siks smart auditing elsas
DESCRIPTION
Contribution to Smart Auditing PhD courseTRANSCRIPT
Philip ElsasComputationalAuditing.com
Vught, The Netherlands October 5-6, 2010
Dutch Research School for Information and Knowledge Systems (SIKS)2010 Advanced Course on Smart Auditing
Part I - Smart Auditing: an auditor (historical) perspective
Part II - New risk control mechanisms
ComputationalAuditing.com
Introduction• Since 2003: Company - Canada, Netherlands
• 1988-2003: Deloitte. with ’97-’99 intermezzo at Bakkenist Management Consultants, sold to Deloitte.
• 1990-1996: PhD Computational Auditing
- Principal, chief architect & inventor of Smart Audit Support - Smart Audit Support: since 1994 key in Deloitte’s worldwide audit practice. Currently integrated in ‘The Deloitte Audit’- System blueprint in chapter 5 of …
- PhD in Mathematics & Computing Science on Financial Auditing - In parallel to Smart Audit project, 30% part-time, Vrije Universiteit- Directly after appearance awarded with the biennial Alfred Coini Prize for the best publication in Auditing
Offering software and consultancy services to innovateaudit practices and audit software firms
2
The Dutch Tax Office used Computational Auditing in 2001-2003 as frame of reference to compare Big 4 planning and decision-support models & systems to investigate how to improve audit productivity (57 page report); considers Smart Audit Support ‘leader of the pack’
ComputationalAuditing.com
Organizational Context
Why is Auditing an interesting Domain for SIKS: the Dutch Research School for Information and
Knowledge Systems? And, why now?
• Auditors pass judgment on SIKS systems
3
• In doing so, auditors use their own SIKS systems
Information & Knowledge
Systems
Internal & External Auditing
• Dutch auditing embodies unique & wanted (that’s new) concepts; need smart digital support to internationalize
ComputationalAuditing.com
Agenda
• Part II - New risk control mechanisms
4
• Part I - Smart Auditing: an auditor (historical) perspective
ComputationalAuditing.com
What connects part I & II? 5
Owner-ordered auditing:dominating and integrating with management-ordered auditing
• Quantitative: completeness of management’s stated profits
• Qualitative: assess irreplaceable internal control to secure actions of agents
• assess what? long-term incentive & authorization structure• how? segregation of duties serving long-term owner interest
• Supercycle: client’s top-level business process
• from mental model to process model• unifying quantitative and qualitative
Why, and how, the present financial crisis is driving owner-ordered auditing core concepts out of a local past and into a global future
ComputationalAuditing.com
Part I
Smart Auditing: an auditor (historical) perspective
7
ComputationalAuditing.com
Abstract
Part I - Smart Auditing:
an auditor (historical) perspective • What originated the audit profession? Which mainstreams of international evolution can be distinguished?
8
• How were methods of the owner-ordered audit and management-ordered audit combined into an integral two-way audit approach? How has computational formalization been blended in?
• With special attention to the evolution of the theoretical- deductive Dutch audit doctrine and its connection to mathematics. As opposed to the practical-inductive Anglo-American audit approach.
• Why and how the originally Dutch, formalized two-way audit approach evolved into the world's strongest 'business process'-oriented audit approach. Enabling powerful audit analytics, impossible with old-style approaches.
ComputationalAuditing.com
Agenda Part I - Smart Auditing:
an auditor (historical) perspective
• 1840 - 1930: “The early years: pragmatics (UK, US, Dutch)”
• 1930 - 1990: “Developing a model-based theory (Dutch)”, with a presentation by Prof. J.H. Blokdijk RA
9
• Addressing today’s challenge: “How to improve the audit profession’s
relevancy to society (international)”
• 1990 - today: “Computational formalization of model & meta-model (outsiders)”
• Motivation & how today’s audit challenge directs a historical selection
ComputationalAuditing.com
10
Points made by Frank Partnoy:
Motivation
Why now? Relevancy
Roosevelt Institute, March, 2010
US$ 600,000 Billion derivatives isn’t visible
on balance sheets
“Abusive off-balance sheet accounting”
“Another F-word: Fiction”
Solution direction: “Make information
available to investors”
diagnosis
remediation
ComputationalAuditing.com
11
Points made byRick Bookstaber:
MotivationWhy now? Relevancy
U.S. House of Representatives, Committee on Science and Technology,
Subcommittee on Investigations and Oversight,Sept. 2009
Derivatives & markets: leverage, crowding & linkages
Oversight solution direction: “Get the data”
“Shareholders are [only] silent partners within the corporation”
Auditor’s attention point: reliability of the data
“I don’t think – I don’t mean to be cynical – but I don’t think
that leadership within a financial firm can overcome the incentives that exist”
Inside solution direction: “Long-term incentives”
“Gaming the system”
ComputationalAuditing.com
12Motivation Why now? Relevancy Prolonged “License to gaming the system”:
“Moral hazard is worse than ever”
“Wall Street's role in Greek crisis should be no surprise”, Allan Sloan, with ref. by Tom Nierop in public debate on accountant.nl, 2010
“Four Weeks that Shook the Financial World”, Edward Harrison: “Moral hazard is worse than ever”, tvo.org, 2009
Regulatory capture in the financial industry,Bob Hoogenboom & Jules Muis on accountant.nl, 2009-2010
Moral hazard in the audit profession: every crisis leads to more audit work, “Catch-22 accountancy”, Bob Hoogenboom, accountant.nl, 2010
Out of which money pot does a bailed-out banker – e.g. of AIG (And It’s Gone) –
loves to pay its lobbyists?
Indeed, out of the no-strings-attached TARP (To Avoid Regulating Politicians) pot!
ComputationalAuditing.com
13
The notes have not been and will not be registered under the United States securities act of 1933, as amended (the 'securities act'), or the securities laws of any state in the United States, and are subject to US tax law requirements. The notes may not be offered, sold or delivered at any time, directly or indirectly, within the United States or to or for the account of U.S. persons (as defined in either regulation s under the securities act or the United States internal revenue code of 1986, as amended).
In making an investment decision, investors must rely on their own examination of the issuer, the guarantor and the terms of the offering, including the merits and risks involved. These notes have not been recommended by any United States federal or state securities commission or regulatory authority. Furthermore, the foregoing authorities have not confirmed the accuracy or determined the adequacy of this document. Any representation to the contrary is a criminal offence.
