Detecting Fraud in the Information Age

Patrick Taylor
President and CEO
Oversight Technologies
Atlanta, Ga.

The advent of enterprise resource planning (ERP) applications and e-commerce have streamlined many business processes, reducing overhead and improving productivity. However, the technology that drives business in the digital world has also created a new level of corporate fraud, as corporate insiders are becoming savvy at manipulating it. In addition to eliminating the audit paper trail, new technologies have also increased the number of employees accessing corporate systems, which opens the door for insider deceit, theft, and fraud. To combat these issues, management and internal auditors can perform real-time continuous transaction monitoring and analysis to identify suspicious activity that may indicate internal fraud, misuse, and errors. The technology's quick and decisive responses can help reduce the risk of loss.

Internal auditors who understand the growing risk of systems-based fraud also recognize their role in meeting the accompanying audit challenges and regulatory requirements. In conjunction with their company's risk management process, internal auditors in progressive organizations are deploying solutions for continuous transaction monitoring, empowering the auditors to reduce their dependence on sampling-based audits and dedicate more of their time to investigating suspicious transactions flagged by the system.

Fraud From the Inside

While Internet-related hackers make news headlines for disrupting business, stealing intellectual assets, and putting personal information at risk, internal computer fraud remains a dirty little secret of many businesses. Industry experts agree that 60 percent to 70 percent of the financial losses suffered as a result of computer crime come at the hands of authorized insiders, draining from 1 percent to 6 percent of an enterprise's total revenue.

Organizations have historically focused on perimeter defenses, such as network firewalls and virtual private networks, to keep unauthorized outsiders from accessing internal systems. However, reports from Gartner, Yankee Group, and other national research organizations continually point toward authorized insiders as the biggest threat to real financial loss in businesses and government organizations.

Most enterprises don't have to look far to find examples of potential fraud in their business. Systems-based fraudulent schemes can include:

• Fictitious employees on the payroll.
• False — or ghost — vendors that invoice the organization for payment.
• Accounts payable tampering to redirect payments.
• Overpayments, duplicate payments, missing allowances.
• Fabricated commissions.
• Fictitious invoices, refunds, or expense claims from valid vendors, customers, or employees.

When reviewing purchasing transactions, for example, traditional fraud detection involves looking for vendors with similar billing addresses to those of employees. However, an employee with authorized system access can create a ghost vendor account with an unsuspicious address and then, just before the check-print batch run is processed, go into the system to alter the billing address. After the checks are printed, the employee goes back into the system and re-enters the original credible address.

Finding evidence of fraud with employees who know how to cover their tracks is often difficult. As users become familiar with a system, they figure out the logic behind it and learn how to beat the system — known in the business hackers' world as "gaming the system." Authorized insiders also often circumvent internal controls to bypass inefficient processes. Although this flexibility may be good for boosting productivity, it opens the door for misuse by overriding approvals, creating duplicate accounts, or introducing systems-based errors.

Misuse and abuse of the system often create an opportunity for other less-moral insiders to commit fraud. For example, if an employee sees that an invoice is paid twice or that a single invoice is booked twice without detection or correction, he or she may capitalize on the opportunity to commit fraud by routing the second payment for personal benefit.

As the number of transactions has increased dramatically with automated systems and businesses link more system information with vendors, suppliers, and contractors, fraud has the potential to pervade an enterprise in unforeseen places.

Maintaining Controls

To identify and prevent fraud, organizations are increasingly reliant upon the built-in controls of their ERP applications. However, these controls often come with a lot of baggage. Built-in segregation of duties controls, for example, can protect a company by enforcing a procedure that does not allow the same person to approve an invoice and its related payment voucher. These control functions can be incredibly detailed; maintaining and updating them is often overlooked and viewed as a heavy burden that few organizations are willing to undertake. Keeping up with new users, eliminating old users, and adding new roles for existing users can be a daunting task.

Any individual familiar with internal business processes represents a significant threat. Because a large percentage of computer crimes involve insiders with access to key data transactions, internal auditors are tasked with identifying vulnerabilities within the business systems. Unfortunately, management often overrules resulting audit recommendations for more stringent system controls because the direct costs of implementing and maintaining those controls outweighs the benefits or because the controls introduce unwelcome inefficiencies. 

Benefits of Continuous Transaction Monitoring

Continuous transaction monitoring can help assess the effectiveness of system-based controls and complement existing system-generated exception reports. Typical assessments involve examining 100 percent of selected types of transactions to determine whether or not they comply with defined controls. The assessments can also determine if transactions exist for which no controls have been implemented. Internal auditors, empowered with more comprehensive ammunition regarding anomalies, errors, and exceptions can help determine the related control weaknesses and can provide management with more meaningful audit recommendations.

Recently enacted federal legislation introduces requirements related to the financial losses from systems-based fraud. In particular, the U.S. Sarbanes-Oxley Act of 2002 requires many businesses to rethink their internal controls. Section 302 of Sarbanes-Oxley requires public companies to disclose significant internal control deficiencies, whereas Section 404 outlines specific requirements for managers to document the effectiveness of internal controls on financial reporting. Although most organizations are working to meet these requirements, they must also provide a process to continually assess the effectiveness of these documented controls. Continuous transaction monitoring, one solution to this need, suggests four key requirements to effective oversight:

• Continuous transaction monitoring must be conducted independent of operations so that users cannot determine out how to game the system.
• Transaction monitoring solutions must access information from the ERP system in real time so that ERP users do not have an opportunity to cover their tracks. Without a paper trail, transaction monitoring must produce inalterable data detailing the fraudulent act.
• Transaction monitoring should analyze all elements of the transaction.
• A minimal number of financial and IT personnel should have administrative privileges to the transaction incident monitoring system to reduce the risk of a guilty party deleting alerts and forensic information.

