1. Philip Elsas ComputationalAuditing.com Vught, The Netherlands October 5-6, 2010 Dutch Research School for Information and Knowledge Systems (SIKS) 2010 Advanced Course on Smart Auditing Part I - Smart Auditing: an auditor (historical) perspective Part II - New risk control mechanisms

7. Part I Smart Auditing: an auditor (historical) perspective

10. Motivation Why now? Relevancy Points made by Frank Partnoy: Roosevelt Institute, March, 2010 US$ 600,000 Billion derivatives isn’t visible on balance sheets “ Abusive off-balance sheet accounting” “ Another F-word: Fiction” Solution direction: “Make information available to investors” diagnosis remediation

11. Motivation Why now? Relevancy Points made by Rick Bookstaber: U.S. House of Representatives, Committee on Science and Technology, Subcommittee on Investigations and Oversight, Sept. 2009 Derivatives & markets: leverage, crowding & linkages Oversight solution direction: “Get the data” “ Shareholders are [only] silent partners within the corporation” Auditor’s attention point: reliability of the data “ I don’t think – I don’t mean to be cynical – but I don’t think that leadership within a financial firm can overcome the incentives that exist” Inside solution direction: “Long-term incentives” “ Gaming the system”

14. Today’s audit challenge No.1 International Federation of Accountants (IFAC), “Financial Reporting Supply Chain” “ Shareholders should more actively pursue their ownership responsibilities” & “Align managerial behavior with the interests of the owners”, Jane Diplock, 2010 European Commission, “Corporate governance in financial institutions and remuneration policies”, green paper, June 2010, § 3.5 “The role of shareholders” “ … lead to the abstraction, or even disappearance, of the concept of ownership normally associated with holding shares” & footnote 18 General questions 5 & 3: “How to practically improve shareholder control of financial institutions, if still realistic?” & Necessary reinforcements for the external auditor Gaspar et al. “Shareholder Investment Horizon and the Market for Corporate Control” “ Shareholders have little to say in the USA” & “ Push legislators for statutory duty of care to investors, and get over the Caparo ruling (UK)”, David Webb, 2010

15. Today’s audit challenge No.2 International Federation of Accountants (IFAC), “Financial Reporting Supply Chain” “ Moving forward, national accountancy organizations should be charged with inventorying, bottom up, systemic disconnects that are difficult to voice for individual audit firms fearful of offending clients, and synthesizing them in an anonymous fashion.”, Jules Muis, 2010 See: “Preparing for an Audit Mandate to Contribute to Systemic Risk Anticipation”, ‘de Accountant’ & accountant.nl, 2009, with follow-up in 2010 Connecting ‘micro’ to ‘macro’ Rick Bookstaber’s Congressional testimonies on: - Hedge Funds, 2009 - Derivatives, 2009 - Systemic Risk, 2008 & 2007 “ My concern is that they are making themselves irrelevant.” Steven Thomas about auditors, based on the E&Y - Lehman case, 2010 See Royal NIVRA project “Sharing Knowledge” (“Kennis Delen”), NIVRA.nl with a requested comment on the new financial legislation for derivatives, June 2010

28. 1840 - 1930: Two Main Ways of Audit Owners Management Potential Owners Management-ordered audit, to attract new investors: Money inflow for management: Money inflow for owners: Owner-ordered audit, to check management: to increase credibility that profits aren’t UNDERstated: that no revenues are missing& expenses (e.g. bonuses) aren’t too high to increase credibility that profits aren’t OVERstated: that stated profits are real, and not (partly) fake USA NETH&UK maximize equity long-term ROI

31. 1930-1990: Branching scientific approaches Dutch evolutionary branch Anglo-American evolutionary branch practical- inductive theoretical- deductive Audit policies, methods and standards follow from considering a lot of performed audits; empirical Audit methods evolve from client’s business process, i.e. a normative model Originally only a mental process model; later, due to formalization, supported by an executable process model 1840-1930 foundation management-ordered audit: overstated profits 1840-1930 foundation owner-ordered audit: understated profits

34. Annual company accounts

35. Contribution by Prof. J.H. Blokdijk RA On the basis of the previous slide I may explain the Dutch approach to substantive auditing. Starting point is the completeness of revenue from sales: if sales appear to be recorded completely, the sum of receivables and cash receipts have also been recorded completely: double-entry bookkeeping! No understatements! But receivables and cash are subsequently audited for overstatements; if these appear not to have occurred, revenue from sales cannot have been overstated either. So debit balances are being audited for overstatements, and credit balances for understatements. The same goes for expenses and liabilities. The latter are audited for completeness, and expenses for overstatements. If no irregularities are found, expenses have also been completely accounted for, and liabilities do not contain non-existing debts. In practice, there are, of course, complexities and technicalities to deal with in this approach, but the principle just outlined is the basis. So there is no need to audit any item, whether in the balance sheet or in the income statement, both for under- and overstatements. This is highly efficient; it is my impression that this is not being fully recognized in the International Statements on Auditing.

