Friday, October 30, 2009

Conflicts of Interest - The Power of External Databases (part II)

You may remember that I wrote about this summer about the power of external databases. How Department of Defense and UCLA had encountered compliance, financial, and reputation risk items that might have been prevented with better analytical routines that connected enterprise data with external data.

This month's New England Journal of Medicine features research on Conflicts of Interest Disclosures, specifically by physicians involved with certain Medical Devices, specifically orthopedic devices. Compliance with disclosure requirements was just over 70%, which is noteworthy. It makes me think about reputation risk for Research Universities, and whether their audit and compliance plans should specifically consider monitoring of these disclosures.

When I was in public accounting, we first had simple disclosures that asked if we had read the "Restricted List" which were securities that managers could not invest in because of the firm's audit relationship with those clients. First partners and then eventually all staff began to register all of their investments with the firm, so that conflicts could be detected more easily. After all, having an "on my honor, I promise I haven't invested in...." letter was not enough, and the firm began to require that we register our investments with the Independence Office so that regular comparisons to the "Restricted List" could be made instead. This improved information resulted in quite negative publicity when Conflicts were identified, but this was clearly the right thing to do. (see CFO Magazine circa 2000 for examples)

Back to Conflicts of Interest and medical research. Senator Grassley and others are pushing for Federal Sunshine Act disclosure, and many states now require pharmaceutical and medical device companies to register all payments to physicians for public disclosure. I wonder what will be the trigger to cause Research Universities to keep more than an annual "on my honor, I promise I haven't received any compensation..." letter on file for their faculty, when improved, detailed information on compensation is even more readily available.

What are the implications for Pharmaceutical and Medical Device companies as well?

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Friday, October 16, 2009

Forrester Research on Continuous Controls Monitoring is Spot On

Chatted with freelance writer and former CFO of one of our clients Chris McKittrick this week. Chris writes for Big Fat Finance Blog on a variety of topics, including CCM-T, which Forrester Research calls Internal Controls Monitoring. Chris pointed us to a CFO Magazine article earlier this year about CCM-T, which states the simple and profound:

Internal controls monitoring. Technologies in this area so far have demonstrated a low level of success, or business value-add, and are on a trajectory for minimal success over their lifespan, according to Forrester. There is potential payback in error reductions, efficiency, and risk avoidance, but most installations have yet to prove what they will ultimately be worth. And while internal controls monitoring is important because of Sarbanes-Oxley and other compliance directives, "many of the solutions just raise red flags," Paul Hamerman, vice president of enterprise applications for Forrester, tells "Somebody has to go through these flags to figure out what they mean. If the application doesn't have the built-in intelligence to do that, it's value is diminished."

Going through the red flags is a real business challenge, and requires knowledge of technology, enterprise data, policies, business rules, and fraud. Unfortunately, many organizations who have invested in this technology do not put enough emphasis on the on-going care and feeding of the systems, and it's common for the number of red flags identified in a period to exceed the number of red flags that are fully researched and resolved. As a result, the business value add for the systems can fail to reach its potential.

Even for organizations that are managing the work queues well, it is rare to see organizations modify their rules and add more red flags for checking. Opportunities to help CCM-T users with post-implementation support, whether the tool of choice is Oversight, Approva, ACL Audit Exchange 2, or SymSure / IDEA, would seem to be a growth area.

* * * * * * * * * * *

Are you attending the Rutgers Continuous Auditing Symposium on November 6 and 7? We are. Look for us at the Conference or on a Panel at 4:00 on Day 1, and let's compare notes on the above. We're interested to share experiences with others...

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Tuesday, October 13, 2009

Continuous Auditing Article accepted for publication in Internal Auditing

We received news that an article submitted jointly with Dr. George Aldhizer of Wake Forest University's has been accepted for publication by Thomson Reuters in their Internal Auditing publication for the September / October issue that will be mailed to subscribers shortly. Very timely, as Dr. Aldhizer, David Payseur (CAE of Arrowpoint Capital), and I are scheduled to present a Continuous Auditing CPE day in Winston-Salem NC on November 18, 2009.

The article describes Visual Risk IQ's Continuous Auditing Maturity model, and how the steps from moving from Basic data analysis toward Continuous Auditing requires more than just technology investments. Changes in audit methodology and especially reporting process are integral and equally important to such a journey.

The article profiles Arrowpoint Capital, a commercial property casualty run-off insurance carrier that is headquartered in Charlotte, NC, whose continuous auditing program is more than five years old and actually pre-dates the IIA's GTAG publication on Continuous Auditing. Arrowpoint has an established, data-driven ERM program that links the results of Continuous Auditing activities and query scripts to specific risk assessment and control assessment activities that is reported monthly to management and the board.

For more information, check back on how to order reprints and/or to come see us in Winston-Salem in November for the Triad CPE day.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA