DATA ANALYTICS AND

AUDIT COVERAGE GUIDE

TABLE OF CONTENTS

04 Data Analytics and Audit Coverage Guide: 15 Technical Features and Functionality
Sample 1
16 Cost
05 What is Data? 17 Readily Accessible Tools
06 Data Becomes Information for Reporting 18 Audit Software
07 Reports With Data Analysis Are Designed 19 Data Analysis Methodology
08 Defining Data Analysis 20 What Can I Do with This Stuff?
09 Getting Your Data 21 Where are we heading?
10 Where the Data Came From
22 Data Analytics and Audit Coverage Guide:
11 Data Outputs Sample 2
12 Choosing the Right Data Analysis Software
23 Setting the Stage: Data Analysis Defined
13 Internal Auditing Strategic Objectives
24 What is Data?
14 Provider and Implementer Support
25 Data Becomes Reports

2
TABLE OF CONTENTS

26 You Design Reports With Data Analysis

27 The Six Elements of Infrastructure
28 Critical Success Factors and Common Pitfalls
34 How Do we Use This and What Are Some
Good Examples?

3
DATA ANALYTICS AND AUDIT
COVERAGE GUIDE: SAMPLE 1
WHAT IS DATA?

Employee
Name
Division Sales Amount ID

Transaction Date Username Transaction Type

General Ledger
Quantity Customer
Price (GL)
Number
Account

5
DATA BECOMES INFORMATION FOR REPORTING

Data File

Inventory Report
Quantity
Unit Extended
Warehouse Part Description Quantity
Cost Cost
1 xx xx xx xx xxx
Part
Number Client 1 xx xx xx xx xxx
Application 4 xx xx xx xx xxx
Program
4 xx xx xx xx xxx
Unit Cost
10 xx xx xx xx xxx
10 xx xx xx xx xxx
Warehouse
Number

6
REPORTS WITH DATA ANALYSIS ARE DESIGNED

Summarized by Part
Number

Data File(s)

Quantity Extensions and

Footings Verified

Part
Number Data Analysis
Techniques
Excess Inventory
Unit Cost

Warehouse
Number Customer Name
Unusual Items
Customer ID

7
DEFINING DATA ANALYSIS

Data Analysis

The extraction of data from a company’s information system in order to perform data selection,
classification, ordering, filtering, translation and other functions to provide meaningful information
about business processes.

8
GETTING YOUR DATA

How is the data collected?

How is the data consolidated?

What system changes have happened recently?

What are the field’s restrictions?

9
WHERE THE DATA CAME FROM

Identified Underlying Table

• Data warehouse
• Production system
• Test environment

Parameters for Each Field That We Pulled

• What was excluded?

• What parameter takes priority?

10
DATA OUTPUTS

File Output
File Output Options
Options
• Excel
•• Text
Text
• System proprietary
• System proprietary

Delimiters
Delimiters

Multiple Files and Keys

Flat vs. Report Files

11
CHOOSING THE RIGHT DATA ANALYSIS SOFTWARE

With so many options (Excel,

Access, IDEA, ACL, SAS, etc.), how
do I choose?

12
INTERNAL AUDITING STRATEGIC OBJECTIVES

The software is easy to learn and use.

Reliance on IT professionals is minimized.

Reliability, portability and scalability occur in internal audit.

Data integrity and security occurs.

The development of automated and continuous programs is supported.

Documentation is improved and compatible with electronic workpapers.

13
PROVIDER AND IMPLEMENTER SUPPORT

Presence in the market exists.

A help desk (tech support) is available.

Team members understand auditing needs and business is done easily.

Regular software updates occur.

Training and user groups are available.

14
TECHNICAL FEATURES AND FUNCTIONALITY

The file type, volume and size handling are included.

Import data is easily reconciled and validated.

Data analysis functions are common (sorts, appends, summarization, gap

detection, aging).

Data analysis functions are advanced (correlation, trend analysis, time

series, statistical analysis).

Documentation of data actions is performed.

Reports and graphics are customized.

