Leveraging Data Analytics to Expand Audit Coverage and Add Organizational Value Clint McPherson Managing Director, Dallas, TX Cindy Hart Manager, Dallas, TX
Setting the Stage - Data Analysis Defined Data Analysis CAATS Data Analysis is. the extraction of data from a client s information system in order to perform data selection, classification, ordering, filtering, translation, and other functions to provide the client with information about their business Data Miningi processes 2
What is Data? Name Div Sales Amount Employee ID Transaction Date User Name Transaction Type Quantity Customer Number Price G/L Account 3
Data Becomes Reports Name Div Sales Amount Employee ID Transaction Date User Name Transaction Type Quantity Customer Number Price G/L Account Data File Inventory Report Warehouse Part Description Quantity Unit Cost Extended Cost Quantity 1 5340 XJ4701 540 1.65 891.00 Part Number Unit Cost Client Application Program Warehouse Number 10 5560 1 5560 LN502 1005.79 793.95 4 4061 SR437 6057.85 5148.45 4 9011 CF605 275 2.25 618.75 LN502 850.74 629.00 10 4831 JR864 579 1.15 665.85 4
With Data Analysis YOU Design Reports Name Div Sales Amount Employee ID Summarized by Part Number Transaction Date User Name Transaction Type Quantity Customer Number Price G/L Account Data File Extensions & Footings Verified Quantity Part Number Unit Cost Cust Name Cust ID Data Analysis Techniques Excess Inventory Warehouse Number Unusual Items 5
Benefits from Internal Audit s Use of Data Analytics Benefits Include: Increased testing coverage (100% of population) Improved timeliness of testing Greater visibility Independent testing Creation of Fraud Testing Environment Improved consistency More efficient allowing focus on overall process efficiency and effectiveness Cost-effective solution Greater confidence in your SOX initiatives The Auditing Profession is entering the Age of Continuous Auditing This is the Fourth Age -- (Age of Inspection & Re-performance, Age of Control Focused Auditing, Age of Risk Based Auditing) Annual Audits are being viewed as untimely and obsolete Internal Control issues are expected to be reported almost immediately 6
The 6 Elements of Infrastructure Policies define processes Process assigned to key owners Informed decisions based on reports Information facilitates definition of controls Automation and data integrity meet needs Business Policies Business Processes People & Organization Management Reports Methodologies Systems & Data Risk if element is deficient: Process does not carry out established policies or achieve intended result People lack the knowledge and experience to perform process Reports do not provide information for effective management Methodologies do not adequately analyze data and information Information is not available for analysis and reporting 7
Critical Success Factors & Common Pitfalls Business Policies Business Processes People & Organization Management Reports Methodologies Systems & Data Focus on what matters: Fraud, Waste & Abuse Compliance Business Performance Monitoring Risk across the Organization Link the program to business objectives Articulate the specific benefits of investing in a program and the implementation strategy 8
Critical Success Factors & Common Pitfalls Business Policies Business Processes People & Organization Management Reports Methodologies Systems & Data Define a high-level process Inputs Activities Outputs Identify source of inputs How is information captured? How will inputs be validated? Determine types of activities that will be performed Data Analysis & Investigation of Anomalies Manual Audit Procedures Identify expected outputs & audience Define periodic reporting process 9
Critical Success Factors & Common Pitfalls Business Policies Business Processes People & Organization Management Reports Methodologies Systems & Data Obtain executive support for the program Identify all key stakeholders Champion Program management and executers Data providers Recipients of detailed results and periodic summaries Understand needs of key stakeholders Obtain buy-in for program from key stakeholders Identify and develop required skills & competencies Identify and address organizational obstacles 10
Critical Success Factors & Common Pitfalls Business Policies Business Processes People & Organization Management Reports Methodologies Systems & Data Identify data requirements for the program What information is required? Where is that information stored? Who can provide the information? Design a standard data request format Timeline Source & Required Data Background Information Define data validation process & reporting Define reporting requirements by stakeholder What information does the audience want and what questions do they want answered? How will detailed results be summarized? Who will make conclusions based on the results? 11
Critical Success Factors & Common Pitfalls Business Policies Business Processes People & Organization Management Reports Methodologies Systems & Data Define test scope & tolerances Develop testing procedures ( rules ) Select or build application, if applicable Understand standard queries Select applicable procedures Embed queries into application Test logic and confirm results Provide adequate training to applicable stakeholders Automate as many rules as practical System-based audit targets Manually-intensive audit targets 12
Critical Success Factors & Common Pitfalls Business Policies Business Processes People & Organization Management Reports Methodologies Systems & Data Understand how applicable data is captured & reported in operational and financial systems Procurement through Payment Sale through Cash Application Payroll & Expense Reimbursement General & Sub-Ledgers Bank information External Databases Understand system interfaces (automated & manual) Advocate automating data capture where practical Know the audit tools available and their capabilities Select the right tools for program/procedures Focus on driving efficiency over time vs. initial investment 13
So, this is all great stuff Clint but how do we use this and what are some good examples?
