<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-380566879282058881</id><updated>2011-11-13T18:03:12.973-08:00</updated><category term='ACL'/><category term='Expense reduction'/><category term='New England Journal of Medicine'/><category term='Anti-Fraud'/><category term='Continuous Auditing'/><category term='On Point Data Analytics'/><category term='Accounts Payable'/><category term='Deloitte'/><category term='Inside Counsel'/><category term='Arrowpoint Captial'/><category term='Arrowpoint Capital'/><category term='OFAC'/><category term='Thomas Ray and Associates'/><category term='Travel and Entertainment'/><category term='Gideon Technologies'/><category term='CPE'/><category term='WCAS'/><category term='Approva'/><category term='Identity Theft'/><category term='GTAG #13'/><category term='Wharton'/><category term='Enron'/><category term='Green Energy'/><category term='Fraud'/><category term='KPMG'/><category term='Recovery Auditing'/><category term='Higher Ed'/><category term='Vendor Master'/><category term='Internal Auditing'/><category term='ERM Roundtable'/><category term='FACTA'/><category term='Gartner'/><category term='ECCM'/><category term='Conflict of Interest'/><category term='Chronicle of Higher Education'/><category term='Continual Auditing'/><category term='Procurement Card'/><category term='WTC'/><category term='Dallas ISD'/><category term='AICPA'/><category term='CCM-T'/><category term='CA Maturity Model'/><category term='Rutgers'/><category term='National Institute of Health'/><category term='ERM'/><category term='Boot Camp'/><category term='Dan Brown'/><category term='GTAG #3'/><category term='Continuous Auditing 
Jobs'/><category term='Apex'/><category term='New York Times'/><category term='Reliant Audit Solutions'/><category term='Forrester'/><category term='Payroll'/><category term='P-Card Fraud'/><category term='SymSure for IDEA'/><category term='First Strike'/><category term='CM Bootcamp'/><category term='SuperStrategies'/><category term='Brainstorming'/><category term='Visual Risk IQ'/><category term='Health Benefits'/><category term='Text Analytics'/><category term='NYC'/><category term='gister'/><category term='Apex Analytix'/><category term='Foreign Corrupt Practices Act'/><category term='Audit Analytics'/><category term='Oversight Systems'/><category term='Gladwell'/><category term='National Science Foundation'/><category term='Siemens'/><category term='ACUA'/><category term='FCPA'/><category term='Vonya Global'/><category term='Grants and Contracts'/><category term='ISACA'/><category term='NC State'/><category term='Cal State'/><category term='External Auditing'/><category term='IDEA'/><category term='EPLS'/><category term='AHIA'/><category term='IIA'/><category term='Data Analysis'/><category term='ACL Audit Exchange'/><category term='Internet Porn'/><category term='Sunshine Act'/><category term='Audimation'/><category term='Stimulus Money'/><category term='SSDI'/><category term='CCM'/><category term='GTAG #16'/><category term='SymSure'/><category term='Department of Defense'/><category term='Infogix'/><category term='On Point Continuous Control Monitoring'/><category term='Navigant'/><category term='Vendor Negotiations'/><category term='Risk Assessment'/><category term='Conferences'/><category term='Continuous Controls Monitoring'/><category term='CNN'/><category term='Sustainability'/><category term='3rd Law'/><category term='Caseware Monitor'/><category term='Actimize'/><category term='Health Care Fraud'/><category term='HealthCare'/><category term='Kennesaw State'/><category term='CFO Magazine'/><category term='Red Flag'/><category term='Visual 
Reporting'/><title type='text'>Continuous Auditing - Making it Real</title><subtitle type='html'>This blog is also available at www.VisualRiskIQ.com/Blog, and highlights current events in the risk and control domains related to Fraud, Data Analysis, and especially Continuous Auditing.  

This blog seeks to define and explain continuous auditing and continuous monitoring by providing practical first steps on the journey.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>76</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-530508367150463555</id><published>2011-11-05T07:49:00.000-07:00</published><updated>2011-11-07T04:31:49.355-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Risk Assessment'/><category scheme='http://www.blogger.com/atom/ns#' term='Rutgers'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Controls Monitoring'/><title type='text'>Another Saturday Morning in Newark NJ</title><content type='html'>Very energizing sessions this morning, as we heard from a Who's Who of large, multinational firms who have implemented CA and CM solutions.  Siemens Financial Services led things off with their "Road to Continuous Assurance," as Jason Gross leads a mature CM function that was born in Internal Audit and has migrated to the CFO's office. 
His deck is downloadable at: http://raw.rutgers.edu/23WCARS&lt;br /&gt;&lt;br /&gt;Brad Ames from HP followed with another strong presentation on using CA / CCM for assessing both IT controls and Financial Controls. @43Chase and @debreceny observed that strong IT controls help enable strong financial controls. I was focused on their use of dashboards at HP, and have asked for examples.  Stay tuned. &lt;br /&gt;&lt;br /&gt;Dave Levin of Procter &amp; Gamble followed with a strong session on the use of data-driven risk assessments.  They compare results of Control Self Assessment and actual audit results, using outliers and differences between management's assessment (i.e. CSA) and internal audit's evaluation as input into Internal Audit's risk assessment. Dave's session is available for download at this &lt;a href="http://raw.rutgers.edu/docs/wcars/23wcars/Presentations/What%27s_the_score%5B1%5D.pdf"&gt;link&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-530508367150463555?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/530508367150463555/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=530508367150463555' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/530508367150463555'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/530508367150463555'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2011/11/another-saturday-morning-in-newark-nj.html' title='Another Saturday Morning in Newark NJ'/><author><name>Joe 
Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-879180072835076628</id><published>2011-11-04T07:41:00.000-07:00</published><updated>2011-11-04T08:11:16.989-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Rutgers'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Auditing'/><category scheme='http://www.blogger.com/atom/ns#' term='KPMG'/><title type='text'>Leveraging Information to Align Risk and Performance - CM, per KPMG</title><content type='html'>Jim Littley from KPMG is talking about Continuous Monitoring (CM) / Governance Risk &amp; Compliance (GRC) / Business Intelligence (BI) etc., and all of the alphabet soup of technology tools that can be used to improve controls and risk monitoring. He observes that most large organizations have multiple initiatives related to acquiring and implementing tools and technologies for point solutions that assist in this area, but these are siloed and rarely linked together.  He sees Internal Audit as a potential value-creator in this area.   &lt;br /&gt;&lt;br /&gt;Good points. We see Procurement teams with supply chain analytics, Finance with BI and macro-level analytics, and Internal audit with audit data analytics, ERM or Risk with survey tools for subjective risk assessment, sometimes all in the same firm.  Ideally, macro-level analytics tools like BI should work together with the exception analytic tools in the CM world to provide a single, integrated review of risk.   &lt;br /&gt;&lt;br /&gt;Jim suggests we think of Continuous Monitoring as the first line of defense, and Continuous Auditing as the second or third line of defense.  
Using common data sources (i.e. a single source of truth) can lower the cost of acquiring data for each initiative, and improve overall quality.  &lt;br /&gt;&lt;br /&gt;Slides aren't posted (yet?), but I'll update this post with a link if they are made available.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-879180072835076628?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/879180072835076628/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=879180072835076628' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/879180072835076628'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/879180072835076628'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2011/11/leveraging-information-to-align-risk.html' title='Leveraging Information to Align Risk and Performance - CM, per KPMG'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-2943482792032505881</id><published>2011-11-04T06:37:00.000-07:00</published><updated>2011-11-04T07:04:40.182-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='External Auditing'/><category scheme='http://www.blogger.com/atom/ns#' term='Rutgers'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Continuous Auditing'/><title type='text'>Opening Rutgers WCARS session - Continuous External Auditing</title><content type='html'>The opening panel was led by Greg Shields of the Canadian Institute of Chartered Accountants (CICA) and included Deloitte's National Office Partner Tom Criste, Retired Deloitte Partner Trevor Stewart, and PhD Student Paul Byrnes.  A little disappointing that more signing partners from more accounting firms were not on the panel. Perhaps that would help unlock the code on the very slow adoption of use of technology to execute external audits. &lt;br /&gt;&lt;br /&gt;Much emphasis was on the degree of change that would be needed for the firms to seriously re-engineer their processes.  My favorite quote from the session was from Tom Criste, who observes that the great increases in technology have affected how audits are documented, but not how audits are performed.  The work programs for Inventory, A/R, Cash, etc., are relatively unchanged even from when he entered the profession decades ago. And because many procedures (e.g. Inventory Observation, Confirmations of A/R balances) are required by professional standards, it would be difficult to re-engineer the audit.  &lt;br /&gt;&lt;br /&gt;Mr. Criste envisions an audit where statisticians and economists could review data and help form the External Auditor's opinion. He suggests that a test audit could be performed in parallel with a traditional external audit, and that the firm could compare results and findings with each other and the client.  But he says, who would want to invest that time and energy, even if the second audit was free?&lt;br /&gt;&lt;br /&gt;If that's truly the barrier, I'd suggest to start with the users of financial statements.  Would MF Global's investors and creditors like to have had any assurance provided on quarterly financial results?  Probably so. 
&lt;br /&gt;&lt;br /&gt;I'd advocate beginning with the end in mind, and determine the desired frequency of external audit assurance.  More than annual is probably good.  Daily is probably way too frequent. (What CEO wants to explain slow mid-month sales to Wall Street Analysts). &lt;br /&gt;&lt;br /&gt;If quarterly assurance was desired, how should external audit procedures be changed?  Comments welcome!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-2943482792032505881?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/2943482792032505881/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=2943482792032505881' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/2943482792032505881'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/2943482792032505881'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2011/11/opening-rutgers-wcars-session.html' title='Opening Rutgers WCARS session - Continuous External Auditing'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-1473938462940884265</id><published>2011-11-03T11:26:00.000-07:00</published><updated>2011-11-03T11:51:11.978-07:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='Rutgers'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Auditing'/><title type='text'>Live from Rutgers WCARS - Friends and Family meeting</title><content type='html'>Most of you reading this blog post have an awareness and even a keen interest in data analysis and/or continuous auditing, whatever we agree that means.  You may not know how long this topic has been being discussed and debated. &lt;br /&gt;&lt;br /&gt;I'm writing this from the 23rd (!) World Continuous Auditing Symposium at Rutgers Business School in Newark NJ.  It's been a semi-annual meeting, so the group began gathering in 1999. All of the Big 4 firms are here, as are the AICPA, software vendors like ACL, Caseware, Oversight, and even CA.  For more information on the agenda, see: &lt;a href="http://raw.rutgers.edu/23WCARS"&gt;http://raw.rutgers.edu/23WCARS&lt;/a&gt; .&lt;br /&gt;&lt;br /&gt;Beginning tomorrow morning, I'll be blogging about the most interesting speakers, topics, and academic papers on the main agenda, so come back often for updates. &lt;br /&gt;&lt;br /&gt;Today is the "Friends and Family" meeting, where some of the longer-standing supporters of the Rutgers program are discussing emerging issues.  One topic on the agenda is the notion of Audit Data Standards, which would be a common data model for certain business processes like General Ledger and perhaps subledger like Supply Chain or Revenue.  &lt;br /&gt;&lt;br /&gt;The presenters advocate a cloud-based data store that public companies would use to load daily or at least monthly transactions, and that external auditors (and perhaps internal auditors) would access that data periodically to perform audit analytics. 
Glad I'm here - there's a lot of pros and cons to consider with this standardization.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-1473938462940884265?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/1473938462940884265/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=1473938462940884265' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/1473938462940884265'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/1473938462940884265'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2011/11/live-from-rutgers-wcars-friends-and.html' title='Live from Rutgers WCARS - Friends and Family meeting'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-2575655406379465909</id><published>2011-09-11T07:12:00.000-07:00</published><updated>2011-09-11T08:12:32.367-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='WTC'/><category scheme='http://www.blogger.com/atom/ns#' term='NYC'/><title type='text'>Remembering 9/11/2001</title><content type='html'>&lt;div&gt;It was afternoon for me in Ireland, where I was working on a project with Bristol-Myers. On a conference call with our NYC offices in midtown east. 
"Joe we need to reschedule the call, a small single-engine plane has hit WTC. Everybody is turning to the news to see what's going on." I wish that was what had happened. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt; My wife was 8 months pregnant with our second child, who we named Juliana to honor the daughter and her mother, an Irish national that both lost their life on the plane that hit the towers. Juliana McCourt never saw her 5th birthday. Thankfully her uncle made it down 50+ stories of the WTC. Later that day he would learn of his sister's and niece's death. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I'll never forget the outpouring of support for NYC and the whole US from the city of Dublin and the whole country of Ireland. It took me nearly a week to return home, yet given the tragedy all around us in NY/NJ, we know we were still so very fortunate.&lt;br /&gt;&lt;br /&gt;Where were you? What should we teach our children? &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;(written from 30000 feet, courtesy of Gogo. Eerie to be flying cross-country today. 
But very proud of our country's resilience and the feeling of safety as I travel.)&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-2575655406379465909?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/2575655406379465909/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=2575655406379465909' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/2575655406379465909'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/2575655406379465909'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2011/09/remembering-9112001.html' title='Remembering 9/11/2001'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-2679649761117601489</id><published>2011-08-19T06:04:00.000-07:00</published><updated>2011-08-19T14:35:09.501-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='GTAG #16'/><category scheme='http://www.blogger.com/atom/ns#' term='Arrowpoint Capital'/><category scheme='http://www.blogger.com/atom/ns#' term='Data Analysis'/><title type='text'>New GTAG on Data Analysis from IIA</title><content type='html'>The IIA has published a new Global Technology Audit Guide, the 16th in a series.  
It is available for free download (IIA Members only) or purchase (for non-Members) at the following&lt;a href="http://www.theiia.org/guidance/technology/gtag-16/"&gt; link&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Noteworthy in this GTAG is the use of a Maturity Model that outlines the progression from Basic Analytics through to Continuous Monitoring.  While the model is simpler and less prescriptive than ours published previously (download WG&amp;amp;L article featuring Arrowpoint Capital &lt;a href="http://visualriskiq.squarespace.com/cases/published-articles/"&gt;here&lt;/a&gt;), we believe it represents important guidance to assist audit teams in advancing from "zero to 60" in the use of data analytics.&lt;br /&gt;&lt;br /&gt;What do you think of the new GTAG?  We'll provide more thoughts on this guidance next week...&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-2679649761117601489?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/2679649761117601489/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=2679649761117601489' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/2679649761117601489'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/2679649761117601489'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2011/08/new-gtag-on-data-analysis-from-iia.html' title='New GTAG on Data Analysis from IIA'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-8704112558502324082</id><published>2011-08-18T15:15:00.000-07:00</published><updated>2011-08-18T16:25:17.385-07:00</updated><title type='text'>Emerging IT Issues for Audit &amp; Compliance Leaders</title><content type='html'>In recent months, I've had the opportunity to re-kindle my professional relationship with Professor Scott Fargason.  Scott and I had previously worked together as co-instructors for a variety of training events, both while I was at Deloitte &amp;amp; Touche and more recently as volunteers and paid presenters for various IIA and other training conferences.  We find our background and experiences dovetail quite well - his academic and legal training are top notch, and I bring a practical "here's what works" perspective from my time in both consulting and industry.&lt;br /&gt;&lt;br /&gt;We've come together to build a customized one- or two-day CPE seminar titled "Emerging IT Issues for Audit and Compliance Leaders" that we believe offers something quite new, most notably a two-instructor format with total costs similar to courses with only a single instructor.&lt;br /&gt;&lt;br /&gt;For more information, please download a two-page &lt;a href="https://docs.google.com/viewer?a=v&amp;amp;pid=explorer&amp;amp;chrome=true&amp;amp;srcid=0B1kmpO3tqS2yZDFhNDllNzAtZTFjNC00MGJiLThmMjctMGQzZGM1ZDU4NWU5&amp;amp;hl=en"&gt;flyer&lt;/a&gt; on the course and contact either of us for questions about availability.
&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-8704112558502324082?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/8704112558502324082/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=8704112558502324082' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/8704112558502324082'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/8704112558502324082'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2011/08/emerging-it-issues-for-audit-compliance.html' title='Emerging IT Issues for Audit &amp; Compliance Leaders'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-581349268358545814</id><published>2011-08-11T05:39:00.000-07:00</published><updated>2011-08-11T05:42:56.995-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='CM Bootcamp'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Auditing'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Controls Monitoring'/><title type='text'>Continuous Auditing and Monitoring Bootcamp Scheduled in Houston</title><content type='html'>Visual Risk IQ will be leading a one-day workshop in Houston on Tuesday 
9/27, hosted by  the Texas Society of CPA's.  The workshop is designed to help you get  started on the path to delivering measurable results with continuous  monitoring and auditing.  This class builds on a highly-reviewed program in Atlanta delivered earlier this year.&lt;br /&gt;&lt;br /&gt;We will discuss overall methodology,  detailed design for constructing a CA program, talk about current  technology, and demonstrate how to turn “CA” into “CM” to benefit your  entire organization.&lt;br /&gt;&lt;br /&gt;Outcomes from the class will include a  Company-specific roadmap, customized for your business and stakeholders,  to target the risks you identify and benefits you want to achieve.&lt;br /&gt;&lt;br /&gt;Attendees will receive up to 7.5 hours of NASBA-compliant CPE and accomplish the following learning objectives.&lt;br /&gt;&lt;br /&gt;1. Business challenges today, and how early detection mitigates greater risks&lt;br /&gt;2. Working definitions of CCM, CM and CA and supporting technologies&lt;br /&gt;3. How to determine where your organization is on the CA/CM maturity model&lt;br /&gt;4. Hurdles to CM/CA implementation and how to overcome them&lt;br /&gt;5. How to dive deeper to determine specific needs in developing the roadmap for CM/CA implementations&lt;br /&gt;6. Proven methods for engaging other stakeholders&lt;br /&gt;&lt;br /&gt;For more information, see the following &lt;a href="http://www.audimation.com/Seminars"&gt;Registration&lt;/a&gt; page to download a more detailed program description.
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-581349268358545814?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/581349268358545814/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=581349268358545814' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/581349268358545814'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/581349268358545814'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2011/08/continuous-auditing-and-monitoring.html' title='Continuous Auditing and Monitoring Bootcamp Scheduled in Houston'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-3969219705908509551</id><published>2011-06-15T10:58:00.000-07:00</published><updated>2011-06-15T11:04:49.989-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Auditing'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Controls Monitoring'/><category scheme='http://www.blogger.com/atom/ns#' term='Boot Camp'/><title type='text'>Continuous Auditing and Monitoring Bootcamp Scheduled in Atlanta</title><content type='html'>﻿﻿Visual Risk IQ will be leading a one-day workshop in Atlanta, 
hosted by the Georgia Society of CPAs.  The workshop is designed to help you get started on the path to delivering measurable results with continuous monitoring and auditing.&lt;br /&gt;&lt;br /&gt;We will discuss overall methodology, detailed design for constructing a CA program, talk about current technology, and demonstrate how to turn “CA” into “CM” to benefit your entire organization.&lt;br /&gt;&lt;br /&gt;Outcomes from the class will include a Company-specific roadmap, customized for your business and stakeholders, to target the risks you identify and benefits you want to achieve.&lt;br /&gt;&lt;br /&gt;Attendees will receive up to seven hours of NASBA-compliant CPE and accomplish the following learning objectives.&lt;br /&gt;&lt;br /&gt;1. Business challenges today, and how early detection mitigates greater risks&lt;br /&gt;2. Working definitions of CCM, CM and CA and supporting technologies&lt;br /&gt;3. How to determine where your organization is on the CA/CM maturity model&lt;br /&gt;4. Hurdles to CM/CA implementation and how to overcome them&lt;br /&gt;5. How to dive deeper to determine specific needs in developing the roadmap for CM/CA implementations&lt;br /&gt;6. 
Proven methods for engaging other stakeholders&lt;br /&gt;&lt;br /&gt;For more information, see the following &lt;a href="http://audimation.com/seminars"&gt;Registration&lt;/a&gt; page, or see our Events &lt;a href="http://VisualRiskIQ.com/Events"&gt;webpage&lt;/a&gt; to download a more detailed description.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-3969219705908509551?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/3969219705908509551/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=3969219705908509551' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/3969219705908509551'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/3969219705908509551'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2011/06/continuous-auditing-and-monitoring.html' title='Continuous Auditing and Monitoring Bootcamp Scheduled in Atlanta'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-4016387715390672262</id><published>2011-04-04T09:11:00.000-07:00</published><updated>2011-04-04T12:06:20.408-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Vendor Master'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='Accounts Payable'/><title type='text'>An $8 Million Question: Why do auditors test changes to Vendor Master Files?</title><content type='html'>One of the early audit tests that I was responsible for was to review who had access to change our vendor master file, and to make sure that all those changes were logged, reviewed, and approved.  Our audit objective was validity - making sure that all changes to the master file(s) were properly authorized.  But even authorized changes to the master file create risk.&lt;br /&gt;&lt;br /&gt;Case in point:  Conde Nast's $8 million email scam, as reported in this &lt;a href="http://vriq.us/gWPlry"&gt;Forbes Magazine blog posting&lt;/a&gt; from William Barrett and Janet Novack.&lt;br /&gt;&lt;br /&gt;What seems to have happened in the Conde Nast case is that a fraudster sent in a change of address / change of banking information request on behalf of a legitimate vendor.  But the bank information provided was not the actual vendor's; rather it was an account set up by a fraudster with a similar name and address as the real vendor.  So properly authorized payments totaling nearly $8 million were misdirected.   The fraud was detected when the real vendor called to ask "where's our money?"&lt;br /&gt;&lt;br /&gt;A variety of preventive and detective controls began to visualize in my head when I read this story.  How are changes to address and/or bank information communicated from your suppliers?  How are these changes corroborated?&lt;br /&gt;&lt;br /&gt;How might data analysis be used to identify mis-matches between supplier names and addresses?  
Seems like a good time to ask at your organization, even if an AP audit is not on the current quarter's schedule.&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte, NC USA&lt;br /&gt;&lt;br /&gt;&lt;h3&gt;&lt;strong&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;&lt;/strong&gt;&lt;/h3&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-4016387715390672262?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/4016387715390672262/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=4016387715390672262' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/4016387715390672262'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/4016387715390672262'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2011/04/8-million-question-why-do-auditors-test.html' title='An $8 Million Question: Why do auditors test changes to Vendor Master Files?'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-3897366079456116077</id><published>2011-02-21T07:50:00.000-08:00</published><updated>2011-02-21T09:09:18.724-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Gladwell'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Enron'/><category scheme='http://www.blogger.com/atom/ns#' term='Visual Reporting'/><title type='text'>Book review - a Great Read for Data Analysis Folks</title><content type='html'>Just finished Malcolm Gladwell's "&lt;a href="http://www.amazon.com/What-Dog-Saw-Other-Adventures/dp/0316076201"&gt;What the Dog Saw&lt;/a&gt;" on a long plane ride this weekend.  Like his other books (Tipping Point, Blink, and Outliers), there are great stories and examples for those of us involved in data analysis, including internal auditing and especially continuous auditing. &lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.amazon.com/Malcolm-Gladwell/e/B000APOE98/"&gt;Gladwell's&lt;/a&gt; current book is actually a collection of essays from New Yorker magazine, but they piece together nicely so the essays can be read in sequence or by selecting chapters of interest.  If you have time to only read one chapter, I'd point you toward the chapter "Open Secrets.  Enron, Intelligence, and the Perils of Too Much Information." &lt;br /&gt;&lt;br /&gt;The book points out that Enron's Special Purpose Entities (SPE's) were entirely transparent.  To a fault.  Because each of the more than 3000 SPE's involved paperwork of an average of 1000 pages of filings.  Even an executive summary of an SPE contained 40 single-spaced pages.  So the challenge in understanding the financial risks of their SPE's was to understand how to filter an insanely large volume of data into a form that was manageable, comprehensible, and actionable.&lt;br /&gt;&lt;br /&gt;As you progress on the Continuous Auditing and Continuous Monitoring Maturity Curve, you'll find that your teams are amassing a similarly overwhelming (though hopefully not as large!) set of source data and anomalies to review.  How do you see the source data?  How do you see the exceptions?  How do you decide which ones to act on? 
