Cost Effective Approaches to Best Practices in Data Analytics for Internal Audit
Presented to: ISACA and IIA Joint Meeting
October 10, 2014
By

Outline
- Introduction
- The Evolving Role of Internal Audit
- The importance of Data
- Most Cost Effective and Best practices in Data Provisioning
- The next logical step -- CCM
- Most Cost Effective and Best practices in CCM

Rausch Advisory Services LLC.
- Internal Audit: SAS70/ISO Reviews; Compliance Reviews; Construction Audits; Risk Mgt.; Sarbanes Oxley (Including Automation); Data Analytics; Continuous Controls Monitoring (CCM); PMO/Methodology Establishment and training; De-provisioning Automation
- Information Security: Information Security Enterprise-wide Risk Assessment; Business Continuity Management; Vulnerability Assessments; Social Engineering; Network, Wireless and Web Application Security Reviews; Incident Analysis and Response; Data Loss Prevention Auditing and Implementation; Interim Resource Management; Security Awareness Training
- Finance & Accounting: Close Acceleration and Automation; Budgeting/FP&A -- System selection, Custom Solutions and applications, and interim resources; Senior Staff Augmentation/Interim Executives; Custom Accounting Application development (in Excel, Access, .NET, SQL Server, Visual Basic and other technologies)
- Business Performance Improvement & Systems: PIVOT (Profitability Improvement Via Optimized Transactions); Process Improvement, Quality, and Continuous Improvement; Business Intelligence (Including KPI Metrics and linkage to strategy and incentive programs); Project Management Resources; Custom Solutions in Time Capture, project tracking, Capex tracking; Post Merger Integration (System Conversion and Realization of Cost Synergies); Strategy Workshops and retreats; Requirements Development and Systems Selections; Master Data Management and Centralized User ID Management Solutions

Evolving Role of Internal Audit
            | Historic | Mainstream | Cutting-Edge
Focus       | Audit entities based on rotational plan | Prioritize audit entities based on risk | Focus on strategic, business, and process risk
Perspective | Historic | Historic | Future
Style       | Corporate police | Father knows best | Consultant and advisor
Mandate     | Compliance with policies and procedures | Assurance on financial control; compliance | Business assurance
Risk Focus  | Financial | Financial plus | Enterprise risks
Tool Kit    | Compliance work programs | Audit work programs for key processes; controls | Risk frameworks, self-assessments
Technology  | None | Automated work papers | Automated testing and continuous monitoring
Source: Deloitte & Touche

Data Analytics is not just for IT Types

Where is the Data we need?
- Vast majority is in a database
- ERP systems
- GLs
- Other applications
- Flat files
- 3rd party providers
- spreadsheets

What tool Can access all of these?
- SQL Server
- ETL / Data Provisioning
- Powerful Analytics
- Built in web server / Reporting tool
- Job scheduler
- Email Alerts
- Powerful
- Flexible
- Scalable
- Easy to use
- Cost Effective (Free)
- SQL Server Express with Advanced Services

SQL Server for Data Provisioning
- SSIS: Powerful, but not usually needed unless doing sophisticated transformations
- Linked Server: Virtual reference for use in Queries (think of it as a pointer to the data)
- Obtain Read Only Permissions to Source
- Run Simple Script to create linked Server
- Run queries to access data

SSIS Graphical Design

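Creating a Linked Server

    -- Register the linked server through the MSDASQL (ODBC) provider, pointing at a System DSN
    EXEC sp_addlinkedserver
        @server     = '{Linked Server Name}',
        @srvproduct = '{System DSN Name}',
        @provider   = 'MSDASQL',
        @datasrc    = '{System DSN Name}';

    -- Map local logins to the remote account.
    -- @locallogin = NULL applies this mapping to every local login, so the
    -- remote account should be the read-only one obtained for the source.
    EXEC sp_addlinkedsrvlogin
        @rmtsrvname  = '{Linked Server Name}',
        @useself     = 'False',
        @locallogin  = NULL,
        @rmtuser     = '{Oracle User Name}',
        @rmtpassword = '{Oracle User Password}';
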
Querying with a Linked Server

    -- Four-part name: linked server, (empty) catalog, schema, table
    SELECT *
    FROM [LinkedServerName]..SYSADM.PS_PAY_EARNINGS
    WHERE PAY_END_DT >= DATEADD(dd, -30, GETDATE());
    GO

Reading in Flat Files

    -- KNVV Customer Master_ main
    DECLARE @FileOK INT;
    DECLARE @sql NVARCHAR(MAX);

    -- Only reload when today's extract file is present
    EXEC xp_fileexist '\\SQLPRD08\S$\SAP_Source_Files\Pending_Uploads\KNVV.txt', @FileOK OUTPUT;

    IF (@FileOK = 1)
    BEGIN
        -- Clear old data from prior day:
        IF OBJECT_ID('sarbox_automation.dbo.knvv') IS NOT NULL
            DROP TABLE SARBOX_AUTOMATION.dbo.KNVV;

        -- repull master table:
        SET @sql = N'SELECT * INTO SARBOX_AUTOMATION.dbo.KNVV
            FROM OPENROWSET(''Microsoft.ACE.OLEDB.12.0'',
                ''Text; HDR=Yes; Database=\\SQLPRD08\S$\SAP_Source_Files\Pending_Uploads;FMT=Delimited( )'',
                ''SELECT * FROM KNVV.txt'')';
        EXECUTE sp_executesql @sql;
    END
    GO

Reading in Spreadsheet Data

    USE CCM;

    -- Replace the previous upload with the current file
    TRUNCATE TABLE EarnCodesToInclude5_1;

    BULK INSERT dbo.earncodestoinclude5_1
    FROM '\\eu-securefile.eu.emory.edu\finadmin\iad\iad-Share\CCMSAUDIT\Uploads\Earnings Codes\5.1 EARNINGS CODES TO INCLUDE.txt'
    WITH (
        FIRSTROW = 2,              -- skip the header row
        FIELDTERMINATOR = '\t',    -- tab-delimited text export
        ROWTERMINATOR = '\n'
    );
    GO

Data Provisioning Model
[Diagram: Centralized Model; Self Service Model. Labels: Auditor, Data, IT or Power User]

New COSO Emphasis on CCM/Analytics
Principle 16: Ongoing Evaluations: Technology offers an opportunity to use computerized monitoring, which has a very high standard of objectivity (once programmed and tested) and allows for efficient review of large volumes of data at a low cost. Advances in automated activities have made continuous monitoring computer applications available, and these should be considered when selecting ongoing evaluations.

What is CCM?
The use of a combination of monitoring software and defined business rules to detect, prevent, and monitor the operating effectiveness of internal controls.
Key attributes of CCM/Best of Breed:
- 100% of transactions reviewed, not just a sample
- Tested in near real time as they occur
- Fully automated
- Robust reporting capabilities
- Exceptions history is maintained for meta analysis
- Tracking and resolution is built in
- Passive alerts and notifications are built in

Evolving Audit Departments
TRADITIONAL AUDIT | CCM
Reactive | Proactive
Costly | Cost Effective
Date Information | Real-Time
Less than 100% of Transactions | Comprehensive - 100% of Transactions

Components of CCM
[Diagram labels]
- Source Systems: GL, AP, AR, HR, Other
- Replication Or ETL
- Replicated Data For Analysis
- Statistical and Analytical Routines Continuously Performed on Data
- Exceptions Identified
- Reporting Tool
- Exception Management Interface
- Reports & Dashboards
- Email Alerts
Sample email alert: Invoice A123 from Acme Solutions in the amount of $543.21 may be a duplicate of invoice 123-1 in the amount of $543.21 Dated 4-14-2010 from Acme Inc.

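A duplicate-invoice routine of the kind that would produce the sample alert on this slide, written as an added T-SQL example (not code from the presentation). The table, its columns, the sample rows, the first-word vendor key and the 30-day window are all assumptions made for illustration.

```sql
-- Added example. Table, column names and all rows are constructed;
-- requires SQL Server 2012+ (CONCAT).
DECLARE @Invoices TABLE (
    InvoiceNo   varchar(20)   NOT NULL,
    VendorName  varchar(100)  NOT NULL,
    Amount      decimal(12,2) NOT NULL,
    InvoiceDate date          NOT NULL
);
INSERT INTO @Invoices (InvoiceNo, VendorName, Amount, InvoiceDate) VALUES
    ('123-1', 'Acme Inc.',      543.21, '2010-04-14'),
    ('A123',  'Acme Solutions', 543.21, '2010-04-20'),  -- same amount, near-identical vendor
    ('B777',  'Acme Inc.',      100.00, '2010-04-15'),  -- same vendor, different amount
    ('9001',  'Zenith Ltd',     543.21, '2010-04-16'),  -- same amount, different vendor
    ('A124',  'Acme Solutions', 543.21, '2010-09-01');  -- outside the 30-day window

WITH Keyed AS (
    SELECT InvoiceNo, VendorName, Amount, InvoiceDate,
           -- Assumed matching rule: vendor key = first word of the name, upper-cased,
           -- so 'Acme Inc.' and 'Acme Solutions' both collapse to 'ACME'.
           UPPER(LEFT(VendorName, CHARINDEX(' ', VendorName + ' ') - 1)) AS VendorKey
    FROM @Invoices
)
SELECT CONCAT(
         'Invoice ', n.InvoiceNo, ' from ', n.VendorName,
         ' in the amount of $', n.Amount,
         ' may be a duplicate of invoice ', o.InvoiceNo,
         ' in the amount of $', o.Amount,
         ' dated ', CONVERT(varchar(10), o.InvoiceDate, 120),
         ' from ', o.VendorName) AS AlertText
FROM Keyed AS n
JOIN Keyed AS o
  ON  o.VendorKey = n.VendorKey
  AND o.Amount    = n.Amount
  AND o.InvoiceNo <> n.InvoiceNo
  -- Pair each invoice only with an earlier one (invoice number breaks date ties),
  -- so a suspected pair is reported once rather than in both directions.
  AND (o.InvoiceDate < n.InvoiceDate
       OR (o.InvoiceDate = n.InvoiceDate AND o.InvoiceNo < n.InvoiceNo))
  AND DATEDIFF(day, o.InvoiceDate, n.InvoiceDate) <= 30
ORDER BY n.InvoiceDate;
```

Matching on the vendor key rather than the vendor ID is what catches a duplicate entered against a second master record for the same supplier.
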
Examples of CCM Algorithms
- Alert when SOD is violated (vs periodic testing)
- Automated T&E/P-Card fraud detection (vs cost of human reviewers)
- Master File Tampering (Payables, Payroll, etc.)
- Prevent Revenue Leakage
- Access Certifications/Central User ID Mgt

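The first algorithm in this list, sketched as an added T-SQL example (not code from the presentation): a segregation-of-duties check that alerts on a violation once, when it first appears, and keeps it in exception history. All table, column, role and user names and every row are constructed for illustration.

```sql
-- Added example. All table, column, role and user names are constructed.
DECLARE @Conflicts TABLE (RoleA varchar(40), RoleB varchar(40), Risk varchar(100));
DECLARE @UserRoles TABLE (UserId varchar(20), RoleName varchar(40), GrantedOn date);
-- Exception history: pairs already reported, so each violation alerts once.
DECLARE @History TABLE (UserId varchar(20), RoleA varchar(40), RoleB varchar(40),
                        Risk varchar(100), ConflictSince date);

INSERT INTO @Conflicts VALUES
    ('VENDOR_MAINTAIN', 'PAYMENT_APPROVE', 'Can create a vendor and approve payments to it'),
    ('PAYROLL_ENTRY',   'PAYROLL_APPROVE', 'Can enter and approve payroll changes');
INSERT INTO @UserRoles VALUES
    ('jdoe',   'VENDOR_MAINTAIN', '2014-01-05'),
    ('jdoe',   'PAYMENT_APPROVE', '2014-09-30'),   -- new grant completes a conflict
    ('asmith', 'PAYROLL_ENTRY',   '2014-02-01'),
    ('asmith', 'PAYROLL_APPROVE', '2014-03-01'),   -- conflict, but already in history
    ('blee',   'PAYMENT_APPROVE', '2014-02-11');   -- one side only: no conflict
INSERT INTO @History VALUES
    ('asmith', 'PAYROLL_ENTRY', 'PAYROLL_APPROVE',
     'Can enter and approve payroll changes', '2014-03-01');

-- Record violations not yet in history; OUTPUT returns just those new rows,
-- which is what a scheduled job would turn into alerts.
INSERT INTO @History (UserId, RoleA, RoleB, Risk, ConflictSince)
OUTPUT inserted.UserId, inserted.RoleA, inserted.RoleB,
       inserted.Risk, inserted.ConflictSince
SELECT a.UserId, c.RoleA, c.RoleB, c.Risk,
       -- The conflict exists from the later of the two grants.
       CASE WHEN a.GrantedOn > b.GrantedOn THEN a.GrantedOn ELSE b.GrantedOn END
FROM @Conflicts AS c
JOIN @UserRoles AS a ON a.RoleName = c.RoleA
JOIN @UserRoles AS b ON b.RoleName = c.RoleB AND b.UserId = a.UserId
WHERE NOT EXISTS (SELECT 1 FROM @History AS h
                  WHERE h.UserId = a.UserId
                    AND h.RoleA = c.RoleA AND h.RoleB = c.RoleB);
```

Running the final statement a second time in the same batch returns no rows, because the new violation is already in history.
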
Daily Notification of Process Status
Exception Notifications Via Email
Reporting
Edit Mode
Management Reporting
Use Iterative Approach
- Identify high risk areas
- Identify processes that touch these areas
- Identify systems involved in these processes
- Identify transactional records and associated tables involved in those processes
- Identify how a transaction failure would manifest
- Develop Analytical algorithms to recognize

Download the PIVOT White Paper
http://www.rauschadvisory.com

Careers in Data Analytics
- Big Data is transforming businesses
- Technology is capturing data at speeds and volumes never even imaginable
- Accountants, Auditors and CPAs are well-positioned to take a leadership role in helping to use Big Data to help the organization achieve business objectives
- Big Data has created a huge demand for professionals with analytical expertise
- You can have a big impact on your organization and your career

QUESTIONS
CONTACT INFORMATION
Wylie Roberts, C.P.A.: 404-218-6892 wroberts@rauschadvisory.com
Michael Lisenby: 404-404-705-6768 mlisenby@rauschadvisory.com
http://www.rauschadvisory.com