SF IIA Fall Seminar: Internal Audit's Role in the Changing Business Landscape
November 30th 2012, San Francisco


Annual AHIA West Coast Regional Seminar


Agenda

7:45 - 8:15 am: Registration and Breakfast
8:15 - 8:20 am: Welcome and Introductions. Ed Byers (Deloitte), Farhan Zahid (Deloitte)
8:20 - 9:00 am: Emerging Hot Issues. Security and Privacy: Husam Brohi, Michael Corey (PwC). Vendor Compliance: Byron Tatsumi (KPMG)
9:00 - 9:50 am: Leveraging Data Analytics to Enhance Your Internal Audit Function. Dawei Qu (Blue Shield of California), Dale Livezey (Deloitte)
9:50 - 10:10 am: BREAK
10:10 - 11:30 am: Enterprise Risk Management and Impact to Your Audit Plan. CAE Panel Discussion led by Shawn Kirshner (Accretive Solutions)
11:30 - 12:20 pm: Risks in Social Media. Anna Tchernina, Willis Kao (Deloitte)
12:20 - 1:20 pm: GOURMET LUNCH (provided)
1:20 - 2:10 pm: Fraud Risk Management: The Things You Need To Know. Paul Ritchie (Deloitte)
2:10 - 3:00 pm: Top 10 IT Internal Audit Risks. Michael Juergens (Deloitte)
3:00 - 3:20 pm: BREAK
3:20 - 4:40 pm: Understanding Your Auditee: How to Communicate More Effectively (Group Setting). Howie Cumme (URS), Ed Byers (Deloitte), Farhan Zahid (Deloitte)

Welcome
SF IIA Fall Seminar Chair: Ed Byers (Deloitte), Farhan Zahid (Deloitte)

Logistics
Fire exits and restrooms
Breaks and lunch
Phone calls
Questions and answers
Rules of the road

Emerging Hot Issues (08:20 - 09:00, various presenters)
08:20 - 08:40: Security and Privacy. Husam Brohi (PwC), Michael Corey (PwC)
08:40 - 09:00: Vendor Compliance. Byron Tatsumi (KPMG)

Emerging Hot Issues: Fortifying your defenses. The role of internal audit in assuring data security and privacy

CEOs and boards are no longer ignoring Information and Technology (I&T) risks. I&T risk is an enterprise-wide issue. Specific types of risks organizations are facing include:
Connected IT infrastructure exists in an environment that is increasingly under threat of unauthorized access to or disclosure of sensitive data, and of attacks originating from cyber-criminal groups and hackers.
Increase in privacy and security regulatory mandates in recent years, as well as expected changes in upcoming years.
Boards are no longer willing to accept the risk that technology can pose to the business.
Growing demand by business leaders to understand how privacy (what data is sensitive to the business) integrates with security (how they protect the data deemed sensitive).
Increase in threats and vulnerabilities to sensitive data and corporate assets.
Businesses continue to struggle to maintain accountability to their stakeholders and to establish effective strategies and standards for security risk management and privacy control activities.

Change and Complexity is Right Around the Corner
Security and Privacy Hot Topics: Balancing Business Enablers vs Business Risks
Privacy and Data Loss Prevention: Organizations looking to improve privacy management in the event of a breach have to continually plan and prepare.
Regulatory Compliance: Organizations in all industries are under increased scrutiny by regulatory governance bodies.
Third Parties and Cloud Computing: While risks associated with third parties and cloud computing continue to increase, many companies are less prepared to defend their data.
Technical Threats and Vulnerabilities: Companies need to stay informed about the constantly changing threat environment, and need processes to identify potential vulnerabilities and processes to resolve potential exposures.
Mobility and Social Media: Mobile platforms, social media, and accelerated product life cycles are just the latest contributors to the risk of an enterprise.
Cyber Crime: The cyber threat landscape continues to yield an increasingly sophisticated underworld of criminals. Companies need to remain prepared for such cyber crises.

Stakeholders want focus in all critical risk areas
(Chart: risk areas in which stakeholders and CAEs want/plan to add IA capabilities.) There is a continued desire to add resources in critical risk areas. Virtually no one wants IA to reduce resources in any of these areas. Good alignment.
It is interesting that data security and privacy continues to be an area where resources will be added. Although it has been an area of significant focus in recent years, there still appears to be a need or desire to add resources. Perhaps it is because of the complexity or the pace of change in this area, but we also see a danger here of misallocating resources.

Acting today to protect data: the critical role of internal audit
What the audit committee should expect of internal audit
In the risk assessment report that it presents to the audit committee, internal audit should highlight the organization's significant data security and privacy risks, including any new risks. Further, it should identify weaknesses in policies and controls.
Because the nature of information security risks is evolving continuously, internal audit functions need to stay ahead of the threat curve: stay plugged in to emerging security threats and to the practices for protecting against them.
Internal audit's role in ensuring that information security threats are properly considered becomes especially important when a company is ready to roll out a new business process, product or information system.
Internal audit must also keep its ear to the ground and move quickly to conduct special audits for new information security threats, which some executives consider as important as regularly scheduled audits.
1. Strengthen the annual risk assessment to be relevant
2. Have the right people
3. Stay vigilant on key or triggering events
Given that data security and privacy breaches can cost a company dearly in financial losses and market reputation, the firm's board of directors will want to stay on top of these risks. Keeping the audit committee apprised of emerging risks and effective ways to address them is a key role of internal audit.

Overcoming the barriers to internal audit playing an effective role
Effective data privacy and security measures are not easy to effect. In fact, we commonly find four barriers in organizations that try to adopt them, each with a corresponding remedy:
1. Barrier: A mindset that believes adequate controls are already in place. Remedy: Exposures are changing constantly; policies and controls need to change alongside them.
2. Barrier: Cost. Achieving and maintaining effective information security can cost significant money and effort. Remedy: Implement cost/benefit analysis in the risk assessment to assess the potential damage of various types of security breach.
3. Barrier: Low expectations. Internal audit is not viewed as capable of assessing complex security and privacy topics. Remedy: Hire and train staff to be top of their game in this arena and/or outsource as needed to experts who have the technical skills.
4. Barrier: Fragmented responsibilities. The job of maintaining effective information security controls is often split among many stakeholders. Remedy: Establish responsibility and accountability. Define and assign a single point of responsibility for information security.

Thank you

For more information, please contact:

Michael Corey 415-505-2482 [email protected]

Husam Brohi 415-205-8068 [email protected]

Continuous Audit with Data Analytics (IIA Conference, November 30, 2012)

Speakers
Dale Livezey, Senior Manager, NorPac Regional Technology Leader, Deloitte & Touche LLP, Audit and Enterprise Risk Services, San Francisco, CA, [email protected]
Dawei Qu, Internal Audit Manager, Blue Shield of California, Internal Audit Services, San Francisco, CA, [email protected]

Agenda
Benefits of Data Analysis
Types of Data Analysis: Ad hoc query; Repetitive analysis; Continuous auditing
Case Studies: Claims Denials Audit; Accounts Payable Audit

Benefits of Data Analytics
Data analytics can help in many aspects of business process testing:
More efficient and effective manual testing
Assist in root cause analysis
Test validity and accuracy of reports
Target and assess specific risk areas
Identify control weaknesses / effectiveness gaps
Overall more effective control testing services for our clients

Benefits of Analyzing Data
Data analysis improves the quality, effectiveness and efficiency of audits:
Performs 100% recalculations and verification of transactions in a timely and repeatable fashion
Compares data from multiple / disparate systems
Provides business insights and identifies process improvement opportunities
Presents quantifiable results from analysis based on the complete population

Approach: Profiling and trending
Benefit: Focus on specific areas of risk or interest; provide insights into transactional history and behavior; test internal control effectiveness; identify hidden relationships between people, organizations and events.
Approach: Customized transactional analysis
Benefit: Geared towards a client's specific business process; reduction in manual testing procedures; perform proactive instead of reactive audits; identify potentially improper or fraudulent transactions.
Approach: Statistical sample selection and evaluation
Benefit: More efficient and accurate selection procedures; reduces time spent on selections of little or no interest; analyze the full population of transactions instead of a traditional sampling approach; focus on risk!
Approach: Report re-performance and metric recalculation
Benefit: Validate operational reporting systems and assist in the documentation of the current reporting process; reduce manual testing procedures.

Notes: The IIA Exposure Draft says that technology improves management's ability to detect fraud. While many internal audit departments use data analysis in their audits, few use it to its full potential and could benefit by learning additional techniques.

We will take a few minutes to discuss each of these.

First, integrating data analytics into the internal audit approach allows the internal auditor to analyze all the transactions. You are able to run tests on the full population instead of examining a small sample. This makes it more likely that you will detect anomalies and allows you to focus your time and attention on understanding the transactions that are higher risk. For example, instead of selecting 20 entries posted by the fixed asset accountant that are likely to be monthly depreciation expense, you might identify that the CFO posted one large entry at month-end that credits depreciation expense. Isn't that entry more important to look at?

Second, let's consider hidden relationships between people, organizations and events. When we say people, we mean employees of the company in the same or different departments, at various levels of management, or in different locations. We also mean relationships between employees of the company and employees of customers, vendors, government agencies and others. Relationships between organizations include joint ventures, guarantors/guarantees, lenders/borrowers, vendors/customers, etc. Events refer to the sequence of events. For example, is a large cash withdrawal followed by a face-to-face meeting between a procurement officer and a vendor? Does a payables clerk buy a large new house after a round of layoffs that resulted in her getting additional system access rights?

Third, data analysis can help you identify potentially improper transactions. Data analysis can result in a large number of false positives. One useful way of identifying the transactions that are most likely to be fraudulent is to run tests that look at the data in different ways and then combine the results. For example, if you were testing for ghost employees, you might run tests that look for employees with no social security number, no withholdings for 401(k) or medical benefits, salaried employees in departments that typically have hourly employees, multiple employees with bank accounts in common, etc. While the test for no withholdings is likely to have many results, if employees identified on that test also lack social security numbers and have bank accounts in common with other employees, you should focus your attention on those employees because they are more likely to really be ghost employees.

Fourth, data analysis can help you assess internal controls. It is very useful for reviewing segregation of duties. For example, you could look for people whose access rights allow them to both create and post a journal entry, or people who have administrator rights but really should not. Later in this course you will learn how to run these tests. You would take the results of the segregation of duties tests to understand what these employees were able to do in the system. The next step would be to find out whether they used the inappropriate rights to perpetrate any fraud.

Finally, data analysis can help an internal audit department perform proactive audits. The longer a fraud is perpetrated before it is detected, the larger it is likely to become. Thus, identifying fraud in its infancy can save a company a lot of money. When an internal audit department uses data analysis to look for red flags of fraud, it increases its effectiveness. A best practice is to use continuous monitoring techniques to look for potential errors and fraud. This is impossible to do well without effective automated procedures, especially in a large company. Of course, the internal audit department needs to plan to follow up on red flags and be willing to allocate appropriate resources.
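The two techniques narrated above, combining several ghost-employee tests so that only employees hit by more than one test surface, and a segregation-of-duties check over an access-rights extract, as an added example in Python. This is not code from the seminar and the presenters used SAS and ACL rather than Python; the payroll rows, role names, the conflict matrix and the list of departments that are normally hourly are all constructed for the demonstration.

```python
"""Added example (not from the seminar deck): combine several ghost-employee
red-flag tests into one ranked worklist, and run a segregation-of-duties (SoD)
check over a user-to-role extract. All records are constructed; column names,
role names and the conflict matrix are hypothetical."""
from collections import defaultdict

# Constructed payroll master extract (hypothetical columns).
PAYROLL = [
    {"emp_id": "E001", "name": "A. Ortiz", "ssn": "123-45-6789", "dept": "Warehouse", "pay_type": "Hourly",   "401k": 120.0, "medical": 80.0, "bank_acct": "ACC-100"},
    {"emp_id": "E002", "name": "B. Shah",  "ssn": "",            "dept": "Warehouse", "pay_type": "Salaried", "401k": 0.0,   "medical": 0.0,  "bank_acct": "ACC-200"},
    {"emp_id": "E003", "name": "C. Diaz",  "ssn": "987-65-4321", "dept": "Finance",   "pay_type": "Salaried", "401k": 300.0, "medical": 95.0, "bank_acct": "ACC-300"},
    {"emp_id": "E004", "name": "D. Kim",   "ssn": "",            "dept": "Warehouse", "pay_type": "Hourly",   "401k": 0.0,   "medical": 0.0,  "bank_acct": "ACC-200"},
    {"emp_id": "E005", "name": "E. Novak", "ssn": "555-66-7777", "dept": "Finance",   "pay_type": "Salaried", "401k": 0.0,   "medical": 0.0,  "bank_acct": "ACC-500"},
]

# Departments that are normally staffed with hourly employees (assumption for the demo).
HOURLY_DEPTS = {"Warehouse"}


def ghost_employee_tests(rows):
    """Run every red-flag test over the full population.
    Returns {emp_id: [names of tests hit]} for each employee hit by at least one test."""
    acct_owners = defaultdict(set)
    for r in rows:
        acct_owners[r["bank_acct"]].add(r["emp_id"])
    hits = defaultdict(list)
    for r in rows:
        if not r["ssn"].strip():
            hits[r["emp_id"]].append("no_ssn")
        if r["401k"] == 0 and r["medical"] == 0:
            hits[r["emp_id"]].append("no_withholdings")
        if r["pay_type"] == "Salaried" and r["dept"] in HOURLY_DEPTS:
            hits[r["emp_id"]].append("salaried_in_hourly_dept")
        if len(acct_owners[r["bank_acct"]]) > 1:
            hits[r["emp_id"]].append("shared_bank_account")
    return dict(hits)


def rank_candidates(hits, min_tests=2):
    """Keep only employees flagged by at least min_tests independent tests, most flags
    first. Intersecting the tests is what turns a long list of false positives
    (everyone with no withholdings) into a short worklist."""
    ranked = [(emp, tests) for emp, tests in hits.items() if len(tests) >= min_tests]
    return sorted(ranked, key=lambda t: (-len(t[1]), t[0]))


# Constructed user-to-role extract from the general ledger system (hypothetical roles).
ACCESS = [
    ("jdoe", "JE_CREATE"), ("jdoe", "JE_POST"),
    ("mlee", "JE_CREATE"),
    ("pnair", "JE_POST"), ("pnair", "SYS_ADMIN"),
    ("cfo1", "SYS_ADMIN"),
]
# Role combinations that one person should never hold (assumed conflict matrix).
CONFLICTS = {frozenset({"JE_CREATE", "JE_POST"})}
# Users whose job actually requires administrator rights (assumption for the demo).
ADMIN_ALLOWED = {"pnair"}


def sod_violations(access, conflicts=CONFLICTS, admin_allowed=ADMIN_ALLOWED):
    """Return (user, reason) pairs: a conflicting role combination, or admin rights
    held by someone not on the approved list."""
    roles = defaultdict(set)
    for user, role in access:
        roles[user].add(role)
    findings = []
    for user, held in sorted(roles.items()):
        for pair in conflicts:
            if pair <= held:
                findings.append((user, "conflict:" + "+".join(sorted(pair))))
        if "SYS_ADMIN" in held and user not in admin_allowed:
            findings.append((user, "unexpected_admin"))
    return findings


if __name__ == "__main__":
    for emp, tests in rank_candidates(ghost_employee_tests(PAYROLL)):
        print(emp, tests)
    for user, reason in sod_violations(ACCESS):
        print(user, reason)
```

On the constructed data E005 is flagged only for missing withholdings and drops out of the ranked list, while E002 and E004 (no SSN, no withholdings, and a bank account they share) come out on top; the SoD check flags jdoe for holding both create and post, and cfo1 for unapproved admin rights.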

Types of Data Analysis

Computer-Aided Audit
Ad-hoc query: a one-time, specific analytic query or analysis at a point in time, with no intention of repetitive testing; explorative and investigative. Examples: a one-time query on journal entries posted by a suspicious user; a one-time query to search for suspicious vendors based on certain criteria.
Repetitive analysis: periodic analysis of processes from multiple data sources; seeks to improve the efficiency, consistency and quality of audits. Examples: revenue recalculation; duplicate journal entry identification; journal entries posted by unauthorized users.

Continuous Audit
Definition: the independent application of automated tools to provide assurance on financial, compliance, strategic and operational data within a company.
Nature: automated; runs on a continuous basis at specified intervals; constantly searches for errors, fraud and inefficiencies; involves advanced analytic tools (SAS and ACL).
Examples: automated A/P review; automated J/E review; operational process review.

Analysis of the data may be performed hourly, daily, weekly, monthly, etc., depending on the need.

Continuous auditing is often confused with computer-aided auditing. The purpose and scope of the two techniques, however, are quite different. Computer-aided auditing employs end-user technology, including spreadsheet software such as Microsoft Excel, to allow traditional auditors to run audit-specific analyses as they conduct the periodic audit. Continuous auditing, on the other hand, involves advanced analytical tools that automate a majority of the audit plan. Where auditors manually extract data and run their own analyses in computer-aided auditing during the course of their traditional audit, in continuous auditing high-powered servers automatically extract and analyze data at specified intervals.

1) Internal focus: to assure the integrity of transactions. Examples: A/P analysis; claims denials audit.
2) External disclosure: increased frequency of disclosure will drive the nature of the audit process. Example: journal entry analysis.
3) Law and regulations: to ensure compliance with laws and regulations. Examples: Medicare fraud audit; preventive care audit.
4) Technology related: data integrity and quality assurance.

What are Companies Doing?
1) 25% had continuous audit (CA) programs in 2009, compared to 11% in 2006 (statistic based on an IIA survey).
2) Benefits listed by survey participants: auditors are aware of issues as they occur; 100 percent of the population rather than a sample is evaluated; able to quickly identify irregularities, including fraudulent transactions; allows preventive controls to be created for process owners.
3) Challenges listed by survey participants: implementation takes long; auditors need detailed knowledge of the underlying data structures to use the tool correctly; auditors and business owners have to determine the parameters used in the CA program.

Case Study 1: SAS Medical Claims Denials Analytics
Note: numbers and findings have no meaning beyond being placeholders for the given example.

Steps: Audit Planning; Data Readiness; Data Analysis; Risk-Based Sampling; Substantive Testing; Communication of Results

Audit Planning
1) Establish testing period: January to June 2012
2) Determine scope: all medical claims denied from January to June 2012
3) Determine frequency: quarterly
4) Define audit objective: ensure claims were appropriately denied as per provider contract, member benefit and regulation
5) Select audit methodology: perform data analysis to identify high-risk denial areas; perform risk-based sampling and substantive testing
6) Know your deliverables: an Excel-based deck to present data analysis results; an audit report to communicate findings of substantive testing

Data Readiness
Request data: pull data directly from corporate data marts; work with IT to extract the relevant data
Data reconciliation: control totals; key (numeric) fields tie-out
Data quality tests: duplicate records; missing values in key fields; invalid values in key fields (for example, a billed date of 01/32/2012, or a negative co-pay/deductible amount)

Data Analysis Steps
Research the relevant areas of high risk by partnering with business owners:
Measurement of compliance risk: system days per claim
Measurement of operational risk: locations per claim; denial ratio at provider level
Measurement of financial risk: billed amount per claim
Design the profiling tests in relation to specific risks: determine the list of tests; map each test to its risk(s); develop testing routines in SAS
Review the data analysis results with business owners

Data Analysis: Profiling Tests
Population overview
Trend analysis of denial rate
Trend analysis of system days
Dollar stratification
Location count stratification
Profiling of providers (hospitals)
Profiling of explanation of benefit (EOB) codes

Data Analysis - RPM

Population Overview
The average billed amount for denied claims is significantly higher than for paid claims.
Denied claims take longer to process than paid claims.
Denied claims go through more locations to complete.

Trend Analysis: Denial Rate
The facility (hospital) denial rate is significantly higher than the overall average.
The denial rate in May 2012 is high, driven by the higher denial rate of facility claims.

Trend Analysis: System Days
Manual claims take longer for the processing system to reject or pay.
A correlation exists between the denial rate and manual system days in May; the May population is worth looking into.

Stratification (dollar stratification; stratification on location)
Yellow strata are subject to risk-based sampling, while purple strata might need drill-down.
Auditors may design strata according to the relevant limit approval controls.

Profiling on Hospitals
The denial rate for top providers is significantly higher than the average (20%).
Provider #2 has a high denial rate in May.
Hospitals #1, #2 and #5 are trending up on denial rate.

Profiling on Explanation of Benefit (EOB)
11% of denied claims have a blank EOB code.
This break-out can be compared against the industry benchmark to analyze the room for improvement.

Profiling and Sampling Process Flow

Risk-Based Sampling: Selections
A risk score is calculated for each claim.
The total risk score is the sum of the risk weights of each failed / hit profiling test.
Samples were selected from the claims with the higher risk scores.
The auditors' professional judgment plays an important role in finalizing the samples.
The average number of risks tested per sample is 5.56.
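The data-readiness checks, the denial-rate profiling and the weighted risk score that drives risk-based sampling, carried through end to end as an added example in Python (the case study itself used SAS; this is not the presenters' code). The claims rows, the column names, the risk weights and the thresholds for "high dollar", "many locations" and "long system days" are all assumptions made for the demonstration; the invalid billed date and negative co-pay are the exact data-quality cases the slide names.

```python
"""Added example (not from the seminar deck): data-readiness tests, denial-rate
profiling and a weighted risk score for risk-based sample selection, over a
constructed claims extract. Columns, weights and thresholds are hypothetical."""
from collections import defaultdict
from datetime import datetime

# Constructed claims extract. billed_date is MM/DD/YYYY text, as it would arrive
# from a data mart; C6 is a deliberate duplicate, C4 a deliberate bad date.
CLAIMS = [
    {"claim_id": "C1", "provider": "H1", "month": "2012-04", "status": "Paid",   "billed": 1200.0,  "copay": 20.0,  "billed_date": "04/03/2012", "system_days": 4,  "locations": 1, "eob": "CO45"},
    {"claim_id": "C2", "provider": "H1", "month": "2012-05", "status": "Denied", "billed": 9800.0,  "copay": 0.0,   "billed_date": "05/07/2012", "system_days": 21, "locations": 4, "eob": ""},
    {"claim_id": "C3", "provider": "H2", "month": "2012-05", "status": "Denied", "billed": 15000.0, "copay": -10.0, "billed_date": "05/09/2012", "system_days": 30, "locations": 3, "eob": "PR204"},
    {"claim_id": "C4", "provider": "H2", "month": "2012-05", "status": "Denied", "billed": 400.0,   "copay": 15.0,  "billed_date": "01/32/2012", "system_days": 6,  "locations": 1, "eob": "CO16"},
    {"claim_id": "C5", "provider": "H2", "month": "2012-04", "status": "Paid",   "billed": 800.0,   "copay": 25.0,  "billed_date": "04/20/2012", "system_days": 3,  "locations": 1, "eob": "CO45"},
    {"claim_id": "C6", "provider": "H3", "month": "2012-06", "status": "Paid",   "billed": 2200.0,  "copay": 30.0,  "billed_date": "06/11/2012", "system_days": 5,  "locations": 2, "eob": "CO45"},
    {"claim_id": "C6", "provider": "H3", "month": "2012-06", "status": "Paid",   "billed": 2200.0,  "copay": 30.0,  "billed_date": "06/11/2012", "system_days": 5,  "locations": 2, "eob": "CO45"},
]


def valid_date(text):
    """True if text is a real calendar date in MM/DD/YYYY form (01/32/2012 is not)."""
    try:
        datetime.strptime(text, "%m/%d/%Y")
        return True
    except ValueError:
        return False


def data_quality(rows):
    """Data-readiness tests: duplicate records, missing key fields, invalid values.
    Returns {test name: [claim_ids]} for every test that produced exceptions."""
    issues = {}
    seen = defaultdict(int)
    for r in rows:
        seen[r["claim_id"]] += 1
    dups = sorted(c for c, n in seen.items() if n > 1)
    if dups:
        issues["duplicate_record"] = dups
    tests = (
        ("missing_eob", lambda r: r["status"] == "Denied" and not r["eob"].strip()),
        ("negative_copay", lambda r: r["copay"] < 0),
        ("invalid_date", lambda r: not valid_date(r["billed_date"])),
    )
    for name, pred in tests:
        flagged = [r["claim_id"] for r in rows if pred(r)]
        if flagged:
            issues[name] = flagged
    return issues


def denial_rates(rows, key):
    """Denial rate (denied / total) grouped by a column such as provider or month."""
    total, denied = defaultdict(int), defaultdict(int)
    for r in rows:
        total[r[key]] += 1
        if r["status"] == "Denied":
            denied[r[key]] += 1
    return {k: denied[k] / total[k] for k in total}


# Profiling tests and their risk weights (assumed weights for the demo).
WEIGHTS = {"missing_eob": 2, "high_dollar": 3, "many_locations": 2,
           "long_system_days": 1, "high_denial_provider": 2}


def risk_scores(rows, dollar_threshold=5000.0, location_threshold=3, days_threshold=14):
    """Score each denied claim: the sum of the weights of every profiling test it hits.
    Resolve data_quality() exceptions (duplicates in particular) before relying on this."""
    denied = [r for r in rows if r["status"] == "Denied"]
    overall_rate = len(denied) / len(rows)
    by_provider = denial_rates(rows, "provider")
    scored = []
    for r in denied:
        hits = []
        if not r["eob"].strip():
            hits.append("missing_eob")
        if r["billed"] > dollar_threshold:
            hits.append("high_dollar")
        if r["locations"] >= location_threshold:
            hits.append("many_locations")
        if r["system_days"] > days_threshold:
            hits.append("long_system_days")
        if by_provider[r["provider"]] > overall_rate:
            hits.append("high_denial_provider")
        scored.append((r["claim_id"], sum(WEIGHTS[h] for h in hits), hits))
    # Highest score first; claim_id breaks ties so the selection is reproducible.
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def select_sample(scored, n):
    """Risk-based selection: the n highest-scoring claims go to substantive testing."""
    return [cid for cid, _, _ in scored[:n]]


if __name__ == "__main__":
    print(data_quality(CLAIMS))
    print(denial_rates(CLAIMS, "provider"))
    for cid, score, hits in risk_scores(CLAIMS):
        print(cid, score, hits)
```

The scoring deliberately keeps the hit list alongside the score, so the auditor who finalizes the sample can see why a claim ranked where it did rather than just a number; on the constructed data C2 (blank EOB, high dollar, four locations, long system days, high-denial provider) scores highest and is selected ahead of C3 and C4.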

Communication of Findings
Finding 1: During the data analysis, Internal Audit noted that 11% of denied claims do not have explanation of benefit (EOB) codes. This was the result of an incorrect field mapping between the claims processing system and the claims data mart.
Finding 2: During the data analysis and the subsequent detail testing, Internal Audit noted that the denial rate for hospital #2 in May was significantly higher than in other periods and than at other hospitals. This was the result of insufficient communication of the changed provider contracts.

Benefits
Increased testing coverage: full population review
Increased testing frequency
Established an ongoing, reusable automated testing routine
Decreased sample size: more effective and efficient manual testing on the selections
Detect control deficiencies and fraud red flags in a timely manner
Track and escalate exceptions for rapid remediation
Target high-risk areas
Add value to the business

Case Study 2: Accounts Payable

Agenda: Purpose and Scope; Roles and Responsibilities; Project Snapshot; Final Assessment

Internal Audit engaged Deloitte to help with a proof of concept covering Accounts Payable, FCPA and Expenses.

Purpose and Scope
Deloitte understands that the Company's objectives for this engagement are:
Assist with developing ACL scripts, to serve as queries for use by limited members of various business units as part of routine management oversight.
Obtain results of profiling analytics, specifically on procurement and expense data provided by the Company.
Execute sample profiling scripts, as a test case, to assist with FCPA (Foreign Corrupt Practices Act) related controls.
Assess the applicability of the scripts executed, and determine additional scripts to be considered for future development in the procurement cycle.

Project Snapshot: Accounts Payable. List of analytics performed
Vendor analyses: vendor master check; valid vendor analysis; vendors with PO box addresses; duplicate vendor analysis; one-time vendors
Invoice analyses: duplicate invoices; payment date vs. invoice date analysis; Benford analysis
Disbursement analyses: payments to vendors not in the vendor master or unauthorized/restricted; payee name / vendor name mismatch; duplicate disbursements; Benford analysis

Analytics: Vendor Master Check

Analytics: Duplicate Vendors
Analytics: Payment Date vs. Invoice Date
Analytics: Duplicate Disbursements
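Several of the accounts-payable analytics listed above, as an added example in Python over a constructed vendor master and disbursement file. The engagement delivered these as ACL scripts; this is not that code, and the column names, the vendor and payment records, and the normalization rule for matching invoice numbers and vendor names are assumptions made for the demonstration.

```python
"""Added example (not from the seminar deck, whose analytics were ACL scripts):
duplicate vendors, PO-box vendors, duplicate invoices/disbursements, payments
dated before their invoice, payments to vendors missing from the master, and a
Benford first-digit profile. All records and column names are constructed."""
import math
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed vendor master.
VENDORS = [
    {"vendor_id": "V1", "name": "Acme Supply Co.",   "address": "12 Main St, Oakland CA"},
    {"vendor_id": "V2", "name": "ACME SUPPLY CO",    "address": "P.O. Box 4411, Reno NV"},
    {"vendor_id": "V3", "name": "Bay Logistics LLC", "address": "PO BOX 77, Daly City CA"},
    {"vendor_id": "V4", "name": "Delta Parts Inc",   "address": "9 Harbor Way, Alameda CA"},
]

# Constructed disbursements: (payment_id, vendor_id, invoice_no, invoice_date, payment_date, amount)
PAYMENTS = [
    ("P1", "V1", "INV-1001", "2012-03-01", "2012-03-28", 1250.00),
    ("P2", "V1", "inv 1001", "2012-03-01", "2012-04-02", 1250.00),  # same invoice, keyed differently
    ("P3", "V3", "A-77",     "2012-04-10", "2012-04-05",  980.50),  # paid before it was invoiced
    ("P4", "V4", "D-5",      "2012-04-11", "2012-04-30", 4300.00),
    ("P5", "V9", "X-1",      "2012-05-01", "2012-05-03",  600.00),  # vendor not in the master
    ("P6", "V4", "D-6",      "2012-05-02", "2012-05-29", 4300.00),
]


def normalize(text):
    """Collapse case, punctuation and whitespace so 'Acme Supply Co.' matches
    'ACME SUPPLY CO' and 'INV-1001' matches 'inv 1001' (assumed matching rule)."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def duplicate_vendors(vendors):
    """Vendor IDs that share a normalized name: candidates for duplicate setups."""
    groups = defaultdict(list)
    for v in vendors:
        groups[normalize(v["name"])].append(v["vendor_id"])
    return [ids for ids in groups.values() if len(ids) > 1]


PO_BOX = re.compile(r"\bp\.?\s*o\.?\s*box\b", re.IGNORECASE)


def po_box_vendors(vendors):
    """Vendors whose only address is a PO box: worth confirming against a physical location."""
    return [v["vendor_id"] for v in vendors if PO_BOX.search(v["address"])]


def duplicate_invoices(payments):
    """Same vendor, same normalized invoice number and same amount paid more than once."""
    groups = defaultdict(list)
    for pid, vid, inv, _, _, amt in payments:
        groups[(vid, normalize(inv), round(amt, 2))].append(pid)
    return [pids for pids in groups.values() if len(pids) > 1]


def paid_before_invoiced(payments):
    """Payment date earlier than invoice date: a control bypass or a keyed-in date."""
    return [pid for pid, _, _, inv_d, pay_d, _ in payments
            if date.fromisoformat(pay_d) < date.fromisoformat(inv_d)]


def payments_to_unknown_vendors(payments, vendors):
    """Disbursements whose vendor_id does not exist in the vendor master."""
    known = {v["vendor_id"] for v in vendors}
    return [pid for pid, vid, *_ in payments if vid not in known]


def benford_first_digit(amounts):
    """Observed share of each leading digit next to Benford's expected log10(1 + 1/d).
    Only meaningful on large populations; six rows here just show the mechanics."""
    counts = Counter(str(abs(a)).lstrip("0.")[0] for a in amounts if a != 0)
    n = sum(counts.values())
    return {d: (counts[str(d)] / n, math.log10(1 + 1 / d)) for d in range(1, 10)}


if __name__ == "__main__":
    print("duplicate vendors:", duplicate_vendors(VENDORS))
    print("PO box vendors:", po_box_vendors(VENDORS))
    print("duplicate invoices:", duplicate_invoices(PAYMENTS))
    print("paid before invoiced:", paid_before_invoiced(PAYMENTS))
    print("unknown vendors:", payments_to_unknown_vendors(PAYMENTS, VENDORS))
    for d, (obs, exp) in benford_first_digit([p[-1] for p in PAYMENTS]).items():
        print(d, round(obs, 3), round(exp, 3))
```

The normalization step is the part that matters in practice: a duplicate-invoice test keyed on the raw invoice string misses the second payment of INV-1001 because it was entered as "inv 1001", which is exactly how a duplicate disbursement slips through a system-level duplicate check.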

Project Snapshot: Expense Report. List of analytics performed
Line items flagged as policy violations:
Expense booked in advance of the actual expense date
Flights within the US above $500
Hotels above $1,000
Group meals above $50
Duplicate analysis 1: combination of expense date, expense line amount, expense type, employee name and expense report number
Duplicate analysis 2: combination of expense date, expense line amount, expense type and employee name
Missing expense receipt
Expenses over weekends
Expenses over holidays

Analytics: Flights within the US above $500
Analytics: Duplicate Line Items
Analytics: Expenses booked in advance of the actual expense date

Project Snapshot: FCPA Analytics. List of analytics performed
Keyword search: invoice line description
Keyword search: expense line description
Payment date vs. invoice date analysis (run as part of the AP analytics)

Analytics: Keyword search, expense line description

Final Assessment

Questions?

BREAK (09:50 - 10:10)

Enterprise Risk Management and Impact to Your Audit Plan (10:10 - 11:30)
CAE Panel Discussion led by Shawn Kirshner (Accretive Solutions)

Panel Members
Janet Chapman, General Auditor, Union Bank
Cindy Overmyer, SVP, Internal Audit Services, Kaiser Permanente
Thierry Dessange, Director, IT Audit, Safeway
Pat Sammon, Head of Audit & Advisory Services, Autodesk
Kathy Guthormsen, Director of Risk Management, Autodesk

Risks in Social Media: Social media usage and risks (11:30 - 12:20)
Willis Kao (Deloitte), Anna Tchernina (Deloitte)

62Speaking with you todayWillis Kao, Senior [email protected] 718 0566San Jose

Anna Tchernina, Senior [email protected] 254 4722San Francisco

2012 Deloitte Global Services Limited

Agenda
Welcome to the world of social business
Social media risks deep dive
Social media governance and risk management
Lessons learned from audits
Questions

Social Media Revolution video: http://www.youtube.com/watch?v=dA5Fn_Q10Tk&feature=related

Welcome to the World of Social Business

Welcome to the world of social business!
People matter most
Transparent markets
Real-time expectations
Pervasive, mobile, cloud computing
Big data and invaluable analytics
Connected customers and ecosystem
Cross-boundary collaboration

Are you smarter than a 5th grader?
Do you (personally) use Facebook? LinkedIn? Twitter?
Does your company use Facebook? LinkedIn? Twitter?
Does your company have a social media policy?
Are your employees allowed to use social media?

Social Media Includes
Wikis, social networks, blogs, presence and microblogging, online sharing of videos and media, and social bookmarking and tagging.

Social Media Defined
Social media is an umbrella term for a host of sites and technology that facilitate social interaction, sharing, and creation of user-generated content, and aggregation of users' opinions and recommendations.
Common forms of social media:
Wikis: a page or site designed to enable collaborative contribution and modification of content by users
Blogs: short for web log; frequent online publications with commentary on current events, subjects, or one's personal thoughts
Social networking: sites focused on building online communities, establishing connections, and providing avenues for social interaction
Presence and microblogging: brief real-time updates of personal commentary, news, or status (aka tweets)
Online photo and video sharing: media-centric online communities that facilitate the viewing, sharing, and tagging (classification) of media content
Online forums and review sites: websites/tools that allow users to search for peer reviews or advice on a product or service, as well as to contribute their own ratings and comments

Social media benefits
1. Generate prospects and leads (sales): decrease time to market for new products; increase marketing effectiveness; develop new revenue opportunities; leverage interest-based marketing and advertising
2. Decrease costs: decrease R&D costs for new products by listening to your customers (and prospects); focus on inexpensive social media tools instead of using the traditional expensive marketing channels; decrease customer support costs
3. Increase loyalty: increase customer insights and intelligence (voice of the customer); improve customer experience responsiveness; improve customer education, expertise and service; direct contact with the customer instead of indirect contact through the retail channels
4. Manage brand reputation: increase brand awareness through social media; protect the brand and manage reputation; benefit from spontaneous reactions from the community by connecting like-minded peers

Social media challenges
1. Loss of control: the voice of the customer is amplified; companies no longer control the message or topic; messages might include negative publicity
2. Inconsistent message: when engaging several employees in the social media world, their messages and responses may not always be consistent and aligned with the strategy of the company
3. Confidential information: the use of social media sites enables users to circumvent company controls, opening up the potential to violate communication policies; education and training for employees is a key component of managing loss of information
4. Productivity loss: social media drives collaboration among co-workers but can also be a major distraction in the workplace

Copyright 2012 Deloitte Development LLC. All rights reserved.

Key departments affected
Advertising departments; sales and marketing staff; compliance professionals; Internal Audit; Risk Management; legal departments; operations and IT staff; recruiting/HR; customer service; senior management

72Social media risks deep dive

73 2012 Deloitte Global Services Limited

Social Media usage presents behavioral, application and technology related risks. The risklandscape is vast and continuously evolvingAnticipated RisksLegal & regulatory complianceDisclosure of confidential informationViolation of copyright lawsProtection of intellectual property rightsLegal and financial ramifications for non-compliance with industry regulationsSecurity & PrivacyIdentity theft, Social engineering Ability to retain and log social media communication; data retentionTechnical exploits: Malware, Viruses/Worms, Flash Vulnerabilities, XML injectionBrand and reputation damagePosting unfavorable or confidential information on a public siteUnclear behavioral expectation of end users to use social mediaDefamation, Copyright infringementProductivity lossUse of social media can be a distraction i.e. employees accessing non-work related social media sitesAcceptable use of social mediaSocial Media Risk Landscape74 2012 Deloitte Global Services Limited 74Malware and virusesData leakage/theftOwned systems (zombies)System downtimeResources required to clean systemsBrand hijackingCustomer backlash/adverse legal actionsExposure of customer informationReputational damageTargeted phishing attacks on customers or employees

Lack of control over contentEnterprises loss of control/legal rights of information posted to the social media sites

Customer service dissatisfactionCustomer dissatisfaction with the responsiveness received in this arena, leading to potential reputational damage for the enterprise and customer retention issues.

Social Media Risk Deep Dive75

75

Record retention non-complianceRegulatory sanctions and finesAdverse legal actions

Other threats and vulnerabilities.Use of personal accounts to communicate work-related informationEmployee posting of pictures or information that link them to the enterpriseExcessive employee use of social media in the workplaceEmployee access to social media via enterprise-supplied mobile devices

Social Media Risk Deep Dive Continued7676Social media governance and risk management77 2012 Deloitte Global Services Limited 77Social Media Governance and Risk ManagementStrategy: Review the social media strategy, program goals, and organization model and assess whether these have been formalized and communicated to all relevant teams. Evaluate the alignment of the strategy with company goals.

Policy:Review the social media policy and confirm that elements related to disclosure, ethics, community and privacy are included. Identify gaps and test awareness of the policy.

Roadmap: Assess the adequacy of the social media roadmap, including whether it is global or localized and whether short-term and long-term program milestones have been defined.

Team Structure: Assess whether the roles of key owners and stakeholders in the social media program have been defined and clearly communicated (e.g. executive sponsorship, communications/PR, employees, Legal, IT).

Preparedness and Response

Customer Profiles and Market Analyses: Review customer profile and market analyses and evaluate whether all products are covered and the appropriate target customers have been identified, including the desired relationship and engagement model.

Tools and Analytics: Understand how customer interactions via social media are integrated with existing systems and databases. Assess whether formal alerting tools have been implemented to identify key topics, comments, commentators and sentiment from website activity. Evaluate KPIs and metrics against best practices and the alignment of metrics with the social media strategy.

Processes: Test the policies and procedures that have been implemented to ensure that messaging is consistent with the social media strategy/plan. Review and test the policies, processes and procedures used for triage, crisis response, and intake and response to customer insights. Understand how customer insights are monitored, tracked and shared with relevant teams (product marketing, R&D, support, etc.) for resolution.

Training and Education / Compliance

Training and Education: Evaluate the types of training programs implemented to share best practices and rules of the road within the social media team. Understand how social media best practices are shared cross-functionally with other functions in the organization, such as recruiting, sales, product, etc.

Monitoring and Compliance: Understand whether compliance with the social media policy is monitored both internally and externally. Perform procedures to test compliance with the social media policy internally and externally.

Lessons Learned from Recent Audits
- Crisis management plan
- Monitoring processes
- Blogger disclosures
- Data leakage protection


Bottom Line
- It is here and it's not going away
- There may be substantial business benefits from using social media to achieve business objectives
- As with any opportunity, there is risk

Questions?

GOURMET LUNCH 12:20 - 13:20

Fraud Risk Management: The Things You Need To Know
1:20 - 2:10
Paul Ritchie, Deloitte

Agenda
- What is Fraud and Why is it an Important Concern?
- The Profile of a Fraudster
- Fraud Risk Assessment, Schemes and Red Flags
- Responding to Indicators of Fraud

What is Fraud and Why is it an Important Concern?

What is Fraud? As defined by the Institute of Internal Auditors:

"Any illegal act characterized by deceit, concealment or violation of trust. These acts are not dependent upon the threat of violence or of physical force. Frauds are perpetrated by parties and organizations to obtain money, property or services; to avoid payment or loss of services; or to secure personal or business advantage."

Types of Fraud
- Internal: illegal acts of employees, managers and executives against the company
- External: illegal acts of outsiders (non-employees) against a company

The activity:
- Is clandestine
- Violates the perpetrator's fiduciary duties to the victim organization
- Is committed for the purpose of direct or indirect financial benefit to the perpetrator
- Costs the employing organization assets, revenue or reserves

Occupational Frauds by Category - Frequency (chart; source: ACFE 2012 Report to the Nations on Occupational Fraud and Abuse)

- Asset misappropriation schemes, in which an employee steals or misuses the organization's resources (e.g., theft of company cash, false billing schemes or inflated expense reports)
- Corruption schemes, in which an employee misuses his or her influence in a business transaction in a way that violates his or her duty to the employer in order to gain a direct or indirect benefit (e.g., schemes involving bribery or conflicts of interest)
- Financial statement fraud schemes, in which an employee intentionally causes a misstatement or omission of material information in the organization's financial reports (e.g., recording fictitious revenues, understating reported expenses or artificially inflating reported assets)

Occupational Frauds by Category - Median Loss (chart; source: ACFE 2012 Report to the Nations on Occupational Fraud and Abuse)

Fraud Across Industries (chart; source: ACFE 2012 Report to the Nations on Occupational Fraud and Abuse)

Corruption Across Industries (chart; source: ACFE 2012 Report to the Nations on Occupational Fraud and Abuse)

Initial Detection of Occupational Frauds (chart; source: ACFE 2012 Report to the Nations on Occupational Fraud and Abuse)

Why Do Companies Need to Manage Fraud Risk?
- Legal duty of care to shareholders
- Statutory/regulatory requirements (SOX, SEC, FCPA and the Federal Sentencing Guidelines)
- Direct financial impact to the organization
- Indirect costs to the organization

Economics of Fraud (chart: fraud loss vs. revenue)
A $250,000 fraud loss at XYZ Company, with a profit margin of 10%, will require an additional $2.5 million in revenue to maintain net income levels ($250,000 / 0.10 = $2,500,000).

The Profile of a Fraudster

The Fraudster - Which Department? (chart; statistics from the 2012 ACFE Report to the Nations on Occupational Fraud and Abuse)

The Fraudster - How Old? (chart; statistics from the 2012 ACFE Report to the Nations on Occupational Fraud and Abuse)

Typical Fraudster - On the Surface
- Long-time employee
- Position of trust
- Appears to be extremely dedicated
- Unexplained cash or other wealth
- Always willing to help out and put in extra hours

Typical Fraudster - Beneath the Surface
- Gambler
- Drug or alcohol problem
- Behavioral changes
- Extramarital affairs
- Hostility to management
- General disenchantment with compensation

The Fraudster - Educational Background (chart; statistics from the 2012 ACFE Report to the Nations on Occupational Fraud and Abuse)

The Fraudster - Effects of Tenure
- Direct correlation between length of time employed and size of fraud losses
- Employees with 10 or more years of tenure caused median fraud losses of $229,000
- Employees with less than one year of tenure caused median fraud losses of $25,000
Statistics from the 2012 ACFE Report to the Nations on Occupational Fraud and Abuse

The Fraudster - Effects of Gender
- Male perpetrators accounted for 65% of cases, with median fraud losses of $200,000
- Female perpetrators accounted for 35% of cases, with median fraud losses of $91,000
Statistics from the 2012 ACFE Report to the Nations on Occupational Fraud and Abuse

The 10-80-10 Rule
- 10% of the population would never engage in illegal conduct.
- 80% of the population might engage in illegal conduct.
- 10% of the population are deviants, always on the lookout to cheat, steal, etc. (regardless of profession).

You have all no doubt heard of the fraud triangle.

The Fraudster - How Do They Attempt to Fool, Distract and Undermine an Auditor?
- Overloading
- Attaching false time frames
- Taking advantage of perceived fears
- Killing time with trivia
- Exploiting expected scopes
- Exploiting historically low-risk areas
- Exploiting complex areas
- Predicting cycle audits
- Stalling
- Making staff unavailable
- Filtering of information
- Not updating procedures
- Discrediting the auditor

How to Address
- Maintain an attitude of professional skepticism
- Investigate what does not make sense
- If it seems too good to be true, it usually is; trust your instincts
- Beware of trust over reason
- Avoid placing faith in other people's faith
- Verify and corroborate
- Good interviewing and observation skills are key
- Look for signs of deceptive behavior
- Do not ignore information or data

Fraud Risk Assessment, Schemes and Red Flags

Internal Audit Plan
The plan should be:
- Dynamic/flexible
- Comprehensive/complete
- Integrated: it combines fraud risk assessment, appropriate cycle rotations and management insight
- Risk-directed: it directs resources to the areas with the highest risk

Fraud Risk Assessment Approach
1. Evaluate fraud risk factors
2. Identify possible fraud schemes and scenarios
3. Analyze fraud risks and schemes and evaluate mitigating controls
4. Evaluate fraud risk assessment results and prioritize residual fraud risks

Design Tests to Identify Fraud
- Color-by-numbers approach
- Creativity-and-thought approach

What Are the Hallmarks of an Effective FRA?
- Is systematic and recurring.
- Is dynamic and is updated when new or unique circumstances arise (e.g., changed operating environments, restructurings, acquisitions), and at least annually.
- Is performed with the involvement of appropriate personnel.
- Considers possible internal and external fraud schemes and scenarios.
- Considers management override (e.g., journal entries, bias in estimates, non-routine transactions).
- Assesses risk at the organization-wide, significant business unit and significant account levels.
- Considers historical fraud and industry fraud risks.
- Results are monitored by the Audit Committee/Board.

Indicators in Practical Use
- Where is the potential for fraud (according to interview results and survey responses)?
- Areas where fraud has been detected
- Manual and complex processes
- Timing of registering transactions
- Processes involving cash management
- Unclear who reviews and who approves
- Lack of controls or knowledge of procedures

Valuable Soft Skills for an Internal Auditor
- Think like a fraudster.
- Facilitate a control self-assessment.
- Use information gathering techniques.
- Communicate and build rapport.
- All segments of an audit are connected.
- Use an unpredictable and flexible audit approach.
- Perform and understand data analytics.
- Don't lead the interviewee.
- Pay attention to the details.

Attention to Details

Interviewing Techniques - Detecting Deceptive Behavior
Deceptive behaviors may be verbal or non-verbal. Remember: disregard isolated and/or individual behaviors.

Deceptive Behaviors - Non-verbal
- Adjusting attire
- Fleeing position
- Wiping sweat
- Hand wringing
- Scratching
- Covering eyes and face
- Biting lip
- Crossing the arms

Deceptive Behaviors - Verbal
- Character testimony
- Making excuses
- Repetition of oaths
- Answering with a question
- Repeating questions
- Overuse of respect
- Selective memory
- Changing speech patterns

Responding to Indicators of Fraud

Internal Auditor Proficiency Standard
"Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud."
Source: The Institute of Internal Auditors, International Standards for the Professional Practice of Internal Auditing, Standard 1210.A2 (www.theiia.org)

When Does an Internal Audit Become a Fraud Investigation?
- Expand the sample, expand the scope, or perform additional procedures. Look for additional instances or patterns.
- Ask additional questions framed in the context of the internal audit (e.g., how could a situation like this occur?).
- Maintain copies of documents and data files that support the red flags and symptoms of fraud. When possible, maintain originals of documents.
- Any indication of potential perpetrators?
- Cease audit work if there appears to be a predication for suspecting fraud.

Forensic Investigation vs. Financial Audit

Mindset
- Forensic investigation: all cases may end in litigation
- Audit: professional skepticism

Frequency
- Forensic investigation: non-recurring; random
- Audit: recurring; scheduled

Approach
- Forensic investigation: no management planning session; limited notification
- Audit: meet with management to plan and scope the audit

Relationship
- Forensic investigation: potentially adversarial
- Audit: professional skepticism

Scope
- Forensic investigation: document examination of a particular issue; review of outside data; interviews of potential persons of interest
- Audit: analysis of financial statements and/or other financial data; interviews with management

Work Programs
- Forensic investigation: programs developed and amended as needed
- Audit: audit programs

Employer
- Forensic investigation: client's attorney, in-house counsel, special committee
- Audit: audit committee / client management

Objective
- Forensic investigation: identify responsible parties; quantify damages
- Audit: issue an opinion on the client's financial statements and related disclosures

Report Audience
- Forensic investigation: report is presented to counsel
- Audit: opinions used by the Board of Directors / Audit Committee / shareholders / public

Benefits of a Fraud Response Plan
- Standardized response
- Consistent approach
- Clarified roles and responsibilities
- Internal and external reporting responsibilities
- Process for consensus and agreement

Contact Details
Paul Ritchie
Senior Manager, Deloitte Forensic
Deloitte Financial Advisory Services LLP
Tel. [email protected]

Top Ten Emerging IT Audit Issues

2:10 - 3:00 pm

Michael Juergens, Deloitte & Touche LLP

Overview
- IT controls continue to increase in importance to organizations
- Corporate reliance on technology increases
- Compliance requirements increase
- Deficiencies in IT controls can have a significant impact on the organization

IT Audits

Where We Have Been / Where We Need To Be (chart)

Top 10 IT Audit Issues
- By no means a comprehensive list
- Will vary by environment
- May be greater or lesser risk depending on industry, technology, business processes, etc.
- This list is based on what we see in the marketplace
- Designed to get you thinking about your environments and whether currently scheduled IT audit procedures will evaluate these risks
- List is in no particular order

1. Omnichannel Commerce
Issue: Traditional bricks-and-mortar channels are merging with e-commerce channels to create a single integrated approach to sales.

Risk:
- Failure to evolve could impact long-term enterprise viability
- Will change sales approach and systems
- Large integration and master data concerns

Recommendation: Understand current and planned changes to sales channels. Determine the impact on systems, specific transactions processed, accounts impacted and master data. Evaluate risk, then plan and execute audit procedures accordingly.

2. Cyber Security Reporting
Issue: In October 2011 the SEC's Division of Corporation Finance issued disclosure guidance (CF Disclosure Guidance: Topic No. 2) under which public companies should disclose the risk of cyber incidents, in the risk factors, Management's Discussion and Analysis and related sections of their filings, if "these issues are among the most significant factors that make an investment in the company speculative or risky."
Risk:
- Failure to comply with SEC reporting requirements
- Exposure to potential shareholder litigation if the requirement is not met
- Audit Committee exposure
Recommendation: The challenge is that the guidance lacks specificity; organizations must determine what to report, if anything. Therefore organizations must have a process for identifying exposures, evaluating impact, and then reporting and disclosing appropriately. IT audit should assess this process to determine whether it exists and how comprehensive it is, and take additional steps to evaluate how effective it is.

3. Software Asset Management
Issue: Software licensing contracts are complicated and software lifecycles are complex. The economic downturn has caused software vendors to aggressively pursue licensing audits.

Risk:
- Potentially significant financial liabilities in the event of a vendor license audit
- Loss of potential savings
- Failure to sunset unused applications

Recommendation: Perform a software asset management (SAM) audit. Consider using the ISO/IEC 19770 SAM standard and the ITIL (Information Technology Infrastructure Library) guidance on software asset management. The audit should include evaluating the SAM process, reviewing contracts and software license baselines, and analyzing non-essential software and patch deployment.

4. Payment Processing
Issue: Emerging methods of payment processing (Isis, Google Wallet, PayPal).

Risk:
- Failure to adopt impacts potential revenue
- Impact on revenue cycle processes, systems and controls

Recommendation: Determine what changes are planned or underway to adopt new payment processing technologies. Determine the impact on financial systems and processes (e.g. sales audit). Evaluate integration management. Identify new security and controls considerations and execute audit steps accordingly.

5. Hyper-Hybrid Cloud
Issue: Adoption of heterogeneous cloud solutions creates significant issues with the management and integration of processes and data, and leads to the need for additional management solutions.

Risk:
- Master data proliferation and management
- Disparate cloud solutions impact business processes
- Security management becomes much more complex (e.g. federated identity via Security Assertion Markup Language (SAML) and OpenID)
- Need for effective service lifecycle management increases

Recommendation: Understand the current and planned cloud services grid and the specific business control points, integration and workflow. Understand the security management strategy and the deployment of new technologies/standards. Determine process and data risk and identify/test controls. Evaluate Service Organization Control (SOC) reports for vendors.

6. Data Lifecycle Management (DLM)
Issue: 2011 saw the emergence of new regulations and legislation for records management and data retention. Regulators have significantly increased their scrutiny of the data lifecycle space.

Risk:
- Large potential financial penalties for non-compliance
- Impact on brand
- Impact on customers and vendors

Recommendation: Gain an understanding of how DLM is operationalized throughout the organization, DLM awareness levels and how DLM compliance is achieved. Evaluate the organization's DLM capability maturity and identify compliance gaps related to the DLM governance structure, policies, processes and procedures.

7. End User Computing (EUC)
Issue: Significant increase in the evaluation of spreadsheets and other end user computing solutions by auditors and regulators. Additional regulations promulgated (e.g. Solvency II). Uncontrolled EUCs are still impacting financial statements and business operations.

Risk:
- Loss of critical data
- Potentially inaccurate financial or management reporting
- Exposure to regulatory sanctions or fines

Recommendation: Perform an extensive EUC audit. Evaluate criteria such as criticality determination, governance model and use of technical accelerators. Audits should also evaluate programming structure. A policy-based audit and/or access-based audit is likely insufficient.

8. IT Governance
Issue: IT governance continues to play a large role in aligning the proliferation and use of technology with organizational objectives. Also, Institute of Internal Auditors (IIA) Standard 2110.A2 states: "The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization's strategies and objectives."

Risk:
- Non-compliance with IIA standards
- Potential misalignment of IT resources with organization strategy

Recommendation: Assess capabilities across the IT governance domains: strategic alignment, risk management, value delivery, performance management and resource management. Establish a baseline understanding of current capabilities and the maturity level of IT governance processes.

9. Digital Identity
Issue: Deployment of emerging technologies and the unification of internal/external systems create significant identity sprawl and difficulties managing identities across platforms, applications and networks. To be efficient and compliant, federated identities are emerging. Our IT access audits and analyses are becoming more reliant on review-based controls.

Risk:
- Unauthorized access to data or transactions
- Regulatory fines or litigation
- Brand impact

Recommendation: Understand the corporate security perspective on identity management. Inventory the systems, devices and technologies currently deployed or planned (consider external sources as well). Evaluate the strategy and technical solutions for managing digital identity. Perform a detailed audit of critical technologies and controls.

10. Product Duplication
Issue: Proliferation of cheap 3D printing technology makes it possible to easily duplicate certain consumer products.

Risk:
- Loss of sales, market share
- Impact on brand

Recommendation: Understand the current product mix; identify products susceptible to duplication (small, higher-value items are typical). Understand security and controls around schematics. Peruse pirate sites to identify proliferation of schematics. Consult with loss prevention teams to understand their approach to managing remote duplication.

Summary
- Need to understand which items may be relevant in your business and technical environment
- Ensure that the risk assessment and audit universe address the relevant items
- Don't walk the plank alone: communicate with management and the audit committee
- Plan resource requirements
- Be careful not to underestimate

Questions

Contact information
Michael Juergens
Principal, Deloitte & Touche LLP
213-688-5338

[email protected]/pub/michael-juergens/2/221/988

This presentation contains general information only and Deloitte & Touche LLP is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

BREAK 2:40 - 3:00

Soft Skills Training: Understanding Your Auditee - Key Lessons on Effective Communication

3:20 - 4:40
Group Setting

Howie Cumme, URS; Ed Byers, Deloitte; Farhan Zahid, Deloitte

Agenda and Introduction

Agenda for Session
- First Impressions
- Building Trust
- Personality Analysis - DISC Profiles
- Getting The Truth
- Navigating Politics
- Wrapping Up

Intro and Background
- Interactive session
- Better understanding of yourself and human interactions
- Building attraction and trust
- Adapting to the situation
- Challenging situations: tips and tricks

Ultimate Auditing Technique

First Impressions
How many seconds does it take to form a first impression: 1/10th of a second, 7 seconds or 12 seconds?
"All the correlations between judgments made after a 1/10-second glimpse and judgments made without time constraints were high, but of all the traits, trustworthiness was the one with the highest correlation."

How the Mind Works
- Reptilian
- Paleomammalian
- Neomammalian
You need to cater to the brain in the order it evolved: primal, emotional and then logical.
- Health and appearance: primal
- Behavior and body language: primal
- Warmth and introductions: emotional
- Personality, professionalism and preparation: logical

First Impressions
- The key to effective communication is to understand the style or method of communication desired by the auditee
- The auditee's behavior style is key!
- Ineffective communication typically results when an auditor communicates in THEIR style rather than the AUDITEE'S desired style

Personality Analysis - Intro to DISC
- The DISC profile is a simple tool to understand your behavior style and how best to work with others (e.g. your SPOUSE!)
- No behavior style is right or wrong; the key is to understand how to communicate effectively with others

DISC Profile

Steps to Filling Out the DISC Profile
- Select a word that MOST describes you and a word that LEAST describes you
- Put an M/L next to the word; DO NOT put a big X, for example, in the MOST/LEAST column
- Use a coin to gently rub the rectangle after the word in the MOST/LEAST columns
- Tally up the results in the tally box on page 5
- Fill out graphs I, II and III

Understanding the DISC Profile
- Each style has its strengths, weaknesses and needs; a weakness is an overextension of a style's strength
- There are typically key success factors in communicating with different styles
- Understanding how to match styles is important; evolve if necessary
- Good questions to ask different styles

Note: refer to the handouts, which give an overview of these four areas.

DISC Discussion Points
- How do you communicate if you are presenting to two different styles (e.g. D and C)?
- Do not assume that all executives are Ds and all auditors are Cs
- How can you assess a person's behavior style by looking at their office (or other factors)?
- What have you learnt about yourself?
- Key potential next steps

Building Trust
- Friendliness/rapport
- Warmth
- Connection
- Assertiveness
- Flow of conversation; comfort
- Professionalism and preparedness
- Reassurance/implications

Getting The Truth
- Fear of the consequences
- Focus on what you need to know
- Professional reassurance: rational, unbiased
- How do you know if you are always getting the truth? Sweaty palms? Hesitation? Avoidance of eye contact?

Lies
- It is tough to tell the difference between a liar and an honest person under stress
- Indicators of lying:
  - Level of detail being provided
  - Tone of voice, unusual body language
  - Inconsistency when changing viewpoints
  - Concealment of anger, distress or fear
  - Lifting just the inner part of the eyebrow (distress, >85%)
  - Eyebrows raised and pulled together (fear)
  - Narrowed, tightened lips or a lopsided smile (anger)
- There are no absolute clues to lying, only indicators

Navigating Politics
- Is it always possible?
- Internal and external politics affecting the meeting
- Pressures in the room: is one-on-one time possible?
- Ask questions again when necessary, to each individual

Wrapping Up
- Leave the door open
- Follow up within 24 hours
- Be genuine and smile
- Finish with something memorable and relaxed

Seminar Wrap Up and Thanks

SF IIA Fall Seminar: Internal Audit's Role in the Changing Business Landscape
November 30th 2012, San Francisco

Denied Claims Analytics Workflow (diagram from the data analytics session; only the box labels survive, listed here in pipeline order with the score labels paired to the analysis they appear next to)

Input: Denial Claims with EOB Desc; EOB Desc File
Datamart: logics to define denials
SAS Programming: Pull In-Scope Denied Claims Data
SAS Programming: Analyze the Claims Data
Risk Assessment: Assign Risk Score to Sub-Population of Each Analysis
- Analysis 1: Population Overview (Score: 0)
- Analysis 2: Trend by Denial Rate (Score: 1)
- Analysis 3: Trend by System Date (Score: 1)
- Analysis 4: Dollar Stratification (Score: 1-2)
- Analysis 5: System Day Stratification (Score: 1-2)
- Analysis 6: Location Stratification (Score: 0)
- Analysis 7: COB Profiling (Score: 1)
- Analysis 8: ER Visits Profiling (100% Test)
- Analysis 9: Provider Profiling (Score: 1-3)
- Analysis 10: EOB Profiling (100% Test)
- Analysis 11: IPA / MG Drill Down (DOFR Drill Down)
SAS Programming: Claims Scoring and Sampling
Output: 25 Claim Selections and 12 Provider Selections, subject to detail testing
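The scoring and sampling step of the claims analytics workflow above, written out as an added example. This is not the presenters' code: their programs ran in SAS, and this Python version stands in for them. The analysis names, the score ranges (0, 1, 1-2, 1-3 and "100% test") and the two sample sizes follow the diagram labels; the field layout, every threshold (dollar percentiles, 30/90 system days, the "hot month" volume rule, the top-three provider ranking), the high-risk EOB code set and the claim records themselves are assumptions, and the claims are constructed. Trend by denial rate is left out because it needs the approved claims as well, which the denied-claims extract does not carry.

```python
"""Claim risk scoring and sampling for a denied-claims audit.

Added example, not code from the seminar. The seminar workflow was written in
SAS; this Python stands in for it. Analysis names and score ranges follow the
workflow diagram; thresholds, field layout and sample data are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import median

# Assumed high-risk EOB (explanation-of-benefits) denial codes that get a 100% test.
FULL_TEST_EOB_CODES = {"EOB07"}


@dataclass(frozen=True)
class DeniedClaim:
    claim_id: str
    provider_id: str
    location: str
    amount: float       # billed dollars on the denied claim
    system_days: int    # days from date of service to entry in the claims system
    system_month: str   # month the claim hit the system, "YYYY-MM"
    eob_code: str       # denial reason code from the EOB description file
    cob: bool           # coordination of benefits with another payer
    er_visit: bool      # emergency-room visit


# Constructed sample; not real claims data.
CLAIMS = [
    DeniedClaim("C001", "P10", "SF", 120.0, 5, "2012-04", "EOB01", False, False),
    DeniedClaim("C002", "P10", "SF", 4800.0, 45, "2012-05", "EOB01", True, False),
    DeniedClaim("C003", "P20", "LA", 90.0, 12, "2012-05", "EOB07", False, True),
    DeniedClaim("C004", "P20", "LA", 15000.0, 120, "2012-05", "EOB03", False, False),
    DeniedClaim("C005", "P30", "SF", 260.0, 7, "2012-04", "EOB01", False, False),
    DeniedClaim("C006", "P10", "SD", 310.0, 60, "2012-06", "EOB07", False, False),
    DeniedClaim("C007", "P40", "LA", 75.0, 3, "2012-05", "EOB02", True, False),
    DeniedClaim("C008", "P20", "LA", 2200.0, 95, "2012-05", "EOB01", False, False),
    DeniedClaim("C009", "P30", "SF", 400.0, 20, "2012-06", "EOB03", False, False),
    DeniedClaim("C010", "P50", "SD", 55.0, 2, "2012-04", "EOB01", False, False),
    DeniedClaim("C011", "P40", "LA", 1300.0, 33, "2012-05", "EOB02", False, False),
]


def score_claims(claims):
    """Run the population-level analyses once, then score every claim.

    Returns {claim_id: (total_score, full_test)}; full_test marks a claim that
    is tested 100% (ER visit or high-risk EOB code) instead of being sampled.
    """
    amounts = sorted(c.amount for c in claims)
    amount_median = median(amounts)
    amount_p90 = amounts[int(0.9 * (len(amounts) - 1))]

    # Trend by system date (score 1): months with > 1.5x the average monthly volume.
    per_month = Counter(c.system_month for c in claims)
    hot_months = {m for m, n in per_month.items()
                  if 2 * n * len(per_month) > 3 * len(claims)}

    # Provider profiling (score 1-3): top three providers by denied dollars.
    dollars_by_provider = defaultdict(float)
    for c in claims:
        dollars_by_provider[c.provider_id] += c.amount
    ranked = sorted(dollars_by_provider, key=lambda p: (-dollars_by_provider[p], p))
    provider_score = {p: 3 - i for i, p in enumerate(ranked[:3])}

    scored = {}
    for c in claims:
        s = 0
        # Dollar stratification (score 1-2): above median, or in the top decile.
        s += 2 if c.amount >= amount_p90 else 1 if c.amount >= amount_median else 0
        # System day stratification (score 1-2): late entry into the system.
        s += 2 if c.system_days > 90 else 1 if c.system_days > 30 else 0
        # Location stratification scores 0 on the diagram: reported, not scored.
        s += 1 if c.cob else 0                          # COB profiling (score 1)
        s += 1 if c.system_month in hot_months else 0   # trend by system date
        s += provider_score.get(c.provider_id, 0)       # provider profiling
        full_test = c.er_visit or c.eob_code in FULL_TEST_EOB_CODES
        scored[c.claim_id] = (s, full_test)
    return scored


def select_claims(claims, n_claims=25):
    """Pick claims for detail testing: every 100%-test claim, then the
    highest-scoring (and, on ties, highest-dollar) claims up to n_claims."""
    scored = score_claims(claims)
    by_id = {c.claim_id: c for c in claims}
    picked = sorted(cid for cid, (_, full) in scored.items() if full)
    rest = sorted((cid for cid, (_, full) in scored.items() if not full),
                  key=lambda cid: (-scored[cid][0], -by_id[cid].amount, cid))
    return picked + rest[:max(0, n_claims - len(picked))]


def select_providers(claims, n_providers=12):
    """Pick providers for drill-down by denied dollars, highest first."""
    dollars = defaultdict(float)
    for c in claims:
        dollars[c.provider_id] += c.amount
    return sorted(dollars, key=lambda p: (-dollars[p], p))[:n_providers]


def location_strata(claims):
    """Location stratification output: denied claim count and dollars per location."""
    strata = defaultdict(lambda: [0, 0.0])
    for c in claims:
        strata[c.location][0] += 1
        strata[c.location][1] += c.amount
    return {loc: (n, d) for loc, (n, d) in strata.items()}


if __name__ == "__main__":
    for cid, (s, full) in sorted(score_claims(CLAIMS).items()):
        print(cid, s, "100% test" if full else "")
    print("claims:", select_claims(CLAIMS, 5))
    print("providers:", select_providers(CLAIMS, 2))
```

The population-level analyses (percentiles, monthly volumes, provider ranking) are computed once over the whole extract before any claim is scored, so a claim's score depends on where it sits in the population rather than on fixed dollar cut-offs. The 100%-test populations bypass the ranking entirely: select_claims returns them even when the requested sample size is smaller than their count, which is what "100% test" on the diagram means in practice.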