The Future of Auditing and Fraud Detection – Re-imagining the art and science of auditing and fraud detection is coming to the forefront of risk management functions. What was seen as a “nice to have” a few years ago has become a “must have” as digital transformation and data surrounds all aspects of the organization.
Specific learning objectives include:
o See how analytics can maximize the annual audit plan and better ensure focus is placed on top organizational risks.
o Establish a framework to using analytics and automation across the entire audit lifecycle.
o Use the general ledger as a case study to provide a digital road map for analytics for detecting fraud (and errors) within the organization.
o Define the top company areas for data integration from structured, unstructured and external data sources.
o Highlight culturally what audit and fraud detection functions must do to embrace continuous embedded analytic reviews.
Statistics notes ,it includes mean to index numbers
Future audit analytics
1. Future of Auditing
and Fraud Detection
Slide 0
About Jim Kaplan, CIA, CFE
President and Founder of AuditNet®,
the global resource for auditors
(available on iOS, Android and
Windows devices)
Auditor, Web Site Guru,
Internet for Auditors Pioneer
IIA Bradford Cadmus Memorial
Award Recipient
Local Government Auditor’s Lifetime
Award
Author of “The Auditor’s Guide to
Internet Resources” 2nd Edition
1
2. About AuditNet® LLC
• AuditNet®, the global resource for auditors, serves the global audit
community as the primary resource for Web-based auditing content. As the first online
audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the
use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and
features:
• Over 2,900 Reusable Templates, Audit Programs, Questionnaires, and
Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit
with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit
technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
2
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners.
Unauthorized usage or recording of this webinar or any of its material is strictly forbidden.
If you logged in with another individual’s confirmation email you will not receive CPE as the
confirmation login is linked to a specific individual
This Webinar is not eligible for viewing in a group setting. You must be logged in with your
unique join link.
We are recording the webinar and you will be provided access to that recording after the
webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
If you have indicated you would like CPE you must attend the entire Webinar to receive CPE
(no partial CPE will be awarded).
If you meet the criteria for earning CPE you will receive a link via email to download your
certificate. The official email for CPE will be issued via NoReply@gensend.io and it is
important to white list this address. It is from this email that your CPE credit will be sent.
There is a processing fee to have your CPE credit regenerated post event.
Submit questions via the chat box on your screen and we will answer them either during or at
the conclusion.
You must answer the survey questions after the Webinar or before downloading your
certificate.
3
3. IMPORTANT INFORMATION
REGARDING CPE!
SUBSCRIBERS/SITE LICENSE USERS - If you attend the entire Webinar you will receive
an email with the link to download your CPE certificate. The official email for CPE will be
issued via NoReply@gensend.io and it is important to white list this address. It is from
this email that your CPE credit will be sent. There is a processing fee to have your CPE
credit regenerated post event.
NON-SUBSCRIBERS/NON-SITE LICENSE USERS - If you attend the entire Webinar and
requested CPE you must pay a fee to receive your CPE. No exceptions!
We cannot manually generate a CPE certificate as these are handled by our 3rd party
provider. We highly recommend that you work with your IT department to identify and
correct any email delivery issues prior to attending the Webinar. Issues would include
blocks or spam filters in your email system or a firewall that will redirect or not allow
delivery of this email from Gensend.io
Anyone may register, attend and view the Webinar without fees if they opted out of
receiving CPE.
We are not responsible for any connection, audio or other computer related issues. You
must have pop-ups enabled on you computer otherwise you will not be able to answer the
polling questions which occur approximately every 20 minutes. We suggest that if you
have any pressing issues to see to that you do so immediately after a polling question.
4
The views expressed by the presenters do not necessarily represent the views,
positions, or opinions of AuditNet® LLC. These materials, and the oral
presentation accompanying them, are for educational purposes only and do not
constitute accounting or legal advice or create an accountant-client relationship.
While AuditNet® makes every effort to ensure information is accurate and
complete, AuditNet® makes no representations, guarantees, or warranties as to
the accuracy or completeness of the information provided via this presentation.
AuditNet® specifically disclaims all liability for any claims or damages that may
result from the information contained in this presentation, including any websites
maintained by third parties and linked to the AuditNet® website.
