Started with Data Analytics in Small Audit Departments
1
PARTICIPATE IN SESSION POLLING and Q&A
• Download the IIA Conferences App to
participate in polling during select
sessions
2
Joe Oringel
CPA | CIA
Managing Director
Visual Risk IQ
joe.oringel@visualriskiq.com
704.353.7000
@VisualRiskIQ (twitter)
Bradley Carroll
CPA | CFF | CIA | QIAL | CFSA | CRMA
Principal | Frazier & Deeter
bradley.carroll@frazierdeeter.com
404-253-7466
3
Learning Objectives
• Identify the diverse skills needed to accomplish data analytics (DA)
on small audit teams (hint - it's a group effort. Both IT and non-IT
skills are needed!)
• Overcome inertia and learn to establish a repeatable process for DA
with a focus on staff development
• List potential challenges to more successful DA efforts and discuss
ways to overcome these challenges
• Brainstorm ideas for quick wins and share examples of innovative
ways to provide enhanced assurance
• Practical examples from real-life DA in a small audit shop
• This session is not intended to be a “how-to” on technical methods:
o Data acquisition and preparation (i.e. normalization)
o Extract, Transform and Load process
o DA software evaluation
o DA software tutorial
4
Fundamental Building Blocks
Visual Risk IQ’s QuickStart methodology. Established 2006
5
Fundamental Building Blocks
Data Analytics Body of Knowledge - borrowed from APRA
• Project Management
• Data Acquisition and Manipulation
• Statistical Techniques
• Visual Reporting Techniques
• Communication
• (Finance and Audit) Domain Expertise
• Change Management / Strategic Thinking
Our profession should acknowledge data analytics excellence is a team
sport, not an individual one.
6
How did this work for us at the Bank?
7
Polling Question
8
9
Data Analysis – Maturity Model
Optimizing
Continuous
Repeatable
10
Analytics and Internal Audit
11
You are not alone
• IIA Executive Center 2018 North American Pulse of Internal Audit
– 1/3 use simple analytic techniques
– Very few automating routine tasks
• Protiviti’s 2018 Internal Audit Survey - key findings
– Use of analytics in auditing remains in early stages
– Audit analytics more advanced in Europe/Asia-Pacific organizations
– Correlation between AC engagement in analytics and information the
committee receives around internal audit’s use of analytics
• The most common tool for data analytics among internal audit
teams is still MS Excel, but that’s starting to tip.
12
You are not alone (cont’d)
• PwC 2018 State of the Internal Audit Professional Study
– Only 14% of respondents are “Evolvers” who are advanced in
technology adoption
– 2% of internal audit departments are using robotics or artificial
intelligence
– Must innovate and be revolutionary to stay relevant to add value
and not lose your seat at the table.
13
Perceived Barriers
• Too complex
• No training
• Budget constraints
• Data access
• Inertia
• Intimidation
14
Analytical Tools
• Visual Analytics
– Tableau
– PowerBI
– Qlik
• Traditional IA-focus
– IDEA
– Arbutus
– ACL / Galvanize
– Excel
• Others?
– SQL
– Cognos
– SAS
15
Group Exercise
• Identify a few opportunities to implement a CAAT or DA to
replace a traditional audit sampling methodology.
• What control are you testing and how will the CAAT or DA
test it?
• What tool would you use?
• Where/how will you pull data?
16
Data Access
• Identify your data sources – What is the data source for your
sampling?
• Does data exist in a usable format?
• How do you connect to data?
• How do you import data into tool?
• Manipulating the data.
17
Polling Question
18
19
The Standards
• Standard 1220.A2: In exercising due professional care
internal auditors must consider the use of technology-based
audit and other data analysis techniques.
20
21
Our library (estab. 2017)
• Ghost employees – CIF/HR/Active Directory
• Ghost vendors – Employee CIF / A/P
• Common Address
• Common Phone
• Common EIN
• Missing / bogus DOBs, EIN in CIF
• Dormant Account address
• Bank statements “held” by branch
• Branch address compared to CIF addresses
• 50+ Checking without owner being 50 years old
• Make-A-Deposit not used by customer
• Make-A-Deposit limits > historical usage
22
Our library (estab. 2017)
• A/P Benford Analysis
• Expense Report Benford Analysis
• BSA Transaction Testing
• Branch Risk Rating
• Waived / Refunded Service Charges by Officer
• Sales and Service compensation
• Accounts closed within 30/60 days of opening
• Charge off accounts opened with Qualifile override
• Official Check “structuring” to circumvent authorization limits
23
Our library (estab. 2017)
• Late CD holds when collateral for loans
• Accounts with $0 balance for 60+ days
• OFAC on all CIF
• Geographic concentrations for loan types
• Concentrations by industry or borrower
• Loans >90 past due not on non-accrual
• Denied loan demographics, geography
• Flood zone exposure
• CAAT to identify overdrawn employee accounts
• Artificial Intelligence/Robotic Processing Auditing – data driven alerts
using Tableau
24
Types of Analytics/Visualization
• List compares
• Benford Analysis
• Trend lines
• Group comparisons
• Concentration mapping
• Bubble Charts
25
26
OFAC Testing
Customer
Information
Files
28
Sales Incentives Analysis
29
Split Limits (AML / BSA)
Who exceeded
the limit over
multiple days?
