Integrating Data & Analytics within Internal Audit April 2016

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS Restrictions on Disclosure and Use Restriction on Disclosure and Use of Data – This document contains confidential or proprietary information of KPMG LLP, the disclosure of which would provide a competitive advantage to others; therefore, the recipient shall not disclose, use, or duplicate this document, in whole or in part, for any purpose other than recipient’s consideration.

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS With You Today ■Alex Menor, Senior Specialist, Data Analytics-enabled Internal Audit (National)

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS Agenda 1Importance of Data & Analytics 2Current Trends 3KPMG’s Point of View Data & Analytics-enabled Internal Audit (DAeIA) Process Analytics-based Internal Audit Maturity Model Transformation Roadmap 4Getting Started Prioritizing Your Audit Plan Analytics Development Process 5Examples Example Case Studies

Importance of Data & Analytics

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS Importance of Data Analytics Knowledge Information Raw Data Value All firms have raw data; however, companies that process raw data into knowledge create a valuable organizational asset

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS Why use Data & Analytics in Internal Audit? ■Continued pressure to “do more with less” ■Expectations to provide enhanced value ■Desire to improve the effectiveness and efficiency of the audit department through repeatable and sustainable methods

Current Trends

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS KPMG observations Current Trends ■Development of an Internal Audit Strategy and Roadmap for D&A –Link to enterprise initiatives –Partnering with the business, compliance, IT functions, develop joint business case ■Drive more value to the broader enterprise ■Leverage others’ resources, capabilities, tools, etc. ■Enhancing risk assessment activities with quantitative information (CRA) ■Building “repeatable and sustainable” ETL (Extract, Transform, Load process) and analysis for meaningful reporting; not long lists of anomalies. ■Trend toward leveraging BI and Visualization tools

KPMG’s Point of View

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS Data & Analytics-enabled Internal Audit Process Analytics-Driven Continuous Risk Assessment Dynamic Audit Plan D&A enabled Audit Workplan D&A Audit Scoping and Planning Data & Analytics Audit Execution Enhanced Dynamic Reporting Data & Analytics ‑ enabled Internal Audit Operationalize into repeatable and sustainable analytics Business Monitoring

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS Analytics-based Internal Audit Maturity Model Maturity Level II Maturity Level I Maturity Level III Maturity Level IV Maturity Level V IA Methodology Traditional Auditing Ad Hoc Integrated Analytics Continuous Risk Assessment & Continuous Auditing Integrated Continuous Auditing & Continuous Monitoring Continuous Assurance of Enterprise Risk Management Strategic Analysis Enterprise Risk Assessment IA Plan Development Execution and Reporting Continuous Improvement Data analytics are effectively and consistently used (optimized) Data analytics are partially used but are sub-optimized Data analytics are generally not used

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS Data Analytics-enabled Internal Auditing Transformation Roadmap Phase I: Develop Strategic Plan Phase II: Pilot Execution Phase III: Radiate Across Audit Department and Universe Phase IV: Continuous Program Evaluation Understand internal audit management’s goals, ambitions, and vision for data and analytics Share Point of View and Market Drivers, which may include facilitating a Internal Audit team/department awareness training session and/or sharing thought leadership Prepare and conduct Internal Audit team strategy/roadmap visioning workshop(s) Perform current state assessment across people, process, technology and information dimensions within internal audit and across the organization, if appropriate Identify and understand relevant current organizational initiatives Identify the systems and relevant data required for a pilot Planning / Scoping Understand the audit objective(s) Determine what analytics are relevant in achieving the audit objective(s) Data management and analytics Design the analytics-enabled audit program Identify relevant IT systems and determine availability and quality of data Acquire and assess data quality Execution Refine (confirm the logic) and develop analytics Run analytics and perform initial validation of results to identify data and/or logic flaws; modify and re-run analytics as necessary Confirm the results of the analytics support achieving the audit objective(s) Reporting Interpret results Provide recommendations to update the audit approach to include an analytics approach for: −Modifying (where necessary) and radiating analytics across all relevant business processes and audit areas and across organization units −Transitioning, where appropriate, to continuous auditing Assist with Change Management within IA −Identify key IA resources that will drive change throughout the department −Identify major risks and/or barriers to implementing data & analytics then track the success of mitigation strategies −Design and deliver trainings focused at the different levels of involvement (awareness, planning, execution, interpretation, reporting, etc.) Regularly evaluate program for effectiveness and refine, as necessary Consider additional areas for expansion and maturity within the internal audit and compliance functions, including quantitative- enhanced continuous risk assessment Evaluate opportunities to extend into the business, including continuous monitoring Include the use of data & analytics in the employee goal-setting and review process Continuously evaluate the current and future maturity of the use of data & analytics

