Sunday, December 28, 2008

Visual Risk IQ to Partner with Vonya Global: Providing Data-Driven Audit Services

Feedback from the Continuous Auditing Life Cycle workshop that we did with Vonya Global in Chicago was very positive; consequently, we have developed a partner relationship with them to market and deliver two services specifically focused on helping audit executives recover costs and increase margins during challenging economic times.

The services analyze historical purchasing and sales transactions looking for overpayment, contract pricing variations, and other operational and compliance issues.  Clients benefit from tangible recoveries, while also receiving advice on monitoring controls that can be used to prevent future errors.  

On Point Data Analytics(sm), the first service provided by the two firms, is directed primarily toward internal audit and executives responsible for Governance, Risk and Compliance. On Point Data Analytics analyzes a client's data in the context of an internal audit project, thus providing hands-on audit software training while accomplishing specific audit objectives. The service also includes an assessment of an organization's capabilities and readiness for continuous auditing.

On Point Continuous Controls Monitoring(sm), the second jointly provided service, is designed to help companies understand the value of a more in-depth and frequent monitoring solution. The service includes an in-depth analysis of historical transactions using a best-in-class continuous monitoring tool, and identifies operational and compliance issues along with improvements that can prevent future errors.

Click here to read the entire press release

Bookmark this blog to read case studies and client profiles that highlight examples of cost recovery and other savings that have paid for the services many times over.    
 

Friday, December 26, 2008

ERM Resources from NC State

During the last several months, I have been attending the Enterprise Risk Management (ERM) roundtables at NC State University in Raleigh. These ERM roundtables provide thought-provoking Continuing Professional Education (CPE) and networking opportunities for Governance, Risk and Compliance professionals on a regional and national level. Previous presentations are archived on the web at: http://mgt.ncsu.edu/erm/Roundtables.php

The purpose of the ERM program is multi-dimensional. They aspire to provide outreach (through the roundtables), research (through an outstanding web portal), and undergraduate and graduate education.

Speakers this fall included Jim Traut, Director of ERM at H.J. Heinz, and Drew Zavatsky, Office of Financial Management from the State of Washington. The February roundtable will be in Charlotte NC. Steve Dreyer of Standard & Poor's (S&P) will be presenting on their use and evaluation of ERM as part of S&P's ratings process.

Continuous Auditing combines more frequent risk assessment with more frequent and in-depth control assessment. Since ERM represents leading edge practices in risk assessment, we will continue to identify opportunities to link continuous controls monitoring to ERM, to provide more data-driven risk assessment.

Stay tuned for more information in 2009 about these initiatives.

Joe Oringel
Charlotte, NC
Visual Risk IQ

Wednesday, November 12, 2008

Continuous Auditing Maturity Model presented in Chicago

This past week, we presented an overview of Continuous Auditing and Monitoring to a group of internal audit and compliance executives in Chicago, IL. The session focused on the Continuous Auditing Maturity Model, and provided specific guidance on how to get started with data mining and data analysis, as well as more advanced advice on increasing frequency and progressing toward continuous auditing.

The session was attended by a diverse group of attendees from a variety of industries and functional backgrounds. Experience with data analysis ranged from "not started" to regular use of ACL and IDEA, and each attendee was able to take away practical advice to help them with their specific situation and risk profile.

Visual Risk IQ and Vonya Global, a Chicago-based consulting firm specializing in Internal Audit, co-sponsored the event, and Vonya hosted the event at their offices on N. Michigan Avenue. Feedback from attendees was very positive, and we expect to co-sponsor similar events together in the new year.

To obtain a copy of the slide deck used at the event, please email joe.oringel@visualriskiq.com or call 704-752-6403.

Regards,

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Friday, October 17, 2008

Visual Risk IQ, Vonya Global to present Continuous Auditing workshop in Chicago on November 7, 2008

One of our speaking efforts has been picked up on PRWeb. Come join us in Chicago for two hours of CPE and some lively discussion on Continuous Auditing and Monitoring.

---------------------------------------------------------------------------

Chicago, IL, October 17, 2008 -- Vonya Global, a leader in internal audit and independent risk assurance consulting, and Visual Risk IQ, a thought leader in continuous auditing, have come together to create a training workshop on the Continuous Auditing Lifecycle. This workshop will be held in Chicago on November 6, 2008 and is open to the public but registration is required.

