Audit & Financial

Reporting Adeptness

28 November 2023

Shahzaib Sanwal
Senior Director – EY Ford Rhodes
CONTENTS
Welcome & Introduction

Audit – Data Analytics

Walkthrough of the Analytics process

Future of Internal Audit

Audit in a Digital World–
Data Analytics/ Agile
Auditing
Setting the background - the case for change
Businesses are evolving and facing a lot of disruption

1 Organizations are managing evolving customer

expectations, dynamic ecosystems, changing industry
boundaries, disruptive business models and new
competitive domains.

2 Every industry is changing and the cycles of change

are moving ever faster.

Industry convergence is touching every market

3 segment.

From technology and climate, to geopolitics and trade,

4 the outside landscape is changing dramatically.

5 Operating models are shifting

Page 4 ACCA
 Setting the background - the case for change
Emerging technologies and new business models mean new risks and Audit function may not
be able to keep up with the pace of change in the business leaving a risk coverage gap

To be successful,
organizations will need to
shift their focus from
competencies to manage new

simply mitigating risk to

Change readiness and

embracing new upside

opportunities.
world

Striking this balance

Risk
gap
requires embedding risk
and control into strategic
decision making
Organizations will also
develop digital
capabilities that harness
2000
s
Today Next 10
years
intelligence and deliver
insights across the
Internal Business enterprise.
audit management

Page 5 ACCA
Setting the background - the case for change
Vision for the future of IA to maintain trust in the transformative age

In the future, IA will be viewed as an air traffic

control tower. Technology will enable real-time
risk monitoring and timely reporting of high-
risk findings to instill trust, support confident
decision making and ultimately contribute to
increased business value.

Page 6 ACCA
Internal Audit –
Data Analytics
Data Analytics
What is data analytics?

Data Analysis is…

► Analysis of data to identify anomalies, trends and risk
indicators
Analytics is ► Analysis is based on large population of transactions
the use of data, statistical and quantitative instead of sample
analysis, explanatory and predictive
models and fact-based management to ► Act of transforming data with the aim of extracting
drive decisions and actions within an useful information and facilitating the achievement of
organization to create strategic value. factual conclusions.
► Used to supplement or replace other procedures
► Coverage over complete populations of data
► Able to draw on multiple data sources and systems
► Objective and factual results

Page 8 ACCA
Data Analytics
IA function is also transforming and needs to account for the disruptions

There are several environmental and technological factors that are driving the need for IA to address the application of analytics:

Big Data
Big Data are the massive and varied amount of data existing in and relevant to the Business.
Related risks cannot be effectively addressed using traditional methods.
Data Analytics for IA is the
manipulation of a complete
Risk based auditing population of data to obtain
There is a need to focus on issue based audits, thematic audits, key advisory reviews including insights to:
material capital programs, mergers and acquisitions, etc.

► Risks
► Control effectiveness
Reducing costs and expanding risk coverage
IA needs to expand its scope of areas while also expanding risk coverage and reducing ► Process performance
costs ► Trends of the above over
time

Increasingly complex business processes

IA needs to respond to business processes which are becoming increasingly complex (and in
some cases automated) as the technology landscape progresses.

Page 9 ACCA
Data Analytics
Why embed IA analytics?

Testing limited samples Inability to highlight Reduced audit efficiency

Traditional instead of population insights / trends and increased travel costs
IA-
Random selection of
Challenges samples instead of risk
Limited scope test
procedures
based

► Enables fraud detection and

Improved ► Improved risk assessment
prevention procedures
IA leveraging focus ► Test 100% of transactions for many controls
analytics
► Reduced time spent on lower risk & less complex
Increased ► Minimized disruption to the business
Risk areas
during the execution of internal audit
efficiency ► Reduced travel expenses through remote auditing reviews
Cost Value
► Leverage data analytics for internal and external ► Shift the mentality of the IA team
Deep issue benchmarking from compliance to business insight
insight ► Quantification and root cause analysis of issues noted

Analytics can be utilized as source of findings, input for sample selection and better insight to the processes

Page 10 ACCA
When to apply IA Analytics
The “three yes” model

1 1 ► Do we have or can we obtain all of the data that we

require?
Can we ► Do we have the right tools and technology to
technically perform the analysis?
perform the
analysis?
2 ► Will performing the analysis make the engagement
more efficient (save time, save money)?
► Will performing the analysis make the engagement
more effective (i.e., will I get better coverage of risk
3 2 or increased insight)?
► Will performing the analysis deliver measurable
Once the Is there a
value to the client?
analysis is benefit
complete, to performing
can we act on
the results?
the analysis?
3 ► Will the results of the analysis help us meet the
objectives of the engagement (specific audit
objective, IA overall objective)?