&lt;br /&gt;&lt;br /&gt;Most data analysis efforts that we have worked on have a goal of identifying individual exceptions, or rows, in database speak.  So an AP vendor shares an address or tax ID number with an employee.  Or a sales invoice had a discount in excess of a contract maximum.  To act, we send an email to someone, maybe with a spreadsheet attached, to research and resolve the exception row. &lt;br /&gt;&lt;br /&gt;But let's learn from Enron's SPE's.  If we send 3000 emails, how will we manage the follow-up?  Can we use color and graphs to measure the magnitude of the exceptions in total?  How should we identify transactions that are acceptable one-by-one (example: a $9,500 requisition from a manager with a $10,000 signing authority), but unacceptable as a larger series (say ten $9,500 requisitions from that same manager, all within the same week)?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-3897366079456116077?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/3897366079456116077/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=3897366079456116077' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/3897366079456116077'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/3897366079456116077'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2011/02/book-review-great-read-for-data.html' title='Book review - a Great Read for Data Analysis Folks'/><author><name>Joe 
Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-1368207647525591710</id><published>2011-01-31T15:19:00.000-08:00</published><updated>2011-01-31T15:27:05.758-08:00</updated><title type='text'>How to update the IIA GTAG for what's new in Continuous Auditing?</title><content type='html'>Today's blog seeks to assimilate some of the things we heard at the IIA  International conference last summer in Atlanta, in advance of this  week's IIA Working Group discussions regarding the &lt;a href="http://www.theiia.org/guidance/technology/gtag3/"&gt;Global Technology Audit Guide (GTAG) on Continuous Auditing #3&lt;/a&gt;.     The purpose of the Working Group discussions is to identify areas  of the GTAG that require updating, so we are pleased to be able to  participate with such an esteemed group of colleagues.&lt;br /&gt;&lt;br /&gt;I &lt;a href="http://continuousauditing.blogspot.com/2010/06/reflections-on-iia-international-input.html"&gt;wrote last summer&lt;/a&gt; about the IIA International conference, and how Data Analysis and Continuous Auditing were discussed at three of the more interesting presentations at that conference.  Those presenters were &lt;a href="http://www.dankneer.com/"&gt;Dan Kneer&lt;/a&gt;, &lt;a href="http://www.linkedin.com/pub/steve-biskie/0/741/471"&gt;Steve Biskie&lt;/a&gt; (ACL Services) and &lt;a href="http://mainardiassociates.com/home/"&gt;Robert Mainardi&lt;/a&gt;, and each presenter spoke on some combination of Data Analysis, Continuous  Auditing, and Continuous Monitoring.  Though they used many of the same  words and terms, their perspective often seemed quite different. 
&lt;br /&gt;&lt;br /&gt;Is Continuous Auditing about audit project selection and Risk Assessment?  Yes.  So techniques such as regression analysis, ratio analysis, and other analysis of aggregate data should be considered in any GTAG update.  But Continuous Auditing is also about more frequent updates of subjective data, like control self-assessment, surveys, and call program activities.  Similarly Continuous Auditing can and should include data analysis of transaction details.  And greater frequency of data analysis, to include Visual Reporting, also aids greatly in Risk and Control Assessment activity.  Perhaps text analytics and analysis of unstructured data too. &lt;br /&gt;&lt;br /&gt;Looking forward to this week's Working Group, so we can find some distinctive words to distinguish the various types of Continuous Auditing activities for inclusion in any updates to the GTAG. &lt;br /&gt;&lt;br /&gt;Since Continuous Auditing can&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte, NC USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-1368207647525591710?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/1368207647525591710/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=1368207647525591710' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/1368207647525591710'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/1368207647525591710'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2011/01/how-to-update-iia-gtag-for-whats-new-in.html' title='How to 
update the IIA GTAG for what&apos;s new in Continuous Auditing?'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-5352134477182643375</id><published>2010-11-06T08:56:00.000-07:00</published><updated>2010-11-17T09:12:04.294-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Rutgers'/><category scheme='http://www.blogger.com/atom/ns#' term='CCM'/><category scheme='http://www.blogger.com/atom/ns#' term='WCAS'/><category scheme='http://www.blogger.com/atom/ns#' term='Siemens'/><title type='text'>Highlights of Day 2 Rutgers WCAS</title><content type='html'>More case studies on Saturday than Friday - presenters have included Hewlett-Packard, Proctor &amp;amp; Gamble, IBM, and Siemens Financial, among others.  Highlights from these presentations include:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;HP &lt;a href="http://raw.rutgers.edu/docs/wcars/21wcars/presentations/GilstrapHP.pdf"&gt;presented&lt;/a&gt; their use of monthly data extraction and a variety of CAAT-based and ERP query tools to interrogate transactions and logs.  They evaluate a mix of configurable controls and transaction analysis to deliver a risk-based heat map that aids the audit team in project selection decisions.  They've made excellent progress from prior years, and continue to be a leader in CA / CM, especially among SAP shops.&lt;/li&gt;&lt;li&gt;P&amp;amp;G &lt;a href="http://raw.rutgers.edu/docs/wcars/21wcars/presentations/BusinesscaseJeff_Backer.pdf"&gt;presented&lt;/a&gt; about their measurement around the business case for their CA / CM investments, which have focused primarily around order to cash (O2C).  
Their program's strengths are its workflow, in that audit uses "automated delivery of high quality controls tests results to the business."  It's the evolution of having MANAGEMENT evaluate the test results (vs. internal audit) that was most noteworthy.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;IBM &lt;a href="http://raw.rutgers.edu/docs/wcars/21wcars/presentations/Enhanced_AuditingLagford.pdf"&gt;presented&lt;/a&gt; about their system that they call Enhanced Auditing with Technology, which also focuses on O2C.  They monitor more than 400 query test attributes (contrast w/ Siemens Financial, who monitors only 45!).  &lt;/li&gt;&lt;li&gt;Jason Gross of Siemens Financial &lt;a href="http://raw.rutgers.edu/docs/wcars/21wcars/presentations/Jason_GrossRoad.pdf"&gt;presented&lt;/a&gt; their CCM program with considerable energy and enthusiasm.  Jason and I had previously met at an IIA event during 2007, when he had been in Internal Audit.  Interesting is that he has left audit and is now a direct report to the CFO at Siemens Financial.  This option should be on the career path of most data-focused, audit professionals as it allows Jason and his team to have more responsibility for research and follow-up on CCM exceptions.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;As additional slide decks are posted, I expect to update this and other blog posts from the weekend.  
- UPDATED w/ HP deck.&lt;br /&gt;&lt;br /&gt;Best wishes,&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Newark NJ&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-5352134477182643375?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/5352134477182643375/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=5352134477182643375' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/5352134477182643375'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/5352134477182643375'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2010/11/highlights-of-day-2-rutgers-wcas.html' title='Highlights of Day 2 Rutgers WCAS'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-6254836808243864337</id><published>2010-11-05T09:09:00.001-07:00</published><updated>2010-11-05T11:25:28.843-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Oversight Systems'/><category scheme='http://www.blogger.com/atom/ns#' term='WCAS'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Auditing'/><title type='text'>Top 10 Things that Go Wrong in a Continuous Auditing Project</title><content type='html'>Very nice 
summary from Patrick Taylor from Oversight Systems of their experiences from CA and CCM implementation.  Patrick did a very good job of sharing examples and screen shots of how their tools are being configured to monitor both routine and non-routine transactions. &lt;br /&gt;&lt;br /&gt;10. Compliance is the Lead&lt;br /&gt;9.   Your eyes are bigger than your stomach (you try to monitor everything)&lt;br /&gt;8.   Look through this report please (tedious, there's no bottom to the report)&lt;br /&gt;7.   Let's learn a specialized analysis language (instead of SQL)&lt;br /&gt;6.   Let's clean up the last two years of exceptions (10000++ exceptions.  Yikes!)&lt;br /&gt;5.   Continuous Audit instead of Continuous Improvement (i.e. Use Reason Codes)&lt;br /&gt;4.   Don't know how to spell Vasarhelee, Vaserheyli, Vasarhellee, Vasarhelyi... (LOL!)&lt;br /&gt;3.  Only know how to Audit AP (other apps are&lt;br /&gt;2.  Bringing a knife to a gun fight.  (re-testing what is already controlled by ERP)&lt;br /&gt;1.   
Not Using Oversight (LOL x 2)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-6254836808243864337?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/6254836808243864337/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=6254836808243864337' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/6254836808243864337'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/6254836808243864337'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2010/11/top-10-things-that-go-wrong-in.html' title='Top 10 Things that Go Wrong in a Continuous Auditing Project'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-6254274543656098759</id><published>2010-11-05T08:31:00.000-07:00</published><updated>2010-11-29T11:55:21.051-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ACL'/><category scheme='http://www.blogger.com/atom/ns#' term='CA Maturity Model'/><category scheme='http://www.blogger.com/atom/ns#' term='Caseware Monitor'/><category scheme='http://www.blogger.com/atom/ns#' term='SymSure'/><title type='text'>More from Rutgers WCAS. 
ACL, XBRL, and Caseware RCM (alphabet soup indeed!)</title><content type='html'>Excellent &lt;a href="http://raw.rutgers.edu/docs/wcars/21wcars/presentations/Verver,AuditAnalyticCapabilityM.pdf"&gt;presentation&lt;/a&gt; by ACL's John Verver on their Data Analytics Capability model.  The shout out regarding our similar CA Maturity model was much appreciated.  ACL's efforts to chart the path from one-time, retrospective data analysis (i.e. Hindsight) to more frequent, even predictive data analytics (i.e. Foresight) are on-target. &lt;br /&gt;&lt;br /&gt;Noteworthy is that their model doesn't necessarily advocate "continuous" as the desired frequency for data analysis, either for Internal Audit or for management-led monitoring efforts.  The right frequency depends on the relative risk of the process and data that is being analyzed.&lt;br /&gt;&lt;br /&gt;These slides aren't up yet on the Rutgers site (UPDATE - Link provided above), but I'll look to post a link when they're uploaded.  Very good content here for building a simple path toward more frequent, data driven auditing and monitoring.  &lt;br /&gt;&lt;br /&gt;Following John was Eric Cohen from PwC who provided some excellent information on the state of tagging and XBRL as a technique for automated data acquisition.  The ability to acquire external data (e.g. competitor financial results) and compare those results to our own results is an excellent management tool, and one that is now beginning to be realized.&lt;br /&gt;&lt;br /&gt;Following Eric Cohen was Andrew Simpson. Andrew is the Chief Operating Officer, CaseWare RCM Inc.,  formerly SymSure Ltd.  Andrew's slide on the cycle (aka "yo-yo") of control measurement and how greater frequency yields continuously improving controls.  Though CaseWare is a relatively new entrant in the CA / CM space, they seem to have excellent potential.  
UPDATE - link to Andrew Simpson's slides, which are now posted at &lt;a href="http://raw.rutgers.edu/docs/wcars/21wcars/presentations/simpsonCA.pdf"&gt;WCARS&lt;/a&gt; site:&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-6254274543656098759?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/6254274543656098759/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=6254274543656098759' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/6254274543656098759'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/6254274543656098759'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2010/11/more-from-rutgers-wcas-acl-xbrl-and.html' title='More from Rutgers WCAS. 
ACL, XBRL, and Caseware RCM (alphabet soup indeed!)'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-265607747359761991</id><published>2010-11-05T05:55:00.000-07:00</published><updated>2010-11-05T07:55:42.738-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Audit Analytics'/><category scheme='http://www.blogger.com/atom/ns#' term='Rutgers'/><category scheme='http://www.blogger.com/atom/ns#' term='WCAS'/><title type='text'>Rutgers WCAS - Advancing Audit Analytics.  Key learnings</title><content type='html'>Session Moderated by Trevor Stewart (Retired Partner, Deloitte)&lt;br /&gt;&lt;br /&gt;Panelists:&lt;br /&gt;&lt;br /&gt;Dr. Rod Brennan (Siemens - Risk &amp;amp; Internal Control Officer)&lt;br /&gt;Mark Loizeaux (Deloitte - Assurance National Office)&lt;br /&gt;Amy Pawlicki (AICPA - Business Reporting and XBRL)&lt;br /&gt;Phil Wedemeyer (Grant Thornton, Assurance National Office)&lt;br /&gt;&lt;br /&gt;Key Learnings:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Now that the SOX windfall is over for the large accounting firms, external audit fees are returning to the trends of fixed price work.  Hence, external auditing firms are strongly encouraging their clients to increase the use of CA and data analysis, so they can review those results and gain greater assurance in the same or less number of hours. &lt;br /&gt;&lt;/li&gt;&lt;li&gt;Knowledge of data analytics varies widely among the audit teams at the largest audit firms.  Even members of the most advanced engagement teams in the "best" offices work on very low-tech, (i.e. limited use of data analytics) audits in the same office.   
&lt;/li&gt;&lt;li&gt;Despite internal controls emphasis by the auditing firms and auditing  standards, nearly all signing external partners have a greater level of trust in Balance Sheets than other audit procedures.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;The PCAOB believes that external auditing is a standard, continuous process that must be followed.  Departures from standard process should be documented in audit workpapers.  Identifying anomalies and explaining them is an integral part of this process.  &lt;br /&gt;&lt;/li&gt;&lt;li&gt;PCAOB Auditing Standards have been expanded to include rigorous guidance on how to do a risk assessment.  Data analytics should contribute to this risk assessment.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;One of the downsides (per the panelists - not IMHO!) of more rigorous analytics is that we are more inclined to find anomalies and errors in financial processes.  Having to investigate and explain these anomalies can be very costly.  Example: 10,000 exceptions in Travel and Entertainment Expense review cannot practically be investigated and explained. &lt;br /&gt;&lt;/li&gt;&lt;li&gt;Most auditors don't like graphics as much as columns of numbers, yet their stamina for reviewing columns of numbers isn't good enough.  Graphical tools to aid in the interpretation of data are an area of interest for the panelists.  We at &lt;span style="font-weight: bold;"&gt;Visual Risk IQ&lt;/span&gt; (emphasis added - Visual is our first name!) agree.  &lt;/li&gt;&lt;li&gt;Data sources that can be used to aid in continuous assurance are not limited to financial statements or internal systems.  External data sources and internal operational systems are excellent sources for insights on business risk.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Who wants a better audit?  Management, or do they want less obtrusive audits?   Regulators, or do they want fewer auditor-reported issues?  Auditors, or do better audits cause problems during litigation?  
Maybe investors, but not for greater costs.  And investors may not even understand the audits they get now.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;The issue of connecting financial statements to underlying business processes and recording of transactions is a limitation of the audit profession.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Auditors of public companies need to understand materiality from an investor point of view.  What do investors depend on to make their investment decisions?  Materiality is not merely xx% of revenue or assets for all companies, especially if much of the market cap is based on future revenue or earnings, not historical results.    &lt;br /&gt;&lt;/li&gt;&lt;li&gt;Most losses in market cap relate to failure in strategic risk, not financial risk.  So is the emphasis on continuous auditing of financial transactions a flawed model?&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Internal auditors are challenged to access data that is needed for audit analytics.  &lt;/li&gt;&lt;/ul&gt;More to follow as the Conference progresses...&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-265607747359761991?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/265607747359761991/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=265607747359761991' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/265607747359761991'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/265607747359761991'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2010/11/rutgers-wcas-advancing-audit-analytics.html' title='Rutgers 
WCAS - Advancing Audit Analytics.  Key learnings'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-4995895192799416085</id><published>2010-11-05T05:47:00.000-07:00</published><updated>2010-11-05T06:29:32.496-07:00</updated><title type='text'>Live again from Rutgers - 21st World Continuous Auditing Symposium</title><content type='html'>Wow, has it been nearly four months since I've blogged?  Good news is that my brevity is improving.  For those of you that don't follow me on Twitter ( @VisualRiskIQ or &lt;a href="www.Twitter.com/VisualRiskIQ"&gt;www.Twitter.com/VisualRiskIQ&lt;/a&gt; ), I've been at least fairly busy reporting on Fraud, FCPA, and especially Higher Ed operational and compliance issues in the news that can be positively influenced by Continuous Auditing (CA) and Continuous Monitoring (CM) applications. &lt;br /&gt;&lt;br /&gt;Our firm continues its implementation of CA and CM for a variety of corporate, higher ed, and non-governmental organizations, and we continue to see an uptick in investment in the still-emerging technology.  With that said, it's slow and cautious investment, at least in part because the return on these investments can be mixed, especially if they are seen as technology purchases and not fuller, solution-focused change initiatives that involve people, process, &lt;span style="font-style: italic;"&gt;and&lt;/span&gt; technology.&lt;br /&gt;&lt;br /&gt;The &lt;a href="http://raw.rutgers.edu/21wcars"&gt;Rutgers Conference&lt;/a&gt; is a confluence of academia, external auditors, software firms, and internal audit customers of data analytics, so it is a very interesting venue.  
I look forward to documenting some of the soundbytes and lessons learned for folks who have not been fortunate enough to attend.  For those in attendance, I welcome any comments or corrections to the notes that I'll be taking. &lt;br /&gt;&lt;br /&gt;Regards,&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;reporting from Rutgers Business School&lt;br /&gt;Newark NJ&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-4995895192799416085?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/4995895192799416085/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=4995895192799416085' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/4995895192799416085'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/4995895192799416085'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2010/11/live-again-from-rutgers-21st-world.html' title='Live again from Rutgers - 21st World Continuous Auditing Symposium'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-5513607696933824643</id><published>2010-08-23T14:36:00.000-07:00</published><updated>2010-08-23T14:58:00.352-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='Rutgers'/><category scheme='http://www.blogger.com/atom/ns#' term='Audimation'/><category scheme='http://www.blogger.com/atom/ns#' term='Kennesaw State'/><category scheme='http://www.blogger.com/atom/ns#' term='Infogix'/><category scheme='http://www.blogger.com/atom/ns#' term='ECCM'/><title type='text'>Register for Webinar on Enterprise Continuous Controls Monitoring (ECCM) on 9/1/2010</title><content type='html'>I was pleased that Visual Risk IQ was invited to be on a panel titled ECCM: Past, Present, and Future.  The panel is part of a virtual conference titled Enterprise Continuous Controls Management.  To register for the Webinar, please see: &lt;a href="http://controlsinstitute.org"&gt;www.controlsinstitute.org&lt;/a&gt;  My fellow panelists will be Mike Cangemi (former President of Financial Executives Institute and current Board Member for FASB's Financial Accounting Standards Advisory Council and the Rutgers Continuous Auditing Advisory Board); Carolyn Newman (President and CEO of Audimation, the US Distributor for IDEA and CaseWare Monitor (formerly SymSure)); and Sumit Nijhawan, Company Operations Leader for Infogix.  &lt;br /&gt;&lt;br /&gt;The Panel will be moderated by Dr. Sri Ramamoorti of Kennesaw State, and is intended to address the scope and sponsorship challenges that organizations often face when starting an ECCM initiative.  We also intend to cover examples of Return on Investment with both an operational and compliance lens, and provide guidance on the kinds of business questions that ECCM can answer. &lt;br /&gt;&lt;br /&gt;Visual Risk IQ is optimistic about the business value of ECCM, as many different technical solutions can be configured to answer those business questions on a more frequent basis.  We look forward to the panel and hope that you make time to join the event. 
&lt;br /&gt;&lt;br /&gt;Regards,&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-5513607696933824643?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/5513607696933824643/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=5513607696933824643' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/5513607696933824643'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/5513607696933824643'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2010/08/register-for-webinar-on-enterprise.html' title='Register for Webinar on Enterprise Continuous Controls Monitoring (ECCM) on 9/1/2010'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-4894523218326478443</id><published>2010-06-23T06:52:00.000-07:00</published><updated>2010-06-30T20:14:12.017-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ACL'/><category scheme='http://www.blogger.com/atom/ns#' term='IDEA'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Auditing'/><title type='text'>Reflections on IIA International - Input for Continuous Auditing Global 
Technology Audit Guide (GTAG)</title><content type='html'>At the IIA International conference this month, three of the more  interesting presentations were by &lt;a href="http://www.dankneer.com/"&gt;Dan  Kneer&lt;/a&gt;, &lt;a href="http://www.linkedin.com/pub/steve-biskie/0/741/471"&gt;Steve   Biskie&lt;/a&gt; (ACL Services) and &lt;a href="http://mainardiassociates.com/home/"&gt;Robert Mainardi&lt;/a&gt;.   Each  presenter spoke on some combination of Continuous  Auditing and Continuous Monitoring, but if you attended all three  sessions, you could easily come away a bit confused.  While some or even  many of the same words were used in the same sessions, each presenter's  perspective on Continuous Auditing was quite different.&lt;br /&gt;&lt;br /&gt;Steve Biskie is Best Practices Program Director for ACL Services, who  writes market-leading data analysis software for internal auditors.  ACL  software, like its peers from IDEA and SAS, among others, is an  excellent tool for exception queries and structured data.  At Visual  Risk IQ, we use IDEA and ACL to  analyze millions of records and isolate dozens of exceptions to be  investigated by internal auditors.  Results are often  high-value, and can be made repeatable (i.e. Continual or Continuous  Auditing) by  automating data extraction and combining with workflow.  Caseware  Monitor (formerly known as SymSure for IDEA) and ACL's AX/2 are examples of emerging  tools for continuous auditing.&lt;br /&gt;&lt;br /&gt;Dr. Dan Kneer has retired from Academia and runs a firm called Dan Kneer  Advisors.  The Holy Grail of auditing according to Dr. Dan is  regression analysis, and he advocates using the tool "already on every  auditor laptop" (i.e. Microsoft Excel).  Dr. Dan focuses on trending  queries (e.g. the relationship between sales and costs of sales, or  between sales and commissions) to identify outliers to be investigated  in greater detail.  
Trending queries like regression analysis are highly  useful, but we would advocate their use together with exception  queries.  And since IDEA and ACL each have regression analysis features,  we would advocate using those tools instead of Excel due to improved  audit trails and logging, as well as the ability to work with datasets  larger than 1 million rows. Dr. Dan's emphasis on analytical  procedures has merit, and should be a component of a Continuous  Auditing program.&lt;br /&gt;&lt;br /&gt;Robert Mainardi's classes on continuous auditing receive high  evaluations, in part because he keeps it simple.  Strengths include  visual reporting of risks and controls (color-coded heatmaps in  MS-Office) and consistently reporting the results of audit procedures.  A  downside, per SAP's Norman Marks, is that "&lt;span class="status-body"&gt;&lt;span class="status-content"&gt;&lt;span class="entry-content"&gt;Mainardi designs  continuous audit programs for  clients that has limited use of technology.  Missing the boat"  We  respectfully disagree with Mr. Marks.  Instead of focusing on what's  missing, let's focus on what's there. We see Mainardi's glass as at least half  full, and would recommend that trending queries and exception queries be combined as part of the continuing auditing that Mainardi recommends.  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;div&gt;&lt;span class="status-body"&gt;&lt;span class="status-content"&gt;&lt;span class="entry-content"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;A continuous auditing program that includes one of the above techniques would add value for most any organization.  
A program that includes each of these techniques should be considered world-class.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;    &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-4894523218326478443?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/4894523218326478443/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=4894523218326478443' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/4894523218326478443'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/4894523218326478443'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2010/06/reflections-on-iia-international-input.html' title='Reflections on IIA International - Input for Continuous Auditing Global Technology Audit Guide (GTAG)'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-7835463565359497536</id><published>2010-05-14T08:51:00.001-07:00</published><updated>2010-05-14T11:19:30.036-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Oversight Systems'/><category scheme='http://www.blogger.com/atom/ns#' term='ACL'/><category scheme='http://www.blogger.com/atom/ns#' term='SymSure for IDEA'/><category 
scheme='http://www.blogger.com/atom/ns#' term='FCPA'/><category scheme='http://www.blogger.com/atom/ns#' term='Approva'/><title type='text'>The High Cost of FCPA Compliance - CCM-T as Low-cost Antidote</title><content type='html'>We've been writing and tweeting about Foreign Corrupt Practices Act (FCPA) compliance for several months, after teaming with Houston-based Morgan-Garris for an innovative data-driven solution to help reduce the costs of FCPA monitoring and compliance.  We'll actually be presenting next week at &lt;a href="http://bit.ly/aWyjmd"&gt;MISTI's SuperStrategies&lt;/a&gt; on using Continuous Auditing and Monitoring technology for several different applications, including FCPA.  &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This week's &lt;a href="http://bit.ly/9Arpsz"&gt;Forbes Article&lt;/a&gt; titled, "How Bribery Hurts Business and Enriches Insiders" shows the incredibly high costs of FCPA investigations.  Deloitte's 1300+ project consultants billed more than 949,000 hours on their work for the Siemens FCPA investigation.  ABB has reserved $300 million, and Avon Products has reserved $95 million for their on-going investigations.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;It is becoming increasingly common for FCPA costs to run tens, if not hundreds, of millions of dollars.  What takes so long?  Why is it so expensive?  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;When Kim and I were at PwC, it was common for the data acquisition component of a Big 4 data analysis project to consume 60% or 70% or more of a project budget.  Extracting flat files and fastidiously mapping them into desktop audit software tools was and still is a time-consuming process, especially for ad hoc analysis.  At Visual Risk IQ, most of our data analysis projects are fixed-fee, and include time to acquire and map data into more modern audit software like Oversight, Approva, or SymSure for IDEA**.  
These more modern tools facilitate repeated extraction at dramatically lower costs of data acquisition, therefore allowing more time for research and review of results.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;As such, each successive extract of a monthly or even daily file can be loaded into modern audit software, so that 100% of the time for the second file is spent on review of results, not loading data.  Further, advances in workflow and logging can facilitate efficient review and oversight by finance or inside / outside counsel.  Given the fees cited in Forbes, we know we have a much better way.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Joe Oringel&lt;/div&gt;&lt;div&gt;Visual Risk IQ&lt;/div&gt;&lt;div&gt;Charlotte NC, USA&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;** Author's Note - We read that ACL's AX/2 has similar automation for data extraction, through integration of Informatica for extract, transform, and load.  