Continuous auditing and continuous monitoring are hot topics in the internal audit and compliance communities. While solutions offered by technology firms in this space can be quite capable, they are often impractical unless audit processes and management are also ready to adapt. Continuous auditing is known to help achieve compliance, audit and business performance objectives, so understanding some of the steps along the journey is often essential to getting such results in a cost-effective and direct approach.

This workshop will discuss several companies' journeys toward Continuous Auditing and Monitoring, and will present a Maturity Model that charts their course. The session will provide practical strategies that can be immediately applied to business regardless of where companies are on the maturity curve.

About Vonya Global - Vonya Global is a new idea in internal audit consulting and independent risk assurance services. With expertise in Finance, IT and Operations, Vonya Global helps its clients identify and assess risk, evaluate and improve internal controls, and implement continuous monitoring systems. Vonya Global is on a mission to prove there is a better way to serve clients by focusing on the basics; providing consistent quality, responsive service, and knowledge leadership. Having locations throughout the world, Vonya Global serves as a value added alternative to the large accounting firms. There is a better way, Vonya Global will show you.

Vonya Global LLC headquarters is located at 150 N. Michigan Avenue, Suite 2935, Chicago, IL 60601. For more information please email info @ vonyaglobal.com or visit www.vonyaglobal.com.

ABOUT VISUAL RISK IQ - Visual Risk IQ specializes in helping companies plan and implement continuous auditing and monitoring solutions that help them achieve their specific business objectives through increased frequency and depth of risk and control analysis. The company works with a variety of Fortune 1000 and large non-profit enterprises across a broad range of industry sectors.

Monday, September 8, 2008

Expense Management becoming Mainstream?

We've been talking about using Continuous Auditing and Continuous Monitoring as ways to improve compliance and business performance for more than two years. The approach is characterized as "ask once, satisfy many," where business process owners can satisfy compliance objectives such as segregation of duties or spending authority limits, while also evaluating operational objectives like contract compliance and pricing.

CFO Magazine's September issue is highlighting some of the technologies that can accomplish these objectives.

The CFO article is very consistent with our experiences. Clients and business partners of Visual Risk IQ know that we can help review Accounts Payable, P-Card, and T&E data, looking for duplicate payments, financial fraud, and contract compliance. In the last several months, we've been expanding our service capabilities to deliver even more value for our clients.

My favorite quote in the article talks about the costs for such services. "For $50,000 to $100,000, a horde of consultants will sift through invoices, purchase orders, and contracts and produce a report, most likely on one facet of the business. Or, for $100,000 to $500,000, you can tap software that will do it for all aspects of the business all the time." People familiar with Visual Risk IQ know that our firm uses the continuous auditing software described in the article, to help organizations test-drive and prove its value for their organization, for less than the typical fees from the "horde of consultants."

The data files that we already use to provide a 100%, in-depth review of expenses for compliance and potential fraud factors can also be used to test for spending compliance. We have partnered with firms who are expert in selling and general & administrative cost reduction, and can analyze these same data files to identify the opportunities for improving expense management.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Friday, June 27, 2008

Can I have a Waverunner with that?

Public sector abuse of P-Cards continues to be rampant. Cases have surfaced at the Dallas Independent School District, Knox County TN, Wake County NC, and more recently in Georgia, as reported in the Atlanta Journal Constitution. In this recent Georgia case, an administrator for Georgia Tech used her P-Card to make nearly 3,000 fraudulent purchases totaling more than $300,000.

The Georgia Tech administrator, Donna Gamble, has pled guilty to 22 counts of mail fraud and theft, and will be sentenced later this month in Federal Court. Her unauthorized purchases with federal grant monies included a Waverunner personal watercraft and lawn tractors.

Public and private sector organizations are replacing expensive purchase orders and procurement processes with P-Cards, as the cost per transaction is very favorable. Aberdeen Research shows that P-Card purchases often cost less than 1/3 the amount of more traditional purchase order and invoice purchases. Yet these P-Card purchases introduce more risk, and all types of organizations are challenged by how to best control and monitor credit card spend.

