Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Kansas Elsas Top-Cycle

1,289 views

Published on

P.I. Elsas & J. Gangolly: Enterprise-level Process Documentation incorporating Automatic Audit Analytics, Biennial Deloitte / University of Kansas Auditing Symposium, Lawrence, Kansas, USA, May 2008 (invited keynote)

  • Be the first to comment

Kansas Elsas Top-Cycle

  1. 1. Enterprise-level Process Documentation incorporating Automatic Audit Analytics Philip Elsas, ComputationalAuditing.com Jagdish Gangolly, SUNY-Albany Lawrence, Kansas May 2-3, 2008 2008 Deloitte / University of Kansas Auditing Symposium Assessing Audit Risks in an Evolving Assurance Environment
  2. 2. Introduction <ul><li>Since 2003: Company - Canada, Netherlands </li></ul><ul><li>1988 - 2003: Deloitte. with Bakkenist intermezzo, sold to Deloitte. </li></ul><ul><li>1990 - 1996: PhD Computational Auditing </li></ul>- Principal, Chief Architect & inventor of Smart Audit Support - Smart Audit Support is since 1994 key in Deloitte’s worldwide audit practice. Currently integrated in “The Deloitte Audit” - System blueprint in Chapter 5 of … - PhD in Mathematics & Computing Science on Financial Auditing - Parallel to Smart Audit project, 30% part-time - Directly after appearance awarded with the biennial Alfred Coini Prize for the best publication in Auditing Offering software and consultancy services to audit practices and audit software firms 1 Used in 2003 by Dutch Tax Office as Frame of Reference to compare Big 4 planning and decision-support models & systems to investigate how to improve audit productivity (57 page report). Considers Smart Audit Support “leader of the pack”.
  3. 3. Agenda Enterprise-level Process Documentation incorporating Automatic Audit Analytics <ul><li>Modern Auditing: Challenge, Criteria & Solution Approach (8) </li></ul><ul><li>What can you do with it? Examples of major analytics (8) </li></ul><ul><li>More on positioning this Doc Technique & Tooling (4) </li></ul>2 <ul><li>What is it? How doc looks and what it actually is (4 + movie) </li></ul><ul><li>How to prepare it? Making doc in safeguarding tool (1) </li></ul>
  4. 4. Modern Auditing: Challenge <ul><li>1. Focus on Client’s Processes </li></ul>On both Client Engagement Level & on Template Level 3 While bridging the gap in the Audit Process between: 2. Risk Analysis on Process Assertions: identify, assess & respond 3. Items in the Financial Statements In a modern top-down , risk-based Audit Approach with a focus on client’s processes the challenge boils down to: a. How to understand Client’s Top-level Business Process b. How to guide and document getting this understanding c. How to guide and document using this understanding <ul><li>Ruling standards & </li></ul><ul><li>Audit software </li></ul>1 2 3 Client’s Occurrence Risk Auditor’s Detection Risk
  5. 5. <ul><li>Deloitte’s </li></ul><ul><li>International </li></ul><ul><li>Audit </li></ul><ul><li>Approach </li></ul><ul><li>“ 40.000 feet”, nineties </li></ul><ul><li>Role of Doc: all phases </li></ul>p.62 Deloitte’s Audit Process at Engagement Level (1 of 3) 4
  6. 6. <ul><li>Doc Index </li></ul><ul><li>Planning </li></ul><ul><li>docs are </li></ul><ul><li>part of </li></ul><ul><li>Smart </li></ul><ul><li>Audit </li></ul><ul><li>Support </li></ul>Deloitte’s Audit Process at Engagement Level (2 of 3) p.336 5