This red flag was attached to Lehman’s toxic products, and not only Lehman’s, and was timely and publicly raised by American government and subsequently ignored by European financial oversight & most European financial institutions, see: “Hebben toezichthouders onmacht deels
zelf veroorzaakt?” (Dutch only), with ref. to Rutger Schimmelpenninck, liquidator of the Lehman Brothers Treasury, leading to questions asked in Dutch parliament, accountant.nl, 2009
Motivation Why now? Relevancy Directing the “License to Gaming”
“House of Cards”, Canadian Broadcasting Corporation (CBC), Fifth Estate, 2010, highlights US government’s knowledge built up in the 2002 law suits
Compare “tone at the top” by appointments:
résumés of Mark Carney & Nout Wellink
& compare bail-outs“Subprime primer”
ComputationalAuditing.com
14Today’s audit challenge No.1
International Federation of Accountants (IFAC), “Financial Reporting Supply Chain”
“Shareholders should more actively pursue their ownership
responsibilities” & “Align managerial behavior with
the interests of the owners”, Jane Diplock, 2010
European Commission, “Corporate governance in financial institutions and remuneration policies”, green paper, June 2010, § 3.5 “The role of
shareholders”
“ … lead to the abstraction, or even disappearance, of the concept of ownership normally
associated with holding shares” & footnote 18
General questions 5 & 3: “How to practically improve
shareholder control of financial institutions, if still realistic?” & Necessary reinforcements for
the external auditor
Gaspar et al. “Shareholder Investment Horizon and the Market for Corporate Control”
“Shareholders have little to say in the USA” &
“Push legislators for statutory duty of care to investors, and
get over the Caparo ruling (UK)”,
David Webb, 2010
ComputationalAuditing.com
15Today’s audit challenge No.2
International Federation of Accountants (IFAC), “Financial Reporting Supply Chain”
“Moving forward, national accountancy organizations should be charged with inventorying, bottom up, systemic disconnects that are difficult to voice for individual audit firms fearful of offending clients, and synthesizing them in an anonymous fashion.”, Jules Muis, 2010
See: “Preparing for an Audit Mandate to Contribute to Systemic Risk Anticipation”, ‘de Accountant’ & accountant.nl, 2009, with follow-up in 2010
Connecting ‘micro’ to ‘macro’
Rick Bookstaber’s Congressional testimonies on:
- Hedge Funds, 2009- Derivatives, 2009
- Systemic Risk, 2008 & 2007
“My concern is that they are making themselves irrelevant.”Steven Thomas about auditors,
based on the E&Y - Lehman case, 2010
See Royal NIVRA project “Sharing Knowledge” (“Kennis Delen”), NIVRA.nl
with a requested comment on the new financial legislation
for derivatives, June 2010
ComputationalAuditing.com
16
Today’s challenges
“Thus, the most important factor is society’s needs, and the related factor that interacts with it is the ability of auditing methods to meet society’s needs.
However, society’s needs are not fixed and change over time.
Also, auditing methods can change and improve over time.”
Douglas Carmichael, First and Founding Chief Auditor of thePublic Company Accounting Oversight Board (PCAOB), with reference to the Theory of Rational Expectations by
Th. Limperg Jr. (1879-1961) in “The PCAOB and the Social Responsibility of the Independent Auditor”, 2004
Th. Limperg Jr.
ComputationalAuditing.com
ComputationalAuditing.com
18
Financial institutions are exposed to more moral hazard than ever before. Why not measure systemic risk while it’s building up? Why not introduce preventive measures to reduce built-up?
Addressing today’s challenge no.2
A newborn, powerful preventive measure is the Royal NIVRA’s ‘Sharing Knowledge’ project, with supportive technology.
The auditor is positioned to attest whether internal controls and incentives are in place to provide data of adequate reliability.
A reliability emphasizing long-term ownership interests.
Anything better to neutralize management’s exposure to moral hazard than the owner-ordered audit?
Individual financial institutions might each be free of an internal systemic risk, while, as a collection, they may induce an external systemic risk. This occurs when a lot of institutions take a similar position, while the other side is not sufficiently covered. Loosely speaking: too many are on the same side of the ship, without them being able to see one another. The auditor is a pre-eminent party to make such accumulated systemic risk visible. It’s a party that is able to aggregate information into systemic risk indicators - or to certify the therefor required reporting channel - while taking professional care of confidentiality issues.
See: ‘de Accountant’, April 2010
ComputationalAuditing.com
Agenda Part I - Smart Auditing:
an auditor (historical) perspective
• 1840 - 1930: “The early years: pragmatics (UK, US, Dutch)”
• 1930 - 1990: “Developing a model-based theory (Dutch)”, with a presentation by Prof. J.H. Blokdijk RA
19
• Addressing today’s challenge: “How to improve the audit profession’s
relevancy to society (international)”
• 1990 - today: “Computational formalization of model & meta-model (outsiders)”
• Motivation & how today’s audit challenge directs a historical selection
ComputationalAuditing.com
1840 - 1930: United KingdomThe auditing profession originated in the second half of the nineteenth century in the United Kingdom. This development was mainly caused by the trade unrests during the 1810’s and the subsequent intensified Industrial Revolution.
Technological developments caused an increase in investments and major changes in financial markets and organisations (i.e., a separation between ownership and management). Many companies were formed during this period; as a consequence of depressions and bankruptcies, the demand for independent audits of financial information grew.
So, generally speaking, British auditors became involved in corporate activity through the need to audit bankruptcy statements, as company failures were a common feature of early industrial activity.
As a consequence, in 1844 for the first time stockholders obtained the right to audit the company accounts as prepared by management (Statutory Audit Requirement, The British Joint Stock Companies Act, 1844).
20
Based upon “Reflections on Auditing Theory”,
Hans Blokdijk et al., Limperg Institute, 1996
ComputationalAuditing.com
ComputationalAuditing.com
1840 - 1930: United States of America (1/2)
At the end of the 19th century, industrial growth also led to an increase in the demand for capital in the USA.
As a result, it became necessary for many companies to seek capital from abroad; the main source was the United Kingdom.
British investors required an audit of the financial reports by independent (British) auditors, which – unsurprisingly – led to an increase in the demand for independent auditors' opinions on reported financial positions in the United States (Littleton & Zimmerman, 1962).
In the early stages of the development of the profession, it was very important for the auditors to satisfy the specific requirements of management.
22
Based upon “Reflections on Auditing Theory”,
Hans Blokdijk et al., Limperg Institute, 1996
ComputationalAuditing.com
Until approximately 1930, the demand for audits by management, bankers and potential stockholders existed in the United States to support investment decisions and to investigate fraud.
Because the auditor was engaged to perform these specific investigations by management, instead of stockholders, auditors' attitudes became relatively client-oriented, thus management-oriented, instead of oriented towards stockholders or potential stockholders, thus society as actual users of the financial statements (the actual, ultimate client).
To attract British investment capital (‘US new style capitalization’), or to be able to get a bank loan (‘US old style capitalization’), US company management increasingly ordered an independent opinion: to improve credibility of the existence of their stated net equity and net profits.
This audit objective is known as auditing for overstatement of net profits and stockholders’ equity.
23
1840 - 1930: United States of America (2/2)
Based upon “Reflections on Auditing Theory”,
Hans Blokdijk et al., Limperg Institute, 1996
ComputationalAuditing.com
Who are owners?24
Who is management?