Supervisory review, transaction review by a central p-card administrator, and limiting card usage at certain merchants and merchant types are all controls that organizations use to ensure charges are authorized and in compliance with preferred vendor agreements.   But the news headlines suggest strongly that these controls are not sufficient.

Stay tuned in coming weeks as we look to chronicle other organizations that have implemented continuous controls monitoring for frequent, in-depth, and efficient transaction review.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Saturday, June 14, 2008

How to Earn $25 Million Per Year, at Least for a While....

The answer isn't to be an NBA All-Star or an Oscar winning actress. But the good news is a college degree isn't required. Apparently limited Federal oversight over Medicare and Medicaid spending in South Florida has allowed at least one fraudster to "earn" $105 Million over four years before finally getting caught in a recent sting operation.

Clues from the Department of Health and Human Services (HHS) that led to the prosecution include the following:
  • The South Florida region billed Medicare more than $2 billion each year for injectable HIV medications. That figure is 22 times as high as the amount of similar claims in the rest of the country, and is far out of line with demographic data in a population of 2 million people in Miami-Dade County, HHS statistics show.
  • HHS investigators discovered that nearly half of 1,581 medical equipment companies they visited in the Miami area did not comply with basic Medicare requirements to be open during scheduled hours and to have a telephone number.
For more information on the specific case and some of the troubling patterns suggested, read the MSNBC story.

Those of you familiar with Visual Risk IQ's services know that we combine visual outlier analysis with continuous transaction monitoring, primarily for accounts payable, procurement card, and travel and entertainment. But since summer of 2007, we have also been developing a practice in Health Benefits auditing, in partnership with Atlanta-based Thomas Ray and Associates. Stories like this validate our decision to expand our work into this payment stream, as overpayments through errors and fraud seem much greater than with accounts payable.

More to follow this summer as we continue our work in this highly visible expense area.

Joe Oringel
Visual Risk IQ
Charlotte NC 28277

Monday, June 9, 2008

Turning up the heat on FCPA, from Inside Counsel

Ever since my undergrad days at LSU in the mid-1980's, I've thought Internal Audit should report to General Counsel (GC) instead of the CFO. The GC is an advisor to the Board, and who better to provide advice, especially on matters of law and compliance. Because of this belief, I've subscribed to Inside Counsel, which is the equivalent trade magazine for in-house Legal Officers as CFO Magazine or CIO Magazine are for those executives.

This month's issue of Inside Counsel follows trends that we've been hearing throughout the internal audit world. Specifically, that enforcement of the Foreign Corrupt Practices Act (FCPA) is stepping up for large, global corporations, and that this increased focus leads to greater risk, especially for those whose internal monitoring programs are judged to be sub-standard. To read the entire article, click through this link.

Continuous auditing and monitoring, including monitoring of relationships between suppliers, customers, and employees, is not frequent among the Global 1000. But many organizations that do such monitoring are often able to identify risky transactions or relationships well in advance of any regulators. Further, a couple of organizations who are among the leaders in continuous monitoring of FCPA have actually had to implement such programs because the monitoring has been forced upon them by regulators.

So if you're looking for one more reason to experiment with Continuous Auditing or Continuous Monitoring, see the following list of FCPA fines and payments, and ask what you're doing to make sure your organization stays off of this dubious list.

Siemens $2 BILLION in bribes revealed, settlement pending
Baker Hughes $44 million in penalties paid (charges of bribery in Kazakhstan)
Chevron $30 million in penalties paid (Oil for Food Corruption in Iraq)
Volvo $7 million in penalties paid (Oil for Food Corruption in Iraq)
Flowserve $4 million in penalties paid (Oil for Food Corruption in Iraq)
Ingersoll-Rand $2.5 million in penalties paid (Oil for Food Corruption in Iraq)

As always, comments and suggestions are welcome.

Joe Oringel
Visual Risk IQ, LLC
Charlotte NC, USA

Thursday, May 15, 2008

APEX Analytix Forms Alliance with Visual Risk IQ

Sharing some news about our firm that crossed the wire this week...

source: Triad Daily Business News

Consulting firm to represent APEX Analytix software and services as part of its advisory capabilities in continuous auditing and monitoring.