30
Geographic Concentrations
31
Remote Deposit Limit Analysis
32
Make a Deposit Analysis
33
Service and NSF Refunds/Waivers
34
Benford Analysis on A/P
35
Group Exercise
36
Polling Question
37
38
Learning Objectives (recap)
• Identify the diverse skills needed to accomplish data analytics
(DA) on small audit teams (hint - it's a group effort. Both IT and
non-IT skills are needed!)
• Overcome inertia and learn to establish a repeatable process for
DA with a focus on staff development
• List potential challenges to more successful DA efforts and
discuss ways to overcome these challenges
• Brainstorm ideas for quick wins and share examples of innovative
ways to provide enhanced assurance
• Practical examples from real-life DA in a small audit shop
39
40
References
• Internal Auditor April 2018, “Out of Step with Analytics”
• IIA Audit Executive Center’s 2018 North American Pulse of
Internal Audit
• Protiviti’s 2018 Internal Audit Capabilities and Needs Survey
• PwC’s 2018 State of the Internal Audit Profession
• Visual Risk IQ webinar series w/ Tableau
41
TELL US WHAT YOU THINK!
Evaluate this session right in the
IIA Conference App!
2
Fraud Defined
3
Fraud Defined
4
Fraud Risk
5
Factors Affecting Fraud Risk
6
FRAUD TREE
7
Fraud Risk Management
8
COSO Internal Control Framework and FRA
Fraud
Governance
Control
Monitoring
Activities
9
Polling Question 1
Please open the conference app to participate
10
Polling Question 1
11
12
Why Conduct a Fraud Risk Assessment
Risk identification
Risk analysis
Risk evaluation
Risk treatment
14
Fraud Risk Assessment Process
Establish the fraud
risk assessment team
17
Polling Question 2
18
19
Determine the Best Techniques to Use
Interviews
Focus Groups
Surveys
20
Elements of Good Fraud Risk Assessment
Protection for
Whistleblowers
21
Elements of Good Fraud Risk Assessment
22
23
Common Errors in Conducting Fraud Risk
Assessment (FRA)
24
Fraud Case Study - Facts
• XYZ won the tender for supply of office equipment.
• The price that XYZ quoted was almost twice the price offered
by nearest competitors.
• Some disgruntled suppliers (those who lost the tender)
complained.
• The matter was presented to auditors for a special audit.
• The tender process was repeated after the first process failed
to secure the winning bidder.
• XYZ had failed in the first tender for lack of experience but won a
few months later when the tender was re-advertised.
25
Fraud Case Study – Bow Tie Analysis
26
Fraud Case Study – Bow Tie Analysis
[Figure: bow tie diagram. Legend: C = RISK CAUSES, E = RISK EVENT, I = RISK IMPACT]
Labels on the diagram:
• Lack of investigation policies
• Tender
• Rejection
• Defective tender doc.
• Complaints
• Scope limitation
• Reputation
• Revision of selection criteria
• Price inflation
• Forgeries
• Loss of money
• Legal loopholes
• Missing docs
• Selective notification
• Aggression
• Lack of regulatory oversight
• Sanctions
27
Conclusion
28
If you find water rising up to your ankle, that's the
time to do something about it, not when it's around
your neck.
Chinua Achebe
29
2
Panel Members
Larry Harrington
Recently retired CAE for Raytheon Company. During career, held positions as CAE, and VP of Finance, HR and Operations
at Fortune 200 companies. Remains active in IIA; has served at local level and on NA and Global Boards (rising to
Chairman for both Boards). A frequent speaker, author and passionate supporter of the Internal Audit Foundation, and
elected into North American Hall of Distinguished Internal Audit Practitioners.
Patty Miller
Retired Risk Services Partner from Deloitte, serving technology, consumer and manufacturing clients in Bay Area. Held
numerous mid and senior management positions in Internal Audit, Finance, M&A, and Process Reengineering. Served in
multiple NA and Global volunteer roles, including Chairman of Board and Chair of Standards Board. Frequent speaker,
author, elected into the North American Hall of Distinguished Audit Practitioners, and recipient of the Victor Z. Brink and
William Bishop III Lifetime Achievement Awards.
