
Getting Started with Data Analytics in Small Audit Departments
PARTICIPATE IN SESSION POLLING and Q&A
• Download the IIA Conferences App to participate in polling during select sessions
• Select the session through the schedule icon and click on the polling icon
• Ask a member of the Conference Staff if you need assistance
• You can also go to https://ic.cnf.io/ from your mobile device web browser
• Submit your questions for the session or to specific presenters by selecting the ASK icon

Joe Oringel
CPA | CIA
Managing Director
Visual Risk IQ
joe.oringel@visualriskiq.com
704.353.7000
@VisualRiskIQ (twitter)

Bradley Carroll
CPA | CFF | CIA | QIAL | CFSA | CRMA
Principal | Frazier & Deeter
bradley.carroll@frazierdeeter.com
404-253-7466

Learning Objectives
• Identify the diverse skills needed to accomplish data analytics (DA)
on small audit teams (hint - it's a group effort. Both IT and non-IT
skills are needed!)
• Overcome inertia and learn to establish a repeatable process for DA
with a focus on staff development
• List potential challenges to more successful DA efforts and discuss
ways to overcome these challenges
• Brainstorm ideas for quick wins and share examples of innovative
ways to provide enhanced assurance
• Practical examples from real-life DA in a small audit shop
• This session is not intended to be a “how-to” on technical methods:
o Data acquisition and preparation (i.e. normalization)
o Extract, Transform and Load process
o DA software evaluation
o DA software tutorial

Fundamental Building Blocks
Visual Risk IQ’s QuickStart methodology. Established 2006

Fundamental Building Blocks
Data Analytics Body of Knowledge - borrowed from APRA

• Project Management
• Data Acquisition and Manipulation
• Statistical Techniques
• Visual Reporting Techniques
• Communication
• (Finance and Audit) Domain Expertise
• Change Management / Strategic Thinking
Our profession should acknowledge data analytics excellence is a team
sport, not an individual one.
How did this work for us at the Bank?

Polling Question

Have you started to utilize data analytics software?
A. No
B. Just getting started
C. All the time

Data Analysis – Maturity Model

[Figure: maturity levels in ascending order: Manual, Ad Hoc, Repeatable, Continuous, Optimizing]

• Manual – undocumented exploration
• Ad Hoc – one use process, initial investigation
• Repeatable – predefined, scripted, perform the same tests on similar data on a scheduled basis
• Continuous – fully automated analytics, running at scheduled intervals, embedded into production systems, include notifications and workflows, remediation tracking, dashboards
• Optimizing – continually improving process performance through both incremental and innovative technological changes/improvements.

Analytics and Internal Audit

Why the hype?
• Big Data
• Compliance
• New Tools & Techniques
• Others are having success

Why does it matter?
• Relevance and Stature
• Increased assurance
• Increased efficiency
• Insights to make better decisions

You are not alone
• IIA Executive Center 2018 North American Pulse of Internal Audit
– 1/3 use simple analytic techniques
– Very few automating routine tasks
• Protiviti’s 2018 Internal Audit Survey - key findings
– Use of analytics in auditing remains in early stages
– Audit analytics more advanced in Europe/Asia-Pacific organizations
– Correlation between AC engagement in analytics and information the
committee receives around internal audit’s use of analytics
• The most common tool for data analytics among internal audit
teams is still MS Excel, but that’s starting to tip.
You are not alone (cont’d)
• PwC 2018 State of the Internal Audit Professional Study
– Only 14% of respondents are “Evolvers” who are advanced in
technology adoption
– 2% of internal audit departments are using robotics or artificial
intelligence
– Must innovate and be revolutionary to stay relevant to add value
and not lose your seat at the table.

Perceived Barriers
• Too complex
• No training
• Budget constraints
• Data access
• Inertia
• Intimidation

Analytical Tools
• Visual Analytics
– Tableau
– PowerBI
– Qlik
• Traditional IA-focus
– IDEA
– Arbutus
– ACL / Galvanize
– Excel
• Others?
– SQL
– Cognos
– SAS

Group Exercise
• Identify a few opportunities to implement a CAAT or DA to
replace a traditional audit sampling methodology.
• What control are you testing and how will the CAAT or DA
test it?
• What tool would you use?
• Where/how will you pull data?

Data Access
• Identify your data sources – What is the data source for your
sampling?
• Does data exist in a usable format?
• How do you connect to data?
• How do you import data into tool?
• Manipulating the data.

Polling Question

Do the standards require the use of data analysis?
A. Yes
B. No

The Standards
• Standard 1220.A2: In exercising due professional care
internal auditors must consider the use of technology-based
audit and other data analysis techniques.

Our library (estab. 2017)
• Ghost employees – CIF/HR/Active Directory
• Ghost vendors – Employee CIF / A/P
• Common Address
• Common Phone
• Common EIN
• Missing / bogus DOBs, EIN in CIF
• Dormant Account address
• Bank statements “held” by branch
• Branch address compared to CIF addresses
• 50+ Checking without owner being 50 years old
• Make-A-Deposit not used by customer
• Make-A-Deposit limits > historical usage
Our library (estab. 2017)
• A/P Benford Analysis
• Expense Report Benford Analysis
• BSA Transaction Testing
• Branch Risk Rating
• Waived / Refunded Service Charges by Officer
• Sales and Service compensation
• Accounts closed within 30/60 days of opening
• Charge off accounts opened with Qualifile override
• Official Check “structuring” to circumvent authorization limits

Our library (estab. 2017)
• Late CD holds when collateral for loans
• Accounts with $0 balance for 60+ days
• OFAC on all CIF
• Geographic concentrations for loan types
• Concentrations by industry or borrower
• Loans >90 past due not on non-accrual
• Denied loan demographics, geography
• Flood zone exposure
• CAAT to identify overdrawn employee accounts
• Artificial Intelligence/Robotic Processing Auditing – data driven alerts
using Tableau

Types of Analytics/Visualization
• List compares
• Benford Analysis
• Trend lines
• Group comparisons
• Concentration mapping
• Bubble Charts

OFAC Testing

[Figure: Customer Information Files]

“Fuzzy Logic” list compare for items on both lists = independent check of OFAC screening at account opening. N 7th St = North Seventh Street = North 7th St
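The list compare described on this slide, written out as an added example (not the presenters' code or tool): addresses and names are normalized so that "N 7th St" and "North Seventh Street" compare equal, fuzzy-matched against a watch list, and the hits are checked against the alerts raised at account opening. All records, thresholds, token tables and function names are constructed for illustration; the watch list entries are fictional, not real OFAC entries.

```python
import re
from difflib import SequenceMatcher

# Address tokens expanded to one canonical spelling (illustrative subset).
# "ST" is treated as STREET; telling it apart from SAINT is out of scope here.
ADDRESS_TOKENS = {
    "N": "NORTH", "S": "SOUTH", "E": "EAST", "W": "WEST",
    "ST": "STREET", "AVE": "AVENUE", "RD": "ROAD", "BLVD": "BOULEVARD",
    "DR": "DRIVE", "LN": "LANE", "STE": "SUITE", "APT": "APARTMENT",
    "FIRST": "1ST", "SECOND": "2ND", "THIRD": "3RD", "FOURTH": "4TH",
    "FIFTH": "5TH", "SIXTH": "6TH", "SEVENTH": "7TH", "EIGHTH": "8TH",
    "NINTH": "9TH", "TENTH": "10TH",
}
# Titles and legal suffixes that carry no identifying value in a name.
NAME_NOISE = {"MR", "MRS", "MS", "DR", "JR", "SR", "INC", "LLC", "CO", "CORP", "LTD"}


def _tokens(text):
    """Upper-case, replace punctuation with spaces, split on whitespace."""
    return re.sub(r"[^A-Z0-9 ]+", " ", text.upper()).split()


def normalize_address(address):
    return " ".join(ADDRESS_TOKENS.get(tok, tok) for tok in _tokens(address))


def normalize_name(name):
    # Sorting tokens makes "EXAMPLE, John" and "John Example" comparable.
    return " ".join(sorted(t for t in _tokens(name) if t not in NAME_NOISE))


def similarity(a, b):
    """Similarity ratio in [0, 1] between two already-normalized strings."""
    return SequenceMatcher(None, a, b).ratio()


def list_compare(customers, watchlist, name_threshold=0.85, addr_threshold=0.90):
    """Return customer/watch-list pairs whose name or address is a near match."""
    hits = []
    for cust in customers:
        c_name = normalize_name(cust["name"])
        c_addr = normalize_address(cust["address"])
        for entry in watchlist:
            name_score = similarity(c_name, normalize_name(entry["name"]))
            addr_score = similarity(c_addr, normalize_address(entry["address"]))
            if name_score >= name_threshold or addr_score >= addr_threshold:
                hits.append({
                    "customer_id": cust["id"],
                    "list_id": entry["id"],
                    "name_score": round(name_score, 2),
                    "address_score": round(addr_score, 2),
                })
    return hits


def screening_exceptions(hits, alerted_ids):
    """Customers the independent compare flags but onboarding screening did not."""
    return sorted({h["customer_id"] for h in hits} - set(alerted_ids))


# Constructed sample data: a CIF extract, a fictional watch list, and the
# customer ids that the account-opening screening actually alerted on.
CUSTOMERS = [
    {"id": "C001", "name": "John Q. Example", "address": "12 N 7th St"},
    {"id": "C002", "name": "Examplar Trading LLC", "address": "400 Harbor Blvd, Ste 5"},
    {"id": "C003", "name": "Maria Sample", "address": "9 Oak Ln"},
]
WATCHLIST = [
    {"id": "W1", "name": "EXAMPLE, John", "address": "12 North Seventh Street"},
    {"id": "W2", "name": "Exemplar Trading Co", "address": "400 Harbour Boulevard Suite 5"},
    {"id": "W3", "name": "Janet Dole", "address": "500 Pine Ave"},
]
ALERTED_AT_OPENING = {"C002"}

if __name__ == "__main__":
    found = list_compare(CUSTOMERS, WATCHLIST)
    for hit in found:
        print(hit)
    print("Not alerted at account opening:",
          screening_exceptions(found, ALERTED_AT_OPENING))
```

Every hit is a lead for manual review, not a confirmed match; the thresholds trade false positives against misses and need tuning on real data.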
Issues Tracker

Sales Incentives Analysis

Split Limits (AML / BSA)

Who exceeded the limit over multiple days?

Geographic Concentrations

Remote Deposit Limit Analysis

• Extracted data from remote deposit database, trending historical usage of all customers with limits greater than $100k to determine if limits were appropriate or if the bank had unnecessary risk exposure
• Management reviewed data and decreased limits, where
appropriate, lowering the risk exposure by 64%

Make a Deposit Analysis

Extract from product Core application database, filtering on MAD transactions, filtering by product MAD transaction codes

Service and NSF Refunds/Waivers

Benford Analysis on A/P

Group Exercise

Polling Question

What do you see as your barriers to using data analytic software?
A. Inertia
B. Cost
C. Lack of expertise
D. No management buy-in
E. Other

Learning Objectives (recap)
• Identify the diverse skills needed to accomplish data analytics
(DA) on small audit teams (hint - it's a group effort. Both IT and
non-IT skills are needed!)
• Overcome inertia and learn to establish a repeatable process for
DA with a focus on staff development
• List potential challenges to more successful DA efforts and
discuss ways to overcome these challenges
• Brainstorm ideas for quick wins and share examples of innovative
ways to provide enhanced assurance
• Practical examples from real-life DA in a small audit shop

References
• Internal Auditor April 2018, “Out of Step with Analytics”
• IIA Audit Executive Center’s 2018 North American Pulse of
Internal Audit
• Protiviti’s 2018 Internal Audit Capabilities and Needs Survey
• PwC’s 2018 State of the Internal Audit Profession
• Visual Risk IQ webinar series w/ Tableau

TELL US WHAT YOU THINK!
Evaluate this session right in the
IIA Conference App!

Not using the conference app?
Visit: ic.cnf.io to complete your session evaluations.
Case Based Learning: Advanced Fraud Risk Assessment Techniques from Internal Auditor's Eye

Fraud Defined

“The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets.” (ACFE)

Fraud Defined

“… any illegal act characterized by deceit, concealment, or violation of trust.” IIA’s International Professional Practices Framework (IPPF)

Fraud Risk

The vulnerability that an organization faces from individuals capable of combining all three elements of the fraud triangle is fraud risk.

[Figure: fraud triangle: Opportunities, Incentives/Pressure, Attitudes/Rationalisations]

Factors Affecting Fraud Risk

• Nature of the business
• The environment in which it operates
• The ethics and values of the company and its
employees
• The effectiveness of its internal controls

FRAUD TREE

Fraud Risk Management

COSO Internal Control Framework and FRA

[Figure: Fraud Governance; Control Activities; Monitoring; Information and Communication; Risk Assessment]

Polling Question 1

Have you (or your company) conducted a fraud risk assessment in the last 12 months?
a. YES
b. NO
c. Not sure

Why Conduct a Fraud Risk Assessment

• Improve communication and awareness about fraud.
• Identify what activities are the most vulnerable to fraud.
• Know who puts the organization at the greatest risk.
• Develop plans to mitigate fraud risk.
Risk Management Process

[Figure: risk management process]
• Establishing the context
• Risk Assessment
o Risk identification
o Risk analysis
o Risk evaluation
• Risk treatment
• Communication and consultation
• Monitoring and review

Fraud Risk Assessment Process
[Figure: cycle of steps]
• Establish the fraud risk assessment team
• Identify all fraud schemes and fraud risks
• Estimate likelihood and significance of each fraud scheme and risk
• Get everyone involved considering fraud triangle
• Identify existing controls and assess their effectiveness
• Assess and respond to residual risks that need to be mitigated
• Document the risk assessment
• Reassess risk periodically considering changes
Assembling Fraud Risk Assessment Team

• Made of individuals with diverse knowledge, skills, and perspectives
• Includes members from internal and external resources
o Accounting and finance personnel
o Risk management personnel
o Legal department
o Compliance department
o Internal auditors
o External consultants if necessary
Polling Question 2

Which method does your organization use to conduct fraud risk assessment?
a. Interviews
b. Focus Groups
c. Anonymous feedback mechanism
d. Surveys

Determine the Best Techniques to Use

Interviews

Focus Groups

Anonymous feedback mechanism

Surveys

Elements of Good Fraud Risk Assessment

• Collaborative effort - share ownership
• Access to people at all levels
• Good working knowledge of the business
• Right Sponsor
• Protection for Whistleblowers

Elements of Good Fraud Risk Assessment

• Independence and Objectivity
• Ability to think the unthinkable

Common Errors in Conducting Fraud Risk
Assessment (FRA)

• Management does not take responsibility for the FRA
• The FRA is not risk-based
• The FRA is too broadly based
• Not having necessary skill sets to perform the FRA
• The FRA process does not include the appropriate people
• The FRA is not systematic and recurring

Fraud Case Study - Facts
• XYZ won the tender for supply of office equipment.
• The price that XYZ quoted was almost twice the price offered by nearest competitors.
• Some disgruntled suppliers (those who lost the tender) complained.
• The matter was presented to auditors for a special audit.
• The tender process was repeated after the first process failed to secure the winning bidder.
• XYZ had failed in first tender for lack of experience but won a few months later when the tender was re-advertised.
Fraud Case Study – Bow Tie Analysis

[Figure: bow tie diagram linking risk causes (C) through the risk event (E) to risk impacts (I). Labels recoverable from the slide: lack of policies; legal loopholes; lack of oversight; defective tender; forgeries; missing docs; selective notification; revision of doc. selection criteria; price inflation; complaints; investigation; tender rejection; scope limitation; reputation; loss of money; aggression; regulatory sanctions.]

Conclusion

The success of Fraud Risk Assessment depends on the awareness of the organization and ownership of the process.

It is important to consider the Risk of Fraud every time you plan for engagement.

If you find water rising up to your ankle, that's the
time to do something about it, not when it's around
your neck.

Chinua Achebe

Career Observations on the Profession
Panel
Larry Harrington, CIA, QIAL, CRMA, CPA
Patty Miller, CIA, QIAL, CRMA, CISA, CPA
Larry Rittenberg, PhD, CIA, CPA

Panel Members
Larry Harrington
Recently retired CAE for Raytheon Company. During career, held positions as CAE, and VP of Finance, HR and Operations
at Fortune 200 companies. Remains active in IIA; has served at local level and on NA and Global Boards (rising to
Chairman for both Boards). A frequent speaker, author and passionate supporter of the Internal Audit Foundation, and
elected into North American Hall of Distinguished Internal Audit Practitioners.

Patty Miller
Retired Risk Services Partner from Deloitte, serving technology, consumer and manufacturing clients in Bay Area. Held
numerous mid and senior management positions in Internal Audit, Finance, M&A, and Process Reengineering. Served in
multiple NA and Global volunteer roles, including Chairman of Board and Chair of Standards Board. Frequent speaker,
author, elected into the North American Hall of Distinguished Audit Practitioners, and recipient of the Victor Z. Brink and
William Bishop III Lifetime Achievement Awards.

Larry Rittenberg, PhD
Larry is Professor Emeritus from University of Wisconsin, and longtime contributor to IIA. Has done extensive research
and been major influencer to profession with such projects as Outsourcing IA, Politics of IA, and by helping draft Definition
of IA and Professional Practices Framework. Served on executive committee of Global Board and other global
committees. Was appointed Chair of COSO, and served as Audit Committee Chair at Woodward, Inc., and on Audit
Committee of Petro China. Recipient of the Victor Z. Brink and Bradford Cadmus Awards
and elected into the North American Hall of Distinguished Internal Audit Practitioners.
Session Topics
The panelists will share perspectives in the following areas based on their
years of experience, followed by an interactive question and answer session.

Thoughts from the Board Room
Dr. Larry Rittenberg

CAEs as Leaders
Patty Miller

The Importance of Alignment, your Team, and your Brand
Larry Harrington

We welcome your questions and comments and look
forward to future discussions!

Larry Harrington
– harringtonlj@aol.com

Patty Miller
– pkmiller100@gmail.com

Larry Rittenberg, PhD
– lrittenberg@bus.wisc.edu

Beginning the Journey into Internal Auditing
Insights, Stories and Tips for Success from Expert Practitioners from Across the World

Bruce Turner AM, CRMA, CISA, CFE


My community ‘down under’
[Photos: Sydney Harbour (left); Nepean River (right); Blue Mountains (below)]

Wisdom of a global luminary

“Everyone starting a career should understand the value of personal branding. We all have a brand, whether we know it or not. But those who proactively manage that brand will see their career accelerate faster than those who don’t manage their brand.”
—Larry Harrington
Chief Audit Executive, U.S.
Past Chairman of IIA Global Board of Directors 2015–2016

Long and winding road

21,024,000 minutes
Personal branding: storytelling and people listen

48 Publications
31 Conferences
16 Courses and Webinars
11 Quality Assessment Reviews
* Since 2012
Wisdom of a global business leader

“A good company delivers excellent products and services, and a great company does all that and strives to make the world a better place.”
—Bill Ford Jr., great-grandson of ‘captain of industry’ Henry Ford and business leader in his own right

Personal branding: making the world a better place

• White Ribbon Ambassador
• Influencing the broader community
• Aboriginal Health & Wellbeing
• Maintaining a Local Presence
Session context

The twenty-first century has thrown up fresh challenges for auditors as a consequence of rapid business changes, global connectivity, emerging technologies, and increasingly complex economic, regulatory and operating environments.

But auditors need to first get the basics right …

Talking basics …

Objective Just do it!

Process Scrubbing?

Tools Mop Head?

Quantity How Much?

Session objective

Equip new auditors and those who support them to deliver upon increasing expectations of key stakeholders by thinking beyond the traditional auditing scope, and having the tools to do so.

Understanding stakeholder expectations

• The success in conducting internal audits is highly dependent on the support and influence of key stakeholders
• Some stakeholders have greater influence than others
• Areas of focus for auditors in dealing with stakeholders:
– Become masters in knowing the mission, strategy, objectives, and risks of your business
– Help stakeholders recognize you understand the business, framing your communication with them within the context of strategy and objectives
Enhancing and protecting organizational value

“Creating a strong business and building a better world are not conflicting goals—they are both essential ingredients for long-term success.”
—Bill Ford Jr., great-grandson of ‘captain of industry’ Henry Ford and business leader in his own right

Getting started

Polling Question 1

What do you primarily hope to gain from this session?
a. Insights to aid own personal development
b. Knowledge to develop audit colleagues
c. General awareness of auditing and business practices
d. Tips to influence internal audit leaders
e. None of the above

Session content - expand the thinking … 10 key features

Typical elements of the internal audit process / Content of today’s presentation

• Planning: Understand the context; Considering ‘what if’ scenarios
• Fieldwork: Right to audit (third parties); Decision-support reporting (spreadsheet risks)
• Reporting: Reporting creatively; Reporting on financial stewardship
• Follow-up: Reporting useful and meaningful solutions; Telling the story
• Quality: People - attuned, balanced and credible; Outcomes - scrutiny of audit workpapers

Planning – understanding the context

Wisdom of a global luminary

“Master the fundamentals—the business, risk management (the way it should be, not the way it generally is), and internal control. Seek to understand why people do the things they do, the way they do them, and always think about what would be best for the organization as a whole.”

—Norman Marks
Retired Chief Audit Executive, U.K. and U.S.
Author, Evangelist, and Mentor for Better Run Organizations
Environmental scanning is fundamental

• Many traditional business models have been disrupted and won’t recover to their previous form
• Understand changing business practices and what that means for audit coverage
• Strive to deliver insights to management that are relevant to them, timely, and genuinely add value
• Be attuned to what’s over the horizon

Case 1 – Energy company pole yard – field trip
[Photos: Severe drought; Extreme fire risk; Pole storage; Near Fence; Wild-fires break out; Pristine Forests]


Planning … considering ‘what if’ scenarios

Controls over currency processing operation

Inherent Risk: Theft of cash. Note: Banknotes are highly liquid.

Strong control environment including:
• Impregnable physical security
• Movements under triple control
• Custodianship under triple control
• Senior staff hold keys & combinations
• CCTV covers all banknote movements
• Auto destruction damaged banknotes
• Daily reconciliation of all transactions
• Rigorous employee vetting
• Code of conduct reminders
• Strict segregation of duties
• Transactions computerized
• Passwords involve triple control
• Daily scrutiny of records
• Regular surprise cash counts

Polling Question 2

How would you rate the residual risk of theft (likelihood) in the currency processing area?
a. Rare
b. Unlikely
c. Possible
d. Likely
e. Almost certain

Theft of cash … unbelievably it happened!

Source of excerpts: ‘The Age’ and ‘The Herald Sun’ newspapers

Controls over currency processing bypassed
Inherent Risk: Theft of cash. Note: Banknotes are highly liquid.

Strong control environment including:
• Impregnable physical security
• Movements under triple control
• Custodianship under triple control
• Senior staff hold keys & combinations
• CCTV covers all banknote movements
• Auto destruction damaged banknotes
• Daily reconciliation of all transactions
• Rigorous employee vetting
• Code of conduct reminders
• Strict segregation of duties
• Transactions computerized
• Passwords involve triple control
• Daily scrutiny of records
• Regular surprise cash counts

[Slide callouts:]
• Long-term employee who was overlooked for promotion
• Entered false destruction transaction of $100,000
• Stole passwords of 2 workmates; discreetly watched their keystrokes
• Dropped physical banknotes in areas not covered by CCTV
• Retrieved banknotes later and snuck them out in loose clothing
• Falsified paper-work so it ‘looked right’
• Changed destruction transactions to agree with computer system
• Changed paper records to accord with transaction; unnoticed

Nobody noticed!
Essence of risk-based auditing

Internal auditors must consider inherent risks in a manner where they always remain alert and suspicious, apply challenging ‘what if’ scenarios, and never become complacent.

Fieldwork … and a ‘right to audit’ (third parties)

Trust but verify …

• Increased outsourcing to third-party providers
o Often non-core and may be low-value/high-volume
o … or requiring specialist expertise
o These are operational risks requiring effective controls
• Be cognizant of activities within scope of audit that are undertaken outside organization
• Invoke ‘right to audit’ as part of audit fieldwork

Case 2 – Obsolete hardware ‘cleaned’ by third party supplier
[Figure labels: Deep dive higher-risk contracts: ‘right to audit’; Third party security provider; Contract to destroy hardware securely; Escalated reputation and legal risks; Paying for premium service; not getting]


Risk of sensitive information being compromised

Contractor of good repute … but myriad of serious breaches of critical contractual conditions:
• Lax custodianship
• Absence of security clearances for contractor’s staff
• Untimely destruction
• Hardware not separated from other non-secure items
• Security bins left open (people could take hardware)

Fieldwork … decision-support reporting (spreadsheet risks)

Determining key management reports

• Common audit objective is to review the reliability and integrity of financial, operational, and decision-support information
• Requires systematic approach to determine and rank key reports
• High reliance on spreadsheets

[Figure: List of Key Reports, often from spreadsheets, recording Report Name, Report Type, Purpose, Data Source, Criticality]
Spreadsheet errors are problematic

• Global organizations have suffered major reputational damage due to spreadsheet errors:
o Adverse financial impacts
o Profit overstated by $A10 million; income expectation overstated by $US15 million; underestimation of profit by 3.5%
o Democratic outcomes compromised
o False election result
o Serious privacy breaches

Spreadsheet risks – recent surveys and polls

• 75% of spreadsheets (of a large number) are ‘business critical’ … many of the remainder are ‘significant’ for business management
• 70% of poll participants confirmed their entities rely heavily on spreadsheets for critical business needs
• BUT 43% have little or no processes to confirm the spreadsheets are functioning properly

Case 3 – Controlling spreadsheet risks
[Figure steps: Develop List of Key Reports; Determine future IT solution; Policy and f/work - develop; use; control; Staff trained in risks, controls, f/work; Utilize monitoring / checking software]


Polling Question 3

How do you rate your IPPF expertise?
a. Expert level – fully apply ALL IPPF elements
b. Highly developed – fully apply audit standards
c. Reasonably familiar – partially apply IPPF / standards in work
d. Developing – know a little about it but really at a ‘novice’ level
e. Have little, limited or no knowledge

Reporting creatively

Creative reporting

• Identify observations that need to be addressed by business
• Determine solutions and priorities
• Deliver timely reporting
• Be guided by organization’s values, mission, strategic priorities, and risk appetite
• Be creative in reporting issues (e.g., photos)

Root cause analysis

• Individual observations without analysing reasons a problem occurred may:
o Miss the underlying reasons
o Restrict insights to narrow operational perspective
• Auditors raise insights to a strategic level where they conduct root cause analysis to determine why the problem occurred in the first place

Case 4 – Business practices at odds with business objectives
[Photos: Business Objective; Obsolete Equipment; Oil; Flora and Fauna; Creek; Major River]


Strategic insights
Root cause analysis typically involves a series of five “why?” questions.

• WHY: Manager restricted by ‘budgetary constraints’
• WHY: No authority or priority to address problems
• WHY: Little grasp of applying company’s safety and environmental values
• WHY: Inherited a poor safety culture
• WHY: Manager new to role and never trained in workplace health, safety and environment priorities

Reporting on financial stewardship

Meeting stakeholder expectations

• Think outside the box … to provide foresight
• Embrace full ambit of capability
• Transition from delivering assurance-based outcomes to delivering insightful, proactive, and future-focused outcomes

[Figure labels: Value for money using the Four E’s; Shaping different outcomes; Assessing hard and soft controls]
Value from money derived from Four E’s
Term | Meaning | Example
Efficiency | Using resources well. Producing the maximum output from inputs. | Where cost has been reduced over time.
Effectiveness | Using resources wisely. Achieving objectives as intended. | Where wastage has been reduced over time.
Economy | Using resources economically but still maintaining quality. Minimizing the cost of resources used. | Where supplies of a specific quality are purchased at the best price.
Ethical | Applying resources ethically. Living the corporate values of honesty and integrity (or similar). | Where integrity and ethical behavior is evident throughout all phases of the process.
Delivering different financial audit outcomes
Assurance-Based | Insights (Insightful, Proactive, Future-Focused Outcomes)
Revenue and expenditure cycles | Accounts payable audit … extend analysis into metrics, like average processing costs, in order to present benchmarking as part of audit report
Procurement and contract audits | Audits of significant contracts … extend analysis onto supply chain and periodic (at least annual) review of contractor’s continued reputation, service quality, and creditworthiness
Major contracts execution | Potentially an independent observer on selection panel for major contracts
Reasonableness of delegations and segregation of duties | For business efficiency … balance the authorization controls (e.g., delegations and segregation) against potential processing bottlenecks
Hard controls and soft controls equally valuable

Hard controls are tangible, involve explicit activities, and are usually objective. Examples: locks, authorizations, approvals, delegations of authority, verifications, reconciliations, segregation of duties, and performance reviews.

Soft controls are intangible in nature and include things like culture, tone at the top, living shared values, morale, integrity, trust, and empowerment. They are typically subjective and reflect implicit attitudes.

[Figure: Hard controls; Soft controls; Overall opinion]

Follow-up – reporting useful and meaningful solutions

Reporting is structured … but flair is encouraged
[Figure: Audit Report, made up of:]
• Background information, risk profile, audit objectives, and scope (from engagement plan)
• Details of reportable observations and recommendations (determined from fieldwork)
• Holistic root cause analysis (based on analysis of observations undertaken by the team as a whole)
• Audit opinion (determined by the team leader in consultation with the auditors)
• Action plan (i.e. summary of recommendations once management comments are received)

Audit reporting

• Typically primary means of communicating outcomes
• Reflects observations, opinions, and recommendations
• Stakeholders more discerning … want reports that are:
o Easy to read, get to point, tell a story, provide opinions
o Clear, concise, and address agreed audit objectives
• Value is added to an organization and stakeholders when audit recommendations are implemented

Delivering insights that help the business

• Punitive: “Gotcha” Mindset (less valued insights)
• Educative: Cooperative Mindset (more valued insights)

Follow-up - ‘Telling the Story’

Reporting on recommendations … beyond mundane

[Figure: Detailed view (low value) versus Telling the story (high value); Insights that help the business]

Report on open recommendations – detail view

• Short covering paper (if any), essentially: “We are required to follow-up recommendations under auditing standards; here is a list of all the audit recommendations”
• Detailed list of ALL recommendations with their status

LOW VALUE: Barely meets basic requirements of audit committee
Report on open recommendations – tell the story

• Opinion on management’s overall level of commitment to
• Insights on any positive improvement from implementation
• Validation of implementation of higher-risk recommendations
• Commentary on at-risk recommendations, including original and revised targeted completion dates and comments on action
• Graphs illustrating different lenses of overdue recommendations
o Risk ratings (high, medium, low). Ageing of periods overdue. Business area.

60
Report open recommendations – tell story (cont’d)

• Trends (3 to 5 years) of actions opened, closed, on track, completed on time, overdue, and total number currently open
• Trends and/or graphs on recommendations being raised applied against different business risk categories
• List of open recommendations (in full or part) as an attachment

HIGH VALUE: Meets basic requirements of audit committee, and helps to provide risk-based and objective assurance, advice, and insights (i.e., ‘value proposition’).

61
Quality people – attuned,
balanced and credible

62
Polling Question 4

What is your experience in having a mentor (through formal program, informal arrangement, or both)?
a. Found it very worthwhile; would highly recommend
b. It was somewhat helpful; would recommend
c. Not sure just yet (neutral)
d. Not a good experience; would not recommend
e. Never had a mentor

64
65
Wisdom of a global luminary

“After more than twenty years of experience as an internal auditor and as a chief audit executive, my personal advice to a newcomer will be to find a mentor … willing to provide you with regular feedback and advice … your personal role model for your career as an internal auditor!”
—Angela Witzany
Head of Internal Audit, Austria
Past Chairman of IIA Global Board of Directors 2016–2017

66
Common approaches to performance development

Annual
Reviews

Professional Engagement
Development Feedback

Developing an Performance Feedback on Auditor’s


Auditor’s Skillset Insights
Performance
Probationary
Profiling
Reviews

Coach or Informal
Mentor Feedback

67
The ABCs of auditing

In the eyes of an experienced audit committee chair:
“Some internal auditors have good process developed into an art form where the process is perfect but nothing is ever discovered.”
Going beyond the process is as easy as ABC …

Value Added
• Attuned: Knows the business and what needs audit focus
• Balanced: Applies a balanced approach to provide valued insights
• Credible: Regarded as credible in the eyes of stakeholders

68
Transforming from hindsight to insight … then foresight

• Foresight
o Helping organizations prepare for the future
• Insight
o Risks facing organization and control assurance in the here and now
• Hindsight
o Assessing what happened in the past to provide control assurance

Source: Sawyers Internal Auditing 7th edition
69
Quality outcomes - scrutiny of
audit workpapers

70
Protecting an internal audit asset
• One of internal audit’s major assets is its credibility with stakeholders
• It’s protected through ongoing monitoring of quality
• There’s a need for quality control across all audit phases

Quality of Planning | Quality of Fieldwork | Quality of Reporting

71
Maintaining internal audit credibility

• Audit workpapers need to be prepared to withstand intense external scrutiny
• Purpose and intensity of external scrutineer reviews can be quite diverse
• Can represent a relatively high risk to organization’s brand and reputation of its senior management

72
Range of external scrutineers

[Diagram labels: Routine, Stipulated, Special]
• External auditors
• Regulatory auditors (industry specific)
• External quality assessors
• Parliament committee
• Regulatory review
• Special or royal commission of inquiry
• Coronial enquiry
• Federal or state investigation
• Corruption inquiry
• Fraud investigation
• Taxation compliance review
73
Closing

74
Wisdom of a global luminary

“Aspiring internal auditors must be able to look beyond today’s concerns to what future demands and changes might be. Organisations continue to demand more value from internal audit, more insight into the affairs of the business and an improved level of assistance around control optimisation.”
—Anton van Wyk
Partner Big 4 Firm, South Africa
Past Chairman of IIA Global Board of Directors 2014–15
75
Must get basics right before tackling challenges

• Artificial Intelligence
• Big Data Analytics
• Biometrics
• Blockchain
• Robotic Process Automation
• Conversational Commerce
• Internet of Things

76
Wisdom of a global luminary

“Have an insatiable curiosity and do not be afraid to ask questions. Rudyard Kipling said it best in his book The Elephant’s Child – ‘I keep six honest serving-men: (They taught me all I knew). Their names are What and Where and When and How and Why and Who.’”
—Paul Sobel
Chief Audit Executive, U.S.
Past Chairman of IIA Global Board of Directors 2013–2014

77
Unleashing the power of storytelling
• 20 chapters covering the who, why, how, when, what, and where of auditing
• > 50 contributors from across the world
• > 140 terms explained in comprehensive glossary
• ≃ 70 exhibits with practical examples and diagrams
• > 50 references to useful published materials
• 36 stories on practitioner’s ‘favorite audits ever’
• 20 insights on ‘what practitioners love about internal audit’
78
Wisdom of a global luminary

“I had the best job in America. Every single day was interesting, rewarding, and sometimes just plain fun.”
—Barbara Bush
Former First Lady, United States 1989–93
—Many successful internal auditors would reflect this same sentiment!!!
79
There has never been a better
time to be an internal auditor!

Questions

80
TELL US WHAT YOU THINK!
Evaluate this session right in the IIA Conference App!

Not using the conference app?
Visit: ic.cnf.io to complete your session evaluations.
81
What Color is
your Rainbow?

1
Presenters

Mara Ash, CIA, CGFM, CMRA, CGAP


She is a federal compliance expert with
over 25 years of financial management and
audit experience in government and private
sectors. As a federal compliance expert her
goal is to help organizations improve
service delivery, ensure compliance, and
enhance transparency.
3
Presenters

John Provan, CPA, CIA


Over 14 years leading performance and
financial audits. Made more than 140
management improvement recommendations,
questioned more than $10 million in costs
spent on unallowable, unapproved,
unsupported, or unreasonable items.

4
Presenters

Catherine Melvin,
Over 14 years leading performance and
financial audits. Made more than 140
management improvement recommendations,
questioned more than $10 million in costs
spent on unallowable, unapproved,
unsupported, or unreasonable items.

5
Polling Question 1 – pie chart

Do you know the laws and regulations applicable to your agency?

a. Yes
b. No
c. Not Sure

7
8
How to start building your rainbow

9
Considerations

• Legislative Requirements
• Regulatory Requirements
• Standards
• Other Considerations

10
Legislative Requirements

• What legal requirements are specific to your region or agency?
• Do you have conflicting laws?
• Are laws specific?

11
Start building the Matrix

Legal Matrix
Citation | Short Title | Sec. 2102.004 | Sec. 2102.006 | Sec. 2102.007(b)
Tex. Gov. Code 10 § 2102 | Texas Internal Auditing Act | Budget >$10M | CIA or CPA | Access to Administrator and Free from COI

12
Start building the Matrix (Ex. 2)

Legal Matrix
Citation | Short Title | (3) | (4) | (5)
ORS 184.360 | Internal Audits in State Government | Adopt rules setting standards and policies for internal audit functions… consistent with industry standards | Risk Assessment... Conforms with IIA and other recognized standards | Peer Review every 5 years

13
Regulatory Requirements

• What regulations govern your work or agency?
• Are there specific regulations related to the area you are auditing?
• Are there specific regulations related to your agency?

14
Regulatory Matrix

Requirement | Subpart C—Pre-Federal Award | Requirement | Requirement | Requirement
2 CFR 200 Uniform Guidance | § 200.205 Federal awarding agency review of risk posed by applicants | (a) Check Government repositories | (b) Have a framework to evaluate risks PRIOR to award | (c) Consider risk: (1) Financial Stability (2) Quality of Mgt Systems

15
Polling Question 2 – pie chart

What Standards do you use?

a. IIA’s International Professional Practices Framework (Red Book)
b. GAO’s Generally Accepted Government Auditing Standards (Yellow Book)
c. International Standards of Supreme Audit Institutions (ISSAI) Framework
d. Other Standards

17
18
Major Standards

• IIA’s International Professional Practices Framework (Red Book)
• GAO’s Generally Accepted Government Auditing Standards (Yellow Book)
• International Standards of Supreme Audit Institutions (ISSAI) Framework

19
IIA’s International Professional Practices
Framework (Red Book)
– Applies to all auditors with IIA
certifications

20
GAO’s Generally Accepted Government
Auditing Standards (Yellow Book)
– Applies to all US audits over fiscal or
program activities executed with federal
funds
– Starting in 2019 includes Internal Controls
“Green Book”
21
International Standards of Supreme Audit
Institutions (ISSAI) Framework
– Applies to most international audits over
fiscal or program activities executed as
adopted by each country

22
Other Considerations

• Agency directive
• Management Purview
• Mandatory/Discretionary
• What HAS to be done
• What should be done
• What would you like to do

23
Combine the Matrices
Create your Rainbow

24
Find the Overlap

• Once we have the list – what is the same?
• Is there overlap between requirements and standards? If it is on every list, then DO IT!
• Narrow the field
• Overlap is the priority!

25
Your Rainbow

The overlap in the matrix is your “standards”
– This is what makes you red, yellow, orange or any other color

26
Put it together

Rainbow
Columns: Legal | Regulatory | Standards | Agency | Other
• Sec. 2102.007 (b): Free from COI
• GAO GAGAS '3.19: Avoid situations where 3rd party believe auditors are not capable of objective and impartial judgment
• IPPF 1120 – Impartial, unbiased attitude and avoid any conflict of interest.
• Cannot audit where worked for 2 yrs.
• Number of auditors and Funding

27
What’s left and what to do with it

1. Law
2. Regs
3. Standards
4. Agency
5. Management

28
Who can do this work?

National or State Audit Agencies
– Laws, Regs, standards

Agencies or Departments
– Agency, Management Purview

29
Questions

30