Friday, April 25, 2008

Procurement Card Fraud at the Dallas Independent School Board - Could this happen to you?

Though my Blogger account seemingly allows nearly unlimited storage, there may not be sufficient space to chronicle the P-Card Fraud at the Dallas Independent School District (ISD) and the resulting costs to the local taxpayers. The ISD suffered considerable hard-dollar costs and reputation damage that was reported during 2007 by the Dallas Morning News, and this week's audit report from Deloitte provides more details.

Yesterday's news included a report that the ISD may have to return $8 million to the Federal Government because the P-Card fraud caused the ISD to violate federal grant guidelines for education spending. Continuous monitoring doesn't sound nearly so expensive anymore.

For more complete coverage of the ISD P-Card fraud, see any or all of the following links:

May 2007 Story in Dallas Morning News

Forensic Report from Navigant Consulting regarding P-Card abuse at the Dallas ISD

This week's coverage summarizes the Deloitte audit report, which includes numerous control weaknesses and significant deficiencies.

"Weaknesses and Significant Deficiencies" cited by Deloitte & Touche:

• District policies that "do not exist, are ineffective or not consistently applied"

• Poor staff training

• Lack of oversight from superiors

• Failure to comply with grant requirements from the federal government

• Inability to reconcile some financial accounts

• "Significant" adjustments to district ledgers

• Poor record-keeping and accounting for debts, capital assets, payroll and personnel

Stay tuned - each time I think story is over, another interesting tidbit appears.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Wednesday, April 23, 2008

More Continuous Auditing Software - Or is it?

As many who have met us know, Kim Jones and I keep various Google Alerts set for key phrases that relate to continuous auditing (CA) and continuous monitoring (CM). As is the case in most weeks, this week's alert had many more citations for CM than CA. But the CA alert did have a number of new and noteworthy items for us.

One of this week's most interesting CA alerts was from Atlanta-based software firm called Gideon Technologies and their SecureFusion suite. The suite should be of interest for configuration controls auditing and monitoring in the IT General Controls stack, but not for monitoring of financial transactions, as we focus on at Visual Risk IQ. Nevertheless, the alert reinforces how the analysts in the GRC space struggle when describing the capabilities and points of distinction among software firms known for CA, CM, and/or GRC. SecureFusion capabilities include IT asset detection, configuration management, and vulnerability assessment, and therefore have little if anything in common with CA and CM transaction monitoring tools like Oversight, Apex, or ACL.

Kim and I know Ken from our PwC days, and we recently saw him speak a March meeting in Atlanta, where they introduced Gideon's SecureFusion solution to a number of information security professionals. He was quick to agree that there are a number of technology solutions that share the similar names and even named features, but that they do not in fact compete in any meaningful way. Over time, hopefully the market(s) will also begin to distinguish this as well.

Saturday, April 5, 2008

New Entrant - Reliant Audit Solutions

As we did in 2007, my partner Kim Jones and I attended the IIA's General Audit Management (GAM) conference. The conference provided an excellent venue to renew relationships with clients and prospects, and as always, also provided interesting opportunities to meet with other service firms and software firms.

One new entrant in the Continuous Auditing software arena emerged at the GAM conference - a software firm called Reliant Audit Solutions, from Laguna Niguel, CA. Their CEO, Dipak Shah, has assembled a team with strong enterprise software experience, including software from the GRC space. We were especially impressed with their Marketing VP, who was with Logical Apps prior to their acquisition by Oracle. While we've not done a deep dive yet on their software, we were intrigued with what we saw, and will continue to investigate and report on what we learn.

Kim and I had met Dipak Shah at an IIA technology conference in 2007, when his firm was called DBExcel. At the time, he described his vision for an integrated, real-time auditing and monitoring system that would consider both configuration controls and transaction controls. In addition to controls monitoring, it would also serve as a document repository to assist audit or GRC executives with keeping the records that could demonstrate compliance. For more infomation, see

From first glance, he and his team at Reliant Audit are staying true to that vision. We look forward to staying connected with them as they grow.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA