ACC 321 MSU Final Exam
Transaction Monitoring
CCM used to continuously monitor ERP and financial application transaction information to improve governance and automate audit processes.
Machine Learning: Supervised
Can be used to label and classify known exceptions for certain fraud schemes and map these models to new data and infer new exceptions.
Machine Learning: Unsupervised
Can be used to model "normal" behavior and discover anomalies. Whenever several anomalies occur in same area, it may be grounds for suspicion.
Advanced Analytics
Cluster analysis, fuzzy logic, regression, vector learning, predictive modeling. Suitable for complex patterns.
Source Code Comparison
Compare the current version of the program with the original source code. Confirm that changes were authorized and correctly incorporated.
CAAT
Computer Assisted Audit Techniques, Software tools enable auditor to -access and analyze data in database -perform penetration and vulnerability tests -test application
CCM
Continuous Control Monitoring: technology enabled detective controls. Actively monitor controls, transactions and configurations. -transaction monitoring -master data monitoring -segregation of duties monitoring -configurable control monitoring
Enhancement of Controls
Control Analytics: to help enhance - process and financial risk analytics -financial statement quality - ethical fraud/fraud evidence reviews
Recurrent Neural Network: Uncharacteristic Invoices
RNN ingests a sequence of invoices for a specific vendor. Develops a model about what the next invoice will look like given what it has learned about invoices in general, and also the vendor specifically. By comparing the RNN's models to the actual next invoice we can flag invoices which are uncharacteristic of each vendor.
Inputs to the Purchasing Process
Receiving Report - count and condition of goods received Bill of Lading - accompanies the good sent, carrier assumes responsibility for the goods Packing Slip - specific goods and quantities included in shipment, included in merchandise package
Production Cycle (Conversion/Manufacturing)
Recurring set of business activities and related information processing operations associated with converting raw inputs such as materials, labor, equipment and other fixed assets into finished products. Includes: 1) product design 2) planning and scheduling 3) production operations 4) cost accounting
Expenditure Cycle (Purchasing/Acquisition)
Recurring set of business activities and related information processing operations associated with the purchase of and payment for goods and services.
Revenue Growth
Revenue Assurance Analytics: to reduce leakage from order to cash process. -predicting credit risk/exposure -trade funds - deductions and disputes -pricing, discounts and terms of trade
Social Network Analysis
Set up rules to filter internal fraud transactions (i.e. ID takeover, association to phone number, address, account, login details, password) Suitable for known and unknown associations.
Rules (FCA)
Set up rules to filter internal fraud transactions. (i.e. employee reviewing higher than average dormant accounts) Suitable for obvious and known patterns.
Audit Planning
Short Term: What do we need to audit this year? Long Term: What should we plan to audit in the future? What should we test first? -parts of business most susceptible to risk? -what IS systems are changing? -regulations to test for? -new regulations to test for?
Parallel Simulation
Similar to reprocessing except Auditor writes his own program instead of using verified source code. Can be used to test a program during implementation process.
Continuous Monitoring Examples
- Payroll (SSN tests; invalid, duplicate, dead) -A/P (duplicate payments, unclaimed credits)
Segregation of Duties Monitoring
CCM for segregation of duties is used to manage a number of access conflicts present in ERP and financial applications.
Continuous Auditing
-Systems such as approve can identify unusual transactions that might avoid a fraudulent payment -Look for series of split transactions, avoiding the dollar cutoff for either no receipt or no approval required
What's wrong with Traditional Accounting Information?
-inaccurate cost allocations -promotes non-lean behavior -time lag -financial orientation
Cost Accounting System
-records financial effects of events occurring in the production process -initiated by the work order -cost accounting clerk creates a new cost record for the new batch and files in WIP file -the records are updated as materials and labor are used -receipt of last move ticket signals completion of the production process
Input Data Validation Checks
-sequence check -limit check -range check -validity check -completeness check -reasonableness check
Look For Patterns in Suspect Communications
-suspicious communication patterns (i.e. use of emails, external forwarding) -combine communication network analysis with sentiment scoring -method used by many intelligence agencies to detect criminal/terrorist networks -can combine other entities to enhance analysis
Techniques of Evaluation (Audit)
-use general audit s/w -flowchart automated applications -examine audit logs and reports -review documentation -interview and observe
Forensics Process
1. Acquisition - obtain possession of electronic devices and mapping 2. Identification - determine what data can be recovered. 3. Evaluation - determine if information contours illegal behavior, is evidence sufficient 4. Presentation - how to communicate evidence for lawyers, managers, etc.
