Saturday, November 6, 2010

Highlights of Day 2 Rutgers WCAS

More case studies on Saturday than Friday - presenters have included Hewlett-Packard, Procter & Gamble, IBM, and Siemens Financial, among others. Highlights from these presentations include:
  • HP presented their use of monthly data extraction and a variety of CAAT-based and ERP query tools to interrogate transactions and logs. They evaluate a mix of configurable controls and transaction analysis to deliver a risk-based heat map that aids the audit team in project selection decisions. They've made excellent progress from prior years, and continue to be a leader in CA / CM, especially among SAP shops.
  • P&G presented about their measurement around the business case for their CA / CM investments, which have focused primarily around order to cash (O2C). Their program's strengths are its workflow, in that audit uses "automated delivery of high quality controls tests results to the business." It's the evolution of having MANAGEMENT evaluate the test results (vs. internal audit) that was most noteworthy.
  • IBM presented about their system that they call Enhanced Auditing with Technology, which also focuses on O2C. They monitor more than 400 query test attributes (contrast w/ Siemens Financial, who monitors only 45!).
  • Jason Gross of Siemens Financial presented their CCM program with considerable energy and enthusiasm. Jason and I had previously met at an IIA event during 2007, when he had been in Internal Audit. Interesting is that he has left audit and is now a direct report to the CFO at Siemens Financial. This option should be on the career path of most data-focused, audit professionals as it allows Jason and his team to have more responsibility for research and follow-up on CCM exceptions.
As additional slide decks are posted, I expect to update this and other blog posts from the weekend. - UPDATED w/ HP deck.

Best wishes,

Joe Oringel
Visual Risk IQ
Newark NJ

Friday, November 5, 2010

Top 10 Things that Go Wrong in a Continuous Auditing Project

Very nice summary from Patrick Taylor from Oversight Systems of their experiences from CA and CCM implementation. Patrick did a very good job of sharing examples and screen shots of how their tools are being configured to monitor both routine and non-routine transactions.

10. Compliance is the Lead
9. Your eyes are bigger than your stomach (you try to monitor everything)
8. Look through this report please (tedious, there's no bottom to the report)
7. Let's learn a specialized analysis language (instead of SQL)
6. Let's clean up the last two years of exceptions (10000++ exceptions. Yikes!)
5. Continuous Audit instead of Continuous Improvement (i.e. Use Reason Codes)
4. Don't know how to spell Vasarhelee, Vaserheyli, Vasarhellee, Vasarhelyi... (LOL!)
3. Only know how to Audit AP (other apps are
2. Bringing a knife to a gun fight. (re-testing what is already controlled by ERP)
1. Not Using Oversight (LOL x 2)

More from Rutgers WCAS. ACL, XBRL, and Caseware RCM (alphabet soup indeed!)

Excellent presentation by ACL's John Verver on their Data Analytics Capability model. The shout out regarding our similar CA Maturity model was much appreciated. ACL's efforts to chart the path from one-time, retrospective data analysis (i.e. Hindsight) to more frequent, even predictive data analytics (i.e. Foresight) is on-target.

Noteworthy is that their model doesn't necessarily advocate "continuous" as the desired frequency for data analysis, either for Internal Audit or for management-led monitoring efforts. The right frequency depends on the relative risk of the process and data that is being analyzed.

These slides aren't up yet on the Rutgers site (UPDATE - Link provided above), but I'll look to post a link when they're uploaded. Very good content here for building a simple path toward more frequent, data driven auditing and monitoring.

Following John was Eric Cohen from PwC who provided some excellent information on the state of tagging and XBRL as a technique for automated data acquisition. The ability to acquire external data (e.g. competitor financial results) and compare those results to our own results is an excellent management tool, and one that is now beginning to be realized.

