18 Application Areas-Malta-05-05 Abdolmohammadi.ppt

  • 8/11/2019 18 Application Areas-Malta-05-05 Abdolmohammadi.ppt

    1/35

    Continuous Auditing - Malta - 05 1

    Application areas of continuous internal auditing in financial services and manufacturing

    Mohammad Abdolmohammadi
    Bentley College

    Ahmad Sharbatouglie
    Sharif University of Technology

    Presentation Plan

    • IIA Monograph
    • Motivation
    • CA Definitions
    • A Generic CA Model
    • Manufacturing CA Example: Truck Manufacturing Company (TMC)
    • Financial Services CA Example: Anti Money Laundering (AML) Compliance

    IIA Monograph

    Continuous Auditing: An Operational Model for Internal Auditors

    Chapter 1 Introduction
    Chapter 2 Continuous internal auditing concepts
    Chapter 3 Application areas of continuous internal auditing
    Chapter 4 Continuous internal auditing development methodology
    Chapter 5 Data warehousing as an enabling CA methodology
    Chapter 6 Data mining as an enabling CA methodology
    Chapter 7 Validation of a continuous internal auditing model
    Chapter 8 Training
    Chapter 9 Summary and conclusions

    Motivation

    • Vasarhelyi, Kogan and Alles (2002) argue that a well-performed continuous audit would have brought Enron's problems to light much sooner than a traditional audit.
    • Daigle and Lampe (2003) argue that CA can help public companies comply with the provisions of the US Sarbanes-Oxley Act of 2002.
    • Timely Information on Business Processes
    • Embedding CA Technology for Transaction Systems

    Definitions

    Generic Definitions:

    • A process or methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors' reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter... The continuous audit process must be automated. (Groomer 2000, 44)
    • A process that tests transactions based upon prescribed criteria, identifies anomalies, and is the responsibility of the auditor (Warren and Parker 2003:1)
    • A methodology that enables independent auditors to provide written assurance on a subject matter, for which an entity's management is responsible, using a series of auditors' reports issued virtually simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter. (AICPA/CICA 1999)

    Definition

    Internal Auditing:

    • Used by internal auditors in a continuous or quasi-continuous fashion
    • Continual monitoring of information systems in real-time
    • Continual monitoring as a part of the control structure
    • Continual corrective measures to improve the business processes, and the quality of the data generated from transactions and information systems
    • Enabling technology exists (XBRL, data warehousing/mining) to perform it.
    • CA is different from embedded audit modules (EAM), which have proven to be difficult to implement in many large companies with company-wide enterprise resource planning (ERP) systems. While an EAM can be viewed as a predecessor technology to continuous auditing, its development is very challenging (Debreceny et al., 2003).

    A Generic Model in the Literature

    [Figure 2: Continuous Auditing Data Acquisition and Analysis Strategy. Diagram labels: Corporate Data Systems; FTP; Data Download; Data Conversion; Data Transformation; Metabase; Audit Data Warehouse; Audit Data Marts; Audit Data Server (DBMS); Client Workstation.]

    Rezaee, Z.W.; A. Sharbatoghlie; R. Elam; P.L. McMickle, 2002. Continuous Auditing: Building Automated Auditing Capability. Auditing: A Journal of Practice and Theory 21(1): 147-163.

    A Refined CA Model

    [Architecture diagram. Labels recoverable from the figure:]

    • Components: Core Applications; Database Server; Other Mainframe; Other Data Systems; Data Extraction; Data Transformation/Loading; Metabase; XML Parser/Tags; Audit Data Warehouse; Data Mart; Firewall/Authentication; Web Application Server; Client Workstation
    • Systems and platforms named: ETI, SAS, COBOL, Stratus, IDMS P75, DB2, AS400, Oracle, UNIX, External Files, Local Drive, WINNT, Sun Solaris
    • Tools named: Q&E, MS Access, MS Excel
    • Web Application Server software: SAS/IntrNet: Application Dispatcher, htmSQL, MDDB Report Viewer, Meta Space Explore, SAS/CONNECT Driver for JAVA, SAS/SHARE Driver for JDBC, Xplore Sample, CGI

    Annotations in the figure:

    • Scalability/Parallel Processing
    • Single pass architecture
    • Easy to create databases and maintain
    • Data-base security (SSL)
    • Star Schema
    • Business and technical meta data
    • XML Support

    • Base SAS, SAS STAT, SAS INSIGHT, SAS ACCESS, SAS GRAPH, SAS ENTERPRISE GUIDE
    • Q&E Database Editor
    • Microsoft Office
    • ACL for Windows

    • Identify audit controls applicable to data
    • Select tables and columns, and data values
    • Define data format and types
    • Calculate data storage requirements
    • Produce audit test model
    • Design RDBMS to apply audit test model
    • Create data flow diagrams
    • Complete meta data of all audit data attributes
    • Catalog, store, and maintain data

    • Append, rename, sort, copy, string functions
    • IF statements, looping logic, table lookups
    • GUI Interface to data transformation
    • Lists, deletes, rename partitioned data sets
    • Defines destinations for procedure output and log
    • Easy way to back up and process library data sets
    • SQL to retrieve and update data in tables and views

    A Methodology to Generate A CA Model

    The Continuous Auditing Process Flow using DW Approach

    1. Identifying key business and data system manager(s)
    2. Reviewing business rules & data system documentation
    3. Establishing a Joint Audit Session (JAS)
    4. Defining audit objectives and internal control descriptions
    5. Identifying data elements and measurement methods
    6. Establishing data access/authorization
    7. Extracting data based on audit objectives
    8. Transforming raw data and creating audit meta data
    9. Loading audit data and creating audit tests
    10. Executing audit tests/producing exception reports
    11. Exception report investigation and follow-up
    12. Audit findings and system control enhancements
    13. Monitoring implementation of the control enhancements
    14. Post-implementation audit of the controls

    A Methodology to Generate A CA Model:

    Determine audit objectives and scope
    • Value to client
    • Value to oversight organizations/data users
    • Complexity of the business system
    • Complexity of data/business rules
    • Level of data access
    • Multiplicity of data owners
    • Likelihood of changes in the system/business that could affect audit outcomes
    • Existence of pre-existing monitoring and its level of reporting

    A Methodology to Generate A CA Model:

    Determine data analysis requirements
    • Clearly define audit test objectives;
    • Identify data sources;
    • Describe data attributes such as file names, targeted columns, and data values to be used for audit testing;
    • Describe any data transformation to be performed;
    • Clearly state the intended data analysis reporting requirements in terms of both the format and content of the report

    A Methodology to Generate A CA Model:

    Collect meta data
    • Organizational model
    • Business relationship model
    • Business process flows
    • Data models
    • Data dictionary
    • Data owners and data users
    • System/business interdependencies
    • Business rules embedded in the system or being monitored by managers
    • Data access - direct or through a business partner
    • File layouts, copybooks, etc.

    Application Areas

    • Vasarhelyi et al. (2003, 8) propose a four-level analysis for identification of CA projects:
        • Verifying atomic elements of transactions (e.g. movement of money, information) at the data level.
        • Assuring the appropriateness of the measurement rules used in transaction processing (i.e. GAAP).
        • Verifying the adequacy of estimates and their assumptions, as well as the consistency of high-level measurements.
        • Auditing and questioning high-level judgments and facts about the organization.
    • We use a generic model that is consistent with this but covers a wide range of non-financial CA application areas.

    Application Area Considerations

    • Development of CA applications is highly costly;
        • Select only the application areas that are critical to the organization and those that can be justified from a cost-benefit perspective.
    • In theory embedded audit modules (EAM) can be developed for companies with ERP systems
        • In reality we may be years away from developing CA applications for comprehensive ERP systems.

    Application Area Considerations

    Sharbatouglie participated in the design of an embedded audit module in the brokerage systems of a large financial services company to monitor certain high risk brokerage transactions.

    • He found that certain jobs fed into hundreds of other sub batches, with a risk of a change in any one component halting the entire main transaction processing system.
    • Furthermore, the cost of developing such an embedded module was prohibitive.
    • The alternative to an embedded module was to develop a solution in which transactions were captured from the nightly cycle and stored in an audit data warehouse. Audit modules were then developed to run on the shadow files soon after the transactions had occurred.

    Application Area Considerations

    Other examples:
    • A CA module can compare employee data from human resources against the vendor master file to reveal any potential conflict of interest,
    • P-Card transaction monitoring
    • CA to ensure compliance with the anti money laundering provisions of the U.S. Patriot Act in the banking and financial services sector
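The employee-versus-vendor comparison can be written as an audit test that runs on warehouse copies of both files. The sketch below is an added example, not code from the presentation: the table and column names, the normalization rules and every row are constructed assumptions, with an in-memory SQLite database standing in for the audit data warehouse.

```python
# Added example: employee vs. vendor master-file match on warehouse copies.
# Table names, column names and every row below are constructed for illustration.
import re
import sqlite3

ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "suite": "ste"}

EMPLOYEES = [  # constructed HR extract: id, name, phone, bank account, address
    ("E100", "Dana Reyes", "(617) 555-0142", "021000021-4471 9902", "12 Elm Street, Waltham"),
    ("E101", "Lee Moran", "617-555-0188", "0110-0001 5523 7781", "4 Oak Avenue, Newton"),
    ("E102", "Sam Ortiz", "", "", "88 Pine Road, Lowell"),
]
VENDORS = [  # constructed vendor master extract, same column order
    ("V900", "Reyes Consulting LLC", "617.555.0142", "0210000214471-9902", "12 Elm St., Waltham"),
    ("V901", "Northeast Fasteners", "+1 508 555 0101", "2110 7000 4432 1100", "400 Mill Rd, Worcester"),
    ("V902", "Oak Ave Supplies", "", "", "4 Oak Ave, Newton"),
]

def norm_phone(value):
    """Digits only, last 10, so formatting and country prefix do not hide a match."""
    digits = re.sub(r"\D", "", value or "")
    return digits[-10:] if len(digits) >= 10 else None

def norm_account(value):
    """Strip spaces and dashes from a bank account identifier."""
    return re.sub(r"[\s\-]", "", value or "").upper() or None

def norm_address(value):
    """Lower-case, drop punctuation, abbreviate common street words."""
    words = re.sub(r"[^a-z0-9 ]", " ", (value or "").lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words) or None

def load(conn):
    """Transform and load both extracts; blanks become NULL so they never join."""
    for table, rows in (("hr_employee", EMPLOYEES), ("vendor_master", VENDORS)):
        conn.execute(f"CREATE TABLE {table} (id TEXT, name TEXT, phone TEXT, bank TEXT, addr TEXT)")
        conn.executemany(
            f"INSERT INTO {table} VALUES (?, ?, ?, ?, ?)",
            [(i, n, norm_phone(p), norm_account(b), norm_address(a)) for i, n, p, b, a in rows],
        )

# One branch per shared attribute; NULL = NULL is never true, so blanks are skipped.
AUDIT_TEST = """
    SELECT e.id, v.id, 'phone' AS matched_on
      FROM hr_employee e JOIN vendor_master v ON e.phone = v.phone
    UNION ALL
    SELECT e.id, v.id, 'bank_account'
      FROM hr_employee e JOIN vendor_master v ON e.bank = v.bank
    UNION ALL
    SELECT e.id, v.id, 'address'
      FROM hr_employee e JOIN vendor_master v ON e.addr = v.addr
    ORDER BY 1, 2, 3
"""

def exception_report(conn):
    """Return {(employee_id, vendor_id): [matched fields]} for investigation."""
    report = {}
    for emp_id, vendor_id, field in conn.execute(AUDIT_TEST):
        report.setdefault((emp_id, vendor_id), []).append(field)
    return report

def run():
    conn = sqlite3.connect(":memory:")  # stand-in for the audit data warehouse
    load(conn)
    return exception_report(conn)

if __name__ == "__main__":
    for (emp, ven), fields in run().items():
        print(emp, ven, "matched on", ", ".join(fields))
```

A pair that matches on several attributes is a stronger lead than an address-only match, which can be a shared building; the report keeps the matched fields so an investigator can rank them.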

    Manufacturing Example

    • Truck manufacturing subsidiary of a large European car maker (TMC)
    • TMC's strategic plan called for:
        • Total Quality Management (TQM).
        • Value engineering in which, among other things, project values are increased, customer satisfaction is enhanced, projects are performed in the shortest time, while keeping quality high, and unnecessary expenses are identified and eliminated.
        • Mechanization in which, among other things, data banks and computer information systems are integrated.

    Manufacturing Example

    But:
    • Only 40% of TMC's customers were satisfied with after sales services and many customers complained about defective parts or malfunctioning units in their trucks.
    • This problem indicated that the quality control department together with the audit and inspection department did not perform their duties well and had serious problems in monitoring and controlling the defective parts.

    TMC

    The needs assessment phase of a CA development for TMC included:
    • Documentation of audit controls in the manufacturing process.
    • Development of a CA model that is based on the data warehousing methodology with built-in audit modules.

    TMC

    [Diagram: CA development process at TMC]

    Phases: 1. CA Model Context; 2. Current Audit Model; 3. To Be CA Model; 4. Continuous Monitoring

    Activities shown in the diagram:
    • Create Project Team: Sponsor (Truck Co.); Project Manager; Trainer - (CA Consultant)
    • Defining business needs: Purpose; Objectives; Scope
    • Gather Audit Data: Process Activities; Work Item Types; Metrics; Volume and Staffing
    • Build CA Model (CA Consultant)
    • Validate CA Model (TruckCo. and CA Consultant)
    • Simulate CA Model (TruckCo. and CA Consultant)
    • Validate Audit Results (TruckCo. and CA Consultant)
    • Train Operations Managers (Trainer)
    • Run What-If Scenarios (Operations Managers)
    • Redesign CA Process: Analyze Audit Results; Run What-If Scenarios; Recommend Changes
    • Knowledge Transfer (Trainer)

    TMC's data banks were initially isolated and not fully integrated

    [Diagram labels: Engineering Unit; Planning Unit; Sales; Quality Control; Engineering Reports; Planning Reports; Parts Order Form; Purchasing Report; Truck Deficiency Form; Sales Reports; Design Standards; Parts List; Inspection Reports; Customer Satisfaction Surveys.]

    TMC

    A central audit data warehouse

    [Diagram labels: Planning Unit; Engineering Unit; Quality Control; Sale Services; Extract (four instances); Transform & Load; CA Data Warehouse; Report (five instances); DSS; Reports; Data Mining.]

    TMC's New Continuous Process Flow

    [Diagram: TRUCK MANUFACTURING CA PROCESS FLOW. Labels: Part-Acquisition; Engineering Unit Provides Part Specifications; Manufacturer 1; Manufacturer 2; Manufacturer 2; Truck Co. Acquires Parts from Manufacturers and Audits Parts; Planning Unit Acquires Parts; Part-List with Vendor Code Transmitted; Purchasing Management; Quality Control Management; Audit; Engineering; Sales Unit; Customer; Customer Satisfaction Survey; After Sale Services; Computerized CA/Inspection; Computerized CA/Quality Control Workstations; Computer Network. Legend: Manufacturing Data Transmission (Parts-Tracking System).]

    Engineering unit in collaboration with the M.I.S. department produces a Parts Tracking System. This system is maintained in the Truck Co. computer network and can be accessed by all departments involved in truck manufacturing such as Quality Control Management, Audit, Planning Unit, Purchasing Management, Engineering, Sales, and After Sale Services. The Parts Tracking System contains a data bank with part ID, design specifications, vendor code, Quality Control Ratings, and truck ID. The system will enable easy identification of a given part from its manufacturing to its installation in a given truck and will be capable of generating summary reports such as periodic defect reports by Part ID and manufacturer,

    Designed by: Ahmad Sharbatoghli, Ph.D.
    October 3, 2003

    TMC CA Validation

    • Part manufacturers whose products consistently met engineering design specifications, and produced the least defective parts, would be rewarded.
    • Manufacturers that produced sub-standard parts would be reprimanded, or if serious enough, their contracts would be cancelled.
    • The ultimate goal is to achieve defective PPM (parts per million) approaching zero. General Motors tried in the 1990s to achieve zero PPM defects (Smith, 1997).
    • A company delivering 6,000 PPM wastes approximately 25 percent of each sales dollar on extra labor, inspections, tests, equipment, repair, excessive cycle time, floor space and inventory (Keenan 1996).
    • TMC was wasting approximately 20 percent of its total 2002 sales of diesel trucks to defective parts. The implementation of a CA system had the promise of cutting this cost to a fraction of 2002 levels.

    TMC CA Validation: Other Gains

    • The CA model generates a valuable manufacturing control knowledge base.
    • Detailed electronic audit control charts enable the control managers to better monitor the manufacturing processes.
    • Creation of multiple internal control data banks (such as parts-supplier internal control data base) enables better monitoring of the performance of the part-manufacturers and the status of the defective parts.
    • Generation of control interdependency charts helps in optimal integration of manufacturing control data banks.
    • An evaluation of the internal control reports leads to practical solutions for cost-reduction and production efficiency.

    Financial Services Example: Real time Disclosure to Comply with the US Patriot Act

    Real time disclosure has been a requirement of the Securities Exchange Act of 1934:

    REAL TIME ISSUER DISCLOSURES. Each issuer reporting under section 13(a) or 15(d) shall disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer, in plain English (Cohen 2003).

    Financial Services Example: Real time Disclosure to Comply with laws

    Two important application areas of the CA in banking and financial services that are mandated by recent laws in the US are:
    • Compliance with the provisions of the Sarbanes-Oxley Act of 2002,
    • Implementation of the Anti Money Laundering (AML) provisions of the US Patriot Act of 2001.

    AML

    Title III of the US Patriot Act is titled International Money Laundering Abatement and Anti-terrorist Financial Act of 2001. It delineates specific regulations regarding counter money laundering and related measures.

    • Sec. 312. Special due diligence for correspondent accounts and private banking accounts.
    • Sec. 313. Prohibition on United States correspondent accounts with foreign shell banks.
    • Sec. 314. Cooperative efforts to deter money laundering.
    • Sec. 318. Laundering money through a foreign bank.
    • Sec. 325. Concentration accounts at financial institutions.
    • Sec. 326. Verification of identification.
    • Sec. 327. Consideration of anti-money laundering record.
    • Sec. 328. International cooperation on identification of originators of wire transfers.
    • Sec. 330. International cooperation in investigations of money laundering, financial crimes, and the finances of terrorist groups.

    CA can help in complying with these requirements; a traditional audit may not be able to.

    AML

    • Requires identification of the origins and destinations of each transaction and its corresponding client location
        • High risk locations are monitored
        • Customers that engage in suspect activities receive a higher risk score.
        • Some transaction types (e.g., third party redemptions) are riskier and provide risk scores based on their types.
    • CA enables seamless processing, assessment, and risk scoring of transactions for money laundering.

    A Basic AML CA Model

    • Transactions pass through a Compliance Monitoring System which is essentially
        • a pre-written rule-based engine to test for suspect money laundering transactions;
        • a data mining discovery engine which runs several job routines to identify potentially suspect patterns in the transactional data base.
    • The exceptions reported from the Compliance Monitoring System will then go to an investigations unit for further analysis. If there were confirmed cases of money laundering, the profiles of these cases are fed to the data-mining system for learning and reducing the number of false positives.

    A Basic AML CA Model

    • Traditional statistical methods are not efficient
    • There is a need for more sophisticated techniques such as: cluster analysis/profiling, outlier detection, link analysis, decision trees, association and sequence analysis, neural networks
    • For example:
        • in a cluster analysis/profiling it is possible to segment a heterogeneous population into a number of sub-populations that share profiles of money launderers.
        • an account that historically did not have any wire transfer or cash deposits but suddenly engaged in incidences of these activities can be flagged and investigated.
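The risk-scoring rules from the AML slides (location, customer history, transaction type) and the behaviour-change flag described above can be combined in one rule-based pass over the transaction stream. This is an added example, not the presenters' system: the weights, threshold, location codes, field names and transactions are all constructed assumptions.

```python
# Added example: rule-based AML scoring plus a behaviour-change flag.
# Weights, threshold, location codes and all transactions are constructed assumptions.
from collections import defaultdict
from datetime import date

HIGH_RISK_LOCATIONS = {"XX", "YY"}   # placeholder codes, not a real watch list
TYPE_RISK = {"third_party_redemption": 40, "wire": 20, "cash_deposit": 20, "check": 5}
LOCATION_RISK = 30                   # any leg of the transaction touches a listed location
PRIOR_SUSPECT_RISK = 25              # customer already tied to suspect activity
NEW_BEHAVIOUR_RISK = 35              # first wire/cash activity on an established account
WATCHED_TYPES = {"wire", "cash_deposit"}
MIN_HISTORY = 3                      # earlier transactions needed to call an account established
THRESHOLD = 60                       # scores at or above this go to the investigations unit

def score_stream(transactions, suspect_customers):
    """Score transactions in date order; return exceptions as (txn_id, score, reasons)."""
    history = defaultdict(list)      # account -> transaction types seen so far
    exceptions = []
    for t in sorted(transactions, key=lambda t: (t["date"], t["id"])):
        score, reasons = TYPE_RISK.get(t["type"], 0), []
        if score:
            reasons.append(f"type:{t['type']}")
        if {t["origin"], t["destination"], t["client_location"]} & HIGH_RISK_LOCATIONS:
            score += LOCATION_RISK
            reasons.append("high_risk_location")
        if t["customer"] in suspect_customers:
            score += PRIOR_SUSPECT_RISK
            reasons.append("customer_prior_suspect")
        seen = history[t["account"]]
        # Flag only established accounts; a brand-new account has no baseline to break.
        if (t["type"] in WATCHED_TYPES and len(seen) >= MIN_HISTORY
                and not WATCHED_TYPES & set(seen)):
            score += NEW_BEHAVIOUR_RISK
            reasons.append("new_wire_or_cash_activity")
        seen.append(t["type"])
        if score >= THRESHOLD:
            exceptions.append((t["id"], score, reasons))
    return exceptions

def txn(i, d, acct, cust, typ, orig="US", dest="US", loc="US"):
    return {"id": i, "date": d, "account": acct, "customer": cust, "type": typ,
            "origin": orig, "destination": dest, "client_location": loc}

SAMPLE = [  # constructed transactions
    txn("T1", date(2005, 1, 3), "A1", "C1", "check"),
    txn("T2", date(2005, 1, 10), "A1", "C1", "check"),
    txn("T3", date(2005, 1, 17), "A1", "C1", "check"),
    txn("T4", date(2005, 2, 1), "A1", "C1", "wire", dest="XX"),
    txn("T5", date(2005, 2, 2), "A2", "C2", "wire"),
    txn("T6", date(2005, 2, 3), "A3", "C3", "third_party_redemption"),
    txn("T7", date(2005, 2, 4), "A3", "C3", "check", loc="YY"),
    txn("T8", date(2005, 2, 5), "A1", "C1", "wire"),
]

def run():
    # suspect_customers stands in for profiles fed back from confirmed investigations.
    return score_stream(SAMPLE, suspect_customers={"C3"})

if __name__ == "__main__":
    for txn_id, score, reasons in run():
        print(txn_id, score, ", ".join(reasons))
```

Each exception carries its reasons, so the investigations unit can see which rule fired and a rule that mostly produces false positives can be re-weighted.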

    AML Sequence Matching

    [Diagram labels: Sender Account; Household; Receiver Account; Bank; Agent; Account Owner.]

    AML: Neural Networks