Audit: Breaking Down Barriers to Increase the Use of Data Analytics

AUDIT: BREAKING DOWN BARRIERS TO INCREASE THE USE OF DATA ANALYTICS

PRESENTER

Lenny Block, CPA, CIA Associate Vice President, Internal Audit NASDAQ

AGENDA

• Who is NASDAQ?• What are the barriers to using Data Analytics?• How do you increase and expand the use of Data Analytics • What skills are required? • Gaining internal management support• Measure staff utilization and effectiveness• Takeaways & benefits to your organization

NASDAQ: MORE THAN A STOCK EXCHANGE• Operates multiple exchanges and clearing houses,

domestically & internationally• Listing venue to raise capital (IPO)• Multiple asset classes (equities, options, commodities)• Corporate Solutions - Investor relations, public relations,

multimedia solutions, governance• Market Technology - Trading & data solutions to exchanges,

alternative-trading venues, banks and securities brokers • Internal audit team - 20 worldwide

WE KNOW ANALYTICS IS IMPORTANT

• While majority of internal audit leaders and C-suite executives agree data analytics is important to strengthening audit coverage, only a small percentage of organizations are actively using Data Analytics regularly

• What are the barriers to starting, sustaining and expanding the use of Data Analytics?

THE FRUSTRATION

• Natural reaction for the team during implementation• Frustration occurs for the following reasons:

• Lack of technology skills

• No experience

• How to incorporate a Data Analytics tool into the audit

• Source data - How to load it into the tool

• Assessing progress

HOW TO ELIMINATE FRUSTRATION

• Need to address challenges before implementing any tool• Don’t focus on all the tool functions all at once

• Focus on the audit objectives, business issues, problems to solve

• Think big, start small

• Introduce with an easy, out-of-the-box functionality tool• Profiling of data (statistics, null values, zeros, averages, etc.)

• Summarization of data

• Duplicate Key Checks,

• Benford’s law

• Gap analysis

HOW TO ELIMINATE FRUSTRATION

• Many are already familiar with many of these concepts• Some small success using analytics builds confidence

with the tool and it shows its values

BUSINESS, TECHNOLOGY OBJECTIVES

• Focus on the audit objectives, business issues and problems to solve

• Creative thinking on business and technology audit objectives increases and expands the use of Data Analytics

ANALYTICS IS NOT A MAGIC WAND...

“If you do not know where you are going, any road will get you there.”

--Lewis Carroll

ACHIEVE AUDIT GOALS

• What audit objectives we want to achieve?• What questions about our data do we want answered?• Validation of assumptions about whether systems are

programmed correctly

• Investment that pays off, requires perseverance• Expanded coverage• Better understanding of the data• Integrity of the data preserved• Will uncover concerns in other areas

DATA ANALYTICS HELPS…

• Validate data accuracy• Display data in different ways – Prepare Data for Analysis• Existence and Validity - Identification of strange items,

Exception Testing• Completeness (Gaps, Matching)• Validity of formulas and calculations• Edit checks• Compliance testing• Relationships (fuzzy logic)

TRADITIONAL BUSINESS ANALYTICS

THE CHALLENGE

TRADITIONAL BUSINESS APPLICATIONS

Technology• Utilize tools that are both business application and

technology focused• Log files• Access Reviews• Alerts

EMAIL LOGS

• Summarize emails by service provider• Summarize and sort numbers of emails by employee• Isolate, summarize and examine personal emails• Stratify emails by time and examine any unusual activity (e.g.,

lunchtime, weekends, bank holidays)• Analyze incoming emails. Identify common domain addresses• Calculate, sort length of time employees spent on email• Match emails to employee list. Extract any sent by non-

employees• Analyze dormant accounts• Identify non-work related emails by searching for specific words

ACCESS RIGHTS

• Identify accounts with:• Passwords not set or not required for access

• Passwords < the recommended number of characters

• Access to key directories• Supervisor status• Equivalence to users with high level access• Identify accounts not been used in the last 6 months• Identify group memberships• Age password changes

SYSTEMS LOGS

• Generate a list of access outside office hours, holiday/sick leave

• Identify users, particularly those with supervisory rights

• Perform data analysis by user

• Summarize by network address to identify: • All users with their normal PCs

• All PCs with their normal users

• Users on unusual PCs

• Summarize charges by user to determine resource utilization

• Analyze utilization by period to show historical trends (daily, weekly, monthly)

FILE ACCESS & MANAGEMENT

• Monitor file activity and user behavior• prevent data breaches and assists with permissions management

• Monitor every file touch• Know when sensitive files and emails are opened, moved,

modified or deleted

REGULATORY – RULE BOOK VALIDATIONRule Book Validation

• Independent validation of software algorithms utilized to ensure compliance with rules

For example:

To list on a national stock exchange and to remain listed companies must meet comprehensive qualitative and quantitative standards for both the company and the securities offered.