GREENSBORO – APEX Analytix, a leading provider of services and software for performance improvement, error prevention and fraud detection in accounts payable, today announced a new alliance agreement with Visual Risk IQ, a consulting and systems integration firm specializing in risk advisory services for large global businesses.

Under the terms of the agreement, Visual Risk IQ now will represent APEX Analytix recovery audit and fraud detection services, as well as the company’s industry-leading FirstStrike™ software for continuous monitoring of accounts payable for errors and fraud.

“APEX Analytix offers best-in-class people and technology, backed by a solid 20-year track record,” said Joe Oringel, managing director, Visual Risk IQ. “As a result, we now can offer our clients an innovative combination of software and services that can help them meet even their most aggressive governance, risk and compliance objectives.”

The APEX Analytix FirstStrike™ software family helps companies protect their bottom line. FirstStrike™ Fraud Detect provides the continuous monitoring companies need to fight fraud in accounts payable disbursements. FirstStrike™ Accounts Payable and FirstStrike™ Purchasing automate the detection and prevention of errors in accounts payable and procurement. APEX Analytix also provides a broad range of recovery audit and vendor risk analysis services through its team of certified auditors and fraud examiners.

Visual Risk IQ specializes in helping companies plan and implement continuous auditing and monitoring solutions that help them achieve their specific business objectives through increased frequency and depth of risk and control analysis. The company works with a variety of Fortune 1000 firms across a broad range of industry sectors.

“Visual Risk IQ is a great fit for us,” said Chris Siemasko, vice president of product management for APEX Analytix. “They are widely recognized as thought leaders in risk analysis, and they share our belief in the value of continuous monitoring to improve internal controls. We see them leading the evolution in this emerging market through advisory services, educational seminars and a proprietary maturity model that helps clients turn their strategic vision of the future into a reality.”

About APEX Analytix

APEX Analytix is an innovative audit recovery firm serving more than a third of the Fortune 100. The company has transformed the audit recovery industry with FirstStrike™, a highly functional family of standards-based software that detects and prevents both errors and fraud and improves performance across the procure-to-pay process. To date FirstStrike™ has saved businesses more than $1.5 billion in overpayments and is the most widely used software of its type. For more information call 800.284.4522 or visit www.apexanalytix.com.

About Visual Risk IQ

Visual Risk IQ helps people responsible for governance, risk and compliance achieve their compliance and business performance objectives through practical application of process changes and innovative technologies. The company provides value for clients using a combination of experienced-based learning and co-sourcing projects, satisfying current requirements in the context of a future vision. For more information on Visual Risk IQ, visit www.visualriskiq.com.

Sunday, May 11, 2008

Top CFO concerns - How Continuous Auditing (CA) can help

CFO Magazine and Duke's Fuqua School of Business published their quarterly Top 10 Concerns of CFOs on May 1, 2008, and this quarter's list seems to demonstrate the potential benefit of more frequent and more in-depth controls monitoring and auditing procedures. To read the article in full, please click thru to: http://www.cfo.com/article.cfm/11078610/c_11081639?f=insidecfo

Though most CFO concerns are repeats from previous quarters (e.g. weak consumer demand, credit markets, and the housing market fall-out), a couple of new entrants demonstrate the potential value of continuous auditing and monitoring. Specifically, Costs of Health Care, Costs of Fuel and Costs of Non-Fuel Commodities all represent opportunities, based on our current experience with Continuous Auditing (CA) and Continuous Monitoring (CM).

Visual Risk IQ is currently working with several large global enterprises on pilots of continuous auditing and monitoring in the areas of Procurement Card (P-Card), Travel and Entertainment (T&E) and Employee Health Benefits. Examples of P-Card and T&E issues identified by CA / CM include 40 and 50 gallon fuel purchases for employees who drive company cars with 15 gallon tanks. No matter what the cost of fuel per gallon, using Company funds to fuel a personal boat or the neighbor's SUV(s) is not appropriate. In the case of Employee Health Benefits, we will be using sophisticated data mining and analytics to find claims that have been paid by a Company's Third Party Administrator where the claims are not in compliance with the Summary Plan Description.

