2. TABLE OF CONTENTS
04 Data Analytics and Audit Coverage Guide:
Sample 1
05 What is Data?
06 Data Becomes Information for Reporting
07 Reports With Data Analysis Are Designed
08 Defining Data Analysis
09 Getting Your Data
10 Where the Data Came From
11 Data Outputs
12 Choosing the Right Data Analysis Software
13 Internal Auditing Strategic Objectives
14 Provider and Implementer Support
2
15 Technical Features and Functionality
16 Cost
17 Readily Accessible Tools
18 Audit Software
19 Data Analysis Methodology
20 What Can I Do with This Stuff?
21 Where are we heading?
22 Data Analytics and Audit Coverage Guide:
Sample 2
23 Setting the Stage: Data Analysis Defined
24 What is Data?
25 Data Becomes Reports
3. TABLE OF CONTENTS
3
26 You Design Reports With Data Analysis
27 The Six Elements of Infrastructure
28 Critical Success Factors and Common Pitfalls
34 How Do we Use This and What Are Some
Good Examples?
5. WHAT IS DATA?
Name
Division Sales Amount
Employee
ID
Transaction Date Username Transaction Type
Customer
Number
Quantity
Price
General Ledger
(GL)
Account
5
6. DATA BECOMES INFORMATION FOR REPORTING
Client
Application
Program
Quantity
Part
Number
Unit Cost
Warehouse
Number
Data File
Inventory Report
Warehouse Part Description Quantity
Unit
Cost
Extended
Cost
1 xx xx xx xx xxx
1 xx xx xx xx xxx
4 xx xx xx xx xxx
4 xx xx xx xx xxx
10 xx xx xx xx xxx
10 xx xx xx xx xxx
6
7. REPORTS WITH DATA ANALYSIS ARE DESIGNED
Summarized by Part
Number
Extensions and
Footings Verified
Excess Inventory
Unusual Items
Data Analysis
Techniques
Customer Name
Customer ID
Quantity
Part
Number
Unit Cost
Warehouse
Number
Data File(s)
7
8. DEFINING DATA ANALYSIS
Data Analysis
The extraction of data from a company’s information system in order to perform data selection,
classification, ordering, filtering, translation and other functions to provide meaningful information
about business processes.
8
9. GETTING YOUR DATA
How is the data collected?
How is the data consolidated?
What system changes have happened recently?
What are the field’s restrictions?
9
10. WHERE THE DATA CAME FROM
Identified Underlying Table
• Data warehouse
• Production system
• Test environment
Parameters for Each Field That We Pulled
• What was excluded?
• What parameter takes priority?
10
11. DATA OUTPUTS
File Output Options
• Excel
• Text
• System proprietary
Delimiters
Multiple Files and Keys
Flat vs. Report Files
11
File Output Options
• Excel
• Text
• System proprietary
Delimiters
Multiple Files and Keys
Flat vs. Report Files
12. CHOOSING THE RIGHT DATA ANALYSIS SOFTWARE
With so many options (Excel,
Access, IDEA, ACL, SAS, etc.), how
do I choose?
12
13. INTERNAL AUDITING STRATEGIC OBJECTIVES
The software is easy to learn and use.
Reliance on IT professionals is minimized.
Reliability, portability and scalability occur in internal audit.
Data integrity and security occurs.
The development of automated and continuous programs is supported.
Documentation is improved and compatible with electronic workpapers.
13
14. PROVIDER AND IMPLEMENTER SUPPORT
Presence in the market exists.
A help desk (tech support) is available.
Team members understand auditing needs and business is done easily.
Regular software updates occur.
Training and user groups are available.
14
15. TECHNICAL FEATURES AND FUNCTIONALITY
The file type, volume and size handling are included.
Import data is easily reconciled and validated.
Data analysis functions are common (sorts, appends, summarization, gap
detection, aging).
Data analysis functions are advanced (correlation, trend analysis, time
series, statistical analysis).
Documentation of data actions is performed.
Reports and graphics are customized.
