450 likes | 664 Views
AUTOMATION OF AUDIT AND COMPLIANCE TOOLS. FIRMA 20 th ANNIVERSARY NATIONAL TRAINING CONFERENCE APRIL 9, 2006 WASHINGTON, D.C. Marilyn Smith Jim Strickland
E N D
AUTOMATION OF AUDIT AND COMPLIANCE TOOLS FIRMA 20th ANNIVERSARY NATIONAL TRAINING CONFERENCE APRIL 9, 2006 WASHINGTON, D.C. Marilyn Smith Jim Strickland VP, Chief Compliance Officer Director, Global Liaison, Audit & Risk Review HARRIS BANKCORP/ HARRIS INVESTMENT MGMT CITIGROUP
Agenda PART I • Intro/Overview • Today’s Objectives • Definition and Types of Automation • Benefits • Some Real-Life Examples You Can Use BREAK PART II • How To: Importance of Process • Example of Analysis Using MS Excel • Break Out Session: Case Study • Presentation of Findings and Discussion • Conclusion and Q&A
Today’s Objectives Gain basic understanding of the types of tools, analyses and data sources Learn how these tools are used in the audit or reviewprocess Understand the benefits of using these tools and techniques See real-life examples of retrievals and data analysis in fiduciary reviews Gain appreciation of some of the major processes when implementing automation Explore/discuss ideas and ways to apply these techniques in your organization
Survey How many from Audit? How many from Compliance? How many have at least 1 staff person/admin/more than 1/none ? Who currently uses any automation in your audit/compliance department? What tools are used today? …..
Definition of Automation • What It Is: Use of tools to extract data for the purpose of identifying… • Trends • Exceptions • Errors • Anomalies …through analyses and comparisons to pre-determined criteria… ….from data sources and extracts/retrievals • What It Does Not Have to Be: • Custom software programming • Expensive/complex advanced data mining/knowledge discovery tools and applications: Bayesian/neural networks and other artificial intelligence tools for pattern recognition, predictive/behavioral analyses, etc.
Types of Tools/Resources • Basic • MS Excel (sort, filter and comparison functions). Overdue vendor payments example later on. • Mid-Range • Audit Automation Packages (ACL, IDEA) • MS Access • Business applications with online query or ad hoc reporting functionality • More Advanced • Business Objects • SAS • Data Warehouses • Database Scanners • Operating Scripts (UNIX, LINUX, and Windows) …plus IT staff that can extract data to auditor specifications
Types of Analyses and Comparisons Trend Analysis Aging File Reconciliations Recalculations Duplicate Detection Gap Detection Reasonableness and Variance Control Exceptions – Compliance Testing with Standards or Regulatory Requirements
Types of Data Sources/Resources • Existing Production Reports • Ad-hoc Reporting Tools • Inquiry access to key application(s) • Existing Retrieval Catalogue • New retrieval request / data extracts/advanced
What/How Audit Automation is Used • What: • Cycled audits • Business monitoring • Special projects • Fraud investigations (30% of all frauds are found using data analysis!) • How: • Refine/focus statistical sample selection • Identify anomalies in data/check for data integrity • Automate manual test steps • Create new tests/ways to interrogate data
Benefits of Audit Automation Accuracy:improved reliance and provide better coverage byinterrogating entire data population (versus samples); ability to isolate areas of key risks for further examination/exploration and proactively identify trends during business monitoring. Efficiency: streamlined audit process; by automating testing; audit teams can spend more time analyzing, interviewing and understanding risks, and less time on low-level, manual tasks. Transparency: added credibility of findings based on quantitative, irrefutable results. Risk: test steps can be focused on high/serious, probable and/or unforeseen risks; ability to focus on key/strategic issues and management concerns Knowledge Management: opportunity to compile an inventory of key business, risk, compliance monitoring survey reports, for further analysis and/or exception reports. by designing key risk indicators and exception reports,
Short Falls of Current Sampling (Random &Systematic) Techniques Company processes 10 million transactions per year Even if you sampled 100,000 transactions, this would be an audit rate of 1% If 99.999% are acceptable, then 99,999 will be OK and 1 will be bad If 99% are acceptable, then 99,000 are OK and 1000 are not Sounds good, but in population, 99,000 others outside parameters will be missed Do you sample 100,000 items?? Probably you sample 31 – what are the odds you’ll find one of the bad ones?
