1. November 30th 2012, San Francisco
SF IIA Fall Seminar Internal Audit's Role in the Changing Business Landscape
November 30th 2012, San Francisco

2. Agenda 7:45 -8:15 am Registration and Breakfast
8:15 -8:20 am Welcome and Introductions
Ed Byers, (Deloitte),
Farhan Zahid, (Deloitte)
8:20 -9:00 am Emerging Hot Issues
Security and Privacy – Husam Brohi, Michael Corey (PWC)
Vendor Compliance – Byron Tatsumi, (KPMG)
09:00 -09:50 am Leveraging Data Analytics to Enhance Your Internal Audit Function Dawei Qu, (BlueShield of California), Dale Livezey (Deloitte)
9:50 -10:10 am BREAK
10:10 -11:30 am Enterprise Risk Management and Impact to Your Audit Plan
CAE Panel Discussion led by Shawn Kirshner (Accretive Solutions)

3. Agenda
11:30 -12:20 pm Risks in Social Media Anna Tchernina, Willis Kao (Deloitte) 12:20 -1:20 pm GOURMET LUNCH (provided) 1:20 -2:10 pm Fraud Risk Management – The Things You Need To Know Paul Ritchie, (Deloitte) 2:10 – 3:00 pm Top 10 IT Internal Audit Risks Michael Juergens (Deloitte) 3:00 – 3:20 pm BREAK 3:20 – 4:40 pm Understanding Your Auditee – How to Communicate More Effectively Group Setting Howie Cumme (URS) Ed Byers, (Deloitte) Farhan Zahid (Deloitte)

4. Welcome SF IIA Fall Seminar Chair
Ed Byers, (Deloitte)
Farhan Zahid, (Deloitte)

5. Rules of the Road Logistics – Fire Exits and Restrooms
Breaks and Lunch
Phone calls
Questions and Answers

6. 08:20 – 09:00 Various Presenters
Emerging Hot Issues
08:20 – 09:00
Various Presenters

7. Emerging Hot Issues 08:20 – 08:40 Security and Privacy
Husam Brohi, PWC
Michael Corey, PWC
08:40 – 09: Vendor Compliance
Byron Tatsumi, KPMG   

8. Fortifying your defenses
The role of internal audit in assuring data security and privacy

9. CEOs/Boards are no longer ignoring Information and Technology (I&T) Risks
I&T Risk is an enterprise-wide issue. Specific types of risks organizations are facing include:
Connected IT infrastructure exists in an environment that is increasingly under threat against unauthorized access or disclosure of sensitive data and attacks originating from cyber-criminal groups and hackers.
Increase in Privacy and Security regulatory mandates in recent years, as well as expected changes in upcoming years.
Boards are no longer willing to accept the risk that technology can pose to the business.
Growing demand by business leaders to understand how security integrates with privacy (“what” data is sensitive to the business) and security (“how” they protect the data deemed sensitive).
Increase in threats and vulnerabilities to sensitive data and corporate assets.
Businesses continue to struggle to maintain accountability to their stakeholders and establish effective strategies and standards for security risk management and privacy control activities.

10. Change and Complexity is Right Around the Corner
Security and Privacy Hot Topics: Balancing Business Enablers vs Business Risks
Privacy and Data Loss Prevention
Organizations looking to improve privacy management in the event of a breach have to continually plan and prepare.
Mobility and Social Media
Mobile platforms, social media, and accelerated product life cycles are just the latest contributors to risk of an enterprise.
Regulatory Compliance
Organizations in all industries are under increased scrutiny by regulatory governance bodies.
Technical threats and vulnerabilities
Companies need to stay informed about the constantly changing threat environment, processes to identify potential vulnerabilities, and processes to resolve potential exposures.
Third Parties and Cloud Computing
While risks associated with third parties and cloud computing continue to increase, many companies are less prepared to defend their data.
Cyber Crime
The cyber threat landscape continues to yield an increasingly sophisticated underworld of criminals. Companies need to remain prepared for such cyber crises.

11. Stakeholders want focus in all critical risk areas Risk areas in which stakeholders and CAEs want/plan to add IA capabilities
There is a continued desire to add resources in critical risk areas. Virtually no one wants IA to reduce resources in any of these areas.
Good alignment.
Interesting that data security and privacy continues to be an area where resources will be added. Although an area of significant focus in recent years, there still appears to be a need or desire to add resources. Perhaps it’s because of the complexity or the pace of change in this area but we also see a danger here of misallocating resources.

12. Acting today to protect data: The critical role of internal audit
What the audit committee should expect of internal audit
Strengthen the Annual Risk Assessment to be relevant
In the risk assessment report that it presents to the audit committee, internal audit should highlight the organization’s significant data security and privacy risks, including any new risks. Further, it should identify weaknesses in policies and controls. 1
Having the right people
Because the nature of information security risks is evolving continuously, internal audit functions need to stay ahead of the threat curve. stay plugged in to emerging security threats, and practices for protecting against them. 2
Given that data security and privacy breaches can cost a company dearly in financial losses and market reputation, the firm’s board of directors will want to stay on top of these risks. Keeping the audit committee apprised of emerging risks and effective ways to address them is a key role of internal audit.
Stay vigilant on key or triggering events
Internal audit’s role in ensuring that information security threats are properly considered becomes especially important when a company is ready to roll out a new business process, product or information system.
Internal Audit must also keep its ear to the ground and move quickly to conduct special audits for new information security threats, which some executives consider as important as regularly scheduled audits 3

13. Overcoming the barriers to internal audit playing an effective role
Effective data privacy and security measures are not easy to effect. In fact, we commonly find four barriers in organizations that try to adopt them.
A mindset that believes adequate
controls are already in place. 1
Exposures are changing constantly,
policies and controls need to change
alongside them.
Cost. Achieving and maintaining
effective information security can
cost significant money and effort. 2
Implement cost/benefit analysis in risk assessment to assesses potential damage of various types of security breach.
Low expectations. Internal Audit not viewed as capable of assessing complex security and privacy topics. 3
Hiring & training staff to be top of their game in this arena and/or outsourcing as needed to experts that have technical skills
Fragmented responsibilities. The job of maintaining effective information security controls is often split among many stakeholders
Establish responsibility and accountability. Define and assign a single point of responsibility for information security. 4