With vigilance over all transactions within a business system, continuous transaction monitoring can be used to recognize the context of a transaction and cross-reference outside data sources. By flagging the transaction — for example, a mailing address that is altered just before payment — and comparing information from various systems, such as Dunn & Bradstreet vendor numbers and human resource applications, continuous transaction monitoring builds a case of evidence for internal auditors to pursue.

Continuous transaction monitoring can also help businesses identify transaction errors. For example, a telecommunications company was contacted by one of its vendors to report that the company sent duplicate payments for a single $500,000 invoice. Transaction monitoring allows an enterprise to understand holes in its system and eliminate costly errors.

Benefits Versus Costs

In most cases, continuous transaction monitoring directly benefits the bottom line. For every instance of fraud or error that is identified, transaction oversight proves its value. Through diligent maintenance and documentation, it can also reduce the time and costs of implementing the requirements of regulatory compliance.

As technology continues to streamline internal business processes, enterprises should evaluate how these efficiencies might create vulnerabilities that insiders can exploit. Continuous transaction monitoring can easily identify systems-based fraud and help organizations comply with regulations.

Patrick Taylor has more than 15 years' experience in companies such as Internet Security Systems, ORACLE, and Symantec in sales, product management, marketing communications, and channel marketing activities for information security and wireless Internet platforms.

Allstate Life Insurance Co. Implements ERM

Vinaya Sharma, FSA, MAAA, PRM, FLMI 
Actuary
Allstate Life Insurance Co.
Northbrook, Ill.

A little more than two years ago, I was asked to formalize the enterprise risk management (ERM) process at Allstate Life Insurance Co. Although the company has always proactively managed its risks, management wanted a formal program in place. As the team leader for this effort, I was anxious to coordinate a project of this magnitude.

Much like defining art, if you ask 10 people to define ERM, you will get 10 different answers and an equal number, if not more, ways to create an ERM structure.

Why would a company implement ERM in the first place, particularly an insurance company that is supposed to specialize in risk? ERM could help the company:

• Provide companywide assessment to risk analysis.
• Demonstrate how a single relevant economic event affects the company.
• Reveal portfolio effects.
• Enhance capital allocation process.
• Clarify roles and responsibilities.

Although these points are certainly noble, a few may seem somewhat idealistic. Implementing ERM at Allstate Life would put the theory into practice. It is important to note that ERM is not necessarily a universal analysis and assigned responsibility of risk; in this case, it is more targeted and focused.

Given Allstate Life's organizational structure, a three-pronged approach toward ERM was the best way to get the most "bang for the buck," first analyzing significant risks and next, aggregating risks through the enterprise. Finally, the third prong would be to establish a point team to address large events that impact the enterprise.

Analyze significant risks

The first step in the process was to identify the company's largest risks along with those that could be measured and managed easily, such as interest-rate risk, credit-market risk, and equity-market risk exposure. 

The next step involved aggregating the exposures throughout the company. For example, Allstate Life has equity exposure through variable annuities, equity indexed annuities, and nonaffiliated common stock. Because equity exposures are managed among different groups, we needed to roll the exposures together to understand the effects of the stock market on the company as a whole, not just as a segment.

After aggregating the exposures, we implemented a series of risk-related metrics to quantify the risk. Examples of risk-related metrics include net amount at risk, embedded value risk, and risk to income and capital. The Society of Actuaries' Risk Management Task Force has a risk metrics group that has several other relevant metrics. At Allstate Life, our metrics are relatively standard in definition and thus difficult to misconstrue. Ideally, the metrics must also be understandable to the practitioners who are responsible for day-to-day management of risk so they know what levers can be pulled to decrease or increase risk.

Risk tolerance levels also are a key to the analysis. A company should consider internal factors, such as the performance of senior management and risk managers, and external factors, such as rating agencies, investment analysts, and state insurance departments, when setting tolerance levels. For example, setting a tolerance of insolvency in 10 percent of all scenarios is likely too aggressive. Likewise, zero volatility in Generally Accepted Accounting Principles income in any interest rate scenario is probably too conservative. Senior management review is necessary to establish the risk appetite for the company.

Once tolerance levels are established, measurement must take place. Based on the risk level, management must make decisions not only as to how, but also how often to measure the risk. Certain risks, such as credit risk, may need to be measured and monitored more frequently than, say, mortality risk. In addition, depending on the risk and the modeling capabilities available, a stochastic measurement may be more useful than a deterministic approach. However, a deterministic approach normally is easier for senior management to grapple with when understanding risk and establishing baselines.

The last step in the ERM process involved periodically updating the risk profile. A short, concise report that summarizes the risks will garner more attention than a 20-page report with 40 pages of appendices. The latter may be useful in measuring and managing the risk, but a succinct report can help drive action by senior management.

Aggregate risks throughout the enterprise

Although there are several specific risks that are key to Allstate Life, the company faces myriad other risks that must also be considered, such as legal risk, external partner risk, technology risk, operational risk, and tax risk. Quantifying these "soft" risks can be tricky and rather burdensome. Given the limited availability of time, the most efficient approach to understanding the soft risks was to have a monthly risk meeting with risk liaisons throughout the company. Those liaisons kept me up to date on the risks and opportunities that they deal with in their respective areas of the company.

At first, I felt it necessary to quantify the identified risks. However, I soon discovered that although the exercise could be of value, it was not an efficient use of time. My discussions with the risk liaisons also forced me to learn terms and a vernacular that I do not normally use. For example, learning about metrics related to distribution and marketing, such as sales and brand awareness, helped me speak more cogently with those liaisons.  

Last year, Allstate Life held its inaugural risk forum, with liaisons from more than 20 areas of the company. Attendees and senior management met for a day to discuss the top risks and opportunities of each area in the company. The forum gave participants a greater understanding of the Allstate Life business as a whole. It was structured so that each liaison could mark down a risk from someone else that may affect his or her particular area. This structure allowed the affected area to be involved in the project — or at least informed of progress — as opposed to finding out about it later and having to react to decisions that were made without all stakeholders at the table.