Any mention of commercial products is for information only; it does not imply
recommendation or endorsement by AuditNet® LLC
5
4. AuditNet® and cRisk Academy
If you would like forever access
to this webinar recording
If you are watching the
recording, and would like to
obtain CPE credit for this
webinar
Previous AuditNet® webinars
are also available on-demand for
CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a
discount on this webinar for one week
6
Richard B. Lanza, CPA, CFE, CGMA
• Managing Director in Innovation for Grant Thornton, LLP
• Over 25 years of ACL, Excel and other software usage
• Received the outstanding achievement in business award by the
Association of Certified Fraud Examiners for developing the publication
Proactively Detecting Fraud Using Computer Audit Reports as a
research project for the IIA
• Recently was a contributing author of:
• Detecting Corruption with Analytics: A Roadmap – The
International Institute for Analytics
• Global Technology Audit Guide (GTAG #13) Fraud In An
Automated World – Institute Of Internal Auditors.
• Cost Recovery – Turning Your Accounts Payable Department
Into A Profit Center – Wiley And Sons.
• Data Analytics: A Roadmap for Expanding Capabilities
(published 2018 in partnership with the IIA's Internal Audit
Foundation)
• In 2015, discovered a new textual analytic technique using letters
called the Lanza Approach to Letter Analytics (LALA)TM
7
The views expressed by the
presenters do not necessarily
represent the views, positions, or
opinions of Grant Thornton, LLP.
These materials, and the oral
presentation accompanyingthem,
are for educational purposes only
and do not constitute accounting
or legal advice or create an
accountant-client relationship.
rich.lanza@us.gt.com
5. Take My Manual Audit, circa 1998
Make data analytics a priority on every audit
Data exists for every process
Try to use analytics in every audit and explain if you do not
Replace manual tests with automated ones
You need to replace to provide the time for analytics
Do one less audit and spend the time “thinking” this year
Focus on I T testing – user and segregation of duties testing
8
Today’s Agenda
See how analytics can maximize the annual audit plan and
better ensure focus is placed on top organizational risks.
Establish a framework to using analytics and automation
across the entire audit lifecycle.
Use the general ledger as a case study to provide a digital
road map for analytics for detecting fraud (and errors) within
the organization.
Define the top company areas for data integration from
structured, unstructured and external data sources.
Highlight culturally what audit and fraud detection functions
must do to embrace continuous embedded analytic reviews.
9
6. Is the Future of Auditing Simply Analytics?
10
Our perspective on the technology landscape
Source: Adapted from Forrester – Create A Road Map For A Real-Time, Agile, Self-Service Data Platform (Nov. 2017); Grant Thornton Analysis
11
So Much Time, / So Little Technology
Scratch That and Reverse It!
7. Don’t be afraid…..It is just a
C.A.A.T.
12
Monitoring & Controls Lead the Way
to Reducing Fraud
13
Source: 2018 ACFE Report to the Nation
8. An Easier Way to
Categorize Future Technologies
14
Innovation
Blockchain
Robotic Process
Automation
Data Analytics
Artificial
Intelligence
Re-imagine the Audit
15
Redesign audit
processes using
today's technology
rather than using
information
technology to
computerize legacy
audit plans and
procedures
Step
Leveraging
innovation to
perform more
effective audits and
provide new forms
of audit evidence
Step
Automate
whatever is a
consistent process
Step
More continuous
assurance and
more timely and
relevant audit
reporting
Step
9. A Shift in Internal Audit's Value
16
Projects of the past Projects of NOW and NEXT
Compliance Auditor Trusted Partner and Value Driver
Operator Human: manually complete checklist Machine with human: data and analysis driven
Scope Sample: thoroughly evaluate small portions of data Entire population of data: thoroughly analyze all data
Focus Compliance using historical data Risk-based assurance using trends and predictions
Time & value Slow & stagnant Fast, efficient & insightful
Advisory role None Drive value through focus on business outcomes and
improvements
Orientation Reactive: quarterly cadence Proactive: persistent data monitoring
Technology Limited reliance Heavy reliance
Outcome Pass / Fail Risk based actionable recommendations
Client Sentiment Check the box: “Get them out of here” Eager and excited: “Stay and help us mature this function”;
"What else can we do within IA?"
Perception:
Don't Forget the People
Data holds insight, but it is people—not data—who ensure that
analytics generates value for the company.
Advances in technology are raising expectations for leadership,
creating new needs, and transforming the way we do business.
Analytics is becoming a central focus of leadership agendas because
of its potential to improve profitability, mitigate risk, and ensure a
sustainable organization.
