Conteliga Tool Concept

The Conteliga tool concept was built to support individual control and risk management frameworks in the most holistic way. The main focus is the alignment to risk-based reporting, which creates the most competitive and sustainable advantage for meeting requirements for regulatory compliance, fraud prevention and risk management.
Conteliga resulted in a flexible baseline concept for the implementation of individual control frameworks by linking risks to sets of controls, supporting cross-application and cross-functional control definitions in real time while respecting individual ownership models. The benefit is efficient risk-based monitoring and transparent reporting of risk and control status with clear accountabilities and responsibilities.

Risk

Risks and the related set of actions are defined by management considering company strategies and objectives. Conteliga provides the possibility to describe risks by taking into account threat, likelihood and financial impact.
Risk classifications such as the criticality of a risk can vary between company entities; for example, the risk of a fraudulent payment could be treated as 'medium critical' at group level but as 'high critical' at entity level. Conteliga considers such organizational particularities.
The materialization of a risk can have several origins. The risk of a fraudulent payment could be caused by an inefficient organization (no segregation of duties), by inappropriate system authorizations, or by missing application controls or configuration settings. Treating the controls that address such weaknesses independently of each other is inefficient. The Conteliga concept explicitly considers this fact by linking risks to sets of controls instead of only monitoring single controls.

Set of Controls

A set of controls comprises one or more single controls and is the interface for linking risks to controls. It is possible to link more than one set of controls to a single risk. This concept allows the definition of reusable control groups, such as groups checking critical configuration settings for specific applications.

Example: The control group for SAP critical configuration settings consists of two controls: "Control 1" - Identification of users with development keys, and "Control 2" - Verification that the SAP environment is locked. Single controls in one set of controls are linked via a Boolean relation. If one control in this set of controls fails, all SAP-supported business processes have a potential risk of unauthorized access.
The concept of sets of controls establishes clear responsibilities and accountabilities for enterprise-wide management of risks. The reuse of control groups minimizes maintenance effort and maximizes risk monitoring transparency by considering all related controls within one centralized tool solution.

Controls

Controls are actions defined by management to address critical company risks. Conteliga supports several types of controls, such as access and process controls, segregation of duties controls, general computing controls and configuration setting controls. One single control can be used in one or more sets of controls. The baseline concept offers the possibility to define detailed control parameters.
Example: Dormant users need to be controlled in any productive system to prevent unauthorized personnel from accessing data through these accounts. "Control 3" - Identification of dormant users is created with one baseline definition for SAP and another for Oracle systems.
This approach has advantages for the maintenance and the transparency of controls. For one single control it is possible to define specific control parameters depending on system, organization, or a range of valid values per application. The reuse of control definitions minimizes maintenance effort and maximizes control monitoring transparency.

Baseline

The efficiency of controls depends on the internal control environment, which defines the basis of how risk is viewed and addressed, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which the company operates.
An Internal Control System supporting such an ambiguous environment needs to sustain dynamic changes in business processes and offer flexibility for future requirements. This is the reason why Conteliga, unlike other solutions, uses a baseline concept for every type of control.
Example: A user who has system access to post an invoice and to create or modify supplier master data (SoD conflict) bears the potential risk of processing a fraudulent payment. "Control 4" (SoD control) is defined to address this risk. If one subsidiary uses SAP for both supplier master data management and invoice processing, the baseline for "Control 4" differs from that of another subsidiary which uses SAP for supplier master data management and Oracle Financials for invoice processing. But "Control 4" itself, segregating these duties, stays the same.

Risk Mitigation – Control realization

Conteliga supports individual ownership models. Owners can be assigned at any level, such as to controls, risks or business processes. Owners are considered in approval or alerting workflows. If control activities fail, approval and alerting workflows are triggered automatically. It is possible to customize or define such workflows.
Control monitoring and the analysis of control failures create costs. In order to achieve a reduction of control costs, two main principles have been considered in the tool concept.
Automation of compensating controls. Manual controls are time consuming and inefficient. The set of controls concept allows the automation of compensating controls with a Boolean relation of controls or control groups ("Control 1" or "Control 2").
Avoidance of 'spamming' owners with 'false positives'. A false positive is a control failure that does not create a potential risk. The analysis of false positives is time and cost consuming and has a negative impact on personnel motivation for internal control activities.

Risk Mitigation – Compensating controls

Potential risks arise if control activities fail or if there are organizational constraints on their implementation. The concept of sets of controls supports mitigation actions in case of control failures via a Boolean relation between controls within one set of controls.
Example: The risk of processing a fraudulent payment occurs if a user has system access to post invoices and to change supplier master data (SoD conflict). "Control 4" is defined to monitor the separation of these two duties. If a user needs to have such access, "Control 4" will fail and a potential risk occurs. A compensating "Control 5" can be defined which monitors whether the user changes supplier master data for any supplier that is linked to an invoice the same user processed within the system. "Control 5" addresses the potential risk and avoids 'false positives'.
A set of controls comprising "Control 4" or "Control 5" has been configured. The control owner is only asked for an evidence upload when the risk of processing a fraudulent payment has really materialized in the system. Conteliga is able to identify 'false positives' and to focus on real risks. This approach is cost effective and highly motivating for control owners.
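The following is an added illustration, not Conteliga's own code: a minimal model of the set-of-controls idea from the "Set of Controls" section and the compensating-control example above. A set evaluates its single controls through a Boolean relation ("and" for the SAP configuration group, "or" for "Control 4" or "Control 5"), and only a failure of the whole set is reported to the owner, so an SoD conflict that is never abused stays a suppressed false positive. The authorizations, invoices and supplier changes are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed sample data (not from the page): authorizations, posted invoices,
# supplier master changes. Alice abuses her SoD conflict, Carol does not.
AUTHORIZATIONS = {
    "alice": {"post_invoice", "change_supplier"},
    "bob": {"post_invoice"},
    "carol": {"post_invoice", "change_supplier"},
}
INVOICES = [("INV-1", "alice", "S-100"), ("INV-2", "bob", "S-200"), ("INV-3", "carol", "S-300")]
SUPPLIER_CHANGES = [("alice", "S-100"), ("carol", "S-400")]  # (changed by, supplier id)

def control_4(user: str) -> bool:
    """SoD control: fails if the user may both post invoices and change supplier data."""
    return not {"post_invoice", "change_supplier"} <= AUTHORIZATIONS[user]

def control_5(user: str) -> bool:
    """Compensating control: fails only if the user changed a supplier on an invoice they posted."""
    own_suppliers = {sup for _, who, sup in INVOICES if who == user}
    return not any(who == user and sup in own_suppliers for who, sup in SUPPLIER_CHANGES)

@dataclass
class ControlSet:
    name: str
    controls: dict[str, Callable[[str], bool]]
    relation: str = "or"  # Boolean relation between the single controls: "and" or "or"

    def evaluate(self, user: str) -> dict[str, bool]:
        return {name: check(user) for name, check in self.controls.items()}

    def passes(self, user: str) -> bool:
        results = self.evaluate(user).values()
        return all(results) if self.relation == "and" else any(results)

def monitor(control_set: ControlSet, users) -> dict[str, str]:
    """'ok': every control passed; 'compensated': a single control failed but the set
    passes, so no owner alert; 'risk': the set failed and the owner workflow is triggered."""
    status = {}
    for user in users:
        results = control_set.evaluate(user)
        if all(results.values()):
            status[user] = "ok"
        elif control_set.passes(user):
            status[user] = "compensated"
        else:
            status[user] = "risk"
    return status

FRAUDULENT_PAYMENT = ControlSet("fraudulent payment", {"Control 4": control_4, "Control 5": control_5})
```

Running `monitor(FRAUDULENT_PAYMENT, AUTHORIZATIONS)` flags only Alice as a materialized risk; Carol's unused SoD conflict is recorded as compensated and raises no owner alert.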

© Conteliga GmbH 2013 | Berninastr. 8 | CH-5430 Wettingen
Tel.: +41 78 73 79 303 | contact@conteliga.com
www.conteliga.com