Establish a point team on large events

The third prong of the ERM process is more reactive in nature. The risk liaisons are responsible for measuring and quantifying the impact of large events that affect multiple parts of the enterprise. Events that have required such collaboration include terrorist attacks, SQL/Slammer virus, and the recent tax proposal by U.S. President George W. Bush.

The ability to summarize and synthesize the information provides a single overview of these impacts, which can be particularly useful when dealing with external stakeholders.

The value of ERM

There have been several areas where the implementation of an ERM program has shown value to the company:

• Consolidation of resources. Through monthly meetings, we have been able to quickly assess whether certain risks or projects may impact others. We then bring those parties together quickly for a more thorough decision-making process. In several instances, we have been able to enlist the help of others in the organization who have handled similar projects.
• Aggregation of exposure. A question as innocent as, "What happens to us if the market drops 10 percent?" can now be evaluated inside the ERM framework.
• Increased discipline. Although discipline existed at Allstate Life before ERM, our structured, periodic measurement of risk increases risk awareness and enables all business units to anticipate and plan around identified exposures.
• Broader understanding and measurement of risk. The more involved business units are in risk measurement, the more it becomes a part of the general processes. Communication also becomes more effective as the terminology is more standardized.

Be aware of the potholes

There are several potentially negative aspects of the ERM process that must be considered:

• Senior management buy-in is essential. For an ERM structure to make inroads, it must be a top-down campaign instead of a grassroots initiative. Failure to obtain senior management buy-in can result in a lot of wasted time for all parties involved. 
• Turf issues may occur. Overlaying an ERM framework on an existing framework requires a delicate balance. A meeting with the day-to-day risk managers is worthwhile to help identify which part of the organization is responsible for each particular step of risk management (e.g., senior management may be responsible for company-level risk tolerance, whereas line actuaries are responsible for risk analysis, solutions, and implementation.) It is important to remember that risk management already existed without a formal ERM process.
• Witch hunts should be avoided. Those not used to dealing with risk can be prone to a "gotcha" mentality. Disrupt this type of thinking early on by providing necessary information to all who will be involved in, or affected by, the process, such as explaining how the information will be disseminated and how it relates to other parties. 
• You only know what you are told. It's hard to manage something you are not aware of. Communication is key.
• Risk management is different to different people. Ten people can have 10 different interpretations of, and approaches to, ERM.
• Quantifying ERM value can be difficult. In today's measurement-based world, it is hard to put a value on ERM. Have our monthly discussions saved several people some time and effort? Absolutely, although admittedly I do not know exactly how much. Has the establishment of tolerances and periodic measurement helped Allstate Life management better understand its risk profile? Yes, and it has also helped to allocate capital held by the company. This, in turn, translates into higher return on equity, which ultimately results in higher shareholder value.

Allstate Life's ERM process is not the only way to implement ERM, but it is the way our organization has made it work. 

Vinaya Sharma has more than 10 years' actuarial experience and has served as an actuary with Allstate Life Insurance Company for the past five years.

A version of this article was published in the November 2003 Actuary newsletter. Copyright 2003 by the Society of Actuaries, Schaumburg, Ill. Reprinted with permission.

Auditors Provide Feedback on Risk Management

Survey results pulled from the Global Audit Information Network (GAIN), The IIA's benchmarking service for the internal audit profession, indicate that use of the Committee of Sponsoring Organization of the Treadway Commission's (COSO) enterprise risk management (ERM) framework is alive and well in many organizations. Based on information gathered from auditors in a variety of industries, the responses to the March 2004 survey, COSO ERM Impact on Internal Auditing, provide benchmarking data companies can use to evaluate their own progress.

COSO's Enterprise Risk Management Conceptual Framework exposure draft, issued July 2003, was designed to offer company boards and management a commonly accepted model for evaluating risk management efforts within an organization. The new framework, which COSO expects to release in July, will encompass the criteria set forth in COSO's original document, Internal Control–Integrated Framework, published in 1992. A detailed practical application guide will accompany the final framework document.

Focusing on internal auditors' involvement in ERM, survey results indicate that COSO's framework serves as a useful tool in many organizations' risk management processes, whereas others are waiting for further direction before committing further resources. Almost 100 participants responded to questions such as:

How much impact do you expect the release of the COSO ERM framework to have on your organization's ERM plans or activities?

Many organizations have already integrated the concepts in the new COSO ERM model into their risk management process, while others, who currently do not have an ERM system, are looking to the updated publication to jumpstart the process.

Almost 65 percent of the respondents said that the ERM framework will, or already has, impacted their internal audit department activities to improve their organization's risk management process. Although 35 percent indicated they have not done much to integrate the framework into their audit plan, many said they intend to use it as a yardstick to evaluate and improve ERM within their organization. Others reported that as their company continues to understand and adopt the cultural and procedural changes brought about by the requirements of the U.S. Sarbanes-Oxley Act of 2002, they will be ready to embrace the COSO ERM methodology.

Which of the following best describes the status of your organization's ERM activities?

Most respondents indicated that their organization has some sort of risk management process. Twelve percent of survey participants indicated that they have a fully implemented ERM process, while 58 percent have an informal process or are in the process of implementing an ERM program. Twenty-four percent of the respondents are planning to implement ERM but have not yet started the process, whereas 6 percent have no plans as of yet.

Many respondents stated that ERM within their organization is in continuous improvement, working toward better processes for measuring progress on effectively managing risks. For others, the concept is new and they are just starting the education and communication stages. In all stages, respondents indicated that executive management support is crucial.

Which of the ERM benefits identified in the COSO framework are the primary drivers — management motivators — to your organization's ERM activities?

The majority of respondents agreed that implementing a COSO-based ERM process will help minimize operational surprises and losses and identify cross-enterprise risks. More than 35 percent also responded that ERM helps to align risk appetite and strategy and enhance risk response decisions. To a lesser degree, other benefits identified focused on linking growth, risk, return, and capital.