• Private equity vs. operational management
• Public raised equity vs. operational management
• Franchisor vs. franchisee
• Pension fund participants (contributors, ‘sleepers’ & receivers) vs. pension fund (‘mothered’ by company, industry sector, or none; defined benefit vs. defined contribution)
• Private equity firm vs. buyout (e.g. short term ownership)
• Patent or revenue rights holder vs. exploitation company
• Software developer vs. selling company (e.g. Apple store)
• Tax offices vs. tax payers (companies and others)
ComputationalAuditing.com
1840 - 1930: The Netherlands (1 of 3)
Contrary to the Anglo-American historical evolution, auditing in the Netherlands initially focused on meeting the requirements of owners and others who were entitled to the profits of an entity.
An important cause was the fact that, for a relatively long period of time, economic growth in the Netherlands was financed by equity capital (‘NL old style capitalization’) as opposed to loan capital in the USA (‘US old style capitalization’).
Moreover, raising new capital in public markets was not promoted by bankers, who were slow to adapt to the rapid developments in the business community during the 1920’s. Their so-called 'house' bankers encouraged the Dutch companies to borrow from them or to finance their operations by retaining earnings (‘NL new style capitalization’), instead of issuing stock or bonds on the capital market (Zeff, Van der Wel & Camfferman, 1992, p.352).
25
Based upon “Reflections on Auditing Theory”,
Hans Blokdijk et al., Limperg Institute, 1996
ComputationalAuditing.com
In the Netherlands, the primary reason for the origin of the independent audit was the creation of the division between management and ownership.
The theory of the independent audit was based on the insight that a potential conflict of interest exists between the management of an entity and its owners (stockholders).
It was understood that the stockholders demand that revenue be recorded completely and expenses be recorded correctly, as the difference, net profit, is the basis for their dividends and the value of their stock.
On the other hand, management might be motivated towards not reporting all of the revenue or create fake expenses or overly high expenses or bonuses. This would enable them to smooth income or withdraw the unreported revenue or faked expenses, or inflated parts of the expenses, for themselves (fraud).
261840 - 1930: The Netherlands (2 of 3)
Based upon “Reflections on Auditing Theory”,
Hans Blokdijk et al., Limperg Institute, 1996See:
challenge no. 1 slide 14 & 17
ComputationalAuditing.com
In other words, the independent audit in the Netherlands originated from the need to verify the accounting of the funds entrusted to management of an entity on behalf of those who had a direct financial interest in the results of the entity. It should be emphasized that these not only included the stockholders, but also other stakeholders, and, of the utmost importance, potential stock- and stakeholders, that is, society at large.
As a consequence, Dutch auditors turned their attention primarily to management's tendencies to understate revenues or overstate expenses in the income statement.
This focus is known as auditing for understatement of net profits, or, articulated one spade deeper, completeness of revenues and correctness of expenses.
271840 - 1930: The Netherlands (3 of 3)
Based upon “Reflections on Auditing Theory”,
Hans Blokdijk et al., Limperg Institute, 1996
The very fact that the owner-ordered audit encloses a substantiated focus on ‘society at large’, is key in recognizing
the suitability of this tradition in preventing that society ends up being
owner of last resort in company bail outs
ComputationalAuditing.com
1840 - 1930: Two Main Ways of Audit28
Owners
Management
Potential
Owners
Management-ordered audit, to attract new investors:
Money inflow for management:
Money inflow for owners:
Owner-ordered audit, to check management:
to increase credibility that profits aren’t
UNDERstated: that no revenues are missing& expenses (e.g. bonuses)
aren’t too high
to increase credibility that profits aren’t OVERstated: that stated profits are real, and not
(partly) fake
maximize equity
long-term ROI
ComputationalAuditing.com
Owner-ordered audit: an example29
Your client is a hotel franchisor. With lots of franchisees. The franchisor wants assurance that each franchisee, the operational hotel management, isn’t making money on rooms and not report it. What method substantiates the assurance you provide to your client?
The Ritz-Carlton Investing Company was established by Albert Keller, who bought and franchised the name in the United States. In 1927 he built the first Ritz-Carlton hotel in Boston, Massachusetts
ComputationalAuditing.com
Agenda Part I - Smart Auditing:
an auditor (historical) perspective
• 1840 - 1930: “The early years: pragmatics (UK, US, Dutch)”
• 1930 - 1990: “Developing a model-based theory (Dutch)”, with a presentation by Prof. J.H. Blokdijk RA
30
• Addressing today’s challenge: “How to improve the audit profession’s
relevancy to society (international)”
• 1990 - today: “Computational formalization of model & meta-model (outsiders)”
• Motivation & how today’s audit challenge directs a historical selection
ComputationalAuditing.com
1930-1990: Branching scientific approaches
Dutch evolutionary
branch
Anglo-Americanevolutionary branch
practical-inductive
theoretical-deductive
Audit policies, methods and standards follow from considering a lot of performed audits; empirical
Audit methods evolve from
client’s business process, i.e. a
normative model
31
Originally only a mental process model; later, due to formalization, supported by
an executable process model1840-1930 foundation
management-ordered audit:
overstated profits
1840-1930 foundation owner-ordered audit: understated profits
ComputationalAuditing.com
32
1930 - 1990: Branching approaches
• The owner-ordered audit tradition integrates the approach of the management-ordered audit, leading to an integral two-way audit approach (Dutch only)
- Theoretical-deductive on normative models, with mainstays:• Auditee’s top-level business process• Accounting Organization / Internal Control (AO/IC)
- Integral evolution of theory, practice & education; over full period; culminating into theory connecting to process math
• The management-ordered audit tradition gets government intervention (USA, 1930’s), and moves forward by setting audit standards
- Practical-inductive: early standards prescribe specific procedures, later evolving into more generic guidance - Recognition of missing a method to substantiate complete- ness of revenues: ‘Completeness: the Elusive Assertion’
• Whittington, Zulinski & Ledwith, 1983• Leslie, Aldersley, Cockburn & Reiter, 1986; Cockburn, 1987
ComputationalAuditing.com
Introduction Prof. J.H. Blokdijk RA
• Nestor of Dutch auditing discipline
• Inventor ‘irreplaceable internal control’ concept
• Emeritus auditing professor (VU & Nyenrode)
• Partner KPMG, member National Office
• Commissioner Royal NIVRA
33
ComputationalAuditing.com
34Annual company accounts
ComputationalAuditing.com
Contribution by Prof. J.H. Blokdijk RA35
On the basis of the previous slide I may explain the Dutch approach to substantive auditing. Starting point is the completeness of revenue from sales: if sales appear to be recorded completely, the sum of receivables and cash receipts have also been recorded completely: double-entry bookkeeping! No understatements! But receivables and cash are subsequently audited for overstatements; if these appear not to have occurred, revenue from sales cannot have been overstated either. So debit balances are being audited for overstatements, and credit balances for understatements.