Going back to recover Health Claims, T&E or P-Card expenditures that have been paid in error is sometimes perceived as a time-consuming and costly process. However, use of modern CA and CM software can dramatically reduce the cost of detecting these errors. Further, because the errors can be detected closer to the transaction date (and often before the payments are made!), the investment in CA / CM can pay for itself many times over.

Stay tuned, as we hope to chronicle some of the specifics of these reviews....

Joe Oringel
Visual Risk IQ
Charlotte, North Carolina

Friday, April 25, 2008

Procurement Card Fraud at the Dallas Independent School Board - Could this happen to you?

Though my Blogger account seemingly allows nearly unlimited storage, there may not be sufficient space to chronicle the P-Card Fraud at the Dallas Independent School District (ISD) and the resulting costs to the local taxpayers. The ISD suffered considerable hard-dollar costs and reputation damage that was reported during 2007 by the Dallas Morning News, and this week's audit report from Deloitte provides more details.

Yesterday's news included a report that the ISD may have to return $8 million to the Federal Government because the P-Card fraud caused the ISD to violate federal grant guidelines for education spending. Continuous monitoring doesn't sound nearly so expensive anymore.

For more complete coverage of the ISD P-Card fraud, see any or all of the following links:

May 2007 Story in Dallas Morning News

Forensic Report from Navigant Consulting regarding P-Card abuse at the Dallas ISD

This week's coverage summarizes the Deloitte audit report, which includes numerous control weaknesses and significant deficiencies.

"Weaknesses and Significant Deficiencies" cited by Deloitte & Touche:

• District policies that "do not exist, are ineffective or not consistently applied"

• Poor staff training

• Lack of oversight from superiors

• Failure to comply with grant requirements from the federal government

• Inability to reconcile some financial accounts

• "Significant" adjustments to district ledgers

• Poor record-keeping and accounting for debts, capital assets, payroll and personnel


Stay tuned - each time I think the story is over, another interesting tidbit appears.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Wednesday, April 23, 2008

More Continuous Auditing Software - Or is it?

As many who have met us know, Kim Jones and I keep various Google Alerts set for key phrases that relate to continuous auditing (CA) and continuous monitoring (CM). As is the case in most weeks, this week's alert had many more citations for CM than CA. But the CA alert did have a number of new and noteworthy items for us.

One of this week's most interesting CA alerts was from an Atlanta-based software firm called Gideon Technologies and their SecureFusion suite. The suite should be of interest for configuration controls auditing and monitoring in the IT General Controls stack, but not for monitoring of financial transactions, as we focus on at Visual Risk IQ. Nevertheless, the alert reinforces how the analysts in the GRC space struggle when describing the capabilities and points of distinction among software firms known for CA, CM, and/or GRC. SecureFusion capabilities include IT asset detection, configuration management, and vulnerability assessment, and therefore have little if anything in common with CA and CM transaction monitoring tools like Oversight, Apex, or ACL.

Kim and I know Ken from our PwC days, and we recently saw him speak at a March meeting in Atlanta, where they introduced Gideon's SecureFusion solution to a number of information security professionals. He was quick to agree that there are a number of technology solutions that share similar names and even named features, but that they do not in fact compete in any meaningful way. Over time, hopefully the market(s) will also begin to distinguish this as well.

Saturday, April 5, 2008

New Entrant - Reliant Audit Solutions

As we did in 2007, my partner Kim Jones and I attended the IIA's General Audit Management (GAM) conference. The conference provided an excellent venue to renew relationships with clients and prospects, and as always, also provided interesting opportunities to meet with other service firms and software firms.

One new entrant in the Continuous Auditing software arena emerged at the GAM conference - a software firm called Reliant Audit Solutions, from Laguna Niguel, CA. Their CEO, Dipak Shah, has assembled a team with strong enterprise software experience, including software from the GRC space. We were especially impressed with their Marketing VP, who was with Logical Apps prior to their acquisition by Oracle. While we've not done a deep dive yet on their software, we were intrigued with what we saw, and will continue to investigate and report on what we learn.