We have not yet validated this functionality.&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-7835463565359497536?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/7835463565359497536/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=7835463565359497536' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/7835463565359497536'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/7835463565359497536'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2010/05/high-cost-of-fcpa-compliance-ccm-t-as.html' title='The High Cost of FCPA Compliance - CCM-T as Low-cost Antidote'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-8351153861953606102</id><published>2010-05-04T09:35:00.000-07:00</published><updated>2010-05-04T10:29:14.685-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='AICPA'/><category scheme='http://www.blogger.com/atom/ns#' term='AHIA'/><category scheme='http://www.blogger.com/atom/ns#' term='IIA'/><category scheme='http://www.blogger.com/atom/ns#' term='Data Analysis'/><category scheme='http://www.blogger.com/atom/ns#' term='ACUA'/><category scheme='http://www.blogger.com/atom/ns#' 
term='ERM'/><title type='text'>Speaking at Conferences in 2010, continued</title><content type='html'>Excellent feedback from IIA Chapter and District meetings has resulted in several new speaking opportunities this quarter.  The list of topics is broadening, though the central themes remain data analysis and continuous auditing and monitoring.  Among the newest topics are a Data-Driven Approach to Enterprise Risk Management and Social Media 101, in addition to existing programs around anti-fraud programs and continuous auditing and monitoring.&lt;br /&gt;&lt;br /&gt;Recent speaking engagements booked include National AICPA Conferences (i.e.&lt;a href="http://bit.ly/9VJ2RF"&gt; NAAAT's&lt;/a&gt; - the National Advanced Accounting and Auditing Symposium and &lt;a href="http://bit.ly/cjsxPi"&gt;Controller's Workshops&lt;/a&gt;) and industry conferences with the Association of College and University Auditors (ACUA) and Association of HealthCare Internal Audit Conference (AHIA), among others.  At &lt;a href="http://www.resourcenter.net/images/AHIA/files/2010/AnnMtg/2010AHIAProgram.pdf"&gt;AHIA&lt;/a&gt;, we'll be co-presenting with Chase Whitaker of HCA HealthCare, and at ACUA's Annual Conference we'll be co-presenting with Scott Stevenson of Emory. &lt;br /&gt;&lt;br /&gt;We are currently preparing for our Wake-Up session on May 19, 2010, at &lt;a href="http://www.misti.com/default.asp?page=65&amp;amp;Return=70&amp;amp;ProductID=6075"&gt;MISTI's SuperStrategies&lt;/a&gt;, the Audit Best Practices conference to be held in Orlando.  Our session is entitled Hot Topics in Continuous Auditing:  Fraud, FCPA, and More.  We will recap a number of Continuous Auditing implementations that touch on frequent risk assessment and frequent control assessment.  This session will describe ways to integrate the multitude of audit software platforms that can occasionally challenge, if not even overwhelm, internal audit departments. 
&lt;br /&gt;&lt;br /&gt;For more information on bringing partial-day or even full-day speaker programs to your IIA, ACFE, ISACA, or CPA society meeting, please contact us via the comment feature of this blog below.&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-8351153861953606102?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/8351153861953606102/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=8351153861953606102' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/8351153861953606102'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/8351153861953606102'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2010/05/speaking-at-conferences-in-2010.html' title='Speaking at Conferences in 2010, continued'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-2805331994349371034</id><published>2010-03-22T03:50:00.000-07:00</published><updated>2010-03-22T05:23:33.178-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Text Analytics'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Arrowpoint Capital'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Auditing'/><title type='text'>Reflections on Mid-Atlantic District Conference - Continuous Auditing presentation</title><content type='html'>Continuous Auditing meets Continuous Improvement.&lt;br /&gt;&lt;br /&gt;Along with colleagues Dr. George Aldhizer (Wake Forest University), Kathy Hardwick (Audit Relationship Manager of Arrowpoint Capital), and David Payseur (Chief Audit Executive of Arrowpoint Capital), I helped present our Continuous Auditing Maturity Model for the Charlotte, Raleigh, and Triad IIA Chapters last week at the District Conference in Charlotte.  Thanks to each of the co-presenters, and especially to David who suggested that we update the material published in WG&amp;amp;L's Internal Auditing in Sept / Oct 2009.&lt;br /&gt;&lt;br /&gt;Though we had presented together before, I was struck by how the material had evolved from our prior presentations.  George Aldhizer updated his segment to provide an overview of Text Analytics.  Text Analytics (i.e., tools that are used to analyze unstructured data such as email and other text-based documents) can identify, classify, and parse words and clusters of words in electronic documents.  These tools are more commonly used in Forensic analysis, but depending on industry and business risk, he recommended that they be considered as part of an overall Data Analysis program.  We agree with his assessment, and see application in journal entry analysis and other anti-fraud programs. &lt;br /&gt;&lt;br /&gt;Kathy and David provided an update of the Continuous Auditing program at Arrowpoint.  For those of you unfamiliar with Arrowpoint, they have had a data-driven Continuous Auditing (CA) program since 2003.  Their CA program is fully integrated with Enterprise Risk Management and provides monthly reporting to executive management and the Board on assessment of risks and controls. 
 Arrowpoint is among the most advanced of all CA programs that we have met with, regardless of industry.  Most noteworthy for me last week was how the depth and breadth of their data analysis routines keeps improving.  Some tests have migrated to the business from Internal Audit, while other tests are run more frequently or less frequently, based on past results and risk assessment.&lt;br /&gt;&lt;br /&gt;Our update included an overview of Visual Risk IQ's QuickStart methodology, which we use to help separate the business-focused activities in a CA program from other more technical tasks.  One of the common misconceptions about data analysis is that it is an "IT Audit" activity, because some of the tasks require some intermediate or even advanced technical skills for data acquisition.  QuickStart separates data acquisition and script-writing tasks from analysis and reporting, so that business auditors are primarily responsible for reviewing query results and reporting on them.  Feedback from Arrowpoint, from our clients, and also training sessions like the District Conference reinforce the importance of that approach.&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-2805331994349371034?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/2805331994349371034/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=2805331994349371034' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/2805331994349371034'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/380566879282058881/posts/default/2805331994349371034'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2010/03/reflections-on-mid-atlantic-district.html' title='Reflections on Mid-Atlantic District Conference - Continuous Auditing presentation'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-8027317267459810612</id><published>2010-02-11T05:57:00.001-08:00</published><updated>2010-02-11T06:37:45.671-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Wharton'/><category scheme='http://www.blogger.com/atom/ns#' term='Green Energy'/><category scheme='http://www.blogger.com/atom/ns#' term='CCM-T'/><category scheme='http://www.blogger.com/atom/ns#' term='Sustainability'/><title type='text'>Green Energy / Sustainability and CCM-T?</title><content type='html'>This is my first blog post in February, and first in nearly a month.  I find the more active I am with Twitter / micro-blogging, the less frequently I post here.  Hmmm, there's got to be a better way....Maybe a Twitter digest?  But I digress...&lt;br /&gt;&lt;br /&gt;As we have much of last year, again today we're thinking about Green Energy and Sustainability.  The sociological and public good components of Green Energy and Sustainability are clear, but the growing number of new business start-ups in this space is a sign that doing good may also be financially rewarding.  
Evidence includes the &lt;a href="http://sustainability.wharton.upenn.edu/"&gt;Wharton School's Sustainability Program&lt;/a&gt; and the high ROI payback that can be obtained from Energy Audit activities in both commercial and even residential space.  In the last month, we've met with &lt;a href="http://tr.im/NL6R"&gt;BreezePlay&lt;/a&gt; (a Charlotte-based Green Energy start-up focusing on the residential space) and &lt;a href="http://tr.im/NKLr"&gt;Energy Reduction Solutions&lt;/a&gt; (a Florida-based Engineering start-up focusing on the commercial space).  Each has sparked our interest. &lt;br /&gt;&lt;br /&gt;At Visual Risk IQ, we talk about how CCM-T reduces the marginal cost of "one more question," and helps audit and financial professionals answer important questions about internal controls, fraud, and expense management.  Who are the smart people asking questions about Green Energy and Sustainability? &lt;br /&gt;&lt;br /&gt;We'd like to meet more of them, so please drop us a line!&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-8027317267459810612?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/8027317267459810612/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=8027317267459810612' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/8027317267459810612'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/8027317267459810612'/><link rel='alternate' type='text/html' 
href='http://continuousauditing.blogspot.com/2010/02/green-energy-sustainability-and-ccm-t.html' title='Green Energy / Sustainability and CCM-T?'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-1353158324138219929</id><published>2010-01-18T07:05:00.000-08:00</published><updated>2010-01-18T07:48:53.938-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='AICPA'/><category scheme='http://www.blogger.com/atom/ns#' term='IIA'/><category scheme='http://www.blogger.com/atom/ns#' term='Conferences'/><category scheme='http://www.blogger.com/atom/ns#' term='ERM'/><title type='text'>Speaking at Conferences in 2010</title><content type='html'>Continuous auditing and data analysis were hot topics at IIA and ISACA programs for 2008 and 2009, and each remains of interest here in the new year.  In the last two weeks, we have booked Continuous Auditing and Data Analysis programs in &lt;a href="http://tr.im/KM4V"&gt;Houston&lt;/a&gt; on February 1, and also for the North Carolina IIA District Conference in Charlotte on March 18. &lt;br /&gt;&lt;br /&gt;In Charlotte, we will be co-presenting with Dr. George Aldhizer and David Payseur from Arrowpoint.  Each of these programs will feature the Continuous Auditing Maturity Model that was published in the Sept / Oct 2009 issue of Internal Auditing.  
(Reprints available on request - just leave a comment on this post or send an email).&lt;br /&gt;&lt;br /&gt;We are also scheduled to speak at the AICPA's &lt;a href="http://tr.im/KMaK"&gt;National Advanced Accounting and Auditing Technical Symposium&lt;/a&gt;, specifically about a data-driven approach to Enterprise Risk Management.  This ERM topic is one that we expect will be repeated at other conferences, as using data analytics for risk assessment, whether internal audit project selection or for broader enterprise risk assessment, can be a very powerful application. &lt;br /&gt;&lt;br /&gt;Though registration information is not yet posted for this conference, we have also received word that Visual Risk IQ has been accepted as a speaker at the AICPA's Controller's Conference, where our topic will be Social Media and its application for Finance and Audit.  So look for more Tweets, Blogs, and LinkedIn updates on that topic as the arrangements are finalized.  &lt;br /&gt;&lt;br /&gt;Wishing each of you the best for a healthy, happy, and prosperous 2010.&lt;br /&gt;&lt;br /&gt;Regards,&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte North Carolina, USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-1353158324138219929?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/1353158324138219929/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=1353158324138219929' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/1353158324138219929'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/380566879282058881/posts/default/1353158324138219929'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2010/01/speaking-at-conferences-in-2010.html' title='Speaking at Conferences in 2010'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-1371802198002382133</id><published>2009-12-15T12:34:00.001-08:00</published><updated>2009-12-15T12:45:41.685-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='NC State'/><category scheme='http://www.blogger.com/atom/ns#' term='ERM Roundtable'/><title type='text'>NC State's ERM Roundtable Date set for Charlotte</title><content type='html'>Save the date for NC State's ERM Roundtable, to be held on Friday March 12, 2010, at the Westin Charlotte uptown.  Instead of the usual two-hour forum, there will be two 90-minute panel discussions surrounding a networking break, and the event will run from 8:30 until noon EST. &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This session allows the Charlotte business community access to NC State's renowned ERM Institute, without the nearly 3-hour drive to Raleigh, and is highly recommended to finance and compliance executives in all industries.  
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The first panel, titled "ERM:  Lessons Learned", will feature the following Panelists:&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Helvetica, Arial, sans-serif; font-size: 11px; color: rgb(51, 51, 51); line-height: 16px; "&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 10px; margin-left: 48px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.53em; width: 500px; "&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span" style="font-size: medium; "&gt;Susie Wilson – Reynolds American Corporation&lt;br /&gt;Dan Wall – &lt;/span&gt;&lt;/span&gt;&lt;span class="caps"&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span" style="font-size: medium; "&gt;RBC&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span" style="font-size: medium; "&gt; Centura&lt;br /&gt;Marshall Croom – Lowe’s Corporation&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Helvetica, Arial, sans-serif; font-size: 11px; "&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span" style="font-size: medium; "&gt;Dave Landsittel – &lt;/span&gt;&lt;/span&gt;&lt;span class="caps"&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span" style="font-size: medium; "&gt;COSO&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span" style="font-size: medium; "&gt; Chairman&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;div&gt;&lt;span class="Apple-style-span"    
style="font-family:Georgia, serif;font-size:130%;color:#000000;"&gt;&lt;span class="Apple-style-span" style="font-size: 16px; line-height: normal; "&gt;&lt;span class="Apple-style-span"   style="font-family:'times new roman', Arial, sans-serif;color:#333333;"&gt;&lt;span class="Apple-style-span" style="font-size: medium; line-height: 16px; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;The second panel, titled "ERM:  Directions for the Future", will feature the following Panelists: &lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"    style="font-family:Helvetica, Arial, sans-serif;font-size:100%;color:#333333;"&gt;&lt;span class="Apple-style-span" style="font-size: 13px; line-height: 19px; "&gt;&lt;span class="Apple-style-span"    style="font-family:Georgia, serif;font-size:130%;color:#000000;"&gt;&lt;span class="Apple-style-span" style="font-size: 16px; line-height: normal; "&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 51, 51); line-height: 19px; "&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span" style="font-size: medium; "&gt;&lt;span class="Apple-tab-span" style="white-space: pre; "&gt; &lt;/span&gt;Steve Dreyer – Standard &amp;amp; Poor’s&lt;br /&gt;&lt;span class="Apple-tab-span" style="white-space: pre; "&gt; &lt;/span&gt;David Fox – &lt;/span&gt;&lt;/span&gt;&lt;span class="caps"&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span" style="font-size: medium; "&gt;KBR&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span" style="font-size: medium; "&gt; Inc.&lt;br /&gt;&lt;span class="Apple-tab-span" style="white-space: pre; "&gt; &lt;/span&gt;Trent Gazzaway – Grant 
Thornton&lt;br /&gt;&lt;span class="Apple-tab-span" style="white-space: pre; "&gt; &lt;/span&gt;Jim Traut – H.J. Heinz Corporation&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Helvetica, Arial, sans-serif; font-size: 11px; color: rgb(51, 51, 51); line-height: 16px; "&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;For more information or to register, see NC State &lt;a href="http://www.mgt.ncsu.edu/erm/index.php/events/entry/erm-roundtable-march2010/"&gt;web site&lt;/a&gt;.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Helvetica, Arial, sans-serif; font-size: 11px; color: rgb(51, 51, 51); line-height: 16px; "&gt;&lt;p style="margin-top: 0px; margin-right: 0px; margin-bottom: 10px; margin-left: 48px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; font-size: 13px; line-height: 1.53em; width: 500px; "&gt;&lt;span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: Georgia, serif; font-size: 16px; line-height: normal; "&gt;&lt;/span&gt;&lt;/p&gt;&lt;div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Helvetica, Arial, sans-serif; font-size: 11px; color: rgb(51, 51, 51); line-height: 16px; "&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/span&gt;&lt;p&gt;&lt;/p&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-1371802198002382133?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/1371802198002382133/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=1371802198002382133' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/1371802198002382133'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/1371802198002382133'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/12/nc-states-erm-roundtable-date-set-for.html' title='NC State&apos;s ERM Roundtable Date set for Charlotte'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-500856415214460289</id><published>2009-12-06T19:42:00.000-08:00</published><updated>2009-12-06T20:42:43.578-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Travel and Entertainment'/><category scheme='http://www.blogger.com/atom/ns#' term='Anti-Fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='P-Card Fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='Cal State'/><title type='text'>Why P-Card / T&amp;E audits can be a good "first" data analysis project?</title><content type='html'>&lt;span style="color:#323232;"&gt;&lt;span&gt;&lt;span&gt;&lt;span&gt;&lt;span class="Apple-style-span"  style="color:#000000;"&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;For those of you who don't follow me on Twitter, (i.e. 
- the whole world, less 91 people), you may have missed Cal State's recent &lt;/span&gt;&lt;/span&gt;&lt;a href="http://tr.im/GRAY"&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;audit&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt; released on December 3 that documented that more than $150,000 in "Improper and Wasteful Expenses" were paid to a very "senior official" in the California State University system.  Subsequently it has been &lt;/span&gt;&lt;/span&gt;&lt;a href="http://tr.im/GREO"&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;reported by Fox 40&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt; that the official is David Ernst, who is currently CIO of the University of California System, according to this &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;&lt;a href="http://www.universityofcalifornia.edu/future/Lapp061208.pdf"&gt;release&lt;/a&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt; from June 2008.  
At least, until the &lt;/span&gt;&lt;/span&gt;&lt;a href="http://www.sacbee.com/education/story/2371238.html"&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt;UC Union&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span"  style="font-size:medium;"&gt; has their way. &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span style="color:#323232;"&gt;&lt;span style="font-size:180%;"&gt;&lt;span&gt;&lt;span style="font-size:16.0px;"&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;span class="Apple-style-span"  style="color:#000000;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;Given the tremendous budget challenges throughout California, including the 32% tuition &lt;/span&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;hike that has been &lt;/span&gt;&lt;a href="http://www.cnn.com/2009/US/11/20/california.tuition.protests/"&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;national news&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt; for most of the last month, this is a most unfortunate time for the incident to come to light.  Imagine explaining this hire to the press, given the current budget climate.  
Reputation risk, for both Cal State and the University of California Systems, far exceeds the amount of these "Improper and Wasteful Expenses".&lt;br /&gt;&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="color:#323232;"&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="color:#323232;"&gt;&lt;span class="Apple-style-span" style="color: rgb(0, 0, 0);  "&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;But there are numerous other reasons to begin a data analysis and anti-fraud program with P-Card / T&amp;amp;E.  The more obvious ones are that the data is consistent regardless of organization or industry, that the datasets are normally simple, and that policies are generally easy to interpret.   A less obvious one is that the T&amp;amp;E controls provided by banks, such as Merchant Category Codes and Card Limits, are useful but incomplete unless card activity is also compared to enterprise data like employee leave or termination dates, a comparison that modern data analysis software can perform.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="color:#323232;"&gt;&lt;span class="Apple-style-span" style="color: rgb(0, 0, 0);  "&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;My belief is that T&amp;amp;E is a great place to begin a data analysis program, because problems there may be red flags for other transactions that should be reviewed.  I learned this on a project more than 10 years ago, when I was leading an investigation of T&amp;amp;E fraud by an IT Director at a Fortune 500 firm.  
Through data analysis, we had uncovered a scheme where that Director had stolen more than $50,000, through a pattern of submitting multiple charges for a business trip.  One of the team members suggested that we should look at other transactions that the fraudster had approved, and that's when everything hit the fan.  &lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;It turns out that T&amp;amp;E fraud at this Company wasn't enough to support the Director's spending habits, so the individual had also established a fictitious vendor scheme that netted more than $1 million in fraudulent disbursements.  The investigative team discovered the second, larger fraud by reviewing all other transactions that the fraudster had approved.  &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;So whatever the reason, if you're not using data analysis to review the entire population of P-Card and T&amp;amp;E spend, we recommend you consider it.  And if you are reviewing the entire population of transactions, we recommend you do it more frequently.  Given that the above expenses were not identified until more than four years after the "Improper and Wasteful Spending" began, and more than 18 months after the official left CSU, this will be a much more expensive and messy incident to resolve.  &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman', serif;"&gt;Stay tuned.  
Given the current environment, this should be an interesting one. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman', serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;Joe Oringel&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;Visual Risk IQ&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:'times new roman';"&gt;Charlotte NC, USA&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-500856415214460289?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/500856415214460289/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=500856415214460289' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/500856415214460289'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/500856415214460289'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/12/why-p-card-t-audits-can-be-good-first.html' title='Why P-Card / T&amp;E audits can be a good &quot;first&quot; data analysis project?'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' 
src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-9055085683079772993</id><published>2009-12-02T20:38:00.000-08:00</published><updated>2009-12-02T20:53:49.872-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='ACL'/><category scheme='http://www.blogger.com/atom/ns#' term='Audimation'/><category scheme='http://www.blogger.com/atom/ns#' term='GTAG #13'/><title type='text'>IIA Releases new Guidance, including GTAG #13 - Fraud Prevention and Detection in an Automated World</title><content type='html'>The IIA released its newest Guidance this morning.  Both a Practice Guide titled &lt;a href="http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/internal-auditing-and-fraud-1/"&gt;Internal Auditing and Fraud&lt;/a&gt; and a Global Technology Audit Guide titled &lt;a href="http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gtag/gtag13/"&gt;Fraud Prevention and Detection in an Automated World&lt;/a&gt;.  Contributors include good friends Rich Lanza, Peter Millar (ACL), and Don Sparks (Audimation / IDEA).  &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I've downloaded both this evening, and look forward to reading each on my Chicago trip this week.  We anticipate updating our proprietary QuickStart methodology for Data Analytics to consider the anti-fraud framework in the Guides.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;More to follow in the coming week.  
Any early comments and observations on either document would be welcomed.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-9055085683079772993?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/9055085683079772993/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=9055085683079772993' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/9055085683079772993'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/9055085683079772993'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/12/iia-releases-new-guidance-including.html' title='IIA Releases new Guidance, including GTAG #13 - Fraud Prevention and Detection in an Automated World'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-671512841673488517</id><published>2009-11-24T04:41:00.000-08:00</published><updated>2009-11-24T05:11:26.717-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='New York Times'/><category scheme='http://www.blogger.com/atom/ns#' term='CCM-T'/><category scheme='http://www.blogger.com/atom/ns#' term='National Institute of Health'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Conflict of Interest'/><title type='text'>Conflict of Interest / External Databases, in the news again!</title><content type='html'>Last week's New York Times &lt;a href="http://tr.im/Fx6u"&gt;article&lt;/a&gt; about Research Conflicts of Interest within the University community included a link to the US Department of Health and Human Services Office of Inspector General (OIG) &lt;a href="http://tr.im/FEZe"&gt;audit report&lt;/a&gt;.  The audit report identifies financial conflicts, including equity ownership in companies, in which researchers' financial interests could significantly affect the grant research.  Simply stated, the doctor who reports that compound XYZ could be a breakthrough drug for treatment of disease may profit significantly from their own research.  And that personal gain may not be known to their University, the general public, or the National Institute of Health (NIH), which is often the sponsor of that research. &lt;br /&gt;&lt;br /&gt;Though grantee institutions often require researchers to disclose conflicts of interest in research publications, the same institutions rarely reduce or eliminate the financial conflicts.  Ninety percent of grantee institutions rely solely on researcher discretion to determine which interests are required to be reported.  Because equity interests (i.e. stock ownership) are rarely required to be reported, the specific financial interests of NIH-funded researchers are often unknown. &lt;br /&gt;&lt;br /&gt;The OIG audit report recommends that National Institute of Health request grantee institutions to provide details to NIH regarding the nature of ALL reported financial conflicts of interest, and how the conflicts are managed, reduced, or eliminated.  
This change, if implemented, would be a major step-up in Oversight on how the University Research community is monitored.&lt;br /&gt;&lt;br /&gt;Stay tuned - the compliance and record keeping impact of such changes could be quite widespread.  Fortunately for some universities who have implemented Continuous Controls Monitoring (CCM-T) solutions that compare data from internal to external databases, these changes may be easier to implement.  For more information, see:  www.VisualRiskIQ.com/HigherEd&lt;br /&gt;&lt;br /&gt;For related posts, see: &lt;a href="http://continuousauditing.blogspot.com/2009/10/conflicts-of-interest-power-of-external.html"&gt;October 2009&lt;/a&gt; and &lt;a href="http://continuousauditing.blogspot.com/2009/07/conflict-of-interest-power-of-external.html"&gt;July 2009&lt;/a&gt; blog entries.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-671512841673488517?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/671512841673488517/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=671512841673488517' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/671512841673488517'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/671512841673488517'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/11/conflict-of-interest-external-databases.html' title='Conflict of Interest / External Databases, in the news again!'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-8931483132795586460</id><published>2009-11-10T12:45:00.000-08:00</published><updated>2009-11-18T03:48:22.823-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Rutgers'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Auditing'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Controls Monitoring'/><title type='text'>Reflections from the Rutgers World Continuous Auditing Symposium (WCAS)</title><content type='html'>I represented Visual Risk IQ as a panelist Friday 11/6 at the Rutgers WCAS event in New Jersey. Mike Cangemi, former president of FEI moderated our panel, which also included Eric Cohen from PwC / OCEG, and Dr. Virginia Cortijo from University of Huelva (Spain).   Despite the presentation time on a Friday afternoon (4:00!), the panel generated nearly a dozen questions from the audience, and dialog continued into the dinner hour.   &lt;br /&gt;&lt;br /&gt;The event provided opportunity to reconnect with friends and colleagues from most of the CA / CCM software firms, from academia, and most importantly, with other early adopters of CA / CCM.  Most attendees had already committed to some level of CA / CCM at their firms, each with varying levels of success.  Some observations from the presentations:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;External auditors opine on a balance sheet as of one day each year.  Not much continuous about that.  Internal Auditing should be leading the charge for Continuous Auditing.&lt;/li&gt;&lt;li&gt;Most CCM applications focus on a single application - P-Card, Procure to Pay, or Journal Entry review, likely because of simpler data models and availability of commercial software.  
