1 / 50

Techniques for risk-based auditing

Techniques for risk-based auditing. DG INFSO-02 Freddy Dezeure - Charles Macmillan. 21/1/2011 European Court of Auditors Chamber IV. Background DG INFSO. European Commission department European Digital Agenda Co-funding of cost of research projects: 1,5 bio€ per year

rbettencourt
Download Presentation

Techniques for risk-based auditing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Techniques for risk-based auditing • DG INFSO-02 Freddy Dezeure - Charles Macmillan 21/1/2011 European Court of Auditors Chamber IV

  2. Background DG INFSO • European Commission department • European Digital Agenda • Co-funding of cost of research projects: 1,5 bio€ per year • FP6, FP7, eTEN, CIP: > 7000 beneficiaries, >2000 projects • Financial audits - 200 per year

  3. Selection of auditees

  4. Assurance audits -> error 4%

  5. P1 P1 Claimed salary cost not actual Excessive overheads Major sources of errors

  6. Representative error rate

  7. Risk-based auditing • Risk of intentional inflation of cost • Assessment of the organisation as a whole • Data mining – new tools and methods • Audit programme specific to the risk (ISA240 - ISA315)

  8. CM

  9. Data gathering Risk assessment Define approach Field work Assess next steps Finalise

  10. Risk assessment Data gathering

  11. Data Gathering phase • Scope from risk assessment – continually reassessed • Collect available information from internal and external sources • Check for indicators and inconsistencies • Outcomes define specific audit procedures • Use and find new Indicators • Feed into control systems

  12. Internal Sources • Project documents: proposal, description of work, deliverables, reports, reviews, emails, cost claims • Experts Database • Organisations Database

  13. Open Sources

  14. Finding people • Find the right person • Find all the relevant information about the person • Avoid noise

  15. “Fake” People - Examples • Non-existent people • Existing, but • not relevant • not employed • not aware of project • People in multiple roles / companies / projects

  16. Neuron – partner in BRAIN

  17. Neuron: Key staff • DoW Description • Computer Science degree • Experienced ICT researcher • etc

  18. Neuron – Key staff

  19. Neuron – Key staff

  20. Indicators • Not found on internet • Top management of company • Always the same names • Listed for different companies in different projects • Listed in a different country from the company • CV on LinkedIn contradicts submission • Anonymous email address (gmail, ...) • GSM phone only

  21. Finding companies • Find the right company • Find all the relevant information about the company • Avoid noise

  22. Even simple tools can help

  23. Earth Match – partner in SOLARSYS 34

  24. www.emsoft.com

  25. Earth Match – partner in SOLARSYS 34

  26. www.earthmatch.com.mt

  27. www.cabbage.com

  28. ONION – partner in VEGETABLE

  29. Company website • Does the website exist? • Does the project fit the company’s core activities? • Does the website give contact information - and does it match the official transmission documents? • Is the website registered by the partner? 32 32

  30. Company registry, phone/fax • Company registration websites • http://www.rba.co.uk/sources/registers.htm • http://www.infobel.com/, http://www.ixquick.com/ • Cross-check the phone number with yellow/white pages • Reverse search on the phone number 33 33

  31. Company website, history • Website registration • http://www.domaintools.com/ • http://www.robtex.com/dns/ • Archive • http://www.waybackmachine.org/ • http://www.archive.org/web/web.php 33 33

  32. Tools - internet search • Search for company in Google • Not reassuring if nothing found • Translation tools • http://translate.google.com • http://babelfish.yahoo.com/ 44 44

  33. 45

  34. HOUR – partner in TIME

  35. Indicators • Email address not <-> company domain • Phone number = fax number • Phone number = gsm number • Website registered by another company • Website or phone numbers in another country • Corporate website without contact coordinates, “under construction”

  36. FD

  37. Organisation Cannot (financially) Cannot (operationally) Can do / have not Staff Have not done Have done, cost inflated Have done, cost ineligible Data Gathering Outcomes

  38. Outcome - Audit Procedures • Cannot (financial) • Find other income source • Check commercial agreements with others... • Cannot (operational) • Find who could have done the work • Verify working agreements / CVs / job descriptions...

  39. Risk-based audits -> error 30%

  40. Impact on DG INFSO • Huge effort in administrative follow-up • Litigation (EDPS, Ombudsman, TPI, ECJ) • Impossibility to recover funds • Waste of budget - impact on genuine participants • Reputation damage

  41. Perception

  42. Challenge • Detect problems early in the project life-cycle (PO) • Link data gathering/risk-assessment/audit programme • Manage exceptions well

  43. Implementation of audits

  44. Residual error Audited Error = 0 Untouched Error = representative Extrapolated Error = non-systematic

  45. Selectiveness Detect Correct Prevent Facilitate Simplify Trust

More Related