15
COST

Purchase price and implementation fees

Upgrade fees

Job aids (automated scripts and specialty components)

Help desk support

16
READILY ACCESSIBLE TOOLS

Microsoft Excel

• Advantages
− Incremental costs are easy to learn but do not exist.
• Disadvantages
− Import and data processing capabilities are limited.
− A join/grouping functionality does not exist.

Microsoft Access

• Advantages
− Import capability/interfaces with other databases are improved.
− Analyses relate to one another.
• Disadvantages
− SQL knowledge is heavily relied upon.

17
AUDIT SOFTWARE

Audit Command Language (ACL)

• Advantages
− Data handling and processing speeds are efficient.
− Data analysis functionalities are built in.
• Disadvantages
− Learning curve/script writing is hard.

IDEA

• Advantages
− Graphical user interface/visual scripts are efficient.
− Audit procedures and output reporting are effective.
• Disadvantages
− Advanced statistical analysis is limited.

18
DATA ANALYSIS METHODOLOGY

Establish your objective statements.

Write your steps to achieve the objective.

Example:
Analysis Statement 1: Verify that group purchase/requisitions orders have an associated invoice in the accounts
payable system.

Step 1: Extract line items with the desired cost/group codes from all data sets.
Step 2: Group POs in access using a select query and include the PO number.
Step 3: Group ROs in access using a select query and include the RO number.
Step 4: Compare the AP data table to the PO select query (we want to capture POs that don’t have an invoice
number).
Step 5: Compare the AP data table to the RO select query (we want to capture ROs that don’t have an invoice
number).
Step 6: Review the results (noting POs and ROs that have no invoices attributed to them).

19
WHAT CAN I DO WITH THIS STUFF?

Simplify Daily Processes

• Establish templates that can aggregate your line-item data to dashboards for quick review.

Detect, Correct and Prevent

• Review past information to detect issues, correct them and establish means to prevent it from occurring again.

Avoid Association Due to Correlation

• Raw historical data forecasting should involve a level of statistics for more meaningful results.

20
WHERE ARE WE HEADING?

Emerging trends in utilizing data to optimize normal business processes are

discovered.

New ways to measure business performance are adopted.

More time for value-added tasks is spent.

21
DATA ANALYTICS AND AUDIT
COVERAGE GUIDE: SAMPLE 2
SETTING THE STAGE: DATA ANALYSIS DEFINED

Data Analysis Data Analysis

The extraction of data from a client’s information system in

order to perform data selection, classification, ordering,
Computer-Aided Audit Tools filtering, translation and other functions to provide the client
(CAATS) with information about their business processes.

Data Mining

23
WHAT IS DATA?

Name Employee ID
Division Sales Amount

Transaction Date Username Transaction Type

Quantity Customer General Ledger

Number Price (GL) Account

24
DATA BECOMES REPORTS

Sales Employee
Name Division
Amount ID

Transaction Transaction
Date Username Type

Customer Price GL
Quantity
Number Account

Data File Inventory Report

Unit Extended
Warehouse Part Description Quantity
Cost Cost
Quantity xxx xxx xxx xxx xxx xxx
xxx xxx xxx xxx xxx xxx
Client
Application xxx xxx xxx xxx xxx xxx
Part
Program xxx xxx xxx xxx xxx xxx
Number
xxx xxx xxx xxx xxx xxx
xxx xxx xxx xxx xxx xxx
Unit Cost

Warehouse
Number

25
YOU DESIGN REPORTS WITH DATA ANALYSIS

Name Division
Sales
Amount
Employee
ID
Summarized by Part
Number
Transaction Transaction
Date Username Type

Customer Price G/L

Quantity
Number Account

Data File
Excess Inventory

Quantity

Customer
Part Data Analysis Verified Extensions
Name and
Number Techniques and Footings
Customer ID

Unit Cost

Unusual Items
Warehouse
Number

26
THE SIX ELEMENTS OF INFRASTRUCTURE

Information
Processes are facilitates the Automation and
Policies define Informed decisions
assigned to key definition of data integrity meet
processes. are based on reports.
owners. controls. needs.