36. Contribution by Prof. J.H. Blokdijk RA Dutch auditors have also given thought to something called ‘auditability’. For the audit of ‘assertions’ in the books the auditor should have ‘evidence’, especially for auditing for overstatements. An important source is: documents. But an invoice from a supplier is not sufficient in itself: the supplier may have overstated the price and/or the amount of goods purportedly delivered. The invoice should be reviewed and authorized internally. Here is where ‘internal control’ comes in. Performance of internal controls in that stage should normally be evidenced in some form, by stamps, initials on a voucher, and the like. The control should be performed by the appropriate employee: the system should provide for an adequate segregation of duties. Evidence of performance should include the identity of the employee. But how conclusive is that evidence? International Standards on Auditing mention several inherent limitations of internal control, such as human error, circumvention of internal controls through collusion, and management override. In performing tests of control, can the auditor detect this? This would only be possible if the auditor were able to repeat performing the internal controls involved.

37. Contribution by Prof. J.H. Blokdijk RA The problem can be illustrated with the following example. It involves invoices for goods or services received. It does not yet deal with the circumstance that many internal controls in this stage are no longer evidenced in visible form, but are embedded in the automated systems. Regarding those invoices, the auditor can easily reproduce the computation of the final amount and of a sales tax amount included in it. Reproducing the internal control on the price invoiced is more difficult: it may be in agreement with a price list from the supplier that the auditor may consult, but employees in the purchasing department are paid by the employing entity to obtain a better price. The difference may partly or wholly end up in their own pockets by way of the infamous kick-backs. Only a thorough knowledge of that particular market would enable the auditor to uncover such a defalcation; as he/she cannot be expected to have such expertise on all the markets where his/her clients do business, he/she must rely on the system of internal control.

38. Contribution by Prof. J.H. Blokdijk RA Similar considerations apply to the receipt of goods and the performance of services. Some goods could be traced afterwards, though that may be highly impractical. Most office supplies, however, are simply used up, and as to services, it is virtually impossible to ascertain that the windows actually have been cleaned if the audit takes place three months after. For the most important aspects of those purchases, the auditor cannot do much more than look for evidence of the performance of internal control. So, there are internal controls that cannot be reproduced by the auditor. The issues raised by this circumstance have been explored extensively in Dutch auditing literature. The best English translation I have been able to find for this type of internal controls is: 'non-reproducible' internal controls (in Dutch: “onvervangbare interne controle”). Sometimes, investigative techniques designed to overcome the restrictions outlined above, do exist, but an independent auditor is not allowed to use them. An example is the situation in which an auditor has suspicions about a credit note purportedly granted by his/her client to another company audited by a partner of his/her own audit firm. The professional rule of confidentiality does not permit the former auditor to consult the latter on this document.

39. Contribution by Prof. J.H. Blokdijk RA ‘ Non-reproducible’ internal controls Even though there are internal controls that can be reproduced, such as those involving arithmetical operations, the most important ones often cannot be reproduced. The fundamental causes have been categorized as follows: (1) expertise: the auditor cannot possibly acquire sufficient expertise to form, entirely by himself, a conclusive opinion on all the technical and/or commercial events that are to be reflected in the financial statements (e.g., product yield rates, purchase prices); (2) presence: the auditor cannot possibly be continuously present on the client's premises in order to ensure the completeness of the recording of transactions and (relevant) events; apart from economic considerations, this is unacceptable in that it would jeopardize the client's and/or the auditor's independence; and (3) inadmissibility of investigative techniques: the independent auditor is not entitled to use certain techniques that are available to government auditors (such as informing other government auditors about other taxpayers), or that may be used by police authorities (such as wiretaps, search of private premises and the like).

40. Contribution by Prof. J.H. Blokdijk RA So what should auditors do about ‘the system of internal control’? Firstly, they should evaluate the design of the system. Especially important is the segregation of duties; e.g., no single person should be able to authorize payment of invoices, and persons charged with the authorization of separate elements (quantity, quality, prices) of invoices should not have an interest in collusion with each other, or with suppliers or other parties outside the auditee. In order to better evaluate the design of the internal control system, dr. Elsas has developed a very promising automated technique, which he will be glad to further explain.

