FCPA Compliance and Ethics Blog

February 4, 2015

Five Tips for Advancing with Audit Analytics-Part III

Filed under: Best Practices,Big Data,Data Analytics,Joe Oringel,Visual Risk IQ — tfoxlaw @ 12:01 am

Oringel - new pic Ed. Note-Joe Oringel, Principal at Visual Risk IQ recently wrote a series of blog posts on advancing your business through the use of data analytics and audit. I asked Joe if I could repost his articles, which he graciously allowed me to do. So today I begin a day 3-day series of blog posts which reprint his post. Today is the final post, Tip 5. 

Tip 5 – Supplement Necessary Skills with Internal or External Resources

This week we have been posting about how to succeed with data analytics in areas such as internal audit and compliance. Monday we introduced the following Body of Knowledge and indicated that each of the skills below are often needed for a data analytics project.

  • Project Management
  • Data Acquisition and Manipulation
  • Statistical techniques
  • Visual Reporting techniques
  • Communication
  • Audit and Compliance Domain expertise
  • Change Management and Strategic Thinking

Does this mean that audit teams need a statistician or visual reporting whiz in the department? Not at all. Just as audit teams co-source with supplemental resources, they can also co-source for data analytics. Better still, co-sourcing with internal company resources, in the form of a secondment or guest auditor is often possible. Reach into IT’s Business Intelligence or data warehouse group, and internal audit can find talent with excellent company and data manipulation expertise. Reach into HR or Finance for someone with domain expertise around incentive compensation and team on that important Sales commission audit project.

Will these resources have advanced audit or compliance domain expertise? Probably not, but Tom Brady doesn’t play running back or wide receiver yet he makes those players better by fitting the pieces together. Audit and compliance leaders know what questions we want to answer. It’s the “how” where we sometimes need help. At Visual Risk IQ, I have the very good fortune to work with an incredibly talented team that is deep in database design, data manipulation, programming, and visualization skills. We work together to make sure that our queries are answering the right business questions, and in turn that those answers are being communicated in a way that is precise and easy to understand.

When we have first worked in domains where our experience had been limited (e.g. Health claims in 2008, FCPA / anti-corruption in 2010, or HR in 2013), we relied heavily on domain expertise from our clients’ General Counsel’s office or on consultants to our firm, so we could bring the full expertise needed for a project, given the body of knowledge framework above. This technique has worked consistently for us, and it works for audit and compliance too.

Why are audit analytics so important? First, through the use of audit analytics as a monitoring tool it can lower audit costs by eliminating manual sampling. Second, audit analytics can improve financial governance by increasing the reliability of transactional controls and the effectiveness of anti-corruption controls. Third, they can improve actual operational performance by monitoring key financial processes.

However it may be more simply put in the context of McNulty’s Three Maxims of the three general areas of inquiry the Department Of Justice would assess regarding an enforcement action. First: “What did you do to stay out of trouble?” second: “What did you do when you found out?” and third: “What remedial action did you take?”

The Visual Risk IQ studies include a case study of both accounts payable and of purchase card spend to determine if there was fraud and misuse of the cards. The key in both of these reviews, involving continuous controls monitoring situations was that of data review. This same type of testing can be utilized in reviewing foreign business partners, including agents, resellers, distributors and joint venture partners. All foreign business partner financial information can be recorded and analyzed. The analysis can be compared against an established norm which is derived from either against a businesses’ own standard or an accepted industry standard. If a payment, distribution or other financial payment out or remuneration into a foreign business partner is outside an established norm, thus creating a Red Flag, such information can be tagged for further investigation.

Many companies have yet to embrace post FCPA compliance policy audit analytics implementation as a standard part of their compliance program. They have found that it is difficult to test behavioral aspects of a FCPA compliance policy, such as whether an employee will follow a company’s FCPA-based Code of Conduct, other testing can be used to form the basis of a thorough review. For instance, it can be difficult to determine if an employee will adhere to the requirements of the FCPA. However continuous controls monitoring can be used to verify the pre-employment background check performed on an employee; the quality of the FCPA compliance training an employee receives after hire and then to review and record an employee’s annual acknowledgement of FCPA compliance. For a multi-national US company with thousands of employees across the world, the retention and availability of such records is an important component not only of the FCPA compliance program but it will also go a long way to a very positive response to McNulty’s inquiry of “What did you do to stay out of trouble?”

Good luck in 2015 with your data analytics projects! Please write or call if you’d like to compare ideas on how to excel in data analytics for audit or compliance. We’d be happy to assist in your success!

Joe Oringel is a CPA and CIA with 25 years of experience in internal auditing, fraud detection and forensics. He has over ten years of Big 4 external audit, internal audit, and advisory experience, most recently with PricewaterhouseCoopers. His corporate experience includes information security, internal auditing, and risk and control of large ERP systems for companies in highly regulated industries, including Pharmaceuticals, Utilities, and Financial Services. Partner Kim Jones and Joe founded Visual Risk IQ in 2006 as an advisory firm focused solely on Data Analytics, Visual Reporting, and Continuous Auditing and Monitoring. He can be reached at joe.oringel@visualriskiq.com

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author.

 © Joe Oringel 2015

Blog at WordPress.com.