Don't navigate risky waters without internal auditors ... - Acl.com


ACL EBOOK
Don’t Navigate Risky Waters without Internal Auditors
Guidance on Leveraging Data Analytics for Risk Assessment


Contents
Introduction
What’s Risk Got To Do With It?
Internal Audit’s Evolving Risk Role
Why Bother? Redefining Internal Audit as a Business Necessity
Risk is Not a “4-Letter Word”
So Why Aren’t We There Yet?
Enter Audit Technology
Risk Assessment Process: At a Glance
Assessing Low, Medium and High Risk
Prioritizing Risk with Scorecards
Risk-Based Audit Planning
Staying Current with Changing Risk Profiles
Example Analytics for Identifying Risk
Case Studies
So Much Risk, So Little Time…
Insurance Against High Risk
Continuous Risk Assessment: Where the Rubber Hits the Road
6 Steps of Applying Analytics for Risk Assessment
Conclusion


Introduction

Does this sound familiar?
“Risk wah wah wah risk wah. Wah wah risk.”
– Miss Othmar, Peanuts Comics

There’s an ocean of information out there about risk. You’re likely already feeling the pull of the tide for internal audit to be more consultative and assume a stronger focus on risk management. As organizations navigate increasingly complex business environments, audit’s role is evolving and risk acumen is vital. But what does it mean in practical terms for your internal audit team?

Internal audit departments are in a unique position to help business leaders comprehend and navigate risk. Traditional assurance roles are expanding to encompass fraud and risk management, and internal audit is expected to play a more active role in assessing higher-level risks in an organization.

However, the problem with focusing more on risk is that you stop paying attention to things that have been deemed to be risk-free – and that assessment could be wrong, causing you to miss something significant. Or, conversely, you may recommend excessive risk mitigation and be misaligned with corporate strategy, thereby decreasing your relevance and reducing the value you provide to your organization.

Internal audit has access to extensive insight into the business via audit analytic technology. How can this wide view of the organization and business processes be leveraged to help pinpoint areas of risk for management? And how do you become more efficient and effective at pinpointing risk assessments?

In this eBook, we’ll outline how to leverage audit analytics to test the controls designed to mitigate risk, identify areas where risk is not known, as well as become more efficient at managing low risk areas.


What’s Risk Got To Do With It?

First, let’s be clear: Risk management is a management responsibility. Internal audit’s role is to provide assurance around risk management. Have we identified the key risks to our organization? Do we have processes, controls and strategies in place to manage or mitigate that risk?

Internal audit departments already play a critical role in safeguarding organizations from loss and providing assurance around business activities. There is no better place for organizations to look than to their internal audit function for a cross-departmental view of risk.

Within the COSO-based risk management framework, management’s role is to do a top-down risk assessment for their organization and identify risks that are likely to negatively impact their objectives. Appropriate controls – be they IT-based automated controls or policy-enabled manual controls – can then be put in place to mitigate those risks. While this is a management activity, internal audit departments are a key component in effective governance and can contribute significantly to improving overall risk management assurance.

Furthermore, successful internal audit departments have a unique understanding of business processes and the ability to analyze the transactional data that they generate.

This unique mix of business and IT domains enables internal audit to evaluate the operating effectiveness of these processes and the internal controls that have been put in place to mitigate business risks.

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
The Institute of Internal Auditors (The IIA), “Standards and Guidance”


Internal Audit’s Evolving Risk Role

Prior to the downturn, many organizations were focusing their Governance, Risk and Compliance (GRC) activities on evaluating risks in their financial controls for compliance requirements such as Sarbanes-Oxley (SOX) or similar legislation.

But, the tides have changed.

With the downturn, the tide swung back to pre-SOX days. And since then there have also been giant leaps forward in the availability of data. Operational risks are again keeping executives up at night and are now the focus of effective GRC strategies.

There’s increasing pressure on organizations to make better, more informed decisions and to gain greater insights into business risks. That means more pressure on internal audit departments to provide heightened levels of insight into organizational risk.

With that has come a shift in the risk management role played by internal audit, and the role expected to be played in the future:

ROLE DESCRIPTION
1. Informally provides consulting and advice on risk management practices
2. Is the catalyst in forming risk management
3. Has active participation in implementing risk management
4. Participates as part of a formal risk management
5. Provides independent assurance on risk management
6. Assists and advises a new, separate risk management function

[Chart: share of respondents per role, with legend Current Role, Future Role, No Role. Data labels as printed, in order: 77% 14% 9%; 48% 14% 38%; 45% 20% 35%; 43% 30% 27%; 40% 35% 25%; 28% 21% 51%.]

Internal Auditing’s Role in Risk Management (2011). The Institute of Internal Auditors Research Foundation, p. 9.


Why Bother?
Redefining Internal Audit as a Business Necessity

Why take on more, you ask?

The IIA is calling for a self-assessment on the profession itself. Do internal audit departments support their organization’s big picture goals? What value does internal audit provide? Is internal audit regarded as relevant? With an increasing focus on risk throughout organizations across most industries, internal audit departments are, fortunately, well-poised for demonstrating their relevance and the value they provide to any organization. It’s time for internal audit to embrace its unique position and demonstrate the critical role it plays.

“Relevant internal auditors are regarded by their stakeholders as indispensable assets and as professionals who are tirelessly committed to helping the organization achieve goals by providing independent, objective, and candid audits stemming from insightful, dynamic assessments of risk. I urge all internal auditors to mitigate their risk of obsolescence by moving quickly to self-assess how they measure up against this relevance yardstick.”
Denny Beran, CIA, CCSA, CPA, CFE, Chairman of the Board, The Institute of Internal Auditors
Quoted in “Assess our relevance,” Internal Auditor Magazine, August 2011.

“Age of Integrity”
Business owns the integrity. Internal audit’s role is to help the business identify the risks.


The Story of Risk in the Hundred Acre Wood

One can draw parallels by looking at the characters in the Winnie the Pooh stories. Some people are Piglets who worry, worry, worry and want to take no risks whatsoever. Others are Eeyores who are gloomy and resigned to the worst possible thing happening, so why fight it. And then some are utterly confident and wise in their view that everything is under control and that nothing bad could possibly happen in their organization – clearly Owl – until their house blows down.

The only character who seems continually unperturbed is Winnie the Pooh himself. What does he know that others don’t? Perhaps Pooh knows that taking risks – within your organization’s tolerance or risk appetite – can help your organization grow and achieve its goals.

Risk is Not a “4-Letter Word”

What many forget is that all risk is not bad. A complete absence of business risk virtually guarantees limited growth. Taking risks within your organization’s risk tolerance and risk appetite can help organizations grow and achieve their goals.

You need to understand your organization’s risk appetite before you can audit it.

“The recent spate of business crises and our organizational responses to them have highlighted a surprising misconception – that risk is the opposite of reward. It is not: loss is the opposite of reward. Risk simply represents the possibility that a loss or reward will occur.”
Shayne Gregg, Partner, Enterprise Risk, Deloitte & Touche, “The New Chief Audit Executive: Leadership in the risk intelligent organization”


So Why Aren’t We There Yet?

Some common obstacles that get in the way of more frequent oversight of high-risk business processes include:

Lack of availability of resources
There just aren’t enough audit staff to increase assurance and value-add services and there isn’t enough money to hire more.

Sheer volume of business transactions
It is time-consuming and difficult to scrutinize the enormous volume of data from complex, modern business applications that process all that data.

Communication challenges
Where internal audit has the ability to identify control breaches or indicators of risk, how can this be communicated to management?

The goal is to make these processes integral to risk assessment and audit activities, and to make them sustainable and repeatable. How do you do that? This is where audit technology takes the helm.


Enter Analytic Technology

So, how does data analysis technology fit in? Internal auditors can use analytics to test the operating efficiency and effectiveness of the controls that are created by management to address risk, as well as to identify areas where risk is not known.

How does technology, specifically risk and control analytic technology, directly support the more detailed risk assessment process for auditors?

• Use analytics to determine where to focus audit attention. Consider using a risk scorecard to assist with this process.
• Once an area has been selected for internal audit, the first step may be to perform an overall analytics review of activities within an area to assess more specific risk points that warrant detailed audit investigation. For example:
  » Why are overtime amounts significantly higher in one region than the norm?
  » Why within one branch are very large volumes of expense transactions occurring just under the threshold where additional approval is required?
• A drill-down approach to risk assessment can be used to drive development of a specific audit program and identify those areas that need greatest audit focus.
• Once this has been assessed within an audit program, consideration can be given to determine whether analysis technology can be used to improve efficiency and effectiveness of a given audit procedure.
• By using technology to test 100% of transactions, an auditor is best able to determine that controls are effective and risks mitigated.
• Leveraging analytics to address lower risk areas enables the reallocation of key resources for higher-stakes risk.

“Successfully addressing these demands requires a combination of leadership, processes and tools from internal audit. These include, most prominently, a stronger role in boosting the organization’s overall risk management capabilities as well as greater use of automation and analytics, such as continuous auditing, to deliver greater efficiency and effectiveness.”
Shayne Gregg, Partner, Enterprise Risk, Deloitte & Touche, “The New Chief Audit Executive: Leadership in the risk intelligent organization”


Risk Assessment Process: At a Glance

“Basing audit plans on an annual snapshot of risk is like relying on a security camera that films once a day for five minutes.”
Richard Chambers, Responding to Change, Internal Auditor Magazine (2010)

[Process diagram. Stages and activities as labeled:]

ASSESS & IDENTIFY RISKS (ANNUAL)
• Identify areas of risk across the organization
• Collect input from multiple sources
• Assess & score risks by likelihood and severity

PRIORITIZE AUDIT SCOPE BASED ON RISK (EACH AUDIT PERIOD)
• Link risks to audit areas
• Re-assess risks by likelihood and severity
• Prioritize risks and audit sites, as needed

ALLOCATE RESOURCES (PLANNING)
• Allocate resources
• Prioritize: risk coverage; financial coverage/significant sites; operational projects

TEST DATA / INVESTIGATE
• Evaluate how well controls are working
• Assess overall impact of exceptions identified
• Investigate findings
• Follow-up on resolution


Assessing Low, Medium and High Risk
Supplement subjective evaluation with analysis

Controls exist to address risks, minimize surprises and pitfalls, and help an organization achieve its objectives. Many risks happen every day, but are inconsequential. Others are a big deal. With so many controls and so many areas of a business, it’s only logical that you should look at the ones that can bite you. In other words, look at the risks that have a high impact on the organization and/or a high probability of occurring.

The challenge is that ‘impact’ and ‘probability’ are highly subjective. Ask three different people and they’ll have three different opinions. Analytics can help to quantify risk, and help eliminate the subjectivity around topics like ‘likelihood’ and ‘impact.’ By analyzing 100% of the data, we can quantify this risk in a way that wasn’t possible before. In fact, we can eliminate the subjectivity of the “how likely is this?” conversation by saying “last year this happened X% of the time.” And in some cases we can quantify the bottom line impact with “given both the direct costs of this type of error and the indirect costs of fixing it, the cost is roughly $XXX,XXX.”

Analytics can help make a low/medium/high determination. This doesn’t apply to all risks (e.g., risks that have not impacted us but may in the future, such as the likelihood of a water shortage in a key supplier region). But, where possible, analytics can be used to supplement the subjectivity of the risk assessment process, and add facts to areas where we also need to make educated guesses.

“Internal audit seems to be taking a pragmatic approach to the challenge of reduced budgets and has adopted a targeted approach to managing the risks: 72% are narrowing audit scope to target key risks, 33% are using questionnaires to identify higher-risk entities, and 29% are conducting fewer local business unit visits.”
Ernst & Young, Driving ethical growth – new markets, new challenges: 11th Global Fraud Survey

Just the facts, ma’am: A real world example

Acme Inc. had quite a few people with active IDs in their SAP financial reporting system who were no longer with the organization – a risk many organizations see. They felt the risk was low, because they: a) took people’s swipe cards when they left so they couldn’t enter the building, and b) removed their network access so they couldn’t log in to access SAP. However, their external audit firm argued that the risk was high because people could have shared passwords, could possibly remotely access the system, etc. They could have spent weeks debating and not gotten anywhere, because both of the risk arguments were based on subjective assumptions.

Using a fairly simple set of analytics, they were able to quantify the exposure in a way that no one could argue with it. They ran a test to see, of the terminated employees that still had access to SAP, if there were any IDs that were used after the date of termination (which tells us the ‘likelihood’ of this risk). They also were able to look at what those IDs had done (which tells us the ‘impact’ of this risk).

Now they could talk facts instead of assumptions, and agree together upon an appropriate course of action.
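The terminated-ID test from the Acme Inc. example can be sketched as follows. This is an added example, not code from the eBook or from any ACL product; the record layouts, user IDs, transaction codes and the function name are constructed for illustration.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed sample data: HR terminations, the user IDs still enabled in the
# financial system, and an extract of the system's activity log.
TERMINATIONS = {                     # user_id -> last day of employment
    "JDOE": date(2023, 3, 31),
    "ASMITH": date(2023, 5, 15),
    "BLEE": date(2023, 6, 30),
    "CKIM": date(2023, 2, 28),       # ID already disabled, so not exposed
}
ACTIVE_IDS = {"JDOE", "ASMITH", "BLEE", "MWONG"}   # MWONG is a current employee
ACTIVITY = [                         # (user_id, timestamp, transaction, amount)
    ("jdoe", "2023-03-31T16:20:00", "FB60", 1200.00),    # last working day
    ("JDOE", "2023-04-02T09:05:00", "FB03", 0.00),
    ("JDOE", "2023-04-02T09:11:00", "FB60", 8450.00),
    ("ASMITH", "2023-05-10T11:00:00", "FB60", 300.00),   # before termination
    ("MWONG", "2023-07-01T08:00:00", "F110", 99000.00),
]


def post_termination_usage(terminations, active_ids, activity):
    """Quantify likelihood and impact of terminated IDs that remain active.

    likelihood = share of exposed IDs (terminated but still enabled) that
                 were actually used after the termination date
    impact     = what each of those IDs did after termination
    """
    active = {u.upper() for u in active_ids}
    exposed = {u.upper(): d for u, d in terminations.items()
               if u.upper() in active}

    events = defaultdict(list)
    for user, stamp, tcode, amount in activity:
        user = user.upper()                      # IDs are case-insensitive
        when = datetime.fromisoformat(stamp)
        # Activity on the termination date itself is legitimate work.
        if user in exposed and when.date() > exposed[user]:
            events[user].append((when, tcode, amount))

    impact = {
        user: {
            "events": len(rows),
            "transactions": sorted({t for _, t, _ in rows}),
            "amount_posted": round(sum(a for _, _, a in rows), 2),
            "first_use": min(w for w, _, _ in rows).isoformat(),
        }
        for user, rows in events.items()
    }
    likelihood = len(impact) / len(exposed) if exposed else 0.0
    return {
        "exposed_ids": sorted(exposed),
        "used_after_termination": sorted(impact),
        "likelihood": likelihood,
        "impact": impact,
    }


if __name__ == "__main__":
    result = post_termination_usage(TERMINATIONS, ACTIVE_IDS, ACTIVITY)
    print(f"{len(result['exposed_ids'])} exposed IDs, "
          f"{result['likelihood']:.0%} used after termination")
    for user, detail in result["impact"].items():
        print(user, detail)
```
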


Prioritizing Risk with Scorecards

As you begin to use analytics to measure risk in your organization, at some point you may find that the more data you collect, the more challenging it may be to make sense of that data. Ultimately your objective from this exercise should be to help answer the question “where should I focus my audit attention next?” Here’s where a risk scorecard can come into play.

The concept of a risk scorecard is simple. Using a scorecard, you aggregate the results of each risk indicator that is important to you to come up with a risk ‘score.’ Depending on how you choose to aggregate your risks (e.g., by location, by division, by manager, etc.), you can then begin to compare these segments relative to one another and quickly highlight risky areas, as well as those where risk is suddenly changing. In a more advanced version of a risk scorecard, you can even weight these risks given their overall importance in your risk landscape. While it can take some effort to get your model right, the outcomes can be a game-changer when it comes to prioritizing audit resources. In the illustration below, for example, you don’t need to know a whole lot about this business to quickly see that the entity specified by the red line has something very different happening, and probably warrants some attention.

A Case Study in Continuous Monitoring
For a detailed look at how to create a risk scorecard, download this presentation by Anthony Chalker, Managing Director at Protiviti, given at Rutgers University’s World Continuous Auditing and Reporting Symposium.
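A weighted scorecard of the kind described in this section, as an added example that is not taken from the eBook or the referenced presentation. The indicator names, weights, limits and per-location figures are constructed; each indicator is standardized across locations so that segments are compared relative to one another, and a location is flagged for a high score or a sudden increase over the prior period.

```python
from statistics import mean, pstdev

# Constructed weights: relative importance of each risk indicator.
WEIGHTS = {
    "manual_journal_entries": 0.5,
    "ar_over_90_days_pct": 0.3,
    "te_exceptions": 0.2,
}

# Constructed indicator values per location and period.
PERIODS = {
    "2023-Q1": {
        "North": {"manual_journal_entries": 40, "ar_over_90_days_pct": 10, "te_exceptions": 5},
        "South": {"manual_journal_entries": 50, "ar_over_90_days_pct": 12, "te_exceptions": 4},
        "East":  {"manual_journal_entries": 45, "ar_over_90_days_pct": 11, "te_exceptions": 6},
        "West":  {"manual_journal_entries": 45, "ar_over_90_days_pct": 11, "te_exceptions": 5},
    },
    "2023-Q2": {
        "North": {"manual_journal_entries": 42, "ar_over_90_days_pct": 10, "te_exceptions": 5},
        "South": {"manual_journal_entries": 48, "ar_over_90_days_pct": 12, "te_exceptions": 4},
        "East":  {"manual_journal_entries": 120, "ar_over_90_days_pct": 25, "te_exceptions": 15},
        "West":  {"manual_journal_entries": 46, "ar_over_90_days_pct": 11, "te_exceptions": 6},
    },
}


def zscores(values):
    """Standardize one indicator across entities (0.0 if there is no spread)."""
    data = list(values.values())
    mu, sd = mean(data), pstdev(data)
    return {e: 0.0 if sd == 0 else (v - mu) / sd for e, v in values.items()}


def scorecard(indicators, weights):
    """Weighted sum of standardized indicators for every entity."""
    scores = {entity: 0.0 for entity in indicators}
    for name, weight in weights.items():
        z = zscores({e: vals[name] for e, vals in indicators.items()})
        for entity in scores:
            scores[entity] += weight * z[entity]
    return scores


def flag_entities(current, previous, weights, score_limit=1.0, jump_limit=1.0):
    """Return {entity: (score, reasons)} for entities that warrant attention."""
    now = scorecard(current, weights)
    before = scorecard(previous, weights)
    findings = {}
    for entity, score in now.items():
        reasons = []
        if score >= score_limit:
            reasons.append("high score")
        # Only increases count; a relative score can fall simply because
        # another entity spiked.
        if entity in before and score - before[entity] >= jump_limit:
            reasons.append("sudden increase")
        if reasons:
            findings[entity] = (round(score, 2), reasons)
    return findings


if __name__ == "__main__":
    for entity, score in sorted(scorecard(PERIODS["2023-Q2"], WEIGHTS).items(),
                                key=lambda kv: kv[1], reverse=True):
        print(f"{entity:6s} {score:+.2f}")
    print(flag_entities(PERIODS["2023-Q2"], PERIODS["2023-Q1"], WEIGHTS))
```
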


Risk-Based Audit Planning
Let your data do the driving

Use data analytics during your next audit planning phase with an eye for assessing risk through data-driven indicators.

Focus on today’s and tomorrow’s risks. Effective use of analytics helps internal auditors identify changes in internal processes and provide timely insight into the business. With data analysis, you can monitor business risks to ensure you are auditing today’s risks, not just those identified yesterday.

Prioritized Risk: Do Less With Less

“It’s not about doing more – It’s actually okay to do less, as long as the less is comprised of more impactful audits.”
Rod Winters, Microsoft, speech at The IIA GRC Conference 2010

Audits don’t need to be cyclical, they just need to address where the risk is.

Depending on your organization and the industry that you’re in, consider:
• Revenue by location, division or product line
• Revenue backlogs – by value and age
• Personnel changes in key positions (legal, finance, R&D)
• Volume of manual Journal Entries or credit notes
• Aging A/R balances or Inventory levels
• Vendor management (# vendors, volume of transactions)
• P-Card vs. PO procurement
• Average days for customer payment
• Travel & Entertainment expenses reimbursement
• Fraud risk

A focus on risk can intelligently determine where the resources go. A risk-based audit plan executed with the right technology to improve efficiency can allow an audit team to do less with less, while providing a higher level of assurance.

Interview with Ted Walter, Internal Audit Manager
Ted Walter at Scripps Health highlights some of the key risk areas inherent to healthcare and talks about the move from manual to electronic-based medical records and charges, and how using audit analytics in this area has a direct impact on the bottom line. (7 Minutes)

Interview with Laura Flandrick, National Association of Purchasing Card Professionals
Laura Flandrick, Managing Director, NAPCP shares her thoughts on how technology is quickly becoming a priority amongst P-Card professionals that have recognized the need to automate transactional monitoring to properly mitigate risk. (5 Minutes)


Staying Current with Changing Risk Profiles

With a top-down approach, management identifies the risks. What internal audit needs to ask, for example in the case of compliance risks, is: Do we have sufficient controls to prevent regulatory breaches? Or in the case of financial risks, an internal auditor can look at the volume of manual journal entries or credit notes; a high occurrence of either may be an indicator of fraud risk, or the risk of errors being made by manual human intervention.

There are many different types of risk. To understand your risks, you need to understand your business. The internal auditor needs to understand operational, reputational, financial, fraud and other risks relevant to the business and identify opportunities for testing. Using analytics to look at 100% of the transactions provides a fairly precise understanding of the risk.

Rather than thinking of a control as fixed, consider that the control is only relevant inasmuch as it addresses a risk. If we’ve looked at 100% of the transactions and we haven’t seen evidence of the risk, it can only mean one of two things: 1) The control is working, or 2) Even if the control isn’t working, the risk is low and therefore we may not need a control here.

The results of this analysis can be used to periodically review controls to assure risk management and to make adjustments as needed.

Podcast: An Interview with Pat Ferrell, Audit Director
Learn how RLI Insurance used scripting along with an innovative “red flag theory” to implement continuous auditing and account for false positives. Uncover some of the important lessons learned from their revenue leakage audits and how they use audit analytics to recover nearly $4 million in lost deductibles.

Some typically high risk areas by industry:
• Manufacturing: Vendors, Supply Chain, Inventory
• Banking: Loans, Debt Liability, Assets, General Ledger
• Health Care: Medicare Billing Fraud


Example Analytics for Identifying Risk

To determine what to test with data analytics, consider: What should your data look like if a mitigating control is in place and working? And what might be anomalous in the data if a risk is not being successfully managed?

Also, be aware that what you don’t know is risky. Think about how reliable your master data is – bad data is in itself a risky scenario.

Simply put:
1) Know your risks.
2) Test data to ensure risks are identified and managed.

Let’s have a look at some potential risks and audit analytic testing opportunities in some example business areas:

Travel & Entertainment: Duplicate Reimbursement

Risk Scenario
Employees may make charges on a corporate procurement card, and in addition to running these through the P-card payment process also submit these for cash reimbursement as part of the T&E process.

Challenge
Travel & expense payment management systems are oriented towards timely capture and processing of employee claims and are rarely integrated with P-card processing and payment systems.

Analytic Solution
Using both exact matching and similar matching techniques, identify claims submitted for reimbursement on both corporate purchase cards and employee T&E expense reports.
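The exact and similar matching described for duplicate reimbursement, as an added example that is not part of the eBook or of any vendor tool. The record layouts, the sample transactions, the three-day date tolerance and the 0.8 similarity cut-off are all constructed assumptions.

```python
import re
from datetime import date
from difflib import SequenceMatcher

# Constructed sample data from two systems that are not integrated.
PCARD = [       # (txn_id, employee, txn_date, merchant, amount)
    ("PC-1", "E100", date(2023, 5, 2), "MARRIOTT HOTEL CHICAGO #0421", 612.40),
    ("PC-2", "E100", date(2023, 5, 3), "DELTA AIR LINES", 389.00),
    ("PC-3", "E200", date(2023, 5, 9), "OFFICE DEPOT 118", 74.15),
]
TE_CLAIMS = [   # (claim_id, employee, expense_date, merchant, amount)
    ("TE-1", "E100", date(2023, 5, 4), "Marriott Chicago", 612.40),    # similar
    ("TE-2", "E100", date(2023, 5, 3), "Hilton Garden Inn", 389.00),   # same amount only
    ("TE-3", "E200", date(2023, 5, 9), "OFFICE DEPOT 118", 74.15),     # exact
    ("TE-4", "E300", date(2023, 5, 9), "OFFICE DEPOT 118", 74.15),     # other employee
]


def normalize_merchant(name):
    """Upper-case, drop store numbers and punctuation, collapse whitespace."""
    return " ".join(re.sub(r"[^A-Z ]", " ", name.upper()).split())


def merchant_similarity(a, b):
    """Similarity ratio (0..1) between two normalized merchant names."""
    return SequenceMatcher(None, normalize_merchant(a),
                           normalize_merchant(b)).ratio()


def find_duplicate_claims(pcard, claims, max_days=3, min_similarity=0.8):
    """Pair T&E claims with P-card charges for the same employee and amount.

    "exact"   : same day and same merchant after normalization
    "similar" : within max_days and merchant names at least min_similarity alike
    """
    by_employee = {}
    for txn in pcard:
        by_employee.setdefault(txn[1], []).append(txn)

    findings = []
    for claim_id, employee, c_date, c_merchant, c_amount in claims:
        for txn_id, _, t_date, t_merchant, t_amount in by_employee.get(employee, []):
            # Compare in whole cents to avoid floating point noise.
            if round(c_amount * 100) != round(t_amount * 100):
                continue
            days_apart = abs((c_date - t_date).days)
            same_name = normalize_merchant(c_merchant) == normalize_merchant(t_merchant)
            if days_apart == 0 and same_name:
                findings.append((txn_id, claim_id, "exact"))
            elif (days_apart <= max_days
                  and merchant_similarity(c_merchant, t_merchant) >= min_similarity):
                findings.append((txn_id, claim_id, "similar"))
    return sorted(findings)


if __name__ == "__main__":
    for txn_id, claim_id, kind in find_duplicate_claims(PCARD, TE_CLAIMS):
        print(f"{claim_id} duplicates {txn_id} ({kind} match)")
```
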


Travel & Entertainment: Supplier Spend Report (i.e. Hotels)

Risk Scenario
Employees may not be using approved travel suppliers such as hotels and airlines, negating the impact of negotiated discounts with these suppliers.

Challenge
Accumulating useful management information from the detailed travel and entertainment expense data is often difficult to do.

Analytic Solution
Utilize the travel & expense data gathered for control testing to generate key performance indicators and other summary information which has value to decision makers.

Payroll: Ghost Employees

Risk Scenario
Payroll disbursements may be generated for fictitious employees.

Challenge
Management is typically responsible for verifying employees, but there is a potential risk of management collusion.

Analytic Solution
Perform a variety of tests to detect potential ghost employees, such as multiple disbursements to the same bank account, or employees with no system activity.

FCPA: Suspicious Vendors & Customers

Risk Scenario
The Foreign Corrupt Practices Act (FCPA) imposes penalties on US companies who engage in corrupt practices with foreign business or government entities.

Challenge
Potential problems can be hidden within large volumes of transactions, but only a single violation can result in penalties.

Analytic Solution
Alert compliance teams to suspicious vendors using techniques including comparison of vendor name & address details against external prohibited vendor lists (GSA, OFAC), Politically Exposed Persons databases, payment method and country of origin.

Payroll: P2P Examples: Split Purchase Orders

Risk Scenario
Employees are circumventing individual purchase authorization limits by splitting a single purchase activity across multiple POs.

Challenge
No automated way of knowing when two or more POs together exceed an authorization limit. Manual review of POs is not practical.

Analytic Solution
Identify cases where multiple POs relate to the same purchasing activity & direct to an appropriate individual for investigation & follow-up.
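One way to implement the split purchase order test, as an added example that is not from the eBook. It assumes that "the same purchasing activity" means POs raised by one requester to one vendor within a short window; the PO records, authorization limits, three-day window and function name are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed per-requester purchase authorization limits.
LIMITS = {"rpatel": 5000.00, "lchen": 10000.00}

# Constructed PO extract: (po_number, requester, vendor, po_date, amount)
POS = [
    ("PO-1001", "rpatel", "V-200", date(2023, 4, 3), 4800.00),
    ("PO-1002", "rpatel", "V-200", date(2023, 4, 3), 4750.00),
    ("PO-1003", "rpatel", "V-200", date(2023, 4, 4), 4900.00),
    ("PO-1010", "rpatel", "V-200", date(2023, 6, 20), 1500.00),   # isolated
    ("PO-1020", "rpatel", "V-315", date(2023, 4, 3), 4900.00),    # other vendor
    ("PO-2001", "lchen", "V-200", date(2023, 4, 3), 12000.00),    # over limit on its own
    ("PO-2002", "lchen", "V-410", date(2023, 5, 1), 3000.00),
    ("PO-2003", "lchen", "V-410", date(2023, 5, 2), 2500.00),     # total stays under limit
]


def find_split_pos(pos, limits, window_days=3):
    """Find groups of POs that each fit the limit but exceed it together.

    A PO above the requester's limit is skipped: it needed additional
    approval by itself, which is a different control from the one tested here.
    """
    groups = defaultdict(list)
    for po_number, requester, vendor, po_date, amount in pos:
        limit = limits.get(requester)
        if limit is None or amount > limit:
            continue
        groups[(requester, vendor)].append((po_date, po_number, amount))

    window = timedelta(days=window_days)
    findings = []
    for (requester, vendor), rows in sorted(groups.items()):
        rows.sort()
        i = 0
        while i < len(rows):
            # Extend the cluster while POs fall inside the window that
            # starts at the first PO of the cluster.
            j = i
            while j + 1 < len(rows) and rows[j + 1][0] - rows[i][0] <= window:
                j += 1
            cluster = rows[i:j + 1]
            total = round(sum(amount for _, _, amount in cluster), 2)
            if len(cluster) > 1 and total > limits[requester]:
                findings.append({
                    "requester": requester,
                    "vendor": vendor,
                    "po_numbers": [number for _, number, _ in cluster],
                    "total": total,
                    "limit": limits[requester],
                })
                i = j + 1          # do not report overlapping clusters twice
            else:
                i += 1
    return findings


if __name__ == "__main__":
    for f in find_split_pos(POS, LIMITS):
        print(f"{f['requester']} / {f['vendor']}: {', '.join(f['po_numbers'])} "
              f"total {f['total']:.2f} exceeds limit {f['limit']:.2f}")
```
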


Case Studies

Let’s look at some examples of how a few companies are leveraging risk and control analytic technology to meet their risk assurance goals.


So Much Risk, So Little Time…

Profile
• Food Lion LLC is one of the largest supermarket chains in the U.S., with 1200 stores in 11 Southeastern and Mid-Atlantic states and 73,000 employees.
• Company stores sell more than 28,000 different products, including a growing number of private label products manufactured and packaged exclusively for Food Lion.

Risk issue
• With retail stores located in 11 states, the Food Lion internal audit department needed an efficient way to conduct individual store audits.
• They needed a reliable risk assessment solution that would select stores based on weighted risk factors and specific criteria in order to effectively audit all 1200 locations.

Solution
• Internal audit team used ACL audit analytics to implement and run a Store Audit Risk Assessment application that quickly identifies the most susceptible stores based on weighted risk factors.
• The audit team worked with management to select these factors, which include: Food safety, last audit date, falling store sales, etc.
• Now the internal audit team can quickly pinpoint stores with highest degree of risk.
• Results of the analytics also used to provide business management (i.e., Marketing, Loss Prevention) with detailed reports that outline in-store risk exposures.
• Using audit analytic technology, Food Lion has enhanced business controls and gained critical transparency into retail operations through targeted risk assessments.

“With ACL technology, we can now choose stores based on weighted risk factors, which results in more effective scheduling and timely audit planning. The application runs within seconds and provides stores with a level of detail that has never been seen before in one report. It’s as simple as one mouse click.”
Danielle Kragnes, Internal Audit Supervisor


Insurance Against High Risk

Profile
• Fidelity National Financial is the largest title insurance company in the United States, insuring over 40% of the real estate transactions in the country.
• The Audit Services Department’s (ASD) scope is to provide audit services for: direct title operations, agency title operations and the wide-ranging corporate function.

Risk issue
• Direct title operations represent highest level of business risk with greatest potential for process improvements.
• To mitigate this risk, ASD wanted to move from managed analytics to continuous auditing in this area.

Solution
• Full population visibility enables the audit team to see ongoing issues, avoid errors, and detect potential fraud schemes on a near real-time basis.
• ACL analytics investigate escrow files for fraud, fund misappropriation, suspicious ledger activity, and patterns of known fraud schemes.
• Each analyzed file is automatically assigned an overall score, matched against a risk tolerance matrix. If a test score exceeds a designated threshold or an individual test with a high risk factor reports an exception, the anomaly is flagged for follow up and resolution.
• ASD’s work with audit analytics and continuous auditing has heightened interest across the organization. The solution provides unprecedented visibility into some of Fidelity’s most critical business risks.
• For the first time, the team can quantify production-side risks and potential control issues.

Podcast
Listen to a podcast interview with David Riddell, Automated Audit Solutions Manager at FNF on how they do it.

“ACL technology has transformed how we assess risk in our organization.”
David Riddell, Automated Audit Solutions Manager


Continuous Risk Assessment: Where the Rubber Hits the Road

Profile
• Fortune 100 firm with 180-200 corporate stores, Dollar Thrifty has 400 franchise operations and manages 500,000 transactions each month.
• Together, Dollar and Thrifty have operations in over 70 countries around the world, including approximately 836 corporate and franchised locations in the United States and Canada.

Risk issue
• Overextended staff resources.
• Suspected fraud and security breaches.
• Inadequate random sampling procedures.

Solution
• Charged with developing a continuous auditing environment for Dollar Thrifty, the team initially built five ACL analytics.
• Today, they have over 30 fully automated analytics – which the team refers to as “living analytics” – to monitor payroll, retail transactions, uncover fraudulent activities and ensure compliance with Sarbanes-Oxley regulations. These analytics monitor for changes in the process or data and notify the team when changes to the scripts may be needed to accommodate a business requirement change.
• Payroll analyses include 35 specific tests for each and every employee cheque. The audit team is currently working on another 15 tests, which will bring the total up to 50. Sales agents receive incentives for selected sales, so it’s critical for Dollar Thrifty to monitor the retail environment for compliance with corporate policy and fraud.
• Once a new process is automated, staff can move on to other areas and apply a rule of thumb that the average analysis can be fully automated with four to five additional hours of work.
• Dollar Thrifty has already saved over 10,000 hours of manual staff labor, reduced commission expense by $750,000 annually, and pinpointed cases of fraud.

“There is no way we could have been as successful assessing risk and detecting fraud without using ACL.”
Alan Nixon, Staff VP and General Auditor


6 Steps of Applying Analytics for Risk Assessment

So, where do you start? Step by step, here’s a basic framework of how you can begin to apply data analytics to assess controls in your organization...

While generic analysis software can get you started, purpose-built packages will support more complex and value-added testing and issue management, and longer-term sustainability.


Build a profile of potential risks
• Develop a profile of potential risks as part of a risk assessment.
• Consider using a risk scorecard.


Test data for possible indicators
• Include ad hoc testing in addition to more formalized or regular tests.
• Consider the spectrum of automated testing ranging from ad hoc to repetitive through to continuous, where appropriate.


Improve the process by implementing continuous analysis
• Use continuous analysis to test and validate the effectiveness of your controls – on a timely basis.
• Provide management with immediate notification.
• Create processes for control remediation.
• Implement on a comprehensive basis across business process areas.


Review Results
• Investigate patterns and indicators that emerge from your analyses.
• Quantify the risks.
• Identify and target high risk areas.
• Consider risk monitoring dashboards.


Expand scope and repeat
• The process of building a profile, testing data, improving controls and reviewing information needs to be done on a regular basis.


Report
• Make recommendations on how to tighten controls or change processes to reduce the likelihood of non-compliance.
• Follow-up and see if those recommendations have been acted upon and if they have had the desired effect.
• Communicate – “Tone at the Top.”
• Why? Because unresolved exceptions have a negative impact on the business.


If you don’t have the time or the in-house expertise to figure out where data analytics fit into your organization’s risk assurance, it may be time to talk to someone who can help.

Contact an ACL expert for a free consultation on how you can get the most out of audit analytics.
sales@acl.com
1-888-669-4225

Conclusion

We’ve looked at how to start applying audit analytics to risk assurance. What’s next?

Use risk and control analytics to assist in assessing risks in your organization; it will help drive increased efficiency into your audit work and identify data driven indicators of emerging risks.

Organizations that have gained the most from this process are those in which internal audit leadership at the CAE level has been a strong advocate.

Take your maiden voyage by applying the six steps to a risk area in your organization. There’s a lot to do, but you can always find help. You’re now charting a course towards greater, and much more efficient, risk assurance.


Interested in learning more about our products and services?
Call 1-888-669-4225 to speak with a representative
Visit our website at acl.com
Email us at info@acl.com

About ACL

ACL delivers technology solutions that are transforming audit and risk management. Through a combination of software and expert content, ACL enables powerful internal controls that identify and mitigate risk, protect profits, and accelerate performance.

Driven by a desire to expand the horizons of audit and risk management so they can deliver greater strategic business value, we develop and advocate technology that strengthens results, simplifies adoption, and improves usability. ACL’s integrated family of products—including our cloud-based governance, risk management and compliance (GRC) solution and flagship data analytics products—combine all vital components of audit and risk, and are used seamlessly at all levels of the organization, from the C-suite to front line audit and risk professionals and the business managers they interface with. Enhanced reporting and dashboards provide transparency and business context that allows organizations to focus on what matters.

And, thanks to 25 years of experience and our consultative approach, we ensure fast, effective implementation, so customers realize concrete business results fast at low risk. Our actively engaged community of more than 14,000 customers around the globe—including 89% of the Fortune 500—tells our story best.

Visit us online at www.acl.com

© 2013 ACL Services Ltd.
ACL and the ACL logo are trademarks or registered trademarks of ACL Services Ltd. All other trademarks are the property of their respective owners.
