1. Finding Money and Detecting Fraud
with Transaction Monitoring
A Real Wake-Up Session
Kim Jones
Joe Oringel
SuperStrategies
April 16, 2009
2. Visual Risk IQ
Points of distinction
• We do three things: data mining and analysis, continuous auditing and monitoring,
and visual reporting. We help clients achieve value through:
– Educating the market through rapid, low-cost, value-focused pilot projects
– Facilitating understanding of how these technologies can be applied
– Turnkey through to collections, if desired
• Our clients’ business objectives and current
state of maturity drive our recommendations
and projects
• People and process changes are primary, supported, as appropriate,
with enabling technologies
• We maintain an in-depth, up-to-date knowledge of all software and
process solutions within these categories
• Key to our success are alliance relationships with leading software providers and a
broad array of complementary professional service firms
Visual Risk IQ – GRC thought leadership, practically applied
© 2008 Visual Risk IQ, LLC, All Rights Reserved
3. People / Process / Governance / Technology
[Category board: four categories (People, Process, Governance, Technology), each with 100-, 200- and 300-point questions]
4-5. The Category – The $100 bill on the sidewalk
Question #1 – Ice-Breaker
Q. Why didn’t the economist pick it up?
A. Because if it were real, someone else would have picked it up already.
6-7. The Category – The $100 bill on the sidewalk
Question #2 – Ice-Breaker
Q. Why didn’t the external auditor pick it up?
A. Materiality.
8-9. The Category – The $100 bill on the sidewalk
Question #3 – Ice-Breaker
Q. Why doesn’t the internal auditor pick it up?
A. Risk? Disruption? Not fixing the root cause of losing $100 in the first place? What is it?
Let’s talk…
10. Recap of 2008 SuperStrategies Wake-up Session
Continuous Auditing is top of mind for today’s Chief Audit Executive**
[Chart: continuous auditing / continuous monitoring programs, and today’s continuous auditing frequency]
Continuous auditing and continuous monitoring become “right time” when the timing and frequency of evaluation match business requirements.
What frequency is right for your revenue transactions? Supply chain?
** Source: 2007 State of the Internal Auditing Profession, Copyright PricewaterhouseCoopers LLP 2006
Visual Risk IQ is a leader in Continuous Auditing and Monitoring
© 2007 Visual Risk IQ, LLC, All Rights Reserved
11-12. Recap of 2008 SuperStrategies Wake-up Session
Questions & Answers
Q. What is NOT the first step in a continuous auditing program?
A. Buy more software and/or send the audit staff to more ACL (or IDEA, MS-Access or…) training
13. The audit process
Implementing continuous auditing across an internal audit methodology is not just about technology…
[Diagram: Technology]
14. The audit process
…it’s about a model that acknowledges the impact of People, Audit Process and Governance also.
[Diagram: People, Technology, Governance, Audit process]
15. The audit process – a maturity model approach
A basic continuous auditing maturity model (four levels: Basic practices, Level 2 practices, Better practices, Continuous auditing)
• People
– Basic practices: Staff has some basic data literacy. Knows how to ask IT for information.
– Level 2 practices: Some IT- and data-specific specialists are accessible, either in-house or as consultants.
– Better practices: Audit staff and leaders are IT- and data-literate. Little distinction between IT audit and financial / operational audit people.
– Continuous auditing: No need for ad hoc data acquisition; CA and CCM systems are well-integrated into finance and operations.
• Technology
– Basic practices: Basic data capture and analysis using MS-Office or ERP query tools. Heavy reliance on Corporate IT.
– Level 2 practices: Some re-usable scripts exist and are used on demand for relevant audit projects.
– Better practices: Scripts are stored, scheduled, and run at appropriate intervals.
– Continuous auditing: Continuous auditing and monitoring technologies contribute to all audit steps.
• Governance
– Basic practices: Business is reactive to requests from Internal Audit and usually helps in a timely way.
– Level 2 practices: Audit can access data directly.
– Better practices: IT consults with IA prior to making system changes that are known to affect IA.
– Continuous auditing: Data-driven early warning / risk alerts include both business and controls / audit implications.
• Audit methodology
– Basic practices: Risk assessments are conducted annually.
– Level 2 practices: Risk assessments are conducted more frequently than annually.
– Better practices: Risk assessments consider objective and subjective data. Gaps between objective and subjective assessments are highlighted.
– Continuous auditing: Risk alerts are embedded into the IA methodology and drive specific responses in real time.
16. The audit process – a maturity model approach
Moving up the curve can rarely be done in large steps
(same maturity model table as slide 15: People, Technology, Governance and Audit methodology across Basic, Level 2, Better and Continuous auditing practices)
17. Recap of 2008 SuperStrategies Wake-up Session
Risk assessment should be the new centerpiece for the audit process
[Diagram: Risk Assessment at the center of the audit cycle of Planning & Scoping, Execution and Reporting]
18. Recap of 2008 SuperStrategies Wake-up Session
Visual reporting can help with Continual Risk Assessment and Continuous Controls Monitoring
[Diagram: Corporate Data feeding Risk Assessment at the center of the audit cycle (Planning & Scoping, Execution, Reporting), with Enterprise Audit Projects around it]
19. Recap of 2008 SuperStrategies Wake-up Session
Continual Auditing - Data Driven Risk Assessment
Individualized per division with drill-down capability…
20. Recap of 2008 SuperStrategies Wake-up Session
Continual Auditing - Data Driven Risk Assessment
…turning data into meaningful information.
21. Recap of 2008 Wake-up Session
Some practical first steps towards continual risk assessment
• Identify areas of focus and objectives for increased risk assessment and increased frequency of controls assessment
- Which measures, or combinations of measures, best illustrate potential risk?
• Identify the sources for the data required to compute the measures
• Inventory existing tools that can be used to obtain or represent the data
- Excel / Access / ACL / IDEA
• Launch a project to build out a prototype risk monitoring dashboard with 3 – 5 measures
22. So what’s new in 2009? How does it affect us?
• Lowered guidance
• New SG&A expense control initiatives
– “Suspending our 401K match…”
– “Staff reductions of 10%…”
– “Hiring (travel, salary) freeze”
• Think about the Fraud Triangle
– Financial pressure and rationalization are on the rise
– What are we doing about Opportunity?
23. Question #3 - What about the internal auditor?
Risk / Materiality:
- There are other areas that rated higher on the annual risk assessment / audit plan. Also, other areas are higher impact / value.
Disruption:
- I have too few “chits” with my IT team and I hate to use any. Do I need to buy software or training? Do I need to host an army of auditors to recover the $$$?
Doesn’t fix root cause:
- If our environment is rich with errors, I’m concerned I will see you back in year 2, year 3, etc., finding the same issues identified in year 1.
24-25. The Category – Real money on the sidewalk
Question #4
Q. What are the medians for duplicate- and over-payments in procurement / AP and for T&E and purchase cards?
A. $1,000 for each $1,000,000 in spend for procurement / AP, and $20,000 for each $1,000,000 in spend for T&E and purchase cards.
26. Real money on the sidewalk
• Accounts Payable and Procurement Duplicate / Overpayments
– Best in class is between 0.025% and 0.05% (0.00025 to 0.0005) of annual purchasing spend, i.e. $250 to $500 per million in spend
– Median is 0.1% (0.001), or $1,000 for every million in spend
– These numbers are higher if you have multiple (especially disparate) ERP systems or if ERP configurable controls require improvement
• Travel and Entertainment / Purchase-Card
– A good rule of thumb is an error rate of 20x the AP rate. (Your actual mileage may vary.)
– These numbers are higher depending on who reviews T&E, how it is reviewed, and when the most recent T&E audit was performed
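The benchmarks above are easier to act on once a concrete monitoring pass exists. The following Python script is an added example; it is not code from the deck or from Visual Risk IQ. It runs the classic duplicate-payment test (same vendor, same amount, equivalent invoice number after normalization, within a 90-day window) over a constructed invoice register, then scores the resulting overpayment rate against the best-in-class, median and 20x T&E figures quoted on slide 26. The record layout, field names, the invoice-number normalization rule and the 90-day window are assumptions, not the deck's method.

```python
"""Added example (not from the Visual Risk IQ deck): a minimal AP transaction
monitoring pass.

  1. flag duplicate / overpayment candidates in an invoice register, and
  2. express the flagged amount as a rate per $1,000,000 of spend and compare
     it with the benchmarks quoted on slide 26 (best in class 0.025%-0.05%,
     median 0.1%, T&E / P-card rule of thumb 20x the AP rate).

All records below are constructed for illustration; the field names, the
normalization rule and the 90-day window are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from itertools import combinations
import re

# Benchmarks from slide 26, expressed as a fraction of spend.
BEST_IN_CLASS_LOW, BEST_IN_CLASS_HIGH = 0.00025, 0.0005
MEDIAN_AP_RATE = 0.001
TE_MULTIPLIER = 20


@dataclass(frozen=True)
class Payment:
    doc_id: str       # AP payment document number
    vendor_id: str
    invoice_no: str   # invoice number as keyed by the AP clerk
    amount: float
    paid_on: date


def normalize_invoice(inv: str) -> str:
    """Drop punctuation, spaces, an alphabetic prefix and leading zeros, so
    'INV-001234', 'inv 1234' and '1234' compare equal.  Keyed-in variants of
    the same invoice number are the usual way a duplicate slips past an
    exact-match duplicate check in the ERP (assumption about the ERP check)."""
    s = re.sub(r"[^0-9A-Za-z]", "", inv).upper()
    s = re.sub(r"^[A-Z]+", "", s)
    return s.lstrip("0") or "0"


def find_duplicate_candidates(payments, window_days=90):
    """Return (earlier, later) pairs that look like one invoice paid twice:
    same vendor, same amount (to the cent), equivalent invoice number, and
    paid within window_days of each other."""
    hits = []
    ordered = sorted(payments, key=lambda p: p.paid_on)
    for a, b in combinations(ordered, 2):
        if a.vendor_id != b.vendor_id or abs(a.amount - b.amount) > 0.005:
            continue
        if (b.paid_on - a.paid_on).days > window_days:
            continue
        if normalize_invoice(a.invoice_no) == normalize_invoice(b.invoice_no):
            hits.append((a, b))
    return hits


def overpayment_rate(payments, hits):
    """Fraction of total spend represented by the later payment of each pair."""
    total = sum(p.amount for p in payments)
    dup_amount = sum(later.amount for _, later in hits)
    return dup_amount / total if total else 0.0


def benchmark_band(rate, te=False):
    """Place a rate against the deck's AP benchmarks (scaled 20x for T&E)."""
    k = TE_MULTIPLIER if te else 1
    if rate <= BEST_IN_CLASS_HIGH * k:
        return "best in class"
    if rate <= MEDIAN_AP_RATE * k:
        return "at or better than median"
    return "worse than median"


# Constructed sample register (not real data).
SAMPLE = [
    Payment("P1", "V100", "INV-001234", 12500.00, date(2009, 1, 5)),
    Payment("P2", "V100", "1234",       12500.00, date(2009, 2, 17)),  # duplicate of P1
    Payment("P3", "V200", "A-77",         840.00, date(2009, 1, 20)),
    Payment("P4", "V200", "A-77",         840.00, date(2009, 9, 1)),   # outside window
    Payment("P5", "V300", "5561",        3000.00, date(2009, 3, 2)),
    Payment("P6", "V300", "5562",        3000.00, date(2009, 3, 3)),   # different invoice
    Payment("P7", "V400", "9001",      970000.00, date(2009, 3, 10)),
]

if __name__ == "__main__":
    found = find_duplicate_candidates(SAMPLE)
    r = overpayment_rate(SAMPLE, found)
    for a, b in found:
        print(f"candidate: {a.doc_id} / {b.doc_id} vendor {a.vendor_id} ${a.amount:,.2f}")
    print(f"rate {r:.4%} = ${r * 1e6:,.0f} per $1M spend -> {benchmark_band(r)}")
```

P4 repeats P3's invoice but nine months later, so it falls outside the 90-day window and is left for a second, wider pass; P5/P6 share vendor and amount but carry genuinely different invoice numbers. Widening the window or relaxing the amount match raises recall at the cost of false positives that the business process owner then has to clear, which is the trade-off to tune when the queries are handed from Audit to the process owners.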
27. What else happens when we pick it up?
What else can I learn?
• We are internal control and audit people first, not recovery auditors. Our findings focus on how to fix the root cause, using a mix of ERP configuration, process change, or CCM-T technology.
• Part of our strategy includes helping transition queries from Audit to the Business Process Owners. A client has prevented $400,000 in duplicate payments.
• Visual reporting helps tell the story. Audit reports based on data analytics tell a more powerful story than those based on sampling. See example slides from a recent project.
• Some organizations have a strong business case for CCM-T, and this approach can help support that business case. It is a stealth-mode way to identify how data analysis and continuous auditing may work for you, despite challenging economic times.
28. Continuous Auditing and Continuous Controls Monitoring for Transactions is real
[Chart: Duplicate / Overpayments by Region (pie); regions NA US, EMEA, APAC, India; shares shown 50%, 24%, 22%, 4%]
[Chart: Open POs over 365 Days Old, by year 2004 to 2007; count axis 0 to 350]
[Chart: FY 2007, FY 2008, FY 2009; value axis 0 to 18,000]
29. What does this look like at best in class companies?
A good continuous controls monitoring platform
[Architecture diagram, left to right:]
• Systems of Record
• Extract, Map & Load (driven by Extract & Mapping Rules)
• Data Locker (Common Data Models)
• Reasoning & Analytics Engine (Risk and Performance Checks)
• Workflow Engine (Workflow & Platform Configuration)
• Visual Reporting / User Interface
• Across the platform: a Knowledge Maintenance Interface for the rules, models, checks and configuration, and Platform Data & Logs
30. Thank you!
For more information or discussion, please contact
Kim Jones
(512) 692-7663
kim.jones@visualriskiq.com
Joe Oringel
(704) 752-6403
joe.oringel@visualriskiq.com
www.visualriskiq.com
continuousauditing.blogspot.com