IT Auditing Objectives
1) Confidentiality - preserving authorized restrictions on information access and disclosure. 2) Integrity - guarding against improper information modification or destruction. 3) Availability - ensuring timely and reliable access to and use of information.
Expenditure Cycle
1) Request Goods (purchase request) 2) Order Goods 3) Receive Goods 4) Approve invoices 5) Pay for Goods 6) Returns
Analytics in Finance/Accounting Goals:
1. Revenue Growth 2. Margin Improvement 3. Enhancement of Controls 4. Cashflow improvement
Objectives of Expenditure Cycle
1) Tracking purchases of goods/services from vendors 2) Tracking amounts owed 3) Maintaining Vendor Records 4) Controlling inventory 5) Making timely and accurate vendor payments 6) Forecasting purchases and cash outflows
Stages of Auditing Data Analytics Maturity
1. Ad-hoc: utilized when needed, limited to select individuals with limited use of tools, perhaps Excel. No approach or linkage to other data sets. 2. Limited Value: Increasing adoption and perhaps use of IDEA/ACL. Some value but not integrated with other data and unpredictable results. Value add to audit not expected. 3. Limited and Valued: analytics policy and methodology in driver's seat at testing stage to validate controls. Wider usage within internal audit and value seen by stakeholders. 4. Meshed: on request data sources in place and skill set starting to be embedded within the department. Equally reliant on continuous monitoring in 2nd line evolving to form combined view. 5. Embed: metric based monitoring allowing for creation of more dynamic audit plans. Skills embedded within team, focus on root cause of issues by management not incidents. 6. Forward looking: Analytics driving audit plans with changed audit and risk behaviors based on analytics results. Fully established three lines with horizon scanning in prescriptive analysis.
Network Analysis
1. Data encoded and networked relationships 2. Generate networks of relationships (i.e. people, transactions, property) 3. Identify "normal" and unusual clusters 4. Identify potential fraud patterns 5. Search for known fraud patterns/rules
IT General Controls (Domains of Cybersecurity)
1. Legal, regulations, compliance and investigations 2. Information security and risk management 3. Security architecture and design 4. Telecommunications, network, and internet security 5. Access control 6. Operations security 7. Physical and Environmental Security 8. Application Security 9. Business continuity and disaster recovery 10. Cryptography
General Audit Procedure
1. Obtain understanding of audit subject area 2. Perform Risk assessment and prepare general audit plan/schedule 3. Add detail to audit plan 4. evaluate the audit area/subject 5. Evaluate whether controls are effective ----use Techniques of Evaluation----- 6. Perform compliance testing 7. Perform substantive testing 8. Write audit report/present (external or internal) 9. Perform follow up
Machine Learning Approach
1. Source Data 2. Data Abstraction 3. Anomaly Detection Engine (ADE) -feature creation -classification -intelligent scoring algorithm 4. Results (and feedback to ADE)
ABC Pros and Cons
Advantages -more accurate costing of products, services, customers, distribution channels -identifying the most and least profitable products and customers -accurately tracking costs of activities and processes -equipping managers with cost intelligence to drive continuous improvements -facilitating better marketing mix -identifying waste and non value added activities Disadvantages -too time consuming and complicated to be practical -promotes complex bureaucracies in conflict with lean manufacturing philosophy
Margin Improvement
Analysis of Expenses: to help reduce wastage -payables analytics -spend analytics -contract compliance
Risk Assessment Framework
Audit Universe > Inherent Risks and COSO Control Risks > Customized Checklists > Definitions of Risk Ratings > Perform Risk Assessment > Develop Risk Ratings > Assess Risk > Internal Audit Plan Based on Risk > Revisit Annually/Major Change
Computer Based Matching
Automated Matching - software matches an invoice to its related purchase order and receiving report. Advantages: reduce time, costs, errors and duplicate payments in invoice processing. Risks: system errors, unauthorized access, fraud and inadequate backup of files
Emerging Audit Techniques
Automated Work Papers: automated tools for risk/audit reporting Integrated Audit: combines financial and IS audit via team effort Continuous Audit: provides audit reports on continuous basis (not just quarterly)
Profiling (FCA)
Build statistical profiles of accounts and transactions (i.e. mean, median, std. dev, distribution) Suitable for unknown patterns.