  7. 7. <ul><li>Inside a </li></ul><ul><li>planning </li></ul><ul><li>document </li></ul><ul><li>“ Player” </li></ul><ul><li>system </li></ul><ul><li>Player of </li></ul><ul><li>what? </li></ul><ul><li>Guidance </li></ul><ul><li>Model </li></ul><ul><li>Where </li></ul><ul><li>does that </li></ul><ul><li>Model </li></ul><ul><li>come </li></ul><ul><li>from? </li></ul><ul><li>(=investment) </li></ul>Deloitte’s Audit Process at Engagement Level (3 of 3) p.337 6 <ul><li>Guidance is: </li></ul><ul><li>Easy-to-use & </li></ul><ul><li>Powerful </li></ul><ul><li>Easy-to-use: </li></ul><ul><li>Familiar interface: form-based </li></ul><ul><li>Answering multiple-choice questions that guide & document the audit, and… </li></ul>as a tacit side-effect of answering: safeguards the correct (de)activation of other questions, & “how to” approaches to risk assessments & responses Here questions can only be answered <ul><li>Powerful: </li></ul><ul><li>Effective: conditionally relevant risks cannot be overlooked & </li></ul><ul><li>Efficient: risks conditionally not relevant cannot be assessed </li></ul>Yearly ROI guess : 20K man-yrs/yr x $10K cost reduction/man-yr ROI <ul><li>Return is: </li></ul><ul><li>Relevant Doc & Planning, no more no less </li></ul><ul><li>Easy & strict way to get it </li></ul>Documentation = Specification Executable Specification = Source Code Executable Specification of “Auditor’s Evidence Acquisition Strategy” - David Budescu, Mark Peecher & Ira Solomon - Integrated in Interactive Documentation
  8. 8. 7 Deloitte’s Smart Audit Support( 1 ) p.324 Proven Architecture for Interactive Documentation & Guidance Audit Plan Performance Module (blueprint only) Audit Evaluation Module (blueprint only) Smart Audit Support ( 2 ) Audit Planning Module KST Definition Module Knowledge Specification Tool National Tailoring one per engagement team one in Deloitte one per country Client Tailoring Assurance Environment
  9. 9. <ul><li>p.334 </li></ul>8 Defining a planning document with its behavior “ Builder” system Builder of what? Guidance Model Builder’s primitives come from theory Here questions are made and connected Documentation = Specification Executable Specification = Source Code Deloitte’s Audit Process at Template Level (1 of 1) <ul><li>Guidance is: </li></ul><ul><li>Easy-to-use & </li></ul><ul><li>Powerful </li></ul><ul><li>Easy-to-use: </li></ul><ul><li>Familiar interface: form-based </li></ul><ul><li>Dialog box transactions: to stepwise specify an interconnected questionnaire to guide and document the audit, and… </li></ul>as a tacit side-effect of every step: safeguarding a technically correct (de)activation structure for questions & their answer choice’s impact on audit planning <ul><li>Powerful: </li></ul><ul><li>Correctness by Construction </li></ul><ul><li>Domain-specific Language </li></ul>Executable Specification of “Auditor’s Evidence Acquisition Strategy” - David Budescu, Mark Peecher & Ira Solomon - Integrated in Interactive Documentation
  10. 10. Challenge & Criteria 9 In a modern top-down , risk-based Audit Approach with a focus on client’s processes the challenge boils down to: a. How to understand Client’s Top-level Business Process b. How to guide and document getting this understanding c. How to guide and document using this understanding 3 Now we have key criteria for modern guidance in process documentation: <ul><li>Guidance: </li></ul><ul><li>Easy-to-use & </li></ul><ul><li>Powerful </li></ul><ul><li>Easy-to-use: </li></ul><ul><li>Familiar interface: close to flowcharts </li></ul><ul><li>Dialog box transactions to stepwise specify client’s business process, and… </li></ul>as a tacit side-effect of every step: safeguarding a technically correct business specification, allowing powerful automatic audit analytics “on-the-fly” & on the result <ul><li>Powerful: </li></ul><ul><li>Correctness by Construction </li></ul><ul><li>Audit-specific Diagram Language </li></ul>Engagement Level & Template Level - Effective - Scalable - Cost-Efficient
