Tuesday, August 18, 2009

Setting IIA / ISACA speaking dates this fall

Continuous auditing and data analysis remain very hot topics, as evidenced by the uptick in speaking requests we have received this fall from IIA and ISACA chapters. Several dates are already set for the next few months, and requests continue to come in for programming and education that help audit and finance leaders understand and quickly apply the latest thinking in data analysis techniques.

We have content already developed for 1/2 day and full day programs, in addition to executive briefings that are ideal for IIA District or Regional Conferences.

Some representative Data Analysis and Continuous Auditing speaking events include:
  • September 11, 2009 - Baton Rouge IIA Chapter. 1/2 day session
  • September 16, 2009 - Greensboro, NC IIA Chapter. Full-day session on Data Analysis, with Tableau software and Audimation
  • October 7, 2009 - Columbia, SC - ISACA Chapter. Full-day session on Data Analysis and Continuous Auditing
  • November 18, 2009 - Greensboro, NC IIA Chapter. Full-day session on Continuous Auditing, with David Payseur of Arrowpoint Capital and Dr. George Aldhizer from Wake Forest University.
Other events are in discussion and may soon follow. Contact us for information regarding a similar CPE event for your local chapter or district conference.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Sunday, August 9, 2009

Anything worth doing is worth doing well - and Often!

I had a discussion today with a panelist who will be speaking about Continuous Auditing / Continuous Controls Monitoring at an IIA Chapter meeting later this month. The panelist's shared services group uses a leading CCM system for one very specific business area - Travel & Entertainment. They have had a very favorable ROI with their use of CCM, and users in Finance, Internal Audit, and elsewhere all appreciate the workflow capabilities of their CCM system. Users and especially management recognize that the workflow capabilities and the frequent extraction capabilities are a quantum leap forward from ERP query tools and data analysis tools like ACL and IDEA. Instead of spending time to extract data and run scripts, the CCM solution automates those steps and allows more time for research and resolving issues.

He asked me what other business processes make good applications for CCM, and I shared that it's a variety of application areas - everything from review of Manual Journal Entries to Accounts Payable Disbursements to Grants and Contracts in Higher Education, across multiple industries and also across multiple systems.

So whether it's updating an audit plan quarterly instead of annually, or analyzing manual journal entries for fraud or error monthly instead of quarterly: if it's worth doing, ask how you might do it more frequently. With modern CCM tools, you'll find that many important financial control activities can be done well, and Often!

Tuesday, August 4, 2009

When the Going Gets Tough, the Tough Go Shopping (around)

You've got to like a headline like this, regardless of the substance of the article. But the good news is that the substance of this article (from the Chronicle of Higher Education) is almost as good as the headline, for both universities and commercial enterprises. Purchasing projects, especially for indirect categories, represent an excellent opportunity to improve the bottom line. These services can be bought from traditional consulting firms like Bain, McKinsey, or Accenture, and also from niche firms who specialize in only these Purchasing services.

Also interesting, though not in the Chronicle's article, is the potential synergy between improving Purchasing and CCM-T.
In the last few years, we've had deep-dive meetings with a number of firms who specialize in SG&A cost reduction and vendor negotiation. It has become clear that among their most distinctive strengths are data analysis and vendor negotiation. Their projects are net cash flow positive, funded by realized, hard-dollar savings, paid on a contingent fee.

Once new contracts are re-negotiated, the firms review actual spending and compute realized savings to determine their fees. This represents the opportunity for CCM-T. Just as Visual Risk IQ has implemented CCM-T to review invoices and invoice lines for suspicious, fraudulent, or duplicate payments, we also can configure CCM-T to review invoice lines for rogue or unauthorized spending from non-preferred vendors.

So if you're a CCM-T user looking for improved business value from your implementation, or a finance, audit, or procurement executive looking to improve your bottom line through an evaluation of your Purchasing group, let us know. We know some great places to shop!

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Wednesday, July 22, 2009

Conflict of Interest - the Power of External Databases

As my last post on DoD indicated, there are some real gems waiting to be mined when comparing internal data to external data for fraud and abuse. Today's Chronicle of Higher Education reports on a two-month-old WSJ and UPI story about a UCLA surgeon who received more than $450,000 in payments from medical device companies, but repeatedly failed to disclose that outside income on conflict of interest forms required by the University.

Representative Charles Grassley is regularly in the news for advocating a national law (i.e. the Physician Payments Sunshine Act) that would require disclosure of speaking fees. Currently, state laws and specific academic institutions each set their own policies and monitoring requirements.

The Chronicle opined that "Universities also need to pay more attention to whether they review research activities by their own staff that may damage their institutional reputations even though the work involves outside facilities, Ms. Chimonas said. The case of Dr. Wang may prove a strong incentive for UCLA to do so. Even within the same statewide system, she said, there are campuses such as the University of California at Davis that have taken a much more aggressive definition of how they monitor outside research by university faculty members.

Institutions such as UCLA could be realizing the danger of ignoring outside research work, Ms. Chimonas said. "This may be a wake-up call for a lot of institutions who have been thinking, 'Well, this has nothing to do with us,'" she said."

Comparing internal data against external databases like the Excluded Parties List System (the list of Federally debarred vendors) or the OFAC Watch List is a high-value audit test, especially as frequency is increased from annual to quarterly or more frequently. UCLA's situation with Dr. Wang, especially because of reputation risk, calls for better monitoring of external databases.

What external databases are your organizations monitoring? How often? What are the more interesting findings? Please comment - all input is welcomed!

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Monday, July 20, 2009

The Value of Frequency - how the Defense Department paid millions in wages to invalid accounts

Last week, the Office of Inspector General for the Department of Defense (DOD) issued Report 2009-092 titled "Validity of DOD Civilian Employee Accounts." As widely reported on CNN and elsewhere, the report stated: "Specifically, the DOD's Payroll System included invalid Social Security numbers, employees under the legal employment age, and multiple employee accounts that shared the same bank account. As a result, DFAS [the Finance arm of DOD] may have paid approximately $15.4 million to more than 2,300 invalid DoD civilian employee accounts from January 2002 through April 2008 (excluding 2007)."

These payments represent fraud and misuse of tax dollars, but because the audit approach was a point-in-time audit, looking backward over a very long time period (six years!), it is highly likely that the money will never be recovered.

Had the DOD used leading-edge technology like Continuous Controls Monitoring for Transactions (CCM-T), which can compare all SSNs from master files and from payment files to suspicious SSN lists like those in the Social Security Death Index database, they could have known of the errors PRIOR to payment. The more frequently the data is compared, the more valuable the analysis becomes.

And implementation is a tiny fraction of the $15 million spent for erroneous payments. Factor in the time value of money (errors go back to 2002!) and the reputation risk associated with such errors, and CCM-T looks better and better.
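The three conditions the report names, plus the death-list comparison described above, can be run as a pre-payment check on every pay cycle. The following is an added example, not code from the report or from any CCM-T product; the record fields, the `MIN_AGE` threshold, and all sample data are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date

MIN_AGE = 14  # assumption: the page does not state the legal employment age used

def ssn_is_structurally_valid(ssn):
    """SSA has never issued area 000, 666 or 900-999, group 00, or serial 0000."""
    m = re.fullmatch(r"(\d{3})-?(\d{2})-?(\d{4})", ssn)
    if not m:
        return False
    area, group, serial = m.groups()
    return not (area in ("000", "666") or area[0] == "9"
                or group == "00" or serial == "0000")

def age_on(birth, as_of):
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))

def review_payroll(employees, deceased_ssns, pay_date):
    """Return {employee_id: [reasons]} for accounts to hold before the pay run."""
    flags, by_bank = defaultdict(list), defaultdict(list)
    for e in employees:
        if not ssn_is_structurally_valid(e["ssn"]):
            flags[e["id"]].append("invalid SSN")
        elif e["ssn"].replace("-", "") in deceased_ssns:
            flags[e["id"]].append("SSN on death list")
        if age_on(e["birth"], pay_date) < MIN_AGE:
            flags[e["id"]].append("under legal employment age")
        by_bank[e["bank"]].append(e["id"])
    for ids in by_bank.values():  # several employee accounts paid into one bank account
        if len(ids) > 1:
            for i in ids:
                others = ",".join(x for x in ids if x != i)
                flags[i].append("bank account shared with " + others)
    return dict(flags)

# Constructed sample master file and external list (not real SSNs or accounts).
PAY_DATE = date(2008, 4, 15)
DECEASED = {"212345678"}
EMPLOYEES = [
    {"id": "E1", "ssn": "123-45-6789", "birth": date(1970, 5, 1), "bank": "1001"},
    {"id": "E2", "ssn": "000-12-3456", "birth": date(1980, 1, 9), "bank": "1002"},
    {"id": "E3", "ssn": "212-34-5678", "birth": date(1950, 7, 4), "bank": "1003"},
    {"id": "E4", "ssn": "321-54-9876", "birth": date(2000, 3, 1), "bank": "1004"},
    {"id": "E5", "ssn": "456-78-9012", "birth": date(1975, 2, 2), "bank": "2001"},
    {"id": "E6", "ssn": "567-89-0123", "birth": date(1982, 8, 8), "bank": "2001"},
]

if __name__ == "__main__":
    for emp_id, reasons in review_payroll(EMPLOYEES, DECEASED, PAY_DATE).items():
        print(emp_id, "HOLD:", "; ".join(reasons))
```

Running the same function before each pay run, rather than once over six years of history, is what turns these tests from recovery work into prevention.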

Joe Oringel
Visual Risk IQ
Charlotte NC, USA

Tuesday, July 14, 2009

University Business - 101 Ways to Raise Revenue or Decrease Costs

In addition to being a regular reader of the Chronicle of Higher Education I've also become a reader and subscriber of University Business (UB). Unlike the Chronicle, UB is free to qualified subscribers, and they have an outstanding digital archive of previously published articles.

One that grabbed my attention this week is an archived (pre-recession!) article titled 101 Smart Revenue Generators and Money Saving Ideas. After all, who wouldn't like a little more on the top line, and on the bottom line, regardless of whether you're for-profit or non-profit?

What strikes me as noteworthy about the article is that most (and the first few!) Revenue Generating ideas are actually all related to expense control and expense reduction. Some are traditional vendor negotiation strategies, like Visual Risk IQ does together with its partner Third Law Sourcing, while others are P-Card. Many can benefit from CCM-T, and many are worth a fresh read / re-read, given the current state of the economy.

Feel free to add Comments on your strategies for trimming costs or raising revenue in today's challenging times. Success stories are always welcome!

Joe Oringel
Visual Risk IQ, LLC
Charlotte NC, USA

Wednesday, July 8, 2009

Observations from Recent, Local Frauds in Charlotte NC

Several folks commented on recent tweets of local fraud and embezzlement, first at UNC-Charlotte and again at Charlotte's Mecklenburg County, specifically within the Department of Social Services. The Fraud Triangle teaches us that as long as there is Pressure / Incentive (I really need the money), Rationalization (e.g. other people do it, I'll pay it back...etc.) and Opportunity (I won't get caught because...) fraud can and will occur and recur.

My own experience is that these three elements of the fraud triangle are closely related, and that Opportunity needs to be re-evaluated, especially as Incentive increases. Today's economic times are proving this need most everywhere we look, yet we still see only a few companies who are actively changing and increasing how they monitor for potential fraud, despite the availability of very effective, modern tools for fraud detection, like CCM-T tools from Oversight and Approva.

A specific example: During my Big 4 Accounting Firm days, I led a team that audited the procedures used to produce scratch-off lottery tickets. When we started, the largest prize awarded was $5,000 or $10,000. While internal controls were always very good (i.e. Opportunity = Low), there were still a number of people at the Ticket Printer and at the Big 4 Firm who had access to information that might help locate a batch of 250 tickets that would likely contain a $5,000 or $10,000 winner.

The likelihood that a person would risk their career to steal $5,000 or $10,000 (two to six months net pay) was pretty low. But then the Ticket Printer and State Lotteries began printing $100,000 and eventually $1,000,000 tickets. That represented at least a year or even 20 years or more in net pay. What a powerful Incentive!

This change in Incentive was a trigger that we saw to re-evaluate internal controls, because now the temptation needed a corresponding decrease in opportunity. In addition to our agreed-upon procedures to evaluate controls over ticket production, we began a continual security review which included review of other controls that would identify who may be accessing information that might allow a large ticket winner to be located. We publicized the continual security review within the company (and the Big 4 team!), so that the decreased Opportunity was understood by anyone who may have been tempted.

As staffs are cut and monitoring controls become less frequent, what is your organization doing to reduce the Opportunity for Fraud? For a couple of high-profile cases in Charlotte, it's clear that more needs to be done.

Joe Oringel
Visual Risk IQ
Charlotte NC, USA