CAEs as Leaders
Patty Miller
4
We welcome your questions and comments and look
forward to future discussions!
Larry Harrington
– harringtonlj@aol.com
Patty Miller
– pkmiller100@gmail.com
6
Beginning the Journey
into Internal Auditing
Insights, Stories and Tips for Success
from Expert Practitioners from Across
the World
2
My community ‘down under’
Sydney Harbour (left), Nepean River (right), Blue Mountains (below)
3
Wisdom of a global luminary
4
Long and winding road
21,024,000
minutes
5
Personal branding: storytelling and people listen
48 Publications
31 Conferences
7
Personal branding: making the world a better place
• White Ribbon Ambassador
• Aboriginal Health & Wellbeing
• Influencing the broader community
• Maintaining a Local Presence
8
Session context
9
Talking basics …
Process Scrubbing?
10
Session objective
11
Understanding stakeholder expectations
13
Getting started
14
Polling Question 1
Please open the conference app to participate
15
Polling Question 1
16
17
Session content - expand the thinking … 10 key features
Typical elements of the internal audit process
Content of today’s presentation
18
Planning – understanding
the context
19
Wisdom of a global luminary
—Norman Marks
Retired Chief Audit Executive, U.K. and U.S.
Author, Evangelist, and Mentor for Better Run Organizations
20
Environmental scanning is fundamental
21
• Severe drought
• Extreme fire risk
• Pole storage
• Near Fence
• Wild-fires break out
• Pristine Forests
23
Controls over currency processing operation
24
Polling Question 2
Please open the conference app to participate
25
Polling Question 2
26
27
Theft of cash … unbelievably it happened!
28
Controls over currency processing bypassed
Inherent Risk: Theft of cash. Note: Banknotes are highly liquid.
Strong control environment including:
• Impregnable physical security
• Rigorous employee vetting
• Movements under triple control
• Code of conduct reminders
• Custodianship under triple control
• Strict segregation of duties
• Senior staff hold keys & combinations
• Transactions computerized
• CCTV covers all banknote movements
• Passwords involve triple control
• Auto destruction damaged banknotes
• Daily scrutiny of records
• Daily reconciliation of all transactions
• Regular surprise cash counts
How the controls were bypassed:
• Long-term employee who was overlooked for promotion
• Stole passwords of 2 workmates; discreetly watched their keystrokes
• Entered false destruction transaction of $100,000
• Dropped physical banknotes in areas not covered by CCTV
• Retrieved banknotes later and snuck them out in loose clothing
Nobody noticed!
29
Essence of risk-based auditing
30
Fieldwork … and a ‘right
to audit’ (third parties)
31
Trust but verify …
32
Deep dive
• Higher-risk contracts: ‘right to audit’
• Third party security provider
• Contract to destroy hardware securely
• Escalated reputation and legal risks
• Paying for premium service; not getting
34
Fieldwork … decision-support
reporting (spreadsheet risks)
35
Determining key management reports
Common audit objective is to
Often from spreadsheets
37
Spreadsheet risks – recent surveys and polls
38
• Develop List of Key Reports
• Determine future IT solution
• Policy and f/work - develop; use; control
• Staff trained in risks, controls, f/work
• Utilize monitoring / checking software
40
Polling Question 3
41
42
Reporting creatively
43
Creative reporting
44
Root cause analysis
45
• Business Objective
• Obsolete Equipment
• Oil
• Flora and Fauna
• Creek
• Major River
47
Reporting on financial
stewardship
48
Meeting stakeholder expectations
52
Follow-up – reporting useful
and meaningful solutions
53
Reporting is structured … but flair is encouraged
Audit Report:
• Background information, risk profile, audit objectives, and scope (from engagement plan)
• Details of reportable observations and recommendations (determined from fieldwork)
• Holistic root cause analysis (based on analysis of observations undertaken by the team as a whole)
• Audit opinion (determined by the team leader in consultation with the auditors)
• Action plan (i.e. summary of recommendations once management comments are received)
54
Audit reporting
55
Delivering insights that help the business
• Punitive: “Gotcha” Mindset. Less valued insights
• Educative: Cooperative Mindset. More valued insights
56
Follow-up - ‘Telling the
Story’
57
Reporting on recommendations … beyond mundane
Insights that help the business
Low value
High value
Report on open recommendations – detail view
60
Report open recommendations – tell story (cont’d)
61
Quality people – attuned,
balanced and credible
62
Polling Question 4
Please open the conference app to participate
63
Polling Question 4
64
65
Wisdom of a global luminary
66
Common approaches to performance development
• Annual Reviews
• Professional Development
• Engagement Feedback
• Coach or Mentor
• Informal Feedback
67
The ABCs of auditing