Page 11 ACCA
Data Analytics
Debunking myths about IA analytics

► Myth #1: Analytics is expensive and will make my audit margin thin

► Myth #2: Analytics is nice-to-have but not a requirement to deliver coverage to the client

► Myth #3: Analytics takes a lot of time to set up and implement and my audit does not have that
much runway

► Myth #4: I do not need analytics since I have done similar audits many times in the past successfully
without analytics

Page 12 ACCA
Data Analytics
How can IA deliver data Analytics?

Feedback Loop

Risk Assessment Audit Planning Audit Execution Audit Reporting Monitoring

► Identify risk assessment ► Preliminary “scan” of ► Identify anomalies, ► Provide quantifiable, ► Provide an automated basis
Key activity

priorities relevant audit information trends and potential fraud fact-based information for for continuous auditing &
► Determine scope of audit to drive project scope, indicators reportable issues and controls monitoring.
plan activities sampling and fieldwork ► Replace sample testing exceptions ► Provide analytical input for
procedures approaches with full- ► Visualization of audit follow-up Risk
coverage data analytics findings Assessment.

Risk Ranking Regional benchmarking Red Flags / Observations Report Visualizations Controls Monitoring
Example analytics

Value at Risk Analysis Key Risk Indicators Robotic Process Risk Quantification Risk / Action Monitoring
Automation

Page 13 ACCA
Data Analytics
Same techniques for purpose and scope across the three lines of defense

Performance
Continuous
Process optimization

Monitoring
End-to-end process
and Risk reduction performance

Continuous Monitoring
Process level (KPI’s)
(1st line of defence)

Continuous Assurance
Efficiency in Internal Confirming controls

Continuous

Monitoring
Controls
Control and effectiveness
Risk Advisory & Compliance Risk Management (KCI’s)
(2nd line of defence)

Identification of control

*Analytics and
Optimization of

Continuous
failures by testing

Auditing
audits to enhance
audit efficiency and entire populations
Internal Audit and Investigations (KCI’s and KRI’s)
(3rd line of defence) effectiveness and
deliver value

* For Continuous Audit to be effectively implemented, it is essential that a functioning and mature analytics capability exists.
* Continuous Audit capability is usually implemented through BI or reporting capabilities already existing within the business

Page 14 ACCA
Data Analytics
How can IA deliver data Analytics?

Summary and Details

Visualization

Analytics deliverables include:

► Observation Description
► Interpretation
► Potential Impact
► Suggested follow-up /
consideration

Page 15 ACCA
Data Analytics
Why Invest into Internal Audit Data Analytics?

1. Maximizing enterprise risk coverage

2. Building sustainable and repeatable methods of control assessment

3. Increasing the focus on fraud detection and monitoring

4. Efficient and focused deployment of resource

5. Enhancing foundation and expert competencies (Career opportunities)

6. Achieve high management satisfaction tangible business value and

develop partnering relationships to heighten the position of Internal Audit

Page 16 ACCA
Data Analytics – The Impact Model

Identify
Track
1. Identify the questions outcomes
the
questions
2. Master the data
3. Perform the test plan
4. Address and refine results
Communicate Master
5. Communicate insights insights the data

6. Track outcomes

Address
and Perform
refine test plan
results

Page 17 ACCA
The Impact Model
Step 1: Identify the Questions

Understand the business problems that need to be addressed.

▪ Are employees circumventing internal controls over payments?

▪ Are there any suspicious travel and entertainment expenses?
▪ How can we increase the amount of add-on sales of additional goods to our customers? Are our customers
paying us in a timely manner?
▪ How can we predict the allowance for loan losses for our bank loans?
▪ How can we find transactions that are risky in terms of accounting issues?
▪ Who authorizes checks above $100,000? How can errors be identified?

Page 18 ACCA
The Impact Model
Step 2: Master the Data

Know what data are available and how they relate to the problem.

▪ Internal ERP systems

▪ External networks and data warehouses
▪ Data dictionaries
▪ Extraction, transformation, and loading
▪ Data validation and completeness
▪ Data preparation

Page 19 ACCA
Master the Data
What does it mean to extract, transform, and load?

The Requesting data is an iterative practice involving 5 steps:

► Step 1: Determine the purpose and scope of the data request.

► Step 2: Obtain the data.

► Step 3: Validate the data for completeness and integrity.

► Step 4: Clean the data.

