1 / 60

The Future of Auditing and Audit Evidence

Learn about the proposed updates to audit evidence standards by the Auditing Standards Board (ASB), including the incorporation of emerging techniques like AI and blockchain. The article provides practical guidance for utilizing digital analytics technology and emphasizes the importance of professional skepticism in data analytics. Explore the definition of "sufficient" and "appropriate" audit evidence and the proposed effective date for these changes.

rjoyce
Download Presentation

The Future of Auditing and Audit Evidence

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Future of Auditing and Audit Evidence

  2. What’s going on at the ASB? • https://www.cpajournal.com/2019/02/25/whats-happening-at-the-auditing-standards-board/

  3. Is there an update to the audit evidence standards coming?

  4. AU-C 500 Audit Evidence exposure draft being released by the Auditing standards board • Proposed update to evidence standards due to AI, blockchain, etc. (emerging techniques and technologies) • Provides practical guidance for digital analytics technology • Uses existing principles applied to data • Professional skepticism still must be applied to data analytics • “Sufficient” and “appropriate” currently defined separately in AU-C Section 500 • Proposed definition – Audit evidence that is sufficient to persuade an experienced auditor to draw conclusions based on consideration of audit evidence • New definition of ‘internal information” – reflects all internal information that management obtains, including accounting records, to prepare financial statements • Proposed effective date for audits of financial statements for periods ending on or after December 15, 2020 (12/31/20 or 6/30/21)

  5. AU-C 500 Audit Evidence exposure draft being released by the Auditing standards board • ASB does not believe automated data analysis is an ‘audit procedure’, but is a technique that can be used to meet objectives • Proposal also includes management specialists as a source of audit evidence – • Additional material included whether sufficient appropriate audit evidence obtained. • Other text changes on what is sufficient appropriate audit evidence

  6. AU-C 500 Audit Evidence exposure draft being released by the Auditing standards board • ASB does not believe automated data analysis is an ‘audit procedure’, but is a technique that can be used to meet objectives • Proposal also includes management specialists as a source of audit evidence – • Additional material included whether sufficient appropriate audit evidence obtained. • Other text changes on what is sufficient appropriate audit evidence AICPA – attributes and factors used to evaluate whether information obtained represents appropriate audit evidence

  7. AU-C 500 Audit evidence exposure draft being released by the auditing standards board • Auditors will need to evaluate relevance and reliability in the context of the sources from which it was obtained • Whether the evidence corroborates or contradicts assertions • 22 proposed paragraphs of application guidance just on relevance and reliability

  8. AU-C 500 Audit evidence exposure draft being released by the auditing standards board • As important are the sources of information in gauging the relevance and reliability • Is it generated internally or outside the financial reporting system?

  9. AU-C 500 Audit evidence exposure draft being released by the auditing standards board • Put them both together – does the evidence have relevance and reliability considering the sources • Are they contradictory or corroborative?

  10. Using Data Analytics in Auditing- Not new to audit standards

  11. Analytics and the Standards • CAATS – Computer Aided Audit Tools or Computer Assisted Audit Techniques • Mentioned in various AICPA SAS’s • AU-C 315 “Understanding Entity & Its Environment…” • .A7-.A9 – Analytical Procedures • SAS 99 – now incorporated in clarified SAS’s • Management override • Journal Entries • COSO – Fraud Risk Management Guide • Emphasis on data analytics • Appendix E • GAO – A Framework for Managing Fraud Risks in Federal Programs

  12. AU-C 330 • .A17 The use of computer assisted audit techniques (CAATs) may enable more extensive testing of electronic transactions and account files, which may be useful when the auditor decides to modify the extent of testing (for example, in responding to the risks of material misstatement due to fraud). Such techniques can be used to select sample transactions from key electronic files, sort transactions with specific characteristics, or test an entire population instead of a sample.

  13. AU-C 330 • .A29 The nature of the particular control influences the type of audit procedure necessary to obtain audit evidence about whether the control was operating effectively. For example, if operating effectiveness is evidenced by documentation, the auditor may decide to inspect such documentation to obtain audit evidence about operating effectiveness. For other controls, however, documentation may not be available or relevant. For example, documentation of operation may not exist for some factors in the control environment, such assignment of authority and responsibility, or for some types of control activities, such as control activities performed by a computer. In such circumstances, audit evidence about operating effectiveness may be obtained through inquiry in combination with other audit procedures, such as observation or the use of CAATs.

  14. Data analytics has been around for awhile, but not widely used due to lack of technology • Frequency distribution of the first digits in data • Number 1 occurs naturally in about 30% of all transactions • Larger the digit, less frequent • Commonly used for forensics, fraud analysis and many other scientific purposes First exhibited in 1938!