15
16. COST
16
Purchase price and implementation fees
Upgrade fees
Job aids (automated scripts and specialty components)
Help desk support
17. READILY ACCESSIBLE TOOLS
Microsoft Excel
• Advantages
− Incremental costs are easy to learn but do not exist.
• Disadvantages
− Import and data processing capabilities are limited.
− A join/grouping functionality does not exist.
Microsoft Access
• Advantages
− Import capability/interfaces with other databases are improved.
− Analyses relate to one another.
• Disadvantages
− SQL knowledge is heavily relied upon.
17
18. AUDIT SOFTWARE
Audit Command Language (ACL)
• Advantages
− Data handling and processing speeds are efficient.
− Data analysis functionalities are built in.
• Disadvantages
− Learning curve/script writing is hard.
IDEA
• Advantages
− Graphical user interface/visual scripts are efficient.
− Audit procedures and output reporting are effective.
• Disadvantages
− Advanced statistical analysis is limited.
18
19. DATA ANALYSIS METHODOLOGY
Example:
Analysis Statement 1: Verify that group purchase/requisitions orders have an associated invoice in the accounts
payable system.
Step 1: Extract line items with the desired cost/group codes from all data sets.
Step 2: Group POs in access using a select query and include the PO number.
Step 3: Group ROs in access using a select query and include the RO number.
Step 4: Compare the AP data table to the PO select query (we want to capture POs that don’t have an invoice
number).
Step 5: Compare the AP data table to the RO select query (we want to capture ROs that don’t have an invoice
number).
Step 6: Review the results (noting POs and ROs that have no invoices attributed to them).
Establish your objective statements.
Write your steps to achieve the objective.
19
20. WHAT CAN I DO WITH THIS STUFF?
Simplify Daily Processes
• Establish templates that can aggregate your line-item data to dashboards for quick review.
Detect, Correct and Prevent
• Review past information to detect issues, correct them and establish means to prevent it from occurring again.
Avoid Association Due to Correlation
• Raw historical data forecasting should involve a level of statistics for more meaningful results.
20
21. WHERE ARE WE HEADING?
Emerging trends in utilizing data to optimize normal business processes are
discovered.
New ways to measure business performance are adopted.
More time for value-added tasks is spent.
21
23. SETTING THE STAGE: DATA ANALYSIS DEFINED
Data Analysis
Computer-Aided Audit Tools
(CAATS)
Data Mining
Data Analysis
The extraction of data from a client’s information system in
order to perform data selection, classification, ordering,
filtering, translation and other functions to provide the client
with information about their business processes.
23
24. WHAT IS DATA?
Name
Division Sales Amount
Employee ID
Transaction Date Username Transaction Type
Customer
Number
Quantity
Price
General Ledger
(GL) Account
24
25. DATA BECOMES REPORTS
Client
Application
Program
Quantity
Part
Number
Unit Cost
Warehouse
Number
Data File Inventory Report
Warehouse Part Description Quantity
Unit
Cost
Extended
Cost
xxx xxx xxx xxx xxx xxx
xxx xxx xxx xxx xxx xxx
xxx xxx xxx xxx xxx xxx
xxx xxx xxx xxx xxx xxx
xxx xxx xxx xxx xxx xxx
xxx xxx xxx xxx xxx xxx
Name Division Sales
Amount
Employee
ID
Transaction
Date Username
Transaction
Type
Customer
Number
Quantity Price GL
Account
25
26. YOU DESIGN REPORTS WITH DATA ANALYSIS
Summarized by Part
Number
Verified Extensions
and Footings
Excess Inventory
Unusual Items
Data Analysis
Techniques
Customer
Name and
Customer ID
Quantity
Part
Number
Unit Cost
Warehouse
Number
Data File
26
Name Division Sales
Amount
Employee
ID
Transaction
Date Username
Transaction
Type
Customer
Number
Quantity Price G/L
Account
27. THE SIX ELEMENTS OF INFRASTRUCTURE
Risks if elements are deficient include:
Business
Policies
Business
Processes
People and
Organization
Management
Reports
Methodologies Systems
and Data
Information is not
available for
analysis and
reporting.
Reports do not
provide information
for effective
management.
People lack the
knowledge and
experience to
perform the
processes.