Exceptions are IBM (Order to Cash) and HP (IT General Controls).&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Organizations that are the best candidates for CCM are those that have a zero tolerance for Compliance exceptions and also a relentless desire for Continuous Improvement.&lt;/li&gt;&lt;li&gt;Internal audit can be the CA / CCM learning lab for the rest of the Company.  See Terry Hickman's &lt;a href="http://raw.rutgers.edu/19wcas/Terry_Hickman.pdf"&gt;presentation&lt;/a&gt; (Procter &amp;amp; Gamble) for more information.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Most savings realized by audit teams through Continuous Auditing are re-directed toward emerging risks and increasing coverage. &lt;br /&gt;&lt;/li&gt;&lt;li&gt;Continuous auditing and data analytics jobs are out there, but the quantity and quality of applicants have been below expectations, according to several hiring managers. &lt;br /&gt;&lt;/li&gt;&lt;li&gt;New software entrants such as SymSure for IDEA and ACL's Audit Exchange 2 (AX2) are sparking new projects in CA, as their price point is a marked improvement relative to more comprehensive CCM tools that have previously been available.   &lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;Our &lt;a href="http://raw.rutgers.edu/19wcas/JoeOringel.pdf"&gt;presentation&lt;/a&gt; emphasized some of the challenges of defining Continuous Auditing.  At some organizations, the term means Continuous Risk Assessment.  At others, it means Control Assessment of configurable controls or Control Assessment of Transactions.  If people that are doing CA / CCM use the same words for different activities, it's hard for others to follow this leadership.  For more information on the conference, see: &lt;a href="http://raw.rutgers.edu/19wcas/"&gt;Rutgers WCAS&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Did you attend?  What were your key take-aways?  
All comments are welcomed!&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA &lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-8931483132795586460?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/8931483132795586460/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=8931483132795586460' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/8931483132795586460'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/8931483132795586460'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/11/reflections-from-rutgers-world.html' title='Reflections from the Rutgers World Continuous Auditing Symposium (WCAS)'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-7841747751355097996</id><published>2009-10-30T08:48:00.001-07:00</published><updated>2009-10-30T09:30:01.713-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Sunshine Act'/><category scheme='http://www.blogger.com/atom/ns#' term='New England Journal of Medicine'/><category scheme='http://www.blogger.com/atom/ns#' term='Conflict of Interest'/><title type='text'>Conflicts of Interest - The 
Power of External Databases (part II)</title><content type='html'>You may remember that I wrote this summer about the &lt;a href="http://continuousauditing.blogspot.com/2009/07/conflict-of-interest-power-of-external.html"&gt;power of external databases&lt;/a&gt;, and about how the Department of Defense and UCLA had encountered compliance, financial, and reputation risk items that might have been prevented with better analytical routines that connected enterprise data with external data.  &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This month's &lt;a href="http://tr.im/DnAa"&gt;New England Journal of Medicine &lt;/a&gt;features research on Conflicts of Interest Disclosures by physicians involved with certain Medical Devices, specifically orthopedic devices.  Compliance with disclosure requirements was just over 70%, which is noteworthy.  It makes me think about reputation risk for Research Universities, and whether their audit and compliance plans should specifically consider monitoring of these disclosures.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;When I was in public accounting, we first had simple disclosures that asked if we had read the "Restricted List", the securities that managers could not invest in because of the firm's audit relationship with those clients.  First partners and then eventually all staff began to register all of their investments with the firm, so that conflicts could be detected more easily. After all, having an "on my honor, I promise I haven't invested in...." letter was not enough, and the firm began to require that we register our investments with the Independence Office so that regular comparisons to the "Restricted List" could be made instead.   This improved information resulted in quite negative publicity when Conflicts were identified, but this was clearly the right thing to do.  
(see &lt;a href="http://www.cfo.com/article.cfm/2988066/1/c_2984378?f=archives"&gt;CFO Magazine circa 2000 for examples&lt;/a&gt;) &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Back to Conflicts of Interest and medical research.  Senator Grassley and others are pushing for Federal Sunshine Act disclosure, and many states now require pharmaceutical and medical device companies to register all payments to physicians for public disclosure.  I wonder what will be the trigger to cause Research Universities to keep more than an annual "on my honor, I promise I haven't received any compensation..." letter on file for their faculty, when improved, detailed information on compensation is even more readily available. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;What are the implications for Pharmaceutical and Medical Device companies as well?  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Joe Oringel&lt;/div&gt;&lt;div&gt;Visual Risk IQ&lt;/div&gt;&lt;div&gt;Charlotte NC, USA&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-7841747751355097996?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/7841747751355097996/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=7841747751355097996' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/7841747751355097996'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/7841747751355097996'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/10/conflicts-of-interest-power-of-external.html' title='Conflicts of 
Interest - The Power of External Databases (part II)'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-5453223150242747970</id><published>2009-10-16T07:38:00.000-07:00</published><updated>2009-10-16T07:58:05.346-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ACL Audit Exchange'/><category scheme='http://www.blogger.com/atom/ns#' term='Oversight Systems'/><category scheme='http://www.blogger.com/atom/ns#' term='Forrester'/><category scheme='http://www.blogger.com/atom/ns#' term='IDEA'/><category scheme='http://www.blogger.com/atom/ns#' term='CCM-T'/><category scheme='http://www.blogger.com/atom/ns#' term='Approva'/><category scheme='http://www.blogger.com/atom/ns#' term='SymSure'/><title type='text'>Forrester Research on Continuous Controls Monitoring is Spot On</title><content type='html'>Chatted with freelance writer and former CFO of one of our clients Chris McKittrick this week. Chris writes for &lt;a href="http://bigfatfinanceblog.com/?author=87"&gt;Big Fat Finance Blog&lt;/a&gt; on a variety of topics, including CCM-T, which &lt;a href="http://www.forrester.com/rb/research"&gt;Forrester Research&lt;/a&gt; calls Internal Controls Monitoring.  Chris pointed us to a &lt;a href="http://tr.im/C0tl"&gt;CFO Magazine article&lt;/a&gt; earlier this year about CCM-T, which states the simple and profound:&lt;br /&gt;&lt;br /&gt;&lt;!--StartFragment--&gt;&lt;span style="color: rgb(0, 153, 0); font-family: times new roman;font-size:100%;" &gt;“&lt;b&gt;Internal controls monitoring. 
&lt;/b&gt;Technologies in this area so far have demonstrated a low level of success, or business value-add, and are on a trajectory for minimal success over their lifespan, according to Forrester. There is potential payback in error reductions, efficiency, and risk avoidance, but most installations have yet to prove what they will ultimately be worth. And while internal controls monitoring is important because of Sarbanes-Oxley and other compliance directives, "many of the solutions just raise red flags," Paul Hamerman, vice president of enterprise applications for Forrester, tells CFO.com. "Somebody has to go through these flags to figure out what they mean. If the application doesn't have the built-in intelligence to do that, its value is diminished."&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Going through the red flags is a real business challenge, and requires knowledge of technology, enterprise data, policies, business rules, and fraud.  Unfortunately, many organizations that have invested in this technology do not put enough emphasis on the on-going care and feeding of the systems, and it's common for the number of red flags identified in a period to exceed the number of red flags that are fully researched and resolved.  As a result, the business value-add for the systems can fail to reach its potential.&lt;br /&gt;&lt;br /&gt;Even for organizations that are managing the work queues well, it is rare to see them modify their rules and add more red flags for checking.  Opportunities to help CCM-T users with post-implementation support, whether the tool of choice is Oversight, Approva, ACL Audit Exchange 2, or SymSure / IDEA, would seem to be a growth area.&lt;br /&gt;&lt;br /&gt;* * * * * * * * * * *&lt;br /&gt;&lt;br /&gt;Are you attending the &lt;a href="http://raw.rutgers.edu/19wcas/"&gt;Rutgers Continuous Auditing Symposium&lt;/a&gt; on November 6 and 7?  We are.  
Look for us at the Conference or on a Panel at 4:00 on Day 1, and let's compare notes on the above.  We're interested to share experiences with others...&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-5453223150242747970?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/5453223150242747970/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=5453223150242747970' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/5453223150242747970'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/5453223150242747970'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/10/forrester-research-on-continuous.html' title='Forrester Research on Continuous Controls Monitoring is Spot On'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-3779661942629807053</id><published>2009-10-13T05:10:00.001-07:00</published><updated>2009-10-13T05:26:59.586-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Arrowpoint Captial'/><category scheme='http://www.blogger.com/atom/ns#' term='Internal Auditing'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Continuous Auditing'/><category scheme='http://www.blogger.com/atom/ns#' term='GTAG #3'/><category scheme='http://www.blogger.com/atom/ns#' term='ERM'/><title type='text'>Continuous Auditing Article accepted for publication in Internal Auditing</title><content type='html'>We received news that an article submitted jointly with &lt;a href="http://business.wfu.edu/apps/facprofiles.cfm?id=aldhizgr"&gt;Dr. George Aldhizer&lt;/a&gt; of Wake Forest University has been accepted for publication by Thomson Reuters in their &lt;a href="http://ria.thomsonreuters.com/estore/detail.aspx?ID=INTA"&gt;Internal Auditing&lt;/a&gt; publication for the September / October issue that will be mailed to subscribers shortly.  Very timely, as Dr. Aldhizer, David Payseur (CAE of Arrowpoint Capital), and I are scheduled to present a Continuous Auditing CPE day in Winston-Salem NC on November 18, 2009.  &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The article describes Visual Risk IQ's Continuous Auditing Maturity model, and how the steps in moving from Basic data analysis toward Continuous Auditing require more than just technology investments.  Changes in audit methodology and especially reporting process are integral and equally important to such a journey.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The article profiles Arrowpoint Capital, a commercial property casualty run-off insurance carrier that is headquartered in Charlotte, NC, whose continuous auditing program is more than five years old and actually pre-dates the IIA's &lt;a href="http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gtag/gtag3/"&gt;GTAG publication on Continuous Auditing&lt;/a&gt;. 
Arrowpoint has an established, data-driven ERM program that links the results of Continuous Auditing activities and query scripts to specific risk assessment and control assessment activities that is reported monthly to management and the board.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;For more information, check back on how to order reprints and/or to come see us in Winston-Salem in November for the &lt;a href="http://www.theiia.org/chapters/index.cfm/view.event_detail/cid/116/event_id/14639"&gt;Triad CPE day&lt;/a&gt;.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Joe Oringel&lt;/div&gt;&lt;div&gt;Visual Risk IQ&lt;/div&gt;&lt;div&gt;Charlotte NC, USA    &lt;/div&gt;&lt;!--StartFragment--&gt;&lt;!--EndFragment--&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-3779661942629807053?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/3779661942629807053/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=3779661942629807053' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/3779661942629807053'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/3779661942629807053'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/10/continuous-auditing-article-accepted.html' title='Continuous Auditing Article accepted for publication in Internal Auditing'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' 
src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-4768497928025992916</id><published>2009-09-30T04:48:00.000-07:00</published><updated>2009-09-30T05:12:27.220-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='CCM'/><category scheme='http://www.blogger.com/atom/ns#' term='Internet Porn'/><category scheme='http://www.blogger.com/atom/ns#' term='National Science Foundation'/><category scheme='http://www.blogger.com/atom/ns#' term='Grants and Contracts'/><title type='text'>Internet Porn - Why I didn't complete my audit plan, by the National Science Foundation</title><content type='html'>&lt;span style="font-size:100%;"&gt;Regular readers of my blog know that Visual Risk IQ has been especially active in the Higher Education arena in 2009, helping adapt Continuous Controls Monitoring (CCM) for a Class One Research University.  In addition to monitoring for Accounts Payable controls compliance, duplicate payments, and vendor master file integrity, we have also built an innovative Grants &amp;amp; Contracts module that helps track compliance with various financial and operational milestones required by various Federal Grantors.&lt;br /&gt;&lt;br /&gt;The CCM module tests the validity of expenditures, overhead rates, and labor charges, and also can be easily extended for more complex tasks like Effort Reporting and Financial Aid compliance.  But perhaps it was overkill for the job, given that one of the largest inspection functions within the Federal Government is behind on its audit plan this year.&lt;br /&gt;&lt;br /&gt;Yep, they're too busy at the National Science Foundation investigating Internet Porn, so they're behind on their audit plan.  
For more information, see the &lt;a href="http://tr.im/AcZe"&gt;Washington Times&lt;/a&gt; .&lt;br /&gt;&lt;br /&gt;Maybe if their Office of the Inspector General used a more efficient method for selecting which grants and contracts to inspect.  More data-driven continuous risk assessment, or perhaps more use of data analysis in controls assessment would help with their efficiency / effectiveness.&lt;br /&gt;&lt;br /&gt;Other suggestions abound.  What do you think?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-4768497928025992916?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/4768497928025992916/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=4768497928025992916' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/4768497928025992916'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/4768497928025992916'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/09/you-cant-make-this-stuff-upwhy-i-didnt.html' title='Internet Porn - Why I didn&apos;t complete my audit plan, by the National Science Foundation'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' 
src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-3281499260511772422</id><published>2009-09-20T13:10:00.001-07:00</published><updated>2009-09-20T17:16:53.526-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Continual Auditing'/><category scheme='http://www.blogger.com/atom/ns#' term='CFO Magazine'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Auditing'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Controls Monitoring'/><title type='text'>Another CFO Article on Continuous Auditing - Correct about Vocabulary.  Incorrect about no one doing it well.</title><content type='html'>We appreciate CFO Magazine writing about Continuous Auditing (CA) again.  This &lt;a href="http://tr.im/zea3"&gt;month's piece&lt;/a&gt; is better than &lt;a href="http://tr.im/zey5"&gt;previous efforts&lt;/a&gt;, in that it focuses much more on the process changes needed for CA, and less on the actual technology that is used to accomplish CA, as we have &lt;a href="http://tr.im/zexp"&gt;blogged about&lt;/a&gt; previously.  CFO Magazine interviewed several industry and academic leaders for this article -  alas they didn't reach out to Visual Risk IQ, at least yet.   So in today's blog, we'll summarize some of our observations and experiences about CA and contrast them to the CFO article.  The centerpiece of our thoughts on CA is our proprietary maturity model, which we use to chart company-specific actions that help organizations advance on this journey.  We'll also suggest one or two other organizations that CFO Magazine might talk to so that a clearer picture of CA can develop.  In any case, we certainly echo the author's point, that a common, practical definition of CA is not yet accepted in the industry.  
&lt;div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;For this article, the author interviewed HCA, Microsoft, and AEP - and profiled how each organization uses CA.  We feel especially qualified to comment on the article, because Kim Jones and I have been working almost exclusively on CA since our days at PwC in 2006, where he was a key team member on the Microsoft project cited in the article.  We also count both HCA and AEP among our circle of friends from the speaking and writing that we each do in the Internal Audit community. &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;My counsel to the author would be to separate Continuous (which is really &lt;a href="http://tr.im/zeut"&gt;Continual&lt;/a&gt;) Risk Assessment from Continuous Controls Assessment.   One of the reasons that there are such varying definitions of CA is that there are a diverse number of objectives that can be accomplished with CA and especially Continuous Controls Monitoring for Transactions (CCM-T). Organizations that set out to allocate their audit resources based on more up-to-date information than an annual risk assessment are likely to begin their CA efforts here. Companies profiled publicly in articles and cases that match this CA description include McDonald's and Wells Fargo, and usually have a very large number of audit entities (i.e. Stores or Branches) that make it difficult to visit each entity in a three- or five-year audit cycle.  We have assisted several organizations to be more like McDonald's and Wells Fargo, by using data to perform more frequent, data-driven risk assessments to allocate their audit resources.  Most often, the data used for this activity is aggregate financial or operational information like Financial Performance vs. Budget, Performance Ratios, or Employee Turnover.   
While it appears from the quotes from Jay Hoffman at AEP that his team is doing Continuous Risk Assessment, the controls being tested per the article seem to be more specific to Continuous Controls Assessment, which is using data-driven techniques to provide greater depth and frequency of audit coverage.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Continuous Controls Assessment are the techniques profiled in the article at HCA, AEP, and Microsoft.  Instead of auditing overtime or journal entries only once every two or three years, many organizations use repeating data analysis scripts to assess the effectiveness of a control at multiple intervals during a year.  These techniques can alert management to emerging issues with fraud risk or compliance, and also assist in following up on previous audit findings.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;At Visual Risk IQ, we assert that "real continuous auditing" is to more fully integrate the Continuous Controls Assessment with Continuous Risk Assessment, so that audit project selection is based on the effectiveness of frequent, data-driven control assessment activities. Example:  "What should be next on the audit plan - let's go to the regional office that hit their sales budget (to the penny!), but hasn't updated their allowance for doubtful accounts since the new accounting manager was hired six months ago."&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;I can think of two or three organizations that are doing real continuous auditing, according to this definition.  Both Arrowpoint Capital in Charlotte and RLI Corporation in Peoria have presented at national and regional IIA / MISTI conferences about their CA programs, which originated with repeating the data analysis routines that were used for control assessment. 
While neither is a household name like Microsoft or HCA, each have been doing CA for more than five years, and are quite mature in their use of data for both control assessment and risk assessment.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In closing the article does a good job of distinguishing between CA and CM (continuous monitoring), which are activities performed by management.  The evolution of CA to CM is a particular mark of growing CA maturity.  Our work with CM, and especially CCM-T, has allowed us to help management use technology to test the right controls, at the right time, to achieve spectacularly effective results in business performance and internal controls.  CA is often the first step on that journey.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Joe Oringel&lt;/div&gt;&lt;div&gt;Visual Risk IQ&lt;/div&gt;&lt;div&gt;Charlotte NC, USA&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-3281499260511772422?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/3281499260511772422/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=3281499260511772422' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/3281499260511772422'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/3281499260511772422'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/09/another-cfo-article-on-continuous.html' title='Another CFO Article on Continuous Auditing - Correct about Vocabulary.  
Incorrect about no one doing it well.'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-2818957058445652716</id><published>2009-09-14T05:02:00.000-07:00</published><updated>2009-09-14T05:47:41.574-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='IIA'/><category scheme='http://www.blogger.com/atom/ns#' term='Brainstorming'/><title type='text'>IIA Presentation on Continuous Auditing - Thanks Baton Rouge!</title><content type='html'>Thanks and congratulations to the Baton Rouge IIA, who filled the room with more than 75 people for a one-hour lunchtime CPE session on making the journey From Data Analysis and Continuous Auditing.  This was a terrific turnout for most any chapter, but especially for one the size of Baton Rouge, which is a testament to the effectiveness of their officer group.  Thanks much Amanda, Renee, Staci and all other volunteers for their work to encourage such great attendance.     &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;We opened the session with the thought-provoking "&lt;a href="http://www.youtube.com/watch?v=jpEnFwiqdx8"&gt;Did You Know"&lt;/a&gt; video to help the audience appreciate the rapid growth of digital information, and challenge the audit profession on how to keep pace with this growth.  Sampling 25 or even 200 transactions just isn't enough when modern software allows us to test every transaction for control effectiveness, as frequently as daily or more.   
&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Thirty of the 75+ lunchtime attendees stayed for the remainder of the afternoon for a more detailed discussion of the journey toward continuous auditing, where we explored Visual Risk IQ's proprietary continuous auditing maturity model in greater detail.  During the last hour, we brainstormed ways to use disparate data for more innovative testing for identifying fraud.  The group did an outstanding job, as evidenced by some of the following creative test suggestions:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;- For a finance company that makes consumer loans to consolidate debt, compare the account numbers for payments made to credit card companies against account numbers of finance company employees, to make sure that funds are not diverted at closing from the consumer making the loan.  &lt;/div&gt;&lt;div&gt;- For almost any organization, compare vendor address and phone numbers against employee home and emergency contact information in HR and Payroll files for possible undisclosed conflicts&lt;/div&gt;&lt;div&gt;- For a state agency, compare external information about known deceased individuals / SSN's to benefits payments made to employees and retirees&lt;/div&gt;&lt;div&gt;- And many others....&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In each case, the participants suspended their "I'm not sure which file to ask for" and brainstormed what data would add to the effectiveness of their testing.  By thinking about risk and controls, without the restrictions of "it would be difficult because....,"  some really excellent ideas were explored and discussed.  
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-2818957058445652716?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/2818957058445652716/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=2818957058445652716' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/2818957058445652716'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/2818957058445652716'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/09/iia-presentation-on-continuous-auditing.html' title='IIA Presentation on Continuous Auditing - Thanks Baton Rouge!'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-3542096281835840632</id><published>2009-08-26T19:44:00.000-07:00</published><updated>2009-08-27T04:35:13.128-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Dan Brown'/><category scheme='http://www.blogger.com/atom/ns#' term='gister'/><title type='text'>Word of the Day (Month!) - Could technology be a "Gister?"</title><content type='html'>I'm reading another of Dan Brown's fast-paced and thought-provoking novels. 
(Brown wrote The Da Vinci Code and Angels &amp;amp; Demons.) It's an earlier one, titled Deception Point, and it features a character whose job is my new favorite word, even though the word seems to be made up by the author. &lt;br /&gt;&lt;br /&gt;The character (Rachel Sexton) is a "gister" or data summarizer for the National Reconnaissance Office.  A "gister" reduces complex reports into single-page briefs.  After reading a few Federal OIG audit reports for Research Universities, I'd like to have Ms. Sexton's help, as even the OIG's executive summaries need a little "gisting."&lt;br /&gt;&lt;br /&gt;Perhaps a bit like an audit executive who presents the last three months of their audit staff's activity in a briefing for the Audit Committee.  Or the auditor who analyzes 100,000 expense reports and uses a query tool to identify how many comply or don't comply with a particular policy.&lt;br /&gt;&lt;br /&gt;How are you and your team reviewing complex data to get to the gist of an issue?  Are there any tools that you are using?  Why?  
Let us know...&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-3542096281835840632?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/3542096281835840632/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=3542096281835840632' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/3542096281835840632'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/3542096281835840632'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/08/word-of-day-month-could-technology-be.html' title='Word of the Day (Month!) 
- Could technology be a &quot;Gister?&quot;'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-5997555726548575441</id><published>2009-08-18T05:40:00.000-07:00</published><updated>2009-08-21T06:53:15.091-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ISACA'/><category scheme='http://www.blogger.com/atom/ns#' term='IIA'/><category scheme='http://www.blogger.com/atom/ns#' term='CPE'/><category scheme='http://www.blogger.com/atom/ns#' term='Data Analysis'/><title type='text'>Setting IIA / ISACA speaking dates this fall</title><content type='html'>Continuous auditing and data analysis remains a very hot topic, as evidenced by our uptick in speaking requests this fall from IIA and ISACA chapters.  Several dates are already set in the next few months, and requests continue to come in for programming and education that help audit and finance leaders understand and quickly apply latest thinking in data analysis techniques.   &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;We have content already developed for 1/2 day and full day programs, in addition to executive briefings that are ideal for IIA District or Regional Conferences.  &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Some representative Data Analysis and Continuous Auditing speaking events include:&lt;/div&gt;&lt;div&gt;&lt;ul&gt;&lt;li&gt;September 11, 2009 - Baton Rouge IIA Chapter. 1/2 day session &lt;/li&gt;&lt;li&gt;September 16, 2009 - &lt;a href="http://tr.im/wPmJ"&gt;Greensboro, NC IIA Chapter&lt;/a&gt;.  
Full-day session on Data Analysis, with Tableau software and Audimation&lt;/li&gt;&lt;li&gt;October 7, 2009 - &lt;a href="http://bit.ly/P6i8O"&gt;Columbia, SC - ISACA Chapter&lt;/a&gt;.  Full-day session on Data Analysis and Continuous Auditing&lt;/li&gt;&lt;li&gt;November 18, 2009 - &lt;a href="http://bit.ly/s1y8Y"&gt;Greensboro, NC IIA Chapter&lt;/a&gt;.  Full-day session on Continuous Auditing, with David Payseur of Arrowpoint Capital and Dr. George Aldhizer from Wake Forest University.&lt;/li&gt;&lt;/ul&gt;&lt;div&gt;Other events are in discussion and may soon follow.  Contact us for information regarding a similar CPE event for your local chapter or district conference.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Joe Oringel&lt;/div&gt;&lt;div&gt;Visual Risk IQ&lt;/div&gt;&lt;div&gt;Charlotte NC, USA&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-5997555726548575441?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/5997555726548575441/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=5997555726548575441' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/5997555726548575441'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/5997555726548575441'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/08/setting-iia-isaca-speaking-dates-this.html' title='Setting IIA / ISACA speaking dates this fall'/><author><name>Joe 
Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-1746509220819293901</id><published>2009-08-09T07:47:00.001-07:00</published><updated>2009-08-13T10:34:50.332-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ACL'/><category scheme='http://www.blogger.com/atom/ns#' term='Travel and Entertainment'/><category scheme='http://www.blogger.com/atom/ns#' term='IDEA'/><category scheme='http://www.blogger.com/atom/ns#' term='CCM-T'/><title type='text'>Anything worth doing is worth doing well - and Often!</title><content type='html'>I had a discussion today with a panelist who will be speaking about Continuous Auditing / Continuous Controls Monitoring at an IIA Chapter meeting later this month.  The panelist's shared services group uses a leading CCM system for one very specific business area - Travel &amp;amp; Entertainment.   They have had a very favorable ROI with their use of CCM, and users in Finance, Internal Audit, and elsewhere all appreciate the workflow capabilities of their CCM system.  Users and especially management recognize that the workflow capabilities and the &lt;span style="font-weight: bold;"&gt;frequent&lt;/span&gt; extraction capabilities are a quantum leap forward from ERP query tools and data analysis tools like &lt;a href="http://acl.com"&gt;ACL&lt;/a&gt; and &lt;a href="http://audimation.com"&gt;IDEA&lt;/a&gt;.  