  15. Report to the Nations - ACFE

  16. Report to the Nations - ACFE

  17. The speedy conversion to data-driven fraud detection • Traditional fraud detection is expert-based and usually ineffective (see previous on Fraud) • Industry is moving quickly to data-driven fraud detection using analytics / ‘big data’ • More precise – uses volumes of information to uncover fraud patterns usually invisible • More efficient – can comply with strict time constraints • Cost efficient – less paper, less decision-making • Changes the fraud cycle Process without analytics Automated process using analytics

  18. Where to start • Data needs to be categorized • Transactional data – usually structured and detailed – relational databases may be used • Contractual or account data – categorization by • Type of expense / revenue • Length of service (contract length) • Socio / demographic • Gender • Marital status • Income level • Education level • Occupation • Many others • Data is then pooled and linked – think of what credit agencies do

  19. What do these show? Wiley, 2015, 2018, Descriptive, Predictive and Social Network Techniques (Fraud analysis)

  20. Where it is heading • Behavioral information • Using pooled data – where does the person exist • Shopping • Social media / web surfing • Living conditions / lifestyle • Merge the data to predict result • Show outliers – focus there on potential fraud – becomes a shift toward auditing by exception • Using big data and focus on outliers then shifts assurance to: • Automation / AI • Bots • Integrity of transaction / process (DLT / Blockchain)

  21. Pitfalls • GIGO • Data Governance • Where is the data from / what sources? • How secure is it? (Does it comply with GDPR)? • Is the analysis being performed internally or by third parties? • Data privacy based on results • Incorrect analysis conclusion (jumping to the answer without evaluation) • Is the analysis hindsight (forensic) or foresight (predictive)

  22. Putting data analytics into practice • Jane has worked with the State Department of Revenue for 28 years. Her husband Dick is retired. They live a quiet life. Their credit scores are 760-790. Their house is fully paid. Two kids are fully grown, married and out of the house. Dick and Jane have various hobbies that keep them busy. • While Jane was out of the house at the outlets buying an outfit for an upcoming family event, Dick made reservations on a two week cruise for Jane’s birthday. It’s on the same cruise line they went on six months ago and the company gave Dick an offer to the top suite for a special price. Dick gave his credit card and it was declined. Jane swiped her credit card at the outlets and it was declined.

  23. Putting data analytics into practice • Take 10 minutes • What databases might have the credit card company(ies) used? • If a D/A system is used in Internal Audit for the State DOR, what red flags would the systems ideally notice? • Are there pitfalls here?

  24. Example - journal entry testing • Parameters on 61,825 journal entries in sample • Sample size based on audit risk = 33 • Predictive dates that could cause anomalies • Federal holidays (New Years, MLK day, President’s day, Memorial day, July 4th, Labor Day etc.) • Days of the week loaded where transactions unlikely (Saturday / Sunday) • Specific words searched for as well and within words • Plug • Fix • Correct • Balance • Fraud • Variance • Asdfirgagggeerrorlllop • Many others..

  25. Data Mining Journal Entries • Who  •  Summarize journal entries by the persons entering to determine if they’re authorized. • What  • Extract nonstandard or manual journal entries (versus system entries such as an accounts payable ledger posting) for further analysis. • Stratify size of journal entries based on amount (using the debit side of the transaction). • Summarize journal entries by general ledger account to identify repetitive and unique account sequences used in the journal entry (based on the first five debit and credit account postings). • Summarize general ledger activity on the amount field (absolute value of debit or credit) to identify the top occurring amounts. • When • Extract journal entries posted on weekends and holidays. • Extract Journal entries posted an odd times (after hours, way early) • Extract journal entries relating to the prior year that were made just immediately following a fiscal year-end. • Summarize journal entry credits and debits processing by day, month and year.

  26. Data Mining Journal Entries • Where  • Extract journal entries made summarize by the person entering and corresponding account numbers. • Extract journal entries to general ledger accounts known to be problems or complex based on past issues (errors of accounting in journal subsequently corrected by accounting staff or auditors). • Extract debits in revenue and summarize by general ledger account. • Why (Unusual Activity)  • Extract general ledger transaction amounts (debit or credit) that exceed the average amounts for that general ledger account by a specified percentage. (Five times the average is a good starting point.) • Extract journal entries that equate to round/even multiples . • Extract journal entries with key texts such as “plug” and “net to zero” anywhere in the record. • Extract journal entries that are made below set accounting department approval limits, especially multiple entries of amounts below such limits. • Also perform benford analysis • Extract journal entries that don’t net to zero/balance (debits less credits).

  27. Data Mining • Vendors and accounts payable • Expense reimbursements • Payroll • Journal Entries (see previous slides0 • Pension Census Data • Grants • And anywhere you have data!!!

