INCREASING AUDIT AGILITY WITH DATA ANALYTICS AND … · Leader & SAP Champion, RSM ......

© 2018 RSM US LLP. All Rights Reserved. © 2018 RSM US LLP. All Rights Reserved.

INCREASING AUDIT AGILITY WITH DATA ANALYTICS AND AUTOMATION

2019 GFOAT Fall Conference

October 7, 2019

Arlington, TX

© 2018 RSM US LLP. All Rights Reserved.

With You Today

Director, National Risk Analytics & Automation

Leader & SAP Champion, RSM

25+ years audit analytics experience

♦ 5 years with a Big 4 in Detroit

♦ 5 years with an Internal Audit services firm, running

their national ERP Implementation practice

♦ 3 years with a large insurance firm, leading all

Internal Controls initiatives within the CFO suite

♦ 1.5 years leading Technology Risk Consulting for

international services firm

♦ 5 years with ACL services, leading the strategy and

implementation of ACL’s consulting and training

♦ 5 years as Founder of High Water Advisors;

specializing in improving GRC through technology

♦ 2.5 years with RSM in Risk Consulting

Instructor with the MIS Training Institute

Steve BiskieCGMA, CISA

[email protected]

+1 303 915 1583

www.linkedin.com/in/stevebiskie

@SteveBiskie

www.rsmus.com


Agenda

• Why Innovate?

• Level-Setting

• Demonstration

• Audit of the Future

• Wrap-Up


WHY INNOVATE?


Increased pressure to focus on more

sophisticated and relevant risks while still

responsible for traditional risks and compliance areas

“Datafied” processes and commoditized automation and analytical capabilities create a

RENEWED opportunity to scale audit and compliance

efforts

Modern Processes: Challenge & Opportunity

5

• Unprecedented velocity of change and risk

• Service offering and process changes

• Technology transformation

• Workforce changes

• Geographic coverage / expansions

• Regulatory landscape

• Data is critical to business intelligence

• Data volume, variety, velocity, and veracity

• DA becoming standard practice for regulators

• Expectation that audit to provide more value

• Opportunity for audit to challenge the status

quo

Audit must scale and adapt


Risk Creeps Into Our Modern Information Systems

Configurable system controls may be:• Disabled (past, present, future)• Misconfigured or left to default settings• Outdated/obsolete

Internal system processes may override expected controls, for example:• Sundry invoices bypass 3-way match• Auto-PO or auto-goods receipt generation• Credit and replace practices override pricing

Failed or faulty processing routines may impact data integrity and availability:• Gaps in time series• Mishandled NULL values• Changes in scale/units

• Incomplete or erroneous legacy data• Sample or test data left in the system• Faulty join and aggregation logic• Hardware/software constraints

Realistic transaction

Typos, workarounds, duplicates, unstandardized text, truncated/censored entries

Unauthorized C/R/U/D as elevated user

Managerial override

‘Dirty data’ from downstream system

Buffer overflows, transmission problems

Exception report ignored,

misinterpreted, or

unreliable

System warnings are soft, ignored, or misinterpreted

Enterprise Application

6


Benefits of Technology-Enabled Audits

7

Scale Consistency Force Multiplier

Scheduling Limit “Low Cognitive” Tasks Opportunity Cost


The Need for Innovative Auditing

Risk Analytics

Answer questions about past, present, and future• IFTTT, SoD, and business rules

• Data visualization

• Process mining

• Risk scoring, modeling, and statistics

• Text mining, machine learning, and AI

Automation

Automate and routinize key audit tasks• Scheduled jobs

• Low cognitive task automation

• Manual, repetitive or high volume tasks

• Cross-application “macros”

• Higher-order task automation (with AI)

Agile

Organize, prioritize and deliver on audits• Risk backlog vs defined plan

• Quick sprints, adaptable to changes

• Incremental work vs all at once

• Increased information and communication flow

• Client collaboration


LEVEL-SETTING


Data Analytics

Data Analytics (DA) is using technology to

automate, in part or in whole, the discovery,

interpretation and communication of actionable

insights and meaningful conclusions derived from

data

Digital Evidence + Algorithms + Technology(set of operations / procedures)(business data) (understood by computers)

Automated

• Ad hoc

• Repeatable

• Continuous

Purpose

• Descriptive

• Diagnostic

• Predictive

• Prescriptive

Rule Source

• Experts

• Statistics

• ML/AI

Focus

• Risk (KRIs)

• Performance (KPIs)

DEFINITION

SIMPLIFIED

FOR AUDIT

CORE

ELEMENTS


Audit Automation

Use of software (sometimes with AI and machine learning

capabilities) to handle high-volume, repeatable audit-related

tasks that previously required a person to perform

Tasks can include:

• Queries

• Calculations

• eGRC and audit management

• Maintenance of records and transactions (e.g., audit marts)

• Alerts and workflows

• Evidence collection (e.g., screen scraping, polling/surveys, OCR)

• Report generation and distribution

11


Robotic Process Automation

12

Developed bots are capable of

interacting with and integrating

disparate enterprise applications,

databases, and files to limit the

business need to develop custom,

application specific integrations.

Across industries, RPA enables

organizations of all sizes to

efficiently scale operations with

minimal impact to existing business

processes.

RPA Value Proposition

Robotic process automation

(“RPA”) refers to a set of

modular software programs (or

“bots”) to complete structured,

repeatable, and logic-based

tasks by mimicking the actions

taken by existing human staff.Robotic Process

Automation

What is RPA

A set of scheduled bots are

capable of running on multiple

servers within a company’s

environment simultaneously with

minimal impact to resource and

network capacity.

RPA Scalability

RPA Extensibility


Consistent

execution

Team focus on

more strategic

and analytical

tasks

RPA Characteristics

13

Top and

bottom line

impact

Tasks

performed

significantly

faster

Consistent

execution

while

maintaining

accuracy

Mimics existing

activities currently

performed by

humans.

RPA does

not require

integration

with other

technologies.

Non-intrusive Automated Efficient Cost effective Empowering


Analytics and RPA: A Perfect Marriage

Analytic

• Sends transactions for which the bot will mine systems and websites for data (evidence)

RPA

• Automatically collects data and other information to feed to the analytics

14


DEMONSTRATION


Demonstration: Building the Bot

16


Demonstration: Gathering Data to Feed Dashboard

17


Analytics and RPA for Manual Journal Entry Testing

Accounting Supervisor

logs into SAP and pulls

MJE population using key

SAP report

Audit Team selects 45

samples (per yr. & location) and

requests supporting evidence

Accounting Supervisor logs

back into SAP and manually takes screenshots of

detail and approval workflow

and downloads related MJE

support.

Audit team manually reviews evidence and manually and

updates MJE testing template based on

the screenshots and other supporting

evidence provided

Audit team follows up

with Accounting Supervisor

on any potential

exceptions

Audit workpaper is finalized and ready for review

Current MJE Testing Process

Automated MJE Testing Process

MJE extracted from backend system tables

directly

Audit Team selects 45 samples

based on full population*(automated sample in

next phase)

RPA Bot pulls data from extracted tables

and logs into system to extract MJE support;. RPA Bot automates

rules based testing and highlighting potential

exceptions within workpaper.

Audit team performs testing

around non-structured

MJE support**

Audit team follows up with

Accounting Supervisor on any potential exceptions

identified by the Bot

Audit workpaper is finalized and ready for review

Key benefits

Quantitative:~250 hours of

combined savings

annually

Qualitative:Improved testing

accuracy

Value focused

talent – reduction

of time performing

manual/routine

tasks

Reduced testing

cycle time/faster

identification of

issues

Improved

employee morale

Enablement of

future automation

and SAP data

analytics

opportunities


AUDIT OF THE FUTURE


Future Process: DA and Practical Automation

Risk analytics

• Implement analytic tools (including predictive analytics) and processes to gain more extensive insight from your data and enable more effective, agile audits and assessments

Enterprise risk & Control

Monitoring

• Integrate organization-wide information about risks and controls into centralized repositories, and more automatically feed data into and evaluate data from enterprise tools

Process Automation

• Increase audit efficiency by leveraging process automation to automate manual or repetitive tasks

Artificial Intelligence

(AI)

• Integrate the capability of machines to execute tasks that are characteristic of human intelligence

20


Data Profiling: “eCorroborative Inquiry”


Text Mining: Finding Common Themes

• Exact and fuzzy key word hits in text analysis

• Themes and word counts of internal polls/surveys

• Sentiment analysis of social media posts

• Negative news analysis of business partners

• Mining key attributes of legal documents

• Analysis of call center interactions

− Disclosures

− Complaint patterns

− Protocols initiated

− Fraud indicators

22


Process Mining: Understanding the “True” Process

What process deviations don’t we know about?

What can an event log containing an event ID, timedate stamp, user ID/role, and a metric tell us about a business process?

