The Center for Audit Quality Leveraging Technology to

The Center for Audit Quality Leveraging Technology to Provide More Frequent and Standardized Forensic Analysis Christopher Rossie Oversight Systems, Inc. 16 June 2007 1

Agenda The “Expectations Gap” The Center for Audit Quality (CAQ) Fraud Task Force Actions State of the Art Implementations Questions 2

The Global Auditors’ Perspective Global Public Policy Symposium – Paris, November 7 -8, 2006 – Driven by the six largest international firms • • • BDO Deloitte Ernst & Young Grant Thornton KPMG Pricewaterhouse. Coopers Key Barriers – “Expectations Gap” relating to fraud and the ability of auditors to uncover it at a reasonable cost – The need to develop talent and expertise to deliver consistent, high-quality services – Legal and regulatory impediments adversely affecting clients and auditors 3

The “Expectations Gap” “Allegations of fraud are central in the ongoing lawsuits brought by investors against individuals and companies, as well as against audit networks for alleged failures to uncover them” “…there is a significant “expectations gap” between what various stakeholders believe auditors do or should do in detecting fraud, and what audit networks are actually capable of doing, at the prices that companies or investors are willing to pay for audits” “But there are limits to what auditors can reasonably uncover, given the limits inherent in today’s audits. ” 4

The “Expectations Gap” “…the ‘expectations gap’ arises because many investors, policy makers and the media believe that the auditor’s main function is to detect all fraud, and thus, where it materializes and auditors have failed to find it, the auditors are often presumed to be at fault. ” “Given the inherent limitations of any outside party to discover the presence of fraud, the restrictions governing the methods auditors are allowed to use, and the cost constraints of the audit itself, this presumption is not aligned with the current auditing standards. ” “What is sorely needed is a constructive dialogue among investors, other company stakeholders, policy makers and our own professionals about what should be done to close or at least narrow the ‘expectations gap’ relating to fraud. ” 5

Audit Firm CEO Proposals Subject All Public Companies to a Forensic Audit on a Regular Basis Subject All Public Companies to a Forensic Audit on a Random Basis Other “Choice-Based” Options 6

The Center for Audit Quality Announced January 31, 2007 AICPA joined by BDO, Crowe Chizek, Deloitte, Ernst & Young, Grant Thornton, KPMG, RSM Mc. Gladrey, and Pricewaterhouse. Coopers Successor to Center for Public Company Audit Firms (CPCAF) Fraud Task Force – Narrowing the expectation gap between investors understanding of auditors’ responsibility for detecting fraud and that outlined by current rules and standards – Work together as a profession to better detect fraud – Proactively work with and make recommendations to the Public Company Accounting Oversight Board (PCAOB) 7

Fraud Task Force Actions Improving fraud detection capabilities through the use of forensic specialists and technology/tools Manual Journal Entry Analysis – Extracting and mapping data is challenging – LOE is high for auditors and clients Current State – – – Burden is on the auditor not the client Not part of Clients’ Routine Process Clients often don’t validate submissions Lack of Client incentive and expertise Data usually needs to be manipulated (e. g. develop unique JE identifiers) – Labor intensive (not automated) – Cross Border Privacy – Multiple client systems & ERP vendors 8

One-off Manually Generated Files Current State Audit Firm Tools Manual Processes The Back Room (Data Collection) Client Data Environments (examples) The Front Room (Data Analysis) Data Acquisition and Preparation (required for each data review) Auditor data requests The Presentation Area (ADW/Analytics) Mapping to Client-specific File Data Problems Relational Database Systems Audit Firm Analytics Finance requests from IT Data Valid Misc. Flat Files IT schedules extract Audit Firm Users Finance validates data Mainframe Tapes (VSAM) File sent to auditor • Browsing and Analysis • Standard Reports • Ad hoc Queries & Reports • Dashboards • Workflow Auditor reviews format & checks content 9

CAQ Fraud Task Force Solution Common Data Model for GL – – Pre-defined format for all GL data Independent of ERP systems’ formats Focused on key requirements for evaluating journal entries Multiple contributors • • XBRL-GL Pricewaterhouse. Coopers Center for Advanced Research Oversight System Financial Accounting and Reporting ontology Input from Deloitte, E&Y, and KPMG Firm-specific Analytics – Each firm has advanced analytics in use – Various software platforms are available to supplement firms’ tools – 80% of time requirement is in extraction and mapping – CDM-GL and software community involvement should positively impact this – Wide-spread application is anticipated before 2010 10

Organize and Store Data in a Business View Source System Data Model(s) Business Entity Model Common Data Model 11

Common Data Model Extraction and Analysis Source Client Production System Extract Stage Map & Augment Extraction and Mapping Entities Fraud Analytics Results UI & Reports Analysis and Reporting 12

CAQ Forensic-in-the-Audit The Back Room (Data Management) Target Audit Systems (examples) Relational Database Systems Misc. Flat Files Proprietary Software Vendor or Auditor The Front Room (Data Access) The Staging Area (CDM/OXM) Open. Source e. Xtractor/Mapper (OXM) Open Source Dimensional Tables Ready for Delivery The Presentation Area (ADW/Analytics) Audit Data Warehouse Analytics Common Data Models (CDM) e. Xtractor -Data access -Retrieval -Format -Dimensions • Browsing and Analysis • Standard Reports • Ad hoc Queries & Reports • Dashboards • Workflow Audit and User Community Mapper Mainframe Tapes (VSAM) -Conversion - Keys -Integrity -Revisions -Delivery 13

CAQ Model Benefits Greatly improves audit effectiveness Addresses multi-platform issues Automates the validation and completeness testing process Reduces the client data acquisition burden Great example of transaction monitoring for audit, albeit only at a frequency of quarterly Companies have the opportunity to use the same extraction and mapping process to build their own audit data warehouses (ADW) and analyze their own general ledger activities Sub ledger common data models using the same approach can be leveraged for broader auditing and monitoring purposes 14

State-of-the-art Continuous Transaction Monitoring Continuous Auditing/Monitoring Data Management Operational Audit Data Source Warehouse Systems Data Acquisiti on and Mapping • Secure • Complete transaction and workflow history • Trusted “work of others” Audit Data Warehous e Custo Other m Syste Apps ms IT & Securit y Logs RDBMS – Flat File Mainframe LDAP AI-Based Analytics Intelligent Workflow Reusable Analytic Operations Risks s Compliance Risks Material Risk Email Alerts Exceptio n Database Control Risks Vendor Ven. Real-Time Risk Management Vendor Supplier Full Transaction Detail High Risk Control Reports Compliance Reports Control Objective Weakness Workflow Audit Management Dashboard Correction Validation 15

Management Dashboard Views 16

Thank you Oversight Systems, Inc. 3625 Cumberland Blvd. Suite 350 Atlanta, Georgia 30339 www. oversightsystems. com Chris Rossie VP, Business Development chris. rossie@oversightsystems. com 770 984 4609 17