14. Thank you… For more information, please contact: Michael Corey Husam Brohi

16. Continuous Audit with Data Analytics
IIA Conference
November 30, 2012 16

17. Speakers Dale Livezey Dawei Qu Deloitte & Touche LLP
Senior Manager, NorPac Regional Technology Leader
Deloitte & Touche LLP
Audit and Enterprise Risk Services
San Francisco, CA
Dawei Qu
Internal Audit Manager
Blue Shield of California
Internal Audit Services
San Francisco, CA

18. Agenda Benefits of Data Analysis Type of Data Analysis Case Study
Ad hoc query
Repetitive Analysis
Continuous Auditing
Case Study
Claims Denials Audit
Accounts Payable Audit

19. Benefits of Data Analytics

20. Benefits of Analyzing Data
Data Analytics can help in many aspects of business process testing
Assist in root cause analysis
Test Validity and accuracy of reports
Target and assess specific risk areas
Identify control weakness / effectiveness gaps
Overall more effective
control testing
services for our clients
More efficient and effective manual testing
Data analysis improves the quality, effectiveness and efficiency of audits
Performs 100% recalculations and verification of transactions in a timely and repeatable fashion
Compares data from multiple / disparate systems
Provides business insights and identifies process improvement opportunities
Presents quantifiable results from analysis based on complete population

21. Benefits of Analyzing Data
Approach
Benefit
Profiling and trending
Focus on specific areas of risk or interest
Provide insights into transactional history and behavior
Test internal controls effectiveness
Identify hidden relationships between people, organizations and events
Customized transactional analysis
Geared towards a clients specific business process
Reduction in manual testing procedures
Perform proactive instead of reactive audits
Identify potentially improper or fraudulent transactions
Statistical Sample selection and evaluation
More efficient and accurate selection procedures
Reduces time spent on selections of little or no interest
Analyze the full population of transactions instead of a traditional sampling approach
Focus on risk!
Report re-performance and metric recalculation
Validate operational reporting systems and assist in the documentation of current reporting process
Reduce manual testing procedures
NOTES
The IIA Exposure Draft says that technology improves management’s ability to detect fraud. While many internal audit departments use data analysis in their audits, few use it to its full potential and could benefit by learning additional techniques.
We will take a few minutes to discuss each of these.
First, integrating data analytics into the internal audit approach allows the internal auditor to analyze all the transactions. You are able to run tests on the full population instead of examining a small sample. This makes it more likely that you will detect anomalies and allows you to focus your time and attention on understanding the transactions that are higher risk. For example, instead of selecting 20 entries posted by the fixed asset accountant that are likely to be monthly depreciation expense, you might identify that the CFO posted one large entry at month-end that credit depreciation expense. Isn’t that entry more important to look at?
Second, let’s consider hidden relationships between people, organizations and events. When we say people, we mean employees of the company in the same or different departments, various levels of management, or in different locations. We also mean relationships between employees of the company and employees of customers, vendors, government agencies and others. Relationships between organizations include joint ventures, guarantors/guarantees, lenders/borrowers, vendors/customers, etc.
Events refer to the sequence of events. For example, is a large cash withdrawal followed by a face to face meeting between a procurement officer and a vendor? Does a payables clerk buy a large new house after a round of layoffs that resulted in her getting additional system access rights?
Third, data analysis can help you identify potentially improper transactions.
Data analysis can result in a large number of false positives. One useful way of identifying the transactions that are most likely to be fraudulent is to run tests that look at the data in different ways and then combine the results. For example, if you were testing for ghost employees, you might run tests that look for employees with no social security number, no withholdings for 401k or medical benefits, salaried employees in departments that typically have hourly employees, multiple employees with bank accounts in common, etc. While the test for no withholdings is likely to have results, if employees identified on that test also lack social security numbers and have bank accounts in common with other employees, you should focus your attention on these employees because they are more likely to really be ghost employees.
Fourth, data analysis can help you assess internal controls. They are very useful for reviewing segregation of duties. For example, you could look for people whose access rights allow them to both create and post a journal entry. Or people who have administrator rights but really should not. Later in this course you will learn how to run these tests. You would take the results of the segregation of duties tests to understand what these employees were able to do in the system. The next step would be to find out whether they used the inappropriate rights to perpetrate any fraud.
Finally, data analysis can help an internal audit department perform proactive audits. The longer a fraud is perpetrated before it is detected, the larger it is likely to become. Thus, identifying fraud in its infancy can save a company a lot of money.
When an internal audit department uses data analysis to look for red flags of fraud, it increases its effectiveness. A best practice is to use continuous monitoring techniques to look for potential errors and fraud. This is impossible to do well without effective automated procedures, especially in a large company. Of course, the internal audit department needs to plan to follow-up on red flags and be willing to allocate appropriate resources.

22. Type of Data Analysis

23. Computer Aided Audit
Ad-Hoc Query: One time based specific analytic query or analysis at a point of time.
No intention of repetitive testing
Explorative and investigative
Repetitive: Periodic analysis of processes from multiple data resources
Periodical
Seek to improve the efficiency , consistency, and quality of audits
Ad-hoc Query Example:
One time query on journal entry posted by a suspicious user
One time query to search for suspicious vendors base on certain criteria
Repetitive Example:
Revenue recalculation
Duplicate journal entry identification
Journal entries posted by unauthorized users 23

24. Continuous Audit
Definition: The independent application of automated tools to provide assurance on financial, compliance, strategic and operational data within a company. 
Nature:
Automated
Continuous basis – Specified intervals
Constantly search for errors, fraud and inefficiencies
Advanced analytic tool involved: SAS and ACL
3) Example:
Automated A/P review
Automated J/E review
Operational process review
Analysis of the data may be performed hourly, daily, weekly, monthly, etc. depending on the need.
Continuous auditing is often confused with computer-aided auditing. The purpose and scope of the two techniques, however, are quite different. Computer-aided auditing employs end user technology including spreadsheet software, such as Microsoft Excel, to allow traditional auditors to run audit-specific analyses as they conduct the periodic audit. Continuous auditing, on the other hand, involves advanced analytical tools that automate a majority of the auditing plan. Where auditors manually extract data and run their own analyses in computer-aided auditing during the course of their traditional audit, high-powered servers automatically extract and analyze data at specified intervals as a part of continuous auditing.
Internal Focus: To assure the integrity of transactions. Ex. A/P analysis. Claims denials audit.
2) External Disclosure Increased frequency on disclosure will drive the nature of the audit process. Ex. Journal Entry Analysis
3) Law and Regulations: To ensure compliance to the law and regulations. Ex. Medicare fraud audit. Preventive Care Audit.
4) Technology related: Data integrity and quality assurance. 24

