Top Cycle Mining
Philip Elsas, ComputationalAuditing.com
Hans Blokdijk, Limperg Institute
Robert Nehmer, Oakland University
SIKS Master Class on Smart Auditing
March 21, 2012, Vught
1
• Process mining is a technique that takes business event logs as input and generates a smart flow chart as output
• The business case for process mining:
– Automatically generated flow chart
– Flow chart is not documentation-only
2
Introduction
Process Mining
• References
– Aalst, W. van der (2011). Process Mining: Discovery, Conformance and Enhancement of Business Processes. Springer Verlag, Berlin (ISBN 978-3-642-19344-6).
– Jans, M., van der Werf, J.M., Lybaert, N., Vanhoof, K. (2011) A business process mining application for internal transaction fraud mitigation, Expert Systems with Applications, 38 (10), 13351-13359
– http://www.processmining.org/
3
• Our approach is to strategically position process mining for the cash-to-cash top cycle by assessing and assuring completeness of loggings
• The cash-to-cash cycle is central in the integrated owner-ordered and management-ordered audit approach
– To Be modality ('Soll')
– As Is modality ('Ist')
4
Our Approach
• Owner-ordered auditing addresses understatement of profits: whether revenues are understated and expenses are overstated.
As an owner you want assurance that management, to whom you entrusted your money, is not making profits while keeping parts of them unstated, since profits are the basis of your dividends and stock quotation.
• Management-ordered auditing addresses overstatement of profits.
As management you want to attract investment capital by increasing your credibility that the profits you state are all real, not overstated, and so you hire the independent auditor to provide this assurance.
• Management's illegitimate interest (overstating or understating profits) determines the direction of the audit from a market-driven value-adding perspective
5
Owners
Management
Potential Owners
Owner-ordered audit: to check management
Management-ordered audit: to attract new investors
to increase credibility that profits aren't overstated
to increase credibility that profits aren't understated
Money-inflow for management
maximize equity
Money-inflow for owners
long-term ROI
6
• In the owner-ordered audit tradition the auditor determines completeness of profits using the cash-to-cash top cycle
• Quantitative: enterprise-level spanning reconciliation checks (also known as: comprehensive coherence tests): central norm connecting:
- ‘buy side’ and ‘sell side’ transaction volumes
- generated ‘gross profit’ margins
• Qualitative: enterprise-level segregation of duties: non-identical and preferably opposite interests in top cycle logging locations
7
Cash-to-cash top cycle
8
Top cycle represented as a smart flow chart: transaction, or flow, as a box with adjacent arrows (active), state or stock as a circle (passive)
9
Top cycle represented as matrices with quantitative aspects (prices & volumes) and qualitative aspects (authorizations by agents/departments: S,B,F,D,C,W)
10
Top cycle represented as a set of equations with the primary audit direction per equation parameter in an owner-ordered audit: overstatement (overlining in dark orange color) or understatement (underlining in light orange color)
11
unstated revenues, spanning reconciliation checks & detectability
$0 + $30 * (900+100) - $0 => $27,000+$3,000
0 + 900+100 - 0 => 900+100
$0 + $18,000+$2,000 - $0 => $20 * (900+100)
$0 + $27,000+$3,000 - $9,000+$1,000 => $18,000+$2,000
0 + 900+100 - 0 => 900+100
$0 + $27,000+$3,000 - $9,000+$1,000 => $18,000+$2,000
recording + omitted recording reality + omitted reality
$0 + $18,000+$2,000 - $0 => $20 * (900+100)
12
$0 + $30 * (900+100) - $0 => $27,000+$3,000
Economic substance of the business can be represented by a
‘Web of equations’
which inevitably includes: ‘stocks’ and ‘flows’ outside of the basic cash-to-cash top cycle, such as transactions regarding:
- fixed assets;
- financing;
- general expenses.
13
The complete ‘web of equations’ is indispensable to compose an ‘audit plan’, for all the ‘stocks’ and ‘flows’.
Main question:
Should a particular ‘stock’ or ‘flow’ be tested
- for: overstatement,
- or: understatement?
Requires different auditing techniques.
14
The analysis in owner-ordered auditing starts with:
testing sales for understatement
Equation:
Inv[B] + Pur – Inv[E] → Sales
But then, testing Sales for understatement means:
testing Inv[E] for overstatement!
15
The analysis should be pursued for all equations, and there is no need to audit any item, in either B/S or P&L, for both under- and overstatement.
The general result is:
test all debits for overstatements (assets in the B/S and expenditures in the P&L),
and
test all credits for understatements (liabilities in the B/S and revenues in the P&L).
16
The International Standards on Auditing (ISAs) do not specify audit plans.
However, they require that all items in the accounts are tested both for over- and understatements.
But this does not generally require two different tests on an item:
if a debit is tested for overstatement, the corresponding credit is implicitly tested for overstatement as well!
Double-entry bookkeeping.
17
One specific challenge in every audit:
Equation: Inv[B] + Pur – Inv[E] → Sales
is right in terms of quantities (of goods or services), not in terms of money, like all the other equations!
The difference: ‘Gross Profit’,
which is to be audited for understatement.
Main challenge to be solved in every audit.
18
Mapping out the cash-to-cash top cycle enables the auditor to perform:
‘comprehensive coherence testing’ (CCT)
extensively described in
‘Reflections on Auditing Theory’, chapter 3
(Kluwer Bedrijfswetenschappen, Limperg Instituut, 1995).
19
But: CCT does not discover ‘shop in the shop’: an entire cycle of purchases, sales, payments and receipts fraudulently omitted from the accounting records.
To be prevented by segregation of duties.
Mapping out the top cycle enables the evaluation of internal controls.
20
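The reach and the limit of CCT described above, as an added example that is not from the slides: every stock is checked with begin + inflow - end => outflow, using the prices and volumes of the worked figures ($20 buy, $30 sell, 900 + 100 units). The field names and the reading of the four equations as inventory, receivables, payables and cash are assumptions.

```python
# Added example, not from the slides. Field names are hypothetical.
BUY_PRICE, SELL_PRICE = 20, 30   # unit prices taken from the slide figures

def coherence_gaps(rec):
    """Gap per stock equation (begin + inflow - end - outflow); 0 means coherent.
    Opening balances are 0, as on the slide."""
    return {
        # Goods in units: Inv[B] + Pur - Inv[E] -> Sales (Inv[E] from stock count)
        "inventory_units": rec["units_purchased"] - rec["inv_end_units"] - rec["units_sold"],
        # Receivables: sales value - closing balance -> cash receipts
        "receivables": SELL_PRICE * rec["units_sold"] - rec["ar_end"] - rec["receipts"],
        # Payables: purchase value - closing balance -> payments
        "payables": BUY_PRICE * rec["units_purchased"] - rec["ap_end"] - rec["payments"],
        # Cash: receipts - closing balance -> payments
        "cash": rec["receipts"] - rec["cash_end"] - rec["payments"],
    }

def findings(rec):
    """Only the equations that do not reconcile."""
    return {name: gap for name, gap in coherence_gaps(rec).items() if gap != 0}

def books(units_purchased, units_sold, receipts, payments, cash_end):
    """Recorded figures for one period with zero closing stock, AR and AP."""
    return dict(units_purchased=units_purchased, units_sold=units_sold,
                receipts=receipts, payments=payments, cash_end=cash_end,
                inv_end_units=0, ar_end=0, ap_end=0)

# Constructed cases. Reality in all three: 1,000 units bought and sold.
HONEST = books(1000, 1000, 30000, 20000, 10000)
# 100 sales and their $3,000 receipts left out; purchases fully recorded.
SALES_OMITTED = books(1000, 900, 27000, 20000, 7000)
# 'Shop in the shop': the whole cycle for 100 units left out of the records.
SHOP_IN_SHOP = books(900, 900, 27000, 18000, 9000)

if __name__ == "__main__":
    for name, rec in [("honest", HONEST), ("sales omitted", SALES_OMITTED),
                      ("shop in the shop", SHOP_IN_SHOP)]:
        print(name, findings(rec) or "coherent")
```

The sales-only omission surfaces as 100 unexplained units in the inventory equation, while the fully omitted cycle reconciles on every equation, which is why it has to be addressed through segregation of duties.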
System Logging in Our Approach
• Information System (IS) server software is developed with built-in logging capabilities and default log levels
• Log levels specify the amount of detail logged
• The IS function uses logs to help control day-to-day operations and maintenance
• Auditors can mine existing logs for audit evidence in our approach
21
Benefits of the approach
• Uses existing logs as a baseline
• Allows a critique of existing controls when combined with the top cycle approach
• IS personnel are already familiar with logging and require little or no additional training
22
Example: Database server logging
• Access logging
– Logs data about connections to a database server: time stamp, duration, user ID, table accessed, etc. This data can be used to test separation of duties and appropriate access from the audit perspective.
• Write-ahead logging
– Logs transaction details for transactions still in volatile areas of the system. Used to recover data in case of system failure but can be mined for transaction details. This data can include purchase cost, direct labor, and overhead details.
23
Full Coverage of Loggings
Access log
Write-ahead log
24
Logs Mapped to Matrix
25
Assessment with Top Cycle: Partial Coverage
26
Partial Coverage Mapped to Matrix
27
Assessment Part 1
Absent logged measures can be corrected in one of two ways:
1) Increase logging levels and have the built-in logging capture the measures
2) Write a custom system to capture the measures
• In either case, costs are determinable and comparable with the value of the missing measures
28
Assessment Part 2
• Problems in the qualitative design of the system of segregation of duties would be discovered by setting expectations for access to the database and checking that necessary transactions are occurring.
• The logs can be checked to make sure these access points exist and are being routinely used.
29
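The two checks from Assessment Part 2, as an added example that is not from the slides: it reads a database access log, flags user IDs that write to tables belonging to more than one duty, and lists expected access points that never appear. The log format, table names and table-to-duty mapping are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample access log; the line format is an assumption.
SAMPLE_LOG = """\
2012-03-01T09:12:03 dur=4 user=buyer1 table=purchase_orders op=INSERT
2012-03-01T09:40:11 dur=2 user=whs1 table=goods_receipts op=INSERT
2012-03-01T10:05:47 dur=3 user=sales1 table=sales_invoices op=INSERT
2012-03-01T11:30:00 dur=5 user=buyer1 table=vendor_payments op=INSERT
2012-03-01T11:31:19 dur=1 user=sales1 table=sales_invoices op=SELECT
2012-03-01T12:00:00 dur=1 garbage line without fields
"""

# Hypothetical mapping of tables (access points) to top-cycle duties.
DUTY_OF_TABLE = {
    "purchase_orders": "purchasing",
    "goods_receipts": "warehouse",
    "sales_invoices": "sales",
    "vendor_payments": "cash",
    "customer_receipts": "cash",
}
LINE = re.compile(r"^(\S+) dur=(\d+) user=(\S+) table=(\S+) op=(\w+)$")
WRITE_OPS = {"INSERT", "UPDATE", "DELETE"}

def assess(log_text):
    """Return (conflicts, unused_access_points, rejected_lines)."""
    duties_by_user = defaultdict(set)
    used_tables, rejected = set(), []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(4) not in DUTY_OF_TABLE:
            rejected.append(line)  # unparsable or unmapped: keep for review
            continue
        _, _, user, table, op = m.groups()
        if op in WRITE_OPS:        # only writes count as performing a duty
            duties_by_user[user].add(DUTY_OF_TABLE[table])
            used_tables.add(table)
    # One user ID writing in two duties breaks segregation of duties.
    conflicts = {u: sorted(d) for u, d in duties_by_user.items() if len(d) > 1}
    # Expected access points with no logged writes are not in routine use.
    unused = sorted(set(DUTY_OF_TABLE) - used_tables)
    return conflicts, unused, rejected

if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```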
30
http://www.promtools.org/prom5/
Mining the top cycle business process
31
• Based on existing logs in an appropriate segregation of duties, an organization may already be very close to boosting audit power by process mining
• Additionally required logging detail or additional segregation of duties is systematically identified using the cash-to-cash top cycle from the proven owner-ordered audit tradition
32
Concluding remarks