A Real Wake-Up Session
Kim Jones
Joe Oringel
SuperStrategies
April 16, 2009
Finding Money and Detecting Fraud with Transaction Monitoring
Visual Risk IQ – Points of distinction
• We do three things: data mining and analysis, continuous auditing and monitoring, and visual reporting. We help clients achieve value through:
– Educating the market through rapid, low-cost, value-focused pilot projects
– Facilitating understanding of how these technologies can be applied
– Turnkey through to collections, if desired
• Our clients’ business objectives and current state of maturity drive our recommendations and projects
• People and process changes are primary, supported, as appropriate, with enabling technologies
• We maintain an in-depth, up-to-date knowledge of all software and process solutions within the categories
• Key to our success are alliance relationships with leading software providers and a broad array of complementary professional service firms
Visual Risk IQ – GRC thought leadership, practically applied© 2008 Visual Risk IQ, LLC, All Rights Reserved
[Chart: maturity scoring grid (100 / 200 / 300) across People, Process, Governance and Technology]
The Category – The $100 bill on the sidewalk
Question #1 – Ice-Breaker
Q. Why didn’t the economist pick it up?
A. Because if it were real, someone else would have picked it up already.
The Category – The $100 bill on the sidewalk
Question #2 – Ice-Breaker
Q. Why didn’t the external auditor pick it up?
A. Materiality.
The Category – The $100 bill on the sidewalk
Question #3 – Ice-Breaker
Q. Why doesn’t the internal auditor pick it up?
A. Risk? Disruption? Not fixing the root cause of losing $100 in the first place? What is it?
Let’s talk…
Recap of 2008 SuperStrategies Wake-up Session

Continuous Auditing is top of mind for today’s Chief Audit Executive**

Continuous auditing and continuous monitoring become “right time” when the timing and frequency of evaluation matches business requirements. What frequency is right for your revenue transactions? Supply chain?

[Charts: Continuous auditing / continuous monitoring programs; Today’s continuous auditing frequency]

** Source: 2007 State of the Internal Auditing Profession, Copyright PricewaterhouseCoopers LLP 2006
Visual Risk IQ is a leader in Continuous Auditing and Monitoring© 2007 Visual Risk IQ, LLC, All Rights Reserved
Questions & Answers
Q. What is NOT the first step in a continuous auditing program?
A. Buy more software and/or send the audit staff to more ACL (or IDEA, MS-Access or…) training
Implementing continuous auditing across an internal audit methodology is not just about technology…
[Diagram: Technology and the audit process]
…it’s about a model that acknowledges the impact of People, Audit Process and Governance also.
[Diagram: People, Technology, Governance and Audit process]
The audit process – a maturity model approach
A basic continuous auditing maturity model

Columns: Basic practices | Level 2 practices | Better practices | Continuous auditing

People
– Basic practices: Staff has some basic data literacy. Knows how to ask IT for information.
– Level 2 practices: Some IT- and data-specific specialists are accessible, either in-house or as consultants.
– Better practices: Audit staff and leaders are IT- and data-literate. Little distinction between IT audit and financial / operational audit people.
– Continuous auditing: No need for ad hoc data acquisition; CA and CCM systems are well-integrated into finance and operations.

Technology
– Basic practices: Basic data capture and analysis using MS-Office or ERP query tools. Heavy reliance on Corporate IT.
– Level 2 practices: Some re-usable scripts exist and are used on demand for relevant audit projects.
– Better practices: Scripts are stored, scheduled, and run at appropriate intervals.
– Continuous auditing: Continuous auditing and monitoring technologies contribute to all audit steps.

Governance
– Basic practices: Business is reactive to requests from Internal Audit and usually helps in a timely way.
– Level 2 practices: Audit can access data directly.
– Better practices: IT consults with IA prior to making system changes that are known to affect IA.
– Continuous auditing: Data-driven early warning / risk alerts include both business and controls / audit implications.

Audit methodology
– Basic practices: Risk assessments are conducted annually.
– Level 2 practices: Risk assessments are conducted more frequently than annually.
– Better practices: Risk assessments consider objective and subjective data. Gaps between objective and subjective assessments are highlighted.
– Continuous auditing: Risk alerts are embedded into the IA methodology and drive specific responses in real time.
Moving up the curve can rarely be done in large steps
Risk assessment should be the new centerpiece for the audit process
[Diagram: Risk Assessment at the center, feeding repeated Planning & Scoping → Execution → Reporting cycles]
Visual reporting can help with Continual Risk Assessment and Continuous Controls Monitoring
[Diagram: Corporate Data feeding Risk Assessment and Enterprise Audit Projects (Planning & Scoping → Execution → Reporting cycles)]
Continual Auditing – Data Driven Risk Assessment
[Dashboard screenshots: individualized per division with drill-down capability… …turning data into meaningful information.]
Some practical first steps towards continual risk assessment
• Identify areas of focus and objectives for increased risk assessment and increased frequency of controls assessment
– What measures or combinations of measures best illustrate potential risk?
• Identify the sources for the data required to compute the measures
• Inventory existing tools that can be used to obtain or represent the data
– Excel / Access / ACL / IDEA
• Launch a project to build out a prototype risk monitoring dashboard with 3 – 5 measures
So what’s new in 2009? How does it affect us?
• Lowered guidance
• New SG&A expense control initiatives
• “Suspending our 401K match…”
• “Staff reductions of 10%…”
• “Hiring (travel, salary) freeze”
• Think about the Fraud Triangle
• Financial pressure and rationalization are on the rise
• What are we doing about Opportunity?
Question #3 – What about the Internal auditor?
Risk / Materiality:
– There are other areas that rated higher on the annual risk assessment / audit plan. Also, other areas are higher impact / value.
Disruption:
– I have too few “chits” with my IT team and I hate to use any. Do I need to buy software or training? Do I need to host an army of auditors to recover the $$$?
Doesn’t fix root cause:
– If our environment is rich with errors, I’m concerned I will see you back in year 2, year 3, etc., finding the same issues identified in year 1.
The Category – Real money on the sidewalk
Question #4
Q. What are the medians for duplicate- and over-payments in procurement / AP and for T&E and Purchase-cards?
A. $1,000 for each $1,000,000 in spend and $20,000 for each $1,000,000 in spend.
Real money on the sidewalk
• Accounts Payable and Procurement Duplicate / Overpayments
– Best in class is between .00025 and .0005, or $250 to $500 per million in annual purchasing spend
– Median is .001 (0.1%), or $1,000 for every million in spend
– These numbers are higher if you have multiple (especially disparate) ERP systems or if ERP configurable controls require improvement
• Travel and Entertainment / Purchase-Card
– Good rule of thumb is an error rate of 20x the AP rate. (Your actual mileage may vary.)
– These numbers are higher depending on who reviews T&E and how, and on when the most recent T&E audit was performed
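As an added example (not from the deck and not Visual Risk IQ’s tooling), a small Python screen for the AP duplicate / overpayment measure above: it pairs payments on the same vendor and amount whose invoice numbers normalize to the same key or whose pay dates fall close together, then expresses the suspected duplicate dollars per $1,000,000 of spend against the 0.1% median quoted on the slide. The AP register, the 30-day window and the matching rules are constructed assumptions.

```python
"""Duplicate-payment screen over a constructed AP extract, benchmarked
per $1,000,000 of spend against the median rate quoted on the slide."""
from collections import defaultdict
from datetime import date

# Constructed sample AP payment register: (vendor, invoice no., amount, pay date).
PAYMENTS = [
    ("ACME-001", "INV-1001", 12500.00, date(2009, 1, 5)),
    ("ACME-001", "INV1001",  12500.00, date(2009, 1, 19)),  # same invoice, punctuation differs
    ("ACME-001", "INV-1002",  4000.00, date(2009, 2, 2)),
    ("BOLT-770", "778812",   31000.00, date(2009, 1, 8)),
    ("BOLT-770", "778812",   31000.00, date(2009, 4, 8)),   # exact duplicate, 90 days later
    ("CRANE-12", "C-55",      9500.00, date(2009, 3, 3)),
    ("CRANE-12", "C-56",      9500.00, date(2009, 3, 4)),   # same vendor/amount next day, new invoice no.
    ("DELTA-9",  "D-1",       2200.00, date(2009, 3, 10)),
]

def normalize_invoice(inv):
    """Drop punctuation/whitespace and leading zeros so 'INV-1001' matches 'INV1001'."""
    key = "".join(ch for ch in inv.upper() if ch.isalnum())
    return key.lstrip("0") or "0"

def find_duplicates(payments, window_days=30):
    """Return (earlier, later, reason) for pairs on the same vendor and amount where
    the invoice keys match or the pay dates are within window_days (assumed window)."""
    by_key = defaultdict(list)
    for p in payments:
        by_key[(p[0], round(p[2], 2))].append(p)
    flagged = []
    for group in by_key.values():
        group.sort(key=lambda p: p[3])
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                same_inv = normalize_invoice(a[1]) == normalize_invoice(b[1])
                close = (b[3] - a[3]).days <= window_days
                if same_inv or close:
                    flagged.append((a, b, "same invoice" if same_inv else f"within {window_days} days"))
    return flagged

def leakage_per_million(payments, flagged):
    """Suspected duplicate dollars per $1,000,000 of spend, the unit used on the slide."""
    spend = sum(p[2] for p in payments)
    return sum(b[2] for _, b, _ in flagged) / spend * 1_000_000

def benchmark(rate_per_million, median=1_000.0):
    """Compare against the slide's AP median of .001 ($1,000 per million); pass 20x for T&E."""
    return "above median" if rate_per_million > median else "at or below median"

if __name__ == "__main__":
    hits = find_duplicates(PAYMENTS)
    rate = leakage_per_million(PAYMENTS, hits)
    print(f"{len(hits)} suspect pairs, ${rate:,.0f} per $1M spend: {benchmark(rate)}")
```

Flagged pairs are a review queue for the business process owner, not a recovery figure; the later payment in each pair is the one a reviewer would hold.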
What else happens when we pick it up? What else can I learn?
• We are internal control and audit people first, not recovery auditors. Our findings focus on how to fix the root cause, using a mix of ERP configuration, process change, or CCM-T technology.
• Part of our strategy includes helping transition queries from Audit to the Business Process Owners. A client has prevented $400,000 in duplicate payments.
• Visual reporting helps tell the story. Audit reports based on data analytics tell a more powerful story than with sampling. See example slides from recent project.
• Some organizations have a strong business case for CCM-T, and this approach can help support that business case. Sort of a stealth mode way to identify how data analysis and continuous auditing may work for you, despite challenging economic times.
Continuous Auditing and Continuous Controls Monitoring for Transactions is real
[Chart: Open POs over 365 Days Old, India vs US, 2004–2007]
[Chart: Duplicate / Overpayments by Region (NA, EMEA, India, APAC), FY 2007 – FY 2009]
The Platform – what does this look like at best in class companies?
A good continuous controls monitoring platform
[Diagram: platform components]
• Systems of Record
• Extract, Map & Load
• Extract & Mapping Rules
• Data Locker
• Common Data Models
• Reasoning & Analytics Engine
• Risk and Performance Checks
• Workflow Engine
• Workflow & Platform Configuration
• Platform Data & Logs
• Visual Reporting / User Interface
• Knowledge Maintenance Interface
Thank you!
For more information or discussion, please contact
Kim Jones – (512) 692-7663
Joe Oringel – (704) 752-6403
www.visualriskiq.com
continuousauditing.blogspot.com