Enterprise-level Process Documentation incorporating Automatic Audit Analytics Philip Elsas, ComputationalAuditing.com Jagdish Gangolly, SUNY-Albany Lawrence, Kansas May 2-3, 2008 2008 Deloitte / University of Kansas Auditing Symposium Assessing Audit Risks in an Evolving Assurance Environment

7 Deloitte’s Smart Audit Support( 1 ) p.324 Proven Architecture for Interactive Documentation & Guidance Audit Plan Performance Module (blueprint only) Audit Evaluation Module (blueprint only) Smart Audit Support ( 2 ) Audit Planning Module KST Definition Module Knowledge Specification Tool National Tailoring one per engagement team one in Deloitte one per country Client Tailoring Assurance Environment

What is it? Elementary Trade Example 12 Top-down, Leveled Diagram Enterprise-wide: Integral & Unifying Top-level is a Supercycle: one level up & connecting US cycles 200 100 Normative (‘Soll’) & Representative (‘Ist’) Mental Model = Executable Model Flow of Money Flow of Goods Static: State Balance Item S Dynamic: Transaction Profit & Loss Item T

What is it? Trade Diagram in detailed Audit Net 13 http://www.ComputationalAuditing.com/images/Kring.swf 1. Purchase 2. Accept 3. Sales 4. Deliver & Collect 5. Pay 6. Collect Process Steps

15 ComputationalAuditing.com Starreveld Auditee Classification Based on Rigor in the Supercycle Audit Pack Platform Drill-down tree with downloadable packs Every node contains a supercycle pack & client-tailoring guidance Uploader, downloader & broker Client Side: “Information Rules” Pack Trade Roll Upward Roll Forward - Effective - Scalable - Cost-Efficient Audit Pack Platform Real software Release 0.5 April 2008

Qualitative Audit Analytics: Segregation of Duties (1 of 3) 17 50 600 5 2 3 60 10 5 300 15 40 5 Everything for SoD analysis Real case: International Network of Accountants and Auditors, INAA, SRA M: Majority Owner-Manager S: Sales department B: Buy/Purchase department F: Financial administrator T: Technical staff manager W: Warehouse manager Agent Legend Capital: Authorization - Small: Ability S f F m F t B f w F m B m f B f w M f F m F s W m t W m t W m t T m F m b F m s

INAA, SRA Case Output: Solo-Fraud Base 18 Potential Solo-Fraud Qualitative Audit Analytics (2 of 3) Conceptual Primitives Why is this class relevant? ISA 240 Isn’t this only interesting for SME?

19 Qualitative Audit Analytics - SoD (3 of 3) X-Raying Segregation of Duties: Support to Illuminate an Enterprise’s Immunity to Solo-Fraud UWCISA presentation on: http://artsms.uwaterloo.ca/accounting/uwcisa/symposium_2007/Program.htm Paper with discussions and response, appearing in the International Journal of Accounting Information Systems, June 2008

Quantitative Audit Analytics: Check Model (1 of 5) 20 Real case: Ernst & Young Everything for Check Model Book & Course flow: 1-1 normative Materiality Coverage of registration points in SoD: S & T Quantitatively motivated process decomposition 225 25 200 225 500 25 25 1,000 400 400 100 20 20 20 20 500 400