The same goes for expenses and liabilities. The latter are audited for completeness, and expenses for overstatements. If no irregularities are found, expenses have also been completely accounted for, and liabilities do not contain non-existing debts.
In practice, there are, of course, complexities and technicalities to deal with in this approach, but the principle just outlined is the basis.
So there is no need to audit any item, whether in the balance sheet or in the income statement, both for under- and overstatements. This is highly efficient; it is my impression that this is not being fully recognized in the International Statements on Auditing.
ComputationalAuditing.com
Contribution by Prof. J.H. Blokdijk RA36
Dutch auditors have also given thought to something called ‘auditability’. For the audit of ‘assertions’ in the books the auditor should have ‘evidence’, especially for auditing for overstatements. An important source is: documents. But an invoice from a supplier is not sufficient in itself: the supplier may have overstated the price and/or the amount of goods purportedly delivered. The invoice should be reviewed and authorized internally. Here is where ‘internal control’ comes in.
Performance of internal controls in that stage should normally be evidenced in some form, by stamps, initials on a voucher, and the like. The control should be performed by the appropriate employee: the system should provide for an adequate segregation of duties. Evidence of performance should include the identity of the employee.
But how conclusive is that evidence? International Standards on Auditing mention several inherent limitations of internal control, such as human error, circumvention of internal controls through collusion, and management override. In performing tests of control, can the auditor detect this? This would only be possible if the auditor were able to repeat performing the internal controls involved.
ComputationalAuditing.com
Contribution by Prof. J.H. Blokdijk RA37
The problem can be illustrated with the following example. It involves invoices for goods or services received. It does not yet deal with the circumstance that many internal controls in this stage are no longer evidenced in visible form, but are embedded in the automated systems.
Regarding those invoices, the auditor can easily reproduce the computation of the final amount and of a sales tax amount included in it. Reproducing the internal control on the price invoiced is more difficult: it may be in agreement with a price list from the supplier that the auditor may consult, but employees in the purchasing department are paid by the employing entity to obtain a better price. The difference may partly or wholly end up in their own pockets by way of the infamous kick-backs. Only a thorough knowledge of that particular market would enable the auditor to uncover such a defalcation; as he/she cannot be expected to have such expertise on all the markets where his/her clients do business, he/she must rely on the system of internal control.
ComputationalAuditing.com
Contribution by Prof. J.H. Blokdijk RA38
Similar considerations apply to the receipt of goods and the performance of services. Some goods could be traced afterwards, though that may be highly impractical. Most office supplies, however, are simply used up, and as to services, it is virtually impossible to ascertain that the windows actually have been cleaned if the audit takes place three months after. For the most important aspects of those purchases, the auditor cannot do much more than look for evidence of the performance of internal control.
So, there are internal controls that cannot be reproduced by the auditor. The issues raised by this circumstance have been explored extensively in Dutch auditing literature. The best English translation I have been able to find for this type of internal controls is: 'non-reproducible' internal controls (in Dutch: “onvervangbare interne controle”).
Sometimes, investigative techniques designed to overcome the restrictions outlined above, do exist, but an independent auditor is not allowed to use them. An example is the situation in which an auditor has suspicions about a credit note purportedly granted by his/her client to another company audited by a partner of his/her own audit firm. The professional rule of confidentiality does not permit the former auditor to consult the latter on this document.
ComputationalAuditing.com
Contribution by Prof. J.H. Blokdijk RA39
‘Non-reproducible’ internal controlsEven though there are internal controls that can be reproduced, such as those
involving arithmetical operations, the most important ones often cannot be reproduced. The fundamental causes have been categorized as follows:
(1) expertise: the auditor cannot possibly acquire sufficient expertise to form, entirely by himself, a conclusive opinion on all the technical and/or commercial events that are to be reflected in the financial statements (e.g., product yield rates, purchase prices);
(2) presence: the auditor cannot possibly be continuously present on the client's premises in order to ensure the completeness of the recording of transactions and (relevant) events; apart from economic considerations, this is unacceptable in that it would jeopardize the client's and/or the auditor's independence; and
(3) inadmissibility of investigative techniques: the independent auditor is not entitled to use certain techniques that are available to government auditors (such as informing other government auditors about other taxpayers), or that may be used by police authorities (such as wiretaps, search of private premises and the like).
ComputationalAuditing.com
Contribution by Prof. J.H. Blokdijk RA40
So what should auditors do about ‘the system of internal control’? Firstly, they should evaluate the design of the system. Especially important is the segregation of duties; e.g., no single person should be able to authorize payment of invoices, and persons charged with the authorization of separate elements (quantity, quality, prices) of invoices should not have an interest in collusion with each other, or with suppliers or other parties outside the auditee.
In order to better evaluate the design of the internal control system, dr. Elsas has developed a very promising automated technique, which he will be glad to further explain.
ComputationalAuditing.com
41Owner-ordered audit concepts & methods: ‘Crown jewels’
• Supercycle concept– client’s top-level business process model– typology of supercycles
• Mainstays of supercycle-based audit method – qualitative: AO/IC in design, implementation & operation, focusing on irreplaceable & indispensable internal control– quantitative: spanning reconciliation checks, or,
alternatively phrased, comprehensive coherence
testing
• Limperg’s theory of rational expectations
Unfortunately, hardly translated into English, except for Limperg’s theory, in the 1970’s.In the public domain only Blokdijk et al. ‘96, and Elsas ‘96.
ComputationalAuditing.com
42Supercycle: top-level business process
Schmalenbach (1929), Limperg (1926, 1930’s), Abr. Mey (1936), Burgert (1957), Starreveld (1962, 1980’s), Frielink (1980’s), Blokdijk (1975), Veenstra (1972, p.41)
Bu
y S
ide S
ell S
ide
Inside (cost price)
Sell priceBuy price
A rectangle represents a state, a balance sheet item
A circle represents a (trans)action, an activity, a mutation to connected
states
‘Soll’ (To Be) &‘Ist’ (As Is) modalities
ComputationalAuditing.com
Law 1. Rational relation between consumed resources & produced products and/or services:
per type of products or services (categorized) with a cost price based on activity in the supercycle (Limperg,
ABC, …)
Alternatively phrased, normative relation between: generated margin &
frequency of business transactions
Supercycle-based Auditing Laws 43
Starreveld et al. & Frielink et al. “De wet van het rationeel verband tussen
opgeofferde en verkregen zaken” &“De wet van de samenhang tussen
toestand en gebeuren”, the BETA formula
Begin - End + Inflow - Outflow = 0,
Gross Margin = Sales price - Cost price, Replacement Cost Accounting
Activity Based Costing
Law 2. Rational relation between states at time points & mutation streams over the enclosed time period:
per state except: Money > 0
ComputationalAuditing.com
Supercycle-based auditing,model-based auditing
…
44
Begin End
Purchase price
Sales price
Buy transaction
Money buffer
Goodsbuffer
Sell transaction
What happened in between? What is the normative relation?
