Data Analysis Process Is A Multi Risk Process. EuroCACS 2013 Session 211

(1)

Data Analysis Process

Is

A Multi Risk Process

(2)

Your lecturer

Business processes in the modern world

Data Analysis: Definition

Why we need DA?

Related Standards

(3)

A review of risks involved in the Data

Analysis Audit “DAA”

Case Study based on the survey stage

Combined Survey in comparison to a

regular survey

(4)

Content

(3)

Case Study Review

List of Inherent Risks in the case study data

analysis process vs. inherent risks in the DAA

Conclusion

(5)

Your Lecturer

(1)

Aya Steiner, CPA, CISA, CIA, CRMA,

Born in Tel Aviv, Israel; in 1972.

Lives with a partner, 2 sons and a Persian cat.

B.O.B in Business & Accounting

Experienced in identifying and quantifying

business, operational

&

IT risks

Has high level of experience in programming

audit codes in various data analysis software

(6)

During the past 13 years, has filled several roles

in industrial, financial, retail & government

sectors in Israel.

Areas of expertise:

(1) Internal Auditing

(2) IT Auditing

(3) Data Analysis Auditing

Member of the Israeli Chapter Council and a

member in several committees

(7)

Your Lecturer

(3)

Initiator, lecturer & manager of the Data

Analysis Auditor certification program in

(8)

Business processes in modern world

Behind every business process there is at least one DB and at least, one or more, computerized systems

In every business process, an auditor needs to cope with the increase of:

(1) exposure to failure due to complexity of business IT process

(2) the constant growth in data volume (3) the quantity & complexity of IT

(9)

Business processes in modern world

One should also consider the constant growth in the

number and variety of:

(1) products

(2) change rate of procedures

(3) rules & regulations in each country &

worldwide

(4) The human Factor – experience, skills &

abilities of auditors and audited *

(10)

Business processes in modern world

IT systems are critical in achieving competitive advantage The number of procedures & regulations needed to be implemented and observed in IT software in order to accomplish compliance is horrific

Each computerized control / check demands an organized process of characterization

The cost and vast amount of financial resources needed – Thus The gap…

(11)

Business processes in modern world

The range, scope and sophistication of embezzlements and frauds

A much higher proficiency, experience, caution* and know-how are required from the auditor

An increasing need for implementing technological audit tools in the audit process

(12)

Data Analysis Definition:

(1) Investigating and analyzing data from different

computerized systems and environments

(2) Identifying business & IT risks

in the audited processes

(3) Using automated means as much as possible

(4) Achieving change from raw information

into relevant, reliable and presentable

knowledge in the audit report

(13)

Why do we need Data Analysis?

Generally the use of data analysis methodology

can achieve:

(1) Effective identification of business and IT audit

risks on the whole.

(2) Effective and relevant response to the audit

risks.

(3) Quantification and evaluation of anomalies and

irregularities

(14)

Why do we need Data Analysis?

(2)

(4) To achieve substantial increase in the quantity

of anomalies and irregularities identified in the

audited

(5) To increase quality of generated products from

the audit process as well as locating

(15)

Why do we need Data Analysis?

(3)

(6) To implement checks, which in the past, were

done only by computer programmers

(7) To achieve assurance of manual and

computerized controls

(16)

Related Standards

(1)

International Standard No.G13 - Risk evaluation

Audit Risk:

The risk of false presentation in financial reports. This consists of:

(1) Inherent risk

(2) Control risk

(3) Detection risk

All the above deal with possible risks the audit team will not expose substantial errors.

Data analysis can effectively, efficiently and reliably deal with the above audit risks as a whole

(17)

Related Standards

(2)

International Standard No.G16 – Data Analysis Technologies

(1) States that the DA process creates inherent risks of its own

(2) Talks about the significance of choosing well trained professionals for conducting the DA process

(3) Gives several examples of inherent risks in the DA process

(18)

List of

General

risks in “DAA”

(1)

1) Data analysis process is a structured process which combines the need for knowledge, experience and extreme caution in conducting the process in general

2) Each Stage of the data analysis process is based on previous stages - thus the particular need for

(19)

(3) Failure in one of the stages, or sub stages, of the process, can directly & profoundly affect the relevance and quality of the final product

(4) Need for comprehensive knowledge of IT software in general

(5) Acquaintance with different kinds of data bases

(6) Programming skills & logical comprehension

(20)

List of Inherent risks in DA Process

(1) Inadequate Population – refers to the risk that the

designated and received audited population would not reliably reflect the audited process, be partial or false

(2) Definition of anomalies and irregularities can be insufficient – this refers to the risk in the survey

(21)

(3) The need for high level of experience in identifying

risks and irregularities – refers to the risk that a data

analysis auditor might not be experienced enough to

identify risks or irregularities in the computerized checks

(22)

(4) Comprehending the business operation and IT

audited process – refers to

one of the biggest risks in the data analysis process.

