8/11/2019 18 Application Areas-Malta-05-05 Abdolmohammadi.ppt
1/35
Continuous Auditing - Malta - 05 1
Application areas of continuous internal auditing in financial services and manufacturing
Mohammad Abdolmohammadi, Bentley College
Ahmad Sharbatouglie, Sharif University of Technology
Presentation Plan
- IIA Monograph
- Motivation
- CA Definitions
- A Generic CA Model
- Manufacturing CA Example: Truck Manufacturing Company (TMC)
- Financial Services CA Example: Anti Money Laundering (AML) Compliance
IIA Monograph
Continuous Auditing: An Operational Model for Internal Auditors
Chapter 1 Introduction
Chapter 2 Continuous internal auditing concepts
Chapter 3 Application areas of continuous internal auditing
Chapter 4 Continuous internal auditing development methodology
Chapter 5 Data warehousing as an enabling CA methodology
Chapter 6 Data mining as an enabling CA methodology
Chapter 7 Validation of a continuous internal auditing model
Chapter 8 Training
Chapter 9 Summary and conclusions
Motivation
- Vasarhelyi, Kogan and Alles (2002) argue that a well-performed continuous audit would have brought Enron's problems to light much sooner than a traditional audit.
- Daigle and Lampe (2003) argue that CA can help public companies comply with the provisions of the US Sarbanes-Oxley Act of 2002.
- Timely Information on Business Processes
- Embedding CA Technology for Transaction Systems
Definitions
Generic Definitions:
- A process or methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors' reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter... The continuous audit process must be automated. (Groomer 2000, 44)
- A process that tests transactions based upon prescribed criteria, identifies anomalies, and is the responsibility of the auditor (Warren and Parker 2003:1)
- A methodology that enables independent auditors to provide written assurance on a subject matter, for which an entity's management is responsible, using a series of auditors' reports issued virtually simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter. (AICPA/CICA 1999)
Definition
Internal Auditing:
- Used by internal auditors in a continuous or quasi-continuous fashion
- Continual monitoring of information systems in real-time
- Continual monitoring as a part of the control structure
- Continual corrective measures to improve the business processes, and the quality of the data generated from transactions and information systems
- Enabling technology exists (XBRL, data warehousing/mining) to perform it.
- CA is different from embedded audit modules (EAM) that have proven to be difficult to implement in many large companies with company-wide enterprise resource planning (ERP) systems. While an EAM can be viewed as a predecessor technology to continuous auditing, its development is very challenging (Debreceny et al., 2003).
A Generic Model in the Literature
Rezaee, Z.W.; A. Sharbatoghlie; R. Elam; P.L. McMickle, 2002. Continuous Auditing: Building Automated Auditing Capability. Auditing: A Journal of Practice and Theory 21(1): 147-163.
[Figure 2: Continuous Auditing Data Acquisition and Analysis Strategy. Recoverable labels: Corporate Data Systems; FTP; Data Download; Data Conversion; Data Transformation; Metabase; Audit Data Warehouse; Audit Data Marts; Audit Data Server (DBMS); Client Workstation.]
A Refined CA Model
[Figure: refined CA architecture diagram. Recoverable component labels: Core Applications; Database Server; Other Mainframe; Other Data Systems; Data Extraction; Data Transformation/Loading; Metabase (XML Parser/Tags); Audit Data Warehouse; Data Mart; Firewall/Authentication; Web Application Server; Client Workstation.]
Platforms and tools named in the figure: ETI, SAS, COBOL, Stratus, IDMS P75, DB2, AS400, Oracle, UNIX, WINNT, Sun Solaris, External Files, Local Drive, Q&E, MS Access, MS Excel.
Web Application Server: SAS/IntrNet: Application Dispatcher, htmSQL, MDDB Report Viewer, MetaSpace Explorer, SAS/CONNECT Driver for JAVA, SAS/SHARE Driver for JDBC, Xplore Sample, CGI
Annotation lists recovered from the figure:
- Scalability/Parallel Processing
- Single pass architecture
- Easy to create databases and maintain
- Data-base security (SSL)
- Star Schema
- Business and technical meta data
- XML Support
- Base SAS, SAS STAT, SAS INSIGHT, SAS ACCESS, SAS GRAPH, SAS ENTERPRISE GUIDE
- Q&E Database Editor
- Microsoft Office
- ACL for Windows
- Identify audit controls applicable to data
- Select tables and columns, and data values
- Define data format and types
- Calculate data storage requirements
- Produce audit test model
- Design RDBMS to apply audit test model
- Create data flow diagrams
- Complete meta data of all audit data attributes
- Catalog, store, and maintain data
- Append, rename, sort, copy, string functions
- IF statements, looping logic, table lookups
- GUI Interface to data transformation
- Lists, deletes, rename partitioned data sets
- Defines destinations for procedure output and log
- Easy way to back up and process library data sets
- SQL to retrieve and update data in tables and views
A Methodology to Generate A CA Model
The Continuous Auditing Process Flow using DW Approach
1. Identifying key business and data system manager(s)
2. Reviewing business rules & data system documentation
3. Establishing a Joint Audit Session (JAS)
4. Defining audit objectives and internal control descriptions
5. Identifying data elements and measurement methods
6. Establishing data access/authorization
7. Extracting data based on audit objectives
8. Transforming raw data and creating audit meta data
9. Loading audit data and creating audit tests
10. Executing audit tests/producing exception reports
11. Exception report investigation and Follow-up
12. Audit findings and system control enhancements
13. Monitoring implementation of the control enhancements
14. Post-implementation audit of the controls
A Methodology to Generate A CA Model:
Determine audit objectives and scope
- Value to client
- Value to oversight organizations/data users
- Complexity of the business system
- Complexity of data/business rules
- Level of data access
- Multiplicity of data owners
- Likelihood of changes in the system/business that could affect audit outcomes
- Existence of pre-existing monitoring and its level of reporting
A Methodology to Generate A CA Model:
Determine data analysis requirements
- Clearly define audit test objectives;
- Identify data sources;
- Describe data attributes such as file names, targeted columns, and data values to be used for audit testing;
- Describe any data transformation to be performed;
- Clearly state the intended data analysis reporting requirements in terms of both the format and content of the report
A Methodology to Generate A CA Model:
Collect meta data
- Organizational model
- Business relationship model
- Business process flows
- Data models
- Data dictionary
- Data owners and data users
- System/business interdependencies
- Business rules embedded in the system or being monitored by managers
- Data access - direct or through a business partner
- File layouts, copybooks, etc.
Application Areas
- Vasarhelyi et al. (2003, 8) propose a four-level analysis for identification of CA projects:
  - Verifying atomic elements of transactions (e.g. movement of money, information) at the data level.
  - Assuring the appropriateness of the measurement rules used in transaction processing (i.e. GAAP).
  - Verifying the adequacy of estimates and their assumptions, as well as the consistency of high-level measurements.
  - Auditing and questioning high-level judgments and facts about the organization.
- We use a generic model that is consistent with this but covers a wide range of non-financial CA application areas.
Application Area Considerations
- Development of CA applications is highly costly;
  - Select only the application areas that are critical to the organization and those that can be justified from a cost-benefit perspective.
- In theory, embedded audit modules (EAM) can be developed for companies with ERP systems
  - In reality, we may be years away from developing CA applications for comprehensive ERP systems.
Application Area Considerations
Sharbatouglie participated in the design of an embedded audit module in the brokerage systems of a large financial services company to monitor certain high risk brokerage transactions.
- He found that certain jobs fed into hundreds of other sub-batches, with a risk of a change in any one component halting the entire main transaction processing system.
- Furthermore, the cost of developing such an embedded module was prohibitive.
- The alternative to an embedded module was to develop a solution in which transactions were captured from the nightly cycle and stored in an audit data warehouse. Audit modules were then developed to run on the shadow files soon after the transactions had occurred.
Application Area Considerations
Other examples:
- A CA module can compare employee data from human resources against vendor master file to reveal any potential conflict of interest,
- P-Card transaction monitoring
- CA to ensure compliance with the anti money laundering provisions of the U.S. Patriot Act in the banking and financial services sector
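The employee-versus-vendor comparison mentioned above, sketched as an added example (not code from the presentation). The field names, sample records and normalization rules are constructed assumptions; a real module would read both files from the audit data warehouse.

```python
import re
from collections import defaultdict

# Constructed sample records; field names are assumptions for this example.
EMPLOYEES = [
    {"emp_id": "E100", "name": "Dana Reyes", "address": "12 Harbour St., Apt 4",
     "phone": "+1 (555) 010-2233", "bank_account": "GB00-1111-2222"},
    {"emp_id": "E101", "name": "Li Wei", "address": "7 Mill Road",
     "phone": "555 010 9911", "bank_account": "GB00 3333 4444"},
    {"emp_id": "E102", "name": "Omar Haddad", "address": "88 Quay Lane",
     "phone": "555-010-7777", "bank_account": "GB00 5555 6666"},
]
VENDORS = [
    {"vendor_id": "V900", "name": "Reyes Consulting", "address": "12 harbour street apt 4",
     "phone": "15550102233", "bank_account": "gb0099998888"},
    {"vendor_id": "V901", "name": "Northside Tooling", "address": "3 Dock Ave",
     "phone": "555 010 0000", "bank_account": "GB0033334444"},
    {"vendor_id": "V902", "name": "Quay Freight", "address": "90 Quay Lane",
     "phone": "555 010 4444", "bank_account": "GB0012345678"},
]

ABBREV = {"st": "street", "rd": "road", "ave": "avenue", "ln": "lane"}

def norm_address(value):
    """Lowercase, drop punctuation, expand common street abbreviations."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", value.lower()).split()
    return " ".join(ABBREV.get(t, t) for t in tokens)

def norm_phone(value):
    """Keep the last 10 digits so country-code prefixes do not hide a match."""
    digits = re.sub(r"\D", "", value)
    return digits[-10:] if len(digits) >= 10 else ""

def norm_account(value):
    """Compare bank accounts on upper-cased alphanumerics only."""
    return re.sub(r"[^A-Z0-9]", "", value.upper())

NORMALIZERS = {"address": norm_address, "bank_account": norm_account, "phone": norm_phone}

def find_conflicts(employees, vendors):
    """Return employee/vendor pairs that share a normalized address, account or phone."""
    index = defaultdict(set)
    for v in vendors:
        for field, norm in NORMALIZERS.items():
            key = norm(v.get(field, ""))
            if key:  # never index empty values, or blanks would match blanks
                index[(field, key)].add(v["vendor_id"])
    hits = defaultdict(list)
    for e in employees:
        for field, norm in NORMALIZERS.items():
            key = norm(e.get(field, ""))
            for vendor_id in index.get((field, key), ()):
                hits[(e["emp_id"], vendor_id)].append(field)
    return [{"emp_id": e, "vendor_id": v, "matched_on": fields}
            for (e, v), fields in sorted(hits.items())]

if __name__ == "__main__":
    for row in find_conflicts(EMPLOYEES, VENDORS):
        print(row)
```

Each returned pair is an exception for follow-up, not a finding: a shared address or account can have a legitimate explanation.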
Manufacturing Example
Truck manufacturing subsidiary of a large European car maker (TMC)
TMC's strategic plan called for:
- Total Quality Management (TQM).
- Value engineering in which, among other things, project values are increased, customer satisfaction is enhanced, projects are performed in the shortest time, while keeping quality high, and unnecessary expenses are identified and eliminated.
- Mechanization in which, among other things, data banks and computer information systems are integrated.
Manufacturing Example
But:
- Only 40% of TMC's customers were satisfied with after sales services and many customers complained about defective parts or malfunctioning units in their trucks.
- This problem indicated that the quality control department together with the audit and inspection department did not perform their duties well and had serious problems in monitoring and controlling the defective parts.
TMC
The needs assessment phase of a CA development for TMC included:
- Documentation of audit controls in the manufacturing process.
- Development of a CA model that is based on the data warehousing methodology with built-in audit modules.
TMC
[Figure: CA development phases for TMC. Panels: 1. CA Model Context; 2. Current Audit Model; 3. To Be CA Model; 4. Continuous Monitoring.]
Activities shown in the figure:
- Create Project Team: Sponsor (Truck Co.), Project Manager, Trainer (CA Consultant)
- Defining business needs: Purpose, Objectives, Scope
- Gather Audit Data: Process Activities, Work Item Types, Metrics, Volume and Staffing
- Build CA Model (CA Consultant)
- Validate CA Model (TruckCo. and CA Consultant)
- Simulate CA Model (TruckCo. and CA Consultant)
- Validate Audit Results (TruckCo. and CA Consultant)
- Train Operations Managers (Trainer)
- Run What-If Scenarios (Operations Managers)
- Redesign CA Process: Analyze Audit Results, Run What-If Scenarios, Recommend Changes
- Knowledge Transfer (Trainer)
TMC's data banks were initially isolated and not fully integrated
[Figure: isolated departmental data banks. Units: Engineering Unit; Planning Unit; Sales; Quality Control. Documents: Engineering Reports; Planning Reports; Parts Order Form; Purchasing Report; Truck Deficiency Form; Sales Reports; Design Standards; Parts List; Inspection Reports; Customer Satisfaction Surveys.]
TMC
A central audit data warehouse
[Figure: central audit data warehouse. Sources: Planning Unit; Engineering Unit; Quality Control; Sale Services, each feeding an Extract step. Extracts pass through Transform & Load into the CA Data Warehouse. Outputs: Reports; DSS; Data Mining.]
TMC's New Continuous Process Flow
[Figure: TRUCK MANUFACTURING CA PROCESS FLOW. Recoverable labels: Part-Acquisition; Engineering Unit Provides Part Specifications; Manufacturer 1; Manufacturer 2; Truck Co. Acquires Parts from Manufacturers and Audits Parts; Planning Unit Acquires Parts; Part-List with Vendor Code Transmitted; Purchasing Management; Quality Control Management; Audit; Engineering; Sales Unit; Customer; Customer Satisfaction Survey; After Sale Services; Computerized CA/Inspection; Computerized CA/Quality Control Workstations; Computer Network.]
Legend: Manufacturing Data Transmission (Parts-Tracking System)
Engineering unit in collaboration with the M.I.S. department produces a Parts Tracking System. This system is maintained in the Truck Co. computer network and can be accessed by all departments involved in truck manufacturing such as Quality Control Management, Audit, Planning Unit, Purchasing Management, Engineering, Sales, and After Sale Services. The Parts Tracking System contains a data bank with part ID, design specifications, vendor code, Quality Control Ratings, and truck ID. The system will enable easy identification of a given part from its manufacturing to its installation in a given truck and will be capable of generating summary reports such as periodic defect reports by Part ID and manufacturer,
Designed by: Ahmad Sharbatoghli, Ph.D.
October 3, 2003
TMC CA Validation
- Part manufacturers whose products consistently met engineering design specifications, and produced the least defective parts, would be rewarded.
- Manufacturers that produced sub-standard parts would be reprimanded, or if serious enough, their contracts would be cancelled.
- The ultimate goal is to achieve defective PPM (parts per million) approaching zero. General Motors tried in the 1990s to achieve zero PPM defects (Smith, 1997).
- A company delivering 6,000 PPM wastes approximately 25 percent of each sales dollar on extra labor, inspections, tests, equipment, repair, excessive cycle time, floor space and inventory (Keenan 1996).
- TMC was wasting approximately 20 percent of its total 2002 sales of diesel trucks to defective parts. The implementation of a CA system had the promise of cutting this cost to a fraction of 2002 levels.
TMC CA Validation: Other Gains
- The CA model generates a valuable manufacturing control knowledge base.
- Detailed electronic audit control charts enable the control managers to better monitor the manufacturing processes.
- Creation of multiple internal control data banks (such as parts-supplier internal control data base) enables better monitoring of the performance of the part-manufacturers and the status of the defective parts.
- Generation of control interdependency charts helps in optimal integration of manufacturing control data banks.
- An evaluation of the internal control reports leads to practical solutions for cost-reduction and production efficiency.
Financial Services Example: Real time Disclosure to Comply with the US Patriot Act
Real time disclosure has been a requirement of the Securities Exchange Act of 1934:
REAL TIME ISSUER DISCLOSURES. Each issuer reporting under section 13(a) or 15(d) shall disclose to the public on a rapid and current basis such additional information concerning material changes in the financial condition or operations of the issuer, in plain English (Cohen 2003).
Financial Services Example: Real time Disclosure to Comply with laws
Two important application areas of the CA in banking and financial services that are mandated by recent laws in the US are:
- Compliance with the provisions of the Sarbanes-Oxley Act of 2002,
- Implementation of the Anti Money Laundering (AML) provisions of the US Patriot Act of 2001.
AML
Title III of the US Patriot Act is titled International Money Laundering Abatement and Anti-terrorist Financial Act of 2001. It delineates specific regulations regarding counter money laundering and related measures.
- Sec. 312. Special due diligence for correspondent accounts and private banking accounts.
- Sec. 313. Prohibition on United States correspondent accounts with foreign shell banks.
- Sec. 314. Cooperative efforts to deter money laundering.
- Sec. 318. Laundering money through a foreign bank.
- Sec. 325. Concentration accounts at financial institutions.
- Sec. 326. Verification of identification.
- Sec. 327. Consideration of anti-money laundering record.
- Sec. 328. International cooperation on identification of originators of wire transfers.
- Sec. 330. International cooperation in investigations of money laundering, financial crimes, and the finances of terrorist groups.
CA can help in complying with these requirements; a traditional audit may not.
AML
- Requires identification of the origins and destinations of each transaction and its corresponding client location
  - High risk locations are monitored
  - Customers that engage in suspect activities receive a higher risk score.
  - Some transaction types (e.g., third party redemptions) are riskier and provide risk scores based on their types.
- CA enables seamless processing, assessment, and risk scoring of transactions for money laundering.
A Basic AML CA Model
- Transactions pass through a Compliance Monitoring System, which is essentially
  - a pre-written rule-based engine to test for suspect money laundering transactions;
  - a data mining discovery engine which runs several job routines to identify potentially suspect patterns in the transactional data base.
- The exceptions reported from the Compliance Monitoring System will then go to an investigations unit for further analysis. If there were confirmed cases of money laundering, the profiles of these cases are fed to the data-mining system for learning and reducing the number of false positives.
A Basic AML CA Model
- Traditional statistical methods are not efficient
- There is a need for more sophisticated techniques such as: cluster analysis/profiling, outlier detection, link analysis, decision trees, association and sequence analysis, neural networks
- For example:
  - in a cluster analysis/profiling it is possible to segment a heterogeneous population into a number of sub-populations that share profiles of money launderers.
  - an account that historically did not have any wire transfer or cash deposits but suddenly engaged in incidences of these activities can be flagged and investigated.
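A small rule-based engine combining the risk factors from the AML slides (location, customer, transaction type) with the profile rule just described, as an added example that is not part of the original presentation. The location codes, weights, threshold and sample transactions are all constructed assumptions.

```python
from collections import defaultdict

# All codes, weights and thresholds below are constructed for illustration.
HIGH_RISK_LOCATIONS = {"XA", "XB"}        # placeholder location codes
TYPE_SCORES = {"third_party_redemption": 30, "wire": 10, "cash_deposit": 10}
WATCHED_TYPES = {"wire", "cash_deposit"}  # activity tracked by the profile rule
SUSPECT_CUSTOMERS = {"A2"}                # accounts with prior suspect activity
MIN_HISTORY = 3                           # prior transactions needed for a profile
THRESHOLD = 50                            # score that produces an exception

TRANSACTIONS = [  # constructed sample, already in time order
    {"id": "T1", "account": "A1", "type": "check", "origin": "US", "dest": "US", "client_loc": "US"},
    {"id": "T2", "account": "A1", "type": "check", "origin": "US", "dest": "US", "client_loc": "US"},
    {"id": "T3", "account": "A1", "type": "check", "origin": "US", "dest": "US", "client_loc": "US"},
    {"id": "T4", "account": "A1", "type": "wire", "origin": "US", "dest": "XA", "client_loc": "US"},
    {"id": "T5", "account": "A2", "type": "third_party_redemption", "origin": "US", "dest": "US", "client_loc": "US"},
    {"id": "T6", "account": "A3", "type": "wire", "origin": "US", "dest": "US", "client_loc": "US"},
    {"id": "T7", "account": "A1", "type": "wire", "origin": "US", "dest": "US", "client_loc": "US"},
]

def score_transaction(txn, history):
    """Return (score, reasons) for one transaction given the account's prior types."""
    score, reasons = 0, []
    if {txn["origin"], txn["dest"], txn["client_loc"]} & HIGH_RISK_LOCATIONS:
        score += 40
        reasons.append("high_risk_location")
    if txn["account"] in SUSPECT_CUSTOMERS:
        score += 30
        reasons.append("suspect_customer")
    type_score = TYPE_SCORES.get(txn["type"], 0)
    if type_score:
        score += type_score
        reasons.append("type:" + txn["type"])
    # Profile rule: an established account with no prior wire or cash activity
    # that now starts using it. New accounts have no profile yet, so they are
    # not flagged by this rule.
    if (txn["type"] in WATCHED_TYPES and len(history) >= MIN_HISTORY
            and not WATCHED_TYPES & set(history)):
        score += 25
        reasons.append("new_activity_for_account")
    return score, reasons

def exception_report(transactions, threshold=THRESHOLD):
    """Score transactions in order and return those at or above the threshold."""
    history = defaultdict(list)
    exceptions = []
    for txn in transactions:
        score, reasons = score_transaction(txn, history[txn["account"]])
        if score >= threshold:
            exceptions.append({"id": txn["id"], "account": txn["account"],
                               "score": score, "reasons": reasons})
        history[txn["account"]].append(txn["type"])
    return exceptions

if __name__ == "__main__":
    for row in exception_report(TRANSACTIONS):
        print(row)
```

The reasons list travels with each exception so the investigations unit can see which rule fired, and confirmed or rejected cases can be used to retune the weights.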
AML Sequence Matching
[Figure: sequence matching diagram. Recoverable labels: Sender Account; Household; Receiver Account; Bank; Agent; Account Owner.]
AML: Neural Networks