21 Quantitative Audit Analytics: Enterprise-level Check Model, Output E&Y Case (2 of 5) 1. Debtors ‘+’ Deb : Deb I ( Sales )*1000 + Deb B – Deb E  Deb O (Collect)* 40 *25 2. Sales Fee ‘-’ sFee : sFee O (GrantFee)*400 + sFee E – sFee B  sFee I ( Sales )*400 3. Course Orders ‘-’ cOrd : cOrd O (DeliverCourse) + cOrd E – cOrd B  cOrd I ( Sales ) 4. Book Orders ‘-’ bOrd : bOrd O (DeliverBook) + bOrd E – bOrd B  bOrd I ( Sales ) 5. Teacher Hours ‘+’ tHour : tHour I (EmployTeacher)*20 + tHour B – tHour E  tHour O (DeliverCourse)*20 6. Room Hours ‘+’ rHour : rHour I (RentRoom)*20 + rHour B – rHour E  rHour O (DeliverCourse)*20 7. Course Books ‘+’ Books : Books I (BuyBook) + Books B – Books E  Books O (DeliverBook) 8. Salaries ‘-’ Sal : Sal O (PaySalaries)*500 + Sal E – Sal B  Sal I ((GrantFee)*400+(EmployTeacher)*100) 9. Creditors ‘-’ Cred : Cred O (PayCreditors)*225 + Cred E – Cred B  Cred I ((BuyBook)*25+(RentRoom)*200) 10. Cash ‘+’ : Cash I (Collect)* 40 *25 + Cash B – Cash E  Cash O ((PayCreditors)*225+(PaySalaries)*500) B : Beginning I : Inflow E : End O : Outflow Spanning Reconciliation Checks Asset (‘+’) Buffer: I + B - E = O Liability (‘-’) Buffer: O + E - B = I Correctness = Isn’t it overstated? Completeness = Isn’t it understated? Algebraic deduction 1 st interpretation: Bold font = Completeness Regular font = Correctness 2 nd interpretation: Bold font = Correctness Regular font = Completeness 1 st interpretation: Completeness of stated debtor revenues Historical: owner-ordered audit 2 nd interpretation: Correctness of stated debtor revenues Historical: management-ordered audit Today: Management-ordered audit on behalf of both current (1 st ) and future (2 nd ) owners/shareholders “ Over-constrained”

22 Frielink et al Classical Dutch Auditing Education Literature Three Example Enterprise-level Process Check Models Quantitative Audit Analytics (3 of 5) Auditor’s Evidence Acquisition Strategy - David Budescu, Mark Peecher & Ira Solomon

23 Automatically generating executable scripts for data analysis tools Quantitative Audit Analytics (4 of 5) Case provided by Tom Koning, author of: “The Auditor’s New Clothes”

Quantitative Audit Analytics: Reachability (5 of 5) 24 A System of Spanning Reconciliation Checks, the Check Model, corresponds to the Flow Matrix of the normative Petri net Petri Net Reachability Analysis from Initial to Trial/Final Balance goes a step further then detailed Spanning Reconciliation Checks by taking into account Time Stamps in Event Registrations - Interrelating all buffer contents on a day-to-day basis - Reconciled with day-to-day external evidence - Shows deviations and associated risks  Trial Balance Spanning Reconciliation Checks can be applied in Totals or in Detail per parameter

Con’s & Response 28 To be finalized for clients & content providing expert auditors Support is too immature 3 - ‘Type of industry’ is essential - A lot is attributable to the supercycle - Gives focus on determining normative relations Only supercycle related, and not everything is in the supercycle 2 - Reuse & extend already existing models - Gives good and visible foundation to opine upon, improving documentation quality & applicability - Large model is cumbersome to make, making it only suitable for SME - A lot of information is required 1 - Qualitative: margin size has no influence on number and structure of pot. fraud constructs - Quantitative: tolerance is allowed, but leads to weaker numerical checks, to be compensated Normative gross margin is fixed 4 Integrate these as ‘pre-processing’ transactions in client’s business model Authorizations on: - Root data: price lists, employee lists... - Filters in record keeping chain 5

Pro’s 29 “ The stringent application of a correct systematic approach will without any doubt improve audit quality ” A.B. Frielink, Lead author of Dutch Auditing literature, personal correspondence regarding the Computational Auditing thesis - “Mapping out the supercycle is considered clarifying and refreshing : establishing a wider look than traditional cycles” - “The schema technique is not too complex and can be well understood ” - “Guides the input preparation process by a systematic framework ” - “The support is feasible in practice ” Hans Verkruijsse & team, Partner Ernst & Young, National Director Audit Technique, Evaluation report regarding the diagram technique and application for SoD analysis More prominent references: Hans Blokdijk, Emeritus Auditing Professor, ex-KPMG partner Ruud Veenstra, former Chairman of Deloitte Netherlands Harold Kinds, National Director Audit Technique, INAA Netherlands Peter Waas, National Audit Coordinator, Dutch Tax Office

Comparison Audit-Specific Diagram Language Yasper/Prom (Deloitte & TUE) Audit net Editor  Criteria Tool  + Flowchart software 30 Correctness by Construction Underlying Rigor Deloitte’s Smart Audit Support – + + – + + + – +

31 ComputationalAuditing.com Continuation You are an expert auditor? Why not have a facilitator to leverage your guidance impact for your audience? 1. Smart Audit Planning Forms 2. Generating Checking Scripts 3. Smart Flowcharts All Pack-based & Web-based Correctness by Construction Script Generator Typology Platform Supercycle 200 100