Data Analytics & Internal Audits IIA, Boise Chapter March 2014
Data Analytics & Internal Audits IIA, Boise Chapter March 2014 How Did I Get Here? • Student Auditor at University Internal Audit Department • Accounting Degree • Protiviti Internal Controls Testing • Protiviti Data Analytics Team 1 © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Objectives 2 1) Encourage the use of data analytics in existing internal audit reviews 2) Share fundamental knowledge to successfully incorporate data analytics into audit work programs 3) Introduce Continuous Monitoring concepts © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Establishing a Common Language Data Analytics Techniques used by auditors or management to manipulate large volumes of data to provide meaningful insight into activities occurring throughout the business. Continuous Auditing Method used by auditors to perform audit-related activities on a continuous basis. Activities range from continuous control assessment to continuous risk assessment. Continuous Monitoring Process that management puts in place to ensure that its policies and procedures are adhered to, and that business processes are operating effectively. Continuous monitoring typically involves automated continuous testing of ALL transactions within a given business process area against a suite of controls. 3 © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Why Data Analytics? Data Analytics Opportunities and Value Proposition 1. Optimize the return on your existing data investments 2. Provide insights to help pinpoint new opportunities and improve operational efficiencies and visibility across the organization 3. Enable faster problem-solving and decision-making at the strategic, operational and tactical levels 4. Find hidden meaning – patterns, trends, relationships – in your data 5. Deliver intelligence to the field in real-time 6. Mitigate the risk of fraud 7. Improve your company's competitive advantage 8. Achieve or validate compliance with government and regulatory guidelines 9. Confirm existing controls are working properly 10. Reconcile data across disparate systems 5 © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Example Internal Audit Case Studies Case Study #1 6 Organization Need Our client, a grocery chain, systematically transmitted multiple price change files per day originating from three different corporate systems to each of their 90 store locations. Store systems relied on manual processes for price files to be imported and applied at the register. Compliance with corporate supplied prices had never been tested. Solution To test compliance with corporate supplied pricing, we sought to analyze 100% of the transactions in each store during the audit period to determine if the corporate supplied price had been appropriately applied. This POS data extract totaled 300 million records for the one year audit period. After interviewing corporate and store-level stakeholders, Protiviti identified the relevant price system data sources (Ad, DSD, Pricing Dept.) and the rules governing price hierarchy. Prices were systematically applied based on the key characteristics of SKU, store, date, and price type. Result: Underpricing on sales of $14M. Results of this analysis were validated and reviewed with management. Root cause was identified as store department managers manually overriding corporate suggested prices to sell excess inventory purchases. © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Advantages of Data Analytics 1. Testing of full populations No need to extrapolate sample results Drill down to individual transactions 2. Efficient & Repeatable 3. Undisputed results 7 New understanding can be incorporated and the calculations rerun With agreement on inputs and model 4. Enhanced risk assessment for audit area selection 5. Targeted samples for testing © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Tools for Internal Audit Data Analytics Comparative Tool Features and Efficiencies 8 MS Excel MS Access ACL SQL/Oracle Complexity Low Low Medium Very High Capacity Up to 1.04 Million Records only Up to 2 GB Performance dips as the data volume increases. Good performance up to 1 GB of data No Limit Skill Sets Limited availability but easy to train Limited availability but easy to train Limited availability but easy to train Limited availability Analysis Time Quick Quick Quick High Cost Very Low Very Low Medium Very High Database Security Low Medium Medium Very High Calculation Integrity Low High High High © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Phases of a Successful Internal Audit Using Data Analytics These phases are not unique to data analytics focused internal audits. They can easily be integrated into the existing framework of internal audit work programs. Scoping 9 Data Request Data Integration © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Data Analysis Findings Validation & Reporting Methodology Phases Scoping Data Request Data Integration Data Analysis Objectives • • • Perform existing scoping activities to prepare for the review Understand areas where Data Analytics would be most useful Identify relevant systems and data sets Key Questions • • • • • • 10 What data exists? Can the subject of our audit be readily observed in existing data sets? Does the auditee agree that Data Analytics can lead to an accurate answer? Are multiple data sets required? Can these be tied together? What thresholds, characteristics, etc. constitute an exception? What business processes support the