“The purpose of audit isn’t to poke holes in the bottom of the boat; it’s to make sure there are no leaks.”
That was a quotation I heard some time ago and it struck me as a rather good way to position the internal audit function to both auditors and non-auditors alike. So if we take that analogy a bit further, one can consider data analysis as a means of identifying leaks – or the absence of leaks - in the business. Here are a few examples:
- By looking at data, one can detect revenue leakage in the form of unauthorized or excessive discounts in the Order-to-Cash cycle.
- Another sort of “leak” could be duplicate payments to vendors. An example of this came to my attention the other day. This case involved the common circumstance where buying was centralized in the company’s head office. Goods were shipped to a branch location (with a copy of the invoice attached) and the invoice was sent to head office. As it turned out, head office was paying the invoice (as it should have), but the branch office was also paying the invoice by mistake. That’s a leak.
- Another leak (or breach) occurred where an executive assistant gained access to his superior’s computer password. He then went on to approve a series of false travel and expense claims – to the tune of several hundreds of thousands of dollars in fraud.
- Sometimes “holes in the boat” can be identified before water starts to get in. One audit found that a number of corporate credit cards were still active for former employees. While there were no transactions against those accounts, it showed a significant weakness in employee termination processes. Isn’t it better to find out this sort of weakness before it causes loss?
Perhaps explaining internal auditing in this way will gain you better cooperation with the rest of your crew. After all, we’re all in the same boat, aren’t we?
As the Chief Audit Executive works to evolve Internal Audit to make it more integrated with an organization’s strategic initiatives, the role of the Chief Financial Officer in facilitating this transformation is an important consideration. A visionary CFO who understands the value of Internal Audit can be a useful ally and catalyst for change.
To be this agent of change, the CAE needs to inform the CFO about current developments in technology-enabled auditing. “Financial Leadership in Challenging Times”, a report published by PricewaterhouseCoopers in November 2009, provides an influential perspective on the CFO. “CFOs [who have] the vision to look beyond core functions of finance and the fortitude to use their financial acumen and insights to drive new value and higher levels of business transformation and performance” will be needed in these challenging times. The report goes on to say that one key area for the CFO to drive success rather than remain in survival mode is to “achieve continuous improvement in accuracy, timeliness and cost effectiveness of control and compliance activities.”
This quote resonated with me as I have been saying much the same thing in previous articles and presentations. Using leading edge data analysis technologies to provide an organization with improved Business Assurance is a critical way to achieve improved results for both the internal audit department and, also, for the organization as a whole.
For example, ACL’s AuditExchange2 platform provides internal auditors with improved content management that makes for a more efficient audit team. The ability to store key audit evidence, including data, analytics, results and all forms of working papers, in a secure and centralized location, will make audit shops more organized and better at acquiring and assessing their audit results.
The move towards more continuous assurance over controls and risks can also be achieved through AX|Exception - an optional add-on technology to the AuditExchange platform. AX|Exception is a web-based application that allows audit teams to easily distribute exceptions found during data analysis testing. These results can be communicated to management and operational staff for further follow up, improving the overall controls and compliance environment and thereby allowing the CFO to take comfort that the organization’s internal controls and remediation programs are working as intended.
Visionary CAEs and CFOs who have the foresight to innovate across an organization, including adopting best practices in their internal audit departments, can be drivers of improved performance and excellence. As stated in PwC’s report, “a sustained, focused program of financial leadership invests continually in people, process and technologies.” It’s now up to you, supported by your CFO, to accept this mantle and truly become a change agent in transforming your internal audit department and taking your place at the leadership table.
Download the Report
I recently spoke at an ACL Business Assurance session, following Manuel Coello from Stanley Works. He was a tough act to follow. Manuel is Project Manager of Continuous Auditing and Monitoring and is one of those key audit professionals who has played a huge role within his organization in driving the benefits of analytics into the audit process and then beyond into the business. Not only that, but he is a highly effective and enthusiastic speaker who turns light bulbs on for his audience by clearly explaining issues and providing plenty of practical examples.
One of the main takeaways for me was his description of the repeated efforts that it took to actually get analytics used regularly within audits. It was only when the VP Audit mandated use that things took off. In many audit departments there are champions of the use of analytics - but their effectiveness is almost always going to be limited unless audit leadership declares use of analytics and automation as a key part of audit strategy.
My favourite takeaway was Manuel's description of their efforts to use ACL AuditExchange to distribute continuous auditing exceptions into the business for follow up and remediation. Some business process people were less than enthusiastic about following up on exceptions and someone commented that "you can lead a horse to water - but you can't make them drink". The audit response was apparently that "oh yes we can - and we're going to drown the horse".
I thought Manuel’s remarks were a great illustration of the fact that it takes leadership and engagement by senior management to make substantial progress. We hear consistently of the value and importance that the audit profession puts on data analysis, continuous auditing and monitoring – while at the same time hearing that many organizations are far from implementing these techniques at the desired level. I believe that the reason is often that these approaches are considered to be the domain of technical specialists who are left to progress on their own with minimal overall support and infrastructure. Although many specialists are tremendous champions of analytics and produce a lot of value, unless they get clear and practical support from senior management it is unlikely that the success that is achieved is going to be sustainable or close to realizing the full potential.
Click here to view Manuel Coello's Presentation: Analytics, Unleashing the power of the audit process.
A month ago, a director of internal audit at a major credit card company told me something about his company’s suppliers that surprised me, but is becoming increasingly common practice. Many vendors are writing into their supplier agreements a clause that prevents you from recovering payment errors that were of your own making. So, if you accidentally pay them more than once, it’s your fault and there will be no recovery (unless you go down the legal route - the costs of which would probably eat into that recovery anyway).
Although many companies are running analytics to detect if duplicate payments have been made to vendors, it is a reactive approach when - given the above scenario - a proactive method would be better suited. Testing can improve prevention, as well as detection. Many ERP systems already have rudimentary prevention measures where users are prevented from entering, say, duplicate invoice numbers in the payment program, but in reality the definition of a duplicate is very vague.
In terms of payment data, how can you achieve preventative duplicate testing? Most ERP payment programs can be executed as dry-runs. Using an example from SAP, duplicate testing might be done on the Processed Items from Payment Program (REGUP) table which allows for a ‘Proposal Run’ of payments to be made. If all payments are run as proposals, testing for duplicates enables the detection of payment errors before they are made. I ran such a test recently on a real company’s SAP payment data (using REGUP/REGUH) and found an exception rate of 1.21%. This seems rather small, but on this company’s monthly payment cycle it averaged out at $19,500 per month in duplicate vendor payments.

This is a substantial dollar amount by anyone’s standards. This week, another organization (a general insurance provider) asked for the same kinds of preventative tests to be implemented against their SQL Server data. Once again, like many ERP ‘safeguards’, their claims database does not allow users to enter duplicate claim or payment numbers - this kind of preventative measure is woefully inadequate.
Testing should examine things like: same/similar payees, similar amounts (variance of, say, 5 or 10% within n days of another payment), similar sounding payee names (e.g. Acme Inc, Acme Ltd)*, similar invoice numbers (123456A, 123456B, etc.) and so on. Depending on the data, there could be hundreds of ways to approach the tests, so planning is key and evaluating how duplicates were caught in the past - or investigating how they could potentially be caught in the future - is highly recommended.
One good way to QA and ensure your preventative testing works is to deliberately seed your database with test duplicates (which are similar, but not exact – that’s too easy). Do this on a regular basis with different types of duplicates to ensure that your analytics are fine-tuned enough to find them all.
*see my article on phonetic matching
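The tests described above, run against a payment proposal before anything is paid, can be sketched as follows. This is an added example, not code from the original post or from ACL; the field names, the suffix list, the thresholds and the sample proposal run are all constructed for illustration.

```python
import re
from datetime import date
from itertools import combinations

# Constructed sample of a payment proposal run (hypothetical fields, not real data).
PROPOSAL = [
    {"id": 1, "payee": "Acme Inc", "invoice": "123456A", "amount": 1000.00, "date": date(2010, 3, 1)},
    {"id": 2, "payee": "Acme Ltd.", "invoice": "123456B", "amount": 1000.00, "date": date(2010, 3, 3)},
    {"id": 3, "payee": "Globex Corp", "invoice": "INV-0042", "amount": 250.00, "date": date(2010, 3, 2)},
    {"id": 4, "payee": "Globex Corporation", "invoice": "42", "amount": 255.00, "date": date(2010, 3, 20)},
    {"id": 5, "payee": "Initech LLC", "invoice": "9001", "amount": 500.00, "date": date(2010, 3, 5)},
    {"id": 6, "payee": "Initech LLC", "invoice": "9002", "amount": 800.00, "date": date(2010, 3, 6)},
    {"id": 7, "payee": "Acme Inc", "invoice": "777", "amount": 1000.00, "date": date(2010, 6, 15)},
]

# Assumed list of legal-form words to ignore when comparing payee names.
LEGAL_SUFFIXES = {"inc", "ltd", "llc", "corp", "co", "limited", "incorporated", "corporation"}


def payee_key(name):
    """Lower-case the name, drop punctuation and legal-form suffixes."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in LEGAL_SUFFIXES)


def invoice_key(invoice):
    """Drop separators, one trailing letter after a digit, and leading zeros."""
    core = re.sub(r"[^A-Z0-9]", "", invoice.upper())
    core = re.sub(r"(?<=\d)[A-Z]$", "", core)
    return core.lstrip("0")


def find_suspects(payments, pct=0.05, days=30):
    """Return (id_a, id_b, reasons) for pairs that look like the same payment."""
    suspects = []
    for a, b in combinations(payments, 2):
        if payee_key(a["payee"]) != payee_key(b["payee"]):
            continue
        reasons = []
        if invoice_key(a["invoice"]) == invoice_key(b["invoice"]):
            reasons.append("similar invoice number")
        close_amount = abs(a["amount"] - b["amount"]) <= pct * max(a["amount"], b["amount"])
        close_date = abs((a["date"] - b["date"]).days) <= days
        if close_amount and close_date:
            reasons.append("similar amount within window")
        if reasons:
            suspects.append((a["id"], b["id"], reasons))
    return suspects


def missed_seeds(payments, seeded_pairs, **tuning):
    """QA step: which deliberately seeded duplicates did the test fail to flag?
    Pairs are (earlier id, later id) in the order the payments are listed."""
    found = {(a, b) for a, b, _ in find_suspects(payments, **tuning)}
    return set(seeded_pairs) - found


if __name__ == "__main__":
    for a, b, why in find_suspects(PROPOSAL):
        print(f"hold payments {a} and {b}: {', '.join(why)}")
    print("missed at 1% tolerance:", missed_seeds(PROPOSAL, {(1, 2), (3, 4)}, pct=0.01))
```

Tightening the amount tolerance to 1% makes the seeded Globex pair slip through, which is the kind of gap regular seeding is meant to expose.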
KnowledgeLeader by Protiviti recently ran a poll asking the following question:
Does your organization currently use continuous monitoring as part of the internal audit process?
- Yes – 55.6%
- No – 40%
- Unsure – 4.4%
Although I was surprised to see such a high number of organizations claiming to have already implemented continuous monitoring, I suspect it is a result of varying definitions of the term. I’ve found that continuous monitoring means different things to different people. On one end of the spectrum you may have someone who has automated the analysis of millions of transactions on a daily basis. On the other end, you may have someone manually analyzing a single business process on a quarterly basis. Both could make arguments for having a continuous monitoring process in place.
Definitions aside, if an organization wants to implement an effective continuous monitoring solution, regardless of scope, it will require a process by which to acquire the most up-to-date data on a recurring basis. Simply accessing the required data often represents a significant challenge for many internal audit shops. Add to that the need to repeat that process on a recurring basis, and many continuous monitoring initiatives come to an abrupt halt before they even get started.
Understanding this challenge, the ACL AuditExchange platform includes an optional component called AX Datasource. Leveraging technology from Informatica®, the worldwide leader in Extract, Transform and Load (ETL) technology, AX Datasource provides access to more enterprise data types than any other technology on the market. It also allows for the extraction of data to be automated in support of continuous monitoring using a simple visual data mapping interface.

Think of it this way: ad hoc data access is like having to walk outside to the well with a bucket every time you need water (data). Automating data access is like installing indoor plumbing so all you have to do is turn on the tap. So regardless of how often you want to analyze your data in your continuous monitoring process, the most up-to-date and accurate data is always available to be analyzed.
I recently had a very interesting conversation with one of our most recent AuditExchange 2 (AX2) customers. Initially I was interested in how this Director of Audit planned to use the new platform and where he saw the most value. Interestingly though, the conversation turned to discussing the process by which he was able to acquire the platform. Like many others, his internal audit department didn’t have a technology budget and hadn’t made a significant investment in technology before. How was he to get the budget he needed to move ahead with an investment he knew would provide value to his team, and ultimately the company as a whole? The answer was… he needed to sell the idea outside of audit to the business.
In order to do this, he needed to put together a business case that clearly showed an attainable ROI in the near future as a result of this investment. So he did just that. First, he found an issue that was directly affecting the company’s bottom line, and one he knew he could solve through the use of data analytics. This issue involved the company offering incentives to new customers for long-term business deals. For example, if a new customer were to agree to a 2-year service agreement, that customer would receive a free netbook ($300 value). This was a successful promotional program; however, the process by which the gifts were sent was flawed. For various reasons, the company was accidentally sending multiple netbooks to individual customers. Or, customers who were not eligible for the free offer would receive the gift in error. At $300 per netbook, this problem started to become costly for the company, and our Director of Audit knew this.
Second, he partnered with others in the organization (e.g. Finance, Marketing) that were aware of and affected by this problem. By building a coalition, he was able to put together a much stronger business case. Finally, he showed estimates that if he were able to reduce erroneous gift shipments by as little as 10% (an intentionally modest figure to under-promise and over-deliver) through the continuous monitoring of these transactions, the organization would save considerably more than the cost of the entire platform within the first few months.

By demonstrating a strong projected ROI, our Director of Audit made the company’s decision easy. Data analytics and the AX2 platform would help the organization find money they would have otherwise lost. As a result, he easily received the funding he required and proved to be another great example of how internal audit can provide significant value to an organization’s bottom line.
I was reading through some posts on the ITauditSecurity blog and one post in particular caught my attention. It was a relatively short post titled, History of Data Analytics (a la Coderre). It provided links in reverse chronological order to articles written by David Coderre regarding the use of data analytics. David Coderre is a recognized guru when it comes to CAATTS (Computer Assisted Audit Tools and Technologies) and has authored numerous articles and books on the topic throughout the years.

The earliest article listed in the post, Computer assisted audit tools and techniques, was published back in 1993. It’s amazing to think how much progress data analytics has made since then. What’s even more amazing is to think how many transactions, and what total dollar amounts, have been analyzed by ACL software since the company was founded back in 1987. Billions? Trillions? What’s after Trillion? Anyways, this look back into the history of data analytics got me thinking. How far have we come?
With our latest release of AuditExchange, we’ve enabled the use of data analytics through a simple and easy to use web-based interface, allowing those with little to no data analytic skills to perform analysis. We’ve simplified the process of automating analysis by including a built-in analytics scheduler. We’ve even enabled exceptions found during analysis to be automatically distributed to the business via a web-based browser. What does the future of data analytics hold? I’m curious to hear what you think…
As I look out of my office window on yet another warm and sunny winter day, my thoughts turn to how auditors will be affected by climate change and the topical issues surrounding greenhouse gas (GHG) emissions.
At major global conferences, the debate rages over how to control GHG through political, economic and regulatory measures. Each of these approaches will have an impact on corporations and businesses who have large carbon footprints – such as transportation, energy and other high intensive manufacturing industries. Chief Audit Executives who work in these affected companies will need to put on their forward-thinking hats to assess the numerous business risks that will result from new regulations.
Take for example the widely proposed “Cap and Trade” system. As explained in a recent PricewaterhouseCoopers publication, How Your Company can Prepare to Manage Carbon as an Asset, “cap and trade programs operate over a compliance period and emissions allowances are allocated at no cost to the participants at the beginning of the period. Participants can buy or sell allowances directly with other participants or through a broker or an exchange. At the end of the period, each participant would be required to deliver emission allowances equal to its actual emissions” else pay fines or incur other penalties.
A cap-and-trade system will require extensive data collection from a variety of disparate sources and validation that emissions and offsets are reliable and accurate. The use of technology, and in particular data analysis software, will be critical in providing audit assurance that reported emissions data are accurate and complete. The managing of carbon as a valuable asset (or in some cases creating significant liabilities and obligations) will soon become a top of mind issue for CAEs. There will likely be other considerations related to financial statement disclosure (measurement and recognition) and the relevant tax effects that will be of interest to executive management and the audit committee of the board.
This emerging risk continues to become more likely and the impacts more material. Already 23 US states have or are in the process of developing cap-and-trade programs. The US federal government is also considering similar action. And, this emphasis on protecting the environment is becoming more common in many other North American and European jurisdictions.
The advice for CAEs is to be aware and involved in your organization’s carbon management process so that you can understand the impacts, both financial and operational, of cap-and-trade. Then consider what technologies and technical skills will be required to be able to audit this process effectively.
To learn more, visit: http://bit.ly/b4ZNuM
I am a frequent reader of Richard Chambers’ blog, Chambers on the Profession. As President and CEO of the IIA, his posts often give great insight into the trends affecting the internal audit profession. One particular post I found tremendously valuable was Internal Audit Solutions for Tough Times. In it, Chambers listed what he felt would be the top ten challenges faced by internal audit in 2010. Apparently I was not the only one that found this list of interest. Compliance Week recently ran an article titled, Internal Auditors Face New Challenges in 2010, where Chambers’ list was quoted and other industry experts gave their own perspectives. One of those industry experts was Eric Holt, from KPMG. Excerpts with Holt’s comments are below:
Companies have already assigned internal audit departments to identify ways to reduce costs throughout the organization, even as internal auditors suffered the same staff and budget cuts that other departments have experienced. “This forced internal audit functions to audit smarter, by leveraging technology,” said Eric Holt, a partner at KPMG who focuses on internal audit.
Departments are making greater use of computer-assisted audit technologies and are pushing to develop continuous auditing frameworks to help identify potential control and performance issues, Holt says. That, in turn, helps to identify where diminished auditing resources should go.
“And internal audit will continue to be asked to do more with less, which will continue to drive internal auditors to better leverage technology across all their key processes,” Holt says.
Now we at ACL are obvious proponents of how technology can improve an audit team’s efficiency. We build our solutions with that in mind and have seen countless customers do more with less. But the right technology can not only help departments do more, it can help them do more of the right things. As Holt suggested, prioritizing areas to spend their limited resources creates a much more effective audit team.
Sometimes the best way to tackle an ever-growing list of to-dos is to focus on what’s really important. Data analysis and continuous auditing can be used to determine the areas of greatest risk and materiality, allowing audit to focus resources on high-priority audit goals and objectives.
It’s just another way audit departments can better align their coverage to meet the new expectations of the audit committee, the board and the organization as a whole, which happens to be the #1 challenge listed by Chambers.
Compared with others, English is a simple language in terms of grammatical rules, but its spelling is absurd and confusing to those for whom English is not their native tongue. To illustrate the irregularities of English, consider the collection of letters ghoti. A non-native English speaker could quite rightly pronounce this word fish.
gh is pronounced f as in cough.
o is pronounced i as in women.
ti is pronounced sh as in motion.
So, fish it is then. But what relevance does this linguistic exercise have to data analytics? It is becoming increasingly important to analyze names and addresses in such a way to find matches where some values sound like others: where it is unlikely that an exact match exists but where the values correspond nonetheless. Some call this ‘fuzzy matching’, but ‘phonetic matching’ is more accurate. Common applications for this would include:
- Comparing vendor master files against employee records.
- Comparing contractor data, vendor master and employee records against the OFAC SDN List.
- Analyzing a vendor file for possible duplicates (multiple spellings or addresses for the same vendor, resulting in potential overpayments).
- And so on ...
In 1970, the New York State Division of Criminal Justice Services devised an algorithm that looks to match words and phrases phonetically in order to find matches. The algorithm, known as the New York State Identification and Intelligence System Phonetic Code, is more accurate than a soundex function (which is a common feature of data analytics tools and programming languages). Because it has clearly defined rules, it can be, and frequently has been, used as an ACL analytic. The test can trawl through 100% of data to find phonetic matches across tables of diverse business areas. If the vendor master file is in one ERP system, employee data is in another, and the OFAC SDN List is a downloaded flat file, the test can run without modification against all 3 tables and produce results in minutes. Unlike most programmatic algorithms, it can be edited, fine-tuned and refined to reduce false positives or look at different areas if requirements change.
Automated phonetic matching is very good at uncovering errors and duplication in an unlimited amount of electronic data. It is also an effective fraud detection tool used by both the private and public sectors. No matter how you use it, the potential savings can make for a great catch.
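A cross-file phonetic match of the kind listed above (vendor master against employee records) looks like this in outline. It is an added example, not the ACL analytic the post refers to, and it uses the simpler Soundex code in place of the New York State algorithm; the names and record ids are constructed sample data.

```python
import re
from collections import defaultdict

# Standard American Soundex digit groups; vowels, Y, H and W carry no digit.
_CODES = {}
for _digit, _letters in {"1": "BFPV", "2": "CGJKQSXZ", "3": "DT",
                         "4": "L", "5": "MN", "6": "R"}.items():
    for _ch in _letters:
        _CODES[_ch] = _digit


def soundex(word):
    """Four-character Soundex code, e.g. Robert and Rupert both give R163."""
    letters = [c for c in word.upper() if c.isalpha()]
    if not letters:
        return ""
    out = letters[0]
    prev = _CODES.get(letters[0], "")
    for ch in letters[1:]:
        if ch in "HW":
            continue  # H and W do not separate two letters with the same code
        code = _CODES.get(ch, "")
        if code and code != prev:
            out += code
        prev = code  # a vowel resets prev, so a repeated code after it counts
    return (out + "000")[:4]


def name_key(full_name):
    """Order-independent phonetic key for a whole name ("Smith, John" == "John Smith")."""
    return tuple(sorted(soundex(tok) for tok in re.findall(r"[A-Za-z]+", full_name)))


def cross_match(vendors, employees):
    """Return (vendor_id, employee_id) pairs whose names share a phonetic key."""
    by_key = defaultdict(list)
    for emp_id, name in employees:
        by_key[name_key(name)].append(emp_id)
    return [(ven_id, emp_id)
            for ven_id, name in vendors
            for emp_id in by_key.get(name_key(name), [])]


# Constructed sample records (not real data).
EMPLOYEES = [("E1", "John Smith"), ("E2", "Robert Meyer"), ("E3", "Catherine Lopez")]
VENDORS = [("V1", "Jon Smyth"), ("V2", "Robert Mayer"), ("V3", "Northwind Traders"),
           ("V4", "Smith, John"), ("V5", "Katherine Lopes")]

if __name__ == "__main__":
    for ven_id, emp_id in cross_match(VENDORS, EMPLOYEES):
        print(f"vendor {ven_id} sounds like employee {emp_id}")
```

V5 and E3 are not paired because Soundex keeps the first letter as written (K365 against C365), the kind of miss that fine-tuning the matching rules is meant to catch.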