares check whether your existing systems can do
whether your existing systems can do such things and again as you can see
such things and again as you can see some basic tools such as scheduling that
some basic tools such as scheduling that is available inside
is available inside of of our windows or our Microsoft added
of of our windows or our Microsoft added with certain uh analytics scripts we can
with certain uh analytics scripts we can build our own mini continuous monitoring
build our own mini continuous monitoring solution
solution it can get more sophisticated but then
it can get more sophisticated but then we will need to assess later on after
we will need to assess later on after realizing the business value
realizing the business value train a dedicated Champion with an
train a dedicated Champion with an organization and don't just rely on
organization and don't just rely on having an I.T provider solution provider
having an I.T provider solution provider to just give you uh this tool as an
to just give you uh this tool as an official tool again
official tool again [Music]
[Music] the testing results it's very important
the testing results it's very important to and to interpret the result that
to and to interpret the result that scenarios update them on a regular basis
scenarios update them on a regular basis and last but not least
so whether there is some kind of financial Market reporting or some other
financial Market reporting or some other kind of reported try to have the
kind of reported try to have the continuous monitoring tool as part the
continuous monitoring tool as part the exceptions I mean generated from this
exceptions I mean generated from this tool as part of this report
tool as part of this report and now we can if you have any question
and now we can if you have any question please feel free to ask it in the chat
please feel free to ask it in the chat box
thank you Sean for the great webinar thank you all for attending please feel
thank you all for attending please feel free
chat box directly I'll unmute yourself for go ahead
thank you all I'm your son Nicola thank you notes
I'm your son Nicola thank you notes um
can you please share with us the presentation
yes once received I will share it with attendees inshallah and we already
attendees inshallah and we already recorded this session uh you will find
recorded this session uh you will find that on our YouTube channel
thank you thank you Mr Hisham
welcome anytime inshallah looking forward for more events webinars
forward for more events webinars workshops so see you all inshallah and
workshops so see you all inshallah and our upcoming Workshop
our upcoming Workshop bye
Click on any text or timestamp to jump to that moment in the video
Share:
Most transcripts ready in under 5 seconds
One-Click Copy125+ LanguagesSearch ContentJump to Timestamps
Paste YouTube URL
Enter any YouTube video link to get the full transcript
Transcript Extraction Form
Most transcripts ready in under 5 seconds
Get Our Chrome Extension
Get transcripts instantly without leaving YouTube. Install our Chrome extension for one-click access to any video's transcript directly on the watch page.