Business Business People and Management Methodologies Systems

Policies Processes Organization Reports and Data

Risks if elements are deficient include:

Processes do not People lack the Reports do not Methodologies do Information is not
carry out established knowledge and provide information not adequately available for
policies or achieve experience to for effective analyze data and analysis and
intended results. perform the management. information. reporting.
processes.

27
CRITICAL SUCCESS FACTORS AND COMMON
PITFALLS (1/6)
Business Business People and Management Systems
Methodologies
Policies Processes Organization Reports and Data

• Focus on what matters:

− Find fraud, waste and abuse.
− Ensure compliance.
− Monitor business performance.
− Monitor risk across the organization.
• Link the program to business objectives.
• Articulate the specific benefits of investing in a program and the implementation strategy.

28
CRITICAL SUCCESS FACTORS AND COMMON PITFALLS
(2/6)
Business Business People and Management Systems
Methodologies
Policies Processes Organization Reports and Data

• Define a high-level process.

− Inputs
− Activities
− Outputs
• Identify the source of inputs.
− How is information captured?
− How will inputs be validated?
• Determine the types of activities that will be performed.
− Data analysis and investigation of anomalies
− Manual audit procedures
• Identify expected outputs and audience.
• Define periodic reporting processes.

29
CRITICAL SUCCESS FACTORS AND COMMON
PITFALLS (3/6)
Business Business People and Management Systems
Methodologies
Policies Processes Organization Reports and Data

• Obtain executive support for the program.

− Identify all key stakeholders.
− Source the champion.
− Use program management and executers.
− Utilize data providers.
− Use recipients of detailed results and periodic summaries.
• Understand the needs of key stakeholders.
• Obtain buy-in for programs from key stakeholders.
• Identify and develop required skills and competencies.
• Identify and address organizational obstacles.

30
CRITICAL SUCCESS FACTORS AND COMMON
PITFALLS (4/6)
Business Business People and Management Systems
Methodologies
Policies Processes Organization Reports and Data

• Identify data requirements for the program.

− What information is required?
− Where is that information stored?
− Who can provide the information?
• Design a standard data request format.
− Timeline
− Source and required data
− Background information
• Define data validation processes and reporting.
• Define reporting requirements by stakeholders.
− What information does the audience want and what questions do they want answered?
− How will detailed results be summarized?
− Who will make conclusions based on the results?

31
CRITICAL SUCCESS FACTORS AND COMMON
PITFALLS (5/6)
Business Business People and Management Systems
Methodologies
Policies Processes Organization Reports and Data

• Define the test scope and tolerances.

• Develop testing procedures (rules).
• Select or build an application, if applicable.
− Understand standard queries.
− Select applicable procedures.
− Embed queries into applications.
− Test logic and confirm results.
• Provide adequate training to applicable stakeholders.
• Automate as many “rules” as practical.
− Use system-based audit targets.
− Use manually-intensive audit targets.

32
CRITICAL SUCCESS FACTORS AND COMMON
PITFALLS (6/6)
Business Business People and Management Systems
Methodologies
Policies Processes Organization Reports and Data

• Understand how applicable data is captured and reported in operational and financial systems.
− Procurement is handled through payments.
− Sales are handled through cash applications.
− Payroll and expense reimbursement occur.
− General and subledgers are used.
− Bank information is utilized.
− External databases are used.
• Understand system interfaces (automated and manual).
− Advocate automating data capture where practical.
• Know the audit tools available and their capabilities.
• Select the right tools for programs/procedures.
• Focus on driving efficiency over time vs. initial investment.

33
HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
Data Analysis: Suggested Approach

Planning and Data Acquisition and Analysis and

Wrap-Up
Request Validation Testing

1. Identify 4. Acquire data. 7. Perform a 9. Produce a

opportunities. basic final report.
5. Load data.
analysis.
2. Research 10.Close the
6. Perform
possible 8. Present project.
validation
opportunities. findings
and proofing.
through a
3. Design an
presentation.
assessment.