Following Eric Cohen was Andrew Simpson. Andrew is the Chief Operating Officer, CaseWare RCM Inc., formerly SymSure Ltd. Andrew's slide on the cycle (aka "yo-yo") of control measurement and how greater frequency yields continuously improving controls. Though CaseWare is a relatively new entrant in the CA / CM space, they seem to have excellent potential. UPDATE - link to Andrew Simpson's slides, which are now posted at WCARS site:

Rutgers WCAS - Advancing Audit Analytics. Key learnings

Session Moderated by Trevor Stewart (Retired Partner, Deloitte)

Panelists:

Dr. Rod Brennan (Siemens - Risk & Internal Control Officer)
Mark Loizeaux (Deloitte - Assurance National Office)
Amy Pawlicki (AICPA - Business Reporting and XBRL)
Phil Wedemeyer (Grant Thornton, Assurance National Office)

Key Learnings:
  • Now that the SOX windfall is over for the large accounting firms, external audit fees are returning to the trends of fixed price work. Hence, external auditing firms are strongly encouraging their clients to increase the use of CA and data analysis, so they can review those results and gain greater assurance in the same or fewer hours.
  • Knowledge of data analytics varies widely among the audit teams at the largest audit firms. Even members of the most advanced engagement teams in the "best" offices work on very low-tech (i.e. limited use of data analytics) audits in the same office.
  • Despite internal controls emphasis by the auditing firms and auditing standards, nearly all signing external partners have a greater level of trust in Balance Sheets than other audit procedures.
  • The PCAOB believes that external auditing is a standard, continuous process that must be followed. Departures from standard process should be documented in audit workpapers. Identifying anomalies and explaining them is an integral part of this process.
  • PCAOB Auditing Standards have been expanded to include rigorous guidance on how to do a risk assessment. Data analytics should contribute to this risk assessment.
  • One of the downsides (per the panelists - not IMHO!) of more rigorous analytics is that we are more inclined to find anomalies and errors in financial processes. Having to investigate and explain these anomalies can be very costly. Example: 10,000 exceptions in Travel and Entertainment Expense review cannot practically be investigated and explained.
  • Most auditors don't like graphics as much as columns of numbers, yet their stamina for reviewing columns of numbers isn't good enough. Graphical tools to aid in the interpretation of data are an area of interest for the panelists. We at Visual Risk IQ (emphasis added - Visual is our first name!) agree.
  • Data sources that can be used to aid in continuous assurance are not limited to financial statements or internal systems. External data sources and internal operational systems are excellent sources for insights on business risk.
  • Who wants a better audit? Management, or do they want less obtrusive audits? Regulators, or do they want fewer auditor-reported issues? Auditors, or do better audits cause problems during litigation? Maybe investors, but not for greater costs. And investors may not even understand the audits they get now.
  • The issue of connecting financial statements to underlying business processes and recording of transactions is a limitation of the audit profession.
  • Auditors of public companies need to understand materiality from an investor point of view. What do investors depend on to make their investment decisions? Materiality is not merely xx% of revenue or assets for all companies, especially if much of the market cap is based on future revenue or earnings, not historical results.
  • Most losses in market cap relate to failure in strategic risk, not financial risk. So is the emphasis on continuous auditing of financial transactions a flawed model?
  • Internal auditors are challenged to access data that is needed for audit analytics.
More to follow as the Conference progresses...

Live again from Rutgers - 21st World Continuous Auditing Symposium

Wow, has it been nearly four months since I've blogged? Good news is that my brevity is improving. For those of you that don't follow me on Twitter ( @VisualRiskIQ or www.Twitter.com/VisualRiskIQ ), I've been at least fairly busy reporting on Fraud, FCPA, and especially Higher Ed operational and compliance issues in the news that can be positively influenced by Continuous Auditing (CA) and Continuous Monitoring (CM) applications.

Our firm continues its implementation of CA and CM for a variety of corporate, higher ed, and non-governmental organizations, and we continue to see an uptick in investment in the still-emerging technology. With that said, it's slow and cautious investment, at least in part because the return on these investments can be mixed, especially if they are seen as technology purchases and not fuller, solution-focused change initiatives that involve people, process, and technology.

The Rutgers Conference is a confluence of academia, external auditors, software firms, and internal audit customers of data analytics, so it is a very interesting venue. I look forward to documenting some of the soundbytes and lessons learned for folks who have not been fortunate enough to attend. For those in attendance, I welcome any comments or corrections to the notes that I'll be taking.

