The full scope of services within the Continuous

The full scope of services within the Continuous Auditing / Continuous Monitoring (CACM) Methodology Guide is not permissible for SEC audit clients and IFAC PIE clients and their affiliates. CACM services are generally permissible for IFAC non-PIE audit clients subject to evaluating engagement circumstances using the conceptual framework (i. e. threats and safeguards approach) as outlined in the Global Quality & Risk Management Manual Chapter 11. Refer to the contents of the Independence guidance on slides 11 -20 of the CACM Methodology Guide for detailed guidance. The Independence guidance was updated in 2013. The remaining content is unchanged. Continuous Auditing / Continuous Monitoring to Manage Risk and Performance The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. KPMG and the KPMG logo are registered trademarks of KPMG International Cooperative (“KPMG International”), a Swiss entity.

Agenda Appetite for CA/CM Background on CA/CM Overview Drivers Influencing CA/CM Strategies An Illustration of CA/CM Why implement CA/CM? –Challenges and Requirements for Implementation –How do we get Started? –Implementation of CA/CM Dimensions of CA/CM Enabling with Technology Sample Implementation Model The Value Proposition Key Success Factors of CA/CM How can KPMG help? © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 1

Appetite for CA/CM Survey Data – Risk and Control Innovations – Next Three Years Survey of 435 Senior Executives What risk and control innovation themes exist in your organization? © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 2

Background on CA/CM What is different this time? “Historical” “Current” • theoretical concept – “Mostly Academic View” • significant advances in technology • lacked executive support • practical and realistic – aligning frequency to risks • technologically cumbersome • too costly to implement • lack skills • compliance-based auditing. • business and value drivers more evident • technology options are becoming cost effective • evolving skills in internal audit function. What is different for you – is the concept becoming a reality? © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 3

CA/CM Overview Definitions Continuous Assurance Providing a continuous or on-demand assurance opinion on systems or transactions Continuous Auditing The collection of audit evidence and indicators, by an internal or external auditor, on IT systems, processes, transactions, and controls on a frequent or continuous basis throughout a period Continuous Monitoring An automated feedback mechanism used by management to help ensure that systems and controls operate as designed and transactions are processed as prescribed How is your organization defining the CA/CM initiative? © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 4

CA/CM Overview Objectives Continuous Auditing Performed by Internal Audit • Continuous Monitoring Responsibility of Management gain audit evidence more effectively and efficiently • react more timely to business risks • leverage technology to perform more efficient internal audits • focus audits more specifically • help monitor compliance with policies, procedures, and regulations • • improved governance • increase visibility into operations • obtain better information for day-today decision making • strive to reduce cost of controls • leverage technology to create efficiencies. become more valuable to the business. © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 5

Drivers Influencing CA/CM Strategies CA/CM strategy is influenced by a variety of strategic, operational and external drivers. . . Pressure to improve governance Need to improve performance/ accountability Globalization Scrutiny from rating agencies/listing standards Strategic Drivers Occurrence or risk of fraud ERP conversion CA/CM Strategies Operational Drivers Desire to reduce SOX costs Improve leverage of IT Investments External Drivers Expanding regulatory and legal risk environment Uncertain economic environment increasing business risk What are the drivers influencing CA/CM in your organization? © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 6

An Illustration of CA/CM Let’s Put This Into Perspective - Quick example Risk – quality of customer balances Continuous Auditing –Alert the internal audit department when: • • credit limit exceeded by more than 10 percent AND credit limit has been exceeded for more than 15 days AND no payments made by the customer, AND new shipment made to customer. Continuous Monitoring –alert when credit limit exceeded by 5 percent –alert when changes made to customer limits in master file. Both strategies give management indicators of issues that are arising, allowing for pro-active, rather than reactive actions © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 7

Let’s Put This Into Perspective Quick examples Risk – Possible Fictitious Vendor Continuous Monitoring –vendor address matches a commercial mail receiving agency –multiple, similar vendor names with different vendor IDs in vendor master file –vendor Taxpayer ID matches an Employee Social Security Number (SSN) –vendor telephone number appears to be a mobile telephone number. Continuous Auditing –alert the internal audit department when: • • address matching risk profile (seasonal, prison, CMRA, etc. ), AND/OR labeled as a “one-time” vendor, AND/OR taxpayer ID matches employee SSN, AND/OR telephone number matches an employee. © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 8

An Illustration End-to-End CA/CM Process from technical perspective 3 3 4 5 5 2 3 1 1. 2. 3. 4. 5. Rules created in CA/CM tool Rules run against databases E-mail alerts to auditors/management CA/CM tool populates web server Dashboard provides summary and drill down capability for auditors/management © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 9

