INCREASING AUDIT AGILITY WITH DATA ANALYTICS AND … · Leader & SAP Champion, RSM ......
Transcript of INCREASING AUDIT AGILITY WITH DATA ANALYTICS AND … · Leader & SAP Champion, RSM ......
© 2018 RSM US LLP. All Rights Reserved. © 2018 RSM US LLP. All Rights Reserved.
INCREASING AUDIT AGILITY WITH DATA ANALYTICS AND AUTOMATION
2019 GFOAT Fall Conference
October 7, 2019
Arlington, TX
© 2018 RSM US LLP. All Rights Reserved.
With You Today
Director, National Risk Analytics & Automation
Leader & SAP Champion, RSM
25+ years audit analytics experience
♦ 5 years with a Big 4 in Detroit
♦ 5 years with an Internal Audit services firm, running
their national ERP Implementation practice
♦ 3 years with a large insurance firm, leading all
Internal Controls initiatives within the CFO suite
♦ 1.5 years leading Technology Risk Consulting for
international services firm
♦ 5 years with ACL services, leading the strategy and
implementation of ACL’s consulting and training
♦ 5 years as Founder of High Water Advisors;
specializing in improving GRC through technology
♦ 2.5 years with RSM in Risk Consulting
Instructor with the MIS Training Institute
Steve BiskieCGMA, CISA
+1 303 915 1583
www.linkedin.com/in/stevebiskie
@SteveBiskie
www.rsmus.com
© 2018 RSM US LLP. All Rights Reserved.
Agenda
• Why Innovate?
• Level-Setting
• Demonstration
• Audit of the Future
• Wrap-Up
© 2018 RSM US LLP. All Rights Reserved. © 2018 RSM US LLP. All Rights Reserved.
WHY INNOVATE?
© 2018 RSM US LLP. All Rights Reserved.
Increased pressure to focus on more
sophisticated and relevant risks while still
responsible for traditional risks and compliance areas
“Datafied” processes and commoditized automation and analytical capabilities create a
RENEWED opportunity to scale audit and compliance
efforts
Modern Processes: Challenge & Opportunity
5
• Unprecedented velocity of change and risk
• Service offering and process changes
• Technology transformation
• Workforce changes
• Geographic coverage / expansions
• Regulatory landscape
• Data is critical to business intelligence
• Data volume, variety, velocity, and veracity
• DA becoming standard practice for regulators
• Expectation that audit to provide more value
• Opportunity for audit to challenge the status
quo
Audit must scale and adapt
© 2018 RSM US LLP. All Rights Reserved.
Risk Creeps Into Our Modern Information Systems
Configurable system controls may be:• Disabled (past, present, future)• Misconfigured or left to default settings• Outdated/obsolete
Internal system processes may override expected controls, for example:• Sundry invoices bypass 3-way match• Auto-PO or auto-goods receipt generation• Credit and replace practices override pricing
Failed or faulty processing routines may impact data integrity and availability:• Gaps in time series• Mishandled NULL values• Changes in scale/units
• Incomplete or erroneous legacy data• Sample or test data left in the system• Faulty join and aggregation logic• Hardware/software constraints
Realistic transaction
Typos, workarounds, duplicates, unstandardized text, truncated/censored entries
Unauthorized C/R/U/D as elevated user
Managerial override
‘Dirty data’ from downstream system
Buffer overflows, transmission problems
Exception report ignored,
misinterpreted, or
unreliable
System warnings are soft, ignored, or misinterpreted
Enterprise Application
6
© 2018 RSM US LLP. All Rights Reserved.
Benefits of Technology-Enabled Audits
7
Scale Consistency Force Multiplier
Scheduling Limit “Low Cognitive” Tasks Opportunity Cost
© 2018 RSM US LLP. All Rights Reserved.
The Need for Innovative Auditing
Risk Analytics
Answer questions about past, present, and future• IFTTT, SoD, and business rules
• Data visualization
• Process mining
• Risk scoring, modeling, and statistics
• Text mining, machine learning, and AI
Automation
Automate and routinize key audit tasks• Scheduled jobs
• Low cognitive task automation
• Manual, repetitive or high volume tasks
• Cross-application “macros”
• Higher-order task automation (with AI)
Agile
Organize, prioritize and deliver on audits• Risk backlog vs defined plan
• Quick sprints, adaptable to changes
• Incremental work vs all at once
• Increased information and communication flow
• Client collaboration
© 2018 RSM US LLP. All Rights Reserved. © 2018 RSM US LLP. All Rights Reserved.
LEVEL-SETTING
© 2018 RSM US LLP. All Rights Reserved.
Data Analytics
Data Analytics (DA) is using technology to
automate, in part or in whole, the discovery,
interpretation and communication of actionable
insights and meaningful conclusions derived from
data
Digital Evidence + Algorithms + Technology(set of operations / procedures)(business data) (understood by computers)
Automated
• Ad hoc
• Repeatable
• Continuous
Purpose
• Descriptive
• Diagnostic
• Predictive
• Prescriptive
Rule Source
• Experts
• Statistics
• ML/AI
Focus
• Risk (KRIs)
• Performance (KPIs)
DEFINITION
SIMPLIFIED
FOR AUDIT
CORE
ELEMENTS
© 2018 RSM US LLP. All Rights Reserved.
Audit Automation
Use of software (sometimes with AI and machine learning
capabilities) to handle high-volume, repeatable audit-related
tasks that previously required a person to perform
Tasks can include:
• Queries
• Calculations
• eGRC and audit management
• Maintenance of records and transactions (e.g., audit marts)
• Alerts and workflows
• Evidence collection (e.g., screen scraping, polling/surveys, OCR)
• Report generation and distribution
11
© 2018 RSM US LLP. All Rights Reserved.
Robotic Process Automation
12
Developed bots are capable of
interacting with and integrating
disparate enterprise applications,
databases, and files to limit the
business need to develop custom,
application specific integrations.
Across industries, RPA enables
organizations of all sizes to
efficiently scale operations with
minimal impact to existing business
processes.
RPA Value Proposition
Robotic process automation
(“RPA”) refers to a set of
modular software programs (or
“bots”) to complete structured,
repeatable, and logic-based
tasks by mimicking the actions
taken by existing human staff.Robotic Process
Automation
What is RPA
A set of scheduled bots are
capable of running on multiple
servers within a company’s
environment simultaneously with
minimal impact to resource and
network capacity.
RPA Scalability
RPA Extensibility
© 2018 RSM US LLP. All Rights Reserved.
Consistent
execution
Team focus on
more strategic
and analytical
tasks
RPA Characteristics
13
Top and
bottom line
impact
Tasks
performed
significantly
faster
Consistent
execution
while
maintaining
accuracy
Mimics existing
activities currently
performed by
humans.
RPA does
not require
integration
with other
technologies.
Non-intrusive Automated Efficient Cost effective Empowering
© 2018 RSM US LLP. All Rights Reserved.
Analytics and RPA: A Perfect Marriage
Analytic
• Sends transactions for which the bot will mine systems and websites for data (evidence)
RPA
• Automatically collects data and other information to feed to the analytics
14
© 2018 RSM US LLP. All Rights Reserved. © 2018 RSM US LLP. All Rights Reserved.
DEMONSTRATION
© 2018 RSM US LLP. All Rights Reserved.
Demonstration: Building the Bot
16
© 2018 RSM US LLP. All Rights Reserved.
Demonstration: Gathering Data to Feed Dashboard
17
© 2018 RSM US LLP. All Rights Reserved.
Analytics and RPA for Manual Journal Entry Testing
Accounting Supervisor
logs into SAP and pulls
MJE population using key
SAP report
Audit Team selects 45
samples (per yr. & location) and
requests supporting evidence
Accounting Supervisor logs
back into SAP and manually takes screenshots of
detail and approval workflow
and downloads related MJE
support.
