I attended the Rutgers Business School's 35th World Continuous Auditing and Reporting Symposium on November 6th & 7th 2015 on the Rutgers campus in Newark, NJ. This was the 3rd of these symposiums I’ve attended and they have all been very educational and thought provoking. I met attendees who traveled from the Netherlands, Brazil, Germany and even…Kansas.
Dr. Miklos Vasarhelyi (Miklos) hosts the symposium and led off the first day with an update on developments in continuous auditing (CA) and continuous monitoring (CM). The AICPA recently published an update to their “red book” (1999) which Miklos refers to as the CM "pink book" and he recommends it as a worthy addition to our research libraries.
Miklos informed us about the recently developed Rutgers Audit Analytics Certificate Program which is intended to help auditors update their skills and thereby drive the profession forward. The courses are offered online.
He also spoke with pride about the RAW Digital Library which hosts videos of lectures. Initially intended to provide a resource for Rutgers Business School (RBS) students that missed a class or wanted to review a concept explained in class, RBS decided to make these videos available to anyone that wants to explore topics. The RAW Digital Library had more than 80,000 unique visits during September 2015.
A point made by Bob Cuthbertson during his presentation of CaseWare IDEA is that they generally acquire new clients that are looking to solve “real problems” that arose in their enterprise. They do not see a lot of audit/compliance departments looking to implement CA and CM to improve their internal controls, to improve the efficiency and effectiveness of their process, to take their operational and compliance activities to the next level, or to significantly reduce the occurrence of the “real problems” (e.g., scandal, fraud, material weakness) that Bob mentioned as having initiated the search for a solution. Audit/compliance departments are slow to adopt software tools unless there is an issue/reason. This sentiment was echoed during numerous presentations over the two days by data analysts, software solution providers, and internal and external auditors. This failure to embrace CA/CM was obviously a point of frustration voiced during Q&A sessions. The audience this symposium attracts is more analytical and IT-forward than internal auditors and compliance professionals in general. Unfortunately, the generally conservative nature of many internal auditors (and their colleagues in finance) has inhibited the adoption of CA/CM in most organizations. The same situation exists related to use of technology for GRC where, according to John Wheeler of Gartner, “75% of companies (worldwide) are not using technology to integrate GRC.” The true advent of a CA/CM revolution requires auditors to be much more forward thinking and to fight for the budget dollars to transform the compliance function in their organizations.
Bob Cuthbertson from ACL highlighted developments in visualization for CA/CM including script tools from a scripts store that are akin to “apps”. These support quick sophisticated analysis without the need to invest the time needed to create the scripts.
Bob made reference to Gartner in describing stages of Data Analytics:
- Description – What happened?
- Diagnostic – Why did it happen?
- Prescriptive – What should I do?
- Predictive – How can I prevent it?
Patrick Taylor from Oversight Systems had a very entertaining presentation that emphasized a major difference in their approach as compared to many other data analytics/monitoring application suppliers. They offer a “turnkey” solution for analyzing certain categories of transaction data, meaning they take responsibility for using the proper statistical/analysis method for the data type to discover anomalies. They are selling expertise with an accompanying cloud application. I also see the majority of future growth of the cloud as taking this approach of selling solutions more so than increasing availability, security and access by hosting applications.
A government panel discussed the migration from paper to electronic submission of information to the government and the validation and fraud prevention opportunities this migration presents. They also discussed the move to transparency in data related to government spending and discussed USA Federal Spending and State of Ohio Spending as two leaders. Some Rutgers PhD candidates are conceptualizing a range of apps to analyze government data – providing a user-friendly interactive tool for users to analyze government information databases – as part of their research work. The ultimate vision is a legion of concerned citizens that will identify questionable spending to improve governance over this spending over time. Who will do this? Well, just consider the time people volunteer making Wikipedia better, translating old books into electronic versions or making genealogy records more accessible.
For auditors in the public sector, the Common Body of Knowledge report was recently released by the IIA. “The purpose of this initiative is to gain a global perspective and better understanding of stakeholders’ expectations of internal audit’s purpose, function, and performance. Stakeholders include members of executive management, board and audit committee members, and C-suite executives excluding chief audit executives who were included in the practitioner survey.”
Jon Spivey and Lorenz Schmid from PwC discussed the data driven audit and stressed consideration of the following Megatrends:
- Demographic shifts – aging in developed countries, population growth in developing countries, many more women in the workplace;
- Shifts in Global Economic Power – realignment of economics – BRICS will have GDP twice western countries in the not too distant future;
- Accelerating Urbanization – migration from suburbs to the cities;
- Climate Change & Resource Scarcity – increasing demands for energy and water;
- Technological Breakthroughs – massive expansion of data, “90% of the data in the world today is only 2 years old.”
PwC has observed that clients are demanding a data driven audit. They note that auditors of the future must understand databases, at least Access and SQL, to do their jobs. Basically, SQL is the EXCEL for the future in their view.
Dr. Rojendra Srivastava discussed the SeekINF tool for searching online SEC filings. This is best explained in this online manual.
Dr. Hans Verkruijsse (Hans) and Dr. Angelique Koopman discussed “Process Mining & Framework for Continuous Monitoring”. Dr. Koopman defined Process Mining as “using data mining to understand the true process”. She discussed elephant paths, or the human tendency to shortcut a process. She then demonstrated a software tool that uses system event logs to show the path of transactions through activities (e.g., the activities to process an invoice). The tool shows which transactions follow the desired path, which Hans describes as the “happy path”, and which bypass it or take another path (the elephant path). Those transactions not on the “happy path” can then be audited, which will identify configuration issues that allow override of system preventative controls or process issues for which additional control procedures are required. The visualization in such software quickly allows the user (e.g., auditor) to understand the “true process” (see above) as compared to the process that was described by the process owner.
Hans offered the following definition: CM + Continuous IA = Continuous Data Level Assurance with a goal to:
Identify the elephant path → put in controls to prevent this path at data level → all on “happy path”
Dr. Mieke Jans reinforced that process mining starts with event logs to discover the real process as compared to the documented or desired process. She noted the move toward the XES structure for event logs. Based on the XES structure, there are 3 categories of decisions auditors must make:
- Which process instance to follow?
- Which activities on that process instance to capture (auditor needs to make this decision)?
- Which attributes (extra characteristics) to store?
These decisions impact the resulting process mining data available for audit.
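The happy-path check described in the process mining talks above, sketched as an added example (not code from the symposium or from any presenter's tool). The activity names, invoice ids and log rows are constructed, and the tuple layout stands in for the case, activity and attribute choices made for an XES log.

```python
from collections import defaultdict
from datetime import datetime

# Desired path for processing an invoice (activity names are assumptions).
HAPPY_PATH = ["Receive Invoice", "Match PO", "Approve", "Pay"]

# Constructed event log: (case id, activity, timestamp, resource attribute).
EVENT_LOG = [
    ("INV-1", "Receive Invoice", "2015-11-02T09:00", "clerk_a"),
    ("INV-1", "Match PO", "2015-11-02T10:00", "clerk_a"),
    ("INV-1", "Approve", "2015-11-03T08:30", "mgr_b"),
    ("INV-1", "Pay", "2015-11-04T14:00", "treasury"),
    ("INV-2", "Receive Invoice", "2015-11-02T09:05", "clerk_a"),
    ("INV-2", "Pay", "2015-11-02T09:20", "clerk_a"),  # approval bypassed
    ("INV-3", "Approve", "2015-11-02T11:30", "mgr_b"),  # rows not in time order
    ("INV-3", "Receive Invoice", "2015-11-02T11:00", "clerk_c"),
    ("INV-3", "Pay", "2015-11-05T10:00", "treasury"),
    ("INV-3", "Match PO", "2015-11-02T12:00", "clerk_c"),
    ("INV-4", "Receive Invoice", "2015-11-03T09:00", "clerk_a"),
    ("INV-4", "Match PO", "2015-11-03T09:30", "clerk_a"),
    ("INV-4", "Change Bank Details", "2015-11-03T09:45", "clerk_a"),
    ("INV-4", "Approve", "2015-11-03T15:00", "mgr_b"),
    ("INV-4", "Pay", "2015-11-04T10:00", "treasury"),
]

def build_traces(log):
    """Group events by case id and order each case's activities by timestamp."""
    cases = defaultdict(list)
    for case, activity, ts, _resource in log:
        cases[case].append((datetime.fromisoformat(ts), activity))
    return {case: [a for _, a in sorted(evts)] for case, evts in cases.items()}

def deviations(trace, happy=HAPPY_PATH):
    """List the ways a trace leaves the happy path; an empty list means it conforms."""
    skipped = [a for a in happy if a not in trace]
    extra = [a for a in trace if a not in happy]
    found = [f"skipped: {', '.join(skipped)}"] if skipped else []
    if extra:
        found.append(f"unexpected: {', '.join(extra)}")
    if [a for a in trace if a in happy] != [a for a in happy if a in trace]:
        found.append("out of order or repeated")
    return found

def elephant_paths(log):
    """Return {case id: deviations} for every case that is off the happy path."""
    flagged = {c: deviations(t) for c, t in build_traces(log).items()}
    return {c: d for c, d in flagged.items() if d}

if __name__ == "__main__":
    print(elephant_paths(EVENT_LOG))
```

The flagged cases are the audit population: each one points either to a configuration that lets a preventative control be bypassed or to a process step that needs an additional control.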
Dr. Daniel O’Leary (Dan) presented issues of privacy related to big data which was very thought-provoking. He noted that all data has a purpose, however, moving this data to other purposes can create privacy problems. He gave the example of Zest Finance and their mantra of “All data is credit data”. They mine all kinds of data from the web to help their customers make “better credit decisions”.
Dan went on to describe the concept of the “Big Data Lake”: compiling different types of data into one place could lead to piecing data together in ways that give rise to privacy issues. Traditionally available data, combined with the expansion of location data and the coming explosion of internet of things data, can, in Dan’s thinking, allow for tracking and/or exposing more about ourselves than should be ethically permissible.
Yoan Widjaja and Sheetal Gour, members of the CM development group within the IA function at Dell, presented their experiences from the field getting traction for CM initiatives. A CM project related to discounting and pricing at Dell provides dashboards, reporting and other analysis tools for the operational teams in the pricing function to rather easily identify potential errors, fraud and abuse for investigation. Their team develops these tools internally mainly using SQL. As noted earlier related to IA and the general resistance to change, they’ve had a similar experience with the operational teams. Even though this group is doing the work to understand the process and develop tools for these functions with no financial charge-back, they still encounter significant resistance amongst many operational areas to support a project and/or accept the tools as their own at the end of the project. This has been such a pervasive problem that they now have the function sign a Statement of Work at the planning stage of the project so all parties understand their roles and the function being assisted agrees that they will use the tools resulting from the project. Hard to believe such resistance to essentially free tools to improve the process (in this case eliminate errors/abuse and improve margins), but this was a consistent underlying theme throughout the symposium.
I keep two documents open on my computer during this symposium. One document to take notes of presentation content and the other for inspiration/“out of the box” ideas that come to me as I see approaches to certain problems that inspire ideas to improve our software or client services. I can’t say I typically do this at other conferences. The majority of attendees are forward thinking and looking for improvement. Much more so than other seminars or symposiums I attend. There is a real energy in the crowd that makes it a great place to be. There is also a frustration that arises because while the attendees are like-minded in their efforts to improve companies/departments/services/applications, the overall progress of CA/CM has been slowed by a resistance to change, and perhaps a resistance to transparency, amongst our business leaders and colleagues. This includes resistance to change of many CAEs and CFOs/Controllers. This frustration came somewhat to a head during the external audit panel where several attendees expressed frustration that the same topics are talked about year after year with little progress. This frustration was misplaced. Certainly, the external audit firms have significant talent to bring to CA/CM, however, this is not an effort that can or should be led by external parties. CA/CM must be led from the inside with appropriate resources contracted/licensed to establish the routines/reports/dashboards. We have to keep the faith. We need to keep pushing our organizations in the direction of automation to highlight potential problems and to document actions taken to resolve not only that instance but hopefully preclude future occurrences. We have to move beyond the days in which a majority of controls take place a week or two after a period close. The pace of change in modern business can no longer tolerate that. We have to find ways to convince our leaders to improve the process before a problem occurs.
CA, CM and data analytics are the road to leveraging compliance.
About the Author
Glenn Murphy, the co-founder of BestGRC and founder of GRC Management Consulting, primarily focuses on empowering entities to leverage their compliance activities through the BestGRC “cloud” software, his consulting work, publications and the “Leverage Compliance” blog. Find Glenn’s full profile at http://www.linkedin.com/in/glenntmurphy/ , follow him @GlennMurphyGRC and subscribe to the Leverage Compliance blog at http://www.bestgrc.com/blog/