If the auditor doesn't comprehend the layers of the audited process, he may incorrectly understand and conclude various kinds of data information

(23)

(5) QA of the data auditor process as a whole –

refers to the risk that the

data auditing process

, at

each of its stages, will not be audited by a

professional & experienced data analysis

audit

manager

This will directly and profoundly inflict on the quality

of the data analysis products and their relevance

(24)

(6) The use of reports received from the audited, refers

to the risk that the data analysis auditor will choose

to accept / receive the raw data needed from the system reports which are not characterized properly (7) The use of data stored in non-operational systems of

a business, refers to the risk the auditor will use

(25)

(8) Incorrect, or partially correct files received

from operational systems refer to the risk

that the data analysis auditor's work will be based

on partial or incorrect files

(9) QA stage refers to the risk that the

data analysis auditor will not perform all the

necessary QA checks

(26)

(10) Computerized audit checks – refer to the

risk that the logic used by data analysis

programmers might not be sufficient or

adequate

It may cause a situation whereby irregularities

might not surface at all

(27)

(11) An unskilled data analysis auditor can

wrongly neutralize records, define inadequate

keys needed for joining files, compare data of

various report periods, thus, not extract all

inherent possible irregularities

I saw this risk occurring too many times…

(28)

(12) Success in the verification stage – refers to risk that although the data analysis auditor has done his work correctly at the audit verification stage, he will not be able to receive confirmation on findings and

irregularities (already) found.

The ability to bring findings as well as closures is a

critical skill and ability for the success of the process as a whole

(29)

Case Study

Company X

One of the biggest retail companies in Israel

Based on the survey stage of

Data Analysis methodology carried out

in

(30)

Survey Stage

The survey stage is the first stage conducted by the

auditor. In this Stage the auditor collects information about:

(1) The audit scope (2) The audit process

(3) All information systems which support the process (4) Past audit reports; procedures and SOX

(31)

One survey in which the audit process is reviewed in several dimensions parrarely and in different

combinations and scopes: (1) Internal audit

(2) Classical IT audit (3) Data Analysis audit

(32)

The combined survey audit provides a

comprehensive picture of the audited

process

The implementation of the combined survey

stage enables implementation of a number

of different audits parrarely in one audit

process

(33)

The combined survey stage can

significantly reduce overall resources

needed to conduct each audit separately

The combined impact of conducting one

combined audit is higher than the impact of

each audit separately

(34)

Case Study

Stock taking Process in

one of the largest retail

companies in Israel

Company X

(35)

Case Study – Company X

Stage 1

Review the survey stage in an audit of the inventory stock taking process… Each time with a different auditor:

Further General Information

The budget designated for each audit separately is limited – 150 hours per audit

A considerable part of each separate audit is allocated to preparation hours of the audit as well as time for writing and presenting the report separately

(39)

Case Study – Company X

Further General Information

1. The company sells a variety of brands of its products in chain stores all over the country

2. All brands are physically managed in one logistical center

3. Each brand is stored in a different physical area in the main warehouse

(40)

Additional information

gathered during the survey done

by the

DAA

(4) Identifying additional data analysis tests which can “close” all pre identified exposures which used to be done in the past only by programmers.

(5) Verifying suspicions of exposure by repeated questioning of several audited parallely

(50)

Some real survey process products found

in the implementation of Combined Hat

based on the above case study:

(1) A computerized problem was identified during stock taking preparations, which had left “inventory” in virtual warehouses

(2) High volume of stock difference rates was identified, on item level, in one of the brands and in specific

(51)

Some real survey process products found

in the implementation of Combined Hat

based on the above case study:

(3) A problem of quality assurance of incoming inventory into the warehouses was identified.

(4) A problem in the item building process, was identified. (5) A profound and problematic logistical behavior was identified.

(52)

List of Inherent Risks in the case study

data analysis process

Parallel risk likelihood in the case study

General Inherent Data Analysis Risk

The business operation and IT audited process combined were very complex

1. Comprehending the business

operation and IT audited process 2. The need for high level of

experience in identifying risks and irregularities

Item management is different for each brand

Warehouse manager is new & withholding information

Different behavior in one brand which caused an inherent stock taking problem

(53)

List of Inherent Risks in the case study

data analysis process

Identifying different unique item keys for each brand

Comprehending the meaning of table fields and values in fields

No duplicate transactions were found by keys given by IT

manager

A complex structure of positive & negative transactions in system tables

(54)

List of Inherent Risks in the case study

data analysis process

Computing positive & negative transactions

Computerized audit checks – refers to the risk that the logic used by data analysis programmers might not be sufficient or adequate

A combined IT & managerial problem was identified during stock taking preparation

A problem of QA of incoming inventory was identified

(55)

List of Inherent Risks in the case study

data analysis process

The very complex DAA work was done by a very professional and experienced DAA & Programmer who worked according to a