Protiviti Pitch Deck Template - The Institute of Internal Auditors

Leveraging Data for Audit Planning, Execution 

and Mitigating Risk on a Continuous Basis 

Miron Marcotte and Brad Rachmiel 

March 14, 2005 

© 2005 Protiviti Inc. EOE

Agenda 

• Introductions 

• Objectives of Today’s Session 

• The Evolution of Continuous Auditing 

• Overview of Selected Tools 

• Case-Study --- Tool Demonstration 

• Summary 

• Q&A

Introductions 

• The purpose of this exercise is to allow us 

to learn a little about each of you so that 

we can tailor our presentation accordingly 

• Please take out a blank piece of paper 

• Please draw a PIG 

• Don’t talk to your neighbor 

• Don’t look at your neighbor’s paper 

• You have 2 minutes

Objective of Today’s Session 

• To present the key drivers behind the Age of 

Continuous Auditing along with the response 

from the Internal Audit community 

• To create some awareness around a variety of 

tools that Leverage Data for Continuous 

Monitoring and other Audit purposes 

• To discuss the concept of Financial Leakage, 

and present some alternatives for identifying this 

leakage 

• To provide a detailed walk-through of a 

Continuous Monitoring tool

Survey 

• Throughout our presentation, we will ask you to 

answer a number of questions related to 

today’s session. 

• We would like you to turn in the survey at the 

end of the session. 

• You may either: 

• Keep it anonymous 

• Put you name on it (or attach your business 

card) -- we will compile the results of the 

survey and email a copy of the results to you

Protiviti – Our Firm 

• Leading global firm focused on 

Risk Consulting and Internal 

Audit (1800 professionals, 37 

offices, 9 countries) 

• In addition to Internal Audit 

and Governance (SOX), there 

are 25 service lines that help 

our clients address various 

Business and Technology 

Risks

Spend Risk Solutions -- Our Practice 

• Focus on the Purchase-to-Payment (Spend) process 

•Utilizeproprietary tools and deep functional expertise to: 

• Identify both Internal Control and Operational Risks 

associated with a company’s Spend 

• Identify, recover and prevent Financial Leakage 

• Identify Spend Optimization opportunities

History of Internal Audit 

Ancient 

History 

1940’s 1992 Today Future 

Age of 

Inspection & 

Re- 

Performance 

Age of Control 

Focused 

Auditing 

Age of Risk 

Based 

Auditing 

? 

• Very substantive 

• Focus on: 

• Recounting 

• Re-performance 

• Inspection 

• Assisted external 

auditors with 

clerical tests and 

tasks 

• Victor Brink’s book 

• Modern Internal 

Auditing – 1942 

• IIA Established 

• Began “service to 

management” 

• Began Operational 

Auditing 

• Began to focus on 

adherence to 

controls & policies 

• Publication of 

COSO Internal 

Control - Integrated 

Framework 

• Broader definition 

of risk than just 

Financial Reporting 

• Focus on risk 

mitigation by proper 

design/operation of 

entity & process 

level controls

Forces Affecting Internal Auditors 

SOX - Rapid & 

Robust Reporting 

Financial Info & 

Control Issues 

Rapid 

Pace of 

Business 

Change 

New 

Factors 

Affecting 

Internal 

Auditors 

Increased 

Pressure to 

Detect/Prevent 

Fraud 

Increased 

Complexity of 

Technology

How Internal Auditors are Responding 

Need for Rapid & 

Robust Reporting 

of Financial Info 

& Control Issues 

Increased 

Pressure to 

Detect & Prevent 

Fraud 

Rapid 

Pace of Business 

Change 

Increased 

Complexity of 

Technology 

• Developing risk control specialists to assist with SOX 

• Developing processes for more rapid & robust reporting of 

control issues (i.e. – continuous monitoring) 

• Increased contact with external auditors, audit comm., etc. 

• Performing explicit fraud risk assessments 

• Monitoring “Whistleblower” hotlines 

• Increasing the use of self-assessments to improve the chance 

of someone identifying and reporting a fraud risk 

• Focusing on IA roles in Enterprise Risk Management 

• Consolidation of risk assessment initiatives (ERM, SOX, BCP, etc.) 

• Some becoming Chief Risk Officers 

• Increased use of outside IT specialists 

• Increased investment in IT audit tools and techniques 

• Increased development of automated monitoring tools

The 4 th Age -- Continuous Auditing 

“The value of continuously monitoring and auditing 

controls has been discussed and experimented with 

for a considerable time but two factors are now 

helping it to become standard practice. 

Specifically, enhanced computer technologies and 

the impact of legislative changes such as the 

Sarbanes-Oxley Act, are serving to facilitate and 

accelerate the use of continuous auditing 

approaches.” 

---The Honorable David M. Walker, Comptroller 

General of the United States

The Internal Auditor of the Future 

• Annual risk assessments will be viewed as 

untimely and obsolete 

• IA will have to develop and implement systems that 

provide continuous risk assessments and 

updates to audit plans 

• Significant risks will need to be monitored 

continually by management, and internal auditors 

will need to be able to test management’s 

monitoring process on a continuous basis 

• Audit committees and stockholders will expect 

breakdowns in significant controls to be detected 

and reported almost immediately

In the Age of Continuous Auditing 

Technology will enable a more robust leveraging of data 

to facilitate decision making throughout the enterprise 

Audit Planning 

& Execution 

Leveraging 

Data 

Risks 

Continuous 

Monitoring

Survey Question # 1 

X 

• How big was the size of your Pig’s tail???? 

Today 

Next 1-2 yrs 

• What % of your audit testing is 

performed on a sample set of data 

(vs. auditing 100% of the data)

Survey Question # 2 

Audit Planning 

and Execution 

Continuous 

Monitoring 

• Today, do you primarily 

leverage your data for Audit 

Planning and Execution or 

Continuous Monitoring?

