Professional Documents
Culture Documents
David Coderre
Dave_Coderre@hotmail.com
1
Morning Topics
Analytics imperative
Obtaining data
Determining data requirements
Quantitative risk assessment for RBAP
update
Analytics in the Planning phase
2
Why Data Analytics?
The IIAs Global Technology Audit Guide (GTAG 16, Data Analysis
Technologies) states, data analytics can give auditors:
Greater productivity and cost savings
To increase quality, efficiency and value
More efficient data access
Reduced audit risk
3
Why Use Electronic Data Analysis?
Electronic data is available
Powerful and Innovative
Accurate and efficient
Interactive and easy to use
Supports financial monitoring
81% 85%
71% 74%
31%
Data Analytics Plan to expand Data analytics are Data analytics are Data analytics are
are used use of data important to important to
analytics but do important to
regularly improving the strengthening audit gaining a better
not have a well- quantification of coverage
developed plan understand of risks
issues
6
Analytics Maturity Model
Risks
Processes are not People lack Reports do not Controls do not Controls dont
aligned to goals knowledge and provide useful utilize support business
and objectives experience information information process
Data Analysis
Fraud and abuse; Develop under- Asses skills and Info sources; Assess Asses efficiency/
Assess fraud risk standing of competencies integrity and controls effectiveness of
non-compliance process inputs completeness info systems
outputs of the data support to
business process
8
Different Roles / Support by Data
Access methods:
Online access to application
Run standard reports
SQL or Ad hoc reports
Access to application data or extract
10
Data Analysis: a Generic Approach
Data
Analysis
Tests
14
Control Weaknesses / Risk
Discussion:
Risk/Control weakness: there is no control over the
quantity received versus the quantity ordered.
15
Data Requirements Approach #2
Identify key data elements
Info?
Key data
fields Who?
Enter
Modify
Delete Why?
Motivation/
Objective
What?
Key
Controls Tests?
Source /
Integrity
16
Accounts Receivable - Example
17
Accounts Receivable - Example
18
Exercise complete table for A/P
Identify the data fields required by the A/P process and
complete table.
19
Accounts Payable - Example
Info/Data Who Why Control Test
Vendor Clerk Duplicates Vendor creation / Duplicates
Fictitious modification Blanks in key fields
Classify on Created by
Vendor Usage by clerk
Change address Log Modifications by clerk
or bank account
duplicates
Vendor Duplicates
Invoice Clerk Duplicates Duplicates Duplicates
number
Vendor Duplicates Duplicates Duplicates
Amount Clerk Over payment IR=GR=Contract IR<> GR or Contract
Payment terms Vendor table Xtab Vendor by
payment terms
Vendor Over charge IR = GR = Contract IR<> GR or Contract
20
Accounts Payable - Example
Info/Data Who Why Control Test
Date Clerk Early Payment Good Receipt Compare to GR/IR
(GR) and Invoice dates
Receipt (IR)
dates
21
Risk-based
Audit
Planning
David Coderre
Dave_Coderre@hotmail.com
22
Agenda
23
Risk Management: dont worry I know
what I am doing
25
Emerging View of Analytics
27
Benefits of Ongoing Risk Assessment
Auditors can be more proactive in assessing corporate risks and
emerging areas of risk
Predictive business performance measures will help drive
productivity by 20 percent by 2017
Managers that persist in using historical measures miss the
opportunity to capitalize on opportunities that would increase
profit or fail to intervene to prevent an unforeseen event, resulting
in a decrease in profit
ERM is more reliable and effective when ERM frameworks are
shown to produce credible and useful risk-adjusted performance
measures on an ongoing basis
28
Quantitative Risk Indicators (QRIs)
29
Quantitative Risk Indicators
Subjective/qualitative assessment
Quantitative/data-driven
assessment
30
Ongoing Assessment of Risks
Objective:
The development and assessment of data-driven key risk
indicators for ongoing assessments:
For each corporate risk
Assessments of each organizational entity to
determine impact on corporate risk and to develop an
overall risk ranking (Low, Medium, High).
31
Development of KRIs
Steps:
1. Ensure that your Audit Universe is aligned to Strategic
Initiatives that are tied to Corporate Objectives
2. Develop KRIs for each corporate risk and for all
corporate risk categories
3. Perform ongoing assessment of corporate risks and
risk categories by audit entity or any slice of the
organization
4. Select activities/entities to audit which have highest
corporate or risk category ratings.
32
Quantitative Key Risk Indicators
Corporate Risks - example:
X . Risk ..
33
Developing Data-Driven Risk Indicators
for Corporate Risk Intellectual Property
Risk Sub-category Risk Result / Impact Risk Indicator
34
Overall Corporate Risk Rating
Combined assessment of risk across all corporate risks
for each organizational entity.