  11. 11. Solution Approach 10 <ul><li>Powerful system that supports practice and is founded in theory: </li></ul><ul><li>The world’s strongest Process-oriented Auditing Theory: Classical Dutch Auditing Theory </li></ul><ul><li>& Its Best-fitting rigorous Process Theory: Petri nets tailored for the Auditing Domain </li></ul>Top Benefits <ul><li>Major examples of Powerful Audit Analytics, impossible with old-style approaches: </li></ul><ul><li>X-Raying a body of authorizations on immunity to major classes of fraud </li></ul><ul><li>Deriving a model of enterprise-wide checks & balances, basis for automatically generating executable scripts for data analysis tools </li></ul><ul><li>Feasible: Petri net reachability analysis from initial to trial/final balance </li></ul>Stringent Application of a Correct Systematic Approach: Clarifying & Refreshing 50% added value, E&Y Typology with structured classification of audit approaches per type of industry Proven in theory & practice
  12. 12. Agenda Enterprise-level Process Documentation incorporating Automatic Audit Analytics <ul><li>Modern Auditing: Challenge, Criteria & Solution Approach </li></ul><ul><li>What can you do with it? Examples of major analytics </li></ul><ul><li>More on positioning this Doc Technique & Tooling </li></ul>11 <ul><li>What is it? How doc looks and what it actually is </li></ul><ul><li>How to prepare it? Making doc in safeguarding tool </li></ul>
  13. 13. What is it? Elementary Trade Example 12 Top-down, Leveled Diagram Enterprise-wide: Integral & Unifying Top-level is a Supercycle: one level up & connecting US cycles 200 100 Normative (‘Soll’) & Representative (‘Ist’) Mental Model = Executable Model Flow of Money Flow of Goods Static: State Balance Item S Dynamic: Transaction Profit & Loss Item T
  14. 14. What is it? Trade Diagram in detailed Audit Net 13 http://www.ComputationalAuditing.com/images/Kring.swf 1. Purchase 2. Accept 3. Sales 4. Deliver & Collect 5. Pay 6. Collect Process Steps
  15. 15. Auditing Laws of Starreveld & Frielink 14 The computational interpretation of these Laws leads to the Audit Invariant: used as preventive safeguard 1. Law of Relation between Produced & Consumed Illustrated by movie: A rational, normative relation between frequencies of business transactions in the supercycle and generated margin <ul><li>Law of Relation between State & Event </li></ul><ul><li>Illustrated by movie: BETA-equation for every State: E nd – B egin – I nflow + O utflow = 0, except Money > 0 </li></ul>
  16. 16. 15 ComputationalAuditing.com Starreveld Auditee Classification Based on Rigor in the Supercycle Audit Pack Platform Drill-down tree with downloadable packs Every node contains a supercycle pack & client-tailoring guidance Uploader, downloader & broker Client Side: “Information Rules” Pack Trade Roll Upward Roll Forward - Effective - Scalable - Cost-Efficient Audit Pack Platform Real software Release 0.5 April 2008
  17. 17. Agenda Enterprise-level Process Documentation incorporating Automatic Audit Analytics <ul><li>Modern Auditing: Challenge, Criteria & Solution Approach </li></ul><ul><li>What can you do with it? Examples of major analytics </li></ul><ul><li>More on positioning this Doc Technique & Tooling </li></ul>16 <ul><li>What is it? How doc looks and what it actually is </li></ul><ul><li>How to prepare it? Making doc in safeguarding tool </li></ul>
  18. 18. Qualitative Audit Analytics: Segregation of Duties (1 of 3) 17 50 600 5 2 3 60 10 5 300 15 40 5 Everything for SoD analysis Real case: International Network of Accountants and Auditors, INAA, SRA M: Majority Owner-Manager S: Sales department B: Buy/Purchase department F: Financial administrator T: Technical staff manager W: Warehouse manager Agent Legend Capital: Authorization - Small: Ability S f F m F t B f w F m B m f B f w M f F m F s W m t W m t W m t T m F m b F m s
  19. 19. INAA, SRA Case Output: Solo-Fraud Base 18 Potential Solo-Fraud Qualitative Audit Analytics (2 of 3) Conceptual Primitives Why is this class relevant? ISA 240 Isn’t this only interesting for SME?