What are — or were — your organization's primary ERM implementation barriers?

Organizational culture — including no clear sense of benefits or urgency — was the respondent's primary barrier to ERM implementation. Other obstacles included lack of tools, time, and resources and a common ERM process or language, as well as turf issues. Several organizations indicated that ERM was taking a back seat to Sarbanes-Oxley priorities.

Most respondents agreed that a risk-conscious tone at the top needs to be in place to drive the ERM process and that ERM should be part of day-to-day management practice and not a bureaucratic process that simply adds a layer of administrative activity. The challenge is to change an inflexible organizational culture by helping management understand the value ERM can add to the company and then get management to embrace it.

What role is internal auditing playing in the ERM process?

The majority of survey participants indicated that internal auditing plays a proactive role in establishing their organization's risk management function and actively supports the ERM process. In organizations where a formal risk management program doesn't exist, the internal auditors are bringing ERM to management's attention, along with suggestions for establishing such a process. The respondents agreed that independence and objectivity of approach and decisions must be maintained. A few respondents also indicated that they have incorporated ERM into the organization's control self-assessment model, focusing on risk to evaluate and incorporate controls.

Participant comments revealed that many chief audit executives are taking a lead role in coordinating and facilitating ERM efforts, providing the tools, knowledge, and assistance to management to help identify risk and to assist management with creating a work plan that addresses managing and mitigating risk.

Has your organization's management developed a risk management philosophy, defining the value the organization seeks from risk management?

Almost half of the respondents indicated their organizations have implemented, or are in the process of implementing, a formal risk management philosophy that is embedded in a formal ERM policy. Approved by the board, these policies are generally communicated through employee workshops and committees and are included in business performance criteria with guidance and reminders in written correspondence.

The COSO Framework's risk identification component includes event categories — groups of similar potential events. Which of the following best describes your organization?

Approximately 65 percent of respondents categorize their business risks, with 41 percent using three to 10 risk categories and 23 percent using from 11 to more than 25 risk categories.

Several respondents, whose organizations do not place risk in specific categories, indicated that their executive committee views risk in one big bucket, while others thought that putting risk into categories limits out-of-the-box thinking in the risk identification process.
 
What are the primary methodologies and techniques used within your organization to identify and assess risk?

As participants were allowed to select various methodologies and techniques, the respondents listed use of the following, in order of most frequent use to least:

• Facilitated workshops and interviews.
• Benchmarking.
• Process flow analysis.
• Leading indicators and event inventories.
• Loss-event data.
• Probabilistic and non-probabilistic models.
• Escalation triggers.

Respondents using facilitated sessions found a synergy in management's understanding and acceptance of the risk strategy and processes. Others found that critical incidents are a big motivator in their ERM process, while proactive assessment usually takes a back seat to current issues or fires.

How satisfied are you with the effectiveness of your organization's ongoing risk monitoring capabilities?

The COSO framework's monitoring component includes ongoing monitoring activities, including periodic reporting — quarterly or monthly reports from the risk owners — and real-time reports on changing conditions. Only 41 percent of participants indicated that they are satisfied with the ongoing risk monitoring within their organization. Those who were not satisfied indicated that little emphasis was put on monitoring risk, because loss data and exposure was difficult to summarize or they had informal processes that were not measured.

For more information on the survey, visit COSO ERM Impact on Internal Auditing, or GAIN's services, visit www.gain2.org.

For further guidance on risk management, see The IIA's Practice Advisories:

• Practice Advisory 2100-3: Internal Audit's Role in the Risk Management Process 
• Practice Advisory 2100-4: Internal Audit's Role in Organizations Without a Risk Management Process  

Q&A with Dave Harmon

David Harmon, CCSA, CIA, CISA, CPA
Director of Financial Management Programs 
UCLA, Los Angeles

Quoting from the U.S. Public Company Accounting Oversight Board's (PCAOB's) audit standard No. 2, under the heading Management Self-assessment of Controls — page 81, paragraph 40 — "Management may test the operating effectiveness of controls using a self-assessment process. Because such an assessment is made by the same personnel who are responsible for performing the control, the individuals performing the self-assessment do not have sufficient objectivity as it relates to the subject matter. Therefore, the auditor should not use their work." So, does this totally rule out use of control self-assessment (CSA) when evaluating an organization's controls?

The short answer is no, CSA is not dead. The long answer is a bit more complicated. I must admit, as a strong proponent of CSA, I was extremely encouraged at first by the passage of the U.S. Sarbanes-Oxley Act of 2002. It seemed that this ruling would be the driver to bring CSA into the mainstream of the audit process, from the fringes of an esoteric internal audit best practice. But after digesting the fine details of the new internal control standard, I now have different thoughts. However, what may appear to be a lost opportunity does not mean that all is lost. After taking some time to think about it, there may be a silver lining in this somewhat gray cloud. By not institutionalizing CSA, the concept may be somewhat protected from the risk of becoming a watered down version of its original promise.

One thing that I have stressed time and again is that organizations need to sponsor a champion for CSA to work. This has been one of CSA's greatest challenges and has also been the most common reason for failure. Advocates know that CSA can pay big dividends when properly implemented. But because the self-assessment process also has had its share of failures, advocates might ask, how did this happen? In my view, self-assessment failures are due to implementing controls that don't work as designed. If CSA had been adopted and mandated as a PCAOB requirement, many of the organizations required to adopt it may not have had an appropriate champion to sponsor and support it. The long-term effect would be that CSA would lose credibility — realizing the PCAOB assertion that it cannot be relied upon — and become a self-fulfilling prophecy.