Access control Monitoring
CCM for access control is used to monitor accesses to sensitive functions by authorized users.
Configurable Control Monitoring
CCM for application configuration is used to monitor the presence, appropriate configuration and modification of built in application controls.
Master data Monitoring
CCM for master data automates controls related to ERP and financial application data.
Objective 4: Computer Processing
DEFINITION: During computer processing, system may -fail to detect erroneous input -process erroneous input -improperly distribute or disclose output CONTROL PROCEDURES: -reconciliation of batch totals -effective error correction procedures -understandable documentation. -effective handling of data input and output by data control personnel. -maintenance of proper environmental conditions in computer facility AUDIT PROCEDURES: systems review -review admin, systems and operating documentation -review copies of error listings and batch total reports -observe computer operations and data control functions -discuss processing and output controls with operations and IS supervisory personnel. Tests of Controls: -verify processing accuracy for sample of sensitive transactions -verify processing accuracy for selected computer generated transactions -reconcile a sample of batch totals, and follow up discrepancies. -trace disposition of a sample of errors flagged by data edit routines to ensure proper handling. -evaluate adequacy and completeness of data editing controls -verify that selected application system output is properly distributed -recreate selected reports to test for accuracy and completeness. COMPENSATING CONTROLS: -processing of test data -using concurrent audit techniques -analyzing program logic
Objective 1: Overall Security
DEFINITION: Security Errors and Fraud including: -accidental or intentional damage to system -unauthorized access, disclosure or modification of data and programs -theft interruption of crucial business activities CONTROL PROCEDURE: Minimize security errors and fraud: -developing an information security plan -restricting physical and logical access -encrypting data -protecting against viruses -implement firewalls -prevent and recover from system failures or disasters AUDIT PROCEDURES: Systems review: -inspecting computer sites -interviewing personnel -reviewing policies and procedures -examining access logs, insurance policies, and the disaster recovery plan. Tests of Controls: -Auditors test security controls by: a. observing procedures b. verify that controls are in place and work as intended c. investigate errors to ensure they were handled correctly d. examine any tests previously performed COMPENSATING CONTROLS: -if security controls are seriously deficient, the organization faces substantial risks. -compensating controls aren't likely to be enough, so auditors strongly recommend that security weaknesses be corrected.
Objectives 2/3: Program Development and Acquisition and Monitoring
DEFINITION: Types of Errors and fraud -inadvertent errors due to careless programming or misunderstanding specifications -deliberate insertion of unauthorized instructions into the program CONTROL PROCEDURES: require -management and user authorization and approval -thorough testing -proper documentation AUDIT PROCEDURES: Systems review -auditor should not be involved in system development to maintain objectivity -auditor should interview management, users and IS personnel about development procedures. -auditor should review policies, procedures, standards and documentation for systems and programs. Tests of Controls: -examine all development approvals -review all documentation relating to the testing process and ascertain that all program changes were tested. -examine the test specifications, review the test data and evaluate the test results COMPENSATING CONTROLS: -strong processing controls can sometimes compensate for inadequate development controls.
