This presentation aims to clarify how we can make use of data analytics tools and techniques to cut through the complexity of data to focus on what we want to know.
Case studies on auditing staff and medical claims as well as procurement and payments review will help illustrate the principles that one can adopt to cut through the complexity to zoom in on what is of importance to the auditor or controls professional.
It aims to share how we can “make sense out of nonsense” if we understand our data, apply basic data analytical approaches to access the data and to generate the information that we need to solve business problems or to make business decisions.
1. Audit Testing ERP Application and Connecting with Cloud
Yoong Ee Chuan CISA, CISM, CPA, CIA
2. Agenda
1. Analysing how data analytics enhances audit testing of ERP
applications
2. Exploring different data analytics and computer assisted audit
tools and techniques
3. Understanding the risks of hosting ERP data with cloud
computing
4. Questions and answers
3. Audit Testing – ERP Applications
What is Data Analytics?
“Analysis of data is a process of inspecting, cleaning, transforming, and
modeling data with the goal of highlighting useful information, suggesting
conclusions, and supporting decision making. Data analysis has multiple facets
and approaches, encompassing diverse techniques under a variety of names,
in different business, science, and social science domains.” -- Source:
http://en.wikipedia.org/wiki/Data_analysis
• Some examples
• Computer-assisted-audit tools/techniques
• Data mining
• Business intelligence
• Statistical applications
4. Audit Testing – ERP Applications
“Making sense out of nonsense!”
6. Audit Testing – ERP Applications
Challenges of Audit Testing ERP Applications
• ERP systems provide a wealth of information
• If you can access it quickly, efficiently and effectively
• Challenges include
• Lack of IT knowledge and skills by auditor
• Lack of knowledge of ERP package/module
• Lack of SQL, query language
• Overwhelming transaction volume from computerised records
• Difficult to aggregate information for meaningful analysis
• cannot see the forest for the trees
• Access to data usually requires help of Information Technology, Finance
and Operations to obtain reports and analysis needed
• Use of data analytics allows the stories behind the data to emerge based
on the questions the auditor asks
7. Audit Testing – ERP Applications
Why Use Data Analytics for Audit Testing ERP Applications?
• Increasing quantity and quality of data available
• Larger organisations typically have Enterprise Resource Planning (ERP)
implementations
• Human Resources/Payroll
• Financial Accounting/Management Reporting
• Accounts Payables
• Accounts Receivables
• Fixed Assets/Inventory
• General Ledger
• Project Management/Costing
• Core business applications for operations
• Business transactions captured in the bits and bytes of data residing in
ERP systems
8. Audit Testing – ERP Applications
• Ability to analyse the underlying data representing business transactions
in meaningful ways:
• Empowers auditors to understand the business risks
• Use in audit planning and risk assessment
• Surveying audit universe from financial and operating data
• Summarisation of key fields by department, divisions, sections
• Helps to flag out areas of interest, potential misstatement,
non-compliance and potential fraud risks
• Ascertain compliance with business policies and procedures:
• Carry out detailed substantive and compliance auditing
procedures
• 100% testing instead of sampling
• Enhanced assurance and coverage
• Provides sufficient and appropriate evidence for audit reporting
• Exceptions are specific transactions flagged out by the data
analytics tools
10. Exploring Data Analytics & CAATs
• You already have them!
• Data analytics software
• Key characteristics
• Slice and dice to what you desire
• Filter, sort, summarise, total, count, chart, pivot
• E.g. Microsoft Excel, Access, Open Office Calc, Google Docs etc.
• IDEA, ACL, SPSS etc
• There is no “perfect” tool
• Match the tools to the skillsets, experience, availability
11. Exploring Data Analytics & CAATs
Example: Interactive Data Extraction and Analysis (IDEA)
• Caseware IDEA - Data analysis / generalised audit software / computer-
assisted audit tool
Caveats: Auditors / control professionals still need to:
• Audit objectives
• Need to understand business application and data residing in system
• Need to know what is the audit issue/business problem.
• Need to define the data needed and apply the right analysis to derive
the answers
• Answers may not always be 100% conclusive, still need professional
judgement and other corroborating evidence
13. Auditing ERP Applications – Case Study
Audit of Staff Claims
• Medical Claims
• Transport Claims
Why audit ERP applications using data analytics?
• Data analysis approach allows detection of non-compliances and helps
the organisation achieve value-for-money
• Review ALL (100%) of transactions vs sample 30 claims
How to approach audit of ERP applications
• Step 1: Import data from ERP system i.e. Excel or flat files
• Step 2: Define field definition (text, numeric, date)
• Step 3: Run analysis i.e. exceptions, duplicates, patterns
• Step 4: Report exceptions, anomalies, patterns
15. Use of IDEA in Audit of Staff Claims (Medical)
Detecting Duplicate Claims
• Obtain list of staff medical claims from ERP system for period of interest (e.g. all transactions for 1 year)
• Identify key fields for testing i.e. “RECEIPT NO.”, “STAFF ID” and “CLINIC/HOSPITAL”
• Summarise by “STAFF ID”, followed by “RECEIPT NO.” and analyse for anomalies
• Run duplicates test on “RECEIPT NO.”
16. Use of IDEA in Audit of Staff Claims (Medical)
Detecting Duplicate Claims
• Obtain data, identify fields of interest i.e. “RECEIPT NO.”, “RECEIPT DATE”, “STAFF ID”
• Run duplicates test on “RECEIPT NO.” and “RECEIPT DATE”
• Query HR on duplicate payment
17. Use of IDEA in Audit of Staff Claims (Transport)
Detecting Erroneous Claims
Audit Observation #1
Non-deduction of Normal Travel Expenses from Office to Home for journeys Starting or
Ending from Home
• Step 1: Obtain staff travel claims data for 1 year; identify fields of interest i.e. “FROM”, “FROM_TO_HOME”, “OFF_DAY”, “STAFF ID”
• Step 2: Extract FROM = “Home”, FROM_TO_HOME = “N” and OFF_DAY = “N”; do similar for TO = “Home” etc.
• Step 3: Flags out all transactions where staff did not deduct the cost of journeys starting or ending at “home” since reimbursement policy does not allow claims for journeys made from home to workplace
18. Use of IDEA in Audit of Staff Claims (Transport)
Detecting Erroneous Claims
Audit Observation #2
Possible Duplicate Taxi Claims and Claims without Valid Taxi Receipt Numbers
• Step 1: Obtain staff travel claims data for 1 year; identify fields of interest i.e. “RECEIPT_NO”
• Step 2: Extract data where “RECEIPT_NO” is not “” and test for duplicates; extract data where “RECEIPT_NO” is “” (blank)
• Step 3: Flag out all exceptions to business rules and query department responsible for anomalies
19. Use of IDEA in Audit of Staff Claims (Transport)
Detecting Erroneous Claims
Audit Observation #3
Unusual multiple journeys within the same day by same staff
• Step 1: Obtain staff travel claims data for 1 year; identify fields of interest i.e. “RECEIPT DATE”, “STAFF ID”
• Step 2: Summarise by “RECEIPT DATE” and “STAFF ID”; sort by “NO_OF_RECS” (no. of records)
• Step 3: High “NO_OF_RECS” indicates multiple journeys made on same day by same staff. Unusual unless staff is doing delivery
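The three transport-claim tests above, together with the receipt duplicates test from the medical-claims slides, as an added Python example (not from the original presentation, which uses IDEA). The sample rows, the underscore column names, the reading of FROM_TO_HOME as applying to both directions, and the `threshold` cut-off are assumptions made for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export: column names follow the slides, values are invented.
SAMPLE = """STAFF_ID,RECEIPT_DATE,RECEIPT_NO,FROM,TO,FROM_TO_HOME,OFF_DAY,AMOUNT
S001,2011-03-01,T1001,Home,Client A,N,N,18.50
S001,2011-03-01,T1002,Client A,Office,N,N,12.00
S002,2011-03-01,T1001,Office,Client B,N,N,18.50
S002,2011-03-02,,Office,Home,N,N,22.00
S003,2011-03-05,T1003,Home,Office,N,Y,15.00
S004,2011-03-07,T1004,Office,Depot,N,N,9.00
S004,2011-03-07,T1005,Depot,Client C,N,N,11.00
S004,2011-03-07,T1006,Client C,Office,N,N,10.00
S005,2011-03-08,T1007,Home,Client D,Y,N,6.00
"""

def load(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:  # normalise so " t1001" and "T1001" compare equal
        r["RECEIPT_NO"] = r["RECEIPT_NO"].strip().upper()
    return rows

def home_not_deducted(rows):
    # Observation 1: journey starts or ends at Home, no deduction, not an off day
    return [r for r in rows
            if "Home" in (r["FROM"], r["TO"])
            and r["FROM_TO_HOME"] == "N" and r["OFF_DAY"] == "N"]

def receipt_exceptions(rows):
    # Observation 2: blanks are reported separately, never counted as duplicates
    blank = [r for r in rows if not r["RECEIPT_NO"]]
    groups = defaultdict(list)
    for r in rows:
        if r["RECEIPT_NO"]:
            groups[r["RECEIPT_NO"]].append(r)
    dups = {k: v for k, v in groups.items() if len(v) > 1}
    return dups, blank

def busy_days(rows, threshold=3):
    # Observation 3: summarise by date + staff, highest NO_OF_RECS first
    counts = Counter((r["RECEIPT_DATE"], r["STAFF_ID"]) for r in rows)
    return [(k, n) for k, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    rows = load(SAMPLE)
    print(home_not_deducted(rows), receipt_exceptions(rows), busy_days(rows))
```

Every function runs over the full data set rather than a sample, so each returned row is a specific exception to query with the responsible department.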
20. Use of IDEA in Audit of Staff Claims
Using a Data-Driven Approach in Auditing ERP
• Understand business process
• Walkthrough and document business process
• Identify key controls for testing
• Obtain data of interest
• Identify and understand data available
• Key fields for testing
• Get big picture
• Do field statistics or summarise all fields to get overall picture of data
• Analyse for exceptions
• Run analysis for exceptions to business rules
22. Connecting with Cloud
Cloud Computing is already here:
• Cloud computing is the delivery of computing as a service rather than
a product, whereby shared resources, software and information are provided to
computers and other devices as a utility (like the electricity grid) over a
network (typically the Internet).
-- Wikipedia (http://en.wikipedia.org/wiki/Cloud_computing)
• Cloud computing in consumer space is pervasive
• Email services: e.g. Google Gmail, Microsoft Hotmail
• Instant messaging: e.g. Yahoo Messenger, Microsoft Live, Gmail Gtalk
• Web content management: e.g. blogger, wordpress
• Cloud computing in business space is growing
• Refer to OpenCloud Taxonomy
25. Connecting with Cloud
Issues relating to Cloud Computing:
• Key Issues: Security (Source: Trustworthy Computing: Privacy in the
Cloud Computing Era – November 2009, Microsoft)
• Are hosted data and applications within the cloud protected by
suitably robust privacy policies?
• Are cloud computing provider’s technical infrastructure,
applications and processes secure?
• Are processes in place to support appropriate action in the event of
an incident that affects privacy or security?
27. Connecting with Cloud
Public Sector Perspective
• Government Instruction Manual No. 8 (IM8) has been in force
• Policy on Infocomm Technology (ICT) Security
• Recent update (vide MICA ICT Circular No. 2/2011 on 2 June 2011):
Policy now applies to ICT security of systems used to store, process or
access Government Data
• Previously related to, “Systems owned by government agencies”
• Covers new situations where data resides in commercial vendor’s
systems and not systems owned by government agencies e.g. where
cloud is involved
28. Connecting with Cloud
NP Experience
• Education sector – drive towards cloud adoption
• Student Email services:
• From Lotus Notes to MS Connectmail
• Cost savings in infrastructure, security and administration
• Mobile Student Assessment for Clinical Attachment
• Health Sciences (Nursing) students
• Practicums and clinical attachments to hospital big part of course
curriculum
• Assessment using traditional written examination enhanced
• Using assessment application developed by 3rd party vendor for iPod Touch
• iPod Touch Application Database of student assessment records for
practicum on Cloud
29. Connecting with Cloud
NP Experience
• Internal Audit’s response
• IT security control objectives do not change
• Refer to compliance model (figure 6 – Mapping the Cloud Model to the
Security Control & Compliance model) to help understand gaps
• However, cloud deployment of applications and hosting of data re-raises
some of the outsourcing risks where vendors are managing your
information assets
• Assess risks and sensitivity of data
• In accordance with IM8 requirements?