35
Risk Categories - example
36
Developing Data-Driven Risk Indicators
for HR Risk Category
Risk Sub-category Risk Result / Impact Risk Indicator
37
HR Risk Category Data-Driven Indicators
Volume / Size
# of employees
Payroll dollars
Variability/Change
Avg age; avg age of senior managers
Avg years of pensionable service; % who can retire < 2 years
Experience years in dept / position / classification
% Fulltime employees; % affected by org change
% acting ; % new hires
Leave: total leave taken; avg sick; avg vacation; avg unpaid
Complexity
# types of employee; # classifications; # locations; # unions
% employee with non-std hours
Other
% Sex (M/F); % FOL (Eng/Fr)
38
HR Risk Category Assessment
39
Data-Driven Risk Indicators for Finance Risk
Exercise: for these and additional risk categories - develop risk indicators
Discretionary expenses
40
Developing Data-Driven Risk Indicators
for Finance Risk Category
Risk Sub-category Risk Results / Impact Risk Indicator
41
Finance Risk - Data-Driven Indicators
Volume
Total Expenses, Revenue, and Assets
Variability/Change
Percentage of discretionary spending
Percentage of expenditures in Period 12, 13+
Total and number of JVs / Suspense account transactions
Total and number of Reversal documents / Loss transactions
Complexity
Number of Funds / Fund centres / Cost centres
Number of Economic object categories / GLs
Number of Currencies / Document types
Use of Internal Orders / Purchase orders / Fund reservations
Use of Materiel and Asset numbers / Real estate blocks / WBS
Number of employees
Number of P-Cards
42
Risk Factor Weighting
43
Financial Risk Category Rating
44
Quantitative Risk Indicators
ACL Demo
45
Other Risks - examples
Legal and Regulatory
Number of new regulations
Number of modified regulations
Regulatory fines within the industry
Frequency and extent of onsite visits by regulators
Frequency of media coverage of issues affecting
regulations
Cyber Security
Number of firewall attacks and breaches
Number of applications operating in the cloud
Amount of IT traffic
Assessment of the organizations cyber security maturity
Frequency of alerts from cyber security vendors
Manufacturing
Number of production lines
Number of special runs
Percentage defects
Percentage downtime
???
Overall Risk Category Rating
Combined assessment of risk across all risk categories
for each organizational entity.
48
Overall Risk Rating
A
1 Corp Risk 1
K 0.9 B
0.8 Corp Risk 2
0.7
0.6 Corp Risk 3
0.5
J C Corp Risk 4
0.4
0.3
0.2
0.1
0
I D
H E
G F
49
Corporate Risk rating by indicator
A
3 Gov
K B
2.5 Proj Mgt
IT Control
2
Safeguard
1.5
J C
1
0.5
I D
H E
G F
50
Overall Risk Rating by Audit Entity
A
3
Projects A - K K
2.5
B
1.5
J C
1
0.5
I D
H E
G F
51
Audit Entity - rating by risk category
A
1 HR
K 0.9 B Fin
0.8
Legal
0.7
Strat
0.6
0.5
J C
0.4
0.3
0.2
0.1
0
I D
H E
G F
52
HR Risk Rating by Region by Indicator
Volume
A
1 Variability
0.9
J B
0.8 Complexity
0.7
0.6
0.5
0.4
I 0.3 C
0.2
0.1
0
H D
G E
53
HR Risk Rating - Complexity by Entity
A Num_EmpTypeR
1
Num_ClassR
K 0.9 B
Num_RegionR
0.8
0.7 Num_UnionR
0.6 Pct_NoStdWWR
0.5
J C
0.4
0.3
0.2
0.1
0
I D
H E High-level of HR Risk
G F
54
Conclusions
55
Risk
Assessment in
the Planning
Phase
IIA Puget Sound Chapter
September 2015
David Coderre
Dave_Coderre@hotmail.com
56
Support to Individual Audits or Reviews
Planning phase of an audit or review
Review operations / improve our understanding of business processes
Identify and assess risks
Assessment of control framework and testing of critical controls
Identify areas for improvement in operations and controls
Establish review objectives and scope
Conduct
Assess compliance
Test controls
Follow-up
Status and impact of recommendation
Fraud Risk
Identify and assess fraud risk
57
Support to Financial Officers
Financial monitoring
Trial balance
Multi-year trend analysis
Cost / Benefit analysis
Life cycle costing
Program and sub-program expenditures
Post payment verification
Internal control testing
ICFR analysis of risks and controls
Assess fraud risk
???
58
There are better ways to check for
weaknesses in the controls
59
Hazardous Materials Example
Objective:
Ensure that purchasing and disposal activities
respected environmental considerations
Ensure that hazardous materials were being
properly stored, used and disposed of
Background:
Numerous warehouses/depots across the country
Various types of hazardous materials with different
environmental impacts, storage and health and
safety requirements
60
Inventory
From To
Economic order quantities
Verifying inventory
(counts) Just-in-time Inventory
Three-way matching Obsolete inventory
(contract receipt Provisioning rates
invoice) Fraud risks
Management override
Items sent to scrap
Turnover rates
Unusual pricing
Attractive items
61
Financial Trends and Analysis
62
Financial Trends and Analysis
63
Multi-Year Summaries
64
Multi-Year Trend Analysis
65
Analysis Examples
Inventory obsolete, sale of scrap, Risk identification and assessment
warehouse space, delivery time, EOQ Acquisition card monitoring
Succession planning Payroll rates and allowances
Hazardous Materials User access rights
Staffing Travel agency costs
Operational efficiency Overtime
Duplicate invoices Separation of duties
Reorganization Charter air routes
Control testing Telecom charges
Health claims System conversion
Inventory Management Management bonuses
Stale/backdated commitments Recruitment process
Trial balance and financial trends Program costing/tracking
66
Challenges and Opportunities
From To
Controls Efficiency and Effectiveness
Compliance Governance, Risk Mgt and
Control processes
Information Gatherer Knowledge Provider
Hindsight Foresight
Shop Floor C-suite
Tick and Bop Strategic Change Agent
Detection Provision of Assurance
67
Operational Readiness
Factors:
Equipment
Personnel
Support
?
68
Reference Materials
70