Data & Analytics in Internal Audit. January 13, 2015

Data & Analytics in Internal Audit January 13, 2015

With You Today KPMG Brian Greenberg, Director, Data & Analytics-enabled Internal Audit (National) Sean Mulyanto, Manager IT Advisory (Los Angeles) 1

Agenda/Objectives Current Trends in Data & Analytics, Technology and Continuous Auditing Data & Analytics: A Maturity Model Utilizing DA in Internal Audit How to effectively plan an audit to maximize the use of DA Efficiently utilize DA in the execution of core audit activities Transformation into a Data & Analytics-enabled Internal Audit Organization Talent Management Attributes of a highly effective Internal Audit DA team (in Internal Audit) Enabling Your Analytical Mind 2

Why use Data & Analytics in Internal Audit? Continued pressure to do more with less Expectations of IA to provide increased value An increased emphasis by IA on ERM and Governance 3

Audit Methodology-based Maturity Model IA Methodology IA Methodology Maturity Level I Traditional Auditing Maturity Level II Ad Hoc Integrated Analytics Maturity Level III Continuous Risk Assessment & Continuous Auditing Maturity Level IV Integrated Continuous Auditing & Continuous Monitoring Maturity Level V Continuous Assurance of Enterprise Risk Management Strategic analysis Enterprise risk assessment IA plan development Execution and reporting Continuous reporting Data analytics are generally not used Data analytics are partially used but are sub-optimized Data analytics are effectively and consistently used (optimized) 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. 26125NSS 4

Current Trends: Data & Analytics, Technology and Continuous Auditing Convergence of Internal Audit and BI/CA/CM CA/CM strategic development link to enterprise initiatives: Partnering with the business KRIs and KPIs Enterprise Risk Management & Audit planning process Quantitative and/or continuous risk assessment Data Visualization 5

How Internal Audit Is Leveraging Data & Analytics Audit Execution (most common) Meaningful insights; not lists of exceptions Tactical efforts e.g. FCPA compliance, proactive fraud detection, etc. Audit planning periodically identify changes in key metrics to drive dynamic audit planning Pre-fieldwork scoping Adoption of risk-based testing methods instead of traditional sample testing 6

Data & Analytics-enabled Internal Audit Process Business Monitoring Enhanced Dynamic Reporting Analytics-Driven Continuous Risk Assessment Data & Analytics Audit Execution Data & Analytics -enabled Internal Audit Dynamic Audit Plan Operationalize into repeatable and sustainable analytics D&A Audit Scoping and Planning D&A enabled Audit Workplan 7

Client Issues to be Solved Limitations of Traditional (Audit and/or Enterprise) Risk Assessment Process How is CRA different? Traditional Risk Assessment Reactive Annual or Infrequent Qualitative-focused Results in static IA Plan Continuous Risk Assessment Proactive Continuous Quantitativeenhanced Dynamic IA Planning Insights into emerging and changing risks 8

Quantitative-Enhanced Continuous Risk Assessment Top Down Start with Risk Universe Source: Management reporting, risk assessment interviews, ERM results Linkage to Enterprise Wide Risks and Initiatives Management KRIs/KPIs to monitor the business Segment/Function Reporting Example: Target Revenue goals (%/$), Market Fluctuations AUDIT PLAN Bottom Up Start with Auditable Universe Source: IA findings, system reporting Quantitative metrics (e.g., KPIs, KRIs) which provide additional insights for audit plan development Focused on specific audit areas during planning phase Emerging risks out of IA plan execution Examples: Number of new contracts signed, overtime fluctuations by location 9

Value of Data & Analytics-Enabled Internal Auditing Identify the right audits for DA Increase the number of audits performed per year Decrease the time required to cycle through the audit universe Increase the scope of specific audits Effort Data & Analytics Integration Year 1 Year 2 Year 3 10

