Leveraging Data Analytics to Expand Audit Covera ge and pg ... · Leveraging Data Analytics to Expand Audit Covera ge and Clint McPherson pg ... Global managemen t consulting, technology

Leveraging Data Analytics to Expand Audit Coverage and

Clint McPherson

p gAdd Organizational Value

Managing Director, Dallas, TX

Cindy HartManager Dallas TXManager, Dallas, TX

Setting the Stage - Data Analysis Defined

Data Analysis isData Analysis is ….

the extraction of data from a client’s information system in

Data Analysisy

order to perform data selection, classification, ordering, filtering, translation, CAATSand other functions to provide the client with informationabout their business

D t Mi i processesData Mining

© 2010 Protiviti Inc. CONFIDENTIAL: This document is for your company's internal use only and may not be copied nor distributed to another third party.

2

What is Data?

Di SalesDiv NameSales

Amount EmployeeID

Transaction User Name TransactionDate User Name Transaction Type

Customer Number

QuantityPrice

G/L Account


3

Data Becomes ReportsDiv Name

Transaction Date

Sales Amount

User Name Transaction Type

EmployeeID

Data File Inventory Report

Customer Number

QuantityPrice

G/L Account

Quantity

Warehouse Part Description Quantity Unit Cost ExtendedCost

1 5340 XJ4701 540 1.65 891.00

ClientApplication

ProgramPart Number

Unit Cost

1 5560 LN502 1005 .79 793.95

4 4061 SR437 6057 .85 5148.45

4 9011 CF605 275 2.25 618.75Warehouse

Number 10 5560 LN502 850 .74 629.00

10 4831 JR864 579 1.15 665.85


4

With Data Analysis…YOU Design Reports Div Name

Transaction Date

Sales Amount

User Name Transaction Type

EmployeeID

Summarized by Part Number

Customer Number

QuantityPrice

G/L Account

Data File Extensions & Footings Verified

Quantity

Data Analysis

Techniques

Part Number

Unit Cost

Cust NameCust ID

Excess Inventory

WarehouseNumber Unusual Items


5

Benefits from Internal Audit’s Use of Data Analytics

Benefits Include:Increased testing coverage (100% of population)

Improved timeliness of testing

Greater visibility

Independent testing

Creation of Fraud Testing Environment

Improved consistency

More efficient allowing focus on overall process efficiency and effectiveness

Cost-effective solution

Greater confidence in your SOX initiatives

The Auditing Profession is entering the Age of Continuous AuditingContinuous Auditing

This is the Fourth Age -- (Age of Inspection & Re-performance, Age of Control Focused Auditing, Age of Risk Based Auditing)

Annual Audits are being viewed as untimely and obsolete


6

Internal Control issues are expected to be reported almost immediately

The 6 Elements of Infrastructure

Policies define processes

Process assigned to key

owners

Informed decisions based

on reports

Information facilitates definition

of controls

Automation and data integrity meet needs

BusinessPolicies

BusinessProcesses

People & Organization

ManagementReports Methodologies Systems

& Data

Risk if element is deficient:

People lack the knowledge and experience to

perform process

Reports do not provide

information for effective

management

Methodologies do not adequately

analyze data and information

Information is not available for analysis and

reporting

Process does not carry out

established policies or

achieve intended result


7

Critical Success Factors & Common Pitfalls

BusinessPolicies

BusinessProcesses



& Data

• Focus on what matters:– Fraud, Waste & Abuse– Compliance– Business Performance– Monitoring Risk across the Organization

• Link the program to business objectives• Link the program to business objectives• Articulate the specific benefits of investing in a program and the implementation strategy


8


BusinessPolicies

BusinessProcesses



& Data

• Define a high-level process– Inputs– Activities– Outputs

• Identify source of inputsHow is information captured?– How is information captured?