Retrievals Tools with Sampling Functionality • ACL, IDEA, and SAS retrieval tools have user friendly automated sampling functionality which can be used to select subsets/samples from large test populations. Sampling techniques/functionality include: • Random • Statistical • Stratified • Monetary Unit • Systematic/Interval • MS Excel offers somewhat similar sampling techniques; however, this tool can only be applied against small test populations of approximately 66,000 records/transactions or less.
Examples of Retrievals You Can Use: KYC/AML Large 3rd Party Wires – Identifies 3rd party wire transfers over $ X; used to verify that the branch complies with policy requirements when processing wire requests (including call-back procedures). Enhanced Due Diligence Accounts – Identifies accounts requiring the EDD form; used to verify that EDD procedures are being followed for appropriate accounts. NRA Non-Focus Branches – Identifies NRA accounts that are set-up outside target marketto determine if branches comply with local (country) account opening and supervisory review practices.
Examples of Retrievals You Can Use: Suitability Declining Value Accounts – Highlights accounts with declining value in dollars and percentages (high risk accounts) to identify clients/accounts at risk of defection and/or potential client complaints. Accounts Without Suitability/ account objective – Identifies accounts with missing or incomplete suitability information; used to determine if unsuitable products have been sold to them. Conservative Accounts with Speculative Holdings – Identifies accountsthat have a conservative risk profile, but contains speculative positions to highlight potential suitability problems. Top Commission Accounts – Identifies top commission generating accounts; used to determine potential churning and / or fiduciary conflicts with fee-related commissions
Examples of Retrievals You Can Use: Suitability Suitability Changes – Identifies recent changes made to investment suitability screen to determine if any suitability parameters were inappropriately modified. Annuity Replacements – Identifies accounts with Annuity Replacement Disclosure form; used to determine inappropriate switching into deferred annuity investment products. Mutual Fund Product Code Extraction – Identifies active mutual fund products available for sale to verify adequate due diligence with fund families (e.g. selling agreements and marketing materials).
RACF file protection report Staff with Single Sign-on Users with select CICS Tran IDs User registration report by center User registration report by cost center Employee / employee related trading accounts with interest party info Staff list with FC#s and assigned accounts Trading accounts - money and position report Branch assigned accounts with FC names Password sharing Personnel brokerage accounts Prospectus / official statements Other Examples of Retrievals
Some Examples of Automation at Citigroup Enhance Entitlement Review System (EERS) – Lists employee system entitlements; used to determine if any employees have excessive entitlement privileges. Financial Consultant Inquiry – Provides access to customer accounts, positions, money-balances and activity; used to determine position and activity for audit testing purposes. Customer Profile Inquiry – Provides access to customer name, address and profile information; used to determine if customer profile, suitability and KYC info is up-to-date Branch Portals: BOM Portal: Gives BOM access to control reports to perform and record supervisory duties. Region Portal: used by the Region to review and track supervisory activities required in the branches. FC Linx – Intranet web-site which gives information about products, services, marketing materials and compliance policies to FC’s, branch staff and supervisory persons.
Implementation Considerations How do you support, promote and influence the use of automation and retrievals? • Get buy-in from, and report usage to, senior management • Ensure access to business apps / data for audit testing and efficiency • Fully evaluate internal vs. external resource options • Internal (change management) • Training: formal classroom and on-the-job training • Recruitment • Specialist vs. generalist roles • External (vendor management) • Use of consultants/specialized expertise • Create incentives (performance objectives) • Streamline the process! Make it easy to design, develop, access and use automation)
Process: Key to Success/Adoption of Automation • Process for developing retrievals • Process for requesting retrievals • Process for accessing the target data • Process for documenting and managing retrievals
Process for Developing Retrievals • Identify automation opportunities – consider audit steps in audit/compliance programs • Ensure creating an audit retrieval is the best strategy (don’t re-invent the wheel) • Discuss feasibility and any potential development required with IT support personal (if available) • Document retrieval specification (audit objective, application, file, data, test criteria, timing, etc)
Process for Developing Retrievals (con’t) • Understand the application processes • Understand the application data • Decide on the analytical techniques to use • Employ techniques based on auditor imagination and experience • Establish batching to automate analysis (especially if real-time queries sacrifice on-line performance)
Process for Requesting Retrievals • Formulate during business monitoring and audit planning • Include retrievals in the audit plan and audit programs • Discuss ideas with technology support • Co-ordinate the requirements with all team members • Submit, process and follow-up on the request • Keep the request process simple
