UNFPA Remote Audit and Monitoring .pdf

Remote Audit and Monitoring
(RAM)
Process
A poor person’s approach
to continuous assurance

Our challenge
 Address key
stakeholder
expectations

USD 1 Billion programme

Reduce audit cycle
(i.e., more audit)
Issue overall GRC
opinion
Early detection of
outliers

 Large geographical
footprint
 150+ locations
Large number of
small & medium size
programmes
Significant variations
in expenses by region

Avg $1.1M
$ 300 M

Avg $ 6.6M

Avg $5.2M

Avg $6.3M
Avg 1.7M

Avg $ 8.1M

1800 + Implementing Partners
Average field office expense: USD 4.8M

RIAS 2016 – Big data, usage of CAATs & continuous auditing – UNFPA approach

Our challenge
 Highly
decentralized
operations
 Relatively weak
controls
Limited ERP
system
capabilities
Ad-hoc second
line of defense
controls

USD 1 Billion programme
Avg $1.1M
$ 300 M

Avg $ 6.6M

Avg $5.2M

Avg $6.3M
Avg 1.7M

Avg $ 8.1M

1800 + Implementing Partners
Average field office expense: USD 4.8M

 Small team – 10
Atlas
RIAS 2016 – Big data, usage of CAATs & continuous auditing – UNFPA approach

How did we approach it?
Still a long road ahead
Assess

Improve

Expand

Implement

….

Move tests into the right tool (Cognos? Which ERP?)
At the right time, “graduate” some tests to Management
Implementation of additional tests
Move to “continuous” mode
Pilot (2 regions - not truly continuous)

Significant
management
attention and
flexibility !

Issue first RAM report (Rating? Negative assurance?)

2017
2016

Designed additional tests
Designed initial test portfolio (GL data)
Recruited experienced data analyst

Developed proof of concept (MS Excel + Google tools)

Clear vision
and design
principles

•
•
•
•
•
•

Leverage existing tools
Integrate analytics into regular audits
Provide meaningful assurance from Day 1
Identifiable product (i.e., report)
Gradual implementation by region
Enable future “graduation” to management

2nd H 2015

1st H 2015
(Day 1)

RIAS 2016 – Big data, usage of CAATs & continuous auditing – UNFPA approach

How did we approach it?
Initial test portfolio
500 ‘test cases’ created around 16 ‘transaction clusters’
 Predominantly GL module data
 Separate portfolios for DEX / NEX
 Material transactions (individually / aggregate)
 1st line of defense controls (predominantly manual)
 Limited exception tests  potentially ‘abnormal
transactions’ identified based on ‘transaction cluster’ /
transaction type / vendor type combinations
 Ability to sustain process if needed
(i.e., if we cannot afford additional development work)
RIAS 2016 – Big data, usage of CAATs & continuous auditing – UNFPA approach

How did we approach it?
Proof of concept
 MS Excel power pivot tables
 Automated selection of material transactions
 Region-specific thresholds

 Sampling of transactions below materiality thresholds



Sampling (probability) proportionate to size
Ability to override selection

 Identification of potentially ‘abnormal’ transactions
 Reports for aggregation and tracking
 Google collaboration tools
 Google sheets – transaction information & details
 Google drive – supporting documents
RIAS 2016 – Big data, usage of CAATs & continuous auditing – UNFPA approach

DEX test approach
Atlas data

UNFPA
execution?

Vendor

GL

Chartfield Information
 Department  Project / Activity
 GL Account
 Fund
 IP
Transaction Type (TT) information
 Payroll
 FX
 APV
 Inventory  Voucher
 APJV
 Treasury  YECJ
 AM
 Deposits  KK adjust.
 Billing
 External
 Contracts  GLJE
 Revenue  Purchasing
Vendor Types (VT) information
 Consultant
 Supplier
 Govt/NGO  Employee
 Meeting participant

Materiality
thresholds

NEX test portfolio

NO

YES

Assets, Inventory, Procurement (Goods, recurring services, other
services), Travel (DSA, travel services) , Consultancies (SC, IC), …

Transaction clusters

TT
exception?