Examples of Technology Enablers 

Application-Focused Tools: 

Process-Focused Tools:

Application-Focused Tools 

Features 

Tools 

jabIT Assure 

Solutions 

www.jabitsolutions.com 

Applimation 

Integra 

www. applimation.com 

Internal Contols 

Enforcer 

www.peoplesoft.com 

ERP 

Application 

SAP Oracle PeopleSoft 

Security 

Controls 

Configuration 

Controls 

Data Diagnostic 

Testing 

Bolt-on 

Application 

No Yes Yes

Example - 

Risk Configurable Controls Not Operating Effectively 

Benefit Automates Testing and Prioritization of Risks Identified 

Source: jabIT as used by Protiviti

Example - 

Risk Accounts Activated for Inactive Users & Policy Nonconformance 

Benefit Automates Testing and Identification of Security Issues 

User Login & Password Change Analysis Report 

Metric Analysis 

Result 

Analysis 

Total Number of User Accounts 17,677 

Total Number of Active User Accounts (As of xxx) 15,454 87.4% of total user 

accounts 

Total Number of Active User Accounts - Have Ever Logged In 12,456 80.6% of active user 

accounts 

Total Number of Active User Accounts - Have Logged In During 

Calendar Year (As of xxx) 

Total Number of Active User Accounts - Have not Logged In 

During Calendar Year (As of xxx) 

11,591 75.0% of active user 

accounts 

865 5.6% of active user 

accounts 

Total Number of Active User Accounts - Have NEVER Logged In 2,998 19.4% of active user 

accounts 

Total Number of Active User Accounts - PWD Change Policy NOT 

SET 

Total Number of Active User Accounts - PWD Change Policy Set 

to 90 Days or Less 

Total Number of Active User Accounts - PWD Change Policy Set 

to 91 Days or More 

413 2.7% of active user 

accounts 

15,041 97.3% of active user 

accounts 

- 0.0% of active user 

accounts 

Source: Applimation as used by Protiviti

Example - 

Risk 

User Access – Segregation of Duty Issues 

Benefit Automates Testing on a Continuous Basis 

The Diagnostic Manager allows you to 

compare access to a process ID (e.g. VMF) 

at multiple points in time. 

The Diagnostic Report will display the 

status of all users who have access to the 

process ID at each point in time. 

1 

2 

The Diagnostics Comparison will compare 

the user’s access at each point in time so 

that changes in access can be 

continuously monitored on command. 

Source: PeopleSoft

Process-Focused Tools (External) 

(WWW.ANGOSS.COM) 

• KnowledgeSTUDIO analyzes and models data and aids in the 

identification of business trends and risks that lie ahead 

through data mining and quick visualization of data via charts 

and graphs 

(WWW.ACL.COM) 

• ACL enables data inquiry, analysis and reporting by uploading 

data from almost any data source (database, ERP system, etc.) 

and permits users to analyze data interactively

Process-Focused Tools (Internal) 

(WWW.PROTIVITI.COM) 

• Provides an engine to create and conduct assessments by 

surveying end users and creating a repository for best 

practices and key controls 

(WWW.PROTIVITI.COM) 

• Assesses risks associated with an organization’s 

purchase-to-payment (P2P) process including 

quantification of possible financial leakage, evaluation of 

the internal control environment and helps identify 

methods to enhance processes and technologies 

associated with spend

Example - 

Risk Paying Fraudulent Insurance Claims 

Benefit Reduces the Likelihood of Fraud through Modeling 

Identify a set of “rules” to better 

predict the occurrence of fraud 

Source: KnowledgeSTUDIO as used by Protiviti

Example - 

Risk Payment Errors 

Benefit Identify Transaction Anomalies at any Point in Time 

Source: ACL

Example - 

Risk 

Unable to Interview all Parties in a Timely, Cost Efficient Manner 

Benefit Allows Organizations to Monitor and Rate Control Risks on a 

Real-Time Basis 

Source: Protiviti

Example - 

Risk Controls are not Operating Effectively Resulting in Financial Leakage 

Benefit Detect and Prevent Financial Leakage BEFORE It Occurs 

Source: Protiviti

Survey Question #3 

• How many different Continuous 

Monitoring tools do you utilize? 

• Application-focused 

• Process-focused 

Today 

Next 1-2 yrs 

• Please list the tools in place today.

Tool 

Demonstration

Benefits of Continuous Monitoring Tools 

• Improve Corporate Governance 

• Immediate Issue Notification to Management 

• Increase External Auditor Assurance 

• Leverage Data to Help Identify Risks and 

Opportunities 

• Add Value to your Organization 

• Transform data into profitable information 

that can increase revenues and reduce 

costs 

• Audit BETTER, CHEAPER, and FASTER 

• Bring the audit to you 

• Audit 100% of Transactions 

• Automated vs. Manual 

Risks

Closing Thoughts 

“In the absence of a continuous monitoring 

process, organizations may be further exposed 

to fraud, error and abuse – representing a 

significant cost as well as profit erosion 

through revenue leakage. 

--- J. Don Warren, Director of the Center for 

Continuous Auditing

Survey Question #4 

X 

• How big was the size of your Pig’s tail???? 

Yes 

No 

• Did we meet your expectations 

during today’s presentation?

Any Questions?

Contacts: 

Miron Marcotte (312) 476-6424 

Miron.Marcotte@protiviti.com 

Brad Rachmiel (312) 476-6425 

Brad.Rachmiel@protiviti.com 

John Maddente (414) 390-1715 

John.Maddente@protiviti.com

Protiviti Pitch Deck Template - The Institute of Internal Auditors

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?