42. Supercycle: top-level business process Schmalenbach (1929), Limperg (1926, 1930’s), Abr. Mey (1936), Burgert (1957), Starreveld (1962, 1980’s), Frielink (1980’s), Blokdijk (1975), Veenstra (1972, p.41) Buy Side Sell Side Inside (cost price) Sell price Buy price A rectangle represents a state, a balance sheet item A circle represents a (trans)action, an activity, a mutation to connected states ‘ Soll’ (To Be) & ‘Ist’ (As Is) modalities

44. Supercycle-based auditing, model-based auditing … Begin End Purchase price Sales price Buy transaction Money buffer Goodsbuffer Sell transaction What happened in between? What is the normative relation?

45. Supercycle-based auditing 10,000’s man years of conceptualization and abstraction, integrated with proof in practice, over decades Worldwide recognized high quality audit education: 3-years post-Master Integrating owner-ordered audit method & management-ordered audit method into two-way audit approach Traditional Dutch audit education literature, Frielink et al. Mathematical framework: system of linear equations, based on the BETA-formula World’s scientifically strongest audit approach, due to its mathematical foundation How the spanning reconciliation checks, based on spanning equations, relate to the supercycle Superbly suited for powerful computational support

51. Supercycle & AO/IC The owner-ordered tradition introduces the concept of a quasi-goods stream for bonus rights – integrated within the regular stream of goods and services (see diagram) – allowing for an integral assessment of the authorization and incentive structure, as key component of the irreplaceable and indispensable internal control Here we’re in a smart auditing course, which may raise the question “Is there dumb auditing?” See: challenge no. 1, slide 14 & 17

52. Accounting Organization / Internal Control (AO/IC) 1. Control measures vs. check & control activities 2. Preventive, detective & corrective 5. Irreplaceable vs. replaceable; indispensable 4. First-time recording vs. using existing recordings 6. Preventive securing of actions of agents vs. values; check point 7. Direct change of value vs. no direct change of value; outside 8. Segregation of duties; audit-technical vs. business-economical pp.38-43 3. Design, implementation & operation

58. Process-based Cost Price: connector for stream of money and stream of goods & services volume cost price spanning supercycle Forecasted volume vs. realized volume Planning & Control The cost price captures the quantitative relation between resource use & produced products Relating the stream of goods and the stream of money, answering “What’s the gross margin per product type?”, as required for auditing the completeness assertion

61. Part II New risk control mechanisms

65. Supercycle: interface between organization & auditor http://www.ComputationalAuditing.com/images/Kring.swf 1. Purchase 2. Accept 3. Sales 4. Deliver & Collect 5. Pay 6. Collect Process Steps

66. Soll: To Be, normative Ist: As Is, representative Soll & Ist modalities

70. Qualitative: Cake cutting Mathematics, game theory How to use segregation of duties to let a group take care of getting an equal size of the cake for each member? Indeed, one cutter and the others are choosers: 1. Cutter cuts 2. Choosers choose 3. Cutter chooses If we look closer, it’s not only about duties, but also about sequence & parallelism of duty involvement. Switch steps 2 & 3 and it won’t work anymore. Protocol design & verification? Hint: use opposite interests to enforce fairness

73. Qualitative Audit Analytics - SoD X-Raying Segregation of Duties: Support to Illuminate an Enterprise’s Immunity to Solo-Fraud Paper with two discussion articles, one by K. Matcham and one by R.S. Sriram, and with a response article, appeared as four separate articles together in the International Journal of Accounting Information Systems, June 2008 Quote from the response article: “Adequate SoD assessment and SoD design appears to be much more complex than could have been assumed without this methodical analysis” with thanks to P.M. Ott de Vries for discussing this quoted response Introduces an algebraic analysis technique that takes a supercycle-based body of authorizations as input, and delivers a complete linear basis that spans a space of singleton ‘black hole’ weak spots in the supercycle system of internal control, extensible from 1-agent, to 2-agent, etc. The concept of irreplaceable and indispensable internal control, especially segregation of duties and securing actions of agents, as developed in the owner-ordered audit tradition, allows a rationally rigorous analysis method, impossible with the segregation of duties concept from the management-ordered audit tradition Method answering the question if a body of authorizations is free of opportunities for traceless embezzlement, without need to collude Alternatively stated: Method locating who has too many authorizations in one hand creating a dangerous opportunity for traceless embezzlement, jeopardizing the integrity of financial statements See: challenge no. 1 slide 14 & 17

80. Jacquard: key audit phases 1. Ist supercycle mining Extend process mining to focus on client’s top-level business process 2. Soll supercycle identification Identify Soll supercycle in Ist smart flowchart 3. Continuous auditing Confront a stream of business events to Soll, close-to-real-time 4. Collect, collate & aggregate deviations automatically 5. Publish deviation top-10 on interactive supercycle dashboard. Interface to query the enterprise. iPhone app Next Generation Auditing: Data Assurance as a Service