Methodologies do
not adequately
analyze data and
information.
Processes do not
carry out established
policies or achieve
intended results.
Automation and
data integrity meet
needs.
Informed decisions
are based on reports.
Processes are
assigned to key
owners.
Information
facilitates the
definition of
controls.
Policies define
processes.
27
28. CRITICAL SUCCESS FACTORS AND COMMON
PITFALLS (1/6)
Business
Policies
Business
Processes
People and
Organization
Management
Reports
Methodologies
Systems
and Data
• Focus on what matters:
− Find fraud, waste and abuse.
− Ensure compliance.
− Monitor business performance.
− Monitor risk across the organization.
• Link the program to business objectives.
• Articulate the specific benefits of investing in a program and the implementation strategy.
28
29. CRITICAL SUCCESS FACTORS AND COMMON PITFALLS
(2/6)
Business
Policies
Business
Processes
People and
Organization
Management
Reports
Methodologies
Systems
and Data
• Define a high-level process.
− Inputs
− Activities
− Outputs
• Identify the source of inputs.
− How is information captured?
− How will inputs be validated?
• Determine the types of activities that will be performed.
− Data analysis and investigation of anomalies
− Manual audit procedures
• Identify expected outputs and audience.
• Define periodic reporting processes.
29
30. CRITICAL SUCCESS FACTORS AND COMMON
PITFALLS (3/6)
Business
Policies
Business
Processes
People and
Organization
Management
Reports
Methodologies
Systems
and Data
• Obtain executive support for the program.
− Identify all key stakeholders.
− Source the champion.
− Use program management and executers.
− Utilize data providers.
− Use recipients of detailed results and periodic summaries.
• Understand the needs of key stakeholders.
• Obtain buy-in for programs from key stakeholders.
• Identify and develop required skills and competencies.
• Identify and address organizational obstacles.
30
31. CRITICAL SUCCESS FACTORS AND COMMON
PITFALLS (4/6)
• Identify data requirements for the program.
− What information is required?
− Where is that information stored?
− Who can provide the information?
• Design a standard data request format.
− Timeline
− Source and required data
− Background information
• Define data validation processes and reporting.
• Define reporting requirements by stakeholders.
− What information does the audience want and what questions do they want answered?
− How will detailed results be summarized?
− Who will make conclusions based on the results?
Business
Policies
Business
Processes
People and
Organization
Management
Reports
Methodologies
Systems
and Data
31
32. CRITICAL SUCCESS FACTORS AND COMMON
PITFALLS (5/6)
Business
Policies
Business
Processes
People and
Organization
Management
Reports
Methodologies
Systems
and Data
• Define the test scope and tolerances.
• Develop testing procedures (rules).
• Select or build an application, if applicable.
− Understand standard queries.
− Select applicable procedures.
− Embed queries into applications.
− Test logic and confirm results.
• Provide adequate training to applicable stakeholders.
• Automate as many “rules” as practical.
− Use system-based audit targets.
− Use manually-intensive audit targets.
32
33. CRITICAL SUCCESS FACTORS AND COMMON
PITFALLS (6/6)
Business
Policies
Business
Processes
People and
Organization
Management
Reports
Methodologies
Systems
and Data
• Understand how applicable data is captured and reported in operational and financial systems.
− Procurement is handled through payments.
− Sales are handled through cash applications.
− Payroll and expense reimbursement occur.
− General and subledgers are used.
− Bank information is utilized.
− External databases are used.
• Understand system interfaces (automated and manual).
− Advocate automating data capture where practical.
• Know the audit tools available and their capabilities.
• Select the right tools for programs/procedures.
• Focus on driving efficiency over time vs. initial investment.
33
34. HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
Data Analysis: Suggested Approach
34
1. Identify
opportunities.
2. Research
possible
opportunities.
3. Design an
assessment.
Planning and Data
Request
4. Acquire data.
5. Load data.
6. Perform
validation and
proofing.
Acquisition and
Validation
7. Perform a
basic
analysis.
8. Present
findings
through a
presentation.
Analysis and
Testing
9. Produce a
final report.
10.Close the
project.