Regards,

Joe Oringel
Visual Risk IQ
reporting from Rutgers Business School
Newark NJ

Monday, August 23, 2010

Register for Webinar on Enterprise Continuous Controls Monitoring (ECCM) on 9/1/2010

I was pleased that Visual Risk IQ was invited to be on a panel titled ECCM: Past, Present, and Future. The panel is part of a virtual conference titled Enterprise Continuous Controls Management. To register for the Webinar, please see: www.controlsinstitute.org. My fellow panelists will be Mike Cangemi (former President of Financial Executives Institute and current Board Member for FASB's Financial Accounting Standards Advisory Council and the Rutgers Continuous Auditing Advisory Board); Carolyn Newman (President and CEO of Audimation, the US Distributor for IDEA and CaseWare Monitor (formerly SymSure)); and Sumit Nijhawan, Company Operations Leader for Infogix.

The Panel will be moderated by Dr. Sri Ramamoorti of Kennesaw State, and is intended to address the scope and sponsorship challenges that organizations often face when starting an ECCM initiative. We also intend to cover examples of Return on Investment with both an operational and compliance lens, and provide guidance on the kinds of business questions that ECCM can answer.

Visual Risk IQ is optimistic about the business value of ECCM, as many different technical solutions can be configured to answer those business questions on a more frequent basis. We look forward to the panel and hope that you make time to join the event.

Regards,

Joe Oringel
Visual Risk IQ
Charlotte NC USA

Wednesday, June 23, 2010

Reflections on IIA International - Input for Continuous Auditing Global Technology Audit Guide (GTAG)

At the IIA International conference this month, three of the more interesting presentations were by Dan Kneer, Steve Biskie (ACL Services) and Robert Mainardi. Each presenter spoke on some combination of Continuous Auditing and Continuous Monitoring, but if you attended all three sessions, you could easily come away a bit confused. While some or even many of the same words were used in the same sessions, each presenter's perspective on Continuous Auditing was quite different.

Steve Biskie is Best Practices Program Director for ACL Services, who writes market-leading data analysis software for internal auditors. ACL software, like its peers from IDEA and SAS, among others, is an excellent tool for exception queries and structured data. At Visual Risk IQ, we use IDEA and ACL to analyze millions of records and isolate dozens of exceptions to be investigated by internal auditors. Results are often high-value, and can be made repeatable (i.e. Continual or Continuous Auditing) by automating data extraction and combining with workflow. Caseware Monitor (formerly known as SymSure for IDEA) and ACL's AX/2 are examples of emerging tools for continuous auditing.

Dr. Dan Kneer has retired from Academia and runs a firm called Dan Kneer Advisors. The Holy Grail of auditing according to Dr. Dan is regression analysis, and he advocates using the tool "already on every auditor laptop" (i.e. Microsoft Excel). Dr. Dan focuses on trending queries (e.g. the relationship between sales and costs of sales, or between sales and commissions) to identify outliers to be investigated in greater detail. Trending queries like regression analysis are highly useful, but we would advocate their use together with exception queries. And since IDEA and ACL each have regression analysis features, we would advocate using those tools instead of Excel due to improved audit trails and logging, as well as the ability to work with datasets larger than 1 million rows. Dr. Dan's emphasis on analytical procedures has merit, and should be a component of a Continuous Auditing program.

Robert Mainardi's classes on continuous auditing receive high evaluations, in part because he keeps it simple. Strengths include visual reporting of risks and controls (color-coded heatmaps in MS-Office) and consistently reporting the results of audit procedures. A downside, per SAP's Norman Marks, is that "Mainardi designs continuous audit programs for clients that has limited use of technology. Missing the boat." We respectfully disagree with Mr. Marks. Instead of focusing on what's missing, let's focus on what's there. We see Mainardi's glass as at least half full, and would recommend that trending queries and exception queries be combined as part of the continuing auditing that Mainardi recommends.

A continuous auditing program that includes one of the above techniques would add value for most any organization. A program that includes each of these techniques should be considered world-class.

