SF IIA Fall Seminar Internal Audit's Role in the Changing Business Landscape November 30th 2012, San Francisco
Agenda
7:45 - 8:15 am  Registration and Breakfast
8:15 - 8:20 am  Welcome and Introductions: Ed Byers (Deloitte), Farhan Zahid (Deloitte)
8:20 - 9:00 am  Emerging Hot Issues
• Security and Privacy – Husam Brohi, Michael Corey (PWC)
• Vendor Compliance – Byron Tatsumi (KPMG)
9:00 - 9:50 am  Leveraging Data Analytics to Enhance Your Internal Audit Function: Dawei Qu (Blue Shield of California), Dale Livezey (Deloitte)
9:50 - 10:10 am  BREAK
10:10 - 11:30 am  Enterprise Risk Management and Impact to Your Audit Plan: CAE Panel Discussion led by Shawn Kirshner (Accretive Solutions)
11:30 - 12:20 pm  Risks in Social Media: Anna Tchernina, Willis Kao (Deloitte)
12:20 - 1:20 pm  GOURMET LUNCH (provided)
1:20 - 2:10 pm  Fraud Risk Management – The Things You Need To Know: Paul Ritchie (Deloitte)
2:10 - 3:00 pm  Top 10 IT Internal Audit Risks: Michael Juergens (Deloitte)
3:00 - 3:20 pm  BREAK
3:20 - 4:40 pm  Understanding Your Auditee – How to Communicate More Effectively (Group Setting): Howie Cumme (URS), Ed Byers (Deloitte), Farhan Zahid (Deloitte)
Welcome
SF IIA Fall Seminar Chair: Ed Byers (Deloitte), Farhan Zahid (Deloitte)
Rules of the Road
• Logistics – Fire Exits and Restrooms
• Breaks and Lunch
• Phone calls
• Questions and Answers
Emerging Hot Issues 08:20 – 09:00, Various Presenters
• 08:20 – 08:40 Security and Privacy: Husam Brohi (PWC), Michael Corey (PWC)
• 08:40 – 09:00 Vendor Compliance: Byron Tatsumi (KPMG)
Fortifying your defenses: The role of internal audit in assuring data security and privacy
CEOs/Boards are no longer ignoring Information and Technology (I&T) Risks
• I&T Risk is an enterprise-wide issue. Specific types of risks organizations are facing include:
• Connected IT infrastructure exists in an environment that is increasingly under threat of unauthorized access to or disclosure of sensitive data, and of attacks originating from cyber-criminal groups and hackers.
• Increase in Privacy and Security regulatory mandates in recent years, as well as expected changes in upcoming years.
• Boards are no longer willing to accept the risk that technology can pose to the business.
• Growing demand by business leaders to understand how privacy (“what” data is sensitive to the business) integrates with security (“how” they protect the data deemed sensitive).
• Increase in threats and vulnerabilities to sensitive data and corporate assets.
• Businesses continue to struggle to maintain accountability to their stakeholders and to establish effective strategies and standards for security risk management and privacy control activities.
Change and Complexity is Right Around the Corner
Security and Privacy Hot Topics: Balancing Business Enablers vs Business Risks
• Privacy and Data Loss Prevention – Organizations looking to improve privacy management in the event of a breach have to continually plan and prepare.
• Mobility and Social Media – Mobile platforms, social media, and accelerated product life cycles are just the latest contributors to enterprise risk.
• Regulatory Compliance – Organizations in all industries are under increased scrutiny by regulatory governance bodies.
• Technical Threats and Vulnerabilities – Companies need to stay informed about the constantly changing threat environment and maintain processes to identify potential vulnerabilities and to resolve potential exposures.
• Third Parties and Cloud Computing – While risks associated with third parties and cloud computing continue to increase, many companies are less prepared to defend their data.
• Cyber Crime – The cyber threat landscape continues to yield an increasingly sophisticated underworld of criminals. Companies need to remain prepared for such cyber crises.
Stakeholders want focus in all critical risk areas
Risk areas in which stakeholders and CAEs want/plan to add IA capabilities
Acting today to protect data: The critical role of internal audit
What the audit committee should expect of internal audit
1. Strengthen the Annual Risk Assessment to be relevant
• In the risk assessment report that it presents to the audit committee, internal audit should highlight the organization’s significant data security and privacy risks, including any new risks. Further, it should identify weaknesses in policies and controls.
2. Having the right people
• Because the nature of information security risks is evolving continuously, internal audit functions need to stay ahead of the threat curve: stay plugged in to emerging security threats and to the practices for protecting against them.
3. Stay vigilant on key or triggering events
• Internal audit’s role in ensuring that information security threats are properly considered becomes especially important when a company is ready to roll out a new business process, product or information system.
• Internal Audit must also keep its ear to the ground and move quickly to conduct special audits for new information security threats, which some executives consider as important as regularly scheduled audits.
Overcoming the barriers to internal audit playing an effective role
• Effective data privacy and security measures are not easy to effect. In fact, we commonly find four barriers in organizations that try to adopt them.
1. A mindset that believes adequate controls are already in place. Exposures are changing constantly; policies and controls need to change alongside them.
2. Cost. Achieving and maintaining effective information security can cost significant money and effort. Implement cost/benefit analysis in the risk assessment to assess the potential damage of various types of security breach.
3. Low expectations. Internal Audit is not viewed as capable of assessing complex security and privacy topics. Hire and train staff to be at the top of their game in this arena and/or outsource as needed to experts that have the technical skills.
4. Fragmented responsibilities. The job of maintaining effective information security controls is often split among many stakeholders. Establish responsibility and accountability: define and assign a single point of responsibility for information security.
Thank you… For more information, please contact:
Michael Corey, 415-505-2482, Michael.j.corey@us.pwc.com
Husam Brohi, 415-205-8068, husam.brohi@us.pwc.com
Continuous Audit with Data Analytics IIA Conference November 30, 2012
Speakers
• Dale Livezey – Senior Manager, NorPac Regional Technology Leader, Deloitte & Touche LLP, Audit and Enterprise Risk Services, San Francisco, CA, 415-783-4208, dlivezey@deloitte.com
• Dawei Qu – Internal Audit Manager, Blue Shield of California, Internal Audit Services, San Francisco, CA, 415-229-6604, dawei.qu@blueshieldca.com
Agenda
• Benefits of Data Analysis
• Type of Data Analysis
  • Ad hoc query
  • Repetitive Analysis
  • Continuous Auditing
• Case Study
  • Claims Denials Audit
  • Accounts Payable Audit
Benefits of Analyzing Data
Data Analytics can help in many aspects of business process testing: assist in root cause analysis; test validity and accuracy of reports; identify control weakness / effectiveness gaps; target and assess specific risk areas; more efficient and effective manual testing; overall more effective control testing services for our clients.
• Data analysis improves the quality, effectiveness and efficiency of audits
• Performs 100% recalculations and verification of transactions in a timely and repeatable fashion
• Compares data from multiple / disparate systems
• Provides business insights and identifies process improvement opportunities
• Presents quantifiable results from analysis based on the complete population
Computer Aided Audit
• Ad-Hoc Query: One-time specific analytic query or analysis at a point in time.
  • No intention of repetitive testing
  • Explorative and investigative
• Repetitive: Periodic analysis of processes from multiple data sources.
  • Periodical
  • Seeks to improve the efficiency, consistency, and quality of audits
Continuous Audit
1) Definition: The independent application of automated tools to provide assurance on financial, compliance, strategic and operational data within a company.
2) Nature:
• Automated
• Continuous basis – specified intervals
• Constantly searches for errors, fraud and inefficiencies
• Advanced analytic tools involved: SAS and ACL
3) Examples:
• Automated A/P review
• Automated J/E review
• Operational process review
What are Companies Doing?
1) 25% had CA programs in 2009, compared to 11% in 2006 *
2) Benefits listed by survey participants:
• Auditors are aware of issues as they occur
• 100 percent of the population rather than a sample is evaluated
• Allows process owners to create preventive controls
3) Challenges listed by survey participants:
• Implementation takes a long time
• Auditors need to have detailed knowledge of the underlying data structures to use the tool correctly
• Auditors and business owners have to determine the parameters used in the CA program
* Note: Statistic is based on an IIA survey
Case Study 1 – SAS Medical Claims Denials Analytics Note: Numbers or findings have no meaning beyond being placeholders for the given example
Steps
• Audit Planning
• Data Readiness
• Data Analysis
• Risk-based Sampling
• Substantive Testing
• Communication of Results
Audit Planning
1) Establish Testing Period: Jan to June of 2012
2) Determine Scope: all medical claims denied from Jan to June of 2012
3) Determine Frequency: quarterly
4) Define Audit Objective: Ensure claims were appropriately denied as per provider contract, member benefit and regulation
5) Select Audit Methodology:
• Perform data analysis to identify high-risk denial areas
• Perform risk-based sampling and substantive testing
6) Know your Deliverables:
• An Excel-based deck to present data analysis results
• An audit report to communicate findings of substantive testing
Data Readiness
• Request Data:
  • Pull data directly from corporate data marts
  • Work with IT to extract the relevant data
• Data Reconciliation:
  • Control total
  • Key fields (numeric fields) tie-out
• Data Quality Test:
  • Duplicate records
  • Missing values of key fields
  • Invalid values of key fields. For example, a billed date of 01/32/2012, or a negative co-pay/deductible amount
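The reconciliation and data quality tests above, worked through as an added example (not the presenters' SAS code); the claims extract, the IT control totals and the key-field list are constructed:

```python
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed extract from a claims data mart (not the presentation's data).
CLAIMS: List[Dict] = [
    {"claim_id": "C1", "billed_date": "01/15/2012", "billed_amount": 1200.00, "copay": 20.00, "provider_id": "H2"},
    {"claim_id": "C2", "billed_date": "01/32/2012", "billed_amount": 180.00, "copay": 0.00, "provider_id": "H9"},
    {"claim_id": "C3", "billed_date": "03/03/2012", "billed_amount": 45000.00, "copay": -15.00, "provider_id": "H2"},
    {"claim_id": "C4", "billed_date": "04/10/2012", "billed_amount": 90.00, "copay": 10.00, "provider_id": ""},
]
# Control totals supplied by IT with the extract (constructed).
IT_CONTROL = {"record_count": 4, "billed_amount_total": 46470.00}
# Fields the audit treats as key fields (assumed).
KEY_FIELDS = ("claim_id", "billed_date", "billed_amount", "provider_id")


def reconcile(records: List[Dict], control: Dict) -> Dict[str, Tuple]:
    """Control total and numeric key-field tie-out against the source system's figures.
    Returns only the figures that do NOT tie out; an empty dict means the extract reconciles."""
    got = {
        "record_count": len(records),
        "billed_amount_total": round(sum(r["billed_amount"] for r in records), 2),
    }
    return {k: (got[k], control[k]) for k in control if got[k] != control[k]}


def quality_issues(records: List[Dict]) -> List[Tuple[str, str, str]]:
    """Duplicate records, missing key fields, invalid dates and negative amounts,
    reported as (claim_id, field, issue) so each can be traced back to IT."""
    issues = []
    dupes = [cid for cid, n in Counter(r["claim_id"] for r in records).items() if n > 1]
    issues += [(cid, "claim_id", "duplicate record") for cid in dupes]
    for r in records:
        for f in KEY_FIELDS:
            if r.get(f) in ("", None):
                issues.append((r["claim_id"], f, "missing"))
        try:
            datetime.strptime(r["billed_date"], "%m/%d/%Y")  # 01/32/2012 fails here
        except ValueError:
            issues.append((r["claim_id"], "billed_date", "invalid date"))
        if r["copay"] < 0:
            issues.append((r["claim_id"], "copay", "negative amount"))
    return issues
```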
Data Analysis Steps
• Research the relevant areas of high risk by partnering with business owners
  • Measurement of compliance risk: system days per claim
  • Measurement of operational risk: locations per claim; denial ratio at provider level
  • Measurement of financial risk: billed amount per claim
• Design the profiling tests in relation to specific risks
  • Determine the list of tests
  • Map each test to its risk(s)
  • Develop testing routines in SAS
• Review the data analysis results with business owners
Data Analysis – Profiling Tests
• Population overview
• Trend analysis of denial rate
• Trend analysis of system date
• Dollar stratification
• Location count stratification
• Profiling of providers (hospitals)
• Profiling of explanation of benefit (EOB) codes
Population Overview
• The average billed amount for denied claims is significantly higher than for paid claims
• Denied claims take longer to process compared to paid claims
• Denied claims go through more locations to complete
Trend Analysis – Denial Rate
• Facility (hospital) denial rate is significantly higher compared to the overall average
• Denial rate in May 2012 is high, driven by the higher denial rate of facility claims
Trend Analysis – System Day
• Manual claims take longer in the processing system to be rejected or paid
• A correlation exists between denial rate and manual system days in May
• The May population is worth looking into
Stratification: Dollar Stratification; Stratification on Location
• Yellow strata are subject to risk-based sampling while purple might need drill-down
• Auditors may design strata according to the relevant limit approval controls
Profiling on Hospitals
• The denial rate for top providers is significantly high compared to the average (20%)
• Provider #2 has a high denial rate in May
• Hospitals #1, #2 and #5 are trending up on denial rate
Profiling on Explanation of Benefit
• 11% of denied claims have a blank EOB code
• This break-out can be compared against the industry benchmark to analyze the room for improvement
Risk Based Sampling – Selections
• A risk score is calculated for each claim
• The total risk score is the sum of the risk weights of each failed / hit profiling test
• Samples were selected from the claims with higher risk scores
• Auditors' professional judgment plays an important role in finalizing samples
• Average number of risks tested per sample is 5.56
Communication of Findings
Finding 1: During the data analysis, Internal Audit noted that 11% of denied claims do not have explanation of benefit (EOB) codes. This was a result of an incorrect field mapping between the claims processing system and the Claims data mart.
Finding 2: During the data analysis and the subsequent detail testing, Internal Audit noted that the denial rate for hospital #2 in May is significantly higher than in other periods and at other hospitals. This was a result of insufficient communication of the changed provider contracts.
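The scoring rule behind the risk-based sampling slide (total score = sum of the weights of the profiling tests a claim hits, then sample from the top), as an added example rather than the presenters' routine; the claims, the thresholds and the weights are constructed, and the tests mirror the deck's financial, compliance, operational, EOB and provider-trend measures:

```python
from typing import Callable, Dict, List, Tuple

# Constructed denied-claim records (not the presentation's data).
CLAIMS: List[Dict] = [
    {"claim_id": "C1", "billed": 1200.0, "system_days": 12, "locations": 3, "eob": "N30", "provider": "H2", "month": 5},
    {"claim_id": "C2", "billed": 180.0, "system_days": 3, "locations": 1, "eob": "", "provider": "H9", "month": 2},
    {"claim_id": "C3", "billed": 45000.0, "system_days": 40, "locations": 6, "eob": "", "provider": "H2", "month": 5},
    {"claim_id": "C4", "billed": 90.0, "system_days": 2, "locations": 1, "eob": "N1", "provider": "H4", "month": 3},
]

# Profiling tests mapped to the deck's risk measures; thresholds and weights are assumed.
PROFILING_TESTS: Dict[str, Tuple[int, Callable[[Dict], bool]]] = {
    "high_billed_amount": (3, lambda c: c["billed"] >= 10000),                      # financial risk
    "long_system_days": (2, lambda c: c["system_days"] > 10),                        # compliance risk
    "many_locations": (2, lambda c: c["locations"] >= 3),                            # operational risk
    "blank_eob_code": (1, lambda c: c["eob"] == ""),                                 # EOB profiling
    "hot_provider_month": (2, lambda c: c["provider"] == "H2" and c["month"] == 5),  # provider trend
}


def score_claim(claim: Dict) -> Tuple[int, List[str]]:
    """Total risk score = sum of the weights of every profiling test the claim hits."""
    hits = [name for name, (_, test) in PROFILING_TESTS.items() if test(claim)]
    return sum(PROFILING_TESTS[name][0] for name in hits), hits


def select_samples(claims: List[Dict], sample_size: int) -> List[Tuple[str, int, List[str]]]:
    """Rank claims by descending score (claim id breaks ties) and take the top N as the
    starting sample; the auditor then applies judgment before the selection is final."""
    ranked = sorted(((c["claim_id"],) + score_claim(c) for c in claims), key=lambda t: (-t[1], t[0]))
    return ranked[:sample_size]


def average_risks_per_sample(sample: List[Tuple[str, int, List[str]]]) -> float:
    """The deck's 'average number of risks tested per sample' metric."""
    return round(sum(len(hits) for _, _, hits in sample) / len(sample), 2) if sample else 0.0
```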
Agenda
• Purpose and Scope
• Roles and Responsibilities
• Project Snapshot
• Final Assessment
Purpose and Scope
• Internal Audit engaged Deloitte to help with a proof of concept:
  • Accounts Payable
  • FCPA
  • Expenses
Deloitte understands that the Company’s objectives for this engagement are:
• Assist with developing ACL scripts, to serve as queries for use by limited members of various business units, as part of routine management oversight.
• Obtain results of profiling analytics specifically on procurement and expense data provided by the Company.
• Execute sample profiling scripts, as a test case, to assist with FCPA (Foreign Corrupt Practices Act) related controls.
• Assess the applicability of the scripts executed, and determine additional scripts to be considered for future development in the Procurement Cycle.
Project Snapshot – Accounts Payable: List of Analytics performed
• Vendor Analyses:
  • Vendor Master Check
  • Valid Vendor Analysis
  • Vendors with PO Box Addresses
  • Duplicate Vendor Analysis
  • One Time Vendor
• Invoice Analyses:
  • Duplicate Invoices
  • Payment Date vs. Invoice Date Analysis
  • Benford Analysis
• Disbursement Analyses:
  • Payments to Vendors not in Vendor Master or Unauthorized/Restricted
  • Payee Name / Vendor Name Mismatch
  • Duplicate Disbursements
  • Benford Analysis
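Two of the disbursement analytics listed above, Duplicate Disbursements and Benford Analysis, worked as an added example in Python rather than the engagement's ACL scripts; the disbursement records are constructed, and the duplicate key (vendor, normalized invoice number, amount) is an assumed design:

```python
import math
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed disbursement records (not the client data from the engagement).
DISBURSEMENTS: List[Dict] = [
    {"vendor_id": "V100", "invoice_no": "INV-0042", "amount": 1250.00},
    {"vendor_id": "V100", "invoice_no": "inv 42",   "amount": 1250.00},
    {"vendor_id": "V205", "invoice_no": "7781",     "amount": 312.40},
    {"vendor_id": "V205", "invoice_no": "7782",     "amount": 312.40},
    {"vendor_id": "V300", "invoice_no": "A-1",      "amount": 98.00},
]


def normalize_invoice(raw: str) -> str:
    """Collapse cosmetic differences so 'INV-0042' and 'inv 42' compare equal:
    upper-case, drop separators, strip leading zeros from the numeric part."""
    s = re.sub(r"[^A-Z0-9]", "", raw.upper())
    return re.sub(r"^([A-Z]*)0+(?=\d)", r"\1", s)


def duplicate_disbursements(records: List[Dict]) -> Dict[Tuple, List[Dict]]:
    """Group on vendor + normalized invoice number + amount; groups of 2+ records are
    candidates for the same invoice having been paid twice."""
    groups: Dict[Tuple, List[Dict]] = {}
    for r in records:
        key = (r["vendor_id"], normalize_invoice(r["invoice_no"]), round(r["amount"], 2))
        groups.setdefault(key, []).append(r)
    return {k: v for k, v in groups.items() if len(v) > 1}


def first_digits(amounts: List[float]) -> List[int]:
    """Leading non-zero digit of each amount; amounts under one cent carry no digit."""
    return [int(f"{abs(a):.2f}".lstrip("0.")[0]) for a in amounts if abs(a) >= 0.01]


def benford_shares(amounts: List[float]) -> Dict[int, Tuple[float, float]]:
    """Observed share vs the Benford-expected share log10(1 + 1/d) for each leading digit."""
    digits = first_digits(amounts)
    counts = Counter(digits)
    return {d: (counts[d] / len(digits) if digits else 0.0, math.log10(1 + 1 / d)) for d in range(1, 10)}


def benford_chi_square(amounts: List[float]) -> float:
    """Chi-square distance from Benford. Only meaningful on a large population, which is
    why the deck runs it on the complete disbursement file rather than on a sample."""
    n = len(first_digits(amounts))
    return sum((obs * n - exp * n) ** 2 / (exp * n) for obs, exp in benford_shares(amounts).values())
```

Same-amount pairs on different invoice numbers (V205 above) are deliberately not flagged by this key; a looser vendor-plus-amount key would surface them as a second review tier.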
Project Snapshot – Accounts Payable (continued)
Analytics illustrated: Vendor Master Check; Duplicate Vendors; Payment Date vs. Invoice Date; Duplicate Disbursements
Project Snapshot – Expense Report: List of Analytics performed
• Line items flagged as “Policy Violation”
• Expense booked in advance of the actual expense date
• Flight within US above $500
• Hotels above $1000
• Group Meals above $50
• Duplicate Analysis 1 – Combination of Expense date, Expense line amount, Expense type, Employee name and Expense report number
• Duplicate Analysis 2 – Combination of Expense date, Expense line amount, Expense type and Employee name
• Missing Expense Receipt
• Expense over Weekends
• Expense over Holidays