Finding Money & Detecting Fraud: SuperStrategies 2009, by Visual Risk IQ

A Real Wake-Up Session. Kim Jones, Joe Oringel. SuperStrategies, April 16, 2009. Finding Money and Detecting Fraud with Transaction Monitoring

Upload: joe-oringel

Post on 28-Nov-2014


TRANSCRIPT

Page 1: Finding Money & Detecting Fraud   Super Strategies 2009 By Visual Risk Iq

A Real Wake-Up Session

Kim Jones

Joe Oringel

SuperStrategies

April 16, 2009

Finding Money and Detecting Fraud with Transaction Monitoring

Page 2

Visual Risk IQ
Points of distinction

• We do three things: data mining and analysis, continuous auditing and monitoring, and visual reporting. We help clients achieve value through:

– Educating the market through rapid, low-cost, value-focused pilot projects
– Facilitating understanding of how these technologies can be applied
– Turnkey through to collections, if desired

• Our clients’ business objectives and current state of maturity drive our recommendations and projects

• People and process changes are primary, supported, as appropriate, with enabling technologies

• We maintain an in-depth, up-to-date knowledge of all software and process solutions within the categories

• Key to our success are alliance relationships with leading software providers and a broad array of complementary professional service firms

Visual Risk IQ – GRC thought leadership, practically applied
© 2008 Visual Risk IQ, LLC, All Rights Reserved

Page 3

[Figure: grid of 100 / 200 / 300 values under the headings People, Process, Governance, Technology]

Page 4

The Category – The $100 bill on the sidewalk
Question #1 – Ice-Breaker

Q. ________________________________

A. Because if it were real, someone else would have picked it up already.

Page 5

The Category – The $100 bill on the sidewalk
Question #1 – Ice-Breaker

Q. Why didn’t the economist pick it up?

A. Because if it were real, someone else would have picked it up already.

Page 6

The Category – The $100 bill on the sidewalk
Question #2 – Ice-Breaker

Q. ________________________________

A. Materiality.

Page 7

The Category – The $100 bill on the sidewalk
Question #2 – Ice-Breaker

Q. Why didn’t the external auditor pick it up?

A. Materiality.

Page 8

The Category – The $100 bill on the sidewalk
Question #3 – Ice-Breaker

A. ________________________________

Q. Why doesn’t the internal auditor pick it up?

Page 9

The Category – The $100 bill on the sidewalk
Question #3 – Ice-Breaker

A. Risk? Disruption? Not fixing the root cause of losing $100 in the first place? What is it?

Q. Why doesn’t the internal auditor pick it up?

Let’s talk…

Page 10

Continuous Auditing is top of mind for today’s Chief Audit Executive**

Continuous auditing and continuous monitoring become “right time” when the timing and frequency of evaluation matches business requirements. What frequency is right for your revenue transactions? Supply chain?

** Source: 2007 State of the Internal Auditing Profession. Copyright PricewaterhouseCoopers LLP 2006

Continuous auditing / continuous monitoring programs

Today’s continuous auditing frequency

Recap of 2008 SuperStrategies Wake-up Session

Visual Risk IQ is a leader in Continuous Auditing and Monitoring
© 2007 Visual Risk IQ, LLC, All Rights Reserved

Page 11

Questions & Answers

Q. ______________________________

A. Buy more software and/or send the audit staff to more ACL (or IDEA, MS-Access or…) training

Recap of 2008 SuperStrategies Wake-up Session

Page 12

Questions & Answers

Q. What is NOT the first step in a continuous auditing program?

A. Buy more software and/or send the audit staff to more ACL (or IDEA, MS-Access or…) training

Recap of 2008 SuperStrategies Wake-up Session

Page 13

Implementing continuous auditing across an internal audit methodology is not just about technology…

[Figure: the audit process, labelled Technology]

Page 14

…it’s about a model that acknowledges the impact of People, Audit Process and Governance also.

[Figure: the audit process, labelled People, Technology, Governance, Audit process]

Page 15

A basic continuous auditing maturity model

The audit process – a maturity model approach

People
– Basic practices: Staff has some basic data literacy. Knows how to ask IT for information.
– Level 2 practices: Some IT- and data-specific specialists are accessible, either in-house or as consultants
– Better practices: Audit staff and leaders are IT- and data-literate. Little distinction between IT audit and financial / operational audit people
– Continuous auditing: No need for ad hoc data acquisition - CA and CCM systems are well-integrated into finance and operations

Technology
– Basic practices: Basic data capture and analysis using MS-Office or ERP Query tools. Heavy reliance on Corporate IT
– Level 2 practices: Some re-usable scripts exist and are used on-demand for relevant audit projects
– Better practices: Scripts are stored, scheduled, and run at appropriate intervals
– Continuous auditing: Continuous auditing and monitoring technologies contribute to all audit steps

Governance
– Basic practices: Business is reactive to requests from Internal Audit and usually helps in a timely way.
– Level 2 practices: Audit can access data directly
– Better practices: IT consults with IA prior to making system changes that are known to affect IA.
– Continuous auditing: Data driven early warning / risk alerts include both business and controls / audit implications.

