How a university audit team became senior leadership s trusted advisors. September 14, 2017

Transcription

1 How a university audit team became senior leadership s trusted advisors September 14, 2017

2 Presenters Curtis Josey Jr. Data Analytics Manager Audit Office, Cornell University Mark Perry, CPA Audit Director Audit Office, Cornell University Nonie Dalton Senior Product Manager ACL

3 Agenda Background Key Objectives Challenges & Opportunities Audit Technology Use Q & A

4 Background

5 Quick Facts ~ 16,600 Year Founded Colleges and Schools Faculty and Staff ~22,900 $5.7B >250K Students Endowment (2016) Alumni

6 Certified Competency University Audit Office Core Services Audit Assurance Fraud Investigation IT Risk Assurance Data Analytics Management Advisory ACDA CIA CISA CFE CPA

7 UAO Audit Analytic Timeline Acquire Talent Acquire ACL licenses, hardware, and training First Project Need (too big for Excel) Predictable Acquire Tableau Gain Data Access Standardize Scripting Start Continuous Assurance Program Repeatable Sustainable Scalable Transferable to Units/Management 2017+

8 Key Objective

9 Key Objective: Be a Trusted Advisor Internal auditing is designed to add value and improve an organization s operations. Definition of Internal Auditing, The Institute of Internal Auditors Management appreciates receiving relevant and timely information. Lisa Lee, Vice President, Audit [A]uditors should [focus] on increasing value to the business, positioning internal audit as partners in strategy. Brad Ames, Internal Audit Director The Institute of Internal Auditors, February 2017

10 Integrating Audit and Analytics Relevant & Timely Audit Approach Traditional Audit Ad-Hoc Analytics Continuous Auditing OR Monitoring Continuous Auditing AND Monitoring Planning and Risk Assess Discovery / Visualization Execution Reporting Descriptive Diagnostic Proactive Sub-optimal Use Fully Integrated

11 Traditional vs Continuous Audit Activity Value Traditional Continuous Relevancy Once every 3 5 years Daily, Monthly, Quarterly, etc. Verifiable Often a spreadsheet or report extract Direct access from system of record, restricted to a read-only format Efficiency Interrupts normal business process and operations for the duration of the activity. Streamlined to reduce administrative burden on business units; unit audits are faster and more focused Insight Based on sampling of aged data Based on 100% of data Report Lengthy report (10+ pages) process Storyboards & streamlined reporting Impact One-time management awareness Facilitates management s ongoing awareness, monitoring capabilities, and ability to make timely corrections

12 Challenges & Opportunities

13 Challenge #1: Continuous Auditing Trigger words for management Does management want to be audited forever? Units may not care about audit efficiency Workload concerns Who will remediate issues identified? How will the remediation be tracked? Will management be put in negative spotlight? How will results and conclusions be reported?

14 Opportunity #1: Continuous Auditing Timely Assurance First impressions count, use positive framing Find a champion in management Provide a path for management success Emphasize relevant perceived value Minimize administrative burdens

15 Challenge #2: Data Acquisition Policies and Procedures Decentralized, no one person provisions all data access Each Data Steward may use different provisioning process Audit charter not mentioned in data policies Practices Historical trust deficit between audit and units Change: ad-hoc spreadsheets to direct database access Data of value spread across multiple systems Net Result = Worthwhile investment, commitment required

16 Opportunity #2: Data Acquisition Build Trust & Relationships Data providers, subject matter experts, technology staff Socialize changes to leadership Be transparent Data Protection Plan Create written information security program (WISP) Document data management lifecycle Data Access Agreements Negotiate and formalize regular and on-going data access

17 Challenge #3: Auditing What Matters Perception based on historical audits Tests with limited perceived value Too many false positives Focusing on all non-compliance vs impact of non compliance Aged data used for analysis Infrequent audit activity Tests in areas where there is no champion

18 Opportunity #3: Risk & Value Ranking Risk Assurance Timely Assurance Win - Win Business Value

19 Audit Technology Use

20 ACL Technology: Communicate Insight Quickly How quickly can you find the biggest outlier

21 ACL Technology: Results (Lite) Module INSIGHT: Quality information supports internal controls, and effective decision-making

22 ACL Technology: Beyond Timely Assurance Accelerate audit work Setting management up for success Policy advisories

23 Signs of Success Timely, fact-driven, forward-looking risk monitoring Analytics integrated into the entire audit process Clients ask about audit tools for operational use Management proactively addresses risks Audit now has a seat at the table Senior Leadership wants more! Issues Time Management Audit

24 Key Takeaways Acquire Talent Acquire Tools Build Competency Find a Champion / Build Relationships Data Access Agreement / Protection Plan Leverage ACL integrations Consider a blend of agile audit and advisory work Enhance Communications

25 Questions?

26 For more information contact: