AUDIT ANALYTICS AUDIT
1JWn3ix
1JWn3ix
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
CASE STUDY B: IMPLEMENTING CONTINUOUS <strong>AUDIT</strong>ING AND CONTINUOUSMONITORING<br />
has actually been processed as promised. Exceptions are passed to<br />
Human Resources for further review.<br />
The CMR also examines cases where exceptions have been closed<br />
as "no leave owing," but leave is processed nonetheless (as a test of<br />
integrity).<br />
The CMR produces weekly activity and status summaries for<br />
executive management.<br />
The leave CMR is complex. We argue that it tests the boundaries of<br />
CA/CM and thus provides an illustration of developments in an<br />
environment with multiple data sources and a complex software and<br />
data ecosystem. Specifically, the CMR:<br />
accesses several systems to assemble and cross match the data;<br />
applies relatively complex algorithms to reduce the number of<br />
false positives; and<br />
uses multiple platforms to deliver and monitor the exceptions<br />
including ensuring that the exceptions are being actioned as<br />
advised.<br />
The value of CA/CM is diluted unless there is a robust mechanism to<br />
track and resolve exceptions. Further, the value of CA/CM is also<br />
reduced if the algorithms do not effectively address the suppression of<br />
false positives. Experience suggests that external auditors tend to find<br />
techniques of this sort to be uneconomical due to the need to incorporate<br />
the business rules of differing clients in the algorithms. For example,<br />
tools such as ACL can easily check for potential duplicate invoicing;<br />
however, ACL will potentially produce large numbers of potential<br />
exceptions unless scripts are developed to, for example, identify<br />
matching reversals. The experience at Metcash has been that multiple<br />
iterations of the algorithms are required to minimise false positives.<br />
Moving Forward—Key Risk Indicators<br />
Metcash has moved away from the AS/NZS ISO 31000 Risk Management<br />
Standard risk profiling approach, as published by the International<br />
Standards Organization. A static 5 × 5 matrix that builds on likelihood<br />
and consequences is not consistently of practical use to management.<br />
Monitoring and assessing key risks through data driven risk indicators<br />
provides a greater benefit to management. The increasing availability of<br />
data and sophisticated analytics has facilitated a more accurate<br />
identification of problems in critical areas such as Food Safety and<br />
Human Resources. The use of dashboards (see figure B-2 for example)<br />
has enabled the risk indicator data to be effectively communicated to<br />
management via various media including tablet devices.<br />
163