This document summarizes a webinar about using exploratory data analytics to focus an agile audit plan on emerging risks. It discusses dispelling common myths about data analytics and using an example of analyzing employee data to identify potential issues with gender and race pay disparities. The webinar promotes using analytics to enable control owners to conduct ongoing monitoring and shifting the audit's focus to confirming controls are appropriately designed and issues are addressed.
1. 8-6-2020
1
Focused Agile Audit
Planning using Analytics
TeamMate: Leading Audit Evolution
February 2020
About Jim Kaplan, CIA, CFE
President and Founder of AuditNet®,
the global resource for auditors
(available on iOS, Android and
Windows devices)
Auditor, Web Site Guru,
Internet for Auditors Pioneer
IIA Bradford Cadmus Memorial
Award Recipient
Local Government Auditor’s Lifetime
Award
Author of “The Auditor’s Guide to
Internet Resources” 2nd Edition
1
2
2. 8-6-2020
2
About AuditNet® LLC
• AuditNet®, the global resource for auditors, serves the global audit
community as the primary resource for Web-based auditing content. As the first online
audit portal, AuditNet® has been at the forefront of websites dedicated to promoting the
use of audit technology.
• Available on the Web, iPad, iPhone, Windows and Android devices and
features:
• Over 3,100 Reusable Templates, Audit Programs, Questionnaires, and
Control Matrices
• Webinars focusing on fraud, data analytics, IT audit, and internal audit
with free CPE for subscribers and site license users.
• Audit guides, manuals, and books on audit basics and using audit
technology
• LinkedIn Networking Groups
• Monthly Newsletters with Expert Guest Columnists
• Surveys on timely topics for internal auditors
Introductions
HOUSEKEEPING
This webinar and its material are the property of AuditNet® and its Webinar partners. Unauthorized
usage or recording of this webinar or any of its material is strictly forbidden.
If you logged in with another individual’s confirmation email you will not receive CPE as the
confirmation login is linked to a specific individual
This Webinar is not eligible for viewing in a group setting. You must be logged in with your
unique join link.
We are recording the webinar and you will be provided access to that recording after the
webinar. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
If you meet the criteria for earning CPE you will receive a CPE confirmation email. First you must
complete the evaluation survey and you will receive the link to download your certificate. The
official email for CPE will be issued via cpe@email.cpe.io and it is important to white list this
address. It is from this email that your CPE credit will be sent. There may be a processing fee to
have your CPE credit regenerated if you did not receive the first mailing.
Submit questions via the chat box on your screen and we will answer them either during or at
the conclusion.
You must answer the survey questions after the Webinar or before downloading your certificate.
3
4
3. 8-6-2020
3
IMPORTANT INFORMATION
REGARDING CPE!
ATTENDEES - If you attend the entire Webinar and meet the criteria for CPE you will receive a
confirmation email with a link to the evaluation survey required to download your CPE certificate.
The official email for CPE will be issued via cpe@email.cpe.io and it is important to white list this
address. It is from this email that your CPE credit will be sent. There may be a processing fee to
have your CPE credit regenerated after the initial distribution.
We cannot manually generate a CPE certificate as these are handled by our 3rd party provider. We
highly recommend that you work with your IT department to identify and correct any email delivery
issues prior to attending the Webinar. Issues would include blocks or spam filters in your email
system or a firewall that will redirect or not allow delivery of this email from Gensend.io
You must opt in for our mailing list. If you indicate you do not want to receive our emails your
registration will be cancelled and you will not be able to attend the Webinar.
We are not responsible for any connection, audio or other computer related issues. You must have
pop-ups enabled on you computer otherwise you will not be able to answer the polling questions
which occur approximately every 20 minutes. We suggest that if you have any pressing issues to see
to that you do so immediately after a polling question.
Hello. It’s nice to meet you.
Toby DeRoche
MBA, CIA, CCSA, CRMA, CICA, CFE
Manager, Solution Consultant
Toby is a Certified Internal Auditor (CIA) who holds an MBA
with an Internal Audit specialization from Louisiana State
University. He is also certified in Control Self-Assessment
(CCSA), Risk Management Assurance (CRMA), Internal
Control (CICA), and Fraud Examination (CFE). His
professional background includes identification and
documentation of weaknesses that result in heightened
business risk, while recommending solutions to such
situations. Toby began his career in internal audit with
Macy's Inc. He then worked as an implementation and
training consultant for Wolters Kluwer. As a Senior Market
Development Consultant at Wolters Kluwer, Toby works
with organizations that are looking for software solutions to
their audit, risk and compliance needs.
