The Road to Continuous Monitoring

1
The Road to Continuous Monitoring Why Isnt
Everybody Doing It?
2
Evolution of Continuous Monitoring
Automated Testing / Continuous Monitoring No
User Intervention Required (Frequent Testing for
Leading Indicators of Problems)
Menu Based Applications - Limited User
Intervention Required (Regular Testing Of
Identified Risk Areas)

Most groups are stuck here.
Individual Macros - Some User Intervention
Required (Periodic Testing of Selected Areas)
Most Organizations
Manual Processing - Full User Intervention
Required (Retrospective Testing and Sampling)
3
Obstacles to Continuous Monitoring

• Obtaining the data easily on a systematic basis
• Standardizing the analysis process by identifying
  key risk areas and leading indicators
• Identifying a champion to spearhead creation of
  custom analysis routines and allocating time to
  complete the work
• Avoiding the use of multiple applications to
  produce the desired output
• Moving to proactive monitoring from historic
  focus on periodic retrospective testing

4
Case Study Truliant FCU

• On The Road to Continuous Monitoring

5
About the Organization

• Truliant Federal Credit Union
• chartered in 1952 to serve the employees of
  Western Electric
• known as Radio Shops Credit Union
• approximately 2,000 members and a little over
  100,000 in assets.
• name was changed in 1999 after membership was
  opened to other groups and companies
• Truliant now has 25 member centers in five states
  with more than 170,000 members and over 1
  billion in assets.

6
Implementation of Data Analysis

• Internal Audit Department purchased IDEA in 1999
  for
• branch audits
• election
• fraud review
• Accounting departments began using IDEA in 2000
  for
• loan reconciliations
• ATM reconciliations
• Out of balance searches

7
Obstacle 1 Obtaining the data

• Due to the size of their tables, Truliant chose
  to use customized SQL queries to obtain data for
  analysis
• - cumbersome and requires IT assistance
• - inhibits process automation

8
Obstacle 2 Standardize the Process

• IDEAScript routines have been successfully
  developed for the analysis of the following
  critical areas
• File maintenance (weekly)
• Due dates (bring dates back in)
• Rates (changed fixed rates, variable that dont
  change)
• Address Changes (changes from in-state to
  out-of-state)
• Overrides (are they proper)
• Dormant accounts (what activity is going on)

9
Obstacle 2 Standardize the Process

• Branch audits (approximately 12 per year)
• Analyze teller outages (highs, lows, gross, net,
  totals)
• Cash usage versus cash levels (tellers, ATMs,
  CDMs)
• Miscellaneous expense (analyze contents)
• Account and loan reviews (as deemed necessary)
• High/low/odd rates (unreasonable rates)
• Payment amounts (unreasonable amounts)
• Accrued interest (unreasonable accruals)
• Negative balances

10
Obstacle 3 Champion Needed

• The IA champion that developed many of the
  existing IDEAScript testing routines has left the
  credit union.
• The Internal Audit group is continuing with the
  projects underway and, when fully staffed, plan
  on continuing down the path of continuous
  auditing.

11
Obstacle 4 Multiple Applications

• Currently Truliant uses multiple applications to
  complete single analysis processes. The
  applications include SQL Server, IDEA, Excel, and
  their email system. Parts of some processes are
  accomplished by using separate macros in
  different applications.

12
5. Focus on Periodic Testing

• The most frequent testing results are contained
  in the weekly reports that test for problems in
  specific high risk areas.
• All other tests performed focus on retrospective
  testing to identify problems or errors.

13
Strategies for Future

• 1. Resolve data acquisition problems
• IDEAs recently released enhanced ODBC import can
  help resolve this problem
• SQL statements for data acquisition can be built
  into analysis macros to eliminate use of multiple
  applications/tools for data importing

14
Strategies for Future

• 2. Use full capabilities of VBA interfaces
• Streamline logic and merge macros to minimize or
  eliminate user intervention
• Combine macros from separate applications into a
  single script that calls on all needed
  applications

15
Strategies for Future

• 3. Find assistance for current champions
• Use outside resources for assistance in combining
  macros from different applications and developing
  additional automated tests
• Create menus for audit applications to simplify
  the processes and user interfaces

16
Strategies for Future

• 4. Shift to proactive monitoring
• Automate any tests that can be run without user
  intervention
• start with the weekly file maintenance tests
• Using information from exiting audit tests,
  identify additional leading indicators of
  potential problems
• Create/adapt test to search for these events on a
  more frequent basis
• Use the results from the automated tests in the
  risk assessment process to help determine the
  focus of on-going audit activities.

17
Conclusion

• Come back next year and well let you know how it
  turns out!