Objective 6: Data Files
DEFINITION: types of errors and fraud -destruction of stored data due to: a. inadvertent errors b. hardware or software malfunctions c. intentional acts of sabotage or vandalism -unauthorized modification or disclosure of stored data CONTROL PROCEDURES: -secure file library and restrictions on physical access to data files -logical access controls using passwords and access control matrix -proper use of file labels and write-protection mechanisms -concurrent update controls -encryption of highly confidential data -use of virus protection software -maintenance of backup copies of all data files in an off-site location AUDIT PROCEDURES: system review -review logical access policies and procedures -review operating and systems documentation to determine existing standards -examine disaster recovery plan Tests of Controls -review records of password assignment and modification -observe and evaluate file-handling procedures by operations personnel -observe preparation and off-site storage of backup files -verify effective use of virus protection procedures -verify use of concurrent update controls and data encryption. -verify completeness, currency, and testing of disaster recovery plan. -reconcile master file totals with separately maintained control totals. -observe the procedures used to control file conversion. COMPENSATING CONTROLS: -strong user controls -effective computer security controls -strong processing controls
Receive Goods
Description: -receiving and storing items that have been ordered -economic increment event in which title (ownership) of one or more products is transferred from a supplier to the enterprise Key Decisions: -deciding whether to accept a delivery -verifying the quantity and quality of goods Document: Receiving Report - documents the details of each delivery. Contains: date received, shipper, vendor, purchase order number, item number, item description, item quantity received, person who received, remarks Opportunities for Using IT: -bar coding inventory to reduce handling -radio transmission of receipt -radio frequency identification tags to eliminate scanning -satellites for locating incoming shipments
Objective 5: Source Data
DEFINITION: types of errors and fraud -inaccurate source data -unauthorized source data CONTROL PROCEDURES: -handling of source data input by control personnel -user authorization of source data input -use of turnaround documents -computer data editing routines -effective procedures for correcting and resubmitting erroneous data AUDIT PROCEDURE: system review -review administrative documentation for source data control standards -review methods of authorization and examine authorization signatures -review accounting systems documentation to identify source data content and processing steps and specific source data controls used -document accounting source data controls using an input control matrix Tests of controls -observe and evaluate data control department operations and specific data control procedures -evaluate how items recorded in the error log are handled -examine samples of accounting source data for proper authorization -reconcile a sample of batch totals and follow up on discrepancies -trace disposition of a sample of errors flagged by data edit routines COMPENSATING CONTROLS: -strong user controls -strong processing controls
Production Operations
Description: -actual manufacture of products Key Decisions: -variances from planned activities -Capture of production data on a real-time basis Documents: Material Requisition and Move Ticket - goods issued from RM inventory into production, Goods transferred between work stations or from WIP to FG -Job Time Ticket and Time Card Threats: -theft of inventory -theft of fixed asset -poor performance -suboptimal investment in fixed assets -loss of inventory or fixed assets due to fire or other disasters -disruption of operations Controls: -physical access control -documentation of all inventory movement -segregation of duties -restriction of access to inventory master data -periodic physical counts of inventory and reconciliation of those counts to recorded quantities -physical inventory of all fixed assets -restriction of physical access to fixed assets -maintaining detailed records of fixed assets, including disposal -training -performance reports -proper approval of fixed asset acquisitions, including use of requests for proposals to solicit multiple competitive bids -physical safeguards -insurance -backup and disaster recovery plans
Pay for Goods
Description: -an economic decrement event where the enterprise transfers ownership of cash (or equivalent) to a supplier -paying approved vendor invoices (cash disbursements) Key Decisions: -whether or not to take vendor discounts -when to pay Documents: Checks Cash disbursement (check) register - lists all checks printed Contains: check number, check amount, vendor name Opportunities for Using IT: -Electronic funds transfer for paying vendors -combining EFT with EDI
Approve Invoices
Description: -approving vendor invoices for payment Key Decisions: -was the item actually ordered? -was the item actually received? Document: Disbursement Voucher - summarizes the information in a set of vendor invoices (authorizes payment) Contains: vendor name, outstanding invoices, net amount to be paid, general ledger accounts to be debited. Opportunities for using IT: -EDI invoicing -matching EDI invoice to computerized supporting documents -eliminating invoices entirely -procurement cards and company credit/travel cards