Instead of spending time to extract data and run scripts, the CCM solution automates those steps and allows more time for research and resolving issues.&lt;br /&gt;&lt;br /&gt;He asked me what other business processes make good applications for CCM, and I shared that it's a variety of application areas - everything from review of Manual Journal Entries to Accounts Payable Disbursements to Grants and Contracts in Higher Education, across multiple industries and also across multiple systems.&lt;br /&gt;&lt;br /&gt;So whether it's updating an audit plan quarterly instead of annually, or analyzing manual journal entries for fraud or error monthly instead of quarterly: if it's worth doing, ask how you might do it more frequently.  With modern CCM tools, you'll find that many important financial control activities can be done well, and &lt;span style="font-weight: bold;"&gt;Often!&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-1746509220819293901?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/1746509220819293901/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=1746509220819293901' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/1746509220819293901'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/1746509220819293901'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/08/anything-worth-doing-is-worth-doing.html' title='Anything worth doing is worth doing well - and Often!'/><author><name>Joe 
Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-3646239611504335728</id><published>2009-08-04T12:18:00.000-07:00</published><updated>2009-08-10T08:39:31.577-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='CCM-T'/><category scheme='http://www.blogger.com/atom/ns#' term='Expense reduction'/><category scheme='http://www.blogger.com/atom/ns#' term='Chronicle of Higher Education'/><title type='text'>When the Going Gets Tough, the Tough Go Shopping (around)</title><content type='html'>&lt;span style=";font-family:Arial;font-size:100%;"  &gt;You've got to like a headline like this, regardless of the substance of the &lt;a href="http://bit.ly/3l5r5f"&gt;article&lt;/a&gt;.  But the good news is that the substance of this article (from the Chronicle of Higher Education) is almost as good as the headline.  For both universities and for commercial enterprises.   Purchasing projects, especially for indirect categories, represent an excellent opportunity to improve the bottom line.  &lt;/span&gt;&lt;span style=";font-family:Arial;font-size:100%;"  &gt;These &lt;/span&gt;&lt;span style=";font-family:Arial;font-size:100%;"  &gt;services can be bought from traditional consulting firms like Bain, McKinsey, or Accenture, and also from niche firms who specialize in only these Purchasing services.  &lt;/span&gt;&lt;span style=";font-family:arial;font-size:100%;"  &gt;&lt;br /&gt;&lt;/span&gt;&lt;span style=";font-family:Arial;font-size:100%;"  &gt;&lt;br /&gt;Also interesting, though not in the Chronicle's article, is the potential synergy between improving Purchasing and  CCM-T.  
&lt;/span&gt;&lt;span style=";font-family:Arial;font-size:100%;"  &gt;In the last few years, we've had deep-dive meetings with a number of firms who specialize in SG&amp;amp;A cost reduction and vendor negotiation.  It has become clear that among their most distinctive strengths are data analysis and vendor negotiation.  Their projects are net cash flow positive, funded by realized, hard-dollar savings, paid on a contingent fee. &lt;/span&gt;&lt;span style=";font-family:arial;font-size:100%;"  &gt;&lt;br /&gt;&lt;/span&gt;&lt;span style=";font-family:Arial;font-size:85%;"  &gt;&lt;span style=";font-family:lucida grande;font-size:100%;"  &gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;Once new contracts are re-negotiated, the firms review actual spending and compute realized savings, to compute their fees.  Which represents the opportunity for CCM-T.  Just as Visual Risk IQ has implemented CCM-T to review invoices and invoice lines for suspicious, fraudulent, or duplicate payments, we also can configure CCM-T to review invoice lines for rogue or unauthorized spending from non-preferred vendors.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;So if you're a CCM-T user looking for improved business value from your implementation, or a finance, audit, or procurement executive looking to improve your bottom line through an evaluation of your Purchasing group, let us know.  
We know some great places to shop!&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;Joe Oringel&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;Visual Risk IQ&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: arial;"&gt;Charlotte NC, USA&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-3646239611504335728?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/3646239611504335728/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=3646239611504335728' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/3646239611504335728'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/3646239611504335728'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/08/when-going-gets-tough-tough-go-shopping.html' title='When the Going Gets Tough, the Tough Go Shopping (around)'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-1506791245830401411</id><published>2009-07-22T15:37:00.000-07:00</published><updated>2009-07-22T16:01:25.217-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Sunshine Act'/><category 
scheme='http://www.blogger.com/atom/ns#' term='OFAC'/><category scheme='http://www.blogger.com/atom/ns#' term='CCM-T'/><category scheme='http://www.blogger.com/atom/ns#' term='EPLS'/><category scheme='http://www.blogger.com/atom/ns#' term='Chronicle of Higher Education'/><title type='text'>Conflict of Interest - the Power of External Databases</title><content type='html'>As my last post on DoD indicated, there are some real gems waiting to be mined when comparing internal data to external data for fraud and abuse.  Today's &lt;a href="http://chronicle.com/article/UCLA-Investigates-Corporate/47423/"&gt;Chronicle of Higher Education&lt;/a&gt; reports a two-month-old &lt;a href="http://online.wsj.com/article/SB124348007018961469.html"&gt;WSJ&lt;/a&gt; and &lt;a href="http://www.upi.com/Science_News/2009/05/28/Surgeon-accused-of-not-reporting-payments/UPI-90041243530634/"&gt;UPI&lt;/a&gt; Story about a UCLA Surgeon who received more than $450,000 in payments from Medical Device companies, but repeatedly failed to disclose that outside income on conflict of interest forms required by the University.&lt;br /&gt;&lt;br /&gt;Representative Charles Grassley is regularly in the &lt;a href="http://blogs.wsj.com/health/2009/05/28/grassley-points-to-another-academic-doctors-pay-from-industry/"&gt;news&lt;/a&gt; for advocating a national law (i.e. Physician Payments Sunshine Act) that would require disclosure of speaking fees.  Currently, state laws and specific academic institutions each set their own policies and monitoring requirements.&lt;br /&gt;&lt;p&gt;The Chronicle opined that "Universities also need to pay more attention to whether they review research activities by their own staff that may damage their institutional reputations even though the work involves outside facilities, Ms. Chimonas said. The case of Dr. Wang may prove a strong incentive for UCLA to do so. 
Even within the same statewide system, she said, there are campuses such as the University of California at Davis that have taken a much more aggressive definition of how they monitor outside research by university faculty members.&lt;/p&gt; &lt;p&gt;Institutions such as UCLA could be realizing the danger of ignoring outside research work, Ms. Chimonas said. "This may be a wake-up call for a lot of institutions who have been thinking, 'Well, this has nothing to do with us,'" she said."&lt;/p&gt;Taking information from external databases like &lt;a href="http://www.blogger.com/www.epls.gov"&gt;Excluded Parties List System&lt;/a&gt;  (the list of Federally debarred vendors), or the &lt;a href="http://www.treas.gov/offices/enforcement/ofac/sdn/index.shtml"&gt;OFAC Watch List&lt;/a&gt; is a high-value audit test, especially as frequency is increased from annual to quarterly or more frequently.  UCLA's situation with Dr. Wang, especially because of reputation risk, calls for better monitoring of external databases.&lt;br /&gt;&lt;br /&gt;What external databases are your organizations monitoring?  How often?  What are the more interesting findings?  
Please comment - all input is welcomed!&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-1506791245830401411?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/1506791245830401411/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=1506791245830401411' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/1506791245830401411'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/1506791245830401411'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/07/conflict-of-interest-power-of-external.html' title='Conflict of Interest - the Power of External Databases'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-6699662246150873738</id><published>2009-07-20T05:45:00.000-07:00</published><updated>2009-07-20T06:31:58.173-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SSDI'/><category scheme='http://www.blogger.com/atom/ns#' term='Payroll'/><category scheme='http://www.blogger.com/atom/ns#' term='Department of Defense'/><category scheme='http://www.blogger.com/atom/ns#' term='CCM-T'/><category 
scheme='http://www.blogger.com/atom/ns#' term='CNN'/><title type='text'>The Value of Frequency - how the Defense Department paid millions in wages to invalid accounts</title><content type='html'>Last week, the Office of Inspector General for the Department of Defense (DOD) issued &lt;a href="http://www.dodig.mil/audit/reports/09report.htm"&gt;Report 2009-092&lt;/a&gt; titled "Validity of DOD Civilian Employee Accounts."  As widely reported on &lt;a href="http://tiny.cc/9lFpY"&gt;CNN&lt;/a&gt; and elsewhere: "Specifically, the DOD's Payroll System included invalid Social Security numbers, employees under the legal employment age, and multiple employee accounts that shared the same bank account.  As a result, DFAS [the Finance arm of DOD] may have paid approximately $15.4 million to more than 2,300 invalid DoD civilian employee accounts from January 2002 through April 2008 (excluding 2007)."&lt;br /&gt;&lt;br /&gt;These payments represent fraud and misuse of tax dollars, but because the audit approach was a point-in-time audit, looking backward over a very long time period (six years!), it is highly likely that the money will never be recovered.&lt;br /&gt;&lt;br /&gt;Had the DOD used leading-edge technology like Continuous Controls Monitoring for Transactions (CCM-T), which can compare all SSNs from master files and payment files to suspicious SSN lists like those in the Social Security Death Index database, they could have known of the errors PRIOR to payment.   The more frequently the data is compared, the more valuable the analysis becomes. &lt;br /&gt;&lt;br /&gt;And the cost of implementation is a tiny fraction of the $15 million spent on erroneous payments.  Factor in the time value of money (errors go back to 2002!) 
and the reputation risk associated with such errors, and CCM-T looks better and better.&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-6699662246150873738?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/6699662246150873738/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=6699662246150873738' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/6699662246150873738'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/6699662246150873738'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/07/value-of-frequency-how-defense.html' title='The Value of Frequency - how the Defense Department paid millions in wages to invalid accounts'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-1419074638004297618</id><published>2009-07-14T05:13:00.001-07:00</published><updated>2009-07-14T06:31:59.260-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Vendor Negotiations'/><category scheme='http://www.blogger.com/atom/ns#' term='CCM-T'/><category scheme='http://www.blogger.com/atom/ns#' term='Higher Ed'/><category 
scheme='http://www.blogger.com/atom/ns#' term='3rd Law'/><title type='text'>University Business - 101 Ways to Raise Revenue or Decrease Costs</title><content type='html'>In addition to being a regular reader of the &lt;a href="http://chronicle.com/"&gt;Chronicle of Higher Education&lt;/a&gt; I've also become a reader and subscriber of &lt;a href="http://universitybusiness.com/"&gt;University Business&lt;/a&gt; (UB).   Unlike the Chronicle, UB is free to qualified subscribers, and they have an outstanding digital archive of previously published articles.&lt;br /&gt;&lt;br /&gt;One that grabbed my attention this week is an archived (pre-recession!) article titled &lt;a href="http://universitybusiness.com/viewarticle.aspx?articleid=623"&gt;101 Smart Revenue Generators and Money Saving Ideas&lt;/a&gt;.  After all, who wouldn't like a little more on the top line, and on the bottom line.  Regardless of whether you're for-profit or non-profit.&lt;br /&gt;&lt;br /&gt;What strikes me as noteworthy about the article is that most (and the first few!) Revenue Generating ideas are actually all related to expense control and expense reduction.  Some are traditional vendor negotiation strategies, like Visual Risk IQ does together with its partner &lt;a href="http://3rdlaw.com/"&gt;Third Law Sourcing&lt;/a&gt;, while others are P-Card.  Many can benefit from CCM-T, and many are worth a fresh read / re-read, given the current state of the economy. &lt;br /&gt;&lt;br /&gt;Feel free to add Comments on your strategies for trimming costs or raising revenue in today's challenging times.  
Success stories are always welcome!&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ, LLC&lt;br /&gt;Charlotte NC, USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-1419074638004297618?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/1419074638004297618/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=1419074638004297618' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/1419074638004297618'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/1419074638004297618'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/07/university-business-101-ways-to-raise.html' title='University Business - 101 Ways to Raise Revenue or Decrease Costs'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-4813181229905148594</id><published>2009-07-08T05:43:00.000-07:00</published><updated>2009-07-08T06:25:55.232-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Oversight Systems'/><category scheme='http://www.blogger.com/atom/ns#' term='Fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='CCM-T'/><category scheme='http://www.blogger.com/atom/ns#' term='Approva'/><title type='text'>Observations from 
Recent, Local Frauds in Charlotte NC</title><content type='html'>Several folks commented on recent tweets of local fraud and embezzlement, first at &lt;a href="http://www.charlotteobserver.com/597/story/810556.html"&gt;UNC-Charlotte&lt;/a&gt; and again at Charlotte's &lt;a href="http://www.charlotteobserver.com/local/story/822326.html"&gt;Mecklenburg County&lt;/a&gt;, specifically within the Department of Social Services.  The Fraud Triangle teaches us that as long as there is Pressure / Incentive (I really need the money), Rationalization (e.g. other people do it, I'll pay it back...etc.) and Opportunity (I won't get caught because...) fraud can and will occur and recur. &lt;br /&gt;&lt;br /&gt;My own experience is these three elements of the fraud triangle are closely related, and that Opportunity needs to be re-evaluated, especially as Incentive increases.  Today's economic times are proving this need most everywhere we look, yet we still see only a few companies who are actively changing and increasing how they monitor for potential fraud, despite the availability of very effective, modern tools for fraud detection.  Like &lt;a href="http://www.continuouscontrolsmonitoring.com"&gt;CCM-T&lt;/a&gt; tools from &lt;a href="http://oversightsystems.com"&gt;Oversight&lt;/a&gt; and &lt;a href="http://approva.net"&gt;Approva&lt;/a&gt;. &lt;br /&gt;&lt;br /&gt;A specific example:  During my Big 4 Accounting Firm days, I led a team that audited the procedures used to produce scratch-off lottery tickets.  When we started, the largest prize awarded was $5,000 or $10,000.  While internal controls were always very good (i.e. Opportunity = Low), there were still a number of people at the Ticket Printer and at the Big 4 Firm who had access to information that might help locate a batch of 250 tickets that would likely contain a $5,000 or $10,000 winner. 
&lt;br /&gt;&lt;br /&gt;The likelihood that a person would risk their career to steal $5,000 or $10,000 (two to six months net pay) was pretty low.  But then the Ticket Printer and State Lotteries began printing tickets with $100,000 and eventually $1,000,000 prizes.  That represented at least a year or even 20 years or more in net pay.  What a powerful Incentive! &lt;br /&gt;&lt;br /&gt;This change in Incentive was a trigger that we saw to re-evaluate internal controls, because now the temptation needed a corresponding decrease in opportunity.  In addition to our agreed-upon procedures to evaluate controls over ticket production, we began a continual security review which included review of other controls that would identify who may be accessing information that might allow a large ticket winner to be located.  We publicized the continual security review within the company (and the Big 4 team!), so that the decreased Opportunity was understood by anyone who may have been tempted.  &lt;br /&gt;&lt;br /&gt;As staffs are cut and monitoring controls become less frequent, what is your organization doing to reduce the Opportunity for Fraud?  For a couple of high-profile cases in Charlotte, it's clear that more needs to be done. 
&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-4813181229905148594?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/4813181229905148594/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=4813181229905148594' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/4813181229905148594'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/4813181229905148594'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/07/observations-from-recent-local-frauds.html' title='Observations from Recent, Local Frauds in Charlotte NC'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-2471177652427722654</id><published>2009-06-12T08:08:00.000-07:00</published><updated>2009-08-06T13:35:04.271-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='Stimulus Money'/><category scheme='http://www.blogger.com/atom/ns#' term='CCM-T'/><title type='text'>Stimulus Fraud Could hit $50 Billion.  
How could CCM-T help?</title><content type='html'>&lt;span style="font-family: lucida grande;font-family:arial;font-size:85%;"  &gt;&lt;a href="http://tiny.cc/XQQXq"&gt;&lt;span class="Apple-style-span"&gt;MarketWatch article&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: lucida grande;font-family:verdana;font-size:85%;"  &gt; quotes FBI Director Robert Mueller about the potential fraud risks related to Stimulus money.  &lt;/span&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 51, 51); line-height: 18px; font-family: lucida grande;font-family:arial;font-size:85%;"  &gt;&lt;span class="Apple-style-span"&gt;&lt;span class="Apple-style-span"&gt;"These funds are inherently vulnerable to bribery, fraud, conflicts of interest and collusion. There is an old adage, that where there is money to be made, fraud is not far behind, like bees to honey," Mueller told an afternoon gathering of business executives.&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;div style="font-family: lucida grande;font-family:arial;" &gt;&lt;span class="Apple-style-span" style="color: rgb(51, 51, 51);font-size:85%;" &gt;&lt;span class="Apple-style-span" style="line-height: 18px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: lucida grande;font-family:arial;" &gt;&lt;span class="Apple-style-span" style="color: rgb(51, 51, 51);font-size:85%;" &gt;&lt;span class="Apple-style-span" style="line-height: 18px;"&gt;In reviews of duplicate payments / overpayments, using CCM-T technology from Oversight, Apex Analytix, and/or ACL, we typically find an error rate of 0.1 to 0.5%, or approximately $1,000 to $5,000 for every million in spending.  
&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: lucida grande;font-family:arial;" &gt;&lt;span class="Apple-style-span" style="color: rgb(51, 51, 51);font-size:85%;" &gt;&lt;span class="Apple-style-span" style="line-height: 18px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: lucida grande;font-family:arial;" &gt;&lt;span class="Apple-style-span" style="color: rgb(51, 51, 51);font-size:85%;" &gt;&lt;span class="Apple-style-span" style="line-height: 18px;"&gt;Fraud statistics from FBI and ACFE suggest higher losses.  Often much higher.  Our experience is that the fraud losses are harder to detect, especially without more sophisticated automation provided by CCM-T.  But the risk is clearly there.  And reputation risk may be greater than the financial loss.  &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: lucida grande;font-family:arial;" &gt;&lt;span class="Apple-style-span" style="color: rgb(51, 51, 51);font-size:85%;" &gt;&lt;span class="Apple-style-span" style="line-height: 18px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: lucida grande;font-family:arial;" &gt;&lt;span class="Apple-style-span" style="color: rgb(51, 51, 51);font-size:85%;" &gt;&lt;span class="Apple-style-span" style="line-height: 18px;"&gt;Ask your internal audit or general counsel what your firm is doing to proactively find fraud, waste, and errors in your Accounts Payable and P-Card spend.  If you don't like the answers - call us.  
We can help.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 51, 51);font-family:verdana,-webkit-fantasy;" &gt;&lt;span class="Apple-style-span" style="line-height: 18px;font-size:medium;" &gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="color: rgb(51, 51, 51);font-family:verdana,-webkit-fantasy;" &gt;&lt;span class="Apple-style-span" style="line-height: 18px;font-size:medium;" &gt; &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-2471177652427722654?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/2471177652427722654/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=2471177652427722654' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/2471177652427722654'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/2471177652427722654'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/06/stimulus-fraud-could-hit-50-billion-how.html' title='Stimulus Fraud Could hit $50 Billion.  
How could CCM-T help?'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-5976770926872315243</id><published>2009-06-11T07:10:00.000-07:00</published><updated>2009-06-11T07:18:44.984-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='CCM-T'/><category scheme='http://www.blogger.com/atom/ns#' term='FACTA'/><category scheme='http://www.blogger.com/atom/ns#' term='Red Flag'/><category scheme='http://www.blogger.com/atom/ns#' term='Identity Theft'/><title type='text'>The Red Flags Rule: What Utility Companies Need to Know About Complying with New Requirements for Fighting Identity Theft (source:  www.FTC.gov)</title><content type='html'>&lt;p&gt;Visual Risk IQ is currently working on a continuous controls monitoring for transactions (CCM-T)  project for a Utility Company, specifically focused on FACTA and the Red Flags requirement.  Through a series of customized risk and performance checks, we will be assisting the Utility to monitor its new and existing customers for Red Flags related to fraud and identity theft.  While the CCM-T component is only one part of a comprehensive set of policies, procedures, and new work processes, it is an integral component that will enable the Utility to achieve compliance and reduce potential fraud often associated with theft of service and bad debt. &lt;br /&gt;&lt;/p&gt;&lt;p&gt;For more information on FACTA requirements, specific to Utilities, see the article below, from the FTC's web site on the Red Flag Rules and FACTA.       
&lt;/p&gt;&lt;p&gt;&lt;em&gt;The article below was originally published by Tiffany George and Pavneet Singh, from FTC.gov&lt;br /&gt;&lt;/em&gt;&lt;/p&gt;      &lt;p&gt;As many as nine million Americans have their identities stolen each year. The crime takes many forms. Thieves may buy a car, get a credit card, or establish gas, water, or electric service using someone else’s identity. The cost to business can be staggering as well, with charges racked up by identity thieves unpaid and uncollectible. In addition, crooks may use proof of utility service to get driver’s licenses illegally or to apply for government benefits using a bogus address.&lt;br /&gt;   &lt;br /&gt;Utility companies may be the first to spot the “red flags” of identity theft, including suspicious activity suggesting that thieves may be using stolen information to establish service. That’s why you need to know about a new law – called the Red Flags Rule – that requires many businesses, including most companies that provide utility services to consumers, to spot the red flags that can be the telltale signs of identity theft. Under the Red Flags Rule, which the Federal Trade Commission (FTC) will begin enforcing on August 1, 2009, companies covered by the law must develop a written Identity Theft Prevention Program. Is your utility required to comply with the Red Flags Rule? If so, have you developed your program to detect, prevent, and minimize the damage that could result from identity theft?&lt;br /&gt;  &lt;/p&gt;   &lt;h3&gt;WHO MUST COMPLY&lt;/h3&gt;   &lt;p&gt; Companies that provide utility services are covered by the Rule if they are “creditors” with “covered accounts.” A creditor is a business or organization that regularly defers payments for goods or services. 
The Rule defines a “covered account” as a consumer account that allows multiple payments or transactions – for example, a standard household utility account – or any other account with a reasonably foreseeable risk of identity theft. Even government agencies and publicly-owned utilities may be “creditors” covered by the Rule.&lt;/p&gt;   &lt;p&gt; Because the Rule is geared to the types of accounts that are targeted by identity thieves, the determination of whether the law applies to your business or organization isn’t based on your status. Rather, it’s based on whether your organization’s activities fall within the relevant definitions. It boils down to this: If your utility regularly bills customers after services are provided, you are a creditor under the new law and will have to develop a written program to identify and address the red flags that could indicate identity theft in your covered accounts.&lt;/p&gt;   &lt;h3&gt;SPOTTING RED FLAGS&lt;/h3&gt;   &lt;p&gt; The Red Flags Rule gives utilities the flexibility to implement an identity theft prevention program that best suits the operations of their business, as long as it conforms to the Rule’s requirements. You may already have a fraud prevention or security program in place that you can use as a starting point.&lt;/p&gt;   &lt;p&gt; If you’re covered by the Rule, your program must:&lt;/p&gt;   &lt;ol&gt;&lt;li&gt; Identify the kinds of red flags that are relevant to your business; &lt;/li&gt;&lt;li&gt; Explain your process for detecting them;&lt;/li&gt;&lt;li&gt; Describe how you’ll respond to red flags to prevent and mitigate identity    theft; and&lt;/li&gt;&lt;li&gt; Spell out how you’ll keep your program current. &lt;/li&gt;&lt;/ol&gt;   &lt;p&gt; What red flags signal identity theft? There’s no standard checklist. 
Supplement A to the Red Flags Rule – available at &lt;a href="http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml"&gt;ftc.gov/redflagsrule&lt;/a&gt; – sets out some examples, but here are a few warning signs that may be relevant to utilities: &lt;/p&gt;   &lt;ul&gt;&lt;li&gt; Suspicious documents. Has a new customer given you identification documents that look altered or forged? Is the physical description on the identification inconsistent with what the customer looks like? Is other information on the identification inconsistent with what the customer has told you? Under the Red Flags Rule, you may need to ask for additional information.&lt;/li&gt;&lt;li&gt; Suspicious personally identifying information. Personal information that doesn’t match what you’ve learned from other sources also may be a red flag of identity theft. For example, if you pull a credit report based on the prospective customer’s Social Security number and the report comes back under someone else’s name, fraud could be afoot. A billing address that appears to be fictitious also could signal a problem.&lt;/li&gt;&lt;li&gt; Suspicious activities. Did a new customer fail to make the first payment or make an initial payment but no others? Did payments abruptly stop on an otherwise up-to-date account? Did a customer’s use pattern suddenly change? For example, are you detecting unusual activity on what’s always been a “snowbird” account? Is mail returned repeatedly as undeliverable even though transactions still are being conducted on the account? Are utilities still being used after a known move-out? Trust your gut when something seems questionable. These questionable activities may be red flags of identity theft.&lt;/li&gt;&lt;li&gt; Notices from victims of identity theft, law enforcement authorities, or others suggesting possible identity theft. Have you received word about identity theft from another source? Cooperation is key. 
