Embed Size (px)
Citation preview
PwC
The Path Forward for DataAnalysis and ContinuousAuditing
May 2011
www.pwc.com
PwC
Agenda
What are we hearing in the market?
The CA Maturity Path
Where to start? What is the difference between CA & CCM?
Best Practice Approach
Getting the Right Data & the Right Resources
Next Steps
2
PwC
Agenda
What are we hearing in the market?
The CA Maturity Path
Where to start? What is the difference between CA & CCM?
Best Practice Approach
Getting the Right Data & the Right Resources
Next Steps
3
PwC
Key Drivers for Change in the Internal Audit
The needs of organizations for risk mitigation and assurance havechanged dramatically…
• Strategic risk is a key concern for Boards, yet the amount of informationprovided regarding strategic, value impacting opportunities and threats isoften limited
• Executive Management is also focused on strategic, organizational andbusiness risks
• Globalization, expansion and the heightened pace of change are increasingthe complexity of risks
• Broader Risks: risks around financial controls and basic compliance aremanaged more effectively, while there are few robust techniques foroverseeing broader risk
• Do More with Less: there are increasing pressures to reduce the cost ofcompliance
4
PwC
Year to Year Efficiency Priorities
5
31%
39%
69%
69%
58%
49%
42%
11%
14%
23%
24%
29%
34%
46%
Reduce external training
Reduce travel
Standardize audit procedures
Utilize a more risk based approach
Identify audit process inefficiencies
Simplify reporting
Increase use of technology
Plan to employ Have employed
PwC
Barriers to Effective Use of Technology
6
45%
41%
36%
56%
54%
40%
43%
55%
Other
Lack of methodology
Lack of access
Lack of skills and knowledge
Data tools Organizational systems
PwC
Agenda
What are we hearing in the market?
The CA Maturity Path
Where to start? What is the difference between CA & CCM?
Best Practice Approach
Getting the Right Data & the Right Resources
Next Steps
7
PwC
Stakeholders’ Perspectives on the Future ofInternal Audit
8
• Technology to execute audits
- Data retrieval software to automatetesting
• Increase audit coverage
• Focus on anomalies
• Continuous monitoring
- Data mining/analysis software forpredictive analysis and modeling
• Technology to improve the efficiency of theaudit process
- Automate issue tracking
- Streamlined reporting
- Knowledge management and leadingpractices
- Storage and retrieval of work products
1. Realigning audit coverage
2. Improving processand leveraging technology
Significantly More Value
Materially Less Cost
Optimize Internal Audit processes and leveragetechnology to enhance insight and increase productivity.
PwC
Internal Audit Process Framework – As Is
9
ANNUALANNUALRiskRisk
AssessmentAssessmentAudit PlanAudit Plan
FieldworkFieldworkTechnology is beingapplied here (in audit
management anddata analysis), tospeed up audit
process…
ReportingReporting WrapWrap--UpUp
…but the major limiting
factors are in annual riskassessment and inreporting delays
Process to utilize results for next year’s Risk Assessment
Utilize information from previous audits for current audits (ad-hoc data analysis notleveraged project to project). However, informal sharing of information within group.
PwC
Internal Audit Process Framework - Future
10
A technology enabled approach to the internal auditframework allows for more timely identification of andresponse to risks.
ONGOINGONGOING RiskRiskAssessmentAssessment
• Monitor key risks• Changes in KRIsindicating change inrisk profile
Audit PlanAudit Plan• Monitor results tochange frequency/scope of plannedaudits
ReportingReporting• Report changes intrends to management
PERIODICPERIODICFieldworkFieldwork
Strategic AuditStrategic Audit
No ActionNeeded
ContinuousAudit
Program
ExecuteAutomated
Script
ExceptionReporting
ReviewReports
PwC
Continuous Auditing Maturity
11
Ad Hoc Analytics• Occasional, ad-hoc data
analysis on certain audits
Routinely Leverage• Core technical
competencies residentwithin the department
• Results used for updatingrisk assessment throughoutthe audit process
Initial Stage• Creation of data experts to
develop routine dataanalysis techniques
• No process for incorporatinginto IA methodology
• IA focused
Fully Optimized• Technology enables full
integration into internal auditworkflow
• Business focused
There is a broad spectrum oftechnology use in ContinuousAuditing.
Enhancing the use oftechnology can assist withimproving the efficiency of theContinuous Auditing process.
PwC
Agenda
What are we hearing in the market?
The CA Maturity Path
Where to start? What is the difference between CA & CCM?
Best Practice Approach
Getting the Right Data & the Right Resources
Next Steps
12
PwC
Challenges Facing CAEs
Chief Audit Executives (CAEs) are faced with several challenges whereCA is concerned:
• Where do I start?
• What technologies do I need to consider?
• What are the best practices for leveraging data analysis in theinternal audit?
• What pitfalls do I need to avoid?
• What are my competitors doing? Are there any benchmarks orother guidelines I can use to help direct my strategy?
• What does a successful CA pilot look like?
13
PwC
Benefits from Continuous Controls Monitoring(CCM)
14
Preventative Detective
Risk Management Compliance-Office Process-Owner Internal Audit
• Optimization(automation) of theinternal controlssystems and itsmonitoring (incl.monitoring of potentialviolations/alerts and itsremediation)
• Uncover additionalprocess in-efficiencies(e.g. Human errors,unexploitedcontractual conditions)
• Reduction of (existing)process controls
• Optimisation of therisk based auditapproach
• Establishment of thepre-requisites for aContinuous Audit(internal und externalaudit)
• Automation of testing
• Damage minimizationthrough proactiveprevention anddetection (e.g. fraud)
• Enforcement of policiesand standards
• Demonstration ofdevelopments/trends ofnewly implemented(compliance) initiatives
• Increase of processand data quality
• Internal compliancebenchmarking
• Transparency withregard to attitudechange towardscompliance
• Effective detailed riskanalyses in de-/centralbusiness units
• Reporting andevaluation of key dataand ratios (e.g.integrated compliancerisk)
• Continuous, completeand company-wideanalyses of acompany‘s fraud risksbased on empiricaldata
Continuous Controls Monitoring
PwC
Agenda
What are we hearing in the market?