ComputationalAuditing.com
Supercycle-based auditing
45
10,000’s man years of conceptualization and abstraction, integrated with
proof in practice, over decades
Worldwide recognized high quality audit
education: 3-years post-Master
Integrating owner-ordered audit method
& management-ordered audit method
into two-wayaudit approach
Traditional Dutch audit education literature,
Frielink et al.
Mathematical framework: system of
linear equations,
based on the BETA-formula
World’s scientifically
strongest audit approach, due to its
mathematical foundation
How the spanning reconciliation checks,
based on spanning equations, relate to
the supercycle
Superbly suited for powerful
computational support
ComputationalAuditing.com
ComputationalAuditing.com
Accounting Organization / Internal Control (AO/IC)
47
The Accounting Organization (AO) can be envisaged as the information infrastructure of an organization, as it is formed by:(i) the organization’s Information System, and,(ii) the procedural embedding of this Information System into
the organization, e.g. managerial and logistic control, judgment and decision-making.
The organization’s Information System is considered to embody all economical and financial information and information processing services required for both: (i) the functioning of, and control over, the surrounding
organization, and(ii) the rendering of account over that functioning, as is done
in the financial statements.
p.37
ComputationalAuditing.com
Accounting Organization / Internal Control (AO/IC)
48
The AO is the producer of the financial statements. Since error proneness in organizational production processes is inevitable, it necessitates control over this error proneness. For this purpose, a system of Internal Control (IC) is identified, whose goal is twofold, namely:(i) to secure trustworthiness of accounting information in the
organization, and,(ii) to control (potential) error in both accounting and business
operation.The IC can be considered the “immune system” of the organization, in particular the AO; i.e., immunity to error in an organizational context. AO & IC are not considered disjunct systems.
pp.37-39
ComputationalAuditing.com
Accounting Organization / Internal Control (AO/IC)
49
Internal Control (IC) consists of:(i) internal control measures, including organizational rules &
incentives structures, intended to be continuously present(ii) internal check & control activities, taking only a relatively
short amount of time, as compared to the audit period
pp.38-42
Internal control measures are refined into:(i) preventive protection of enterprise values(ii) preventive securing of actions of agents(iii) creation of opportunities for detective and corrective
check & control activities
‘Securing actions of agents’ is refined by restricting authorizations to different agents for:(i) actions directly changing values: intern, inflow & outflow(ii) actions involving no direct change of values
ComputationalAuditing.com
50
• Restrict every agent’s access to only a limited amount of links in the supercycle
• Impose non-coinciding, preferably opposite, agent interests; especially for, but not limited to, recording activities
• Avoid in one hand authorizations & duties of the following types:
Audit-technical segregation of duties
• Custodial
pp.43-46
• Directive• Operative• Recording• Checking
Potential risk: management overriding of internal control &mitigation methods from the owner-ordered audit tradition
The authorization restrictions to secure actions of agents involving no direct change of value, is refined into segregation of duties (SoD): audit-technical SoD & other SoD
Leading to powerful conceptualization: in particular securing of actions of agents, and ownership-oriented segregation of duties, thus including managerial duties from a critical point of view (!), therefore key in the irreplaceable and indispensable internal
control
See: challenge no. 1 slide 14 & 17
The owner-ordered audit tradition substantiates the concept of internal control from the perspective of the owners’ original and authentic long-term interests
ComputationalAuditing.com
51Supercycle & AO/IC
The owner-ordered tradition introduces the concept of a quasi-goods stream for bonus rights – integrated within the regular stream of goods and services (see diagram) – allowing for an integral assessment of the authorization and incentive structure,
as key component of the irreplaceable and indispensable internal control
Here we’re in a smart auditing course, which may raise the question “Is there dumb auditing?”
See: challenge no. 1, slide 14 & 17
ComputationalAuditing.com
52
1. Control measures vs. check & control activities
2. Preventive, detective & corrective
5. Irreplaceable vs. replaceable; indispensable
Accounting Organization / Internal Control (AO/IC)
4. First-time recording vs. using existing recordings
6. Preventive securing of actions of agents vs. values; check point
7. Direct change of value vs. no direct change of value; outside
8. Segregation of duties; audit-technical vs. business-economical
pp.38-43
3. Design, implementation & operation
ComputationalAuditing.com
Owner-ordered audit: an example53
Your client is a beer brewing company. Delivering to retailers, pubs and events. When delivering to an event it’s commonly as a sponsor. The brewery wants assurance that the operational management of the event isn’t making extra money with their beer and not report it. What method substantiates the assurance you provide to your client? Hint: span & reconcile information over buy side & sell side.
Haarlem beer barrel race, 2009, event sponsored by beer breweries
ComputationalAuditing.com
Agenda Part I - Smart Auditing:
an auditor (historical) perspective
• 1840 - 1930: “The early years: pragmatics (UK, US, Dutch)”
• 1930 - 1990: “Developing a model-based theory (Dutch)”, with a presentation by Prof. J.H. Blokdijk RA
54
• Addressing today’s challenge: “How to improve the audit profession’s
relevancy to society (international)”
• 1990 - today: “Computational formalization of model & meta-model (outsiders)”
• Motivation & how today’s audit challenge directs a historical selection
ComputationalAuditing.com
Computational formalization, with fullycontinued, proven & improved software base
55
• 1990 - 1996: Initiated in Smart Audit Support project collaboration between Deloitte and faculty of Math & Computing Science of Free University of Amsterdam, ignited by sampling support system for the Dutch practice (’88-’90), based on adapted TMYCIN sources
• 1997 - 2002: Continued in process-based costing project, facilitating end-user tooling to specify and analyze enterprise-wide process model diagrams; at Bakkenist Management Consultants for privatizing Dutch Post Office in its merger with TNT. In collaboration with the faculties of Math & Computing Science of Amsterdam & Eindhoven
• 2003 - today: Continued in ComputationalAuditing.com with example formalizations & applications in Part II: New risk control mechanisms
ComputationalAuditing.com
ComputationalAuditing.com
Smart Audit Support’sdocument index related toDeloitte’s International Audit Approach(1990’s)
p.336
57
PERFORM PRE-ENGAGEMENTACTIVITIES
Assess Engagement Risk
Establish Terms of Engagement
Perform Preliminary Analytical Procedures
Understand the Client's Business
Understand the Accounting Process
Determine Planning Materiality
Develop Client-Service Objectives
Understand the Control Environment
Assess Risk at the Account and Potential-Error Level
Rely on Controls ? Control Reliance Strategy ?