YES

Low risk system
generated transactions
automatically excluded
VT
exception?

YES

RAM testing
programs &
templates

E.G.:
Assets -> VT =/= Supplier
SC-IC -> VT =/= Consultant
Transactions =/= grants ->
VT = Govt / NGO

NO

Above
threshold?

NO

Select
sample

YES

Google tools

Preliminary
management
inquires

E.G.:
APJVs & GLJEs
Payroll -> TT =/= Payroll
Staff AR -> TT =/= Payroll
or Deposits

Testing
required?

Based on red flags,
materiality or other
relevant
considerations

YES

Management inquiries

Detailed testing

RIAS 2016 – Big data, usage of CAATs & continuous auditing – UNFPA approach

KCs - Procure-to-pay cycle
(business purpose authorization - solicitation
- contract award - receipt
- AP - accounting)

7

How did we approach it?

Links
RAM application
Google Sheet template
Testing template

RIAS 2016 – Big data, usage of CAATs & continuous auditing – UNFPA approach

NEX test approach
Test case

Scope of testing

First advance to IPs

 IP agreement in place & uploaded in IPMS
 IP assessment completed
 Workplan signed

Large advances to IPs







Workplan signed
Advance review & approval by authorized staff
Timeliness of advance request & payment
Accurate recording of advances
For selected activities
 Linkage to approved workplan & budget

Large IP expenses






Timeliness of FACE form submission & processing
FACE form review & approval by authorized staff
Accurate recording of expenses
For selected activities
 Linkage to approved workplan & budget
 Evidence of implementation
 Workplan progress report
 Other
 Adequate documentary support

RIAS 2016 – Big data, usage of CAATs & continuous auditing – UNFPA approach

The test portfolio will be
expanded over time
Data from other systems
 Procurement
 GPS
 Payroll .....

….
2017

Additional exception tests
E.g., Non-PO vouchers
• Coverage of corporate initiatives
E.g., HACT assurance

Selected second line of defense
controls
1. E.g., Atlas quality dashboard

2016

2016

Gradual implementation
(i.e., quarterly)
RIAS 2016 – Big data, usage of CAATs & continuous auditing – UNFPA approach

10

The issue aggregation process is
the cornerstone of RAM reporting
 Audit coverage is monitored on a regular basis
 To ensure sufficient coverage & prevent overloading BUs
 RAM scope is adjusted as required

 Issues are reported to Management as soon as identified
 Google Docs
 Initial determination of root cause & corrective measures by BU

 Issues are aggregated by office, region and process
 By RAM cycle
 On a cumulative basis

 Reportable issues are identified
 The nature of the exceptions
 Their materiality & frequency

 Regional Offices are involved up-front
RIAS 2016 – Big data, usage of CAATs & continuous auditing – UNFPA approach

Publicly disclosed reports will
be issued for each RAM cycle
 Same look and feel as those issued for regular audits
 Most decisions related to the content of the RAM
reports are still work-in-progress
 Audit rating? Most likely not
 Positive versus negative assurance?
 Quarterly?
 By region? Aggregate?

RIAS 2016 – Big data, usage of CAATs & continuous auditing – UNFPA approach

How do we go forward?





Lessons learned from pilots
Fine tune templates and programs
Frequency of tests
Timeline for incorporating
additional BUs
 Frequency and scope of reporting
 Go-forward tool
 How to and when to transfer
ownership to Management
Vision & design principles
Assess

Improve

Expand

Implement

Continuous improvement mindset
RIAS 2016 – Big data, usage of CAATs & continuous auditing – UNFPA approach

RAM Process

Thanks for your attention!
Questions?
Feedback?
RIAS 2016 – Big data, usage of CAATs & continuous auditing – UNFPA approach