17
10. Desired Tech-Enabled Skills
• Passionate about technology
• Ability to reimagine the audit
• Analytic technical skills
• Data management and acquisition
• Database modeling
• Tool development and programming
• Predictive modeling and statistics
• Other Skills
• IT project management
• Selling new innovation / Change management
• Communicating a story based on the numbers 18
Where Can We Increase Analytic Usage?
19
11. Analytic Benefit in Sum:
Doing More With Less
20
2015 AuditNet® Audit Data Analysis Software Survey
Internal auditors are becoming game changers
Internal audit analytics helps internal audit departments:
Shift the perception of internal audit's value
Improve their business value and analytic maturity
Strengthen the three lines of defense
Provide insights to identify, monitor, control and mitigate risks
Create opportunities for automation and continuous auditing
21
Benefits of Internal Audit Analytics
The value to your organization
In their own words, the benefits
of internal audit analytics:
12. Types of Data Analytics
Type Audit example
Descriptive Analysis of accounts payable identifies all disbursements processed on
Saturdays for over $1,000
Diagnostic Analysis of accounts payable identifies John Smith from Dallas as the
only accounts payable manager who approved each Saturdays
disbursement over $1,000
Predictive Analysis of accounts payable expects all Saturday disbursements over
$1,000 to be approved by John Smith
Prescriptive Analysis that builds and tests scenarios around different policies to
determine what course of action would lead to a drop in the number of
disbursements over $1,000 processed on Saturday
22
Data analytics defined – AICPA
"The science and art of discovering and analyzing
patterns, identifying anomalies, and extracting
other useful information in data underlying or related
to the subject matter of an audit through analysis,
modeling, and visualization for the purpose of
planning or performing the audit".
23
13. Exploratory vs. Confirmatory
24
Exploratory analytics Confirmatory analytics
Bottom-up and inductive Top-down and deductive
What does the data suggest is happening? Is the subject matter consistent with my model
On what assertions should we focus? Are there deviations that are individually
significant or that form a pattern?
Most useful in audit planning Most useful with substantive or controls
assurance
Data Analytics Applied
25
Data analytic definition component Real-life application
Audit planning Refined risk assessment
Extracting useful information Data management application
Modeling and visualizations Statistical dashboards, techniques and analytics
Discovering, identifying and analyzing
patterns and anomalies
The continuous monitoring and investigating of
transactions
Audit execution Performing substantive procedures and testing the
operating effectiveness of controls
14. Testing the Operating
Effectiveness of Controls
26
Type of test Data analytic approach
Inquiry Leveraging statistical analysis and models present significant materials for client
discussions (i.e. insights to the client)
Observation Real time monitoring of a business process (i.e. lapses in the execution of the control
can be immediately reported)
Inspection The continuous utilization of mining event logs to test 100% of the data (i.e. identifying
payments made without approval)
Reperformance The continuous reperformance and testing on a 100 percent basis (i.e. account
reconciliations)
27
Audit
procedures
Data Analytic approach
Inspection Utilizing the process of mining event logs to inspect and corroborate the
accuracy of information
Observation Real time monitoring of a business process
Inquiry Leveraging statistical analysis and models present significant materials
for client discussions (i.e. insights to the client)
Confirmation Obtaining a information from a third party to test a specific condition
Analytics to Obtain Audit Evidence
15. 28
Audit procedures Data Analytic approach
Recalculation Using robotic process automation to check the mathematical
accuracy of documents and records
Reperformance The continuous reperformance and testing on a 100 percent basis
(i.e. account reconciliations)
Analytical
procedures
Focused and precise analytics utilized during the planning,
substantive and concluding phases of the audit that analyze the
plausibility and predictability of a given relationship and identify
differences that could give rise to a potential misstatement (i.e.
regression, volatility)
Analytics to Obtain Audit Evidence
Analytic Toolkit Case Studies
29
16. A Sampling of Toolkits
30
ACCOUNTS PAYABLE
Performs control
analysis, proactive
fraud testing and cost
recovery detection
for the procure to pay
process.
75 SCRIPTS
GENERAL LEDGER
Gain financial
insights across the
organization, and
focus efforts on
holistic view of the
company.
60 SCRIPTS
REVENUE
Performs control
analysis, proactive
fraud testing and cost
recovery detection
for the order to cash
process.
50 SCRIPTS
TRAVEL & EXPENSE
Analyze travel and
expense data to
identify inappropriate
or suspicious
employee expenses,
and manage T&E
efforts.