– How will inputs be validated?• Determine types of activities that will be performed

– Data Analysis & Investigation of Anomaliesy g– Manual Audit Procedures

• Identify expected outputs & audience• Define periodic reporting process


9


BusinessPolicies

BusinessProcesses



& Data

• Obtain executive support for the program– Identify all key stakeholders– Champion– Program management and executers– Data providers

Recipients of detailed results and periodic summaries– Recipients of detailed results and periodic summaries• Understand needs of key stakeholders• Obtain buy-in for program from key stakeholders• Identify and develop required skills & competenciesy p q p• Identify and address organizational obstacles


10


BusinessPolicies

BusinessProcesses



& Data

• Identify data requirements for the program– What information is required?– Where is that information stored?– Who can provide the information?

• Design a standard data request formatTimeline– Timeline

– Source & Required Data– Background Information

• Define data validation process & reportingp p g• Define reporting requirements by stakeholder

– What information does the audience want and what questions do they want answered?– How will detailed results be summarized?


11

– Who will make conclusions based on the results?


BusinessPolicies

BusinessProcesses



& Data

• Define test scope & tolerances• Develop testing procedures (“rules”)• Select or build application, if applicable

– Understand standard queries– Select applicable procedures

Embed queries into application– Embed queries into application– Test logic and confirm results

• Provide adequate training to applicable stakeholders• Automate as many “rules” as practicaly p

– System-based audit targets– Manually-intensive audit targets


12


BusinessPolicies

BusinessProcesses



& Data

• Understand how applicable data is captured & reported in operational and financial systems– Procurement through Payment– Sale through Cash Application– Payroll & Expense Reimbursement– General & Sub-Ledgers

Bank information– Bank information– External Databases

• Understand system interfaces (automated & manual)– Advocate automating data capture where practicalg p p

• Know the audit tools available and their capabilities• Select the right tools for program/procedures • Focus on driving efficiency over time vs. initial investment


13

So, this is all great stuff Clint but how do we use this and what are some good

examples?examples?

Data Analysis - Suggested Approach


15

Possible Examples for Consideration

Travel and Entertainment Examples

S d b E l L D ll EB f d’ L J l E t i

G/L and Journal Entry Examples

• Spend by Employee

• Analysis of Expenses by Employee (just below threshold, comparison of employees expensing duplicates,

• Large Dollar Expenses Identification

• Non-Timely Expense Submission

Expense Analysis by Category

• Benford’s Law on Journal Entries by User

• Journal Entries identifying outliers (Uncommon Accounts, Profit Centers, Cost Centers)

expensing airfare but no hotel (vice versa), expensing car but no airfare, etc)

• Analysis of MCCG and MCC of T&E or P-Card Transactions

• Expense Analysis by Category (e.g., Airfare, Office Supply, Cell Phone, Professional Dues)

• Per Diem Expense Identification and comparison to trips, policy

• Manual Round Dollar Entries

• Unusual Posting Dates/Times

• Analysis of Split Entries (Entries just below Approval Threshold) T&E or P Card Transactions

• Benford’s Law Analysis on Employee Expenses

• Expense Dollar and Volume Stratification

threshold, and potential duplicates in meal reimbursement and per diem

• Duplicate Expense Submission

A l i f W k d

• Analysis of Suspense, Clearing, and Intercompany Accounts

• Credits vs. Aged Invoices

• Reversed Month End Journal

• Inactive Employee Spend Analysis

• Spend by Expense Type

• Analysis of Weekend Transaction Dates

• Analysis of No Activity from Personnel in Expense-Centric Departments

Entries

• Entries within Accounts

• Inactive Accounts Entries

• Calculate and sort percentage


16

pCalculate and sort percentage variances in GL accounts between periods

Case Study 1

Background

• Organization: Global management consulting, technology services and outsourcing company with offices and operations in more than 50 countries and annual revenues in excess of $21 billion.