  28. Data Mining Vendor Analysis • Analyze vendors population for recurring vendors (ex. utilities, monthly services, etc.) • Establish trends or average for certain vendors. • Also consider types of expenditures • Supplies • Construction Projects • Equipment • Look for unusual payments above average. • Identify Vendors that may create a conflict of interest • Compare Vendor Master File address to Employee file • Vend File: 320 My St. , 73160 HR file – 320 My Street, 73160 • Clean data: 320 , 73160

  29. Data Mining VendorAnalysis • Look for increases in amount and payment frequency over time. • Look for professional services or consulting contracts. • Duplicate invoices or duplicate payments for same services. (invoice #, Amounts, Sequential invoicing) • Multiple Vendors with Same Address • Split Purchases

  30. Data Mining VendorAnalysis • Split Purchases • Invoice Date created before PO Date • Frequent Changes to Vendor Master

  31. Data Mining VendorAnalysis • Unusual vendors or payees • High dollar /low frequency payments • High frequency /low dollar payments

  32. Data Mining Expense Reimbursements • Reimbursements to employees • Unusual activity • Duplicate reimbursement • Personal Use reimbursement • Travel reimbursements • Duplicate claims for same expense • Unallowable expenses • Expense claimed but paid on procard

  33. Data Mining Payroll Analysis • Summarize payments by month for each employee. Calculate approximate biweekly net based on approved compensation. • Identify outliers or unusual payment amounts. • Look for unusual coding for small number of payments.

  34. Data Mining Payroll Analysis • Review Overtime • Abnormal or exceeding policy limits • Received overtime payment but exempt • Paid before hire date • Paid after termination

  35. Data Mining Payroll Analysis • Look for extra payments. One time payments for “special projects” or “additional duties” or “stipends” which were not approved. • Look for Holiday bonuses!!!!! • Compare employees receiving payments to current employees. • Identify duplicate employees with same direct deposit account. • Inflated salaries or hours • Statutory or board approved salaries for upper management

  36. Data Mining Pension Census Data • Census Data: • Comparison/Reconciliation of Prior Year to Current Year file: • Identify Additions/deletion of participants • Identify Null Fields • Compare Participants information and identify changes: • Salary • Age • Sex • Birthdate • Hire Date • Termination/Retirement Date • Marital Status • Job classification

  37. Data Mining Pension Census Data • Census Data: • Comparing pension system/actuary data files to outside sources • Department of Public Safety – Drivers license database • Age (date of birth) • Gender • Department of Health • Record of death

  38. Procurement CardsThere is fraud, waste, & abuse … have you found it?

  39. Procurement Cards • P-Card programs are expanding: • Promote efficiency in purchasing process • Reduce cost • Rebate ($) • Difficulty in monitoring • Resources for review & training may be lacking • Promotes Fraud, Waste, & Abuse

  40. Procurement Card Testing • Perform Cardholder Analysis • Identify unusual activity ($) • Identify underutilization • Identify individuals more prone to circumvent purchasing rules • Identification of Split Purchases • Splits based on Single Transaction Limits • Splits based on Purchasing limits • Identification of splits over multiple days • Collusion: • Splits by departmental staff

  41. Procurement Card Testing • Day of the Week Test • Identifying weekend activity • Identification of Potential Budget abuse • Joining information from HR/Payroll • Leave activity (Annual/Sick) • Office Holiday’s/Office Closed • Analysis on Fuel purchases • Level II use avg fuel rates to calculate anomalies • Level III use actual detail on fuel purchases ($ & Gallons)

  42. Procurement Card Testing • Creation of Keyword Search • Create listing of items that are more incline to be personal purchase or violation of policies • Join listing with Level III data to identify red flag transactions • Identify high risk MCC Codes/Vendors • Think “Headline in the Paper”

  43. Example Activity

  44. Example Split Transaction

  45. Example Cardholder Profile More likely to Circumvent Purchasing Rules

  46. Comparing Activity • Easily establish comparisons to identify potential issues • Usage by Cardholder • MCC • Vendor • Ability to perform monthly, quarterly, yearly comparisons

  47. Fraud Examples • Executive Director, State CASA Association • “I cooked the books.” “I had no fear.” • Charged with 148 felony counts of • embezzlement and 1 count of conspiracy. • Estimated loss: $650,000 over 7 years. • Pretender – used stolen funds to buy lavish • lifestyle. • Likelihood to Recover the Money? 0%

  48. CASA issued credit card swiped for 3,368 transactions totaling $471,980.50 from July 1, 2002 through November 21, 2008.

  49. More Questionable Expenses Unrelated to Association Business Cash Advances (5) $13,000 Funjet Vacations (3) $ 4,022 Cozumel Charges (22) $ 1,964 Visiting Veterinarian (12) $ 1,801

More Related