Wrap-Up
35. HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
Possible Examples for Consideration
35
GL and Journal Entry Examples
• Benford’s Law on Journal Entries
by User
• Journal Entries Identifying Outliers
(Uncommon Accounts, Profit
Centers and Cost Centers)
• Manual-Round Dollar Entries
• Unusual Posting Dates/Times
• Split Entries Analysis (Entries Just
Below Approval Threshold)
• Suspense, Clearing and
Intercompany Accounts Analysis
• Credits Vs. Aged Invoices Analysis
• Reversed Month-End Journal
Entries
• Entries Within Accounts
• Inactive Accounts Entries
• Percentage Variances in GL
Accounts Between Periods
Travel and Entertainment Examples
• Spend by Employee
• Expenses by Employee
Analysis (Just Below
Threshold, Comparison of
Employees Expensing
Duplicates, Expensing Airfare
but No Hotel Vice Versa,
Expensing Car But No Airfare,
Etc.)
• MCCG and MCC of T&E or P-
Card Transactions
• Benford’s Law Analysis on
Employee Expenses
• Expense Dollar and Volume
Stratification
• Inactive Employee Spend
Analysis
• Spend by Expense Type
• Large-Dollar Expenses
Identification
• Nontimely Expense
Submission
• Expense Analysis by Category
(E.g., Airfare, Office Supply,
Cell Phone and Professional
Dues)
• Per Diem Expense
Identification and Comparison
to Trips, Policy Threshold and
Potential Duplicates in Meal
Reimbursement and Per Diem
• Duplicate Expense Submission
• Weekend Transaction Dates
Analysis
• Activity From Personnel in
Expense-Centric Departments
Analysis
36. HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
Case Study 1
36
Background
• Global management consulting, technology services, and companies with offices and
operations in more than 50 countries and annual revenues in excess of $21 billion are
outsourced.
• Internal audit (IA) personnel used ACL to perform limited analyses as part of quarterly
companywide journal entry (JE) reviews of more than 13 million journal entry lines. All
analyses were performed manually through the ACL graphical user interface.
• IA personnel were using Excel to perform limited analyses for employee time and expense
(T&E) testing.
Project
Objectives
• Implement routines (e.g., scripts) in ACL to automate the existing limited JE and T&E
analytics.
• Create additional automated testing routines to be executed as quarterly continuous controls
monitoring (CCM) procedures.
37. HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
JE Testing Overview
37
• Quarterly Companywide JE Review
− Data integrity testing, such as reconciliation to control totals, analysis of
reporting period and search for blanks in key fields is done.
− An analysis of JE approvers on an authorized list and an analysis of
manual and automated entries by document type were performed.
Entries where the document header or line item text is blank were
identified.
• CCM: Data Exploration
− Classify unique values for key data fields, including company code,
transaction code, manual vs. automated flag, year/period and currency.
− Statistics on amount and posting date fields are used.
• CCM: Duplicates Testing
− Identify duplicates (same account and amount) for manual JEs.
• CCM: Fraud Analytics
− Keyword search for items, such as “plug,” “miscellaneous,”
“temporary,” “adjust,” etc.
− Entries posted in the top 10 countries in the corruption perceptions
index listing are evaluated.
− The same person should enter and post all manual JEs.
• CCM: High-Risk Account Entries
− Identify all entries posted to “high-risk” accounts.
• CCM: Timeliness of Postings Analysis
− Calculate the number of days between journal entries and posting
dates.
38. HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
T&E Testing Overview
38
• General Data Overview
− Create record count and dollar amount totals by year and month (i.e.,
to reconcile to control totals).
− Classify unique values for key data fields, including expense type and
entry date.
− Identify the top 100 highest and lowest transaction amounts.
− Use the statistics on amount field.
• T&E Population Analyses
− Identify transactions just under $XX threshold for receipts per U.S.
policy.
− Extract all transactions that are around multiples of $XXX.
− Perform approval threshold analyses for certain expense types per
policy, including training/publication greater than $XXX, business deals
greater than $XXX and travel/other greater than $XXX.
− Identify potential duplicates using multiple sets of criteria.
