Auditing ERP Applications and Cloud - TACS 2011

This presentation aims to clarify how we can make use of data analytics tools and techniques to cut through the complexity of data to focus on what we want to know.

Case studies on auditing staff and medical claims as well as procurement and payments review will help illustrate the principles that one can adopt to cut through the complexity to zoom in on what is of importance to the auditor or controls professional.

It aims to share how we can “make sense out of nonsense” if we understand our data, apply basic data analytical approaches to access the data and to generate the information that we need to solve business problems or to make business decisions.



  • 1. Audit Testing ERP Application and Connecting with Cloud
    Yoong Ee Chuan CISA, CISM, CPA, CIA
  • 2. Agenda
    1. Analysing how data analytics enhances audit testing of ERP applications
    2. Exploring different data analytics and computer assisted audit tools and techniques
    3. Understanding the risks of hosting ERP data with cloud computing
    4. Questions and answers
  • 3. Audit Testing – ERP Applications
    What is Data Analytics?
    “Analysis of data is a process of inspecting, cleaning, transforming, and modeling data with the goal of highlighting useful information, suggesting conclusions, and supporting decision making. Data analysis has multiple facets and approaches, encompassing diverse techniques under a variety of names, in different business, science, and social science domains.” -- Source:
    • Some examples
      • Computer-assisted audit tools/techniques
      • Data mining
      • Business intelligence
      • Statistical applications
  • 4. Audit Testing – ERP Applications
    “Making sense out of nonsense!”
  • 5. Analysing How Data Analytics Enhances Audit Testing of ERP Applications
  • 6. Audit Testing – ERP Applications
    Challenges of Audit Testing ERP Applications
    • ERP systems provide a wealth of information
    • If you can access it quickly, efficiently and effectively
    • Challenges include
      • Lack of IT knowledge and skills by auditor
      • Lack of knowledge of ERP package/module
      • Lack of SQL, query language
      • Overwhelming transaction volume from computerised records
        • Difficult to aggregate information for meaningful analysis
        • Cannot see the forest for the trees
    • Access to data usually requires help of Information Technology, Finance and Operations to obtain reports and analysis needed
    • Use of data analytics allows the stories behind the data to emerge based on the questions the auditor asks
  • 7. Audit Testing – ERP Applications
    Why Use Data Analytics for Audit Testing ERP Applications?
    • Increasing quantity and quality of data available
    • Larger organisations typically have Enterprise Resource Planning (ERP) implementations
      • Human Resources/Payroll
      • Financial Accounting/Management Reporting
      • Accounts Payables
      • Accounts Receivables
      • Fixed Assets/Inventory
      • General Ledger
      • Project Management/Costing
      • Core business applications for operations
    • Business transactions captured in the bits and bytes of data residing in ERP systems
  • 8. Audit Testing – ERP Applications
    • Ability to analyse the underlying data representing business transactions in meaningful ways:
      • Empowers auditors to understand the business risks
      • Use in audit planning and risk assessment
        • Surveying audit universe from financial and operating data
        • Summarisation of key fields by department, divisions, sections
        • Helps to flag out areas of interest, potential misstatement, non-compliance and potential fraud risks
      • Ascertain compliance with business policies and procedures:
        • Carry out detailed substantive and compliance auditing procedures
        • 100% testing instead of sampling
        • Enhanced assurance and coverage
        • Provides sufficient and appropriate evidence for audit reporting
        • Exceptions are specific transactions flagged out by the data analytics tools
  • 9. Exploring Different Data Analytics and Computer Assisted Audit Tools and Techniques (CAATs)
  • 10. Exploring Data Analytics & CAATs
    • You already have them!
    • Data analytics software
      • Key characteristics
        • Slice and dice to what you desire
        • Filter, sort, summarise, total, count, chart, pivot
      • E.g. Microsoft Excel, Access, Open Office Calc, Google Docs etc.
      • IDEA, ACL, SPSS etc.
    • There is no “perfect” tool
      • Match the tools to the skillsets, experience, availability
  • 11. Exploring Data Analytics & CAATs
    Example: Interactive Data Extraction and Analysis (IDEA)
    • Caseware IDEA - Data analysis / generalised audit software / computer-assisted audit tool
    Caveats: Auditors / control professionals still need to:
    • Audit objectives
    • Need to understand business application and data residing in system
    • Need to know what is the audit issue/business problem.
    • Need to define the data needed and apply the right analysis to derive the answers
    • Answers may not always be 100% conclusive, still need professional judgement and other corroborating evidence
  • 12. Exploring Data Analytics & CAATs
    Source: Caseware IDEA
  • 13. Auditing ERP Applications – Case Study
    Audit of Staff Claims
    • Medical Claims
    • Transport Claims
    Why audit ERP applications using data analytics?
    • Data analysis approach allows detection of non-compliances and helps organisation achieve value-for-money
    • Review ALL (100%) of transactions vs sample 30 claims
    How to approach audit of ERP applications
    • Step 1: Import data from ERP system i.e. Excel or flat files
    • Step 2: Define field definition (text, numeric, date)
    • Step 3: Run analysis i.e. exceptions, duplicates, patterns
    • Step 4: Report exceptions, anomalies, patterns
  • 14. Auditing ERP Applications – Case Study
  • 15. Use of IDEA in Audit of Staff Claims (Medical)
    Detecting Duplicate Claims
    • Obtain list of staff medical claims from ERP system for period of interest (e.g. all transactions for 1 year)
    • Identify key fields for testing i.e. “RECEIPT NO.”, “STAFF ID” and “CLINIC/HOSPITAL”
    • Summarise by “STAFF ID”, followed by “RECEIPT NO.” and analyse for anomalies
    • Run duplicates test on “RECEIPT NO.”
  • 16. Use of IDEA in Audit of Staff Claims (Medical)
    Detecting Duplicate Claims
    • Obtain data, identify fields of interest i.e. “RECEIPT NO.”, “RECEIPT DATE”, “STAFF ID”
    • Run duplicates test on “RECEIPT NO.” and “RECEIPT DATE”
    • Query HR on duplicate payment
  • 17. Use of IDEA in Audit of Staff Claims (Transport)
    Detecting Erroneous Claims
    Audit Observation #1: Non-deduction of Normal Travel Expenses from Office to Home for journeys Starting or Ending from Home
    1.
      • Obtain staff travel claims data for 1 year
      • Identify fields of interest i.e. “FROM”, “FROM_TO_HOME”, “OFF_DAY”, “STAFF ID”
    2.
      • Extract FROM = “Home”, FROM_TO_HOME = “N” and OFF_DAY = “N”
      • Do similar for TO = “Home” etc.
    3.
      • Flags out all transactions where staff did not deduct the cost of journeys starting or ending at “home” since reimbursement policy does not allow claims for journeys made from home to workplace
  • 18. Use of IDEA in Audit of Staff Claims (Transport)
    Detecting Erroneous Claims
    Audit Observation #2: Possible Duplicate Taxi Claims and Claims without Valid Taxi Receipt Numbers
    1.
      • Obtain staff travel claims data for 1 year
      • Identify fields of interest i.e. “RECEIPT_NO”
    2.
      • Extract data where “RECEIPT_NO” is not “” and test for duplicates
      • Extract data where “RECEIPT_NO” is “” (blank)
    3.
      • Flag out all exceptions to business rules and query department responsible for anomalies
  • 19. Use of IDEA in Audit of Staff Claims (Transport)
    Detecting Erroneous Claims
    Audit Observation #3: Unusual multiple journeys within the same day by same staff
    1.
      • Obtain staff travel claims data for 1 year
      • Identify fields of interest i.e. “RECEIPT DATE”, “STAFF ID”
    2.
      • Summarise by “RECEIPT DATE” and “STAFF ID”
      • Sort by “NO_OF_RECS” (no. of records)
    3.
      • High “NO_OF_RECS” indicates multiple journeys made on same day by same staff. Unusual unless staff is doing delivery
  • 20. Use of IDEA in Audit of Staff Claims
    Using a Data Driven in Auditing ERP
    • Understand business process
      • Walkthrough and document business process
      • Identify key controls for testing
    • Obtain data of interest
      • Identify and understand data available
      • Key fields for testing
    • Get big picture
      • Do field statistics or summarise all fields to get overall picture of data
    • Analyse for exceptions
      • Run analysis for exceptions to business rules
  • 21. Understanding the Risks of Hosting ERP Data with Cloud Computing
  • 22. Connecting with Cloud
    Cloud Computing is already here:
    • Cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet). -- Wikipedia (
    • Cloud computing in consumer space is pervasive
      • Email services: e.g. Google Gmail, Microsoft Hotmail
      • Instant messaging: e.g. Yahoo Messenger, Microsoft Live, Gmail Gtalk
      • Web content management: e.g. blogger, wordpress
    • Cloud computing in business space is growing
      • Refer to OpenCloud Taxonomy
  • 23. Connecting with Cloud
  • 24. Connecting with Cloud
  • 25. Connecting with Cloud
    Issues relating to Cloud Computing:
    • Key Issues: Security (Source: Trustworthy Computing: Privacy in the Cloud Computing Era – November 2009, Microsoft)
      • Are hosted data and applications within the cloud protected by suitably robust privacy policies?
      • Are cloud computing provider’s technical infrastructure, applications and processes secure?
      • Are processes in place to support appropriate action in the event of an incident that affects privacy or security?
  • 26. Connecting with Cloud
  • 27. Connecting with Cloud
    Public Sector Perspective
    • Government Instruction Manual No. 8 (IM8) has been in force
      • Policy on Infocomm Technology (ICT) Security
      • Recent update (vide MICA ICT Circular No. 2/2011 on 2 June 2011): Policy now applies to ICT security of systems used to store, process or access Government Data
      • Previously related to “Systems owned by government agencies”
      • Covers new situations where data resides in commercial vendor’s systems and not systems owned by government agencies e.g. where cloud is involved
  • 28. Connecting with Cloud
    NP Experience
    • Education sector – drive towards cloud adoption
    • Student Email services:
      • From Lotus Notes → MS Connectmail
      • Cost savings in infrastructure, security and administration
    • Mobile Student Assessment for Clinical Attachment
      • Health Sciences (Nursing) students
      • Practicums and clinical attachments to hospital big part of course curriculum
      • Assessment using traditional written examination enhanced
      • Using assessment application developed by 3rd party vendor for iPod Touch
      • iPod Touch → Application → Database of student assessment records for practicum on Cloud
  • 29. Connecting with Cloud
    NP Experience
    • Internal Audit’s response
      • IT security control objectives do not change
      • Refer to compliance model (figure 6 – Mapping the Cloud Model to the Security Control & Compliance model) to help understand gaps
      • However, cloud deployment of applications and hosting of data re-raises some of the outsourcing risks where vendors are managing your information assets
      • Assess risks and sensitivity of data
      • In accordance with IM8 requirements?
  • 30. Questions & Answers
  • 31. THANK YOU
    Yoong Ee Chuan CPA CIA CISA CISM
    Email:
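
The transport-claim tests from slides 17 to 19 (with the duplicate-receipt test of slides 15 and 16), written out as an added Python example; it is not part of the presentation and is not IDEA's own functionality. Column names follow the slides with underscores assumed, and the sample rows and the case/whitespace normalisation of receipt numbers are assumptions made here.

```python
import csv
import io
from collections import Counter

# Constructed sample export; column names follow the slides, values are invented.
SAMPLE = """STAFF_ID,RECEIPT_NO,RECEIPT_DATE,FROM,TO,FROM_TO_HOME,OFF_DAY,AMOUNT
S001,T1001,2011-03-01,Home,Client A,N,N,18.50
S001,T1002,2011-03-01,Client A,Office,N,N,12.00
S001,t1001 ,2011-03-01,Office,Client B,N,N,18.50
S002,,2011-03-02,Office,Home,Y,N,22.00
S002,T2001,2011-03-05,Home,Office,N,Y,15.00
S003,T3001,2011-03-02,Office,Home,N,N,20.00
"""

def load(text):
    """Steps 1-2: import the flat file and normalise the key fields."""
    rows = [{k: v.strip() for k, v in r.items()} for r in csv.DictReader(io.StringIO(text))]
    for line_no, r in enumerate(rows, start=2):    # line 1 is the header
        r["LINE"] = line_no
        r["RECEIPT_NO"] = r["RECEIPT_NO"].upper()  # "t1001 " and "T1001" are one receipt
    return rows

def duplicate_receipts(rows):
    """Observation #2: non-blank RECEIPT_NO claimed more than once."""
    counts = Counter(r["RECEIPT_NO"] for r in rows if r["RECEIPT_NO"])
    return {no: [r["LINE"] for r in rows if r["RECEIPT_NO"] == no]
            for no, n in counts.items() if n > 1}

def blank_receipts(rows):
    """Observation #2: claims with no receipt number at all."""
    return [r["LINE"] for r in rows if not r["RECEIPT_NO"]]

def home_not_deducted(rows):
    """Observation #1: journey starts or ends at Home, both flags are "N"."""
    return [r["LINE"] for r in rows
            if "Home" in (r["FROM"], r["TO"])
            and r["FROM_TO_HOME"] == "N" and r["OFF_DAY"] == "N"]

def journeys_per_day(rows, minimum=2):
    """Observation #3: summarise by date and staff, highest NO_OF_RECS first."""
    counts = Counter((r["RECEIPT_DATE"], r["STAFF_ID"]) for r in rows)
    return [(d, s, n) for (d, s), n in counts.most_common() if n >= minimum]

if __name__ == "__main__":
    claims = load(SAMPLE)
    print("duplicates:", duplicate_receipts(claims))
    print("blank:", blank_receipts(claims))
    print("home not deducted:", home_not_deducted(claims))
    print("multiple journeys:", journeys_per_day(claims))
```

Each function returns file line numbers so an exception can be traced back to the exported record before the responsible department is queried.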