Monday, March 22, 2010

Reflections on Mid-Atlantic District Conference - Continuous Auditing presentation

Continuous Auditing meets Continuous Improvement.

Along with colleagues Dr. George Aldhizer (Wake Forest University), Kathy Hardwick (Audit Relationship Manager of Arrowpoint Capital), and David Payseur (Chief Audit Executive of Arrowpoint Capital), I helped present our Continuous Auditing Maturity Model for the Charlotte, Raleigh, and Triad IIA Chapters last week at the District Conference in Charlotte. Thanks to each of the co-presenters, and especially to David who suggested that we update the material published in WG&L's Internal Auditing in Sept / Oct 2009.

Though we had presented together before, I was struck by how the material had evolved from our prior presentations. George Aldhizer updated his segment to provide an overview of Text Analytics. Text Analytics (i.e., tools that are used to analyze unstructured data such as email and other text-based documents) can identify, classify, and parse words and clusters of words in electronic documents. These tools are more commonly used in Forensic analysis, but depending on industry and business risk, he recommended that they be considered as part of an overall Data Analysis program. We agree with his assessment, and see application in journal entry analysis and other anti-fraud programs.

Kathy and David provided an update of the Continuous Auditing program at Arrowpoint. For those of you unfamiliar with Arrowpoint, they have had a data-driven Continuous Auditing (CA) program since 2003. Their CA program is fully integrated with Enterprise Risk Management and provides monthly reporting to executive management and the Board on assessment of risks and controls. Arrowpoint is among the most advanced of all CA programs that we have met with, regardless of industry. Most noteworthy for me last week was how the depth and breadth of their data analysis routines keeps improving. Some tests have migrated to the business from Internal Audit, while other tests are run more frequently or less frequently, based on past results and risk assessment.

Our update included an overview of Visual Risk IQ's QuickStart methodology, which we use to help separate the business-focused activities in a CA program from other more technical tasks. One of the common misconceptions about data analysis is that it is an "IT Audit" activity, because some of the tasks require some intermediate or even advanced technical skills for data acquisition. QuickStart separates data acquisition and script-writing tasks from analysis and reporting, so that business auditors are primarily responsible for reviewing query results and reporting on them. Feedback from Arrowpoint, from our clients, and also training sessions like the District Conference reinforce the importance of that approach.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA