Matt Cleaver Joe Oringel IIA District Conference Durham NC February 26, 2009 IIA Spring District Conference Data Analytics Fraud / Ethics Track

Rhd + Visual Risk Iq Presentation On Continuous Auditing District Conference 2009 Feb 26


IIA District Conference in Raleigh NC, February 2009


Page 1: Rhd + Visual Risk Iq Presentation On Continuous Auditing   District Conference 2009 Feb 26

Matt Cleaver
Joe Oringel

IIA District Conference
Durham NC
February 26, 2009

IIA Spring District Conference

Data Analytics
Fraud / Ethics Track

Page 2

Scheduling and Resource Overview
Our Internal Audit Team

• Audit team of 6 FTEs

• Annual Audit Responsibilities
– 16 High Risk Strategic Audits
– SOX 404 Compliance Testing
– ERM Integration
– Special Projects (10-20% of resources)
– Direct Assistance to External Auditors

Visual Risk IQ – GRC thought leadership, practically applied
© 2008 Visual Risk IQ, LLC, All Rights Reserved

Page 3

Company Background

One of the nation's leading Yellow Pages and online local commercial search companies.

• $2.5B annual revenues
• 600K+ customers
• 20K+ suppliers
• 4K+ employees
• 28 state territory


Page 4

Expense Management Audit Background

• Automated AP Processing system with decentralized manual invoice entry

• Oracle Processing and GL environment

• Over 15 separate legal and operating business entities


Page 5

Company hired Visual Risk IQ for Data Analysis including Continuous Auditing

• Visual Risk IQ project approach was distinctive
– One-time use of a modern continuous auditing (CA) tool
– Data acquisition was simple - one Oracle export
– Large library of existing risk checks
– Data validation was a breeze

• CA Maturity model was central to service delivery
– Knowledge transfer, not buying hours
– Practical advice on using our existing tools
– Helped us understand differences between ACL, ERP query tools, and advanced Continuous Auditing


Page 6

Brainstorming session was an integral part of audit project planning

• Assume data acquisition is free
• What other data sources would be useful?
• Is the data available internally?
• Could external data sources provide additional comfort?
• What are the Fraud Risk / SAS 99 implications?
• Compliance, efficiency objectives? Both?


Page 7

Audit Procedures

• Gather and Validate Complete Population
• Validate $ amounts against General Ledger
• Validate user responsibilities and access rights
• Validate Requisitioner/Approver and limits
• Identify Potential Duplicate Payments
• Identify Potential Fraudulent Purchases
– Unusual relationships between Bank Accounts
– Unusual relationships between Addresses


Page 8

A basic continuous auditing maturity model


Maturity levels, from least to most mature: Basic practices, Level 2 practices, Better practices, Continuous auditing

People
• Basic practices: Staff has some basic data literacy. Knows how to ask IT for information.
• Level 2 practices: Some IT- and data-specific specialists are accessible, either in-house or as consultants
• Better practices: Audit staff and leaders are IT- and data-literate. Little distinction between IT audit and financial / operational audit people
• Continuous auditing: No need for ad hoc data acquisition - CA and CCM systems are well-integrated into finance and operations

Technology
• Basic practices: Basic data capture and analysis using MS-Office or ERP Query tools. Heavy reliance on Corporate IT
• Level 2 practices: Some re-usable scripts exist and are used on-demand for relevant audit projects
• Better practices: Scripts are stored, scheduled, and run at appropriate intervals
• Continuous auditing: Continuous auditing and monitoring technologies contribute to all audit steps

Governance
• Basic practices: Business is reactive to requests from Internal Audit and usually helps in a timely way.
• Level 2 practices: Audit can access data directly
• Better practices: IT consults with IA prior to making system changes that are known to affect IA.
• Continuous auditing: Data driven early warning / risk alerts include both business and controls / audit implications.

Audit methodology
• Basic practices: Risk assessments are conducted annually
• Level 2 practices: Risk assessments are conducted more frequently than annually
• Better practices: Risk assessments consider objective and subjective data. Gaps between objective and subjective assessments are highlighted
• Continuous auditing: Risk alerts are embedded into the IA methodology and drive specific responses real-time

Page 9

Maturity Model Implications for Company

• Strong data analysis skills created flexibility and capacity for what Audit could take on

• Good audit charter - broad access to data
• Basic data analytics technology existed, and more was available with ERP queries
• Opportunity for more frequent control assessment
• Make tests preventive by changing when they’re done


Page 10

Expense Management Analysis

• Analyzed all AP disbursements over 24 months using ACL

• Scripts were leveraged from VRIQ training session

• Approximately 20 different scripts were run
– Confirming over $2.5M of duplicate payments
– Since identification, over $2.2M recovered


Page 11

Root Cause Issues

• Negligent Manual Overrides
– Invoice # manipulation (append with numeric or alphanumeric characters)
– Transposed Invoice / Payment date
– Inconsistent vendor naming convention (ex. “Oracle” vs “Oracle Inc.”)

• System Coding (single entity view)
– System designed to evaluate identical invoices within single entity
– Over 15 paying legal entities


Page 12

Audit Recommendations

• System enhancements to identify duplicate payments across all legal entities
– Matching $ amounts, invoice numbers, and vendor name/invoice date as potential duplicates

• Continuous monitoring by IA using ACL
– Weekly 1.5 hour investment has prevented additional $300k in duplicate payment

• Oracle extract query developed to identify duplicates prior to payment (process owner review)
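
Added example, not part of the original slides and not the ACL scripts or Oracle query the presenters used: a Python sketch of the cross-entity duplicate test recommended above, normalizing the root causes listed on the previous slide (appended invoice characters, vendor naming, transposed dates). The sample rows, the suffix list and the day/month reading of "transposed" are assumptions.

```python
import re
from datetime import date
from itertools import combinations

# Constructed sample AP lines (not data from the audit), amounts in cents:
# (payment_id, legal_entity, vendor, invoice_no, invoice_date, amount)
PAYMENTS = [
    ("P1", "Entity01", "Oracle", "10045", date(2008, 3, 4), 1250000),
    ("P2", "Entity07", "Oracle Inc.", "10045A", date(2008, 3, 4), 1250000),
    ("P3", "Entity01", "Acme Paper", "INV-221", date(2008, 5, 6), 98010),
    ("P4", "Entity03", "ACME PAPER LLC", "8841", date(2008, 6, 5), 98010),
    ("P5", "Entity02", "Oracle", "10046", date(2008, 4, 9), 1250000),
]
SUFFIXES = {"inc", "llc", "corp", "co", "ltd"}  # assumed list of legal suffixes

def norm_vendor(name):
    """'Oracle Inc.' and 'Oracle' compare equal."""
    words = re.sub(r"[^a-z0-9 ]", "", name.lower()).split()
    return " ".join(w for w in words if w not in SUFFIXES)

def norm_invoice(inv):
    """Undo appended characters: '10045A' and '10045-1' both become '10045'."""
    s = re.sub(r"[-_/. ]\w{1,2}$", "", inv.strip().upper())  # '-1', '/A' suffix
    s = re.sub(r"[^A-Z0-9]", "", s)
    return re.sub(r"(?<=\d)[A-Z]$", "", s).lstrip("0")  # trailing letter

def same_date(a, b):
    """Equal, or day and month swapped (assumed meaning of 'transposed')."""
    return a == b or (a.day <= 12 and date(a.year, a.day, a.month) == b)

def single_entity_exact(payments):
    """Baseline from the slide: identical invoices within one entity only."""
    return [(a[0], b[0]) for a, b in combinations(payments, 2)
            if a[1:4] == b[1:4] and a[5] == b[5]]

def find_duplicates(payments):
    """Pairs matching on vendor and amount plus invoice number or invoice
    date, compared across all legal entities. Pairwise scan for clarity."""
    hits = []
    for a, b in combinations(payments, 2):
        if norm_vendor(a[2]) != norm_vendor(b[2]) or a[5] != b[5]:
            continue
        if norm_invoice(a[3]) == norm_invoice(b[3]):
            hits.append((a[0], b[0], "invoice number"))
        elif same_date(a[4], b[4]):
            hits.append((a[0], b[0], "invoice date"))
    return hits

if __name__ == "__main__":
    print(single_entity_exact(PAYMENTS), find_duplicates(PAYMENTS))
```

The hits are potential duplicates for process owner review, not confirmed ones; P5 shows that a same-vendor, same-amount payment with a different invoice number and date is left alone.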


Page 13

Additional ACL Analytics

• Pricing and Discounts
– 1.7M transactions totalling $1.4B revenue
– Trending Analysis (YoY, market, brand, item, etc.)
– Price overrides through inappropriate discounting
– Identification of obsolete programs

• Commissions
– Customer set-up
– Customer classification
– Calculation of commissions


Page 14

Questions / Wrap-up

Matt Cleaver
[email protected]
(919) 447-4846

Joe Oringel
[email protected]
(704) 752-6403

Page 15

Visual Risk IQ
Points of distinction

• We focus solely on emerging enablers for continuous auditing and monitoring
– Educating the market
– Rapid, low-cost, value-focused pilot projects

• Our clients’ business objectives and current state of maturity drive our recommendations and projects

• People and process changes are primary, supported, as appropriate, with enabling technologies

• We maintain an in-depth, up-to-date knowledge of all software and process solutions within the categories

• Key to our success are alliance relationships with leading software providers and a broad array of complementary professional service firms