Request Goods
Description: -begins cycle -requesting the purchase of inventory or supplies -involves only internal agents "requestor" and "approver" Key Decisions: -what, when, and how much to purchase -but not WHO Document: Purchase Requisition - documents the need to purchase goods or supplies, contains: requisitioner name, item, description, quantities, item numbers, item prices, delivery location, date needed, suggested vendor, department, acct. number Opportunities for Using IT: -electronic purchase requisition -integrated systems allowing automatic reordering -bar coding inventory
Purchase Return
Description: -economic event in which title (ownership) for goods previously transferred from a supplier to the enterprise are transferred back from the enterprise to the supplier -returning defective items Documents: -request to return -packing list
Order Goods
Description: -mutual commitment event in which a supplier agrees to provide goods to the business and the business agrees to pay a certain price for those goods. -ordering supplies and/or materials Key Decisions -who to order from (price, quality, dependability) - what vendor? Document: Purchase Order - formally requests a vendor to sell and deliver specified products at specified prices; also a promise to pay. Contains: vendor name, purchasing agent name, order date, requested delivery date, delivery location, method of shipments, information about the items ordered. Opportunities for Using IT: -Electronic data interchange (EDI) to reduce costs associated with generating purchase orders. -linking EDI to point of sales systems -vendor managed inventory - VMI -procurement cards for miscellaneous supplies -online custom catalogues -online bidding
Planning and Scheduling
Description: -planning and scheduling production activities -two basic approaches a. push (MRP II) build to inventory/try to sell b. pull (lean) build based on customer orders Key Decisions: -make sufficient quantity of products to meet existing and short term estimated demand -do not overproduce Documents: -Master Production Schedule (MPS): uses information about orders, forecasts and inventory levels to schedule production. Contains: type of product, quantity of product, when production will occur -Production Order: authorizes the manufacture of a specific quantity of a specific product. Contains: operations needed to be performed, quantity to be produced, location to where the finished goods are delivered. Threats: over/under production Controls: -production planning systems -review and approval of production schedules and orders -restriction of access to production orders and production schedules
Product Design
Description: determining how to make a product Key Decisions: -how to meet customer requirements for quality, durability and functionality -how to minimize production costs Documents: -Bill of Materials - specifies the materials needed to make the product. Contains: part number (finished good), raw material number/description, raw material quantity -Operations List - specifies the machine and labor requirements needed to make the product; also called routing sheet Threats: poor product design resulting in excess costs Controls: -accounting analysis of costs arising from product design choices -analysis of warranty and repair costs
Cost Accounting
Description: providing information for the planning, controlling and evaluation of production operations; and to provide accurate cost data about products for use in pricing and product mix decisions Key Decisions: Cost categories, assigning and allocating costs
Substantive Testing
Detailed tests of transactions and account balances
Analysis of Program Logic
Done only as last resort (time consuming, requires programming proficiency) to do so, auditors reference: -program flowcharts, documentation, source code
Financial Forensic Engagement Examples
Economic damages calculations, post acquisition disputes, securities fraud, business valuation
Analytics
Extensive use of data, statistical and quantitative analysis, explanatory and predictive models and fact based management to drive decisions and actions.
Outputs of the Purchasing Process
Financial Statement Information Vendor Checks -supported by a voucher -signed by a person designated by management Check Register -list of all checks issued for a particular period -byproduct of batch processing
Audit Process
For Each Objective -definition -control procedure -audit procedure (review/controls testing) -compensating controls
GAS
Generalized Audit Software: -File Access: read records/file structures -File reorganization: allow sorting, indexing, merging/linking with other files -Data selection: select set of records -Statistical functions: perform sampling, stratification, frequency analysis -arithmetic functions: perform arithmetic operations on data sets
Auditing Around the Computer
In the "around the computer" approach, the processing portion of the Accounting system is ignored.
Accounting System
Input > Processing > Output
Control Framework in IT Environment
Internal Controls 1) Applications Controls > Computer Application Systems and Programs 2) General Controls > Application Systems Development or Computer Service Center
Forensic Accounting
Investigate fraud and collect evidence for civil and criminal trials. Evidence in digital format.
