Leveraging Audit Analytics to Drive Business Innovation
19th April, 2016
Dubai, UAE
Data and Data Analytics Setting the Context
Case in Point Success Stories
Data Analytics in Audit How Analytics can help IA bridge the expectation Gap
Here’s the Outline…
Introducing the Data Tsunami
The Information Overload
Sell
We are drowning in a sea of data…
Advertisements
Recommendations
Anything that sells…
But Data is Opportunity
How much data? How do we deal with it?
Information to Wisdom
Data Insight Decision Making Action Unlock Value
Developing a repeatable decision-making process that leverages data through logical reasoning and analytical methods to turn insights into tangible business outcomes
Increase Efficiency and Effectiveness
Increase Breadth and Depth of
Coverage
Continuous Monitoring, Real-
time Response
Discover Unknown Unknowns
Data Analytics – Sensing to Value Creation
How Analytics is helping Businesses
How Analytics is helping Businesses
How is Analytics shaping our daily Experience
A little bit of the right information at the moment of truth is worth far more than all the information in the world two weeks after the fact.
That’s what we want to do and what consumers are beginning to expect from us.
The Analytics Value Escalator
Volume • AT&T transfers 30 PB of data / day
• Google Processes 24 PB / day
Variety • From: Structured and
Transactional
• To: Organic, Semi-Structured, Time-sensitive, Social, Multi-media
Velocity • Speed and Frequency of
collection, processing and execution of action
Why is ‘Big Data’ a Big Deal
Value • Timely, Contextual and
Actionable Insights
Why is ‘Big Data’ a Big Deal
Initial
• No formal analytics approach, procedures or methodology
• Performed occasionally
• Tools are not readily available
• Limited skills and people dependent
Repeatable
• Recognized as a value-add
• Not yet institutionalized
• Relies on a core group
• Tools are available but are not applied consistently or correctly
Defined
• Enforced Analytics Policy
• Established Analytics Methodology
• Use of Analytics Championed by IA Management
• Quality of Analytics Results are evaluated
• Understanding of the business meaning of analytics procedures of results
Managed
• Methodology is Institutionalized
• Management involved in the ongoing analytics efforts
• Management understands business issues and root causes
• Re-performance of Analytics Procedures
• Advanced Tools are used
Optimized
• Practices evolved through the first four phases are used to continually improve analytics processes, procedures and results
• Continuous Control Monitoring Tools
Ad-hoc Repetitive and Reusable Optimized
Hindsight Insight Foresight
The Analytics Maturity Model
Data and Data Analytics Setting the Context
Data Analytics in Audit How Analytics can help IA bridge the expectation Gap
The crux of the matter is…
Shift in Expectations from Internal Audit
Show me the Money
Are you changing fast enough ?