Process for Accessing Data • Document Data Extract Specifications • Submit Specifications to IT Support • Import Extract into selected Retrieval Tool • Perform Analysis • Application Online Query and Ad hoc Reporting and Data Warehouse Systems
Process for Accessing Data w/o IT • Identify the data needed • Contact business unit that currently owns the data and determine the frequency of production • If not regularly produce, determine if data can be produced when you need it • If not already in a user friendly form, convert it (e.g. download to Excel) • Perform your analysis
Process for Documenting Retrievals • Include data extract request/specifications in work papers along with system support and application auditor contact names (you don’t need to include the entire data file extracts!) • Complete the Sample Rationale Document (include example) to record test: objectives, population, validation procedures for extract file completeness/integrity, types of potential/expected control exceptions and errors, sub-sample information (if applicable), and conclusion summary of test results • Maintain your newly developed retrievals in a centralized location where they can be shared or accessed • Consider establishing a global retrievals committee
MS Excel Retrieval Example Identify # Days outstanding for overdue vendor payments: • Test objective: To identify the number of days outstanding for overdue vendor payments as of the current date of testing. • Retrieval: Calculate # of days between account payment due dates and current date for payments to identify overdue items. (Note for this example ‘current date’ is 3/25/04)
MS Excel Retrieval Example Added Field - Days Overdue Added Field - Days Overdue Vendor Payable File Total Records = 2,569
MS Excel Retrieval Example Note: DAYS360 (D2,"3/25/04) is an Excel Formula to compare two dates beginning with a specific column cell E.g., =DAYS360 (D2,"3/25/04") - Comparison of Record Payable Date to “3/25/04” to identify # OF Days for Over Due Items
MS Excel Retrieval Example Date difference calculations have been computed for each record. Total overdue items = 869. (Negative numbers.) See individual records for # of days.
Business Monitoring Retrieval Case Study - 30 minutes Task – Working in break out groups, prepare a list of relevant examples of retrievals using the following information: • Inherent risk – New and amended client account information is not accurately captured in the firm accounting and billing system, may result in errors and losses. • Control Factor - Weekly account service meeting is held which includes representatives from Operations, Sales, fiduciary oversight, billing and compliance. Hints: What is the test objective? What are the key files and data fields? What is the period of activity to be reviewed?
Business Monitoring Retrieval Case Study Test Objective: Verify that client account data is accurately reflected in the client, billing, and sales applications.
Business Monitoring Retrieval Case Study Retrieval Example: Period of review – activity six months prior to audit as of date • Compare Customer Account, Billing and Sales file data fields to identify unmatched, duplicate, discrepancy items. • Missing Account Records • Account Status Code Discrepancies (Active, Inactive, Amended) • Name Discrepancies • Address Discrepancies • Blank fields • Quantity/Amount Discrepancies • SSN# & Tax ID# Discrepancies (duplicates, errors)
Business Monitoring Retrieval Case Study Bonus: Using analysis methods, other possible retrievals
Other Tests: KYC/Suitability and AML KYC and Suitability Accounts missing suitability, KYC data and/or investment objectives Accounts with high turnover/trade activity Accounts with changes to investment/risk profile Top commission generating accounts, by advisor Speculative (equities or derivatives) securities held in “conservative” accounts AML Accounts with large cash movement and no trading activity Foreign accounts with P.O. box addresses Foreign accounts with C/O addresses
Other Tests: Fiduciary Oversight Un-invested cash report; sorted by portfolio manager (frequency and size) Guideline monitoring violations, sort by portfolio manager (frequency) Margin accounts with concentrated positions Margin accounts with balances below 50% and/or top margin debit accounts Commission-based discretionary accounts Accounts with monthly performance swing of 10% or more Accounts with (3 months’ consecutive) declining values Comparison of fees across similar types of investment funds or products Portfolio turnover by fund and portfolio manager Commission fees by advisor and/or account Report on any inactive accounts (no trading for 30 or 60 day period) Accounts missing client account number or balances Assets with negative market values Accounts missing investment objectives
Other Tests: Trade Execution/Operational Risk Trades in affiliates and/or restricted securities Number of failed/unexecuted traders by trader Reversed and/or cancelled trades by trader Trading after hours or over the weekend Trading spreads of internally crossed trades Trading spreads by security across different trade venue (exchange, ECN, DMA platform, etc) Allocation of trades across different product lines and funds Monthly personal trade activity by trader Operating loss report by trade desk Breaches and errors report by investment unit Securities missing values Securities with stale values
For further questions/follow-up:Marilyn Smith, Harris Bankcorp/Harris Investment ManagementPhone: 312-461-2279marilyn2.smith@harrisbank.comJames D. Strickland, Citigroup Phone: 212-657-5279james.d.strickland@citigroup.com