Audit team manually reviews evidence and manually and
updates MJE testing template based on
the screenshots and other supporting
evidence provided
Audit team follows up
with Accounting Supervisor
on any potential
exceptions
Audit workpaper is finalized and ready for review
Current MJE Testing Process
Automated MJE Testing Process
MJE extracted from backend system tables
directly
Audit Team selects 45 samples
based on full population*(automated sample in
next phase)
RPA Bot pulls data from extracted tables
and logs into system to extract MJE support;. RPA Bot automates
rules based testing and highlighting potential
exceptions within workpaper.
Audit team performs testing
around non-structured
MJE support**
Audit team follows up with
Accounting Supervisor on any potential exceptions
identified by the Bot
Audit workpaper is finalized and ready for review
Key benefits
Quantitative:~250 hours of
combined savings
annually
Qualitative:Improved testing
accuracy
Value focused
talent – reduction
of time performing
manual/routine
tasks
Reduced testing
cycle time/faster
identification of
issues
Improved
employee morale
Enablement of
future automation
and SAP data
analytics
opportunities
© 2018 RSM US LLP. All Rights Reserved. © 2018 RSM US LLP. All Rights Reserved.
AUDIT OF THE FUTURE
© 2018 RSM US LLP. All Rights Reserved.
Future Process: DA and Practical Automation
Risk analytics
• Implement analytic tools (including predictive analytics) and processes to gain more extensive insight from your data and enable more effective, agile audits and assessments
Enterprise risk & Control
Monitoring
• Integrate organization-wide information about risks and controls into centralized repositories, and more automatically feed data into and evaluate data from enterprise tools
Process Automation
• Increase audit efficiency by leveraging process automation to automate manual or repetitive tasks
Artificial Intelligence
(AI)
• Integrate the capability of machines to execute tasks that are characteristic of human intelligence
20
© 2018 RSM US LLP. All Rights Reserved.
Data Profiling: “eCorroborative Inquiry”
© 2018 RSM US LLP. All Rights Reserved.
Text Mining: Finding Common Themes
• Exact and fuzzy key word hits in text analysis
• Themes and word counts of internal polls/surveys
• Sentiment analysis of social media posts
• Negative news analysis of business partners
• Mining key attributes of legal documents
• Analysis of call center interactions
− Disclosures
− Complaint patterns
− Protocols initiated
− Fraud indicators
22
© 2018 RSM US LLP. All Rights Reserved.
Process Mining: Understanding the “True” Process
What process deviations don’t we know about?
What can an event log containing an event ID, timedate stamp, user ID/role, and a metric tell us about a business process?
23
© 2018 RSM US LLP. All Rights Reserved.
Dashboards: Visually Presenting the Facts
24
© 2018 RSM US LLP. All Rights Reserved.
Risk-Scoring: Getting to the Issues Quickly
25
© 2018 RSM US LLP. All Rights Reserved.
Tech-Driven Innovation Across the Audit Process
26
Develop
audit plan
Plan the
audit
Controls
testing
Substantive
procedures
Reporting
audit
findings
Follow
up on
findings
• Data profiling and
trending
• Visual and
statistical analysis
• Process mining to
understand
transactional flow
• Bots push
questionnaires to
control owners
• Data mine survey
responses
• Data-driven risk
indicators
• 1st and 2nd line
KRIs and CSA
results
• People risk
indicators to get
at residual risk
• Continuous Risk
Assessment (CRA)
• Data mine
changes and
flux
• Bots extract
evidence from
disparate systems
• Bots automate
sample selection
• Bots solicit
stakeholders for
information
• Bots monitor
unattended mailbox
for responses
• Rules-based
exception testing
• Auditors conduct
ad-hoc analysis
• Data-driven
quantification of
findings and risks
• Dynamic reporting
of risks and
findings
• Evaluate need for
additional
continuous audit
procedures
• Provide
management with
analytic prototypes
• Automated alerts of
aged issues /
exceptions
• Automated re-testing
of resolution
• Quality
• Timing
• Visual issue trending
• Ad-hoc analysis
• Remote procedure
calls to web
services (e.g.,
Google APIs)
• Recalculation and
reperformance
• Application
processing
verification
Strategic Emerging Risks can be ID’d anywhere in the audit process Granular
© 2018 RSM US LLP. All Rights Reserved.