20 SCRIPTS
P-CARD
Identify risky P-Card
transactions and
usage behaviors.
30 SCRIPTS
Risk-rank vendors by elements of risk that
may result in a FCPA violation…
. . . understand the riskiness of specific vendors
using individual test results
…and use predictive analytics to predict
transactions costs by vendor
Third Party Vendor Risk Analytics
31
18. Vendor Risk Ranking
34
Two vendors in the top 5 scored vendors with over
$10K
Journal Entry Stratification
In this case, 15 of the 65
largest journal entries
make up 94% of the net
income effect
Millions of journal entries
can be compressed into a
single view.
Each of these items can
be further explored by
location, segment, and
entry process/employee.
35
19. Compressing the G/L Sequences
36
EXAMPLE DATA:
1,000 Journal Entries of:
• Debit: A/R
• Credit: Revenue
The account combination is then summarized into 1 unique account sequence:
Sequence Occurrences DR CR
ACCSEQ_1 1,000 A/R Revenue
The First and Last Letters
Tell the Story
• It deosn't mttaer in waht oredr the ltteers in a wrod
are, the olny iprmoetnt tihng is taht the frist and lsat
ltteer be at the rghit pclae.
37
20. Letter Analysis
38
Unstructured Text and Letter Analytics
“The Benford’s Law of Words”
39
• Same words tend to occur year over
year
• Changes may indicate some change
in the client that could affect risk
assessment
21. Trending Revenue
Store sales were expected to decrease year over year
One store closed
One store had 2.3% increase overall (but that tells only
part of the story)
40
My Top Audit Savings Ever
http://bit.ly/2Fb5oOd
Over $100MM identified, $40MM recovered
Led to people, process and technology improvements
It focused on turning the “F” word into the “R” word
Was based on a simple aging report
Positive values were aged separate of negative values
41
23. Wind Damage Claims
44
Artificial Text Intelligence
45
Visualize
context
Identify key
phrase
Compare
provisions
to baseline
Score
similarity
Compile document
library
Read
documents
Text Analytics Tool:
Capture
subsequent
human review
for future
machine
learning
application
24. Working On Robot Time
46
What is Ripe for Automation?
47
https://youtu.be/o-MlJI48XX4
25. Process Characteristics for RPA
48
Robotics Process Automation
49
RPA is the use of software to mimic the actions a human user would perform on a PC at scale
to automate processes that are repetitive, rule-based and use structured data inputs.
Applicatio
n
Database
System
3270
Utility
SAP
Web
Tools
Softwar
e
26. Overcoming Data Challenges
Normalizing data is 80% of the time (in the beginning)
“By most accounts, 80 percent of the development effort in a big data project
goes into data integration and only 20 percent goes toward data analysis.” —
Intel Corporation
Data is in every process
It may not be ERP / It may be in your “Big Data”
90% of data is text
Audit (Internal & External) is the best partner to get the data
They are independent / Not proving the data is a scope limitation
Tend to establish the most secure data warehouses
50
Automated Data Normalization
• Store procedures for data cleanup once
• Create a normalized set of data fields named by YOU
• Ensure data quality tests are run prior to analysis
• Automate these routine tasks to increase analyst’s time
• Enrich the data by organizing it by type codes
51
27. Automating Data ETL
• All of the Company's data is captured in an SAP G/L
• Audit team had to budget almost 100 hours just on
importing and combining various report extracts
• Data analytics and innovation were introduced in the
current year audit
• Data import process was reduced from 25 hours
/quarter to only 2 hours/quarter
52
Automating IT Control Tests
53
User Access Review Controls
Grant Thornton automated user access control testing for the following attributes:
• Whether access was approved by appropriate personnel
• Whether the approval occurred within the required time frame
• If the access is set to be revoked then the account is flagged for immediate attention and an alert is sent to the control
owner.
Human Resources Roles Validation
The clients control stated that HR personnel with access to modify payroll information must also have a role assigned that
prevents modification of their own payroll information. Grant Thornton automated this test to verify that all HR personnel are
restricted from modifying their own payroll fields.
SQL Database Backup Jobs
Grant Thornton automated a test to verify that SQL jobs are in place to backup SQL databases on a regularly scheduled basis.