25. What are Companies Doing?
25% have CA programs in 2009, compared to 11% in 2006 *
Benefits listed by survey participants :
Auditors are aware of issues as they occur
100 percent of the population rather than a sample is evaluated
Allow to create preventive controls for process owners
3) Challenges listed by survey participants:
Implementation takes long
Auditors need to have detailed knowledge of the underlying data structures to use the tool correctly
Auditors and business owners have to the determine parameters used in the CA program
Note: Statistic is based on IIA survey
Analysis of the data may be performed hourly, daily, weekly, monthly, etc. depending on the need.
Continuous auditing is often confused with computer-aided auditing. The purpose and scope of the two techniques, however, are quite different. Computer-aided auditing employs end user technology including spreadsheet software, such as Microsoft Excel, to allow traditional auditors to run audit-specific analyses as they conduct the periodic audit. Continuous auditing, on the other hand, involves advanced analytical tools that automate a majority of the auditing plan. Where auditors manually extract data and run their own analyses in computer-aided auditing during the course of their traditional audit, high-powered servers automatically extract and analyze data at specified intervals as a part of continuous auditing.
Able to quickly identify irregularities including fraudulent transactions 25

26. Case Study 1 – SAS Medical Claims Denials Analytics
Note: Numbers or findings have no meaning beyond being placeholders for the given example

27. Steps Audit Planning Data Readiness Data Analysis Risk based Sampling
Substantive Testing
Communication of Results 27

28. Audit Planning Establish Testing Period: Jan to June of 2012
Determine Scope: all medical claims denied from Jan to June of 2012
Determine Frequency: quarterly
4) Define Audit Objective: Ensure claims were appropriately denied as per provider contract, member benefit and regulation
5) Select Audit Methodology:
Perform data analysis to identify high risk denial areas
Perform risk based sampling and substantive testing
6) Know your Deliverables:
An excel based deck to present data analysis results
An audit report to communicate findings of substantive testing 28

29. Data Readiness Request Data:
Pull data directly from corporate data marts
Work with IT to extract relative data
Data Reconciliation
Control total
Key fields (numeric fields) tie-out
Data Quality Test
Duplicate records
Missing values of key fields
Invalid value of key fields. For example, billed date of 01/32/2012; negative co-pay/deductable amount 29

30. Data Analysis Steps
Research the relative areas of high risks by partnering with business owners
Measurement of compliance risk: system days per claim
Measurement of operational risk:
locations per claim
denial ratio at provider level
Measurement of financial risk: billed amount /claim
Design the profiling tests in relation to specific risks
Determine the list of tests
Map test to risk(s)
Develop testing routines in SAS
Review the data analysis results with business owners 30

31. Data Analysis – Profiling Tests
Population overview
Trend analysis of denial rate
Trend analysis of system date
Dollar stratification
Location count stratification
Profiling of providers (hospitals)
Profiling of explanation of benefit (EOB) codes 31

32. Data Analysis - RPM 32

33. Population Overview
The average billed amount for denied claims is significant higher than paid claims
Denied claims take longer to process compared to paid claim
Denied claims go through more locations to complete 33

34. Trend Analysis – Denial Rate
Facility (hospital) denial rate is significantly higher compared to overall average
Denial rate in May 2012 is high driven by the higher denial rate of facility claims 34

35. Trend Analysis – System Day
Manual claims take longer by the processing system to reject or pay.
Correlation exists between denial rate and manual system days in May
May population is worth to look into 35

36. Stratification Dollar Stratification Stratification on location
Yellow strata subjects to risk based sampling while purple might need drill down
Auditors may design strata according to relative limit approval controls 36

37. Profiling on Hospitals
The denial rate for top providers is significantly high compared the average (20%)
Provider #2 has a high denial rate in May
Hospitals #1, #2 and #5 are trending up on denial rate 37

38. Profiling on Explanation of Benefit
11% blank EOB is noted
This break-out can be compared against the industry benchmark to analyze the space of improvement 38

39. Profiling and Sampling Process Flow

40. Risk Based Sampling - Selections
Risk score is calculated for each claim
Total risk score is the sum of risk weight for each failed / hit profiling tests
Samples were selected from the claims with higher risk scores
Auditors professional judgment plays an important role on finalizing samples
Average number of risks tested per sample is 5.56 40

41. Communication of Findings
During the data analysis, Internal Audit noted that 11% denied claims do not
have explanation of benefit (EOB) codes. This was a result of an incorrect field
mapping between the claims processing system and Claims data mart.
Finding 2:
During the data analysis and the subsequent detail testing, Internal Audit noted
that the denial rate for hospital #2 in May is significant higher than other periods
and other hospitals. This was a result of an insufficient communication on the
changed provider contracts.
Benefit
Increase testing coverage – full population review
Increase testing frequency
Establish an ongoing reusable automated testing routines
Decrease samples size - More effective and efficient manual testing on selections
Detect control deficiencies and fraud “red flags” timely
Track and escalate exceptions for rapid remediation
Target to high risk areas
Add value to the business 41

42. Case Study 2 – Accounts Payable

43. Agenda Purpose and Scope Roles and Responsibilities Project Snapshot
Final Assessment

44. Purpose and Scope Account Payable FCPA Expenses
Internal Audit engaged Deloitte to help proof of concept
Account Payable
FCPA
Expenses
Deloitte understands that the Company’s objectives for this engagement are:
Assist with developing ACL scripts, to serve as queries for use by limited members of various business units, as part of routine management oversight.
Obtain results of profiling analytics specifically on procurement and expense data provided by the Company.
Execute sample profiling scripts, as a test case, to assist with FCPA (Foreign Corrupt Privacy Act) related controls.
Assess the applicability of scripts executed, and determination of additional scripts to be considered for future development in the Procurement Cycle.

45. Project Snapshot Accounts Payable– List of Analytics performed
Vendor Analyses:
Vendor Master Check
Valid Vendor Analysis
Vendors with PO Box Addresses
Duplicate Vendor Analysis
One Time Vendor
Invoice Analyses:
Duplicate Invoices
Payment Date vs. Invoice Date Analysis
Benford Analysis
Disbursement Analyses:
Payments to Vendors not in Vendor Master or Unauthorized/Restricted
Payee Name / Vendor Name Mismatch
Duplicate Disbursements

46. Project Snapshot Analytics - VENDOR MASTER CHECK
Accounts Payable – Continued….
Analytics - VENDOR MASTER CHECK
Dennis

47. Project Snapshot Analytics – Duplicate Vendors
Accounts Payable – Continued….
Analytics – Duplicate Vendors

48. Project Snapshot Analytics – PAYMENT DATE VS. INVOICE DATE
Accounts Payable – Continued….
Analytics – PAYMENT DATE VS. INVOICE DATE

49. Project Snapshot Analytics – DUPLICATE DISBURSEMENTS
Accounts Payable – Continued….
Analytics – DUPLICATE DISBURSEMENTS

50. Project Snapshot Expense Report – List of Analytics performed
Line items flagged as “Policy Violation”
Expense booked in advance of the actual expense date.
Flight within US above $500
Hotels above $1000
Group Meals above $50
Duplicate Analysis 1 – Combination of Expense date, Expense line amount, Expense type, Employee name and Expense report number
Duplicate Analysis 2 – Combination of Expense date, Expense line amount, Expense type and Employee name
Missing Expense Receipt
Expense over Weekends
Expense over Holidays

51. Project Snapshot Analytics - Flight within US above $500
Expense Report – Continued….
Analytics - Flight within US above $500

52. Project Snapshot Analytics – Duplicate Line Items
Expense Report – Continued….
Analytics – Duplicate Line Items

53. Project Snapshot
Expense Report – Continued….
Analytics – Expenses booked in advance of the actual expense date

54. Project Snapshot FCPA Analytics– List of Analytics performed
Keyword search – Invoice line description
Keyword search – Expense line description
Payment Date vs. Invoice Date Analysis – Run as part of the AP Analytics

55. Project Snapshot Analytics – Keyword search – Expense line just
FCPA – Continued….
Analytics – Keyword search – Expense line just
Dennis

56. Final Assessment

57. Final Assessment
Continued….

58. Questions?

59. BREAK
09:50 – 10:10

60. Enterprise Risk Management and Impact to Your Audit Plan
10:10 – 11:30
CAE Panel Discussion
led by Shawn Kirshner (Accretive Solutions)

61. Panel Members Janet Chapman Cindy Overmyer Thierry Dessange Pat Sammon
General Auditor, Union Bank
Cindy Overmyer
SVP, Internal Audit Services, Kaiser Permanente
Thierry Dessange
Director, IT Audit, Safeway
Pat Sammon
Head of Audit & Advisory Services, Autodesk
Kathy Guthormsen
Director of Risk Management, Autodesk

62. Risks in Social Media Social media usage and risks
11:30 – 12:20
Willis Kao, (Deloitte)
Anna Tchernina (Deloitte)

63. Speaking with you today
Willis Kao, Senior Manager
San Jose
Anna Tchernina, Senior Manager
San Francisco

64. Agenda Welcome to the world of social business
Social media risks deep dive
Social media governance and risk management
Lessons learned from audits
Questions

65. Social Media Revolution Video http://www. youtube. com/watch

66. Welcome to the World of Social Business

67. Welcome to the world of social business!
People matter most
Transparent markets
Real-time expectations
Pervasive, mobile, cloud computing
Big data and invaluable analytics
Connected customers & ecosystem
Cross-boundary collaboration
6767

68. Are you smarter than a 5th Grader?
Do you use (personally) Facebook? LinkedIn? Twitter?
Does your Company use - Facebook? LinkedIn? Twitter?
Does your Company have a Social Media Policy?
Are your employees allowed to use Social Media?
6868

69. Social Media Includes
Wikis, Social Networks, Blogs, Presence & Microblogging, Online Sharing of Videos & Media, and Social Bookmarking & Tagging. 69

70. Social Media Defined
Social media is an umbrella term for a host of sites and technology that facilitate social interaction, sharing, and creation of user-generated content, and aggregation of users’ opinions and recommendations. Common forms of social media
Social media
Description
Popular examples
Wikis
A page or site designed to enable collaborative contribution and modification of content by users
Blogs
Short for web log; frequent online publications with commentary on current events, subjects, or one’s personal thoughts
Social networking
Site focused on building online communities, establishing connections, and providing avenues for social interaction
Presence and Microblogging
Brief real-time updates of personal commentary, news, or status (aka “Tweets”)
Online photo and video sharing
Media-centric online communities that facilitate the viewing, sharing, and “tagging,” or classification, of media content
Online forums and/review sites
Websites/Tools that allow users to search for peer reviews or advice on a product or service, as well as to contribute their own ratings and comments
7070

71. Social media benefits Social media challenges1 1
Generate
Prospects and Leads
(Sales)
Decrease time to market for new products
Increase marketing effectiveness
Develop new revenue opportunities
Leverage “interest” based marketing & advertising
Loss of Control
The voice of the customer is amplified
Companies no longer control the message or topic
Messages might include negative publicity 2 2
Decrease Costs
Decrease R&D costs for new products by listening to your customers (and prospects)
Focus on inexpensive social media tools instead of using the traditional expensive marketing channels
Decrease customer support costs
Inconsistent message
When engaging several employees in the social media world, their messages and responses may not always be consistent and aligned with the strategy of the company 3 3
Increase Loyalty
Increase customer insights and intelligence (“Voice of Customer”)
Improve customer experience responsiveness
Improve customer education, expertise and service
Direct contact with the customer instead of indirect through the retail channels
Confidential Information
The use of social media sites enables users to circumvent company controls, opening up the potential to violate communication policies
Education and training for employees is a key component to managing loss of information 4 4
Manage
Brand Reputation
Increase brand awareness through social media
Protect brand and manage reputation
Benefit from spontaneous reactions from the community by connecting like-minded peers
Productivity loss
Social media drives collaboration among co-workers but can also be a major distraction in the work place