Friday, May 14, 2010

The High Cost of FCPA Compliance - CCM-T as Low-cost Antidote

We've been writing and tweeting about Foreign Corrupt Practices Act (FCPA) compliance for several months, after teaming with Houston-based Morgan-Garris for an innovative data-driven solution to help reduce the costs of FCPA monitoring and compliance. We'll actually be presenting next week at MISTI's SuperStrategies on using Continuous Auditing and Monitoring technology for several different applications, including FCPA.

This week's Forbes article titled "How Bribery Hurts Business and Enriches Insiders" shows the incredibly high costs of FCPA investigations. Deloitte's 1300+ project consultants billed more than 949,000 hours on their work for the Siemens FCPA investigation. ABB has reserved $300 million, and Avon Products has reserved $95 million for their on-going investigations.

It is becoming increasingly common for FCPA costs to run tens, if not hundreds of millions of dollars. What takes so long? Why is it so expensive?

When Kim and I were at PwC, it was common for the data acquisition component of a Big 4 data analysis project to consume 60% or 70% or more of a project budget. Extracting flat files and fastidiously mapping them into desktop audit software tools was and still is a time-consuming process, especially for ad hoc analysis. At Visual Risk IQ, most of our data analysis projects are fixed-fee, and include time to acquire and map data into more modern audit software like Oversight, Approva, or SymSure for IDEA**. These more modern tools facilitate repeated extraction at dramatically lower costs of data acquisition, therefore allowing more time for research and review of results.

As such, each successive extract of a monthly or even daily file can be loaded into modern audit software, so that 100% of the time for the second file is spent on review of results, not loading data. Further, advances in workflow and logging can facilitate efficient review and oversight by finance or inside / outside counsel. Given the fees cited in Forbes, we know we have a much better way.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA


** Author's Note - We read that ACL's AX/2 has similar automation for data extraction, through integration of Informatica for extract, transform, and load. We have not yet validated this functionality.

Tuesday, May 4, 2010

Speaking at Conferences in 2010, continued

Excellent feedback from IIA Chapter and District meetings has resulted in several new speaking opportunities this quarter. The list of topics is broadening, though the central themes remain data analysis and continuous auditing and monitoring. Among the newest new topics are a Data-Driven Approach to Enterprise Risk Management and Social Media 101, in addition to existing programs around anti-fraud programs and continuous auditing and monitoring.

Recent speaking engagements booked include National AICPA Conferences (i.e. NAAAT's - the National Advanced Accounting and Auditing Symposium and Controller's Workshops) and industry conferences with the Association of College and University Auditors (ACUA) and Association of HealthCare Internal Audit Conference (AHIA), among others. At AHIA, we'll be co-presenting with Chase Whitaker of HCA HealthCare, and at ACUA's Annual Conference we'll be co-presenting with Scott Stevenson of Emory.

We are currently preparing for our Wake-Up session on May 19, 2010, at MISTI's SuperStrategies, the Audit Best Practices conference to be held in Orlando. Our session is entitled Hot Topics in Continuous Auditing: Fraud, FCPA, and More. We will recap a number of Continuous Auditing implementations that touch on frequent risk assessment and frequent control assessment. This session will describe ways to integrate the multitude of audit software platforms that can occasionally challenge, if not even overwhelm internal audit departments.

For more information on bringing partial-day or even full-day speaker programs to your IIA, ACFE, ISACA, or CPA society meeting, please contact us via the comment feature of this blog below.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA


Monday, March 22, 2010

Reflections on Mid-Atlantic District Conference - Continuous Auditing presentation

Continuous Auditing meets Continuous Improvement.

Along with colleagues Dr. George Aldhizer (Wake Forest University), Kathy Hardwick (Audit Relationship Manager of Arrowpoint Capital), and David Payseur (Chief Audit Executive of Arrowpoint Capital), I helped present our Continuous Auditing Maturity Model for the Charlotte, Raleigh, and Triad IIA Chapters last week at the District Conference in Charlotte. Thanks to each of the co-presenters, and especially to David who suggested that we update the material published in WG&L's Internal Auditing in Sept / Oct 2009.

