Wednesday, January 16, 2013

Rutgers WCARS 26 - January 2013, part 1

Back again at Rutgers for the 26th World Continuous Auditing and Reporting Symposium (WCARS), which was delayed from November 2012 due to Hurricane Sandy. Yes, it's been a while since we've updated this blog, but we've become much more active in using Twitter (@VisualRiskIQ) to highlight what's new in the world of continuous auditing, continuous controls monitoring, compliance monitoring, and anti-fraud analytics. And though we'll be tweeting from #WCARS26 also, we feel that the Rutgers symposium is too important to cover in only 140 characters.

Presenters and sponsors at the 26th WCARS event include the AICPA and ISACA, all of the Big 4, and software providers such as ACL, CaseWare, CA, CCH, Greenlight, Oversight, and Trintech. Throughout the conference, we expect to see a wonderful mix of software and process case studies, standards reports, and academic papers, all on the subject of Continuous Auditing. The Rutgers definition of CA includes continuous data monitoring (i.e. embedded audit routines), continuous controls monitoring, and also continuous risk assessment, and presenters will cover all these topics. An important addition has been newly minted PhD Kevin Moffitt, who adds deep expertise in unstructured data analytics and text mining to Rutgers' long history of data analytics of structured data.

Corporate attendees and presenters include advanced users of CA including Siemens, Verizon, Procter & Gamble, HP, and more. More on the agenda, including selected slides, is available at: .

The conference has begun with a nice introduction from Miklos on the status of numerous research and practical CA applications at Rutgers, and is transitioning to Eric Cohen, PwC's XBRL expert. More to come...

Joe Oringel
Harrison, NJ
January 16, 2013

Tuesday, September 11, 2012

Remembering 9/11/2001

It was afternoon for me in Ireland, where I was working on a project with Bristol-Myers. On a conference call with our NYC offices in midtown east. "Joe, we need to reschedule the call, a small single-engine plane has hit WTC. Everybody is turning to the news to see what's going on." I wish that was what had happened. My wife was 8 months pregnant with our second child, who we named Juliana to honor the daughter and her mother, an Irish national, who both lost their lives on the plane that hit the towers. Juliana McCourt never saw her 5th birthday. Thankfully her uncle made it down 50+ stories of the WTC. Later that day he would learn of his sister's and niece's deaths. I'll never forget the outpouring of support for NYC and the whole US from the city of Dublin and the whole country of Ireland. It took me nearly a week to return home, yet given the tragedy all around us in NY/NJ, we know we were still so very fortunate. Where were you? What should we teach our children? Originally posted on 9/11/11, but an appropriate re-post.

Tuesday, March 27, 2012

IIA General Audit Management - highlights / action plans

Along with more than 1,200 other audit and compliance professionals, I had the pleasure of attending IIA's General Audit Management (GAM) conference last week in Orlando. The GAM Conference is the marquee training and networking event for Internal Audit executives, and as such provides excellent opportunities to interact with industry colleagues and understand the issues that are on the top of their lists for action.

Personally, I look for themes and even short sound bites from conferences such as this. Sequentially, the first memorable sound bite was Sunday evening, when IIA CEO Richard Chambers reported the results of the IIA's "Pulse of the Profession Survey." Richard reported that the two most sought-after skills among Fortune 500 internal auditors are: (1) critical/analytic thinking, and (2) data mining and analytics. Being a firm that focuses on audit data analytics, that fits our sweet spot very, very well. Importantly too, his point was not only about the sought-after technical skill. Yes, knowing "how do I answer the question" is important, but also knowing "what is the right question" is critical. Asking the right question is the responsibility of audit and executive management, and is not purely a technical skill.

The second sound bite was from the same session Sunday, when Richard reported that 89% of audit executives are "definitely not getting the most from existing audit technology investments." Scary, but perhaps not surprising. Yes, internal audit software vendors bring knowledge of how their tools work, but how well do they understand internal auditing? Have you been satisfied with the amount of industry knowledge and/or business acumen that your software vendor's implementation team has brought to your most recent project? Why or why not?

Finally, my favorite sound bite came from Audit Committee Chair Jim Brady during a panel on Tuesday morning on the relationship between Audit Executives and the Audit Committee. When asked "what keeps him up at night," Brady replied unequivocally that it was "Cybersecurity and Emerging IT Risks". This resonated with me because, like audit data analytics, understanding Cybersecurity and Emerging IT Risks is not an "IT Audit job," but rather everyone's job.

What were your personal highlights from IIA's GAM Conference? Any sound bites more memorable than these? Plus, please stay tuned for future posts on the importance of understanding Cloud Computing, Mobile Computing, and other Emerging IT Risks that we believe all internal audit professionals need to be more aware of.


Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Saturday, November 5, 2011

Another Saturday Morning in Newark NJ

Very energizing sessions this morning, as we heard from a Who's Who of large, multinational firms who have implemented CA and CM solutions. Siemens Financial Services led things off with their "Road to Continuous Assurance," as Jason Gross leads a mature CM function that was born in Internal Audit and has migrated to the CFO's office. His deck is downloadable at:

Brad Ames from HP followed with another strong presentation on using CA / CCM for assessing both IT controls and Financial Controls. @43Chase and @debreceny observed that strong IT controls help enable strong financial controls. I was focused on their use of dashboards at HP, and have asked for examples. Stay tuned.

Dave Levin of Procter & Gamble followed with a strong session on the use of data-driven risk assessments. They compare results of Control Self Assessment and actual audit results, using outliers and differences between management's assessment (i.e. CSA) and internal audit's evaluation as input into Internal Audit's risk assessment. Dave's session is available for download at this link.

Friday, November 4, 2011

Leveraging Information to Align Risk and Performance - CM, per KPMG

Jim Littley from KPMG is talking about Continuous Monitoring (CM) / Governance Risk & Compliance (GRC) / Business Intelligence (BI) etc., and all of the alphabet soup of technology tools that can be used to improve controls and risk monitoring. He observes that most large organizations have multiple initiatives related to acquiring and implementing tools and technologies for point solutions that assist in this area, but these are siloed and rarely linked together. He sees Internal Audit as a potential value-creator in this area.

Good points. We see Procurement teams with supply chain analytics, Finance with BI and macro-level analytics, and Internal audit with audit data analytics, ERM or Risk with survey tools for subjective risk assessment, sometimes all in the same firm. Ideally, macro-level analytics tools like BI should work together with the exception analytic tools in the CM world to provide a single, integrated review of risk.

Jim suggests we think of Continuous Monitoring as the first line of defense, and Continuous Auditing as the second or third line of defense. Using common data sources (i.e. a single source of truth) can lower the cost of acquiring data for each initiative, and improve overall quality.

Slides aren't posted (yet?), but I'll update this post with a link if they are made available.

Opening Rutgers WCARS session - Continuous External Auditing

The opening panel was led by Greg Shields of the Canadian Institute of Chartered Accountants (CICA) and included Deloitte's National Office Partner Tom Criste, Retired Deloitte Partner Trevor Stewart, and PhD Student Paul Byrnes. A little disappointing that more signing partners from more accounting firms were not on the panel. Perhaps that would help unlock the code on the very slow adoption of use of technology to execute external audits.

Much emphasis was on the degree of change that would be needed for the firms to seriously re-engineer their processes. My favorite quote from the session was from Tom Criste, who observes that the great increases in technology have affected how audits are documented, but not how audits are performed. The work programs for Inventory, A/R, Cash, etc., are relatively unchanged even from when he entered the profession decades ago. And because many procedures (e.g. Inventory Observation, Confirmations of A/R balances) are required by professional standards, it would be difficult to re-engineer the audit.

Mr. Criste envisions an audit where statisticians and economists could review data and help form the External Auditor's opinion. He suggests that a test audit could be performed in parallel with a traditional external audit, and that the firm could compare results and findings with each other and the client. But, he says, who would want to invest that time and energy, even if the second audit was free?

If that's truly the barrier, I'd suggest to start with the users of financial statements. Would MF Global's investors and creditors like to have had any assurance provided on quarterly financial results? Probably so.

I'd advocate beginning with the end in mind, and determine the desired frequency of external audit assurance. More than annual is probably good. Daily is probably way too frequent. (What CEO wants to explain slow mid-month sales to Wall Street Analysts?)

If quarterly assurance was desired, how should external audit procedures be changed? Comments welcome!

Thursday, November 3, 2011

Live from Rutgers WCARS - Friends and Family meeting

Most of you reading this blog post have an awareness and even a keen interest in data analysis and/or continuous auditing, whatever we agree that means. You may not know how long this topic has been discussed and debated.

I'm writing this from the 23rd (!) World Continuous Auditing Symposium at Rutgers Business School in Newark NJ. It's been a semi-annual meeting, so the group began gathering in 1999. All of the Big 4 firms are here, as are the AICPA, software vendors like ACL, Caseware, Oversight, and even CA. For more information on the agenda, see: .

Beginning tomorrow morning, I'll be blogging about the most interesting speakers, topics, and academic papers on the main agenda, so come back often for updates.

Today is the "Friends and Family" meeting, where some of the longer-standing supporters of the Rutgers program are discussing emerging issues. One topic on the agenda is the notion of Audit Data Standards, which would be a common data model for certain business processes like General Ledger and perhaps subledger like Supply Chain or Revenue.

The presenters advocate a cloud-based data store that public companies would use to load daily or at least monthly transactions, and that external auditors (and perhaps internal auditors) would access that data periodically to perform audit analytics. Glad I'm here - there are a lot of pros and cons to consider with this standardization.