Audit methodology
– Basic practices: Risk assessments are conducted annually
– Level 2 practices: Risk assessments are conducted more frequently than annually
– Better practices: Risk assessments consider objective and subjective data. Gaps between objective and subjective assessments are highlighted
– Continuous auditing: Risk alerts are embedded into the IA methodology and drive specific responses real-time

Page 16

Moving up the curve can rarely be done in large steps

[Slide repeats the continuous auditing maturity model table from page 15.]

The audit process – a maturity model approach

Page 17

Risk assessment should be the new centerpiece for the audit process

[Figure: audit process diagram labelled Risk Assessment, Planning & Scoping, Execution, Reporting]

Recap of 2008 SuperStrategies Wake-up Session

Page 18

Visual reporting can help with Continual Risk Assessment and Continuous Controls Monitoring

[Figure: diagram labelled Corporate Data, Enterprise Audit Projects, Risk Assessment, Planning & Scoping, Execution, Reporting]

Recap of 2008 SuperStrategies Wake-up Session

Page 19

Continual Auditing - Data Driven Risk Assessment

Individualized per division with drill-down capability…

Recap of 2008 SuperStrategies Wake-up Session

Page 20

Continual Auditing - Data Driven Risk Assessment

…turning data into meaningful information.

Recap of 2008 SuperStrategies Wake-up Session

Page 21

Some practical first steps towards continual risk assessment

• Identify areas of focus and objectives for increased risk assessment and increased frequency of controls assessment?

- What measures or combinations of measures best illustrate potential risk

• Identify the sources for the data required to compute the measures

• Inventory existing tools that can be used to obtain or represent the data

- Excel / Access / ACL / IDEA

• Launch a project to build out a prototype risk monitoring dashboard with 3 – 5 measures

Recap of 2008 Wake-up Session

Page 22

So what’s new in 2009? How does it affect us?

• Lowered guidance
• New SG&A expense control initiatives
• “Suspending our 401K match…”
• “Staff reductions of 10%…”
• “Hiring (travel, salary) freeze”

• Think about the Fraud Triangle
• Financial pressure and rationalization are on the rise
• What are we doing about Opportunity

Page 23

Question #3 - What about the Internal auditor?

Risk / Materiality:
- There are other areas that rated higher on the annual risk assessment / audit plan. Also - other areas are higher impact / value

Disruption:
- I have too few “chits” with my IT team and I hate to use any. Do I need to buy software or training. Do I need to host an army of auditors to recover the $$$.

Doesn’t fix root cause:
- If our environment is rich with errors, I’m concerned I will see you back in year 2, year 3, etc., finding the same issues identified in year 1.

Page 24

The Category – Real money on the sidewalk
Question #4

Q. ________________________________

A. $1,000 for each $1,000,000 in spend and $20,000 for each $1,000,000 in spend.

Page 25

The Category – Real money on the sidewalk
Question #4

Q. What are the medians for duplicate- and over-payments in procurement / AP and for T&E and Purchase-cards?

A. $1,000 for each $1,000,000 in spend and $20,000 for each $1,000,000 in spend.

Page 26

Real money on the sidewalk

• Accounts Payable and Procurement Duplicate / Overpayments

– Best in class is between .00025 and .0005, or $250 to $500 in annual purchasing spend, per million in spend

– Median is .001 (0.1%), or $1,000 for every million in spend

– These numbers are higher if you have multiple (especially disparate) ERP systems or if ERP configurable controls require improvement

• Travel and Entertainment / Purchase-Card

– Good rule of thumb is error rate of 20x the AP rate. (Your actual mileage may vary.)

– These numbers are higher depending on who / how reviews T&E and when the most recent T&E audit has been performed

Page 27

What else happens when we pick it up?
What else can I learn?

• We are internal control and audit people first, not recovery auditors. Our findings focus on how to fix the root cause, using a mix of ERP configuration, process change, or CCM-T technology.

• Part of our strategy includes helping transition queries from Audit to the Business Process Owners. A client has prevented $400,000 in duplicate payments.

• Visual reporting helps tell the story. Audit reports based on data analytics tell a more powerful story than with sampling. See example slides from recent project.

• Some organizations have a strong business case for CCM-T, and this approach can help support that business case. Sort of a stealth mode way to identify how data analysis and continuous auditing may work for you, despite challenging economic times.

Page 28

Continuous Auditing and Continuous Controls Monitoring for Transactions is real

[Figure: example charts, including “Open POs over 365 Days Old” and “Duplicate / Overpayments by Region” (NA, EMEA, India, APAC; segment labels 24%, 22%, 50%, 4%); series labels India and US; axes 2004–2007 and FY 2007–FY 2009]

Page 29

The Platform

A good continuous controls monitoring platform

What does this look like at best in class companies?

[Figure: platform diagram with the following labelled components]

• Systems of Record
• Extract, Map & Load
• Extract & Mapping Rules
• Common Data Models
• Data Locker
• Reasoning & Analytics Engine
• Risk and Performance Checks
• Workflow Engine
• Workflow & Platform Configuration
• Platform Data & Logs
• Visual Reporting / User Interface
• Knowledge Maintenance Interface

Page 30

Thank you!

For more information or discussion, please contact

Kim Jones
(512) 692-7663
[email protected]

Joe Oringel
(704) 752-6403
[email protected]

www.visualriskiq.com
continuousauditing.blogspot.com