Heed warnings from others that identity theft may be ongoing.&lt;/li&gt;&lt;/ul&gt;   &lt;h3&gt;SETTING UP YOUR IDENTITY THEFT PREVENTION PROGRAM&lt;/h3&gt;   &lt;p&gt; Once you’ve identified the red flags that are relevant to your utility, your program should include the procedures you’ve put in place to detect them in your day-to-day operations. Your program also should describe how you plan to prevent and mitigate identity theft. How will you respond when you spot the red flags of identity theft? Will you close questionable accounts or monitor them more closely? Will you contact the customer directly? When automated systems detect red flags, will you manually review the file? If you’re notified that an identity thief has run up bills using another person’s information, how will you ensure that the debt is not charged to the victim? Your response will vary depending on the circumstances and the need to accommodate other legal obligations – for example, laws regarding the provision and termination of utility service. Finally, your program must consider how you’ll keep it current to address new risks and trends.&lt;/p&gt;   &lt;p&gt; No matter how good your program looks on paper, the true test is how it works. According to the Red Flags Rule, your program must be approved by your Board of Directors, or if you don’t have a Board, by a senior employee. The Board may oversee the administration of the program, including approving any important changes, or designate a senior employee to take on these duties. Your program should include information about training your staff and provide a way for you to monitor the work of your service providers – for example, those who manage your debt collection operations. 
The key is to make sure that all members of your staff are familiar with the Rule and your new compliance procedures.&lt;br /&gt;  &lt;/p&gt;   &lt;h3&gt;WHAT’S AT STAKE&lt;/h3&gt;   &lt;p&gt; Although there are no criminal penalties for failing to comply with the Rule, violators may be subject to financial penalties. But even more important, compliance with the Red Flags Rule assures your customers that you’re doing your part to fight identity theft.&lt;/p&gt;   &lt;p&gt;Looking for more information about the Red Flags Rule? The FTC has published Fighting Fraud with the &lt;a href="http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf"&gt;Red Flags Rule: A How-To Guide for Business&lt;/a&gt;, a plain-language handbook on developing an Identity Theft Prevention Program. For a free copy of the Guide and for more information about compliance, visit &lt;a href="http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml"&gt;ftc.gov/redflagsrule&lt;/a&gt;. In addition, the FTC has released a fill-in-the-blank form for businesses and organizations at low risk for identity theft. The online form offers step-by-step instructions for creating your own written Identity Theft Prevention Program. You can fill it out online and print it. The do-it-yourself form is available at &lt;a href="http://www.ftc.gov/bcp/edu/microsites/redflagsrule/index.shtml"&gt;ftc.gov/redflagsrule&lt;/a&gt;.&lt;/p&gt;   &lt;p&gt; Questions about the Rule? 
Email &lt;a href="mailto:RedFlags@ftc.gov"&gt;RedFlags@ftc.gov&lt;/a&gt;.&lt;/p&gt;   &lt;p&gt;&lt;em&gt;Tiffany George and Pavneet Singh are attorneys with the Federal Trade Commission’s Division of Privacy and Identity Protection.&lt;/em&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-5976770926872315243?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/5976770926872315243/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=5976770926872315243' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/5976770926872315243'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/5976770926872315243'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/06/red-flags-rule-what-utility-companies.html' title='The Red Flags Rule: What Utility Companies Need to Know About Complying with New Requirements for Fighting Identity Theft (source:  www.FTC.gov)'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-1446740321945291511</id><published>2009-06-02T10:01:00.000-07:00</published><updated>2009-06-02T10:33:52.522-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ACL'/><category 
scheme='http://www.blogger.com/atom/ns#' term='CFO Magazine'/><title type='text'>CFO Magazine profiles Continuous Auditing / Continuous Controls Monitoring</title><content type='html'>CFO Magazine's &lt;a href="http://tinyurl.com/r7d2m5"&gt;June issue&lt;/a&gt; has a feature story on the 24 x 7 continuous auditing approach that has been implemented at several organizations, including Harrah's, Siemens Financial Services, and British Columbia's Ministry of Finance.  Interestingly, the article is filed in CFO's "Technology" section and emphasizes the IT component of the respective initiatives.&lt;br /&gt;&lt;br /&gt;Those of you who have met my partner Kim Jones or me know that we believe that technology is only part of any continuous auditing or continuous controls monitoring for transactions (CCM-T) initiative.  I found that point reinforced by the first comment on the CFO.com article, about Monitoring still being a detective, and not a preventive control.  At Visual Risk IQ, we believe that process is key.  When a process (i.e. review of P-Card or Accounts Payable transactions) is designed with sufficient time lag for resolution of CCM-T exceptions PRIOR TO PAYMENT, the monitoring activity actually becomes a Preventative control. &lt;br /&gt;&lt;br /&gt;Interesting too that all companies profiled are ACL CCM customers, and that customers of Apex Analytix, Approva, Oversight Systems, and industry vertical CCM solutions like Actimize (banking) or XBR (retail) were not included in the article.  I would have been even more interested to see any trends or patterns from customers of several different vendors. &lt;br /&gt;&lt;br /&gt;Despite improvement opportunities if we were contacted for quotes (smile), it's a pleasure to see the topics of continuous auditing and continuous controls monitoring receiving such great publicity.  
As I write this, the article is both the most viewed and most emailed article of the day on CFO.com.  Check back and see what kind of staying power the subject can achieve.&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-1446740321945291511?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/1446740321945291511/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=1446740321945291511' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/1446740321945291511'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/1446740321945291511'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/06/cfo-magazine-profiles-continuous.html' title='CFO Magazine profiles Continuous Auditing / Continuous Controls Monitoring'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-8665111889847219133</id><published>2009-05-18T09:06:00.001-07:00</published><updated>2009-05-18T11:14:10.034-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Vonya Global'/><category scheme='http://www.blogger.com/atom/ns#' term='CCM-T'/><category 
scheme='http://www.blogger.com/atom/ns#' term='HealthCare'/><title type='text'>Visual Risk IQ to present at Blue Cross / Blue Shield Internal Audit and Fraud Conference</title><content type='html'>Just wrapped up the speaker notes for tomorrow's presentation at the National Internal Audit and Fraud conference for Blue Cross / Blue Shield.  I'll be co-presenting with Chicago-based Vonya Global.  Partner Veronika Fritz will be joining me for tomorrow's presentation. &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;As we tweeted last month, there are few industries with data challenges quite like HealthCare and this conference has many of the audit and risk officers from big, influential players.  Think about the number of Explanation of Benefits (EOBs) that you've ever received.  How many of them actually explained things so you understood them?  Were the charge amounts right?  The first time?  &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;CCM-T is all about increasing the depth and frequency of data analysis, so anomalies and errors are identified earlier in the process.  There is a large and growing subindustry within HealthCare that pays for itself simply on correcting billing errors AFTER the fact.  What would it be worth to get every invoice right, the first time, before it's sent?  CCM-T can help.    &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Our slides and Q&amp;amp;A from the session should be posted later this week.   Or better yet, meet us in St. 
Louis!&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Joe Oringel&lt;/div&gt;&lt;div&gt;Visual Risk IQ&lt;/div&gt;&lt;div&gt;Charlotte NC, USA&lt;span class="Apple-tab-span" style="white-space:pre"&gt; &lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-8665111889847219133?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/8665111889847219133/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=8665111889847219133' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/8665111889847219133'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/8665111889847219133'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/05/visual-risk-iq-to-present-at-blue-cross.html' title='Visual Risk IQ to present at Blue Cross / Blue Shield Internal Audit and Fraud Conference'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-7166855437835739995</id><published>2009-05-12T08:15:00.000-07:00</published><updated>2009-05-12T08:15:57.428-07:00</updated><title type='text'>APEX Analytix, Inc. 
Acquired by PNC Equity Partners, II, L.P.</title><content type='html'>&lt;a href="http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=109&amp;amp;STORY=/www/story/05-07-2009/0005021555&amp;amp;EDATE="&gt;APEX Analytix, Inc. Acquired by PNC Equity Partners, II, L.P.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Some M&amp;amp;A activity in the Continuous Controls Monitoring (CCM) space this week.  For those of you unfamiliar with Apex Analytix, they are an AP-focused player in CCM, with a long heritage in recovery audit services. &lt;br /&gt;&lt;br /&gt;In our opinion, their point of distinction in the CCM space has been their move from being a services-only firm to a technology-enabled services firm.  They now sell the software (called FirstStrike) that they previously developed as "internal use" for their recovery audit projects.  Visual Risk IQ is an affiliate partner with Apex, and uses output from First Strike as one of many inputs for a Continuous Risk Assessment program that we've implemented for one of our clients.&lt;br /&gt;&lt;br /&gt;Stay tuned for updates on what the acquisition may mean for Apex.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-7166855437835739995?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=109&amp;STORY=/www/story/05-07-2009/0005021555&amp;EDATE=' title='APEX Analytix, Inc. 
Acquired by PNC Equity Partners, II, L.P.'/><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/7166855437835739995/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=7166855437835739995' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/7166855437835739995'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/7166855437835739995'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/05/apex-analytix-inc-acquired-by-pnc.html' title='APEX Analytix, Inc. Acquired by PNC Equity Partners, II, L.P.'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-5201140007942609438</id><published>2009-05-12T05:32:00.001-07:00</published><updated>2009-05-12T05:44:01.148-07:00</updated><title type='text'>FTC Relaxes Enforcement Date on FACTA Red Flag rules.  
More time to implement CCM-T for Compliance</title><content type='html'>&lt;h1 style="font-family: georgia;"&gt;&lt;span style="font-size:100%;"&gt;FTC Grants Three-Month Delay of Enforcement of ‘Red Flags’ Rule Requiring Creditors and Financial Institutions to Adopt Identity Theft Prevention Programs (source:  FTC.gov - April 30, 2009)&lt;br /&gt;&lt;/span&gt;&lt;/h1&gt;The Federal Trade Commission will delay enforcement of the new “Red Flags Rule” until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law. This announcement does not affect other federal agencies’ enforcement of the original November 1, 2008 compliance deadline for institutions subject to their oversight.&lt;br /&gt;&lt;br /&gt;As many of you know, Visual Risk IQ was a sponsor at MISTI's SuperStrategies Conference in mid-April, and the conference provided us the opportunity to network with Internal Audit and GRC professionals from all over the US, including a mix of consulting firms and medium and large businesses.  The importance of FACTA compliance at the Conference was clearly mixed, with some firms such as those in Utilities, Financial Services, and Healthcare having large projects or program offices established to address compliance, and other firms in the same industry being wholly unfamiliar with the regulation. &lt;br /&gt;&lt;br /&gt;For more information on FACTA and the red flag compliance rules, please see the following resources:&lt;br /&gt;&lt;a href="http://www.ftc.gov/redflagsrule"&gt;&lt;br /&gt;FTC's web site on Red Flag Rules&lt;/a&gt;&lt;br /&gt;&lt;a href="http://www.ftc.gov/bcp/edu/pubs/articles/art10.shtm"&gt;FTC's Article Summary &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;What is happening at your organization?  
How is this relaxed enforcement date affecting your organization?  Why?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-5201140007942609438?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/5201140007942609438/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=5201140007942609438' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/5201140007942609438'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/5201140007942609438'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/05/ftc-relaxes-enforcement-date-on-facta.html' title='FTC Relaxes Enforcement Date on FACTA Red Flag rules.  More time to implement CCM-T for Compliance'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-3656135495806841596</id><published>2009-04-24T21:46:00.000-07:00</published><updated>2009-04-30T04:35:00.701-07:00</updated><title type='text'>Learning ERM from a 100-year old Start-Up - LINK TO SLIDES ADDED</title><content type='html'>As mentioned earlier today, David Fox of KBR was the guest speaker at NC State's ERM Roundtable in Raleigh.  His slides will be shared and linked next week, and are definitely worth a view.  All good stuff. 
&lt;br /&gt;&lt;br /&gt;A speaker abstract and slides are now available at NC State's &lt;a href="http://mgt.ncsu.edu/erm/roundtable_presentation_04242009.php"&gt;website&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;KBR is the Houston-based, $11+ Billion engineering and construction firm that was spun out from Halliburton in 2007.  At the time of the transaction, KBR was living in the shadows of FCPA wrong-doings, more than one hundred million dollar missteps in terms of long-term projects and equity investments, and a host of cultural challenges related to being a start-up.&lt;br /&gt;&lt;br /&gt;Unlike many previous ERM speakers, David did not advocate a complex or elaborate risk system.  He sees his role as a facilitator, to help KBR management talk about key risks and mitigants that could decrease the likelihood of business objectives being achieved.&lt;br /&gt;&lt;br /&gt;The best soundbytes relate to David's own "risk management" of raising three teen-aged boys.  Values, not dashboards, are his key to helping ensure the outcomes that he wants for his teenagers.  Simplicity is key.  
Stay tuned for more interesting information on his CPE session.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-3656135495806841596?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/3656135495806841596/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=3656135495806841596' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/3656135495806841596'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/3656135495806841596'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/04/erm-at-100-year-old-start-up.html' title='Learning ERM from a 100-year old Start-Up - LINK TO SLIDES ADDED'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-1934594844203002862</id><published>2009-04-24T07:42:00.001-07:00</published><updated>2009-04-24T09:47:55.647-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='NC State'/><category scheme='http://www.blogger.com/atom/ns#' term='AICPA'/><category scheme='http://www.blogger.com/atom/ns#' term='Oversight Systems'/><category scheme='http://www.blogger.com/atom/ns#' term='ERM Roundtable'/><title type='text'>NC State ERM Roundtable - GREAT Session from David Fox of KBR</title><content 
type='html'>Attended this morning's session in Raleigh for NC State's ERM Roundtable and had the pleasure of hearing some thought-provoking ideas from both Dr. Mark Beasley (NC State) and David Fox of KBR in Houston.  Thank you to &lt;a href="http://oversightsystems.com/"&gt;Oversight Systems&lt;/a&gt; for their sponsorship of the event.&lt;br /&gt;&lt;br /&gt;More on David's presentation later today, but for now here are a couple of resources that we know will be of interest to the ERM and Internal Audit communities.  &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;1)  AICPA's &lt;a href="http://mgt.ncsu.edu/erm/NCStateResearch.php"&gt;Research&lt;/a&gt; on the Current State of Enterprise Risk Oversight, published April 2009.&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Research by the American Institute of Certified Public Accountants (AICPA) and NC State ERM Initiative finds that while the volume and complexities of risks are increasing extensively, risk oversight is fairly immature, ad hoc, and the source of frustration for over 700 executives surveyed.  Some great factoids from the survey...&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Over 1/3 of organizations surveyed note they were caught off guard by an Operational Surprise either "Extensively" or "A Great Deal" in the last five years.  
Another 1/3 of organizations faced a "Moderate" operational surprise.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Almost half (47%) stated that they are "Not at All Satisfied" or "Minimally" satisfied with the nature and extent of reporting of key risk indicators to senior executives regarding the entity's top risk exposure.&lt;br /&gt;&lt;/li&gt;&lt;/ul&gt;But&lt;br /&gt;&lt;ul&gt;&lt;li&gt;44% of organizations surveyed have no enterprise-wide risk management process in place and no plans to implement one.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;An additional 18% without ERM processes in place indicate they are currently investigating the concept, but have made no decisions about implementing ERM.&lt;/li&gt;&lt;/ul&gt;Said in a sentence or two...Firms have been bitten by risk, they are not satisfied with executive and board-level reporting about risk, but they're not doing much about it.  No wonder ERM is so hard!&lt;br /&gt;&lt;br /&gt;Read more about Enterprise Risk Management at NC State's very thoughtful and thought-provoking &lt;a href="http://mgt.ncsu.edu/erm/"&gt;Portal&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-1934594844203002862?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/1934594844203002862/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=1934594844203002862' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/1934594844203002862'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/1934594844203002862'/><link rel='alternate' type='text/html' 
href='http://continuousauditing.blogspot.com/2009/04/nc-state-erm-roundtable-great-session.html' title='NC State ERM Roundtable - GREAT Session from David Fox of KBR'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-7527123160056325496</id><published>2009-04-19T19:07:00.001-07:00</published><updated>2009-04-21T19:05:32.819-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='SuperStrategies'/><category scheme='http://www.blogger.com/atom/ns#' term='Oversight Systems'/><category scheme='http://www.blogger.com/atom/ns#' term='ACL'/><category scheme='http://www.blogger.com/atom/ns#' term='IDEA'/><title type='text'>SuperStrategies 2009 Reflections</title><content type='html'>Kim and I spoke at SuperStrategies 2009 in Las Vegas last week, where our topic was Finding Money and Detecting Fraud with Transaction Monitoring.  The session was well-attended and provided some nice opportunities to meet some new friends and prospects, as well as connect with several alliance partners, including ACL, IDEA, and Oversight Systems.&lt;br /&gt;&lt;br /&gt;Our conference presentation is available for download on &lt;a href="http://tinyurl.com/dl89bv"&gt;LinkedIn&lt;/a&gt; and &lt;a href="http://tinyurl.com/d5kmy6"&gt;SlideShare&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Data analysis and continuous auditing clearly remained top of mind for most internal audit and ERM executives, especially as firms are all challenged to do more with less.  A number of excellent presenters also shared their experience in the area, including RLI Insurance, HCA, and Continental Airlines.  
It was especially encouraging to hear the keynote panel's predictions for the future, and have each point toward data analysis and continuous auditing as a continued area of focus.&lt;br /&gt;&lt;br /&gt;Conference takeaways related to data analysis included:  ; comparing relative size factor on invoices and PO's (HCA); team award for the data analytic innovation of the month (Bristol-Myers Squibb); Geocoding and Q-grams (RLI); and reading your competitors' 10K for risk assessment input factors (Protiviti).&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-7527123160056325496?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/7527123160056325496/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=7527123160056325496' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/7527123160056325496'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/7527123160056325496'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/04/superstrategies-2009-reflections.html' title='SuperStrategies 2009 Reflections'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' 
src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-6439489092632103813</id><published>2009-04-12T06:08:00.001-07:00</published><updated>2009-04-12T06:31:18.046-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='CCM-T'/><category scheme='http://www.blogger.com/atom/ns#' term='FACTA'/><category scheme='http://www.blogger.com/atom/ns#' term='Red Flag'/><title type='text'>Are you a creditor?  How FACTA compliance may affect your organization</title><content type='html'>It is not uncommon today for people to rarely carry cash or coin on their person, and why would they need to?  Most vendors accept credit/debit cards (one notable exception is Price’s Chicken Coop in Charlotte, NC; you must have cash, and you had better know EXACTLY what you want to order when the cashier engages you.  One wrong word and you get a quick rebuke!).   We live in a credit society.  Who are the creditors?&lt;br /&gt;&lt;br /&gt;FACTA defines the terms “credit” and “creditor” the same as section 702 of the Equal Credit Opportunity Act:&lt;br /&gt;• The term "credit" means the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefore.&lt;br /&gt;• The term "creditor" means any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.&lt;br /&gt;&lt;br /&gt;This definition of creditor casts a large and wide net.  In fact, the American Medical Association (AMA) recently wrote the FTC essentially pleading exemption under the FACTA covered accounts.  
However, in response, the FTC stated that it “believe[s] that the plain language and purpose of the Rule dictate that health care professionals are covered by the Rule when they regularly defer payment for goods or services. We also believe that implementation of the Rule will help reduce the incidence of medical identity theft; and that the burden on health care professionals need not be substantial.”&lt;br /&gt;&lt;br /&gt;We seem to be getting further from the typical line of thinking with the term creditor and identity theft, but now that electrons carry out our human fiduciary responsibilities, the door is now wide open to applying the term “creditor” to most any firm.&lt;br /&gt;&lt;br /&gt;Firms should consider implementation of a solid continuous controls monitoring for transactions (CCM-T) framework that can help them comply with the FACTA Red Flag Rules.  More information on FACTA and CCM-T's application for FACTA compliance in the coming weeks.&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-6439489092632103813?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/6439489092632103813/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=6439489092632103813' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/6439489092632103813'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/6439489092632103813'/><link rel='alternate' type='text/html' 
href='http://continuousauditing.blogspot.com/2009/04/are-you-creditor-how-facta-compliance.html' title='Are you a creditor?  How FACTA compliance may affect your organization'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-1844830622266059714</id><published>2009-04-07T07:10:00.000-07:00</published><updated>2009-04-08T04:39:14.824-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Audimation'/><category scheme='http://www.blogger.com/atom/ns#' term='IDEA'/><category scheme='http://www.blogger.com/atom/ns#' term='Data Analysis'/><title type='text'>Presentation to IIA Charlotte with Don Sparks</title><content type='html'>On March 31, Don Sparks (Audimation / IDEA) and I facilitated a day of continuing professional education (CPE) for the Charlotte IIA on the topics of data mining and continuous auditing.  To the chapter's surprise and delight (and ours), more than 100 people signed up and attended, making the event a sell-out.  &lt;br /&gt;&lt;br /&gt;A common theme among the audit teams in attendance was that they are being asked to do much more with less this year, and their focus therefore is turning to data analysis.   Some advanced users were in the room and contributed significantly (Thanks Mark LeRoy from Wells Fargo and the whole team from Arrowpoint Capital!).  Several groups have made the transition from one-time use of data analysis to more frequent, interval-based analysis.  These steps are critical on any journey toward continuous auditing, and it was energizing to hear of the successes.   
&lt;br /&gt;&lt;br /&gt;Most teams are just getting started, and familiar roadblocks such as access to data were heard.  The most valuable components of the session were the facilitated sessions where tables collaborated on designing and identifying data analysis routines that they were running or would like to run in the near future.  We distributed a list of recommended routines for common business processes, and also shared some additional lists by industry for HealthCare, Retail, Financial Services, and Manufacturing.  All were particularly well received, and distributed both during the class and by email to those who requested soft copies. &lt;br /&gt;&lt;br /&gt;For future sessions, Don and I would plan to have a larger room, with flipcharts, so participants can share both questions and successes with other participants.  Look for a new and improved session at your IIA chapter in the near future, or contact one of us to bring such a presentation to your local chapter. &lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-1844830622266059714?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/1844830622266059714/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=1844830622266059714' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/1844830622266059714'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/1844830622266059714'/><link rel='alternate' type='text/html' 
href='http://continuousauditing.blogspot.com/2009/04/presentation-to-iia-charlotte-with-don.html' title='Presentation to IIA Charlotte with Don Sparks'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-864744415253574677</id><published>2009-04-06T21:45:00.000-07:00</published><updated>2009-04-12T06:32:36.267-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Actimize'/><category scheme='http://www.blogger.com/atom/ns#' term='FACTA'/><category scheme='http://www.blogger.com/atom/ns#' term='Red Flag'/><title type='text'>Monitoring and Preventing Insider Theft</title><content type='html'>In the course of identifying and preventing potential identity theft incidents, it is important to consider how the information could be used for ill-gotten gain.  It is also important to know how that information is accessible.  
For especially valuable information, it is reasonable to expect outsiders to try to gain access to this information: the call center inquiry into changing an account’s physical address, the phishing for weaknesses in procedure… but what of the insiders who have greater access to the precious information?&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blogs.bluelance.com/2009/04/even-security-companies-arent-immune-to-insider-theft.html"&gt;Blue Lance recently blogged&lt;/a&gt; on the vulnerability of the information security firm Symantec and their recent &lt;a href="http://www.csoonline.com/article/487372/Symantec_Warns_Customers_of_Call_Center_Theft"&gt;insider theft incident&lt;/a&gt;.  This shows how any firm, ANY, is susceptible to insider theft.  A robust continuous controls monitoring platform, especially one that considers disparate data sources, could have identified patterns between in-bound calls and account inquiries by customer service reps, providing an early warning for inappropriate behavior.  Actimize is a software vendor with an innovative application for monitoring call centers, primarily in the financial services space, and this space is one with increasing competition.&lt;br /&gt;&lt;br /&gt;Enterprises should consider the access and use of company information by company employees as valid transactions that require monitoring.  When an employee (or outsider!) begins accessing credit data that is outside of his typical area of responsibility, this should be a warning.  
While this may occur less frequently than outsiders’ attempts to steal an identity, the magnitude of a successful theft is much more significant.&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-864744415253574677?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/864744415253574677/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=864744415253574677' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/864744415253574677'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/864744415253574677'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/04/monitoring-and-preventing-insider-theft.html' title='Monitoring and Preventing Insider Theft'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-5559097773409609321</id><published>2009-03-02T20:24:00.000-08:00</published><updated>2009-03-13T10:04:24.847-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Accounts Payable'/><category scheme='http://www.blogger.com/atom/ns#' term='Recovery Auditing'/><title type='text'>Reflections from IIA District Conference</title><content 
type='html'>More than 100 people attended our session last week at the Carolina's IIA District Conference, where I joined Matt Cleaver, Head of Internal Audit for RH Donnelley (RHD), to talk about their journey along the Continuous Auditing maturity curve.  Since Visual Risk IQ's initial continuous auditing project for them in 2007, RHD has migrated from one-time, retrospective data analysis in the Accounts Payable area to weekly review of potential duplicate payments or overpayments PRIOR to any checks being issued.  An important step on the maturity curve for RHD was achieved earlier this year, as the business process owner (not internal audit!) now runs the queries that had been developed to identify the potential duplicates.&lt;br /&gt;&lt;br /&gt;As shared at the Conference, several hundred thousand dollars in errors have been prevented due to this weekly review, and the overpayments actually recovered from our original project have &lt;span style="font-weight: bold;"&gt;more than funded the entire annual budget&lt;/span&gt; &lt;span style="font-weight: bold;"&gt;of the internal audit department.&lt;/span&gt;  The return on the project's investment has been outstanding, and the audit team is even more highly valued at the Company during these challenging times affecting media and advertising companies (and most everyone else!).&lt;br /&gt;&lt;br /&gt;Special thanks to Matt, who was very candid about the findings that our project helped their audit team uncover, in terms of these overpayments, as well as other internal control improvements that resulted from the data analysis work.  
For more information on their success, or for a copy of the slide deck, please email me at the contact information below.&lt;br /&gt;&lt;br /&gt;Here's wishing that your internal audit projects can help demonstrate the value of data analysis and continuous auditing in such a direct and tangible way.&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-5559097773409609321?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/5559097773409609321/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=5559097773409609321' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/5559097773409609321'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/5559097773409609321'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/03/reflections-from-iia-district.html' title='Reflections from IIA District Conference'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-6233693288805132318</id><published>2009-03-01T09:10:00.000-08:00</published><updated>2009-08-09T07:26:39.327-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Gartner'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Continuous Controls Monitoring'/><title type='text'>New acronyms in the Continuous Controls Monitoring space - CCM-T</title><content type='html'>Those of you who have met Kim Jones and me, either from our PwC days or since we've founded Visual Risk IQ, know that we believe that the IT Research community has not done a great job of defining categories within Governance, Risk and Compliance software.  Even the Continuous Controls Monitoring category had everything from Segregation of Duties tools like Virsa (now SAP-GRC) to IT General Control Tools (like TripWire) to more general purpose CCM tools like those from ACL, Apex, Approva, and Oversight.&lt;br /&gt;&lt;br /&gt;But now in 2009, the Research community is getting better.  Maybe much better.  Gartner has published a new report on the segment of the GRC category that we specialize in, and they have named the category "Continuous Controls Monitoring for Transactions, or CCM-T".  We believe this segmentation does a MUCH better job of identifying the vendors who are in this category.&lt;br /&gt;&lt;br /&gt;The report separates CCM-T from other CCM technologies, like Segregation of Duties tools, Application Controls, and Master Data tools.  For a copy of the report, register on ACL's web site and download the &lt;a href="http://tr.im/w4h8"&gt;Gartner CCM-T Report&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Take a look and tell us what you think, either by commenting below, sending an email or seeing us in person.  
Look for Visual Risk IQ at IIA's GAM conference or at MISTI's SuperStrategies, where we will be a sponsor and speaker on Thursday morning April 16.&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-6233693288805132318?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/6233693288805132318/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=6233693288805132318' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/6233693288805132318'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/6233693288805132318'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/03/new-acronyms-in-continuous-controls.html' title='New acronyms in the Continuous Controls Monitoring space - CCM-T'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-9144594094017111753</id><published>2009-02-25T05:07:00.000-08:00</published><updated>2009-02-25T06:12:12.172-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ACL'/><category scheme='http://www.blogger.com/atom/ns#' term='Apex Analytix'/><category scheme='http://www.blogger.com/atom/ns#' 
term='Approva'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Auditing Jobs'/><title type='text'>Now Hiring - Continuous Auditing specialists</title><content type='html'>Many of you who have heard my partner and me speak at various IIA and MISTI events know that we have Google Alerts set up on Continuous Auditing and Continuous Monitoring.  Most Continuous Monitoring alerts have been related to Medical Devices - glucose monitoring, pacemakers, but it has been rare that we actually get article posts related to Continuous Auditing or what is becoming known as Continuous Controls Monitoring. &lt;br /&gt;&lt;br /&gt;But maybe this is changing....&lt;br /&gt;&lt;br /&gt;For the past two weeks, I have gotten "hits" on Google Alerts for Continuous Auditing and Continuous Controls Monitoring that relate to data analysis, data mining, and continuous auditing, specifically Job Postings.  Yes, despite the challenging economy, there are several Audit Groups that are hiring continuous auditing specialists.  Technical skills needed include data analysis, such as working with ACL or IDEA, as well as more modern tools such as Approva, Oversight Systems or Apex Analytix. &lt;br /&gt;&lt;br /&gt;Not surprisingly, interpersonal skills, including good communication skills and technical writing, are also required.  You can't write a good continuous auditing test if you don't have good data.  And auditors need help from someone to acquire and understand the data.    &lt;br /&gt;&lt;br /&gt;Kudos to the hiring executives who understand that increasing the depth and especially the frequency of data analysis can increase the value that internal audit brings.  Two of the three job postings I've seen are in the Hospitality sector, and the third is in Healthcare.  Common threads perhaps are large volumes of disparate data, and opportunities to increase top line revenue through improving data quality. 
&lt;br /&gt;&lt;br /&gt;For more information on these jobs or to compare notes on data analysis and continuous auditing, please reach out via contact information below. &lt;br /&gt;&lt;br /&gt;Regards,&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;br /&gt;joe.oringel@visualriskiq.com&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-9144594094017111753?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/9144594094017111753/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=9144594094017111753' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/9144594094017111753'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/9144594094017111753'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/02/now-hiring-continuous-auditing.html' title='Now Hiring - Continuous Auditing specialists'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-3088823220428574540</id><published>2009-02-11T20:21:00.000-08:00</published><updated>2009-02-25T08:47:44.960-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Foreign Corrupt Practices Act'/><title type='text'>What is the cost of 
non-compliance?  How's $579 million sound?</title><content type='html'>Source:  Reuters:  Halliburton and KBR agree to Settlement in historic Foreign Corrupt Practices Act (FCPA) case&lt;br /&gt;&lt;br /&gt;In the largest FCPA settlement against a US-based company, KBR and its former parent Halliburton agreed to pay $579 million in fines to settle charges that they violated the Foreign Corrupt Practices Act (FCPA) as part of a plan to secure large, long-term construction contracts in Nigeria.&lt;br /&gt;&lt;br /&gt;According to the DOJ, KBR was part of a four-company joint venture that received the contracts. As part of its plea, KBR admitted to conspiring with those partners to promise and pay bribes. They also admitted to paying tens of millions of dollars in consulting fees to two agents for use in bribing government officials.&lt;div&gt;&lt;br /&gt;&lt;div&gt;As part of its criminal plea deal, KBR agreed to retain an independent compliance monitor for a three-year period and continue to cooperate with the DOJ's continuing investigation of this matter.&lt;br /&gt;&lt;br /&gt;In a related civil complaint by the SEC, Halliburton and KBR jointly agreed to pay $177 million in disgorgement. The SEC had charged KBR with violating the anti-bribery provisions of the Foreign Corrupt Practices Act. 
It also charged Halliburton and KBR with record-keeping and internal control violations.&lt;br /&gt;&lt;br /&gt;"As part of the resolution of the SEC investigation, Halliburton will retain an independent consultant to perform a 60-day initial and, approximately one year later, a 30-day follow-up review and evaluation of Halliburton's anti-bribery and foreign agent internal controls and record-keeping policies and to adopt any necessary improvements," the company said.&lt;br /&gt;&lt;br /&gt;----------------------------------&lt;br /&gt;&lt;br /&gt;The application of continuous auditing and monitoring to help organizations monitor internally for potential FCPA violations is particularly positive, because these compliance issues can be assessed concurrently with other operational challenges such as duplicate payment or overpayment.&lt;br /&gt;&lt;div&gt;&lt;div&gt;&lt;div&gt;  &lt;/div&gt;&lt;div&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ LLC&lt;br /&gt;Charlotte NC, USA&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-3088823220428574540?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/3088823220428574540/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=3088823220428574540' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/3088823220428574540'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/3088823220428574540'/><link rel='alternate' type='text/html' 
href='http://continuousauditing.blogspot.com/2009/02/what-is-cost-of-non-compliance-hows-579.html' title='What is the cost of non-compliance?  How&apos;s $579 million sound?'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-7722436107611294357</id><published>2009-02-05T09:19:00.000-08:00</published><updated>2009-02-11T20:28:25.448-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Fraud'/><title type='text'>Check out "The Fraudies", Oversight's list of top Corporate Fraudsters</title><content type='html'>The folks at Oversight Systems have announced &lt;a href="http://www.fraudies.com/"&gt;The Fraudies&lt;/a&gt;, a light-hearted collection of some of the bolder attempts to defraud corporations that have been detected or deterred by continuous auditing and monitoring.   My personal favorite is the individual who used their company's P-Card to purchase $3,400 worth of advice from the Psychic Hotline.  Let's hope the psychic didn't tell the fraudster to join your firm.&lt;br /&gt;&lt;br /&gt;Unfortunately, today's challenging economic times are increasing the pressures and the rationalization behind more potential fraudsters.  
We are working with a number of organizations in different industries to help increase the likelihood of detection by implementing cost-effective monitoring techniques.&lt;br /&gt;&lt;br /&gt;Using these techniques as part of regularly scheduled Accounts Payable, Travel &amp;amp; Entertainment or P-Card audits can help organizations achieve compliance objectives while also returning money to the bottom line by reducing overpayments and re-capturing inappropriate disbursements.  Further, like the Fraudies, we hope that by publicizing these instances of fraud, other future fraudsters will be deterred.   &lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Joe Oringel&lt;/div&gt;&lt;div&gt;Visual Risk IQ&lt;/div&gt;&lt;div&gt;Charlotte NC 28277&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-7722436107611294357?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/7722436107611294357/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=7722436107611294357' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/7722436107611294357'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/7722436107611294357'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2009/02/check-out-fraudies-oversights-list-of.html' title='Check out &quot;The Fraudies&quot;, Oversight&apos;s list of top Corporate Fraudsters'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-735632331878865385</id><published>2008-12-28T07:32:00.000-08:00</published><updated>2008-12-28T08:53:41.193-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='On Point Continuous Control Monitoring'/><category scheme='http://www.blogger.com/atom/ns#' term='Vonya Global'/><category scheme='http://www.blogger.com/atom/ns#' term='On Point Data Analytics'/><title type='text'>Visual Risk IQ to Partner with Vonya Global: Providing Data-Driven Audit Services</title><content type='html'>&lt;span class="Apple-style-span"  style="font-size:small;"&gt;Feedback from the Continuous Auditing Life Cycle workshop that we did with Vonya Global in Chicago was very positive; consequently, we have developed a partner relationship with them to market and deliver two services specifically focused at helping audit executives recover costs and increase margins during challenging economic times.  &lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;The services analyze historical purchasing and sales transactions looking for overpayment, contract pricing variations, and other operational and compliance issues.  Clients benefit from tangible recoveries, while also receiving advice on monitoring controls that can be used to prevent future errors.  
&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;On Point Data Analytics(sm), &lt;/span&gt;&lt;span class="Apple-style-span" style=" "&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;the first service &lt;/span&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style=" "&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;provided by the two firms, is directed primarily toward internal audit and executives responsible for Governance, Risk and Compliance.  On Point Data Analytics analyzes a client's data in the context of an internal audit project, thus providing hands-on audit software training while accomplishing specific audit objectives.  The service also includes an assessment of an organization's capabilities and readiness for continuous auditing.   &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;On Point Continuous Controls Monitoring (sm), the second jointly provided service, is designed to help companies understand the value of a more in-depth and frequent monitoring solution.  The service includes an in-depth analysis of historical transactions using a best-in-class continuous monitoring tool, and identifies operational and compliance issues along with improvements that can prevent future errors.  
&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;Click here to read the entire &lt;/span&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;a href="http://www.vonyaglobal.com/Vonya_Global_Press_Release_Data_Driven_Audit_Services.pdf"&gt;press release&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt;Bookmark this blog to read case studies and client profiles that highlight examples of cost recovery and other savings that have paid for the services many times over.    &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-size:small;"&gt; &lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-735632331878865385?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/735632331878865385/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=735632331878865385' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/735632331878865385'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/735632331878865385'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2008/12/visual-risk-iq-to-partner-with-vonya.html' title='Visual Risk IQ to Partner with Vonya Global: Providing Data-Driven Audit Services'/><author><name>Joe 
Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-7695988050475371772</id><published>2008-12-26T05:56:00.000-08:00</published><updated>2008-12-26T07:17:15.232-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='NC State'/><category scheme='http://www.blogger.com/atom/ns#' term='ERM'/><title type='text'>ERM Resources from NC State</title><content type='html'>During the last several months, I have been attending the Enterprise Risk Management (ERM) roundtables at NC State University in Raleigh.  These ERM roundtables provide thought-provoking Continuing Professional Education (CPE) and networking opportunities for Governance, Risk and Compliance professionals on a regional and national level.   Previous presentations are archived on the web at:  &lt;a href="http://mgt.ncsu.edu/erm/Roundtables.php"&gt;http://mgt.ncsu.edu/erm/Roundtables.php&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The purpose of the ERM program is multi-dimensional.  They aspire to provide outreach (through the roundtables), research (through an outstanding &lt;a href="http://mgt.ncsu.edu/erm/ERMLearningResourcesCenter.php"&gt;web portal&lt;/a&gt;), and undergraduate and graduate education.&lt;br /&gt;&lt;br /&gt;Speakers this fall included Jim Traut, Director of ERM at H.J. Heinz, and Drew Zavatsky, Office of Financial Management from the State of Washington, and the February roundtable will be in Charlotte NC.   
Steve Dreyer of Standard &amp;amp; Poor's (S&amp;amp;P) will be presenting on their use and evaluation of ERM as part of S&amp;amp;P's ratings process.&lt;br /&gt;&lt;br /&gt;Continuous Auditing combines more frequent risk assessment with more frequent and in-depth control assessment.  Since ERM represents leading-edge practices in risk assessment, we will continue to identify opportunities to link continuous controls monitoring to ERM, to provide more data-driven risk assessment.  &lt;br /&gt;&lt;br /&gt;Stay tuned for more information in 2009 about these initiatives.&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Charlotte, NC&lt;br /&gt;Visual Risk IQ&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-7695988050475371772?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/7695988050475371772/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=7695988050475371772' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/7695988050475371772'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/7695988050475371772'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2008/12/erm-resources-from-nc-state.html' title='ERM Resources from NC State'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' 
src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-6829988774435851685</id><published>2008-11-12T08:18:00.000-08:00</published><updated>2008-12-26T14:18:13.163-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Vonya Global'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Auditing'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Controls Monitoring'/><title type='text'>Continuous Auditing Maturity Model presented in Chicago</title><content type='html'>This past week, we presented an overview of Continuous Auditing and Monitoring to a group of internal audit and compliance executives in Chicago, IL.  The session focused on the Continuous Auditing Maturity Model, and provided specific guidance on how to get started with data mining and data analysis, as well as more advanced advice on increasing frequency and progressing toward continuous auditing.&lt;br /&gt;&lt;br /&gt;The session was attended by a diverse group of attendees from a variety of industries and functional backgrounds.  Experience with data analysis ranged from "not started" to regular use of ACL and IDEA, and each attendee was able to take away practical advice to help them with their specific situation and risk profile.&lt;br /&gt;&lt;br /&gt;Visual Risk IQ and &lt;a href="http://www.vonyaglobal.com/"&gt;Vonya Global&lt;/a&gt;, a Chicago-based consulting firm specializing in Internal Audit, co-sponsored the event, and Vonya hosted the event at their offices on N. Michigan Avenue.  
Feedback from attendees was very positive, and we expect to co-sponsor similar events together in the new year.&lt;br /&gt;&lt;br /&gt;To obtain a copy of the slide deck used at the event, please email joe.oringel@visualriskiq.com or call 704-752-6403.&lt;br /&gt;&lt;br /&gt;Regards,&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-6829988774435851685?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/6829988774435851685/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=6829988774435851685' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/6829988774435851685'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/6829988774435851685'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2008/12/continuous-auditing-maturity-model.html' title='Continuous Auditing Maturity Model presented in Chicago'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-4563409987251763760</id><published>2008-10-17T08:06:00.000-07:00</published><updated>2008-12-26T14:19:05.504-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Vonya Global'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Data Analysis'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Controls Monitoring'/><title type='text'>Visual Risk IQ, Vonya Global to present Continuous Auditing workshop in Chicago on November 7, 2008</title><content type='html'>&lt;p&gt;                                             One of our speaking efforts has been picked up on &lt;a href="http://www.prweb.com/releases/2008/10/prweb1479104.htm"&gt;PRWeb&lt;/a&gt;.  Come join us in Chicago for two hours of CPE and some lively discussion on Continuous Auditing and Monitoring&lt;/p&gt;&lt;p&gt;&lt;span style="font-style: italic;"&gt;---------------------------------------------------------------------------&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;i&gt;Vonya Global, a leader in internal audit and independent risk assurance consulting, and Visual Risk IQ, a thought leader in continuous auditing, have come together to create a training workshop on the Continuous Auditing Lifecycle.&lt;/i&gt;                                         &lt;/p&gt;                                                                                  &lt;p&gt;                                             Chicago, IL, October 17, 2008 -- Vonya Global, a leader in internal audit and independent risk assurance consulting, and Visual Risk IQ, a thought leader in continuous auditing, have come together to create a training workshop on the Continuous Auditing Lifecycle. This workshop will be held in Chicago on November 6, 2008 and is open to the public but registration is required. &lt;/p&gt; &lt;p&gt;Continuous auditing and continuous monitoring are hot topics in the internal audit and compliance communities. While solutions offered by technology firms in this space can be quite capable, they are often impractical unless audit processes and management are also ready to adapt. 
Continuous auditing is known to help achieve compliance, audit and business performance objectives, so understanding some of the steps along the journey is often essential to getting such results in a cost-effective and direct approach. &lt;/p&gt; &lt;p&gt;This workshop will discuss several companies' journeys toward Continuous Auditing and Monitoring, and will present a Maturity Model that charts their course. The session will provide practical strategies that can be immediately applied to business regardless of where companies are on the maturity curve. &lt;/p&gt; &lt;p&gt; About Vonya Global - Vonya Global is a new idea in internal audit consulting and independent risk assurance services. With expertise in Finance, IT and Operations, Vonya Global helps its clients identify and assess risk, evaluate and improve internal controls, and implement continuous monitoring systems. Vonya Global is on a mission to prove there is a better way to serve clients by focusing on the basics; providing consistent quality, responsive service, and knowledge leadership. Having locations throughout the world, Vonya Global serves as a value-added alternative to the large accounting firms. There is a better way, Vonya Global will show you. &lt;/p&gt; &lt;p&gt;Vonya Global LLC headquarters is located at 150 N. Michigan Avenue, Suite 2935, Chicago, IL 60601. For more information please email info @ vonyaglobal.com or visit &lt;a href="http://www.vonyaglobal.com/" onclick="linkClick( this.href );" target="_blank"&gt;www.vonyaglobal.com&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;ABOUT VISUAL RISK IQ - Visual Risk IQ specializes in helping companies plan and implement continuous auditing and monitoring solutions that help them achieve their specific business objectives through increased frequency and depth of risk and control analysis. The company works with a variety of Fortune 1000 and large non-profit enterprises across a broad range of industry sectors. 
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-4563409987251763760?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/4563409987251763760/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=4563409987251763760' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/4563409987251763760'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/4563409987251763760'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2008/12/visual-risk-iq-vonya-global-to-present.html' title='Visual Risk IQ, Vonya Global to present Continuous Auditing workshop in Chicago on November 7, 2008'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-7898671436674274471</id><published>2008-09-08T04:48:00.000-07:00</published><updated>2008-09-08T05:13:30.845-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='CFO Magazine'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Auditing'/><category scheme='http://www.blogger.com/atom/ns#' term='Expense reduction'/><title type='text'>Expense Management becoming Mainstream?</title><content type='html'>We've been talking about using Continuous Auditing and Continuous Monitoring as 
ways to improve compliance and business performance for more than two years.  The approach is characterized as "ask once, satisfy many," where business process owners can satisfy compliance objectives such as segregation of duties or spending authority limits, while also evaluating operational objectives like contract compliance and pricing. &lt;br /&gt;&lt;br /&gt;CFO Magazine's &lt;a href="http://www.cfo.com/article.cfm/11964515/c_11991481?f=magazine_featured"&gt;September issue&lt;/a&gt; is highlighting some of the technologies that can accomplish these objectives. &lt;br /&gt;&lt;br /&gt;The CFO article is very consistent with our experiences.  Clients and business partners of Visual Risk IQ know that we can help review Accounts Payable, P-Card, and T&amp;amp;E data, looking for duplicate payments, financial fraud, and contract compliance.  In the last several months, we've been expanding our service capabilities to deliver even more value for our clients.  &lt;br /&gt;&lt;br /&gt;My favorite quote in the article talks about the costs for such services.  "For $50,000 to $100,000, a horde of consultants will sift through invoices, purchase orders, and contracts and produce a report, most likely on one facet of the business. Or, for $100,000 to $500,000, you can tap software that will do it for all aspects of the business all the time."  People familiar with Visual Risk IQ know that our firm uses the continuous auditing software described in the article, to help organizations test-drive and prove its value for their organization, for less than the typical fees from the "horde of consultants."&lt;br /&gt;&lt;br /&gt;The data files that we already use to provide a 100%, in-depth review of expenses for compliance and potential fraud factors can also be used to test for spending compliance.  
We have partnered with firms who are expert in selling and general &amp;amp; administrative cost reduction, and can analyze these same data files to identify the opportunities for improving expense management.&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-7898671436674274471?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/7898671436674274471/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=7898671436674274471' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/7898671436674274471'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/7898671436674274471'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2008/09/expense-management-becoming-mainstream.html' title='Expense Management becoming Mainstream?'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-1030010139230747263</id><published>2008-06-27T04:03:00.000-07:00</published><updated>2008-07-08T20:53:40.464-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Dallas ISD'/><category scheme='http://www.blogger.com/atom/ns#' term='P-Card Fraud'/><title type='text'>Can I 
have a Waverunner with that?</title><content type='html'>Public sector abuse of P-Cards continues to be rampant.  Cases have surfaced at the Dallas Independent School District, Knox County TN, Wake County NC, and more recently in Georgia, as reported in the &lt;a href="http://www.ajc.com/metro/content/metro/atlanta/stories/2008/05/13/pcard_0514.html"&gt;Atlanta Journal Constitution&lt;/a&gt;.   In this recent Georgia case, an administrator for Georgia Tech used her P-Card to make nearly 3,000 fraudulent purchases totaling more than $300,000.  &lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;The Georgia Tech administrator, Donna Gamble, has pled guilty to 22 counts of mail fraud and theft, and will be sentenced later this month in Federal Court.  Her unauthorized purchases with federal grant monies included a Waverunner personal watercraft and lawn tractors.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Public and private sector organizations are replacing expensive purchase orders and procurement processes with P-Cards, as the cost per transaction is very favorable.  &lt;a href="http://www.aberdeen.com/c/report/benchmark/sponsored/4127-RA-purchasing-cards.pdf"&gt;Aberdeen Research&lt;/a&gt; shows that P-Card purchases often cost less than 1/3 the amount of more traditional purchase order and invoice purchases.  Yet these P-Card purchases introduce more risk, and all types of organizations are challenged by how to best control and monitor credit card spend.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Supervisory review, transaction review by a central P-Card administrator, and limiting card usage at certain merchants and merchant types are all controls that organizations use to ensure charges are authorized and in compliance with preferred vendor agreements.   
But the news headlines suggest strongly that these controls are not sufficient.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Stay tuned in coming weeks as we look to chronicle other organizations that have implemented continuous controls monitoring for frequent, in-depth, and efficient transaction review.&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-1030010139230747263?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/1030010139230747263/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=1030010139230747263' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/1030010139230747263'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/1030010139230747263'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2008/06/can-i-have-waverunner-with-that.html' title='Can I have a Waverunner with that?'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-5830380659602760256</id><published>2008-06-14T08:37:00.000-07:00</published><updated>2008-06-14T20:13:14.519-07:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='Health Care Fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Controls Monitoring'/><category scheme='http://www.blogger.com/atom/ns#' term='Visual Reporting'/><category scheme='http://www.blogger.com/atom/ns#' term='Thomas Ray and Associates'/><title type='text'>How to Earn $25 Million Per Year, at Least for a While....</title><content type='html'>The answer isn't to be an NBA All-Star or an Oscar winning actress.    But the good news is a college degree isn't required.  Apparently limited Federal oversight over Medicare and Medicaid spending in South Florida has allowed at least one fraudster to "earn" $105 Million over four years before finally getting caught in a recent sting operation.&lt;br /&gt;&lt;br /&gt;Clues from the Department of Health and Human Services (HHS) that led to the prosecution include the following:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;The South Florida region billed Medicare more than $2 billion each year for injectable HIV medications. 