Data Analysis - Suggested Approach 15
Possible Examples for Consideration G/L and Journal Entry Examples Travel and Entertainment Examples Benford s Law on Journal Entries by User Journal Entries identifying outliers (Uncommon Accounts, Profit Centers, Cost Centers) Manual Round Dollar Entries Unusual Posting Dates/Times Analysis of Split Entries (Entries just below Approval Threshold) Analysis of Suspense, Clearing, and Intercompany Accounts Credits vs. Aged Invoices Reversed Month End Journal Entries Entries within Accounts Inactive Accounts Entries Calculate and sort percentage variances in GL accounts between periods Spend by Employee Large Dollar Expenses Identification Analysis of Expenses by Employee (just below threshold, Non-Timely Expense comparison of employees Submission expensing duplicates, expensing airfare but no hotel (vice versa), expensing car but no airfare, etc) Analysis of MCCG and MCC of T&E or P-Card Transactions Benford s Law Analysis on Employee Expenses Expense Dollar and Volume Stratification Inactive Employee Spend Analysis Spend by Expense Type Expense Analysis by Category (e.g., Airfare, Office Supply, Cell Phone, Professional Dues) Per Diem Expense Identification and comparison to trips, policy threshold, and potential duplicates in meal reimbursement and per diem Duplicate Expense Submission Analysis of Weekend Transaction Dates Analysis of No Activity from Personnel in Expense-Centric Departments 16
Case Study 1 Background Organization: Global management consulting, technology services and outsourcing company with offices and operations in more than 50 countries and annual revenues in excess of $21 billion. Internal Audit (IA) personnel were using ACL to perform limited analyses as part of quarterly company-wide Journal Entry (JE) reviews of more than 13 million journal entry lines. All analyses were performed manually through the ACL graphical user interface. IA personnel were using Excel to perform limited analyses for employee Time & Expense (T&E) testing. Implement routines (i.e., scripts) in ACL to automate the existing limited JE and T&E Project analytics. Objectives Create additional automated testing routines to be executed ec as quarterly Continuous o Controls Monitoring (CCM) procedures. 17
JE Testing Overview Quarterly Company-Wide JE Review Data integrity testing such as reconciliation to control totals, analysis of reporting period, search for blanks in key fields, etc. Analysis of JE approvers to those on authorized list, analysis of manual and automated entries by document type, identify entries where document header or line item text is blank, etc. CCM: Data Exploration Classify unique values for key data fields including: company code, transaction code, manual vs. automated flag, year/period, and currency Statistics on amount and posting date fields CCM: Duplicates Testing Identify duplicates (same account and amount) for manual JE s CCM: Fraud Analytics Keyword search for items such as plug, miscellaneous, temporary, adjust, etc. Entries posted in top 10 countries in the corruption perceptions index listing All manual JE s with same person to enter and post CCM: High Risk Account Entries Identify all entries posted to high risk accounts CCM: Timeliness of Postings Analysis Calculate number of days between JE entry and posting dates 18
T&E Testing Overview General Data Overview Create record count and dollar amount totals by Year and Month (i.e., to reconcile to control totals) Classify unique values for key data fields including: expense type and entry date Identify the top 100 highest and lowest transaction amounts Statistics on amount field T&E Population Analyses Identify transactions just under $25 threshold for receipts per US Policy Extract all transactions that are round multiples of $100 Approval threshold analyses for certain expense types per policy, including : Training / Publication > $500, Business Meals > $1,000, and Travel / Other > $500 Identify potential duplicates using multiple sets of criteria Expense Type Analyses Identify all transactions for certain expense types assessed to be high risk, including: Gifts, Floral, Tickets, Promotional Items, Miscellaneous, Non- Std Office Supplies, Technology Supplies, and Charitable Contributions Key Word Search Keyword search for items assessed to be high risk such as gift, car repair, rent, pet, movie, apartment, doctor, furniture, laptop, p clothes, tuition, laundry, etc. 19