34
HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
Possible Examples for Consideration
GL and Journal Entry Examples
• Benford’s Law on Journal Entries
by User
• Journal Entries Identifying Outliers
(Uncommon Accounts, Profit
Centers and Cost Centers)
• Manual-Round Dollar Entries
• Unusual Posting Dates/Times
• Split Entries Analysis (Entries Just
Below Approval Threshold)
• Suspense, Clearing and
Intercompany Accounts Analysis
• Credits Vs. Aged Invoices
Analysis
• Reversed Month-End Journal
Entries
• Entries Within Accounts
• Inactive Accounts Entries
• Percentage Variances in GL
Accounts Between Periods
35
Travel and Entertainment Examples
• Spend by Employee
• Expenses by Employee
Analysis (Just Below
Threshold, Comparison of
Employees Expensing
Duplicates, Expensing Airfare
but No Hotel Vice Versa,
Expensing Car But No Airfare,
Etc.)
• MCCG and MCC of T&E or P-
Card Transactions
• Benford’s Law Analysis on
Employee Expenses
• Expense Dollar and Volume
Stratification
• Inactive Employee Spend
Analysis
• Spend by Expense Type
• Large-Dollar Expenses
Identification
• Nontimely Expense
Submission
• Expense Analysis by Category
(E.g., Airfare, Office Supply,
Cell Phone and Professional
Dues)
• Per Diem Expense
Identification and Comparison
to Trips, Policy Threshold and
Potential Duplicates in Meal
Reimbursement and Per Diem
• Duplicate Expense Submission
• Weekend Transaction Dates
Analysis
• Activity From Personnel in
Expense-Centric Departments
Analysis
HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
Case Study 1

• Global management consulting, technology services, and companies with offices and
operations in more than 50 countries and annual revenues in excess of $21 billion are
outsourced.
• Internal audit (IA) personnel used ACL to perform limited analyses as part of quarterly
Background companywide journal entry (JE) reviews of more than 13 million journal entry lines. All
analyses were performed manually through the ACL graphical user interface.
• IA personnel were using Excel to perform limited analyses for employee time and expense
(T&E) testing.

• Implement routines (e.g., scripts) in ACL to automate the existing limited JE and T&E
analytics.
Project • Create additional automated testing routines to be executed as quarterly continuous controls
Objectives monitoring (CCM) procedures.

36
HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
JE Testing Overview
• Quarterly Companywide JE Review
− Data integrity testing, such as reconciliation to control totals, analysis
of reporting period and search for blanks in key fields is done.
− An analysis of JE approvers on an authorized list and an analysis of
manual and automated entries by document type were performed.
Entries where the document header or line item text is blank were
identified.
• CCM: Data Exploration
− Classify unique values for key data fields, including company code,
transaction code, manual vs. automated flag, year/period and
currency.
− Statistics on amount and posting date fields are used.
• CCM: Duplicates Testing
− Identify duplicates (same account and amount) for manual JEs.
• CCM: Fraud Analytics
− Keyword search for items, such as “plug,” “miscellaneous,”
“temporary,” “adjust,” etc.
− Entries posted in the top 10 countries in the corruption perceptions
index listing are evaluated.
− The same person should enter and post all manual JEs.
• CCM: High-Risk Account Entries
− Identify all entries posted to “high-risk” accounts.
• CCM: Timeliness of Postings Analysis
− Calculate the number of days between journal entries and posting
dates.

