Saturday, November 5, 2011

Another Saturday Morning in Newark NJ

Very energizing sessions this morning, as we heard from a Who's Who of large, multinational firms who have implemented CA and CM solutions. Siemens Financial Services led things off with their "Road to Continuous Assurance," as Jason Gross leads a mature CM function that was born in Internal Audit and has migrated to the CFO's office. His deck is downloadable at: http://raw.rutgers.edu/23WCARS

Brad Ames from HP followed with another strong presentation on using CA / CCM for assessing both IT controls and Financial Controls. @43Chase and @debreceny observed that strong IT controls help enable strong financial controls. I was focused on their use of dashboards at HP, and have asked for examples. Stay tuned.

Dave Levin of Procter & Gamble followed with a strong session on the use of data-driven risk assessments. They compare results of Control Self Assessment and actual audit results, using outliers and differences between management's assessment (i.e. CSA) and internal audit's evaluation as input into Internal Audit's risk assessment. Dave's session is available for download at this link.

Friday, November 4, 2011

Leveraging Information to Align Risk and Performance - CM, per KPMG

Jim Littley from KPMG is talking about Continuous Monitoring (CM) / Governance Risk & Compliance (GRC) / Business Intelligence (BI) etc., and all of the alphabet soup of technology tools that can be used to improve controls and risk monitoring. He observes that most large organizations have multiple initiatives related to acquiring and implementing tools and technologies for point solutions that assist in this area, but these are siloed and rarely linked together. He sees Internal Audit as a potential value-creator in this area.

Good points. We see Procurement teams with supply chain analytics, Finance with BI and macro-level analytics, Internal Audit with audit data analytics, and ERM or Risk with survey tools for subjective risk assessment, sometimes all in the same firm. Ideally, macro-level analytics tools like BI should work together with the exception analytic tools in the CM world to provide a single, integrated review of risk.

Jim suggests we think of Continuous Monitoring as the first line of defense, and Continuous Auditing as the second or third line of defense. Using common data sources (i.e. a single source of truth) can lower the cost of acquiring data for each initiative, and improve overall quality.

Slides aren't posted (yet?), but I'll update this post with a link if they are made available.

Opening Rutgers WCARS session - Continuous External Auditing

The opening panel was led by Greg Shields of the Canadian Institute of Chartered Accountants (CICA) and included Deloitte's National Office Partner Tom Criste, Retired Deloitte Partner Trevor Stewart, and PhD Student Paul Byrnes. A little disappointing that more signing partners from more accounting firms were not on the panel. Perhaps that would help unlock the code on the very slow adoption of use of technology to execute external audits.

Much emphasis was on the degree of change that would be needed for the firms to seriously re-engineer their processes. My favorite quote from the session was from Tom Criste, who observes that the great increases in technology have affected how audits are documented, but not how audits are performed. The work programs for Inventory, A/R, Cash, etc., are relatively unchanged even from when he entered the profession decades ago. And because many procedures (e.g. Inventory Observation, Confirmations of A/R balances) are required by professional standards, it would be difficult to re-engineer the audit.

Mr. Criste envisions an audit where statisticians and economists could review data and help form the External Auditor's opinion. He suggests that a test audit could be performed in parallel with a traditional external audit, and that the firm could compare results and findings with each other and the client. But he says, who would want to invest that time and energy, even if the second audit was free?

If that's truly the barrier, I'd suggest to start with the users of financial statements. Would MF Global's investors and creditors like to have had any assurance provided on quarterly financial results? Probably so.

I'd advocate beginning with the end in mind, and determine the desired frequency of external audit assurance. More than annual is probably good. Daily is probably way too frequent. (What CEO wants to explain slow mid-month sales to Wall Street Analysts?)

If quarterly assurance was desired, how should external audit procedures be changed? Comments welcome!

Thursday, November 3, 2011

Live from Rutgers WCARS - Friends and Family meeting

Most of you reading this blog post have an awareness and even a keen interest in data analysis and/or continuous auditing, whatever we agree that means. You may not know how long this topic has been discussed and debated.

I'm writing this from the 23rd (!) World Continuous Auditing Symposium at Rutgers Business School in Newark NJ. It's been a semi-annual meeting, so the group began gathering in 1999. All of the Big 4 firms are here, as are the AICPA, software vendors like ACL, Caseware, Oversight, and even CA. For more information on the agenda, see: http://raw.rutgers.edu/23WCARS .

Beginning tomorrow morning, I'll be blogging about the most interesting speakers, topics, and academic papers on the main agenda, so come back often for updates.

Today is the "Friends and Family" meeting, where some of the longer-standing supporters of the Rutgers program are discussing emerging issues. One topic on the agenda is the notion of Audit Data Standards, which would be a common data model for certain business processes like General Ledger and perhaps subledger like Supply Chain or Revenue.

The presenters advocate a cloud-based data store that public companies would use to load daily or at least monthly transactions, and that external auditors (and perhaps internal auditors) would access periodically to perform audit analytics. Glad I'm here - there are a lot of pros and cons to consider with this standardization.