23


Dashboards: Visually Presenting the Facts

24


Risk-Scoring: Getting to the Issues Quickly

25


Tech-Driven Innovation Across the Audit Process

26

Develop

audit plan

Plan the

audit

Controls

testing

Substantive

procedures

Reporting

audit

findings

Follow

up on

findings

• Data profiling and

trending

• Visual and

statistical analysis

• Process mining to

understand

transactional flow

• Bots push

questionnaires to

control owners

• Data mine survey

responses

• Data-driven risk

indicators

• 1st and 2nd line

KRIs and CSA

results

• People risk

indicators to get

at residual risk

• Continuous Risk

Assessment (CRA)

• Data mine

changes and

flux

• Bots extract

evidence from

disparate systems

• Bots automate

sample selection

• Bots solicit

stakeholders for

information

• Bots monitor

unattended mailbox

for responses

• Rules-based

exception testing

• Auditors conduct

ad-hoc analysis

• Data-driven

quantification of

findings and risks

• Dynamic reporting

of risks and

findings

• Evaluate need for

additional

continuous audit

procedures

• Provide

management with

analytic prototypes

• Automated alerts of

aged issues /

exceptions

• Automated re-testing

of resolution

• Quality

• Timing

• Visual issue trending

• Ad-hoc analysis

• Remote procedure

calls to web

services (e.g.,

Google APIs)

• Recalculation and

reperformance

• Application

processing

verification

Strategic Emerging Risks can be ID’d anywhere in the audit process Granular


Tech Streamlines and Facilitates Auditor Judgment

Each mode can be ad hoc, repeatable or continuous

LEARN

Profile business activity: Who, What, Where, When, Why and How?

Report changes within the organization and systems

Conduct Exploratory Data Analysis (EDA) – what could we be looking at?

CATCH

Identify ineffective controls

Identify persistent or new risks

Detect anomalous/irregular patterns

Identify noncompliance

Detect fraudulent activity

Flag waste and abuse

CONFIRM

Attest to the effectiveness

Affirm something’s existence

Corroborate an allegation

Substantiate an audit finding

VALUATE

Assess impact of an event

Estimate likelihood or probability

Calculate level of effort, return on investment, or cost of implementation

Develop

audit plan

Plan the

audit

Controls

testing

Substantive

procedures

Reporting

audit

findings

Follow

up on

findings


Tech Ecosystem for Technology-Enabled Audits

28


WRAP-UP


Reality Check: We’ve had the tools for awhile…

• Internal Audit Automation has actually been around for decades

• Traditional audit technologies helped to automate data analysis procedures

• PC-integrated technologies helped to automate tasks

• Newer Robotic Process Automation (RPA) technologies automate where back-end system access is unavailable

Unchanged audit

processes result in the

use of analytics and

automation stagnating in

many organizations


Common Barriers to Effective Implementation

• Issues with data quality, access and permissions

• "Know how“ and critical/analytical thinking

• Staff (and stakeholder) resistance to change

• This takes time, time, planning and ‘sweat equity’

• Automated process may become unfit for purpose

• Perverse incentives: reward A, but hope for B

31


Requiring a Planned, Multiphase Implementation

2018

Make it work

2019

Make it stick

2020

Make it scale

Learning &

Culture

Operational

Stakeholders

& Partners

Financial

Outcomes

Time to competency

Audit effectiveness

Transactional coverage

Innovation

Consistently met needs Ease of doing business

Analytic ROI

Reusable, configurable components Streamlined DA portfolio

Staff engagement


Conclusion and Call to Action

• There should be no significant barriers to

beginning your transformation initiative TODAY

• Consider quick-hit process improvement

opportunities prior to automation

• Recognize the tools in your toolbox that are

right for the job

• Prioritize low-risk, low-effort areas

• Get started!


34


This document contains general information, may be based on authorities that are subject to change, and is not a substitute for professional advice or services. This document does not

constitute audit, tax, consulting, business, financial, investment, legal or other professional advice, and you should consult a qualified professional advisor before taking any action based

on the information herein. RSM US LLP, its affiliates and related entities are not responsible for any loss resulting from or relating to reliance on this document by any person. Internal

Revenue Service rules require us to inform you that this communication may be deemed a solicitation to provide tax services. This communication is being sent to individuals who have

subscribed to receive it or who we believe would have an interest in the topics discussed.

RSM US LLP is a limited liability partnership and the U.S. member firm of RSM International, a global network of independent audit, tax and consulting firms. The member firms of RSM

International collaborate to provide services to global clients, but are separate and distinct legal entities that cannot obligate each other. Each member firm is responsible only for its own

acts and omissions, and not those of any other party. Visit rsmus.com/aboutus for more information regarding RSM US LLP and RSM International.

RSM® and the RSM logo are registered trademarks of RSM International Association. The power of being understood® is a registered trademark of RSM US LLP.


© RSM US LLP. All Rights Reserved. |

INCREASING AUDIT AGILITY WITH DATA ANALYTICS AND … · Leader & SAP Champion, RSM ......

Documents

Transcript of INCREASING AUDIT AGILITY WITH DATA ANALYTICS AND … · Leader & SAP Champion, RSM ......