Kim and I had met Dipak Shah at an IIA technology conference in 2007, when his firm was called DBExcel. At the time, he described his vision for an integrated, real-time auditing and monitoring system that would consider both configuration controls and transaction controls. In addition to controls monitoring, it would also serve as a document repository to assist audit or GRC executives with keeping the records that could demonstrate compliance. For more information, see www.reliantaudit.com.

From first glance, he and his team at Reliant Audit are staying true to that vision. We look forward to staying connected with them as they grow.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Sunday, March 16, 2008

Observations from the IIA District Conference in Greensboro NC - it's not about Software

Visual Risk IQ presented a session on Continuous Controls Monitoring (CCM) at the IIA's District Conference in Greensboro on March 14, and we had nearly 100 people join us for a dialog about how to get started with CCM and/or Continuous Auditing (CA). Several of the audience had seen us at either Triad or Charlotte CCM / CA training sessions, either alone or with ACL, Oversight, or Apex Analytix.

So to create some distinction from other CPE sessions we've made, we focused mostly on the maturity model and recommended first steps to move from current state toward a mature, highly frequent and in-depth process for risk and control assessment. We de-emphasized the technology components and emphasized the importance of audit process, risk assessment approach, gaining buy-in from business process owners, and training for IA staff: the non-technology components of embarking on a project.

Something very interesting happened. The Q&A was more lively. The audience was highly engaged, and a couple of audit directors came up to us after the presentation to thank us for NOT talking so much about software. It seems they hear (way too often) about the ways Brand X, Brand Y, or Brand Z software can make their audit function better. But their experience is that any prior technology investments are often short-lived because the technology often requires other changes to be made, and those changes are not well understood or sustained.

So we'll continue to talk about our experiences and approach to CA and CCM, including how more modern software can often help. But any discussion of software will be a late bind, and we'll start with emphasizing how audit functions can achieve marked increases in productivity, simply by better utilizing tools they already have.

Feel free to write or comment, and we'll share our presentation with you if you were unable to attend the Conference in Greensboro.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

www.visualriskiq.com

Wednesday, March 12, 2008

Defining Continuous-ness. One more reason why I love my mother-in-law

Donna, my mother-in-law, is a terrific lady. I remember meeting my then future in-laws less than a month after my wife and I began dating. They were fun, light-hearted, and affectionate toward their immediate family, extended family, and each other. Throughout literally dozens of moves across the country through a military career, they remain in touch with their many friends. Often via Donna's holiday letter. Which brings me to continuous auditing. Really.

This year, as she has during their forty-plus years of marriage, Donna recounted an update of their family's travels, joys, and important life events. Included in this year's business was an update on my immediate family and a brief mention of my new business. "Joe has started a business focused on continual auditing..." Which brought about an interesting discussion about continuous-ness and continual.

Our dictionary makes a clear distinction between continuous and continual. "In precise usage, continual means 'frequent, repeating at intervals' and continuous means 'going on without pause or interruption'" and provides instruction to "Avoid using continuous or continuously as a way of describing something that occurs at regular or seasonal intervals: in the sentence, 'The White House's tree-lighting ceremony has been held continuously since 1923,' the word continuously should be replaced with continually or annually."

So my mother-in-law is right. After all, we're trying to help our clients update the frequency of their risk and control assessments to be quarterly or monthly. And to assess some key controls as frequently as weekly or daily. But not to assess risk or controls without pause or interruption.

My partner Kim Jones and I have often talked about how continuous auditing should be about working smarter, not harder. Doing more with less. So stay tuned and see how we can begin to make this new label stick.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Tuesday, February 5, 2008

Back on Line - Continuous Auditing and Fraud Blog

Hi - welcome. You found us.

After a six-month hiatus due to some technical challenges related to an Apple iLife '06 to iLife '08 upgrade, our Continuous Auditing blog returns. Now hosted by Google's Blogger, my Visual Risk IQ partner Kim Jones and I will endeavor to keep you posted on interesting (to us) stories in the news related to internal auditing and fraud. We intend to focus on stories which demonstrate the business value of more frequent and more in-depth internal control or risk assessment.

We welcome any comments or suggestions.

Joe Oringel
Visual Risk IQ
Charlotte, North Carolina, USA

www.visualriskiq.com