• Expense Type Analyses
− Identify all transactions for certain expense types assessed to be high-
risk, including “Gifts, Floral, Tickets and Promotional Items,”
“Miscellaneous,” “Non-Standard Office Supplies,” “Technology
Supplies” and “Charitable Contributions.”
• Keyword Search
− Keyword search for items assessed to be high-risk, such as “gift,” “car
repair,” “rent,” “pet,” “movie,” “apartment,” “doctor,” “furniture,” “laptop,”
“clothes,” “tuition,” “laundry,” etc.
39. HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
Summary of Value
39
JE Testing: Sample Results From One Quarter
• The amount of time to perform quarterly JE review procedures, including manual analyses through the ACL GUI,
was reduced from approximately XX-XX hours to XX-XX hours.
• Additional CCM test results include:
– XXX journal entries (more than XXX journal entry lines) where the same individual entered and posted the JE
occurred.
– Nearly XXX JE lines were just under the $XX approval threshold.
– XXX JE lines with the word “plug” were entered, XXX JE lines with the word “miscellaneous” were entered and
nearly XXX JE lines with the word “temporary” were entered.
– XXX JEs where the posting date was more than XX days before the entry date occurred.
– More than XXX journal entries were posted in countries in the top 10 of the corruption perceptions index,
including nearly XX journal entries with line amounts greater than $XXX.
T&E Testing: Sample Results From One Quarter
• More than XXX expense transactions with the word “wine,” XX containing the word “laundry,” more than XXX with
the word “golf,” XX with the words “doctor” or “surgery,” XX with the word “clothes” and XX with the word “iPod”
were identified.
• Nearly XXX transactions with round dollar amounts that are multiples of $XXX were identified.
• All transactions requiring separate approvals per policy, including XXX transactions exceeding the business meal
threshold, XXX above the training/publications threshold and more than XXX exceeding the “other expense”
threshold were identified for additional testing.
• More than XXX potential duplicate transactions with the same personnel number, expense date, charge code,
expense type and amount were identified.
40. HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
More Examples for Consideration
40
Procure-to-Pay Examples
• Vendor Master File Analysis
• Number of Inactive Vendors With
Activity
• Payments to Inactive Vendors
• Duplicate Vendors, Invoices and
Payments
• Vendor to Employee Match
• Benford’s Law Analysis – Invoice,
Payments, PO and/or Credit
Analysis
• Missed Discounts: Late Payments
• Authorization and Analysis of PR,
PO, Invoice and Payment
• Aging AP and Credit Processing
Analysis
• Holiday Activity
• Void/Reissue Payment Analysis
• Payment Gap Analysis
• User Analysis Between Vendor
Setup, Voucher and Payment
Processing
• Debit Memos/Adjustments Analysis
• Overpayments/Refunds Analysis
(Unused Credits)
Order-to-Cash Examples
• Cash Receipts and Timely Posting
Analysis
• Customer Credit Ranking Analysis
(Amounts and Authorization) and
Customer Activity Analysis
(Payments and Credits)
• Write-Off Transactions Analysis
(Authorization and Timeliness)
• DSO Analysis by Order Date, Bill
Date and Payment Received Date
• Unfulfilled Customer Purchas
Orders Analysis
• User Analysis
• Customer Account Aging Analysis
• Holiday Activity
Information Technology
• Access Rights Analysis
• Multisystem Segregation of Duties
Analysis
• Last User Sign-On Analysis
• Employee Master Records Analysis
• Duplicate Employee IDs Analysis
• Change Management Authorization
• New Hires/Terminations
• Problem Management Analysis
• System Logic Analysis (Write-Offs
and Refunds)
• Benchmarking Reports (Determine
the accuracy of system reports by
utilizing actual transactional and
master data [i.e., compute what the
values should be based on
business rules and then compare
them to actual monthly reports].)
41. HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
Sample Results: Supplier Statement Audits
41
ERP 1 ERP 2 ERP 3
Root Cause Count Dollar Count Dollar Count Dollar
Adjustment XX XX XX XX XX XX
Duplicate payment XX XX XX XX XX XX
Overpayment XX XX XX XX XX XX
Rebate XX XX XX XX XX XX
Return XX XX XX XX XX XX
Unapplied cash XX XX XX XX XX XX
Unknown XX XX XX XX XX XX
Total XX XX XX XX XX XX
Example Vendor Credit Summary
Example Key Findings
• Aged items on accounts were surfaced to the organization to enable them to readdress these with the vendor for
more immediate resolution.
• Credits are being received by plant locations but are not being sent to the shared services centers for processing.
• Unapplied cash and returns were the most prominent root causes of credits.
Supplier statement reviews can be a significant driver for identifying unused credits or outstanding checks, which result
in near-term cash recovery.
Received responses from xx%
of suppliers totaling xx% of
spend.
XX Suppliers With
Credits
$XXX
Recovered
XXX Suppliers
XXX Responses
XXX Credits
42. HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
Sample Results: Payment Terms
42
Nonstandard or “unfavorable” payment terms should be analyzed to determine opportunities for either payment
discounts or extending to more favorable terms.
0
20
40
60
80
100
120
140
Net 0 Net 7 Net
10
Net
15
Net
20
Net
30
1/10
Net
10
2/15
Net
15
2/10
Net
10
All
Other
Number
of
Invoices
(000's)
Invoice Team
Payment Demographics
xx, x%
xx, x% xx, x%
xx, x%
xx, x%
xx, x%
xx, x%
xx, xx%
xx, x%
Unfavorable Terms
xxx Invoices (xx%)
xx, x%
XX Invoices,
$XXM
XX Invoices,
$XX M
XX Invoices,
$XXM
Invoice Spend Totals by Payment Term
Less than 30
Days No
Discount
43%
Discounted
Terms
17%
Less than 30
Days No
Discount
Net 30+
No
Discount
40%
Discounted
Terms
17%
Net 30+
No
Discount
40%
Observations
• XX% of all nondiscount invoice terms required payment in less than the standard 30-day payment terms.
• $XXX in invoice spend (XX%) had immediate payment terms.
43. HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
Fixed Assets
43
• Estimate/recalculate depreciation.
• Verify that accumulated depreciation does not
exceed cost for any asset.
• Identify “credit” assets.
• Identify land that is depreciating.
• Identify assets assigned out of the useful lives
policy.
• Determine the assets setup with the cost below
the capitalization threshold.
• Estimate the impact to P&L of
increasing/decreasing capitalization threshold.
• Review for duplicate asset setups.
• Look out for aging CIP.
• Facilitate item master cleanup.
• Search for negative depreciation.
• Use inconsistent/outlier useful lives/depreciation
methods.
• Perform a post-addition percentage analysis (how
much more cost added after depreciation
started).
• Search for aged and fully depreciated assets.
• Perform an asset-classification analysis (leased
vs. fixed or long-term vs. short-term).
• Compare the asset turnover ratio to the industry
average.
44. HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
Inventory
44
• Inventory by type summary is identified.
• Inconsistent costing is identified.
• Inconsistent units of measure with the same unit
costs are used.
• Category types are verified.
• Cost analysis is extended.
• A quantity analysis is done.
• A per unit cost analysis is performed.
• Current vs. prior-year cost comparison setup is
performed.
• Reports of unit cost changes are used based on
prior-year quantities and current-year unit costs.
• Sales analysis is done.
• Inventory vs. sales analysis is done.
• Potential excess inventory is identified.
• Margin review occurs.
• A user analysis between the purchase order and
receipt is done.
• An inventory adjustment analysis (write-offs) by
items, users, locations, transaction type and time
of day is performed.
• An inventory adjustment analysis (returns) by
items, users, locations, transaction type and time
of day is done.
• A scrap activity analysis is performed.
• Negative inventory balances and/or inconsistent
fluctuations in inventory accounts between
months are identified.
45. HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
Lessons Learned
45
You have a tremendous opportunity to drive value and be an agent of positive change in your
organization!
Senior management buy-in is crucial for the success of any controls
monitoring projects.
Requirements, documentation and change request procedures are defined.
IT should be involved earlier on during the project.
Ensure to test, test and test.
Focus on high-risk processes.