Data & Analytics in Internal Audit. January 13, 2015

(1)

Data & Analytics in

Internal Audit

(2)

© 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International Cooperative (“KPMG International”), a Swiss entity. NDPPS 144455

1 With You Today

KPMG

■

Brian Greenberg, Director, Data & Analytics-enabled Internal Audit (National)

(3)

2 Agenda/Objectives

■

Current Trends in Data & Analytics, Technology and Continuous Auditing

–

Data & Analytics: A Maturity Model

■

Utilizing DA in Internal Audit

–

How to effectively plan an audit to maximize the use of DA

–

Efficiently utilize DA in the execution of core audit activities

■

Transformation into a Data & Analytics-enabled Internal Audit

Organization

■

Talent Management

–

Attributes of a highly effective Internal Audit DA team (in Internal Audit)

– Enabling Your Analytical Mind

(4)

3 Why use Data & Analytics in Internal Audit?

■

Continued pressure to “do more with less”

■

Expectations of IA to provide increased value

(5)

© 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 26125NSS

Audit Methodology-based Maturity Model

4 Traditional

Auditing

Ad Hoc

Integrated

Analytics

Continuous Risk

Assessment &

Continuous

Auditing

Integrated

Continuous

Auditing &

Continuous

Monitoring

Continuous

Assurance of

Enterprise Risk

Management

Maturity

Level II

Maturity

Level I

Maturity

Level III

Maturity

Level IV

Maturity

Level V

IA Methodology

IA

Methodology

Strategic analysis

Enterprise risk

assessment

IA plan

development

Execution and

reporting

Continuous

reporting

Data analytics are generally not

used

Data analytics are partially used

but are sub-optimized

Data analytics are effectively and

consistently used (optimized)

(6)

5 Current Trends: Data & Analytics, Technology and

Continuous Auditing

■

Convergence of Internal Audit and BI/CA/CM

■

CA/CM strategic development link to enterprise initiatives:

• Partnering with the business

• KRIs and KPIs

■

Enterprise Risk Management & Audit planning process

• Quantitative and/or continuous risk assessment

(7)

6 How Internal Audit Is Leveraging Data & Analytics

■

Audit Execution (most common)

• Meaningful insights; not lists of exceptions

■

Tactical efforts – e.g. FCPA compliance, proactive fraud detection, etc.

■

Audit planning – periodically identify changes in key metrics to drive

dynamic audit planning

■

Pre-fieldwork scoping

■

Adoption of risk-based testing methods instead of traditional sample

testing

(8)

7 Data & Analytics-enabled Internal Audit Process

Analytics-Driven

Continuous Risk

Assessment

Dynamic

Audit Plan

D&A enabled

Audit Workplan

D&A Audit

Scoping and

Planning

Data &

Analytics

Audit

Execution

Enhanced

Dynamic

Reporting

Data & Analytics

-enabled Internal

Audit

Operationalize into

repeatable and

sustainable analytics

Business

Monitoring

(9)

8 Client Issues to be Solved – Limitations of Traditional

(Audit and/or Enterprise) Risk Assessment Process

How is CRA different?

Continuous Risk

Assessment

■

Proactive

■

Continuous

■

Quantitative-enhanced

■

Dynamic IA Planning

■

Insights into

emerging and

changing risks

Traditional Risk

Assessment

■

Reactive

■

Annual or

Infrequent

■

Qualitative-focused

■

Results in static IA

Plan

(10)

9 Quantitative-Enhanced – Continuous Risk Assessment

■

Quantitative metrics (e.g., KPIs,

KRIs) which provide additional

insights for audit plan development

■

Focused on specific audit areas

during planning phase

■

Emerging risks out of IA plan

execution

Examples: Number of new contracts

signed, overtime fluctuations by location

Bottom Up

Start with Auditable Universe

Source: IA findings, system reporting

Top Down

Start with Risk Universe

Source: Management reporting, risk

assessment interviews, ERM results

■

Linkage to Enterprise Wide

Risks and Initiatives

■

Management KRIs/KPIs to

monitor the business

■

Segment/Function Reporting

Example: Target Revenue goals (%/$),

Market Fluctuations

(11)

10 Value of Data & Analytics-Enabled Internal Auditing

Year 1

Year 2

Year 3

Effort

Data & Analytics

Integration

■

Identify the “right” audits for

DA

■

Increase the number of

audits performed per year

■

Decrease the time required

to cycle through the audit

universe

■

Increase the scope of

specific audits

(12)

Prioritizing Your Audit Plan for Use of Data Analytics

Not a likely

candidate

Possible Candidate

Top Priority

Possible Candidate

Not a likely

candidate

Top Priority

Availability:

Is data available for the audited

process?

No

Comprehension:

Do your resources have the business

knowledge available to understand

the source data?