This automated test also included tests for the following attributes:
• The backup jobs are configured to backup the full database per the backup requirements
• The backup alerts are set to notify personnel when a backup fails or is completed successfully
• The alerts are configured to notify appropriate personnel
Removal of Inactive SAP account access
Grant Thornton automated a test for inactive SAP account access that is greater than the Company's specified threshold. Any
account that has not accessed the system within this threshold is flagged for immediate attention and an alert is sent to the
control owner for access to be removed.
28. Automating Finance Functions
54
Revenue
Cycle
Information
Technology
Procure
to Pay
Order
to Cash
Record to
Report
Supply
Chain
Insurance
Authorization
Datacenter
Customer
Master
Gen. Acct. /
Close
Vendor
Master
CRM &
Customer
Service
Network
Operations
Sourcing /
Contract
Management
Reporting
Credit /
Contract
Demand
Management
Charge
Posting
Security
Admin.
PO Process
Order
Process
External
Reporting
Materials
Management
Training &
Development
Service Desk
Goods
Receipt
Treasury
Logistics /
Delivery
Capacity
Flow
Management
Write-offs
Desktop
Support
Invoice
Process
Billing / Disp.
Res.
Tax
Transport &
Logistics
Performance
Metrics
Database
Admin.
Collections
Payment
Process
FP & A
Carrier
Management
Cash PostingApplications
Cash
ApplicationControllership T & E
Returns
Management
Denials
Management
Robotic Process Automation Limitations
55
RPA cannot read any data that is non-electronic with unstructured inputs
• An example would be input such as paper invoices. In this case, RPA will only work with a collection of other implemented
technologies (such as OCR) required to make it digital and structured.
RPA requires some form of static consistency
• For example, invoices may be received in different formats, with fields placed in different areas. For a ‘Bot’ to be able to read an
invoice, all supplier invoices must be received in the same format with the same fields.
• Although robots can be trained by exception to read different fields, they cannot read multiple different formats – unless these are
all digital and configured separately.
RPA is not a cognitive computing solution
• It cannot learn from experience and therefore has a ‘shelf life’.
• As processes evolve – for example, through the introduction and use of other technologies — they may become redundant and
require changes.
• It is therefore wise for a company to examine the process prior to building a ‘Bot’. Applied to a process that is inefficient and/or on
the way out, that shelf life may be reduced to just a year.
Applying RPA to a broken and inefficient process will not fix it
• RPA is not a Business Process Management solution and does not bring an end-to-end process view
• The same goes for out of date infrastructure – RPA will only mask the underlying issues.
• Clients should focus first on addressing the root causes of their process or technology inefficiencies and then apply RPA to
maximize the benefits.
29. Data Analytics
IIA Research Guides
Other Thought Leadership
• Internal Audit Analytic Surveys – Grant Thornton partnered with the Internal Audit Foundation >>
https://www.grantthornton.com/library/articles/advisory/2017/internal-audit-new-value-data-analytics.aspx
• White Paper – Driving Enterprise Value through Data Analytics >>
https://www.grantthornton.com/library/articles/advisory/2017/enterprise-value-through-data-analytics.aspx
• Data Analytics: A Roadmap for
Expanding Capabilities (published 2018
in partnership with the IIA's Internal Audit
Foundation)
• Data Analytics: Elevating Internal Audit's
Value (published 2016 in partnership with
the IIA's Internal Audit Foundation)
Books
Slide 56
57
http://gt-us.co/2I2EK8f
Questions?
30. AuditNet® and cRisk Academy
If you would like forever access
to this webinar recording
If you are watching the
recording, and would like to
obtain CPE credit for this
webinar
Previous AuditNet® webinars
are also available on-demand for
CPE credit
http://criskacademy.com
http://ondemand.criskacademy.com
Use coupon code: 50OFF for a
discount on this webinar for one week
58
AuditSoftwareVideos.com
Now Free (But Not for Long!)
70+ Hours of videos accessible for FREE subscriptions
Repeat video and text instruction as much as you need
Sample files, scripts, and macros in ACL™, Excel™, etc.
available for purchase
Bite-size video format (3 to 10 minutes)
>> Professionally
produced videos by
instructors with over 20
years experience in
ACL™, Excel™ , and
more
59
31. Thank You!
Jim Kaplan
AuditNet® LLC
1-800-385-1625
Email: webinars@auditnet.org
www.auditnet.org
Richard B. Lanza, CPA, CFE, CGMA
Contact Information
D: +1 732 516 5527
M: +1 732 331 3494
Email: rich.lanza@us.gt.com
60