Value Added
• Attuned: Knows the business and what needs audit focus
• Balanced: Applies a balanced approach to provide valued insights
• Credible: Regarded as credible in the eyes of stakeholders
68
Transforming from hindsight to insight … then foresight
Foresight
o Helping organizations prepare for the future
Insight
o Risks facing organization and control assurance in the here and now
Hindsight
o Assessing what happened in the past to provide control assurance
Source: Sawyers Internal Auditing 7th edition
69
Quality outcomes - scrutiny of
audit workpapers
70
Protecting an internal audit asset
One of internal audit’s major assets is its credibility with
stakeholders
It’s protected through ongoing monitoring of quality
There’s a need for quality control across all audit phases
71
Maintaining internal audit credibility
72
Range of external scrutineers
Categories shown: Routine, Stipulated, Special
• External auditors
• Regulatory auditors (industry specific)
• External quality assessors
• Regulatory review
• Special or royal commission of inquiry
• Coronial enquiry
• Federal or state
• Parliament committee investigation
• Corruption inquiry
• Fraud investigation
• Taxation compliance review
73
Closing
74
Wisdom of a global luminary
• Robotic Process Automation
• Conversational Commerce
• Internet of Things
76
Wisdom of a global luminary
77
Unleashing the power of storytelling
20 chapters covering the who, why, how, when,
what, and where of auditing
> 50 contributors from across the world
> 140 terms explained in comprehensive
glossary
≃ 70 exhibits with practical examples and
diagrams
> 50 references to useful published materials
36 stories on practitioner’s ‘favorite audits ever’
20 insights on ‘what practitioners love about
internal audit’
78
Wisdom of a global luminary
—Barbara Bush
Former First Lady, United States 1989–93
—Many successful internal auditors would reflect this
same sentiment!!!
79
There has never been a better
time to be an internal auditor!
Questions
80
2
Presenters
4
Presenters
Catherine Melvin,
Over 14 years leading performance and
financial audits. Made more than 140
management improvement recommendations,
questioned more than $10 million in costs
spent on unallowable, unapproved,
unsupported, or unreasonable items.
5
Polling Question 1
Please open the conference app to participate
6
Polling Question 1 – pie chart
a. Yes
b. No
c. Not Sure
7
8
How to start building your rainbow
9
Considerations
• Legislative Requirements
• Regulatory Requirements
• Standards
• Other Considerations
10
Legislative Requirements
11
Start building the Matrix
Legal Matrix
Columns: Citation; Short Title; Sec.A2102.004.; Sec.A2102.006.; Sec.A2102.007(b)
12
Start building the Matrix (Ex. 2)
Legal Matrix
Citation: ORS 184.360
Short Title: Internal Audits in State Government
(3): Adopt rules setting standards and policies for internal audit functions… consistent with industry standards
(4): Risk Assessment... Conforms with IIA and other recognized standards
(5): Peer Review every 5 years
13
Regulatory Requirements
14
Regulatory Matrix
Regulatory Matrix
Requirement: 2 CFR 200 Uniform Guidance
Subpart C—Pre-Federal Award: § 200.205 Federal awarding agency review of risk posed by applicants
Requirement: (a) Check Government repositories
Requirement: (b) Have a framework to evaluate risks PRIOR to award
Requirement: (c) Consider risk: (1) Financial Stability (2) Quality of Mgt Systems
15
Polling Question 2
Please open the conference app to participate
16
Polling Question 2 – pie chart
17
18
Major Standards
19
IIA’s International Professional Practices
Framework (Red Book)
– Applies to all auditors with IIA
certifications
20
GAO’s Generally Accepted Government
Auditing Standards (Yellow Book)
– Applies to all US audits over fiscal or
program activities executed with federal
funds
– Starting in 2019 includes Internal Controls
“Green Book”
21
International Standards of Supreme Audit
Institutions (ISSAI) Framework
– Applies to most international audits over
fiscal or program activities executed as
adopted by each country
22
Other Considerations
• Agency directive
• Management Purview
• Mandatory/Discretionary
• What HAS to be done
• What should be done
• What would you like to do
23
Combine the Matrices
Create your Rainbow
24
Find the Overlap
25
Your Rainbow
26
Put it together
Rainbow
Columns: Legal; Regulatory; Standards; Agency; Other
• Sec.A2102.007 (b) Free from COI
• GAO GAGAS '3.19 Avoid situations where 3rd party believe auditors are not capable of objective and impartial judgment
• IPPF 1120 – Impartial, unbiased attitude and avoid any conflict of interest.
• Cannot audit where worked for 2 yrs.
• Number of auditors and Funding
27
What’s left and what to do with it
1. Law
2. Regs
3. Standards
4. Agency
5. Management
28
Who can do this work?
Agencies or Departments
– Agency, Management Purview
29
Questions
30