Wow, has it been nearly four months since I've blogged? Good news is that my brevity is improving. For those of you that don't follow me on Twitter ( @VisualRiskIQ or www.Twitter.com/VisualRiskIQ ), I've been at least fairly busy reporting on Fraud, FCPA, and especially Higher Ed operational and compliance issues in the news that can be positively influenced by Continuous Auditing (CA) and Continuous Monitoring (CM) applications.
Our firm continues its implementation of CA and CM for a variety of corporate, higher ed, and non-governmental organizations, and we continue to see an uptick in investment in the still-emerging technology. With that said, it's slow and cautious investment, at least in part because the return on these investments can be mixed, especially if they are seen as technology purchases and not fuller, solution-focused change initiatives that involve people, process, and technology.
The Rutgers Conference is a confluence of academia, external auditors, software firms, and internal audit customers of data analytics, so it is a very interesting venue. I look forward to documenting some of the soundbytes and lessons learned for folks who have not been fortunate enough to attend. For those in attendance, I welcome any comments or corrections to the notes that I'll be taking.
Regards,
Joe Oringel
Visual Risk IQ
reporting from Rutgers Business School
Newark NJ
Friday, November 5, 2010
Monday, August 23, 2010
Register for Webinar on Enterprise Continuous Controls Monitoring (ECCM) on 9/1/2010
I was pleased that Visual Risk IQ was invited to be on a panel titled ECCM: Past, Present, and Future. The panel is part of a virtual conference titled Enterprise Continuous Controls Management. To register for the Webinar, please see: www.controlsinstitute.org My fellow panelists will be Mike Cangemi (former President of Financial Executives Institute and current Board Member for FASB's Financial Accounting Standards Advisory Council and the Rutgers Continuous Auditing Advisory Board); Carolyn Newman (President and CEO of Audimation, the US Distributor for IDEA and CaseWare Monitor (formerly SymSure), and Sumit Nijhawan, Company Operations Leader for Infogix.
The Panel will be moderated by Dr. Sri Ramamoorti of Kennesaw State, and is intended to address the scope and sponsorship challenges that organizations often faced when starting an ECCM initiative. We also intend to cover examples of Return on Investment with both an operational and compliance lens, and provide guidance on the kinds of business questions that ECCM can answer.
Visual Risk IQ is optimistic about the business value of ECCM, as many different technical solutions can be configured to answer those business questions on a more frequent basis. We look forward to the panel and hope that you make time to join the event.
Regards,
Joe Oringel
Visual Risk IQ
Charlotte NC USA
The Panel will be moderated by Dr. Sri Ramamoorti of Kennesaw State, and is intended to address the scope and sponsorship challenges that organizations often faced when starting an ECCM initiative. We also intend to cover examples of Return on Investment with both an operational and compliance lens, and provide guidance on the kinds of business questions that ECCM can answer.
Visual Risk IQ is optimistic about the business value of ECCM, as many different technical solutions can be configured to answer those business questions on a more frequent basis. We look forward to the panel and hope that you make time to join the event.
Regards,
Joe Oringel
Visual Risk IQ
Charlotte NC USA
Wednesday, June 23, 2010
Reflections on IIA International - Input for Continuous Auditing Global Technology Audit Guide (GTAG)
At IIA International conference this month, three of the more interesting presentations were by Dan Kneer, Steve Biskie (ACL Services) and Robert Mainardi. Each presenter spoke on some combination of Continuous Auditing and Continuous Monitoring, but if you attended all three session, you could easily come away a bit confused. While some or even many of the same words were used in the same sessions, each presenter's perspective on Continuous Auditing was quite different.
Steve Biskie is Best Practices Program Director for ACL Services, who writes market-leading data analysis software for internal auditors. ACL software like its peers from IDEA and SAS, among others, is an excellent tool for exception queries and structured data. At Visual Risk IQ, we use IDEA and ACL to analyze millions of records and isolate dozens of exceptions to be investigated by internal auditors. Results are often high-value, and can be made repeatable (i.e. Continual or Continuous Auditing) by automating data extraction and combining with workflow. Caseware Monitor (formerly known as SymSure for IDEA) and ACL's AX/2 are examples of emerging tools for continuous auditing.
Dr. Dan Kneer has retired from Academia and runs a firm called Dan Kneer Advisors. The Holy Grail of auditing according to Dr. Dan is regression analysis, and he advocates using the tool "already on every auditor laptop" (i.e. Microsoft Excel). Dr. Dan focuses on trending queries (e.g. the relationship between sales and costs of sales, or between sales and commissions) to identify outliers to be investigated in greater detail. Trending queries like regression analysis are highly useful, but we would advocate their use together with exception queries. And since IDEA and ACL each have regression analysis features, we would advocate using those tools instead of Excel due to improved audit trails and logging, as well as ability to work with datasets larger than 1 million rows. Dr. Dan's emphasis on analytical procedures have merit, and should be a component of a Continuous Auditing program.
Robert Mainardi's classes on continuous auditing receive high evaluations, in part because he keeps it simple. Strengths include visual reporting of risks and controls (color-coded heatmaps in MS-Office) and consistently reporting the results of audit procedures. A downside, per SAP's Norman Marks, is that "Mainardi designs continuous audit programs for clients that has limited use of technology. Missing the boat" We respectfully disagree with Mr. Marks. Instead of focusing on what's missing, let's focus on what's there. We see Mainardi's glass as at least half full, and would recommend that trending queries and exception queries be combined as part of the continuing auditing that Mainardi recommends.
Steve Biskie is Best Practices Program Director for ACL Services, who writes market-leading data analysis software for internal auditors. ACL software like its peers from IDEA and SAS, among others, is an excellent tool for exception queries and structured data. At Visual Risk IQ, we use IDEA and ACL to analyze millions of records and isolate dozens of exceptions to be investigated by internal auditors. Results are often high-value, and can be made repeatable (i.e. Continual or Continuous Auditing) by automating data extraction and combining with workflow. Caseware Monitor (formerly known as SymSure for IDEA) and ACL's AX/2 are examples of emerging tools for continuous auditing.
Dr. Dan Kneer has retired from Academia and runs a firm called Dan Kneer Advisors. The Holy Grail of auditing according to Dr. Dan is regression analysis, and he advocates using the tool "already on every auditor laptop" (i.e. Microsoft Excel). Dr. Dan focuses on trending queries (e.g. the relationship between sales and costs of sales, or between sales and commissions) to identify outliers to be investigated in greater detail. Trending queries like regression analysis are highly useful, but we would advocate their use together with exception queries. And since IDEA and ACL each have regression analysis features, we would advocate using those tools instead of Excel due to improved audit trails and logging, as well as ability to work with datasets larger than 1 million rows. Dr. Dan's emphasis on analytical procedures have merit, and should be a component of a Continuous Auditing program.
Robert Mainardi's classes on continuous auditing receive high evaluations, in part because he keeps it simple. Strengths include visual reporting of risks and controls (color-coded heatmaps in MS-Office) and consistently reporting the results of audit procedures. A downside, per SAP's Norman Marks, is that "Mainardi designs continuous audit programs for clients that has limited use of technology. Missing the boat" We respectfully disagree with Mr. Marks. Instead of focusing on what's missing, let's focus on what's there. We see Mainardi's glass as at least half full, and would recommend that trending queries and exception queries be combined as part of the continuing auditing that Mainardi recommends.
A continuous auditing program that includes one of the above techniques would add value for most any organization. A program that includes each of these techniques should be considered world-class.
Friday, May 14, 2010
The High Cost of FCPA Compliance - CCM-T as Low-cost Antidote
We've been writing and tweeting about Foreign Corrupt Practices Act (FCPA) compliance for several months, after teaming with Houston-based Morgan-Garris for an innovative data-driven solution to help reduce the costs of FCPA monitoring and compliance. We'll actually be presenting next week at MISTI's SuperStrategies on using Continuous Auditing and Monitoring technology for several different applications, including FCPA.
This week's Forbes Article titled, "How Bribery Hurts Business and Enriches Insiders" shows the incredible high costs of FCPA investigations. Deloitte 1300+ project consultants billed more than 949,000 hours on their work for Siemens FCPA investigation. ABB has reserved $300 million, and Avon Products has reserved $95 million for their on-going investigations.
It is becoming increasingly common for FCPA costs to run tens, if not hundreds of millions of dollars. What takes so long? Why is it so expensive?
When Kim and I were at PwC, it was common for the data acquisition component of a Big 4 data analysis project to consume 60% or 70% or more of a project budget. Extracting flat files and fastidiously mapping them into desktop audit software tools was and still is a time-consuming process, especially for ad hoc analysis. At Visual Risk IQ, most of our data analysis projects are fixed-fee, and include time to acquire and map data into more modern audit software like Oversight, Approva, or SymSure for IDEA**. These more modern tools facilitate repeated extraction at dramatically lower costs of data acquisition, therefore allowing more time for research and review of results.
As such, each successive extract of a monthly or even daily file can be loaded into modern audit software, so that 100% of the time for the second file is spent on review of results, not loading data. Further, advances in workflow and logging can facilitate efficient review and oversight by finance or inside / outside counsel. Given the fees cited in Forbes, we know we have a much better way.
Joe Oringel
Visual Risk IQ
Charlotte NC, USA
** Author's Note - We read that ACL's AX/2 has similar automation for data extraction, through integration of Informatica for extract, transform, and load. We have not yet validated this functionality.
