CIIA South West Analytics in Internal Audit - Tackling Fraud

Transcription

1 CIIA South West Analytics in Internal Audit - Tackling Fraud 10 December 2014

2 Agenda Intro to Analytics When to use analytics and how to get started Risk Monitoring and Control Automation Common Pitfalls Analytics in IA examples Basic Analytics Repeatable Analytics Embedded Analytics Data Visualisation Top-performing companies are three times more likely than lower performers to be sophisticated users of analytics and are two times more likely to say that their analytics use is a competitive differentiator Source: Sloan Management School/MIT Questions/Discussion 2

3 Intro to Analytics 3

4 What is Analytics? Analytics is the practice of capturing, managing and analysing data to drive business strategy and performance. It includes a range of approaches and solutions, from looking backward to evaluating what happened in the past, to forward-looking scenario planning and predictive modelling. Foresight Understand signals to shape the future Insight Use data to drive changes here and now Hindsight Conduct rearview mirror assessments Hindsight Insight Foresight Predictive and Prescriptive Descriptive Optimisation What s the best that can happen? Predictive Modeling What will happen next Randomised testing What happens if we try this? Statistical analysis Why is this happening? Exceptions/Alerts What actions are needed Query/drill downs What exactly is the problem Ad-hoc reports How many, how often, where? Standard reports Why did it happen 4

5 Where Analytics can fit in Historical Perspective Error Detection/ Quantification Targeted analytics to detect errors or fraud Identification of where errors or fraud has occurred Quantification of errors Root cause identification for errors Current Monitoring Risk Monitoring/Control Automation style solutions over risks and control frameworks, or operational areas; Assess current state profile Identify failing controls or operational areas; Opportunity cost of existing activities; Forward Looking Defining and monitoring a set of key risk indicators (KRIs) Using trend analysis of KRIs to help predict the riskier parts of the business, or operations, and provide early warning for risk management / mitigation purposes Identify opportunities for improvements using data 5

6 The Benefits for Internal Audit Audit Quality Better assurance More robust and challenging More credible findings Uncover previously unknown facts Full population coverage in testing procedures leaves no stone unturned. Underpins quantification of impact Better understanding of detail required in planning, drives improved risk focus Ability to rapidly profile data makes audit enquiries more focussed Control deficiencies more easily seen Enables medium term trend analysis and linkage to other data sources and evidence Audit Efficiency Automation Speed of execution Delivery of findings People change resilience Provides a platform for audit automation More responsive to new risks Routine testing concepts ( regular tests / red flags / control safety nets ) Scripts and approaches are strategically captured for redeployment Easier and quicker access to system data and information next time Direct Auditee access to findings Rapid redeployment of analytics, with low lead time Better retention of knowledge in large and changing IA teams Business Value More insightful More visual outputs Control culture evolution Can support the presentation of facts and trends more visually Supports root cause analysis and reasons for control failure Uncovers previously unknown facts and trends Provides the ability to better explore findings further, pinning down key issues Gives the auditee the full detail of the underlying evidence Presents technologies and approaches that the business could adopt and evolve themselves Supports capabilities such as benchmarking to improve insight In practice, we also find that greater use of analytic methodologies, technologies and techniques drives a more engaging, visual and rewarding conversation relating to risk management and control for all key stakeholders, using time more wisely in the long term and releasing resource for improvement activities. 6

7 Where Does Data Belong in an Audit? Process improvements improve data quality and reduce data anomalies Data reviews Data reviews focus an identifying areas of poor or ineffective control Process improvements Data results and insights Process reviews focus on adequacy, effectiveness and efficiency of controls Process reviews Data results and anomalies factored into scoping of process reviews 7

8 Common Uses of Analytics Profiling large populations of transactions (e.g. mortgages, payments, journals or deposits) to identify characteristics of fraud or audit interest; Visualise data sets to learn something new or to better communicate audit findings in reporting documents; Selecting a risk focussed sample of transactions for further audit testing; Re-performing complex calculations (e.g. provisions) to identify potential error, management override or areas where judgement has been applied; Reviewing MI compilation processes and the quality of data submitted to regulators or management; Re-performing system calculations to identify potential error; Quickly understanding spreadsheet risks and identifying errors; Automating areas of time consuming audit work to make it more efficient (e.g. matching invoices and clearing documents automatically), and; Substantively test a control has been operating effectively (e.g. changes to product APR are restricted to appropriate personnel). 8

9 When to use analytics 9

10 Key Risks Areas of core focus An analytically enabled audit approach supports higher quality, more valuable and more efficient Auditing of many business risks: Information Security Financial Transactions Mortgage LTV AML End User Computing Data Quality Complaints and Social Media Fraud / Wrongdoing Dormant Accounts External Reporting Compliance Segregation of Duties Arrears Management Reconciliations 10

11 Should I use Analytics? Reliance on MI Exploratory Auditing Intelligent Sampling Huge Populations/ Extended Assurance Data Analytics? Automation of Audit work Highly Automated Processes/ Controls Complex Spreadsheets Complex Calculations 11

12 Should I use Analytics? Data Quality Data Usage Data Accuracy Data Oriented? Data Completeness Data Ownership Data Management Data Security 12