72. Key departments affected
Advertising departments
Sales and Marketing staff
Compliance professionals
Internal Audit
Risk Management
Legal departments
Operations and IT staff
Recruiting/HR
Customer service
Senior Management 72

73. Social media risks – deep dive

74. Social Media Risk Landscape
Social Media usage presents behavioral, application and technology related risks. The risk landscape is vast and continuously evolving
Anticipated Risks
Legal & regulatory compliance
Disclosure of confidential information
Violation of copyright laws
Protection of intellectual property rights
Legal and financial ramifications for non-compliance with industry regulations
Security & Privacy
Identity theft, Social engineering
Ability to retain and log social media communication; data retention
Technical exploits: Malware, Viruses/Worms, Flash Vulnerabilities, XML injection
Brand and reputation damage
Posting unfavorable or confidential information on a public site
Unclear behavioral expectation of end users to use social media
Defamation, Copyright infringement
Productivity loss
Use of social media can be a distraction i.e. employees accessing non-work related social media sites
Acceptable use of social media 74

75. Social Media Risk Deep Dive
Malware and viruses
Data leakage/theft
“Owned” systems (zombies)
System downtime
Resources required to clean systems
Brand hijacking
Customer backlash/adverse legal actions
Exposure of customer information
Reputational damage
Targeted phishing attacks on customers or employees
Lack of control over content
Enterprise’s loss of control/legal rights of information posted to the
social media sites
Customer service dissatisfaction
Customer dissatisfaction with the responsiveness received in this arena, leading to potential reputational damage for the enterprise and customer retention issues. 75

76. Social Media Risk Deep Dive – Continued
Record retention non-compliance
Regulatory sanctions and fines
Adverse legal actions
Other threats and vulnerabilities….
Use of personal accounts to communicate work-related information
Employee posting of pictures or information that link them to the enterprise
Excessive employee use of social media in the workplace
Employee access to social media via enterprise-supplied mobile
devices 76

77. Social media governance and risk management

78. Social Media Governance and Risk Management
Strategy:
Review the social media strategy, program goals, and organization model and assess whether these have been formalized and communicated to all relevant teams.
Evaluate the alignment of the strategy with company goals.
Policy:
Review the social media policy and confirm that elements related to disclosure, ethics, community and privacy are included.
Identify gaps and test awareness of the policy.
Roadmap:
Assess the adequacy of the social media roadmap, including whether it is global, or localized and whether short-term and long-term program milestones have been defined.
Team Structure:
Assess whether the roles of key owners and stakeholders in the social media program have been defined and clearly communicated (e.g. executive sponsorship, communications / PR, employees, Legal, IT, etc).

79. Preparedness and Response
Customer Profiles and Market Analyses:
Review customer profile and market analyses and evaluate whether all products are covered, the appropriate target customers have been identified, including the desired relationship and engagement model.
Tools and Analytics:
Understand how customer interactions via social media are integrated with existing systems and databases.
Assess whether formal alerting tools have been implemented to identify key topics, comments, commentators, and sentiment from website activity.
Evaluate KPIs and metrics against best practices and alignment of metrics with the social media strategy.
Processes:
Test the policies and procedures that have been implemented to ensure that messaging is consistent with the social media strategy / plan
Review and test policies, processes and procedures used for triage, crisis response, intake and response to customer insights.
Understand how customer insights are monitored, tracked, and shared with relevant teams (product marketing, R&D, Support, etc) for resolution.

80. Training and Education / Compliance
Evaluate the types of training programs implemented to share best practices and rules of the road within the social media team
Understand how social media best practices are shared cross functionally with other functions in the organization, such as recruiting, sales, product, etc.
Monitoring and Compliance:
Understand whether compliance with the social media policy is monitored both internally and externally
Perform procedures to test compliance with the social media policy internally and externally

81. Lessons Learned from Recent Audits
Crisis Management Plan
Monitoring processes
Bloggers disclosers
Data leakage protection

82. Bottom line It is here and it’s not going away
There may be substantial business benefits with using social media to achieve business objectives
As with any opportunity there is risk 82

83. Questions?

84. GOURMET LUNCH
12:20 – 13:20

85. Fraud Risk Management: The Things You Need To Know
1:20 – 2:10
Paul Ritchie, Deloitte

86. Agenda What is Fraud and Why is it an Important Concern?
The Profile of a Fraudster
Fraud Risk Assessment, Schemes and Red Flags
Responding to Indicators of Fraud

87. What is Fraud and Why is it an Important Concern?

88. What is Fraud? As defined by the Institute of Internal Auditors:
“Any illegal acts characterized by deceit, concealment or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by parties and organizations to obtain money, property or services; to avoid payment or loss of services; or to secure personal or business advantage.”

89. Types of Fraud
Internal: illegal acts of employees, managers and executives against the company
External: illegal acts of outsiders (non-employees) against a company
The activity:
Is clandestine
Violates the perpetrator’s fiduciary duties to the victim organization
Is committed for the purpose of direct or indirect financial benefit to the perpetrator
Costs the employing organization assets, revenue or reserves

90. Occupational Frauds by Category - Frequency
• Asset misappropriation schemes, in which an
employee steals or misuses the organization’s
resources (e.g., theft of company cash, false
billing schemes or inflated expense reports)
• Corruption schemes, in which an employee
misuses his or her influence in a business transaction in a way that violates his or her duty to the
employer in order to gain a direct or indirect
benefit (e.g., schemes involving bribery or
conflicts of interest)
• Financial statement fraud schemes, in which an
employee intentionally causes a misstatement or
omission of material information in the organization’s financial reports (e.g., recording fictitious
revenues, understating reported expenses or
artificially inflating reported assets)
Source: ACFE 2012 Report to the Nation on Occupational Fraud and Abuse.

91. Occupational Frauds by Category – Median Loss
Source: ACFE 2012 Report to the Nation on Occupational Fraud and Abuse.

92. Fraud Across Industries
Source: ACFE 2012 Report to the Nation on Occupational Fraud and Abuse.

93. Corruption Across Industries
Source: ACFE 2012 Report to the Nation on Occupational Fraud and Abuse.

94. Initial Detection of Occupational Frauds
Source: ACFE 2012 Report to the Nation on Occupational Fraud and Abuse.

95. Why Do Companies Need to Manage Fraud Risk?
Legal duty of care to shareholders
Statutory/regulatory requirements (SOX, SEC, FCPA, and Federal Sentencing Guidelines)
Direct financial impact to the organization
Indirect costs to the organization

96. XYZ Company Profit margin = 10%
Economics of Fraud
A $250,000 fraud loss . . .
500,000
1,000,000
1,500,000
2,000,000
2,500,000
Fraud Loss
Revenue
. . . will require an additional $2.5 million in revenue to maintain net income levels
XYZ Company Profit margin = 10%

97. The Profile of a Fraudster

98. The Fraudster – Which Department?
Statistics from the 2012 ACFE Report to the Nation on Fraud

99. The Fraudster – How Old?
Statistics from the 2012 ACFE Report to the Nation on Fraud

100. Typical Fraudster – On the Surface
Long-time employee
Position of trust
Appears to be extremely dedicated
Unexplained cash or other wealth
Always willing to help out and put in extra hours

101. Typical Fraudster – Beneath the Surface
Gambler
Drug or alcohol problem
Behavioral changes
Extramarital affairs
Hostility to management
General disenchantment with compensation

102. The Fraudster – Educational Background
Statistics from the 2012 ACFE Report to the Nation on Fraud

103. The Fraudster – Effects of Tenure
Direct correlation between length of time employed and size of fraud losses
Employees with 10 or more years of tenure caused median fraud losses of $229,000
Employees with less than one year of tenure caused median fraud losses of $25,000
Statistics from the 2012 ACFE Report to the Nation on Fraud

104. The Fraudster – Effects Of Gender
Male perpetrators accounted for 65% of cases with median fraud losses of $200,000
Female perpetrators accounted for 35% of cases with median fraud losses of $91,000
Statistics from the 2012 ACFE Report to the Nation on Fraud

105. The “10-80-10” Rule 80% of the Population:
Might engage in illegal conduct.
10% of the Population: Deviants and always on the lookout to cheat, steal, etc. (regardless of profession).
10% of the Population:
Would never engage in illegal conduct.
You have all no doubt heard of the fraud triangle -

106. Attaching false time frames. Taking advantage of perceived fears.
The Fraudster – How do they Attempt to Fool, Distract and Undermine an Auditor?
Overloading.
Attaching false time frames.
Taking advantage of perceived fears.
Killing time with trivia.
Exploiting expected scopes.
Exploiting historically low-risk areas.
Exploiting complex areas.
Predicting cycle audits.
Stalling.
Making staff unavailable.
Filtering of information.
Not updating procedures.
Discrediting the auditor.
Statistics from the 2012 ACFE Report to the Nation on Fraud

107. How to Address Maintain an attitude of professional skepticism
Investigate what does not make sense
If it seems to good to be true, it usually is – trust your instincts
Beware of trust over reason
Avoid placing faith in other people’s faith
Verify and corroborate
Good interviewing and observation skills are key
Look for signs of deceptive behavior
Do not ignore information or data
Reconciliations – so bad

108. Fraud Risk Assessment, Schemes and Red Flags

109. Internal Audit Plan The plan should be: Dynamic/Flexible.
Comprehensive/Complete.
It integrates fraud risk assessment, appropriate cycle rotations, and management insight.
It directs resources to areas with highest risk.
Reconciliations -

110. Fraud Risk Assessment Approach
2. Identify Possible Fraud Schemes and Scenarios
1. Evaluate Fraud Risk Factors
4. Evaluate Fraud Risk Assessment Results and Prioritize Residual Fraud Risks
3. Analyze Fraud Risks and Schemes and Evaluate Mitigating Controls
Reconciliations -

111. Design Tests to Identify Fraud
Reconciliations -
Color By Numbers Approach
Creativity and Thought Approach

112. What Are The Hallmarks Of An Effective FRA?
Is systematic and recurring.
Is dynamic and is updated when new or unique circumstances arise (e.g., changed operating environments, restructurings, acquisitions), at least annually.
Is performed with the involvement of appropriate personnel.
Considers possible internal and external fraud schemes and scenarios.
Considers management override (e.g., journal entries, bias of estimates, non-routine transactions).
Assesses risk at organization-wide, significant business unit, and significant account levels.
Consider historical fraud or industry fraud risks.
Results are monitored by the Audit Committee/Board.
Reconciliations -

113. Indicators in Practical Use
Where is the potential for fraud (according to interview results and survey responses)
Areas where fraud has been detected
Manual and complex processes.
Timing to register transactions
Process involving cash management
Unclear – who reviews and who approves
Lack of controls – or knowledge of procedures
Reconciliations -

114. Valuable Soft Skills for an Internal Auditor
Think like a fraudster.
Facilitate a control self assessment.
Use information gathering techniques.
Communicate and build rapport.
All segments of an audit are connected.
Use an unpredictable and flexible audit approach.
Perform and understand data analytics.
Don’t lead the interviewee.
Pay attention to the details.
Reconciliations -

115. Attention to Details
Reconciliations -

116. Interviewing Techniques – Detecting Deceptive Behavior
Deceptive behaviors
Verbal or Non-Verbal
Remember:
Disregard isolated and/or individual behaviors

117. Deceptive Behaviors – Non-verbal
Wiping Sweat
Hand Wringing
Fleeing Position
Adjusting Attire
Biting Lip
Scratching
Covering Eyes
and Face
Crossing
the Arms
Reconciliations -

118. Deceptive Behaviors – Verbal
Changing Speech Patterns
Repeating Questions
Selective Memory
Making Excuses
Repetition of Oaths
Answering with a Question
Character Testimony
Overuse of Respect
Reconciliations -

119. Responding to Indicators of Fraud

120. Internal Auditor Proficiency Standard
Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
Source: The Institute of Internal Auditors International Standards for the Professional Practice of Internal Auditing (

121. When Does an Internal Audit Become a Fraud Investigation?
Expand sample, expand scope, or perform additional procedures. Look for additional instances or patterns.
Ask additional questions framed in the context of the internal audit (e.g., how could a situation like this occur?).
Maintain copies of documents and data files that support the red flags and symptoms of fraud.
When possible, maintain originals of documents.
Any indication of potential perpetrators?
Cease audit work if there appears to be a predication for suspecting fraud.