Prioritizing Your Audit Plan for Use of Data Analytics Availability: Is data available for the audited process? Yes No E.g., audit of a manually performed control Not a likely candidate Comprehension: Do your resources have the business knowledge available to understand the source data? Yes No E.g., audit of a complex process without front end support of process owner or IT Not a likely candidate Data Quality: Is the data being captured consistent in nature and complete Yes No E.g., exploratory audit or profile of a process Possible Candidate Risk: Does the audited process/area represent a high concentration of risk? No Yes E.g., OTC or P2P audit Top Priority Complexity: Is the data being obtained from 3 sources or less? Is the time required to obtain and validate the data low? No Yes E.g., T&E audit Top Priority Repeatability: Will the audit be performed multiple times using a similar data source (e.g. same ERP or quarterly audit)? No Yes Top Priority E.g., P-Card audit Possible Candidate 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. 26125NSS

Audit Preparation and Fieldwork Audit Management Define Audit Objective(s), Develop Analytics enabled Audit Work Program Understand the process and transaction flow Understand underlying data structure and availability Determine what analytics are relevant in achieving the audit objective(s) Refine audit work program if necessary and design the analytics based on the work program steps Define exceptions Data Management Acquire data (extract, transform, load) Assess data Completeness & Accuracy Quality Assess Extract Load Transform Data Analytics Develop and execute analytics (i.e., script, program, etc.) Validate results Validate with business owner(s) Confirm audit objective(s) achieved Refine and re-execute procedures, if necessary Develop Refine Execute Validate Analyze and Report Research exceptions Interpret results tell the story Follow-up with process owners Determine root cause Issue Audit Report present results and consider future continuous auditing relevance Issue Pilot Results Compared to success criteria 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. 26125NSS

Integrating data & analytics

Audit Cycle Enabled with Data & Analytics Planning / Scoping Fieldwork Enhanced Reporting Workplan Data Request Data Validation Data Transformation Pre-Fieldwork Scoping Analytics Execution Aggregation of Results Interpretation of Results Validation of Results Risk Profiling and Analytics Performance Profiling and Analytics Trend Analysis 14

Planning / Scoping Calculate population statistics Stratify (histogram) Relationships (PO vs Invoice count) Heat map (identify outliers) Data Discovery Tools Understand and map the data flow Days Sales Outstanding by Location Location 13 Location 4 Country Sales Commissions Commission Percentage Location 14 Location 5 Location 3 Location 2 Location 11 Location 16 Location 20 Location 7 CN 1,399,454 31,902 2% LT 960,425 28,812 3% KW 845792 42,289 5% OM 452,965 22,648 5% 0 20 40 60 80 100 Days Sales Outstanding 15

Fieldwork Process walkthrough Ask questions based on insights from analytics Detailed testing Include highest risk samples identified during analytics Perform additional analytics to support the audit objectives / observations 16

Example of Traditional Audit Analytics Traditional analytic techniques generate one spreadsheet per test Routines: 1. Missing Receipts 2. Late Expense Submissions 3. Potential Duplicate Submissions 4. Suspicious Keyword Search 5. High-Risk Merchant Category Code (MCC) Expenses 17

Missing Receipt Results 18

Late Expense Submission Results 19

Potential Duplicate Submission Results 20

Suspicious Keyword Search Results 21

High Risk MCC Expense Results 22

Key Questions To Consider Which departments had the highest rate of indicators? Which employees seemed to violate the policy most frequently? Are there transactions that were identified in multiple tests? Aggregation and data visualization allows auditors to dynamically review the results of analysis by drilling into multiple dimensions within a single screen. 23

Reporting Avoid reporting un-validated analytics Don t just present results, tell a story Analytic Unvalidated Results Potential Impact ($) Validated Results Impact ($) Payment Line Without Vendor 4,748 7,821,454 782 561,912 Voucher Line without PO 4,734 6,335,398 750 1,783,129 Receipt Not Completely Vouchered 3,791 5,973,342 3,791 5,973,342 Invalid PO 1,215 3,995,356 187 234,783 Voucher Line / Receipt Mismatch 2,646 3,012,094 1,543 2,673,527 PO Line Not Completely Received 397 2,949,804 0 0 Payment Without PO 324 2,778,010 0 0 Suspicious Voucher Processing Date 545 1,192,493 54 842,942 24

Transformation into a Data & Analyticsenabled Internal Audit Organization

If it were that easy Data & Analytics Challenges Access to quality data Analytics not achieving audit objectives It s not about Big Data Tools There is no silver bullet Can t buy success Successful use of analytics relies on Change in Mindset Skilled Resources Integrated Methodology Managing Time and Expectations 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. 26125NSS 26