Summary Of Value JE Testing Sample Results from One Quarter Reduced amount of time to perform quarterly JE review procedures including manual analyses through the ACL GUI from approximately 40-60 hours to 15-20 hours Additional CCM test results: 5,500 journal entries (more than 28,000 journal entry lines) where same individual entered and posted the JE Nearly 15,000 JE lines just under the $25K approval threshold 137 JE lines with the word plug, 7,800 JE lines with the word miscellaneous, and nearly 5,000 JE lines with the word temporary 164 JE s where the posting date was more than 30 days before the entry date More than 75,000 journal entries posted in countries in the top 10 of the Corruption Perceptions Index, including nearly 30,000 journal entries with line amounts greater than $25,000 T&E Testing Sample Results from One Quarter Identified more than 2,500 expense transactions with the word wine, 175 containing the word laundry, more than 150 with the word golf, 25 with the words doctor or surgery, 17 with the word clothes, and12 with the word ipod. Identified nearly 5,500 transactions with round dollar amounts that are multiples of $100 Identified for additional testing all transactions requiring separate approvals per policy, including 875 transactions exceeding the business meal threshold, 325 above the training/publications threshold, and more than 7,500 exceeding the other expense threshold. Identified more than 8,000 potential duplicate transactions with the same Personnel Number, Expense Date, Charge Code, Expense Type, and Amount. 20
More Examples for Consideration Procure-to-Pay Examples Order-to-Cash Examples Information Technology Vendor Master File Analysis # of Inactive Vendors with Activity Payments to Inactive Vendors Duplicate Vendors, Invoices, Payments Analysis of Cash Receipts and Verifying i access rights are in Timely posting compliance with policy/templates Customer Credit ranking aligns with Policy Requirements (amounts, authorization) and Perform Analysis on Customer Activity (payments and credits) Analysis of Write-off Transactions (authorization, timeliness) DSO Analysis by Order Date, Bill Date and Payment Received Date Vendor to Employee Match Benford s Law Analysis - Invoice, Payments, PO, and/or Credit Analysis Missed Discounts Late Payments Authorization and Analysis of PR, PO, Date, and Payment Received Date Invoice, and Payment Analysis of Unfulfilled Customer Purchase Orders Aging and Analysis of AP and Credit Processing User Analysis between Processing Holiday Activity A/R invoices, posting to the sub- Void/Reissue Payment Analysis ledger, and cash receipts Payment Gap Analysis Analysis of Customer Account Aging Holiday Activity User Analysis between Vendor Setup, Voucher, and Payment Processing Analysis of Debit Memos/Adjustments Analysis of Overpayments/Refunds (unused credits) Multi-system segregation of duties analysis Last user sign on Comparison to employee master records Duplicate employee IDs Change Management authorization New Hire/Terminations i Problem Management Analysis Analysis of system logic to verify procedures (e.g., write-offs, refunds) are programmed accurately Report benchmarking determine the accuracy of system reports by utilizing actual transactional and master data (i.e., compute what the values should be based on business rules and then compare to actual monthly reports) 21
