Continuous Auditing Software Project

County of San Diego

Presented by Christine Nahimana

Executive Summary

The Project is part of an “Integrated Internal Controls Assurance Initiative” by the Office of the Auditor and Controller at the County of San Diego.

Proactive approach to applying standards consistent with regulatory and compliance requirements, such as those produced by the Institute of Internal Auditors (IIA), the SEC and various Federal, State and Local Agencies

Existence of a Manual Auditing System - actual material value of audit findings that indicate fraud, waste or misuse tends to be small (typically, 1% -2% of total transactions)

Problem Statement

Manual reviews (Audits) to monitor fiscal transactions often have a high cost associated with them and only provide a “point in time” analysis, based on only a sample of all the transactions involved.

Findings from internal audit activity prove that the current system often fail to detect discrepancies, irregularities, and indicators of susceptibility of fraud in some business processes especially the P-card usage.

Project Objectives

Automating the current manual approach to monitoring the procurement process, reducing the staff, time and costs that would be required to analyze 100% of related transactions

Providing increased oversight into the County’s internal financial controls enhancing thereby their ability to attest to the effectiveness of internal controls

PROJECT SCOPE

Justification: Reducing the material and

political risk related to waste, fraud and misuse of public funds

Enabling a proactive vs reactive approach to fraud

Fraud Prevention vs Fraud Detection

Scope limitation : The project is for the

monitoring of Purchase Cards transactions not other financial transactions

Project Scope- CAS Technical Requirements

Web browser based operating in the following system environment: TCP/IP network, MS Server 2003 SP1, MS SQL Server 2000 database, Microsoft IIS servers and Windows XP SP2 workstations, or later versions.

Test transaction data at the source level using industry standard formats for internal controls

Compatible with current sources of data at the County such as Oracle, PeopleSoft, US Banks

Allow County administrators to easily modify exception thresholds and tolerances

provide internal data and security controls to restrict access base on specified user identification

Capability of displaying and printing customizable reports Use of Benford’s Law, number patterns, ratios, and duplications to look for

anomalous patterns, differences, matches, and anomalies

Project Scope – more – Functional Project Scope – more – Functional RequirementsRequirements

•Unauthorized, invalid, or inactive Unauthorized, invalid, or inactive employeesemployees

•Unauthorized, debarred, or Unauthorized, debarred, or suspicious Merchantssuspicious Merchants

•Improper segregation of dutiesImproper segregation of duties

•Split TransactionsSplit Transactions

•Duplicates (requisitions, POs, or Duplicates (requisitions, POs, or payments)payments)

•Mismatched quantities or dollars Mismatched quantities or dollars (requisitions, POs, or payments)(requisitions, POs, or payments)

•Improper authorizationsImproper authorizations

•Untimely resolution of holdsUntimely resolution of holds

•Sequences or timing anomalies

•Spending limits exceeded

•Restricted items

•Unexpected patterns or amounts

•Vendor/employee associations

•Suspicious data values or formats

•Suspicious adjustments, credits or refunds

•Unauthorized or deactivated card numbers

Return on Investment Analysis – Return on Investment Analysis – Benefits EstimateBenefits Estimate

Audit Budget Hours 1 Full time Senior Auditor 60,000 1 Full time Associate Auditor 45,000

Total Audits Costs Savings 105,000 Potential Fraudulent Activity Cost Estimate 300,000

Total Fraudulent Activities Costs Savings 300,000 Total Benefits 405,000

Return on Investment – Costs Estimates

One Time Fees Licence Fees 50,000 (Includes unlimited user's access to CCM web base reporting tools) Implementation Fees 65,000

Total One Time Fees 115,000 On-Going Fees Annual Maintenance and Support (20% of Licence Fees) 10,000 Application Assurance (Optional) 5,000 (10% of Licence Fees)

Total Ongoing Fees 18,000 Total Initial Fees 133,000

Measures of Success

Meet all the functional and technical requirements Software must be user friendly Software should allow to analyze 100% of data Delivery of the software should be within time estimate

Implementation and Development

Tech Support

Application Maintenance

Releases to User Interface

Ongoing

PHASE 1 PHASE 2 PHASE 3Technical and Functional Requirement Design

Vendor Selection based on specified Criteria

Confirm detailed technical requirements and configuration design

Competitive Bid Analysis

Configuration of the Software

Configure data / application / UI for each test

Format views / configure alerts

Configure application in test environment

QA and Validation

User & System Training

Test data extraction (monitor for system performance)

Test and validate functionality

User acceptance

Configuration Design Implementation

PHASE 4PHASE 3 PHASE 4

6-8 Weeks

All Skateholders at the County: Project manager- 2 Auditors – 2 IT staff, Vendors

4-6 Weeks

The Program Manager as well as 1 IT representative work closely with Vendor

2-3 Weeks

All skateholders are involved in this phase

Configuration

Risk Management Strategy in Contracts Specifications

Quality testing and assurance at each phase of project development or implementation

Provide unlimited daytime support while under maintenance Provide updates, upgrades, forms and workarounds while under

maintenance Provide up to date user/training manual. Updates to the

user/training manuals shall be included under maintenance Training session, or instructions, on revised and new forms and

on each new version of the software

Communication Management Strategy

Project Manager with ManagementEvery week managers will receive a progress report by a meeting with the Project Manager. Daily problems and questions will be best communicated by email.

Project Team and Project ManagerOnce tasks are assigned among team members, they will meet twice a week during the Configuration Design and implementation phase. Daily problems and questions will be best communicated by email

Project Manager and Vendor’s CommunicationFor clarity, configuration and implementation services include on-going communications with the vendor by meetings, correspondence for confirmation of requirements, emails, phones or faxes, training. Same during the Support and maintenance phase.