Though we had presented together before, I was struck by how the material had evolved from our prior presentations. George Aldhizer updated his segment to provide an overview of Text Analytics. Text Analytics (i.e., tools that are used to analyze unstructured data such as email and other text-based documents) can identify, classify, and parse words and clusters of words in electronic documents. These tools are more commonly used in Forensic analysis, but depending on industry and business risk, he recommended that they be considered as part of an overall Data Analysis program. We agree with his assessment, and see application in journal entry analysis and other anti-fraud programs.

Kathy and David provided an update of the Continuous Auditing program at Arrowpoint. For those of you unfamiliar with Arrowpoint, they have had a data-driven Continuous Auditing (CA) program since 2003. Their CA program is fully integrated with Enterprise Risk Management and provides monthly reporting to executive management and the Board on assessment of risks and controls. Arrowpoint is among the most advanced of all CA programs that we have met with, regardless of industry. Most noteworthy for me last week was how the depth and breadth of their data analysis routines keep improving. Some tests have migrated to the business from Internal Audit, while other tests are run more frequently or less frequently, based on past results and risk assessment.

Our update included an overview of Visual Risk IQ's QuickStart methodology, which we use to help separate the business-focused activities in a CA program from other more technical tasks. One of the common misconceptions about data analysis is that it is an "IT Audit" activity, because some of the tasks require some intermediate or even advanced technical skills for data acquisition. QuickStart separates data acquisition and script-writing tasks from analysis and reporting, so that business auditors are primarily responsible for reviewing query results and reporting on them. Feedback from Arrowpoint, from our clients, and also training sessions like the District Conference reinforce the importance of that approach.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Thursday, February 11, 2010

Green Energy / Sustainability and CCM-T?

This is my first blog post in February, and first in nearly a month. I find the more active I am with Twitter / micro-blogging, the less frequently I post here. Hmmm, there's got to be a better way....Maybe a Twitter digest? But I digress...

As we have much of last year, again today we're thinking about Green Energy and Sustainability. The sociological and public good components of Green Energy and Sustainability are clear, but the growing number of new business start-ups in this space is a sign that the financial rewards of doing good may also be rewarding. Evidence includes the Wharton School's Sustainability Program and the high ROI payback that can be obtained from Energy Audit activities in both commercial and even residential space. In the last month, we've met with BreezePlay (a Charlotte-based Green Energy start-up focusing in the residential space) and Energy Reduction Solutions (a Florida-based Engineering start-up focusing in the commercial space). Each has sparked our interest.

At Visual Risk IQ, we talk about how CCM-T reduces the marginal cost of "one more question," and helps audit and financial professionals answer important questions about internal controls, fraud, and expense management. Who are the smart people asking questions about Green Energy and Sustainability?

We'd like to meet more of them, so please drop us a line!

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Monday, January 18, 2010

Speaking at Conferences in 2010

Continuous auditing and data analysis were hot topics as IIA and ISACA programs for 2008 and 2009, and each remains of interest here in the new year. In the last two weeks, we have booked Continuous Auditing and Data Analysis programs in Houston on February 1, and also for the North Carolina IIA District Conference in Charlotte on March 18.

In Charlotte, we will be co-presenting with Dr. George Aldhizer and David Payseur from Arrowpoint. Each of these programs will feature the Continuous Auditing Maturity Model that was published in the Sept / Oct 2009 issue of Internal Auditing. (Reprints available on request - just leave a comment on this post or send an email).

We are also scheduled to speak at the AICPA's National Advanced Accounting and Auditing Technical Symposium, specifically about a data-driven approach to Enterprise Risk Management. This ERM topic is one that we expect will be repeated at other conferences, as using data analytics for risk assessment, whether internal audit project selection or for broader enterprise risk assessment, can be a very powerful application.

Though registration information is not yet posted for this conference, we have also received word that Visual Risk IQ has been accepted as a speaker at the AICPA's Controller's Conference, where our topic will be Social Media and its application for Finance and Audit. So look for more Tweets, Blogs, and LinkedIn updates on that topic as the arrangements are finalized.

Wishing each of you the best for a healthy, happy, and prosperous 2010.

Regards,

Joe Oringel
Visual Risk IQ
Charlotte North Carolina, USA