Auditing ERP Applications and Cloud - TACS 2011

Audit Testing ERP Application and Connecting with Cloud Yoong Ee Chuan CISA, CISM, CPA, CIA

Upload: ee-chuan-yoong

Post on 27-Nov-2014


DESCRIPTION

This presentation aims to clarify how we can make use of data analytics tools and techniques to cut through the complexity of data to focus on what we want to know. Case studies on auditing staff and medical claims as well as procurement and payments review will help illustrate the principles that one can adopt to cut through the complexity to zoom in on what is of importance to the auditor or controls professional. It aims to share how we can “make sense out of nonsense” if we understand our data, apply basic data analytical approaches to access the data and to generate the information that we need to solve business problems or to make business decisions.

TRANSCRIPT

Page 1: Auditing ERP Applications and Cloud - TACS 2011

Audit Testing ERP Application and Connecting with Cloud

Yoong Ee Chuan CISA, CISM, CPA, CIA

Page 2: Auditing ERP Applications and Cloud - TACS 2011

Agenda

1. Analysing how data analytics enhances audit testing of ERP applications

2. Exploring different data analytics and computer assisted audit tools and techniques

3. Understanding the risks of hosting ERP data with cloud computing

4. Questions and answers

Page 3: Auditing ERP Applications and Cloud - TACS 2011

Audit Testing – ERP Applications

What is Data Analytics?

“Analysis of data is a process of inspecting, cleaning, transforming, and modeling data with the goal of highlighting useful information, suggesting conclusions, and supporting decision making. Data analysis has multiple facets and approaches, encompassing diverse techniques under a variety of names, in different business, science, and social science domains.”
-- Source: http://en.wikipedia.org/wiki/Data_analysis

• Some examples
  • Computer-assisted-audit tools/techniques
  • Data mining
  • Business intelligence
  • Statistical applications

Page 4: Auditing ERP Applications and Cloud - TACS 2011

Audit Testing – ERP Applications

“Making sense out of nonsense!”

Page 5: Auditing ERP Applications and Cloud - TACS 2011

Analysing How Data Analytics Enhances Audit Testing of ERP Applications

Page 6: Auditing ERP Applications and Cloud - TACS 2011

Audit Testing – ERP Applications

Challenges of Audit Testing ERP Applications

• ERP systems provide a wealth of information
  • If you can access it quickly, efficiently and effectively
• Challenges include
  • Lack of IT knowledge and skills by auditor
  • Lack of knowledge of ERP package/module
  • Lack of SQL, query language
  • Overwhelming transaction volume from computerised records
    • difficult to aggregate information for meaningful analysis
    • cannot see the forest for the trees
• Access to data usually requires help of Information Technology, Finance and Operations to obtain reports and analysis needed
• Use of data analytics allows the stories behind the data to emerge based on the questions the auditor asks

Page 7: Auditing ERP Applications and Cloud - TACS 2011

Audit Testing – ERP Applications

Why Use Data Analytics for Audit Testing ERP Applications?

• Increasing quantity and quality of data available
• Larger organisations typically have Enterprise Resource Planning (ERP) implementations
  • Human Resources/Payroll
  • Financial Accounting/Management Reporting
    • Accounts Payables
    • Accounts Receivables
    • Fixed Assets/Inventory
    • General Ledger
  • Project Management/Costing
  • Core business applications for operations
• Business transactions captured in the bits and bytes of data residing in ERP systems

Page 8: Auditing ERP Applications and Cloud - TACS 2011

Audit Testing – ERP Applications

• Ability to analyse the underlying data representing business transactions in meaningful ways:
  • Empowers auditors to understand the business risks
    • Use in audit planning and risk assessment
    • Surveying audit universe from financial and operating data
    • Summarisation of key fields by department, divisions, sections
    • Helps to flag out areas of interest, potential misstatement, non-compliance and potential fraud risks
  • Ascertain compliance with business policies and procedures:
    • Carry out detailed substantive and compliance auditing procedures
    • 100% testing instead of sampling
    • Enhanced assurance and coverage
  • Provides sufficient and appropriate evidence for audit reporting
    • Exceptions are specific transactions flagged out by the data analytics tools

Page 9: Auditing ERP Applications and Cloud - TACS 2011

Exploring Different Data Analytics and Computer Assisted Audit Tools and Techniques (CAATs)

Page 10: Auditing ERP Applications and Cloud - TACS 2011

Exploring Data Analytics & CAATs

• You already have them!

• Data analytics software

• Key characteristics

• Slice and dice to what you desire

• Filter, sort, summarise, total, count, chart, pivot

• E.g. Microsoft Excel, Access, Open Office Calc, Google Docs etc.

• IDEA, ACL, SPSS etc

• There is no “perfect” tool

• Match the tools to the skillsets, experience, availability

Page 11: Auditing ERP Applications and Cloud - TACS 2011

Exploring Data Analytics & CAATs

Example: Interactive Data Extraction and Analysis (IDEA)

• Caseware IDEA - Data analysis / generalised audit software / computer-assisted audit tool

Caveats: Auditors / control professionals still need to:

• Audit objectives
• Need to understand business application and data residing in system
• Need to know what is the audit issue/business problem
• Need to define the data needed and apply the right analysis to derive the answers
• Answers may not always be 100% conclusive, still need professional judgement and other corroborating evidence

Page 12: Auditing ERP Applications and Cloud - TACS 2011

Exploring Data Analytics & CAATs

Source: Caseware IDEA

Page 13: Auditing ERP Applications and Cloud - TACS 2011

Auditing ERP Applications – Case Study

Audit of Staff Claims

• Medical Claims
• Transport Claims

Why audit ERP applications using data analytics?

• Data analysis approach allows detection of non-compliances and helps organisation achieve value-for-money
• Review ALL (100%) of transactions vs sample 30 claims

How to approach audit of ERP applications

• Step 1: Import data from ERP system i.e. Excel or flat files
• Step 2: Define field definition (text, numeric, date)
• Step 3: Run analysis i.e. exceptions, duplicates, patterns
• Step 4: Report exceptions, anomalies, patterns

Page 14: Auditing ERP Applications and Cloud - TACS 2011

Auditing ERP Applications – Case Study

Page 15: Auditing ERP Applications and Cloud - TACS 2011

Use of IDEA in Audit of Staff Claims (Medical)

Obtain list of staff medical claims from ERP system for period of interest (e.g. all transactions for 1 year)

Identify key fields for testing i.e. “RECEIPT NO.”, “STAFF ID” and “CLINIC/HOSPITAL”

Summarise by “STAFF ID”, followed by “RECEIPT NO.” and analyse for anomalies

Run duplicates test on “RECEIPT NO.”

Detecting Duplicate Claims

Page 16: Auditing ERP Applications and Cloud - TACS 2011

Use of IDEA in Audit of Staff Claims (Medical)

Obtain data, identify fields of interest i.e. “RECEIPT NO.”, “RECEIPT DATE”, “STAFF ID”

Run duplicates test on “RECEIPT NO.” and “RECEIPT DATE”

Query HR on duplicate payment

Detecting Duplicate Claims

Page 17: Auditing ERP Applications and Cloud - TACS 2011

Use of IDEA in Audit of Staff Claims (Transport)

Audit Observation #1: Non-deduction of Normal Travel Expenses from Office to Home for journeys Starting or Ending from Home

1. • Obtain staff travel claims data for 1 year
   • Identify fields of interest i.e. “FROM”, “FROM_TO_HOME”, “OFF_DAY”, “STAFF ID”

2. • Extract FROM = “Home”, FROM_TO_HOME = “N” and OFF_DAY = “N”
   • Do similar for TO = “Home” etc.

3. • Flags out all transactions where staff did not deduct the cost of journeys starting or ending at “home” since reimbursement policy does not allow claims for journeys made from home to workplace

Detecting Erroneous Claims

Page 18: Auditing ERP Applications and Cloud - TACS 2011

Use of IDEA in Audit of Staff Claims (Transport)

Audit Observation #2: Possible Duplicate Taxi Claims and Claims without Valid Taxi Receipt Numbers

1. • Obtain staff travel claims data for 1 year
   • Identify fields of interest i.e. “RECEIPT_NO”

2. • Extract data where “RECEIPT_NO” is not “” and test for duplicates
   • Extract data where “RECEIPT_NO” is “” (blank)

3. • Flag out all exceptions to business rules and query department responsible for anomalies

Detecting Erroneous Claims

Page 19: Auditing ERP Applications and Cloud - TACS 2011

Use of IDEA in Audit of Staff Claims (Transport)

Audit Observation #3: Unusual multiple journeys within the same day by same staff

1. • Obtain staff travel claims data for 1 year
   • Identify fields of interest i.e. “RECEIPT DATE”, “STAFF ID”

2. • Summarise by “RECEIPT DATE” and “STAFF ID”
   • Sort by “NO_OF_RECS” (no. of records)

3. • High “NO_OF_RECS” indicates multiple journeys made on same day by same staff. Unusual unless staff is doing delivery

Detecting Erroneous Claims
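The four-step approach and the three transport-claim tests above, as an added example in plain Python; it is not part of the original presentation, which used IDEA. The claim rows are constructed, the AMOUNT column and the `threshold` value are assumptions, and FROM_TO_HOME = “N” is assumed to mean that the home journey cost was not deducted.

```python
import csv
import io
from collections import Counter

# Constructed sample extract of staff transport claims (not real data).
# Field names follow the slides; AMOUNT is an assumed extra column.
SAMPLE = """STAFF ID,RECEIPT DATE,RECEIPT_NO,FROM,TO,FROM_TO_HOME,OFF_DAY,AMOUNT
S001,2011-03-01,T1001,Home,Client A,N,N,18.50
S001,2011-03-01,T1002,Client A,Office,N,N,12.00
S002,2011-03-02,T1001,Office,Client B,N,N,18.50
S002,2011-03-02,,Client B,Home,N,N,22.10
S003,2011-03-05,T1003,Home,Office,Y,N,9.80
S001,2011-03-01,T1004,Office,Client C,N,N,7.40
S001,2011-03-01,T1005,Client C,Office,N,N,7.90
S004,2011-03-06,T1006,Home,Event Hall,N,Y,15.00
"""

def load_claims(text):
    """Steps 1-2: import the flat file and define field types."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["RECEIPT_NO"] = r["RECEIPT_NO"].strip()   # text, may be blank
        r["AMOUNT"] = float(r["AMOUNT"])            # numeric
    return rows

def home_not_deducted(rows):
    """Observation 1: journey starts or ends at Home on a working day
    and the home journey cost was not deducted (assumed meaning of "N")."""
    return [r for r in rows
            if "Home" in (r["FROM"], r["TO"])
            and r["FROM_TO_HOME"] == "N" and r["OFF_DAY"] == "N"]

def duplicate_receipts(rows):
    """Observation 2: non-blank receipt numbers claimed more than once."""
    counts = Counter(r["RECEIPT_NO"] for r in rows if r["RECEIPT_NO"])
    return [r for r in rows if counts[r["RECEIPT_NO"]] > 1]

def blank_receipts(rows):
    """Observation 2: claims submitted without a receipt number."""
    return [r for r in rows if not r["RECEIPT_NO"]]

def journeys_per_day(rows, threshold=3):
    """Observation 3: summarise by date and staff, highest NO_OF_RECS first.
    threshold is an assumed cut-off for "unusual"."""
    summary = Counter((r["RECEIPT DATE"], r["STAFF ID"]) for r in rows)
    return [(key, n) for key, n in summary.most_common() if n >= threshold]
```

Each function returns the full exception rows, so the lists can go straight into the Step 4 exception report and the follow-up query to the responsible department.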

Page 20: Auditing ERP Applications and Cloud - TACS 2011

Use of IDEA in Audit of Staff Claims

• Understand business process
  • Walkthrough and document business process
  • Identify key controls for testing
• Obtain data of interest
  • Identify and understand data available
  • Key fields for testing
• Get big picture
  • Do field statistics or summarise all fields to get overall picture of data
• Analyse for exceptions
  • Run analysis for exceptions to business rules

Using a Data Driven in Auditing ERP

Page 21: Auditing ERP Applications and Cloud - TACS 2011

Understanding the Risks of Hosting ERP Data with Cloud Computing

Page 22: Auditing ERP Applications and Cloud - TACS 2011

Connecting with Cloud

Cloud Computing is already here:

• Cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software and information are provided to computers and other devices as a utility (like the electricity grid) over a network (typically the Internet).
  -- Wikipedia (http://en.wikipedia.org/wiki/Cloud_computing)
• Cloud computing in consumer space is pervasive
  • Email services: e.g. Google Gmail, Microsoft Hotmail
  • Instant messaging: e.g. Yahoo Messenger, Microsoft Live, Gmail Gtalk
  • Web content management: e.g. blogger, wordpress
• Cloud computing in business space is growing
  • Refer to OpenCloud Taxonomy

Page 23: Auditing ERP Applications and Cloud - TACS 2011

Connecting with Cloud

Page 24: Auditing ERP Applications and Cloud - TACS 2011

Connecting with Cloud

Page 25: Auditing ERP Applications and Cloud - TACS 2011

Connecting with Cloud

Issues relating to Cloud Computing:

• Key Issues: Security (Source: Trustworthy Computing: Privacy in the Cloud Computing Era – November 2009, Microsoft)
  • Are hosted data and applications within the cloud protected by suitably robust privacy policies?
  • Are cloud computing provider’s technical infrastructure, applications and processes secure?
  • Are processes in place to support appropriate action in the event of an incident that affects privacy or security?

Page 26: Auditing ERP Applications and Cloud - TACS 2011

Connecting with Cloud

Page 27: Auditing ERP Applications and Cloud - TACS 2011

Connecting with Cloud

Public Sector Perspective

• Government Instruction Manual No. 8 (IM8) has been in force
  • Policy on Infocomm Technology (ICT) Security
• Recent update (vide MICA ICT Circular No. 2/2011 on 2 June 2011): Policy now applies to ICT security of systems used to store, process or access Government Data
  • Previously related to “Systems owned by government agencies”
  • Covers new situations where data resides in commercial vendor’s systems and not systems owned by government agencies e.g. where cloud is involved

Page 28: Auditing ERP Applications and Cloud - TACS 2011

Connecting with Cloud

NP Experience

• Education sector – drive towards cloud adoption
• Student Email services:
  • From Lotus Notes to MS Connectmail
  • Cost savings in infrastructure, security and administration
• Mobile Student Assessment for Clinical Attachment
  • Health Sciences (Nursing) students
  • Practicums and clinical attachments to hospital big part of course curriculum
  • Assessment using traditional written examination enhanced
  • Using assessment application developed by 3rd party vendor for iPod Touch
  • iPod Touch Application Database of student assessment records for practicum on Cloud

Page 29: Auditing ERP Applications and Cloud - TACS 2011

Connecting with Cloud

NP Experience

• Internal Audit’s response
  • IT security control objectives do not change
  • Refer to compliance model (figure 6 – Mapping the Cloud Model to the Security Control & Compliance model) to help understand gaps
  • However, cloud deployment of applications and hosting of data re-raises some of the outsourcing risks where vendors are managing your information assets
  • Assess risks and sensitivity of data
  • In accordance with IM8 requirements?

Page 30: Auditing ERP Applications and Cloud - TACS 2011

Questions & Answers

Page 31: Auditing ERP Applications and Cloud - TACS 2011

THANK YOU

Yoong Ee Chuan CPA CIA CISA CISM Email: [email protected]