A recent survey of more than 500 audit and compliance professionals, conducted by ACL Services, provides some interesting insights into how internal auditors see their role within an organization, as well as the role of auditing technology in adding value to an organization.

The traditional role of internal auditors has evolved considerably in recent years. While still being conscious of the responsibility to provide an independent assurance function, the trend is for internal audit to work more closely with the business and to establish greater relevance to what matters most to the organization. Evidence of this is found in internal audit's increasing focus on assessing the effectiveness of an organization's risk management processes, as well as bringing specialized data analysis technology into the audit, fraud detection and compliance arena.

The ACL survey shows that while the vast majority of internal auditors perform some form of data analysis techniques, only 9% of auditors use automated and continuous auditing techniques. However, nearly 70% of auditors consider that "the highest level of desired usage" is continuous monitoring by the business.

To read the rest of John's article in BusinessFinanace and review additional insights from the ACL Survey, click here.

Results are in for the ACL Impact Awards! Now in their 14th year, the Impact Awards are open to ACL users from around the globe, recognizing excellence within a variety of categories. Our panel of judges enjoyed reading all of the stories on how our entrants used ACL technology to positively impact their organizations.

We're continually amazed at the ingenuity of the auditors and assurance providers out there who have applied ACL in their jobs to make a difference.

And this year's winners are...

Grand Prize Winner - Jayant Mavlankar and Umesh Jadhav, Essar Investments Limited (India)

Regional Winners:
ASIA - Glen Laslett, Metcash Limited (Australia)
EMEA - Glen Winn, UPC Ireland (Ireland)
LAC – Maria de los Angeles Novello and Augusto Escheguren, Cia de Alimentos Fargo SA (Argentina)
NA - Byron Enamorado, Westfield (USA)

Most Innovative Use Award:  Arnold Mendoza, GE Capital Australia and New Zealand (Australia)

Most Promising Novice Award: David Crotts, Virginia Tech (USA)

Best Use of Analytics Award: Sanjeev Mishra and Nalin Kumar Srivastava, Government of India (India)

Audit Productivity Team Award: Goodluck Ogazi, Globacom Nigeria Limited (Nigeria)

Best Application of Continuous Auditing or Monitoring Award: Carlos Eduardo de Oliveira Nogueira, Procter and Gamble (Brazil)

Congratulations to all of our winners. We look forward to hearing more from you this year!

Finding a gap in an otherwise busy day, I picked up my copy of the Internal Auditor Journal from The IIA.  I find the articles in it quite inspirational for the most part, reading on how Internal Auditors are applying their skill in the real world.

I do like the IT Audit section for a couple of reasons.  One is that it is edited by my friend, Steve Mar, who I’ve known and worked with on IIA committees for many years.  Steve is also a long time ACL customer, having used ACL in a number of past organizations he has worked for.  The other reason is simply because it’s about IT auditing and how IT can help audit gain greater insight into their organizations and help drive the efficiency of their work overall.

In the December issue of Internal Auditor, there is an interesting article about Auditing Cookies. (for IIA members, the link to the online edition is here: http://theiia.texterity.com/ia/201112#pg25) This isn’t about a bakery or grocery store inventory audit; it’s about website cookies – Browser cookies and Flash cookies to be exact.  It provides some interesting thoughts about gathering customer data, making sure it has been appropriately safeguarded and that appropriate controls are in place to keep the organization on-side. Worth the time to read – especially if your organization operates in a web-intensive environment.  Enjoy!

I think we just shook things up a bit.  A bit more than usual that is. 

I’ve always considered Audit Analytics to be a bit of a disruptive technology. By embracing the use of data analysis in audit work, one is agreeing to audit differently, thereby disrupting the “old way,” of doing things. In lieu of pulling paper dossiers out of filing cabinets to take a cursory glance at how well controls are working or to see if the business is operating efficiently, one looks to the electronic data to gain insight into what’s going on. 

Using Audit Analytics, one seeks indicators in the data that point the auditor in the right direction to investigate further and determine what is actually going on in a business process.  The data can indicate possible duplicate payments (or maybe they are just equal amount progress payments.) It might be an indicator of potential fraud – seeing employee addresses in the vendor master file – or not.  That may be the way employees are reimbursed for out of pocket expenses. You get the picture, right? 

