1) The document discusses continuous monitoring and auditing techniques using data analytics. It provides definitions and examples of continuous monitoring, auditing, and assurance.
2) Continuous monitoring involves ongoing management oversight of controls while continuous auditing involves independent testing by internal auditors. The relationship between the two is also discussed.
3) Implementing continuous monitoring and auditing can provide benefits like early detection of issues and fraud reduction but also faces challenges like obtaining the right data and tools.
Data Analytics and Continuous Monitoring in Internal Auditing
1. 4/1/2019
Data Analytics - 4
Analysis and Monitoring
based on Data Analytics for
Internal Auditors
by Richard Cascarino
About Jim Kaplan, CIA, CFE
President and Founder of AuditNet®,
the global resource for auditors (now
available on iOS, Android and
Windows devices)
Auditor, Web Site Guru,
Internet for Auditors Pioneer
Recipient of the IIA’s 2007 Bradford
Cadmus Memorial Award.
Author of “The Auditor’s Guide to
Internet Resources” 2nd Edition
About AuditNet® LLC
• AuditNet®, the global resource for auditors, is available on the
Web, iPad, iPhone, Windows and Android devices and features:
• Over 3,000 Reusable Templates, Audit Programs,
Questionnaires, and Control Matrices
• Training without Travel Webinars focusing on fraud, data
analytics, IT audit, and internal audit
• Audit guides, manuals, and books on audit basics and using
audit technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
• NASBA Approved CPE Sponsor
Introductions
The views expressed by the presenters do not necessarily represent
the views, positions, or opinions of AuditNet® LLC. These materials,
and the oral presentation accompanying them, are for educational
purposes only and do not constitute accounting or legal advice or
create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is
accurate and complete, AuditNet® makes no representations,
guarantees, or warranties as to the accuracy or completeness of the
information provided via this presentation. AuditNet® specifically
disclaims all liability for any claims or damages that may result from
the information contained in this presentation, including any
websites maintained by third parties and linked to the AuditNet®
website.
Any mention of commercial products is for information only; it does
not imply recommendation or endorsement by AuditNet® LLC
About Richard Cascarino, MBA,
CIA, CISM, CFE, CRMA
• Principal of Richard Cascarino &
Associates based in Colorado USA
• Over 28 years experience in IT audit
training and consultancy
• Past President of the Institute of
Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified
Fraud Examiners
• Author of Data Analytics for Internal
Auditors
Today’s Agenda
Data analysis and Continuous Monitoring
Monitoring Tools
Implementing continuous monitoring
Potential benefits
Continuous Auditing
Implementing continuous auditing
Structuring the implementation
Perceived downside
Obtaining and maintaining support
Financial Analysis
Analyzing Financial Data
Use of ratios
Horizontal and vertical analysis
Subsidiary ledgers
Financial database analysis
Continuous Transaction
Monitoring
Continuous monitoring defined
CM initiation and planning
Controlled monitoring selection
CM testing
CM Monitoring
First, Some Definitions …
Monitoring: Method and processes to ensure that crucial policies/processes/internal controls are adequate and are operating effectively
Used by operational/financial management
Internal Audit independently evaluates the adequacy of management activities.
Auditing: The process by which the Internal Audit team independently confirms that the internal controls are working as intended.
Assurance: The confidence that results, due to management’s daily oversight on all internal controls and risks, that sets the stage for achievement of the organization’s mission and goals.
Why Continuous Monitoring?
Advances in technology and increased business dynamics enable
businesses to change ever more rapidly.
Traditional audits and controls are no longer adequate
Key drivers
Past few years’ events (9/11, malfeasance crisis, complex and creative business
models)
Subsequent regulations (HIPAA, SOX, Patriot Act, Basel II, MiFID, etc.)
Business needs, competitive development of controls to be matched
Benefits
Immediate notification to management of problems, timely correction
Fraud reduction and improved risk management
Extensibility across multiple IT systems
Independence from operative management
Why Continuous Monitoring?
Growth through acquisitions: wide variety of disparate IT systems
Data consolidation became a major challenge; multi-terabytes of
historical and real time data such as transaction logs, document files,
spreadsheets and financial reports stored on databases.
Security administrators were finding it impossible to monitor these
vast reservoirs of data in order to detect suspect usage patterns and
identify possible fraud before it was too late.
Non-intrusive solution needed to coexist with other IT systems
Independence from other processes to ensure impartial oversight
‘Events of interest’ are hidden across several system logs and
multiple log entries
Identification of suspicious behavior requires establishing profiles and
patterns (e.g. multiple accounts of the same person)
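The normalization and profiling problem described on this slide, as an added Python example that is not part of the original presentation. The three systems, their log formats, the sample records and the identity-matching rule (fold case and punctuation in the user ID) are constructed assumptions.

```python
import csv
import io
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample logs from three hypothetical systems, one format each.
ERP_CSV = """ts,user,action,account
2019-03-01 09:15:00,jdoe,OPEN_ACCOUNT,ACC-1001
2019-03-01 09:40:00,asmith,OPEN_ACCOUNT,ACC-1002
"""
CORE_KV = """time=1551434400 uid=J.Doe event=open_account acct=ACC-2001
time=1551438000 uid=bwong event=transfer acct=ACC-2002
"""
PORTAL_JSON = """{"when": "2019-03-01T11:05:00Z", "who": "JDOE ", "what": "OpenAccount", "id": "ACC-3001"}
"""

def _key(text):
    """Fold case and punctuation so 'J.Doe' and 'JDOE ' compare equal (assumed rule)."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def _event(system, ts, user, action, account):
    return {"system": system, "ts": ts, "user": _key(user),
            "action": _key(action), "account": account}

def parse_erp(text):        # CSV, naive timestamps assumed to be UTC
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        yield _event("erp", ts, row["user"], row["action"], row["account"])

def parse_core(text):       # key=value pairs, epoch seconds
    for line in filter(str.strip, text.splitlines()):
        kv = dict(pair.split("=", 1) for pair in line.split())
        ts = datetime.fromtimestamp(int(kv["time"]), tz=timezone.utc)
        yield _event("core", ts, kv["uid"], kv["event"], kv["acct"])

def parse_portal(text):     # JSON lines, ISO 8601 with a trailing Z
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["when"].replace("Z", "+00:00"))
        yield _event("portal", ts, rec["who"], rec["what"], rec["id"])

def normalize_all():
    """Merge all three sources into one schema, ordered by time."""
    events = [*parse_erp(ERP_CSV), *parse_core(CORE_KV), *parse_portal(PORTAL_JSON)]
    return sorted(events, key=lambda e: e["ts"])

def multi_account_persons(events, min_systems=2):
    """Profile: one person opening accounts in several systems."""
    systems, accounts = defaultdict(set), defaultdict(set)
    for e in events:
        if e["action"] == "openaccount":
            systems[e["user"]].add(e["system"])
            accounts[e["user"]].add(e["account"])
    return {u: sorted(accounts[u]) for u in systems if len(systems[u]) >= min_systems}

if __name__ == "__main__":
    events = normalize_all()
    for e in events:
        print(e["ts"].isoformat(), e["system"], e["user"], e["action"], e["account"])
    print(multi_account_persons(events))
```

No single log shows the pattern; it only appears once user IDs, action names and timestamps share one schema.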
Required of Continuous
Monitoring
Able to access and normalize disparate data from across the
enterprise
Offer comprehensive range of tests to effectively address
control objectives
Provide flexibility of tests as control opportunities change
Provide timely testing of data and reporting of results
Handle large transactional volumes with no negative impact
on operational system performance
Provide variable parameters for tests
Provide for alert notifications
Maintain security and integrity of tests and results
A Dramatic Change in the
Audit model
1. The continuous assurance model has many clients
2. The continuous assurance model has different independence considerations
3. The continuous assurance model has a different justification
4. The continuous assurance model is an element of the strategic monitoring
5. The continuous assurance model will turn the audit process into audit by exception
6. A new set of analytics guides strategic monitoring
7. The continuous assurance model covers a wider set of quantitative and qualitative non-financial data
8. The continuous assurance model has alternative materiality considerations
9. The continuous assurance opinion has some futurity implied in it
Deficiencies of Traditional
Approach
Retrospective view
analysis frequently occurs long after transaction
has taken place, too late for action
Lack of timely visibility into control risks and
deficiencies
Alternatively
Independently test all transactions for
compliance with controls at, or soon after, point at
which they occur
Analytic Monitoring
Transaction Monitoring | Rule verification | Estimate verification | Judgment assurance
Rule based evaluation | Rule heuristics | Upstream / downstream verification | Exogenous data
Continuity reconciliations | Continuity Equations | Continuity Equations | Continuity Equations
Transparent markers | Structural Knowledge | Value chain relationships | Expert Systems
Confirmatory extranets | Time-series / Cross-sectional analysis | Time-series / Cross-sectional analysis | Time-series / Cross-sectional analysis
Four levels of CA
Auditor
Process 1 Process 2 Process 3 Process 4
Process 5 Process 6
MC Layer
Transaction monitoring
Object and info. flows
Rules of measurement interpretation
Formal spec
evaluation at all
points
Audit of judgments and facts
Transaction assurance
Rule assurance
Estimate assurance
Judgment assurance
Using Scripts for Continuous
Auditing
Continuous control assessment
Identification of control deficiencies
Identification of fraud, waste, abuse
Continuous risk assessment
Examination of consistency of processes
Development of enterprise audit plan
Support to individual audits
Follow-up on audit recommendations
Fraud Prevention &
Compliance
Key Drivers
Laws and Regulations
Direct P&L impact to prevent losses from fraud
Indirect P&L impact – business reputation, client
retention and acquisition
Continuous Monitoring Requirements
To detect fraudulent, unauthorized or money
laundering activities, operational systems need to be
monitored on an ongoing basis
All systems produce activity/transaction logs, but
differing formats
Centralized Monitoring Dashboard gives clear view
across all business transaction and IT systems
Evolution of Continuous
Monitoring
Manual Processing - Full User Intervention
Required (Retrospective Testing and Sampling)
Individual Macros - Some User
Intervention Required (Periodic
Testing of Selected Areas)
Menu Based Applications
- Limited User
Intervention Required
(Regular Testing Of
Identified Risk Areas)
Automated Testing /
Continuous Monitoring –
No User Intervention Required
(Frequent Testing for Leading
Indicators of Problems)
Most Organizations
Most groups
are stuck
here.
Obstacles to Continuous
Monitoring
1. Obtaining the data easily on a systematic basis
2. Standardizing the analysis process by identifying
key risk areas and leading indicators
3. Identifying a “champion” to spearhead creation of
custom analysis routines and allocating time to
complete the work
4. Avoiding the use of multiple applications to
produce the desired output
5. Moving to proactive monitoring from historic focus
on periodic retrospective testing
Caseware Monitor 5
Continuous controls monitoring solution
Pre-built solutions for industries that readily
monitor key controls
Auto-generate or custom build dashboards,
visualizations and reports
Captures KPIs such as root cause, money
saved and regulatory impact
Triggers an alert sent to users via email,
SMS or as notifications in apps
ACL Continuous Monitoring
Solution
http://www.acl.com/solutions/continuous_monitoring.aspx
flexible and independent control review
mechanisms
management can review the exposures of
business risk
receive timely notification of control breaches
obtain summary reports
Infor Approva
http://www.infor.com/product-summary/fms/approva-continuous-monitoring/
continuous control monitoring software
management can execute repeatable processes
can handle transaction monitoring across
applications and platforms
can automate testing, track the results and
enables investigation
Infogix Enterprise Data
Analysis Platform
http://www.infogix.com/products/
family of software modules
enabling the organization to automatically validate
operational and financial information utilizing
standardized user-defined business rules
rule-based exception research, resolution and reporting
information from disparate reporting systems can be
centralized and personalized for individual
management requirements
Oversight Systems
http://www.oversightsystems.com/solutions
continuous transaction monitoring software
acts as a virtual analyst aimed at the detection of
operational variance
statistical, behavioral, Boolean, and time-based
analytical capabilities
Relationship of Continuous Auditing/Monitoring/Assurance
Role of continuous auditing dependent on management’s role in continuous monitoring of controls
Inverse relationship: the greater the role of management, the less of a direct role of Internal Audit.
True continuous assurance depends on effective monitoring by management of internal controls and Audit’s independent assessment of that function.
Summary of the Differences
Continuous Auditing
Owned and performed by Internal Audit
Primarily detective in nature (may also be corrective)
Internal Audit is responsible for evaluating continuous monitoring activities
Continuous Monitoring
Owned and performed by management
Can be preventative, detective, and/or corrective in nature
Qualifies as an internal control
Continuous Auditing
Required of auditors:
Ability to implement and understand IT
at an in depth level
Accumulate sufficient evidence to
communicate current status of risk-
control objectives
What is Continuous
Auditing?
Continuous auditing is a type of auditing
which produces audit results simultaneously
with, or a short period of time after, the
occurrence of relevant events.
It would be more accurate to call this type of
auditing instant rather than continuous.
Instant is not necessarily frequent.
Without Continuous
Monitoring
Management must:
Maintain an activity audit trail
Enforce access-control standards
Ban standardized administrator passwords
Enforce change management
Facilitate independent inspection of
infrastructure-management records
Auditors’ knowledge must stay current
The Auditing Process
• Traditional
• Engagement definition
• Audit planning
• Internal control
evaluation
• Substantive testing
• Opinion formulation
• Reporting
• Continuous
• MC architecture
• Analytic monitoring
structuring
• Discrepancy based audit
monitoring
• Continuous model
building and gathering
• Alarming and informing
• Discrepancy analysis
• Multilevel opinions
Continuous Auditing
Analytical Procedures in CA
Analytical procedures are used in the planning, substantive
testing, and reviewing stages of an audit. We focus on
substantive testing.
In conventional auditing, first apply analytical procedures to
identify potential problems. Then focus detailed transaction
testing on the identified problem areas.
In CDA the sequence is reversed:
Apply automated general transaction tests to all the transactions and
filter out identified exceptions for resolution.
Apply automated analytical procedures to the filtered transaction
stream to identify unforeseen problems.
Alert humans to investigate anomalies.
Anomalies in Auditing
False positive error (false alarm, Type I error): A non-
anomaly mistakenly detected by the model as an anomaly.
Decreases efficiency.
False negative error (Type II error): An anomaly failed to
be detected by the model. Decreases effectiveness.
Detection rate is used for clarity of presentation: the
rate of successful detection of seeded errors.
A good analytical model is expected to have good anomaly
detection capability: low false negative error rate (i.e. high
detection rate) and low false positive error rate.
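The reversed sequence from the "Analytical Procedures in CA" slide (rule tests on every transaction, then an analytical procedure on the filtered stream), scored with the seeded-error detection rate and false positive rate defined on this slide. This is an added Python example, not part of the original presentation; the payment stream, the approval limit, the seeded errors and the median/MAD test are constructed assumptions.

```python
import random
import statistics

APPROVAL_LIMIT = 10_000  # assumed control: payments above this need an approver

def make_transactions(n=500, seed=7):
    """Constructed payment stream; 'seeded' labels are used only for scoring."""
    rng = random.Random(seed)
    txns = [{"id": i, "amount": round(rng.gauss(2_000, 300), 2),
             "approver": "mgr", "seeded": None} for i in range(n)]
    for i in (10, 110, 210):        # seeded rule violations
        txns[i].update(amount=15_000.0, approver=None, seeded="rule")
    for i in (50, 150, 250, 350):   # seeded anomalies that pass every rule
        txns[i].update(amount=6_500.0, seeded="anomaly")
    return txns

def rule_tests(txns):
    """Stage 1: test every transaction, split exceptions from the clean stream."""
    exceptions, passed = [], []
    for t in txns:
        broken = t["amount"] <= 0 or (t["amount"] > APPROVAL_LIMIT and not t["approver"])
        (exceptions if broken else passed).append(t)
    return exceptions, passed

def analytic_tests(txns, threshold=3.5):
    """Stage 2: robust z-score (median/MAD) over the filtered stream."""
    amounts = [t["amount"] for t in txns]
    med = statistics.median(amounts)
    mad = statistics.median(abs(a - med) for a in amounts)
    if mad == 0:                    # degenerate stream: nothing to compare against
        return []
    return [t for t in txns if 0.6745 * abs(t["amount"] - med) / mad > threshold]

def run_pipeline(threshold=3.5):
    """Run both stages and score them against the seeded errors."""
    txns = make_transactions()
    exceptions, passed = rule_tests(txns)
    alarms = analytic_tests(passed, threshold)
    flagged = {t["id"] for t in exceptions + alarms}
    seeded = {t["id"] for t in txns if t["seeded"]}
    clean = len(txns) - len(seeded)
    return {
        "rule_exceptions": len(exceptions),
        "alarms": len(alarms),
        "detection_rate": len(flagged & seeded) / len(seeded),
        "false_positive_rate": len(flagged - seeded) / clean,
    }

if __name__ == "__main__":
    for threshold in (3.5, 1.0, 50.0):
        print(threshold, run_pipeline(threshold))
```

Lowering the threshold keeps the detection rate but floods reviewers with false alarms; raising it too far silences the alarms and misses every seeded anomaly that the rules do not catch.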
6 Steps of Implementation
1. Priority Areas
2. Rule
3. Frequency
4. Parameterization
5. Follow-up
6. Action and Reaction
Figure label: Audit Control Panel
Perceived Downside to CA
Audit access to live data
Availability of appropriate audit tools
Untrained or unqualified auditors
The perception that continuous auditing is a
technical area
Obtaining and Maintaining
Support for CA
Some support has come from the Public
Company Accounting Oversight Board
(PCAOB)
Roles assignment to appropriate individuals
is fundamental to success
Technical specialists to deal with the issues of
data access or designing a complex analytic
Non-technical auditor for the business design of
the tests regarding specific audit and control
objectives
Obtaining and Maintaining
Support for CA
Critical area for gaining acceptance of the
whole concept is the manner in which false
positives are dealt with
(common during the start-up phase of continuous
auditing)
reporting can be tailored to summarize values
without specifically addressing individual minor
anomalies
Benefits may be in Terms of
Reduction of risk
Improvements in corporate reputation
Improved customer satisfaction
Improved profitability
Reduction in the likelihood of fraud
occurrences
Financial Statements
Balance Sheet
Income Statement
Managers and Analysts Use Financial Statements to Conduct:
- Cash Flow Analysis
- Performance (Ratio) Analysis
Four Key Financial
Statements
1. Balance sheet
2. Income statement
3. Statement of retained earnings
4. Statement of cash flows
Implications of Finance
ELEMENTS OF BUSINESS UNIT STRATEGY
[Figure: grid with the value chain stages R&D, Purchasing, Production and Sales as columns and the rows "Where to compete", "When to compete" and "How to compete"; additional label "Actions"]
Source: Adapted from Kevin P. Coyne et al. (2000), Gaining advantage over competitors, McKinsey Quarterly
Inter-relationships
BUSINESS UNIT STRATEGY
Where to compete | How to compete | When to compete
[Figure labels: geographic markets, customers, channels, products, supply chain stages, value proposition, sustainable competitive advantage, relationship with other suppliers, relationship with shareholders]
Source: Adapted from Kevin P. Coyne et al. (2000), Gaining advantage over competitors, McKinsey Quarterly
Key Performance Indicators
Return on assets (ROA): General
assessment of profitability (all capital
providers point of view)
ROA assesses net profitability of operating
activities per dollar of average investment,
which is a measure of how profitable a
company is regardless of how the
company’s assets are financed.
Calculated by
$$\mathrm{ROA} = \frac{\text{Net income} + \text{Interest expense, net of income taxes}}{\text{Average total assets}}$$
$$\mathrm{ROA} = \frac{\text{Net income} + \text{Interest expense} \times (1 - t)}{\text{Average total assets}}$$
where “t” = effective (or statutory) tax rate
Ratios Used to Assess
Profitability
Return on Common Equity (ROCE):
Assessment of profitability from the viewpoint of
common stockholders
ROCE assesses net profitability, after preferred
dividends, per dollar of common stockholders’
investment
Earnings Per Share (EPS)
Reflects net income, after preferred dividends,
available to an average common share of stock
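Thus
$$\mathrm{ROCE} = \mathrm{ROA} \times \text{Common Earnings Leverage Ratio} \times \text{Capital Structure Leverage Ratio}$$
$$\mathrm{ROCE} = \frac{\text{Net income} + [\text{interest expense} \times (1 - t)]}{\text{Average total assets}} \times \frac{\text{Net income} - \text{preferred stock dividends}}{\text{Net income} + [\text{interest expense} \times (1 - t)]} \times \frac{\text{Average total assets}}{\text{Average common stockholders' equity}}$$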
And
ROA subcomponents: Net profit margin
ratio and asset turnover ratio.
The net profit margin ratio measures the
prefinancing income per dollar of sales.
$$\text{Net profit margin ratio} = \frac{\text{Net income} + [\text{interest expense} \times (1 - t)]}{\text{Sales}}$$
Ratios Used to Assess
Profitability
EBIT
Earnings before Interest and Tax
EBITA
Earnings before Interest, Tax and Amortization of Goodwill
ROI
Return on Investment
MVA
MVA = Market Value of the Firm - Book Value of the Firm
Market Value = (# shares of stock) (price per share) + Value of
debt
Book Value = Total common equity + Value of debt
If the market value of debt is close to the book value of debt, then
MVA is:
MVA = Market value of equity – book value of equity
Funds Analysis, Cash-Flow
Analysis, and Financial Planning
Flow of Funds (Sources and Uses)
Statement
Accounting Statement of Cash Flows
Cash-Flow Forecasting
Range of Cash-Flow Estimates
Forecasting Financial Statements
Types Of Financial Ratios
Liquidity Ratios: Current Ratio, Quick Ratio
Activity Ratios: Turnover Ratios, Collection/Payment Period
Debt Ratios: Debt-to-Equity Ratio, Times Interest Earned Ratio
Profitability Ratios: Gross Margin, EPS
Market Ratios: P/E Ratio, Market-to-Book Ratio
Liquidity Ratios
$$\text{Current ratio} = \frac{\text{current assets}}{\text{current liabilities}}$$
$$\text{Quick ratio} = \frac{\text{current assets} - \text{inventory}}{\text{current liabilities}}$$
Financial Ratios For Cross-
Sectional and Trend Analysis
Cross-Sectional Analysis: Comparing
Different Firms’ Financial Ratios at the
Same Point in Time
Compared to firms in same industry
Benchmarking - compares a company’s ratio
values to those of competitors that company
wishes to emulate
Trend Analysis - Performance Evaluation
Over Time
Developing trends can be seen using multiyear
comparison
Financial Statements and
Financial Ratios
Balance Sheet
Income Statement
Liquidity Ratios
Activity Ratios
Debt Ratios
Profitability Ratios
Market Ratios
Strategies for Future
Shift to proactive monitoring
Automate any tests that can be run without user
intervention
Start with the weekly file maintenance tests
Using information from existing audit tests, identify
additional leading indicators of potential problems
Create/adapt tests to search for these events on a more frequent
basis
Use the results from the automated tests in the risk
assessment process to help determine the focus of on-
going audit activities.
Questions?
Any Questions?
Don’t be Shy!
AuditNet® and cRisk Academy
If you would like
forever access to this
webinar recording
If you are watching
the recording, and
would like to obtain
CPE credit for this
webinar
Previous AuditNet®
webinars are also
available on-demand
for CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF
for a discount on this
webinar for one week
Thank You!
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email:info@auditnet.org
www.auditnet.org
Follow Me on Twitter for Special Offers - @auditnet
Join my LinkedIn Group –
https://www.linkedin.com/groups/44252/
Like my Facebook business page
https://www.facebook.com/pg/AuditNetLLC
Richard Cascarino & Associates
Cell: +1 970 819 7963
Tel +1 303 747 6087 (Skype Worldwide)
Tel: +1 970 367 5429
eMail: rcasc@rcascarino.com
Web: http://www.rcascarino.com
Skype: Richard.Cascarino