siks smart auditing elsas

Philip Elsas ComputationalAuditing.com Vught, The Netherlands October 5-6, 2010 Dutch Research School for Information and Knowledge Systems (SIKS) 2010 Advanced Course on Smart Auditing Part I - Smart Auditing: an auditor (historical) perspective Part II - New risk control mechanisms

Upload: philip-elsas

Post on 13-Jan-2015


DESCRIPTION

Contribution to Smart Auditing PhD course

TRANSCRIPT

Page 1: SIKS Smart Auditing Elsas

Philip Elsas

ComputationalAuditing.com

Vught, The Netherlands, October 5-6, 2010

Dutch Research School for Information and Knowledge Systems (SIKS)

2010 Advanced Course on Smart Auditing

Part I - Smart Auditing: an auditor (historical) perspective

Part II - New risk control mechanisms

Page 2: SIKS Smart Auditing Elsas

Introduction

• Since 2003: Company - Canada, Netherlands
  - Offering software and consultancy services to innovate audit practices and audit software firms

• 1988-2003: Deloitte, with ’97-’99 intermezzo at Bakkenist Management Consultants, sold to Deloitte
  - Principal, chief architect & inventor of Smart Audit Support
  - Smart Audit Support: since 1994 key in Deloitte’s worldwide audit practice. Currently integrated in ‘The Deloitte Audit’
  - System blueprint in chapter 5 of …

• 1990-1996: PhD Computational Auditing
  - PhD in Mathematics & Computing Science on Financial Auditing
  - In parallel to Smart Audit project, 30% part-time, Vrije Universiteit
  - Directly after appearance awarded with the biennial Alfred Coini Prize for the best publication in Auditing

The Dutch Tax Office used Computational Auditing in 2001-2003 as frame of reference to compare Big 4 planning and decision-support models & systems to investigate how to improve audit productivity (57 page report); considers Smart Audit Support ‘leader of the pack’

Page 3: SIKS Smart Auditing Elsas

Organizational Context

Why is Auditing an interesting Domain for SIKS: the Dutch Research School for Information and Knowledge Systems? And, why now?

• Auditors pass judgment on SIKS systems

• In doing so, auditors use their own SIKS systems

• Dutch auditing embodies unique & wanted (that’s new) concepts; need smart digital support to internationalize

Information & Knowledge Systems

Internal & External Auditing

Page 4: SIKS Smart Auditing Elsas

Agenda

• Part I - Smart Auditing: an auditor (historical) perspective

• Part II - New risk control mechanisms

Page 5: SIKS Smart Auditing Elsas

What connects part I & II?

Owner-ordered auditing: dominating and integrating with management-ordered auditing

• Quantitative: completeness of management’s stated profits

• Qualitative: assess irreplaceable internal control to secure actions of agents
  • assess what? long-term incentive & authorization structure
  • how? segregation of duties serving long-term owner interest

• Supercycle: client’s top-level business process
  • from mental model to process model
  • unifying quantitative and qualitative

Why, and how, the present financial crisis is driving owner-ordered auditing core concepts out of a local past and into a global future

Page 6: SIKS Smart Auditing Elsas


Page 7: SIKS Smart Auditing Elsas

Part I

Smart Auditing: an auditor (historical) perspective


Page 8: SIKS Smart Auditing Elsas

Abstract

Part I - Smart Auditing: an auditor (historical) perspective

• What originated the audit profession? Which mainstreams of international evolution can be distinguished?

• How were methods of the owner-ordered audit and management-ordered audit combined into an integral two-way audit approach? How has computational formalization been blended in?

• With special attention to the evolution of the theoretical-deductive Dutch audit doctrine and its connection to mathematics. As opposed to the practical-inductive Anglo-American audit approach.

• Why and how the originally Dutch, formalized two-way audit approach evolved into the world's strongest 'business process'-oriented audit approach. Enabling powerful audit analytics, impossible with old-style approaches.

Page 9: SIKS Smart Auditing Elsas

Agenda Part I - Smart Auditing: an auditor (historical) perspective

• 1840 - 1930: “The early years: pragmatics (UK, US, Dutch)”

• 1930 - 1990: “Developing a model-based theory (Dutch)”, with a presentation by Prof. J.H. Blokdijk RA

• Addressing today’s challenge: “How to improve the audit profession’s relevancy to society (international)”

• 1990 - today: “Computational formalization of model & meta-model (outsiders)”

• Motivation & how today’s audit challenge directs a historical selection

Page 10: SIKS Smart Auditing Elsas

Motivation

Why now? Relevancy

Points made by Frank Partnoy, Roosevelt Institute, March, 2010:

Diagnosis:

• US$ 600,000 Billion derivatives isn’t visible on balance sheets

• “Abusive off-balance sheet accounting”

• “Another F-word: Fiction”

Remediation:

• Solution direction: “Make information available to investors”

Page 11: SIKS Smart Auditing Elsas

Motivation

Why now? Relevancy

Points made by Rick Bookstaber, U.S. House of Representatives, Committee on Science and Technology, Subcommittee on Investigations and Oversight, Sept. 2009:

• Derivatives & markets: leverage, crowding & linkages

• Oversight solution direction: “Get the data”

• “Shareholders are [only] silent partners within the corporation”

• Auditor’s attention point: reliability of the data

• “I don’t think – I don’t mean to be cynical – but I don’t think that leadership within a financial firm can overcome the incentives that exist”

• Inside solution direction: “Long-term incentives”

• “Gaming the system”

Page 12: SIKS Smart Auditing Elsas

Motivation

Why now? Relevancy

Prolonged “License to gaming the system”:

“Moral hazard is worse than ever”

“Wall Street's role in Greek crisis should be no surprise”, Allan Sloan, with ref. by Tom Nierop in public debate on accountant.nl, 2010

“Four Weeks that Shook the Financial World”, Edward Harrison: “Moral hazard is worse than ever”, tvo.org, 2009

Regulatory capture in the financial industry, Bob Hoogenboom & Jules Muis on accountant.nl, 2009-2010

Moral hazard in the audit profession: every crisis leads to more audit work, “Catch-22 accountancy”, Bob Hoogenboom, accountant.nl, 2010

Out of which money pot does a bailed-out banker – e.g. of AIG (And It’s Gone) – love to pay its lobbyists?

Indeed, out of the no-strings-attached TARP (To Avoid Regulating Politicians) pot!

Page 13: SIKS Smart Auditing Elsas

Motivation

Why now? Relevancy

Directing the “License to Gaming”

The notes have not been and will not be registered under the United States securities act of 1933, as amended (the 'securities act'), or the securities laws of any state in the United States, and are subject to US tax law requirements. The notes may not be offered, sold or delivered at any time, directly or indirectly, within the United States or to or for the account of U.S. persons (as defined in either regulation s under the securities act or the United States internal revenue code of 1986, as amended).

In making an investment decision, investors must rely on their own examination of the issuer, the guarantor and the terms of the offering, including the merits and risks involved. These notes have not been recommended by any United States federal or state securities commission or regulatory authority. Furthermore, the foregoing authorities have not confirmed the accuracy or determined the adequacy of this document. Any representation to the contrary is a criminal offence.

This red flag was attached to Lehman’s toxic products, and not only Lehman’s, and was timely and publicly raised by American government and subsequently ignored by European financial oversight & most European financial institutions, see: “Hebben toezichthouders onmacht deels zelf veroorzaakt?” (Dutch only), with ref. to Rutger Schimmelpenninck, liquidator of the Lehman Brothers Treasury, leading to questions asked in Dutch parliament, accountant.nl, 2009

“House of Cards”, Canadian Broadcasting Corporation (CBC), Fifth Estate, 2010, highlights US government’s knowledge built up in the 2002 lawsuits

Compare “tone at the top” by appointments: résumés of Mark Carney & Nout Wellink & compare bail-outs

“Subprime primer”

Page 14: SIKS Smart Auditing Elsas

Today’s audit challenge No.1

International Federation of Accountants (IFAC), “Financial Reporting Supply Chain”

“Shareholders should more actively pursue their ownership responsibilities” & “Align managerial behavior with the interests of the owners”, Jane Diplock, 2010

European Commission, “Corporate governance in financial institutions and remuneration policies”, green paper, June 2010, § 3.5 “The role of shareholders”

“ … lead to the abstraction, or even disappearance, of the concept of ownership normally associated with holding shares” & footnote 18

General questions 5 & 3: “How to practically improve shareholder control of financial institutions, if still realistic?” & Necessary reinforcements for the external auditor

Gaspar et al. “Shareholder Investment Horizon and the Market for Corporate Control”

“Shareholders have little to say in the USA” & “Push legislators for statutory duty of care to investors, and get over the Caparo ruling (UK)”, David Webb, 2010

Page 15: SIKS Smart Auditing Elsas

Today’s audit challenge No.2

International Federation of Accountants (IFAC), “Financial Reporting Supply Chain”

“Moving forward, national accountancy organizations should be charged with inventorying, bottom up, systemic disconnects that are difficult to voice for individual audit firms fearful of offending clients, and synthesizing them in an anonymous fashion.”, Jules Muis, 2010

See: “Preparing for an Audit Mandate to Contribute to Systemic Risk Anticipation”, ‘de Accountant’ & accountant.nl, 2009, with follow-up in 2010

Connecting ‘micro’ to ‘macro’

Rick Bookstaber’s Congressional testimonies on:

- Hedge Funds, 2009
- Derivatives, 2009
- Systemic Risk, 2008 & 2007

“My concern is that they are making themselves irrelevant.” Steven Thomas about auditors, based on the E&Y - Lehman case, 2010

See Royal NIVRA project “Sharing Knowledge” (“Kennis Delen”), NIVRA.nl, with a requested comment on the new financial legislation for derivatives, June 2010

Page 16: SIKS Smart Auditing Elsas

Today’s challenges

“Thus, the most important factor is society’s needs, and the related factor that interacts with it is the ability of auditing methods to meet society’s needs.

However, society’s needs are not fixed and change over time.

Also, auditing methods can change and improve over time.”

Douglas Carmichael, First and Founding Chief Auditor of the Public Company Accounting Oversight Board (PCAOB), with reference to the Theory of Rational Expectations by Th. Limperg Jr. (1879-1961) in “The PCAOB and the Social Responsibility of the Independent Auditor”, 2004

Th. Limperg Jr.

Page 17: SIKS Smart Auditing Elsas


Page 18: SIKS Smart Auditing Elsas

Addressing today’s challenge no.2

Financial institutions are exposed to more moral hazard than ever before. Why not measure systemic risk while it’s building up? Why not introduce preventive measures to reduce build-up?

A newborn, powerful preventive measure is the Royal NIVRA’s ‘Sharing Knowledge’ project, with supportive technology.

The auditor is positioned to attest whether internal controls and incentives are in place to provide data of adequate reliability.

A reliability emphasizing long-term ownership interests.

Anything better to neutralize management’s exposure to moral hazard than the owner-ordered audit?

Individual financial institutions might each be free of an internal systemic risk, while, as a collection, they may induce an external systemic risk. This occurs when a lot of institutions take a similar position, while the other side is not sufficiently covered. Loosely speaking: too many are on the same side of the ship, without them being able to see one another. The auditor is a pre-eminent party to make such accumulated systemic risk visible. It’s a party that is able to aggregate information into systemic risk indicators - or to certify the therefor required reporting channel - while taking professional care of confidentiality issues.

See: ‘de Accountant’, April 2010

Page 19: SIKS Smart Auditing Elsas

Agenda Part I - Smart Auditing: an auditor (historical) perspective

• 1840 - 1930: “The early years: pragmatics (UK, US, Dutch)”

• 1930 - 1990: “Developing a model-based theory (Dutch)”, with a presentation by Prof. J.H. Blokdijk RA

• Addressing today’s challenge: “How to improve the audit profession’s relevancy to society (international)”

• 1990 - today: “Computational formalization of model & meta-model (outsiders)”

• Motivation & how today’s audit challenge directs a historical selection

Page 20: SIKS Smart Auditing Elsas

1840 - 1930: United Kingdom

The auditing profession originated in the second half of the nineteenth century in the United Kingdom. This development was mainly caused by the trade unrests during the 1810’s and the subsequent intensified Industrial Revolution.

Technological developments caused an increase in investments and major changes in financial markets and organisations (i.e., a separation between ownership and management). Many companies were formed during this period; as a consequence of depressions and bankruptcies, the demand for independent audits of financial information grew.

So, generally speaking, British auditors became involved in corporate activity through the need to audit bankruptcy statements, as company failures were a common feature of early industrial activity.

As a consequence, in 1844 for the first time stockholders obtained the right to audit the company accounts as prepared by management (Statutory Audit Requirement, The British Joint Stock Companies Act, 1844).

Based upon “Reflections on Auditing Theory”, Hans Blokdijk et al., Limperg Institute, 1996

Page 21: SIKS Smart Auditing Elsas


Page 22: SIKS Smart Auditing Elsas


1840 - 1930: United States of America (1/2)

At the end of the 19th century, industrial growth also led to an increase in the demand for capital in the USA.

As a result, it became necessary for many companies to seek capital from abroad; the main source was the United Kingdom.

British investors required an audit of the financial reports by independent (British) auditors, which – unsurprisingly – led to an increase in the demand for independent auditors' opinions on reported financial positions in the United States (Littleton & Zimmerman, 1962).

In the early stages of the development of the profession, it was very important for the auditors to satisfy the specific requirements of management.

Based upon “Reflections on Auditing Theory”, Hans Blokdijk et al., Limperg Institute, 1996

Page 23: SIKS Smart Auditing Elsas

1840 - 1930: United States of America (2/2)

Until approximately 1930, the demand for audits by management, bankers and potential stockholders existed in the United States to support investment decisions and to investigate fraud.

Because the auditor was engaged to perform these specific investigations by management, instead of stockholders, auditors' attitudes became relatively client-oriented, thus management-oriented, instead of oriented towards stockholders or potential stockholders, thus society as actual users of the financial statements (the actual, ultimate client).

To attract British investment capital (‘US new style capitalization’), or to be able to get a bank loan (‘US old style capitalization’), US company management increasingly ordered an independent opinion: to improve credibility of the existence of their stated net equity and net profits.

This audit objective is known as auditing for overstatement of net profits and stockholders’ equity.

Based upon “Reflections on Auditing Theory”, Hans Blokdijk et al., Limperg Institute, 1996

Page 24: SIKS Smart Auditing Elsas

Who are owners?

Who is management?

• Private equity vs. operational management

• Public raised equity vs. operational management

• Franchisor vs. franchisee

• Pension fund participants (contributors, ‘sleepers’ & receivers) vs. pension fund (‘mothered’ by company, industry sector, or none; defined benefit vs. defined contribution)

• Private equity firm vs. buyout (e.g. short term ownership)

• Patent or revenue rights holder vs. exploitation company

• Software developer vs. selling company (e.g. Apple store)

• Tax offices vs. tax payers (companies and others)

Page 25: SIKS Smart Auditing Elsas


1840 - 1930: The Netherlands (1 of 3)

Contrary to the Anglo-American historical evolution, auditing in the Netherlands initially focused on meeting the requirements of owners and others who were entitled to the profits of an entity.

An important cause was the fact that, for a relatively long period of time, economic growth in the Netherlands was financed by equity capital (‘NL old style capitalization’) as opposed to loan capital in the USA (‘US old style capitalization’).

Moreover, raising new capital in public markets was not promoted by bankers, who were slow to adapt to the rapid developments in the business community during the 1920’s. Their so-called 'house' bankers encouraged the Dutch companies to borrow from them or to finance their operations by retaining earnings (‘NL new style capitalization’), instead of issuing stock or bonds on the capital market (Zeff, Van der Wel & Camfferman, 1992, p.352).

Based upon “Reflections on Auditing Theory”, Hans Blokdijk et al., Limperg Institute, 1996

Page 26: SIKS Smart Auditing Elsas

1840 - 1930: The Netherlands (2 of 3)

In the Netherlands, the primary reason for the origin of the independent audit was the creation of the division between management and ownership.

The theory of the independent audit was based on the insight that a potential conflict of interest exists between the management of an entity and its owners (stockholders).

It was understood that the stockholders demand that revenue be recorded completely and expenses be recorded correctly, as the difference, net profit, is the basis for their dividends and the value of their stock.

On the other hand, management might be motivated towards not reporting all of the revenue or create fake expenses or overly high expenses or bonuses. This would enable them to smooth income or withdraw the unreported revenue or faked expenses, or inflated parts of the expenses, for themselves (fraud).

Based upon “Reflections on Auditing Theory”, Hans Blokdijk et al., Limperg Institute, 1996

See: challenge no. 1, slide 14 & 17

Page 27: SIKS Smart Auditing Elsas

1840 - 1930: The Netherlands (3 of 3)

In other words, the independent audit in the Netherlands originated from the need to verify the accounting of the funds entrusted to management of an entity on behalf of those who had a direct financial interest in the results of the entity. It should be emphasized that these not only included the stockholders, but also other stakeholders, and, of the utmost importance, potential stock- and stakeholders, that is, society at large.

As a consequence, Dutch auditors turned their attention primarily to management's tendencies to understate revenues or overstate expenses in the income statement.

This focus is known as auditing for understatement of net profits, or, articulated one spade deeper, completeness of revenues and correctness of expenses.

Based upon “Reflections on Auditing Theory”, Hans Blokdijk et al., Limperg Institute, 1996

The very fact that the owner-ordered audit encloses a substantiated focus on ‘society at large’, is key in recognizing the suitability of this tradition in preventing that society ends up being owner of last resort in company bail outs

Page 28: SIKS Smart Auditing Elsas

1840 - 1930: Two Main Ways of Audit

Parties in the diagram: Owners, Management, Potential Owners

Management-ordered audit, to attract new investors: to increase credibility that profits aren’t OVERstated: that stated profits are real, and not (partly) fake

Money inflow for management: maximize equity

Owner-ordered audit, to check management: to increase credibility that profits aren’t UNDERstated: that no revenues are missing & expenses (e.g. bonuses) aren’t too high

Money inflow for owners: long-term ROI

Page 29: SIKS Smart Auditing Elsas

Owner-ordered audit: an example

Your client is a hotel franchisor. With lots of franchisees. The franchisor wants assurance that each franchisee, the operational hotel management, isn’t making money on rooms and not reporting it. What method substantiates the assurance you provide to your client?

The Ritz-Carlton Investing Company was established by Albert Keller, who bought and franchised the name in the United States. In 1927 he built the first Ritz-Carlton hotel in Boston, Massachusetts.

Page 30: SIKS Smart Auditing Elsas

Agenda Part I - Smart Auditing: an auditor (historical) perspective

• 1840 - 1930: “The early years: pragmatics (UK, US, Dutch)”

• 1930 - 1990: “Developing a model-based theory (Dutch)”, with a presentation by Prof. J.H. Blokdijk RA

• Addressing today’s challenge: “How to improve the audit profession’s relevancy to society (international)”

• 1990 - today: “Computational formalization of model & meta-model (outsiders)”

• Motivation & how today’s audit challenge directs a historical selection

Page 31: SIKS Smart Auditing Elsas

1930-1990: Branching scientific approaches

Anglo-American evolutionary branch: practical-inductive

• Audit policies, methods and standards follow from considering a lot of performed audits; empirical

• 1840-1930 foundation: management-ordered audit: overstated profits

Dutch evolutionary branch: theoretical-deductive

• Audit methods evolve from client’s business process, i.e. a normative model

• Originally only a mental process model; later, due to formalization, supported by an executable process model

• 1840-1930 foundation: owner-ordered audit: understated profits

Page 32: SIKS Smart Auditing Elsas

1930 - 1990: Branching approaches

• The owner-ordered audit tradition integrates the approach of the management-ordered audit, leading to an integral two-way audit approach (Dutch only)
  - Theoretical-deductive on normative models, with mainstays:
    • Auditee’s top-level business process
    • Accounting Organization / Internal Control (AO/IC)
  - Integral evolution of theory, practice & education; over full period; culminating into theory connecting to process math

• The management-ordered audit tradition gets government intervention (USA, 1930’s), and moves forward by setting audit standards
  - Practical-inductive: early standards prescribe specific procedures, later evolving into more generic guidance
  - Recognition of missing a method to substantiate completeness of revenues: ‘Completeness: the Elusive Assertion’
    • Whittington, Zulinski & Ledwith, 1983
    • Leslie, Aldersley, Cockburn & Reiter, 1986; Cockburn, 1987

Page 33: SIKS Smart Auditing Elsas


Introduction Prof. J.H. Blokdijk RA

• Nestor of Dutch auditing discipline

• Inventor ‘irreplaceable internal control’ concept

• Emeritus auditing professor (VU & Nyenrode)

• Partner KPMG, member National Office

• Commissioner Royal NIVRA


Page 34: SIKS Smart Auditing Elsas

Annual company accounts

Page 35: SIKS Smart Auditing Elsas

Contribution by Prof. J.H. Blokdijk RA

On the basis of the previous slide I may explain the Dutch approach to substantive auditing. Starting point is the completeness of revenue from sales: if sales appear to be recorded completely, the sum of receivables and cash receipts have also been recorded completely: double-entry bookkeeping! No understatements! But receivables and cash are subsequently audited for overstatements; if these appear not to have occurred, revenue from sales cannot have been overstated either. So debit balances are being audited for overstatements, and credit balances for understatements.

The same goes for expenses and liabilities. The latter are audited for completeness, and expenses for overstatements. If no irregularities are found, expenses have also been completely accounted for, and liabilities do not contain non-existing debts.

In practice, there are, of course, complexities and technicalities to deal with in this approach, but the principle just outlined is the basis.

So there is no need to audit any item, whether in the balance sheet or in the income statement, both for under- and overstatements. This is highly efficient; it is my impression that this is not being fully recognized in the International Statements on Auditing.

Page 36: SIKS Smart Auditing Elsas

Contribution by Prof. J.H. Blokdijk RA

Dutch auditors have also given thought to something called ‘auditability’. For the audit of ‘assertions’ in the books the auditor should have ‘evidence’, especially for auditing for overstatements. An important source is: documents. But an invoice from a supplier is not sufficient in itself: the supplier may have overstated the price and/or the amount of goods purportedly delivered. The invoice should be reviewed and authorized internally. Here is where ‘internal control’ comes in.

Performance of internal controls in that stage should normally be evidenced in some form, by stamps, initials on a voucher, and the like. The control should be performed by the appropriate employee: the system should provide for an adequate segregation of duties. Evidence of performance should include the identity of the employee.

But how conclusive is that evidence? International Standards on Auditing mention several inherent limitations of internal control, such as human error, circumvention of internal controls through collusion, and management override. In performing tests of control, can the auditor detect this? This would only be possible if the auditor were able to repeat performing the internal controls involved.

Page 37: SIKS Smart Auditing Elsas

Contribution by Prof. J.H. Blokdijk RA

The problem can be illustrated with the following example. It involves invoices for goods or services received. It does not yet deal with the circumstance that many internal controls in this stage are no longer evidenced in visible form, but are embedded in the automated systems.

Regarding those invoices, the auditor can easily reproduce the computation of the final amount and of a sales tax amount included in it. Reproducing the internal control on the price invoiced is more difficult: it may be in agreement with a price list from the supplier that the auditor may consult, but employees in the purchasing department are paid by the employing entity to obtain a better price. The difference may partly or wholly end up in their own pockets by way of the infamous kick-backs. Only a thorough knowledge of that particular market would enable the auditor to uncover such a defalcation; as he/she cannot be expected to have such expertise on all the markets where his/her clients do business, he/she must rely on the system of internal control.

Page 38: SIKS Smart Auditing Elsas

Contribution by Prof. J.H. Blokdijk RA

Similar considerations apply to the receipt of goods and the performance of services. Some goods could be traced afterwards, though that may be highly impractical. Most office supplies, however, are simply used up, and as to services, it is virtually impossible to ascertain that the windows actually have been cleaned if the audit takes place three months after. For the most important aspects of those purchases, the auditor cannot do much more than look for evidence of the performance of internal control.

So, there are internal controls that cannot be reproduced by the auditor. The issues raised by this circumstance have been explored extensively in Dutch auditing literature. The best English translation I have been able to find for this type of internal controls is: 'non-reproducible' internal controls (in Dutch: “onvervangbare interne controle”).

Sometimes, investigative techniques designed to overcome the restrictions outlined above, do exist, but an independent auditor is not allowed to use them. An example is the situation in which an auditor has suspicions about a credit note purportedly granted by his/her client to another company audited by a partner of his/her own audit firm. The professional rule of confidentiality does not permit the former auditor to consult the latter on this document.

Page 39: SIKS Smart Auditing Elsas

Contribution by Prof. J.H. Blokdijk RA

‘Non-reproducible’ internal controls

Even though there are internal controls that can be reproduced, such as those involving arithmetical operations, the most important ones often cannot be reproduced. The fundamental causes have been categorized as follows:

(1) expertise: the auditor cannot possibly acquire sufficient expertise to form, entirely by himself, a conclusive opinion on all the technical and/or commercial events that are to be reflected in the financial statements (e.g., product yield rates, purchase prices);

(2) presence: the auditor cannot possibly be continuously present on the client's premises in order to ensure the completeness of the recording of transactions and (relevant) events; apart from economic considerations, this is unacceptable in that it would jeopardize the client's and/or the auditor's independence; and

(3) inadmissibility of investigative techniques: the independent auditor is not entitled to use certain techniques that are available to government auditors (such as informing other government auditors about other taxpayers), or that may be used by police authorities (such as wiretaps, search of private premises and the like).

Page 40: SIKS Smart Auditing Elsas

Contribution by Prof. J.H. Blokdijk RA

So what should auditors do about ‘the system of internal control’? Firstly, they should evaluate the design of the system. Especially important is the segregation of duties; e.g., no single person should be able to authorize payment of invoices, and persons charged with the authorization of separate elements (quantity, quality, prices) of invoices should not have an interest in collusion with each other, or with suppliers or other parties outside the auditee.

In order to better evaluate the design of the internal control system, dr. Elsas has developed a very promising automated technique, which he will be glad to further explain.

Page 41: SIKS Smart Auditing Elsas

Owner-ordered audit concepts & methods: ‘Crown jewels’

• Supercycle concept
  – client’s top-level business process model
  – typology of supercycles

• Mainstays of supercycle-based audit method
  – qualitative: AO/IC in design, implementation & operation, focusing on irreplaceable & indispensable internal control
  – quantitative: spanning reconciliation checks, or, alternatively phrased, comprehensive coherence testing

• Limperg’s theory of rational expectations

Unfortunately, hardly translated into English, except for Limperg’s theory, in the 1970’s. In the public domain only Blokdijk et al. ‘96, and Elsas ‘96.

Page 42: SIKS Smart Auditing Elsas

Supercycle: top-level business process

Schmalenbach (1929), Limperg (1926, 1930’s), Abr. Mey (1936), Burgert (1957), Starreveld (1962, 1980’s), Frielink (1980’s), Blokdijk (1975), Veenstra (1972, p.41)

[Diagram: supercycle with a Buy Side and a Sell Side; labels: Buy price, Inside (cost price), Sell price]

A rectangle represents a state, a balance sheet item

A circle represents a (trans)action, an activity, a mutation to connected states

‘Soll’ (To Be) & ‘Ist’ (As Is) modalities

Page 43: SIKS Smart Auditing Elsas

Supercycle-based Auditing Laws

Law 1. Rational relation between consumed resources & produced products and/or services: per type of products or services (categorized) with a cost price based on activity in the supercycle (Limperg, ABC, …)

Alternatively phrased, normative relation between: generated margin & frequency of business transactions

Law 2. Rational relation between states at time points & mutation streams over the enclosed time period: per state except: Money > 0

Starreveld et al. & Frielink et al.: “De wet van het rationeel verband tussen opgeofferde en verkregen zaken” (the law of the rational relation between sacrificed and obtained goods) & “De wet van de samenhang tussen toestand en gebeuren” (the law of the coherence between state and events), the BETA formula

Begin - End + Inflow - Outflow = 0,

Gross Margin = Sales price - Cost price, Replacement Cost Accounting, Activity Based Costing

Page 44: SIKS Smart Auditing Elsas

Supercycle-based auditing, model-based auditing

[Diagram: Begin and End states; Buy transaction (Purchase price), Money buffer, Goods buffer, Sell transaction (Sales price)]

What happened in between? What is the normative relation?

Page 45: SIKS Smart Auditing Elsas

Supercycle-based auditing

• 10,000’s man years of conceptualization and abstraction, integrated with proof in practice, over decades
• Worldwide recognized high quality audit education: 3-years post-Master
• Integrating owner-ordered audit method & management-ordered audit method into two-way audit approach
• Traditional Dutch audit education literature, Frielink et al.
• Mathematical framework: system of linear equations, based on the BETA-formula
• World’s scientifically strongest audit approach, due to its mathematical foundation
• How the spanning reconciliation checks, based on spanning equations, relate to the supercycle
• Superbly suited for powerful computational support

Page 46: SIKS Smart Auditing Elsas


Page 47: SIKS Smart Auditing Elsas

Accounting Organization / Internal Control (AO/IC)

The Accounting Organization (AO) can be envisaged as the information infrastructure of an organization, as it is formed by:
(i) the organization’s Information System, and,
(ii) the procedural embedding of this Information System into the organization, e.g. managerial and logistic control, judgment and decision-making.

The organization’s Information System is considered to embody all economical and financial information and information processing services required for both:
(i) the functioning of, and control over, the surrounding organization, and
(ii) the rendering of account over that functioning, as is done in the financial statements.

p.37

Page 48: SIKS Smart Auditing Elsas

Accounting Organization / Internal Control (AO/IC)

The AO is the producer of the financial statements. Since error proneness in organizational production processes is inevitable, it necessitates control over this error proneness. For this purpose, a system of Internal Control (IC) is identified, whose goal is twofold, namely:
(i) to secure trustworthiness of accounting information in the organization, and,
(ii) to control (potential) error in both accounting and business operation.

The IC can be considered the “immune system” of the organization, in particular the AO; i.e., immunity to error in an organizational context. AO & IC are not considered disjunct systems.

pp.37-39

Page 49: SIKS Smart Auditing Elsas

Accounting Organization / Internal Control (AO/IC)

Internal Control (IC) consists of:
(i) internal control measures, including organizational rules & incentives structures, intended to be continuously present
(ii) internal check & control activities, taking only a relatively short amount of time, as compared to the audit period

Internal control measures are refined into:
(i) preventive protection of enterprise values
(ii) preventive securing of actions of agents
(iii) creation of opportunities for detective and corrective check & control activities

‘Securing actions of agents’ is refined by restricting authorizations to different agents for:
(i) actions directly changing values: internal, inflow & outflow
(ii) actions involving no direct change of values

pp.38-42

Page 50: SIKS Smart Auditing Elsas

Audit-technical segregation of duties

The authorization restrictions to secure actions of agents involving no direct change of value are refined into segregation of duties (SoD): audit-technical SoD & other SoD

• Restrict every agent’s access to only a limited number of links in the supercycle

• Impose non-coinciding, preferably opposite, agent interests; especially for, but not limited to, recording activities

• Avoid in one hand authorizations & duties of the following types:
  – Custodial
  – Directive
  – Operative
  – Recording
  – Checking

pp.43-46

Potential risk: management overriding of internal control & mitigation methods from the owner-ordered audit tradition

Leading to powerful conceptualization: in particular securing of actions of agents, and ownership-oriented segregation of duties, thus including managerial duties from a critical point of view (!), therefore key in the irreplaceable and indispensable internal control

See: challenge no. 1, slide 14 & 17

The owner-ordered audit tradition substantiates the concept of internal control from the perspective of the owners’ original and authentic long-term interests
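The first and third rules of audit-technical segregation of duties can be checked mechanically over an authorization table. The Python sketch below is an added example, not code from the slides or from Smart Audit Support, and it is a plain rule check rather than the algebraic analysis the talk refers to; the agent names, the sample table and the `max_links` threshold are assumptions.

```python
from collections import defaultdict

# The five duty types the slide says should not be combined in one hand.
DUTY_TYPES = ("custodial", "directive", "operative", "recording", "checking")

# Constructed sample table: (agent, supercycle link, duty type).
# Agent names are hypothetical; the links follow the supercycle process steps.
AUTHORIZATIONS = [
    ("alice", "purchase", "directive"),
    ("bob", "accept", "custodial"),
    ("bob", "deliver", "custodial"),
    ("carol", "purchase", "recording"),
    ("carol", "pay", "recording"),
    ("dave", "pay", "directive"),
    ("dave", "pay", "recording"),
    ("dave", "collect", "custodial"),
    ("erin", "sales", "operative"),
    ("erin", "purchase", "operative"),
    ("erin", "pay", "operative"),
    ("erin", "collect", "operative"),
]


def sod_findings(authorizations, max_links=3):
    """Return (agent, finding, evidence) tuples, ordered by agent.

    max_links is an assumed policy value for "a limited number of links".
    """
    duties = defaultdict(set)    # agent -> duty types held
    links = defaultdict(set)     # agent -> supercycle links touched
    per_link = defaultdict(set)  # (agent, link) -> duty types on that link
    for agent, link, duty in authorizations:
        if duty not in DUTY_TYPES:
            raise ValueError(f"unknown duty type {duty!r} for agent {agent!r}")
        duties[agent].add(duty)
        links[agent].add(link)
        per_link[(agent, link)].add(duty)

    findings = []
    for agent in sorted(duties):
        # Rule: do not combine duty types in one hand.
        if len(duties[agent]) > 1:
            findings.append((agent, "mixed-duties", tuple(sorted(duties[agent]))))
        # Sharper case of the same rule: the combination sits on a single link.
        for link in sorted(links[agent]):
            held = per_link[(agent, link)]
            if len(held) > 1:
                findings.append((agent, f"same-link:{link}", tuple(sorted(held))))
        # Rule: restrict each agent to a limited number of supercycle links.
        if len(links[agent]) > max_links:
            findings.append((agent, "too-many-links", tuple(sorted(links[agent]))))
    return findings


if __name__ == "__main__":
    for agent, finding, evidence in sod_findings(AUTHORIZATIONS):
        print(f"{agent:6} {finding:16} {', '.join(evidence)}")
```

The second rule, opposite agent interests, concerns incentives rather than authorizations and is not something an authorization table alone can show.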

Page 51: SIKS Smart Auditing Elsas

Supercycle & AO/IC

The owner-ordered tradition introduces the concept of a quasi-goods stream for bonus rights – integrated within the regular stream of goods and services (see diagram) – allowing for an integral assessment of the authorization and incentive structure, as key component of the irreplaceable and indispensable internal control

Here we’re in a smart auditing course, which may raise the question “Is there dumb auditing?”

See: challenge no. 1, slide 14 & 17

Page 52: SIKS Smart Auditing Elsas

Accounting Organization / Internal Control (AO/IC)

1. Control measures vs. check & control activities
2. Preventive, detective & corrective
3. Design, implementation & operation
4. First-time recording vs. using existing recordings
5. Irreplaceable vs. replaceable; indispensable
6. Preventive securing of actions of agents vs. values; check point
7. Direct change of value vs. no direct change of value; outside
8. Segregation of duties; audit-technical vs. business-economical

pp.38-43

Page 53: SIKS Smart Auditing Elsas

Owner-ordered audit: an example

Your client is a beer brewing company, delivering to retailers, pubs and events. When delivering to an event it’s commonly as a sponsor. The brewery wants assurance that the operational management of the event isn’t making extra money with their beer without reporting it. What method substantiates the assurance you provide to your client? Hint: span & reconcile information over buy side & sell side.

Haarlem beer barrel race, 2009, event sponsored by beer breweries

Page 54: SIKS Smart Auditing Elsas

Agenda Part I - Smart Auditing: an auditor (historical) perspective

• 1840 - 1930: “The early years: pragmatics (UK, US, Dutch)”
• 1930 - 1990: “Developing a model-based theory (Dutch)”, with a presentation by Prof. J.H. Blokdijk RA
• Addressing today’s challenge: “How to improve the audit profession’s relevancy to society (international)”
• 1990 - today: “Computational formalization of model & meta-model (outsiders)”
• Motivation & how today’s audit challenge directs a historical selection

Page 55: SIKS Smart Auditing Elsas

Computational formalization, with fully continued, proven & improved software base

• 1990 - 1996: Initiated in Smart Audit Support project collaboration between Deloitte and faculty of Math & Computing Science of Free University of Amsterdam, ignited by sampling support system for the Dutch practice (’88-’90), based on adapted TMYCIN sources

• 1997 - 2002: Continued in process-based costing project, facilitating end-user tooling to specify and analyze enterprise-wide process model diagrams; at Bakkenist Management Consultants for privatizing Dutch Post Office in its merger with TNT. In collaboration with the faculties of Math & Computing Science of Amsterdam & Eindhoven

• 2003 - today: Continued in ComputationalAuditing.com with example formalizations & applications in Part II: New risk control mechanisms

Page 56: SIKS Smart Auditing Elsas


Page 57: SIKS Smart Auditing Elsas

Smart Audit Support’s document index related to Deloitte’s International Audit Approach (1990’s)

p.336

Deloitte’s approach (flowchart, p.62)

Phases: PERFORM PRE-ENGAGEMENT ACTIVITIES; PERFORM PRELIMINARY PLANNING; ASSESS RISK; DEVELOP AUDIT PLAN; PERFORM AUDIT PLAN; CONCLUDE AND REPORT

Steps:
• Assess Engagement Risk
• Establish Terms of Engagement
• Perform Preliminary Analytical Procedures
• Understand the Client's Business
• Understand the Accounting Process
• Determine Planning Materiality
• Develop Client-Service Objectives
• Understand the Control Environment
• Assess Risk at the Account and Potential-Error Level
• Rely on Controls? / Control Reliance Strategy?
• Identify Controls That Mitigate Risk
• Identify Controls and, if Efficient, Establish a Rotation Plan
• Test Controls
• Perform Focused Substantive Tests
• Perform Basic Level of Substantive Tests
• Perform Intermediate Level of Substantive Tests
• Evaluate Results of Tests
• Perform Financial Statement Review
• Perform Subsequent Events Review
• Obtain Management Representations
• Report on Financial Statements and Render Management Letter

Decision branches: Specific Identified Risk / No Specific Identified Risk; NO / YES / YES / NO

All planning docs are smart forms with built-in Conditional Relevancy

Example audit pack

In addition to $200M yearly cost reduction ROI is:
- Relevant Doc & Planning, no more no less
- Comfortable & stringent way to get it

Yearly ROI guess: 20K man-yrs/yr x $10K cost reduction/man-yr = $200M

Page 58: SIKS Smart Auditing Elsas

Process-based Cost Price: connector for stream of money and stream of goods & services

[Diagram: spanning supercycle; labels: volume, cost price]

Forecasted volume vs. realized volume

Planning & Control

The cost price captures the quantitative relation between resource use & produced products

Relating the stream of goods and the stream of money, answering “What’s the gross margin per product type?”, as required for auditing the completeness assertion

Page 59: SIKS Smart Auditing Elsas

Agenda Part I - Smart Auditing: an auditor (historical) perspective

• 1840 - 1930: “The early years: pragmatics (UK, US, Dutch)”
• 1930 - 1990: “Developing a model-based theory (Dutch)”, with a presentation by Prof. J.H. Blokdijk RA
• Addressing today’s challenge: “How to improve the audit profession’s relevancy to society (international)”
• 1990 - today: “Computational formalization of model & meta-model (outsiders)”
• Motivation & how today’s audit challenge directs a historical selection

Page 60: SIKS Smart Auditing Elsas

Addressing today’s challenge

Match-making between ‘pull’ & ‘push’

Pull side
• Improve the audit profession’s relevancy to society
  – Individual audit: ownership orientation (chall. 1)
  – Contribute to systemic risk mitigation (chall. 2)

Push side
• R&D of supportive concepts and technology

Internationalize the owner-ordered audit method. This requires deep computational support. Why?

To minimize international, educational burden (3-years post-Master)

To streamline train-the-trainer, roll-out & getting ROI fast

Page 61: SIKS Smart Auditing Elsas

Part II

New risk control mechanisms

Page 62: SIKS Smart Auditing Elsas

What connects part I & II?

Owner-ordered auditing: dominating and integrating with management-ordered auditing

• Quantitative: completeness of management’s stated profits

• Qualitative: assess irreplaceable internal control to secure actions of agents
  – assess what? long-term incentive & authorization structure
  – how? segregation of duties serving long-term owner interest

• Supercycle: client’s top-level business process
  – from mental model to process model
  – unifying quantitative and qualitative

Why, and how, the present financial crisis is driving owner-ordered auditing core concepts out of a local past and into a global future

Page 63: SIKS Smart Auditing Elsas

Abstract

Part II - New risk control mechanisms

• The current financial crisis -- from bank balances to state balances -- challenges the audit profession to increase its societal relevancy

• How to contribute to preventing that aggregated positions of individual financial institutions accumulate into systemic risks?

• Why is the formalized two-way audit approach the best to address such actual and persistent questions? Why is co-operation between SIKS researchers and the auditing discipline opportune?

• Another driver for audit innovation is found in sustainability audits: Has no part of realized waste and pollution been left unstated? Alternatively articulated: How to audit the completeness assertion of stated financial impact of produced waste and pollution?

Page 64: SIKS Smart Auditing Elsas

Agenda

Part II - New risk control mechanisms

• Supercycle: interface between organization & auditor
  – Soll & Ist
  – Qualitative: internal control to secure actions of agents
  – Quantitative: “completeness, the elusive assertion”
• Jacquard project: “Next Generation Auditing”, 2010-2014, with a software demo by Jacques de Swart & Paul Griffioen
• Nexus micro-macro, consolidated
  – Financials: ‘incentives thread’ of owner-ordered audit
  – Sustainability: ‘completeness thread’ of owner-ordered audit
  – Public digital infrastructure for financial utility functions & to facilitate SWOOPs: Self Web-Organized Owning Parties
• Golden opportunity for the Netherlands
• Your questions

Page 65: SIKS Smart Auditing Elsas

Supercycle: interface between organization & auditor

http://www.ComputationalAuditing.com/images/Kring.swf

Process Steps
1. Purchase
2. Accept
3. Sales
4. Deliver & Collect
5. Pay
6. Collect

Page 66: SIKS Smart Auditing Elsas

Soll & Ist modalities

Soll: To Be, normative

Ist: As Is, representative

Page 67: SIKS Smart Auditing Elsas

Agenda

Part II - New risk control mechanisms

• Supercycle: interface between organization & auditor
  – Soll & Ist
  – Qualitative: internal control to secure actions of agents
  – Quantitative: “completeness, the elusive assertion”
• Jacquard project: “Next Generation Auditing”, 2010-2014, with a software demo by Jacques de Swart & Paul Griffioen
• Nexus micro-macro, consolidated
  – Financials: ‘incentives thread’ of owner-ordered audit
  – Sustainability: ‘completeness thread’ of owner-ordered audit
  – Public digital infrastructure for financial utility functions & to facilitate SWOOPs: Self Web-Organized Owning Parties
• Golden opportunity for the Netherlands
• Your questions

Page 68: SIKS Smart Auditing Elsas


Page 69: SIKS Smart Auditing Elsas


Page 70: SIKS Smart Auditing Elsas

Qualitative: Cake cutting

Mathematics, game theory

How to use segregation of duties to let a group take care of getting an equal size of the cake for each member?

Hint: use opposite interests to enforce fairness

Indeed, one cutter and the others are choosers:
1. Cutter cuts
2. Choosers choose
3. Cutter chooses

If we look closer, it’s not only about duties, but also about sequence & parallelism of duty involvement. Switch steps 2 & 3 and it won’t work anymore. Protocol design & verification?

Page 71: SIKS Smart Auditing Elsas


Page 72: SIKS Smart Auditing Elsas


Page 73: SIKS Smart Auditing Elsas

Qualitative Audit Analytics - SoD

X-Raying Segregation of Duties: Support to Illuminate an Enterprise’s Immunity to Solo-Fraud

Paper with two discussion articles, one by K. Matcham and one by R.S. Sriram, and with a response article, appeared as four separate articles together in the International Journal of Accounting Information Systems, June 2008

Quote from the response article: “Adequate SoD assessment and SoD design appears to be much more complex than could have been assumed without this methodical analysis” (with thanks to P.M. Ott de Vries for discussing this quoted response)

Introduces an algebraic analysis technique that takes a supercycle-based body of authorizations as input, and delivers a complete linear basis that spans a space of singleton ‘black hole’ weak spots in the supercycle system of internal control, extensible from 1-agent, to 2-agent, etc.

The concept of irreplaceable and indispensable internal control, especially segregation of duties and securing actions of agents, as developed in the owner-ordered audit tradition, allows a rationally rigorous analysis method, impossible with the segregation of duties concept from the management-ordered audit tradition

Method answering the question if a body of authorizations is free of opportunities for traceless embezzlement, without need to collude

Alternatively stated: Method locating who has too many authorizations in one hand creating a dangerous opportunity for traceless embezzlement, jeopardizing the integrity of financial statements

See: challenge no. 1, slide 14 & 17

Page 74: SIKS Smart Auditing Elsas

Agenda

Part II - New risk control mechanisms

• Supercycle: interface between organization & auditor
  – Soll & Ist
  – Qualitative: internal control to secure actions of agents
  – Quantitative: “completeness, the elusive assertion”
• Jacquard project: “Next Generation Auditing”, 2010-2014, with a software demo by Jacques de Swart & Paul Griffioen
• Nexus micro-macro, consolidated
  – Financials: ‘incentives thread’ of owner-ordered audit
  – Sustainability: ‘completeness thread’ of owner-ordered audit
  – Public digital infrastructure for financial utility functions & to facilitate SWOOPs: Self Web-Organized Owning Parties
• Golden opportunity for the Netherlands
• Your questions

Page 75: SIKS Smart Auditing Elsas


Page 76: SIKS Smart Auditing Elsas

Quantitative: Completeness by Spanning Reconciliation Checks

1) $(\text{Cash})_B + \text{C/R} - \text{TO} - (\text{Cash})_E = \text{C/D}$

2) $\text{C/D} - (\text{A/P})_B + (\text{A/P})_E - \text{TP} = \text{P}$

3) $(\text{Inv})_B + \text{P} - (\text{Inv})_E = \text{COGS}$

6) $\text{COGS} + \text{Gross Profit} = \text{Sales}$

7) $(\text{A/R})_B + \text{Sales} + \text{TS} - (\text{A/R})_E = \text{C/R}$

8) $(\text{VAT})_B + \text{TS} - \text{TP} - \text{TO} = (\text{VAT})_E$

- Cf. slide 34, part I: equation numbers, audit literature, etc.
- Equation set is automatically generated from supercycle diagram

Subscripts ‘B’ and ‘E’ stand for Begin and End; C/R: Cash Receipts; A/R: Accounts Receivable; TS: value added Taxes received on Sales; COGS: Cost of Goods Sold; Inv: Inventory; P: Purchases during the period; A/P: Accounts Payable; TP: value added Taxes Paid on purchases during the period; C/D: Cash Disbursements; VAT: Value Added Taxes; TO: Taxes payment Outflow (with thanks to Raj Srivastava)

pp.244-265

Integrating owner-ordered audit method (quantities in boldface font on understatement & quantities in regular font on overstatement) & management-ordered audit method (just the reverse audit direction) into two-way audit approach
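The spanning reconciliation checks can be run mechanically over a period's figures. The Python sketch below is an added example, not code from the slides or from the Jacquard project; it reads each relation as an equality in line with the BETA formula, and the field names, both sets of figures and the 50% Soll margin on cost are constructed assumptions.

```python
# Equation set from the slide: number -> (signed left-hand terms, right-hand quantity).
EQUATIONS = {
    1: ((("cash_b", 1), ("cr", 1), ("to", -1), ("cash_e", -1)), "cd"),
    2: ((("cd", 1), ("ap_b", -1), ("ap_e", 1), ("tp", -1)), "p"),
    3: ((("inv_b", 1), ("p", 1), ("inv_e", -1)), "cogs"),
    6: ((("cogs", 1), ("gross_profit", 1)), "sales"),
    7: ((("ar_b", 1), ("sales", 1), ("ts", 1), ("ar_e", -1)), "cr"),
    8: ((("vat_b", 1), ("ts", 1), ("tp", -1), ("to", -1)), "vat_e"),
}


def residuals(fig):
    """Left-hand side minus the recorded right-hand side, per equation."""
    return {
        number: sum(sign * fig[key] for key, sign in lhs) - fig[rhs]
        for number, (lhs, rhs) in EQUATIONS.items()
    }


def deviations(fig, tolerance=0):
    """Equations whose residual exceeds the tolerance (the Ist departs from the Soll)."""
    return {n: r for n, r in residuals(fig).items() if abs(r) > tolerance}


def spanned_sales_gap(fig, soll_margin_pct):
    """Span buy side to sell side: chain equations 2, 3 and 6.

    Only externally evidenced inputs are used (cash disbursements, payables,
    taxes paid, inventory counts); the normative margin on cost is an assumed
    Soll parameter. A positive gap means recorded sales fall short of what the
    goods flow implies, i.e. a completeness problem.
    """
    purchases = fig["cd"] - fig["ap_b"] + fig["ap_e"] - fig["tp"]  # eq. 2
    cogs = fig["inv_b"] + purchases - fig["inv_e"]                 # eq. 3
    expected_sales = cogs * (100 + soll_margin_pct) / 100         # eq. 6, Soll margin
    return expected_sales - fig["sales"]


# Constructed figures for a period in which all sales were recorded.
CLEAN = dict(
    cash_b=1000, cash_e=2215, cr=3415, cd=2100, to=100,
    ap_b=200, ap_e=300, tp=200, p=2000,
    inv_b=500, inv_e=400, cogs=2100, gross_profit=1050, sales=3150,
    ar_b=100, ar_e=150, ts=315, vat_b=50, vat_e=65,
)

# Constructed variant: 600 of sales kept off the books. The sell-side records
# agree with each other, but the counted inventory no longer fits them.
HIDDEN_SALES = dict(
    CLEAN, sales=2550, ts=255, cr=2755, cash_e=1555, vat_e=5,
    cogs=1700, gross_profit=850,
)

if __name__ == "__main__":
    for name, fig in (("clean", CLEAN), ("hidden sales", HIDDEN_SALES)):
        print(name, deviations(fig), spanned_sales_gap(fig, soll_margin_pct=50))
```

In the second data set every sell-side equation balances on its own; only the link through inventory and cost price exposes the gap, which is why the checks have to span both sides of the supercycle.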

Page 77: SIKS Smart Auditing Elsas

Owner-ordered audit: an example

Your client, the hotel franchisor, with lots of franchisees, hears from an acquainted real estate agent that quite a lot of centrally located parking lots are (unofficially) rented to employees of nearby offices. What information can you use to offer your client the assurance that his franchisees don’t abuse his parking lots in such a way?

Page 78: SIKS Smart Auditing Elsas

Agenda

Part II - New risk control mechanisms

• Supercycle: interface between organization & auditor
  – Soll & Ist
  – Qualitative: internal control to secure actions of agents
  – Quantitative: “completeness, the elusive assertion”
• Jacquard project: “Next Generation Auditing”, 2010-2014, with a software demo by Jacques de Swart & Paul Griffioen
• Nexus micro-macro, consolidated
  – Financials: ‘incentives thread’ of owner-ordered audit
  – Sustainability: ‘completeness thread’ of owner-ordered audit
  – Public digital infrastructure for financial utility functions & to facilitate SWOOPs: Self Web-Organized Owning Parties
• Golden opportunity for the Netherlands
• Your questions

Page 79: SIKS Smart Auditing Elsas

Jacquard project: Next Generation Auditing: Data Assurance as a Service

• Project lead: CWI, the Dutch national Center of Mathematics & Computing Science, Paul Klint, Tijs van der Storm & Paul Griffioen

• Project partners:
  – PricewaterhouseCoopers, Jacques de Swart & Mona Mashaie
  – The Dutch Tax Office, Marc van Hilvoorde
  – ComputationalAuditing.com, Philip Elsas

• Project result: Domain-Specific Language (DSL) in Software as a Service (SaaS) architecture

• Current project sketch: model-based audit support

http://www.cwi.nl/en/2010/1064/Software-engineering-researchers-and-audit-experts

Page 80: SIKS Smart Auditing Elsas

Jacquard: key audit phases

Next Generation Auditing: Data Assurance as a Service

1. Ist supercycle mining: extend process mining to focus on client’s top-level business process

2. Soll supercycle identification: identify Soll supercycle in Ist smart flowchart

3. Continuous auditing: confront a stream of business events to Soll, close-to-real-time

4. Collect, collate & aggregate deviations automatically

5. Publish deviation top-10 on interactive supercycle dashboard. Interface to query the enterprise. iPhone app

Page 81: SIKS Smart Auditing Elsas

Jacquard: project goals

Next Generation Auditing: Data Assurance as a Service

1. Design and implementation of DSL for representing supercycle business models

2. Querying of models: Pacioli DSL

3. Visualization of models

4. Parsing, extraction & analysis of business data

5. Interpretation & inclusion of business data in model

6. DSL for structured auditing interviews via interactive audit documentation (expert vs. engagement team)

7. Facilitating automatic generation of XBRL & XBRL Formula (Standard Business Reporting, SBR): XBRL for data, DSL for analysis

Page 82: SIKS Smart Auditing Elsas

Phase 1: Ist supercycle mining

Input: event log with journals, e.g. SAP

Output: smart flowchart

Computational Auditing:
- focus on discovery of supercycle
- framing stand-alone workflows
- connecting to cost price theory:
  - activity-based costing
  - process-based costing
  - supercycle-based costing

Based on: “Towards a Computer-Assisted Audit Analysis of Business Processes: Process Mining as Tool for IT Auditors”, Maria Bezverhaya, Emiel Caron & Piet Goeyenbier, ‘de EDP-Auditor’, NOREA, 2009

Push signal from Technical University of Eindhoven, ProM, Fluxicon & Anne Rozinat

Pull signal from audit practitioners & IT audit educators, e.g. “Process Mining” by Mieke Jans & CARLAB, Rutgers, 2010

Page 83: SIKS Smart Auditing Elsas


Page 84: SIKS Smart Auditing Elsas

Phase 2: Identify Soll in Ist

Identify Soll supercycle by excluding Ist flows, based on automatically identified candidate Ist flows

Apply constraints to check if remaining model is a valid Soll

Design-time workflow vs. run-time workflow

Analyzing 3232 cases, classifying casualties (red arrows):
A. Invoice receipt without prior approval (2537x)
B. Approval acquired after purchase completion (261x)
C. Purchase order established for rejected request (9x)
D. Handled order status skipping receipt (875x), etc.

Based on: “Towards a Computer-Assisted Audit Analysis of Business Processes: Process Mining as Tool for IT Auditors”, Maria Bezverhaya, Emiel Caron & Piet Goeyenbier, ‘de EDP-Auditor’, NOREA, 2009

Push signal from Technical University of Eindhoven, ProM, Fluxicon & Anne Rozinat

Pull signal from audit practitioners & IT audit educators, e.g. “Process Mining” by Mieke Jans & CARLAB, Rutgers, 2010

Page 85: SIKS Smart Auditing Elsas

Phase 2: Identify Soll supercycle in Ist

Soll identification is supported by a typology of top-cycles

Top-cycle: normative backbone of the ‘business process’-oriented audit approach

Top-cycle concept & typology: Central result of integral evolution. Of ‘business process’-oriented Auditing Theory, Auditing Practice & Auditing Education. Over 60-80 years

Typology of top-cycles: ordered by the strength of the backbone

Scientific foundation: rationally rigorous. With mathematical & computational formalization. Superbly suited for the digital age. Recognized as such in accelerating pace. Easy by new tech

Unfortunately hardly translated into English

Page 86: SIKS Smart Auditing Elsas

Phase 3: Continuous auditing

http://www.ComputationalAuditing.com/images/Kring.swf

• Confront a stream of business events to Soll
• Interrelate all buffer contents
• Reconcile with external evidence
• On-the-fly, close-to-real-time checking of spanning business equations
• Especially spanning buy side & sell side
• Triangulation
• Capture deviations and associated risks
• 3rd party evidence processing

“Continuity Equations”, Miklos Vasarhelyi et al. CARLAB, Rutgers, 2010

Page 87: SIKS Smart Auditing Elsas


Page 88: SIKS Smart Auditing Elsas


Page 89: SIKS Smart Auditing Elsas

Phase 4: Aggregate deviations

Based on: Sun, Srivastava & Mock, 2006, “An Information Systems Security Risk Assessment Model”, pp. 43-48

This can be realized in Deloitte’s Smart Audit Support with a plug-in for Dempster-Shafer-Srivastava confidence-level computations

Page 90: SIKS Smart Auditing Elsas

Phase 4: Aggregate deviations

[Diagram: 2 Receivables + 3 Inventories = 5 Current Assets (all three inventories are current) or 5 Assets (at least one non-current inventory), in the XBRL US GAAP Taxonomy]

Type Polymorphism: Least Upper Bound in the Taxonomy

Aggregation in XBRL:
- Calculation linkbase
- XBRL Formula

Plug-in: transferable ‘type polymorphism’ mechanism for XBRL Assurance Builder & Player

Articulate XBRL Assurance functionality using a dedicated website builder (plug-ins) instead of handcrafting XBRL Formula’s

Domain-Specific Language (DSL) for auditing: Pacioli, developed by Dutch software partner in cooperation with national research center for mathematics and computer science in the Netherlands (CWI) & University of Amsterdam

See: “On Positioning XBRL Assurance Business Rules in a Computational Infrastructure for Modern Auditing”, 2009, University of Kansas, Annual International Conference on XBRL

Page 91: SIKS Smart Auditing Elsas

Phase 5: Publish deviation top-10

Publish on interactive dashboard

[Diagram: supercycle dashboard; node labels and figures not recoverable]

Supercycle as dashboard

Drill-down on analytics

Planning & Control

Key Performance Indicators (KPI’s)

Key Control Indicators (KCI’s)

Page 92: SIKS Smart Auditing Elsas

Jacquard project: Next Generation Auditing: Data Assurance as a Service

demo by Jacques de Swart, PricewaterhouseCoopers & Paul Griffioen, CWI

More on the Jacquard project at the 21st World Continuous Auditing & Reporting Symposium, Rutgers, New Jersey, November 5-6, 2010

Page 93: SIKS Smart Auditing Elsas

Agenda

Part II - New risk control mechanisms

• Supercycle: interface between organization & auditor
  – Soll & Ist
  – Qualitative: internal control to secure actions of agents
  – Quantitative: “completeness, the elusive assertion”
• Jacquard project: “Next Generation Auditing”, 2010-2014, with a software demo by Jacques de Swart & Paul Griffioen
• Nexus micro-macro, consolidated
  – Financials: ‘incentives thread’ of owner-ordered audit
  – Sustainability: ‘completeness thread’ of owner-ordered audit
  – Public digital infrastructure for financial utility functions & to facilitate SWOOPs: Self Web-Organized Owning Parties
• Golden opportunity for the Netherlands
• Your questions

Page 94: SIKS Smart Auditing Elsas


Page 95: SIKS Smart Auditing Elsas

Nexus micro-macro: sustainability

Now you’ve had your crash course in owner-ordered auditing. Can someone explain to me why the method of assessing the completeness assertion is so very well transferable from ‘completeness of revenues’ to ‘completeness of pollution’?

Any hints wanted?

Page 96: SIKS Smart Auditing Elsas

Nexus micro-macro: Web infrastructure

• Banking & rating agency utility functions:
  - fund transfers, account keeping, account access, etc.
  - tracking & tracing of who owes what to whom, etc.
  - tracking & tracing bar-coded financial products, etc.
  Why not with scientific security and code base?

• Audit & oversight mechanisms:
  - web platform for audit support: interactive audit forms
  - access audit methods, CAATTs (Computer Assisted Audit Tools & Techniques)
  - access auditee’s accounting system
  Why not let aggregated XBRL-tagged data streams enable double-entry bookkeeping on macro-economic level? Why not for both financial and non-financial information?

Why not have a public digital infrastructure for financial utility functions? With additional commercial functions?

à la Skype

Page 97: SIKS Smart Auditing Elsas

Nexus micro-macro: SWOOPs

Facilitate launching of Self Web-Organized Owning Parties

• Which owner group has clear ROI (Return On Investment)?

• How to empower downplayed owners? SWOOPs

• Launching mechanism: agent technology, agency theory

• Example focus group: individual pension fund participants
  – contributor
  – ‘sleeper’
  – receiver

• Ownership control spectrum: from franchisor (strong) till individual pension fund participant (weak)

• Auditor applies web-based owner-ordered audit method

“The South-Koreans didn’t understand the advanced American derivatives, so they didn’t buy them and weren’t hit by the crisis”, portfolio manager at big Dutch institutional investor for big Dutch pension fund who made big losses, Safe magazine, summer 2010

Page 98: SIKS Smart Auditing Elsas

Agenda

Part II - New risk control mechanisms

• Supercycle: interface between organization & auditor
  – Soll & Ist
  – Qualitative: internal control to secure actions of agents
  – Quantitative: “completeness, the elusive assertion”
• Jacquard project: “Next Generation Auditing”, 2010-2014, with a software demo by Jacques de Swart & Paul Griffioen
• Nexus micro-macro, consolidated
  – Financials: ‘incentives thread’ of owner-ordered audit
  – Sustainability: ‘completeness thread’ of owner-ordered audit
  – Public digital infrastructure for financial utility functions & facilitating SWOOPs: Self Web-Organized Owning Parties
• Golden opportunity for the Netherlands
• Your questions

Page 99: SIKS Smart Auditing Elsas

Golden opportunity for the Netherlands

Match-making between ‘pull’ & ‘push’

Pull side
• Improve the audit profession’s relevancy to society
  – Individual audit: ownership orientation (chall. 1)
  – Contribute to systemic risk mitigation (chall. 2)

Push side
• R&D of supportive concepts and technology

Internationalize the owner-ordered audit method. This requires deep computational support. Why?

To minimize international, educational burden (3-years post-Master)

To streamline train-the-trainer, roll-out & getting ROI fast

Page 100: SIKS Smart Auditing Elsas


Page 101: SIKS Smart Auditing Elsas


Your Questions