generation of the data? © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Findings Validation & Reporting Example Internal Audit Case Studies Case Study #2 – Importance of Scoping 11 Organization Need A large telecom client maintains a large contingent workforce supplied by a third party who themselves subcontract to 135 staffing firms. Our client desired to audit contingent workforce invoice details to determine if contractual terms including appropriate hourly rates were being observed. Result Client insisted that the contract party not be engaged during the scoping phase. Relevant data sets existed in a Vendor Management System to which our client had access. After over 100 hours of analysis, data analysis results showed millions of dollars of overbilling due to excessive hourly rates being applied. Upon review with the staffing firm, it was learned that data extracts used did not reflect approved waivers to hourly rates and that these waivers, in fact, did not exist in a system of record. All findings were cleared. © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Methodology Phases Scoping Data Request Data Integration Objectives • • Obtain data necessary to complete the audit Minimize need to re-request data Key Questions • • • • 12 Who can provide the data? ‒ Business Unit: May not be able to change filters, output fields, or file format ‒ IT: May take longer, may not understand “business” meaning of data fields, will give you exactly what you ask for Do we understand what data is available? ‒ More vs. Less – Fields, filters, etc. How do we want the data? How can we receive the data? ‒ Size & Security? © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Data Analysis Findings Validation & Reporting Methodology Phases Scoping Data Request Data Integration Objectives • • Prepare data received for analysis Validate completeness of data received and imported Key Tasks • • • • • 13 Select the technology best suited for the analytics selected. Things to consider: ‒ Volume and type of data ‒ Complexity of the modeling ‒ Accessibility of certain technologies ‒ In-house expertise and skills Importing data into analysis tool – data types are important! Validating completeness using record counts, system report, GL, etc. Determine how disparate data will be integrated (“joined”) Prepare any transformations or mappings © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Data Analysis Findings Validation & Reporting Example Internal Audit Case Studies Case Study #3 – Validating Completeness Organization Need Many of our clients have licensing agreements requiring the contract party to make periodic royalty payments based on sales activity. Our clients exercise the audit clause of these agreements to validate the completeness and accuracy of these royalty payments. Solution Protiviti employs a top-down approach to these audits where a complete population of the licensee’s sales detail is requested. Completeness of the sales data provided is validated by agreeing to audited financial statements. Once completeness has been established, we can isolate those sales which are subject to the agreement and perform a full recreation of payment obligations. Audited Financial Statements Business Unit / Segment sales Licensee Audited Fin. Stmts. All Licensee Invoices at Line Level Business Unit / Segment Sales Sales with IP Content IP Components 14 © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Sales with IP Content Transformations and Mappings Some “housekeeping” may be required to make data usable for analysis. Transformations: Mappings 15 © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Methodology Phases Scoping Data Request Data Integration Data Analysis Objectives • Perform desired analysis Key Tasks • • • 16 Be Logical Be Creative Be Evolving ‒ Build test scripts ‒ Validate the accuracy of the scripts and other applicable KPIs or metrics ‒ Confirm test scripts are identifying the intended results © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Findings Validation & Reporting Be Logical Build analysis step-by-step. Royalty example: 17 © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Example Internal Audit Case Studies Case Study #4 – Time & Expense Analysis Organization Need Solution 18 A technology client terminated a field rep for submitting fraudulent and abusive expense reports. Our client desired to identify if any other field reps within his department were utilizing similar schemes in travel expense reimbursement. Utilized the expense categories of submitted expense reports in performing analysis to identify fraud or abuse: • Incompatible expense reimbursements (fuel without a rental car, etc.) • Excessive reimbursements (More than 3 meals a day) • Ratio analysis (Lodging cost per travel night) • Simple descriptive spend summaries (Total yearly reimbursements for hotel, car, meal, etc.) © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Example Internal Audit Case Studies Case Study #5 – Pattern Analysis 19 Organization Need A hospital system terminated two employees who had gotten access to patient records with the intention of possibly using the information to file false tax returns. Our client wanted to identify if any other employees were using the same scheme to steal client information. Solution The hospital system identified that the terminated employees had been using their appropriate access to admittance systems to steal patient information. Our client identified the objects (“screens”) within that system which contained sensitive