Why implement Continuous Auditing? CA can help enhance organizational value and offers a broad range of potential benefits. . . Greater Efficiency • audit by exception • automate components of the audit program, audit tests or review procedures • known control gaps and deficiencies can be continuously audited • reduced wait times for data • reduction of low value-added work • improved maintenance of a dynamic and relevant risk profile • automate manual processes • reduced travel costs by automation of testing. Earlier Information • • • improved speed of reporting to the business reduced surprises, problems do not build up enhanced leverage of system functionality identification of misuse and misconduct identification of errors earlier and when issues are fresh ability to proceed with root cause analysis for errors, policy violations, fraud and misconduct in a more timely manner. Enhanced Controls Reduced Complexity • corrections of errors moved closer to the “source” • enhanced visibility of Internal Audit within the business and improved deterrence effect • assist in providing valuable insight to controls effectiveness and business process risks associated with outsourced business processes • ability to audit the “monitoring” function from an Internal Audit perspective, providing an additional layer of governance. • reduction of complexity through global process standardization, thereby easing review • appropriate setting and consistency of materiality thresholds • automated exception report production – focus on the real issues • regulatory compliance can be audited. … which will help Internal Audit to add more value to the business © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 10

Why implement Continuous Monitoring? CM can help enhance organizational value and offers a broad range of potential benefits. . . Greater Efficiency Earlier Information • • • improved speed of information delivery to the business • reduced surprises, problems do not build up • netter information for decision making • ability to progress with root cause analysis for errors, policy violations, fraud and misconduct in a more timely manner. • • reduction of work duplication increased use of automation enhanced ability to identify and correct errors more time for value adding analysis instead of error correction reduced manual SOX testing reduced travel costs by automation of testing and remote monitoring. Enhanced Controls Reduced Complexity • corrections of errors moved closer to the “source” • automated controls • control gaps and deficiencies can be monitored for circumvention and/or exploitation • ERP system and/or business process limitations and deficiencies can be addressed • automated fraud prevention and detection activities. • greater visibility as to how processes are functioning • appropriate setting and consistency of thresholds • regulatory compliance can be monitored • ability to standardize process measures across locations • demonstrate good governance – use leading edge approach. … which results in more focused time to add value to the business © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 11

Challenges and Requirements for Implementation The full scope of services is not permitted for audit clients or their affiliates. See detailed guidance regarding independence on slides 9 and 10 of the methodology guide. Challenges Requirements • thought Leadership - lack of content (e. g. , business process specific, industry specific) • technology intensive - virtual real time monitoring requires sophisticated technology • people - lack of deep industry and functional specialization (e. g. , Governance, Risk and Compliance specialization; Fraud and Forensic Investigative specialization) • thorough business process and industry content knowledge • reliability, accessibility, and availability of data • knowledge of and linkage to enterprise risk exposures • senior management sponsorship. • consistency of business processes • change management - impact of changing embedded processes, resistance to change. © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 12

Implementation of CA/CM – How do we get started? KPMG Framework © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 13

Implementation of CA/CM KPMG Framework The full scope of services is not permitted for audit clients or their affiliates. See detailed guidance regarding independence on slides 9 and 10 of the methodology guide. Plan Assess Design Plan and scope the engagement Implement Execute Perform the auditing or monitoring Evaluate Revisit the process according to results produced The implementation model To be removed before printing: Services provided within the “Design” phase are prohibited for SEC audit clients. Services provided within the “Implement”, “Execute” and “Evaluate” phases are restricted for SEC audit clients. Refer to the CA/CM Methodology Guide for further information as well as local office risk management policies and guidelines. © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 14

Our approach is designed to provide an efficient, consistent and repeatable process… Activities Phase The full scope of services is not permitted for audit clients or their affiliates. See detailed guidance regarding independence on slides 9 and 10 of the methodology guide. Plan Assess • determine client • gather relevant information objectives with key stakeholders • perform risk assessment • prepare engagement approach with team • kick-off the project. • perform current state assessment • perform gap analysis • assist with drafting the desired state. Design • confirm and prioritize areas to be addressed • define measures and thresholds • assist client with selecting the best CA/CM tool(s) • confirm implementation Implement Execute Evaluate • roll out • run queries and • conduct a post implementation plan routines • set-up for data • assist with implementation assessment extraction activities identification of root cause of exceptions/results • identify potential • assist with training gaps and weaknesses. • assist with other ongoing program activities through the implementation. available resources. improvements • Discuss control plan. Potential Deliverables Needs and requirements summary Gap analysis CA/CM implementation plan Set-up for data extraction activities Selected CA/CM tools Data maps and dictionaries Exception reports Post implementation assessment Risk assessment Engagement letter Lessons learned Current state assessment © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 15

Dimensions of CA/CM Interrelationship of CCM, CTM and Macro Analysis Analytical Dimension Macro Analysis (e. g. , Number of Purchase Orders per week) Risk/ Performance Controls Dimension Changed or Deleted Controls (Continuous Controls Monitoring) Types of Analysis (e. g. , rules, statistical, link mining, etc. ) Transactions Dimension (Continuous Transaction Monitoring) Risk and Performance Monitoring is optimized when all three dimensions are implemented © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 16

Enabling with Technology Considerations Types of Technology Tools (Evolving) · Continuous Control Monitoring (CCM) −Application configuration parameters −User access and segregation of duty analysis −Examples of available tools · Continuous Transaction Monitoring (CTM) − transaction attribute analysis − transaction pattern analysis − examples of available tools. Technology Selection Considerations · Technical – infrastructure limitations – availability of data and number of sources – level of sophistication of IT personnel. © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. · End User Requirements – transaction monitoring – control and configuration monitoring – case management/remediation tracking – master data monitoring. 17

