IIA Spring District Conference


          Data Analytics
       Fraud / Ethics Track



                              Mat...
Scheduling and Resource Overview
    Our Internal Audit Team


• Audit team of 6 FTE’s

• Annual Audit Responsibilities
  ...
Company Background


One of the nation's leading Yellow Pages and online local
commercial search companies.
       • $2.5B...
Expense Management Audit Background



     • Automated AP Processing system with decentralized
       manual invoice entr...
Company hired Visual Risk IQ for
     Data Analysis including Continuous Auditing

     • Visual Risk IQ project approach ...
Brainstorming session was an
      integral part of audit project planning


• Assume data acquisition is free
   • What o...
Audit Procedures


     • Gather and Validate Complete Population
        • Validate $ amounts against General Ledger
    ...
A basic continuous auditing maturity model


                              Basic practices          Level 2 practices     ...
Maturity Model Implications for Company


     • Strong data analysis skills created flexibility
            and capacity ...
Expense Management Analysis


• Analyzed all AP disbursements over a 24 months using ACL

• Scripts were leveraged from VR...
Root Cause Issues


     • Negligent Manual Overrides
             • Invoice # manipulation (append with numeric or alphan...
Audit Recommendations


• System enhancements to identify duplicate payments
             across all legal entities
      ...
Additional ACL Analytics


     • Pricing and Discounts
         • 1.7M transactions totalling $1.4B revenue
             ...
Questions / Wrap-up




                                                        Matt Cleaver
                             ...
Visual Risk IQ
    Points of distinction

• We focus solely on emerging enablers for continuous auditing and
  monitoring
...
Upcoming SlideShare
Loading in …5
×

Rhd + Visual Risk Iq Presentation On Continuous Auditing District Conference 2009 Feb 26

688 views

Published on

IIA District Conference in Raleigh NC, February 2009

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
688
On SlideShare
0
From Embeds
0
Number of Embeds
10
Actions
Shares
0
Downloads
9
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Rhd + Visual Risk Iq Presentation On Continuous Auditing District Conference 2009 Feb 26