Where and How to Begin? Refine Strategy/Roadmap Audit Planning versus Audit Execution Quantitative-enhanced, Continuous Risk Assessment Process to Facilitate Dynamic Audit Planning Audit Execution Annual Audit Plan Prioritization Green, Yellow, Red Audit work program Analytics Enablement Macro analytics for scoping Micro analytics for audit execution Link analytics-based test to audit objective Consider repeatable and sustainable opportunities (e.g., continuous auditing/monitoring) Penetrate and radiate across the audit universe Pilot process Develop Tactical Plans Other areas of opportunity (e.g., teaming with business to design/implement CA/CM) 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. 26125NSS

Transformation of Traditional Internal Audit to a Robust Data Analytics Enabled Program Roadmap Develop a Strategic Plan Define the objectives you are trying to achieve Identify key stakeholders and define the success criteria and related measurements Build an effective business case Consider use of a pilot to validate strategy and support business case Develop Tactical Plans Design governance and reporting structure for continuous auditing activities Evaluate data analytic skills and competencies Integrate data analysis into IA methodology and processes Evaluate and select technology tools Consider use of a pilot to validate tactical plans Design and Execute Implementat ion Plans Manage organizational change (internal to Internal Audit and business facing change) Design and deliver trainings Identify focus areas for implementation to satisfy strategic objectives Design and establish data connection/extract; analysis; and reporting mechanisms including riskand performance-based analytics, dashboards, scorecards, reports and alerts, etc. Continuous Program Evaluation/ Evolution Manage organizational change (internal to Internal Audit and business facing change) Regularly evaluate program for effectiveness and refine as necessary Consider additional areas for expansion and maturity Evaluate opportunities to extend into the business 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. 26125NSS

Transformation of Traditional Internal Audit to a Robust Data Analytics Enabled Program When transforming a traditional internal audit program to a robust DA enabled program, consider People, Process and Technology People Process Technology Compile a profile/job description for personnel required for the DA program Identify personnel within the organization that have the required experience/skills; consider other sourcing opportunities if required skills/experience are not resident within IA Develop a training program Techniques Tools Results Interpretation Develop program champions by providing personnel with the appropriate skills/experience with the training program Develop a DA audit methodology, including: Risk Assessment Audit Candidate Profile Procedures to transform an audit candidate to a DA enabled program (e.g., incorporating DA into planning, scoping, procedures, etc.) DA reporting Develop DA KPIs Tool(s) selection Tool usage maximization Data availability/understanding/etl DA tool obsolescence monitoring/prevention

Implementation (and sustainability) challenges General Determining and establishing consensus on objectives and success criteria Measuring and demonstrating success Limited resources (technology and human know how) Data Availability and Quality Lack of access to data Disparate information systems with different data formats Incomplete data sets, inconsistent data quality Data privacy/security issues to navigate Data Analytics Inability to effectively leverage data analytics to achieve audit objectives Definition of exception; addressing false positives and false negatives Workflow around exception resolution; managing volumes of exceptions Change Management Managing impact of CA/DA processes on auditors and other business processes (e.g., change in mindset, skilled resources, managing time and expectations, etc.)

Talent Management

There Is A Learning Curve Beginner Growth Expert Skill Level Time and Experience 32

Critical Thinking and Data Analytics Analytical mind - scientific method approach Understands business process alignment with data flow Embraces technology Curious/inquisitive balanced with disciplined/methodical Trial by fire, willing to learn, to fail, to figure it out Simultaneously understands the big picture 2013 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. NDPPS 192969 33

Super Auditor Capabilities Business Acumen Accounting Foundational Skills Process Assessment and Improvement IT Background Data Analytic Specific Core Competencies and Skills Tool Skills (MS Access, SQL, IDEA, QlikView) Data Management Data Analytics (diagnostic & prescriptive) 2013 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. NDPPS 192969 34

Thank you Brian Greenberg KPMG LLP bgreenberg@kpmg.com www.kpmg.com Sean Mulyanto KPMG LLP smulyantomong@kpmg.com www.kpmg.com All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International Cooperative ( KPMG International ). NDPPS 144455