Wednesday, September 30, 2009

Internet Porn - Why I didn't complete my audit plan, by the National Science Foundation

Regular readers of my blog know that Visual Risk IQ has been especially active in the Higher Education arena in 2009, helping adapt Continuous Controls Monitoring (CCM) for a Class One Research University. In addition to monitoring for Accounts Payable controls compliance, duplicate payments, and vendor master file integrity, we have also built an innovative Grants & Contracts module that helps track compliance with various financial and operational milestones required by various Federal Grantors.

The CCM module tests the validity of expenditures, overhead rates, and labor charges, and also can be easily extended for more complex tasks like Effort Reporting and Financial Aid compliance. But perhaps it was overkill for the job, given that one of the largest inspection functions within the Federal Government is behind on its audit plan this year.

Yep, they're too busy at the National Science Foundation investigating Internet Porn, so they're behind on their audit plan. For more information, see the Washington Times.

Maybe their Office of the Inspector General could use a more efficient method for selecting which grants and contracts to inspect. More data-driven continuous risk assessment, or more use of data analysis in controls assessment, would help with their efficiency and effectiveness.

Other suggestions abound. What do you think?

Sunday, September 20, 2009

Another CFO Article on Continuous Auditing - Correct about Vocabulary. Incorrect about no one doing it well.

We appreciate CFO Magazine writing about Continuous Auditing (CA) again. This month's piece is better than previous efforts, in that it focuses much more on the process changes needed for CA, and less on the actual technology used to accomplish CA, as we have blogged about previously. CFO Magazine interviewed several industry and academic leaders for this article; alas, they didn't reach out to Visual Risk IQ, at least not yet. So in today's blog, we'll summarize some of our observations and experiences about CA and contrast them with the CFO article. The centerpiece of our thoughts on CA is our proprietary maturity model, which we use to chart company-specific actions that help organizations advance on this journey. We'll also suggest one or two other organizations that CFO Magazine might talk to so that a clearer picture of CA can develop. In any case, we certainly echo the author's point that a common, practical definition of CA is not yet accepted in the industry.

For this article, the author interviewed HCA, Microsoft, and AEP - and profiled how each organization uses CA. We feel especially qualified to comment on the article, because Kim Jones and I have been working almost exclusively on CA since our days at PwC in 2006, where he was a key team member on the Microsoft project cited in the article. We also count both HCA and AEP among our circle of friends from the speaking and writing that we each do in the Internal Audit community.

My counsel to the author would be to separate Continuous (which is really Continual) Risk Assessment from Continuous Controls Assessment. One reason there are such varying definitions of CA is that a diverse set of objectives can be accomplished with CA, and especially with Continuous Controls Monitoring for Transactions (CCM-T). Organizations that set out to allocate their audit resources based on more up-to-date information than an annual risk assessment are likely to begin their CA efforts here. Companies publicly profiled in articles and cases that match this description of CA include McDonald's and Wells Fargo; they usually have a very large number of audit entities (i.e. stores or branches), which makes it difficult to visit each entity in a three- or five-year audit cycle. We have assisted several organizations in becoming more like McDonald's and Wells Fargo by using data to perform more frequent, data-driven risk assessments to allocate their audit resources. Most often, the data used for this activity is aggregate financial or operational information such as Financial Performance vs. Budget, Performance Ratios, or Employee Turnover. While the quotes from Jay Hoffman at AEP suggest that his team is doing Continuous Risk Assessment, the controls being tested per the article seem to be more specific to Continuous Controls Assessment, which uses data-driven techniques to provide greater depth and frequency of audit coverage.

Continuous Controls Assessment is the set of techniques profiled in the article at HCA, AEP, and Microsoft. Instead of auditing overtime or journal entries only once every two or three years, many organizations use repeating data analysis scripts to assess the effectiveness of a control at multiple intervals during the year. These techniques can alert management to emerging issues with fraud risk or compliance, and also assist in following up on previous audit findings.

At Visual Risk IQ, we assert that "real continuous auditing" is to more fully integrate the Continuous Controls Assessment with Continuous Risk Assessment, so that audit project selection is based on the effectiveness of frequent, data-driven control assessment activities. Example: "What should be next on the audit plan - let's go to the regional office that hit their sales budget (to the penny!), but hasn't updated their allowance for doubtful accounts since the new accounting manager was hired six months ago."
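The following is an added example, not Visual Risk IQ's code or maturity model, of what "audit project selection based on frequent, data-driven control assessment" looks like when written down: each audit entity is run through the two indicators in the regional-office example above (sales equal to budget to the penny; allowance for doubtful accounts untouched since a new accounting manager arrived), and entities are ranked for the audit plan by how many indicators fired. The record layout, the 180-day staleness threshold and the three sample offices are constructed assumptions.

```python
"""Continuous risk assessment driven by control-assessment results (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass
class EntitySnapshot:
    entity: str                   # audit entity, e.g. a regional office (constructed)
    actual_sales: float           # period-to-date sales
    budget_sales: float           # budget for the same period
    manager_hire_date: date       # start date of the current accounting manager
    allowance_last_updated: date  # last change to the allowance for doubtful accounts
    as_of: date                   # date the snapshot was taken


def assess_entity(snap: EntitySnapshot, stale_days: int = 180) -> List[str]:
    """Return the indicators that fired for one entity (empty list = nothing unusual)."""
    flags: List[str] = []
    # Indicator 1: actual equals budget to the penny. Real results almost never do,
    # so an exact match is a signal worth a visit rather than proof of anything.
    if round(snap.actual_sales, 2) == round(snap.budget_sales, 2):
        flags.append("sales equal budget to the penny")
    # Indicator 2: the allowance predates the current manager, and the manager has
    # been in place long enough (stale_days, an assumed threshold) that an update was due.
    tenure_days = (snap.as_of - snap.manager_hire_date).days
    if snap.allowance_last_updated < snap.manager_hire_date and tenure_days >= stale_days:
        flags.append("allowance for doubtful accounts not updated since manager hired")
    return flags


def rank_for_audit_plan(snaps: List[EntitySnapshot]) -> List[Tuple[str, int, List[str]]]:
    """Rank entities by number of indicators fired (most first); entity name breaks ties."""
    scored = []
    for snap in snaps:
        flags = assess_entity(snap)
        scored.append((snap.entity, len(flags), flags))
    return sorted(scored, key=lambda row: (-row[1], row[0]))


# Constructed snapshots for three regional offices as of 30 Sep 2009.
SAMPLE = [
    EntitySnapshot("North", 1_204_551.37, 1_150_000.00,
                   date(2004, 3, 1), date(2009, 6, 30), date(2009, 9, 30)),
    EntitySnapshot("East", 875_000.00, 875_000.00,
                   date(2009, 3, 15), date(2009, 2, 28), date(2009, 9, 30)),
    EntitySnapshot("West", 990_000.00, 990_000.00,
                   date(2009, 1, 5), date(2009, 8, 31), date(2009, 9, 30)),
]

if __name__ == "__main__":
    for entity, score, flags in rank_for_audit_plan(SAMPLE):
        print(f"{entity:6} score={score} {flags}")
```

In the constructed data, East fires both indicators and goes to the top of the plan, West fires only the budget match, and North fires nothing. In practice the indicator list grows with every control assessment script the team already runs; the ranking step is what turns those scripts into a risk assessment.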

I can think of two or three organizations that are doing real continuous auditing according to this definition. Both Arrowpoint Capital in Charlotte and RLI Corporation in Peoria have presented at national and regional IIA / MISTI conferences about their CA programs, which originated with repeating the data analysis routines that were used for control assessment. While neither is a household name like Microsoft or HCA, each has been doing CA for more than five years, and both are quite mature in their use of data for both control assessment and risk assessment.

In closing, the article does a good job of distinguishing between CA and CM (continuous monitoring), CM being the activities performed by management. The evolution of CA into CM is a particular mark of growing CA maturity. Our work with CM, and especially CCM-T, has allowed us to help management use technology to test the right controls at the right time, to achieve spectacularly effective results in business performance and internal controls. CA is often the first step on that journey.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Monday, September 14, 2009

IIA Presentation on Continuous Auditing - Thanks Baton Rouge!

Thanks and congratulations to the Baton Rouge IIA, who filled the room with more than 75 people for a one-hour lunchtime CPE session on making the journey From Data Analysis and Continuous Auditing. This was a terrific turnout for most any chapter, but especially for one the size of Baton Rouge, which is a testament to the effectiveness of their officer group. Thanks much Amanda, Renee, Staci and all other volunteers for their work to encourage such great attendance.

We opened the session with the thought-provoking "Did You Know" video to help the audience appreciate the rapid growth of digital information, and challenge the audit profession on how to keep pace with this growth. Sampling 25 or even 200 transactions just isn't enough when modern software allows us to test every transaction for control effectiveness, as frequently as daily or more.

Thirty of the 75+ lunchtime attendees stayed for the remainder of the afternoon for a more detailed discussion of the journey toward continuous auditing, where we explored Visual Risk IQ's proprietary continuous auditing maturity model in greater detail. During the last hour, we brainstormed ways to use disparate data for more innovative testing for identifying fraud. The group did an outstanding job, as evidenced by some of the following creative test suggestions:

- For a finance company that makes consumer loans to consolidate debt, compare the account numbers for payments made to credit card companies against account numbers of finance company employees, to make sure that funds are not diverted at closing from the consumer making the loan.
- For almost any organization, compare vendor address and phone numbers against employee home and emergency contact information in HR and Payroll files for possible undisclosed conflicts.
- For a state agency, compare external information about known deceased individuals / SSNs to benefits payments made to employees and retirees.
- And many others....
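The three tests the group suggested are all joins across files that are rarely looked at together. The code below is an added example, not code from the original post or from Visual Risk IQ, showing how each test runs as a repeatable script: a vendor-to-employee contact match (with phone and address normalization so formatting differences do not hide a hit), a benefit-payments-after-date-of-death match, and a loan-payoff-to-employee-account match. The record layouts, field names and sample rows are constructed, and the SSNs and account numbers are obviously fake placeholders.

```python
"""Fraud tests from the brainstorm, as repeatable data-matching scripts (added example)."""
import re
from datetime import date
from typing import Dict, List, Tuple


def normalize_phone(raw: str) -> str:
    """Keep digits only and drop a leading US country code so '(225) 555-0142' == '+1 225 555 0142'."""
    digits = re.sub(r"\D", "", raw)
    return digits[-10:] if len(digits) == 11 and digits.startswith("1") else digits


def normalize_address(raw: str) -> str:
    """Upper-case, strip punctuation, collapse whitespace, and shorten common suffixes."""
    s = re.sub(r"[^\w\s]", "", raw.upper())
    s = re.sub(r"\s+", " ", s).strip()
    for long_form, short in (("STREET", "ST"), ("AVENUE", "AVE"), ("ROAD", "RD"),
                             ("APARTMENT", "APT"), ("SUITE", "STE")):
        s = re.sub(rf"\b{long_form}\b", short, s)
    return s


def vendor_employee_matches(vendors: List[dict], employees: List[dict]) -> List[Tuple[str, str, str]]:
    """Vendors whose phone or address matches an employee's home or emergency contact."""
    by_phone: Dict[str, str] = {}
    by_addr: Dict[str, str] = {}
    for e in employees:
        for p in (e["home_phone"], e["emergency_phone"]):
            by_phone[normalize_phone(p)] = e["id"]
        by_addr[normalize_address(e["home_address"])] = e["id"]
    hits: List[Tuple[str, str, str]] = []
    for v in vendors:
        vp, va = normalize_phone(v["phone"]), normalize_address(v["address"])
        if vp in by_phone:
            hits.append((v["vendor_id"], by_phone[vp], "phone"))
        if va in by_addr:
            hits.append((v["vendor_id"], by_addr[va], "address"))
    return hits


def payments_to_deceased(payments: List[dict], deceased: List[dict]) -> List[Tuple[str, str]]:
    """Benefit payments dated after the payee's recorded date of death."""
    dod = {d["ssn"]: d["date_of_death"] for d in deceased}
    return [(p["payment_id"], p["ssn"]) for p in payments
            if p["ssn"] in dod and p["paid_on"] > dod[p["ssn"]]]


def payoffs_to_employee_accounts(payoffs: List[dict], employee_accounts: List[dict]) -> List[Tuple[str, str]]:
    """Debt-consolidation payoffs sent to a card account that belongs to a finance company employee."""
    owner = {a["card_account"]: a["employee_id"] for a in employee_accounts}
    return [(p["loan_id"], owner[p["payee_account"]]) for p in payoffs
            if p["payee_account"] in owner]


# Constructed sample files. Identifiers are placeholders, not real data.
VENDORS = [
    {"vendor_id": "V100", "address": "12 Oak Street, Apt 3", "phone": "(225) 555-0142"},
    {"vendor_id": "V101", "address": "900 Commerce Ave, Suite 200", "phone": "225-555-0199"},
]
EMPLOYEES = [
    {"id": "E7", "home_address": "12 OAK ST APT 3",
     "home_phone": "2255550100", "emergency_phone": "+1 225 555 0142"},
    {"id": "E8", "home_address": "44 Pine Rd",
     "home_phone": "225-555-0177", "emergency_phone": "225-555-0178"},
]
DECEASED = [{"ssn": "000-00-1234", "date_of_death": date(2009, 4, 2)}]
PAYMENTS = [
    {"payment_id": "P1", "ssn": "000-00-1234", "paid_on": date(2009, 3, 31)},  # before death
    {"payment_id": "P2", "ssn": "000-00-1234", "paid_on": date(2009, 5, 31)},  # after death
    {"payment_id": "P3", "ssn": "000-00-5678", "paid_on": date(2009, 5, 31)},  # not on list
]
EMPLOYEE_ACCOUNTS = [{"employee_id": "E7", "card_account": "CARD-778899"}]
PAYOFFS = [
    {"loan_id": "L501", "payee_account": "CARD-112233"},
    {"loan_id": "L502", "payee_account": "CARD-778899"},
]

if __name__ == "__main__":
    print("vendor/employee:", vendor_employee_matches(VENDORS, EMPLOYEES))
    print("paid after death:", payments_to_deceased(PAYMENTS, DECEASED))
    print("payoff to employee:", payoffs_to_employee_accounts(PAYOFFS, EMPLOYEE_ACCOUNTS))
```

The normalization step matters more than the join: the vendor in the sample matches an employee on both phone and address even though the two files format them differently. Every hit is a lead for follow-up, not a finding; the scripts earn their keep by being rerun each period so new vendors, new hires and new payments are checked the day they appear.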

In each case, the participants set aside their "I'm not sure which file to ask for" hesitation and brainstormed what data would add to the effectiveness of their testing. By thinking about risk and controls without the restriction of "it would be difficult because....," some really excellent ideas were explored and discussed.