Your Work Group Name Here EDISON INTERNATIONAL Building the Future | Human Resources Audit...
-
Upload
ella-ramsey -
Category
Documents
-
view
213 -
download
0
Transcript of Your Work Group Name Here EDISON INTERNATIONAL Building the Future | Human Resources Audit...
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
Building a Successful Analytics Group
IIA Beach Cities Seminar
March 22, 2013
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
Objective
• How has the SCE Audit Services Department (ASD) built a data analytics group, where are we now, and where are we going? What processes do we have and what tools are we using.
• What do you want covered?
2
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
Agenda
• Introduction & what started it for us• Foundation• What we are doing and where are we
going• What tools are we using & what
training are we providing• References• Questions
3
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
Introduction ─ Company
4
Edison International
Southern California Edison (SCE) is one of the largest electric utilities in California, serving more than 14 million people in a 50,000 square-mile area of central, coastal and Southern California, excluding the City of Los Angeles and certain other cities. Based in Rosemead, California, the utility has been providing electric service in the region for more than 120 years. SCE's service territory includes more than 180 cities.
Edison International, through its subsidiaries, is a generator and distributor of electric power and an investor in infrastructure and energy assets, including renewable energy. Headquartered in Rosemead, California, Edison International is the parent company of Southern California Edison—a regulated electric utility—and Edison Mission Group, a competitive power generation business.
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
Introduction ─ Department
5
Audit Services
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
Introduction ─ ATG
6
Audit Technology Group
Larry Hanson
An IT Audit Manager at SCE and head of "Audit Technology Group." Fifteen years at SCE. Over thirty-six years of experience, primarily in Information Technology auditing and consulting in the utility, banking, insurance, and public accounting industries, including IT management and system implementation experience. Was a Senior Manager at Deloitte and Vice President & Audit Manager at First Interstate Bank of California, where I managed 5 programmers who supported the department in analytics and continuous auditing and also performed audits.
CTO & Past President & Director ISACA LA Chapter. CPA, CIA, CISA, CRISC, CDP. BS in Business and MSMS from Graduate School of Business at USC.
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
Introduction ─ ATG
7
Audit Technology Group
Corporate Auditor at SCE since 2005. Professional experience includes specializing in Information Technology data extraction, data mining, programming and other related analysis in support of audit projects, fraud investigations, and financial analytics. Has been the primary data analyst within Audit Services until John joined the group. He also participates or leads IT audits, including what we call “Blended” reviews and SOX reviews.
Victor previously was a Senior Systems Project Specialist with Automobile Club of Southern California. He is a CISA and has a Certificate in Project Management from the University of California at Irvine and a BS in Economics, California State Polytechnic University, Pomona.
Victor Alvarado
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
Introduction ─ ATG
8
Audit Technology Group
Corporate Auditor at SCE since August 2011. Was a data analyst at Zurich Group/Farmers Insurance and supported over 200 auditors with Computer Assisted Audit Techniques (CAATs). Besides also performing IT audits, he conducted training for Zurich Group Audit staff on ACL/ACL scripting, their audit management tool (Auditor Assistant) and audit standards. He also prepared training materials on using ACL, Excel functions and macros, MS Access and SQL, and data mining using Weka.
He is a CPA, CIA, and CISA and also has the following certifications: ACL Data Analyst, Advanced SAS Programmer, and Advanced Lotus Notes Programmer. John has an MS in Computer Science, California State Polytechnic University, Pomona, an MBA from Boston University, and a BA in English in China.
John Lee
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
What Started the Change in Focus:ASD Strategic Plan
• ASD Strategic Plan– Value, People, &Technology– Technology:
• IT Tools & Training• Embed IT Expertise• Continuous Controls
9
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
10
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
Drivers for Data AnalyticsReliability/Productivity on Top!!!
Reliability & Productivity
11
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
Better Use of Auditor Resources
Increasingly, the knowledge and skill level of auditors is rising to keep pace with complex demands of comprehensive audits.
• Automation will allow the auditor to spend more time on
activities requiring the application of auditor judgment. • By having the computer handle repetitive task using data
analytics, the use of the auditor resource can be maximized.• Volumes of data can be sorted, matched, recalculated, and
analyzed to identify suspect data for additional investigation.• Scripts and/or macros can be created to make analyses and
tests replicable.