• Internal Audit (IA) personnel were using ACL to perform limited analyses as part of t l id J l E t (JE) i f th 13 illi j l tg quarterly company-wide Journal Entry (JE) reviews of more than 13 million journal entry

lines. All analyses were performed manually through the ACL graphical user interface.• IA personnel were using Excel to perform limited analyses for employee Time & Expense

(T&E) testing.

Project Objectives

• Implement routines (i.e., scripts) in ACL to automate the existing limited JE and T&E analytics.Create additional a tomated testing ro tines to be e ec ted as q arterl Contin o sObjectives • Create additional automated testing routines to be executed as quarterly Continuous Controls Monitoring (CCM) procedures.


17

JE Testing Overview

• Quarterly Company-Wide JE Review– Data integrity testing such as reconciliation to control totals, analysis of

reporting period, search for blanks in key fields, etc.reporting period, search for blanks in key fields, etc.

– Analysis of JE approvers to those on authorized list, analysis of manual and automated entries by document type, identify entries where document header or line item text is blank, etc.

• CCM: Data ExplorationCl if i l f k d t fi ld i l di d– Classify unique values for key data fields including: company code, transaction code, manual vs. automated flag, year/period, and currency

– Statistics on amount and posting date fields

• CCM: Duplicates Testing– Identify duplicates (same account and amount) for manual JE’s

• CCM: Fraud Analytics– Keyword search for items such as “plug”, “miscellaneous”, “temporary”,

“adjust”, etc.

E t i t d i t 10 t i i th ti ti i d li ti– Entries posted in top 10 countries in the corruption perceptions index listing

– All manual JE’s with same person to enter and post

• CCM: High Risk Account Entries– Identify all entries posted to “high risk” accounts


18

• CCM: Timeliness of Postings Analysis– Calculate number of days between JE entry and posting dates

T&E Testing Overview

• General Data Overview– Create record count and dollar amount totals by Year and Month (i.e., to

reconcile to control totals)reconcile to control totals)

– Classify unique values for key data fields including: expense type and entry date

– Identify the top 100 highest and lowest transaction amounts

– Statistics on amount field

• T&E Population Analyses– Identify transactions just under $25 threshold for receipts per US Policy

– Extract all transactions that are round multiples of $100

– Approval threshold analyses for certain expense types per policy, including : Training / Publication > $500 Business Meals > $1 000 and Travel /: Training / Publication > $500, Business Meals > $1,000, and Travel / Other > $500

– Identify potential duplicates using multiple sets of criteria

• Expense Type Analyses– Identify all transactions for certain expense types assessed to be high risk, y p yp g ,

including: “Gifts, Floral, Tickets, Promotional Items”, “Miscellaneous”, “Non-Std Office Supplies”, “Technology Supplies”, and “Charitable Contributions”

• Key Word Search– Keyword search for items assessed to be high risk such as “gift”, “car

repair”, “rent”, “pet”, “movie”, “apartment”, “doctor”, “furniture”, “laptop”,


19

p , , p , , p , , , p p ,“clothes”, “tuition”, “laundry”, etc.

Summary Of Value

JE Testing – Sample Results from One QuarterJE Testing – Sample Results from One Quarter

• Reduced amount of time to perform quarterly JE review procedures including manual analyses through the ACL GUI f i t l 40 60 h t 15 20 hfrom approximately 40-60 hours to 15-20 hours

• Additional CCM test results:– 5,500 journal entries (more than 28,000 journal entry lines) where same individual entered and posted the JE– Nearly 15,000 JE lines just under the $25K approval threshold

137 JE lines with the word “plug” 7 800 JE lines with the word “miscellaneous” and nearly 5 000 JE lines with the– 137 JE lines with the word plug , 7,800 JE lines with the word miscellaneous , and nearly 5,000 JE lines with the word “temporary”

– 164 JE’s where the posting date was more than 30 days before the entry date – More than 75,000 journal entries posted in countries in the top 10 of the Corruption Perceptions Index, including

nearly 30,000 journal entries with line amounts greater than $25,000

T&E Testing – Sample Results from One QuarterT&E Testing – Sample Results from One Quarter

• Identified more than 2,500 expense transactions with the word “wine”, 175 containing the word “laundry”, more than 150 with the word “golf”, 25 with the words “doctor” or “surgery”, 17 with the word “clothes”, and12 with the word “iPod”.

