Data analytics

in Audit

May 17th, 2022

Thomas De Backer, [email protected]

©2022 KPMG Advisory, a Belgian CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 1
Liese Blevi, [email protected]
Document Classification: KPMG Confidential
Your presenters

Thomas De Backer Liese Blevi

IT Audit Lead D&A in Audit Lead

KPMG Advisory KPMG Advisory

Digital Risk Management Lighthouse (D&A and
& Assurance Intelligent Automation)

©2022 KPMG Advisory, a Belgian CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 2

Document Classification: KPMG Confidential

Agenda

• Introduction
• When to use data analytics in audit
• Technical architecture
• Use cases
o GITC Quickscan
o Process mining
o Three-way-match analysis

©2022 KPMG Advisory, a Belgian BV/SRL and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International
©2022 KPMG Advisory, a Belgian CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Limited, a private English company limited by guarantee. All rights reserved
3

Document Classification: KPMG Confidential

Document Classification: KPMG Confidential
Audit 2020: A focus on change
Research by Forbes Insights shows that the use of cognitive technology and data and analytics are true “mega-trends” and
will bring game-changing disruptions to the audit.

Data & Analytics (D&A)

of survey respondents
53%
93% believe “Audit needs
to better embrace
technology”1
say
is transforming how audits are
conducted, enhancing audit
quality and effectiveness1

DIGITAL ENABLEMENT IS INCREASINGLY PREVELENT

And is growing in its impact Yet, challenges remain . . .

Executives who
52% 58% consider their
enterprises to be
of high performing say they are “Highly Advanced”
organizations are using digital tools in digital
using D&A to for sophisticated enablement2
support internal analysis1 NOW
operations2

1 Forbes Insights survey: Audit 2020 – a focus on change looked at the impact of technology and the need for 2 Forbes Insights survey: Crossing the enterprise digital divide looked at the current and future technology
new skill sets in auditing. The survey was based on a survey of 151 U.S.-based audit committee chairs and challenges facing business. The survey was based on a survey of 509 US and Canada based executives from
members, C-level financial executives, external auditors, accounting professors and accounting students. a wide range of industries and company sizes.

©2022 KPMG Advisory, a Belgian CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 4

Document Classification: KPMG Confidential

The innovation journey
Transform the core

LARGER
DATA SETS Automated
Magnitude of Change

Analysis of
Unstructured Data
Evolve the core

RAPID ANALYSIS
OF OUTLIERS PATTERN
AND ANOMALIES RECOGNITION

NATURAL LANGUAGE
PROCESSING
Sustain the core

AUTOMATION

Structured Data LIMITED PERCENTAGE

MANUAL OF TRANSACTIONS

Technology Innovations Over Time

Rule Based Automation Predictive Analytics Cognitive Technology & AI

Data & Analytics / Robotics

“Core” represents the fundamental activities of the financial reporting and audit functions.

©2022 KPMG Advisory, a Belgian CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 5

Document Classification: KPMG Confidential

 Integration of technology in the audit
1
Alternative
The highway is the main route that transactions
processing path take through the entity’s system, passing through
General process controls, kept safe by the GITC crash
Business controls guard barriers, and ending up posted to the general
Ledger
majority of transactions ledger.

Detecting violations using rule- 2

based analysis
Data analytics will help identify those transactions
that have not followed the well controlled highway,
so that we can focus our manual audit effort on
Exceptions and the most significantoutliers.
deviations

3
Transactional analysis
and business process Using data analytics will allow us to identify
mining enables to transactions that have bypassed business controls,
explore the root-causes e.g. the manual release of a blocked invoice.
of violations

4
Alternative By analyzing transactional outliers we can advise
processingpath management on the root causes (e.g. poorly
trained staff, too rigid application controls,
processesnot optimized ...), in order for
management to drive structuralprocess
General IT Controls help ensure overall data integrity & a improvements.
consistent operation of automated controls

©2022 KPMG Advisory, a Belgian CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 6

Document Classification: KPMG Confidential

Different views on data analytics in audit
Audit OF technology Audit WITH technology