But Audit Analytics have been around for nigh on 25 years, right.  Not that “disrupted” I hear you say.

So just last month, we introduced a new technology to the modern auditor’s tool kit – ACL Acerno. ACL Acerno is a Microsoft Excel Add-in that was purpose-built for auditing.  It provides the most efficient way to investigate your ACL results and find out what those indicators in the data are actually telling you. If you missed the news about ACL Acerno, you can get all you need right here. 

It’s all about doing good auditing and using technology to assist and help drive efficiency into audit work.  It’s a new product for a different part of the audit cycle – ACL expanding its footprint for what it can do for auditors. It shakes things up a bit.  ACL does more than just help you with analyzing data.

To borrow a phrase from a TV infomercial, “But wait! That’s not all!”

Just a few days ago, the other shoe dropped:

News Release: “ACL Services announces its expansion into the electronic work papers market.”

We made a strategic acquisition of Workpapers.com and picked up a new technology, business, team members and customers. We are really excited about what this means for what we can do for ACL users. Between ACL Desktop, ACL AuditExchange, ACL Acerno and now the Workpapers.com audit management system, we can deliver a technology solution that spans the entire audit process and helps drive efficiency into all audit work. We’ll be the first company to provide a truly integrated solution explicitly for the audit market. Press release here.

Over the coming months, we’ll be sharing with you our new strategic roadmap and vision for ACL, so stay tuned!

* Credit for this phrase goes to Stewart Rogers- our Manager, Product Management here at ACL.

Our Impact Award winners are some of the best storytellers in the ACL Community. Don’t miss these outstanding podcasts with some of the winners from recent years...

“There's a creative aspect to this type of work which is getting to build something that’s really meaningful and really being useful to those that have a chance to utilize it.” 
-David Riddell, Fidelity National Financial, Impact Award Grand Prize Winner, 2010

Listen to David's podcast

“The most innovative part of this project has in actual fact been the people… The technical component becomes much less important after you have dealt with the people component.”
-Gerrit Buitendag, Lafarge North America, Impact Award Winner, Best Application of Continuous Auditing/Monitoring, 2010

Listen to Gerrit's podcast

 
“Continuous assurance is really the vision that we work towards on a day to day basis. I think as an internal audit department, that’s the Holy Grail... And so that guides my efforts day to day.”
-Pat Ferrell, RLI Insurance Company, Impact Award Regional Winner: North America, 2010

Listen to Pat's podcast

Feeling inspired? We’re currently accepting entries for this year’s Impact Awards.Categories include Most Promising Novice, Best Use of Analytics, Audit Productivity Team, Best Application of Continuous Auditing/Monitoring and Most Innovative Use. Learn more and submit your entry today!

A Guest blog from Andrew Monroe, ACDA:

Speaking truth to power is risky. An auditor that reports a finding is sorely challenged. Clients will shoot the messenger, set about fixing the issue, spinning the story and putting as much distance as they can between their “new opportunity” and the audit department.

“Oh, we already KNEW about that item and have this action plan to address it. So, that doesn’t need to be in your audit report.” Now if you don’t report the item, the auditor bears the risk if anything goes wrong afterwards. “You just did an audit in that area, why isn’t this in your report?”

Even in the best control environments, where the virtues of commercially reasonable, effective control are hallmarks of financial discipline, auditing can still be a challenge due to the sophistication, and motives, of the client. Delivering truth to power is a high risk business- personally, politically, professionally- and is not for the faint of heart. The downside is a career ender, or a career staller. Due to this risk, audit must have solid management support at all levels of the company, otherwise the audit staff will not put forth the effort to perform brilliant work.

A solid analytic program is essential survival tool for identifying and quantifying the truth, efficiently and effectively, to a management team that values the role audit should play in the modern company. Audit’s role is to identify risk, test controls and report the results to management (as incontrovertible facts). It is management’s role to either address those risks, or live with them, with suitable explanation to the Audit Committee of the Board of Directors. Period. Full stop. Everything else is histrionics and a risky diversion from the main goal.
If this writing resonates with you, and your audit department is well on its way to building a comprehensive analytics program for the future, awesome! If you are still formulating a plan, or waffling around trying different techniques, you are running out of time. You may want to look into trade schools for a new path, like arc welding.