• Identified nearly 5,500 transactions with round dollar amounts that are multiples of $100• Identified for additional testing all transactions requiring separate approvals per policy, including 875 transactions

exceeding the business meal threshold, 325 above the training/publications threshold, and more than 7,500 exceeding the “other expense” threshold.


20

p• Identified more than 8,000 potential duplicate transactions with the same Personnel Number, Expense Date, Charge

Code, Expense Type, and Amount.

More Examples for Consideration

Order-to-Cash Examples

A l i f C h R i t d V if i i ht iV d M t Fil A l i

Procure-to-Pay Examples Information Technology

• Analysis of Cash Receipts and Timely posting

• Customer Credit ranking aligns with Policy Requirements (amounts, authorization) and Perform Analysis on Customer Activity (payments and

• Verifying access rights are in compliance with policy/templates

• Multi-system segregation of duties analysis

• Last user sign on

• Vendor Master File Analysis• # of Inactive Vendors with Activity• Payments to Inactive Vendors• Duplicate Vendors, Invoices,

Payments on Customer Activity (payments and credits)

• Analysis of Write-off Transactions (authorization, timeliness)

• DSO Analysis by Order Date, Bill Date and Payment Received Date

• Comparison to employee master records

• Duplicate employee IDs

• Change Management authorization

N Hi /T i ti

• Vendor to Employee Match• Benford’s Law Analysis - Invoice,

Payments, PO, and/or Credit Analysis• Missed Discounts – Late Payments• Authorization and Analysis of PR, PO, Date, and Payment Received Date

• Analysis of Unfulfilled Customer Purchase Orders

• User Analysis between Processing A/R invoices, posting to the sub-ledger and cash receipts

• New Hire/Terminations

• Problem Management Analysis

• Analysis of system logic to verify procedures (e.g., write-offs, refunds) are programmed accurately

y , ,Invoice, and Payment

• Aging and Analysis of AP and Credit Processing

• Holiday Activity• Void/Reissue Payment Analysis ledger, and cash receipts

• Analysis of Customer Account Aging

• Holiday Activity

• Report benchmarking – determine the accuracy of system reports by utilizing actual transactional and master data (i.e., compute what the values should be based on business rules and then compare to actual

Void/Reissue Payment Analysis• Payment Gap Analysis• User Analysis between Vendor Setup,

Voucher, and Payment Processing• Analysis of Debit Memos/Adjustments

Analysis of Overpayments/Refunds


21

rules and then compare to actual monthly reports)

• Analysis of Overpayments/Refunds (unused credits)

Sample Results - Supplier Statement Audits

Supplier statement reviews can be a significant driver for identifying unused credits or outstanding checks, which result in near term cash recovery.

Received responses from 61%of s ppliers totaling 63% of

B ERP 1 ERP 2 ERP 3

Root Cause Count Dollar Count Dollar Count Dollar

5,725 SuppliersExample Vendor Credit Summary

of suppliers totaling 63% of spend

94 Suppliers with Credits

Root Cause Count Dollar Count Dollar Count Dollar

Adjustment 1 $889 9 $35,042 1 $126

Duplicate payment 16 $40,598 18 $63,790 3 $10,430

Overpayment 24 $18,009 21 $53,345 13 $10,626

Rebate 3 $1,858 37 $28,284 - -

3,468 Responses

Return 26 $126,307 51 $52,123 6 $8,778

Unapplied cash 14 $60,341 74 $74,502 6 $5,344

Unknown 22 $48,467 21 $29,385 4 $36,897

Total 106 $296,469 231 $336,471 33 $72,200

370 Credits

$705KRecovered

Example Key Findings• Aged items on account were surfaced to the organization to enable them to readdress these with the vendor for more

immediate resolution


22

• Credits being received by plant locations, but not being sent to the Shared Service Centers for processing

• Unapplied Cash and Returns were the most prominent root causes of credits

Sample Results - Payment Terms

Non-standard or “unfavorable” payment terms should be analyzed to determine opportunities for either payment discounts or extending to more favorable terms.