37
HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
T&E Testing Overview
• General Data Overview
− Create record count and dollar amount totals by year and month (i.e.,
to reconcile to control totals).
− Classify unique values for key data fields, including expense type and
entry date.
− Identify the top 100 highest and lowest transaction amounts.
− Use the statistics on amount field.
• T&E Population Analyses
− Identify transactions just under $XX threshold for receipts per U.S.
policy.
− Extract all transactions that are around multiples of $XXX.
− Perform approval threshold analyses for certain expense types per
policy, including training/publication greater than $XXX, business deals
greater than $XXX and travel/other greater than $XXX.
− Identify potential duplicates using multiple sets of criteria.
• Expense Type Analyses
− Identify all transactions for certain expense types assessed to be high-
risk, including “Gifts, Floral, Tickets and Promotional Items,”
“Miscellaneous,” “Non-Standard Office Supplies,” “Technology
Supplies” and “Charitable Contributions.”
• Keyword Search
− Keyword search for items assessed to be high-risk, such as “gift,” “car
repair,” “rent,” “pet,” “movie,” “apartment,” “doctor,” “furniture,” “laptop,”
“clothes,” “tuition,” “laundry,” etc.

38
HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
Summary of Value
JE Testing: Sample Results From One Quarter

• The amount of time to perform quarterly JE review procedures, including manual analyses through the ACL GUI,
was reduced from approximately XX-XX hours to XX-XX hours.
• Additional CCM test results include:
– XXX journal entries (more than XXX journal entry lines) where the same individual entered and posted the JE
occurred.
– Nearly XXX JE lines were just under the $XX approval threshold.
– XXX JE lines with the word “plug” were entered, XXX JE lines with the word “miscellaneous” were entered and
nearly XXX JE lines with the word “temporary” were entered.
– XXX JEs where the posting date was more than XX days before the entry date occurred.
– More than XXX journal entries were posted in countries in the top 10 of the corruption perceptions index,
including nearly XX journal entries with line amounts greater than $XXX.

T&E Testing: Sample Results From One Quarter

• More than XXX expense transactions with the word “wine,” XX containing the word “laundry,” more than XXX with
the word “golf,” XX with the words “doctor” or “surgery,” XX with the word “clothes” and XX with the word “iPod”
were identified.
• Nearly XXX transactions with round dollar amounts that are multiples of $XXX were identified.
• All transactions requiring separate approvals per policy, including XXX transactions exceeding the business meal
threshold, XXX above the training/publications threshold and more than XXX exceeding the “other expense”
threshold were identified for additional testing.
• More than XXX potential duplicate transactions with the same personnel number, expense date, charge code,
expense type and amount were identified.

39
HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
More Examples for Consideration
Procure-to-Pay Examples
• Vendor Master File Analysis
• Number of Inactive Vendors With
Activity
• Payments to Inactive Vendors
• Duplicate Vendors, Invoices and
Payments
• Vendor to Employee Match
• Benford’s Law Analysis – Invoice,
Payments, PO and/or Credit
Analysis
• Missed Discounts: Late
Payments
• Authorization and Analysis of PR,
PO, Invoice and Payment
• Aging AP and Credit Processing
Analysis
• Holiday Activity
• Void/Reissue Payment Analysis
• Payment Gap Analysis
• User Analysis Between Vendor
Setup, Voucher and Payment
Processing
• Debit Memos/Adjustments Analysis
• Overpayments/Refunds Analysis
(Unused Credits)
40
Order-to-Cash Examples
• Cash Receipts and Timely Posting
Analysis
• Customer Credit Ranking Analysis
(Amounts and Authorization) and
Customer Activity Analysis
(Payments and Credits)
• Write-Off Transactions Analysis
(Authorization and Timeliness)
• DSO Analysis by Order Date, Bill
Date and Payment Received Date
• Unfulfilled Customer Purchas
Orders Analysis
• User Analysis
• Customer Account Aging Analysis
• Holiday Activity
Information Technology
• Access Rights Analysis
• Multisystem Segregation of Duties
Analysis
• Last User Sign-On Analysis
• Employee Master Records Analysis
• Duplicate Employee IDs Analysis
• Change Management Authorization
• New Hires/Terminations
• Problem Management Analysis
• System Logic Analysis (Write-Offs
and Refunds)
• Benchmarking Reports (Determine
the accuracy of system reports by
utilizing actual transactional and
master data [i.e., compute what the
values should be based on
business rules and then compare
them to actual monthly reports].)
HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
Sample Results: Supplier Statement Audits
Supplier statement reviews can be a significant driver for identifying unused credits or outstanding checks, which
result in near-term cash recovery.