Preventive Reactive Response Time
Automated Manual Approach
Strategic Tactical
Diversified Traditional
Performance Assurance
Positioning
Talent Acquisition
Role
From Conformance to Performance
Boards asking us to back-up our gut feel with hard data and facts
C-Suite wants a quantitative understanding of risks and their relative importance in real numbers
Management has greater responsibility to foresee future risks long before they manifest themselves
Data Analytics is becoming a mainstream competency for all Internal Audit Professionals
Success Criteria
Linear Growth
(Ideal Scenario)
Imp
act
/ C
ove
rage
Effort / Head Count
Manual
Skill-set Dependent
People Dependent
Linear Transformation Characteristics
Limited Coverage
Individual Heroics
Effort Intensive
Error Prone
Repetitive and scales
Linearly
Efficient and Automated
Platforms, Tools and
Library
People Independent
Non Linear Transformation Characteristics
Increased Assurance
and Confidence
Intrinsic Culture within the team
Reusable Knowledge
Base
Focus on Strategic Activities
Scales non-linearly
Linear vs. Non Linear Transformation of IA
Linear Growth
(Ideal Scenario)
Imp
act
/ C
ove
rage
Effort / Head Count
Linear Growth followed by diminishing returns
(Reality)
Manual
Skill-set Dependent
People Dependent
Linear Transformation Characteristics
Limited Coverage
Individual Heroics
Effort Intensive
Error Prone
Repetitive and scales
Linearly
Linear vs. Non Linear Transformation of IA
Linear Growth
(Ideal Scenario)
Imp
act
/ C
ove
rage
Effort / Head Count
Linear Growth followed by diminishing returns
(Reality)
Non Linear Growth (Desired State)
Manual
Skill-set Dependent
People Dependent
Linear Transformation Characteristics
Limited Coverage
Individual Heroics
Effort Intensive
Error Prone
Repetitive and scales
Linearly
Efficient and Automated
Platforms, Tools and
Library
People Independent
Non Linear Transformation Characteristics
Increased Assurance
and Confidence
Intrinsic Culture within the team
Reusable Knowledge
Base
Focus on Strategic Activities
Scales non-linearly
Linear vs. Non Linear Transformation of IA
CAAT or CAATs – Computer Assisted Audit Techniques or CATTs – Computer Assisted Audit Tools and Techniques refers to the practice of using computer, software applications, tools and techniques to automate specific elements within the audit process, bring about efficiency and increase reliability of audit results.
Utility Programs / Productivity
Software:
E.g. Spreadsheet,
Word Processing, Text
Editing, Data Browsing
Risk and Audit Management
Software:
E.g. TeamMate, Protiviti
Governance Portal
Analytics Tools:
E.g. ACL, IDEA,
TeamMate Analytics, ISS CG Solutions, ESG Analytics, Main
Data Group
Advanced Analytics and
Statistical Tools:
E.g. R, SPSS,
Statistical Sampling &
Data Modeling Tools
Reporting and
Dashboard Applications:
E.g. Tableau,
Qlikview, Crystal Reports
Data Management
Tools:
E.g. Pentaho, ETL Platforms
Technology Evolution in Internal Audit
Historical Perspective
What happened?
How many, how often, where?
Current Perspective
Where is the problem?
What actions are needed?
Why this is happening?
Future Perspective
What if these trends continue?
What will happen next?
What is the best action that can be taken to prevent / mitigate a potential risk?
Error Detection and Quantification – Targeted Analytic Applications to
detect anomalies – Business Unit Reviews, IA
Risk Dashboard, Continuous Monitoring, How are we currently
doing ? What is our current risk profile?
Early Warning Systems, Key Risk Indicators – What-If- How will this
decision affect our risk
Questions Analytics can Answer
Benefits of Data Analytics in Audit
Mitigating Budget and Resource
CONSTRAINTS
DISCOVER UNKNOWN UNKNOWNS
Reduce DEPENDENCY on
SME / Consultants
100% COVERAGE resulting in increase in breadth and depth of coverage
PROACTIVE MONITORING of risks, REAL TIME response
Once Process is setup AVAILABILITY and RELIABILITY of data is ascertained
Benefits of Data
Analytics
Increase VISIBILITY and CREDIBILITY within the organization
2016 IA Capabilities and Needs Survey
The Perceptual Map
Industry Speak: CAE Focus
Industry Speak: Knowledge Gap
Fraud Indicators and Investigations
Continuous and Proactive Alerting
The Analytics Advantage
DATA ANALYTICS
Validate Risk Models
Predict Risks and Revenue Loss
Quantification of Risks
Simulation for Independent Testing
Control Performance and Adequacy Testing
Sampling and 100% Population Coverage
Risk Assessments and Audit Focus
Test Data Creation
Procure to Pay
Travel and Expenses Inventory Management
Receivables/ Cash & Collection, Capex
Treasury Management Process and EFT Security
User Access Management
Journal Entry Testing (General Accounting
Testing)
Customer Care
Customer Lifecycle Management
Sales (Direct and Indirect)
Finance Supply Chain Network and IT Customer / Sales
Segregation of Duties
Vulnerability and Access Control
Application: Continuous Audit Analytics
NOTE: The above is only an indicative list and is not meant to be exhaustive.