No matter where you are, however, ACL has all the tools you will need to build a robust infrastructure. From the robust desktop tool during the “analysis” phase, to the automation phases with AuditExchange server solution, ACL has all the essential requirements covered. Banking on ACL will provide you an adaptable, sustainable, repeatable infrastructure that will allow your organization to thrive long into the future.

Andrew W. Monroe, ACDA, has many years experience in controls design and testing in the consumer packaged goods (CPG) industry. He has worked in the Finance, Audit and IT functions of Fortune 500 corporations identifying efficiencies and improvements in corporate performance, leading projects, and assuring compliance. He has six years experience with ACL software, including Direct Link for SAP and ACL Server of z/OS (IBM Mainframe), and his implementation project saw to the training of more than 100 users. As a product champion, he assisted in the adoption and use of ACL across a number of corporate functions.

It’s been said that there are 3 kinds of people in this world: those who can count, and those who can’t.

OK that’s an old one, but I’m going to hopefully show a new trick here that can help to reduce a company’s vendor count if they suffer from bad data quality.  One of the biggest reasons companies make erroneous or duplicate payments is bad vendor data.  An obvious example might be as follows:

 
In the above example, the 1st and 3rd records refer to the same vendor – the names and the addresses are not exactly the same, but it looks like we have a duplicate.  Extrapolate this scenario across the entire vendor master file, and you can see that there is the potential for errors throughout the procurement process. If you have say, 50000 vendors, how many duplicates do you think you have? More importantly, how can you identify them?

Here‘s one trick that might help. When ERP users enter information, they often enter company names and addresses – words, if you like - in various ways that circumvent existing duplicate controls. So if you’re looking for duplicate vendors, try looking at the numbers in the address lines and zip code.

  I’ve created a new column in the above table called JUST_NUMBERS that reads nothing but numbers from the address field and the zip field. You could also include the tax ID numbers if you have that field too, or exclude the zip if it is not always present. In ACL you would use an expression to create this column: INCLUDE(ADDRESS, ‘1234567890’) + ZIP.

From this point I can use just a simple DUPLICATE command on the JUST_NUMBERS column to find out which of my vendors are actually duplicates to get the following result:

  
If you have many thousands of vendors, this can yield some great results and is just one trick you can use to clean up your ERP’s vendor master table.
If you want to get started, and you have a vendor table imported into ACL, here’s a script you can use right now to try it out:

SET SAFETY OFF

OPEN VENDORS

DEFINE FIELD JUST_NUMBERS COMPUTED INCLUDE((ADDRESS+ZIP), '1234567890')

DUPLICATES ON JUST_NUMBERS OTHER NUMBER VENDOR ADDRESS CITY STATE TAX_ID PRESORT OPEN TO "My_Result.FIL" 
OPEN "My_Result"

SET SAFETY ON

*Just change the values in bold to match your own data.

Good luck!

We’re proud to have such a vibrant community of ACL User Groups worldwide. Whether you’re an experienced ACL user with expertise to share, or a novice looking to collaborate with your peers, ACL User Groups are one of the best resources around.

For readers who aren’t familiar with our User Group program, we sent a short list of FAQs  to a few of our most active members. Thanks to Milan, Nancy and Michael for your input!

Milan Shah, Director of Audit at conEdison and a member of the New York ACL User Group (NYAUG).
Nancy Komm, Technology Analyst at U.S Bank and a member of the Pennsylvania ACL User Group.
Michael Podemski, Manager, Advisory Services, Ernst & Young LLP and member of the Chicago ACL User Group. (Twitter: @mpodemski)

When was your User Group formed and how large is your membership now?

Milan: The New York ACL User Group (NYAUG) was formed on 6/12/09. As of 12/31/10, we maintained a distribution list which contained 184 members.

Nancy: The Pennsylvania ACL User Group was formed in the September, 2008 and is now comprised of 315 people from 98 different organizations.  Most of these organizations are based in Pennsylvania, but we also have some members from Maryland, New Jersey, Delaware, and Ohio.

Michael: We are the second incarnation of the Chicago ACL User Group.  We started again this past year around June 3rd.  There are over 50 members in our group and we are growing.

How often do you meet and where?

Milan: The New York ACL User Group meets about every two months except for summer when the meeting frequency is reduced due to the vacation schedules of our members.