Sample Results - Supplier Statement Audits Supplier statement reviews can be a significant driver for identifying unused credits or outstanding checks, which result in near term cash recovery. Example Vendor Credit Summary B ERP 1 ERP 2 ERP 3 Root Cause Count Dollar Count Dollar Count Dollar Adjustment 1 $889 9 $35,042 1 $126 Duplicate payment 16 $40,598 18 $63,790 3 $10,430 Overpayment 24 $18,009 21 $53,345 13 $10,626 Rebate 3 $1,858 37 $28,284 - - Return 26 $126,307 51 $52,123 6 $8,778 Unapplied cash 14 $60,341 74 $74,502 6 $5,344 Unknown 22 $48,467 21 $29,385 4 $36,897 Total 106 $296,469 231 $336,471 33 $72,200 5,725 Suppliers Received responses from 61% of suppliers totaling 63% of spend 3,468 Responses 94 Suppliers with Credits 370 Credits $705K Recovered Example Key Findings Aged items on account were surfaced to the organization to enable them to readdress these with the vendor for more immediate resolution Credits being received by plant locations, but not being sent to the Shared Service Centers for processing Unapplied Cash and Returns were the most prominent root causes of credits 22
Sample Results - Payment Terms Non-standard or unfavorable payment terms should be analyzed to determine opportunities for either payment discounts or extending to more favorable terms. 131K, 45% Invoice Spend Totals by Payment Term Unfavorable Terms 106K Invoices (37%) Net 30+ No Discount Discounted Terms 17% Discounted Terms 17% 28K, 10% 25K, 9% 6K, 2% 34K, 12% 13K, 4% 11K, 4% 10K, 3% 6K, 2% 26K, 9% 40% Net 30+ No Discount <30 Days No Discount <30 Days No Discount 43% 43% 40% Observations 85% of all non-discount invoice terms required payment in less than the standard 30 day payment terms $197M in invoice spend (17%) had immediate payment terms 23
Fixed Assets Estimating / Recalculating Aging CIP depreciation Verifying accumulated depreciation does not exceed cost for any asset Identifying credit assets Identifying land that is depreciating Identifying assets assigned out of policy useful lives Determining assets set up with cost below capitalization threshold Estimating impact to P&L of increasing / decreasing capitalization threshold Reviewing for assets set up in duplicate Facilitating Item Master clean up Negative Depreciation Inconsistent / Outlier useful lives / Depreciation methods Post-addition percentage analysis (how much more cost added after depreciation started) Aging of fully depreciated assets Analysis of Asset Classification (Leased vs. Fixed or Long-Term vs. Short- Term) Comparison of Asset Turnover Ratio compared to industry average 24
Inventory Summary of Inventory by Type Inventory vs. Sales analysis Inconsistent costing Inconsistent units of measure with the same unit costs Verify category type Extended cost analysis Quantity analysis Per unit cost analysis Current vs Prior year cost comparison setup Reports of unit cost changes (Based on P/Y Quantities, C/Y Unit Costs) Sales analysis Potential excess inventory Margin review User analysis between purchase order and receipt Inventory adjustment analysis (write-offs) by items, users, locations, transaction type, and time of day Inventory adjustment analysis (returns) by items, users, locations, transaction type, and time of day Analysis of scrap activity Negative inventory balances and/or inconsistent fluctuations in inventory accounts between months 25
Lessons Learned Senior Management buy-in crucial for the success of any controls monitoring project Understanding of requirements, documentation and change request procedures Involvement of IT earlier on during the project Test, test and test Focus on high risk processes YOU have a tremendous opportunity to drive value and be an agent of positive change in YOUR organization! 26
Questions / Open Discussion 27
Thank You!
Contact Information Clint McPherson Managing Director, Dallas Office: 469.374.2438 Mobile: 214.215.8374 clint.mcpherson@protiviti.com Cindy Hart Manager, Dallas Office: 972.788.8505 Mobile: 817.253.9176 cindy.hart@protiviti.com Powerful Insights. Proven Delivery. Powerful Insights. Proven Delivery. 29