Showing posts with label CFO Magazine.

Sunday, September 20, 2009

Another CFO Article on Continuous Auditing - Correct about Vocabulary. Incorrect about no one doing it well.

We appreciate CFO Magazine writing about Continuous Auditing (CA) again. This month's piece is better than previous efforts, in that it focuses much more on the process changes needed for CA, and less on the actual technology that is used to accomplish CA, as we have blogged about previously. CFO Magazine interviewed several industry and academic leaders for this article - alas they didn't reach out to Visual Risk IQ, at least yet. So in today's blog, we'll summarize some of our observations and experiences about CA and contrast them to the CFO article. The centerpiece of our thoughts on CA is our proprietary maturity model, which we use to chart company-specific actions that help organizations advance on this journey. We'll also suggest one or two other organizations that CFO Magazine might talk to so that a clearer picture of CA can develop. In any case, we certainly echo the author's point, that a common, practical definition of CA is not yet accepted in the industry.

For this article, the author interviewed HCA, Microsoft, and AEP - and profiled how each organization uses CA. We feel especially qualified to comment on the article, because Kim Jones and I have been working almost exclusively on CA since our days at PwC in 2006, where he was a key team member on the Microsoft project cited in the article. We also count both HCA and AEP among our circle of friends from the speaking and writing that we each do in the Internal Audit community.

My counsel to the author would be to separate Continuous (which is really Continual) Risk Assessment from Continuous Controls Assessment. One of the reasons that there are such varying definitions of CA is that there are a diverse number of objectives that can be accomplished with CA and especially Continuous Controls Monitoring for Transactions (CCM-T). Organizations that set out to allocate their audit resources based on more up-to-date information than an annual risk assessment are likely to begin their CA efforts here. Companies profiled publicly in articles and cases that match this CA description include McDonald's and Wells Fargo, and usually have a very large number of audit entities (i.e. Stores or Branches) that make it difficult to visit each entity in a three- or five-year audit cycle. We have assisted several organizations to be more like McDonald's and Wells Fargo, by using data to perform more frequent, data-driven risk assessments to allocate their audit resources. Most often, the data used for this activity is aggregate financial or operational information like Financial Performance vs. Budget, Performance Ratios, or Employee Turnover. While it appears from the quotes from Jay Hoffman at AEP that his team is doing Continuous Risk Assessment, the controls being tested per the article seem to be more specific to Continuous Controls Assessment, which is using data-driven techniques to provide greater depth and frequency of audit coverage.

Continuous Controls Assessment is the set of techniques profiled in the article at HCA, AEP, and Microsoft. Instead of auditing overtime or journal entries only once every two or three years, many organizations use repeating data analysis scripts to assess the effectiveness of a control at multiple intervals during a year. These techniques can alert management to emerging issues with fraud risk or compliance, and also assist in following up on previous audit findings.

At Visual Risk IQ, we assert that "real continuous auditing" is to more fully integrate the Continuous Controls Assessment with Continuous Risk Assessment, so that audit project selection is based on the effectiveness of frequent, data-driven control assessment activities. Example: "What should be next on the audit plan - let's go to the regional office that hit their sales budget (to the penny!), but hasn't updated their allowance for doubtful accounts since the new accounting manager was hired six months ago."

I can think of two or three organizations that are doing real continuous auditing, according to this definition. Both Arrowpoint Capital in Charlotte and RLI Corporation in Peoria have presented at national and regional IIA / MISTI conferences about their CA programs, which originated with repeating the data analysis routines that were used for control assessment. While neither is a household name like Microsoft or HCA, each has been doing CA for more than five years, and is quite mature in its use of data for both control assessment and risk assessment.

In closing, the article does a good job of distinguishing between CA and CM (continuous monitoring), which are activities performed by management. The evolution of CA to CM is a particular mark of growing CA maturity. Our work with CM, and especially CCM-T, has allowed us to help management use technology to test the right controls, at the right time, to achieve spectacularly effective results in business performance and internal controls. CA is often the first step on that journey.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Tuesday, June 2, 2009

CFO Magazine profiles Continuous Auditing / Continuous Controls Monitoring

CFO Magazine's June issue has a feature story on the 24 x 7 continuous auditing approach that has been implemented at several organizations, including Harrah's, Siemens Financial Services, and British Columbia's Ministry of Finance. Interestingly, the article is filed in CFO's "Technology" section and emphasizes the IT component of the respective initiatives.