Identify ControlsIdentify Controls and,if Efficient, Establisha Rotation Plan
Test Controls
Perform FocusedSubstantive Tests
Perform Basic Levelof Substantive Tests
Perform IntermediateLevel of
Substantive Tests
Evaluate Results of Tests
Perform Financial Statement Review
Perform Subsequent Events Review
Obtain Management Representations
Report on Financial Statementsand Render Management Letter
PERFORMPRELIMINARYPLANNING
ASSESSRISK
DEVELOPAUDITPLAN
PERFORMAUDITPLAN
CONCLUDEANDREPORT
That Mitigate Risk
Specific Identified Risk No Specific Identified Risk
NO YES YES NO
p.62
All planning docs are smart forms
All planning docs are smart forms
All planning docs are smart forms
All planning docs are smart forms
All planning docs are smart forms
All planning docs are smart forms with built-in
Conditional Relevancy
Example audit pack
In addition to $200M yearly cost reduction ROI is:- Relevant Doc & Planning, no more no less- Comfortable & stringent way to get it
Yearly ROI guess: 20K man-yrs/yr x $10K cost reduction/man-yr = $200M
Deloitte’s approach
ComputationalAuditing.com
Process-based Cost Price: connector for stream of money and stream of goods & services
58
volu
me c
ost
pri
ce
spanning supercycle
Forecasted volumevs. realized volume
Planning & Control
The cost price captures the quantitative
relation between resource use &
produced products
Relating the stream of goods
and the stream of money, answering “What’s the gross
margin per product type?”,as required for
auditing the completeness
assertion
ComputationalAuditing.com
Agenda Part I - Smart Auditing:
an auditor (historical) perspective
• 1840 - 1930: “The early years: pragmatics (UK, US, Dutch)”
• 1930 - 1990: “Developing a model-based theory (Dutch)”, with a presentation by Prof. J.H. Blokdijk RA
59
• Addressing today’s challenge: “How to improve the audit profession’s
relevancy to society (international)”
• 1990 - today: “Computational formalization of model & meta-model (outsiders)”
• Motivation & how today’s audit challenge directs a historical selection
ComputationalAuditing.com
60
Match-making between ‘pull’ & ‘push’
Internationalize the owner-ordered audit method. This requires deep computational support. Why?
To minimize international, educational burden (3-years post-Master)
To streamline train-the-trainer, roll-out & getting ROI fast
• Improve the audit profession’s relevancy to society
Pull side
– Individual audit: ownership orientation (chall. 1)– Contribute to systemic risk mitigation (chall. 2)
Push side• R&D of supportive concepts and technology
Addressing today’s challenge
Part II
New risk control mechanisms
ComputationalAuditing.com
What connects part I & II? 62
Owner-ordered auditing:dominating and integrating with management-ordered auditing
• Quantitative: completeness of management’s stated profits
• Qualitative: assess irreplaceable internal control to secure actions of agents
• assess what? long-term incentive & authorization structure• how? segregation of duties serving long-term owner interest
• Supercycle: client’s top-level business process
• from mental model to process model• unifying quantitative and qualitative
Why, and how, the present financial crisis is driving owner-ordered auditing core concepts out of a local past and into a global future
ComputationalAuditing.com
Abstract
Part II - New risk control mechanisms
• The current financial crisis -- from bank balances to state balances -- challenges the audit profession to increase its societal relevancy
63
• How to contribute to preventing that aggregated positions of individual financial institutions accumulate into systemic risks?
• Why is the formalized two-way audit approach the best to address such actual and persistent questions? Why is co-operation between SIKS researchers and the auditing discipline opportune?
• Another driver for audit innovation is found in sustainability audits: Has no part of realized waste and pollution been left unstated? Alternatively articulated: How to audit the completeness assertion of stated financial impact of produced waste and pollution?
ComputationalAuditing.com
Agenda
Part II - New risk control mechanisms • Supercycle: interface between organization & auditor
• Jacquard project: “Next Generation Auditing”, 2010-2014, with a software demo by Jacques de Swart & Paul Griffioen
64
• Nexus micro-macro, consolidated
• Qualitative: internal control to secure actions of agents • Quantitative: “completeness, the elusive assertion”
• Financials: ‘incentives thread’ of owner-ordered audit• Sustainability: ‘completeness thread’ of owner-ordered audit
• Soll & Ist
• Public digital infrastructure for financial utility functions & to facilitate SWOOPs: Self Web-Organized Owning Parties
• Golden opportunity for the Netherlands
• Your questions
ComputationalAuditing.com
Supercycle: interface between organization & auditor
65
http://www.ComputationalAuditing.com/images/Kring.swf
1. Purchase2. Accept3. Sales4. Deliver & Collect5. Pay6. Collect
Process Steps
ComputationalAuditing.com
66
Soll: To Be, normative
Ist: As Is, representative
Soll & Ist modalities
ComputationalAuditing.com
Agenda
Part II - New risk control mechanisms • Supercycle: interface between organization & auditor
• Jacquard project: “Next Generation Auditing”, 2010-2014, with a software demo by Jacques de Swart & Paul Griffioen
67
• Nexus micro-macro, consolidated
• Qualitative: internal control to secure actions of agents • Quantitative: “completeness, the elusive assertion”
• Financials: ‘incentives thread’ of owner-ordered audit• Sustainability: ‘completeness thread’ of owner-ordered audit
• Soll & Ist
• Public digital infrastructure for financial utility functions & to facilitate SWOOPs: Self Web-Organized Owning Parties
• Golden opportunity for the Netherlands
• Your questions
ComputationalAuditing.com
ComputationalAuditing.com
ComputationalAuditing.com
Qualitative: Cake cutting70
Mathematics, game theory
How to use segregation of duties to let a group take care of getting an equal size of the cake for each member?
Indeed, one cutter and the others are choosers:1. Cutter cuts2. Choosers choose3. Cutter chooses
If we look closer, it’s not only about duties, but also about sequence & parallelism of duty involvement. Switch steps 2 & 3 and it won’t work anymore. Protocol design & verification?
Hint: use opposite interests to enforce fairness
ComputationalAuditing.com
ComputationalAuditing.com
ComputationalAuditing.com
73Qualitative Audit Analytics - SoD
X-Raying Segregation of Duties: Support to Illuminate an Enterprise’s Immunity to Solo-Fraud
Paper with two discussion articles, one by K. Matcham and one by R.S. Sriram, and with a response article, appeared as four separate articles together in
the International Journal of Accounting Information Systems, June 2008
Quote from the response article:
“Adequate SoD assessment and SoD design appears to be much more
complex than could have been assumed without this methodical analysis”
with thanks to P.M. Ott de Vries for discussing this quoted response
Introduces an algebraic analysis technique that takes a supercycle-based body of authorizations
as input, and delivers a complete linear basis that spans a space of singleton ‘black hole’
weak spots in the supercycle system of internal control, extensible from 1-agent, to 2-agent,
etc.