That figure is &lt;span style="font-weight: bold;"&gt;22 times as high&lt;/span&gt; as the amount of similar claims in the rest of the country, and is far out of line with demographic data in a population of 2 million people in Miami-Dade County, HHS statistics show.&lt;/li&gt;&lt;li&gt;HHS investigators discovered that nearly half of 1,581 medical equipment companies they visited in the Miami area did not comply with basic Medicare requirements to be open during scheduled hours &lt;span style="font-weight: bold;"&gt;and to have a telephone number&lt;/span&gt;.&lt;/li&gt;&lt;/ul&gt;For more information on the specific case and some of the troubling patterns suggested, read the &lt;a href="http://www.msnbc.msn.com/id/25133095/from/ET/"&gt;MSNBC story&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Those of you familiar with Visual Risk IQ's services know that we combine visual outlier analysis with continuous transaction monitoring, primarily for accounts payable, procurement card, and travel and entertainment.  But since summer of 2007, we have also been developing a practice in Health Benefits auditing, in partnership with Atlanta-based Thomas Ray and Associates.  
Stories like this validate our decision to expand our work into this payment stream, as overpayments through errors and fraud seem much greater than with accounts payable.&lt;br /&gt;&lt;br /&gt;More to follow this summer as we continue our work in this highly visible expense area.&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC 28277&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-5830380659602760256?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/5830380659602760256/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=5830380659602760256' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/5830380659602760256'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/5830380659602760256'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2008/06/how-to-earn-25-million-per-year-at.html' title='How to Earn $25 Million Per Year, at Least for a While....'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-4534859998769502740</id><published>2008-06-09T11:57:00.000-07:00</published><updated>2008-06-09T12:25:50.323-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Inside 
Counsel'/><category scheme='http://www.blogger.com/atom/ns#' term='Foreign Corrupt Practices Act'/><title type='text'>Turning up the heat on FCPA, from Inside Counsel</title><content type='html'>Ever since my undergrad days at LSU in the mid-1980s, I've thought Internal Audit should report to General Counsel (GC) instead of the CFO.   The GC is an advisor to the Board, and who better to provide advice, especially on matters of law and compliance.  Because of this belief, I've subscribed to Inside Counsel, which is the equivalent trade magazine for in-house Legal Officers that CFO Magazine or CIO Magazine are for those executives. &lt;br /&gt;&lt;br /&gt;This month's issue of Inside Counsel follows trends that we've been hearing throughout the internal audit world.  Specifically, that enforcement of the Foreign Corrupt Practices Act (FCPA) is stepping up for large, global corporations, and that this increased focus leads to greater risk, especially for those whose internal monitoring programs are judged to be sub-standard.   To read the entire article, click through  &lt;a href="www.insidecounsel.com/section/international/1757?pagenum=3"&gt;this link &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Continuous auditing and monitoring, including monitoring of relationships between suppliers, customers, and employees, is not frequent among the Global 1000.  But many organizations that do such monitoring are often able to identify risky transactions or relationships well in advance of any regulators.  Further, a couple of organizations who are among the leaders in continuous monitoring of FCPA have actually had to implement such programs because the monitoring has been forced upon them by regulators. 
&lt;br /&gt;&lt;br /&gt;So if you're looking for one more reason to experiment with Continuous Auditing or Continuous Monitoring, see the following list of FCPA fines and payments, and ask what you're doing to make sure your organization stays off of this dubious list.&lt;br /&gt;&lt;br /&gt;Siemens                        $2 BILLION in bribes revealed, settlement pending&lt;br /&gt;Baker Hughes         $44 million in penalties paid (charges of bribery in Kazakhstan)&lt;br /&gt;Chevron                   $30 million in penalties paid (Oil for Food Corruption in Iraq)&lt;br /&gt;Volvo                        $7 million in penalties paid (Oil for Food Corruption in Iraq)&lt;br /&gt;Flowserve                $4 million in penalties paid (Oil for Food Corruption in Iraq)&lt;br /&gt;Ingersoll-Rand        $2.5 million in penalties paid (Oil for Food Corruption in Iraq)&lt;br /&gt;&lt;br /&gt;As always, comments and suggestions are welcome.&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ, LLC&lt;br /&gt;Charlotte NC, USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-4534859998769502740?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/4534859998769502740/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=4534859998769502740' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/4534859998769502740'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/4534859998769502740'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2008/06/turning-up-heat-on-fcpa-from-inside.html' title='Turning 
up the heat on FCPA, from Inside Counsel'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-6153308408246138136</id><published>2008-05-15T04:16:00.001-07:00</published><updated>2008-05-15T04:40:29.680-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Visual Risk IQ'/><category scheme='http://www.blogger.com/atom/ns#' term='First Strike'/><category scheme='http://www.blogger.com/atom/ns#' term='Apex Analytix'/><title type='text'>APEX Analytix Forms Alliance with Visual Risk IQ</title><content type='html'>Sharing some news about our firm that crossed the wire this week...&lt;br /&gt;&lt;p style="font-weight: bold;"&gt;source:  &lt;a href="http://triad.dbusinessnews.com/shownews.php?newsid=158309&amp;amp;type_news=latest"&gt;Triad Daily Business News&lt;/a&gt;&lt;br /&gt;&lt;/p&gt;&lt;p style="font-weight: bold;"&gt;Consulting firm to represent APEX Analytix software and services as part of its advisory capabilities in continuous auditing and monitoring.&lt;/p&gt; &lt;p&gt;GREENSBORO – APEX Analytix, a leading provider of services and software for performance improvement, error prevention and fraud detection in accounts payable, today announced a new alliance agreement with Visual Risk IQ, a consulting and systems integration firm specializing in risk advisory services for large global businesses.  
&lt;/p&gt; &lt;p&gt;Under the terms of the agreement, Visual Risk IQ now will represent APEX Analytix recovery audit and fraud detection services, as well as the company’s industry-leading FirstStrike™ software for continuous monitoring of accounts payable for errors and fraud.&lt;/p&gt; &lt;p&gt;“APEX Analytix offers best-in-class people and technology, backed by a solid 20-year track record,” said Joe Oringel, managing director, Visual Risk IQ.  “As a result, we now can offer our clients an innovative combination of software and services that can help them meet even their most aggressive governance, risk and compliance objectives.”   &lt;/p&gt; &lt;p&gt;The APEX Analytix FirstStrike™ software family helps companies protect their bottom line.  FirstStrike™ Fraud Detect provides the continuous monitoring companies need to fight fraud in accounts payable disbursements.  FirstStrike™ Accounts Payable and FirstStrike™ Purchasing automate the detection and prevention of errors in accounts payable and procurement.   APEX Analytix also provides a broad range of recovery audit and vendor risk analysis services through its team of certified auditors and fraud examiners.&lt;br /&gt;&lt;br /&gt;Visual Risk IQ specializes in helping companies plan and implement continuous auditing and monitoring solutions that help them achieve their specific business objectives through increased frequency and depth of risk and control analysis.  The company works with a variety of Fortune 1000 firms across a broad range of industry sectors.&lt;/p&gt; &lt;p&gt;“Visual Risk IQ is a great fit for us,” said Chris Siemasko, vice president of product management for APEX Analytix.  “They are widely recognized as thought leaders in risk analysis, and they share our belief in the value of continuous monitoring to improve internal controls.  
We see them leading the evolution in this emerging market through advisory services, educational seminars and a proprietary maturity model that helps clients turn their strategic vision of the future into a reality.”  &lt;/p&gt; &lt;p&gt;About APEX Analytix&lt;/p&gt; &lt;p&gt;APEX Analytix is an innovative audit recovery firm serving more than a third of the Fortune 100.  The company has transformed the audit recovery industry with FirstStrike™, a highly functional family of standards-based software that detects and prevents both errors and fraud and improves performance across the procure-to-pay process.  To date FirstStrike™ has saved businesses more than $1.5 billion in overpayments and is the most widely used software of its type.  For more information call 800.284.4522 or visit &lt;a href="http://www.apexanalytix.com/"&gt;www.apexanalytix.com&lt;/a&gt;.&lt;/p&gt; &lt;p&gt;About Visual Risk IQ&lt;/p&gt; Visual Risk IQ helps people responsible for governance, risk and compliance achieve their compliance and business performance objectives through practical application of process changes and innovative technologies.  The company provides value for clients using a combination of experience-based learning and co-sourcing projects, satisfying current requirements in the context of a future vision.  
For more information on Visual Risk IQ, visit &lt;a href="http://www.visualriskiq.com/"&gt;www.visualriskiq.com&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;source:  &lt;a href="http://triad.dbusinessnews.com/shownews.php?newsid=158309&amp;amp;type_news=latest"&gt;Triad Daily Business News&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-6153308408246138136?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/6153308408246138136/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=6153308408246138136' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/6153308408246138136'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/6153308408246138136'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2008/05/apex-analytix-establishes-alliance-with.html' title='APEX Analytix Forms Alliance with Visual Risk IQ'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-4962096785408157119</id><published>2008-05-11T06:41:00.000-07:00</published><updated>2008-05-11T07:14:19.531-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Health Benefits'/><category scheme='http://www.blogger.com/atom/ns#' term='CFO Magazine'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Procurement Card'/><title type='text'>Top CFO concern's - How Continuous Auditing (CA) can help</title><content type='html'>CFO Magazine and Duke's Fuqua School of Business published their quarterly Top 10 Concerns of CFO's on May 1, 2008, and this quarter's list seems to demonstrate the potential benefit of more frequent and more in-depth controls monitoring and auditing procedures.  To read the article in full, please click through to: http://www.cfo.com/article.cfm/11078610/c_11081639?f=insidecfo&lt;br /&gt;&lt;br /&gt;Though most CFO concerns are repeats from previous quarters (e.g. weak consumer demand, credit markets, and the housing market fall-out), a couple of new entrants demonstrate the potential value of continuous auditing and monitoring.  Specifically, Costs of Health Care, Costs of Fuel and Costs of Non-Fuel Commodities all represent opportunities, based on our current experience with Continuous Auditing (CA) and Continuous Monitoring (CM).&lt;br /&gt;&lt;br /&gt;Visual Risk IQ is currently working with several large global enterprises on pilots of continuous auditing and monitoring in the areas of Procurement Card (P-Card), Travel and Entertainment (T&amp;amp;E) and Employee Health Benefits.  Examples of P-Card and T&amp;amp;E issues identified by CA / CM include 40 and 50 gallon fuel purchases for employees who drive company cars with 15 gallon tanks.   No matter what the cost of fuel per gallon, using Company funds to fuel a personal boat or the neighbor's SUV(s) is not appropriate.  
In the case of Employee Health Benefits, we will be using sophisticated data mining and analytics to find claims that have been paid by a Company's Third Party Administrator where the claims are not in compliance with the Summary Plan Description.&lt;br /&gt;&lt;br /&gt;Going back to recover Health Claims, T&amp;amp;E or P-Card expenditures that have been paid in error is sometimes perceived as a time-consuming and costly process.   However, use of modern CA and CM software  can dramatically reduce the cost of detecting these errors.  Further, because the errors can be detected closer to the transaction date (and often before the payments are made!), the investment in CA / CM can pay for itself many times over.&lt;br /&gt;&lt;br /&gt;Stay tuned, as we hope to chronicle some of the specifics of these reviews....&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte, North Carolina&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-4962096785408157119?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/4962096785408157119/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=4962096785408157119' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/4962096785408157119'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/4962096785408157119'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2008/05/top-cfo-concerns-how-continuous.html' title='Top CFO concern&apos;s - How Continuous Auditing (CA) can help'/><author><name>Joe 
Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-2473503889818919176</id><published>2008-04-25T19:16:00.000-07:00</published><updated>2008-05-15T04:51:31.127-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Deloitte'/><category scheme='http://www.blogger.com/atom/ns#' term='Dallas ISD'/><category scheme='http://www.blogger.com/atom/ns#' term='P-Card Fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='Navigant'/><title type='text'>Procurement Card Fraud at the Dallas Independent School Board - Could this happen to you?</title><content type='html'>Though my Blogger account seemingly allows nearly unlimited storage, there may not be sufficient space to chronicle the P-Card Fraud at the Dallas Independent School District (ISD) and the resulting costs to the local taxpayers.  The ISD suffered considerable hard-dollar costs and reputation damage that was reported during 2007 by the Dallas Morning News, and &lt;a href="http://www.dallasnews.com/sharedcontent/dws/dn/latestnews/stories/042408dnmetdisdauditmeet.916aa528.html"&gt;this week's audit report from Deloitte&lt;/a&gt; provides more details.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://dallasisdblog.dallasnews.com/archives/crime/"&gt;Yesterday's news&lt;/a&gt; included a report that the ISD may have to return $8 million to the Federal Government because the P-Card fraud caused the ISD to violate federal grant guidelines for education spending.  
Continuous monitoring doesn't sound nearly so expensive anymore.&lt;br /&gt;&lt;br /&gt;For more complete coverage of the ISD P-Card fraud, see any or all of the following links:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://dallasnews.com/sharedcontent/dws/news/localnews/stories/051107dnmetpcards.57e5503b.html"&gt;May 2007 Story in Dallas Morning News&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dallasisd.org/pcardreport/"&gt;Forensic Report from Navigant Consulting regarding P-Card abuse at the Dallas ISD&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This week's coverage summarizes the Deloitte audit report, which includes numerous control weaknesses and significant deficiencies.&lt;br /&gt;&lt;br /&gt;&lt;span class="vitstorybody"&gt;&lt;span class="vitstorybody"&gt;&lt;p&gt;&lt;b&gt;"Weaknesses and Significant Deficiencies" cited by Deloitte &amp;amp; Touche:&lt;/b&gt;&lt;/p&gt; &lt;p&gt;• District policies that "do not exist, are ineffective or not consistently applied"&lt;/p&gt; &lt;p&gt;• Poor staff training&lt;/p&gt; &lt;p&gt;• Lack of oversight from superiors&lt;/p&gt; &lt;p&gt;• Failure to comply with grant requirements from the federal government&lt;/p&gt; &lt;p&gt;• Inability to reconcile some financial accounts&lt;/p&gt; &lt;p&gt;• "Significant" adjustments to district ledgers&lt;/p&gt; &lt;p&gt;• Poor record-keeping and accounting for debts, capital assets, payroll and personnel&lt;/p&gt;&lt;br /&gt;Stay tuned - each time I think the story is over, another interesting tidbit appears.&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img 
width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-2473503889818919176?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/2473503889818919176/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=2473503889818919176' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/2473503889818919176'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/2473503889818919176'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2008/04/procurement-card-fraud-at-dallas.html' title='Procurement Card Fraud at the Dallas Independent School Board - Could this happen to you?'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-5282103694816925069</id><published>2008-04-23T21:43:00.000-07:00</published><updated>2008-05-15T04:23:10.192-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Visual Risk IQ'/><category scheme='http://www.blogger.com/atom/ns#' term='Oversight Systems'/><category scheme='http://www.blogger.com/atom/ns#' term='ACL'/><category scheme='http://www.blogger.com/atom/ns#' term='Gideon Technologies'/><category scheme='http://www.blogger.com/atom/ns#' term='Apex Analytix'/><title type='text'>More Continuous Auditing Software - Or is it?</title><content type='html'>As many who 
have met us know, Kim Jones and I keep various Google Alerts set for key phrases that relate to continuous auditing (CA) and continuous monitoring (CM).  As is the case in most weeks, this week's alert had many more citations for CM than CA.  But the CA alert did have a number of new and noteworthy items for us.&lt;br /&gt;&lt;br /&gt;One of this week's most interesting CA alerts was from an Atlanta-based software firm called Gideon Technologies and their SecureFusion suite. The suite should be of interest for configuration controls auditing and monitoring in the IT General Controls stack, but not for monitoring of financial transactions, as we focus on at Visual Risk IQ.   Nevertheless, the alert reinforces how the analysts in the GRC space struggle when describing the capabilities and points of distinction among software firms known for CA, CM, and/or GRC.  SecureFusion capabilities include IT asset detection, configuration management, and vulnerability assessment, and therefore have little if anything in common with CA and CM transaction monitoring tools like Oversight, Apex, or ACL.&lt;br /&gt;&lt;br /&gt;Kim and I know Ken from our PwC days, and we recently saw him speak at a March meeting in Atlanta, where they introduced Gideon's SecureFusion solution to a number of information security professionals.  He was quick to agree that there are a number of technology solutions that share similar names and even named features, but that they do not in fact compete in any meaningful way.  
Over time, hopefully the market(s) will also begin to distinguish this as well.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-5282103694816925069?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/5282103694816925069/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=5282103694816925069' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/5282103694816925069'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/5282103694816925069'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2008/04/more-continuous-auditing-software-or-is.html' title='More Continuous Auditing Software - Or is it?'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-5176912443338268507</id><published>2008-04-05T15:46:00.000-07:00</published><updated>2008-04-12T16:24:40.974-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Reliant Audit Solutions'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Auditing'/><title type='text'>New Entrant - Reliant Audit Solutions</title><content type='html'>As we did in 2007, my partner Kim Jones and I attended the IIA's General Audit Management (GAM) conference.  
The conference provided an excellent venue to renew relationships with clients and prospects, and as always, also provided interesting opportunities to meet with other service firms and software firms.&lt;br /&gt;&lt;br /&gt;One new entrant in the Continuous Auditing software arena emerged at the GAM conference - a software firm called Reliant Audit Solutions, from Laguna Niguel, CA.  Their CEO, Dipak Shah, has assembled a team with strong enterprise software experience, including software from the GRC space.  We were especially impressed with their Marketing VP, who was with Logical Apps prior to their acquisition by Oracle.  While we've not done a deep dive yet on their software, we were intrigued with what we saw, and will continue to investigate and report on what we learn.  &lt;br /&gt;&lt;br /&gt;Kim and I had met Dipak Shah at an IIA technology conference in 2007, when his firm was called DBExcel.   At the time, he described his vision for an integrated, real-time auditing and monitoring system that would consider both configuration controls and transaction controls.  In addition to controls monitoring, it would also serve as a document repository to assist audit or GRC executives with keeping the records that could demonstrate compliance.  For more information, see www.reliantaudit.com &lt;br /&gt;&lt;br /&gt;From first glance, he and his team at Reliant Audit are staying true to that vision.  We look forward to staying connected with them as they grow.  
&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-5176912443338268507?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/5176912443338268507/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=5176912443338268507' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/5176912443338268507'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/5176912443338268507'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2008/04/new-entrant-reliant-audit-solutions.html' title='New Entrant - Reliant Audit Solutions'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-945744841267146274</id><published>2008-03-16T11:15:00.001-07:00</published><updated>2008-03-24T06:27:00.707-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Oversight Systems'/><category scheme='http://www.blogger.com/atom/ns#' term='ACL'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Auditing'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Controls Monitoring'/><category scheme='http://www.blogger.com/atom/ns#' term='Apex'/><title 
type='text'>Observations from the IIA District Conference in Greensboro NC - it's not about Software</title><content type='html'>Visual Risk IQ presented a session on Continuous Controls Monitoring (CCM) at the IIA's District Conference in Greensboro on March 14, and we had nearly 100 people join us for a dialog about how to get started with CCM and/or Continuous Auditing (CA).  Several audience members had seen us at either Triad or Charlotte CCM / CA training sessions, either alone or with ACL, Oversight, or Apex Analytix.  &lt;br /&gt;&lt;br /&gt;So to create some distinction from other CPE sessions we've made, we focused mostly on the maturity model and recommended first steps to move from current state toward a mature, highly frequent and in-depth process for risk and control assessment.  We de-emphasized the technology components and emphasized the importance of audit process, risk assessment approach, gaining buy-in from business process owners, and training for IA staff: the non-technology components of embarking on a project.&lt;br /&gt;&lt;br /&gt;Something very interesting happened.  The Q&amp;A was more lively.  The audience was highly engaged, and a couple of audit directors came up to us after the presentation to thank us for NOT talking so much about software.  It seems they hear (way too often) about the ways Brand X, Brand Y, or Brand Z software can make their audit function better.  But their experience is that any prior technology investments are often short-lived because the technology often requires other changes to be made, and those changes are not well understood or sustained.  &lt;br /&gt;&lt;br /&gt;So we'll continue to talk about our experiences and approach to CA and CCM, including how more modern software can often help.  
But any discussion of software will be a late bind, and we'll start with emphasizing how audit functions can achieve marked increases in productivity, simply by better utilizing tools they already have.&lt;br /&gt;&lt;br /&gt;Feel free to write or comment, and we'll share our presentation with you if you were unable to attend the Conference in Greensboro.&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;br /&gt;&lt;br /&gt;www.visualriskiq.com&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-945744841267146274?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/945744841267146274/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=945744841267146274' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/945744841267146274'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/945744841267146274'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2008/03/observations-from-iia-district.html' title='Observations from the IIA District Conference in Greensboro NC - it&apos;s not about Software'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' 
src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-7599826608305527355</id><published>2008-03-12T10:01:00.000-07:00</published><updated>2008-03-24T06:25:59.490-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Continual Auditing'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Auditing'/><category scheme='http://www.blogger.com/atom/ns#' term='GTAG #3'/><title type='text'>Defining Continuous-ness.  One more reason why I love my mother-in-law</title><content type='html'>Donna, my mother-in-law, is a terrific lady.  I remember meeting my then future in-laws less than a month after my wife and I began dating.  They were fun, light-hearted, and affectionate toward their immediate family, extended family, and each other.  Throughout literally dozens of moves across the country through a military career, they remain in touch with their many friends.  Often via Donna's holiday letter.  Which brings me to continuous auditing.  Really.&lt;br /&gt;&lt;br /&gt;This year, as she has during their forty-plus years of marriage, Donna recounted an update of their family's travels, joys, and important life events.  Included in this year's business was an update on my immediate family and a brief mention of my new business.  "Joe has started a business focused on continual auditing..."  Which brought about an interesting discussion about continuous-ness and continual.  &lt;br /&gt;&lt;br /&gt;Our dictionary makes a clear distinction between continuous and continual.  
"In precise usage, continual means 'frequent, repeating at intervals' and continuous means 'going on without pause or interruption'" and provides instruction to "Avoid using continuous or continuously as a way of describing something that occurs at regular or seasonal intervals: in the sentence, 'The White House's tree-lighting ceremony has been held continuously since 1923,' the word continuously should be replaced with continually or annually."&lt;br /&gt;&lt;br /&gt;So my mother-in-law is right.  After all, we're trying to help our clients update the frequency of their risk and control assessments to be quarterly or monthly.  And to assess some key controls as frequently as weekly or daily.  But not to assess risk or controls without pause or interruption.  &lt;br /&gt;&lt;br /&gt;My partner Kim Jones and I have often talked about how continuous auditing should be about working smarter, not harder.  Doing more with less.  So stay tuned and see how we can begin to make this new label stick.  
&lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte NC, USA&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/380566879282058881-7599826608305527355?l=continuousauditing.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/7599826608305527355/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=7599826608305527355' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/7599826608305527355'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/7599826608305527355'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2008/03/defining-continuous-ness-one-more.html' title='Defining Continuous-ness.  One more reason why I love my mother-in-law'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-380566879282058881.post-2357276135352401156</id><published>2008-02-05T09:38:00.000-08:00</published><updated>2008-03-16T10:16:32.836-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Visual Risk IQ'/><category scheme='http://www.blogger.com/atom/ns#' term='Fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='Continuous Auditing'/><title type='text'>Back on Line - Continuous Auditing and Fraud Blog</title><content type='html'>Hi - welcome.  You found us.  
&lt;br /&gt;&lt;br /&gt;After a six-month hiatus due to some technical challenges related to an Apple iLife '06 to iLife '08 upgrade, our Continuous Auditing blog returns.  Now hosted by Google's Blogger, my Visual Risk IQ partner Kim Jones and I will endeavor to keep you posted on interesting (to us) stories in the news related to internal auditing and fraud.  We intend to focus on stories which demonstrate the business value of more frequent and more in-depth internal control or risk assessment.  &lt;br /&gt;&lt;br /&gt;We welcome any comments or suggestions. &lt;br /&gt;&lt;br /&gt;Joe Oringel&lt;br /&gt;Visual Risk IQ&lt;br /&gt;Charlotte, North Carolina, USA&lt;br /&gt;&lt;br /&gt;www.visualriskiq.com</content><link rel='replies' type='application/atom+xml' href='http://continuousauditing.blogspot.com/feeds/2357276135352401156/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=380566879282058881&amp;postID=2357276135352401156' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/2357276135352401156'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/380566879282058881/posts/default/2357276135352401156'/><link rel='alternate' type='text/html' href='http://continuousauditing.blogspot.com/2008/02/back-on-line-continuous-auditing-and.html' title='Back on Line - Continuous Auditing and Fraud Blog'/><author><name>Joe Oringel</name><uri>http://www.blogger.com/profile/05984803429300480208</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='27' 
src='http://4.bp.blogspot.com/_LVQ8n7WfMKU/TVFD6-1t3EI/AAAAAAAAAB0/9ISof1cV1u8/s220/IMG_1445.JPG'/></author><thr:total>0</thr:total></entry></feed>