Say on Pay
Equity Dilution Computations
Shareholder Voting Analytics
Pay for Performance Analytics
Anomaly Detection and Root Cause Investigation
Trends and Exploratory Analysis
Corporate Governance Rewards Benchmarking Peer Group Comparison Financial Reporting
Peer Group Benchmarking
NOTE: The above is only an indicative list and is not meant to be exhaustive.
Clawback Provisions Analysis
Wealth Accumulation Pay Mix
Retirement Plan Data Analysis
Incentive Pay Analytics
Executive Compensation Analytics
Board Member Pay Analysis
Application: Governance Analytics
SOX
Solvency II
Basel III
Stress Testing
Data Privacy Breaches
Ethical Hacking
Compliance Risk Modeling Fraud Risks Information Security
Insurance Fraud
NOTE: The above is only an indicative list and is not meant to be exhaustive.
Dodd-Frank Cash Flow at Risk and Commodity Modeling
Liquidity Risk Modeling
Asset and Portfolio Risk Modeling
Credit Risk Modeling
Credit Risk Modeling RMORSA
Identity Theft
Financial Crime Analytics
AML
Vulnerability and Penetration Testing
Simulation and Test Drives
Application: Risk and Compliance Analytics
Audit Universe for a Bank: Illustrative
Audit Universe for a Bank: Illustrative
1. Does your area of work require you to look at data fetched from various IT and Business systems?
2. Do you struggle with large volumes of data across fragmented systems which cannot be handled using MS Excel or
Access?
3. Do you often doubt the integrity and reliability of the data you use for your assessment?
4. Are response times from process owners / IT related to data / information request too long?
5. Are you limited in your coverage due to systems or resource constraints?
6. Is your sampling strategy is based on qualitative guesstimates?
7. Is knowledge of a particular area restricted within a specific group / person within your team?
8. Is the frequency of your reviews based on business need and risk assessment or purely governed by availability of
resources?
9. Do you spend significantly more time in collecting and managing data as opposed to actual analysis or
investigations?
10. Do you think you can free yourself for strategic activities if the tactical work is automated?
11. Would a continuous assessment of risk for each process area help you prioritize your area of focus?
12. Is most of your conclusions driven by instincts and experience as opposed to data?
13. Do you have to grapple with complex internal and external factors affecting risk assessments that you perform?
14. Are you expected to predict and not just report?
The ‘Yes’ Test
NOTE: The above is only an indicative list which is by no means exhaustive.
The following areas are indicative Continuous Monitoring, Audit Analytics and Audit Automation areas that can be implemented at a typical Bank
Personal Banking Business Banking Private Banking Online Banking
Suspicious Activity Monitoring
Transaction Monitoring Receivables/ Cash &
Collection, Capex
Collateral Management
User Access Management
Journal Entry (General Accounting) Testing
Customer Care
Customer Experience
Sales ( Direct and Indirect)
Customer & Product Analytics
Portfolio Valuation Operations Analytics
Gifts and Entertainment
Consumer/Employee Fraud
Liquidity & Treasury Management
Process monitoring and KPI Analytics
Data Error Control
Security Failure
False implementation (error code)
Product Profitability
Consumer Fraud
Risk & Financial Analytics Fraud, Regulatory & AML
Analytics Data Management &
Security Analytics
Regulatory Reporting
Trader Mandates
Spend by Vendor
Travel & Expenses Credit & Market Risk
Customer Lifecycle Management
Customer Profiling Network & Information
Security
Cyber crime
The Applicability Matrix: Banking
Developing an Audit Analytics Strategy
Continuous Audit Process Maturity and Readiness Assessment (CAAT Strategy Development, Roadmap and Joint Working Group formation)
Information Analysis and Design (Solution Blueprint, System Understanding and Review of Data Maturity and As-Is Processes)
Setting up of foundational platform and Implementation and Configuration of ACL for different ERP and Source System module
Continuous Audit Policy and Procedures pertaining to recommendations on Standard Operating procedures, Team Setup and Exception Management
The Protiviti Approach:
For a successful deployment and functioning of an Audit Analytics Solution people, process, and technology perspectives needs to be considered. A five step approach to establish a Continuous Audit Platform:
1
2
3
4
Training on Tools and Handover sessions to be organized for knowledge transfer 5
Data Collection Engine
Data Analytics Systems and Tools Data Store
Reporting and Dashboard Layer
Financial Audit
Operations Audit
Technology Audit
Forensic Audit
Pre-defined Rules and Queries, Control
Mapping Configurable Rules, Custom Analytics
Algorithms
Business Applications, IT Systems viz. (ERP, Data Warehouse, BI, Financial Systems, Sales Channels, etc.)
