Developing a Forensic Continuous Audit Model, Grover S. Kearns, PhD, CPA, CFE, University of South Florida St. Petersburg

1 Developing a Forensic Continuous Audit Model Grover S. Kearns, PhD, CPA, CFE University of South Florida St. Petersburg 1

2 Motivation Organizations are under pressure to proactively recognize and react to potential fraud in a comprehensive and cost-efficient manner. 2

3 Background Excesses of past two decades and increase in financial statement fraud. Increased laws and regulation. Need to improve ‘tone at the top.’ Inability to provide results using traditional audit approaches. Increasing costs of IT security and forensic methods. 3

4 Corporate Fraud 4

5 Increased Laws & Regs Sarbanes Oxley Act of 2002 (SOX): Sec 404 – system of internal controls; Sec 409 – acceleration of SEC filings. PCAOB Statements. SAS 99. COSO & COBIT Frameworks. These have led to increased costs, increased pressures on management and on auditors. 5

6 PCAOB Audit Standard 5 “An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements.” Increases reliance on internal audit departments as evidence external auditors can use in order to reduce duplication of efforts and lower audit costs. Continuous auditing tools are capable of monitoring internal controls for SOX compliance reporting. 6

7 Technology and the Accountant SOX and SAS 99 encourage management and external auditors to employ technological approaches and embedded audit modules to audit financial transactions and internal controls. SOX Section 409 accelerates the SEC filings for Form 10-Q and annual report Form 10-K. The FTC’s red flag rules, effective December 31, 2010 for financial institutions and certain other firms under FTC jurisdiction including CPA firms, require companies to check for and report specific violations. 7

8 Tone at the Top Executive management sets tone. Organizational tone is most important to internal control. Committee of Sponsoring Organizations (COSO); Control Objectives for IT (COBIT). Lack of ‘tone’ can imply lack of controls. 8

9 Internal Controls PCAOB Auditing Statement 2, An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, states that it is management’s responsibility to design and implement a program of controls to prevent, detect and deter fraud. 9

10 Traditional Audit Approach Tests of transactions when limited to small sample sets may not be representative and cannot be expected to detect a large percent of errors or fraudulent activities. Given the increased transaction processing for most firms and increased regulatory pressures, the traditional approaches appear inadequate and require increased substantive testing. 10

11 Q. Why did the Auditor cross the road? A. Because according to the Audit File, that’s what he did 3 years ago! 11

12 Traditional Audit Approach Ineffective for Fraud Internal and external audits combined only responsible for uncovering 19% of fraud (ACFE 2010 Report to the Nations). Audits are isolated events that examine a small part of all transactions. Auditors lack technical skills. 12

13 Solution Use forensics in a proactive manner to continuously and methodically examine a significant number of transactions in a cost-efficient manner in order to flag incidents of error, misuse, and fraud. To do so we use a modified continuous forensics auditing approach. 13

14 Continuous Audit Defined “A continuous audit is a methodology that enables independent auditors to provide written assurance on a subject matter, for which an entity’s management is responsible, using a series of auditors’ reports issued virtually simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter.” CICA/AICPA Research Study on Continuous Auditing, 1999. 14

15 Forensic Accounting Forensic accounting offers the highest level of assurance, is suitable for legal review, and arrives at conclusions in a scientific fashion. (Crumbley) As a result of new regulatory requirements for compliance and emphasis on IT governance, auditors with forensic IT skills have been in increased demand. (Hoffman, 2004) 15

16 Forensic Continuous Audit Timing Judicious application of the cost/benefit rule based upon the likelihood and severity of the risk. Performing analytical procedures on a routine basis reduces cost of external auditors and time on-site. 16

17 Embedded Audit Modules EAMs depend upon audit-specific software that resides in the targeted application (Alles, 2002). An EAM allows auditors to determine which transactions are to be tested and at what frequency. Results are collected and reported in real time (Groomer and Murthy, 1989). Companies often do not activate the EAM because of the significant resource requirements, which can slow overall processing dramatically (Kuhn and Sutton, 2010; Debreceny et al., 2005). 17

18 Embedded Audit Module (Cont) As the selected transaction is being processed by the host application, a copy of the transaction is stored in an audit file for subsequent review. The EAM approach allows selected transactions to be captured throughout the audit period, or at any time during the period, thus significantly reducing the amount of work the auditor must do to identify significant transactions for substantive testing. 18

19 Continuous Fraud Auditing System (diagram; labels: Production Server; Target Application; Audit Server; Ghosted Application; Fraud Audit Application (Embedded Audit Module); Fraud Audit Tests; Business Transactions; Selected Transactions; Exception Handling; Refinements & Modifications; Control Reports; Alarms; Management; Audit Committee; Internal Auditors; External Auditors) 19

20 Exception Handling CA performs a large number of tests over a much higher percentage of transactions and can reduce reliance upon analytical procedures (Alles et al., 2008). It will also result in a large number of selected transactions that have failed the audit tests. Exception handling of selected transactions is key to the effectiveness of the fraud audit system. 20

21 Impact of a Continuous Forensic Audit System (diagram; labels: Continuous Forensic Auditing; Exception Handling; Forensic Evaluation; Refinement of Rules; Decreased Governance Costs; Heightened Internal Controls; Decreased Risk of Fraudulent Transactions) 21

22 Things that won’t stay in Vegas 22

23 Irrational Ratios Ratios that signify an inconsistent relationship or outlier that requires investigation. Can be based on relationships, trends, deviations from standards. Must be fine-tuned to prevent too many false positives. Should reflect audit objectives. 23

24 Irrational Ratios (cont.) Days Sales in Receivables: Accounts Receivable_{t-1} / Sales_{t-1}. Gross Margin Index: (Sales_{t-1} - COGS_{t-1}) / Sales_{t-1}. Sales Growth Index: Sales_t / Sales_{t-1}. Accruals to Assets Index: [Changes: (Working Capital - Cash - Current Taxes Payable) - Depr. & Amortiz.] / Total Assets. Adapted from Grove and Cook, 2004. 24

28 Data Analysis using Forensic Continuous Audit Model Risk Assessment – examination of key performance metrics and risk indicators to determine if the risk profile of a particular function has changed. For a finance function you might look at the following: cash balance compared to plan and prior period; cash transactions that exceed authority limit; significant differences identified between planned and actual taxes; significant unexplained financial fluctuations. 28

29 Data Analysis using Forensic Continuous Audit Model Fraud detection – examine data for potential fraud indicators: Vendor/Employee/Agent address comparison; Vendor SSN/EIN validation; Employee name/Payee comparison; Benford analysis (expected frequency); Ratio analysis; Supplemental payments under authority. 29

30 Data Analysis using Forensic Continuous Audit Model Control evaluation – tests of specific controls to determine if they are working as intended: access control to a particular system; payments exceeding authority limits; appropriate approvals of transactions; review of entries that may indicate a management override of controls. Recovery opportunities: duplicate payments; travel expense irregularities. 30
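
Three of the tests listed on slides 29 and 30, as an added example that is not part of the original presentation: Benford first-digit deviation, duplicate payments, and payments over or clustered just under an authority limit. The payment records, the 5,000 limit and the 5% band are constructed assumptions.

```python
from collections import Counter, defaultdict
import math

# Constructed sample data: (payment_id, vendor, invoice_no, amount)
PAYMENTS = [
    ("P001", "Acme Supply", "INV-1001", 1250.00),
    ("P002", "Acme Supply", "INV-1002", 4950.00),
    ("P003", "Acme Supply", "INV-1003", 4900.00),
    ("P004", "Bolt & Co", "INV-77", 312.40),
    ("P005", "bolt & co ", "inv-77", 312.40),
    ("P006", "Cedar LLC", "C-9", 4990.00),
    ("P007", "Delta Freight", "D-14", 18200.00),
    ("P008", "Delta Freight", "D-15", 1730.55),
]
AUTHORITY_LIMIT = 5000.00  # assumed approval limit, not from the slides

def _key(text):
    """Normalize vendor/invoice strings so case and spacing do not hide matches."""
    return " ".join(text.upper().split())

def benford_deviation(amounts):
    """Observed minus expected share of each leading digit 1-9 (Benford's Law)."""
    digits = [int(f"{abs(a):.10e}"[0]) for a in amounts if a]
    if not digits:
        return {}
    seen = Counter(digits)
    return {d: seen[d] / len(digits) - math.log10(1 + 1 / d) for d in range(1, 10)}

def duplicate_payments(payments):
    """Payment ids that share vendor, invoice number and amount."""
    groups = defaultdict(list)
    for pid, vendor, invoice, amount in payments:
        groups[(_key(vendor), _key(invoice), round(amount, 2))].append(pid)
    return [ids for ids in groups.values() if len(ids) > 1]

def authority_exceptions(payments, limit, band=0.05):
    """Payments over the limit, and vendors with 2+ payments at or just under it."""
    over, near = [], defaultdict(list)
    for pid, vendor, _, amount in payments:
        if amount > limit:
            over.append(pid)
        elif amount >= limit * (1 - band):
            near[_key(vendor)].append(pid)
    return over, {v: ids for v, ids in near.items() if len(ids) > 1}

if __name__ == "__main__":
    dev = benford_deviation([p[3] for p in PAYMENTS])
    print("Benford deviation:", {d: round(x, 3) for d, x in dev.items()})
    print("Duplicates:", duplicate_payments(PAYMENTS))
    print("Authority:", authority_exceptions(PAYMENTS, AUTHORITY_LIMIT))
```

With only eight constructed records the Benford figures illustrate the calculation only; the test is meaningful on large transaction populations.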

31 Where No Data Has Gone Before 31

32 Technology and the Accountant Traditional audit approaches and sampling methods cannot be expected to uncover the majority of transactional errors or occupational fraud (Wells, 2011; Oringel and Aldhizer, 2009). Technology offers opportunities to detect and deter fraud more efficiently and effectively. SAS 99, Consideration of Fraud in a Financial Statement Audit, codifies many fraud detection procedures and encourages their use by auditors to detect client fraud risk and identify transactions to be tested. Technological skills, however, often exceed the competency of auditors, causing them to resort to less effective manual approaches. 32

33 PCAOB Audit Standard 2 “An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements.” CPAs will have to become more knowledgeable and competent concerning IT controls and IT auditing. Auditing “around” the computer is dead. Auditing “through” the computer requires technical skills. 33

34 CAATs Regulatory standards encourage the use of computer assisted audit tools (CAATs) for accessing and analyzing data files and suggest that risk assessment reflect the client IT standards (AICPA 2001, 2006). Research indicates only a minority of firms use CAATs for substantive testing because of their high level of complexity (Janvrin et al., 2009). CA can provide much of this testing and relieve auditors from the more complex tasks. 34

35 CAATs ACL and IDEA widely used. AKA Data Extraction Software – can import data with various file types. An important use is in performing substantive tests. Most audit testing occurs in the substantive-testing phase of the audit. Used to substantiate dollar amounts in account balances. 35

36 CAATs Functionality Importing and cleansing data; stratifying and classifying; statistical analysis; Benford’s Law analysis; duplicates and gaps; sampling; graphical analysis. 36

37 Substantive Tests Determining the correct value of inventory; determining the accuracy of prepayments and accruals; confirming accounts receivable with customers; searching for unrecorded liabilities. Examples: # shipments received = # P.O.s sent; inventory_t = (inventory - sales + purchases)_{t-1}. 37

38 Substantive Tests (Cont) In an IT environment, the records needed to perform these tests are stored in various databases. Before substantive tests can be performed, the data need to be extracted from the host system and presented to the auditor in a usable format. 38

39 Refinement of Audit Tests Based on results and back-testing: reduce transaction sets; increased attention on areas of interest; change granularity of formulas. Example: # shipments received = # P.O.s sent, to # shipments received_t = δ · # P.O.s sent_t + ε; # vouchers processed_t = δ · # shipments received_t. 39

40 Questions? Grover S. Kearns, PhD, CPA, CFE University of South Florida St. Petersburg Thank you for your attention! 40