Nancy: We meet twice per year, usually in the Spring and Fall.  A different organization volunteers to host the meeting each time, so we meet in a training room or large conference room at the hosting company's organization. 

Michael: We meet quarterly either downtown Chicago or in the Chicago suburbs.


How do you get the word out about group announcements?

Milan: We use our domain, NYAUG.com, where we maintain the NYAUG Distribution List and use Microsoft Outlook to communicate with our members.

Nancy: I send an e-mail to all Pennsylvania ACL User Group members.  Also, the IIA/ISACA chapter that I'm partnering with for the event typically sends an e-mail out to all of their members.  Sometimes I post an announcement on the User Forum as well

Michael: We are in the middle of transition from email to our LinkedIn Group as the main source of information about events, membership, and virtual discussions.

Do you have any tips for other user groups on organizing a great meet-up?

Milan: Tuesday or Wednesday afternoon meetings seem to work best for our group and result in the largest attendance. Generally, we focus on events which contain substantive detail, but are presented at a level high enough so that most of our members can learn something from the presentation and can apply any new skills or computer audit techniques quickly. We continuously obtain feedback from our members (after each event) to improve the quality, content, and presentation delivery at our future events.

Nancy: Our meetings all have the same format:  They are 3-4 hours long, free to attend, and worth CPE.  They typically consist of 3-4 volunteer speakers, a group discussion portion (people submit their questions/topics/issues for group discussion when registering for the meetings), and networking time with a snack!  This is a tried-and-true meeting format that was suggested to me at the beginning by a couple of other states' user group leaders, and it works great for us!  Another piece of advice I would have is to avoid giving details regarding the speaker's job or level at his/her organization when you are introducing your speaker...this will result in more volunteers from more people from all levels, which will result in a wider range of ACL topics that will appeal to management and staff attendees alike.

Michael: We have been really focused on what our members want to know about ACL.  We have members that are currently learning ACL to intermediate and advance users that want to take their skills to the next level.

What kinds of topics are of the most interest in your user group meetings?

Milan: Our members gave good feedback about our past presentations on “ACL and AP Data Analytics,” “10 Things You Didn’t Know You Could Do in ACL,” and “How to Identify Fuzzy Duplicates.”

Nancy: Hot topics are typically ACL AuditExchange, "new ideas for fraud detection tests," and "analytic ideas - quick hits." 

Michael: We try to cover every topic.  Our last meet-up focused on how RLI started their analytics initiative from a few programs to a full-fledged Continuous Auditing initiative.  We plan to use the ACL maturity model as a way to come up with topics for every type of user.

Do you have any advice for ACL users who are thinking of organizing a user group in their area?

Milan: There is no formula for success and we constantly learn from our members and others.  The key point is to simply get started as soon as possible and learn, grow, and improve the process along the way.  The ACL user group leaders can provide helpful feedback if you have any specific questions or simply want someone to ‘bounce’ an idea off.  Good Luck!

Nancy: 1. Partner with IIA and ISACA chapters if you can. It's a mutually beneficial partnership.  Plus, it's a way of obtaining free CPE for your meeting attendees. It also helps when you want to organize a training class because sometimes the IIA is willing to handle money management and billing for the class so that you don't have to deal with money in your group. 

2 . Work with ACL. They will be happy to notify their customers to contact you if they are interested in joining your new user group.  This is how I got my first 30 or 40 user group members right off the bat.

3 . Send a survey to your user group before organizing any meetings to ensure that you choose the meeting format (i.e., length of meeting, number of speakers desired, etc.), the meeting frequency, and the general locale (if you have multiple options) that will appeal to the majority of your distribution list.

Michael: Start small and focus on all types of members from beginners to advanced users.  Use real life examples, not text book examples.

Search for an ACL User Group in your area! Or, if you're interested in starting one, learn more here.

The HIPAA Right-to-Know Act has a number of compliance departments in a spin. In a nutshell, it is due to become law in 2012 and will mean that any customer (patient) of a healthcare provider can demand a report of who accessed their medical records, see what that employee or contractor looked at and when.