  20. 20. 19 Qualitative Audit Analytics - SoD (3 of 3) X-Raying Segregation of Duties: Support to Illuminate an Enterprise’s Immunity to Solo-Fraud UWCISA presentation on: http://artsms.uwaterloo.ca/accounting/uwcisa/symposium_2007/Program.htm Paper with discussions and response, appearing in the International Journal of Accounting Information Systems, June 2008
  21. 21. Quantitative Audit Analytics: Check Model (1 of 5) 20 Real case: Ernst & Young Everything for Check Model Book & Course flow: 1-1 normative Materiality Coverage of registration points in SoD: S & T Quantitatively motivated process decomposition 225 25 200 225 500 25 25 1,000 400 400 100 20 20 20 20 500 400
  22. 22. 21 Quantitative Audit Analytics: Enterprise-level Check Model, Output E&Y Case (2 of 5) 1. Debtors ‘+’ Deb : Deb I ( Sales )*1000 + Deb B – Deb E  Deb O (Collect)* 40 *25 2. Sales Fee ‘-’ sFee : sFee O (GrantFee)*400 + sFee E – sFee B  sFee I ( Sales )*400 3. Course Orders ‘-’ cOrd : cOrd O (DeliverCourse) + cOrd E – cOrd B  cOrd I ( Sales ) 4. Book Orders ‘-’ bOrd : bOrd O (DeliverBook) + bOrd E – bOrd B  bOrd I ( Sales ) 5. Teacher Hours ‘+’ tHour : tHour I (EmployTeacher)*20 + tHour B – tHour E  tHour O (DeliverCourse)*20 6. Room Hours ‘+’ rHour : rHour I (RentRoom)*20 + rHour B – rHour E  rHour O (DeliverCourse)*20 7. Course Books ‘+’ Books : Books I (BuyBook) + Books B – Books E  Books O (DeliverBook) 8. Salaries ‘-’ Sal : Sal O (PaySalaries)*500 + Sal E – Sal B  Sal I ((GrantFee)*400+(EmployTeacher)*100) 9. Creditors ‘-’ Cred : Cred O (PayCreditors)*225 + Cred E – Cred B  Cred I ((BuyBook)*25+(RentRoom)*200) 10. Cash ‘+’ : Cash I (Collect)* 40 *25 + Cash B – Cash E  Cash O ((PayCreditors)*225+(PaySalaries)*500) B : Beginning I : Inflow E : End O : Outflow Spanning Reconciliation Checks Asset (‘+’) Buffer: I + B - E = O Liability (‘-’) Buffer: O + E - B = I Correctness = Isn’t it overstated? Completeness = Isn’t it understated? Algebraic deduction 1 st interpretation: Bold font = Completeness Regular font = Correctness 2 nd interpretation: Bold font = Correctness Regular font = Completeness 1 st interpretation: Completeness of stated debtor revenues Historical: owner-ordered audit 2 nd interpretation: Correctness of stated debtor revenues Historical: management-ordered audit Today: Management-ordered audit on behalf of both current (1 st ) and future (2 nd ) owners/shareholders “ Over-constrained”
  23. 23. 22 Frielink et al Classical Dutch Auditing Education Literature Three Example Enterprise-level Process Check Models Quantitative Audit Analytics (3 of 5) Auditor’s Evidence Acquisition Strategy - David Budescu, Mark Peecher & Ira Solomon
  24. 24. 23 Automatically generating executable scripts for data analysis tools Quantitative Audit Analytics (4 of 5) Case provided by Tom Koning, author of: “The Auditor’s New Clothes”
  25. 25. Quantitative Audit Analytics: Reachability (5 of 5) 24 A System of Spanning Reconciliation Checks, the Check Model, corresponds to the Flow Matrix of the normative Petri net Petri Net Reachability Analysis from Initial to Trial/Final Balance goes a step further then detailed Spanning Reconciliation Checks by taking into account Time Stamps in Event Registrations - Interrelating all buffer contents on a day-to-day basis - Reconciled with day-to-day external evidence - Shows deviations and associated risks  Trial Balance Spanning Reconciliation Checks can be applied in Totals or in Detail per parameter
  26. 26. Agenda Enterprise-level Process Documentation incorporating Automatic Audit Analytics <ul><li>Modern Auditing: Challenge, Criteria & Solution Approach </li></ul><ul><li>What can you do with it? Examples of major analytics </li></ul><ul><li>More on positioning this Doc Technique & Tooling </li></ul>25 <ul><li>What is it? How doc looks and what it actually is </li></ul><ul><li>How to prepare it? Making doc in safeguarding tool </li></ul>
