Visual Risk IQ + Audimation deck for Charlotte IIA (PDF only)
Moving up the Maturity Curve toward more Continuous Controls and Continuous Risk Assessment
Data Mining and Continuous Auditing
Joe Oringel (Visual Risk IQ) and Don Sparks (Audimation), Charlotte, NC, March 31, 2009
23 slides. Uploaded Jan 22, 2015 by Joe Oringel.

Charlotte IIA presentation on Data Mining and Continuous Monitoring - March 31, 2009
Transcript
1. Moving up the Maturity Curve toward more Continuous Controls and Continuous Risk Assessment. Data Mining and Continuous Auditing. Joe Oringel; Don Sparks, Audimation. Charlotte, NC, March 31, 2009

2. Opening thoughts on Continuous Auditing

  • Expectations check - how does the current state of the economy affect what my key stakeholders want from us in Internal Audit?
  • Internal audit utopia - what might it look like? How far away are we?
  • Maturity Model discussion. Consider People, Process, Technology and Governance implications. What are some high-value steps that organizations can take to begin to move toward the desired state?
  • What are the primary challenges to implementing, and how are others overcoming them?
  • What can I do beginning Monday?

GRC thought leadership, practically applied. 2008 Visual Risk IQ and Vonya Global - All Rights Reserved

3. What does Wall Street guidance look like? How are economic conditions affecting you?

  • Lowered guidance
  • New SG&A expense control initiatives
  • Suspending our 401K match
  • Staff reductions of 10%
  • Hiring (travel, salary) freeze
  • Think about the Fraud Triangle: pressure, rationalization and opportunity
  • Financial pressure and rationalization are on the rise
  • What are we doing about opportunity?

4. Level-setting / Review of Industry Guidance: the IIA's GTAG was published in 2005. Where are we now?

  • Continuous Auditing
    • Method used to perform audit-related activities on a continuous basis; includes control and risk assessment
    • Performed by Internal Audit
  • Continuous Monitoring
    • Processes to ensure policies/processes are operating effectively and to assess adequacy/effectiveness of controls
    • Performed by operational/financial management; audit independently evaluates adequacy of management activities
  • Continuous Assurance
    • Combination of continuous auditing and audit oversight of continuous monitoring
  • CAATs (Computer Assisted Audit Techniques)
    • Using data analysis in executing audit programs

5. Relationship between Continuous Auditing, Monitoring, and Assurance

  • The role of continuous auditing depends on management's role in continuous monitoring of controls
    • Inverse relationship: the greater the role of management, the smaller the direct role of internal audit
  • True continuous assurance
    • Depends on effective monitoring of internal controls by management and on Audit's independent assessment of that function

Level-setting / Review of Industry Guidance

  • How close are we? Why?
    • Distracted by SOX
    • Access to data

6. Evolution from CAATs to CA to CM

  • CAATs (Internal Audit)
    • Greater coverage than sampling
    • Deep coverage from automated testing
    • Core competency of internal audit
    • Created on demand; reuse is considered
  • Continuous Auditing (Internal Audit)
    • Repetitive / on-going; frequent intervals
    • Not based on audit project timeline
    • More in-depth automated testing
    • Centralized process requires cross-audit-program focus
  • Continuous Monitoring (Business)
    • Monitoring controls is the responsibility of business process owners
    • Periodically reviewed by IA
    • Includes both transaction and controls monitoring

Level-setting / Review of Industry Guidance

7. Market View of Continuous Auditing: Continuous Auditing is a hot topic for today's Audit leader - but what is "Continuous"?

Continuous auditing and continuous monitoring become "right time" when the timing and frequency of evaluation match business requirements. What frequency is right for your revenue transactions? Supply chain?

[Charts: "Continuous auditing / continuous monitoring programs" and "Today's continuous auditing frequency". Source: 2006 State of the Internal Auditing Profession, Copyright PricewaterhouseCoopers LLP 2006.]

8. What is continual risk assessment and how does it relate to continuous auditing?

  • Continuous means all-of-the-time (every second) without stopping
    • This is impractical and unnecessary for monitoring most risks or controls
  • Continual means on a regular schedule, also without stopping
    • Once a year, every year
    • Once a quarter, every quarter
    • Once a month, every month
  • Different risks / controls require different monitoring frequencies
    • Monitoring of employee time cards should be performed bi-weekly
    • Monitoring of bank reconciliations should be performed monthly
    • Monitoring of security profiles should be performed weekly or daily
  • Thus, we feel that the term "continual risk assessment" accurately describes a realistic approach to risk and controls monitoring
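
A concrete version of the cadence idea on this slide, as an added example that is not part of the original deck: review cadences per control (bi-weekly, monthly and daily, as on the slide), a scheduler that runs only what is due, and the daily "security profiles" check implemented as a diff between two snapshots of user role assignments. The role names, the privileged-role list, the segregation-of-duties rule and both snapshots are constructed for illustration; "monthly" is approximated as 30 days.

```python
"""Continual risk/controls monitoring: cadence per control plus a daily
security-profile check.

Added example, not from the Visual Risk IQ deck. It shows two things from
slide 8: each control gets its own review cadence ("continual", not every
second), and a 'security profiles' check can run daily by diffing today's
role assignments against yesterday's snapshot. Role names, the SoD rule,
the 30-day approximation of 'monthly' and all snapshot data are constructed
assumptions for illustration.
"""
from datetime import date

# Review cadence in days per control, taken from the slide's examples.
CADENCE_DAYS = {
    "employee_timecards": 14,    # bi-weekly
    "bank_reconciliations": 30,  # monthly, approximated as 30 days (assumption)
    "security_profiles": 1,      # "weekly or daily" on the slide; daily here
}

# Roles treated as privileged and one segregation-of-duties rule (both assumed).
PRIVILEGED = {"SAP_ALL", "SYS_ADMIN", "AP_APPROVE"}
SOD_RULES = [({"VENDOR_CREATE", "AP_APPROVE"}, "vendor create + payment approve")]


def due_checks(cadence: dict[str, int], last_run: dict[str, date], today: date) -> list[str]:
    """Names of controls whose cadence has elapsed since their last run.
    A control that has never run is always due."""
    due = []
    for name, days in cadence.items():
        last = last_run.get(name)
        if last is None or (today - last).days >= days:
            due.append(name)
    return due


def security_profile_check(previous: dict[str, set[str]], current: dict[str, set[str]]) -> list[dict]:
    """Diff two snapshots of user -> roles and return exception records.

    Flags accounts created or removed between snapshots, newly granted
    privileged roles, and SoD conflicts that did not exist in the previous
    snapshot (conflicts already present are assumed to be on the remediation
    list and are not re-raised every day).
    """
    exceptions = []
    for user, roles in current.items():
        before = previous.get(user, set())
        if user not in previous:
            exceptions.append({"user": user, "type": "new_account", "detail": sorted(roles)})
        for role in sorted((roles - before) & PRIVILEGED):
            exceptions.append({"user": user, "type": "privileged_grant", "detail": role})
        for combo, label in SOD_RULES:
            if combo <= roles and not combo <= before:
                exceptions.append({"user": user, "type": "sod_conflict", "detail": label})
    for user in sorted(previous.keys() - current.keys()):
        exceptions.append({"user": user, "type": "account_removed", "detail": sorted(previous[user])})
    return exceptions


def run_cycle(today: date, last_run: dict[str, date],
              previous: dict[str, set[str]], current: dict[str, set[str]]) -> dict[str, list[dict]]:
    """One scheduled cycle: run only the controls that are due and record the
    run date. A due control with no automated test is surfaced as a workflow
    item for management's manual review rather than silently skipped."""
    results = {}
    for name in due_checks(CADENCE_DAYS, last_run, today):
        if name == "security_profiles":
            results[name] = security_profile_check(previous, current)
        else:
            results[name] = [{"user": None, "type": "manual_review_due", "detail": name}]
        last_run[name] = today
    return results


# Constructed snapshots of role assignments for two consecutive days.
SNAPSHOT_DAY1 = {
    "jsmith": {"AP_CLERK"},
    "mlee": {"VENDOR_CREATE"},
    "tadmin": {"SYS_ADMIN"},
    "bgone": {"GL_VIEW"},
}
SNAPSHOT_DAY2 = {
    "jsmith": {"AP_CLERK", "AP_APPROVE"},      # privileged role granted
    "mlee": {"VENDOR_CREATE", "AP_APPROVE"},   # privileged grant that also creates an SoD conflict
    "tadmin": {"SYS_ADMIN"},                   # unchanged
    "contractor9": {"SAP_ALL"},                # new account created straight into a privileged role
}                                              # 'bgone' is gone: account removed

if __name__ == "__main__":
    last_run = {"employee_timecards": date(2009, 3, 20),
                "bank_reconciliations": date(2009, 3, 1),
                "security_profiles": date(2009, 3, 30)}
    for control, items in run_cycle(date(2009, 3, 31), last_run, SNAPSHOT_DAY1, SNAPSHOT_DAY2).items():
        print(f"== {control} ({len(items)} item(s))")
        for item in items:
            print(f"  {item['type']:<18} {item['user'] or '-':<12} {item['detail']}")
```

Running it for the single cycle dated March 31, 2009 shows the timecard check as not yet due, the bank reconciliation review surfacing as a manual workflow item, and the profile diff raising six exceptions: three privileged grants (one of which also creates an SoD conflict, raised separately), one new account and one removed account. Whether an unresolved SoD conflict should be re-raised every day until remediated is a design choice that depends on how the workflow engine tracks open items; here it is raised once, when it first appears.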

Continual risk assessment

9. Implementing continuous auditing across an internal audit methodology is not just about technology...

[Diagram (The audit process): Enterprise; Audit Projects; Technology]

10. ...it's about a model that acknowledges the impact of People, Audit Process and Governance also.

[Diagram (The audit process): Enterprise; Audit Projects; People, Technology, Governance, Audit process]

11. A basic continuous auditing maturity model (the audit process: a maturity model approach)

Columns: Basic practices | Level 2 practices | Better practices | Continuous auditing

  • People
    • Basic practices: Staff has some basic data literacy. Knows how to ask IT for information.
    • Level 2 practices: Some IT- and data-specific specialists are accessible, either in-house or as consultants.
    • Better practices: Audit staff and leaders are IT- and data-literate. Little distinction between IT audit and financial / operational audit people.
    • Continuous auditing: No need for ad hoc data acquisition - CA and CCM systems are well-integrated into finance and operations.
  • Technology
    • Basic practices: Basic data capture and analysis using MS-Office or ERP query tools. Heavy reliance on Corporate IT.
    • Level 2 practices: Some re-usable scripts exist and are used on-demand for relevant audit projects.
    • Better practices: Scripts are stored, scheduled, and run at appropriate intervals.
    • Continuous auditing: Continuous auditing and monitoring technologies contribute to all audit steps.
  • Governance
    • Basic practices: Business is reactive to requests from Internal Audit and usually helps in a timely way.
    • Level 2 practices: Audit can access data directly.
    • Better practices: IT consults with IA prior to making system changes that are known to affect IA.
    • Continuous auditing: Data-driven early warning / risk alerts include both business and controls / audit implications.
  • Audit methodology
    • Basic practices: Risk assessments are conducted annually.
    • Level 2 practices: Risk assessments are conducted more frequently than annually.
    • Better practices: Risk assessments consider objective and subjective data. Gaps between objective and subjective assessments are highlighted.
    • Continuous auditing: Risk alerts are embedded into the IA methodology and drive specific responses in real time.

12. Moving up the curve can rarely be done in large steps (the audit process: a maturity model approach). This slide repeats the maturity model table from slide 11.

13. Risk assessment should be the new centerpiece for the audit process

[Diagram: Enterprise; Audit Projects; Risk Assessment; per-project Planning & Scoping, Execution, Reporting]

14. Visual reporting can help with Continual Risk Assessment and Continuous Controls Monitoring

[Diagram: Corporate Data]

15. What are other leading companies doing?

16. What are other leading companies doing?

17. Regularly updated outlier dashboards can serve as a key top-level report for CRA / CCM. Slide header: "Presentation to the Triad Chapter of the IIA".

18. Another Client Example: individualized per division with drill-down capability

19. Another Client Example, continued: turning data into meaningful information

20. A good continuous controls monitoring platform. What does this look like at best-in-class companies?

[Platform diagram components: Systems of Record; Extract & Mapping Rules; Extract, Map & Load; Data Locker; Common Data Models; Platform Data & Logs; Reasoning & Analytics Engine; Risk and Performance Checks; Workflow Engine; Workflow & Platform Configuration; Visual Reporting / User Interface; Knowledge Maintenance Interface]

21. What can we do on Monday?

  • Assess where your audit team is on the maturity curve. Assess where you want to be. Then find a small-win opportunity and get started.
  • Begin with more frequent risk assessment. What questions should we ask in Q2 that will tell us whether our Q4 assessment is still on target?
  • Identify an audit where we can be more in-depth and data-driven. Do you use CAATs now? In fieldwork and in planning / scoping?
  • Assess what management information audit relies on to gauge company financial or operational performance. How often is it available?
  • Identify potential redundancies in control and performance checking. Are there areas where we can "Ask Once, Satisfy Many"?
  • Think about ways that our internal audit function can be the R&D lab for potential innovations in continuous monitoring

Takeaways

22. Thank you! For more information or discussion, please contact Visual Risk IQ:
Joe Oringel, (704) 752-6403, [email_address]
Don Sparks, 713-327-1877, [email_address]
www.visualriskiq.com, www.audimation.com

23. Visual Risk IQ Points of distinction

  • We focus solely on emerging enablers for continuous auditing and monitoring
    • Educating the market
    • Rapid, low-cost, value-focused pilot projects
  • Our clients' business objectives and current state of maturity drive our recommendations and projects
  • People and process changes are primary, supported, as appropriate, with enabling technologies
  • We maintain an in-depth, up-to-date knowledge of all software and process solutions within these categories
  • Key to our success are alliance relationships with leading software providers and a broad array of complementary professional service firms
