Finding Money and Detecting Fraud
    with Transaction Monitoring


          A Real Wake-Up Session



Finding Money & Detecting Fraud Super Strategies 2009 By Visual Risk Iq

  1. Finding Money and Detecting Fraud with Transaction Monitoring: A Real Wake-Up Session. Kim Jones, Joe Oringel. SuperStrategies, April 16, 2009
  2. Visual Risk IQ: Points of distinction
     • We do three things: data mining and analysis, continuous auditing and monitoring, and visual reporting. We help clients achieve value through:
       – Educating the market through rapid, low-cost, value-focused pilot projects
       – Facilitating understanding of how these technologies can be applied
       – Turnkey through to collections, if desired
     • Our clients’ business objectives and current state of maturity drive our recommendations and projects
     • People and process changes are primary, supported, as appropriate, with enabling technologies
     • We maintain an in-depth, up-to-date knowledge of all software and process solutions within the categories
     • Key to our success are alliance relationships with leading software providers and a broad array of complementary professional service firms
     Visual Risk IQ – GRC thought leadership, practically applied. © 2008 Visual Risk IQ, LLC, All Rights Reserved
  3. People, Process, Governance, Technology (each column: 100, 200, 300)
  4. The Category – The $100 bill on the sidewalk. Question #1 – Ice-Breaker. Q. ________________________________ A. Because if it were real, someone else would have picked it up already.
  5. The Category – The $100 bill on the sidewalk. Question #1 – Ice-Breaker. Q. Why didn’t the economist pick it up? A. Because if it were real, someone else would have picked it up already.
  6. The Category – The $100 bill on the sidewalk. Question #2 – Ice-Breaker. Q. ________________________________ A. Materiality.
  7. The Category – The $100 bill on the sidewalk. Question #2 – Ice-Breaker. Q. Why didn’t the external auditor pick it up? A. Materiality.
  8. The Category – The $100 bill on the sidewalk. Question #3 – Ice-Breaker. A. ________________________________ Q. Why doesn’t the internal auditor pick it up?
  9. The Category – The $100 bill on the sidewalk. Question #3 – Ice-Breaker. A. Risk? Disruption? Not fixing the root cause of losing $100 in the first place? What is it? Q. Why doesn’t the internal auditor pick it up? Let’s talk…
  10. Recap of 2008 SuperStrategies Wake-up Session: Continuous Auditing is top of mind for today’s Chief Audit Executive** [Charts: Continuous auditing / continuous monitoring programs; Today’s continuous auditing frequency] Continuous auditing and continuous monitoring become “right time” when the timing and frequency of evaluation matches business requirements. What frequency is right for your revenue transactions? Supply chain? ** Source: 2007 State of the Internal Auditing Profession, Copyright PricewaterhouseCoopers LLP 2006. Visual Risk IQ is a leader in Continuous Auditing and Monitoring. © 2007 Visual Risk IQ, LLC, All Rights Reserved
  11. Recap of 2008 SuperStrategies Wake-up Session: Questions & Answers. Q. ______________________________ A. Buy more software and/or send the audit staff to more ACL (or IDEA, MS-Access or…) training
  12. Recap of 2008 SuperStrategies Wake-up Session: Questions & Answers. Q. What is NOT the first step in a continuous auditing program? A. Buy more software and/or send the audit staff to more ACL (or IDEA, MS-Access or…) training
  13. The audit process: Implementing continuous auditing across an internal audit methodology is not just about technology… [Diagram: Technology]
  14. The audit process: …it’s about a model that acknowledges the impact of People, Audit Process and Governance also. [Diagram: People, Technology, Governance, Audit process]
  15. The audit process – a maturity model approach: A basic continuous auditing maturity model
     • People
       – Basic practices: Staff has some basic data literacy. Knows how to ask IT for information.
       – Level 2 practices: Some IT- and data-specific specialists are accessible, either in-house or as consultants
       – Better practices: Audit staff and leaders are IT- and data-literate. Little distinction between IT audit and financial / operational audit people
       – Continuous auditing: No need for ad hoc data acquisition - CA and CCM systems are well-integrated into finance and operations
     • Technology
       – Basic practices: Basic data capture and analysis using MS-Office or ERP Query tools. Heavy reliance on Corporate IT
       – Level 2 practices: Some re-usable scripts exist and are used on-demand for relevant audit projects
       – Better practices: Scripts are stored, scheduled, and run at appropriate intervals
       – Continuous auditing: Continuous auditing and monitoring technologies contribute to all audit steps
     • Governance
       – Basic practices: Business is reactive to requests from Internal Audit and usually helps in a timely way.
       – Level 2 practices: Audit can access data directly
       – Better practices: IT consults with IA prior to making system changes that are known to affect IA.
       – Continuous auditing: Data driven early warning / risk alerts include both business and controls / audit implications.
     • Audit methodology
       – Basic practices: Risk assessments are conducted annually
       – Level 2 practices: Risk assessments are conducted more frequently than annually