Those of you who have met my partner Kim Jones or me know that we believe that technology is only part of any continuous auditing or continuous controls monitoring for transactions (CCM-T) initiative. I found that point reinforced by the first comment on the CFO.com article, about Monitoring still being a detective, and not a preventive, control. At Visual Risk IQ, we believe that process is key. By designing a process (i.e. review of P-Card or Accounts Payable transactions) with sufficient time lag for resolution of CCM-T exceptions PRIOR TO PAYMENT, the monitoring activity actually becomes a Preventative control.

Interesting too that all companies profiled are ACL CCM customers, and that customers from Apex Analytix, Approva, Oversight Systems, and industry vertical CCM solutions like Actimize (banking) or XBR (retail) were not included in the article. I would have been even more interested to see any trends or patterns from customers of several different vendors.

Despite improvement opportunities if we were contacted for quotes (smile), it's a pleasure to see the topics of continuous auditing and continuous controls monitoring receiving such great publicity. As I write this, the article is both the most viewed and most emailed article of the day on CFO.com. Check back and see what kind of staying power the subject can achieve.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Monday, September 8, 2008

Expense Management becoming Mainstream?

We've been talking about using Continuous Auditing and Continuous Monitoring as ways to improve compliance and business performance for more than two years. The approach is characterized as "ask once, satisfy many," where business process owners can satisfy compliance objectives such as segregation of duties or spending authority limits, while also evaluating operational objectives like contract compliance and pricing.

CFO Magazine's September issue is highlighting some of the technologies that can accomplish these objectives.

The CFO article is very consistent with our experiences. Clients and business partners of Visual Risk IQ know that we can help review Accounts Payable, P-Card, and T&E data, looking for duplicate payments, financial fraud, and contract compliance. In the last several months, we've been expanding our service capabilities to deliver even more value for our clients.

My favorite quote in the article talks about the costs for such services. "For $50,000 to $100,000, a horde of consultants will sift through invoices, purchase orders, and contracts and produce a report, most likely on one facet of the business. Or, for $100,000 to $500,000, you can tap software that will do it for all aspects of the business all the time." People familiar with Visual Risk IQ know that our firm uses the continuous auditing software described in the article, to help organizations test-drive and prove its value for their organization, for less than the typical fees from the "horde of consultants."

The data files that we already use to provide a 100%, in-depth review of expenses for compliance and potential fraud factors can also be used to test for spending compliance. We have partnered with firms who are expert in selling and general & administrative cost reduction, and can analyze these same data files to identify the opportunities for improving expense management.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Sunday, May 11, 2008

Top CFO concerns - How Continuous Auditing (CA) can help

CFO Magazine and Duke's Fuqua School of Business published their quarterly Top 10 Concerns of CFOs on May 1, 2008, and this quarter's list seems to demonstrate the potential benefit of more frequent and more in-depth controls monitoring and auditing procedures. To read the article in full, please click through to: http://www.cfo.com/article.cfm/11078610/c_11081639?f=insidecfo

Though most CFO concerns are repeats from previous quarters (e.g. weak consumer demand, credit markets, and the housing market fall-out), a couple of new entrants demonstrate the potential value of continuous auditing and monitoring. Specifically, Costs of Health Care, Costs of Fuel and Costs of Non-Fuel Commodities all represent opportunities, based on our current experience with Continuous Auditing (CA) and Continuous Monitoring (CM).

Visual Risk IQ is currently working with several large global enterprises on pilots of continuous auditing and monitoring in the areas of Procurement Card (P-Card), Travel and Entertainment (T&E) and Employee Health Benefits. Examples of P-Card and T&E issues identified by CA / CM include 40 and 50 gallon fuel purchases for employees who drive company cars with 15 gallon tanks. No matter what the cost of fuel per gallon, using Company funds to fuel a personal boat or the neighbor's SUV(s) is not appropriate. In the case of Employee Health Benefits, we will be using sophisticated data mining and analytics to find claims that have been paid by a Company's Third Party Administrator where the claims are not in compliance with the Summary Plan Description.

Going back to recover Health Claims, T&E or P-Card expenditures that have been paid in error is sometimes perceived as a time-consuming and costly process. However, use of modern CA and CM software can dramatically reduce the cost of detecting these errors. Further, because the errors can be detected closer to the transaction date (and often before the payments are made!), the investment in CA / CM can pay for itself many times over.

Stay tuned, as we hope to chronicle some of the specifics of these reviews....

Joe Oringel
Visual Risk IQ
Charlotte, North Carolina