Leveraging Data Analytics to Expand Audit Coverage and Add Organizational Value
Clint McPherson, Managing Director, Dallas, TX
Cindy Hart, Manager, Dallas, TX
Setting the Stage - Data Analysis Defined
Data Analysis is … the extraction of data from a client’s information system in order to perform data selection, classification, ordering, filtering, translation, and other functions to provide the client with information about their business processes.
Terms shown on the slide: Data Analysis, CAATS, Data Mining
© 2010 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.
What is Data?
Example data fields: Div Name, Sales Amount, Employee ID, Transaction Date, User Name, Transaction Type, Customer Number, Quantity, Price, G/L Account
Data Becomes Reports
Data fields: Div Name, Transaction Date, Sales Amount, User Name, Transaction Type, Employee ID, Customer Number, Quantity, Price, G/L Account
[Diagram: Data File, Client Application Program, Inventory Report; fields used: Part Number, Quantity, Unit Cost, Warehouse Number]

Inventory Report
Warehouse  Part  Description  Quantity  Unit Cost  Extended Cost
1          5340  XJ4701            540       1.65         891.00
1          5560  LN502            1005        .79         793.95
4          4061  SR437            6057        .85        5148.45
4          9011  CF605             275       2.25         618.75
10         5560  LN502             850        .74         629.00
10         4831  JR864             579       1.15         665.85
With Data Analysis…YOU Design Reports
Data fields: Div Name, Transaction Date, Sales Amount, User Name, Transaction Type, Employee ID, Customer Number, Quantity, Price, G/L Account, Part Number, Unit Cost, Cust Name, Cust ID, Warehouse Number
[Diagram: Data File, Data Analysis Techniques, and the resulting reports: Summarized by Part Number; Extensions & Footings Verified; Excess Inventory; Unusual Items]
Benefits from Internal Audit’s Use of Data Analytics
Benefits Include:
Increased testing coverage (100% of population)
Improved timeliness of testing
Greater visibility
Independent testing
Creation of Fraud Testing Environment
Improved consistency
More efficient allowing focus on overall process efficiency and effectiveness
Cost-effective solution
Greater confidence in your SOX initiatives
Continuous Auditing
The Auditing Profession is entering the Age of Continuous Auditing
This is the Fourth Age (after the Age of Inspection & Re-performance, the Age of Control Focused Auditing, and the Age of Risk Based Auditing)
Annual Audits are being viewed as untimely and obsolete
Internal Control issues are expected to be reported almost immediately
The 6 Elements of Infrastructure
Elements: Business Policies, Business Processes, People & Organization, Management Reports, Methodologies, Systems & Data
• Policies define processes
• Process assigned to key owners
• Informed decisions based on reports
• Information facilitates definition of controls
• Automation and data integrity meet needs
Risk if element is deficient:
• People lack the knowledge and experience to perform process
• Reports do not provide information for effective management
• Methodologies do not adequately analyze data and information
• Information is not available for analysis and reporting
• Process does not carry out established policies or achieve intended result
Critical Success Factors & Common Pitfalls
Business Policies | Business Processes | People & Organization | Management Reports | Methodologies | Systems & Data
• Focus on what matters:
  – Fraud, Waste & Abuse
  – Compliance
  – Business Performance
  – Monitoring Risk across the Organization
• Link the program to business objectives
• Articulate the specific benefits of investing in a program and the implementation strategy
Critical Success Factors & Common Pitfalls
• Define a high-level process
  – Inputs
  – Activities
  – Outputs
• Identify source of inputs
  – How is information captured?
  – How will inputs be validated?
• Determine types of activities that will be performed
  – Data Analysis & Investigation of Anomalies
  – Manual Audit Procedures
• Identify expected outputs & audience
• Define periodic reporting process
Critical Success Factors & Common Pitfalls
• Obtain executive support for the program
  – Identify all key stakeholders
  – Champion
  – Program management and executers
  – Data providers
  – Recipients of detailed results and periodic summaries
• Understand needs of key stakeholders
• Obtain buy-in for program from key stakeholders
• Identify and develop required skills & competencies
• Identify and address organizational obstacles
Critical Success Factors & Common Pitfalls
• Identify data requirements for the program
  – What information is required?
  – Where is that information stored?
  – Who can provide the information?
• Design a standard data request format
  – Timeline
  – Source & Required Data
  – Background Information
• Define data validation process & reporting
• Define reporting requirements by stakeholder
  – What information does the audience want and what questions do they want answered?
  – How will detailed results be summarized?
  – Who will make conclusions based on the results?
Critical Success Factors & Common Pitfalls
• Define test scope & tolerances
• Develop testing procedures (“rules”)
• Select or build application, if applicable
  – Understand standard queries
  – Select applicable procedures
  – Embed queries into application
  – Test logic and confirm results
• Provide adequate training to applicable stakeholders
• Automate as many “rules” as practical
  – System-based audit targets
  – Manually-intensive audit targets
Critical Success Factors & Common Pitfalls
• Understand how applicable data is captured & reported in operational and financial systems
  – Procurement through Payment
  – Sale through Cash Application
  – Payroll & Expense Reimbursement
  – General & Sub-Ledgers
  – Bank information
  – External Databases
• Understand system interfaces (automated & manual)
  – Advocate automating data capture where practical
• Know the audit tools available and their capabilities
• Select the right tools for program/procedures
• Focus on driving efficiency over time vs. initial investment
So, this is all great stuff Clint but how do we use this and what are some good examples?
Data Analysis - Suggested Approach
Possible Examples for Consideration
Travel and Entertainment Examples
• Spend by Employee
• Analysis of Expenses by Employee (just below threshold, comparison of employees expensing duplicates, expensing airfare but no hotel (vice versa), expensing car but no airfare, etc)
• Large Dollar Expenses Identification
• Non-Timely Expense Submission
• Analysis of MCCG and MCC of T&E or P-Card Transactions
• Expense Analysis by Category (e.g., Airfare, Office Supply, Cell Phone, Professional Dues)
• Per Diem Expense Identification and comparison to trips, policy threshold, and potential duplicates in meal reimbursement and per diem
• Benford’s Law Analysis on Employee Expenses
• Expense Dollar and Volume Stratification
• Duplicate Expense Submission
• Inactive Employee Spend Analysis
• Spend by Expense Type
• Analysis of Weekend Transaction Dates
• Analysis of No Activity from Personnel in Expense-Centric Departments

G/L and Journal Entry Examples
• Benford’s Law on Journal Entries by User
• Journal Entries identifying outliers (Uncommon Accounts, Profit Centers, Cost Centers)
• Manual Round Dollar Entries
• Unusual Posting Dates/Times
• Analysis of Split Entries (Entries just below Approval Threshold)
• Analysis of Suspense, Clearing, and Intercompany Accounts
• Credits vs. Aged Invoices
• Reversed Month End Journal Entries
• Entries within Accounts
• Inactive Accounts Entries
• Calculate and sort percentage variances in GL accounts between periods
Case Study 1
Background
• Organization: Global management consulting, technology services and outsourcing company with offices and operations in more than 50 countries and annual revenues in excess of $21 billion.
• Internal Audit (IA) personnel were using ACL to perform limited analyses as part of quarterly company-wide Journal Entry (JE) reviews of more than 13 million journal entry lines. All analyses were performed manually through the ACL graphical user interface.
• IA personnel were using Excel to perform limited analyses for employee Time & Expense (T&E) testing.
Project Objectives
• Implement routines (i.e., scripts) in ACL to automate the existing limited JE and T&E analytics.
• Create additional automated testing routines to be executed as quarterly Continuous Controls Monitoring (CCM) procedures.
JE Testing Overview
• Quarterly Company-Wide JE Review
  – Data integrity testing such as reconciliation to control totals, analysis of reporting period, search for blanks in key fields, etc.
  – Analysis of JE approvers to those on authorized list, analysis of manual and automated entries by document type, identify entries where document header or line item text is blank, etc.
• CCM: Data Exploration
  – Classify unique values for key data fields including: company code, transaction code, manual vs. automated flag, year/period, and currency
  – Statistics on amount and posting date fields
• CCM: Duplicates Testing
  – Identify duplicates (same account and amount) for manual JE’s
• CCM: Fraud Analytics
  – Keyword search for items such as “plug”, “miscellaneous”, “temporary”, “adjust”, etc.
  – Entries posted in top 10 countries in the corruption perceptions index listing
  – All manual JE’s with same person to enter and post
• CCM: High Risk Account Entries
  – Identify all entries posted to “high risk” accounts
• CCM: Timeliness of Postings Analysis
  – Calculate number of days between JE entry and posting dates
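Four of the CCM tests listed above (duplicates, keyword search, same person entering and posting, timeliness of postings) written as Python over a small constructed journal entry extract. This is an added example, not the ACL scripts from the case study; the column names and sample rows are assumptions.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample extract. Column names are assumptions, not an ACL or ERP layout.
SAMPLE = """\
je_id,account,amount,manual,entered_by,posted_by,entry_date,posting_date,line_text
J001,610000,1250.00,Y,asmith,bjones,2010-03-01,2010-03-02,Monthly rent accrual
J002,199900,4800.00,Y,cdoe,cdoe,2010-03-05,2010-03-05,Plug to balance intercompany
J003,610000,1250.00,Y,asmith,bjones,2010-03-08,2010-03-09,Monthly rent accrual
J004,450000,300.00,N,batch,batch,2010-03-10,2010-03-10,Automated FX revaluation
J005,720000,975.50,Y,dlee,bjones,2010-03-31,2010-02-15,Temporary adjustment pending invoice
J006,199900,60.00,Y,elin,asmith,2010-03-12,2010-03-13,Unplugged equipment disposal
"""

KEYWORDS = ("plug", "miscellaneous", "temporary", "adjust")
# Match keywords at the start of a word: "adjust" hits "adjustment",
# but "plug" does not hit "Unplugged".
KEYWORD_RE = re.compile(r"\b(" + "|".join(KEYWORDS) + r")\w*", re.IGNORECASE)


def load(text):
    """Parse the extract and type the fields the tests rely on."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["amount"] = Decimal(r["amount"])
        r["manual"] = r["manual"] == "Y"
        r["entry_date"] = date.fromisoformat(r["entry_date"])
        r["posting_date"] = date.fromisoformat(r["posting_date"])
        rows.append(r)
    return rows


def duplicate_manual(rows):
    """Duplicates test: manual JEs sharing the same account and amount."""
    groups = defaultdict(list)
    for r in rows:
        if r["manual"]:
            groups[(r["account"], r["amount"])].append(r["je_id"])
    return {k: v for k, v in groups.items() if len(v) > 1}


def keyword_hits(rows):
    """Fraud analytics: JE id -> sorted keywords found in the line text."""
    hits = {}
    for r in rows:
        found = {m.lower() for m in KEYWORD_RE.findall(r["line_text"])}
        if found:
            hits[r["je_id"]] = sorted(found)
    return hits


def same_enter_and_post(rows):
    """Fraud analytics: manual JEs entered and posted by the same user."""
    return [r["je_id"] for r in rows
            if r["manual"] and r["entered_by"] == r["posted_by"]]


def posting_lag_days(rows):
    """Timeliness: days from entry date to posting date (negative = backdated)."""
    return {r["je_id"]: (r["posting_date"] - r["entry_date"]).days for r in rows}


if __name__ == "__main__":
    jes = load(SAMPLE)
    print("duplicates:", duplicate_manual(jes))
    print("keywords:", keyword_hits(jes))
    print("same enter/post:", same_enter_and_post(jes))
    print("backdated > 30 days:",
          [k for k, v in posting_lag_days(jes).items() if v < -30])
```

The automated entry J004 has the same user in both fields but is excluded because the test is scoped to manual JEs, which keeps batch accounts out of the exception list.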
T&E Testing Overview
• General Data Overview
  – Create record count and dollar amount totals by Year and Month (i.e., to reconcile to control totals)
  – Classify unique values for key data fields including: expense type and entry date
  – Identify the top 100 highest and lowest transaction amounts
  – Statistics on amount field
• T&E Population Analyses
  – Identify transactions just under $25 threshold for receipts per US Policy
  – Extract all transactions that are round multiples of $100
  – Approval threshold analyses for certain expense types per policy, including: Training / Publication > $500, Business Meals > $1,000, and Travel / Other > $500
  – Identify potential duplicates using multiple sets of criteria
• Expense Type Analyses
  – Identify all transactions for certain expense types assessed to be high risk, including: “Gifts, Floral, Tickets, Promotional Items”, “Miscellaneous”, “Non-Std Office Supplies”, “Technology Supplies”, and “Charitable Contributions”
• Key Word Search
  – Keyword search for items assessed to be high risk such as “gift”, “car repair”, “rent”, “pet”, “movie”, “apartment”, “doctor”, “furniture”, “laptop”, “clothes”, “tuition”, “laundry”, etc.
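The T&E population analyses above as Python over constructed expense records. This is an added example, not the Excel or ACL routines from the case study; the field names, the 10% band used for "just under", and the two duplicate criteria sets are assumptions.

```python
from collections import defaultdict
from decimal import Decimal

FIELDS = ("txn_id", "personnel_no", "expense_date", "charge_code",
          "expense_type", "amount")
# Constructed sample transactions (not data from the case study).
RAW = [
    ("T1", "1001", "2010-04-02", "C-77", "Business Meals", "24.50"),
    ("T2", "1001", "2010-04-02", "C-77", "Business Meals", "24.50"),
    ("T3", "1002", "2010-04-05", "C-12", "Travel / Other", "600.00"),
    ("T4", "1002", "2010-04-19", "C-12", "Travel / Other", "600.00"),
    ("T5", "1003", "2010-04-07", "C-30", "Training / Publication", "500.00"),
    ("T6", "1004", "2010-04-09", "C-30", "Business Meals", "1000.01"),
    ("T7", "1005", "2010-04-11", "C-41", "Travel / Other", "25.00"),
    ("T8", "1005", "2010-04-12", "C-41", "Travel / Other", "22.49"),
]
EXPENSES = [dict(zip(FIELDS, r[:5] + (Decimal(r[5]),))) for r in RAW]

RECEIPT_THRESHOLD = Decimal("25")   # receipt threshold from the policy cited above
UNDER_BAND = Decimal("0.10")        # assumption: within 10% below the threshold
APPROVAL_LIMITS = {                 # separate approval required above these amounts
    "Training / Publication": Decimal("500"),
    "Business Meals": Decimal("1000"),
    "Travel / Other": Decimal("500"),
}
# Assumed criteria sets: "strict" matches every field, "loose" ignores date and
# charge code so a resubmission on another day still groups together.
DUP_CRITERIA = {
    "strict": ("personnel_no", "expense_date", "charge_code",
               "expense_type", "amount"),
    "loose": ("personnel_no", "expense_type", "amount"),
}


def just_under_threshold(rows, threshold=RECEIPT_THRESHOLD, band=UNDER_BAND):
    """Amounts in [threshold * (1 - band), threshold): no receipt needed, barely."""
    floor = threshold * (1 - band)
    return [r["txn_id"] for r in rows if floor <= r["amount"] < threshold]


def round_hundreds(rows):
    """Positive amounts that are exact multiples of $100."""
    return [r["txn_id"] for r in rows
            if r["amount"] > 0 and r["amount"] % 100 == 0]


def over_approval_limit(rows, limits=APPROVAL_LIMITS):
    """Transactions strictly above the approval limit for their expense type."""
    return [r["txn_id"] for r in rows
            if r["expense_type"] in limits
            and r["amount"] > limits[r["expense_type"]]]


def potential_duplicates(rows, criteria=DUP_CRITERIA):
    """For each criteria set, list the groups of txn ids sharing the same key."""
    result = {}
    for name, key_fields in criteria.items():
        groups = defaultdict(list)
        for r in rows:
            groups[tuple(r[f] for f in key_fields)].append(r["txn_id"])
        result[name] = [ids for ids in groups.values() if len(ids) > 1]
    return result


if __name__ == "__main__":
    print("just under $25:", just_under_threshold(EXPENSES))
    print("round $100 multiples:", round_hundreds(EXPENSES))
    print("over approval limit:", over_approval_limit(EXPENSES))
    print("potential duplicates:", potential_duplicates(EXPENSES))
```

T3 and T4 only surface under the loose criteria set, which is why running more than one key matters: an exact-match key misses the same claim resubmitted on a later date.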
Summary Of Value
JE Testing – Sample Results from One Quarter
• Reduced amount of time to perform quarterly JE review procedures including manual analyses through the ACL GUI from approximately 40-60 hours to 15-20 hours
• Additional CCM test results:
  – 5,500 journal entries (more than 28,000 journal entry lines) where same individual entered and posted the JE
  – Nearly 15,000 JE lines just under the $25K approval threshold
  – 137 JE lines with the word “plug”, 7,800 JE lines with the word “miscellaneous”, and nearly 5,000 JE lines with the word “temporary”
  – 164 JE’s where the posting date was more than 30 days before the entry date
  – More than 75,000 journal entries posted in countries in the top 10 of the Corruption Perceptions Index, including nearly 30,000 journal entries with line amounts greater than $25,000

T&E Testing – Sample Results from One Quarter
• Identified more than 2,500 expense transactions with the word “wine”, 175 containing the word “laundry”, more than 150 with the word “golf”, 25 with the words “doctor” or “surgery”, 17 with the word “clothes”, and 12 with the word “iPod”.
• Identified nearly 5,500 transactions with round dollar amounts that are multiples of $100
• Identified for additional testing all transactions requiring separate approvals per policy, including 875 transactions exceeding the business meal threshold, 325 above the training/publications threshold, and more than 7,500 exceeding the “other expense” threshold.
• Identified more than 8,000 potential duplicate transactions with the same Personnel Number, Expense Date, Charge Code, Expense Type, and Amount.
More Examples for Consideration
Order-to-Cash Examples
• Analysis of Cash Receipts and Timely posting
• Customer Credit ranking aligns with Policy Requirements (amounts, authorization) and Perform Analysis on Customer Activity (payments and credits)
• Analysis of Write-off Transactions (authorization, timeliness)
• DSO Analysis by Order Date, Bill Date, and Payment Received Date
• Analysis of Unfulfilled Customer Purchase Orders
• User Analysis between Processing A/R invoices, posting to the sub-ledger, and cash receipts
• Analysis of Customer Account Aging

Procure-to-Pay Examples
• Vendor Master File Analysis
• # of Inactive Vendors with Activity
• Payments to Inactive Vendors
• Duplicate Vendors, Invoices, Payments
• Vendor to Employee Match
• Benford’s Law Analysis - Invoice, Payments, PO, and/or Credit Analysis
• Missed Discounts – Late Payments
• Authorization and Analysis of PR, PO, Invoice, and Payment
• Aging and Analysis of AP and Credit Processing
• Holiday Activity
• Void/Reissue Payment Analysis
• Payment Gap Analysis
• User Analysis between Vendor Setup, Voucher, and Payment Processing
• Analysis of Debit Memos/Adjustments
• Analysis of Overpayments/Refunds (unused credits)

Information Technology
• Verifying access rights are in compliance with policy/templates
• Multi-system segregation of duties analysis
• Last user sign on
• Comparison to employee master records
• Duplicate employee IDs
• Change Management authorization
• New Hire/Terminations
• Problem Management Analysis
• Analysis of system logic to verify procedures (e.g., write-offs, refunds) are programmed accurately
• Report benchmarking – determine the accuracy of system reports by utilizing actual transactional and master data (i.e., compute what the values should be based on business rules and then compare to actual monthly reports)
Sample Results - Supplier Statement Audits
Supplier statement reviews can be a significant driver for identifying unused credits or outstanding checks, which result in near term cash recovery.
Received responses from 61% of suppliers totaling 63% of spend
5,725 Suppliers
3,468 Responses
94 Suppliers with Credits
370 Credits
$705K Recovered

Example Vendor Credit Summary
Root Cause          ERP 1 Count  ERP 1 Dollar  ERP 2 Count  ERP 2 Dollar  ERP 3 Count  ERP 3 Dollar
Adjustment                    1          $889            9       $35,042            1          $126
Duplicate payment            16       $40,598           18       $63,790            3       $10,430
Overpayment                  24       $18,009           21       $53,345           13       $10,626
Rebate                        3        $1,858           37       $28,284            -             -
Return                       26      $126,307           51       $52,123            6        $8,778
Unapplied cash               14       $60,341           74       $74,502            6        $5,344
Unknown                      22       $48,467           21       $29,385            4       $36,897
Total                       106      $296,469          231      $336,471           33       $72,200

Example Key Findings
• Aged items on account were surfaced to the organization to enable them to readdress these with the vendor for more immediate resolution
• Credits being received by plant locations, but not being sent to the Shared Service Centers for processing
• Unapplied Cash and Returns were the most prominent root causes of credits
Sample Results - Payment Terms
Non-standard or “unfavorable” payment terms should be analyzed to determine opportunities for either payment discounts or extending to more favorable terms.
[Chart: Invoice Spend Totals by Payment Term: Discounted Terms 17%; <30 Days No Discount 43%; Net 30+ No Discount 40%]
[Chart: invoice counts by payment term (bar labels not recoverable); Unfavorable Terms: 106K Invoices (37%)]
Observations
• 85% of all non-discount invoice terms required payment in less than the standard 30 day payment terms
• $197M in invoice spend (17%) had immediate payment terms
Fixed Assets
• Estimating / Recalculating depreciation
• Verifying accumulated depreciation does not exceed cost for any asset
• Identifying “credit” assets
• Identifying land that is depreciating
• Identifying assets assigned out of policy useful lives
• Determining assets set up with cost below capitalization threshold
• Estimating impact to P&L of increasing / decreasing capitalization threshold
• Reviewing for assets set up in duplicate
• Aging CIP
• Facilitating Item Master clean up
• Negative Depreciation
• Inconsistent / Outlier useful lives / Depreciation methods
• Post-addition percentage analysis (how much more cost added after depreciation started)
• Aging of fully depreciated assets
• Analysis of Asset Classification (Leased vs. Fixed or Long-Term vs. Short-Term)
• Comparison of Asset Turnover Ratio compared to industry average
Inventory
• Summary of Inventory by Type
• Inconsistent costing
• Inconsistent units of measure with the same unit costs
• Verify category type
• Extended cost analysis
• Quantity analysis
• Per unit cost analysis
• Current vs Prior year cost comparison setup
• Reports of unit cost changes (Based on P/Y Quantities, C/Y Unit Costs)
• Sales analysis
• Inventory vs. Sales analysis
• Potential excess inventory
• Margin review
• User analysis between purchase order and receipt
• Inventory adjustment analysis (write-offs) by items, users, locations, transaction type, and time of day
• Inventory adjustment analysis (returns) by items, users, locations, transaction type, and time of day
• Analysis of scrap activity
• Negative inventory balances and/or inconsistent fluctuations in inventory accounts between months
Lessons Learned
Senior Management buy-in crucial for the success of any controls monitoring project
Understanding of requirements, documentation and change request procedures
Involvement of IT earlier on during the project
Test, test and test
Focus on high risk processes
YOU have a tremendous opportunity to drive value and be an agent of positive change in YOUR organization!
Questions / Open Discussion
Thank You!
Contact Information
Clint McPherson
Managing Director, Dallas
Office: 469.374.2438
Mobile: 214.215.8374

Cindy Hart
Manager, Dallas
Office: 972.788.8505
Mobile: 817.253.9176

Powerful Insights. Proven Delivery.™