As the volume of information companies collect from internal and external sources continues to grow, auditors have to embrace analytics to help them keep pace. Incorporating data analytics into audits, however, can be more challenging than it sounds. Even departments that have established audit objectives and are ready to go with their data analytics tool can have problems getting the right data to so they can start.
In this presentation, Scott Jones, CIA, CRMA discusses the challenges and solutions around identifying, obtaining and verifying the right data to help you achieve your audit objectives.
SLIDESHARE: www.slideshare.net/CaseWare_Analytics
WEBSITE: www.casewareanalytics.com
BLOG: www.casewareanalytics.com/blog
TWITTER: www.twitter.com/CW_Analytic
3. AGENDA
1. Data Challenges
2. Objective
3. 3-Step Process
• IDENTIFY the data
• LOCATE the data
• VERIFY the data
4. Benefits and Take-Aways
4. DATA CHALLENGES
Cohn, Michael. Auditors see increased demand for data analytics. Accounting Today, April 5, 2017
https://www.accountingtoday.com/news/auditors-see-increased-demand-for-data-analytics
5. DATA CHALLENGES
Difficulty obtaining, accessing,
and/or compiling the data*
* Stippich & Preber. Data Analytics. The Institute of Internal Auditors Research
Foundation, 2016
7. OBJECTIVE: 3-STEP PROCESS
• Define a 3 Step Process for obtaining the right data:
• Identify
• Locate
• Verify
“But clearly within the audit space, the use of data analytics is
considered the best practice of today and the future….”
Brian Christensen, Executive VP of Global Internal Audit and Financial Advisory, Protiviti
8. THE FUNDAMENTAL ASSUMPTION
• Effective IT Internal Control Framework
• IT General Controls
• IT Application Controls
• (for the source of the data)
• Without IT controls, the auditor cannot rely on the data
• Testing of IT Controls is beyond the scope of this webinar
10. STEP 1: IDENTIFY THE DATA
• Audit Objectives
• Audit Scope
• Data Analytics Objectives
• Audit Procedures
11. STEP 1: AUDIT OBJECTIVES
• Define specifically the intended outcomes of the audit
• IIA Standard 2210
• Objectives must be established for each engagement
• Derived from a risk assessment
• Consider: errors, fraud, noncompliance & other exposures
• Adequate criteria
• Examples
• Determine the operating effectiveness of internal controls for the
cash disbursement process.
• Assess compliance with the AP transaction approval policy
12. • Boundaries of the audit
• Process
• Location
• Time frame
• IIA Standard 2220
• The established scope must be sufficient to accomplish the
objectives of the engagement
• Consider relevant systems, records, personnel & physical properties
• Example
• Accounts Payable Process
• San Diego Region
• 2016
STEP 1: AUDIT SCOPE
13. STEP 1: DATA ANALYTICS OBJECTIVES
• Derived from Audit Objectives
• Scope should match audit scope
• Clearly defined purpose
• Examples
• To test the population of 2016 AP transactions of the San Diego
Region for indicators of fraud
• To test the population of 2016 AP transactions of the San Diego
Region for compliance with transaction approval thresholds
• To test the population of 2016 AP transactions of the San Diego
region to assure that purchases are from authorized vendors
14. STEP 1: DATA ANALYTICS PROCEDURES
• To achieve Data Analytic Objectives
• Examples
• Duplicates Test – invoice payments
• Join – vendor master file to AP data
• Summarization – identify high risk vendors
• Benford’s Law Analysis – anomalous frequency at
approval thresholds
15. CAVEAT RE: IPPF STANDARD 2310
• Internal Auditors must identify sufficient, reliable, relevant,
and useful information to achieve the engagement’s
objectives
• Sufficient – factual, adequate, convincing
• Reliable – best attainable information, using appropriate techniques
• Relevant – supports observations & conclusion, consistent with
objectives
• Useful – helps the organization meet its goals
16. STEP 2: LOCATE THE DATA
• Sources of Data
• Establish Relationships
• Data Request
• Types of Data
17. STEP 2: SOURCES OF DATA
• Self-service access
• Standard reports and queries
• IT or other third parties
• Audited entity – NOT a reliable source
18. STEP 2: ESTABLISH RELATIONSHIPS
• Who knows where the data are stored?
• Audited function
• IT
• Don’t rely on email
• Talk face to face
• Not just during the audit
• Seek to understand
• Availability
• Locations of databases
• Means of access
• Required authorizations
• Required security – PII, HIPAA, ITAR
19. STEP 2: DATA REQUEST
• Consider the Computer System
• Consider means of transfer
• Describe report
• Objective and scope
• Define fields
• Type of data
• Length
• Format
• Precision
20. STEP 2: TYPES OF DATA
• Character (text)
• Date
• Numeric
• Variable
• Continuous (Interval, Ratio)
• Discrete (integers, counts)
• Attribute
• Ordinal (ranked)
• Nominal (arbitrary classifications)
21. STEP 2: CHARACTER OR TEXT DATA
• Key consideration: Length
• Numbers imported as text may not be useful for calculations
• Check & Invoice Numbers – Numbers or Text?
22. STEP 2: DATE & TIME
• Key Consideration: Format
• Determine what the source reports
• Know what your software can import
• Format determines length
• Date only? or Date and Time?
23. STEP 2: NUMERIC
• Key consideration: Precision
• Source Precision
• Useful Precision
• Type of Data
24. STEP 2: TYPES OF DATA
• Variable
• Also referred to as Quantitative
• Types include Interval, Ratio
• Numbered
• Attribute
• Also referred to as Qualitative
• Types Nominal, Ordinal
• Good/Bad, Red/Yellow/Green
• Sometimes represented by numbers
25. STEP 2: HIERARCHY OF NUMERIC DATA
• Variables
• Real Numbers
• Continuous: All calculations are valid
• Discrete: Most calculations are valid
• Data may be treated as ordinal or nominal
• Ordinal
• Values represent ranked order of the data
• Calculations based on ordering are valid
• Data may be treated as nominal but not variable
• Nominal
• Values are arbitrary numbers that represent categories
• Only frequency calculations are valid
• Data may not be treated as ordinal or variable
27. STEP 2: EXAMPLE DATA REQUEST
Report
Report Name Report Description Expected
Completion
Date
AP Report – San Diego Oracle report of account payable
transactions for KPI San Diego from
payment dates 1/1/2016 through
12/31/2016
5/31/2017
29. STEP 3: VERIFY DATA INTEGRITY
• Transfer the Data
• Completeness
• Reliability
30. STEP 3: TRANSFER THE DATA
• Minimize intermediary handling
• Options
• ODBC
• FTP
• Shared Drive
• SharePoint
• Print report or PDF
• Email
• Portable Media
• Consider security requirements
• Access management
• Encryption
31. STEP 3: COMPLETENESS OF DATA
• Compare record counts to source
• Reliability
• Compare control totals for numeric fields to source
• For all important numeric fields
• Watch for blanks reported as “Errors”
• Run Summarizations and evaluate reasonableness
• Check first and last dates
• Check key sequences for gaps and duplicates
• Example: Concur can report multiple records for one expense report
• Compare to print reports