Here is the catch-22. CSA is a highly effective method for assessing the health of an organization's system of internal control — in particular its control environment — and should be considered when assessing internal control. However, if the PCAOB had made it a requirement, it may have ceased to be effective as it is deemed unreliable for purposes of evaluation. Therefore, the PCAOB's failure to embrace CSA is not necessarily a detriment and may actually be appropriate as the standard provides some latitude in using CSA results. In context with these thoughts, another reference to the standard — page A-27, paragraphs 52 and 53 — appears at odds, indicating that "self-assessment programs as a company-level control may be appropriate …. to test and evaluate the design effectiveness of company-level controls first, because the results of that work might affect the way the auditor evaluates the other aspects of control over financial reporting."

So how should auditors interpret these contradictions? Can or should external auditors use CSA results? This is where auditor judgment comes into play to determine if an organization's CSA program has credibility. If there is evidence that the organization uses it successfully as a control assessment tool, the auditors may consider reliance. However, if indications are such that the organization's CSA process is not truly effective, the external auditors will probably not rely on it when assessing controls.

If CSA is on the vanguard of identifying control issues, the results will be hard to dismiss. To steal a philosophy from the movie "Field of Dreams": If you embrace CSA and give it credibility, they — the external auditors — will come and place reliance on it.

As a true believer, the benefits of an effective CSA program go well beyond compliance with Sarbanes-Oxley. Enlightened chief audit executives and management should embrace CSA, whether or not external auditing places reliance upon it. 

David Harmon, CCSA, CIA, CISA, CPA, is director of financial management programs at UCLA in Los Angeles. Harmon helped develop a CSA program in his former position at Fannie Mae, instructs several IIA courses on CSA, and contributed to the questions in The IIA's CCSA exam.  

Success Stories

The Journey Continues

Mariefrance Weiler, CIA, CFSA, CCSA
Internal Audit Director
Morgan Stanley Credit Services

Although it feels like only yesterday that Discover Financial Services' (DFS) internal audit department embarked on its control self-assessment (CSA) initiative, the process actually started in September 1996. The internal auditors of DFS, a wholly owned subsidiary of Morgan Stanley, began by developing a strategy that detailed how CSA techniques could be implemented as an audit tool integrated with the control framework provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).

In the past decade, there have been many drivers that point to CSA facilitated workshops as a key audit tool in addressing the foundation of control-environment issues. From the U.S. Federal Sentencing Guidelines in 1991 to the U.S. Sarbanes-Oxley Act of 2002 [PDF], these initiatives focus on governance and public scrutiny. At DFS, the internal audit department viewed CSA as a strategic approach to collaboratively link business objectives with internal controls and ethics.

Less than a year after DFS's internal audit department began its CSA initiative, Dean Witter Discover, DFS's parent company, merged with Morgan Stanley. Soon after the merger, the three dominant internal audit groups within the newly merged company — Morgan Stanley institutional securities, Dean Witter retail services, and Discover credit card services — initiated an analysis to understand the similarities and differences between the internal audit groups. The study concluded with a united audit group, governed by one global audit director, with standardized and streamlined audit methodology, reporting, and practices. Although there were fundamental differences in each group's audit universe and local internal audit practices, each methodology shared a risk-based approach with a COSO foundation — just what was needed to expand the use of CSA. In 1998, as the merged internal audit department worked through the audit structure assessment, CSA was targeted as a strategic initiative. Representatives from the former audit groups pulled together a plan to assess, develop, and roll out a CSA process throughout the organization. Having the good fortune of leading the initiative from its beginning, I worked on the project through multiple phases, and the journey still continues.

The overall initiative has enjoyed great success at DFS — where CSA was implemented aggressively — and more opportunities are being explored for use in the various Morgan Stanley business units. Now with Sarbanes-Oxley as added impetus, we continue to find new applications for the process. Looking back, several critical steps contributed to the program's success, including a well-developed project strategy document, the right positioning, an appropriate methodology, adaptive tools, key skill sets, and a dedicated champion. Each of these items remains applicable today as we continue to evolve and maintain the CSA program.

Project Strategy Documentation

As with any new concept, pulling together a well thought-out strategy is crucial to successful implementation. We began with developing a project strategy document to define and capture the initiative's objectives.

DFS's CSA project strategy document contains a background section describing the increasingly competitive and customer-focused marketplace and the resulting impact of constant, rapid change to our organization. We elaborated on how this element raises the level of risk in the organization and the need for reliable, cost-effective internal control systems. We wrapped up our lead argument by paralleling the ever-evolving control environment with the need for adaptive audit tools, such as CSA. We included a description of CSA as we saw it: "CSA is not about one single methodology, but rather, a general approach that takes many specific forms. It is objective driven, action and results oriented, and shares a common framework for implementation."

Finally, to close the background section, we listed some of the benefits and hurdles of a CSA process. Although the benefits were fairly self-explanatory, the group was challenged on how to mitigate the hurdles and meet expectations, such as open communication and ownership.

• Workshops.                
• CSA handbook.                                  
• Management produced analysis — Federal Deposit Institutions Corporation. Improvement Act (FDICIA).
• Newsletter.                  
• Questionnaires.            
• Awareness presentations.
• Awareness training.      
• Control database repository.

The project strategy document continues with sections on Customer and Stakeholders, Scope Determination, Milestones and Deliverables, and Resource Requirements — both internal and external — ending with a section on Project Risks and Mitigation Strategy. During development, this last section was one of great debate, as we could not quite agree on what to include. We finally came up with risks considered critical companywide for which we would develop a mitigation strategy, including: business unit buy-in not obtained; culture of the organization; unrealistic expectations; lack of follow through on findings; and audit resources diverted to other tasks.

What makes the project risks and mitigation strategy section important is that it gives the user tools to clearly define the risks and possible mitigation alternatives before experiencing a full-blown situation where clarity of thought may not always be present.                                         

Positioning

Positioning — who should own CSA — is important to the success of any CSA agenda and was a critical component considered when launching DFS's program. Although there is not one best approach, there can be strong arguments for or against who the owner should be — the business unit or the internal audit department. Most companies agree that understanding the pros and cons and the organization's culture will help decide where to best place CSA.