client information. Using the log records from that system, we identified a pattern of use consistent with a user stealing PII from the admittance system. © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Historical and Descriptive Analysis Although organizations will generally solve customized problems, recognized data and statistical analysis techniques are the basis for solving those problems. Business Performance identifies key ratios and metrics that track how business operations and processes are functioning: • Financial, operational metrics • Scorecards and KPIs Clustering data classifies data variables into similar data types for easy visualization and identification of problem areas: • Grouping • Deciles, quartiles, percentiles or other rank order measurements • Stratifications • Geographical, product, business unit or other segmentation criteria Trending creates visual displays of the data over time showing information such as: • Cyclicality (e.g., time series analysis, by day of the week, month, season, etc.) • Event driven results • Abnormalities Descriptive statistical analysis brings the science of statistics into data analysis: • Distributions • Outliers and standard deviation measurements (z-scores, etc.) • Correlations and regression • Volatility 20 © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Methodology Phases Scoping Data Request Data Integration Objectives • Deliver quality and actionable audit results Key Tasks • • • • • 21 Validate approach with auditee Validate any exceptions with auditee Update data analysis and incorporate lessons learned as appropriate Investigate variances, offending transactions, etc. ‒ Categorize variances if possible Finalize audit report ‒ 100% of the population tested ‒ Undisputed results ‒ Targeted follow-up © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Data Analysis Findings Validation & Reporting Transitioning Data Analytics to Continuous Monitoring Continuous Monitoring is an outgrowth of the Data Analytics phases discussed. Data Analytics are formalized, productionalized, and scheduled to allow for repeatable auditing and monitoring. Key characteristics of these phases as they apply to Continuous Monitoring are summarized below. Scoping • Inventory potential analytics areas at a macro level • Select analytics area and identify detailed tests/metrics • Define Requirements for the individual tests or metrics 22 Data Request • Formalize data request • Schedule periodic supply of data • Design transfer protocols for data extracts Data Integration • Automate periodic refresh or load of data request • Automate data validation procedures © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Data Analysis • Design analysis to be performed • Make analysis repeatable Findings Validation & Reporting • Make results of analysis available to end users in near real time Example Internal Audit Case Studies Case Study #6 – Continuous Monitoring Organization Need Solution 23 A large retailer wanted to monitor its point-of-sale (POS) transactions trying to identify fraud and abuse by associates at the register. The following was performed as the solution to the need: 1. Established daily ETL procedures to obtain data from the POS systems for approximately 600 stores. 2. Created a data warehouse and supporting data models to maintain and store data into perpetuity and drive dashboard performance. 3. Created approximately 20 red-flag algorithms that monitored transaction activity on a daily basis. Transactions that are flagged by the algorithms are systematically placed in an Excel file and emailed directly to the divisional personnel responsible for loss prevention. 4. Created a web-based dashboard and score-card solution that identifies outliers and gives end-users the ability to perform research (see trends, investigate transactions, and extract data to Excel for ease-of-use). Below are sample screenshots of the email alerts and scorecard/dashboard. © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Questions? Contact Information Reed Belliston Manager – Internal Audit and Financial Advisory [email protected] P: 801.401.8166 Visit us the web at: www.protiviti.com Access KnowledgeLeader ™ Protiviti’s Subscription Audit Resources Site Join our Community on LinkedIn www.linkedin.com/company/protiviti Follow us on Twitter @Protiviti (www.twitter.com/protiviti) Become a Fan on Facebook www.facebook.com/home.php?#/Protiviti Visit the Protiviti YouTube Channel www.youtube.com/protivitiinc Listen to the Protiviti Powerful Insights Podcast Available at Protiviti.com or Subscribe on iTunes Visit our Pinterest board http://pinterest.com/protiviti/ 25 © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party. Confidentiality Statement and Restriction for Use This document contains confidential material proprietary to Protiviti Inc. ("Protiviti"), a wholly-owned subsidiary of Robert Half International Inc. ("RHI"). RHI is a publicly-traded company and as such, the materials, information, ideas, and concepts contained herein are non-public, should be used solely and exclusively to evaluate the capabilities of Protiviti to provide assistance to your Company, and should not be used in any inappropriate manner or in violation of applicable securities laws. The contents are intended for the use of your Company and may not be distributed to third parties. 26 © 2014 Protiviti Inc. CONFIDENTIAL: This document is for presentation purposes only and may not be copied nor distributed to another third party.
© Copyright 2024