
The Next Gen Auditor - Auditing through technological disruptions

Presentation on the risks, and my ideas for audit procedures that can be executed over processes involving technological disruptions incorporated by businesses.
This presentation covers the newer technological risks that audit professionals should consider during their audit engagements.
Thoughts and points of views are welcome to mailme@bharathraob.com

Published in: Data & Analytics

  1. The Next Gen Auditor
     CA Bharath Rao, ACA, CISA, CEH, CHFI, BCOM
  2. Outline
     • Disruptions
     • Technology
     • Way forward
     • Risks
  3. Disruptions: expanding business using technologies
  4. Technological disruptions resulting in a Bang!!
     • Analytics
     • Big Data
     • Machine Learning
     • Artificial Intelligence
     • Blockchain
     • Crypto currencies
     • Distributed Ledger Systems
     • Privacy
     • General Data Protection Regulation
     • Indian Data Privacy Bill
     • Robotics Process Automation
  5. Analytics
     • Data is everywhere
     • Data can be collected and leveraged
     • Better analysis leads to right decision making
     • Right decision making leads to higher profitability
     • The question is: how to identify? How to analyze? What decisions can be made?
  6. Analytics - Technologies
     • Big Data Analytics
     • Reporting Analytics
     • Predictive Analytics
     • Data Mining
     • Machine Learning
     • Supervised and Unsupervised Learning
     • Deep Learning
     • Artificial Intelligence
     • Are we ready for this?
  7. Analytics - Fields
     • Big Data Analytics
     • Reporting Analytics: summarizing large datasets (dashboards)
     • Predictive Analytics: using existing data to predict consumer behaviour
     • Data Mining: effectively seeking data from sources
     • Machine Learning, Supervised and Unsupervised Learning: identify and learn patterns to achieve an outcome as per the defined objective
     • Deep Learning: multiple layers of data transformation within machine learning
     • Artificial Intelligence: intelligence demonstrated by computers, in contrast with the natural intelligence of humans
     Are we ready for this?
  8. Analytics Process (highly used by businesses!!!)
     Analytics used by business: Discovery; Interpretation; Communication; Decision Making
     Issues faced by auditors: Large datasets; Complex factors; Quick turnaround; Effective decisions
     Steps to be followed: Identify sources; Mining & cleansing; Standardization; Statistical methods
  9. Statistical theories used for Predictive Analytics
     • Logistic Regression
     • Linear Regression
     • Moments, Skewness, Kurtosis
     • Theoretical Distributions
     • Testing of Hypothesis
     • Correlation
     • Statistical Dispersion
     • Pareto Analysis
     • Benford's Law of Numbers
     • Beneish M Score
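
As an added example (not part of the presentation), the Benford's Law screen named above, run over two constructed populations: invoice amounts spread across three orders of magnitude, and expense claims clustered just under an assumed 5,000 approval limit. The chi-square cut-off and the sample data are assumptions for illustration.

```python
import math
from collections import Counter

# Benford's expected first-digit proportions: P(d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
# Chi-square critical value at alpha = 0.05 with 8 degrees of freedom
CHI2_CRIT_8DF = 15.507


def first_digit(amount):
    """Leading non-zero digit of an amount (sign ignored); None for zero."""
    amount = abs(amount)
    if amount == 0:
        return None
    while amount < 1:
        amount *= 10
    return int(str(int(amount))[0])


def benford_test(amounts):
    """Compare observed leading-digit counts with Benford's expectation.

    A flagged result is a signal for follow-up procedures, not proof of
    manipulation: capped values or fixed price lists also deviate, which is
    the false-positive risk the analytics slides name.
    """
    digits = [d for d in map(first_digit, amounts) if d is not None]
    n = len(digits)
    if n == 0:
        raise ValueError("no usable amounts")
    observed = Counter(digits)
    expected = {d: BENFORD[d] * n for d in range(1, 10)}
    chi2 = sum((observed[d] - expected[d]) ** 2 / expected[d] for d in range(1, 10))
    return {
        "n": n,
        "observed": {d: observed[d] for d in range(1, 10)},
        "expected": {d: round(expected[d], 1) for d in range(1, 10)},
        "chi_square": round(chi2, 2),
        "flagged": chi2 > CHI2_CRIT_8DF,
    }


# Constructed sample 1: invoice amounts evenly spread on a log scale over
# three orders of magnitude, the kind of population Benford's Law fits.
INVOICES = [round(10 ** (2 + i / 40), 2) for i in range(120)]
# Constructed sample 2: expense claims clustered just under a 5,000
# approval limit, which shows up as an excess of leading 4s.
CLAIMS = [4_700 + 2 * k for k in range(1, 121)]
```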
  10. Areas of Analytics – by businesses
     • Demand forecasting and planning with predictive analytics
     • Consumer behavior and passive feedback
     • Market penetration
     • Revenue and cost monitoring and visualization dashboards
     • Controls and risk exposure monitoring and visualization dashboards
     • Fraud detection during insurance, warranty
  11. Analytics – Risks
     • Reports generated are not as per the defined logic, or have used incorrect input parameters, or data is being modified during processing (IPE risk)
     • Potential violation of data localization and privacy laws where sensitive information is being processed
     • Extreme scenarios may not be covered and processed by analytics tools
     • Inaccurate or incomplete patterns configured within the analytics module, leading to high false positives
  12. Areas of Analytics – for the auditor
     • Identification of vendor collusion
     • Predictive analytics for determining the chances of a bad debt
     • Process mining and identification of process weakness
     • Compliance management
     • Automation of internal controls
     • Travel and expense claims frauds
     • Identification of gaps and weakness in material management
  13. Areas of Analytics – for the auditor
     • Identification of anomalies in financial statements
     • Determination of the effective point of revenue recognition
     • Expense analytics and determination of provisioning
     • Identification of fraud for promotional items
     • Performance evaluation against budgeted funds and time
     • Three-way match and payment analytics
     Data, Patterns, Models
  14. Block Chain
  15. Blockchain
     • A blockchain is a growing list of records, called blocks, which are linked using cryptography
     • An open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way; hence it is not alterable
     • Blockchain keeps a record of all data exchange
     Decentralized, Distributed, Open Ledger
  16. How does cryptocurrency work? https://www.weforum.org/agenda/2016/06/blockchain-explained-simply/
  17. Blockchain Use cases
     • Inter-organizational data management
     • Smart contracting – P2P process
     • Streamlining of clearing and settlements
     • Automating regulatory compliance (AML)
     • Cryptocurrencies: Bitcoin, Ethereum, etc.
     • Digital identity
     • https://igniteoutsourcing.com/blockchain/blockchain-use-cases-by-industry/
  18. Blockchain Use cases
     Organizational level: WIP Management; Accountability in Quality Control; Project Scheduling; Process Control; Regulatory Compliance
     Banking: Investment; Credit Services
     Government services: Taxes; Voting Records; Military Records; Government Pension Records; Government Healthcare Records; Welfare Records
     Enforcement of legal agreements: Rental Contracts; Investment Contracts (Futures and Options); Powers of Attorney; Sales Contracts
  19. Blockchain Risks
     • Security vulnerabilities at the terminals
     • Public and private key security
     • Risk of impersonation of transactions
     • Risks at vendors
     • Lack of testing of the network on a large scale
     • Lack of regulation and standards
     • Lack of testing of code
  20. Auditing the chain: Scope? Risks? Approach? Procedures?
  21. Auditing the chain
     IT General Controls
     • Review of adequate code testing performed
     • Review of the process to include a new member as part of the network
     • Review of terminal and network security protocols
     • Review of Public Key Infrastructure management
     • Review of audit logging functionalities
     Application Controls
     • Review of functionalities to ensure all business scenarios are covered
     • Review of validation controls during data input, processing, storage and output
     • Control checks of transactions based on validation of the hash values generated (completeness and accuracy)
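
The hash-validation control check from slide 21 and the "linked using cryptography" description from slide 15, as an added example that is not part of the presentation: each block commits to its predecessor's hash, and the auditor's check recomputes every hash and walks the linkage, reporting the first block where the stored values no longer match. The block layout, the SHA-256 over canonical JSON, and the ledger extract are assumptions for illustration.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # previous_hash of the first block


def block_hash(block):
    """SHA-256 over a canonical JSON encoding of what the block commits to."""
    body = {k: block[k] for k in ("index", "previous_hash", "transactions")}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(encoded.encode()).hexdigest()


def build_chain(tx_batches):
    """Chain blocks so that each one commits to its predecessor's hash."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(tx_batches):
        block = {"index": i, "previous_hash": prev, "transactions": txs}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain):
    """Audit check: recompute every hash and confirm the linkage.

    Returns (True, None), or (False, reason) naming the first failing block,
    so a missing block (completeness) or an altered record (accuracy) is
    located rather than just detected.
    """
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["index"] != i:
            return False, f"block {i}: index gap (block {block['index']} found)"
        if block["previous_hash"] != prev:
            return False, f"block {i}: previous_hash does not match block {i - 1}"
        if block_hash(block) != block["hash"]:
            return False, f"block {i}: stored hash does not match contents"
        prev = block["hash"]
    return True, None


def tampered_copy(chain, block_no, tx_no, new_amount):
    """Edit a recorded amount after the fact without re-hashing (the
    'data modified during processing' risk from the analytics slide)."""
    altered = copy.deepcopy(chain)
    altered[block_no]["transactions"][tx_no]["amount"] = new_amount
    return altered


# Constructed ledger extract: three blocks of vendor payments.
LEDGER = build_chain([
    [{"tx": "P-1001", "vendor": "V-17", "amount": 1200.0}],
    [{"tx": "P-1002", "vendor": "V-23", "amount": 850.0},
     {"tx": "P-1003", "vendor": "V-17", "amount": 4300.0}],
    [{"tx": "P-1004", "vendor": "V-08", "amount": 99.5}],
])
```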
  22. Privacy
  23. Privacy and Confidentiality
     • Any information relating to a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person
     • Sensitive information
     • PII – Personally Identifiable Information: name, address, email, phone, health records, social media profiles, etc.
  24. Privacy – Users and Profiling
     Data controllers/fiduciaries: owners of the data; responsible for data security; ensure compliance of data processors
     Data processors: work with the data on the instruction of controllers
     Data protection officers: public authorities; large-scale processing of special types of personal data
     Profiling: any automated processing of personal data to determine certain criteria about a person
  25. GDPR and Indian Data Protection Bill
     GDPR: applicable to data pertaining to citizens/residents of the EU; applicable to entities incorporated across the EU or doing business in the EU; applicable to entities outside the EU involved in direct or indirect processing/use of such data
     Indian Data Protection Bill: natural persons; entities incorporated within India and processing personal data of Indian residents and citizens; foreign entities conducting business in India and processing personal information of Indian residents and citizens
  26. Privacy Concepts
     • Acquiring consent freely (not implied) for a specific purpose
     • Right to withdraw consent and permanently delete information
     • Mandatory breach notification
     • Privacy by design in the development of business processes and new systems
  27. Privacy Risks
     • Regulatory non-compliance
     • Data leak of confidential and sensitive information
     • Misuse of information and unauthorized transfer of information to other data processors/buyers
     • Use of information for purposes other than those for which consent was provided
  28. Auditor's Procedures
     • Compliance with SA 250 for entities having business connections in the EU: the auditor shall perform procedures to help identify instances of non-compliance with other laws and regulations that may have a material effect on the financial statements, by:
       • Inquiring of management and TCWG (those charged with governance) whether the entity is in compliance with such laws and regulations;
       • Inspecting correspondence;
       • Obtaining written representations
     • Conduct a privacy impact assessment (PIA) to determine exposure
     • Maintain a workpaper documenting the audit procedures executed and the evidence gathered, to demonstrate that the GDPR and other privacy laws have been complied with by the entity
     • Perform a PIA to identify applications and databases hosting personal information
     • Consider the participation of IoT devices in business processes and the data collection sources
     • Inspect the management action plan and ensure timely completion of the activities
  29. Robotic Process Automation
  30. RPA use cases
     • Software robots or AI workers are configured to emulate and integrate the actions of a human interacting with applications to execute business processes
     • Applied where a high volume of routine and labor-intensive activities is performed on a daily basis
     • Use cases: vendor and customer MDM; price analysis and market intelligence; contract terms during the IR process; 3-way matching; support during the FSCP process; data extraction and analysis; reconciliation processes
  31. RPA Risks
     • Risk of missing scenarios during simulation
     • Processes are not mapped correctly
     • Human safeguards may be removed
     • Incorrect data processing may go unnoticed due to an incorrectly designed bot
     • Potential breach in controls going unnoticed
  32. Auditor's responsibilities
     • Evaluate the flowcharts and data flow diagrams of the bots
     • Evaluate the scenarios covered by the bots
     • Evaluate the design of the process (design effectiveness testing)
     • Evaluate a walkthrough of the workflows covering the scenarios and ensure that the risks are covered
     • Evaluate whether the bots have suffered downtime and whether appropriate human intervention was provided in a timely manner
     • Evaluate whether sensitive information is used during data processing and whether the safeguards are present and operating effectively
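
An added example, not from the presentation, of the 3-way matching bot logic named in the RPA use cases, written so the scenario coverage that slides 31 and 32 ask the auditor to evaluate is explicit: a clean match, a missing purchase order, a missing goods receipt, over-invoiced quantity, price outside tolerance, and a duplicate invoice. The record layout, the 2% price tolerance, and the sample documents are assumptions for illustration.

```python
from collections import Counter

PRICE_TOLERANCE = 0.02  # assumed policy: 2% unit-price variance is accepted

NO_PO = "no purchase order"
NO_GRN = "no goods receipt"
QTY_OVER = "invoiced qty exceeds received qty"
PRICE_OUT = "unit price outside tolerance"
DUPLICATE = "duplicate invoice (same PO, qty and price)"


def three_way_match(pos, grns, invoices):
    """Match each invoice against its purchase order and goods receipts.

    Returns {invoice id: [exceptions]}; an empty list is a clean match that
    the bot may release, anything else goes to a human reviewer.
    """
    po_by_no = {p["po"]: p for p in pos}
    received = Counter()
    for g in grns:
        received[g["po"]] += g["qty"]
    # Duplicate screen: the same PO billed twice for identical qty and price
    seen = Counter((i["po"], i["qty"], i["unit_price"]) for i in invoices)
    results = {}
    for inv in invoices:
        po = po_by_no.get(inv["po"])
        if po is None:
            results[inv["id"]] = [NO_PO]
            continue
        issues = []
        if seen[(inv["po"], inv["qty"], inv["unit_price"])] > 1:
            issues.append(DUPLICATE)
        if received[inv["po"]] == 0:
            issues.append(NO_GRN)
        elif inv["qty"] > received[inv["po"]]:
            issues.append(QTY_OVER)
        if abs(inv["unit_price"] - po["unit_price"]) > PRICE_TOLERANCE * po["unit_price"]:
            issues.append(PRICE_OUT)
        results[inv["id"]] = issues
    return results


# Constructed sample: two POs, receipts only for PO-1, and five invoices
# covering the clean case and each exception scenario the bot must handle.
POS = [{"po": "PO-1", "unit_price": 10.0}, {"po": "PO-2", "unit_price": 50.0}]
GRNS = [{"po": "PO-1", "qty": 60}, {"po": "PO-1", "qty": 40}]
INVOICES = [
    {"id": "INV-1", "po": "PO-1", "qty": 100, "unit_price": 10.1},
    {"id": "INV-2", "po": "PO-2", "qty": 10, "unit_price": 50.0},
    {"id": "INV-3", "po": "PO-1", "qty": 100, "unit_price": 10.1},
    {"id": "INV-4", "po": "PO-9", "qty": 1, "unit_price": 5.0},
    {"id": "INV-5", "po": "PO-1", "qty": 120, "unit_price": 11.0},
]
```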
  33. Other Technologies and considerations
     • Internet of Things: devices capable of connecting and exchanging information; privacy and security risks?
     • Cybersecurity: protection of IT and network infrastructure
     • Cloud computing considerations
     • Failsafe mechanisms
  34. Key Takeaways
     • IT risks and risks emerging from technologies are having a material impact on financials
     • Technologies are evolving and being implemented at a faster pace
     • Consideration of data and service security (CIA triad): Confidentiality, Integrity, Availability
     • Newer forms of controls and a higher level of automation
     • Increasing forms of privacy and InfoSec risks
  35. Going the extra mile
     • Keep updated on the newer technologies and their risks and controls
     • Increase risk assessments on ICFR risks, IT, cybersecurity and privacy risks
     • Risk-based audit approach and placing reliance on ITGC controls
     • Moving from test checks to analytics
     • Leveraging technology in executing our audit procedures
  36. THANK YOU
     The presentation and the information contained therein are intended for educational purposes only and do not replace independent professional judgement. Statements, views, thoughts, and opinions expressed in the presentation belong solely to the presenter, and not necessarily to any entity with which the presenter is associated. The information contained in this presentation is of a general nature and is not intended to address the circumstances of any particular individual or entity. The presenter disclaims any liability to any person or entity in respect of anything relating to the technical contents. One should act on information only after seeking professional advice and after a thorough examination of the facts of the particular situation.
     CA Bharath Rao, www.bharathraob.com, mailme@bharathraob.com, +91 88922 29220