13 Risk Monitoring & Control Automation 13

14 What is Risk Monitoring and Control Automation? Embedded analytic solutions that enable regular monitoring of internal controls and processes, highlighting areas of risk and exposure Make controls efficient without making them ineffective Provide a method for efficiently monitoring and reporting on the effectiveness of key controls Embed and enable a continuous defence against transactional errors and potential fraud Eliminate manual processing of BAU activities, allowing for more focused efforts and a more effective use of time Fix problems and inefficiencies by identifying their root causes instead of only treating symptoms Improve security and data quality, and enhance the overall internal audit 14

15 Embedded Analytic Solutions Delivering more value Aim for a flexible, scalable and secure solution, focussed on not just the analytics, but also the downstream remediation and reporting process needs. Other data sources ERP Environment Connected in real-time to analytic platform Capture knowledge of key risks, internal controls and assurance requirements Action taken Exception Closed Generate Exception Remote access to samples and analytics, anytime/anywhere Analytics Platform Route and Escalate Notify User Drives, informs and performs follow up activities

16 Common Pitfalls 16

17 Analytics in Internal Audit Best Practice Tips and pitfalls in unleashing the potential Invest in understanding the Data estate thoroughly Invest in understanding end to end data flows well Give more time to 1st year scoping and planning Failure to get CFO and CoAC support Failure to understand how risks translate into characteristics in the data Champion three to four proof of concepts Don t just pick analytics from lists and libraries Plan for incomplete and poor quality data Treat it like a medium term project Failure to use appropriate technologies Giving up too easily Failure to invest in appropriate foundations Encourage business handover and adoption Brand your analytically enabled audit reports Ensure scripts and procedures are high quality and retained 17

18 Examples 18

19 Spreadsheet Analytics Basic analytics Finance Basic Excel Auditing Excel Spreadsheets Auditing using Excel Spreadsheets Simple matching Profiling Sampling Summarising Support Reporting Exception Identification 19

20 Spreadsheets What can go Wrong Recently in the Press Barclays Capital A reformatting error in an Excel spreadsheet in the largest bankruptcy case in U.S. history, prompted a legal motion by Barclays Capital Inc. to amend its deal to buy some of the assets of Lehman Brothers Holdings Inc. Investigations identified that contracts which had been marked as "hidden" in the spreadsheet, were subsequently added to the purchase offer during the reformatting by the law firm acting on their behalf. C&C Group Shares in C&C fell 15 per cent after it said total revenue in the four months to end-june had not risen 3 per cent as reported, but had dropped 5 per cent. C&C s Group Finance Director and COO said the error in their announcement occurred after data was incorrectly transferred from an accounting system used for internal guidance to a spreadsheet used to produce the trading statement. 20

21 Repeatable Analytics Building Societies/FS Finance Ad-hoc SQL Excel Population sampling taking the mortgage and savings data and identifying exceptions: Unexpectedly large/small % of prior year payment; Interest rates outside of expected range (published interest rate table); Mortgages with maturity date over expected range (e.g. 40 years); Interest-only mortgages that had monthly capital repayments; Accounts where the interest changed in the year but this was not scheduled; Mortgages taken out in the past five years with an initial advance of over 5m (high risk items); Clustering analytics Provision calculations Receivables CCA/PPI/Remediation Payments Out Duplicates Segregation of Duties Mandates Arrears management Categorisation of accounts Management and reporting of accounts in arrears Arrangements Remediation Programs Standard Finance Audits (AP, Payroll, Staff Expenses) Fraud Risk Balance Sheet/ Bank Reconciliation Automation 21

22 Global Media Organisation Transforming finance controls through controls automation This client is a global media organisation that operates a shared service centre in the UK. Internal audit acted as a catalyst to initiate internal controls transformation by recommending continuous controls monitoring to the Audit Committee. The client partnered with Deloitte to manage the business change, technology implementation and delivery of embedded analytics in the shared service centre. Shared services Embedded ACL Exception SSRS ACL AX Our approach Audit led - engaged with the client's assurance providers and users to understand processes, risks and controls and recorded opportunities for control automation or areas of processes with insufficient controls to manage risk Embedded - engaged with technology vendors and the client s IT function design, implement and test an embedded analytic solution in their data centre Controlled process - engaged with process owners and leveraged detailed table knowledge to collaboratively produce design documentation for each analytic, including visual mock ups Global team costs were controlled by using offshore development capabilities to create analytics where appropriate Change management - To deliver lasting change, had a separate business change work steam. Outputs included creating user manuals and delivering training and embedding skills into the client s teams through work shadowing Outcome and benefits Internal audit will now only test the operating effectiveness of new monitoring controls, with their work in turn relied upon by external audit. This improves the efficiency of the assurance landscape and delivers the foundations for transformation in the approaches of these audit providers. Control exceptions can be acted on in a timely manner due to alerts. A full audit trail to support root cause analytics and investigation is provided through an exception management system Visualisation allows the auditor and the business to explore data, gain insight and take action Analytics can be run when the auditor or business or requires, technology is fully embedded and enduring 22

23 Questions/Discussion 23

24 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited ( DTTL ), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of DTTL and its member firms. Deloitte LLP is the United Kingdom member firm of DTTL. This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication. Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) Fax: +44 (0) Member of Deloitte Touche Tohmatsu Limited 24