Tuesday, May 4, 2010
Speaking at Conferences in 2010, continued
Excellent feedback from IIA Chapter and District meetings has resulted in several new speaking opportunities this quarter. The list of topics is broadening, though the central themes remain data analysis and continuous auditing and monitoring. Among the newest new topics are a Data-Driven Approach to Enterprise Risk Management and Social Media 101, in addition to existing programs around anti-fraud programs and continuous auditing and monitoring.
Recent speaking engagements booked include National AICPA Conferences (i.e. NAAAT's - the National Advanced Accounting and Auditing Symposium and Controller's Workshops) and industry conferences with the Association of College and University Auditors (ACUA) and Association of HealthCare Internal Audit Conference (AHIA), among others. At AHIA, we'll be co-presenting with Chase Whitaker of HCA HealthCare, and at ACUA's Annual Conference we'll be co-presenting with Scott Stevenson of Emory.
We are currently preparing for our Wake-Up session on May 19, 2010, at MISTI's SuperStrategies, the Audit Best Practices conference to be held in Orlando. Our session is entitled Hot Topics in Continuous Auditing: Fraud, FCPA, and More. We will recap a number of Continuous Auditing implementations that touch on frequent risk assessment and frequent control assessment. This session will describe ways to integrate the multitude of audit software platforms that can occasionally challenge, if not even overwhelm internal audit departments.
For more information on bringing partial-day or even full-day speaker programs to your IIA, ACFE, ISACA, or CPA society meeting, please contact us via the comment feature of this blog below.
Joe Oringel
Visual Risk IQ
Charlotte NC, USA
Recent speaking engagements booked include National AICPA Conferences (i.e. NAAAT's - the National Advanced Accounting and Auditing Symposium and Controller's Workshops) and industry conferences with the Association of College and University Auditors (ACUA) and Association of HealthCare Internal Audit Conference (AHIA), among others. At AHIA, we'll be co-presenting with Chase Whitaker of HCA HealthCare, and at ACUA's Annual Conference we'll be co-presenting with Scott Stevenson of Emory.
We are currently preparing for our Wake-Up session on May 19, 2010, at MISTI's SuperStrategies, the Audit Best Practices conference to be held in Orlando. Our session is entitled Hot Topics in Continuous Auditing: Fraud, FCPA, and More. We will recap a number of Continuous Auditing implementations that touch on frequent risk assessment and frequent control assessment. This session will describe ways to integrate the multitude of audit software platforms that can occasionally challenge, if not even overwhelm internal audit departments.
For more information on bringing partial-day or even full-day speaker programs to your IIA, ACFE, ISACA, or CPA society meeting, please contact us via the comment feature of this blog below.
Joe Oringel
Visual Risk IQ
Charlotte NC, USA
Monday, March 22, 2010
Reflections on Mid-Atlantic District Conference - Continuous Auditing presentation
Continuous Auditing meets Continuous Improvement.
Along with colleagues Dr. George Aldhizer (Wake Forest University), Kathy Hardwick (Audit Relationship Manager of Arrowpoint Capital), and David Payseur (Chief Audit Executive of Arrowpoint Capital), I helped present our Continuous Auditing Maturity Model for the Charlotte, Raleigh, and Triad IIA Chapters last week at the District Conference in Charlotte. Thanks to each of the co-presenters, and especially to David who suggested that we update the material published in WG&L's Internal Auditing in Sept / Oct 2009.
Though we had presented together before, I was struck by how the material had evolved from our prior presentations. George Aldhizer updated his segment to provide an overview of Text Analytics. Text Analytics (i.e., tools that are used to analyze unstructured data such as email and other text-based documents) can identify, classify, and parse words and clusters of words in electronic documents. These tools are more commonly used in Forensic analysis, but depending on industry and business risk, he recommended that they be considered as part of an overall Data Analysis program. We agree with his assessment, and see application in journal entry analysis and other anti-fraud programs.
Kathy and David provided an update of the Continuous Auditing program at Arrowpoint. For those of you unfamiliar with Arrowpoint, they have had a data-driven Continuous Auditing (CA) program since 2003. Their CA program is fully integrated with Enterprise Risk Management and provides monthly reporting to executive management and the Board on assessment of risks and controls. Arrowpoint is among the most advanced of all CA programs that we have met with, regardless of industry. Most noteworthy for me last week was how the depth and breadth of their data analysis routines keeps improving. Some tests have migrated to the business from Internal Audit, while other tests are run more frequently or less frequently, based on past results and risk assessment.