DFS's approach to ownership is a little different than other organizations; we agreed on a shared approach, depending upon which CSA menu option was selected by the business unit. However, in each approach, management remains the owner of the controls, data, and action plans, but the process is shared with internal auditing. For example, our most dynamic CSA option is the facilitated workshop. The process is owned by internal auditing, but management owns the controls, content, and follow-up. With responsibility for the workshop process, internal auditing can ensure the COSO-based methodology is adhered to. It also provides us with the opportunity to comment on management's integrity as part of the control environment, allows inclusion of significant issues in the audit report if they arise in the workshops, and provides a vehicle for follow-up on those issues until they are resolved. It also enables the auditors to raise significant issues to the appropriate levels in the organization. Each workshop is conducted with the understanding that this will happen.

Open and frank communication brings out significant issues in the workshops despite the participants knowing that issues may be escalated through an audit report. Collaborative wording is used in the audit report, which represents the partnership efforts of the workshop. The end result is agreed-upon action plans and management ownership of the issues and resolution, which builds a stronger process.

Methodology

Several years before launching the CSA program, the internal audit department adopted the COSO framework methodology for conducting internal audits. In the search for an appropriate CSA approach it was essential that the methodology fit with our current internal control framework, because we did not want the two audit approaches to conflict. The biggest challenge was to find a workshop approach that would include the internal control framework in its application — not complement it, and not be an add-on to it, but one that would hinge upon our COSO based methodology.

After researching and reviewing various approaches, processes, and vendor tools, we narrowed our search to five applications that had the tools and approach we wanted. We finally selected a methodology that requires an internal control framework, includes an ethics exercise, and offers a user-friendly flexible tool, instant reporting, and customer support.  

Tools

When selecting a tool to support a CSA function, consideration needs to be given to ensure it is cost effective, flexible, and delivers timely information. The tool should have the ability to capture, analyze, and produce information of substance relevant to the business. Although DFS uses various self-assessment tools, the facilitated workshop is the most dynamic. To illustrate how the CSA program ties together the audit process, we use the unoriginal, though appropriate, umbrella diagram [PDF] to represent a holistic view of CSA. In all forms, it is a collaborative event between internal auditing and the business unit.

DSF's CSA tool allows the facilitator to run a dynamic workshop, capture the discussion of the workshop, cover each component of COSO, provide for a quantitative analysis on ethics, and produce a report with radial, graphs, and narratives within 24 hours of the original session. Its flexibility, efficiency, and speed allows the facilitators to present timely information to the participants and senior management on their processes, risks, ethics, and action plans. 

By ensuring the CSA approach is integrated with our audit methodology, the information maintained in our controls database is supported. It also gives us the ability to include workshop results in our automated workpapers and allows significant issues to be included in our internal tracking tool. As we expand or modify existing internal audit technology, the existing CSA tool is flexible enough to remain integral to our assessment process.

Skill Sets

Different CSA options require different skills. Upon analyzing the various requirements of the program, we decided we needed the expertise of facilitators, technicians, analyzers, control experts, and persons with knowledge of the business. The facilitated workshop requires the most specialized set of skills and uses the gamut of expertise. We realized early on that we might not find all these skills in the same person, so we designated a team of individuals encompassing the necessary skills needed to run a successful program, and typically use two individuals to run a workshop.

When we first launched CSA, the entire internal audit department — 24 individuals — attended training to introduce them to the methodology, technology, CSA concepts, COSO, ethics, and first-hand workshop delivery. During this time, we assessed each individual's skill set and were able to plan appropriate training for their development in some or all of the disciplines. New employees are assessed in a similar manner. As newer, less-experienced facilitators and technicians embark on their first workshops, more experienced auditors accompany them to ensure success of the workshop and to further reinforce the newly acquired skills until they feel comfortable to run workshops on their own.

Champion

The term champion may not be an officially recognized designation in all organizations, but it is a well-known requirement for successful implementation of any strategic initiative. A champion gives the cause a voice. Typically, the champion embraces the project in spirit and practice and is knowledgeable about the organization, as well as the risks, controls, and CSA process. Without a champion, or multiple champions for physically dispersed locations, the program is not likely to be sustained or embraced.

A Successful Journey

I have lost count of the number of CSA workshops we have run at DFS since initially launching the program. What is more interesting is the continued applicability of these self-assessment processes in our business environment. We have used our CSA approach without compromising methodology or process to perform benchmarking, risk assessments, ethics testing, Sarbanes-Oxley work, and audit assurance. Our self-assessment tool has been flexible enough to fit with our automated workpapers, our soon-to-be launched client interactive audit-tracking tool, and our relatively new controls database. The workshops continue to raise issues in a collaborative way with the business units and are viewed as a value-added service by senior management. Our CSA tool allows for a graphic representation of risk, tied to business objectives and controls, which integrates nicely from a risk management perspective. 

CSA is a very powerful tool with which DFS has had much success. For organizations considering such a program, I encourage you to remember it is not a one-size-fit all process and to think strategically when implementing CSA. To help determine the best "size," internal auditors need to embrace CSA holistically, understand the culture of the organization, form a sound objective, stay on course, and pay attention to lessons learned.

Mariefrance Weiler, an internal audit director at Morgan Stanley Credit Services, is responsible for auditing Discover Financial Services' credit card operations. She has more than 17 years' experience in the internal audit profession, eight of which were spent in Europe and South Africa working for Big Four accounting firms. Weiler is a frequent speaker on CSA at IIA conferences.