No

Yes

Data Quality:

Is the data being captured consistent

in nature and complete

No

Risk:

Does the audited process/area

represent a high concentration

of risk?

Complexity:

Is the data being obtained from 3

sources or less?

Is the time required to obtain and

validate the data low?

E.g., audit of a manually

performed control

E.g., audit of a complex

process without front end

support of process owner or IT

No

E.g., exploratory audit

or profile of a process

No

Yes

E.g., OTC

or P2P audit

Yes

Repeatability:

Will the audit be performed multiple

times using a similar data source (e.g.

same ERP or quarterly audit)?

No

Yes

E.g., T&E

audit

E.g., P-Card

audit

(13)

Audit Preparation and Fieldwork



Define Audit Objective(s), Develop Analytics enabled Audit Work Program



Understand the process and transaction flow



Understand underlying data structure and availability



Determine what analytics are relevant in achieving the audit objective(s)



Refine audit work program if necessary and design the analytics based on the work program steps



Define “exceptions”

Audit

Management



Acquire data (extract, transform, load)



Assess data

–

Completeness & Accuracy

–

Quality

Data

Management



Develop and execute analytics (i.e., script, program, etc.)

–

Validate results



Validate with business owner(s)



Confirm audit objective(s) achieved



Refine and re-execute procedures, if necessary

Data

Analytics

Extract

Transform

Load

Assess

Develop

Execute

Validate

Refine



Research exceptions



Interpret results – “tell the story”



Follow-up with process owners



Determine root cause



Issue Audit Report – present results and consider future continuous auditing relevance



Issue Pilot Results – Compared to success criteria

Analyze and

Report

(14)

Integrating data &

analytics

(15)

14 Audit Cycle Enabled with Data & Analytics

Planning /

Scoping

Fieldwork

Enhanced

Reporting

• Workplan

• Data Request

• Data Validation

• Data Transformation

• Pre-Fieldwork Scoping

• Analytics Execution

• Aggregation of Results

• Interpretation of Results

• Validation of Results

• Risk Profiling and Analytics

• Performance Profiling and

Analytics

(16)

15 Planning / Scoping

■

Calculate population statistics

■

Stratify (histogram)

■

Relationships (PO vs Invoice

count)

■

Heat map (identify outliers)

■

Data Discovery Tools

■

Understand and map the data

flow

Days Sales Outstanding by Location

0

20

40

60

80

100 Location 7

Location 20

Location 16

Location 11

Location 2

Location 3

Location 5

Location 14

Location 4

Location 13

Days Sales Outstanding

Country

Sales

Commissions

Commission

Percentage

CN

1,399,454

31,902

2%

LT

960,425

28,812

3%

KW

845792

42,289

5%

OM

452,965

22,648

5%

(17)

16 Fieldwork

■

Process walkthrough

• Ask questions based on insights from analytics

■

Detailed testing

• Include highest risk samples identified during analytics

■

Perform additional analytics to support the audit objectives /

observations

(18)

17 Example of Traditional Audit Analytics

Traditional analytic techniques generate one spreadsheet per test

Routines:

1. Missing Receipts

2. Late Expense Submissions

3. Potential Duplicate Submissions

4. Suspicious Keyword Search

(19)

18

(20)

19

(21)

20

(22)

21

(23)

22

(24)

23 Key Questions To Consider

Which departments had the highest rate of indicators?

Which employees seemed to violate the policy most frequently?

Are there transactions that were identified in multiple tests?

Aggregation and data visualization allows auditors to dynamically review

the results of analysis by drilling into multiple dimensions within a single

screen.

(25)

24 Reporting

Analytic

Unvalidated

Results

Potential

Impact

($)

Payment Line

Without Vendor

4,748

7,821,454

Voucher Line

without PO

4,734

6,335,398

Receipt Not

Completely

Vouchered

3,791

5,973,342

Invalid PO

1,215

3,995,356

Voucher Line /

Receipt

Mismatch

2,646

3,012,094

PO Line Not

Completely

Received

397 2,949,804

Payment

Without PO

324 2,778,010

Suspicious

Voucher

Processing Date

545 1,192,493

Analytic

Unvalidated

Results

Potential

Impact

($)

Validated

Results

Impact

($)

Payment Line

Without Vendor

4,748

7,821,454

782 561,912

Voucher Line

without PO

4,734

6,335,398

750 1,783,129

Receipt Not

Completely

Vouchered

3,791

5,973,342

3,791

5,973,342

Invalid PO

1,215

3,995,356

187 234,783

Voucher Line /

Receipt

Mismatch

2,646

3,012,094

1,543

2,673,527

PO Line Not

Completely

Received

397 2,949,804

0

0 Payment

Without PO

324 2,778,010

0

0 Suspicious

Voucher

Processing Date

545 1,192,493

54 842,942

• Avoid reporting

un-validated analytics

Don’t just present

results, tell a story

(26)

Transformation into a

Data &

Analytics-enabled Internal Audit

Organization

(27)

If it were that easy…

■

Data & Analytics Challenges

• Access to quality data

• Analytics not achieving audit objectives

■

It’s not about “Big Data” Tools

• There is no silver bullet

• Can’t buy success

■

Successful use of analytics relies on

• Change in Mindset

• Skilled Resources

• Integrated Methodology

• Managing Time and Expectations

(28)

Where and How to Begin?



