Regular readers of my blog know that Visual Risk IQ has been especially active in the Higher Education arena in 2009, helping adapt Continuous Controls Monitoring (CCM) for a Class One Research University. In addition to monitoring for Accounts Payable controls compliance, duplicate payments, and vendor master file integrity, we have also built an innovative Grants & Contracts module that helps track compliance with various financial and operational milestones required by various Federal Grantors.
The CCM module tests the validity of expenditures, overhead rates, and labor charges, and also can be easily extended for more complex tasks like Effort Reporting and Financial Aid compliance. But perhaps it was overkill for the job, given that one of the largest inspection functions within the Federal Government is behind on its audit plan this year.
Yep, they're too busy at the National Science Foundation investigating Internet Porn, so they're behind on their audit plan. For more information, see the Washington Times.
Maybe their Office of the Inspector General could use a more efficient method for selecting which grants and contracts to inspect. More data-driven continuous risk assessment, or perhaps more use of data analysis in controls assessment, would help with their efficiency and effectiveness.
Other suggestions abound. What do you think?
Wednesday, September 30, 2009
Sunday, September 20, 2009
Another CFO Article on Continuous Auditing - Correct about Vocabulary. Incorrect about no one doing it well.
We appreciate CFO Magazine writing about Continuous Auditing (CA) again. This month's piece is better than previous efforts, in that it focuses much more on the process changes needed for CA, and less on the actual technology that is used to accomplish CA, as we have blogged about previously. CFO Magazine interviewed several industry and academic leaders for this article - alas they didn't reach out to Visual Risk IQ, at least yet. So in today's blog, we'll summarize some of our observations and experiences about CA and contrast them to the CFO article. The centerpiece of our thoughts on CA is our proprietary maturity model, which we use to chart company-specific actions that help organizations advance on this journey. We'll also suggest one or two other organizations that CFO Magazine might talk to so that a clearer picture of CA can develop. In any case, we certainly echo the author's point, that a common, practical definition of CA is not yet accepted in the industry.
For this article, the author interviewed HCA, Microsoft, and AEP - and profiled how each organization uses CA. We feel especially qualified to comment on the article, because Kim Jones and I have been working almost exclusively on CA since our days at PwC in 2006, where he was a key team member on the Microsoft project cited in the article. We also count both HCA and AEP among our circle of friends from the speaking and writing that we each do in the Internal Audit community.
My counsel to the author would be to separate Continuous (which is really Continual) Risk Assessment from Continuous Controls Assessment. One of the reasons that there are such varying definitions of CA is that there are a diverse number of objectives that can be accomplished with CA and especially Continuous Controls Monitoring for Transactions (CCM-T). Organizations that set out to allocate their audit resources based on more up-to-date information than an annual risk assessment are likely to begin their CA efforts here. Companies profiled publicly in articles and cases that match this CA description include McDonald's and Wells Fargo, and usually have a very large number of audit entities (i.e. Stores or Branches) that make it difficult to visit each entity in a three- or five-year audit cycle. We have assisted several organizations to be more like McDonald's and Wells Fargo, by using data to perform more frequent, data-driven risk assessments to allocate their audit resources. Most often, the data used for this activity is aggregate financial or operational information like Financial Performance vs. Budget, Performance Ratios, or Employee Turnover. While it appears from the quotes from Jay Hoffman at AEP that his team is doing Continuous Risk Assessment, the controls being tested per the article seem to be more specific to Continuous Controls Assessment, which is using data-driven techniques to provide greater depth and frequency of audit coverage.
Continuous Controls Assessment is the set of techniques profiled in the article at HCA, AEP, and Microsoft. Instead of auditing overtime or journal entries only once every two or three years, many organizations use repeating data analysis scripts to assess the effectiveness of a control at multiple intervals during a year. These techniques can alert management to emerging issues with fraud risk or compliance, and also assist in following up on previous audit findings.
At Visual Risk IQ, we assert that "real continuous auditing" is to more fully integrate the Continuous Controls Assessment with Continuous Risk Assessment, so that audit project selection is based on the effectiveness of frequent, data-driven control assessment activities. Example: "What should be next on the audit plan - let's go to the regional office that hit their sales budget (to the penny!), but hasn't updated their allowance for doubtful accounts since the new accounting manager was hired six months ago."
I can think of two or three organizations that are doing real continuous auditing, according to this definition. Both Arrowpoint Capital in Charlotte and RLI Corporation in Peoria have presented at national and regional IIA / MISTI conferences about their CA programs, which originated with repeating the data analysis routines that were used for control assessment. While neither is a household name like Microsoft or HCA, each has been doing CA for more than five years, and is quite mature in its use of data for both control assessment and risk assessment.
In closing, the article does a good job of distinguishing between CA and CM (continuous monitoring), which are activities performed by management. The evolution of CA to CM is a particular mark of growing CA maturity. Our work with CM, and especially CCM-T, has allowed us to help management use technology to test the right controls, at the right time, to achieve spectacularly effective results in business performance and internal controls. CA is often the first step on that journey.
Joe Oringel
Visual Risk IQ
Charlotte NC, USA
Monday, September 14, 2009
IIA Presentation on Continuous Auditing - Thanks Baton Rouge!
Thanks and congratulations to the Baton Rouge IIA, who filled the room with more than 75 people for a one-hour lunchtime CPE session on making the journey From Data Analysis and Continuous Auditing. This was a terrific turnout for most any chapter, but especially for one the size of Baton Rouge, which is a testament to the effectiveness of their officer group. Thanks much Amanda, Renee, Staci and all other volunteers for their work to encourage such great attendance.
We opened the session with the thought-provoking "Did You Know" video to help the audience appreciate the rapid growth of digital information, and challenge the audit profession on how to keep pace with this growth. Sampling 25 or even 200 transactions just isn't enough when modern software allows us to test every transaction for control effectiveness, as frequently as daily or more.
Thirty of the 75+ lunchtime attendees stayed for the remainder of the afternoon for a more detailed discussion of the journey toward continuous auditing, where we explored Visual Risk IQ's proprietary continuous auditing maturity model in greater detail. During the last hour, we brainstormed ways to use disparate data for more innovative testing for identifying fraud. The group did an outstanding job, as evidenced by some of the following creative test suggestions:
- For a finance company that makes consumer loans to consolidate debt, compare the account numbers for payments made to credit card companies against account numbers of finance company employees, to make sure that funds are not diverted at closing from the consumer making the loan.
- For almost any organization, compare vendor address and phone numbers against employee home and emergency contact information in HR and Payroll files for possible undisclosed conflicts.
- For a state agency, compare external information about known deceased individuals / SSNs to benefits payments made to employees and retirees.
- And many others....
In each case, the participants suspended their "I'm not sure which file to ask for" and brainstormed what data would add to the effectiveness of their testing. By thinking about risk and controls, without the restrictions of "it would be difficult because....," some really excellent ideas were explored and discussed.
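The vendor-versus-employee comparison suggested above can be sketched as a repeatable script. This is an added example, not Visual Risk IQ's code or anything presented at the session; the field names and sample records are assumptions constructed for illustration. The point it shows is that raw HR and vendor master data rarely match character for character, so phone numbers and addresses are normalized before they are compared.

```python
import re
from collections import defaultdict

# Common address abbreviations so "Street" and "St." compare equal.
_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
           "boulevard": "blvd", "suite": "ste", "apartment": "apt",
           "north": "n", "south": "s", "east": "e", "west": "w"}

def norm_phone(raw):
    """Reduce a phone number to its last 10 digits; None if too short."""
    digits = re.sub(r"\D", "", raw or "")
    return digits[-10:] if len(digits) >= 10 else None

def norm_address(raw):
    """Lowercase, strip punctuation, and abbreviate common address words."""
    words = re.sub(r"[^a-z0-9 ]", " ", (raw or "").lower()).split()
    return " ".join(_ABBREV.get(w, w) for w in words) or None

def find_conflicts(vendors, employees):
    """Return sorted (vendor_id, employee_id, field) tuples for shared contact data."""
    index = defaultdict(set)  # (kind, normalized value) -> {(employee_id, field)}
    for e in employees:
        for field in ("home_phone", "emergency_phone"):
            key = norm_phone(e.get(field))
            if key:
                index[("phone", key)].add((e["id"], field))
        key = norm_address(e.get("home_address"))
        if key:
            index[("addr", key)].add((e["id"], "home_address"))
    hits = set()
    for v in vendors:
        for kind, key in (("phone", norm_phone(v.get("phone"))),
                          ("addr", norm_address(v.get("address")))):
            if key:
                for emp_id, field in index.get((kind, key), ()):
                    hits.add((v["id"], emp_id, field))
    return sorted(hits)

# Constructed sample records (hypothetical field names, not real data).
VENDORS = [
    {"id": "V100", "address": "12 Oak Street, Suite 4", "phone": "(704) 555-0101"},
    {"id": "V200", "address": "900 Main Ave.", "phone": "704-555-0199"},
    {"id": "V300", "address": "77 Pine Rd", "phone": "1-704-555-0142"},
]
EMPLOYEES = [
    {"id": "E1", "home_address": "12 OAK ST STE 4", "home_phone": "704.555.0000",
     "emergency_phone": "704 555 0110"},
    {"id": "E2", "home_address": "5 Elm Dr", "home_phone": "7045550123",
     "emergency_phone": "+1 (704) 555-0142"},
]

if __name__ == "__main__":
    for vendor_id, emp_id, field in find_conflicts(VENDORS, EMPLOYEES):
        print(f"{vendor_id} shares {field} with {emp_id}")
```

A match is a lead for follow-up rather than a finding: a shared address or phone number can have a disclosed and legitimate explanation.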
Wednesday, August 26, 2009
Word of the Day (Month!) - Could technology be a "Gister?"
I'm reading another of Dan Brown's fast-paced and thought-provoking novels. (Brown wrote DaVinci Code, Angels & Demons) It's an earlier one, titled Deception Point, and it features a character whose job is my new favorite word, even though the word seems to be made up by the author.
The character (Rachel Sexton) is a "gister" or data summarizer for the National Reconnaissance Office. A "gister" reduces complex reports into single-page briefs. After reading a few Federal OIG audit reports for Research Universities, I'd like to have Ms. Sexton's help, as even the OIG's executive summaries need a little "gisting."
Perhaps a bit like an audit executive who condenses the last three months of their audit staff's activity into a briefing for the Audit Committee. Or the auditor who analyzes 100,000 expense reports and uses a query tool to identify how many comply or don't comply with a particular policy.
How are you and your team reviewing complex data to get to the gist of an issue? Are there any tools that you are using? Why? Let us know...
Joe Oringel
Visual Risk IQ
Charlotte NC, USA
Tuesday, August 18, 2009
Setting IIA / ISACA speaking dates this fall
Continuous auditing and data analysis remain a very hot topic, as evidenced by our uptick in speaking requests this fall from IIA and ISACA chapters. Several dates are already set in the next few months, and requests continue to come in for programming and education that help audit and finance leaders understand and quickly apply the latest thinking in data analysis techniques.
We have content already developed for 1/2 day and full day programs, in addition to executive briefings that are ideal for IIA District or Regional Conferences.
Some representative Data Analysis and Continuous Auditing speaking events include:
- September 11, 2009 - Baton Rouge IIA Chapter. 1/2 day session
- September 16, 2009 - Greensboro, NC IIA Chapter. Full-day session on Data Analysis, with Tableau software and Audimation
- October 7, 2009 - Columbia, SC - ISACA Chapter. Full-day session on Data Analysis and Continuous Auditing
- November 18, 2009 - Greensboro, NC IIA Chapter. Full-day session on Continuous Auditing, with David Payseur of Arrowpoint Capital and Dr. George Aldhizer from Wake Forest University.
Other events are in discussion and may soon follow. Contact us for information regarding a similar CPE event for your local chapter or district conference.
Joe Oringel
Visual Risk IQ
Charlotte NC, USA
Sunday, August 9, 2009
Anything worth doing is worth doing well - and Often!
I had a discussion today with a panelist who will be speaking about Continuous Auditing / Continuous Controls Monitoring at an IIA Chapter meeting later this month. The panelist's shared services group uses a leading CCM system for one very specific business area - Travel & Entertainment. They have had a very favorable ROI with their use of CCM, and users in Finance, Internal Audit, and elsewhere all appreciate the workflow capabilities of their CCM system. Users and especially management recognize that the workflow capabilities and the frequent extraction capabilities are a quantum leap forward from ERP query tools and data analysis tools like ACL and IDEA. Instead of spending time to extract data and run scripts, the CCM solution automates those steps and allows more time for research and resolving issues.
He asked me what other business processes make good applications for CCM, and I shared that it's a variety of application areas - everything from review of Manual Journal Entries to Accounts Payable Disbursements to Grants and Contracts in Higher Education. Across multiple industries and also across multiple systems.
So whether it's updating an audit plan quarterly instead of annually, or analyzing manual journal entries for fraud or error monthly instead of quarterly: if it's worth doing, ask how you might do it more frequently. With modern CCM tools, you'll find that many important financial control activities can be done well, and Often!
Tuesday, August 4, 2009
When the Going Gets Tough, the Tough Go Shopping (around)
You've got to like a headline like this, regardless of the substance of the article. But the good news is that the substance of this article (from the Chronicle of Higher Education) is almost as good as the headline. For both universities and for commercial enterprises. Purchasing projects, especially for indirect categories, represent an excellent opportunity to improve the bottom line. These services can be bought from traditional consulting firms like Bain, McKinsey, or Accenture, and also from niche firms who specialize in only these Purchasing services.
Also interesting, though not in the Chronicle's article, is the potential synergy between improving Purchasing and CCM-T. In the last few years, we've had deep-dive meetings with a number of firms who specialize in SG&A cost reduction and vendor negotiation. It has become clear that among their most distinctive strengths are data analysis and vendor negotiation. Their projects are net cash flow positive, funded by realized, hard-dollar savings, paid on a contingent fee.
Once new contracts are re-negotiated, the firms review actual spending and compute realized savings, to compute their fees. Which represents the opportunity for CCM-T. Just as Visual Risk IQ has implemented CCM-T to review invoices and invoice lines for suspicious, fraudulent, or duplicate payments, we also can configure CCM-T to review invoice lines for rogue or unauthorized spending from non-preferred vendors.
So if you're a CCM-T user looking for improved business value from your implementation, or a finance, audit, or procurement executive looking to improve your bottom line through an evaluation of your Purchasing group, let us know. We know some great places to shop!
Joe Oringel
Visual Risk IQ
Charlotte NC, USA