CIIA South West Analytics in Internal Audit - Tackling Fraud 10 December 2014
Agenda
- Intro to Analytics
- When to use analytics and how to get started
- Risk Monitoring and Control Automation
- Common Pitfalls
- Analytics in IA examples
  - Basic Analytics
  - Repeatable Analytics
  - Embedded Analytics
  - Data Visualisation
- Questions/Discussion

"Top-performing companies are three times more likely than lower performers to be sophisticated users of analytics and are two times more likely to say that their analytics use is a competitive differentiator." Source: Sloan Management School/MIT
Intro to Analytics
What is Analytics?
Analytics is the practice of capturing, managing and analysing data to drive business strategy and performance. It includes a range of approaches and solutions, from looking backward to evaluating what happened in the past, to forward-looking scenario planning and predictive modelling.
- Foresight: Understand signals to shape the future
- Insight: Use data to drive changes here and now
- Hindsight: Conduct rearview mirror assessments
Figure (axis labels: Hindsight, Insight, Foresight; Predictive and Prescriptive, Descriptive):
- Optimisation: What's the best that can happen?
- Predictive Modeling: What will happen next?
- Randomised testing: What happens if we try this?
- Statistical analysis: Why is this happening?
- Exceptions/Alerts: What actions are needed?
- Query/drill downs: What exactly is the problem?
- Ad-hoc reports: How many, how often, where?
- Standard reports: Why did it happen?
Where Analytics can fit in
Historical Perspective: Error Detection/Quantification
- Targeted analytics to detect errors or fraud
- Identification of where errors or fraud has occurred
- Quantification of errors
- Root cause identification for errors
Current Monitoring
- Risk Monitoring/Control Automation style solutions over risks and control frameworks, or operational areas
- Assess current state profile
- Identify failing controls or operational areas
- Opportunity cost of existing activities
Forward Looking
- Defining and monitoring a set of key risk indicators (KRIs)
- Using trend analysis of KRIs to help predict the riskier parts of the business, or operations, and provide early warning for risk management / mitigation purposes
- Identify opportunities for improvements using data
The Benefits for Internal Audit
Audit Quality (Better assurance; More robust and challenging; More credible findings)
- Uncover previously unknown facts
- Full population coverage in testing procedures leaves no stone unturned
- Underpins quantification of impact
- Better understanding of detail required in planning, drives improved risk focus
- Ability to rapidly profile data makes audit enquiries more focussed
- Control deficiencies more easily seen
- Enables medium term trend analysis and linkage to other data sources and evidence
Audit Efficiency (Automation; Speed of execution; Delivery of findings; People change resilience)
- Provides a platform for audit automation
- More responsive to new risks
- Routine testing concepts (regular tests / red flags / control safety nets)
- Scripts and approaches are strategically captured for redeployment
- Easier and quicker access to system data and information next time
- Direct Auditee access to findings
- Rapid redeployment of analytics, with low lead time
- Better retention of knowledge in large and changing IA teams
Business Value (More insightful; More visual outputs; Control culture evolution)
- Can support the presentation of facts and trends more visually
- Supports root cause analysis and reasons for control failure
- Uncovers previously unknown facts and trends
- Provides the ability to better explore findings further, pinning down key issues
- Gives the auditee the full detail of the underlying evidence
- Presents technologies and approaches that the business could adopt and evolve themselves
- Supports capabilities such as benchmarking to improve insight
In practice, we also find that greater use of analytic methodologies, technologies and techniques drives a more engaging, visual and rewarding conversation relating to risk management and control for all key stakeholders, using time more wisely in the long term and releasing resource for improvement activities.
Where Does Data Belong in an Audit?
Cycle diagram labels: Data reviews; Data results and insights; Process reviews; Process improvements
- Data reviews focus on identifying areas of poor or ineffective control
- Data results and anomalies factored into scoping of process reviews
- Process reviews focus on adequacy, effectiveness and efficiency of controls
- Process improvements improve data quality and reduce data anomalies
Common Uses of Analytics
- Profiling large populations of transactions (e.g. mortgages, payments, journals or deposits) to identify characteristics of fraud or audit interest;
- Visualising data sets to learn something new or to better communicate audit findings in reporting documents;
- Selecting a risk focussed sample of transactions for further audit testing;
- Re-performing complex calculations (e.g. provisions) to identify potential error, management override or areas where judgement has been applied;
- Reviewing MI compilation processes and the quality of data submitted to regulators or management;
- Re-performing system calculations to identify potential error;
- Quickly understanding spreadsheet risks and identifying errors;
- Automating areas of time consuming audit work to make it more efficient (e.g. matching invoices and clearing documents automatically), and;
- Substantively testing that a control has been operating effectively (e.g. changes to product APR are restricted to appropriate personnel).
When to use analytics
Key Risks
Areas of core focus
An analytically enabled audit approach supports higher quality, more valuable and more efficient auditing of many business risks:
- Information Security
- Financial Transactions
- Mortgage LTV
- AML
- End User Computing
- Data Quality
- Complaints and Social Media
- Fraud / Wrongdoing
- Dormant Accounts
- External Reporting
- Compliance
- Segregation of Duties
- Arrears Management
- Reconciliations
Should I use Analytics?
Diagram: "Data Analytics?" at the centre, surrounded by:
- Reliance on MI
- Exploratory Auditing
- Intelligent Sampling
- Huge Populations/Extended Assurance
- Automation of Audit work
- Highly Automated Processes/Controls
- Complex Spreadsheets
- Complex Calculations
Should I use Analytics?
Diagram: "Data Oriented?" at the centre, surrounded by:
- Data Quality
- Data Usage
- Data Accuracy
- Data Completeness
- Data Ownership
- Data Management
- Data Security
Risk Monitoring & Control Automation
What is Risk Monitoring and Control Automation?
Embedded analytic solutions that enable regular monitoring of internal controls and processes, highlighting areas of risk and exposure
- Make controls efficient without making them ineffective
- Provide a method for efficiently monitoring and reporting on the effectiveness of key controls
- Embed and enable a continuous defence against transactional errors and potential fraud
- Eliminate manual processing of BAU activities, allowing for more focused efforts and a more effective use of time
- Fix problems and inefficiencies by identifying their root causes instead of only treating symptoms
- Improve security and data quality, and enhance the overall internal audit
Embedded Analytic Solutions
Delivering more value
Aim for a flexible, scalable and secure solution, focussed on not just the analytics, but also the downstream remediation and reporting process needs.
Diagram labels:
- Other data sources
- ERP Environment
- Connected in real-time to analytic platform
- Capture knowledge of key risks, internal controls and assurance requirements
- Analytics Platform
- Generate Exception
- Route and Escalate
- Notify User
- Action taken
- Exception Closed
- Remote access to samples and analytics, anytime/anywhere
- Drives, informs and performs follow up activities
Common Pitfalls
Analytics in Internal Audit Best Practice
Tips and pitfalls in unleashing the potential
- Invest in understanding the Data estate thoroughly
- Invest in understanding end to end data flows well
- Give more time to 1st year scoping and planning
- Failure to get CFO and CoAC support
- Failure to understand how risks translate into characteristics in the data
- Champion three to four proof of concepts
- Don't just pick analytics from lists and libraries
- Plan for incomplete and poor quality data
- Treat it like a medium term project
- Failure to use appropriate technologies
- Giving up too easily
- Failure to invest in appropriate foundations
- Encourage business handover and adoption
- Brand your analytically enabled audit reports
- Ensure scripts and procedures are high quality and retained
Examples
Spreadsheet Analytics
Basic analytics
Slide labels: Finance; Basic; Excel
- Auditing Excel Spreadsheets
- Auditing using Excel Spreadsheets
- Simple matching
- Profiling
- Sampling
- Summarising
- Support Reporting
- Exception Identification
Spreadsheets: What can go Wrong
Recently in the Press
Barclays Capital
A reformatting error in an Excel spreadsheet in the largest bankruptcy case in U.S. history prompted a legal motion by Barclays Capital Inc. to amend its deal to buy some of the assets of Lehman Brothers Holdings Inc. Investigations identified that contracts which had been marked as "hidden" in the spreadsheet were subsequently added to the purchase offer during the reformatting by the law firm acting on their behalf.
C&C Group
Shares in C&C fell 15 per cent after it said total revenue in the four months to end-June had not risen 3 per cent as reported, but had dropped 5 per cent. C&C's Group Finance Director and COO said the error in their announcement occurred after data was incorrectly transferred from an accounting system used for internal guidance to a spreadsheet used to produce the trading statement.
Repeatable Analytics
Slide labels: Building Societies/FS; Finance; Ad-hoc; SQL; Excel
Population sampling: taking the mortgage and savings data and identifying exceptions:
- Unexpectedly large/small % of prior year payment;
- Interest rates outside of expected range (published interest rate table);
- Mortgages with maturity date over expected range (e.g. 40 years);
- Interest-only mortgages that had monthly capital repayments;
- Accounts where the interest changed in the year but this was not scheduled;
- Mortgages taken out in the past five years with an initial advance of over 5m (high risk items);
Other areas: Clustering analytics; Provision calculations; Receivables; CCA/PPI/Remediation; Payments Out; Duplicates; Segregation of Duties; Mandates; Arrears management; Categorisation of accounts; Management and reporting of accounts in arrears; Arrangements; Remediation Programs; Standard Finance Audits (AP, Payroll, Staff Expenses); Fraud Risk; Balance Sheet/Bank Reconciliation Automation
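The population-sampling exception tests listed above, applied to every record in a population rather than to a sample. This is an added example, not code from the presentation: the field names, rate table, payment tolerance band and sample records are constructed assumptions, and the currency of the 5m threshold is not stated on the slide.

```python
from datetime import date

# Constructed thresholds; only the 40-year term and the 5m advance come from the slide.
RATE_TABLE = {"fixed_2y": (1.5, 4.5), "tracker": (1.0, 3.5)}  # product -> (min %, max %)
MAX_TERM_YEARS, LARGE_ADVANCE, PAYMENT_BAND = 40, 5_000_000, (0.5, 1.5)

def years_between(start, end):  # whole years elapsed from start to end
    return end.year - start.year - ((end.month, end.day) < (start.month, start.day))

def exceptions_for(m, as_of):
    """Return the name of every exception test that mortgage record m fails."""
    found = []
    lo, hi = RATE_TABLE.get(m["product"], (None, None))
    if lo is None or not lo <= m["rate"] <= hi:  # unknown products are flagged too
        found.append("rate_outside_published_range")
    if years_between(m["start"], m["maturity"]) > MAX_TERM_YEARS:
        found.append("maturity_over_expected_range")
    if m["repayment_type"] == "interest_only" and m["monthly_capital"] > 0:
        found.append("interest_only_with_capital_repayments")
    if years_between(m["start"], as_of) < 5 and m["advance"] > LARGE_ADVANCE:
        found.append("large_recent_advance")
    if m["rate_changed"] and not m["change_scheduled"]:
        found.append("unscheduled_rate_change")
    if m["paid_prior_year"] > 0:  # ratio is undefined for first-year accounts
        ratio = m["paid_this_year"] / m["paid_prior_year"]
        if not PAYMENT_BAND[0] <= ratio <= PAYMENT_BAND[1]:
            found.append("payment_vs_prior_year_out_of_band")
    return found

def run_tests(population, as_of):
    """Test the full population; return only the accounts that raised exceptions."""
    results = {m["account"]: exceptions_for(m, as_of) for m in population}
    return {acct: exc for acct, exc in results.items() if exc}

# Constructed sample population: a clean baseline record plus deliberate deviations.
BASE = dict(product="fixed_2y", rate=3.0, start=date(2005, 6, 1),
            maturity=date(2030, 6, 1), repayment_type="repayment",
            monthly_capital=400.0, advance=180_000, rate_changed=False,
            change_scheduled=False, paid_prior_year=9_600.0, paid_this_year=9_600.0)
SAMPLE = [
    dict(BASE, account="M001"),
    dict(BASE, account="M002", rate=7.2),
    dict(BASE, account="M003", repayment_type="interest_only", monthly_capital=250.0),
    dict(BASE, account="M004", start=date(2012, 3, 1), maturity=date(2057, 3, 1),
         advance=6_200_000),
    dict(BASE, account="M005", rate_changed=True, paid_this_year=2_400.0),
]
if __name__ == "__main__":
    for acct, exc in run_tests(SAMPLE, date(2014, 12, 10)).items():
        print(acct, ", ".join(exc))
```

Each flagged account carries the names of the tests it failed, so the output can feed a risk-focussed sample or an exception queue directly.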
Global Media Organisation
Transforming finance controls through controls automation
This client is a global media organisation that operates a shared service centre in the UK. Internal audit acted as a catalyst to initiate internal controls transformation by recommending continuous controls monitoring to the Audit Committee. The client partnered with Deloitte to manage the business change, technology implementation and delivery of embedded analytics in the shared service centre.
Slide labels: Shared services; Embedded; ACL Exception; SSRS; ACL; AX
Our approach
- Audit led - engaged with the client's assurance providers and users to understand processes, risks and controls and recorded opportunities for control automation or areas of processes with insufficient controls to manage risk
- Embedded - engaged with technology vendors and the client's IT function to design, implement and test an embedded analytic solution in their data centre
- Controlled process - engaged with process owners and leveraged detailed table knowledge to collaboratively produce design documentation for each analytic, including visual mock ups
- Global team costs were controlled by using offshore development capabilities to create analytics where appropriate
- Change management - to deliver lasting change, we had a separate business change workstream. Outputs included creating user manuals, delivering training and embedding skills into the client's teams through work shadowing
Outcome and benefits
- Internal audit will now only test the operating effectiveness of new monitoring controls, with their work in turn relied upon by external audit. This improves the efficiency of the assurance landscape and delivers the foundations for transformation in the approaches of these audit providers.
- Control exceptions can be acted on in a timely manner due to e-mail alerts.
- A full audit trail to support root cause analytics and investigation is provided through an exception management system
- Visualisation allows the auditor and the business to explore data, gain insight and take action
- Analytics can be run when the auditor or business requires; technology is fully embedded and enduring
Questions/Discussion
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited ("DTTL"), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.co.uk/about for a detailed description of the legal structure of DTTL and its member firms. Deloitte LLP is the United Kingdom member firm of DTTL.
This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte LLP would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte LLP accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication.
Deloitte LLP is a limited liability partnership registered in England and Wales with registered number OC303675 and its registered office at 2 New Street Square, London EC4A 3BZ, United Kingdom. Tel: +44 (0) 20 7936 3000 Fax: +44 (0) 20 7583 1198. Member of Deloitte Touche Tohmatsu Limited