Jen Terry
Solutions Consultant
Jen Terry is a Market Development Consultant with Wolters Kluwer,
TeamMate. Before joining TeamMate, Jen worked in internal audit
at two Fortune 500 companies in the airline and retail industries,
where she performed operational, financial and compliance
auditing. As an internal auditor, Jen developed her knowledge and
use of data analytics to add value and drive efficiency into audits
such as expense, contract and compliance reviews. Jen also held a
role in finance where she continued to focus on data analytics to
bring value to the organization.
Prior to her work in audit and finance, Jen taught high school
mathematics before earning her Master of Science in Accounting
degree from the University of Texas at Dallas. She also holds a
Bachelor of Arts Degree in Liberal Studies with emphases in
Business and Mathematics from Northern Arizona University.
5
6
4. 8-6-2020
4
Topic Overview
As many audit departments are moving toward
agile auditing, they struggle finding an effective
technique for planning that goes beyond the
traditional risk assessment. We recommend using
exploratory data analytics to focus the agile plan
and address those risks with the greatest
exposure.
Session Objectives
After this session, participants will be able to:
Use data analytics for exploratory testing to validate a draft
plan that incorporates emerging risks
Dispel the Top 5 Analytics Myths
Develop an agile risk-based plan that aligns with senior
management objectives
Deliver a continuous monitoring plan with tools to your
control owners
7
8
5. 8-6-2020
5
Focusing Your
Audit Plan
To address emerging risks, we can apply data analytics to
focus our agile plan on the areas with the most
exposure.
What risks should we consider right now?
Emerging Risks
Emerging risks:
May develop suddenly or
Already exist but take on a higher priority very quickly
Emerging risks develop quickly, are difficult to quantify, and may have a high
loss potential.
Uncertainty makes it difficult to adequately assess the frequency and severity
of a given risk.
#TMUF19 10
9
10
6. 8-6-2020
6
Top 20 Emerging Risks
1. Increased use of artificial intelligence, robotics process
automation, and machine learning while not accounting for
human programming bias.
2. Increased competition from countries without the same
level of regulation.
3. Cultural behaviors with employees and customers
responding to innovation demanding mobile access and
real-time interactions.
4. An increase in the frequency and sophistication of cyber
threats.
5. Cybercrime including holding systems hostage: prevent the
hack or reserve to pay the fee.
6. System complexity and regulatory restrictions on data
disclosure (i.e. GDPR).
7. Increased need for rapid response and transparency with
data breaches.
8. Use of cryptocurrencies in organizational operations.
9. Political division within organizations, particularly when
senior leadership is outspoken and not in line with many of
the employees.
10. Increased access to unauthorized software purchases on
organization networks (shadow technology).
11. Gender and race equality issues among existing and
incoming staff.
12. Generational expectation differences among the various
groups of employees.
13. Need to fill skills gaps and managing obsolete knowledge in
the face of rapid technical change.
14. Upskilling the current workforce once displaced by
innovation.
15. Lack of data analytic expertise on staff to understand big
data and comparative analysis to peers and the market.
16. Employee safety concerns with active shooters, sexual
misconduct, and physical security.
17. Blurring the 2nd and 3rd lines in the Three Lines of Defense
model.
18. Lack of coordination across the lines of defense.
19. Reputational risk from employee, customer, and vendor
postings on social media.
20. Internal fraud risk increases as the traditional fraud
pyramid changes in relation to rationalization.
POLLING QUESTION 1
11
12
7. 8-6-2020
7
Top 20 Emerging Risks
1. Increased use of artificial intelligence, robotics process
automation, and machine learning while not accounting for
human programming bias.
2. Increased competition from countries without the same
level of regulation.
3. Cultural behaviors with employees and customers
responding to innovation demanding mobile access and
real-time interactions.
4. An increase in the frequency and sophistication of cyber
threats.
5. Cybercrime including holding systems hostage: prevent the
hack or reserve to pay the fee.
6. System complexity and regulatory restrictions on data
disclosure (i.e. GDPR).
7. Increased need for rapid response and transparency with
data breaches.
8. Use of cryptocurrencies in organizational operations.
9. Political division within organizations, particularly when
senior leadership is outspoken and not in line with many of
the employees.
10. Increased access to unauthorized software purchases on
organization networks (shadow technology).
11. Gender and race equality issues among existing and
incoming staff.
12. Generational expectation differences among the various
groups of employees.
13. Need to fill skills gaps and managing obsolete knowledge in
the face of rapid technical change.
14. Upskilling the current workforce once displaced by
innovation.
15. Lack of data analytic expertise on staff to understand big
data and comparative analysis to peers and the market.
16. Employee safety concerns with active shooters, sexual
misconduct, and physical security.
17. Blurring the 2nd and 3rd lines in the Three Lines of Defense
model.
18. Lack of coordination across the lines of defense.
19. Reputational risk from employee, customer, and vendor
postings on social media.
20. Internal fraud risk increases as the traditional fraud
pyramid changes in relation to rationalization.
