Bring Your own X (BYoX)
We are all part of a technological revolution that is changing the way we interact with technology.


Why BYoX? Because the X can be ‘device’, ‘technology’, ‘phone’ or even ‘PC’. What the acronym actually describes is a consumer-owned and consumer-managed electronic device being used in a business context. This basic confusion about its own identity has not helped frame the problem for organisations or legislators, who for the most part struggle with the concepts involved. 

If we were to look at this subject in a broader context it becomes apparent that the person to blame for the whole BYoD (Device) movement is ultimately the late Steve Jobs, who brought us the shiny things we all love. In fact BYoD is linked to a much broader conversation around the consumerisation of IT and its ever increasing footprint in our everyday lives. If you really look at it, we are all part of a technological revolution that is changing the way we interact with technology. 

We used to use technology as a tool to help us perform tasks at work; now we use technology to support our everyday existence, and if we extrapolate, it’s obvious to me at least that the future is BYoD. 

So let’s look at the issue in its most basic form. 

As an organisation you are allowing a device that you have no ownership of or control over inside your private networks, and providing it with access to your most sensitive data assets. Furthermore, you are then allowing this device to be totally mobile, able to traverse the organisation's information boundary without challenge or check on a daily basis. 

Ludicrous, right? 

The obvious solution to BYoD, therefore, based on this explanation, is to simply squash it and file it under ‘bad ideas I had after a few too many sherries’. This is exactly the approach a large number of organisations have taken, and unfortunately it simply does not work. 

So let’s look at the consumer side of the BYoD argument: 

As a consumer you like shiny things, you have shiny things at home, you are used to working with shiny things, and you understand that shiny things always work. When you come to the office they give you one of those dull grey things that always break, so your argument is why can’t I just use my shiny thing that always works? What is it with this company and dull grey things anyway? 

It’s a fairly solid perspective: ‘my stuff works and yours doesn’t so let me use mine’. Welcome to BYoD! 

Another longstanding argument you tend to hear is ‘cost savings’. This one, I have to say, tends to originate with those purveying BYoD solutions, and in my own humble experience I have yet to see a company that makes any cost savings in the short to medium term, as the re-tooling costs of doing it right simply offset any potential savings. 

It’s hard to see a future where the device you use for everyday personal ‘life management’ is not also the same one you use for ‘business management’. Granted, the business side of life will be backed up with many other systems and applications, but your basic interface or window to the technological world will be the same. 

So given this inevitability, it’s hard to understand how saying no to BYoD is anything other than burying your head in the sand. This is certainly an observation I have made again and again in countless organisations that ‘do not do BYoD’, yet when we actually take a real look and ask around, they very much do. 

Facilitating BYoD properly, however, requires a fundamental shift in the organisation’s governance, architecture, platforms and software. It’s not just a ‘quick bolt on’ if you want to do it right and ensure the boundaries of your information stay where you want them to. In fact, BYoD is best suited to a redesign of your whole IT if you want to maximise the value from it. 

This is why BYoD typically either completely fails, causes a massive security headache or fails to deliver on the massive cost savings you hear connected to it. A typical organisation’s approach to BYoD tends to follow a common path. First, someone important decides that their iPhone is better than their BlackBerry and that they only want to carry one communications device with them. IT responds by caving in to business pressure and allowing email onto the phone. Then the important user demands more data on their device, and more devices with their data. 

Soon you have the critical assets of the company sitting on various devices outside your control which drives the implementation of a ‘mobile device management’ (or MDM) platform. MDM is often billed as the saviour of BYoD, promising an all-encompassing solution that fixes the problem. Unfortunately it’s just a small part of the overall solution required, but is often considered the whole thing. MDM delivers key functionality that is part of the BYoD strategy but additional considerations need to be covered. MDM assumes the device is portable, typically a phone or pad style device and provides key features such as data segmentation, application whitelisting, remote wiping and many other highly useful features for managing portable devices.

But what about all those other devices people want to use, like their MacBooks or their shiny Asus laptops? Even if your MDM can help with these, the fabric of your network will typically have been designed within a traditional architecture that assumes every device on it is owned and trusted. BYoD breaks that basic assumption, and as a result the very fabric of the infrastructure is wrong for it.

Then, let’s consider the governance in place: again, it is based on a set of principles that simply don’t exist in BYoD land, so all of the policy frameworks, control architectures, and documentation are all worthless. In fact, now you have to consider new issues with data ownership and monitoring devices with the ability to remotely delete data that you may not entirely own.

So how do we fix it?

Well, quite simply, we start again from an entirely different set of principles.

1) We do not trust the endpoint
2) We provide individual corporate services
3) We containerise data… 

…there are more, but these three are a good starting point. 

If we fundamentally don’t trust the endpoint and assume that it is compromised before we even start, then the way in which you provide it access to a corporate service such as email is fundamentally different to the traditional approach. Equally, the way you provision corporate services is fundamentally different as well. In fact a lot of the principles you start to employ are directly loaned from building online / internet based systems instead of internal / corporate ones. 

For instance, rather than making email available to the default email client on an iPhone or Android tablet, email is provided through a third-party sandboxed application instance such as ‘Good’ from Good Technology. Here the email is totally sandboxed from the end user's device, yet the user has seamless access to it. That way, if the device is compromised, lost or stolen, access to the actual email data is restricted so that it cannot be compromised. 

Equally, if that same user wants to access corporate email from their MacBook, rather than allowing that device to plug into the corporate network, it can be connected to an isolated BYoD network that has access to the internet and limited access to a ‘virtual desktop infrastructure’ (or VDI) platform. VDI providers such as VMware or Citrix allow an entire corporate desktop instance, or specific corporate applications and services, to be provisioned in a seamless, containerised and controlled way to any device. 

In short, there are many solutions available to do BYoD well, and in fact the best example of BYoD I have ever seen is Cisco. It operates a global BYoD platform by default, so when you join, you get a voucher to go and buy yourself a new laptop of your choice and access to all corporate assets is through some of the techniques I have discussed. 

So BYoD is possible, it can be highly beneficial, and one thing for sure is it cannot be ignored. Trying to sum up BYoD in a thousand words or so is near impossible, so there are literally hundreds of details missing from this, but hopefully it’s enough of a basis to get you thinking and starting to ask the right questions. I do recommend reading through the government’s guidance on the subject from CESG. It’s pretty good. 

Jay Abbott – managing director, Advanced Security Consulting Ltd


Jay will be speaking on the advantages and disadvantages of BYoX at an ACCA UK Internal Audit Network event on the evening of 21 October.

Further information on the event will be available in early September at which time it will be possible to make bookings for this free event. 

The driver and the racing car
This CPD article discusses what internal auditors need to consider when it comes to culture and behaviours within an organisation.


Reading this article and answering these related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units.
 
Introduction 
A few years ago I was training finance functions in risk and control assessments. My course materials focused on well-defined risks, how best to document controls, and the approach to performing impact and likelihood assessments. One of my analogies for explaining the importance of controls was to ask the participants why racing cars have brakes. The response, paradoxically, was to enable cars to go faster, remaining on the track both in control and at speed. What was never covered, however, was a crucial and hugely significant omission – a reference to the driver. 

You can create a perfectly designed racing car with fully operational systems, but errors in driver judgement, capacity and capability override all. The gathering global momentum in recognising, assessing, and – more often than not – blaming elements of people culture and behaviours, in my view represents the biggest step change in assessing operational business effectiveness since Sarbanes Oxley. Moreover internal audit is perfectly positioned to take on the challenge. 

Background and Importance
Culture and behavioural risk is all over the news, impacting on multiple industries and sectors with severe consequences. Often boards are aware of the problems but fail to identify the root causes or take tangible actions to address systematic behavioural issues. 

The increased focus on controls amongst risk professionals over the past decade has been extremely intense. However, risk management capability is still fundamentally attributed to control design and operational effectiveness, focused around traditional frameworks such as the Committee of Sponsoring Organisations (COSO) or the Information Technology Infrastructure Library (ITIL). While the 2013 COSO update has sought to place a greater focus on management actions, in my experience the actual changes to business operations have been limited. 

Culture is often the unspoken variable impacting on corporate performance but rarely measured due to its perceived intangible nature. It is, however, certainly being identified as one of the keys to competitive advantage, be that through reputation, resilience, innovation or customer retention. Yet strategic objectives can just as easily be derailed by cultural challenges as they can be enhanced. 

According to a recent report from TATA Consultancy (Kant, 2015), a company whose culture is strongly aligned with its strategy is likely to report a profit margin of 11.5%, compared with 4.8% for firms whose organisational culture and strategy are out of sync with each other.

Strategy& (formerly Booz & Company) undertook a Culture and Change Management Survey in 2013 of more than 2,200 global organisations. The report found that while 84% believe that their organisation’s culture is critical to business success, only 45% thought that culture was being effectively managed. 

The regulators and guidance bodies are all too aware of these figures. Certainly in the UK the financial regulators have positioned culture and behaviours at the heart of their supervisory regime, with the FSA recently publishing a paper on Performance Management and Incentivisation (Financial Services Authority, 2015). A corporate governance paper (Basel Committee on Banking Supervision, 2014) refers in depth to the role culture plays, and the Financial Stability Board has long been a supporter of cultural awareness, stating that ‘the driver of bank failure is not insufficient capital but rather a bad risk culture’ (Samuels, 2014). The FSB’s risk culture paper (Financial Stability Board, 2014) highlights four indicators of a sound risk culture: tone from the top, accountability, effective communication and challenge, and incentives. 

Our perspective
In agreeing there is relevance and a need to focus on culture and behaviours, management should take overall ownership through setting the intended behavioural direction. A complementary venture is developing a measurement framework to assess the effectiveness of the initiatives being implemented. Internal audit is ideally positioned to take on the challenge of supporting management through forming an assessment of culture within the organisation. 

What does this practically mean? A colleague once said to me ‘you can audit and assure anything’, provided you have a clear subject matter and defined criteria. The same is true for assessing culture. The PwC assessment model is built on social learning theory and focuses on the inter-relationship between three important components: intended, expressed and actual behaviours. 

Social learning theory (Bandura, 1977) states that behaviour is learned from the environment through the process of observational learning. Models are observed and behaviour can be encoded and may be imitated. Behaviour is more likely to be imitated if it is deemed socially acceptable and if the behaviour is rewarded it is likely to be reinforced and strengthened. It is possible to assess these reinforcers and also the actual results to determine if cultural change is really having an impact. 

Firms have intended behaviours, that is, who they want to be, articulated through the organisation’s purpose, vision and values (PVV). Expressed behaviours are how the organisation encourages those intended behaviours through behavioural reinforcers. 

Actual behaviour is the behaviour displayed by employees, driven by the reinforcers but also by intrinsic motivation and personal alignment to PVV. 

The key to an effective culture is to align intended, expressed and actual behaviours. The expressed behaviours relate to how you have set yourselves up as an organisation against a number of behavioural reinforcers. These are in effect the levers you have at your disposal to pull and adjust according to focus. Whilst not exhaustive, in our opinion these cover the following key themes: performance management, communication, leadership actions, people practices, organisational structure and external environment. Crucially, these reinforcers can be measured. 

Assessment activity
Internal audit should bring behavioural risk into the audit universe as with any other risk component. While it is management’s responsibility to set the strategic direction, internal audit can play a valued partner role both by undertaking an assessment of management’s behavioural measurement framework, and by independently forming a view on cultural alignment by assessing effectiveness of reinforcers. 

The approach requires both quantitative and qualitative measures, and is not without its challenges, but an awareness of the catalysts and constraints will help to make informed decisions over your next steps. What is clear is that taking on a role in delivering effective risk management will position internal audit at the heart of driving future strategy and informing organisational decisions. The internal audit function can support management in providing a connected view of risk across the organisation. 

Some of the questions you need to consider: 

  • How would you reorganise yourself, how focused are you on risk, how do you derive continued value given the changing face of risk management activity and respond to the drives/needs of the organisation?
  • Are you able to gather evidence to confidently represent the whole organisation?
  • Do you need to upskill in qualitative methods such as surveys, interviews and focus groups, or co-source a provider?
  • Is there a lack of open culture that will hinder open discussions?
  • The element of subjectivity may take internal auditors out of their comfort zone. The approach used to auditing culture should quantify assertions wherever possible to mitigate this.
  • Recognise that internal audit may be part of the culture, causing the independence and credibility of IA reports to be questioned. 


And how can you best prepare for the challenge? 

  • Making the review real, relevant and measurable is fundamental, to avoid spending extensive time in areas that won’t have significant impact.
  • Take time to perform a risk assessment of cultural issues to help focus on the priority areas.
  • Apply a behavioural lens to previous audits to help scope and plan. Consider light touch application of cultural considerations to all audits, saving the time consuming deep dives for proven areas of challenge.
  • Develop a clear understanding of identity (PVV).
  • Encourage an appetite from the top either via regulatory drive or CEOs and senior management.
  • Have robust discussions about what is and isn’t expected/ in scope.
  • Ensure confidentiality and anonymity in staff perception metric collection.
  • Develop relationships which enable the discussion on softer elements of testing, and findings.


Internal audit is in a great position to take on this challenge head on and the corporate world is waking up to the importance and relevance of culture.  A consideration of both the ‘driver’ and the ‘racing car’ will ensure your audit plans are robust, comprehensive and relevant to the challenges we face today. 

Mark Dury – senior manager, culture & behaviours, PwC 

Mark spoke at ACCA UK’s Internal Audit Network Conference on Auditing Culture in April 2015.


Auditing the four horsemen of the apocalypse
A synopsis of three key sessions at ACCA’s annual internal audit conference, held in London in May.


The Four Horsemen of the Apocalypse

The four horsemen of the apocalypse, variously interpreted as representing war, false prophets or sickness, famine and death, have their modern day equivalents, Andrew Garner, CEO of Andrew Garner Associates, told conference delegates. 

Dipping into what he called ‘an anecdotal pot’, he used the metaphor to present and examine examples of the issues framing the world today, in which his audience was trying to make a living and create a safe environment for their children and generations to come. These included battles within the European Union, on its borders and in the Middle East; overstated profits at Tesco; the Ebola virus disease; austerity measures; and organisational death. 

Homing in on the challenges facing internal auditors in their working lives, including market changes, risk in its various forms and the current behaviours of plc boards and senior commercial management, Andrew hammered home the importance of moving beyond the interpretation of data to ‘looking out of the window’. If anyone in the audience hadn’t read that morning’s papers, he said, he wouldn’t give them a job. 

‘A systemic flaw in modern society is the reliance on what is being fed to you in the way of data,’ he said. ‘Data is our enemy unless we use it wisely. If you are an internal auditor you can't escape it and you have to augment that by being different: by looking out the window. 

‘Mathematics is presented as the language of economics. It never has been and it never will be. Economists have criminally misled the world. How long did they say that interest rates would rise? No, they haven't. Did we have the predicted double dip recession? No, we didn’t and that’s because they were looking at the wrong data. 

‘The problem is that we can’t distinguish between the weather and the climate. Linear extrapolative thinking has dominated our lives.’ 

Andrew concluded by pointing out that brands existed and thrived by promoting their difference. In a career context internal auditors have to do the same thing. ‘There will always be another tick-boxer around,’ he said. ‘So look at how you can add value to your organisation. And keep looking out of the window.’ 

Implementing risk management – practical lessons

Rui Bastos, group head of audit & risk management at Reliance Industries, discussed the whys and wherefores of implementing ERM in a business undergoing a major transformation. 

Reliance Industries Group (RIL) is India’s largest private sector company, with businesses across the energy and materials value chain and a strong presence in the rapidly expanding retail and communications sector. The business accounts for 17% of the country’s GDP. 

In 2012, RIL found itself at the start of a journey to transform what was essentially a family-owned business into a corporate, operating in an environment where emerging corporate governance requirements were driving higher standards relating to risk management, internal control and regulatory compliance. 

‘All the legislation you're seeing in the US and Europe is slowly migrating east into Asia,’ Rui explained. ‘Western businesses have been using quality standards as a means to protect their markets, so emerging markets are responding in the same way, raising the bar to equivalent standards in order to compete. India is going down this path.’ 

The ambitious business programme to transform RIL’s corporate governance and prepare the group for the future was not without significant challenges – starting with how to get people to understand why Enterprise Risk Management (ERM) needed to be put in place in the first place. Others Rui highlighted included: 
  • making the shift from a people-centric to process-centric business model
  • addressing workforce age demographics to reduce people dependency risks
  • recognising and addressing increasingly complex regulatory requirements across different industry segments and jurisdictions.


Once the business case for ERM had been made and management support and ownership secured, four core work streams were identified and addressed: 

  • formalising the corporate governance framework
  • strengthening the risk management and assurance processes
  • automating risk, controls and assurance management
  • enhancing internal audit skills and capabilities.


Rui ran through the operational challenges presented in establishing and embedding sustainable ERM processes, ensuring effective risk management discussion to drive value from risk management outcomes, and aligning the corporate risk management ecosystem – the risk management, internal control and assurance functions. 

And he had a clear message for auditors: ‘Audit plays an advisory role in the whole change management process,’ he said. ‘You play a fundamental role in helping an organisation get a sense of whether its corporate governance framework is being embedded and implemented because your work programme touches on so many different parts of it. You are the eyes and ears of the business – use them!’   

Practical auditing of project risk management

There are just three key questions that auditors need to be able to answer when they are looking at risk management for any business project, according to Richard Archer, chief risk adviser, BT Business. These are: Are the risks known? Are the risks prioritised? Can the risks be managed?

‘To me, project risk is one of the most exciting aspects of risk management because so much is new,’ Richard said. ‘There are often new teams working together, new markets, new technology and new target customers. And “new” equals “risky”, so it is very important that enough time is spent identifying what the risks in the project are.’ 

Risk appetite has come to the fore as a key component of governance and risk management but Richard warned that it was a concept that everyone thought they had mastered but very few really had. ‘Even risk professionals struggle with this,’ he said. ‘The risk management competency of any auditor cannot be taken for granted, so it is worth checking out their maturity and level of experience.’ 

The easiest part of an auditor’s job, he said, is auditing for compliance, with a good starting point being the risk register. Common pitfalls include key risks not being identified; the uncertainty of risks not being made explicit; the risk matrix being inappropriate or risks not being quantified; and controls and actions being confused. 

‘Another issue is that actions to be taken are often not defined or tracked,’ Richard noted. ‘Quite often you see a statement like “improve communication” but there is nothing explaining how this is going to be done. Revisit six months later and surprise surprise… they haven’t done it!’ 

The types of compliance violation can be varied. Richard grouped them into unintentional, routine, situational, optimising and exceptional, detailing possible causes and suggesting possible solutions. 

At the end of the audit process an auditor has to be sure that their recommendations are going to help the business. ‘But, above all, please keep risk management a creative process,’ he urged his audience.

Cyber security for internal auditors
Does your internal audit team have the knowledge and skills to play its part in the defence of shareholder value from cyber attack?


A cyber attack is ‘an attack by bad people trying to stop an organisation working, or to steal its information or to change that information for their own gain’. This was the simplified definition Darren Brooks, practice director for Wipro, offered his audience at the annual ACCA Internal Audit Conference, held earlier this year in London. 

These ‘bad people’ include: governments involved in cyber espionage; cyber activists, often focused on a particular cause; and cyber criminals, interested in making money, usually quickly. The latter, he added, represents a particular threat for any business that has exposed financial data or access to data that can influence market prices. 

‘One of the most worrying aspects of successful cyber attacks is that around 50% of the organisations affected don't know how the bad guys got in,’ Darren said. ‘There are many possible reasons – and there is no doubt that increasingly sophisticated tools are being used – but poor IT hygiene is all too often the culprit. IT departments getting outsourced and corners being cut is also a big issue. And so is the fact that, in some organisations, it is not clear who is responsible for cyber defence. These cyber attackers are waging war and that’s not good enough.’ 

Other ways perpetrators ‘get through’ might include: lack of security organisation/controls; inadequate operational security tools/capabilities; limited end user security education; and zero day or targeted attacks. 

Evolution of cyber attacks
Over the last five years cyber attacks have evolved significantly. ‘Many countries, for example, have seen this capability as a quick and cheap way of acquiring weapons which can do more damage to sophisticated enemies than conventional weapons,’ Darren explained. ‘A low level of cyber activism, which began in the mid-1980s, also remains in the background because the internet creates a platform which enables activists to reach a global audience. Cyber crime continues to grow steadily with conventional criminals realising it offers rich pickings with a lower level of risk.’ 

Moving into the anatomy of a sophisticated cyber attack, Darren explained that it could be broken down into seven stages:
  • reconnaissance
  • weaponisation
  • delivery
  • exploitation
  • installation
  • command and control
  • actions on the objective.


Among current trends is a convergence of cyber and fraud, evidenced by the combined use of denial of service (DoS) smokescreens, internal facilitation and data theft in many recent attacks on financial services companies. Also common are the proliferation of advanced cyber attack tools, the re-emergence of old techniques such as Trojan horse malware, phishing and spearphishing (more sophisticated attacks targeted at specific organisations and/or people and originating from plausible sources), and a return to perimeter attacks. 

Building a defence
So what defence can organisations make against a cyber-attack? ‘You have to assume that the bad guys will get through and understanding your company’s cyber risk is key,’ Darren told his audience. This risk might be cyber espionage, involving silent copying of commercial information, which could impact on any organisation with IP, M&A data or high-value contract data. Or it could be damage to a brand through negative publicity; sabotage; client loss; or direct fraud. 

Once the risk is determined, the next move is to make ‘an active risk decision’. There are various options under this heading, Darren explained. An ‘avoiding risk’ decision is a limited option, while ‘stopping or preventing cyber risk’ is difficult and requires significant ongoing investment of time and resources in security controls. Other options include transferring or outsourcing risk, reducing its impact or simply accepting it. 

The plan, do, check and act stages of resilience are already well understood by internal auditors but Darren highlighted checking as particularly important, explaining that under this heading comes monitoring networks, undertaking internal vulnerability scans and commissioning third party penetration tests. 

The role of internal audit
One of the most important aspects of cyber security, however, is to know who is responsible for it. Darren was clear that responsibility starts with the board. Among the many questions internal auditors need to ask board members, he said, were those covering security governance, leadership, culture, reporting and strategy. And perhaps the two most important are: ‘is the board providing leadership on cyber security?’ and ‘is it providing the “right tone from the top”?’ 

Turning next to the layer of people who manage security within any organisation, Darren said that it is the job of internal audit to check whether the organisation has a good level of understanding of risk and threat – whether cyber risks are assessed and managed based on appropriate information using the latest industry guidance – and if they are able to implement the strategy that the board has signed off. Are they compliant with regulations, legislation and agreed industry standards? Is appropriate training being offered to end-users and is it working? Who and where is the point of contact in case of a serious incident? 

Darren also highlighted the importance of asking questions around any plans for investment in new controls. What are they and where is the organisation in the cycle of acquiring and implementing them? ‘It is surprising how often I still come across businesses which have invested in all the latest toys but which are simply not doing what they’re supposed to do,’ he said. ‘And that means internal auditors can’t ask the next question, which is: are they providing the value for money we said they would?’ 

There are two more questions internal auditors should be asking their businesses, Darren concluded:
 

  • can we log the activities of our administrative users – are we looking at what they’re doing?
  • do we know what our valuable data is and where it is? 


‘Both are absolutely fundamental,’ said Darren.
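The first of those two questions is only answerable if privileged activity is actually captured and then reviewed against something concrete: who is allowed to hold admin rights, when changes are expected, and which operations are sensitive. As an added illustration (this is editor-supplied example code, not material from the conference or from ACCA), the Python below parses sudo records in the style of a Linux auth.log and flags the events an auditor would want to see surfaced. The approved admin list, the change window, the sensitive-operation patterns and the log lines themselves are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the style of Linux auth.log sudo entries (not real logs).
SAMPLE_LOG = """\
Mar 12 09:14:07 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Mar 12 02:41:33 db01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar 12 10:02:45 db01 sudo:      bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar 12 11:30:01 db01 sudo:    mallory : TTY=pts/3 ; PWD=/tmp ; USER=postgres ; COMMAND=/usr/bin/pg_dump customers
Mar 12 23:55:10 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m -G sudo backdoor
"""

# Field layout of a sudo command record: timestamp, host, invoking user, tty, cwd, target user, command.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

APPROVED_ADMINS = {"alice", "bob"}       # assumption: the organisation's authorised admin accounts
BUSINESS_HOURS = range(8, 19)            # assumption: agreed change window is 08:00-18:59
SENSITIVE_PATTERNS = [                   # assumption: operations that always warrant review
    r"/etc/shadow", r"/etc/sudoers", r"\buseradd\b", r"\busermod\b", r"\bpg_dump\b",
]


@dataclass
class SudoEvent:
    hour: int
    host: str
    user: str
    target: str
    command: str


def parse_sudo_log(text: str) -> list[SudoEvent]:
    """Extract sudo command records; other auth.log lines (session open/close etc.) are ignored."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue
        events.append(SudoEvent(
            hour=int(m.group("ts")[-8:-6]),   # "HH" of the HH:MM:SS timestamp
            host=m.group("host"),
            user=m.group("user"),
            target=m.group("target"),
            command=m.group("cmd"),
        ))
    return events


def review(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (user, command, reasons) for every privileged command that breaks a review rule."""
    findings = []
    for ev in parse_sudo_log(text):
        reasons = []
        if ev.user not in APPROVED_ADMINS:
            reasons.append("account not on approved admin list")
        if ev.hour not in BUSINESS_HOURS:
            reasons.append(f"privileged command outside change window ({ev.hour:02d}:xx)")
        for pat in SENSITIVE_PATTERNS:
            if re.search(pat, ev.command):
                reasons.append(f"sensitive operation matched /{pat}/")
                break
        if reasons:
            findings.append((ev.user, ev.command, reasons))
    return findings


def activity_by_admin(text: str) -> dict[str, int]:
    """Count privileged commands per account: the raw material for 'are we looking at what they do?'."""
    counts: dict[str, int] = {}
    for ev in parse_sudo_log(text):
        counts[ev.user] = counts.get(ev.user, 0) + 1
    return counts


if __name__ == "__main__":
    for user, cmd, reasons in review(SAMPLE_LOG):
        print(f"{user}: {cmd}\n    " + "\n    ".join(reasons))
    print(activity_by_admin(SAMPLE_LOG))
```

Against the constructed sample this flags three of the five events: the out-of-hours read of /etc/shadow, the database dump by an account that holds no approved admin role, and the late-night creation of a new sudo-capable user. The point for an audit is less the script than the three inputs it depends on: if nobody can produce the approved admin list or the agreed change window, the logging question has already been answered.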

Crisis and continuity planning - thinking outside the box
If an unplanned for and unexpected disaster befalls an organisation, how does it navigate through the three phases of crisis management, disaster recovery and business continuity?


When an organisation is planning for or facing a crisis, its internal auditors’ first and most important job is to challenge groupthink – a state of being in which people agree, not because the information supports the conclusion, but because they feel intimidated to disagree. This was one of the key messages delivered by Daniel Roberts, group head of risk, FCG, to delegates attending the ACCA annual internal audit conference held earlier this year in London. 

‘There are three types of groupthink that appear when a crisis needs managing,’ he said. ‘Type 1 overestimates the power and morality of the group; type 2 is typified by close-mindedness, rationalising warnings and stereotyping those opposed to them; and the third type feel pressured into uniformity and suffer the self-censorship and illusions of unanimity that go with it. 

‘These “right-thinking people” who fall victim to groupthink hold organisations back when they are facing a crisis,’ Daniel said. ‘Your organisation is full of similar right-thinking people and you have to be very careful of them. It is your job as internal auditors to challenge them when you see groupthink in action.’ 

Moving on to planning for disasters, in their many forms, Daniel pointed out that ‘anyone can predict the future, but getting the dates right is tough’. While types of disasters and business interruptions are predictable, ‘don’t plan for everything,’ he advised. ‘You can’t. But as internal auditors you have one statement that you must make again and again to the board until it starts saying it back to you: “If you don’t test your recovery plan it will fail. It will fail the first time. It will fail the second time. But by the third time it will be pretty good.”’ 

Setting up two crisis management teams is a good idea because at some stage team ‘A’ is going to have to have a break. Further, ‘if you cannot constitute team A when a crisis occurs, then you must be able to bring in team “B” immediately,’ Daniel said. 

He offered the example of a bank in New Zealand which, recognising that at some time there would be an earthquake in Wellington, set up two boards of directors – one in Wellington and an alternative board in Auckland. If Wellington is out of contact for more than four hours, the Auckland board is empowered to be the alternate board of directors for the bank. 

Building in resilience
‘Companies and people are very resilient, but are you building that resilience into your business and supply chain?’ Daniel asked. ‘Are you saying in your plan what happens if the mains power is lost for an extended time, or your local telephone exchange is gone? One of the key lessons of this is that corporate governance matters far beyond your walls. Ask yourselves: how good is the corporate governance in your key suppliers and in the organisations that you rely upon?’ 

What if a disaster hit a key supplier elsewhere? As an example, Daniel pointed out that almost 50% of hard drives for all personal computers came from Thailand, so the disastrous flooding that happened there in 2011 had enormous consequences for many businesses – hard disk drive prices, for example, doubled. 

‘There will be future disasters,’ he said. ‘Think of the earthquakes in Christchurch, New Zealand, and more recently Nepal. There will be more earthquakes, and they will happen in funny places. In 1805 in the middle of the US an eight-point earthquake was so bad that the Mississippi river went upstream. Earthquakes are a 100% certainty. They are going to happen, but do we know where? We need to concentrate on location specific planning, which includes evacuation plans, a communications plan, basic supplies and a who to call list – not just for earthquakes, but for the range of potential events that could render a facility unstable or unusable.’ 

The advent of a pandemic is another 100% certainty, but your planning does not need to be about what to do for the end of the world. ‘You can plan for what happens if someone goes away on holiday and comes back with the norovirus, which spreads through the payment department,’ Daniel pointed out. 

‘Suddenly your entire payments team is up the creek for a week. Are you going to miss critical payments? Not if the people dealing with liquid payments are in two parts of the building. While this might not be easy, remind them that they’re not allowed to go and visit each other. Or better still, put them in another building. It’s not that difficult, they’re all doing the same thing.  

‘Of course, you can plan for a pandemic. Monitor, communicate and subscribe to alerts from a website that updates you on current disease epidemics and where they are in the world.’ A good example is ProMed, which is run by the International Society for Infectious Diseases. 

Searching out ‘Greg’
‘Recovery is good planning that has nothing to do with figuring out how fast you can reinstall Windows Server on a box,’ Daniel insisted. ‘It has to do with whether your board understands and is ready for it. Is your senior manager ready for it? Do you understand the basic scenarios that may impact you? It’s all about the preparation because if you haven’t prepared for it, it’s just going to happen.’ 

His recommendations? Do not plan for each scenario, plan for scenario types and their impact on supply chain disruption, loss of access, loss of people and social upheaval. Practise your recovery plan, build in governance flexibility and question yourselves and others constantly. 

Daniel concluded with a final warning by means of an anecdote. In the early 1990s, he said, he attended a Christmas lunch held by an IT company that sold data and analytic tools. In the middle of it, the restaurant owner approached the IT director saying that he had a phone call for him. ‘The man went away and came back looking a little ashen,’ Daniel said. ‘He looked across the table at his senior network analyst and said: “Greg, the network’s down”. Greg looked up from his dessert and said “yeah, I noticed that on the way out”. All of your organisations have a Greg. Find Greg.’ 

So what is the difference between disaster recovery and business continuity? ‘Disaster recovery is how you plan and recover from the big crises,’ Daniel said. ‘Business continuity is: Have you found Greg? Are you ready for when Greg does something wrong?’

Integrated assurance – too late to integrate?
Why a more externally oriented focus is required to ensure that our profession keeps track with the pace at which industries are developing.


It seems that the financial services sector is steadily recovering from the crisis and being discharged from the intensive care provided by governments. One of the other positive developments on this journey to recovery is the discussion about the role and the responsibility of the internal audit function. 

In some countries the regulator provided more specific guidance, especially within the financial services industry, and the IIA in one way or another also initiated a good discussion with impact beyond the FS industry. 

For example the Federal Reserve in the US launched new guidance in 2013 that auditors should do more continuous risk assessments and have a wide range of business experts in their teams through rotational programs. 

The IIA in the UK launched new guidance in 2013 especially for the financial services industry requiring that IA should change the role to: 

  • ‘Challenging’: from the passive role to a more assertive ‘here is my assessment, now it is time for you to act’
  • being all-encompassing in IA’s risk assessment and assurance coverage, including strategy and the full range of risks having an impact on the organisation
  • IA being present at both the board AC and the board risk committee and any other committees
  • IA’s reporting should include an assessment of the effectiveness of the governance, risk and control framework of the organisation, and of themes and trends and their impact on the organisation’s risk profile
  • ensuring the positioning and attendance of the chief audit executive at executive committee level and associated meetings.

These new developments have also initiated discussion in many companies, in and outside the financial services industry, about the primary role and focus of IA. 

Setting the scene – IA in historical perspective
If we take a more historical perspective we can say that it was only 20-30 years ago, at most, that the mandate and scope of many IA functions moved away from merely financial towards operational types of audit. In many companies we see a very positive trend in which IA has followed a rapid growth journey, maturing from ‘childhood’ to being a robust and respected ‘adult’ within the company. 

In many companies we have seen a broadly similar journey of how the IA function ‘grew up’: it started with a focus on identifying gaps in the financial control area and then helped, or advised, management to implement a sound financial control framework to address those weaknesses and gaps. 

Through this ‘educational role’ IA helped the business to develop sound financial control frameworks within the business. IA quite often also played a role in helping the business to build and mature other controls and assurance activities and we have seen that many companies adopted the three lines of defence approach. In these three lines of defence, the business has implemented controls execution and business assurance/review activities in the first and second lines. 

In many companies this has now reached a stage where management asks challenging questions about whether there is ‘too much compliance’ and whether we still need ‘checkers to check the checkers’. It is not within the scope of this discussion note to challenge those comments, even though it was only a couple of years ago that the crisis started in the financial services industry, as well as in other industries, because of weak governance (read: controls, checks and balances). What is within the scope of this article is the movement in many companies to explore if and where they can reduce the so-called compliance burden by integrating those ‘compliance/assurance activities’. 

The discussion I would like to embark on in our profession is whether IA should invest a lot of time and effort in supporting management's quest to find ‘lean’ opportunities to reduce the cost of control and assurance; or whether we should focus on other priorities supporting management in preventing other failures. Hence the question arises whether IA should challenge the business on the topic of integrated assurance, by assessing firstly if it is ‘too late to integrate’. 

The pitfall of too much focus on integrated assurance
Whether we look at integrated assurance from a cost-saving or efficiency perspective on one side, or from the perspective of providing better or more effective assurance on the other, there is always the risk that we approach the topic too much from the current state. This so-called ‘as-is’ perspective might identify overlap in control and/or assurance activities, or even opportunities to get rid of redundant controls. It might also lead to a better or more focused scoping of IA. But what it will probably never lead to is a real ‘future’ orientation, asking ourselves questions like: 
 

  • how will or should controls operations and testing look in five or ten years from now?
  • will we still use fully fledged control frameworks (quite often documented in huge spreadsheets, or in off-the-shelf tooling designed in the same way as traditional spreadsheet frameworks), most often tested manually in a monthly or quarterly cycle?
  • will internal audit still audit the control effectiveness or the effectiveness of the first and second line activities on a rotational cycle based approach?
  • do we focus too much on control effectiveness and efficiency (second line of defence reviews) or should we focus more on quality of governance and risk management (risk intelligence of the business)?


Of course many companies are exploring the automation potential of their control and assurance activities to try to move to a sort of continuous control monitoring in conjunction with substantive testing through data analytics. 

However, not many companies have really looked ahead to what the future should or will look like. If we consider how rapidly digital technology is changing entire business models and enterprises, and even wiping out complete industry players (the ‘Blockbuster effect’, Alibaba, Airbnb etc.), we as the IA profession should also be aware of the influence of these changes on business control and assurance activities, and hence of the way we should adapt our audit approach. 

Are we as the IA profession ready to advise management how the lines of defence model including our own activities will have to change as a consequence of exponential changes in the business caused for instance by new digital technology? Or in short is IA ready for the new digital disruption and ready to prevent a ‘Blockbuster’ event in our audit model? 

We should not think that this is only the case in certain industries like media and telecom or fast moving consumer goods, and that our audit activities will be affected only in those rapidly changing industries. Even in highly capital intense industries like power and utilities or oil and gas the business is more and more controlled by high tech systems and software. Smart grids, smart meters and applying drilling analytics are just a couple of examples to illustrate this. The very traditional business model of the global taxi business was highly disrupted by a simple app invented by Uber. 

Imagine how drones, Google Glass or iPads used in field work could change the way the business executes oversight and controls, collects evidence and follows manuals and procedures, with sophisticated knowledge management systems pushing guidance to people wherever they are and exactly when they need it. From this perspective we should challenge ourselves as a profession and in our role as auditors. And we should not forget to challenge the first and second line functions on how they want that same business to execute and document controls in the future. 

In this context we should ask ourselves questions like:
 

  • how will it affect our resource strategy or model; do we need a completely different mix of resources and skillsets in our IA team?
  • how will it affect our methodology of executing the audits, documenting evidence etc.?
  • how much time should be spent on independent risk assessment and discussing with key stakeholders in the business key changes, versus executing audits?
  • how will it affect our board and audit committee interactions and reporting?
  • should we move to more real time reporting?


Based on our experience we know that change management is the most difficult part of these efforts. It therefore makes sense to recognise that the above-mentioned changes to our IA delivery model will take time. However, in the current environment ‘time’ is itself becoming the next disruptive factor. 

Some considerations on challenges for our IA
Most IA organisations have managed to establish a good brand within the company they serve, and are recognised as strong independent assurance providers, supporting the business board and AC in addressing high risk areas, delivering added value etc.  

But IA functions face the same risks as large companies that could not adjust their governance, risk and compliance environment quickly enough to the continuous flow of changes in the business and external landscape. 

Besides the challenge of keeping pace with the business, another challenge is finding the best operating model to ensure that audit scoping, planning and execution are geared to a world of continuous change and a more volatile risk environment. Where risks are volatile not only in size or likelihood but also in timing, the ‘speed of risk’ (risk velocity) is a new dimension which deserves a permanent ‘seat’ in the design of risk heat-maps. 

Many audit departments already have a rolling forward approach in planning audits. In addition most often they also have a solution to adapt and include new risks or ad hoc audit demand from management in the audit plan. The question, however, is whether this is agile enough to move from a relatively ‘static’ approach to a more ‘dynamic’ audit approach. 

Applying an audit continuum approach where you can select from a large variety of ways to execute the audit could bring a more dynamic approach. The agile approach will certainly also demand much more flexible resource models including a constant, broad, flexible pool of guest auditors, as well as short and longer term business rotators. 

Co-source models with other providers to deliver subject matter expertise is another option to make the delivery model agile. The co-source providers should not necessarily come from the ‘traditional arena’ (the big four or similar firms). In the light of being close to the business, it makes a lot of sense to expand the co-source relationship to companies like strategy firms, digital technology firms etc. 

Being more agile could also require that traditional reporting schemes need to change. Quarterly audit committee meetings, where IA presents outcomes of audits over the past 3-6 months covering an audit period of dates even further in the past, will not give timely enough input for management to make necessary improvements and changes in a rapidly and constantly changing environment. Add to that the time it takes to start improvement projects on the recommendations going forward and it will not be sufficient to continue the traditional way of reporting. 

All the previous considerations could be captured under the umbrella of one central question:
 

  • do we have an IA strategy?


Most IA functions have a sound methodology and a well organised annual audit planning approach, but the question I would like to pose in this article is whether we spend enough time on developing a good IA strategy and whether we pay sufficient focus and attention in this strategy to topics such as:
 

  • how to become more agile (follow the pace of change in the business and become more dynamic)
  • how and where to innovate (continuous auditing etc.)
  • how to change our communication and reporting approach (marketing our brand and do more knowledge sharing versus plain reporting of findings and recommendations).


Conclusion
While it is clear that integrated assurance is still an important topic and could bring additional benefits in terms of efficiencies and more focused controls and assurance, I emphasise that a more externally oriented focus is required to ensure that our profession keeps track with the enormous pace at which most industries are developing themselves, and that we make sure that we are ready for the new future. A new future that will be driven more and more by technology and almost constantly facing disruptive events. 

If our stakeholders in those businesses (read auditees) have to follow this pace and make sure that they stay in control of their strategy, it is surely the same for us as IA professionals. 

Otherwise we might face another challenge: the business will legitimately raise comments on our audit approach such as ‘you do not understand the business’ or ‘you are putting too much compliance around my processes’. 

It is now time to come up with our own future proof strategy (as our stakeholders in the business do in their standard planning and control cycles) and engage with our stakeholders (boards and audit committees) early in the process to send them the right signals etc. 

Strategise, innovate and accelerate is very common language if you read companies' vision and mission statements. Why shouldn’t this be our language and bring more substance to our profession than only adopting new analytical tools in our existing methodology and ways of working? 

Siebe Postuma CIA – Partner, Deloitte Risk Advisory

Frauditing for internal auditors
Three experts provide an insight into fraud, including a look at the role of data analytics.


ACCA UK’s Internal Audit Network Panel recently organised a webinar on ‘Frauditing for internal auditors’. A panel of three experts from CIFAS, NHS Protect and Grant Thornton explored the fraud landscape, and the webinar is available on demand. Below is an overview of the event. 


Internal fraud - the view from the Fraud Prevention Service
Sophie Keen is the business engagement manager at CIFAS which involves helping organisations from both the private and public sectors to see the benefits gained from data sharing to combat both customer and internal fraud. Before taking on this role, she was the manager of the Internal Fraud Database, purely focusing on the insider threats and working with organisations across all sectors to help combat these. 

By examining the cases of internal fraud filed with CIFAS in 2014, Sophie gave an overview of what threats are on the increase and what steps can be taken to help counter these. 

What is CIFAS?
CIFAS is a not-for-profit membership organisation which allows organisations to share information with one another on confirmed frauds, to prevent the same identities and addresses from being re-used for fraud. CIFAS operates on the basis that fraud data is non-competitive and that co-operation and communication are in the interests of crime prevention. 

The Internal Fraud Database (IFD)
CIFAS runs an Internal Fraud Database that members can access for the purposes of filing data on confirmed internal fraud cases, and for searching applicants and current staff against the database as part of their vetting and screening process. There are currently over 130 organisations using the database and they collectively filed 751 cases in 2014. All cases filed remain live and available for matching for six years before automatically dropping off. Members also have the advantage of being able to match against over 90,000 cases of confirmed fraud risk, the majority of which are immigration cases supplied by the Home Office. 

How does it work?
All of the cases filed with CIFAS are confirmed frauds that have been investigated and are backed by evidence. All of these cases are proven and every individual involved has been notified by way of a Fair Processing Notification. 

All of the cases filed by CIFAS members are categorised into five general fraud types: 

  • account fraud
  • dishonest action to obtain a benefit by theft or deception
  • employment application fraud
  • unauthorised obtaining or disclosure of personal or commercial information
  • bribery and corruption.


IFD cases recorded in 2014
Employment application fraud made up the greatest proportion of cases filed in 2014, with dishonest action by staff coming second. All organisations are at risk of these fraud types, whereas something like account fraud is more likely to affect banks than other types of organisation. These two fraud types were also the most filed in 2013. 

A total of 751 cases was filed in 2014 – an increase of nearly 18% on 2013. The biggest percentage increase came from the successful employment application frauds where 51 of the 77 cases were filed due to concealed unspent criminal convictions. With DBS checks often taking time to come back, organisations often have to start employing an individual before all the checks take place.
 

Internal fraud type                              2013    2014    % change
Account fraud                                      46      30       -34.8
Being bribed                                        -       1           -
Dishonest actions                                 268     227       -10.6
Employment application fraud - successful          31      77       148.4
Employment application fraud - unsuccessful       293     396        35.2
Unauthorised disclosure of commercial data          4       1       -75.0
Unauthorised disclosure of personal data           48      53        10.4
Total cases                                       638     751        17.7

 
Employment application fraud
Looking at both successful and unsuccessful employment application frauds, they accounted for 63% of cases recorded in 2014. These include the concealment of unspent criminal convictions but also things such as concealed employment record, material falsehoods such as immigration status, qualifications and references. 

The consistent high level of filing emphasises the need for proper vetting and screening of candidates. 

Dishonest action by staff to obtain a benefit by theft or deception
The next most frequently filed fraud on the database in 2014 was dishonest action by staff to obtain a benefit by theft or deception, which accounted for 30% of cases. This covers a broad range of fraud such as theft of cash, false expenses, procurement fraud and facilitating fraudulent applications. Theft of cash, from either the customer or the employer, has continually been the most common reason for filing. However, the number of these cases in 2014 dropped by 63% compared with 2013. 

The only reason for filing a case of dishonest action that did increase in 2014 was employees manipulating their own accounts. Carrying out fraud involving the manipulation of accounts requires knowledge of company systems and processes, which is perhaps why the length of service for these employees remains the highest across all fraud types, at 6.9 years. 

Account fraud
Account frauds filed in 2014 accounted for 4% of cases and dropped by just over a third compared with 2013. This appears to be a continuing downward trend: 2013 saw a drop of 16% compared with 2012. Tighter controls and increased account monitoring implemented by organisations could be having a strong deterrent effect. In addition, the increased ease with which consumers can control and access their own accounts through online and mobile banking and text alerts may be discouraging employees from attempting this type of fraud. Employees who are going to commit this type of fraud may therefore be choosing to target more elderly or vulnerable customers, who are more likely to be using traditional methods of banking. 

Unlawful obtaining or disclosure of personal or commercial data
At 7% of cases, these frauds have always been filed less often than any other fraud type apart from account fraud, but they need to be viewed in the context that a single instance of data disclosure can have huge effects, not only on the organisation but also on customers and other members of staff. Filings relating to commercial data theft have always been the lowest, with only one filed in 2014. 

Member organisations have consistently reported that, whilst they believe these frauds are occurring, it is very hard for them to prove the case and gather the evidence needed to share it with others. Staff awareness is an important part of any internal fraud prevention policy, but with frauds involving the obtaining and disclosure of data, understanding the human element is key. 

The highest reason for filing under this fraud type was disclosure of customer data to a third party, with the next being fraudulent personal use of customer data. This is a continuing trend from 2013. This data can be extremely valuable and has the potential to be used for far more frauds once it has been harvested and subsequently placed in the wrong hands. 

Reporting of cases
Whilst all of the cases filed on the Internal Fraud Database must be of a standard where they could be reported to the police, there is no obligation to do so. In 2014, only 15% of the 751 cases filed were reported to law enforcement and only 3% went on to court. This is a drop in law enforcement reporting compared with 2013, when just under a quarter of cases were reported. It is not always going to be possible to gain criminal convictions, given the resources of the police and the time organisations have to spend completing police reports. Relying on DBS checks is therefore not going to be a sufficient mechanism on its own to prevent fraudsters entering a company. 

In summary, the number of cases being filed at CIFAS is increasing with the threat coming from both prospective and current employees. To help mitigate these risks, it is vital to have a fraud prevention strategy which includes staff awareness and education, strict access controls, and collaboration across all sectors to help share experiences and warn of known serial offenders. 

NHS Protect
Nicole McLaughlin is the area anti-fraud specialist for the South East and provides advice, guidance and direction in matters relating to counter-fraud arrangements within NHS health bodies, particularly to Local Counter Fraud Specialists (LCFS) and Directors of Finance (DOF). The main elements of this work comprise developing and promoting an anti-fraud culture, supporting deterrence work, prevention and detection, supporting LCFS in conducting investigations, promoting the application of a full range of sanctions and promoting the pursuit of redress. 

Nicole talked about how NHS Protect deals with fraud within the NHS and highlighted some recent cases that made the national press:
 

  • ‘Manchester practice manager jailed for £150K fraud’
  • ‘GP Practice Manager jailed for £350K theft’
  • ‘Medically unqualified clinical director ordered to pay £250K to NHS’
  • ‘Former NHS Director jailed for CV lies’
  • ‘NHS Financial analyst and four accomplices jailed for conspiracy’


NHS Protect works predominantly with two pieces of legislation:   

Fraud Act 2006

  • Section 2 – Fraud by false representation (eg. lying about the number of hours worked)
  • Section 3 – Fraud by failing to disclose information (eg. not disclosing an unspent criminal conviction in a job application)
  • Section 4 – Fraud by abuse of position (when you are in a position where you are expected to safeguard the financial interests of another person).


Bribery (Corruption) Act 2010
under which individuals and organisations can both be prosecuted: 

  • giving or rewarding by financial or other advantage
  • requesting, agreeing to receive or accepting the advantage
  • corporate failure to prevent bribery.


Fraud by false representation is the biggest area of work for NHS Protect. 

How do we protect the NHS?
All health bodies within the NHS – both providers and commissioners – are issued with the NHS Protect Standards. The standards are broken down into four areas: strategic governance, informing and involving, preventing and deterring, and holding to account, which is where a person is held to account following an investigation. NHS Protect will work with professional regulatory bodies where the member of staff involved is a professional. 

Compliance with the standards is the starting point for any NHS Protect investigation - organisations not complying with the standards are deemed to be higher risk. The NHS is one of the biggest employers in Europe and within any NHS organisation, NHS Protect expects to see:
 

  • robust adherence to corporate procedures
  • application of NHS Protect Standards
  • all members of staff personally applying the Codes of Conduct
  • creation of an anti-crime culture
  • promotion of best practice at all times
  • sharing of breaches openly and quickly.


Fraud in the NHS
Fraud in the NHS is not widespread but there is a dishonest minority and fraud can be perpetrated by any of the following: 
 

  • Doctors / Dentists (claiming to provide treatment that they have not provided to real clients or clients that do not exist, or claiming for the same treatment several times)
  • Opticians (claiming for glasses or eye tests that they have not provided to real clients or clients that do not exist)
  • Pharmacists (claiming that a prescription was completed but the client was unable to pay when payment was in fact received)
  • Consultants (treating private patients using NHS facilities)
  • Staff (payroll fraud for expenses and hours worked, false references/qualifications/papers on job applications, non-declaration of convictions)
  • Patients (registering under false names to obtain prescription drugs, claiming for taxis to the hospital when they took the bus)
  • Contractors (inflating invoices, invoicing for work they have not done, procurement fraud).


In addition to those above, there are external fraud threats such as: 

  • Bank mandate fraud (where organisations are misled into paying fraudsters instead of suppliers)
  • Procurement fraud (numerous contracts for building works, catering, portering – a high risk area)
  • Bribery.


Case study – Operation GRANITE
This case happened 2-3 years ago:
 

  • A director of finance submitted a number of copy documents in support of the trust’s alleged financial status to the Department of Health and External Auditors. These documents were subsequently found to be forgeries of genuine valuation reports supplied to him by HMRC (Valuation Office Agency)
  • The forgeries showed lower valuations for Trust land/property sold during that financial year which if not discovered would have created false financial information in the Trust’s revenue account effectively clearing its financial liabilities and creating a £1,000,000 surplus for the 2006/07 financial year
  • His fingerprints revealed a number of previous criminal convictions recorded against him which were not declared on his original application for employment
  • Upon conviction (after trial) he was sentenced to 12 months imprisonment on each of the four counts. Although he did not benefit personally, he caused a loss and committed multiple types of fraud.

 
Using data analytics in fraud auditing
Tim Foster-Key is a director at Grant Thornton’s Business Risk Services practice. He has a wide variety of experience in both IT audit and risk-based assignments. His client base covers large corporates through to public sector and not-for-profit organisations. His technology and accounting background gives him the ability to provide practical solutions, such as the use of data analytics to identify trends or exceptions that help identify process and control weaknesses. 

Tim discussed the issues and the approach used to follow through an audit delivery when data analytics are used as part of an internal audit approach, and the data issues that, once identified, may suggest weak processes/controls or potential fraud. 

Benefits of using data analytics in frauditing

  • Higher levels of assurance
  • Identify more trends with larger samples
  • Increased quantification of control and process issues
  • Less resource hungry – let technology do the work whilst you step back and appraise the situation
  • Repeatable tests – easy to repeat tests in different ways
  • Early warning – identify issues before they become fraudulent and make recoverability difficult
  • Create more customised tests that immediately add value e.g. fraud analytic testing for acquisition due diligence
  • Identify potential fraud indicators on large projects e.g. replacement of accounting/finance system


Use of data analytics within fraud audits
To mitigate fraud there are a number of instances where data analytics assists:
 

  • New vendor/supplier management or duplicate accounts
  • Gifts and entertainment logging and conformance to policy
  • Irregular payments to suppliers or general transactions
  • Irregular journal entries and adjustments
  • Payments to non-approved suppliers or compliance with dual sign off
  • Irregular timings of bookings and payments
  • Abnormal or 'too good to be true' transactions


Bear in mind that data analytics is very rarely the silver bullet or the solution to the work that you are doing either in a pure fraud context or a consequence of an internal audit assignment. It is more to do with giving you that focussed output that puts you onto a path to follow up with your other activities.

Evolution of data analytics maturity
Where do you sit in the evolution of data analytics? You will sit somewhere on this scale:
 

  1. Ad-hoc - used when needed but limited to select individuals, with limited use of tools (perhaps just Excel). No agreed approach or linkage to other data sets.
  2. Limited value - increasing adoption and perhaps use of IDEA/ACL. Some value, but not integrated with other data and the results are unpredictable. Analytics are not yet expected to add value to the audit.
  3. Limited and valued - an analytics policy and methodology exist and analytics are in the 'driving seat' at the testing stage to validate controls. Wider usage within Internal Audit and value seen by stakeholders.
  4. Meshed - on-request data sources in place and the skillset starting to be embedded within the audit department, allowing for customised tests.
  5. Embedded - metric-based monitoring allowing for the creation of more customised tests that blend different data sets, e.g. vendor testing linking the accounts payable system to Companies House.
  6. Forward looking - analytics driving audit plans, with changed audit and risk behaviours based on analytics results. Reviewing the process around anomalous events rather than full end-to-end data testing.


Techniques that can be used for frauditing with data analytics
There are a number of different data driven techniques to identify fraud:
 

  • Duplicate transactions, such as the same invoice or supplier number appearing more than once
  • Rounded/even amounts, e.g. £5,000 or £200
  • Ratio analysis on the spread of values:
    – Spread of product prices from maximum to minimum, which may highlight over-charging and kickbacks
    – Difference between the maximum and the second-highest price
    – Differences between sales people (international vs. domestic, or between product sales teams)
    – Year-on-year trend analysis between teams or products
  • Benford's Law: in a large set of genuine transactions the first digit is not evenly distributed, so a '1' is more likely than a '9'; amounts that depart from that pattern deserve a closer look. A related digit test is clustering of expense claims just under £500 where an authorisation policy for claims over £500 exists
  • Matching structured internal data to public sources, e.g. supplier addresses on internal systems to postcode data


Approach to using data analytics in frauditing 

  • Test creation & definition
    Identify the required tests linked to fraud risk indicators - be clear what you want to do and do not get side-tracked. Understand the tests that you are trying to do
    Link to business operations including your sector
    Link to fraud triangle overview (perceived opportunity, pressure or motive, and the rationalisation of the act – get into the head of the fraudster)

  • Data identification
    Identify the required datasets to achieve the tests – you need to have a good relationship with the business and speak to the IT department
    Agree on data extraction needs – you should only go for a test sample at this stage. Do not request the full data set – you should test your approach with a small subset of data to ensure that it has all of the fields that it needs so that you are not requesting the data time after time

  • Cleanse and normalise
    Scrub data to ensure its accuracy – prepare the data for the tests that you want to do
    Identify data anomalies and their root cause

  • Data analytics and insight
    Perform data analytics using tools, e.g. IDEA

  • Report and monitor
    Provide fraud reports and findings in a format that the user can utilise


The more advanced your data skills the more you can move to customised data testing to best identify and quantify fraudulent behaviour.
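As an added example (not code from the page, the speakers or Grant Thornton), the Python below runs several of the techniques listed earlier over a constructed purchase-ledger sample, following the cleanse-and-normalise, test and report steps of the approach above: duplicate invoices found after key normalisation, round amounts, invoices just under a £500 authorisation threshold, and a Benford first-digit comparison. The ledger rows and supplier names are constructed, and the £100 rounding unit and £25 "just under" band are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample ledger (not real data): two rows are the same invoice keyed
# slightly differently, two amounts are suspiciously round, two sit just under £500.
INVOICES = [
    {"supplier": "Acme Catering Ltd", "invoice_no": "INV-1001", "amount": "£1,234.56"},
    {"supplier": "acme  catering ltd ", "invoice_no": "inv-1001", "amount": "1234.56"},
    {"supplier": "Northern Portering", "invoice_no": "NP-77", "amount": "£5,000.00"},
    {"supplier": "Northern Portering", "invoice_no": "NP-78", "amount": "498.00"},
    {"supplier": "Northern Portering", "invoice_no": "NP-79", "amount": "£499.50"},
    {"supplier": "Beacon Builders", "invoice_no": "B-2201", "amount": "200"},
    {"supplier": "Beacon Builders", "invoice_no": "B-2202", "amount": "3,871.20"},
    {"supplier": "Beacon Builders", "invoice_no": "B-2203", "amount": "17.99"},
]

def normalise(rows):
    """Cleanse step: collapse case and whitespace in keys, parse amounts to float."""
    return [{
        "supplier": re.sub(r"\s+", " ", r["supplier"]).strip().upper(),
        "invoice_no": r["invoice_no"].strip().upper(),
        "amount": float(re.sub(r"[£,\s]", "", r["amount"])),
    } for r in rows]

def duplicate_invoices(rows):
    """Same supplier and invoice number booked more than once."""
    seen = Counter((r["supplier"], r["invoice_no"]) for r in rows)
    return [key for key, n in seen.items() if n > 1]

def round_amounts(rows, unit=100):
    """Amounts that are exact multiples of `unit` (assumed £100), e.g. £5,000 or £200."""
    return [r["invoice_no"] for r in rows if r["amount"] >= unit and r["amount"] % unit == 0]

def just_under_threshold(rows, threshold=500, band=25):
    """Amounts in [threshold - band, threshold): possibly kept below an approval limit."""
    return [r["invoice_no"] for r in rows if threshold - band <= r["amount"] < threshold]

def leading_digit(amount):
    a = abs(amount)
    while 0 < a < 1:  # scale sub-unit amounts up to their first significant digit
        a *= 10
    return int(f"{a:f}"[0])

def benford_first_digit(rows):
    """Per digit 1-9: (count, observed share, Benford-expected share log10(1 + 1/d))."""
    digits = [leading_digit(r["amount"]) for r in rows if r["amount"] != 0]
    counts = Counter(digits)
    return {d: (counts[d], counts[d] / len(digits), round(math.log10(1 + 1 / d), 3))
            for d in range(1, 10)}

def run_tests(raw_rows):
    """Report step: run every test over cleansed data and return the exceptions found."""
    rows = normalise(raw_rows)
    return {
        "duplicates": duplicate_invoices(rows),
        "round_amounts": round_amounts(rows),
        "just_under_500": just_under_threshold(rows),
        "benford": benford_first_digit(rows),
    }

if __name__ == "__main__":
    for name, finding in run_tests(INVOICES).items():
        print(name, finding)
```

On eight rows the Benford comparison is illustrative only; the technique needs a large population of genuine transactions before deviations mean anything.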


Common types of data issues that identify weak processes/controls

  • Purchase to pay
    – employee-initiated purchase orders for own benefit
    – fraudulent disbursements through 'ghost' vendors
  • Corporate credit cards
    – use of corporate cards for personal gain
  • Payroll
    – 'ghost' employees or payments to terminated or dead employees
    – excessive overtime payments
  • Sales and receivables
    – vendor and employee collusion
    – sales inflation for higher bonuses/commissions
  • Information systems and critical data
    – theft of critical data to be used for fraudulent purposes
    – selling of corporate data to external parties


Summary
Use a professional data analytical tool. Keep to the basics and build your skills up gradually. Work with your team in a wider context: the best output comes from working as part of the wider team delivering the audit or the fraud review, letting them take the exceptions and investigate them, while you work with the teams to get a rounded answer. 

As you move your skills on, look to improve things so that you are informing the third line of defence, but think about scripting in the long run, because that will be a very powerful use of data analytics.

NEWS
Survey: the UK and the EU
ACCA wants to understand members’ views on the EU.
The outcome of the EU referendum will have an impact on every single business in the UK. 

As a membership organisation, it is important that we reflect the view of our members; we are therefore asking you to complete this short survey to help us understand our members’ views on the EU.
Inspire a trainee accountant!
Become a workplace mentor for an ACCA trainee.
CPD
Register for ACCA - CIA challenge exam
Are you working in internal audit and interested in exploring the profession further?

We have partnered with The Institute of Internal Auditors (IIA) to provide you with a unique opportunity to earn the globally recognised Certified Internal Auditor® (CIA®) designation.  

Take the challenge
The IIA is giving ACCA members an exclusive one-time opportunity to take an accelerated version of the CIA exam in November 2015. This is an excellent opportunity which allows you to further develop your internal audit expertise, build upon your existing skills, and enhance your ACCA membership status. It could also open up new avenues for professional growth and upward mobility for you. 

Key benefits

  • earn the CIA credential through an expedited and streamlined exam process
  • receive savings on exam preparation materials and fees through a bundled package
  • gain globally recognised status of IIA certification.


Save time and money
The ACCA-CIA challenge exam offers significant savings to you. The all-inclusive fee is just US$1,195 for non-IIA members and US$995 for existing IIA members. The exclusive exam offer includes:
 

  • CIA exam application and registration fee
  • the IIA’s ACCA Challenge Exam Study Guide in downloadable e-book format
  • a 12-month membership in the local Institute or IIA Global.

 
APPLY NOW


Applications to sit for the exam will close on 30 September. 

Remember that exams need to be taken in November 2015. Those eligible can sit for the exam at any PearsonVUE test centre around the world. To locate the centre nearest you, visit the Pearson VUE website. Please note candidates will have only ONE opportunity to pass. 

If you have any queries please contact ACCA Connect on members@accaglobal.com or call +44 (0)141 582 2000.  

For more information about this exclusive offer including FAQs, please visit the ACCA website.  

Pass first time 
You will only get one chance to pass the exam, so why not maximise your chances of success?

The Chartered IIA is running an intensive two-day exam prep workshop in London to support your studies. It will cover the whole CIA syllabus. Places are limited so book your place today.

Assurance on outsourced services
Join our next event which will ask how is assurance maintained when services are outsourced?

Date: Thursday 10 September
Time: 18:00 – 20:00, followed by refreshments
Venue: ACCA, 29 Lincoln’s Inn Fields, London WC2A 3EE
Fee: Free
CPD Units:

Topic overview
How is assurance maintained when services are outsourced? Paul Blantern – chief executive of Northamptonshire County Council – has overseen the outsourcing of all the Council’s services including internal audit. Paul will talk about what he has done, why, and how he gets assurance on commercial delivery and contract management. 

Speaker
Dr Paul Blantern has been chief executive officer of Northamptonshire County Council since March 2010. Paul started his career in the private sector, rising to become managing director of a commercial arm of Severn Trent plc. He has worked with a number of major utility, business and public sector clients, delivering significant improvements through a range of projects at a strategic level, including company creations, de-mergers and large scale re-engineering projects, including the creation of Network Rail. 

Paul has brought this innovative approach to the public sector. During his tenure at NCC, he instigated and was the first MD of the council’s innovative shared services partnership with Cambridgeshire County Council known as LGSS which is now one of the largest in the country. 

Paul has overseen the creation of Olympus Care Services Ltd, the impending launch of breeze-e.com, as well as the complete transformation of many council services. For example, LibraryPlus now has all Northamptonshire libraries with seven day opening, significant increases in footfall and multi-use, including over 115 business start-ups from Enterprise Hubs during the last 12 months. 

Paul is Chair of the national library taskforce, ‘Leadership for Libraries’ on the future of libraries in England, looking to provide a strategic framework to help reinvigorate libraries and deliver the recommendations of William Sieghart's independent library review. 

This event is free but bookings must be made in advance.

 

Online learning opportunities
Take advantage of our online learning opportunities this summer.

This August’s* offer from accountingcpd.net lets you:

Buy one IFRS online CPD course and get 10% off*
Buy two IFRS online CPD courses and get 20% off*
Buy three or more IFRS CPD online courses and get 30% off*


(*please use the relevant promotional codes on the accountingcpd.net website; offer expires 31 August)

Microsoft Office Specialist 
Do you want to increase your employability and differentiate yourself in today's competitive job market? Or maybe you are looking for a productive and flexible approach to meeting your annual CPD requirements?

The 15 hours of online video training offers 100s of tips and techniques allowing you to increase efficiency and productivity in your day-to-day Excel use, plus there is the exciting opportunity to gain the official MOS – Excel certification for your CV – all at a discounted ACCA member rate!

Microsoft Office Specialist – Excel 2010

Microsoft Office Specialist – Excel 2013

The productive and flexible approach to meeting your annual CPD requirements!

 
Sector specific learning bundles
New sector specific learning bundles from BPP and accountingcpd.net:
 

Oil and gas bundle – 22 hours of learning for £299

Oil and gas bundle – 11.5 hours of learning for £195

Oil and gas bundle – 6 hours of learning for £99

Support for the oil and gas sector – 21 hours of learning for £262.50

RESOURCES
Frauditing webinar available on demand
Watch our recent webinar on frauditing now.

ACCA UK’s Internal Audit Network Panel recently organised a webinar on ‘Frauditing for internal auditors’. 

A panel of three experts from CIFAS, NHS Protect and Grant Thornton explored the fraud landscape, and the webinar is available on demand.

An overview of the event is summarised here.

 

Internal audit hub – a new resource for ACCA members
ACCA’s new hub for members working in internal audit has many benefits.

The internal audit hub provides resources for those wishing to learn about internal audit, improve their technique or undertake CPD, and can help with the training of internal audit trainees. 

It contains a section called ‘learning about internal audit’ and its aim is to supplement the International Standards for the Professional Practice of Internal Auditing with articles and guides that are easy to read and outline what internal auditing is like in practice and the pitfalls that often arise. 

This resource – which is broken down further into sections for beginners, the management team, and the audit committee – can help you learn about internal audit or improve your technique, provide you with CPD, or assist in the training of a staff member on internal audit. 

The hub also has podcasts of events that our Internal Audit Network has held as well as further sections on ‘auditing specific risks’ and ‘auditing in different industries’. 

Access this new resource now

 

Guide to working with other assurance providers

Our latest internal audit practitioner guide helps explain how to work with other assurance providers.

ACCA UK has produced a series of Internal Audit Practitioner Guides which can be found in the new internal audit hub. These guides are easy to read and outline what internal auditing is like in practice and the pitfalls that often arise. 

Our latest guide is on how to work with other assurance providers