The concept of irreplaceable and indispensable internal control, especially segregation of duties and securing actions of agents,
as developed in the owner-ordered audit tradition, allows a rationally rigorous analysis method, impossible with the segregation of duties
concept from the management-ordered audit tradition
Method answering the question if a body of authorizations is free of opportunities for traceless embezzlement, without need to collude
Alternatively stated: Method locating who has too many authorizations in one hand creating a dangerous opportunity for traceless embezzlement, jeopardizing the integrity of financial statements
See: challenge no. 1
slide 14 & 17
ComputationalAuditing.com
Agenda
Part II - New risk control mechanisms • Supercycle: interface between organization & auditor
• Jacquard project: “Next Generation Auditing”, 2010-2014, with a software demo by Jacques de Swart & Paul Griffioen
74
• Nexus micro-macro, consolidated
• Qualitative: internal control to secure actions of agents • Quantitative: “completeness, the elusive assertion”
• Financials: ‘incentives thread’ of owner-ordered audit• Sustainability: ‘completeness thread’ of owner-ordered audit
• Soll & Ist
• Public digital infrastructure for financial utility functions & to facilitate SWOOPs: Self Web-Organized Owning Parties
• Golden opportunity for the Netherlands
• Your questions
ComputationalAuditing.com
ComputationalAuditing.com
Quantitative: Completeness by Spanning Reconciliation Checks
76
7) (A/R)B + Sales + TS – (A/R)E C/R
6) COGS + Gross Profit Sales
3) (Inv)B + P – (Inv)E COGS
2) C/D – (A/P)B + (A/P)E – TP P
1) (Cash)B + C/R – TO – (Cash)E C/D
8) (VAT)B + TS – TP – TO (VAT)E
- Cf. slide 34, part I: equation numbers, audit literature, etc.- Equation set is automatically generated from supercycle diagramSub-scripts ‘B’ and ‘E’ stand for Begin and End; C/R: Cash Receipts; A/R: Accounts Receivable; TS: value added Taxes received on Sales; COGS: Cost of Goods Sold; Inv: Inventory; P: Purchases during the period; A/P: Accounts Payable; TP: value added Taxes Paid on purchases during the period; C/D: Cash Disbursements; VAT: Value Added Taxes; TO: Taxes payment Outflow (with thanks to Raj Srivastava)
pp.244-265
Integrating owner-ordered audit
method (quantities in
boldface font on understatement & quantities in regular font on overstatement)
& management-ordered audit
method (just the reverse audit direction)
into two-way audit approach
ComputationalAuditing.com
Owner-ordered audit: an example 77
Your client, the hotel franchisor, with lots of franchisees, hears from an acquainted real estate agent that quite a lot of centrally located parking lots are (unofficially) rented to employees of nearby offices. What information can you use to offer your client the assurance that his franchisees don’t abuse his parking lots in such a way?
ComputationalAuditing.com
Agenda
Part II - New risk control mechanisms • Supercycle: interface between organization & auditor
• Jacquard project: “Next Generation Auditing”, 2010-2014, with a software demo by Jacques de Swart & Paul Griffioen
78
• Nexus micro-macro, consolidated
• Qualitative: internal control to secure actions of agents • Quantitative: “completeness, the elusive assertion”
• Financials: ‘incentives thread’ of owner-ordered audit• Sustainability: ‘completeness thread’ of owner-ordered audit
• Soll & Ist
• Public digital infrastructure for financial utility functions & to facilitate SWOOPs: Self Web-Organized Owning Parties
• Golden opportunity for the Netherlands
• Your questions
ComputationalAuditing.com
Jacquard project: Next Generation Auditing:
Data Assurance as a Service
79
• Project lead: CWI, the Dutch national Center of Mathematics & Computing Science, Paul Klint, Tijs van der Storm & Paul Griffioen
• Project partners:
• Project result: Domain-Specific Language (DSL) in Software as a Service (SaaS) architecture
http://www.cwi.nl/en/2010/1064/Software-engineering-researchers-and-audit-experts
• PricewaterhouseCoopers, Jacques de Swart & Mona Mashaie• The Dutch Tax Office, Marc van Hilvoorde• ComputationalAuditing.com, Philip Elsas
• Current project sketch: model-based audit support
ComputationalAuditing.com
Jacquard: key audit phases 80
1. Ist supercycle mining Extend process mining to focus on client’s top-level business process
2. Soll supercycle identification Identify Soll supercycle in Ist smart flowchart
3. Continuous auditing Confront a stream of business events to Soll, close-to-real-time
4. Collect, collate & aggregate deviations automatically
5. Publish deviation top-10 on interactive supercycle dashboard. Interface to query the enterprise. iPhone app
Next Generation Auditing: Data Assurance as a Service
ComputationalAuditing.com
Jacquard: project goals 81
1. Design and implementation of DSL for representing supercycle business models
2. Querying of models: Pacioli DSL
3. Visualization of models
Next Generation Auditing: Data Assurance as a Service
4. Parsing, extraction & analysis of business data
5. Interpretation & inclusion of business data in model
6. DSL for structured auditing interviews via interactive audit documentation (expert vs. engagement team)
7. Facilitating automatic generation of XBRL & XBRL Formula (Standard Business Reporting, SBR): XBRL for data, DSL for analysis
ComputationalAuditing.com
82
Input: event log with journals, e.g. SAP
Output: smart flowchart
Based on: “Towards a Computer-Assisted Audit Analysis of Business Processes: Process Mining as Tool for IT Auditors”, Maria Bezverhaya,Emiel Caron & Piet Goeyenbier, ‘de EDP-Auditor’, NOREA, 2009
Push signal from Technical University of Eindhoven, ProM, Fluxicon & Anne Rozinat
Pull signal from audit practitioners & IT audit educators, e.g. “Process Mining” by Mieke Jans & CARLAB, Rutgers, 2010
Computational Auditing: - focus on discovery of supercycle - framing stand-alone workflows- connecting to cost price theory:
- activity-based costing - process-based costing - supercycle-based costing
Phase 1: Ist supercycle mining
ComputationalAuditing.com
ComputationalAuditing.com
84
Identify Soll supercycle by excluding Ist flows, based on automatically identified candidate Ist flows
Based on: “Towards a Computer-Assisted Audit Analysis of Business Processes: Process Mining as Tool for IT Auditors”, Maria Bezverhaya, Emiel Caron & Piet Goeyenbier, ‘de EDP-Auditor’, NOREA, 2009
D
A
C
B
Push signal from Technical University of Eindhoven, ProM, Fluxicon & Anne Rozinat
Apply constraints to check if remaining model is a valid Soll
Phase 2: Identify Soll in Ist
Analyzing 3232 cases, classi-fying casualties (red arrows):A. Invoice receipt without prior approval (2537x)B. Approval acquired after pur- chase completion (261x)C. Purchase order established for rejected request (9x)D. Handled order status skip- ping receipt (875x), etc.