The CA Maturity Path
Where to start? What is the difference between CA & CCM?
Best Practice Approach
Getting the Right Data & the Right Resources
Next Steps
15
PwC
Where to Start? A Top Down Approach
16
+
Concentration on key risks and link to key controls
Identification of essential/top risk areas
Top down approach to identify key controls: starting with managementlevel / IT-/ automated controls and completion with process controls if thebefore mentioned controls don‘t offer adequate coverage.
Pragmatic top down approach …
... and continuous risk monitoring
Continuous monitoring of the risk remediation progress
Reporting: Alerts reporting and ageing (risk exposure); Recording ofalerts remediation activities
Organization: Responsibility and ownership, escalation process
Compliance level: Trend analyses and monitoring of behavioral change
Top down
Key risks
Monitoring /IT/
Automated controls
Process controls
PwC
PwC’s Risk Based Top Down Approach
Where do you start? To leverage dataanalytics and implement a CA / CCM solutionsuccessfully, you need to first determine where you want theanalytics to be focused
What are the higher risk areas in the enterprise?
Within those areas, which risks do you want to focus on?
Can we create high value analytics which will help address thoserisks?
17
Top down
Key risks
Monitoring /IT/
Automated controls
Process controls
PwC
Agenda
What are we hearing in the market?
The CA Maturity Path
Where to start? What is the difference between CA & CCM?
Best Practice Approach
Getting the Right Data & the Right Resources
Next Steps
18
PwC
Potential Technology Architecture
19
Dashboard
Risk Indicators / Control Parameters
Extractor / Mapping / Load
OracleSAP PSFTJDE Other
Reporting
MS SharePoint orWorkflow Mgmt Tool
MS Analytical &Reporting Servicesor Reporting Tool
MS Integration Services orclient existing ETL Tool*
TBD based on vendorselection and requirements(e.g. ACL CCM, Oversight,MS SQL Server, etc.)
Leverage InternalData Warehouse orMS SQL Server
Technology ConsideredDescription / Use
Screens presented to users based onmodules implemented and user roles.
Behind the scenes formatting of reportsand information to be presented throughthe dashboard.
Analytical engine which is customizedbased on testing/auditing requirements.
Leverage existing client infrastructureand source system.
Automated process to pull data from sourcesystems and map into data warehouse.
Modules are implemented in thewarehouse based on data requirementsassociated with KRI’s.
Audit Data Warehouse
Procure-to-pay
Order-to-cash
FinancialReporting
RetailStore
HR &Payroll
Capital& F.A.P-Card Others
All Industries IndustrySpecific
T & E
Others
*Integration or ETL tool usedwill depend on the softwareused for the Audit DataWarehouse
PwC
CA / CCM Software Tools
20
• Tools should not drive CA / CCM decision-making and approachdefinition
• A suitable tool could be selected once requirements / processes arewell-defined
• There are many acceptable tools on the market
• Most specialized tools require significant investment
• Less expensive general data analysis tools are already owned bycompanies (ACL, MS Access, MS SQL Server). While lacking somespecialized features, these are widespread and could be effectivelyused in the initial phases
PwC
The Ideal CA / CCM Resource
To effectively deliver results with a strong value proposition, the idealresource to lead and build the data analysis and CA / CCM solutionwould have the following capabilities:
• Accounting
• Business processes
• Audit methodologies
• IT and manual controls knowledge
• Basic fraud knowledge across major business cycles
• ERP knowledge
• Data normalization skills
• Strong analytical skills
• Excellent organization & communication skills
• Programming knowledge
21
PwC
Agenda
What are we hearing in the market?
The CA Maturity Path
Where to start? What is the difference between CA & CCM?
Best Practice Approach
Getting the Right Data & the Right Resources
Next Steps
22
PwC
Where are you on the data analysis /CA maturity curve?
23
Ad Hoc Analytics• Occasional, ad-hoc data
analysis on certain audits
Routinely Leverage• Core technical
competencies residentwithin the department
• Results used for updatingrisk assessment throughoutthe audit process
Initial Stage• Creation of data experts to
develop routine dataanalysis techniques
• No process for incorporatinginto IA methodology
• IA focused
Fully Optimized• Technology enables full
integration into internal auditworkflow
• Business focused
There is a broad spectrum oftechnology use in ContinuousAuditing.
Enhancing the use oftechnology can assist withimproving the efficiency of theContinuous Auditing process.
PwC
Further Discussion and Next Steps
24
Contacts:
Brent Papciak [email protected]
John Jay McKey [email protected]
This publication has been prepared for general guidance on matters of interest only, and doesnot constitute professional advice. You should not act upon the information contained in thispublication without obtaining specific professional advice. No representation or warranty(express or implied) is given as to the accuracy or completeness of the information containedin this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, itsmembers, employees and agents do not accept or assume any liability, responsibility or duty ofcare for any consequences of you or anyone else acting, or refraining to act, in reliance on theinformation contained in this publication or for any decision based on it.
© 2010 PricewaterhouseCoopers LLP All rights reserved. In this document, “PwC” refers to[insert legal name of the PwC firm] which is a member firm of PricewaterhouseCoopersInternational Limited, each member firm of which is a separate legal entity.
