P.I. Elsas & J. Gangolly: Enterprise-level Process Documentation incorporating Automatic Audit Analytics, Biennial Deloitte / University of Kansas Auditing Symposium, Lawrence, Kansas, USA, May 2008 (invited keynote)
Enterprise-level Process Documentation incorporating Automatic Audit Analytics
Philip Elsas, ComputationalAuditing.com; Jagdish Gangolly, SUNY-Albany
Lawrence, Kansas, May 2-3, 2008
2008 Deloitte / University of Kansas Auditing Symposium: Assessing Audit Risks in an Evolving Assurance Environment
Deloitte’s Smart Audit Support (1), p.324; Proven Architecture for Interactive Documentation & Guidance; Audit Plan Performance Module (blueprint only); Audit Evaluation Module (blueprint only); Smart Audit Support (2); Audit Planning Module; KST Definition Module; Knowledge Specification Tool; National Tailoring; one per engagement team; one in Deloitte; one per country; Client Tailoring; Assurance Environment
What is it? Elementary Trade Example
- Top-down, Leveled Diagram
- Enterprise-wide: Integral & Unifying
- Top-level is a Supercycle: one level up & connecting US cycles
- Normative (‘Soll’) & Representative (‘Ist’)
- Mental Model = Executable Model
- Flow of Money; Flow of Goods
- Static: State, Balance Item (S)
- Dynamic: Transaction, Profit & Loss Item (T)
What is it? Trade Diagram in detailed Audit Net
http://www.ComputationalAuditing.com/images/Kring.swf
Process Steps: 1. Purchase 2. Accept 3. Sales 4. Deliver & Collect 5. Pay 6. Collect
ComputationalAuditing.com: Audit Pack Platform
- Starreveld Auditee Classification Based on Rigor in the Supercycle
- Drill-down tree with downloadable packs
- Every node contains a supercycle pack & client-tailoring guidance
- Uploader, downloader & broker
- Client Side: “Information Rules”
- Pack Trade
- Roll Upward; Roll Forward
- Effective; Scalable; Cost-Efficient
- Real software: Release 0.5, April 2008
Qualitative Audit Analytics: Segregation of Duties (1 of 3)
Everything for SoD analysis. Real case: International Network of Accountants and Auditors, INAA, SRA
Agent Legend: M: Majority Owner-Manager; S: Sales department; B: Buy/Purchase department; F: Financial administrator; T: Technical staff manager; W: Warehouse manager
Capital: Authorization - Small: Ability
[Diagram: audit net with arc weights and agent annotations]
Qualitative Audit Analytics (2 of 3)
INAA, SRA Case Output: Solo-Fraud Base
- Potential Solo-Fraud
- Conceptual Primitives
- Why is this class relevant? ISA 240
- Isn’t this only interesting for SME?
Qualitative Audit Analytics - SoD (3 of 3)
X-Raying Segregation of Duties: Support to Illuminate an Enterprise’s Immunity to Solo-Fraud
UWCISA presentation on: http://artsms.uwaterloo.ca/accounting/uwcisa/symposium_2007/Program.htm
Paper with discussions and response, appearing in the International Journal of Accounting Information Systems, June 2008
Quantitative Audit Analytics: Check Model (1 of 5)
Real case: Ernst & Young. Everything for Check Model
- Book & Course flow: 1-1 normative
- Materiality
- Coverage of registration points in SoD: S & T
- Quantitatively motivated process decomposition
[Diagram: audit net with arc weights]
Quantitative Audit Analytics: Enterprise-level Check Model, Output E&Y Case (2 of 5)
1. Debtors ‘+’ (Deb): $\text{Deb}_I\,(\text{Sales}) \cdot 1000 + \text{Deb}_B - \text{Deb}_E = \text{Deb}_O\,(\text{Collect}) \cdot 40 \cdot 25$
2. Sales Fee ‘-’ (sFee): $\text{sFee}_O\,(\text{GrantFee}) \cdot 400 + \text{sFee}_E - \text{sFee}_B = \text{sFee}_I\,(\text{Sales}) \cdot 400$
3. Course Orders ‘-’ (cOrd): $\text{cOrd}_O\,(\text{DeliverCourse}) + \text{cOrd}_E - \text{cOrd}_B = \text{cOrd}_I\,(\text{Sales})$
4. Book Orders ‘-’ (bOrd): $\text{bOrd}_O\,(\text{DeliverBook}) + \text{bOrd}_E - \text{bOrd}_B = \text{bOrd}_I\,(\text{Sales})$
5. Teacher Hours ‘+’ (tHour): $\text{tHour}_I\,(\text{EmployTeacher}) \cdot 20 + \text{tHour}_B - \text{tHour}_E = \text{tHour}_O\,(\text{DeliverCourse}) \cdot 20$
6. Room Hours ‘+’ (rHour): $\text{rHour}_I\,(\text{RentRoom}) \cdot 20 + \text{rHour}_B - \text{rHour}_E = \text{rHour}_O\,(\text{DeliverCourse}) \cdot 20$
7. Course Books ‘+’ (Books): $\text{Books}_I\,(\text{BuyBook}) + \text{Books}_B - \text{Books}_E = \text{Books}_O\,(\text{DeliverBook})$
8. Salaries ‘-’ (Sal): $\text{Sal}_O\,(\text{PaySalaries}) \cdot 500 + \text{Sal}_E - \text{Sal}_B = \text{Sal}_I\,((\text{GrantFee}) \cdot 400 + (\text{EmployTeacher}) \cdot 100)$
9. Creditors ‘-’ (Cred): $\text{Cred}_O\,(\text{PayCreditors}) \cdot 225 + \text{Cred}_E - \text{Cred}_B = \text{Cred}_I\,((\text{BuyBook}) \cdot 25 + (\text{RentRoom}) \cdot 200)$
10. Cash ‘+’: $\text{Cash}_I\,(\text{Collect}) \cdot 40 \cdot 25 + \text{Cash}_B - \text{Cash}_E = \text{Cash}_O\,((\text{PayCreditors}) \cdot 225 + (\text{PaySalaries}) \cdot 500)$
Legend: B: Beginning; I: Inflow; E: End; O: Outflow
Spanning Reconciliation Checks
- Asset (‘+’) Buffer: $I + B - E = O$
- Liability (‘-’) Buffer: $O + E - B = I$
Correctness = Isn’t it overstated? Completeness = Isn’t it understated?
Algebraic deduction
- 1st interpretation: Bold font = Completeness; Regular font = Correctness
- 2nd interpretation: Bold font = Correctness; Regular font = Completeness
- 1st interpretation: Completeness of stated debtor revenues. Historical: owner-ordered audit
- 2nd interpretation: Correctness of stated debtor revenues. Historical: management-ordered audit
Today: Management-ordered audit on behalf of both current (1st) and future (2nd) owners/shareholders
“Over-constrained”
Quantitative Audit Analytics (3 of 5)
Three Example Enterprise-level Process Check Models
Frielink et al: Classical Dutch Auditing Education Literature
Auditor’s Evidence Acquisition Strategy - David Budescu, Mark Peecher & Ira Solomon
Quantitative Audit Analytics (4 of 5)
Automatically generating executable scripts for data analysis tools
Case provided by Tom Koning, author of: “The Auditor’s New Clothes”
Quantitative Audit Analytics: Reachability (5 of 5)
A System of Spanning Reconciliation Checks, the Check Model, corresponds to the Flow Matrix of the normative Petri net.
Petri Net Reachability Analysis from Initial to Trial/Final Balance goes a step further than detailed Spanning Reconciliation Checks by taking into account Time Stamps in Event Registrations:
- Interrelating all buffer contents on a day-to-day basis
- Reconciled with day-to-day external evidence
- Shows deviations and associated risks
Trial Balance
Spanning Reconciliation Checks can be applied in Totals or in Detail per parameter
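The correspondence between the check model and the flow matrix, worked through as an added example (not from the slides or the authors' tooling): the arc weights are the ones in the ten E&Y checks, the flow matrix is derived from them, and every buffer is reconciled in totals. The names `NET`, `flow_matrix` and `reconcile`, and all period data, are constructed for illustration.

```python
# Arc weights transcribed from the ten checks on the slide. Each buffer maps to
# (sign, inflow arcs, outflow arcs); an arc is {transaction: units per occurrence}.
NET = {
    "Deb":   ("+", {"Sales": 1000}, {"Collect": 40 * 25}),
    "sFee":  ("-", {"Sales": 400}, {"GrantFee": 400}),
    "cOrd":  ("-", {"Sales": 1}, {"DeliverCourse": 1}),
    "bOrd":  ("-", {"Sales": 1}, {"DeliverBook": 1}),
    "tHour": ("+", {"EmployTeacher": 20}, {"DeliverCourse": 20}),
    "rHour": ("+", {"RentRoom": 20}, {"DeliverCourse": 20}),
    "Books": ("+", {"BuyBook": 1}, {"DeliverBook": 1}),
    "Sal":   ("-", {"GrantFee": 400, "EmployTeacher": 100}, {"PaySalaries": 500}),
    "Cred":  ("-", {"BuyBook": 25, "RentRoom": 200}, {"PayCreditors": 225}),
    "Cash":  ("+", {"Collect": 40 * 25}, {"PayCreditors": 225, "PaySalaries": 500}),
}

def flow_matrix(net):
    """Flow matrix as {buffer: {transaction: net units added per occurrence}}."""
    matrix = {}
    for buf, (_sign, inflow, outflow) in net.items():
        row = dict(inflow)
        for tx, weight in outflow.items():
            row[tx] = row.get(tx, 0) - weight
        matrix[buf] = row
    return matrix

def reconcile(net, begin, end, counts, tolerance=0):
    """Return {buffer: stated E - expected E} for every check that fails.

    Expected E = B + I - O; this one identity is both the asset form
    (I + B - E = O) and the liability form (O + E - B = I).
    """
    deviations = {}
    for buf, row in flow_matrix(net).items():
        flow = sum(weight * counts.get(tx, 0) for tx, weight in row.items())
        diff = end.get(buf, 0) - (begin.get(buf, 0) + flow)
        if abs(diff) > tolerance:
            deviations[buf] = diff
    return deviations

# Constructed period data: ten occurrences of everything, one Collect outstanding,
# and a stated Cash end balance that is 1000 below what the registrations imply.
COUNTS = {tx: 10 for _s, i, o in NET.values() for tx in (*i, *o)}
COUNTS["Collect"] = 9
BEGIN = {"Cash": 5000}
END = {"Deb": 1000, "Cash": 5750}

if __name__ == "__main__":
    print(reconcile(NET, BEGIN, END, COUNTS))
```

Raising `tolerance` to 1000 makes the Cash deviation disappear, which is the weaker numerical check that the slides' response on tolerance refers to.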
Con’s & Response
1. Con: Large model is cumbersome to make, making it only suitable for SME; a lot of information is required. Response: Reuse & extend already existing models; gives good and visible foundation to opine upon, improving documentation quality & applicability.
2. Con: Only supercycle related, and not everything is in the supercycle. Response: ‘Type of industry’ is essential; a lot is attributable to the supercycle; gives focus on determining normative relations.
3. Con: Support is too immature. Response: To be finalized for clients & content providing expert auditors.
4. Con: Normative gross margin is fixed. Response: Qualitative: margin size has no influence on number and structure of potential fraud constructs. Quantitative: tolerance is allowed, but leads to weaker numerical checks, to be compensated.
5. Con: Authorizations on root data (price lists, employee lists...) and on filters in record keeping chain. Response: Integrate these as ‘pre-processing’ transactions in client’s business model.
Pro’s
“The stringent application of a correct systematic approach will without any doubt improve audit quality” - A.B. Frielink, Lead author of Dutch Auditing literature, personal correspondence regarding the Computational Auditing thesis
- “Mapping out the supercycle is considered clarifying and refreshing: establishing a wider look than traditional cycles”
- “The schema technique is not too complex and can be well understood”
- “Guides the input preparation process by a systematic framework”
- “The support is feasible in practice”
Hans Verkruijsse & team, Partner Ernst & Young, National Director Audit Technique, Evaluation report regarding the diagram technique and application for SoD analysis
More prominent references:
- Hans Blokdijk, Emeritus Auditing Professor, ex-KPMG partner
- Ruud Veenstra, former Chairman of Deloitte Netherlands
- Harold Kinds, National Director Audit Technique, INAA Netherlands
- Peter Waas, National Audit Coordinator, Dutch Tax Office
Comparison Audit-Specific Diagram Language Yasper/Prom (Deloitte & TUE) Audit net Editor Criteria Tool + Flowchart software 30 Correctness by Construction Underlying Rigor Deloitte’s Smart Audit Support – + + – + + + – +
ComputationalAuditing.com Continuation
You are an expert auditor? Why not have a facilitator to leverage your guidance impact for your audience?
1. Smart Audit Planning Forms
2. Generating Checking Scripts
3. Smart Flowcharts
All Pack-based & Web-based
Correctness by Construction; Script Generator; Typology Platform; Supercycle
0. Good morning, my name is Philip Elsas from ComputationalAuditing.com. 1. I would like to start by thanking Professor Ed O’Donnell for organizing this Symposium & inviting me. Thank you, Ed. 2. And I would like to excuse Professor Jagdish Gangolly, who is not able to attend, for his co-operation preparing a paper where the presented material is treated in more depth. Thank you Jagdish. Please feel free to ask your questions during the presentation at special points (21x)
Smart Audit Support - Build & Apply - Industry Templates - for the Audit Planning Process. International & National - Build is done by auditors only - no ITers involved. Dutch Tax Office, Center for Process & Product Development, report “Optimizing Audit Decisions” in fiscal audit; an approach relying on audit documentation; relevant for audit oversight approaches. Personally at Deloitte - first half Internal Audit Staff - second half External Management Consultant Intermezzo late nineties at Bakkenist Management Consultants as consultant & shareholder - sold to Deloitte
First 8: set the stage & check to see if we are all on the same page
Professor Ira Solomon’s March interview arguing for a Massive Overhaul of Auditing Practices: financial statement fraud tends to rise during economic downturns. In addition, increasing irritation in North America’s Corporate Management: weakening of the US international competitive position due to overhead caused by Sarbanes-Oxley; the Value/Cost ratio of audits is declining as perceived by corporate management (lower added value, higher cost). “Irritation, and not necessity, is the mother of invention”, Henry Petroski: The Evolution of Useful Things, introducing a convincing theory of technological innovation as a response to perceived failures of existing products or services.
Financial Statement Level Risk
Relevant issues are active, and have to be touched upon. Anything else is inactive and omitted. Relevant issues cannot be missed (to avoid blunders). Anything else cannot be accessed (to avoid waste of time). Issues: questions, forms, sections, tables, tasks in the audit plan, etc. Any active question can be chosen for answering. As a prefab consequence of answering a multiple-choice question, the set of active questions may grow or shrink (as predefined). The decisions about what to consider and not to consider as a consequence of a possible answer are conditionally predefined in the guidance model.
The template for the document shown earlier. The decisions about what to consider and not to consider are conditionally predefined in this guidance model. The Player is the operational semantics of the specification in the Builder. In the Builder the specification is structured data that is analyzed on desirable properties (e.g. cycle freeness). In the Player the specification is also data but interpreted in a different way: as code to be executed. More details on the difference between data, code, interpreters, models, etc. Also applying to diagrams as sentences.
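The Builder/Player split described in the two notes above, as an added example (not Deloitte's Smart Audit Support and not the authors' code): one specification is first analyzed as data for cycle freeness and then interpreted as code that grows or shrinks the set of active issues. The specification format, the issue names and the functions `find_cycle` and `play` are hypothetical.

```python
# Hypothetical guidance model (constructed): every multiple-choice answer lists
# the issues it switches on or off. Issue names are illustrative only.
SPEC = {
    "initial": ["industry", "it_controls"],
    "questions": {
        "industry": {"trade": {"on": ["stock_count"]},
                     "services": {"on": ["hours_registration"]}},
        "it_controls": {"tested_effective": {"off": ["detailed_sampling"]},
                        "not_tested": {"on": ["detailed_sampling"]}},
        "stock_count": {"attended": {}, "not_attended": {"on": ["detailed_sampling"]}},
    },
}

def find_cycle(spec):
    """Builder: treat the spec as data; return an activation cycle or None."""
    edges = {q: sorted({i for eff in answers.values() for i in eff.get("on", [])})
             for q, answers in spec["questions"].items()}
    state = {}  # "open" while on the DFS stack, "done" once fully explored

    def visit(q, path):
        if state.get(q) == "open":
            return path[path.index(q):] + [q]
        if state.get(q) == "done":
            return None
        state[q] = "open"
        for nxt in edges.get(q, []):
            found = visit(nxt, path + [q])
            if found:
                return found
        state[q] = "done"
        return None

    for q in edges:
        found = visit(q, [])
        if found:
            return found
    return None

def play(spec, answer_log):
    """Player: interpret the same spec as code; return the open active issues."""
    active, answered = set(spec["initial"]), set()
    for question, choice in answer_log:
        if question not in active:
            raise PermissionError(f"{question!r} is inactive and cannot be accessed")
        effect = spec["questions"][question][choice]
        active = (active | set(effect.get("on", []))) - set(effect.get("off", []))
        answered.add(question)
    return sorted(active - answered)
```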
Audit Support Objectives stated in Deloitte’s reaction to SEC S7-11-06. Criteria for guidance & support: system bridging theory & practice. Flowchart: schematic representation of a process.
X-Raying: expert level (letter SRA -> CaseWare). Schematic representation of a process: Flowchart & Petri net. Petri nets are currently very successfully applied in business workflow. How to make a start with getting an understanding of Dutch auditing theory? Chapter 2 of CA. How to make a start with getting an understanding of Petri net theory? Wikipedia, start at flowchart, refers to petri net.
State, Buffer, Place or Stock are all synonyms for the Static Primitive: a container of units, i.e. typed business values. Transactions occur, even concurrently; occurrences are registered at transactions. Event is a synonym for transaction occurrence. Buffer sign ‘+’: Asset; ‘-’: Liability. Value Cycle Structure is a synonym for Supercycle Structure; ‘Structure’, or its synonym ‘Definition’, is often omitted. An arrow runs either from a buffer to a transaction (inflow/consume) or from a transaction to a buffer (outflow/produce), never directly between two nodes of the same type; the arc weight indicates the number of units involved, with default 1, which may not be shown. When a transaction occurs it consumes the weighted amounts of units from all its inflow and produces on all its outflow. The diagram is an abbreviation, a short-hand notation for a pair of more complex underlying diagrams (Soll & Ist). Smart Flowchart. Schmalenbach diagram. Mental model coinciding with Executable model. The block arrows are just comments, just as the call-out text balloons. A unit buffer may contain either physical units (money, goods, etc.) or non-physical units (debt, credit, etc.), accompanied by zero or more mutually independent (SoD) registrations. A Sales results on one hand in a Sales Order and on the other hand in a $2 Debtor. A Purchase results in a $1 Creditor and a Purchase Order. Etc. Interpretation from transaction perspective versus interpretation from buffer perspective (dual). The mnemonics, S & T, are handy to remember that States are represented by circles and Transactions are represented by boxes. Turbo add-on to American cycle-oriented audit approach.
The Flow of Money is presented above the horizontal line “from right to left”. The Flow of Goods/Services is below and “from left to right”. Animation. Not for simulation: real data. Diagram of the value cycle for a commercial business in a format the computer can understand and analyze. A sale results on one hand in a sales order and on the other hand in a $2 debtor. A purchase results in a $1 creditor and a purchase order. Section I contains money due FROM others (debts of others, other companies, to this company; the debtors, the company’s accounts receivable); Section II contains money due TO others (other companies; the creditors, the company’s accounts payable). Section III contains goods/services due FROM other companies, and Section IV contains goods/services due TO other companies, or private individuals. The two Sections N show the company’s possessions in cash and goods. The diagram shows the value cycle in an error-free Soll modality. However, this value cycle also exists in an Ist modality, in which erroneous, illegitimate transactions are also recognized in addition to the error-free, legitimate ones. These erroneous transactions may or may not be intentional. The diagram for the Ist value cycle is automatically generated from that for the Soll. The cash flow runs above the horizontal line; the flow of goods and services, below it. Section I contains the company’s accounts receivable; Section II, its accounts payable. Section III contains goods and services due from other companies and Section IV contains goods and services due to other companies. The two Sections N show the company’s possessions in cash and goods.
Starreveld Typology; proven conceptualization; proven in practice, over decades. Recognized High Quality Audit. Very well suited for automated support. As is already done + pilots.
Constraints. E.g. on associating agents to buffers, for Auth & Able. Alert for Able: ‘Other maintenance resources’: include ‘f’; ‘Maintenance man-hours’: include ‘f’. No alerts for agent associations to transactions.
No alerts for agent associations to buffers. No alerts for agent associations to transactions.
Yasper: no audit theory, no inspection facilities in specification time for constraint verification (supercycle A-invariant check per rewrite) Why didn’t Deloitte build it: already leader & difficult blueprint