Discounted Terms

131K, 45%

Discounted

Invoice Spend Totals by Payment Term

<30 Days No Discount

Net 30+ No Discount

40%

17%

28K, 10%25K 9%

34K, 12%26K, 9%

Unfavorable Terms

106K Invoices (37%)

<30 Days No Discount

43%

Discounted Terms

17%

Discount

43%

,

6K, 2%

25K, 9%13K, 4% 11K, 4% 10K, 3%

6K, 2%

,

Net 30+ No Discount

40%

Observations• 85% of all non discount invoice terms required payment in less than the standard 30 day payment terms


23

• 85% of all non-discount invoice terms required payment in less than the standard 30 day payment terms

• $197M in invoice spend (17%) had immediate payment terms

Fixed Assets

• Estimating / Recalculating • Aging CIPEstimating / Recalculating depreciation

• Verifying accumulated depreciation does not exceed cost for any asset

Aging CIP

• Facilitating Item Master clean up

• Negative Depreciation

• Inconsistent / Outlier useful• Identifying “credit” assets

• Identifying land that is depreciating

• Identifying assets assigned out of policy useful lives

• Inconsistent / Outlier useful lives / Depreciation methods

• Post-addition percentage analysis (how much more cost added after depreciation started)of policy useful lives

• Determining assets set up with cost below capitalization threshold

• Estimating impact to P&L of

started)

• Aging of fully depreciated assets

• Analysis of Asset Classification (Leased vs. g p

increasing / decreasing capitalization threshold

• Reviewing for assets set up in duplicate

(Fixed or Long-Term vs. Short-Term)

• Comparison of Asset Turnover Ratio compared to industry average


24

industry average

Inventory

• Summary of Inventory by Type • Inventory vs Sales analysisSummary of Inventory by Type

• Inconsistent costing

• Inconsistent units of measure with the same unit costs

• Verify category type

Inventory vs. Sales analysis

• Potential excess inventory

• Margin review

• User analysis between purchase order and receipt• Verify category type

• Extended cost analysis

• Quantity analysis

• Per unit cost analysis

purchase order and receipt

• Inventory adjustment analysis (write-offs) by items, users, locations, transaction type, and time of day

• Current vs Prior year cost comparison setup

• Reports of unit cost changes (Based on P/Y Quantities, C/Y Unit Costs)

• Inventory adjustment analysis (returns) by items, users, locations, transaction type, and time of day

• Analysis of scrap activity)

• Sales analysis

y p y

• Negative inventory balances and/or inconsistent fluctuations in inventory accounts between months


25

Lessons Learned

Senior Management buy-in crucial for the success of any controls monitoring project

Understanding of requirements, documentation and change request procedures

Involvement of IT earlier on during the project

Test test and testTest, test and test

Focus on high risk processes


26

YOU have a tremendous opportunity to drive value and be an agent of positive change in YOUR organization!

Questions / Open Discussion


27

Thank You!

Contact Information

Clint McPherson Cindy Hart

Office: 469.374.2438

Mobile: 214.215.8374

[email protected]

Managing Director, Dallas

Office: 972.788.8505

Mobile: 817.253.9176

[email protected]

Manager, Dallas

Powerful Insights. Proven Delivery.™ Powerful Insights. Proven Delivery.™


29

Documents

Leveraging Data Analytics to Expand Audit Covera ge and pg ... · Leveraging Data Analytics to Expand Audit Covera ge and Clint McPherson pg ... Global managemen t consulting, technology