81. Jacquard: project goals 1. Design and implementation of DSL for representing supercycle business models 2. Querying of models: Pacioli DSL 3. Visualization of models Next Generation Auditing: Data Assurance as a Service 4. Parsing, extraction & analysis of business data 5. Interpretation & inclusion of business data in model 6. DSL for structured auditing interviews via interactive audit documentation (expert vs. engagement team) 7. Facilitating automatic generation of XBRL & XBRL Formula (Standard Business Reporting, SBR): XBRL for data, DSL for analysis

82. Phase 1: Ist supercycle mining Input : event log with journals, e.g. SAP Output : smart flowchart Based on: “Towards a Computer-Assisted Audit Analysis of Business Processes: Process Mining as Tool for IT Auditors”, Maria Bezverhaya, Emiel Caron & Piet Goeyenbier, ‘de EDP-Auditor’, NOREA, 2009 Push signal from Technical University of Eindhoven, ProM, Fluxicon & Anne Rozinat Pull signal from audit practitioners & IT audit educators, e.g. “Process Mining” by Mieke Jans & CARLAB, Rutgers, 2010 Computational Auditing: - focus on discovery of supercycle - framing stand-alone workflows - connecting to cost price theory: - activity-based costing - process-based costing - supercycle-based costing

84. Phase 2: Identify Soll in Ist Identify Soll supercycle by excluding Ist flows, based on automatically identified candidate Ist flows Based on: “Towards a Computer-Assisted Audit Analysis of Business Processes: Process Mining as Tool for IT Auditors”, Maria Bezverhaya, Emiel Caron & Piet Goeyenbier, ‘de EDP-Auditor’, NOREA, 2009 Push signal from Technical University of Eindhoven, ProM, Fluxicon & Anne Rozinat Apply constraints to check if remaining model is a valid Soll Analyzing 3232 cases, classi-fying casualties (red arrows): A . Invoice receipt without prior approval (2537x) B . Approval acquired after pur- chase completion (261x) C . Purchase order established for rejected request (9x) D . Handled order status skip- ping receipt (875x), etc. Design-time workflow vs. run-time workflow Pull signal from audit practitioners & IT audit educators, e.g. “Process Mining” by Mieke Jans & CARLAB, Rutgers, 2010 D A C B

85. Scientific foundation: rationally rigorous. With mathematical & computational formalization. Superbly suited for the digital age. Recognized as such in accelerating pace. Easy by new tech Top-cycle: normative backbone of the ‘business process’-oriented audit approach Top-cycle concept & typology: Central result of integral evolution. Of ‘business process’-oriented Auditing Theory , Auditing Practice & Auditing Education . Over 60-80 years Typology of top-cycles: ordered by the strength of the backbone Unfortunately hardly translated into English Phase 2: Identify Soll supercycle in Ist Soll identification is supported by a typology of top-cycles

86. Phase 3: Continuous auditing http://www.ComputationalAuditing.com/images/Kring.swf Confront a stream of business events to Soll Interrelate all buffer contents Reconcile with external evidence On-the-fly, close-to-real-time checking of spanning business equations Especially spanning buy side & sell side Triangulation Capture deviations and associated risks 3rd party evidence processing “ Continuity Equations” Miklos Vasarhelyi et al. CARLAB, Rutgers, 2010

89. Phase 4: Aggregate deviations Based on: Sun, Srivastava & Mock, 2006 “An Informa-tion Systems Security Risk Assessment Model”, pp. 43-48 Fully Automatic Semi Automatic This can be realized in Deloitte’s Smart Audit Support with a plug-in for Dempster-Shafer-Srivastava confidence-level computations Manual Player

91. Phase 5: Publish deviation top-10 Publish on interactive dashboard Supercycle as dashboard Drill-down on analytics Planning & Control Key Performance Indicators (KPI’s) Key Control Indicators (KCI’s) C b f t F m d D s t A t L f t P t P t W t A t A t S A A L F L F L F M M D F D C B F B F W P P P P W A A A A C m D f t S t A t F t B f t B f t P t W t L f 225 25 200 225 500 25 25 1,000 400 400 100 20 20 20 20 500 400

92. Jacquard project: Next Generation Auditing: Data Assurance as a Service demo by Jacques de Swart, PricewaterhouseCoopers & Paul Griffioen, CWI More on the Jacquard project at the 21st World Continuous Auditing & Reporting Symposium, Rutgers, New Jersey, November 5-6, 2010