• General IT Controls (GITC): controls that apply to all • Data Analytics and Visualization: dashboard
systems, components, processes, and data for a given IT reporting and detailed reports of underlying data
environment (access to programs & data, program change, to monitor specific processes and controls, identify
computer operations) trends, and measure the business against
• Segregation of Duties: manual as well as automated benchmarks
business controls rely on the operating effectiveness of • Process mining: mapping of the actual flow of
SAP authorizations, including the assignment of critical documents to gain insights in the actual path of
transactions to users as well as the segregation of duties transactions, providing visibility to inefficiencies,
that are enforced within the system process improvement opportunities, and
circumvented control points
• IT Application Controls (ITAC): controls that operate within
an application, based on programmed or configurable • Intelligent Automation: automation of repeatable
system logic tasks to free up capacity of the audit team to focus
• Information: system-generated reports that are relied on on more value-adding and strategic tasks
in the performance of business controls

Both approaches are complementary and support each other

©2022 KPMG Advisory, a Belgian CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 7

Document Classification: KPMG Confidential

KPMG’s audit approach

The core of our approach is underpinned by

the testing of key IT controls over (relevant) IT
systems. We perform business process
walkthroughs to gain a deep understanding of
the process risk points in order to maximize
reliance on automated controls (i.e. General
IT Controls and IT Automated Controls) and
test entire populations of data by using
Technology.

©2022 KPMG Advisory, a Belgian CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 8

Document Classification: KPMG Confidential

Use case selection
One size does not fit all. When integrating Data & Analytics into the audit work plan, several parameters have to be taken into account:

Availability:
No Not a likely
Is data available for the audited candidate
E.g., audit of a manually
process/area? performed control
Yes
Comprehension:
Do your resources have the business No Not a likely
knowledge available to understand the E.g., audit of a complex process
candidate
source data? without front end support of process
Yes owner or IT

Data Quality:
No
Is the data being captured consistent in Possible Candidate
nature and complete?
Yes

Risk:
Yes
Does the audited process/area represent a high Top Priority
concentration of risk?
No

Complexity:
Is the data being obtained from 3 sources or less? Yes
Is the time required to obtain and validate the data Top Priority
low?
No

Repeatability:
Will the audit be performed multiple times Yes
Top Priority
using a similar data source (e.g., same ERP
or quarterly audit)?
No
Possible Candidate

©2022 KPMG Advisory, a Belgian CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 9

Document Classification: KPMG Confidential

Technical architecture
KPMG Clara Analytics

Extraction Processing Cubes Dashboards

SFTP

©2022 KPMG Advisory, a Belgian CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 10

Document Classification: KPMG Confidential

What is Power BI?
Power BI is a business analytics solution that lets you visualize your data and
share insights across your organization, or embed them in your app or website. Connect to
hundreds of data sources and bring your data to life with live dashboards and reports.

©2022 KPMG Advisory, a Belgian CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 11

Document Classification: KPMG Confidential

GITC Quickscan
Data & Analytics can
be used to automate
control testing and
facilitate continuous
control auditing.

Examples of
automated testing:
• automated testing of
password settings,
logging and other
security parameters
compared with best
practices
• automated testing of
segregation of duty
conflicts (can do
access vs did do
access) and other
user access settings

©2022 KPMG Advisory, a Belgian CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 12

Document Classification: KPMG Confidential

Process mining

©2022 KPMG Advisory, a Belgian CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 13

Document Classification: KPMG Confidential

Three-way-match analysis

©2022 KPMG Advisory, a Belgian CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 14

Document Classification: KPMG Confidential

Other use cases

©2022 KPMG Advisory, a Belgian CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. 15

Document Classification: KPMG Confidential

Key take-aways

• Increased use of data analytics and automation is inevitable – but will allow
auditors to focus on more interesting tasks
• The concept of ‘reasonable assurance’ will shift, the bar will be higher
• But as this shifts, the added value of internal audit will become even higher
• To absorb the change upskilling is necessary, not just by incorporating experts –
auditors themselves need a minimal level of understanding

©2022 KPMG Advisory, a Belgian BV/SRL and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International
©2022 KPMG Advisory, a Belgian CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.
Limited, a private English company limited by guarantee. All rights reserved
18

Document Classification: KPMG Confidential

Document Classification: KPMG Confidential
kpmg.com/be/social kpmg.com/app

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide
accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one
should act on such information without appropriate professional advice after a thorough examination of the particular situation.

©2022 KPMG Advisory, a Belgian CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG
International”), a Swiss entity. All rights reserved.

The KPMG name and logo are registered trademarks or trademarks of KPMG International.

Document Classification: KPMG Confidential