  27. 27. Stringent application of correct systematic approach 26 Large model is built and used at Dutch Post Office <ul><li>Guidance is: </li></ul><ul><li>Easy-to-use & </li></ul><ul><li>Powerful </li></ul><ul><li>Easy-to-use: </li></ul><ul><li>Familiar interface: close to flowcharts </li></ul><ul><li>Pop-up box transactions to stepwise specify client’s business process, and… </li></ul>as a tacit side-effect of every step: safeguarding a technically correct business specification, allowing powerful automatic audit analytics <ul><li>Powerful: </li></ul><ul><li>Correctness by Construction </li></ul><ul><li>Audit-specific Diagram Language </li></ul>Engagement Level & Template Level 100 200 100 200
  28. 28. Agenda Enterprise-level Process Documentation incorporating Automatic Audit Analytics <ul><li>Modern Auditing: Challenge, Criteria & Solution Approach </li></ul><ul><li>What can you do with it? Examples of major analytics </li></ul><ul><li>More on positioning this Doc Technique & Tooling </li></ul>27 <ul><li>What is it? How doc looks and what it actually is </li></ul><ul><li>How to prepare it? Making doc in safeguarding tool </li></ul>
  29. 29. Con’s & Response 28 To be finalized for clients & content providing expert auditors Support is too immature 3 - ‘Type of industry’ is essential - A lot is attributable to the supercycle - Gives focus on determining normative relations Only supercycle related, and not everything is in the supercycle 2 - Reuse & extend already existing models - Gives good and visible foundation to opine upon, improving documentation quality & applicability - Large model is cumbersome to make, making it only suitable for SME - A lot of information is required 1 - Qualitative: margin size has no influence on number and structure of pot. fraud constructs - Quantitative: tolerance is allowed, but leads to weaker numerical checks, to be compensated Normative gross margin is fixed 4 Integrate these as ‘pre-processing’ transactions in client’s business model Authorizations on: - Root data: price lists, employee lists... - Filters in record keeping chain 5
  30. 30. Pro’s 29 “ The stringent application of a correct systematic approach will without any doubt improve audit quality ” A.B. Frielink, Lead author of Dutch Auditing literature, personal correspondence regarding the Computational Auditing thesis - “Mapping out the supercycle is considered clarifying and refreshing : establishing a wider look than traditional cycles” - “The schema technique is not too complex and can be well understood ” - “Guides the input preparation process by a systematic framework ” - “The support is feasible in practice ” Hans Verkruijsse & team, Partner Ernst & Young, National Director Audit Technique, Evaluation report regarding the diagram technique and application for SoD analysis More prominent references: Hans Blokdijk, Emeritus Auditing Professor, ex-KPMG partner Ruud Veenstra, former Chairman of Deloitte Netherlands Harold Kinds, National Director Audit Technique, INAA Netherlands Peter Waas, National Audit Coordinator, Dutch Tax Office
  31. 31. Comparison Audit-Specific Diagram Language Yasper/Prom (Deloitte & TUE) Audit net Editor  Criteria Tool  + Flowchart software 30 Correctness by Construction Underlying Rigor Deloitte’s Smart Audit Support – + + – + + + – +
  32. 32. 31 ComputationalAuditing.com Continuation You are an expert auditor? Why not have a facilitator to leverage your guidance impact for your audience? 1. Smart Audit Planning Forms 2. Generating Checking Scripts 3. Smart Flowcharts All Pack-based & Web-based Correctness by Construction Script Generator Typology Platform Supercycle 200 100

×