Solution End State
Crossing the Chasm
-- - -- - -- - -- - -- -
30 %
25 %
20 %
15 %
10 %
5 %
Competitors in the region
have not Upgraded
Vague ROI, Hard to get
Management Approval
Expensive to Implement
Takes too much
Effort or Time
Trust in current Audit
Practices
Failed Starts / Learning Curve / Lacking Skillsets
Comparison of actual case
studies pertaining to your industry
Adoption improves internal
processes Demonstrable
Achievement of ROI Inexpensive
Solutions
Quick Wins
Partnership Strategy
Protiviti Analytics Center of Excellence
Resistance to Adoption – Survey Results
Data and Data Analytics Setting the Context
Case in Point Success Stories
Data Analytics in Audit How Analytics can help IA bridge the expectation Gap
Almost there…
Largest Oil And Gas Company in GCC CONTINUOUS AUDIT STRATEGY DEVELOPMENT AND IMPLEMENTATION
THE CHALLENGE
$ 3M
250+ AUDITS
10+ SAP Instances
Cost of failure of false starts to set up a
Continuous Auditing and Analytics Framework
Complex Organization and Large Audit
Universe
THE RESULT
85%
65%
6
Increase in predictive risk detection capability
Percentage of Automation achieved within the Audit Universe
Quick Wins Delivered • Materials and Supplies • Revenue Recognition • Plant Maintenance • Asset lifecycle Mgmt. • Capital Projects • HR
1. Bootstrapped the formation of the Continuous Audit and Data Analytics Division with IA
2. Increased Credibility of IA
3. Improved visibility into Operational Processes and Data
APPROACH
Since 2 previous attempts failed, delivery of Quick Wins were prioritized to achieve management buy-in
Continuous Audit and Data Analytics strategy was developed to supplement the 5 year audit plan
Implemented the solution based on a 3-tier architecture aimed at achieving progressive scalability with IT buy-in
Fragmented IT Infrastructure
Multinational Consumer Electronics Company AUDIT ANALYTICS AS A SERVICE: CENTRALIZED SHARED SERVICE CENTER SETUP
THE CHALLENGE
55%
75%
90%
Lack of Accuracy: Large number of false
positives
Timeliness Challenges:
Most of the findings were reactive in nature
Lack of Automation:
Mostly Manual Processes resulting in inefficiencies
and coverage gaps
THE RESULT
147%
100%
65%
Increase in efficiency and timeliness of anomaly detection
Comprehensive coverage of transactions and control points
Increased accuracy and reduction of false positives through automation
APPROACH
Deployed end-to-end solution architecture from data extraction to report generation
Ongoing support and Managed Services to monitored exceptions work with internal stakeholders for corrective actions
1. Reduced Dependency on Process Owners (through direct integration with key data sources)
2. Discovery of ‘unknown unknowns’ (through heuristic and knowledge based analytics techniques)
3. Turnkey Solution (through advisory, implementation and managed services)
Develop a Continuous Audit Automation Blueprint
PROCUREMENT FRAUD AND FORENSICS ANALYTICS
• Fraud management team involved in manual investigation of reports of suspicious activity, unable to ascertain fraud scenarios.
