Achieving (Platform) Independence

September 01, 2010 9:18 am
By Christopher Stewart-Smith


In July, I blogged about the importance of representing audit findings in a way that is appropriate for the intended audience (Let Me Illustrate...). I should have really gone further, by not only describing different audience types and their required level of detail, but also the types of device they might access the results on.

How often do you read your email and calendar entries on devices that are not desktop PCs? How about news, sports and social media updates? BlackBerries, iPhones and other ‘smart’ devices are so ubiquitous in business today that, collectively, they are becoming the most-used devices for viewing myriad types of information. But are they used to view the results of data analytics? In many cases, yes.

I recently had lunch with a friend who implements analytics for healthcare professionals.  She told me that it is already commonplace for physicians to view clinical data using hand-held smart devices, especially tablet-based devices such as the iPad.  And with good reason – they are constantly on the move, require results quickly and are able to look at the results of data analytics without having to return to the office to operate a fixed workstation or laptop.  It’s not only the medical profession: from warehouse inventory counts to sales analysis and forecasting, proven business analytics are increasingly executed on the fly.  So, always up for a challenge, I set out to see if I could set up audit analytics to run and produce results in the same way. I already had the proven analytics, but could they be run and produce results using an iPad?


The answer again was yes, and it was easier to achieve than I expected.  Without going into monotonous technical detail, a small portal for my ACL analytics was designed for tactile input (rather than being designed for a mouse user) and was put on an existing ACL server. Each screen was designed to execute a script (following user-defined input on a hand-held). The script then worked behind the scenes by pulling data, analyzing it and emailing various stakeholders with the results (traditional PC and/or BlackBerry users). Provided that I was on the VPN using either the phone network or a WiFi connection, it worked every time.

The bottom line here is that you could execute and read the results of audit analytics from your smart phone, while sipping your latte on your way to work if you want to, while ensuring that results are also still available for traditional consumption.  Will such accessibility catch on in audit? Who knows? Put down your BlackBerry and send me your thoughts.


Teaching the CEO about Risk

August 31, 2010 9:35 am
By David Chiang, CA, CIA, CMC, ACDA


For Board Members, one key learning from the economic fallout that shook the financial community a few years ago was that companies “that escaped 2008 financial crisis relatively unscathed had CEOs who personally understood risk and made management decisions accordingly.”   


This observation, published by PricewaterhouseCoopers in “Thoughts from the Boardroom” earlier this month, suggests that Chief Audit Executives (CAEs) can help safeguard their organizations by educating the Chief Executive Officer about compliance, risk and governance issues.   In some organizations, this duty to manage risk is in the purview of the Chief Compliance Officer.   In most other organizations though, the CAE is the key executive with the requisite skills and background of experience to fill this important space.  

And, it’s not just CEOs that need this guidance.   “Boards [and audit committees] need to fully understand both the risks and potential returns of [their business].”  

It’s an opportunity for CAEs to elevate their executive profile and to add considerable value in the protection of their organization.   In doing so, the CAE should ensure that their Internal Audit department is equipped to meet this responsibility through improved risk-based auditing practices and technology enabled audits using leading software solutions to monitor risk, evaluate controls, and report non-compliance.  

CAEs can teach their CEOs about risk and, in the process, strengthen the corporate entity as well as enhance their profile internally.


Shape the Future

August 27, 2010 2:22 pm
By Peter Millar


Just the other week, I received an e-mail from the IIA about a YouTube video. (My, how times change!)  In this video, IIA Chairman for 2010-2011, Günther Meggeneder, challenges internal auditors everywhere to "Shape the Future."  Having met and spoken with Herr Meggeneder several times over the years at IIA committee meetings and conferences, I was really keen to hear what he had to say. 

 

 

I found his message positive and inspiring.  Meggeneder was articulate in the delivery of his message that by working together globally, internal audit can shape the future and be a critical component to the success of our respective organizations.  I especially liked how Meggeneder stated that Internal Audit was the cornerstone of good governance and how by living a risk-centric approach and leveraging technology, we can shape the future. 

 


Due Professional Care

August 26, 2010 9:06 am
By Peter Millar


Believe it or not, I often flip through the IIA’s International Professional Practices Framework seeking inspiration for Blog postings, Tweets, and credible references for my presentations at conferences. I find the IPPF’s Practice Advisories (PA) ground my thinking in auditing, as opposed to software features, buzz-words and cryptic industry acronyms – as we techno-guys are apt to do.

I like to quote Standard 1220.A2 for obvious reasons,

“In exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques.”

So, internal auditors must CONSIDER the use of CAATs, eh?  Is this good enough in today’s day and age of automation? Can internal audit provide effective assurance without using CAATs?  I wonder.  (Not really, I’m just trying to be rhetorical and pithy.)

What would you say if the PA was worded this way, 

“In exercising due professional care internal auditors must make use of technology-based audit and other data analysis techniques, as appropriate, in order to more efficiently and effectively perform assurance and consulting engagements.”

I eagerly await your comments…


IIA GRC 2010 Conference Update: Day 3

August 25, 2010 10:55 am
By Mike Vilimek


The final day of the conference featured sessions delivered by Steve Goepfert, Staff VP, Internal Audit, from Continental Airlines and Kim Hatley, Assistant VP, from Hospital Corporation of America (HCA).

Steve’s session focused on how Internal Audit needs to form stronger and more open relationships with the Audit Committee. He also outlined what he feels are hot-button issues that both Internal Audit and the Audit Committee need to pay attention to, including FCPA, social media, IFRS, Fraud, ERM, and mergers & acquisitions. It was timely that Steve mentioned mergers & acquisitions as we are planning to feature how ACL’s data analysis technology can successfully be utilized during a merger or acquisition in our next issue of ACL Insight. Stay tuned for that.

We at ACL are very familiar with HCA as we’ve heard some of the great things they have done using ACL technology in the past (see HCA Success Story). Kim said, “We in Internal Audit all hear the need to do more with less, but don’t let training fall by the wayside.” The audit team at HCA, like in many organizations, functions as a training ground for producing future leaders in the company. If the audit staff are well trained in fraud, for example, and the controls in place to prevent it, then when they move on into management roles, they hopefully retain this knowledge and are better equipped to manage the controls they are now responsible for…a win for both management and audit.

With everyone’s busy schedules, training can often get put off indefinitely. Kim stressed the value of online training as a time and cost effective way to build skills. We at ACL have certainly noticed this based on the popularity of our Virtual Classroom Training Series.

This year’s conference was well attended and very informative. Apart from the weather (I still haven’t seen the sun yet) I’m very pleased with the IIA’s organization of this event.

See you next year!


Supporting Specialists with Data Analytics

August 25, 2010 9:20 am
By David Chiang, CA, CIA, CMC, ACDA


The successful capping of the Macondo oil well that was the cause of the worst environmental spill in the Gulf of Mexico is the beginning of a lengthy cleanup process as well as an expensive legal process to sort out liability and damages.  This unfortunate incident provides many learning lessons. 

For Chief Audit Executives (CAEs) of companies with high environmental risks, one lesson from this tragic story is what reliance the CAE needs to place in outside specialists to truly understand the risk exposure to their organization.    The IIA Professional Practices Framework provides a practice advisory 1210.A1-1 that suggests “Chief Audit Executives should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.”    When engaging these specialists, opportunity exists to combine the expertise of the specialist with the data analytics skills of internal auditors.   

Internal Audit has long been exposed to data in financial systems and has become more proficient with audit analytics and other CAAT applications. What we are observing is that operational systems are rich in data and Internal Auditors are more often using these data to audit key operational processes.

It’s therefore important to bridge the skills of the internal auditor with that of the specialist.   And to look at areas where the application of data analysis technologies can help audit key risks.   This duality of skills of both the specialist and internal auditor is essential in today’s complex business environment and critical if CAEs want to achieve their audit outcomes.  

We cannot prevent environmental disasters, like the BP spill in the Gulf of Mexico, but we can certainly learn from these events. Please share a comment of how this is being done in your organization.


IIA GRC 2010 Conference Update: Day 2

August 24, 2010 12:56 pm
By Mike Vilimek


Day 2 started off with another great general session titled, The Future of Fraud, delivered by James Ratley, President of the Association of Certified Fraud Examiners.

James’ presentation focused on occupational fraud and how Internal Audit professionals need to help their organizations by being more proactive in identifying potential fraudulent behavior. He made one comment that really stood out for me. James said, “It’s virtually impossible to perpetrate a fraud in an organization without using a computer.” I think most people would agree…but so what? What does that mean? To me it means every fraud will always leave an electronic trail. Some form of transaction will have taken place…and by transaction I don’t just mean financial. An approval process, a system sign-in, a setting change are all transactions that will inevitably leave an electronic trail. And like we at ACL like to say, “The truth is in the transactions.” All it takes is the right technology to analyze the data and the knowledge of what questions to ask of the data.

James also stressed the age-old saying, “Knowledge is power.” He urged those in the audience to invest not only in data analysis technology such as ACL, but also in the training required to use it more effectively.

The content offered at this year’s conference has been excellent so far. Now if only it would stop raining…I was hoping to enjoy some Florida sunshine while I’m down here.


Fraud, False Complaints and Flying

August 24, 2010 9:03 am
By Peter Millar


An interesting trio of concepts isn’t it? A colleague of mine recently put me onto the following article through a LinkedIn ACL Community Group  about an employee of KLM airlines who defrauded his employer for more than 145,000 Euros.  Read a roughly translated version of this news story.


The long and short of it is that this fraudster worked in KLM’s Customer Service department.  He allegedly filed a series of false complaints – that resulted in payments –  which he subsequently approved.  The payments were then directed towards his own bank account.  Not only that, but he re-opened old claims, approved those and re-directed payment again to his bank account.  Other than general dismay that yet another case of an employee defrauding his own company has hit the news, I also thought that data analysis could have identified this egregious behavior long before it racked up a whopping 140,000 Euros!

How? 

Why not establish an automated test set up that looks for matches between employee bank accounts (names and/or account numbers) and those of claims recipients? There is a reasonable chance that this fraud could have been detected as soon as the first flaky payment was made.  Having safe and secure access to employee master data information like names, addresses and bank account numbers can be used for tests like this and for a range of others – such as phantom vendor identification or payroll fraud.  That would definitely help you safeguard your organization against loss and provide much better assurance around this payment process. 

Any other ideas on how this could have been detected or prevented?
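
The test described above, matching employee master data against claim payees, sketched as an added example that is not part of the original post or ACL's own scripts; the records, field names and account numbers are constructed for illustration. It also flags the two other traits mentioned in the story: approval by the account owner and payment on a re-opened claim.

```python
import re

# Constructed sample data (hypothetical field names, fake account numbers).
EMPLOYEES = [
    {"emp_id": "E100", "name": "Jan de Vries", "iban": "NL00 TEST 0000 0001 11"},
    {"emp_id": "E200", "name": "Maria Jansen", "iban": "NL00TEST0000000222"},
]
CLAIM_PAYMENTS = [
    {"claim_id": "C1", "payee": "P. Bakker", "iban": "NL00TEST0000000999", "approved_by": "E200", "reopened": False},
    {"claim_id": "C2", "payee": "J. de Vries", "iban": "nl00test0000000111", "approved_by": "E100", "reopened": False},
    {"claim_id": "C3", "payee": "S. Smit", "iban": "NL00-TEST-0000-0001-11", "approved_by": "E100", "reopened": True},
    {"claim_id": "C4", "payee": "Maria Jansen", "iban": "NL00 TEST 0000 0002 22", "approved_by": "E100", "reopened": False},
    {"claim_id": "C5", "payee": "M. Jansen", "iban": "NL00TEST0000000555", "approved_by": "E200", "reopened": False},
]

def norm_account(value):
    """Uppercase and drop spaces/dashes so formatting differences cannot hide a match."""
    return re.sub(r"[^A-Z0-9]", "", value.upper())

def name_key(name):
    """Reduce 'Jan de Vries' and 'J. de Vries' to one key: first initial + remainder."""
    parts = re.sub(r"[^a-z ]", "", name.lower()).split()
    return (parts[0][0], " ".join(parts[1:])) if len(parts) > 1 else None

def flag_payments(employees, payments):
    """Return claim payments that point at an employee, with the reasons for review."""
    by_account = {norm_account(e["iban"]): e["emp_id"] for e in employees}
    by_name = {name_key(e["name"]): e["emp_id"] for e in employees if name_key(e["name"])}
    findings = []
    for p in payments:
        reasons = []
        owner = by_account.get(norm_account(p["iban"]))
        if owner:
            reasons.append("payee account is an employee account")
        else:
            # Weaker signal: same name, different account (needs manual follow-up).
            owner = by_name.get(name_key(p["payee"]))
            if owner:
                reasons.append("payee name matches an employee")
        if not owner:
            continue
        if p["approved_by"] == owner:
            reasons.append("approved by the same employee")
        if p["reopened"]:
            reasons.append("paid on a re-opened claim")
        findings.append({"claim_id": p["claim_id"], "emp_id": owner, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in flag_payments(EMPLOYEES, CLAIM_PAYMENTS):
        print(finding)
```

A name-only match is a lead for review, not a finding, since customers and employees can share a name.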


IIA GRC 2010 Conference Update: Day 1

August 23, 2010 2:44 pm
By Mike Vilimek


This year’s conference kicked-off with a general session titled, The New Ground Rules for Internal Audit, delivered by Rod Winters, General Manager, Financial Operations, Microsoft.


Coming as no surprise to anyone in the Internal Audit profession, Rod spoke of the need to “Do more with less.” One of the best ways of accomplishing this he said was through the use of technology. The title of one of his slides, ‘Maximize use of technology to enhance efficiency, effectiveness, and quality’, sounded very familiar to me…probably because ACL has been pushing this message for quite some time now. Underneath that title he included:

  • Knowledge management system
  • Automate issue tracking, reporting
  • Leverage data mining & analysis to detect errors & test populations
  • Technology-enabled continuous assurance to embed sustained monitoring

I was excited to hear Rod not just included, but led with the concept of the need for a centralized knowledge management system. Rod discussed the challenges and inefficiencies associated with sporadically saving audit content on numerous end-user machines. How is anyone supposed to find and leverage existing work if there is no central place to store and access it? What happens when people leave the team? How much time is wasted trying to find content from other team members? There are numerous benefits of working in a centralized environment. To read more on this topic, see a previous post titled, Internal Audit Efficiency through Centralization.


ACL Success Stories c/o Protiviti (Part 5)

August 23, 2010 9:34 am
By Mike Vilimek


Talecris is a global biotherapeutic and biotechnology company that discovers, develops and produces critical care treatments for people with life-threatening disorders in a variety of therapeutic areas. Mary Ann Tourney, the company’s Senior Director of Internal Audit, oversees a manager and 2 senior auditors, but will expand to 4 members by 2011. Tourney also uses a co-sourcing approach that adds 3 to 4 full-time equivalents, depending on the project.

Throughout her career, Tourney has used ACL for data analysis and data mining. Therefore, her first technology request at Talecris was to have ACL on every desktop in the internal audit function. ACL technology allows Tourney and her team to run 189 audit tests on a daily, weekly and monthly basis. Their project achieved such significant results that the company was the focus of a 2008 Rutgers University study that examined the organization’s use of ACL technology.

The continuous monitoring technology is automated and links directly to SAP and credit card companies. Tourney has set an acceptance threshold, as well as a partnership with management that they monitor certain analyses on their own. “Instead of looking for a needle in a haystack, you just get out a metal detector,” she says. “Same objectives, different tool.”

“The most important benefit we realized from the use of the tool is our partnership with management,” she says. “We wanted to engage management right up front and establish a partnering relationship rather than an adversarial one.” Another benefit was efficiency. Since Tourney does not have many resources to devote to risk and control management, the technology allows her to “zero in” on key exposures. And finally, Tourney says that the technology has increased the overall credibility of the internal audit function at Talecris. “We don’t speak from conjecture,” she explains. “We speak from fact. We can point to factual details to verify what we say.”

“From a cost recovery standpoint, we have recovered our investment in the system, but that was not our target,” she says. “This is an interactive technology we use with management. We monitor each other. It is difficult to put an ROI on a technology that is a joint effort. If we look at it from an internal audit standpoint, then we have reduced costs, recovered costs and helped manage costs. That is our payback.”

ACL Success Stories c/o Protiviti (Part 1)