Design-time workflowvs. run-time workflow
Pull signal from audit practitioners & IT audit educators, e.g. “Process Mining” by Mieke Jans & CARLAB, Rutgers, 2010
ComputationalAuditing.com
85
Scientific foundation: rationally rigorous. With mathematical & computational formalization.Superbly suited for the digital age. Recognized as such in accelerating pace. Easy by new tech
Top-cycle: normative backbone of the ‘business process’-oriented audit approach
Top-cycle concept & typology: Central result of integral evolution. Of ‘business process’-oriented Auditing Theory, Auditing Practice & Auditing Education. Over 60-80 years
Typology of top-cycles: ordered by the strength of the backbone
Unfortunately hardly translated into English
Phase 2: Identify Soll supercycle in Ist
Soll identification is supported by a typology of top-cycles
ComputationalAuditing.com
86
http://www.ComputationalAuditing.com/images/Kring.swf
Phase 3: Continuous auditing
Confront a stream of business events to Soll
Interrelate all buffer contents
Reconcile with external evidence
On-the-fly, close-to-real-time checking of spanning business equations
Especially spanning buy side & sell side
Triangulation
Capture deviations and associated risks
3rd party evidence processing
“Continuity Equations”
Miklos Vasarhelyi et al. CARLAB, Rutgers, 2010
ComputationalAuditing.com
ComputationalAuditing.com
ComputationalAuditing.com
89
Based on:
Sun,Srivastava& Mock,2006
“An Informa-tion SystemsSecurity RiskAssessment Model”,pp. 43-48
This can be realized in Deloitte’s Smart Audit Support with a plug-in for Dempster-Shafer-Srivastava confidence-level computations
Phase 4: Aggregate deviations
ComputationalAuditing.com
90
2 Receivables
3 Inventories+ =
Aggregation in XBRL: - Calculation linkbase- XBRL Formula
Plug-in: transferable ‘type polymorphism’ mechanism for XBRL Assurance Builder & Player
Domain-Specific Language (DSL) for auditing: Pacioli, developed by Dutch software partner in cooperation with national research center for mathematics and computer science in the Netherlands (CWI) & University of Amsterdam
5 Assets
5 Current Assets
At least one non-current inventory
All three inventories are current
{XBRL US GAAP Taxonomy
or
Articulate XBRL Assurance functionality using a dedicated website builder (plug-ins) instead of handcrafting XBRL Formula’s
Type Polymorphism: Least Upper Bound in the Taxonomy
Phase 4: Aggregate deviations
See: “On Positioning XBRL Assurance Business Rules in a Computational Infrastructure for Modern Auditing”, 2009, University of Kansas, Annual International Conference on XBRL
ComputationalAuditing.com
C b f t
F m d
D s t
A tL f t
P t
P t
W t
A t
A t
S
A
AL F
L F
L F
MM D F
D
C
B F
B F
W
P
P
P
P
W
A
A
A
A
C mD f t
S t
A t
F t
B f t B f t
P t
W t
L f
225
25 200
225
500
25
25
1,000400
400100
20
20
20
20
500
400
Publish on interactive dashboard
91Phase 5: Publish deviation top-10
Supercycle as dashboard
Drill-down on analytics
Planning & Control
Key Performance Indicators (KPI’s)
Key Control Indicators (KCI’s)
ComputationalAuditing.com
Jacquard project: Next Generation Auditing:
Data Assurance as a Service
92
demo by
Jacques de Swart, PricewaterhouseCoopers
&Paul Griffioen, CWI
More on the Jacquard project at the 21st World Continuous Auditing & Reporting Symposium,
Rutgers, New Jersey, November 5-6, 2010
ComputationalAuditing.com
Agenda
Part II - New risk control mechanisms • Supercycle: interface between organization & auditor
• Jacquard project: “Next Generation Auditing”, 2010-2014, with a software demo by Jacques de Swart & Paul Griffioen
93
• Nexus micro-macro, consolidated
• Qualitative: internal control to secure actions of agents • Quantitative: “completeness, the elusive assertion”
• Financials: ‘incentives thread’ of owner-ordered audit• Sustainability: ‘completeness thread’ of owner-ordered audit
• Soll & Ist
• Public digital infrastructure for financial utility functions & to facilitate SWOOPs: Self Web-Organized Owning Parties
• Golden opportunity for the Netherlands
• Your questions
ComputationalAuditing.com
ComputationalAuditing.com
95Nexus micro-macro: sustainability
Now you’ve had your crash course in owner-ordered auditing. Can someone explain to me why the method of assessing the
completeness assertion is so very well transferable from ‘completeness of revenues’ to ‘completeness of pollution’?
Any hints wanted?
ComputationalAuditing.com
96Nexus micro-macro: Web infrastructure
• Banking & rating agency utility functions: - fund transfers, account keeping, account access, etc. - tracking & tracing of who owes what to whom, etc. - tracking & tracing bar-coded financial products, etc. Why not with scientific security and code base?
• Audit & oversight mechanisms: - web platform for audit support: interactive audit forms - access audit methods, CAATTs - access auditee’s accounting system Why not let aggregated XBRL-tagged data streams enable double-entry bookkeeping on macro-economic level? Why not for both financial and non-financial information?
Why not have a public digital infrastructure for financial utility functions? With additional commercial functions?
Computer Assisted Audit Tools & Techniques
à la Skype
ComputationalAuditing.com
97Nexus micro-macro: SWOOPs Facilitate launching of Self Web-Organized Owning Parties
97
• Which owner group has clear ROI (Return On Investment)?
• How to empower downplayed owners? SWOOPs
• Launching mechanism: agent technology, agency theory
• Example focus group: individual pension fund participants
• Ownership control spectrum: from franchisor (strong) till individual pension fund participant (weak)
• Auditor applies web-based owner-ordered audit method
• contributor• ‘sleeper’ • receiver
“The South-Koreans didn’t understand the advanced American derivatives, so they didn’t bought them and weren’t hit by the crisis”,
portfolio manager at big Dutch institutional investor for big Dutch pension fund who made big losses, Safe magazine, summer 2010
ComputationalAuditing.com
Agenda
Part II - New risk control mechanisms • Supercycle: interface between organization & auditor
• Jacquard project: “Next Generation Auditing”, 2010-2014, with a software demo by Jacques de Swart & Paul Griffioen
98
• Nexus micro-macro, consolidated
• Qualitative: internal control to secure actions of agents • Quantitative: “completeness, the elusive assertion”
• Financials: ‘incentives thread’ of owner-ordered audit• Sustainability: ‘completeness thread’ of owner-ordered audit
• Soll & Ist
• Public digital infrastructure for financial utility functions & facilitating SWOOPs: Self Web-Organized Owning Parties
• Golden opportunity for the Netherlands
• Your questions
ComputationalAuditing.com
99
Match-making between ‘pull’ & ‘push’
Internationalize the owner-ordered audit method. This requires deep computational support. Why?
To minimize international, educational burden (3-years post-Master)
To streamline train-the-trainer, roll-out & getting ROI fast
• Improve the audit profession’s relevancy to society
Pull side
– Individual audit: ownership orientation (chall. 1)– Contribute to systemic risk mitigation (chall. 2)
Push side• R&D of supportive concepts and technology
Golden opportunity for the Netherlands
ComputationalAuditing.com
ComputationalAuditing.com
101
Your Questions