©2019 RSM US LLP. All Rights Reserved. TRANSFORMING THE INTERNAL AUDIT CYCLE USING DATA ANALYTICS AND AUTOMATION IIA San Antonio Chapter I Audit Conference February 27, 2019

Agenda

Background & Current State of the Profession

Supporting Technologies & Processes

Automating IA Processes

Getting Started


About Me: Steve Biskie, CGMA, CISA

Director, National Risk Analytics & Automation Leader, RSM

25+ years audit analytics experience

Worked with multiple large software companies on enhancing their audit analytics and risk monitoring capabilities

Well-regarded data analytics and continuous auditing expert

Worked with > 50% of the Fortune Global 50 Most Admired Companies

50+ conferences and audit events, including multiple keynote presentations

10+ articles in audit professional publications

4-time IIA All-Star speaker

Author of Surviving an SAP Audit, and contributor to the Workbook for a Successful Audit Analytics Program (available in the IIA bookstore)

[email protected]


Heads-up: Get out your phones/computers

We will be using some polling technology throughout this session

To participate, you will need to go to www.PollEv.com/rsmusworks with any mobile device or computer


BACKGROUND & CURRENT STATE OF THE PROFESSION

IIA Audit Executive Center

2017 North American Pulse of Internal Audit Survey


IIA Audit Executive Center, cont…

2017 North American Pulse of Internal Audit Survey

“CAEs are often eager to use data analytics because it enables them to look at large volumes of data and quickly identify nonconforming activities or outliers. Leveraging the vast amount of data available in most organizations can enhance the capacity and impact of internal audit, instilling confidence in internal audit among our key stakeholders.

These potential benefits may compel CAEs to implement data analytics, even when the needed structures and processes are not fully in place. Pulse results suggest that if CAEs were to audit their own data analytics practices, many would not have positive results.”


“Emerging Risk” both strategic and granular

Risks can be identified anywhere in the audit process, on a spectrum from strategic to granular.

What does the audit of the future look like?

As an auditor, my day starts with:

1. Notifications of any significant risk changes that occurred overnight
• The risks themselves
• The tools management uses to monitor risks

2. Options for how those risk changes might influence my day/week

3. Actioning the “next steps” of any testing that could not be fully automated

4. Discussions with management and other experts about emerging risks and indicators that could be used to enhance risk monitoring

…and my day ends with:

1. Planning the next phase of audit optimization

2. Adjusting/training my army of audit bots as new information is learned

3. Pressing the “do audit” button as I head home


“One Audit = One Day” - Manuel Coello, CVS Health (Aetna)


SUPPORTING TECHNOLOGIES & PROCESSES

The Need for Innovative Auditing

Risk Analytics

Answer questions about past, present, and future
• IFTTT, SoD, and business rules
• Data visualization
• Process mining
• Risk scoring, modeling, and statistics
• Text mining, machine learning, and AI

RPA

Automate and routinize key audit tasks
• Scheduled jobs
• Low cognitive task automation
• Cross-application “macros”
• Manual, repetitive or high volume tasks
• Higher-order task automation (with AI)

Agile

Organize, prioritize and deliver on audits
• Risk backlog vs defined plan
• Quick sprints, adaptable to changes
• Incremental work vs all at once
• Increased information and communication flow
• Client collaboration

We’ve had the tools for a while…

Internal Audit Automation has actually been around for decades

Traditional audit technologies helped to automate data analysis procedures

PC-integrated technologies helped to automate tasks

Newer Robotic Process Automation (RPA) technologies automate where back-end system access is unavailable

RPA Overview

Robotic Process Automation (“RPA”)

RPA refers to a set of modular software programs (or “bots”) that complete structured, repeatable, and logic-based tasks by mimicking the actions taken by existing human staff.

• Developed bots are capable of interacting with and integrating disparate enterprise applications, databases, and files, limiting the business need to develop custom, application-specific integrations.

• A set of scheduled bots is capable of running on multiple servers within a company’s environment simultaneously with minimal impact on resource and network capacity.

RPA Value Proposition

Across industries, RPA enables organizations of all sizes to efficiently scale operations with minimal impact to existing business processes.

IA/Compliance Automation: The complete toolbox

[Figure: toolbox diagram. Labels: TRADITIONAL BI; VISUAL ANALYTICS; TeamMate Analytics; RULES PROCESSING ANALYTICS; MS OFFICE EXCEL ADD-INS; CLIENT/SERVER CAATS; ADVANCED DA; DATA MGT / ETL MONITORING; UTILITY SCRIPTING; TIGHT ERP INTEGRATION; LOOSE ERP INTEGRATION; PROCESS MINING; Survey/Poll; Speech-to-Text; Text mining; Data quality profiling; DB modeling; EMERGING; ROBOTIC PROCESS AUTOMATION; ERP GRC/SOD; eGRC; DATA GOVERNANCE]

Benefits of Automated Auditing

• Scale
• Consistency
• Force Multiplier
• Scheduling
• Limit “Low Cognitive” Tasks
• Opportunity Cost

AUTOMATING IA PROCESSES

RPA vs. Task Automation

• A “bot” mines the IT directory for program changes, logs into ServiceNow to automatically pull the trouble tickets supporting those changes, and downloads relevant approvals and testing documentation before creating a consolidated PDF for evidentiary review (potentially with some automated attribute testing)

• A scheduled script automatically pulls the OFAC list from a government website every month and compares it to vendors & customers

• Another script automatically selects a statistical sample of business transactions and emails relevant participants, requesting they respond with evidence attached to an unattended inbox. Once a response is received with an attachment, the auditor is automatically notified

ROBOTIC PROCESS AUTOMATION

UTILITY SCRIPTING

Practical Automation: Examples for Audit

Removing email attachments and saving on file share to be read by analytics software

API calls to Google to get distances and foreign language translations

Detecting changes made to key files on a file system

Detecting access changes in user access reviews

Using a sample (derived from DA) and screen scraping application screens, then sending evidence to audit

Reading and extracting key information from back-up and job scheduler logs

Performing OCR and extracting details out of contract documents
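One item from the list above, detecting access changes between user access reviews, worked through as an added example (not part of the original presentation). The CSV layout, user names, entitlement names and SoD rule pairs are all constructed for illustration.

```python
import csv
import io

# Constructed sample exports of (user, entitlement) from two review periods.
PREVIOUS = """user,entitlement
alice,AP_INVOICE_ENTRY
alice,GL_VIEW
bob,AP_PAYMENT_RELEASE
carol,VENDOR_MASTER_EDIT
"""
CURRENT = """user,entitlement
alice,AP_INVOICE_ENTRY
Alice ,ap_payment_release
bob,AP_PAYMENT_RELEASE
dave,VENDOR_MASTER_EDIT
dave,AP_PAYMENT_RELEASE
"""

# Hypothetical SoD rules: pairs of entitlements one user should not hold together.
SOD_CONFLICTS = [
    ("AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"),
    ("VENDOR_MASTER_EDIT", "AP_PAYMENT_RELEASE"),
]

def load_snapshot(text):
    """Parse a CSV export into {user: set(entitlements)}, normalising case and spaces."""
    access = {}
    for row in csv.DictReader(io.StringIO(text)):
        user = row["user"].strip().lower()
        access.setdefault(user, set()).add(row["entitlement"].strip().upper())
    return access

def diff_access(prev, curr):
    """Return (change, user, entitlement) tuples, ordered by user."""
    changes = []
    for user in sorted(set(prev) | set(curr)):
        before, after = prev.get(user, set()), curr.get(user, set())
        changes += [("GRANTED", user, e) for e in sorted(after - before)]
        changes += [("REVOKED", user, e) for e in sorted(before - after)]
    return changes

def sod_violations(curr, rules=SOD_CONFLICTS):
    """Users holding both sides of a conflicting pair in the current snapshot."""
    return sorted((u, a, b) for u, ents in curr.items()
                  for a, b in rules if a in ents and b in ents)

if __name__ == "__main__":
    prev, curr = load_snapshot(PREVIOUS), load_snapshot(CURRENT)
    for line in diff_access(prev, curr) + [("SOD",) + v for v in sod_violations(curr)]:
        print(*line)
```

Normalising user and entitlement strings before comparison matters because exports from different periods or systems often differ in case and padding, which would otherwise show up as false grants and revocations.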


Enough talk…

DEMO

Cues Indicating Opportunities for Automation

Repeat requests for data / analysis

Repeat audits of similar records

Repeat analytic tasks (e.g., analytic review, outlier detection, keywords) or calculations

Routine or time-consuming evidence collection

Cyclical/rotational audits

Repeatable routines in standard portion of an audit program

Ad hoc analytics within custom portion of program

High velocity of change in the organization (“flux points”) necessitating need for regular risk assessment

Compliance requirements for sampling


GETTING STARTED

Opportunity identification & prioritization

Typical Progression to Full Automation

Micro-Task Automation → Integrated Task Automation & Workflow → RPA Pilot → RPA Task Bots → RPA Predictive Bots → RPA Cognitive Bots → “Do Audit” button

Considerations

• Access to underlying data

• Process stability

• External auditor expectations

• Enterprise initiatives

• Resource constraints

• Quality of past process outcomes

5 Immediate Steps You Can Take

1. Pick a starting point
• Have data
• Have knowledge (and can thus benchmark)
• Likely to get management attention

2. Define KRIs (Key Risk Indicators) that you can measure
• Using data you already have access to
• Using data you can get access to quickly

3. Determine what can be automated immediately, and what should be automated longer-term

4. Establish a baseline and achievable success measures

5. Start a pilot
• Fail quickly and learn fast

Summary

There should be no significant barriers to beginning your automation initiative TODAY

Consider quick-hit process improvement opportunities prior to automation

Recognize the tools in your toolbox that are right for the job

Prioritize low-risk, low-effort areas

Get started!


QUESTIONS & [email protected]

This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. Internal Revenue Service rules require us to inform you that this communication may be deemed a solicitation to provide tax services. This communication is being sent to individuals who have subscribed to receive it or who we believe would have an interest in the topics discussed.

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International.

RSM, the RSM logo and the power of being understood are registered trademarks of RSM International Association.


RSM US LLP

+1 800 274 3978

rsmus.com