Source: Internal Audit – Efficiency Through Automation – David Coderre12
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
Benefits of Data Analytics
• Close control loopholes before fraud escalates• Quantifies the impact of fraud• Cost-effective• Acts as a deterrent• Can be automated for continuous auditing• Provide focus based on risk and probability of fraud• Direct pointers to critical evidence• Support for regulator compliance
Source: ACL Services Ltd. 13
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
Data Analytics Processing Benefits
• Review 100 percent of transactions• No limit of file size• Compare data from different applications & systems• Perform tests that are designed for audit and control
purposes• Conduct tests proactively• Ability to automate high-risk areas to catch fraud before it
escalates• Maintain comprehensive logs of all activities performed
Source: ACL Services Ltd. 14
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
ASD Strategic Plan & New Role• New Role, New Group – Audit
Technology Group (ATG)Using automation & analytics to help focus audits on areas of greater risk; allowing us to continuously detect issues rather than maybe once a year or over a longer period; allowing us to look at 100% rather than samples in many cases:– Data Mining/Data Analytics– Continuous Control Monitoring/Auditing– Fraud Detection using automation
Also:– Training on IT Risks & Controls plus Tools &
Techniques– Access to data (SAP and more)– Working with IT on support escalation, AIMS
technical issues, large IT projects, Windows 7… 15
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
Foundation• Set up Audit Technology Group• Hired John as experienced data analyst—so now
have 2• Met with each ASD Director and then presented
to their All Hands meetings on new role and how we could help them
• On a particular procurement review provided much more analytics than asked for. Presented results near end of audit to General Auditor. Results lead to future follow-up reviews.
• Reached out to multiple other compliance related groups, including Ethics & Compliance (responsible for investigations), Information Security, and internal control groups.
• Set up internal training sessions• Implemented various tools• Established an Analytics & Monitoring Committee 16
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
17
• Audit Manager & Team engage ATG early on possible analytics• Include ATG in Walk-throughs with client• Agree on budget hours for ATG involvement• Be aware of data challenges, sensitivity & confidentiality• Data Analytics is only the starting point. Data will need to be
analyzed & verified and may require additional work.• If possible perform 100% population testing. If not, use data
analytics to sample smarter.• As data is retrieved with clients, ask them what SAP
T-Codes they use or other tools they use for extracting the data and reports.
• ATG is enhancing our SAP roles and data access capabilities. We want the capability of performing all our data extracts with limited IT support.
What we are doing ─ Data Analytic Approach
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
18
• Hire external data specialist• Develop a central team of experts• Develop analytics skills across the
entire audit function
Possible Approaches vs. Ours
There is no ‘one-size-fits-all’ model to building a team of analytics experts.
Audit Director’s Roundtable of Corporate Executive Board:http://cebviews.com/2010/08/02/developing-a-data-analytics-team/
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
Using Data Analytics in Recent ASD Engagements
• Trading Operations– Data Analytics on Excel Spreadsheet Data
• Administration of Benefit Plans – Payroll Data Feeds – Data Analytics on Accuracy / Completeness on Data
• HR Payroll Systems – Reconciliation – Data Analytics on identification of “Ghost Employees”
• Inventory Audits – Data Analytics on suspect inventory data and improve sampling
• Supply Chain Process – Bidding through Contract Admin– Data Analytics on approval dollar limits – help identify contracts that deviate
from master agreements with vendors• Fleet Gas Card and Gas Pump Usage
– Data Analytics on data indicating potential fraud• Cloud Computing Risk Assessment
19
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
Generic Data Analytics Opportunities
• Split Transactions • Incorrect Totals • Even Dollar
Transactions • Transaction Aging • Fuzzy Name Matches
• Matched Join • High Standard Deviation • Transaction Volume
Summary • Duplicate Transactions • Suspicious Date Range
Generic data analytic tests are applicable to numerous audit and fraud detection situations.
