Tuesday, December 15, 2009

NC State's ERM Roundtable Date set for Charlotte

Save the date for NC State's ERM Roundtable, to be held on Friday, March 12, 2010, at the Westin Charlotte uptown. Instead of the usual two-hour forum, there will be two 90-minute panel discussions surrounding a networking break, and the event will run from 8:30 until noon EST.

This session allows the Charlotte business community access to NC State's renowned ERM Institute, without the nearly 3-hour drive to Raleigh, and is highly recommended to finance and compliance executives in all industries.

The first panel, titled "ERM: Lessons Learned", will feature the following Panelists:

Susie Wilson – Reynolds American Corporation
Dan Wall – RBC Centura
Marshall Croom – Lowe’s Corporation
Dave Landsittel – COSO Chairman

The second panel, titled "ERM: Directions for the Future", will feature the following Panelists:

Steve Dreyer – Standard & Poor’s
David Fox – KBR Inc.
Trent Gazzaway – Grant Thornton
Jim Traut – H.J. Heinz Corporation

For more information or to register, see the NC State web site.

Sunday, December 6, 2009

Why P-Card / T&E audits can be a good "first" data analysis project?

For those of you who don't follow me on Twitter (i.e., the whole world, less 91 people), you may have missed Cal State's recent audit, released on December 3, which documented that more than $150,000 in "Improper and Wasteful Expenses" were paid to a very "senior official" in the California State University system. Subsequently it has been reported by Fox 40 that the official is David Ernst, who is currently CIO of the University of California System, according to this release from June 2008. At least, until the UC Union has their way.

Given the tremendous budget challenges throughout California, including the 32% tuition hike that has been national news for most of the last month, this is a most unfortunate time for the incident to come to light. Imagine explaining this hire to the press, given the current budget climate. Reputation risk, for both Cal State and the University of California Systems, far exceeds the amount of these "Improper and Wasteful Expenses".

But there are numerous other reasons to begin a data analysis and anti-fraud program with P-Card / T&E. The more obvious ones are that the data is consistent regardless of organization or industry, that the datasets are normally simple, and that policies are generally easy to interpret. A less obvious one is that the T&E controls provided by banks, such as Merchant Category Codes and Card Limits, are useful but incomplete unless the transactions are also compared to enterprise data like employee leave or termination dates, a comparison that can be done with modern data analysis software.
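The comparison described above, as an added example that is not part of the original post: a short Python sketch in which bank-style checks (blocked Merchant Category Codes, a card limit) run next to checks against an HR extract of leave and termination dates. The employee IDs, transactions, blocked-MCC list and limit are all constructed assumptions.

```python
from datetime import date

# Constructed sample data and policy values (assumptions, not from the audit above).
BLOCKED_MCC = {"7995", "5813"}   # assumed policy: gambling, drinking places
CARD_LIMIT = 2500.00             # assumed single-transaction limit
EMPLOYEES = {  # hypothetical HR extract: termination date and leave periods
    "E100": {"terminated": None, "leave": [(date(2009, 7, 6), date(2009, 7, 17))]},
    "E200": {"terminated": date(2009, 9, 30), "leave": []},
    "E300": {"terminated": None, "leave": []},
}
TRANSACTIONS = [  # hypothetical card feed: (txn id, employee, date, MCC, amount)
    ("T1", "E100", date(2009, 7, 10), "3000", 412.80),   # airline, during leave
    ("T2", "E200", date(2009, 10, 14), "5734", 899.00),  # software, after termination
    ("T3", "E300", date(2009, 8, 3), "7995", 150.00),    # blocked MCC
    ("T4", "E300", date(2009, 8, 4), "7011", 3100.00),   # hotel, over limit
    ("T5", "E300", date(2009, 8, 5), "5812", 64.25),     # restaurant, clean
    ("T6", "E999", date(2009, 8, 6), "5812", 20.00),     # cardholder not in HR
]

def bank_flags(mcc, amount):
    """Checks a card issuer can apply with no knowledge of the employee."""
    flags = []
    if mcc in BLOCKED_MCC:
        flags.append("blocked_mcc")
    if amount > CARD_LIMIT:
        flags.append("over_limit")
    return flags

def hr_flags(emp_id, txn_date):
    """Checks that need enterprise data: termination and leave dates."""
    emp = EMPLOYEES.get(emp_id)
    if emp is None:
        return ["unknown_cardholder"]
    flags = []
    if emp["terminated"] and txn_date > emp["terminated"]:
        flags.append("after_termination")
    if any(start <= txn_date <= end for start, end in emp["leave"]):
        flags.append("during_leave")
    return flags

def review(transactions):
    """Return {txn_id: flags} for every transaction with at least one flag."""
    flagged = {t[0]: bank_flags(t[3], t[4]) + hr_flags(t[1], t[2]) for t in transactions}
    return {txn_id: flags for txn_id, flags in flagged.items() if flags}

def missed_by_bank_controls(transactions):
    """Transactions that pass MCC and limit checks but fail the HR comparison."""
    return sorted(t[0] for t in transactions
                  if not bank_flags(t[3], t[4]) and hr_flags(t[1], t[2]))

if __name__ == "__main__":
    print(review(TRANSACTIONS))
    print(missed_by_bank_controls(TRANSACTIONS))
```
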

My belief is that T&E are a great place to begin a data analysis program, because they may be red flags for other transactions that should be reviewed. I learned this on a project more than 10 years ago, when I was leading an investigation of T&E fraud for an IT Director at a Fortune 500 firm. Through data analysis, we had uncovered a scheme where that Director had stolen more than $50,000, through a pattern of submitting multiple charges for a business trip. One of the team members suggested that we should look at other transactions that the fraudster had approved, and that's when everything hit the fan.

It turns out that T&E fraud at this Company wasn't enough to support the Director's spending habits, so the individual had also established a fictitious vendor scheme that netted more than $1 million in fraudulent disbursements. The investigative team discovered the second, larger fraud by reviewing all other transactions that the fraudster had approved.

So whatever the reason, if you're not using data analysis to review the entire population of P-Card and T&E spend, we recommend you consider it. And if you are reviewing the entire population of transactions, we recommend you do it more frequently. Given that the above expenses were not identified until more than four years after the "Improper and Wasteful Spending" began, and more than 18 months after the official left CSU, this will be a much more expensive and messy incident to resolve.

Stay tuned. Given the current environment, this should be an interesting one.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Wednesday, December 2, 2009

IIA Releases new Guidance, including GTAG #13 - Fraud Prevention and Detection in an Automated World

The IIA released its newest Guidance this morning: both a Practice Guide titled Internal Auditing and Fraud and a Global Technology Audit Guide titled Fraud Prevention and Detection in an Automated World. Contributors include good friends Rich Lanza, Peter Millar (ACL), and Don Sparks (Audimation / IDEA).

I've downloaded both this evening, and look forward to reading each on my Chicago trip this week. We anticipate updating our proprietary QuickStart methodology for Data Analytics to consider the anti-fraud framework in the Guides.

More to follow in the coming week. Any early comments and observations on either document would be welcomed.