122. Forensic Accounting vs. Financial Audit
Forensic Investigation
Audit
Mindset
All cases may end in litigation
Professional Skepticism
Frequency
Non-recurring; random
Recurring; scheduled
Approach
No management planning session
Limited notification
Meet with management to plan and scope the audit
Relationship
Potentially adversarial
Professional skepticism
Scope
Document examination of particular issue;
Review of outside data, interviews of potential persons of interest.
Analysis of financial statements and/or other financial data;
Interviews with management.
Work Programs
Programs developed and amended as needed
Audit programs
“Employer”
Client’s Attorney, In-House Counsel, Special Committee
Audit Committee/Client Management
Objective
Identify responsible parties;
Quantify damages
Issue an opinion on the client’s financial statements and related disclosures
Report Audience
Report is presented to counsel
Opinions used by Board of Directors/Audit Committee/Shareholders/Public

123. Benefits of a Fraud Response Plan
Standardized response.
Consistent approach.
Clarified roles and responsibilities.
Internal and external reporting responsibilities.
Process for consensus and agreement.

124. Contact Details Paul Ritchie Senior Manager, Deloitte Forensic
Deloitte Financial Advisory Services LLP
Tel

125. Top Ten Emerging IT Audit Issues
2:10 – 3:00pm
Michael Juergens
Deloitte & Touche LLP

126. Overview
IT controls continue to increase in importance to organizations
Corporate reliance on technology increases
Compliance requirements increase
Deficiencies in IT controls can have a significant impact on the organization

127. IT Audits
Where We Need To Be
Where We Have Been

128. Top 10 IT audit issues By no means a comprehensive list
Will vary by environment
May be greater/lesser risk depending on industry, technology, business processes etc.
This list is based on what we see in the marketplace
Designed to get you thinking about your environments and if currently scheduled IT audit procedures will evaluate these risks
List is in no particular order

129. 1. Omnichannel Commerce Issue
Traditional “bricks and mortar” channels are merging with e-commerce channels to create a single integrated approach to sales.
Risk
Failure to evolve could impact long term enterprise viability
Will change sales approach and systems
Large integration and master data concerns
Recommendation
Understand current and planned changes to sales channels. Determine impact on systems, specific transactions processed, accounts impacted, and master data. Evaluate risk and then plan and execute audit procedures accordingly.

130. 2. Cyber Security Reporting
Issue
As of October 2011, the SEC now requires public companies to disclose the risk of cyber incidents as part of Management’s Discussion and Analysis if "these issues are among the most significant factors that make an investment in the company speculative or risky."
Risk
Failure to comply with SEC reporting requirements
Exposure to potential shareholder litigation if requirement not met
Audit Committee exposure
Recommendation
Challenge is that the reporting requirement lacks specificity. Organizations must determine what to report, if anything. Therefore, organizations must have a process for identifying exposures, evaluating impact, and then reporting and disclosing appropriately. IT audit should perform an assessment of this process to determine if it exists, and how comprehensive it is. Additional steps should be taken to evaluate how effective the process is.

131. 3. Software Asset Management
Issue
Software licensing contracts are complicated, and software lifecycles are complex. Economic downturn has caused software vendors to aggressively pursue licensing audits.
Risk
Potential significant financial liabilities in case of an audit
Loss of potential savings
Failure to “sunset” unused applications
Recommendation
Perform a software asset management (SAM) audit. Consider use of International Organization for Standardization (ISO) and Information Technology Information Library (ITIL) SAM standards. Audit should include evaluating the process for SAM, review of contracts and software license baselines, and analysis of non-essential software and patch deployment.

132. 4. Payment Processing Issue
Emerging methods of payment processing (ISIS, GoogleWallet, PayPal).
Risk
Failure to adopt impacts potential revenue
Impact on revenue cycle processes, systems and controls
Recommendation
Determine what changes are planned or underway to adopting new payment processing technologies. Determine impact on financial systems and processes (e.g. sales audit). Evaluate integration management. Identify new security and controls considerations and execute audit steps accordingly.

133. 5. Hyper-Hybrid Cloud Issue
Adoption of heterogeneous cloud solutions creates significant issues with management and integration of processes and data, as well as leads to the need for deployment of additional management solutions.
Risk
Master data proliferation and management
Disparate cloud solutions impact business processes
Security management becomes much more complex e.g. Security Assertion Markup Language (SAML), OpenID
Need for effective service lifecycle management increases
Recommendation
Understand current and planned cloud services grid, and specific business control points, integration and workflow. Understand security management strategy, and deployment of new technologies/standards. Determine process and data risk and identify/test controls. Evaluate Service Organization Control (SOC) reports for vendors.

134. 6. Data Lifecycle Management (DLM)
Issue
2011 saw the emergence of new regulations and legislation for records management and data retention. Regulators have significantly increased their scrutiny of the data lifecycle space.
Risk
Large potential financial penalties for non-compliance
Impact on brand
Impact on customers and vendors
Recommendation
Gain an understanding of how DLM is operationalized throughout the organization, DLM awareness levels and how DLM compliance is achieved. Evaluate the organization’s DLM capability maturity and identify compliance gaps related to the DLM governance structure, policies, processes and procedures

135. 7. End User Computing (EUC)
Issue
Significant increase in evaluation of spreadsheets and other end user computing solutions by auditors and regulators. Additional regulations promulgated (e.g. Solvency II). Uncontrolled EUCs still impacting financial statements and business operations.
Risk
Loss of critical data
Potentially inaccurate financial or management reporting
Exposure to regulatory sanctions or fines
Recommendation
Perform an extensive EUC audit. Evaluate criteria such as criticality determination, governance model, and use of technical accelerators. Audits should also evaluate programming structure. A policy-based audit and/or access based audit is likely insufficient.

