Tuesday, December 15, 2009

NC State's ERM Roundtable Date set for Charlotte

Save the date for NC State's ERM Roundtable, to be held on Friday March 12, 2010, at the Westin Charlotte uptown. Instead of the usual two-hour forum, there will be two 90-minute panel discussions surrounding a networking break, and the event will run from 8:30 until noon EST.

This session allows the Charlotte business community access to NC State's renowned ERM Institute, without the nearly 3-hour drive to Raleigh, and is highly recommended to finance and compliance executives in all industries.

The first panel, titled "ERM: Lessons Learned", will feature the following Panelists:

Susie Wilson – Reynolds American Corporation
Dan Wall – RBC Centura
Marshall Croom – Lowe's Corporation
Dave Landsittel – COSO Chairman


The second panel, titled "ERM: Directions for the Future", will feature the following Panelists:

Steve Dreyer – Standard & Poor's
David Fox – KBR Inc.
Trent Gazzaway – Grant Thornton
Jim Traut – H.J. Heinz Corporation

For more information or to register, see the NC State web site.


Sunday, December 6, 2009

Why P-Card / T&E audits can be a good "first" data analysis project

For those of you who don't follow me on Twitter (i.e., the whole world, less 91 people), you may have missed Cal State's recent audit, released on December 3, which documented that more than $150,000 in "Improper and Wasteful Expenses" were paid to a very "senior official" in the California State University system. Subsequently it has been reported by Fox 40 that the official is David Ernst, who is currently CIO of the University of California System, according to this release from June 2008. At least, until the UC Union has their way.

Given the tremendous budget challenges throughout California, including the 32% tuition hike that has been national news for most of the last month, this is a most unfortunate time for the incident to come to light. Imagine explaining this hire to the press, given the current budget climate. The reputation risk, for both the Cal State and University of California Systems, far exceeds the amount of these "Improper and Wasteful Expenses".

But there are numerous other reasons to begin a data analysis and anti-fraud program with P-Card / T&E. The more obvious ones are that the data is consistent regardless of organization or industry, that the datasets are normally simple, and that the policies are generally easy to interpret. Less obvious is that the controls provided by the card issuer, such as Merchant Category Code restrictions and card limits, are useful but incomplete on their own: a charge can pass both checks and still be improper because the cardholder was on leave, or had already been terminated, when it was made. Catching that requires comparing card transactions against enterprise data such as employee leave and termination dates, which modern data analysis software makes routine.

My belief is that T&E is a great place to begin a data analysis program, because T&E exceptions may be red flags for other transactions that should be reviewed. I learned this on a project more than 10 years ago, when I was leading an investigation of T&E fraud by an IT Director at a Fortune 500 firm. Through data analysis, we had uncovered a scheme where that Director had stolen more than $50,000 through a pattern of submitting multiple charges for the same business trip. One of the team members suggested that we should look at other transactions that the fraudster had approved, and that's when everything hit the fan.

It turns out that T&E fraud at this Company wasn't enough to support the Director's spending habits, so the individual had also established a fictitious vendor scheme that netted more than $1 million in fraudulent disbursements. The investigative team discovered the second, larger fraud by reviewing all other transactions that the fraudster had approved.
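To make the point concrete, here is an added example (not Visual Risk IQ's QuickStart code, and not from the Cal State audit) of the kind of whole-population tests described above, run in Python over a handful of constructed card transactions and a constructed employee master. The employee and transaction fields, the blocked MCC, and the seven-day duplicate window are all assumptions. The first test is one a card issuer can perform alone; the other three need HR data the issuer never sees, and the duplicate test is the pattern from the IT Director case: the same cardholder, merchant and amount posted within days of each other.

```python
"""Population tests for P-Card / T&E spend against enterprise HR data.

Added example; not Visual Risk IQ's QuickStart code. All records below are
constructed for illustration, and the field names are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed employee master: termination date and approved leave windows.
EMPLOYEES = {
    "E100": {"terminated": None, "leave": []},
    "E200": {"terminated": date(2009, 6, 30), "leave": []},
    "E300": {"terminated": None, "leave": [(date(2009, 8, 1), date(2009, 8, 21))]},
}

# Constructed card transactions: (txn_id, employee, posted, merchant, amount, mcc).
TRANSACTIONS = [
    ("T1", "E100", date(2009, 5, 3), "ACME HOTEL", 412.50, 7011),
    ("T2", "E100", date(2009, 5, 4), "ACME HOTEL", 412.50, 7011),        # same stay, charged twice
    ("T3", "E200", date(2009, 7, 15), "OFFICE SUPPLY CO", 88.10, 5943),  # after termination
    ("T4", "E300", date(2009, 8, 10), "AIRLINE", 650.00, 3058),          # while on leave
    ("T5", "E100", date(2009, 9, 1), "CASINO", 300.00, 7995),            # MCC blocked by policy
    ("T6", "E100", date(2009, 9, 2), "ACME HOTEL", 412.50, 7011),        # months later: a new trip
]

BLOCKED_MCCS = {7995}            # assumed policy: gambling merchants are prohibited
DUPLICATE_WINDOW = timedelta(days=7)


def blocked_mcc(txns, blocked=BLOCKED_MCCS):
    """The check a card issuer can do alone: merchant category is prohibited."""
    return sorted(t[0] for t in txns if t[5] in blocked)


def post_termination(txns, employees):
    """Charge posted after the cardholder's termination date (issuer cannot know this)."""
    out = []
    for txn_id, emp, posted, *_ in txns:
        term = employees.get(emp, {}).get("terminated")
        if term is not None and posted > term:
            out.append(txn_id)
    return sorted(out)


def on_leave(txns, employees):
    """Charge posted inside an approved leave window."""
    out = []
    for txn_id, emp, posted, *_ in txns:
        for start, end in employees.get(emp, {}).get("leave", []):
            if start <= posted <= end:
                out.append(txn_id)
                break
    return sorted(out)


def duplicate_submissions(txns, window=DUPLICATE_WINDOW):
    """Same cardholder, merchant and amount posted within `window` of each other.

    Only pairs inside the window are flagged, so an identical charge months
    later (a genuine repeat trip) is not reported as a duplicate."""
    groups = defaultdict(list)
    for txn_id, emp, posted, merchant, amount, _mcc in txns:
        groups[(emp, merchant, round(amount, 2))].append((posted, txn_id))
    flagged = set()
    for items in groups.values():
        items.sort()
        for (d1, id1), (d2, id2) in zip(items, items[1:]):
            if d2 - d1 <= window:
                flagged.update((id1, id2))
    return sorted(flagged)


def run_all(txns=TRANSACTIONS, employees=EMPLOYEES):
    """Run every test over the whole population and return findings by test."""
    return {
        "blocked_mcc": blocked_mcc(txns),
        "post_termination": post_termination(txns, employees),
        "on_leave": on_leave(txns, employees),
        "duplicate_submission": duplicate_submissions(txns),
    }


if __name__ == "__main__":
    for test, ids in run_all().items():
        print(f"{test:22s} {ids}")
```

On this data the MCC rule catches only T5; the post-termination charge (T3), the charge made on leave (T4), and the double-billed hotel stay (T1 and T2) all clear the issuer's controls and only surface once the card file is joined to HR data. The duplicate test deliberately matches on cardholder, merchant and amount rather than merchant and amount alone, so that a genuine repeat trip months later (T6) is not reported.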

So whatever the reason, if you're not using data analysis to review the entire population of P-Card and T&E spend, we recommend you consider it. And if you are reviewing the entire population of transactions, we recommend you do it more frequently. Given that the above expenses were not identified until more than four years after the "Improper and Wasteful Spending" began, and more than 18 months after the official left CSU, this will be a much more expensive and messy incident to resolve.

Stay tuned. Given the current environment, this should be an interesting one.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Wednesday, December 2, 2009

IIA Releases new Guidance, including GTAG #13 - Fraud Prevention and Detection in an Automated World

The IIA released two new guidance documents this morning: a Practice Guide titled Internal Auditing and Fraud, and Global Technology Audit Guide (GTAG) 13, titled Fraud Prevention and Detection in an Automated World. Contributors include good friends Rich Lanza, Peter Millar (ACL), and Don Sparks (Audimation / IDEA).

I've downloaded both this evening, and look forward to reading each on my Chicago trip this week. We anticipate updating our proprietary QuickStart methodology for Data Analytics to consider the anti-fraud framework in the Guides.

More to follow in the coming week. Any early comments and observations on either document would be welcomed.

Tuesday, November 24, 2009

Conflict of Interest / External Databases, in the news again!

Last week's New York Times article about research conflicts of interest within the university community included a link to the US Department of Health and Human Services Office of Inspector General (OIG) audit report. The audit report identifies financial conflicts, including researchers' equity ownership in companies, that could significantly affect the grant research. Simply stated, the doctor who reports that compound XYZ could be a breakthrough drug for treatment of a disease may profit significantly from their own research. And that personal gain may not be known to their university, the general public, or the National Institutes of Health (NIH), which often sponsors that research.

Though grantee institutions often require researchers to disclose conflicts of interest in research publications, the same institutions rarely reduce or eliminate the financial conflicts. Ninety percent of grantee institutions rely solely on researcher discretion to determine which interests are required to be reported. Because equity interests (i.e., stock ownership) are rarely required to be reported, the specific financial interests of NIH-funded researchers are often unknown.

The OIG audit report recommends that the National Institutes of Health require grantee institutions to provide NIH with details on the nature of ALL reported financial conflicts of interest, and on how each conflict is managed, reduced, or eliminated. This change, if implemented, would be a major step up in oversight of the university research community.

Stay tuned - the compliance and record-keeping impact of such changes could be quite widespread. Fortunately for those universities that have implemented Continuous Controls Monitoring for Transactions (CCM-T) solutions that compare internal data to external databases, these changes may be easier to implement. For more information, see: www.VisualRiskIQ.com/HigherEd

For related posts, see: October 2009 and July 2009 blog entries.

Tuesday, November 10, 2009

Reflections from the Rutgers World Continuous Auditing Symposium (WCAS)

I represented Visual Risk IQ as a panelist Friday 11/6 at the Rutgers WCAS event in New Jersey. Mike Cangemi, former president of FEI, moderated our panel, which also included Eric Cohen from PwC / OCEG and Dr. Virginia Cortijo from the University of Huelva (Spain). Despite the presentation time on a Friday afternoon (4:00!), the panel generated nearly a dozen questions from the audience, and the dialog continued into the dinner hour.

The event provided an opportunity to reconnect with friends and colleagues from most of the CA / CCM software firms, from academia, and most importantly, with other early adopters of CA / CCM. Most attendees had already committed to some level of CA / CCM at their firms, each with varying levels of success. Some observations from the presentations:
  • External auditors opine on a balance sheet as of one day each year. Not much continuous about that. Internal Auditing should be leading the charge for Continuous Auditing.
  • Most CCM applications focus on a single process - P-Card, Procure to Pay, or Journal Entry review - likely because of the simpler data models and the availability of commercial software. Exceptions are IBM (Order to Cash) and HP (IT General Controls).
  • Organizations that are the best candidates for CCM are those that have a zero tolerance for Compliance exceptions and also a relentless desire for Continuous Improvement.
  • Internal audit can be the CA / CCM learning lab for the rest of the Company. See Terry Hickman's presentation (Procter & Gamble) for more information.
  • Most savings realized by audit teams through Continuous Auditing are re-directed toward emerging risks and increasing coverage.
  • Continuous auditing and data analytics jobs are out there, but the quantity and quality of applicants has been below expectations, according to several hiring managers.
  • New software entrants such as SymSure for IDEA and ACL's Audit Exchange 2 (AX2) are sparking new projects in CA, as their price point is a marked improvement relative to more comprehensive CCM tools that have previously been available.
Our presentation emphasized some of the challenges of defining Continuous Auditing. At some organizations, the term means Continuous Risk Assessment. At others, it means Control Assessment of configurable controls, or Control Assessment of Transactions. If the people doing CA / CCM use the same words for different activities, it is hard for others to follow their lead. For more information on the conference, see: Rutgers WCAS.

Did you attend? What were your key take-aways? All comments are welcomed!

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Friday, October 30, 2009

Conflicts of Interest - The Power of External Databases (part II)

You may remember that I wrote this summer about the power of external databases, and how the Department of Defense and UCLA had encountered compliance, financial, and reputation risk items that might have been prevented with better analytical routines connecting enterprise data with external data.

This month's New England Journal of Medicine features research on conflict of interest disclosures by physicians involved with medical devices, specifically orthopedic devices. Compliance with disclosure requirements was just over 70%, which is noteworthy. It makes me think about reputation risk for research universities, and whether their audit and compliance plans should specifically consider monitoring of these disclosures.

When I was in public accounting, we first had simple disclosures that asked if we had read the "Restricted List" which were securities that managers could not invest in because of the firm's audit relationship with those clients. First partners and then eventually all staff began to register all of their investments with the firm, so that conflicts could be detected more easily. After all, having an "on my honor, I promise I haven't invested in...." letter was not enough, and the firm began to require that we register our investments with the Independence Office so that regular comparisons to the "Restricted List" could be made instead. This improved information resulted in quite negative publicity when Conflicts were identified, but this was clearly the right thing to do. (see CFO Magazine circa 2000 for examples)

Back to Conflicts of Interest and medical research. Senator Grassley and others are pushing for Federal Sunshine Act disclosure, and many states now require pharmaceutical and medical device companies to register all payments to physicians for public disclosure. I wonder what will be the trigger to cause Research Universities to keep more than an annual "on my honor, I promise I haven't received any compensation..." letter on file for their faculty, when improved, detailed information on compensation is even more readily available.

What are the implications for Pharmaceutical and Medical Device companies as well?

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Friday, October 16, 2009

Forrester Research on Continuous Controls Monitoring is Spot On

I chatted this week with Chris McKittrick, a freelance writer and former CFO of one of our clients. Chris writes for Big Fat Finance Blog on a variety of topics, including CCM-T, which Forrester Research calls Internal Controls Monitoring. Chris pointed us to a CFO Magazine article from earlier this year about CCM-T, which states, simply and profoundly:

Internal controls monitoring. Technologies in this area so far have demonstrated a low level of success, or business value-add, and are on a trajectory for minimal success over their lifespan, according to Forrester. There is potential payback in error reductions, efficiency, and risk avoidance, but most installations have yet to prove what they will ultimately be worth. And while internal controls monitoring is important because of Sarbanes-Oxley and other compliance directives, "many of the solutions just raise red flags," Paul Hamerman, vice president of enterprise applications for Forrester, tells CFO.com. "Somebody has to go through these flags to figure out what they mean. If the application doesn't have the built-in intelligence to do that, its value is diminished."

Going through the red flags is a real business challenge, and requires knowledge of technology, enterprise data, policies, business rules, and fraud. Unfortunately, many organizations that have invested in this technology do not put enough emphasis on the on-going care and feeding of the systems, and it is common for the number of red flags identified in a period to exceed the number of red flags that are fully researched and resolved. As a result, the business value-add of the systems can fail to reach its potential.

Even for organizations that are managing the work queues well, it is rare to see organizations modify their rules and add more red flags for checking. Opportunities to help CCM-T users with post-implementation support, whether the tool of choice is Oversight, Approva, ACL Audit Exchange 2, or SymSure / IDEA, would seem to be a growth area.

* * * * * * * * * * *

Are you attending the Rutgers Continuous Auditing Symposium on November 6 and 7? We are. Look for us at the Conference or on a Panel at 4:00 on Day 1, and let's compare notes on the above. We're interested to share experiences with others...

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Tuesday, October 13, 2009

Continuous Auditing Article accepted for publication in Internal Auditing

We received news that an article submitted jointly with Dr. George Aldhizer of Wake Forest University has been accepted for publication by Thomson Reuters in their Internal Auditing publication, in the September / October issue that will be mailed to subscribers shortly. Very timely, as Dr. Aldhizer, David Payseur (CAE of Arrowpoint Capital), and I are scheduled to present a Continuous Auditing CPE day in Winston-Salem NC on November 18, 2009.

The article describes Visual Risk IQ's Continuous Auditing Maturity model, and how moving from basic data analysis toward Continuous Auditing requires more than just technology investments. Changes in audit methodology, and especially in the reporting process, are integral and equally important to such a journey.

The article profiles Arrowpoint Capital, a commercial property casualty run-off insurance carrier headquartered in Charlotte, NC, whose continuous auditing program is more than five years old and actually pre-dates the IIA's GTAG publication on Continuous Auditing. Arrowpoint has an established, data-driven ERM program that links the results of Continuous Auditing activities and query scripts to specific risk assessment and control assessment activities, and reports them monthly to management and the board.

For more information, check back for details on ordering reprints, or come see us in Winston-Salem in November for the Triad CPE day.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Wednesday, September 30, 2009

Internet Porn - Why I didn't complete my audit plan, by the National Science Foundation

Regular readers of my blog know that Visual Risk IQ has been especially active in the Higher Education arena in 2009, helping adapt Continuous Controls Monitoring (CCM) for a Class One Research University. In addition to monitoring for Accounts Payable controls compliance, duplicate payments, and vendor master file integrity, we have also built an innovative Grants & Contracts module that helps track compliance with various financial and operational milestones required by various Federal Grantors.

The CCM module tests the validity of expenditures, overhead rates, and labor charges, and also can be easily extended for more complex tasks like Effort Reporting and Financial Aid compliance. But perhaps it was overkill for the job, given that one of the largest inspection functions within the Federal Government is behind on its audit plan this year.

Yep, they're too busy at the National Science Foundation investigating Internet porn, so they're behind on their audit plan. For more information, see the Washington Times.

Maybe their Office of the Inspector General should use a more efficient method for selecting which grants and contracts to inspect. More data-driven continuous risk assessment, or more use of data analysis in controls assessment, would help with both efficiency and effectiveness.

Other suggestions abound. What do you think?


Sunday, September 20, 2009

Another CFO Article on Continuous Auditing - Correct about Vocabulary. Incorrect about no one doing it well.

We appreciate CFO Magazine writing about Continuous Auditing (CA) again. This month's piece is better than previous efforts, in that it focuses much more on the process changes needed for CA, and less on the actual technology that is used to accomplish CA, as we have blogged about previously. CFO Magazine interviewed several industry and academic leaders for this article - alas they didn't reach out to Visual Risk IQ, at least yet. So in today's blog, we'll summarize some of our observations and experiences about CA and contrast them to the CFO article. The centerpiece of our thoughts on CA is our proprietary maturity model, which we use to chart company-specific actions that help organizations advance on this journey. We'll also suggest one or two other organizations that CFO Magazine might talk to so that a clearer picture of CA can develop. In any case, we certainly echo the author's point, that a common, practical definition of CA is not yet accepted in the industry.

For this article, the author interviewed HCA, Microsoft, and AEP - and profiled how each organization uses CA. We feel especially qualified to comment on the article, because Kim Jones and I have been working almost exclusively on CA since our days at PwC in 2006, where he was a key team member on the Microsoft project cited in the article. We also count both HCA and AEP among our circle of friends from the speaking and writing that we each do in the Internal Audit community.

My counsel to the author would be to separate Continuous (which is really Continual) Risk Assessment from Continuous Controls Assessment. One reason there are such varying definitions of CA is that a diverse number of objectives can be accomplished with CA, and especially with Continuous Controls Monitoring for Transactions (CCM-T). Organizations that set out to allocate their audit resources based on more up-to-date information than an annual risk assessment are likely to begin their CA efforts here. Companies profiled publicly in articles and cases that match this description of CA include McDonald's and Wells Fargo; they usually have a very large number of audit entities (i.e., stores or branches), which makes it difficult to visit each entity in a three- or five-year audit cycle. We have assisted several organizations to be more like McDonald's and Wells Fargo, by using data to perform more frequent, data-driven risk assessments to allocate their audit resources. Most often, the data used for this activity is aggregate financial or operational information like Financial Performance vs. Budget, Performance Ratios, or Employee Turnover. While it appears from the quotes from Jay Hoffman at AEP that his team is doing Continuous Risk Assessment, the controls being tested per the article seem more specific to Continuous Controls Assessment, which uses data-driven techniques to provide greater depth and frequency of audit coverage.

Continuous Controls Assessment is the technique profiled in the article at HCA, AEP, and Microsoft. Instead of auditing overtime or journal entries only once every two or three years, many organizations use repeating data analysis scripts to assess the effectiveness of a control at multiple intervals during a year. These techniques can alert management to emerging issues with fraud risk or compliance, and also assist in following up on previous audit findings.

At Visual Risk IQ, we assert that "real continuous auditing" is to more fully integrate the Continuous Controls Assessment with Continuous Risk Assessment, so that audit project selection is based on the effectiveness of frequent, data-driven control assessment activities. Example: "What should be next on the audit plan - let's go to the regional office that hit their sales budget (to the penny!), but hasn't updated their allowance for doubtful accounts since the new accounting manager was hired six months ago."

I can think of two or three organizations that are doing real continuous auditing, according to this definition. Both Arrowpoint Capital in Charlotte and RLI Corporation in Peoria have presented at national and regional IIA / MISTI conferences about their CA programs, which originated with repeating the data analysis routines that were used for control assessment. While neither is a household name like Microsoft or HCA, each has been doing CA for more than five years, and each is quite mature in its use of data for both control assessment and risk assessment.

In closing, the article does a good job of distinguishing CA from CM (continuous monitoring), which is an activity performed by management. The evolution from CA to CM is a particular mark of growing CA maturity. Our work with CM, and especially CCM-T, has allowed us to help management use technology to test the right controls, at the right time, to achieve spectacularly effective results in business performance and internal controls. CA is often the first step on that journey.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Monday, September 14, 2009

IIA Presentation on Continuous Auditing - Thanks Baton Rouge!

Thanks and congratulations to the Baton Rouge IIA, who filled the room with more than 75 people for a one-hour lunchtime CPE session on making the journey from Data Analysis to Continuous Auditing. This was a terrific turnout for most any chapter, but especially for one the size of Baton Rouge, which is a testament to the effectiveness of their officer group. Thanks much Amanda, Renee, Staci and all other volunteers for their work to encourage such great attendance.

We opened the session with the thought-provoking "Did You Know" video to help the audience appreciate the rapid growth of digital information, and challenge the audit profession on how to keep pace with this growth. Sampling 25 or even 200 transactions just isn't enough when modern software allows us to test every transaction for control effectiveness, as frequently as daily or more.

Thirty of the 75+ lunchtime attendees stayed for the remainder of the afternoon for a more detailed discussion of the journey toward continuous auditing, where we explored Visual Risk IQ's proprietary continuous auditing maturity model in greater detail. During the last hour, we brainstormed ways to use disparate data for more innovative testing for identifying fraud. The group did an outstanding job, as evidenced by some of the following creative test suggestions:

- For a finance company that makes consumer loans to consolidate debt, compare the account numbers for payments made to credit card companies against the account numbers of finance company employees, to make sure that funds are not diverted at closing from the consumer taking the loan.
- For almost any organization, compare vendor addresses and phone numbers against employee home and emergency contact information in the HR and Payroll files, to find possible undisclosed conflicts.
- For a state agency, compare external information about known deceased individuals / SSNs to benefit payments made to employees and retirees.
- And many others....

In each case, the participants suspended their "I'm not sure which file to ask for" reflex and brainstormed what data would add to the effectiveness of their testing. By thinking about risk and controls, without the restrictions of "it would be difficult because....," some really excellent ideas were explored and discussed.
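The second test on that list is easy to describe and surprisingly fiddly to run, because the same phone number or street address is rarely keyed the same way in the vendor master and in the HR file. Here is an added example (my illustration, not code from the Baton Rouge session or from any Visual Risk IQ product) in Python that normalizes both sides before comparing them. The employees, vendors, field names and abbreviation table are all constructed assumptions; a production run would use a proper address standardizer and a much larger abbreviation list.

```python
"""Undisclosed-conflict test: vendor master vs. employee and emergency-contact data.

Added example, not code from the Baton Rouge session or Visual Risk IQ.
All records are constructed; the HR and vendor field names are assumptions.
"""
import re
from collections import defaultdict

# Address tokens standardized before comparison (assumed, deliberately small).
ADDR_ABBREV = {
    "street": "st", "avenue": "ave", "road": "rd", "drive": "dr", "boulevard": "blvd",
    "suite": "ste", "apartment": "apt", "unit": "apt",
    "north": "n", "south": "s", "east": "e", "west": "w",
}


def norm_phone(raw):
    """Keep digits only and drop a leading country code, so '(704) 555-0123',
    '704.555.0123' and '+1 704 555 0123' all compare as 7045550123."""
    digits = re.sub(r"\D", "", raw or "")
    return digits[-10:] if len(digits) > 10 else digits


def norm_addr(raw):
    """Lowercase, strip punctuation, and collapse common street-type words."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", (raw or "").lower()).split()
    return " ".join(ADDR_ABBREV.get(t, t) for t in tokens)


# Constructed HR extract: employee's own contact data plus emergency contact.
EMPLOYEES = [
    {"id": "E1", "home_phone": "704-555-0123", "emergency_phone": "704-555-0900",
     "home_address": "12 Oak St. Ste. 4, Charlotte, NC 28202"},
    {"id": "E2", "home_phone": "704-555-0456", "emergency_phone": "704.555.0199",
     "home_address": "77 Pine Dr, Matthews, NC 28105"},
    {"id": "E3", "home_phone": "", "emergency_phone": "",
     "home_address": "100 Main Avenue Apartment 2 Gastonia NC 28052"},
]

# Constructed vendor master extract.
VENDORS = [
    {"id": "V1", "name": "Smith Consulting LLC", "phone": "(704) 555-0123",
     "address": "12 Oak Street, Suite 4, Charlotte NC 28202"},   # E1's own phone and address
    {"id": "V2", "name": "Quick Repairs", "phone": "+1 704 555 0199",
     "address": "9 Elm Rd, Concord, NC 28025"},                  # E2's emergency contact
    {"id": "V3", "name": "Main Ave Printing", "phone": "",
     "address": "100 Main Ave., Apt 2, Gastonia, NC 28052"},     # E3's home address
    {"id": "V4", "name": "Honest Parts Ltd", "phone": "704-555-0777",
     "address": "500 Industrial Blvd, Charlotte NC 28208"},      # no overlap
]


def build_index(employees):
    """Map each normalized phone/address back to the employees and fields it came from."""
    index = defaultdict(list)
    for e in employees:
        for field in ("home_phone", "emergency_phone"):
            key = norm_phone(e[field])
            if key:                      # blank phones must not become a wildcard
                index[("phone", key)].append((e["id"], field))
        key = norm_addr(e["home_address"])
        if key:
            index[("address", key)].append((e["id"], "home_address"))
    return index


def find_conflicts(vendors, employees):
    """Return (vendor_id, employee_id, matched_field) for every overlap found."""
    index = build_index(employees)
    hits = set()
    for v in vendors:
        probes = (("phone", norm_phone(v["phone"])), ("address", norm_addr(v["address"])))
        for kind, key in probes:
            if not key:
                continue
            for emp_id, field in index.get((kind, key), []):
                hits.add((v["id"], emp_id, field))
    return sorted(hits)


if __name__ == "__main__":
    for vendor_id, emp_id, field in find_conflicts(VENDORS, EMPLOYEES):
        print(f"{vendor_id} matches {emp_id} on {field}")
```

Two details matter in practice. Blank phone numbers are skipped before indexing; otherwise every vendor with no phone on file would "match" every employee with no phone on file. And the emergency-contact phone is indexed alongside the employee's own, since a vendor set up in a spouse's or relative's name is the textbook version of this scheme. The same index-then-probe pattern handles the third bullet (a deceased-persons list joined to benefit payments on SSN); only the key changes.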


Wednesday, August 26, 2009

Word of the Day (Month!) - Could technology be a "Gister?"

I'm reading another of Dan Brown's fast-paced and thought-provoking novels. (Brown wrote The Da Vinci Code and Angels & Demons.) It's an earlier one, titled Deception Point, and it features a character whose job is my new favorite word, even though the word seems to have been made up by the author.

The character (Rachel Sexton) is a "gister" or data summarizer for the National Reconnaissance Office. A "gister" reduces complex reports into single-page briefs. After reading a few Federal OIG audit reports for Research Universities, I'd like to have Ms. Sexton's help, as even the OIG's executive summaries need a little "gisting."

Perhaps a bit like an audit executive who condenses the last three months of their audit staff's activity into a briefing for the Audit Committee. Or the auditor who analyzes 100,000 expense reports with a query tool to identify how many do or do not comply with a particular policy.

How are you and your team reviewing complex data to get to the gist of an issue? Are there any tools that you are using? Why? Let us know...

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Tuesday, August 18, 2009

Setting IIA / ISACA speaking dates this fall

Continuous auditing and data analysis remains a very hot topic, as evidenced by our uptick in speaking requests this fall from IIA and ISACA chapters. Several dates are already set in the next few months, and requests continue to come in for programming and education that help audit and finance leaders understand and quickly apply latest thinking in data analysis techniques.

We have content already developed for 1/2 day and full day programs, in addition to executive briefings that are ideal for IIA District or Regional Conferences.

Some representative Data Analysis and Continuous Auditing speaking events include:
  • September 11, 2009 - Baton Rouge IIA Chapter. 1/2 day session
  • September 16, 2009 - Greensboro, NC IIA Chapter. Full-day session on Data Analysis, with Tableau software and Audimation
  • October 7, 2009 - Columbia, SC - ISACA Chapter. Full-day session on Data Analysis and Continuous Auditing
  • November 18, 2009 - Greensboro, NC IIA Chapter. Full-day session on Continuous Auditing, with David Payseur of Arrowpoint Capital and Dr. George Aldhizer from Wake Forest University.
Other events are in discussion and may soon follow. Contact us for information regarding a similar CPE event for your local chapter or district conference.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Sunday, August 9, 2009

Anything worth doing is worth doing well - and Often!

I had a discussion today with a panelist who will be speaking about Continuous Auditing / Continuous Controls Monitoring at an IIA Chapter meeting later this month. The panelist's shared services group uses a leading CCM system for one very specific business area - Travel & Entertainment. They have had a very favorable ROI from their use of CCM, and users in Finance, Internal Audit, and elsewhere all appreciate the workflow capabilities of their CCM system. Users, and especially management, recognize that the workflow capabilities and the frequent extraction capabilities are a quantum leap forward from ERP query tools and data analysis tools like ACL and IDEA. Instead of spending time extracting data and running scripts, the CCM solution automates those steps and allows more time for researching and resolving issues.

He asked me what other business processes make good applications for CCM, and I shared that there are a variety of application areas - everything from review of manual journal entries to Accounts Payable disbursements to Grants and Contracts in Higher Education, across multiple industries and multiple systems.

So whether it's updating an audit plan quarterly instead of annually, or analyzing manual journal entries for fraud or error monthly instead of quarterly, if it's worth doing, ask how you might do it more frequently. With modern CCM tools, you'll find that many important financial control activities can be done well, and Often!

Tuesday, August 4, 2009

When the Going Gets Tough, the Tough Go Shopping (around)

You've got to like a headline like this, regardless of the substance of the article. But the good news is that the substance of this article (from the Chronicle of Higher Education) is almost as good as the headline. For both universities and for commercial enterprises. Purchasing projects, especially for indirect categories, represents an excellent opportunity to improve the bottom line. These services can be bought from traditional consulting firms like Bain, McKinsey, or Accenture, and also from niche firms who specialize in only these Purchasing services.

Also interesting, though not in the Chronicle's article, is the potential synergy between improving Purchasing and CCM-T. In the last few years, we've had deep-dive meetings with a number of firms who specialize in SG&A cost reduction and vendor negotiation. It has become clear that among their most distinctive strengths are data analysis and negotiation. Their projects are net cash flow positive, funded by realized, hard-dollar savings, and paid on a contingent fee.

Once new contracts are re-negotiated, the firms review actual spending and compute realized savings in order to compute their fees, and that is where the opportunity for CCM-T lies. Just as Visual Risk IQ has implemented CCM-T to review invoices and invoice lines for suspicious, fraudulent, or duplicate payments, we can also configure CCM-T to review invoice lines for rogue or unauthorized spending with non-preferred vendors.

So if you're a CCM-T user looking for improved business value from your implementation, or a finance, audit, or procurement executive looking to improve your bottom line through an evaluation of your Purchasing group, let us know. We know some great places to shop!

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Wednesday, July 22, 2009

Conflict of Interest - the Power of External Databases

As my last post on DoD indicated, there are some real gems waiting to be mined when comparing internal data to external data for fraud and abuse. Today's Chronicle of Higher Education reports a two-month old WSJ and UPI Story about a UCLA Surgeon who received more than $450,000 in payments from Medical Device companies, but repeatedly failed to disclose that outside income on conflict of interest forms required by the University.

Senator Charles Grassley is regularly in the news for advocating a national law (the Physician Payments Sunshine Act) that would require disclosure of speaking fees. Currently, state laws and individual academic institutions each set their own policies and monitoring requirements.

The Chronicle opined that "Universities also need to pay more attention to whether they review research activities by their own staff that may damage their institutional reputations even though the work involves outside facilities, Ms. Chimonas said. The case of Dr. Wang may prove a strong incentive for UCLA to do so. Even within the same statewide system, she said, there are campuses such as the University of California at Davis that have taken a much more aggressive definition of how they monitor outside research by university faculty members.

Institutions such as UCLA could be realizing the danger of ignoring outside research work, Ms. Chimonas said. "This may be a wake-up call for a lot of institutions who have been thinking, 'Well, this has nothing to do with us,'" she said."

Comparing internal data against external databases such as the Excluded Parties List System (the list of federally debarred parties) or the OFAC sanctions list is a high-value audit test, and it becomes more valuable as the frequency is increased from annual to quarterly or more often. UCLA's situation with Dr. Wang, especially because of the reputation risk, calls for better monitoring of external databases.
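
As an added example of what such a comparison looks like in practice (this is illustrative code written for this post, not Visual Risk IQ's or any vendor's product), the routine below screens a vendor master file against a watch list. The EPLS and OFAC lists are distributed in their own formats; the field names, the corporate-suffix list, the similarity cut-off and every vendor and list record here are constructed assumptions. The point it makes that the paragraph does not: a raw name comparison misses "Acme Widgets, Inc." against "ACME WIDGETS INCORPORATED", so names have to be normalized, a tax ID match should be tested independently of the name, and fuzzy matches need a threshold you tune to your own false-positive tolerance.

```python
# Added example (not code from the original post or from Visual Risk IQ):
# screening a vendor master file against an external watch list such as the
# EPLS or the OFAC sanctions list. Record layouts, field names and every
# record below are constructed assumptions for illustration.
import re
from typing import Dict, List, Optional

# Corporate suffixes that should not drive a match (assumed list).
_SUFFIXES = {"inc", "incorporated", "llc", "ltd", "limited", "corp",
             "corporation", "co", "company", "plc"}
_NON_ALNUM = re.compile(r"[^a-z0-9 ]+")


def normalize_name(name: str) -> str:
    """Lower-case, replace punctuation with spaces, drop corporate suffixes."""
    s = _NON_ALNUM.sub(" ", name.lower().replace("&", " and "))
    return " ".join(t for t in s.split() if t not in _SUFFIXES)


def normalize_tin(tin: Optional[str]) -> str:
    """Keep digits only, so '12-3456789' and '123456789' compare equal."""
    return re.sub(r"\D", "", tin or "")


def token_overlap(a: str, b: str) -> float:
    """Jaccard similarity of the token sets of two normalized names."""
    ta, tb = set(a.split()), set(b.split())
    return len(ta & tb) / len(ta | tb) if ta and tb else 0.0


def screen_vendors(vendors: List[Dict], watchlist: List[Dict],
                   threshold: float = 0.6) -> List[Dict]:
    """Return one hit per (vendor, list entry) pair, with the strongest reason.

    Matching order: identical TIN, then identical normalized name, then
    token overlap at or above `threshold` (assumed cut-off; tune to your data).
    """
    hits = []
    for v in vendors:
        v_name, v_tin = normalize_name(v["name"]), normalize_tin(v.get("tin"))
        for w in watchlist:
            w_name, w_tin = normalize_name(w["name"]), normalize_tin(w.get("tin"))
            if v_tin and v_tin == w_tin:
                reason = "tin_match"
            elif v_name == w_name:
                reason = "name_exact"
            elif token_overlap(v_name, w_name) >= threshold:
                reason = "name_fuzzy"
            else:
                continue
            hits.append({"vendor_id": v["vendor_id"], "vendor_name": v["name"],
                         "list_source": w["source"], "list_name": w["name"],
                         "reason": reason})
    return hits


# Constructed sample data (not real vendors or real list entries).
VENDORS = [
    {"vendor_id": "V001", "name": "Acme Widgets, Inc.", "tin": "12-3456789"},
    {"vendor_id": "V002", "name": "Global Trading Company LLC", "tin": "98-7654321"},
    {"vendor_id": "V003", "name": "Northside Medical Supply", "tin": "55-5555555"},
    {"vendor_id": "V004", "name": "GLOBAL TRADING CO", "tin": None},
    {"vendor_id": "V005", "name": "Sunrise Consulting Group", "tin": "11-1111111"},
]
WATCHLIST = [
    {"source": "EPLS", "name": "ACME WIDGETS INCORPORATED", "tin": "123456789"},
    {"source": "OFAC", "name": "Global Trading Co., Ltd.", "tin": None},
    {"source": "EPLS", "name": "Sunrise Consulting", "tin": "555555555"},
]

if __name__ == "__main__":
    for h in screen_vendors(VENDORS, WATCHLIST):
        print(f'{h["vendor_id"]} {h["vendor_name"]!r} -> {h["list_source"]} '
              f'{h["list_name"]!r} [{h["reason"]}]')
```

Run against the constructed data, V003 is caught only by its tax ID (the names share nothing), V004 is caught only by its normalized name (it has no TIN on file), and V005 surfaces as a fuzzy match that an analyst still has to clear. Each of those is a case a single-field comparison would miss, which is why the test is worth running every time the vendor master or the external list changes rather than once a year.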

What external databases are your organizations monitoring? How often? What are the more interesting findings? Please comment - all input is welcomed!

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Monday, July 20, 2009

The Value of Frequency - how the Defense Department paid millions in wages to invalid accounts

Last week, the Office of Inspector General for the Department of Defense (DOD) issued Report 2009-092, titled "Validity of DOD Civilian Employee Accounts." As widely reported on CNN and elsewhere, the report found that the DOD's payroll system included invalid Social Security numbers, employees under the legal employment age, and multiple employee accounts that shared the same bank account. As a result, DFAS (the Defense Finance and Accounting Service, DOD's finance arm) may have paid approximately $15.4 million to more than 2,300 invalid DOD civilian employee accounts from January 2002 through April 2008 (excluding 2007).

These payments represent fraud and misuse of tax dollars, but because the audit was a point-in-time review looking backward over a very long period (six years!), it is highly likely that the money will never be recovered.

Had the DOD used technology like Continuous Controls Monitoring for Transactions (CCM-T), which can compare every SSN in the master file and in each payment file against lists of suspicious SSNs, such as the Social Security Death Index, they could have known of the errors PRIOR to payment. The more frequently the data is compared, the more valuable the analysis becomes.
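
To make that concrete, here is an added example (written for this post; it is not the IG's audit program, DFAS code, or a Visual Risk IQ product) of the three account-validity tests the report names, plus a death-list comparison, applied to a single pay file before it is released. The pay-file layout, the minimum employment age (defaulted to 16 here as an assumption; set it to the rule that applies to you), and every employee record are constructed. The SSN structure test uses the well-known rules that area 000, 666 and 900-999, group 00 and serial 0000 are never issued.

```python
# Added example (not from the original post, the DoD IG report or Visual Risk IQ):
# the three account-validity tests named in the report, plus a comparison
# against a death list, run over one pay file before it is released.
# Field names, the minimum-age default and every record are constructed assumptions.
import re
from collections import defaultdict
from datetime import date
from typing import Dict, List, Set, Tuple

_SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")


def ssn_is_plausible(ssn: str) -> bool:
    """Structural SSN check: 9 digits; area not 000, 666 or 900-999;
    group not 00; serial not 0000."""
    m = _SSN_RE.match(ssn)
    if not m:
        return False
    area, group, serial = (int(x) for x in m.groups())
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


def age_on(dob: date, as_of: date) -> int:
    """Whole years between dob and as_of."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def check_pay_file(records: List[Dict], deceased_ssns: Set[str], as_of: date,
                   min_age: int = 16) -> Tuple[List[Tuple[str, str]], int]:
    """Return (findings, dollars_at_risk).

    findings is a list of (employee_id, flag); dollars_at_risk is the sum of
    net pay for every employee with at least one flag, i.e. the amount that
    can be held back before the run goes out rather than chased afterwards.
    """
    findings = []
    by_account = defaultdict(list)
    for r in records:
        by_account[r["bank_account"]].append(r["employee_id"])
        digits = re.sub(r"\D", "", r["ssn"])
        if not ssn_is_plausible(r["ssn"]):
            findings.append((r["employee_id"], "invalid_ssn"))
        elif digits in deceased_ssns:
            findings.append((r["employee_id"], "deceased_ssn"))
        if age_on(r["dob"], as_of) < min_age:
            findings.append((r["employee_id"], "underage"))
    # Two or more employee accounts paid into one bank account.
    for emps in by_account.values():
        if len(emps) > 1:
            findings.extend((e, "shared_bank_account") for e in emps)
    flagged = {e for e, _ in findings}
    at_risk = sum(r["net_pay"] for r in records if r["employee_id"] in flagged)
    return findings, at_risk


# Constructed pay file (these are not real people or real SSNs).
PAY_FILE = [
    {"employee_id": "E100", "ssn": "123-45-6789", "dob": date(1970, 5, 2),
     "bank_account": "021000021:1111", "net_pay": 3200},
    {"employee_id": "E101", "ssn": "000-12-3456", "dob": date(1985, 8, 19),
     "bank_account": "021000021:2222", "net_pay": 2900},
    {"employee_id": "E102", "ssn": "234-56-7890", "dob": date(2001, 3, 15),
     "bank_account": "021000021:3333", "net_pay": 2500},
    {"employee_id": "E103", "ssn": "345-67-8901", "dob": date(1962, 11, 30),
     "bank_account": "021000021:4444", "net_pay": 4100},
    {"employee_id": "E104", "ssn": "456-78-9012", "dob": date(1975, 1, 9),
     "bank_account": "021000021:4444", "net_pay": 3900},
    {"employee_id": "E105", "ssn": "567-89-0123", "dob": date(1940, 6, 21),
     "bank_account": "021000021:5555", "net_pay": 3000},
    {"employee_id": "E106", "ssn": "987-65-4321", "dob": date(1980, 2, 2),
     "bank_account": "021000021:6666", "net_pay": 2700},
]
DECEASED_SSNS = {"567890123"}   # constructed death-list extract, digits only
AS_OF = date(2008, 4, 30)       # pay date of this run

if __name__ == "__main__":
    findings, at_risk = check_pay_file(PAY_FILE, DECEASED_SSNS, AS_OF)
    for emp, flag in findings:
        print(emp, flag)
    print("held before payment:", at_risk)
```

Because the routine runs on the pay file itself, every flag is raised before the payment exists. The same six tests run once against six years of history would find the same accounts, but at that point the finding is a recovery, not a prevention, which is the whole difference frequency makes.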

And the cost of implementation is a tiny fraction of the $15 million spent on erroneous payments. Factor in the time value of money (errors go back to 2002!) and the reputation risk associated with such errors, and CCM-T looks better and better.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Tuesday, July 14, 2009

University Business - 101 Ways to Raise Revenue or Decrease Costs

In addition to being a regular reader of the Chronicle of Higher Education, I've also become a reader of and subscriber to University Business (UB). Unlike the Chronicle, UB is free to qualified subscribers, and they have an outstanding digital archive of previously published articles.

One that grabbed my attention this week is an archived (pre-recession!) article titled 101 Smart Revenue Generators and Money Saving Ideas. After all, who wouldn't like a little more on the top line and on the bottom line, regardless of whether you're for-profit or non-profit?

What strikes me as noteworthy about the article is that most (including the first few!) of the revenue-generating ideas are actually related to expense control and expense reduction. Some are traditional vendor negotiation strategies, like the work Visual Risk IQ does together with its partner Third Law Sourcing, while others are P-Card programs. Many can benefit from CCM-T, and many are worth a fresh read or re-read, given the current state of the economy.

Feel free to add Comments on your strategies for trimming costs or raising revenue in today's challenging times. Success stories are always welcome!

Joe Oringel
Visual Risk IQ, LLC
Charlotte NC, USA

Wednesday, July 8, 2009

Observations from Recent, Local Frauds in Charlotte NC

Several folks commented on my recent tweets about local fraud and embezzlement, first at UNC-Charlotte and again at Mecklenburg County, specifically within the Department of Social Services. The Fraud Triangle teaches us that as long as there is Pressure / Incentive (I really need the money), Rationalization (other people do it, I'll pay it back, etc.) and Opportunity (I won't get caught because...), fraud can and will occur and recur.

My own experience is that these three elements of the fraud triangle are closely related, and that Opportunity needs to be re-evaluated, especially as Incentive increases. Today's economic times are proving this need most everywhere we look, yet we still see only a few companies actively changing and increasing how they monitor for potential fraud, despite the availability of very effective, modern tools for fraud detection, like the CCM-T tools from Oversight and Approva.

A specific example: during my Big 4 accounting firm days, I led a team that audited the procedures used to produce scratch-off lottery tickets. When we started, the largest prize awarded was $5,000 or $10,000. While internal controls were always very good (i.e. Opportunity = Low), there were still a number of people at the ticket printer and at the Big 4 firm who had access to information that might help locate a batch of 250 tickets that would likely contain a $5,000 or $10,000 winner.

The likelihood that a person would risk their career to steal $5,000 or $10,000 (two to six months' net pay) was pretty low. But then the ticket printer and state lotteries began printing tickets with $100,000 and eventually $1,000,000 prizes. That represented at least a year, or even 20 years or more, of net pay. What a powerful Incentive!

This change in Incentive was a trigger for us to re-evaluate internal controls, because the greater temptation now needed a corresponding decrease in Opportunity. In addition to our agreed-upon procedures to evaluate controls over ticket production, we began a continual security review, which included review of other controls that would identify who might be accessing information that could allow a large winning ticket to be located. We publicized the continual security review within the company (and the Big 4 team!), so that the decreased Opportunity was understood by anyone who might have been tempted.

As staffs are cut and monitoring controls become less frequent, what is your organization doing to reduce the Opportunity for fraud? For a couple of high-profile cases in Charlotte, it's clear that more needs to be done.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Friday, June 12, 2009

Stimulus Fraud Could hit $50 Billion. How could CCM-T help?

A MarketWatch article quotes FBI Director Robert Mueller on the potential fraud risks related to stimulus money: "These funds are inherently vulnerable to bribery, fraud, conflicts of interest and collusion. There is an old adage, that where there is money to be made, fraud is not far behind, like bees to honey," Mueller told an afternoon gathering of business executives.

In reviews of duplicate payments and overpayments using CCM-T technology from Oversight, Apex Analytix, and/or ACL, we typically find an error rate of 0.1 to 0.5%, or approximately $1,000 to $5,000 for every million dollars in spending.

Fraud statistics from the FBI and ACFE suggest higher losses, often much higher. Our experience is that fraud losses are harder to detect, especially without the more sophisticated automation provided by CCM-T. But the risk is clearly there, and the reputation risk may be greater than the financial loss.

Ask your internal audit or general counsel what your firm is doing to proactively find fraud, waste, and errors in your Accounts Payable and P-Card spend. If you don't like the answers - call us. We can help.

Thursday, June 11, 2009

The Red Flags Rule: What Utility Companies Need to Know About Complying with New Requirements for Fighting Identity Theft (source: www.FTC.gov)

Visual Risk IQ is currently working on a continuous controls monitoring for transactions (CCM-T) project for a utility company, specifically focused on FACTA and the Red Flags requirements. Through a series of customized risk and performance checks, we will be assisting the utility to monitor its new and existing customers for red flags related to fraud and identity theft. While the CCM-T component is only one part of a comprehensive set of policies, procedures, and new work processes, it is an integral component that will enable the utility to achieve compliance and reduce the potential fraud often associated with theft of service and bad debt.

For more information on FACTA requirements specific to utilities, see the article below, from the FTC's web site on the Red Flags Rule and FACTA.

The article below was originally published by Tiffany George and Pavneet Singh on FTC.gov.

As many as nine million Americans have their identities stolen each year. The crime takes many forms. Thieves may buy a car, get a credit card, or establish gas, water, or electric service using someone else’s identity. The cost to business can be staggering as well, with charges racked up by identity thieves unpaid and uncollectible. In addition, crooks may use proof of utility service to get driver’s licenses illegally or to apply for government benefits using a bogus address.

Utility companies may be the first to spot the “red flags” of identity theft, including suspicious activity suggesting that thieves may be using stolen information to establish service. That’s why you need to know about a new law – called the Red Flags Rule – that requires many businesses, including most companies that provide utility services to consumers, to spot the red flags that can be the telltale signs of identity theft. Under the Red Flags Rule, which the Federal Trade Commission (FTC) will begin enforcing on August 1, 2009, companies covered by the law must develop a written Identity Theft Prevention Program. Is your utility required to comply with the Red Flags Rule? If so, have you developed your program to detect, prevent, and minimize the damage that could result from identity theft?

WHO MUST COMPLY

Companies that provide utility services are covered by the Rule if they are “creditors” with “covered accounts.” A creditor is a business or organization that regularly defers payments for goods or services. The Rule defines a “covered account” as a consumer account that allows multiple payments or transactions – for example, a standard household utility account – or any other account with a reasonably foreseeable risk of identity theft. Even government agencies and publicly-owned utilities may be “creditors” covered by the Rule.

Because the Rule is geared to the types of accounts that are targeted by identity thieves, the determination of whether the law applies to your business or organization isn’t based on your status. Rather, it’s based on whether your organization’s activities fall within the relevant definitions. It boils down to this: If your utility regularly bills customers after services are provided, you are a creditor under the new law and will have to develop a written program to identify and address the red flags that could indicate identity theft in your covered accounts.

SPOTTING RED FLAGS

The Red Flags Rule gives utilities the flexibility to implement an identity theft prevention program that best suits the operations of their business, as long as it conforms to the Rule’s requirements. You may already have a fraud prevention or security program in place that you can use as a starting point.

If you’re covered by the Rule, your program must:

  1. Identify the kinds of red flags that are relevant to your business;
  2. Explain your process for detecting them;
  3. Describe how you’ll respond to red flags to prevent and mitigate identity theft; and
  4. Spell out how you’ll keep your program current.

What red flags signal identity theft? There’s no standard checklist. Supplement A to the Red Flags Rule – available at ftc.gov/redflagsrule – sets out some examples, but here are a few warning signs that may be relevant to utilities:

  • Suspicious documents. Has a new customer given you identification documents that look altered or forged? Is the physical description on the identification inconsistent with what the customer looks like? Is other information on the identification inconsistent with what the customer has told you? Under the Red Flags Rule, you may need to ask for additional information.
  • Suspicious personally identifying information. Personal information that doesn’t match what you’ve learned from other sources also may be a red flag of identity theft. For example, if you pull a credit report based on the prospective customer’s Social Security number and the report comes back under someone else’s name, fraud could be afoot. A billing address that appears to be fictitious also could signal a problem.
  • Suspicious activities. Did a new customer fail to make the first payment or make an initial payment but no others? Did payments abruptly stop on an otherwise up-to-date account? Did a customer’s use pattern suddenly change? For example, are you detecting unusual activity on what’s always been a “snowbird” account? Is mail returned repeatedly as undeliverable even though transactions still are being conducted on the account? Are utilities still being used after a known move-out? Trust your gut when something seems questionable. These questionable activities may be red flags of identity theft.
  • Notices from victims of identity theft, law enforcement authorities, or others suggesting possible identity theft. Have you received word about identity theft from another source? Cooperation is key. Heed warnings from others that identity theft may be ongoing.

SETTING UP YOUR IDENTITY THEFT PREVENTION PROGRAM

Once you’ve identified the red flags that are relevant to your utility, your program should include the procedures you’ve put in place to detect them in your day-to-day operations. Your program also should describe how you plan to prevent and mitigate identity theft. How will you respond when you spot the red flags of identity theft? Will you close questionable accounts or monitor them more closely? Will you contact the customer directly? When automated systems detect red flags, will you manually review the file? If you’re notified that an identity thief has run up bills using another person’s information, how will you ensure that the debt is not charged to the victim? Your response will vary depending on the circumstances and the need to accommodate other legal obligations – for example, laws regarding the provision and termination of utility service. Finally, your program must consider how you’ll keep it current to address new risks and trends.

No matter how good your program looks on paper, the true test is how it works. According to the Red Flags Rule, your program must be approved by your Board of Directors, or if you don’t have a Board, by a senior employee. The Board may oversee the administration of the program, including approving any important changes, or designate a senior employee to take on these duties. Your program should include information about training your staff and provide a way for you to monitor the work of your service providers – for example, those who manage your debt collection operations. The key is to make sure that all members of your staff are familiar with the Rule and your new compliance procedures.

WHAT’S AT STAKE

Although there are no criminal penalties for failing to comply with the Rule, violators may be subject to financial penalties. But even more important, compliance with the Red Flags Rule assures your customers that you’re doing your part to fight identity theft.

Looking for more information about the Red Flags Rule? The FTC has published Fighting Fraud with the Red Flags Rule: A How-To Guide for Business, a plain-language handbook on developing an Identity Theft Prevention Program. For a free copy of the Guide and for more information about compliance, visit ftc.gov/redflagsrule. In addition, the FTC has released a fill-in-the-blank form for businesses and organizations at low risk for identity theft. The online form offers step-by-step instructions for creating your own written Identity Theft Prevention Program. You can fill it out online and print it. The do-it-yourself form is available at ftc.gov/redflagsrule.

Questions about the Rule? Email RedFlags@ftc.gov.

Tiffany George and Pavneet Singh are attorneys with the Federal Trade Commission’s Division of Privacy and Identity Protection.

Tuesday, June 2, 2009

CFO Magazine profiles Continuous Auditing / Continuous Controls Monitoring

CFO Magazine's June issue has a feature story on the 24 x 7 continuous auditing approach that has been implemented at several organizations, including Harrah's, Siemens Financial Services, and British Columbia's Ministry of Finance. Interestingly, the article is filed in CFO's "Technology" section and emphasizes the IT component of the respective initiatives.

Those of you who have met my partner Kim Jones or me know that we believe technology is only part of any continuous auditing or continuous controls monitoring for transactions (CCM-T) initiative. I found that point reinforced by the first comment on the CFO.com article, about monitoring still being a detective, not a preventive, control. At Visual Risk IQ, we believe that process is key. By designing the process (e.g. review of P-Card or Accounts Payable transactions) so that CCM-T exceptions are resolved PRIOR TO PAYMENT, the monitoring activity actually becomes a preventive control.

Interesting too that all the companies profiled are ACL CCM customers, and that customers of Apex Analytix, Approva, Oversight Systems, and industry-vertical CCM solutions like Actimize (banking) or XBR (retail) were not included in the article. I would have been even more interested to see any trends or patterns across customers of several different vendors.

Despite the improvement opportunities if we had been contacted for quotes (smile), it's a pleasure to see the topics of continuous auditing and continuous controls monitoring receiving such great publicity. As I write this, the article is both the most viewed and most emailed article of the day on CFO.com. Check back and see what kind of staying power the subject can achieve.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Monday, May 18, 2009

Visual Risk IQ to present at Blue Cross / Blue Shield Internal Audit and Fraud Conference

Just wrapped up the speaker notes for tomorrow's presentation at the National Internal Audit and Fraud Conference for Blue Cross / Blue Shield. I'll be co-presenting with Chicago-based Vonya Global; partner Veronika Fritz will be joining me for tomorrow's presentation.

As we tweeted last month, there are few industries with data challenges quite like HealthCare, and this conference has many of the audit and risk officers from big, influential players. Think about the number of Explanations of Benefits (EOBs) that you've ever received. How many of them actually explained things so you understood them? Were the charge amounts right? The first time?

CCM-T is all about increasing the depth and frequency of data analysis, so anomalies and errors are identified earlier in the process. There is a large and growing subindustry within HealthCare that pays for itself simply by correcting billing errors AFTER the fact. What would it be worth to get every invoice right, the first time, before it's sent? CCM-T can help.

Our slides and Q&A from the session should be posted later this week. Or better yet, meet us in St. Louis!

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Tuesday, May 12, 2009

APEX Analytix, Inc. Acquired by PNC Equity Partners, II, L.P.

Some M&A activity in the Continuous Controls Monitoring (CCM) space this week. For those of you unfamiliar with Apex Analytix, they are an AP-focused player in CCM, with a long heritage in recovery audit services.

In our opinion, their point of distinction in the CCM space has been their move from being a services-only firm to a technology-enabled services firm. They now sell the software (called FirstStrike) that they previously developed for "internal use" on their recovery audit projects. Visual Risk IQ is an affiliate partner of Apex, and uses output from FirstStrike as one of many inputs for a Continuous Risk Assessment program that we've implemented for one of our clients.

Stay tuned for updates on what the acquisition may mean for Apex.

FTC Relaxes Enforcement Date on FACTA Red Flag rules. More time to implement CCM-T for Compliance

FTC Grants Three-Month Delay of Enforcement of ‘Red Flags’ Rule Requiring Creditors and Financial Institutions to Adopt Identity Theft Prevention Programs (source: FTC.gov - April 30, 2009)

The Federal Trade Commission will delay enforcement of the new “Red Flags Rule” until August 1, 2009, to give creditors and financial institutions more time to develop and implement written identity theft prevention programs. For entities that have a low risk of identity theft, such as businesses that know their customers personally, the Commission will soon release a template to help them comply with the law. This announcement does not affect other federal agencies’ enforcement of the original November 1, 2008 compliance deadline for institutions subject to their oversight.

As many of you know, Visual Risk IQ was a sponsor at MISTI's SuperStrategies Conference in mid-April, and the conference provided us the opportunity to network with Internal Audit and GRC professionals from all over the US, including a mix of consulting firms and medium and large businesses. Awareness of FACTA compliance at the conference was clearly mixed, with some firms, such as those in Utilities, Financial Services, and Healthcare, having large projects or program offices established to address compliance, and other firms in the same industries being wholly unfamiliar with the regulation.

For more information on FACTA and the red flag compliance rules, please see the following resources:

FTC's web site on Red Flag Rules

FTC's Article Summary

What is happening at your organization? How is this relaxed enforcement date affecting your organization? Why?

Friday, April 24, 2009

Learning ERM from a 100-year old Start-Up - LINK TO SLIDES ADDED

As mentioned earlier today, David Fox of KBR was the guest speaker at NC State's ERM Roundtable in Raleigh. His slides will be shared and linked next week, and are definitely worth a view. All good stuff.

A speaker abstract and slides are now available at NC State's website.

KBR is the Houston-based, $11+ billion engineering and construction firm that was spun out from Halliburton in 2007. At the time of the transaction, KBR was living in the shadow of FCPA wrongdoing, missteps of more than one hundred million dollars on long-term projects and equity investments, and a host of cultural challenges related to being a start-up.

Unlike many previous ERM speakers, David did not advocate a complex or elaborate risk system. He sees his role as a facilitator, helping KBR management talk about the key risks that could decrease the likelihood of business objectives being achieved, and the mitigants for those risks.

The best sound bites relate to David's own "risk management" of raising three teenage boys. Values, not dashboards, are his key to helping ensure the outcomes that he wants for his teenagers. Simplicity is key. Stay tuned for more interesting information on his CPE session.

NC State ERM Roundtable - GREAT Session from David Fox of KBR

Attended this morning's session in Raleigh for NC State's ERM Roundtable and had the pleasure to hear some thought-provoking ideas from both Dr. Mark Beasley (NC State) and David Fox of KBR in Houston. Thank you to Oversight Systems for their sponsorship of the event.

More on David's presentation later today, but for now here are a couple of resources that we know will be of interest to the ERM and Internal Audit communities.

1) AICPA's research on the Current State of Enterprise Risk Oversight, published April 2009.

Research by the American Institute of Certified Public Accountants (AICPA) and the NC State ERM Initiative finds that while the volume and complexity of risks are increasing extensively, risk oversight is fairly immature, ad hoc, and a source of frustration for the over 700 executives surveyed. Some great factoids from the survey...
  • Over 1/3 of organizations surveyed note they were caught off guard by an operational surprise either "Extensively" or "A Great Deal" in the last five years. Another 1/3 of organizations faced a "Moderate" operational surprise.
  • Almost half (47%) stated that they are "Not at All Satisfied" or only "Minimally" satisfied with the nature and extent of reporting of key risk indicators to senior executives regarding the entity's top risk exposures.
But
  • 44% of organizations surveyed have no enterprise-wide risk management process in place and no plans to implement one.
  • An additional 18% without ERM processes in place indicate they are currently investigating the concept, but have made no decisions about implementing ERM.
Said in a sentence or two: firms have been bitten by risk, they are not satisfied with executive and board-level reporting about risk, but they're not doing much about it. No wonder ERM is so hard!

Read more about Enterprise Risk Management at NC State's very thoughtful and thought-provoking Portal.


Sunday, April 19, 2009

SuperStrategies 2009 Reflections

Kim and I spoke at SuperStrategies 2009 in Las Vegas last week, where our topic was Finding Money and Detecting Fraud with Transaction Monitoring. The session was well-attended and provided some nice opportunities to meet some new friends and prospects, as well as connect with several alliance partners, including ACL, IDEA, and Oversight Systems.

Our conference presentation is available for download on LinkedIn and SlideShare.

Data analysis and continuous auditing clearly remained top of mind for most internal audit and ERM executives, especially as firms are all challenged to do more with less. A number of excellent presenters also shared their experience in the area, including RLI Insurance, HCA, and Continental Airlines. It was especially encouraging to hear the keynote panel's predictions for the future, and have each point toward data analysis and continuous auditing as a continued area of focus.

Conference takeaways related to data analysis included: comparing relative size factor on invoices and POs (HCA); a team award for the data analytic innovation of the month (Bristol-Myers Squibb); geocoding and Q-grams (RLI); and reading your competitors' 10-Ks for risk assessment input factors (Protiviti).

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Sunday, April 12, 2009

Are you a creditor? How FACTA compliance may affect your organization

It is not uncommon today for people to rarely carry cash or coin on their person, and why would they need to? Most vendors accept credit/debit cards (one notable exception is Price's Chicken Coop in Charlotte, NC; you must have cash, and you had better know EXACTLY what you want to order when the cashier engages you. One wrong word and you get a quick rebuke!). We live in a credit society. Who are the creditors?

FACTA defines the terms “credit” and “creditor” the same as section 702 of the Equal Credit Opportunity Act:
• The term "credit" means the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefore.
• The term "creditor" means any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew, or continue credit.

This definition of creditor casts a large and wide net. In fact, the American Medical Association (AMA) recently wrote the FTC, essentially pleading for an exemption from FACTA's covered accounts. However, in response, the FTC stated that it "believe[s] that the plain language and purpose of the Rule dictate that health care professionals are covered by the Rule when they regularly defer payment for goods or services. We also believe that implementation of the Rule will help reduce the incidence of medical identity theft; and that the burden on health care professionals need not be substantial."

We seem to be getting further from the typical line of thinking about the terms creditor and identity theft, but now that so many of our financial transactions are carried out electronically, the door is wide open to applying the term "creditor" to most any firm.

Firms should consider implementation of a solid continuous controls monitoring for transactions (CCM-T) framework that can help them comply with the FACTA Red Flag Rules. More information on FACTA and CCM-T's application for FACTA compliance in the coming weeks.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Tuesday, April 7, 2009

Presentation to IIA Charlotte with Don Sparks

On March 31, Don Sparks (Audimation / IDEA) and I facilitated a day of continuing professional education (CPE) for the Charlotte IIA on the topics of data mining and continuous auditing. To the chapter's surprise and delight (and ours), more than 100 people signed up and attended, making the event a sell-out.

A common theme among the audit teams in attendance was that they are being asked to do much more with less this year, and their focus therefore is turning to data analysis. Some advanced users were in the room and contributed significantly (Thanks Mark LeRoy from Wells Fargo and the whole team from Arrowpoint Capital!). Several groups have made the transition from one-time use of data analysis to more frequent, interval-based analysis. These steps are critical on any journey toward continuous auditing, and it was energizing to hear of the successes.

Most teams are just getting started, and familiar roadblocks such as access to data were heard. The most valuable component of the day was the facilitated sessions where tables collaborated on designing and identifying data analysis routines that they were running or would like to run in the near future. We distributed a list of recommended routines for common business processes, and also shared additional lists by industry for HealthCare, Retail, Financial Services, and Manufacturing. All were particularly well received, and were distributed both during the class and by email to those who requested soft copies.

For future sessions, Don and I would plan to have a larger room, with flipcharts, so participants can share both questions and successes with other participants. Look for a new and improved session at your IIA chapter in the near future, or contact one of us to bring such a presentation to your local chapter.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Monday, April 6, 2009

Monitoring and Preventing Insider Theft

In the course of identifying and preventing potential identity theft incidents, it is important to consider how the information could be used for ill-gotten gain. It is also important to know how that information is accessible. For especially valuable information, it is reasonable to expect outsiders to try to gain access: the call center inquiry asking to change an account's physical address, the probing for weaknesses in procedure... but what of the insiders who have greater access to the precious information?

Blue Lance recently blogged on the vulnerability of the information security firm Symantec and their recent insider theft incident. This shows how any firm, ANY, is susceptible to insider theft. A robust continuous controls monitoring platform, especially one that considers disparate data sources, could have identified patterns between in-bound calls and account inquiries by customer service reps, providing an early warning for inappropriate behavior. Actimize is a software vendor with an innovative application for monitoring call centers, primarily in the financial services space, and this space is one with increasing competition.

Enterprises should consider the access and use of company information by company employees as valid transactions that require monitoring. When an employee (or outsider!) begins accessing credit data that is outside of his typical area of responsibility, this should be a warning. While this may occur less frequently than outsiders’ attempts to steal an identity, the magnitude of a successful theft is much more significant.
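The correlation described above, as an added example that is not part of the original post and not any vendor's product: two constructed logs (inbound calls and account inquiries) are joined per rep, and an inquiry is flagged when no call from that rep for that account explains it within a short window, or when the account lies outside the rep's assigned region. The rep IDs, regions and timestamps are all constructed sample data.

```python
"""Hypothetical insider-access monitoring over constructed call-center logs."""
from datetime import datetime, timedelta

# Constructed: each customer service rep's assigned area of responsibility.
REP_REGION = {"rep01": "SE", "rep02": "NW"}

# Constructed inbound call log: (rep_id, account_id, call_time).
CALLS = [
    ("rep01", "A-100", "2009-03-30 09:02"),
    ("rep01", "A-101", "2009-03-30 09:40"),
    ("rep02", "A-200", "2009-03-30 10:15"),
]

# Constructed account-inquiry log: (rep_id, account_id, account_region, lookup_time).
LOOKUPS = [
    ("rep01", "A-100", "SE", "2009-03-30 09:05"),  # explained by a call, own region
    ("rep01", "A-101", "SE", "2009-03-30 09:44"),  # explained by a call, own region
    ("rep01", "A-300", "SE", "2009-03-30 11:30"),  # no inbound call for this account
    ("rep02", "A-200", "NW", "2009-03-30 10:17"),  # explained by a call, own region
    ("rep02", "A-101", "SE", "2009-03-30 13:05"),  # no call, and outside rep02's region
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def find_suspicious_lookups(calls, lookups, rep_region, window_minutes=15):
    """Return (rep_id, account_id, reasons) for every lookup that is not
    preceded by an inbound call from the same rep for the same account within
    window_minutes, or that touches an account outside the rep's region."""
    window = timedelta(minutes=window_minutes)
    alerts = []
    for rep, acct, region, when in lookups:
        t = _ts(when)
        reasons = []
        explained = any(
            c_rep == rep and c_acct == acct
            and timedelta(0) <= (t - _ts(c_when)) <= window
            for c_rep, c_acct, c_when in calls
        )
        if not explained:
            reasons.append("no inbound call within window")
        if rep_region.get(rep) != region:
            reasons.append("account outside assigned region")
        if reasons:
            alerts.append((rep, acct, reasons))
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_lookups(CALLS, LOOKUPS, REP_REGION):
        print(alert)
```

In practice the region rule would be one of several "typical area of responsibility" baselines (product line, account tier, queue), and the call-to-lookup join is what turns two disparate data sources into a single early-warning signal.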

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Monday, March 2, 2009

Reflections from IIA District Conference

More than 100 people attended our session last week at the Carolina's IIA District Conference, where I joined Matt Cleaver, Head of Internal Audit for RH Donnelley (RHD), to talk about their journey along the Continuous Auditing maturity curve. Since Visual Risk IQ's initial continuous auditing project for them in 2007, RHD has migrated from one-time, retrospective data analysis in the Accounts Payable area to weekly review of potential duplicate payments or overpayments PRIOR to any checks being issued. An important step on the maturity curve for RHD was achieved earlier this year, as the business process owner (not internal audit!) now runs the queries that had been developed to identify the potential duplicates.

As shared at the Conference, several hundred thousand dollars in errors have been prevented due to this weekly review, and the overpayments actually recovered from our original project have more than funded the entire annual budget of the internal audit department. The return on the project's investment has been outstanding, and the audit team is even more highly valued at the Company during these challenging times affecting media and advertising companies (and most everyone else!).
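A weekly duplicate-payment screen of the kind described above, written here as an added example rather than RHD's or Visual Risk IQ's actual queries. It normalizes invoice numbers so that re-keyed or re-submitted invoices still match, and holds any pending invoice that duplicates an earlier one on vendor and invoice number, or on vendor, amount and a nearby invoice date. Vendors, invoice numbers and amounts are constructed sample data.

```python
"""Hypothetical pre-payment duplicate screen over a constructed AP invoice list."""
import re
from datetime import date, timedelta

# Constructed invoices, in entry order; paid rows are historical, pending rows are
# in the current check run and are the ones we want to hold if they look duplicated.
INVOICES = [
    {"id": 1, "vendor": "ACME", "invoice_no": "INV-00123", "amount": 1250.00, "inv_date": date(2009, 2, 2), "status": "paid"},
    {"id": 2, "vendor": "ACME", "invoice_no": "inv 123", "amount": 1250.00, "inv_date": date(2009, 2, 2), "status": "pending"},  # re-submitted
    {"id": 3, "vendor": "ACME", "invoice_no": "INV-00124", "amount": 800.00, "inv_date": date(2009, 2, 10), "status": "pending"},  # legitimate
    {"id": 4, "vendor": "BOLT", "invoice_no": "7781", "amount": 430.50, "inv_date": date(2009, 2, 12), "status": "paid"},
    {"id": 5, "vendor": "BOLT", "invoice_no": "7781-A", "amount": 430.50, "inv_date": date(2009, 2, 15), "status": "pending"},  # same amount, 3 days later
    {"id": 6, "vendor": "BOLT", "invoice_no": "7790", "amount": 430.50, "inv_date": date(2009, 3, 20), "status": "pending"},  # same amount, but weeks apart
]

def normalize_invoice_no(inv):
    """Collapse case, punctuation and leading zeros: 'inv 123' and 'INV-00123' both
    become 'INV123'."""
    s = re.sub(r"[^A-Z0-9]", "", inv.upper())
    return re.sub(r"(?<!\d)0+(?=\d)", "", s)

def find_potential_duplicates(invoices, date_window_days=7):
    """Return (pending_id, matching_id, reason) for each pending invoice that
    duplicates a paid invoice or an earlier pending invoice from the same vendor."""
    window = timedelta(days=date_window_days)
    hits = []
    for i, cur in enumerate(invoices):
        if cur["status"] != "pending":
            continue
        cur_no = normalize_invoice_no(cur["invoice_no"])
        for j, other in enumerate(invoices):
            # Compare against paid history and against pending rows entered earlier,
            # so each pending/pending pair is reported only once.
            if j == i or other["vendor"] != cur["vendor"]:
                continue
            if not (j < i or other["status"] == "paid"):
                continue
            if normalize_invoice_no(other["invoice_no"]) == cur_no:
                hits.append((cur["id"], other["id"], "same vendor and invoice number"))
            elif other["amount"] == cur["amount"] and abs(other["inv_date"] - cur["inv_date"]) <= window:
                hits.append((cur["id"], other["id"], "same vendor, amount and date within window"))
    return hits

if __name__ == "__main__":
    for hit in find_potential_duplicates(INVOICES):
        print(hit)
```

The two rules deliberately over-flag (invoice 5 may be a genuine second shipment), which is why the process owner reviews the list before checks are cut rather than the query blocking payment on its own.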

Special thanks to Matt, who was very candid about the findings that our project helped their audit team uncover, in terms of these overpayments, as well as other internal control improvements that resulted from the data analysis work. For more information on their success, or for a copy of the slide deck, please email me at the contact information below.

Here's wishing that your internal audit projects can help demonstrate the value of data analysis and continuous auditing in such a direct and tangible way.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Sunday, March 1, 2009

New acronyms in the Continuous Controls Monitoring space - CCM-T

Those of you who have met Kim Jones and me, either from our PwC days or since we've founded Visual Risk IQ, know that we believe that the IT Research community has not done a great job of defining categories within Governance, Risk and Compliance software. Even the Continuous Controls Monitoring category had everything from Segregation of Duties tools like Virsa (now SAP-GRC) to IT General Control Tools (like TripWire) to more general purpose CCM tools like those from ACL, Apex, Approva, and Oversight.

But now in 2009, the Research community is getting better. Maybe much better. Gartner has published a new report on the segment of the GRC category that we specialize in, and they have named the category "Continuous Controls Monitoring for Transactions", or CCM-T. We believe this segmentation does a MUCH better job of identifying the vendors who are in this category.

The report separates CCM-T from other CCM technologies, like Segregation of Duties tools, Application Controls, and Master Data tools. For a copy of the report, register on ACL's web site and download the Gartner CCM-T Report.

Take a look and tell us what you think, either by commenting below, sending an email or seeing us in person. Look for Visual Risk IQ at IIA's GAM conference or at MISTI's SuperStrategies, where we will be a sponsor and speaker on Thursday morning April 16.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Wednesday, February 25, 2009

Now Hiring - Continuous Auditing specialists

Many of you who have heard my partner and me speak at various IIA and MISTI events know that we have Google alerts set up on Continuous Auditing and Continuous Monitoring. Most Continuous Monitoring alerts have been related to medical devices (glucose monitoring, pacemakers), but it has been rare that we actually get article posts related to Continuous Auditing or what is becoming known as Continuous Controls Monitoring.

But maybe this is changing....

For the past two weeks, I have gotten "hits" on Google Alerts for Continuous Auditing and Continuous Controls Monitoring that relate to data analysis, data mining, and continuous auditing, specifically Job Postings. Yes, despite the challenging economy, there are several Audit Groups that are hiring continuous auditing specialists. Technical skills needed include data analysis, such as working with ACL or IDEA, as well as more modern tools such as Approva, Oversight Systems or Apex Analytix.

Not surprisingly, interpersonal skills, including good communication skills and technical writing, are also required. You can't write a good continuous auditing test if you don't have good data. And auditors need help from someone to acquire and understand the data.

Kudos to the hiring executives who understand that increasing the depth and especially the frequency of data analysis can increase the value that internal audit brings. Two of the three job postings I've seen are in the Hospitality sector, and the third is in Healthcare. Common threads perhaps are large volumes of disparate data, and opportunities to increase top line revenue through improving data quality.

For more information on these jobs or to compare notes on data analysis and continuous auditing, please reach out via contact information below.

Regards,

Joe Oringel
Visual Risk IQ
Charlotte NC, USA
joe.oringel@visualriskiq.com

Wednesday, February 11, 2009

What is the cost of non-compliance? How's $579 million sound?

Source: Reuters: Halliburton and KBR agree to Settlement in historic Foreign Corrupt Practices Act (FCPA) case

In the largest FCPA settlement against a US-based company, KBR and its former parent Halliburton agreed to pay $579 million in fines to settle charges that they violated the Foreign Corrupt Practices Act (FCPA) as part of a plan to secure large, long-term construction contracts in Nigeria.

According to the DOJ, KBR was part of a four-company joint venture that received the contracts. As part of its plea, KBR admitted to conspiring with those partners to promise and pay bribes. They also admitted to paying tens of millions of dollars in consulting fees to two agents for use in bribing government officials.

As part of its criminal plea deal, KBR agreed to retain an independent compliance monitor for a three-year period and continue to cooperate with the DOJ's continuing investigation of this matter.

In a related civil complaint by the SEC, Halliburton and KBR jointly agreed to pay $177 million in disgorgement. The SEC had charged KBR with violating the anti-bribery provisions of the Foreign Corrupt Practices Act. It also charged Halliburton and KBR with record-keeping and internal control violations.

"As part of the resolution of the SEC investigation, Halliburton will retain an independent consultant to perform a 60-day initial and, approximately one year later, a 30-day follow-up review and evaluation of Halliburton's anti-bribery and foreign agent internal controls and record-keeping policies and to adopt any necessary improvements," the company said.

----------------------------------

Continuous auditing and monitoring are particularly well suited to helping organizations monitor internally for potential FCPA violations, because these compliance issues can be assessed concurrently with other operational challenges such as duplicate payments or overpayments.

Joe Oringel
Visual Risk IQ LLC
Charlotte NC, USA

Thursday, February 5, 2009

Check out "The Fraudies", Oversight's list of top Corporate Fraudsters

The folks at Oversight Systems have announced The Fraudies, a light-hearted collection of some of the bolder attempts to defraud corporations that have been detected or deterred by continuous auditing and monitoring. My personal favorite is the individual who used their company's P-Card to purchase $3,400 worth of advice from the Psychic Hotline. Let's hope the psychic didn't tell the fraudster to join your firm.

Unfortunately, today's challenging economic times are increasing the pressures and the rationalization behind more potential fraudsters.  We are working with a number of organizations in different industries, to help increase the likelihood of detection by implementing cost-effective monitoring techniques.

Using these techniques as part of regularly scheduled audits of Accounts Payable, Travel & Entertainment or P-Card audits can help organizations achieve compliance objectives while also returning money to the bottom line by reducing overpayments and re-capturing inappropriate disbursements.  Further, like the Fraudies, we hope that by publicizing these instances of fraud, other future fraudsters will be deterred.   

Joe Oringel
Visual Risk IQ
Charlotte NC 28277