Monday, February 21, 2011

Book review - a Great Read for Data Analysis Folks

Just finished Malcolm Gladwell's "What the Dog Saw" on a long plane ride this weekend. Like his other books (Tipping Point, Blink, and Outliers), there are great stories and examples for those of us involved in data analysis, including internal auditing and especially continuous auditing.

Gladwell's current book is actually a collection of essays from New Yorker magazine, but they piece together nicely so the essays can be read in sequence or by selecting chapters of interest. If you have time to only read one chapter, I'd point you toward the chapter "Open Secrets. Enron, Intelligence, and the Perils of Too Much Information."

The book points out that Enron's Special Purpose Entities (SPEs) were entirely transparent, to a fault: each of the more than 3000 SPEs involved paperwork averaging 1000 pages of filings. Even an executive summary of an SPE contained 40 single-spaced pages. So the challenge in understanding the financial risks of their SPEs was to work out how to filter an insanely large volume of data into a form that was manageable, comprehensible, and actionable.

As you progress on the Continuous Auditing and Continuous Monitoring Maturity Curve, you'll find that your teams are amassing a similarly overwhelming (though hopefully not as large!) set of source data and anomalies to review. How do you see the source data? How do you see the exceptions? How do you decide which ones to act on?

Most data analysis efforts that we have worked on have a goal of identifying individual exceptions, or rows, in database speak. So an AP vendor shares an address or tax ID number with an employee. Or a sales invoice had a discount in excess of a contract maximum. To act, we send an email to someone, maybe with a spreadsheet attached, to research and resolve the exception row.

But let's learn from Enron's SPEs. If we send 3000 emails, how will we manage the follow-up? Can we use color and graphs to measure the magnitude of the exceptions in total? How should we identify transactions that are acceptable one-by-one (example: a $9,500 requisition from a manager with a $10,000 signing authority), but unacceptable as a larger series (say, ten $9,500 requisitions from that same manager, all within the same week)?
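
One way to approach that last question, as an added example that is not part of the original post or the book: sum each manager's within-authority requisitions over a rolling window and report one finding per manager instead of one email per row. The manager names, requisition IDs, authority table and the 7-day window are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample rows: (requisition id, manager, date, amount in dollars).
# mgr_a: ten $9,500 requisitions in one week; mgr_b: two unrelated ones.
REQUISITIONS = [
    (f"R{i:03d}", "mgr_a", date(2011, 2, 14) + timedelta(days=i // 2), 9_500)
    for i in range(10)
] + [
    ("R100", "mgr_b", date(2011, 2, 1), 9_500),
    ("R101", "mgr_b", date(2011, 2, 20), 4_000),
]
AUTHORITY = {"mgr_a": 10_000, "mgr_b": 10_000}  # assumed signing limits


def find_split_series(reqs, authority, window_days=7, min_count=2):
    """Return one finding per manager whose individually acceptable
    requisitions add up to more than their authority inside any window."""
    by_mgr = defaultdict(list)
    for req_id, mgr, day, amount in reqs:
        # Rows over the limit are ordinary single-row exceptions; skip them.
        if amount <= authority[mgr]:
            by_mgr[mgr].append((day, amount, req_id))

    findings = []
    for mgr, rows in by_mgr.items():
        rows.sort()
        start, total, worst = 0, 0, None
        for end, (day, amount, _) in enumerate(rows):
            total += amount
            # Slide the left edge until the window spans < window_days.
            while (day - rows[start][0]).days >= window_days:
                total -= rows[start][1]
                start += 1
            count = end - start + 1
            over = count >= min_count and total > authority[mgr]
            if over and (worst is None or total > worst["total"]):
                worst = {"manager": mgr, "count": count, "total": total,
                         "window_start": rows[start][0], "window_end": day,
                         "ids": [r[2] for r in rows[start:end + 1]]}
        if worst:
            findings.append(worst)
    # Largest aggregate exposure first, so follow-up starts where it matters.
    return sorted(findings, key=lambda f: f["total"], reverse=True)


if __name__ == "__main__":
    for f in find_split_series(REQUISITIONS, AUTHORITY):
        print(f["manager"], f["count"], f["total"], f["window_start"], f["window_end"])
```

The ten rows for mgr_a collapse into a single finding with a total that can be ranked or charted, while mgr_b's two requisitions, 19 days apart, produce nothing.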