Example Vendor Credit Summary

XXX Suppliers
ERP 1 ERP 2 ERP 3
Root Cause Count Dollar Count Dollar Count Dollar Received responses from xx%
Adjustment XX XX XX XX XX XX of suppliers totaling xx% of
spend.
Duplicate payment XX XX XX XX XX XX
Overpayment XX XX XX XX XX XX XXX Responses
Rebate XX XX XX XX XX XX
XX Suppliers With
Return XX XX XX XX XX XX
Credits
Unapplied cash XX XX XX XX XX XX
XXX Credits
Unknown XX XX XX XX XX XX
Total XX XX XX XX XX XX $XXX
Recovered

Example Key Findings

• Aged items on accounts were surfaced to the organization to enable them to readdress these with the vendor for
more immediate resolution.
• Credits are being received by plant locations but are not being sent to the shared services centers for
processing.
• Unapplied cash and returns were the most prominent root causes of credits.

41
HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
Sample Results: Payment Terms
Nonstandard or “unfavorable” payment terms should be analyzed to determine opportunities for either payment
discounts or extending to more favorable terms.

xx, x%

Discounted
Discounted Terms
Unfavorable Terms Terms
17%
xxx Invoices (xx%) 17%
Less than
30 Days No
Net 30+ Discount
No
Discount Less than
xx, xx% 30 Days No
xx, x% xx, x% xx, x% 40%
Net 30+ Discount
xx, x% xx, x% No
xx, x% xx, x% 43%
Discount
xx, x%
40%

Observations
• XX% of all nondiscount invoice terms required payment in less than the standard 30-day payment terms.
• $XXX in invoice spend (XX%) had immediate payment terms.

42
HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
Fixed Assets
• Estimate/recalculate depreciation.
• Verify that accumulated depreciation does not
exceed cost for any asset.
• Identify “credit” assets.
• Identify land that is depreciating.
• Identify assets assigned out of the useful lives
policy.
• Determine the assets setup with the cost below
the capitalization threshold.
• Estimate the impact to P&L of
increasing/decreasing capitalization threshold.
• Review for duplicate asset setups.
43
• Look out for aging CIP.
• Facilitate item master cleanup.
• Search for negative depreciation.
• Use inconsistent/outlier useful lives/depreciation
methods.
• Perform a post-addition percentage analysis
(how much more cost added after depreciation
started).
• Search for aged and fully depreciated assets.
• Perform an asset-classification analysis (leased
vs. fixed or long-term vs. short-term).
• Compare the asset turnover ratio to the industry
average.
HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
Inventory
• Inventory by type summary is identified.
• Inconsistent costing is identified.
• Inconsistent units of measure with the same unit
costs are used.
• Category types are verified.
• Cost analysis is extended.
• A quantity analysis is done.
• A per unit cost analysis is performed.
• Current vs. prior-year cost comparison setup is
performed.
• Reports of unit cost changes are used based on
prior-year quantities and current-year unit costs.
• Sales analysis is done.
44
• Inventory vs. sales analysis is done.
• Potential excess inventory is identified.
• Margin review occurs.
• A user analysis between the purchase order and
receipt is done.
• An inventory adjustment analysis (write-offs) by
items, users, locations, transaction type and time
of day is performed.
• An inventory adjustment analysis (returns) by
items, users, locations, transaction type and time
of day is done.
• A scrap activity analysis is performed.
• Negative inventory balances and/or inconsistent
fluctuations in inventory accounts between
months are identified.
HOW DO WE USE THIS AND WHAT ARE SOME GOOD
EXAMPLES?
Lessons Learned
Senior management buy-in is crucial for the success of any controls
monitoring projects.

Requirements, documentation and change request procedures are defined.

IT should be involved earlier on during the project.

Ensure to test, test and test.

Focus on high-risk processes.

You have a tremendous opportunity to drive value and be an agent of positive change in your
organization!

45