20
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
Cost Management Data Analytics Opportunities
• Vendor Payments • Duplicate Payments • Phantom Vendors • Vendor Master • Vendor Discounts • Purchase Authorization
Limits
• Customer Credit • Sales Orders to Purchase
Orders • Payroll • Corporate Credit Cards • Travel & Entertainment
Expenses
Designed to investigate large data sets in order to identify fraud, errors, risk and inefficiencies within organizations, Cost Management analytics have helped organizations find money, increase operational efficiencies and address key areas within their audit plan. They include analytics to address the following areas:
21
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
General Ledger Data Analytics Opportunities
• Validation of Trial Balance • Temporary Accounts • Validation of Control Accounts • Analysis of Month End Balances • Profiling of Suspense Accounts • Data Validity • Segregation of Duties • Duplicate Journal Entries
• Suspicious General Ledger Accounts• Suspicious Journal Entry Dates • Invalid Account Classification • Suspicious Journal Entry Amounts • Suspicious Journal Entry Description • Period Close Cut-off • Reversed Journal Entries • Unreconciled Journal Entries
Designed to enhance an auditor’s effectiveness in identifying errors and fraud in financial statements, data analytic scripts are available to examine General Ledger data based on the Statement on Auditing Standards No. 99: Consideration of Fraud in a Financial Statement Audit (SAS 99). These powerful analytics scripts allow auditors to conduct more efficient, consistent and comprehensive general ledger audits and provide an increased level assurance of the integrity of an organization’s financial statements. They include:
22
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
LIMITS OF DATA ANALYTICS IN CONTINIOUS CONTROLS MONITORING, DATA MINING, AND FRAUD DETECTION:
The only limits on what can be accomplished are the limits of your imagination, creativity, and access to the data.
23
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
24
ASD End State• Data Analytics
– All auditors consider data analytics on all audits• Data Analytics on ERA IT Risk Questionnaire or part of Work
Program• Audit Managers & Team engage ATG early in review• All Auditors trained in analytic tools, plus some super-users• Individual All Hands meeting topic/training & brown-bag meetings• ASD Analytics & Monitoring Committee
• Continuous Control Monitoring & Auditing– Due to SAP CCM monitoring, eliminate F&C annual SOX testing of
configuration controls– Use CCM/A for risk assessments to know which areas to focus on
and not focus on– Automate scripts to continually monitor for potential fraud
situations
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
25
Data Analysis in Procurement Audit
• Including:– Compare Service vs. Material Spent – Reassemble PO line items into PO– Match PO by Vendor and Contract– Summarize Non-PO line items by Vendor– Assemble PO Change History– Identify Duplicate Vendor– Fraud related analyses– Material cost variance analysis– Employee Vendor match by Tel, Tax ID, and Address.
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
26
Price/Cost Variance Analysis
• Including:– Ratio analysis: Max/2nd Max, Max/Min
• Help pinpoint suspect transactions and trends
– Benford law: Leading two-digit analysis– Completeness and Integrity: Wrong data type or
mandatory field blank– Cross-Tabulation: Vendor and PO Category
• Organizing data to find trends
– Data Profile: Sum, Count, Mean, Median, Std. Dev.– Identify the cost difference of the same material,
purchased by different plant.
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
27
Benford Analysis
• Help identify anomalous data.
10 14 18 22 26 30 34 38 42 46 50 54 58 62 66 70 74 78 82 86 90 94 980
1000
2000
3000
4000
5000
6000Benford Leading 2 Digits
Actual_Count Expected_Count Zstat_Ratio
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
28
Vendor/Employee Match
• Identify whether a current employee is also a vendor/contractor. – Matching employee to vendor by telephone number.– Matching employee to vendor by Tax ID.– Matching employee to vendor by home or mailing
address.
• Identify prior employee as current vendor/contractor and determine the basis for award.
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
29
Red Flags of Ghost Employees
• Use of a common name, e.g., Smith• No physical address• No personal or vacation leave• No deductions for voluntary deductions (i.e., health insurance,
pension, etc.)• High withholding allowance to minimize income tax withholding• Missing employee information• Invalid social security numbers• IRS notice regarding invalid social security numbers• No evidence of work performance• Changes to direct deposit bank account numbers• Payroll checks that are cashed in company accounts• Duplicate bank accounts for direct deposits
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
30
CA and CCM: An Integrated Approach
From ACL Webinar: Continuous Auditing: A Core Competency for Regulatory Compliance
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
31
Continuous Auditing/Monitoring
• ASD has gained direct access in production to the top 20 SAP tables used by auditors (headers and transactional) via ACL Direct Link.