BENEFITS ACHIEVED
• Developed KPI, benchmarks and thresholds to analyze and contrast vendor relationships
• Design scenario analytics framework to identify suspicious activity across all global regions.
• Square in on non-bonafide vendors with suspicious relationships with internal personnel in authority.
APPROACH
Business identified scenarios, previously unmonitored such as company sponsored
resort hires.
Delivered a framework to
perform P2P fraud analysis using latest
client focused techniques.
$5.5M 17 $ 1.5M Amount classified under suspicious
activities
Employees posing as Vendors Identified
In claims from decentralized
locations red-flagged
• Client operates in 96 locations, with more than 36,000 vendors engaged in various contractual engagements, for varying durations.
Leading Airlines In GCC
SUSPICIOUS TRANSACTIONS MONITORING
THE CHALLENGE
55%
95%
1:4
Manual Audit Oversight: Percent of suspicious
activity overlooked by client’s existing processes
Non Proactive
Percent findings were reactive in nature (post
loss)
Audit focus vs. Actual areas of suspicion:
Ratio between issues identified by existing
audit process and issues identified by our analytics
THE RESULT
70+
2K
7K
Transaction patterns that allowed fraud schemes were identified
Suspicious transactions were identified and red-flagged
Manual entries of amounts and other details directly from unmonitored systems identified
APPROACH
Developed proprietary tools to read Bank’s data files as data size and handling capability was too low.
Ongoing support and Managed Services to monitored exceptions work with internal stakeholders for corrective actions.
1. Our analysis identified that the Manual entries made to balance/initiate Payables, were the largest chunk of direct manual intervention and entry.
2. Several suspect payables identified values between USD 4,000 USD 75,000 that were logged under “Gifts, Business Travel, allowance, Incentives, settlements, and ad-hoc payments”.
Performed transaction analytics for transaction occurring through Inter-branch accounts and identified manual and other suspicious transactions
A Large Islamic Bank In GCC
Key
Ch
alle
nge
s Lack of Management Buy-In and Leadership to drive Analytics within IA
General lack of understanding of Analytics and availability of Talent
Data Quality and Availability, cost of data cleansing vs. perceived benefits
The ‘Big Bang’ Approach – trying to do everything is a recipe for failure
Collaboration with IT, Operations and Senior Leadership
Lack of a well-defined analytics objective and dealing with False Positives
Getting the right Partner – ‘If you have to wrestle with an elephant, get help’
Challenges and Lessons Learnt
Alignment with Strategic Business Goals
• Improve Performance
• Improve Customer Experience
• Improve Brand Value
Demonstrate Business Foresight
• How will the analytics be implemented
• What actions will the analytics enable
• How to measure results
• What is the success criteria
Assess Data Maturity
• What data is available
• What data is needed
• Is the data available in the right form
• How can the data be transformed into the right form
Leverage Cross-Industry Best Practices
• Look at adjacent industries with higher maturity curve in the kind of analytics you want to do
• Adapt success in other Industries. Customize for context and need
Build a Partner Strategy
• Build a Analytics Roadmap
• Build new capabilities, hire talent with different skill base
• Invest in cutting edge tools
• Get professional services for non-core Technology activities
Building the Analytics Business Case
Building the Business Case
3,500
professionals
Over 20 countries in the Americas, Europe,
the Middle East and Asia-Pacific
70+ offices
Our revenue: More than
USD 620 million
in 2014
Contact Us
Amit Ray
Managing Director
D : +965 2295 7821
M: +965 9725 3608
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit. Through our network of more than 70 offices in over 20 countries, we have served more than 40 percent of FORTUNE 1000® and FORTUNE Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.
Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.