San Diego Chapter of ACFE Who left the CAATs out – Alternative Uses of Data Analytics Tools Tim Smith, CPA CISA, CISSP March 28, 2013


The Corporate Caveats

The concepts presented are my own and do not represent LPL Financial or LPL Financial Internal Audit.


What we are going to cover

CAATs revisited
How can they be used in new ways
Why auditors need to learn to use them
What tools exist

CAATs Close-up
Looking at security with CAATs
Some IDEA functions for new tricks
Some IDEA / CAATs success stories


A few things to use CAATs for

Validating data entry dates / times / users to identify postings or data entry times that are inappropriate or suspicious.

Classification to find patterns and associations among groups of data elements.

Gap testing to identify missing numbers in sequential data.

Joining different data sources to identify inappropriately matching values such as names, addresses, and account numbers in disparate systems.


What are you trying to test?

Controls

Metadata
Reports
Data

Transaction Details
Reports
Data

Reports
Off-the-shelf
Custom / ad-hoc

Before you ask IT – ask yourself


Metadata in an accounting system

Non-financial fields discussing the

Who
What
When
How

About the fields in the records comprising financial information

Together, these data can provide a diagnostic view of the accounting system


What might we need to look at

Retroactively
Transaction data – especially between systems
Transaction metadata
Module or journal entries
Logs

Prospectively
System access
Program change management


Working with system access information

Larger software vendors are targeting the small to medium enterprise space – SAP, Oracle, Microsoft. As a result, many businesses have access listings containing thousands of lines

System access information can be complex – very granular, with difficult formats

Data may cover multiple menu layers and multiple modules within an application

Therefore, it is vital to gain an understanding of basic access information structure and what you want to test before starting


A few systems with complex security reports

Oracle Financials
SAP (SmartExporter)
Microsoft Dynamics – Great Plains
Sage MAS 500
ADP Enterprise HR (EV5) -- Formerly PeopleSoft HRMS


MS Great Plains v10 security model – four levels

Security Operations refers to access to all windows, tables, reports and miscellaneous permissions

A Security Task is a set of Security Operations required to perform a specific task

A Security Role combines multiple Security Tasks required to perform a specific role

Each User and Company combination can have multiple Security Roles assigned to it
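
Added example, not part of the original slides: flattening the four levels described above (operations, tasks, roles, user/company assignments) so that conflicting access can be tested both inside a single role and across the roles a user holds. All role, task, operation and user names and the conflict pairs are constructed assumptions, not Great Plains identifiers.

```python
# Constructed sample data: every name below is illustrative, not a real Great Plains ID.
TASK_OPS = {                       # Security Task -> Security Operations
    "TASK_VENDOR": {"vendor.maintain"},
    "TASK_INVOICE": {"payables.enter"},
    "TASK_CHECKS": {"checks.print"},
    "TASK_INQUIRY": {"gl.inquire"},
}
ROLE_TASKS = {                     # Security Role -> Security Tasks
    "AP_CLERK": {"TASK_INVOICE", "TASK_INQUIRY"},
    "AP_MANAGER": {"TASK_CHECKS", "TASK_VENDOR"},
    "GL_VIEWER": {"TASK_INQUIRY"},
}
USER_ROLES = {                     # (User, Company) -> Security Roles
    ("jlee", "CO1"): {"AP_CLERK"},
    ("jlee", "CO2"): {"AP_CLERK", "AP_MANAGER"},
    ("mroy", "CO1"): {"GL_VIEWER"},
}
# Assumed audit rule set: pairs of operations one person should not hold together.
CONFLICTS = [("payables.enter", "checks.print"), ("vendor.maintain", "checks.print")]

def role_operations(role):
    """Flatten one role to the operations its tasks grant."""
    return set().union(*(TASK_OPS[t] for t in ROLE_TASKS[role]))

def effective_operations(user_company):
    """Flatten every role held by one user/company combination."""
    return set().union(*(role_operations(r) for r in USER_ROLES[user_company]))

def held_conflicts(ops):
    """Conflict pairs fully contained in a set of operations."""
    return [pair for pair in CONFLICTS if set(pair) <= ops]

def role_findings():
    """Roles that already contain a conflicting pair on their own."""
    return {r: held_conflicts(role_operations(r))
            for r in sorted(ROLE_TASKS) if held_conflicts(role_operations(r))}

def user_findings():
    """User/company combinations whose combined roles contain a conflicting pair."""
    return {uc: held_conflicts(effective_operations(uc))
            for uc in sorted(USER_ROLES) if held_conflicts(effective_operations(uc))}

if __name__ == "__main__":
    print(role_findings())
    print(user_findings())
```

The same user can be clean in one company and conflicted in another, which is why the test is keyed on the user/company combination rather than on the user alone.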


Complex Access From a higher level – viewed From the role


Unexpected functions within the roles


What are the tools?

Excel – row limitation (was 65K lines, now 1m or so); data easily changeable

Access – data also easily changed; might also hit a size limitation (1GB for pre 2003; 2-3 GB now)

SQL Server – again, data changeability; probable need for programming knowledge (SQL)

Specific CAATs software packages
ACL – Audit Command Language
IDEA – Interactive Data Extraction and Analysis


Key functionalities of IDEA

Profiling the data
Extractions
Gaps and Duplicates
Adding a new field
Smart Analyzer (an Add-on module)
Joining Databases


CAATs success stories 1

GAO report 02-406

Significant internal control weaknesses in Education’s payment processes and poor physical control over its computer assets made the department vulnerable to and in some cases resulted in fraud, improper payments, and lost assets.


CAATs success stories 2

Assisted a Federal agency evaluate problems with its accounting system, taking it from a disclaimer in year 1 to a qualified balance sheet in year 2 to a clean opinion in year 3.


MS GreatPlains


RACF security – User Attributes


iSeries – Display Object


Report Reader

Can be used with formatted text files

Can be used with non-picture PDF files

Create a template that can be used for future files of similar construction

Crucial for work with non-columnar reports or reports with header / trailer information to be ignored


Smart Analyzer – built in tests

Tests Looking at the Metadata

Journal Entries Posted on Weekends
Journal Entries Posted on Specific Dates and Times
Journal Entries by User
Journal Entries with Specific Comments
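
Added example, not part of the original slides and not Smart Analyzer's own logic: the metadata tests listed above (weekend postings, postings at specific times, entries by user) together with the gap test from the earlier list of CAATs uses, run over constructed journal entries. The entry numbers, user IDs and the 07:00-19:00 business-hours window are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample: (journal entry number, posting timestamp, user ID).
ENTRIES = [
    (5001, "2013-03-04 09:15", "akim"),
    (5002, "2013-03-04 16:40", "akim"),
    (5003, "2013-03-09 23:05", "bross"),   # Saturday, late night
    (5005, "2013-03-11 10:30", "cdiaz"),   # 5004 is missing
    (5006, "2013-03-12 02:12", "bross"),   # weekday, outside business hours
    (5009, "2013-03-17 11:00", "akim"),    # Sunday; 5007-5008 are missing
]

def parse(entries):
    """Turn the timestamp strings into datetime objects."""
    return [(n, datetime.strptime(ts, "%Y-%m-%d %H:%M"), u) for n, ts, u in entries]

def weekend_postings(entries):
    """Entry numbers posted on Saturday (5) or Sunday (6)."""
    return [n for n, ts, _ in parse(entries) if ts.weekday() >= 5]

def off_hours_postings(entries, start=7, end=19):
    """Entry numbers posted outside the assumed business-hours window."""
    return [n for n, ts, _ in parse(entries) if not start <= ts.hour < end]

def sequence_gaps(entries):
    """Inclusive (first_missing, last_missing) ranges in the entry numbering."""
    nums = sorted(n for n, _, _ in entries)
    return [(a + 1, b - 1) for a, b in zip(nums, nums[1:]) if b - a > 1]

def postings_by_user(entries):
    """Number of entries posted by each user ID."""
    return Counter(u for _, _, u in entries)

if __name__ == "__main__":
    print("weekend:", weekend_postings(ENTRIES))
    print("off hours:", off_hours_postings(ENTRIES))
    print("gaps:", sequence_gaps(ENTRIES))
    print("by user:", postings_by_user(ENTRIES).most_common())
```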


Joining databases - concepts


Primary
1001 Lagos
1002 Cairo
1003 New York
1004 Paris
1005 Berlin
1006 Sydney
1007 Toronto
1008 Durban
1009 London

Secondary
1004 France
1004 China
1006 Australia
1007 Canada
1008 South Africa
1009 UK
1010 Brazil
1011 Austria
1012 Peru

All records from Primary: note that ‘1004 China’ will not be included

No matches in Secondary: note that ‘1005 Berlin’ also will be included and no empty columns from secondary database will be included

Matches Only: note that ‘1005 Berlin’ and ‘1004 China’ will be excluded

No matches in Primary: note that ‘1004 China’ will NOT be included and an empty record from primary will be added to these 2 columns

All records in both files

An ‘All records from Secondary’ option is not included -> select the secondary file as the primary file


Joining databases - results


All records from both files

1001 Lagos       0
1002 Cairo       0
1003 New York    0
1004 Paris       1004 France
0                1004 China
1005 Berlin      0
1006 Sydney      1006 Australia
1007 Toronto     1007 Canada
1008 Durban      1008 South Africa
1009 London      1009 UK
0                1010 Brazil
0                1011 Austria
0                1012 Peru

All records from Primary

1001 Lagos       0
1002 Cairo       0
1003 New York    0
1004 Paris       1004 France
1005 Berlin      0
1006 Sydney      1006 Australia
1007 Toronto     1007 Canada
1008 Durban      1008 South Africa
1009 London      1009 UK

Matches Only

1004 Paris       1004 France
1006 Sydney      1006 Australia
1007 Toronto     1007 Canada
1008 Durban      1008 South Africa
1009 London      1009 UK

No Secondary

1001 Lagos
1002 Cairo
1003 New York
1005 Berlin

No Primary

0                1010 Brazil
0                1011 Austria
0                1012 Peru
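
Added example, not part of the original slides and not IDEA's own code: a small Python model of the five join results shown above, using the slides' sample records. It assumes each primary record pairs only with the first secondary record carrying its key, which is what the ‘1004 China’ rows imply, and it reports duplicate secondary keys so they can be reviewed before joining.

```python
# Sample records taken from the slides: (key, value).
PRIMARY = [(1001, "Lagos"), (1002, "Cairo"), (1003, "New York"), (1004, "Paris"),
           (1005, "Berlin"), (1006, "Sydney"), (1007, "Toronto"), (1008, "Durban"),
           (1009, "London")]
SECONDARY = [(1004, "France"), (1004, "China"), (1006, "Australia"),
             (1007, "Canada"), (1008, "South Africa"), (1009, "UK"),
             (1010, "Brazil"), (1011, "Austria"), (1012, "Peru")]

def split_secondary(secondary):
    """Return ({key: first value}, [records whose key repeats an earlier one])."""
    first, dupes = {}, []
    for key, val in secondary:
        if key in first:
            dupes.append((key, val))   # would be silently left out of most joins
        else:
            first[key] = val
    return first, dupes

def join(primary, secondary, mode):
    """Model of the slide's join results; assumes keys are non-zero (0 = no match)."""
    first, dupes = split_secondary(secondary)
    pkeys = {k for k, _ in primary}
    left = [(k, v, k, first[k]) if k in first else (k, v, 0, "") for k, v in primary]
    orphans = [(0, "", k, v) for k, v in first.items() if k not in pkeys]
    if mode == "all_primary":
        return left
    if mode == "matches_only":
        return [r for r in left if r[2]]
    if mode == "no_secondary":
        return [r[:2] for r in left if not r[2]]
    if mode == "no_primary":
        return orphans
    if mode == "all_both":
        rows = left + orphans + [(0, "", k, v) for k, v in dupes]
        # Order by whichever key is present; secondary-only rows follow a match.
        return sorted(rows, key=lambda r: (r[0] or r[2], r[0] == 0))
    raise ValueError(f"unknown join mode: {mode}")

if __name__ == "__main__":
    print("duplicate secondary keys:", split_secondary(SECONDARY)[1])
    for row in join(PRIMARY, SECONDARY, "all_both"):
        print(row)
```

Running the duplicate check first matters because ‘1004 China’ appears only in the "all records in both files" result; every other join type drops it without warning.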


CAATs Success Stories 3

Determined the extent of data changed by an A/R manager modified data to awards for efficient A/R management

Discovered numerous instances of cash awards where the same person proposed, approved, and received.


MAYHEM…..and CAATs

The authors describe manipulating a major financial accounting system used by corporations large and small (Great Plains) to show the importance of good information security and accounting controls.

They identify information security and accounting controls needed to detect these types of attacks.

http://www.securestate.com/Research%20and%20Innovation/Pages/Tools.aspx

In this time of reduced resources….don’t leave the CAATs out.


Questions or Comments?


Contact Information

Tim [email protected]

619-929-1221