       – Better practices: Risk assessments consider objective and subjective data. Gaps between objective and subjective assessments are highlighted
       – Continuous auditing: Risk alerts are embedded into the IA methodology and drive specific responses real-time
  16. The audit process – a maturity model approach: Moving up the curve can rarely be done in large steps. [Repeats the maturity model table from slide 15.]
  17. Recap of 2008 SuperStrategies Wake-up Session: Risk assessment should be the new centerpiece for the audit process. [Diagram: Planning & Scoping, Execution, Reporting, Risk Assessment]
  18. Recap of 2008 SuperStrategies Wake-up Session: Visual reporting can help with Continual Risk Assessment and Continuous Controls Monitoring. [Diagram: Corporate Data, Risk Assessment, Planning & Scoping, Execution, Reporting, Enterprise Audit Projects]
  19. Recap of 2008 SuperStrategies Wake-up Session: Continual Auditing - Data Driven Risk Assessment. Individualized per division with drill-down capability…
  20. Recap of 2008 SuperStrategies Wake-up Session: Continual Auditing - Data Driven Risk Assessment. …turning data into meaningful information.
  21. Recap of 2008 Wake-up Session: Some practical first steps towards continual risk assessment
     • Identify areas of focus and objectives for increased risk assessment and increased frequency of controls assessment
       – What measures or combinations of measures best illustrate potential risk?
     • Identify the sources for the data required to compute the measures
     • Inventory existing tools that can be used to obtain or represent the data
       – Excel / Access / ACL / IDEA
     • Launch a project to build out a prototype risk monitoring dashboard with 3 – 5 measures
  22. So what’s new in 2009? How does it affect us?
     • Lowered guidance
     • New SG&A expense control initiatives
     • “Suspending our 401K match…”
     • “Staff reductions of 10%…”
     • “Hiring (travel, salary) freeze”
     • Think about the Fraud Triangle
     • Financial pressure and rationalization are on the rise
     • What are we doing about Opportunity?
  23. Question #3 - What about the Internal auditor?
     • Risk / Materiality: There are other areas that rated higher on the annual risk assessment / audit plan. Also, other areas are higher impact / value.
     • Disruption: I have too few “chits” with my IT team and I hate to use any. Do I need to buy software or training? Do I need to host an army of auditors to recover the $$$?
     • Doesn’t fix root cause: If our environment is rich with errors, I’m concerned I will see you back in year 2, year 3, etc., finding the same issues identified in year 1.
  24. The Category – Real money on the sidewalk. Question #4. Q. ________________________________ A. $1,000 for each $1,000,000 in spend and $20,000 for each $1,000,000 in spend.
  25. The Category – Real money on the sidewalk. Question #4. Q. What are the medians for duplicate- and over-payments in procurement / AP and for T&E and Purchase-cards? A. $1,000 for each $1,000,000 in spend and $20,000 for each $1,000,000 in spend.
  26. Real money on the sidewalk
     • Accounts Payable and Procurement Duplicate / Overpayments
       – Best in class is between .00025 and .0005, or $250 to $500 in annual purchasing spend, per million in spend
       – Median is .001 (0.1%), or $1,000 for every million in spend
       – These numbers are higher if you have multiple (especially disparate) ERP systems or if ERP configurable controls require improvement
     • Travel and Entertainment / Purchase-Card
       – Good rule of thumb is error rate of 20x the AP rate. (Your actual mileage may vary.)
       – These numbers are higher depending on who / how reviews T&E and when the most recent T&E audit has been performed
  27. What else happens when we pick it up? What else can I learn?
     • We are internal control and audit people first, not recovery auditors. Our findings focus on how to fix the root cause, using a mix of ERP configuration, process change, or CCM-T technology.
     • Part of our strategy includes helping transition queries from Audit to the Business Process Owners. A client has prevented $400,000 in duplicate payments.
     • Visual reporting helps tell the story. Audit reports based on data analytics tell a more powerful story than with sampling. See example slides from recent project.
     • Some organizations have a strong business case for CCM-T, and this approach can help support that business case. Sort of a stealth mode way to identify how data analysis and continuous auditing may work for you, despite challenging economic times.
  28. Continuous Auditing and Continuous Controls Monitoring for Transactions is real. [Charts: Open POs over 365 Days Old; Duplicate / Overpayments by Region (India, NA US, EMEA, APAC)]
  29. What does this look like at best in class companies? A good continuous controls monitoring platform. [Diagram: The Platform; labels include Systems of Record, Knowledge Maintenance Interface, Common Data Models, Risk and Performance Checks, Extract, Map & Load, Reasoning & Analytics Engine, Workflow Engine, Data Locker, Visual Reporting / User Interface]
  30. Thank you! For more information or discussion, please contact Kim Jones, (512) 692-7663, kim.jones@visualriskiq.com; Joe Oringel, (704) 752-6403, joe.oringel@visualriskiq.com. www.visualriskiq.com, continuousauditing.blogspot.com