• ATG is in the process of implementing ACL scripts using Direct Link to potentially continuously analyze these key tables for trends and anomalies using summarization, classification, stratification, aging, and other audit techniques.
• ATG is at the same time is looking for good CA opportunities. This is ongoing but also in conjunction with Analytics & Monitoring Committee.
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
32
Continuous Auditing/Monitoring
• Working with the CCI* Compliance & Process Controls group on implementing Continuous Controls Monitoring (CCM) on SAP GRC version 10.
• Looking for opportunities to continuously monitor risks to help either move up or out the start of audits.
* “Center for Continuous Improvement” (CCI) is equivalent to what other companies with SAP refer to as “Center of Excellence” or COE.
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
Continuous Monitoring Queries
• Corporate Credit Cards
• Conflict of Interest (Employees and Vendors)
• Top 100 PO and Non-PO Vendors
33
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
Copyright © 2008 ACL Services Ltd. 7
Continuum of Audit Analytics
ad hoc repetitive
24 7 365
continuous
• One-off analysis and testing
• Automated analyses and tests
• Managed and deployed from a central environment
• Continual execution of automated audit and monitoring tests to identify errors, fraud and anomalies on a timely basis
From ACL Webinar: ACL Solutions for Continuous Auditing & Monitoring
34
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
5 Levels of Capability Model
From ACL Whitepaper: The ACL Audit Analytic Capability Model 35
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
ACL’s AuditExchange Managed Analytics Platform for Audit
Management & Automation• Audit repository• User access & rights, data security• Centralized tests and processing• Continuous auditing management• Configuration & management
Query & Analysis• In-depth analysis• Audit-specific commands & scripting• Advanced analytics and predictive
modeling• Centralized logging
Data Access• Access, extract, transform, load• Specialized format connectors• Audit data repository
Reporting & Presentation• Templates, charting• Dashboard integration• Report deployment and maintenance
Analytic Library• Packaged analytics, key business
processes
Copyright © 2008 ACL Services Ltd. 7
From ACL Webinar: ACL Solutions for Continuous Auditing & Monitoring
36
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
37
Tools and Training
• Use ACL Network version (3 concurrent users)• Held ACL 105-Foundations class on-site for super-
users• Implemented ACL DirectLink (for efficient and
effective access to SAP production data)• Held Visio and Excel Analytics training sessions• Working on using SAP Business Object
development tools (Crystal Reports, SAS, Xcelsius, Webi).
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
38
Tools and Training
• Implemented Dell Precision T7500 workstation with SQL Server 2008 Express.
• Implementing IBM’s SPSS Modeler for data and text mining. Other open-source versions: KNIME & Weka 3
• Implemented “R” which is a free software environment for statistical computing and graphics.
• Using SCE’s Vovici Enterprise survey tool for independent assessments.
• Other: Monarch, Acrobat 9 Standard, SnagIt, Camtasia
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
39
Tools ─ “R”
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
40
Tools ─ KNIMEKNIME, pronounced [naim], is open-source and a modern data analytics platform that allows you to perform sophisticated statistics and data mining on your data to analyze trends and predict potential results. Its visual workbench combines data access, data transformation, initial investigation, powerful predictive analytics and visualization. KNIME also provides the ability to develop reports based on your information or automate the application of new insight back into production systems.
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
41
References and Sources
• ACL (www.acl.com)• Richard Lanza of AuditSoftware.net• David Coderre’s Fraud Analysis Techniques Using
ACL• Idea (www.caseware.com/products/idea)• R language (www.r-project.org)• Edward R. Tufte’s The Visual Display of
Quantitative Information• SPSS (www-01.ibm.com/software/analytics/spss)• KNIME (www.knime.org)• Weka 3 (www.cs.waikato.ac.nz/ml/weka)• Dr. Nigrini on Benford’s Law (www.nigrini.com)
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
42
More References
• Audit Director Roundtable of Corporate Executive Board (www.executiveboard.com/corporate-integrity/audit-director-roundtable/index.html)
Example in 3/21/13 CEB Email:
Your Work Group Name Here EDISON INTERNATIONAL
Building the Future | Human Resources
Audit Technology Group SOUTHERN CALIFORNIA EDISON®
SM
43
Audit Technology Group:– Larry Hanson ([email protected])– Victor Alvarado ([email protected])– John Y Lee ([email protected])
Questions