Our update included an overview of Visual Risk IQ's QuickStart methodology, which we use to help separate the business-focused activities in a CA program from other more technical tasks. One of the common misconceptions about data analysis is that it is an "IT Audit" activity, because some of the tasks require some intermediate or even advanced technical skills for data acquisition. QuickStart separates data acquisition and script-writing tasks from analysis and reporting, so that business auditors are primarily responsible for reviewing query results and reporting on them. Feedback from Arrowpoint, from our clients, and also training sessions like the District Conference reinforce the importance of that approach.
Joe Oringel
Visual Risk IQ
Charlotte NC, USA
Along with colleagues Dr. George Aldhizer (Wake Forest University), Kathy Hardwick (Audit Relationship Manager of Arrowpoint Capital), and David Payseur (Chief Audit Executive of Arrowpoint Capital), I helped present our Continuous Auditing Maturity Model for the Charlotte, Raleigh, and Triad IIA Chapters last week at the District Conference in Charlotte. Thanks to each of the co-presenters, and especially to David who suggested that we update the material published in WG&L's Internal Auditing in Sept / Oct 2009.
Though we had presented together before, I was struck by how the material had evolved from our prior presentations. George Aldhizer updated his segment to provide an overview of Text Analytics. Text Analytics (i.e., tools that are used to analyze unstructured data such as email and other text-based documents) can identify, classify, and parse words and clusters of words in electronic documents. These tools are more commonly used in Forensic analysis, but depending on industry and business risk, he recommended that they be considered as part of an overall Data Analysis program. We agree with his assessment, and see application in journal entry analysis and other anti-fraud programs.
Kathy and David provided an update of the Continuous Auditing program at Arrowpoint. For those of you unfamiliar with Arrowpoint, they have had a data-driven Continuous Auditing (CA) program since 2003. Their CA program is fully integrated with Enterprise Risk Management and provides monthly reporting to executive management and the Board on assessment of risks and controls. Arrowpoint is among the most advanced of all CA programs that we have met with, regardless of industry. Most noteworthy for me last week was how the depth and breadth of their data analysis routines keeps improving. Some tests have migrated to the business from Internal Audit, while other tests are run more frequently or less frequently, based on past results and risk assessment.
Our update included an overview of Visual Risk IQ's QuickStart methodology, which we use to help separate the business-focused activities in a CA program from other more technical tasks. One of the common misconceptions about data analysis is that it is an "IT Audit" activity, because some of the tasks require some intermediate or even advanced technical skills for data acquisition. QuickStart separates data acquisition and script-writing tasks from analysis and reporting, so that business auditors are primarily responsible for reviewing query results and reporting on them. Feedback from Arrowpoint, from our clients, and also training sessions like the District Conference reinforce the importance of that approach.
Joe Oringel
Visual Risk IQ
Charlotte NC, USA
Thursday, February 11, 2010
Green Energy / Sustainability and CCM-T?
This is my first blog post in February, and first in nearly a month. I find the more active I am with Twitter / micro-blogging, the less frequently I post here. Hmmm, there's got to be a better way....Maybe a Twitter digest? But I digress...
As we have much of last year, again today we're thinking about Green Energy and Sustainability. The sociological and public good components of Green Energy and Sustainability are clear, but the growing number of new business start-ups in this space is a sign that the financial rewards of doing good are may also be rewarding. Evidence includes the Wharton School's Sustainability Program and the high ROI payback that can be obtained from Energy Audit activities in both commercial and even residential space. In the last month, we've met with BreezePlay (a Charlotte-based Green Energy start-up focusing in the residential space) and Energy Reduction Solutions (a Florida-based Engineering start-up focusing in the commerical space). Each have sparked our interest.
At Visual Risk IQ, we talk about how CCM-T reduces the marginal cost of "one more question," and helps audit and financial professionals answer important questions about internal controls, fraud, and expense management. Who are the smart people asking questions about Green Energy and Sustainability?
We'd like to meet more of them, so please drop us a line!
Joe Oringel
Visual Risk IQ
Charlotte NC, USA
As we have much of last year, again today we're thinking about Green Energy and Sustainability. The sociological and public good components of Green Energy and Sustainability are clear, but the growing number of new business start-ups in this space is a sign that the financial rewards of doing good are may also be rewarding. Evidence includes the Wharton School's Sustainability Program and the high ROI payback that can be obtained from Energy Audit activities in both commercial and even residential space. In the last month, we've met with BreezePlay (a Charlotte-based Green Energy start-up focusing in the residential space) and Energy Reduction Solutions (a Florida-based Engineering start-up focusing in the commerical space). Each have sparked our interest.
At Visual Risk IQ, we talk about how CCM-T reduces the marginal cost of "one more question," and helps audit and financial professionals answer important questions about internal controls, fraud, and expense management. Who are the smart people asking questions about Green Energy and Sustainability?
We'd like to meet more of them, so please drop us a line!
Joe Oringel
Visual Risk IQ
Charlotte NC, USA
Subscribe to:
Posts (Atom)