According to Mike

Michael Pidzamecky, CMA, CFE
Senior Audit Consultant
 Desjardins Financial Security 
Toronto, Canada

As I contemplate the somewhat improved economic business environment, many exchange-listed companies are reporting how well they did — or perhaps did not do — in the last business quarter. But earnings are not the only news stakeholders are keeping their ears open to, as reports about corporate scandals and governance problems remain prominent. While investors are focusing on yet another company with a governance problem that has rocked my part of the world — Canadian-based Nortel Networks Inc. recently terminated three of its top executives for overstating income on its financial statements — I tried to relate this troubling news to a risk assessment workshop I recently attended for not-for-profit (NFP) companies.

I was interested in attending this session — for charitable organizations and non-government agencies (NGOs) — because of my involvement in risk-assessment and risk-management processes. I wanted to see if NFP organizations have the same governance-related risks and issues as for-profit companies. As expected, I found that many of the same risks faced in a for-profit business — regulatory standards, governance oversight, and competitive advantage — are evident in NFP organizations as well. 

So, allow me to compare and contrast. The reality faced by for-profit organizations is that government, investors, and the general public expect the business to develop, promote, and most importantly, use sound business practices of governance, internal control, and risk management. Interestingly, the same for-profit stakeholders are turning their attention to the not-for-profit world. Many are saying that just because a NFP organization has a zero-target net income, they are supported through individual and business donations and receive tax advantages, and therefore, should have the same governance, control, and risk-management responsibilities in their business endeavours as required of for-profit companies.

In the for-profit world, sound governance and risk management programs are well under way in many corporations, thanks to recent regulatory initiatives. These same businesses are reporting to their customers and investors that their improved governance practices help ensure compliance with laws and policies and provide quality, timely goods and services to customers, resulting in sound financial profits.

In contrast, nothing could be worse for a not-for-profit organization than an internal scandal or high-risk incident, such as breaking the law, exposing people to harm, or misrepresenting how funding is used. A prime example is the scandal at the former Canadian Red Cross Blood Services Division in the mid-1990s. Because of the organization's ineffective risk-assessment and risk-mitigation processes, many public individuals became infected with HIV and hepatitis, resulting in legal awards totalling hundreds of millions of dollars. Added to this was a severely tarnished reputation for a noble organization that is slow to be reclaimed.

During the workshop I attended, the participants brainstormed generic risks that face NFPs and NGOs. After matching similar risks, a list of approximately 30 relevant topics was produced, eventually ranked as to the top five:

• Increased competition with sophisticated, aggressive, fund-raising tactics.
• Demographic shifts — including aging population, single versus family, ethnic background — affecting program delivery and fund-raising efforts.
• Uncontrollable external events that affect the organization and donor giving, such as terrorist attacks, and the local SARS disease outbreak.
• Attraction, retention, and training of competent professional staff, senior management, and board members.
• Labor strife due to unsatisfied, underpaid, and undertrained employees.

When working to secure appropriate funding, NFP organizations face similar risks and challenges as for-profit companies face when marketing and selling their services and products. Spending significant time researching available sources of funding, nurturing long-term relationships, and making sure its programs are unique and are needed, above all others, NFP organization's aren't really much different from the for-profit world. 

Regardless of whether an organization is required to comply with governance legislation or not, many internal auditors would agree that risk assessment and risk management is becoming a leading best practice in both private and public corporations around the world. It is important that all sectors — for-profit, not-for-profit, and government and nongovernment agencies — realize the full potential and benefits of risk assessment and risk management processes so investors and stakeholders can concentrate on the potential of their investment, rather than risk-related disasters experienced in organizations such as Nortel and the Canadian Red Cross.

Michael Pidzamecky, CMA, CFE, is a senior consultant, internal audit and security, at Desjardins Financial Security in Toronto, Canada. He also has a private consulting practice. Pidzamecky has developed several self-assessment approaches. He has presented sessions for IIA courses and conferences and has written questions for the CCSA exam.

Center News

Viva Las Vegas

The IIA's 2004 Enterprise Risk Management and Control Self-assessment Conference will be held Sept. 8–10, at the Las Vegas MGM Grand. Leaders in CSA and ERM will share the latest strategies and techniques, including topics on COSO's ERM framework and best practice implementation.

CCSA Exam and Review at the 2004 Conference

CSA practitioners have an opportunity to sit for the Certification in Control Self-assessment (CCSA) exam at The IIA's Enterprise Risk Management Control Self-assessment Conference. A Sept. 7 review session, held the day before the Sept. 8–10 conference in Las Vegas, will cover topics such as exam administration, CSA tools, risk and control concepts and models, project planning, and practice questions.

The special offering of the CCSA exam will take place Sept. 10, from 1:30 to 5:00 p.m. on the final day of the conference. Pre-registration by Sept. 2 is required. Candidates receiving a passing grade on the CCSA exam may apply for professional recognition credit for Part IV of the Certified Internal Auditor (CIA) exam.

Visit The IIA's Web site, www.theiia.org, in the CCSA section for registration details and requirements, or contact The IIA's Customer Service Center at custserv@theiia.org.

CSA Participation Needed for Web-based Discussion Group

Internal auditors interested in exchanging ideas and information with colleagues and fellow auditors are encouraged to visit The IIA's General Discussion Web page. Open to all, IIA members can access the discussion site on the IIA Web site, www.theiia.org, by clicking on "Services," "Discussion Groups," and "General Discussion." After you log in, select "Specialty Groups," which is designed for discussion of specialty group areas of interest to internal auditors, including control self-assessment, gaming, and financial services.

Call for Course Developers 

The IIA's Seminars Department is looking for professionals interested in assisting in the development and revision of core and specialty courses. Specific areas of expertise include auditing fundamentals, control self-assessment techniques, and quality assessment activities.

Find out more by visiting the training section on The IIA's Web site, www.theiia.org, or contact Cyndi Summers at csummers@theiia.org for further information.

IIA Research Foundation Offers Emerging Issues Reports

The IIA Research Foundation has launched a new series of research reports — the Emerging Issues Series — designed to provide internal audit practitioners with information and guidance on new and emerging issues in an easy-to-use format. The Foundation's goal is to respond more quickly to important changes in the internal audit profession.