  1. 1. IIA Spring District Conference Data Analytics Fraud / Ethics Track Matt Cleaver Joe Oringel IIA District Conference Durham NC February 26, 2009
  2. 2. Scheduling and Resource Overview Our Internal Audit Team • Audit team of 6 FTE’s • Annual Audit Responsibilities • 16 High Risk Strategic Audits • SOX 404 Compliance Testing • ERM Integration • Special Projects (10-20% of resources) • Direct Assistance to External Auditors Visual Risk IQ – GRC thought leadership, practically applied 2 © 2008 Visual Risk IQ, LLC, All Rights Reserved
  3. 3. Company Background One of the nation's leading Yellow Pages and online local commercial search companies. • $2.5B annual revenues • 600K+ customers • 20K+ suppliers • 4K+ employees • 28 state territory Visual Risk IQ – GRC thought leadership, practically applied 3 © 2008 Visual Risk IQ, LLC, All Rights Reserved
  4. 4. Expense Management Audit Background • Automated AP Processing system with decentralized manual invoice entry • Oracle Processing and GL environment • Over 15 separate legal and operating business entities Visual Risk IQ – GRC thought leadership, practically applied 4 © 2008 Visual Risk IQ, LLC, All Rights Reserved
  5. 5. Company hired Visual Risk IQ for Data Analysis including Continuous Auditing • Visual Risk IQ project approach was distinctive • One-time use of a modern continuous auditing (CA) tool • Data acquisition was simple - one Oracle export • Large library of existing risk checks • Data validation was a breeze • CA Maturity model was central to service delivery • Knowledge transfer, not buying hours • Practical advice on using our existing tools • Helped us understand differences between ACL, ERP query tools, and advanced Continuous Auditing Visual Risk IQ – GRC thought leadership, practically applied 5 © 2008 Visual Risk IQ, LLC, All Rights Reserved
  6. 6. Brainstorming session was an integral part of audit project planning • Assume data acquisition is free • What other data sources would be useful? • Is the data available internally? • Could external data sources provide additional comfort? • What are the Fraud Risk / SAS 99 implications? • Compliance, efficiency objectives? Both? Visual Risk IQ – GRC thought leadership, practically applied 6 © 2008 Visual Risk IQ, LLC, All Rights Reserved
  7. 7. Audit Procedures • Gather and Validate Complete Population • Validate $ amounts against General Ledger • Validate user responsibilities and access rights • Validate Requisitioner/Approver and limits • Identify Potential Duplicate Payments • Identify Potential Fraudulent Purchases • Unusual relationships between Bank Accounts • Unusual relationships between Addresses Visual Risk IQ – GRC thought leadership, practically applied 7 © 2008 Visual Risk IQ, LLC, All Rights Reserved
  8. 8. A basic continuous auditing maturity model Basic practices Level 2 practices Better practices Continuous auditing Staff has some basic Some IT- and data- Audit staff and leaders are No need for ad hoc data data literacy. Knows specific specialists are IT- and data-literate. Little acquisition - CA and CCM how to ask IT for accessible, either in- distinction between IT audit systems are well-integrated People information. house or as consultants and financial / operational into finance and operations audit people Basic data capture and Some re-usable scripts Scripts are stored, Continuous auditing and analysis using MS-Office exists and are used on- scheduled, and run at monitoring technologies or ERP Query tools. demand for relevant appropriate intervals contribute to all audit steps Heavy reliance on audit projects Technology Corporate IT Business is reactive to Audit can access data IT consults with IA prior to Data driven early warning / requests from Internal directly making system changes risk alerts include both Audit and usually helps that are known to affect IA. business and controls / Governance in a timely way. audit implications. Risk assessments are Risk assessments are Risk assessments consider Risk alerts are embedded conducted annually conducted more objective and subjective into the IA methodology Audit frequently than annually data. Gaps between and drive specific methodology objective and subjective responses real-time assessments are highlighted Visual Risk IQ – GRC thought leadership, practically applied 8 © 2008 Visual Risk IQ, LLC, All Rights Reserved
  9. 9. Maturity Model Implications for Company • Strong data analysis skills created flexibility and capacity for what Audit could take on • Good audit charter - broad access to data • Basic data analytics technology existed, and more was available with ERP queries • Opportunity for more frequent control assessment • Make tests preventive by changing when they’re done Visual Risk IQ – GRC thought leadership, practically applied 9 © 2008 Visual Risk IQ, LLC, All Rights Reserved
  10. 10. Expense Management Analysis • Analyzed all AP disbursements over a 24 months using ACL • Scripts were leveraged from VRIQ training session • Approximately 20 different scripts were run • Confirming over $2.5M of duplicate payments • Since identification, over $2.2M recovered Visual Risk IQ – GRC thought leadership, practically applied 10 © 2008 Visual Risk IQ, LLC, All Rights Reserved
  11. 11. Root Cause Issues • Negligent Manual Overrides • Invoice # manipulation (append with numeric or alphanumeric characters) • Transposed Invoice / Payment date • Inconsistent vendor naming convention (ex. “Oracle” vs “Oracle Inc.”) • System Coding (single entity view) • System designed to evaluate identical invoices within single entity • Over 15 paying legal entities Visual Risk IQ – GRC thought leadership, practically applied 11 © 2008 Visual Risk IQ, LLC, All Rights Reserved
  12. 12. Audit Recommendations • System enhancements to identify duplicate payments across all legal entities • Matching $ amounts, invoice numbers, and vendor name/invoice date as potential duplicates • Continuous monitoring by IA using ACL • Weekly 1.5 hour investment has prevented additional $300k in duplicate payment • Oracle extract query developed to identify duplicates prior to payment (process owner review) Visual Risk IQ – GRC thought leadership, practically applied 12 © 2008 Visual Risk IQ, LLC, All Rights Reserved
  13. 13. Additional ACL Analytics • Pricing and Discounts • 1.7M transactions totalling $1.4B revenue • Trending Analysis (YoY, market, brand, item, etc.) • Price overrides through inappropriate discounting • Identification of obsolete programs • Commissions • Customer set-up • Customer classification • Calculation of commissions Visual Risk IQ – GRC thought leadership, practically applied 13 © 2008 Visual Risk IQ, LLC, All Rights Reserved
  14. 14. Questions / Wrap-up Matt Cleaver matthew.cleaver@rhd.com (919) 447-4846 Joe Oringel (704) 752-6403 joe.oringel@visualriskiq.com Visual Risk IQ – GRC thought leadership, practically applied 14 © 2008 Visual Risk IQ, LLC, All Rights Reserved
  15. 15. Visual Risk IQ Points of distinction • We focus solely on emerging enablers for continuous auditing and monitoring – Educating the market – Rapid, low-cost, value-focused pilot projects • Our clients’ business objectives and current state of maturity drive our recommendations and projects • People and process changes are primary, supported, as appropriate, with enabling technologies • We maintain an in depth, up-to-date knowledge of all software and process solutions within the categories • Key to our success are alliance relationships with leading software providers and a broad array of complementary professional service firms Visual Risk IQ – GRC thought leadership, practically applied 15 © 2008 Visual Risk IQ, LLC, All Rights Reserved

×