data mining 11-18-10
DESCRIPTION
Presentation made to the FICPA/IIA. Emphasis on fraud detection, limitations of analytical procedures, and value of DM to external auditors.
TRANSCRIPT
Ed Tobias, CISA, CIA
November 18, 2010
Data Mining & The External Auditors

What we will cover
  Current Perceptions
  What is Data Mining?
  How is Data Mining used?
  Why is Data Mining important to the External Auditors?
  Questions

A little story involving …
  New G/L system
  Curious Audit Manager
  Questionable accounting entries

Introduction
  IT Audit Manager for Hillsborough County
  Certified as a CISA and CIA
  Spend 50% doing Data Mining
  Audit Risk Assessment
  Testing control effectiveness
  Compliance
  Fraud Detection

Introduction
  Who are you?
  Accountants
  Auditors
  Consultants & other industries

Current Perceptions about DM
  Who has not heard of Data Mining?
  Heard of CAATs?
  Computer Assisted Audit Techniques
  Formerly a specialized skill for IT Auditors
  Common in every audit
  Term is practically obsolete

What is Data Mining?
  Automate the detection of relevant patterns
  Look at current & historical data
  Predict future trends
  Efficient method for analyzing large amounts of data
  Enhance key item sampling
  Means for “continuous auditing”

How is Data Mining used?
  Proactively review business processes – “continuous monitoring”
  Identify anomalies
  Risk Assessment
  Reactively assist law enforcement in investigations

How is Data Mining used?
  Outside of Audit, DM is used to generate revenue
  Automating the detection of relevant patterns
  Look at current & historical data
  Predict future trends – “Predictive Analysis”
  aka Business Intelligence / Data Warehouse

How is Data Mining used?
  Audit Process
  Risk Assessment
  Control Assessment
  Fraud Detection and Prevention

How is Data Mining used?
  Risk Assessment
  Data analysis for high risk areas
  High Dollar amounts
  Potential for fraud
  Potential for non-compliance

How is Data Mining used?
  Risk Assessment
  What can be detected?
  Potential fraud or control weaknesses
  Duplicate vendors
  Duplicate invoices
  Duplicate amounts
  Benford’s Law – identify suspicious transactions
  Focus audit on high risk areas
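
An added example (not part of the presentation) of the tests listed on this slide, run over every row of a constructed ledger rather than a sample: duplicate vendor / invoice / amount matching and a Benford's Law first-digit test. The vendor names, amounts, function names, the suffix list and the 1.96 z-score cutoff are assumptions chosen for illustration.

```python
import math
import re
from collections import Counter, defaultdict

def norm_vendor(name):
    """Collapse case, punctuation and legal suffixes so 'Acme, Inc.' matches 'ACME INC'."""
    words = re.sub(r"[^A-Z0-9 ]", "", name.upper()).split()
    return " ".join(w for w in words if w not in {"INC", "LLC", "CORP", "CO", "LTD"})

def duplicate_payments(rows):
    """Group rows by (normalized vendor, amount); keep groups with more than one invoice."""
    groups = defaultdict(list)
    for vendor, invoice, amount in rows:
        groups[(norm_vendor(vendor), amount)].append(invoice)
    return {key: invs for key, invs in groups.items() if len(invs) > 1}

def benford_outliers(amounts, z_cut=1.96):
    """Return {leading digit: z-score} where the observed count departs from Benford's Law."""
    amounts = [a for a in amounts if a > 0]
    n = len(amounts)
    # Scientific notation puts the leading digit first, e.g. 4900.0 -> '4.900000e+03'.
    seen = Counter(int(f"{a:e}"[0]) for a in amounts)
    flagged = {}
    for d in range(1, 10):
        p = math.log10(1 + 1 / d)              # Benford's expected share for digit d
        z = (seen[d] - n * p) / math.sqrt(n * p * (1 - p))
        if abs(z) > z_cut:
            flagged[d] = round(z, 2)
    return flagged

# Constructed sample data, not taken from the presentation.
INVOICES = [
    ("Acme Supply, Inc.", "INV-1001", 1250.00),
    ("ACME SUPPLY INC", "INV-1001A", 1250.00),   # same vendor and amount, new invoice no.
    ("Bay Office Co", "B-77", 310.40),
    ("Bay Office Co", "B-78", 95.10),
]
# 200 amounts spread evenly on a log scale (Benford-like) plus a cluster of 30 near 4,900.
LEDGER = [round(10 * 10 ** (k / 50), 2) for k in range(200)] + [4900.0 + i for i in range(30)]

if __name__ == "__main__":
    print(duplicate_payments(INVOICES))
    print(benford_outliers(LEDGER))
```

A flagged digit or duplicate group is a lead for follow-up testing, not a finding on its own.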

How is Data Mining used?
  Control Assessment
  Traditional audit used sampling approach – SAS 39 Audit Sampling
    o Sampling Risk
      • Detection risk – fail to detect the misstatement
      • Estimation risk – actual amount of misstatement not within the calculated confidence interval

How is Data Mining used?
  Auditors place disclaimers regarding the accuracy of their statistical sampling
  Not affordable or available anymore
  Management wants total assurance & clear indication of errors
    o “Reasonable assurance” is not enough

How is Data Mining used?
  Hard to detect fraud from a sample
  Fraud is on the rise
  ACFE’s 2010 Report to the Nations on Occupational Fraud and Abuse – 1,800+ fraud cases reviewed
  Typical organization loses 5% of revenue
  Median loss is $160,000
  Nearly 25% of frauds > $1 million
  Median duration before detection - 18 months

How is Data Mining used?
  WorldCom audit – based on sophisticated analytical procedures (AP) – SAS 56
  Looking at data “from the top down”
  Financial ratios looked normal compared to peers (2000-2001)
  Data was highly aggregated
    o No verification of underlying data

How is Data Mining used?
  APs only provide negative assurance (alert for possible misstatement)
    o No assurance regarding absence of misstatement w/ no observed deviations

How is Data Mining used?
  Properly designed APs cannot prevent inherent control weaknesses
  Employee collusion
  Management overrides
  Management manipulated the data – conform with AA's expectations
  Cannot rely solely on APs

How is Data Mining used?
  To have confidence in APs – need hard accounting numbers
  “Devil is in the details”
  Transaction-based
  Supported by accounting data
  Traditional testing required
  Inspection
  Observation
  Confirmation

How is Data Mining used?
  DM uses 100% of transactions
  Increases credibility & value of audit
  Pinpoint location of errors
  Department / branch
  Individual

Why is DM important to the External Auditors?
  Clearer audit scope / better assurance of control effectiveness
  Removes the sampling risk
  Increases effectiveness of APs
  Management and External Partners have a working relationship to provide the “best bang for the buck”
  Increases credibility & value of their audit

Why is DM important to the External Auditors?
  Validate the interfaces that perform data transfers between systems
  Data transfers between non-core (in-house) and ERP systems (i.e. SAP, Lawson, Oracle, etc.)
  Data transfers between ERP and financial statement reporting packages (i.e. Clarity, Hyperion, etc.)

Why is DM important to the External Auditors?
  Reduce the need to travel to the work site
  Reduce amount of business process documentation required

Why is DM important to the External Auditors?
  Raymond James & KPMG
  Complexity of business processes = Risk of business unit
  IA performs “quarterly analytics” on selected transaction classes
  Substantive testing
  Analytical procedures

Why is DM important to the External Auditors?
  How much assistance does IA provide to the external auditors?
  1,600 hours x $100/hr = Considerable savings for the firm

Why is DM important to the External Auditors?
  How to get started?
  Talk with your external auditor
  Discuss risk areas
  Review test procedures where DM could be used
  Who can perform DM?
  Current skill sets
  Future training

Questions

Contact Information
  [email protected]
  LinkedIn - http://www.linkedin.com/in/ed3200