CORPORATE ETHICS – FCPA

• FCPA Act enacted in 1977• Impact of billion dollar fines

• FCPA compliance is focused fraud analytics geared to bribery and anti corruption of government officials

• One can not identify corruption straight up • But you can identify red flags for follow-up

COST OF FCPA NON-COMPLIANCE

Top ten FCPA enforcement actions of all time: (Average fine of $65 million)

1. Siemens (Germany): $1.6 billion in 2008

2. Alstom (France): $772 million in 2014

3. KBR / Halliburton (USA): $579 million in 2009

4. BAE (UK): $400 million in 2010

5. Total SA (France): $398 million in 2013

6. VimpelCom (Holland): $397.6 million in 2016

7. Alcoa (USA): $384 million in 2014

8. Snamprogetti Netherlands B.V. / ENI S.p.A (Holland/Italy): $365 million in 2010

9. Technip SA (France): $338 million in 2010

10. JGC Corporation (Japan): $218.8 million in 2011

(Sources: FCPA Blog and SEC Websites)

FCPA COMPLIANCE

How we use Data Analytics to ensure FCPA Compliance:

(1) Identify spending trends of vendors, contractors, employees

(2) Prohibited List Screening

(3) Risk Scoring to identify high risk vendors, contractors

(4) Supplemental traditional AP analytics

OTHER KEYS TO SUCCESS

• Repeatable- “Productionalize”- Only need to refresh data• Visualization

• Easily Interpret and summarize data in user friendly way

• Drill down into the underlying data

• Picture worth a thousand words

• Just like auditing, data analytics is an iterative process, one set of results provides additional questions and the next step in your analysis

SKILLS SETS

• Critical thinking• Understanding the business• Familiarity with automated solutions

• Data extract query tools are already built in to ERP and other systems today.

• SAP, PeopleSoft, Hyperion

• Creative problem solvers, what do I want to know about the data• Not afraid of data and technology. • Relational Database concepts versus Excel• Willing to adapt and grow their skill sets. Necessity for their careers• Investment of time to learn outside of work. Trial and error• Perseverance

GAINING MANAGEMENT SUPPORT

• A necessity made easier…

• To search manually for irregularities is almost impossible • Information is more complex • Automated tools are easier to use than before• To rely only on professional judgement can be subjective or

based on poor information

SUPPLEMENTS AUDITING

Data Analytics is a supplement to traditional audit techniques. Specifically: • Expanded coverage• Better understanding of the data • Uncover concerns in other areas• Grow into continuous monitoring or continuous auditing • Red flags which can be used to develop a targeted scope

for an audit, drilling down to root causes and control gaps

STANDARDS HAVE CHANGED

• Today Data Analytics is a requirement rather than a recommendation

• Highlighted in the IIA standards under “Proficiency” where auditors need to have sufficient knowledge of “technology-based audit techniques” to do their work

Critical Thinking Advanced Fuzzy Duplicate Trend Analysis

PLANNING Data Discovery Data Sampling Visualization Data

Insights Identify trends & outliers Benford’s Law Analysis

Focus the Audit DATA INTEGRITY CaseWare Analytics

Profile your Data

MEASURE USE AND EFFECTIVENESS

• Build in to the methodology:• Require the auditor to address before fieldwork begins how

analytics will be used.

• It can be as simple as profiling data to determine sampling approach

• Sample selection itself

• Tie analytics to compensation and incentives

TAKEAWAYS & BENEFITS

• Think outside the box• A Necessity – Standards now include data analytics• Make it about the Audit Objectives, not the tool• Expanded coverage• Better understanding of the data • Better defense with regulators…mitigates actions of rouge

employees• Lets people know we are watching• Job specific training (ie: anti-corruption activities)• Provide employee incentives to learn and use analytics

AUDIT: BREAKING DOWN BARRIERS TO INCREASE THE USE OF DATA ANALYTICS

Visit casewareanalytics.com Email salesidea@caseware.com