► Step 5: Load the data for data analysis.

Page 20 ACCA
Master the Data
Example Data Request Form

SECTION 1: REQUEST DETAILS

One-Off Annually Termly
Requestor Name: Frequency (circle one)
Other:___________
Requestor Contact
Number:
Spreadsheet
Requestor Email Format you wish the
Word Document
Address: data to be delivered
Text File
Please provide a description of the information in(circle one):
Other: ____________
needed (indicate which tables and which fields you
require): Request Date:
Required Date:
What will the information be used for?
Intended Audience:
Customer
(if not requestor):

Page 21 ACCA
Master the Data
Example Data Request Form

SECTION 2: TO BE COMPLETED BY INFORMATION SECTION 3: COMPLETION DETAILS

SYSTEMS DEPARTMENT

Date
Request Number Date Date
Received
Completed Provided
Received by Assigned to
Initial review comments (discussion with client— Revisions
revisions required? agreement to proceed? etc.) Required

Feedback from client (if applicable)

Work in progress comments (additional notes and

comments during production of data)

Page 22 ACCA
The Impact Model
Step 3: Perform the Test Plan

Descriptive analytics summarize activity Predictive analytics help auditors

or master data on specific attributes. discover hidden patterns linked to
abnormal behavior.

Diagnostic analytics look for correlations Prescriptive analytics make

or patterns of interest. recommendations based on past data.

Page 23 ACCA
Perform the Test Plan
Predictive Analysis

Regression—predicts specific
dependent values based on
independent variable inputs Sentiment analysis—evaluates
text for positive or negative
sentiment to predict positive
or negative outcomes
Classification—predicts a
category for a record

Page 24 ACCA
The Impact Model
Step 4: Address and Refine the Results

Different models will produce different results, for example:

▪ High risk transactions

▪ Users with conflicting roles
▪ Exceptions to standard procedure

Page 25 ACCA
The Impact Model
Step 5: Communicate Insights

Communicate effectively using clear

language and visualizations:

▪ Dashboards
▪ Static reports
▪ Summaries

Page 26 ACCA
The Impact Model
Step 6: Track Outcomes

Follow up on the results of the analysis.

▪ How frequently should the analysis be performed?

▪ Have the analytics changed?
▪ What are the trends?

Page 27 ACCA
Beyond Analytics
IA’s use of technology has expanded beyond data analytics and governance risk and compliance tools

Robotics process automation Artificial Intelligence (AI): Other:

A software solution that runs unattended, Software-driven intelligence that mimics human Complementary technologies, tools and
working like a virtual employee with legacy cognition, behavior, and thought processing to architectures that can be combined with
applications performing repetitive tasks reliably replicate more complex tasks that include other layers on the spectrum to automate
at the UI level professional judgment and historical knowledge a business process or human experience

Machine learning
Comparing data sets
Deep learning
Composing and sending emails
Macros Conversational Agents (chat bots)
Automation of clicks, data entry
Natural language
Completion of auditable activity logs Processing Unmanned Aerial Systems (Drones)

Reading, copying, aggregating data Internet of Things

Entering data into a system Sensors

Rules-based processing and decision Predictive algorithms

making

ACCA
28
LOGO DELETED
Potential Areas for Auditor Focus
Key Steps for Auditors in a Changing Technology Environment

► Maintain sufficient professional scepticism when reviewing

management’s risk assessment for new systems
Understand the direct and indirect effects of new
As auditors obtain an ►
technology and determine how its use by the entity
understanding of the impact of impacts the auditor’s overall risk assessment
technology on a company’s ► Understand how the technologies impact the flow of
business, its systems of internal transactions, assess the completeness of the in-scope
ICFR systems, and design a sufficient and appropriate
control, and its financial audit response
reporting. ► Assess the appropriateness of management’s processes to
select, develop, operate, and maintain controls related to
the organization’s technology based on the extent the
technology is used

ACCA
29
LOGO DELETED
Future of Internal Audit
Digital auditing enables real time analysis of business performance and unmitigated risk
exposure

Flexible Pool of resources

Data Analytics enables the flight tower

to effectively monitor global operations
and allocate resources where they are
needed.

Robots helps to extract and migrate

information from multiple and diverse
ERP system which lays the foundation to
enable Analytics procedures.

Audit teams performs validation and

root cause analysis. Findings and
recommendations are uploaded to the
audit management tool for timely
reporting to key stakeholders.

The Audit Plan becomes flexible as it will respond

to the risks and needs identified on a continuous
basis.

Page 30 ACCA
Thank You!