Tech Streamlines and Facilitates Auditor Judgment
Each mode can be ad hoc, repeatable or continuous
LEARN
Profile business activity: Who, What, Where, When, Why and How?
Report changes within the organization and systems
Conduct Exploratory Data Analysis (EDA) – what could we be looking at?
CATCH
Identify ineffective controls
Identify persistent or new risks
Detect anomalous/irregular patterns
Identify noncompliance
Detect fraudulent activity
Flag waste and abuse
CONFIRM
Attest to the effectiveness
Affirm something’s existence
Corroborate an allegation
Substantiate an audit finding
VALUATE
Assess impact of an event
Estimate likelihood or probability
Calculate level of effort, return on investment, or cost of implementation
Develop
audit plan
Plan the
audit
Controls
testing
Substantive
procedures
Reporting
audit
findings
Follow
up on
findings
© 2018 RSM US LLP. All Rights Reserved.
Tech Ecosystem for Technology-Enabled Audits
28
© 2018 RSM US LLP. All Rights Reserved. © 2018 RSM US LLP. All Rights Reserved.
WRAP-UP
© 2018 RSM US LLP. All Rights Reserved.
Reality Check: We’ve had the tools for awhile…
• Internal Audit Automation has actually been around for decades
• Traditional audit technologies helped to automate data analysis procedures
• PC-integrated technologies helped to automate tasks
• Newer Robotic Process Automation (RPA) technologies automate where back-end system access is unavailable
Unchanged audit
processes result in the
use of analytics and
automation stagnating in
many organizations
© 2018 RSM US LLP. All Rights Reserved.
Common Barriers to Effective Implementation
• Issues with data quality, access and permissions
• "Know how“ and critical/analytical thinking
• Staff (and stakeholder) resistance to change
• This takes time, time, planning and ‘sweat equity’
• Automated process may become unfit for purpose
• Perverse incentives: reward A, but hope for B
31
© 2018 RSM US LLP. All Rights Reserved.
Requiring a Planned, Multiphase Implementation
2018
Make it work
2019
Make it stick
2020
Make it scale
Learning &
Culture
Operational
Stakeholders
& Partners
Financial
Outcomes
Time to competency
Audit effectiveness
Transactional coverage
Innovation
Consistently met needs Ease of doing business
Analytic ROI
Reusable, configurable components Streamlined DA portfolio
Staff engagement
© 2018 RSM US LLP. All Rights Reserved.
Conclusion and Call to Action
• There should be no significant barriers to
beginning your transformation initiative TODAY
• Consider quick-hit process improvement
opportunities prior to automation
• Recognize the tools in your toolbox that are
right for the job
• Prioritize low-risk, low-effort areas
• Get started!
© 2018 RSM US LLP. All Rights Reserved. © 2018 RSM US LLP. All Rights Reserved.
34
© 2018 RSM US LLP. All Rights Reserved.
This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not
constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based
on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. Internal
Revenue Service rules require us to inform you that this communication may be deemed a solicitation to provide tax services. This communication is being sent to individuals who have
subscribed to receive it or who we believe would have an interest in the topics discussed.
RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM
International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own
acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International.
RSM® and the RSM logo are registered trademarks of RSM International Association. The power of being understood® is a registered trademark of RSM US LLP.
© 2018 RSM US LLP. All Rights Reserved.
© RSM US LLP. All Rights Reserved. | Page 35