Enabling with Technology Additional Considerations What are the objectives? –IA, IA for Mgt or both –Strengthen IA data analytics. What are the anticipated areas of focus? –ERP? Non-ERP? Both? –Controls, transactions, macro analysis –Risk types? (e. g. , fraud, performance, waste, regulatory compliance). How will the analysis be performed? –Embedded, extracted –Frequency: regular, repeatable, near real -time. © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Required sophistication of analytic functionality –Rules, statistical, temporal, artificial intelligence. Exception handling –Alerts –Aggregation, prioritization, scoring –Assignment, investigation, resolution, documentation. Reporting and dashboard capabilities Impact on system performance (extraction) Required speed of analysis and hardware requirements (daily analytics) Cost 18

Enabling with Technology Two Main Technology Types Type 1 – Embedded Monitor at Source Examples : SAP® GRC, Oracle® GRC, Approva® Auditee Auditor Monitor © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Report Follow up 19

Enabling with Technology Two Main Technology Types Type 2 – Data Analytics Examples : ACL®, IDEA®, SAS®, Approva, Business Objects® Auditee Auditor Extract © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Upload Test Review Follow up 20

Sample Implementation Model Combination CA/CM Approach Organization ERP Systems Operations Financial Applications CA Application Management CM Application (Mgmt) Internal Audit © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 21

The Value Proposition Benefits of Implementing CA/CM CA brings greater efficiency, enhanced controls, earlier information, and reduced complexity Board of Directors Improved insight into the business risks across the enterprise Improved corporate governance Potential for improved reporting to the board Management Allows senior management to have greater visibility into the organization—enhancing its oversight capabilities Improved corporate governance Improved information for dayto-day decision making Reduction of work duplication Improved leverage of IT investment Reducing surprises © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Internal Audit Identification of ‘issues’ closer to occurrence Better able to test a broader range of controls, including security, segregation of duties, and process level controls at a reduced cost and on a timely basis Improved speed of reporting to the business Improved information to focus audit efforts Improved maintenance of risk profile 22

Key Success Factors of Continuous Monitoring Critical success factors Senior executive support KPMG’s response addresses these vital issues Technology tools and experienced resources Established approach to CM Well planned approach Organizational alignment executive involvement at all stages of the project including opportunity identification, selection, prioritization and sign-off clear CM leadership roles to drive cultural change identification of control owners to report failures, escalate issues, etc. fact-based approach to identification, quantification and prioritization of CM opportunities selection of appropriate CM tools to contain costs and speed up communication experienced staff who can commence fieldwork immediately. global continuous monitoring framework and approach identification of key control check points methodology emphasizes risk and continuous improvement. detailed project initiation and work plan documents knowledge of and linkage to enterprise risk exposures organization’s risk profile is fundamental to the assessment and design of the CM approach. incorporation of key line management within the CM project partnering with team members to help enable knowledge transfer senior industry and functional practitioners. © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 23

Key Success Factors of Continuous Auditing Critical success factors KPMG’s response addresses these vital issues Senior executive support Executive education on the development of a business case Obtain buy-in by the Chief Audit Executive regarding approach Commitment to train internal resources Experienced resources and technology tools Experienced staff who hit the ground running Thorough business process and industry content knowledge Selection of appropriate CA tools to contain costs and speed up communication Established approach to CA Provide root cause analysis capabilities for errors, policy violations, fraud and misconduct Identification of key control check points Methodology emphasizes continuous improvement Well planned approach Detailed project initiation and work plan documents Organization’s risk profile is fundamental to the assessment and design of the CM approach Knowledge of and linkage to enterprise risk exposures Organizational alignment Partnering with internal team members to help enable knowledge transfer Consistent alignment of goals, measures and incentives Audit the “monitoring” function from an Internal Audit perspective Transition Planning Balancing existing internal audit practices with CA Managing independence © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. 24

How can KPMG help? • Design and implement CA/CM approaches including risk-based: - Dashboards - Scorecards - Analytics (including fraud and regulatory risk specific) - Reports (area and transaction based) - Management Protocols • Notification • Reporting • Response • Investigation • • • Controls automation • Integration with governance, risk and compliance initiatives • Coordination with business intelligence initiatives • Design/incorporate with more sophisticated data analysis initiatives (e. g. , predictive modeling, social network analysis) • Tool/application evaluation and recommendation • Training Execute individual CA projects Evaluate anti-fraud processes that are part of the CA/CM approach. • © 2011 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved. Risk assessment/scoping. 25

Contact information John W. Doe KPMG LLP (201) 123 -4567 jwdoe@kpmg. com www. kpmg. com Copyrights and Disclaimers may vary between applications. Please consult the GB&RC Micro. Web for specific policies. http: //www. grm. kworld. kpmg. com/GBRC/resource/default. asp Please delete this message prior to printing or presenting.