IT Audit Planning
Is the system large and complex? YES: Audit through the computer -Preliminary review of information systems controls -Review General and application controls -Perform compliance tests of computer controls NO: Audit around the computer -Perform substantive test of account balances --if computer controls are weak or nonexistent, auditors will need to do more substantive testing.
Financial Crime Analytics (FCA) Approaches
Issues: 1. Detecting unknown patterns of fraud 2. Keeping track of new fraud schemes 3. Not knowing exactly what to look for Approaches: -Rules -Profiling -Advanced Analytics -Social Network Analysis Integrated Model: Appropriate combination of all approaches
IS Components and Audit Objectives
Objective 1. Overall Security Objective 2: Program Development and Acquisition Objective 3: Program Modification Objective 4: Computer Processing Objective 5: Source Data Objective 6: Data files
Compliance Testing
Performed to ensure that the controls are in place and working as prescribed. (this may entail using computer assisted audit techniques CAATS)
Expenditure Cycle Process
Process: -begins with request for goods/services -ends with payment of cash Primary Objectives of Purchasing Process: -purchase high quality goods at best price -pay vendors at the optimal time
Analytics: Identify Exceptions
Purchase to Pay: -duplicate payments -retrospective POs -changing payment terms -same bank account usage Order to Cash: -price changes -undelivered orders -exceptional customer credits/returns -payment terms Fixed Assets: -inappropriate asset depreciation periods -misclassified capital equipment Travel Expenses: -duplicate claims -suspicious claims -ineligible items claims -repeating amounts Financial Close: -postings into prior closed periods -manual payments Trading -OFAC limitations -Sunshine act implications
Risks and Controls Cash Disbursement Process
Specific Controls over the cash receipts process: -Authorization of transactions -Segregation of duties a. adequate records and documents b. security of assets and documents c. independent checks and reconciliation d. cost-benefit considerations
Variety
Structured data (transactional) Unstructured data (social, channel, customer service, warranty) Sensor Data (temperature, RFID, QR codes, GPS) New Data Types (video, voice, digital images)
Processing Test Data
Testing a program by processing hypothetical valid and invalid transactions
Production Cycle Internal Controls
Transaction Authorization (work orders, move tickets, materials requisitions) Segregation of Duties Supervision Access Accounting records Independent verification
Structure of F/S Audit
Transactions > Accounting System ^Compliance Testing Interim Audit Financial Reports (Cash > Bank) (Receivables > Customers) Confirm Balances ^^Substantive Testing F/S Audit
Concurrent Audit Technique
Use embedded audit modules. Segments of program that: -perform audit functions -report test results to the auditor -store collected evidence for auditor review
Reprocessing
Use verified copy of the source code to reprocess data and compare that output with company's data
Auditing Through the Computer
Verification of controls in a computerized system. -General controls -Application Controls
4 V's of Analytics (IBM)
Volume, Velocity, Variety, Veracity
Cashflow Improvement
Working Capital Analytics: to help improve cashflow -logistics/inventory -source to pay - days payables outstanding analytics -order to cash - days sales outstanding analytics
Direct Labor Costs
collected by a job time card filled out by employees
Direct Equipment Costs
collected on job time card or as a by product of labor cost collected
Overhead Costs
costs not directly traceable to a product
Continuous Processing
creates a homogenous product through a continuous series of standard procedures
Direct Material Costs
determined by what is issued to production less any items not used
Activity Based Costing (ABC)
information system that provides managers with information about activities and cost objects. assumes that activities cause costs and products (and other cost objects) create a demand for activities. different from traditional accounting system since ABC has multiple activity drivers.
Make to Order Processing
involves the fabrication of discrete products in accordance with customer specifications
Three-Way Match
matching of a purchase order to the related receiving report and invoice. -time consuming/expensive -Business Process Reengineering (BPR) to improve efficiency and effectiveness. IT systems include a. Computer based matching and checking of purchasing documents -evaluated receipt settlement (ERS) -electronic forms of purchase and payment
Batch Processing
produces discrete groups (batches) of products. Each item in the batch is similar