These reports are provided as a service to IIA members who may reproduce and distribute copies of the reports for use within their organizations. The following reports are currently available:

• The Sarbanes-Oxley Act of 2002: Effect on Audit Committee Meetings at Publicly Traded Companies   (March 2004)
• The Sarbanes-Oxley Act of 2002: Effect on Audit Committees at Organizations Not Publicly Traded   (April 2004)
• Challenges in Government Auditing   (May 2004)

To learn more about The Research Foundation's Emerging Issues Series, visit The IIA Web site, under the headings "The IIA," "Research Foundation," "Projects."

Institute Expands Sarbanes-Oxley Guidance

To assist internal auditors in responding to questions and issues related to their role in their organization's Sarbanes-Oxley initiatives, The IIA's Professional Issues Committee has issued Internal Auditing's Role in Sections 302 and 404 of the Sarbanes-Oxley Act. Providing guidance on both short-term issues during the implementation phase of the reporting process, as well as longer-term questions on the role and responsibilities of internal auditing in this process, the paper suggests ways to maintain the ultimate objectivity and independence that is required by The IIA's International Standards for the Professional Practice of Internal Auditing (Standards). 

To access the complete paper, Internal Auditing's Role in Sections 302 and 404 of the Sarbanes-Oxley Act, visit The IIA Web site, www.theiia.org, click on "Guidance," "Corporate Governance," and click on the link under the section "Sarbanes-Oxley Act of 2002."

Quick Tips

Tips for Effective CSA Meeting Management

Chris Carter, CPA, CISA, CCSA, CIA
Director of Corporate Audit Services
 Global Power Equipment Group
Tulsa. Okla.

Most internal auditors have found themselves trapped in unproductive meetings at one time or another in their careers. Meeting management can help steer participants differently to ensure the meeting is effective. CSA programs require meetings for various purposes, including data gathering, information sharing, and problem solving. Although these meetings require different planning processes and tones, there are several concepts that can be used to effectively manage a meeting.  

Set the meeting well in advance to ensure attendance.
Communicate both the start and anticipated end time so busy participants can plan accordingly. If attendance is mandatory but allows delegation, communicate what level of attendee is acceptable. Require invitees to respond to ensure participation. Follow a meeting invitation with a phone call or face-to-face meeting to build rapport and assist in buy-in of the process.

Collect your thoughts before the meeting begins.
Know your audience and how they may respond in the meeting. Consider appropriate participant management tactics to deal with potentially difficult participants. Prepare an outline and leave enough time for additional questions or commentary. Avoid providing time estimates to the meeting participants for each topic as some participants may feel the meeting is out of control if the meeting is ahead or behind schedule.

Set the tone and keep the meeting focused.
Start the meeting on time with a review of the agenda. To keep on track, have a printed copy of the agenda and the meeting goals in sight. When a participant gets off track, tactfully pull the meeting back to the agenda by reminding them of the time restraints and telling them you would be glad to discuss the issue "off-line," or ask if the topic should be put on the next meeting's agenda, if applicable. Capture open issues or unanswered questions on a flipchart so the meeting participants feel that although you have recognized that their topic is not on the agenda, it is important and will be addressed later.

Conduct the meeting with respect for all.
Introduce yourself as a facilitator and the meeting participants as the experts. Learn their names and use them. Ensure everyone understands the discussion topics; don't assume everyone knows what the topic of discussion involves. If the current meeting is part of a series, summarize previous meetings for new participants so they are not left out in the cold. Acknowledge all questions and comments, and don't interrupt. Be flexible; everything may not work exactly as planned. Most importantly, act interested.  If you don't want to be there, they don't want to be there.

Be open-minded and delegate when necessary.
If the meeting is part of a series of periodic committee meetings, keep an open mind when new ideas are introduced. If the ideas seem unrealistic, ask the commenter to evaluate the issue further and report to the committee in the next meeting. Give everyone a chance for input. Respect others' opinions and expect the same from all participants. Delegate tasks when necessary; the meeting coordinator cannot be expected to do everything. Delegation makes others feel they are an important part of the team. Use everyone's knowledge to work towards a common goal.

Close the meeting in a timely manner.
Respect others' schedules and don't go over the scheduled ending time. Leave enough time for questions or comments. If you don't know the answer to a question, indicate you will have an answer by the next meeting or in a follow-up communication. Try to end the meeting with a personal note of appreciation. Additionally, some fun may also be appropriate — birthday salutations or snacks for the road — it helps to keep people coming back excited.

Calendar

June

Evaluating Internal Controls: A COSO-based Approach
June 14–16; Washington, D.C.
June 30–July 2; San Francisco, Calif.

Enterprise Risk Management: What's New? What's Next?
June 14–16
Washington, D.C.

Assessing Business Risk for Internal Auditors  (Formerly Assessing Business Risk at the Engagement Level)
June 16–18
Washington, D.C.

Facilitating Results Using CSA
June 30–July 2
San Francisco, Calif.

August

Enterprise Risk Management: What's New? What's Next?
Aug. 2–4
Boston, Mass.

Evaluating Internal Controls: A COSO-based Approach
Aug. 2–4; Boston, Mass.
Aug 9–11; Chicago, Ill.

September

Enterprise Risk Management and Control Self-assessment Conference
Sept. 8-10
Las Vegas, Nev.

Introduction to Control Self-assessment
Sept. 13–15
Phoenix, Ariz.

Facilitating Results Using CSA
Sept. 15–17
Phoenix, Ariz.

Value-added Business Controls: The Right Way to Manage Risk
Sept. 15–17
Phoenix, Ariz.

To add your CSA course, seminar, conference, or event to the calendar, please forward all pertinent information via e-mail to jwhitley@theiia.org, or fax +1-407-830-4832.