Refine Strategy/Roadmap



Audit Planning versus Audit Execution



Quantitative-enhanced, Continuous Risk Assessment Process to Facilitate Dynamic Audit

Planning



Audit Execution



Annual Audit Plan Prioritization – Green, Yellow, Red



Audit work program Analytics Enablement



Macro analytics for scoping



Micro analytics for audit execution



Link analytics-based test to audit objective



Consider repeatable and sustainable opportunities (e.g., continuous auditing/monitoring)



Penetrate and radiate across the audit universe



Pilot process



Develop Tactical Plans

(29)

Transformation of Traditional Internal Audit to a Robust

Data Analytics Enabled Program – Roadmap



Define the objectives you are trying to achieve



Identify key stakeholders and define the success criteria and related measurements



Build an effective business case



Consider use of a pilot to validate strategy and support business case

Develop a

Strategic

Plan



Design governance and reporting structure for continuous auditing activities



Evaluate data analytic skills and competencies



Integrate data analysis into IA methodology and processes



Evaluate and select technology tools



Consider use of a pilot to validate tactical plans

Develop

Tactical

Plans



Manage organizational change (internal to Internal Audit and business facing change)



Design and deliver trainings



Identify focus areas for implementation to satisfy strategic objectives



Design and establish data connection/extract; analysis; and reporting mechanisms including

risk-and performance-based analytics, dashboards, scorecards, reports risk-and alerts, etc.

Design and

Execute

Implementat

ion Plans



Manage organizational change (internal to Internal Audit and business facing change)



Regularly evaluate program for effectiveness and refine as necessary



Consider additional areas for expansion and maturity



Evaluate opportunities to extend into the business

Continuous

Program

Evaluation/

(30)

Transformation of Traditional Internal Audit to a Robust Data Analytics

Enabled Program

When transforming a traditional internal audit program to a robust DA enabled program, consider People, Process

and Technology



Compile a profile/job description for

personnel required for the DA

program



Identify personnel within the

organization that have the required

experience/skills; consider other

sourcing opportunities if required

skills/experience are not resident

within IA



Develop a training program

–

Techniques

–

Tools

–

Results Interpretation



Develop program “champions” by

providing personnel with the

appropriate skills/experience with

the training program



Develop a DA audit methodology,

including:

–

Risk Assessment

–

Audit Candidate Profile

–

Procedures to transform an audit

candidate to a DA enabled

program (e.g., incorporating DA

into planning, scoping,

procedures, etc.)

–

DA reporting

–

Develop DA KPIs



Tool(s) selection



Tool usage maximization



Data availability/understanding/ETL



DA tool obsolescence

monitoring/prevention

(31)

Implementation (and sustainability) challenges

General



Determining and establishing consensus on objectives and success criteria



Measuring and demonstrating success



Limited resources (technology and human know how)

Data Availability and Quality



Lack of access to data



Disparate information systems with different data formats



Incomplete data sets, inconsistent data quality



Data privacy/security issues to navigate

Data Analytics



Inability to effectively leverage data analytics to achieve audit objectives



Definition of “exception;” addressing “false positives” and “false negatives



Workflow around exception resolution; managing volumes of exceptions

Change Management



Managing impact of CA/DA processes on auditors and other business processes (e.g., change in mindset,

(32)

(33)

32 There Is A Learning Curve

Skill

Level

Time and Experience

(34)

© 2013 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 192969

33 Critical Thinking and Data Analytics

■ Analytical mind - scientific method approach

■ Understands business process alignment with data flow

■ Embraces technology

■ Curious/inquisitive balanced with disciplined/methodical

■ Trial by fire, willing to learn, to fail, to figure it out

(35)

© 2013 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS 192969

34 “Super Auditor” Capabilities

■ Business Acumen

■ Accounting Foundational Skills

■ Process Assessment and Improvement

■ IT Background

■ Data Analytic Specific Core Competencies and Skills

–

Tool Skills (MS Access, SQL, IDEA, QlikView)

–

Data Management

(36)

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although

we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is

received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice

after a thorough examination of the particular situation.

© 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International Cooperative (“KPMG