Prioritizing your Audit Plan & Analytics Development Process

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS Prioritizing Your Audit Plan for Use of Data & Analytics Not a likely candidate Possible Candidate Top Priority Possible Candidate Not a likely candidate Top Priority Availability: Is data available for the audited process? No Comprehension: Do your resources have the business knowledge available to understand the source data? No Yes Data Quality: Is the data being captured consistent in nature and complete No Risk: Does the audited process/area represent a high concentration of risk? Complexity: Is the data being obtained from 3 sources or less? Is the time required to obtain and validate the data low? E.g., audit of a manually performed control E.g., audit of a complex process without front end support of process owner or IT No E.g., exploratory audit or profile of a process No Yes E.g., OTC or P2P audit Yes Repeatability: Will the audit be performed multiple times using a similar data source (e.g. same ERP or quarterly audit)? No Yes E.g., T&E audit E.g., P-Card audit

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS Sample Audit Plan CRA Prioritization * TBD based on determination of availability and quality of data Audit AreaDescriptionHoursTiming Candidate for DAeIAAnalytics TypeFrequencyRiskComplexity (High, Medium, Low) YesLikely No / TBDCRA Scoping/ Profiling Detailed Testing Repeatable/ Periodic Risk CoverageProcessSystem Data Availability, Comprehension & Quality Procurement & Payables -Vendor analysis -Vendor setup -PO -Invoice -Payment -3-way Match -P-Card -Travel and Entertainment TBD 9 YYY Y HighMediumLowTBD Balance Sheet Review Journal entry analysis Stale account postings Unusual account pairings Contra-account activity TBD 14 NYY Y MediumLow TBD Cash Controls Determine whether cash controls and bank reconciliations are performed in ERP or performed manually. TBD 14 *N/A N MediumLowHighTBD Payroll Determine if Payroll is performed internally in ERP or using a provider such as ADP TBD 13 NYY N MediumHighTBD FCPA Include FCPA as part of other audits such as procurement or revenue cycle TBD 13 NYY Y High LowTBD IP Protection NA TBD 13 *NYY N Medium HighTBD Compliance with Customers' Requirements NA TBD 4 *YYY N LowMediumHighTBD Inventory Management Inventory obsolescence TBD 9 YYY Y Medium HighTBD Revenue & Receivables -Customer analysis -Customer setup -Sales orders -Shipments/Cutoff -Credit and Collections TBD 3 Y*TBD* Y HighMediumLowTBD Example

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS Data Analytics enabled Internal Audit (DAeIA) Define Audit Objectives Draft DAeIA work program Acquire data (see detailed ETL process) Analytics scoping Validate/ Refine DAeIA work program Interpret results Acquire additional data, if necessary (see detailed ETL process) Dynamic Reporting Planning Scoping Fieldwork Reporting Business Understanding Perform audit work steps and analyze results (individually and aggregated) Develop Execute Validate Refine ETL (if necessary) Results Perform Analytics Continuous Improvement Operationalize into repeatable and sustainable analytics CRA APG Builder Tools Exception Manager

Example Case Studies

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS Spend Analysis Assessing Buying Channels for Compliance and Optimization A financial services company made the decision to encourage more spend using P-Cards to reduce the number of invoices processed by AP. However, transitioning spend to P-Card without proper monitoring processes can cause inappropriate spend due to the lack of a formalized buying process. An analysis was performed to assess the overall effectiveness of the transition to P-Card as well as identify Key Observations: P-Card Spend as a percentage of total spend was substantially lower than the benchmark for the industry (2.35% vs 8%) $225K in Gift Card purchases were not included in employee income $35K in duplicate payments made simultaneously through AP and P-Card Analysis Included: P-Card Transactions including Potential performance improvement opportunities Transactions indicative of fraud, waste, and abuse Non-compliance with the established policies and procedures. Assessment of existing process against Leading Practices AP Spend Transactions 42k Expense Reports 6k Cardholders 355 Merchants 12k Total Spend $47 M

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS Retail Competitive Pricing Analytics Turning Risk into Competitive Advantage A leading discount shoe retailer offers over 8,000 different styles of shoes via its physical and online stores. A key management objective is to meet or beat competitors’ pricing – but monitoring their progress against that objective was difficult. Through the use of data & analytics, these challenges were overcome to provide a complete picture of the retailer’s pricing positions on a monthly basis. Key Observations: 3 of 6 Competitors had better pricing on more than 50% of products 44% of all products did not have the lowest price among competitors A portion of products advertised as good deals were still priced higher than competitors Analysis Included: Unstructured Data from 6 Websites Natural Language Processing including Fuzzy Matching Configurable scoring algorithm Match results that included product images to allow for human review Shoe Styles 8k Competitors 6 Products 50K Low Cost Retailer 56%

© 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS Questions?

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates. © 2016 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. NDPPS The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International. Thank You