2015 ISACA NACACS - Audit as Controls Factory
Audit As A Controls Factory
Nate Anderson, Internal Audit, Sears
Cliff Nuxoll, Internal Audit, Sears
PRESENTATION OBJECTIVES
• Overview of data analytics concepts
  – Summarize audit analytics concepts & tools
  – Reinforce concepts through examples & lessons
  – Analytics team best practices
  – Present practical tools & approaches to analytics
• Challenge traditional view of Audit Analytics
  – Consider services Audit can provide while remaining independent and objective
OUTLINE
• Audit analytics – Overview
• Key ingredients to audit analytics
  – Methodology & Approach
  – Building an analytics team
  – Overview of commonly used tools
• Analytics in action
  – Monitoring controls
  – Audit aids
  – Ad-hoc analysis
• Lessons learned
• Maintaining Independence & Objectivity
AUDIT ANALYTICS OVERVIEW
• Definition
• Industry Insights
• Key Trends
• Key Ingredients
AD-HOC ANALYSIS
Auditor obtains useful data
Data is loaded for analysis
Results of analysis
Summary insights
Goals: Test general hypothesis (e.g., determine root cause for sample of negative margin sales)
AUDIT AUTOMATION
Auditor aid engaged
Automated routine
Results for auditor
Analytics Routine/Program
Goals: Improve efficiency, accuracy, or effectiveness of audit processes
CONTINUOUS AUDITING / MONITORING
Analytics Routine/Program
Data feed to audit
Automated routine
Output for action/decision
Goal: Enable risk monitoring, support risk decision, and/or facilitate control activity
STATISTICAL ANALYSIS / MODELING
Data feed to audit
Stats/modeling routine
Output for action/decision
Goal: Descriptive statistics procedure or modeling to test hypothesis, increase understanding, or make prediction
INDUSTRY INSIGHTS
• PwC 2014 State of the IA Profession Survey
• Protiviti 2015 IA Capabilities & Needs Survey
PWC 2014 STATE OF PROFESSION SURVEY
How is Internal Audit doing?
• 49% (senior mgmt) & 60% (board) believe IA is delivering on expectations
• 45% (senior mgmt) & 70% (board) believe IA adds significant value
• 29% (senior mgmt) & 51% (board) believe IA is leveraging technology effectively in execution of audit services
Where are the opportunities for IA to improve?
• #1 area respondents want greater IA involvement in:
  – Increased reliance on big data & analytics (80%)
• “[IA] functions should always be looking to add value by expanding their capabilities in [data analytics].”
PROTIVITI 2015 IA SURVEY
• 5 of 7 areas (out of 36 total) where audit improvement is most urgently needed relate to analytics.
• Data analytics skills were the top area of desired growth in 2013 (4 of top 5) and 2014 (6 of top 9)
“Need to Improve” Rank
1 Auditing IT Security
1 (tie) Computer-assisted audit tools (CAATs)
3 Data analysis tools – data manipulation
4 Marketing internal audit internally
5 Fraud – monitoring
6 Data analysis tools – statistical analysis
7 Continuous auditing
PROTIVITI 2015 IA SURVEY
• “There continues to be significant dialogue among internal audit functions about the need to leverage technology-enabled auditing tools, but they are not achieving progress.”
• “CAEs and internal audit leaders should consider whether this is becoming a never-ending journey”
• “Will [audit analytics] continue to be discussed but not implemented?”
KEY TRENDS
• Democratization of data
• Visualization growth
• On-demand computing power
KEY TRENDS: DEMOCRATIZATION OF DATA
Major growth in data
Unstructured: 80%
Structured: 20%
Majority is unstructured & raises new opportunities & concerns
New methods to store, access & analyze unstructured data
KEY TRENDS: DATA VISUALIZATION GROWTH
Significant advances in visualization tools
KEY TRENDS: ON-DEMAND COMPUTING POWER
Leverage cloud for power & storage
KEY INGREDIENTS TO AUDIT ANALYTICS
Approach
Tools
Team
Methodology
AUDIT ANALYTICS METHODOLOGY
Problem to analyze
Get/Process data
Analyze results
Measure insights
Apply learnings
ELEMENTS OF AGILE PHILOSOPHY
Just do it.
AGILE MANIFESTO
“We are uncovering ways of developing software by doing it and helping others do it. Through this work we have come to value:
Individuals & interactions Over Processes & tools
Working software Over Comprehensive documentation
Customer collaboration Over Contract negotiation
Responding to change Over Following a plan
That is, while there is value in the items on the right, we value the items on the left more.”
AGILE ELEMENTS WITHIN OUR APPROACH
• Agile
  – Obsess over problem to be solved
  – No “analysis paralysis”
  – Deliver early, often, and modestly (small releases)
  – Improve incrementally
  – Learn from reality quickly and with little money
• Traditional
  – Dangerous set up: Design everything, code everything, promise to deliver big later.
  – Rigid scope and plan
  – Over-reliant on consultants
ATTRIBUTES OF AGILE TEAMS
• Culture of transparency without penalties
• Reward early experimentation (and failure)
• Self-organizing and self-managing teams
• Cross-functional teams
“I had never failed. I’ve just found 10,000 ways which do not work.” - Thomas Edison
CHANGING WITH TECHNOLOGY
Leverage data warehouses
Leverage big data
Leverage open source
[Chart: x-axis Time (1970 to 2015); y-axis Complexity]
AUDIT ANALYTICS TEAM
Insights
Coder
Analyst
Business Expert
SKILLSET: BUSINESS EXPERT
• Leverages personal insights and relationships
• Focus on solving real world problems
• Business unit experience
• Prioritize risks
Problem to analyze
Get/Process data
Analyze results
Measure insights
Apply learnings
SKILLSET: CODER
• Knows where and how to gather data
• Able to code in multiple languages
• Works well with key IT practitioners
• Developer experience
Problem to analyze
Get/Process data
Analyze results
Measure insights
Apply learnings
SKILLSET: ANALYST
• Evaluate key risks based on data
• Drive solutions based on analysis
• Excellent problem solver
• Can visualize results
Problem to analyze
Get/Process data
Analyze results
Measure insights
Apply learnings
ANALYTICS LEADERSHIP TEAM
CAE
Analysts
Business Experts
Coders
• Sponsor key to success
• Must be open to any approach that gets results
• Strong practitioner
• Great business knowledge
• Strong practitioner
• Understands how to manage IT resources and projects
Analysts
IT Audit Lead
Corporate Audit Lead
TYPICAL ANALYTICS PROCESS FLOW
Requirements
Business Expert
Coder Analyst
LESSONS LEARNED: RESOURCING
1. Diversity is critical.
2. Be ready to replace key personnel.
Auditors Coders
Coders Business Experts
AUDIT ANALYTICS TOOLS
Visualize
Analyze
Organize
Acquire
MICROSOFT OFFICE SUITE
Acquire / ETL | Organize | Analyze | Visualize | Price | Difficulty
TOP AUDIT ANALYTICS SOFTWARE
Acquire / ETL | Organize | Analyze | Visualize | Price | Difficulty
GARTNER MAGIC QUADRANT – BI TOOLS
Top tier Open source
[Chart axes: Completeness of Vision (x); Ability to Execute (y)]
TOP VISUALIZATION SOFTWARE
Acquire / ETL | Organize | Analyze | Visualize | Price | Difficulty
MICROSOFT BI TOOLSET
Acquire / ETL | Organize | Analyze | Visualize | Price | Difficulty
TOP BI OPEN SOURCE (FREE)
Acquire / ETL | Organize | Analyze | Visualize | Price | Difficulty
TECHNOLOGIST TOOLS
Acquire / ETL Organize Analyze Visualize Price
ANALYTICS SOLUTION EXAMPLES
• Monitoring Controls
  – Patriot Act Compliance
  – Pharmacy Compliance
  – Gift Card Compliance
• Audit Enhancement
  – Access Benchmark
• Ad-Hoc Risk Analytics
  – Gift card analytics
  – Employee Store Risks
  – Telecom spend
MONITORING CONTROLS
• Hosted web applications
  – Patriot act compliance
  – Pharmacy compliance
  – Gift Card compliance
• Collaboration between business & audit
• Aid business in mitigating significant risks
PATRIOT ACT COMPLIANCE
• Replaced pre-existing weekly Excel reports with continuous online tracking system – accuracy improvement of 500%
• Findings are generated nightly and appended to the current report
• Related transaction details are populated under each finding
PHARMACY POLICY COMPLIANCE
• Requested by Legal to protect against costly fines
• LDAP-authenticated system requires Pharmacists and Pharmacy Managers to agree/disagree to policy on a weekly basis
• Users sign in and enter pharmacy location number
PHARMACY POLICY COMPLIANCE
• Once signed into the system with a user id and location number, users come to the policy page
• Upon agreement, user information and pharmacy location are logged
• In the case of a disagreement, Managers & Directors are notified via email to take appropriate action
GIFT CARD COMPLIANCE
Periodic review and action (sign-off) on potential risk events:
• Required sign-off
• Business unit management oversight of sign-off, participation, risk events
AUDIT ENHANCEMENT
• Hosted web application
  – Access benchmark
• Improves audit activities
• Typically enhances:
  – Efficiency
  – Effectiveness
  – Uniformity of approach
ACCESS BENCHMARK
Concept:
- Access list repository for audit & IT compliance
- Regular snapshots of access for critical IT assets
- Enables self-service access reviews by control owners
ACCESS BENCHMARK – COVERAGE
Sarbanes-Oxley IT Components | Count
Environments (LDAP, AD, etc.) 10+
Applications 50+
Databases 150+
Systems 200+
Datasets 50+
Production Directories 50+
Utilities 5+
• Implemented across LDAP, Active Directory, mainframe hosts, Sun, AIX, Linux, HP-UX, Windows, AS/400, MySQL, SQL Server, DB2, Oracle, Teradata, Informix, PeopleSoft, etc.
ACCESS BENCHMARK – WALK-THROUGH
• Primary functions:
  – Admin – Add IT assets, map reviewers, manage access
  – Reviewer – Down/upload of mapped access reviews
  – Auditor – Download of completed reviews
ACCESS BENCHMARK – REVIEWER VIEW
# of accounts requiring review
All IT assets related to user
Download current list
Relevant technology layer
ACCESS BENCHMARK – REVIEWER VIEW
Enabled drag and drop of completed access reviews
ACCESS BENCHMARK – REVIEWER VIEW
Upload occurs; data validation performed
ACCESS BENCHMARK – AUDITOR VIEW
Download List
Select technology layer
Select review “as of” date
ACCESS BENCHMARK – BENEFITS
• Effective access reviews and re-certifications
• Uniformity in approach & quality
• Enables 100% coverage (all IT assets & accounts)
• Solution is scalable (can leverage for SOX, PCI, etc.)
• Accurate “critical information asset” inventory
• Value of weekly access snapshots
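The snapshot comparison, upload validation and “as of” selection described on the Access Benchmark slides can be sketched as follows. This is an added example, not the presenters' code; the asset and account names, the keep/revoke decision values and the validation rules (including the self-review check) are assumptions.

```python
from datetime import date

# Constructed weekly snapshots: (asset, account) -> privilege. Names are hypothetical.
SNAPSHOTS = {
    date(2015, 3, 2): {
        ("payroll-db", "asmith"): "read",
        ("payroll-db", "bjones"): "dba",
        ("pos-app", "asmith"): "user",
    },
    date(2015, 3, 9): {
        ("payroll-db", "asmith"): "dba",     # privilege raised since last week
        ("pos-app", "asmith"): "user",
        ("pos-app", "tmp_vendor"): "admin",  # account that did not exist last week
    },
}

VALID_DECISIONS = {"keep", "revoke"}  # assumed decision vocabulary


def snapshot_as_of(snapshots, as_of):
    """Auditor view: latest snapshot taken on or before the requested date."""
    eligible = [d for d in snapshots if d <= as_of]
    if not eligible:
        raise LookupError(f"no snapshot on or before {as_of}")
    latest = max(eligible)
    return latest, snapshots[latest]


def diff_snapshots(old, new):
    """Classify access changes between two snapshots of the same assets."""
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted((k, old[k], new[k])
                          for k in new if k in old and old[k] != new[k]),
    }


def validate_review(snapshot, review_rows, reviewer):
    """Check an uploaded review against the snapshot it was downloaded from.

    review_rows is an iterable of (asset, account, decision) tuples.
    Returns a list of error strings; an empty list means the upload is accepted.
    """
    errors, seen = [], set()
    for asset, account, decision in review_rows:
        key = (asset, account)
        if key not in snapshot:
            errors.append(f"{asset}/{account}: not in snapshot")
            continue
        if key in seen:
            errors.append(f"{asset}/{account}: duplicate row")
            continue
        seen.add(key)
        if decision.strip().lower() not in VALID_DECISIONS:
            errors.append(f"{asset}/{account}: invalid decision {decision!r}")
        if account == reviewer:  # assumed rule: no self-certification
            errors.append(f"{asset}/{account}: reviewer cannot certify own access")
    # 100% coverage: every account in the snapshot needs a decision.
    for asset, account in sorted(set(snapshot) - seen):
        errors.append(f"{asset}/{account}: no decision recorded")
    return errors


if __name__ == "__main__":
    week1, week2 = SNAPSHOTS[date(2015, 3, 2)], SNAPSHOTS[date(2015, 3, 9)]
    print(diff_snapshots(week1, week2))
    upload = [("payroll-db", "asmith", "keep"),
              ("pos-app", "asmith", "maybe"),
              ("pos-app", "ghost", "revoke")]
    for err in validate_review(week2, upload, reviewer="mlee"):
        print("REJECTED:", err)
```
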
AUDIT ENHANCEMENT “MUST HAVES”
• Ready access to:
  – Employee & contractor data
  – Key transactional data access (e.g., point-of-sale)
• Statistical aids (assist with sample selection, etc.)
• Focus on repetitive activities in areas such as compliance
AD-HOC RISK ANALYTICS
• Conducted with desktop software
  – Gift card analytics (Tableau)
  – Store employee risks (Power BI)
  – Telecom spend (Tableau)
• Enhances risk assessments, audits
• Requires savvy & assertive auditors
GIFT CARD ACTIVITY OVER TIME
[Chart: Gift Card Trend by Date; x-axis: day, 2014 Q3 through 2015 Q1; y-axis: Gift Cards Issued (0 to 60)]
Continuous control implemented
Flawed program launched; quickly addressed
SUSPICIOUS ACTIVITY BY STATE
[Map: Gift Card by State, with gift card counts per state]
States with significant activity
States where no activity is allowed
SUSPICIOUS ACTIVITY BY DISTRICT
[Bar chart: Gift Card by District Manager; x-axis: Gift Cards Issued (0 to 150); y-axis: Dist Mgt Name]
Districts with significant suspicious activity
STORE EMPLOYEE RISKS
Shifts < 3 hours
Qty of edits
Qty of self-corrects
Qty of self-corrects
STORE EMPLOYEE RISKS
High qty of self-corrections to hours
High qty of manual hours edits
High qty of both concerns
TELECOM SPEND
• Where is biggest cost recovery opportunity?
  – Over allocation / overcharge
  – Obscure service charges
  – International call/text usage
  – Unneeded feature removal
  – Closed sites / lines not in use
  – Call/text/data plan optimization
  – General use overage
TELECOM SPEND: VENDOR 1
Quickly highlight key cost recovery opportunities
~$350k savings proposed
TELECOM SPEND: VENDOR 2
Quick overview of amount of recovery by reason
~$2.2m savings proposed
Top recovery reason: Unused lines/circuits
TELECOM SPEND: CLOSED SITE/ UNUSED LINES
SHMC-38445 and SHMC-99999 may be false positives; need more data
Abnormally large sites:
- Store
- Corporate
TELECOM SPEND: BY SITE
Significant number relate to corporate
TELECOM SPEND: DRILL-DOWN ON CORPORATE
Identify greatest opportunities for preventive controls
Visualization Summary:
• Quick, big-picture view
• Convey conclusions & approach to key stakeholders
LESSONS LEARNED
• Most valuable technical skill
• Toolbox approach
• Affordably sourcing team
MOST VALUABLE TECHNICAL SKILLS
1. SQL. And then really advanced SQL. Learn it. Love it. Live it. Essential for finding, browsing, evaluating, analyzing, and filtering data
2. Excel – Lots can be done before limitations emerge
3. Tableau – Includes all essential ingredients
4. Depends on the need, familiarity, etc.
TOOLBOX APPROACH: BEST TOOL WINS
• What step are you on in your data analytics journey?
• How to move forward without:
  – Looking too far ahead
  – Spending unnecessary $$$
• Successful tools for Sears Holdings:
  – Everyone: Excel, Access
  – Front-end team: ACL, Tableau
  – Back-end team
    • Linux servers (free, powerful server)
    • MySQL (free, powerful database)
    • Cassandra (free, powerful NoSQL database)
AFFORDABLY SOURCING TEAM
1. Coders as interns
  – Freedom and creativity of role should appeal to them
  – Do not ask them to be auditors
2. Data analysts as interns
  – Subject matter is attractive (fraud, security, etc.)
3. Auditors with coding background
  – Increases likelihood of obtaining versatile data analytics practitioners
ENTERPRISE RISK MANAGEMENT FAN
* Internal Audit acts as facilitator and host only
INDEPENDENCE & OBJECTIVITY
“Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.”
“Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others.”
– Section 1100 – Independence and Objectivity
International Standards for the Professional Practice of Internal Auditing
INDEPENDENCE IMPAIRMENT THOUGHTS
• Are we “implementing risk responses on management’s behalf”?
• Are we “taking accountability for risk management”?
• Are we remaining able to audit these controls without bias?
1. We are remaining independent of the performance of the control, we are unbiased, while we are increasing our control oversight.
2. We do not make risk response decisions; we do not manage risk for management.
Most Importantly: If we never have to answer these questions, how much value are we adding?