136. 8. IT Governance
Issue
IT Governance continues to play a large role in aligning the proliferation and use of technology with organizational objectives. Also, Institute of Internal Auditors (IIA) Standard 2210.A2 states: “The internal audit activity must assess whether the information technology governance of the organization sustains and supports the organization’s strategies and objectives.
Risk
Noncompliance with IIA standards
Potential misalignment of IT resources with organization strategy
Recommendation
Assess capabilities across IT governance capabilities: Strategic Alignment, Risk Management, Value Delivery, Performance Management and Resource Management. Establish a baseline of understanding regarding current capabilities and maturity level of IT governance processes.

137. 9. Digital Identity Issue
Deployment of emerging technologies and unification of internal/external systems creates significant identity sprawl, and difficulties managing across platforms, applications and networks. To be efficient and compliant, federated identities are emerging. Our IT access audits and analysis are becoming more reliant on review-based controls.
Risk
Unauthorized access to data or transactions
Regulatory fines or litigation
Brand impact
Recommendation
Understand corporate security perspective on identity management. Inventory systems, devices and technologies currently deployed or planned (consider external sources as well). Evaluate strategy and technical solutions for managing digital identity. Perform a detailed audit of critical technologies and controls.

138. 10. Product Duplication Issue
Proliferation of cheap 3D printing technology makes it possible to easily duplicate certain consumer products
Risk
Loss of sales, market share
Impact on brand
Recommendation
Understand current product mix; identify products susceptible to duplication (small, higher value items are typical). Understand security and controls around schematics. Peruse pirate sites to identify proliferation of schematics. Consult with loss prevention teams to understand approach to managing remote duplication.

139. Summary
Need to understand which items may be relevant in your business and technical environment
Ensure that risk assessment and audit universe address relevant items
Don’t walk the plank alone – communicate with management and the audit committee
Plan resource requirements
Be careful not to underestimate

140. Questions

141. Contact information
Michael Juergens
Principal, Deloitte & Touche LLP
juergens/2/221/988

142. This presentation contains general information only and Deloitte & Touche LLP is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

143. BREAK
2:40 – 3:00

144. Soft Skills Training Understanding your Auditee – Key Lessons on Effective Communication
3:20 – 4:40
Group Setting
Howie Cumme, URS
Ed Byers, Deloitte
Farhan Zahid, Deloitte

145. Agenda for Session Agenda and Introduction First Impressions
Building Trust
Personality Analysis – DISC Profiles
Getting The Truth
Navigating Politics
Wrapping Up

146. Intro and Background Interactive Session
Better understanding of yourself and human interactions
Building attraction and trust
Adapting to the situation
Challenging situations – tips and tricks

147. Ultimate Auditing Technique

148. First Impressions How many seconds to form a first impression?
1/10th of second, 7 seconds, 12 seconds
All the correlations between judgments made after a 1/10-second glimpse and judgments made without time constraints were high, but of all the traits, trustworthiness was the one with the highest correlation.

149. How the Mind Works Neomammalian Paleomammalian Reptilian Emotional
Logical
Complex,
Certain
Emotional
Attachment,
Uncertainty
Primal
Health/Status
Neomammalian
Paleomammalian
Reptilian

150. First Impressions
You need to cater to the brain in the order it evolved Primal, Emotional and then Logical
Health and Appearance - Primal
Behavior and Body Language - Primal
Warmth and Introductions – Emotional
Personality, Professionalism and Preparation - Logical

151. Personality Analysis – Intro to DISC
Key to effective communication is to understand the style or method of communication desired by the auditee
The auditee’s behavior style is key!
Ineffective communication typically results when an auditor communicates in THEIR style vs. the AUDITEES desired style

152. DISC Profile
The DISC profile is a simple tool to understand your behavior style and how to best work with others (e.g. SPOUSE!)
No behavior style is right/wrong – the key is to understand how to communicate effectively with others

153. Steps to filling out the DISC Profile
Select a word that MOST describes you and a word that LEAST describes you
Put an M/L next to the word – DO NOT put a big “X” for example in the MOST/LEAST column
Use a coin to gently rub the rectangle after the word in the MOST/LEAST columns
Tally up the results in the tally box on page 5
Fill out graphs I, II, and III

154. Understanding the DISC Profile
Each style has its strengths, weaknesses, and needs – a weakness is an “overextension” of a style’s strength
There are typically key success factors in communicating to different styles
Understanding how to “match styles” is important – “evolve” if necessary
Good questions to ask different styles
Note: refer to handouts which overviews these four areas

155. DISC Discussion Points
How do you communicate if you are presenting to two different styles (e.g. D & C)
Do not assume that all executives are “D’s” and all auditors are “C’s”
How can you assess a person’s behavior style by looking at their office (or other factors)
What have you learnt about yourself?
Key potential next steps

156. Building Trust Friendliness/Rapport Flow of Conversation – Comfort
Warmth
Connection
Assertiveness
Flow of Conversation – Comfort
Professionalism and preparedness
Reassurance/Implications

157. Getting The Truth Fear of the consequences
Focus on what you need to know
Professional reassurance – rationalism, unbiased
How to know if you are always getting the truth?
Sweaty palms?
Hesitation?
Avoidance of eye contact?

158. Lies
Tough to tell the difference between lies and an honest person under stress
Indicators of lying:
Level of detail being provided
Tone of voice, unusual body language
Inconsistency when changing viewpoints
Concealment of anger, distress or fear
Lifting just the inner part of the eyebrow (Distress>85%)
Eyebrows raised and pulled together (Fear)
Narrowed, tightened lips or lopsided smile (Anger)
No absolute clues to lying, only indicators.

159. Navigating Politics Is it always possible?
Internal and external politics affecting the meeting
Pressures in the room. Possibility of one on one time?
Ask questions again when necessary to each individual

160. Wrapping Up “Leave the door open” Follow up within 24 hours
Be genuine and smile
Finish with something memorable and relaxed

161. Wrapping Up

162. Seminar Wrap Up and Thanks

163. November 30th 2012, San Francisco
SF IIA Fall Seminar Internal Audit's Role in the Changing Business Landscape
November 30th 2012, San Francisco