Most business systems with any kind of security will record who logged in and accessed records, whether they are ERPs, accounting or other record management systems (RMS). They usually also record what the user did with that record, besides just view it. Some of these systems have specific, built-in audit areas so that departments (usually IT) can investigate user access. That’s the easy bit. But what if you want to get a picture of what a user (or users) has viewed across myriad systems in multiple departments across your organization? Sure, compliance can partner with audit and IT to form a team to investigate user-access, and discover that Chris logged into System A, B and C and viewed all of these records, before looking at related information elsewhere. But if you’re a healthcare provider, it’s not just the business who wants to know - it’s your customers. And if you’re reading this in 2012, they want to know NOW*.

From 2012 under HIPAA regulations, any patient can demand a report of who accessed their records in all areas. So if they had treatment in multiple departments (eg Radiology, Surgery, ICU then Pharmacy) who use different ERP systems (eg McKesson, Oracle, Epic, MUMPS), how are you going to weave together the access logs or database tables from all of these systems, for that patient’s records into a human-readable report of record access if they demand it within the week? If you are a healthcare provider, do you have all your database systems in-house, or are some hosted by 3^rd party providers or in the cloud? Guess what? You’ll have to provide patient access information relating to the employees of those providers too if they have accessed your system, not just those that relate to your own employees and contractors. If you’re a healthcare provider, you’ll need to figure out how or find someone who can.

The good news is that it’s not technically difficult to create an on-demand reporting system for when patients start exercising their demands if you have the data, the right data analytics platform, and the will to start the project. But, as I keep saying, IT is your partner in getting the ball rolling so that your department can manage and ultimately own the process.

* As I write, I’m currently traveling in the Mid-West and I’ve met with some of America’s largest healthcare companies. They’re keeping a close watch on the act and are hoping it will be repealed before 2012. Some think it will, some don’t want to take the chance. We’ll have to wait and see.

Guest blogger Andrew Monroe, ACDA, has provided us with one of his many stories about "data analysis to the rescue." In this case, it was in response to a fraud hotline whistleblower tip on T&E Fraud...

The call came into the compliance hotline alleging that a person was making profit on rental cars through the expense reimbursement system. How could anyone do that? The only way to get money from the expense system is to turn in receipts. If they have a receipt for a rental car, then a person just gets reimbursed. Other than collusion with a rental car company, I could not imagine how this was possible.

The company has production plants in several, mid-sized US cities. There is air service between these cities, but it can involve changing planes and once there, a person still has to rent a car to get to the plant. Air travel from city “A” to city “B” can take six hours, which are about 250 miles apart. Driving that distance can take about five hours. A person can either drive their own car and submit mileage (at $0.51 per mile, the reimbursement would be about $255), or they can rent a car and turn in the receipts for gas, rental and tolls, if any. Renting a car at corporate rates can cost $35-$45 per day.

The person was renting a car, driving to city “B” and back over several days, turning in the mileage and pocketing the difference –about $85 per trip. This was profitable so long as the rental period did not exceed 5 days in duration, assuming gas cost $2.75 per gallon and 20 miles per gallon fuel economy.
The objective of travel reimbursement is to reimburse a person for expenses incurred on company business. People are not supposed to profit from it. Management wanted to know if this allegation was true. And, if it was true, how many trips did the person profit from? What should be the reimbursement to the company? And, was anyone else doing this type of scam?

The challenge was to integrate travel expense data from two sources: the T&E system and the corporate travel-card data. ACL was used to first extract data from SAP using Direct Link and then to interrogate the data to identify all “mileage” trips more than 500 miles. Our person of interest had nearly a dozen trips for the time period. We then interrogated charge card data. Rental car charges showed up in nearly all of the instances. Trip dates and rental dates were proximate. We then provided human resources the information they needed to conduct their interview. The person reimbursed the company for excessive charges. With ACL, we were able to provide speedy results, through both extraction and analysis.

Andrew W. Monroe, ACDA, has many years experience in controls design and testing in the consumer packaged goods (CPG) industry. He has worked in the Finance, Audit and IT functions of Fortune 500 corporations identifying efficiencies and improvements in corporate performance, leading projects, and assuring compliance. He has six years experience with ACL software, including Direct Link for SAP and ACL Server of z/OS (IBM Mainframe), and his implementation project saw to the training of more than 100 users. As a product champion, he assisted in the adoption and use of ACL across a number of corporate functions.