P A R T N E R

Don Sparks, VP Industry Relations

(888) 641-2800 x 1877 [email protected]

Shorten the Auditing Life Cycle

Nothing moves auditors into the board room faster than finding previously undetected anomalies in corporate data!

“..it Happens”

• On March 11, 2015, a chief audit & compliance officer received an anonymous, handwritten letter stating that a vendor account needed to be investigated.

Findings:

• Back in March 2001, an employee created a shell vendor mailbox and bank account. For the next 14 years this same employee submitted and approved over 200 invoices totaling almost $10 million.

What is the response?

• Financial Auditors – Are the transactions properly recorded and presented in the financial statements? Did we look at any of these transactions? [historical view]

• Operational Auditors – Was the vendor master file (VMF) in the audit universe? Do we have this area in our current or future audit plans? [future view]

• Board & Senior Mgmt – Were controls side-stepped or missing? When do you tell them? [Want answers now!]

• What do your customers think?

Study & Understand the International Professional Practices Framework - IPPF

Study & Understand the IPPF

• 1000.A1 – assurance services defined in audit committee charter

• 1000.C1 – consulting services defined in audit committee charter

• 1300 – Quality Assurance and Improvement Program – CAE must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity

• 2010 – CAE must establish a risk based plan and determine the priority of activity using management’s framework and risk appetite levels. If none exists, the CAE uses his/her own.

• 2010.A1 – The CAE must use a documented framework, undertaken at least annually

• 2050 – Coordination between internal and external audit to ensure coverage and minimize duplication of efforts

• 2210 – Engagement Objectives - Objectives must be established for each engagement.

• 2210.A1 – IA must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.

Study & Understand the IPPF pg2

2120.A1 – The IA activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding the following:
• Achievement of the organization’s strategic objectives;
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations and programs;
• Safeguarding of assets; and
• Compliance with laws, regulations, policies, procedures, and contracts.

2120.A2 – The IA activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.

Study & Understand the IPPF pg3

Practice Advisory 2010-1: Linking the Audit Plan to Risk and Exposures, suggests the following risk factors, among others, should be considered:

• Impact, Likelihood, Dollar materiality
• Asset liquidity
• Quality of internal controls
• Degree of change or stability
• Complexity
• Management competence
• Results of last audit
• Government relations

The Role of Internal Audit in ERM

Internal Auditing Governance Questions:

1. When does your staff first “LOOK” at data files used by the audit client?

2. Have you standardized on a performance metric? Do you need one?

3. Do you have a deadline for presenting your “next plan”? If yes, to whom? Do you include external audit and/or regulators in the plan process?

4. Quick Demo of Data Analysis with IDEA

Question 1: Closing the Gap between Strategy & Execution

April 2015 PwC State of the IA Profession Study

Consider the Impact of Continuous Auditing – Second Edition GTAG 3

Include Data Analysis in your Audit Program

Question 2: Does Internal Audit Need a Performance Metric?

IPPF – Practice Guide: Measuring IA Effectiveness and Efficiency

The simple answer is “Yes”. Once key effectiveness and efficiency measurements and targets have been identified, a monitoring process and method of reporting to stakeholders should be established (format, timing and metrics).

Note: the standards do not address IA maintaining a timekeeping process, and functions have drastically simplified or completely eliminated them.

The Internal Audit “Stakeholders” Have Different Needs

Performance Metrics to Consider

• Contribution level of improving risk management GRC processes
• Achievement of key goals and objectives
• Evaluation of progress against audit activity plan
• Improvement in staff productivity
• Increase in efficiency of the audit process
• Increase in number of action plans for process improvements
• Adequacy of engagement planning and supervision
• Effectiveness in meeting stakeholders’ needs
• Results of QA assessments and IA activity’s quality improvement program
• Effectiveness in conducting the audit
• Clarity of communications with the audit client and the board

Annual Auditing Function Planning

Planning

Testing

Report Writing

Open Issue Follow-up

QA before Opening Conference

QA before Closing Conference

Validate test plans with audit client

Client/Auditor meeting on Data Analysis E&E

1. Performance Metric

Question 3: How Can Data Analytics Improve Performance Efficiency & Effectiveness?

Annual Auditing Function Planning

• Hot Line Analysis
• Audit Client Satisfaction Survey Analysis
• Officer T&E Expenses
• Code of Conduct Return Analysis
• Officer Payroll
• Officer Bonus Plan review
• Stock Program (Phantom) Allocation
• Prior Year Results (include repeat issues)
• Update Anti-Fraud Review from prior years

Annual Auditing Function Planning – pg2

• Training
• Staffing – including 3rd party resources
• Tools/Technologies
• IA Charter update
• Consider graphical or table representations in final audit reports – picture can save time
• Update Audit Universe – always take a complete quick list to every board meeting
• Effective use of Management Letters instead of lengthy time consuming reports

Develop a Risk Based Audit Plan

1. Determine & Update the Audit Universe
2. Identify events that raise risks and opportunities
3. Score events of probability and impact (after mgmt actions to mitigate risk)*
4. Use priority factors to rank audit plan
5. Present & defend strategic directives and audit work plan for management review

* Must be accomplished even if management does not maintain a risk register

Risk Assess Top Down vs. Bottom Up?

• Level 0: Data
• Level 1: Process
• Level 2: Project/Department
• Level 3: Vertical/Functional
• Level 4: Business Unit
• Level 5: Organization

Internal Auditing

Management

“Better” Risk Profile; Risk Rank Vendor

| Characteristics | Red | Yellow | Green |
| --- | --- | --- | --- |
| Spend Amount | >1m | >500k | >100k |
| Type of Spend | Labor, allocations | Material, equip | Services |
| Contract Complexity | High | Med | Low |
| Contract Type | Cost Plus | Hybrid | Fixed Fee |
| Relationship Origin | Sole sourced | Hybrid | Competitive bid |
| Historical Relationship | Poor | Neutral | Trusted Advisor |
| Business Results/Issues | Open civil/criminal, bankruptcy | Multiple undisclosed related entities | No undisclosed related entities |
| Analytical Results/Issues | Many exceptions | Some exceptions | No exceptions |
| Audit Rights | None | Standard | Strong |
| Vendors Structure | Decentralized | Some issues | Centralized billing and accounting |

Risk Profiling – Selection Framework

Question 4: Data Analytics to address the VMF issue?

“Traditional” Selection Descending

“Best” Solution – Transactional Tests

• It is important to analyze the data from several different perspectives. For example, duplicate testing on different combinations of fields (name, address, bank account number, tax ID number), as well as sophisticated matching methods (e.g. full name match, part name match, sounds like match) between employee and vendor files. 

• Auditing vendor files is generally the best way to quickly risk assess where the issues may lie, as auditing transactional data can be overwhelming. Therefore, once you’ve cleaned house within the vendor master file, you’ll be ready to move on to analyzing transactional data, now armed with a list of vendors that are most likely to cause failure.
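
The matching described in the two bullets above, sketched in Python as an added example (it is not taken from the slides and is not IDEA functionality). The record layout, the field names and the sample records are assumptions constructed for illustration; Soundex stands in for the "sounds like" match.

```python
import re
from collections import defaultdict

CODES = {c: d for d, cs in {"1": "BFPV", "2": "CGJKQSXZ", "3": "DT",
                            "4": "L", "5": "MN", "6": "R"}.items() for c in cs}
NOISE = {"LLC", "INC", "LTD", "CO"}  # assumed legal suffixes, ignored in names

def key(value):  # comparison key: upper-case, punctuation and spaces removed
    return re.sub(r"[^A-Z0-9]", "", value.upper())

def soundex(word):  # American Soundex, e.g. SMITH and SMYTH both give S530
    out, prev = word[0], CODES.get(word[0], "")
    for ch in word[1:]:
        code = CODES.get(ch, "")
        if code and code != prev:
            out += code
        if ch not in "HW":  # H and W do not separate repeated codes
            prev = code
    return (out + "000")[:4]

def name_match(a, b):  # full name, part name or sounds-like match, else None
    ta, tb = (set(re.findall(r"[A-Z]+", n.upper())) - NOISE for n in (a, b))
    if ta & tb:
        return "full name" if ta == tb else "part name"
    return "sounds like" if set(map(soundex, ta)) & set(map(soundex, tb)) else None

def cross_match(employees, vendors, fields=("address", "bank", "tax_id")):
    hits = {}  # (vendor id, employee id) -> reasons the two records match
    for v in vendors:
        for e in employees:
            why = [f for f in fields if key(v[f]) and key(v[f]) == key(e[f])]
            why += [m for m in [name_match(v["name"], e["name"])] if m]
            if why:
                hits[v["id"], e["id"]] = why
    return hits

def duplicates(vendors, fields):  # vendor ids sharing values on all given fields
    groups = defaultdict(list)
    for v in vendors:
        groups[tuple(key(v[f]) for f in fields)].append(v["id"])
    return [ids for k, ids in groups.items() if all(k) and len(ids) > 1]

def rec(*row):  # builds the constructed sample records below (not real data)
    return dict(zip(("id", "name", "address", "bank", "tax_id"), row))
EMPLOYEES = [rec("E1", "John Smith", "12 Oak St.", "111-222", "900-11-0001"),
             rec("E2", "Ana Lopez", "7 Elm Ave", "333-444", "900-11-0002")]
VENDORS = [rec("V1", "Jon Smyth Consulting LLC", "PO Box 9", "111222", "77-0000001"),
           rec("V2", "Lopez Supplies", "7 Elm Ave.", "555-666", "77-0000002"),
           rec("V3", "Acme Paper Inc", "400 Mill Rd", "777-888", "77-0000003"),
           rec("V4", "ACME PAPER", "400 Mill Road", "777888", "77-0000004")]
```

Running duplicates() on ("bank",) pairs V3 with V4, while ("address", "bank") misses them because "Rd" and "Road" differ, which is why the same file is tested on several field combinations.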

VMF Tech-Enabled Tests

1. Scope analysis of top ## vendors during a three year period looking for vendors in the top replaced without good reason
2. Risk assessing your current vendor master file
3. Vendor Setup walk through
4. Process for revalidating approved Vendor list [False (shell) Vendors]
5. After the fact purchase orders
6. Test round sum of payments
7. Payments almost immediately after setup

Tech-Enabled Tests (cont.)

8. Payments from inactive vendors
9. Stratification or pivot table payables approval levels
10. Benford's law
11. Holding credit balances on inactive accounts
12. Inconsistent invoice number length test
13. Nepotism - adding “relatives” living in same house
14. Payments to PO boxes
15. Round number tests
16. Payments on weekends or late at night
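
Several of the tests listed above (6, 7, 8, 12, 14 and 16) written as repeatable checks over payment records, as an added Python example that is not part of the original slides or of IDEA. The record layout, the thresholds (1,000 round unit, 7 days after setup, 22:00 to 06:00 as late night) and the sample data are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

PO_BOX = re.compile(r"\b(P\.?\s*O\.?|POST\s+OFFICE)\s*BOX\b", re.I)

def payment_flags(pay, vendor, round_unit=1000, setup_days=7, night=(22, 6)):
    """Row-level tests; the thresholds are assumptions to tune per engagement."""
    paid, flags = pay["paid_at"], []
    if pay["amount"] % round_unit == 0:
        flags.append("round sum")
    if paid - vendor["created"] <= timedelta(days=setup_days):
        flags.append("paid soon after setup")
    if PO_BOX.search(vendor["address"]):
        flags.append("PO box")
    if paid.weekday() >= 5 or paid.hour >= night[0] or paid.hour < night[1]:
        flags.append("weekend or late night")
    if not vendor["active"]:
        flags.append("inactive vendor")
    return flags

def odd_invoice_lengths(payments):
    """Invoice numbers whose length differs from the vendor's usual length."""
    by_vendor = defaultdict(list)
    for p in payments:
        by_vendor[p["vendor"]].append(p["invoice"])
    odd = []
    for invoices in by_vendor.values():
        usual = Counter(map(len, invoices)).most_common(1)[0][0]
        odd += [i for i in invoices if len(i) != usual]
    return odd

def run_tests(payments, vendors):
    return {p["invoice"]: payment_flags(p, vendors[p["vendor"]]) for p in payments}

# Constructed sample data, not real records.
VENDORS = {
    "V1": {"created": datetime(2015, 3, 2), "address": "P.O. Box 9", "active": True},
    "V2": {"created": datetime(2012, 1, 10), "address": "400 Mill Rd", "active": False},
}

def pay(vendor, invoice, amount, *when):
    return dict(vendor=vendor, invoice=invoice, amount=Decimal(amount),
                paid_at=datetime(*when))

PAYMENTS = [pay("V1", "INV-0001", "5000.00", 2015, 3, 4, 23, 15),
            pay("V1", "INV-0002", "4875.50", 2015, 6, 10, 14, 0),
            pay("V1", "7", "4990.00", 2015, 6, 13, 10, 0),
            pay("V2", "A1001", "1200.00", 2015, 6, 11, 9, 30)]
```

A payment that trips several flags at once, such as INV-0001 here, is the natural starting point for follow-up; a single flag on its own usually has an innocent explanation.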

Key Accounts Audit Solutions “Ready to Run” Tests (total 183)

• Accounts Payable (15 total tests)
• Expense Controls (17 total tests)
• Fixed Assets (18 total tests)
• General Ledger Controls (20 total tests)
• Inventory Controls (21 total tests)
• Journal Entries (14 total tests)
• Payroll Controls (33 total tests)
• Procurement Controls (23 total tests)
• Travel Expense Controls (22 total tests)

Introduction to AuditNet.Org

A Digital Online Resource for Auditors

• Join over 200,000 global users
• More than 2,000 audit templates
• 15,000+ audit procedures and work papers
• More articles and Surveys posted monthly

Demonstration VMF Tests

• Create Managed Project – VMF
• Store Client provided VMF & import
• Set screen, check data fields & reconcile
• Top 5 vendors test
  – Add auditor tickmark block
  – Add auditor comment block
• Find all payments sent to a PO Box
• Make the tests repeatable for follow-up

Questions?

If it takes you more than 20 minutes to utilize any IDEA function or feature, contact us for assistance.

IDEA Help Desk
888.641.2800 Option [email protected]

Don Sparks
VP Industry Relations
(888) 641-2800 x 1877
[email protected]