techniques for risk-based auditing
DESCRIPTION
Techniques for risk-based auditing. DG INFSO-02 Freddy Dezeure - Charles Macmillan. 21/1/2011 European Court of Auditors Chamber IV. Background DG INFSO. European Commission department European Digital Agenda Co-funding of cost of research projects: 1,5 bio€ per year - PowerPoint PPT PresentationTRANSCRIPT
21/1/2011 European Court of Auditors Chamber IV
Techniques for risk-based auditingDG INFSO-02 Freddy Dezeure - Charles Macmillan
Background DG INFSO
European Commission department
European Digital Agenda
Co-funding of cost of research projects: 1,5 bio€ per year
FP6, FP7, eTEN, CIP: > 7000 beneficiaries, >2000 projects
Financial audits - 200 per year
Selection of auditees
Assurance audits -> error 4%
P1
P1
Major sources of errors
Excessive overheads
Claimed salary cost not actual
Representative error rate
Risk-based auditing
Risk of intentional inflation of cost
Assessment of the organisation as a whole
Data mining – new tools and methods
Audit programme specific to the risk (ISA240 - ISA315)
CM
Data gathering
Risk assessment
Define approach
Field work
Assess next steps
Finalise
Data gatheringRisk
assessment
Data Gathering phase
Scope from risk assessment – continually reassessed
Collect available information from internal and external sources
Check for indicators and inconsistencies
Outcomes define specific audit procedures
Use and find new Indicators
Feed into control systems
Internal Sources
Project documents: proposal, description of work, deliverables, reports, reviews, emails, cost claims
Experts Database
Organisations Database
Open Sources
People Companies Communications
Google, BingGoogle Scholar, Microsoft AcademicMicrosoft EntityCubeLinkedIn, Zoominfo123People, Yasni, PIPLGoogle Magic Wheel, Timeline
Google, BingCompany registriesGoogle Maps Google Streetview
Google, BingInfobelIxquickUKPhonebookDomaintoolsDomaincrawlerRobtexWayback Machine
Find the right person
Find all the relevant information about the person
Avoid noise
Finding people
“Fake” People - Examples
Non-existent people
Existing, but
not relevant
not employed
not aware of project
People in multiple roles / companies / projects
Neuron – partner in BRAIN
Neuron: Key staff
• DoW Description
• Computer Science degree
• Experienced ICT researcher
• etc
Neuron – Key staff
Neuron – Key staff
Indicators
Not found on internet
Top management of company
Always the same names
Listed for different companies in different projects
Listed in a different country from the company
CV on LinkedIn contradicts submission
Anonymous email address (gmail, ...)
GSM phone only
Finding companies
Find the right company
Find all the relevant information about the company
Avoid noise
Even simple tools can help
34
Earth Match – partner in SOLARSYS
34
Earth Match – partner in SOLARSYS
www.cabbage.com
ONION – partner in VEGETABLE
32
• Does the website exist?
• Does the project fit the company’s core activities?
• Does the website give contact information - and does it match the official transmission documents?
• Is the website registered by the partner?
32
Company website
33
• Company registration websites
http://www.rba.co.uk/sources/registers.htm
• http://www.infobel.com/, http://www.ixquick.com/
– Cross-check the phone number with yellow/white pages
– Reverse search on the phone number
33
Company registry, phone/fax
33
• Website registration
http://www.domaintools.com/
http://www.robtex.com/dns/
• Archive
http://www.waybackmachine.org/
http://www.archive.org/web/web.php
33
Company website, history
44
• Search for company in Google
– Not reassuring if nothing found
• Translation tools
– http://translate.google.com
– http://babelfish.yahoo.com/
44
Tools - internet search
45
HOUR – partner in TIME
• Email address not <-> company domain
• Phone number = fax number
• Phone number = gsm number
• Website registered by another company
• Website or phone numbers in another country
• Corporate website without contact coordinates, “under construction”
Indicators
FD
Data Gathering Outcomes
Organisation
Cannot (financially)
Cannot (operationally)
Can do / have not
Staff
Have not done
Have done, cost inflated
Have done, cost ineligible
Outcome - Audit Procedures
Cannot (financial)
Find other income source
Check commercial agreements with others...
Cannot (operational)
Find who could have done the work
Verify working agreements / CVs / job descriptions...
Risk-based audits -> error 30%
Impact on DG INFSO
Huge effort in administrative follow-up
Litigation (EDPS, Ombudsman, TPI, ECJ)
Impossibility to recover funds
Waste of budget - impact on genuine participants
Reputation damage
Perception
Challenge
Detect problems early in the project life-cycle (PO)
Link data gathering/risk-assessment/audit programme
Manage exceptions well
Implementation of audits
Residual error
AuditedError = 0
ExtrapolatedError = non-systematic
UntouchedError = representative
Selectiveness
FacilitateSimplify
Trust
DetectCorrectPrevent