Gender and race equality issues among
existing and incoming staff.
Risk Assessment Results
13
14
8. 8-6-2020
8
Traditional Approach
Human Resource Audit
Look at end to end process
Policies and Procedures
Systems
Documentation
Employee File Review
May or may not work from a pre-existing audit program
Document all issues, with heavy focus on compliance
Which issue does your company care most about?
Frankly, which issue do you actually care most about?
The first two issues are compliance, but the last issue
highlights significant risk exposure.
Audit Report
• Issue: We reviewed all employee files for I-9 File compliance. Of the 2 of the 200 (1%) of the files
were out of compliance. We recommend correcting the non-compliant files
• Issue: We reviewed 25 pay adjustments made in 2019, and we found 2 of 25 (8%) of the pay
adjustments received only one of the two required signatures for approval. We recommend
validating the 2 adjustments and ensuring dual approval going forward.
• Issue: We reviewed all employee salaries to ensure these were within the bands for their
position and found that, while in the band, female employees are consistently paid up to 20%
less than male employees. We recommend the adjusting the pay for the 102 impacted female
employees to eliminate the wage disparity based on gender.
15
16
9. 8-6-2020
9
Exploratory Analysis
Focused pretesting to decide if there should be an audit on the plan
Redefine the audit to looking at risks that matter most, not a 6 week
process evaluation that looks at everything – take an agile approach
Use an analytic tool for exploratory analysis!
Dispelling the Top 5 Myths
You need to know the test
before you start anything.
False: You are better off
walking into the situation
without bias.
17
18
10. 8-6-2020
10
Dispelling the Top 5 Myths
You need to be an
analytics guru to test
effectively.
False: There are tools that
make analytics easy and
don’t require weeks of
training.
Dispelling the Top 5 Myths
I have heard there are lots
of “false positives” in the
test results.
False: When you approach
the test with a specific
goal and normalize the
data, false positives are
minimized.
19
20
11. 8-6-2020
11
Dispelling the Top 5 Myths
You need to know how to
code to use an analytics
tool.
False: The tests are now
built into the application.
Dispelling the Top 5 Myths
I need to have access to
all of the IT systems to be
able to run the test.
False: Your IT team can
give you the data you
need.
21
22
12. 8-6-2020
12
Step by Step Approach
What data is available?
What story does the data tell?
What risks are exposed by the data?
What tests could you do to evaluate those risks?
Exploratory Analysis in Action
We obtained an Employee listing including:
Gender
Race
Age
Education level
Salary
Job level
Primary language
23
24
13. 8-6-2020
13
Let’s take a look
Recap of our Exploratory Analysis
We used some simple analytical procedures to do a preliminary
assessment on race and gender disparity in the organization:
Data Visualization using simple charts
Grouping
Filtering
Outlier test
25
26
14. 8-6-2020
14
What the data told us.
Gender disparity in pay and promotions
Race disparity in pay and promotions
What the data told us.
Exploratory analysis confirmed several details:
1. We do need to spend time in HR
2. We should focus on the emerging risk of race and gender pay and
promotion inequality
3. Our Risk Assessment was wrong
27
28
15. 8-6-2020
15
Actual Results
“In response to the audit,
Google compensated
10,677 employees an
additional sum totaling
$9.7 million to offset the
underpaid wages”
https://internalaudit360.com/googles-pay-gap-internal-audit-yields-surprising-result/
POLLING QUESTION 2
29
30
16. 8-6-2020
16
Agile Techniques
Audit Planning
How can Agile Planning techniques help?
Audit planning will be nimble
We will tackle emerging risk areas
Audit departments will add value!
31
32
17. 8-6-2020
17
Agile Audit Process Diagram
Risk
Assessment
Plan
Development
Plan
Execution
Reporting
Audit
Planning
Audit
Execution
Review
Reporting
Milestone
Planning
Milestone
Execution
Milestone
Review
Milestone
Reporting
Quarterly QuarterlyQuarterlyQuarterly
Exploratory
Analysis
Enabling Control Owners
33
34
18. 8-6-2020
18
Why are you doing all of this testing???
Here are the facts:
Analytics is now easier to use than ever
The tools are based on Excel to make adoption simple
Control owners are closer to the data
We only look at the past, they can test in real time
Audit does not own the concept of analytics, share your tools with others!
Time to stop.
Audit needs to put responsibility for ongoing controls on the owners.
First and second line management can use analytics to run tests.
Audit’s responsibility is now to confirm the test is designed appropriately
and the output is addresses.FM1
35
36
20. 8-6-2020
19
POLLING QUESTION 3
Follow us on www.linkedin.com/company/teammateaudit
and share your thoughts about this webinar.
Follow us on social.
#AuditEvolution @JenniferTerry @TobyDeRoche
37
38