Dealing Instant C.A.R.M.A. – “Continuous Analytic Risk Monitoring”

Apr 30, 2016



By Rich Lanza, CPA, CFE, CGMA

The term Instant Karma means bringing immediate accountability for
one’s actions. Doesn’t that phrase exemplify our objectives for
continuous monitoring? It starts with risk management using a series of
risk planning analytics, followed by designing automated alarms and on-site
assistance, now focused only on the top areas of concern.

Part One of the system is the
automation of risk planning, although this egg may need to start as the
chicken at times.  Let me explain: Until specific business processes
and risks are managed with analytics so deviations are detected, it is
difficult to know:

  • Which alarms to build to manage the quality of that process,
  • When on-site testing is required, or more efficiently,
  • When a GRC alert (with a secondary Email) would do well enough for
    distributing the results to the process owner for comment.

Regardless of whether they ever run a specific business process report, the
risk manager can still apply analytic risk management; the trick is
to think more “general”ly with the ledger data at hand. For example:

  • Build a trial balance by month for trending account activity over time
  • Visualize associated change between financial account types (revenue,
    expense, etc.)
  • Identify material unique and recurring entries to understand top
    unique patterns and volume trends
  • Locate new accounts never used to date and their materiality in the
    current period
  • Summarize trends by solely focusing on the text usage in the
    description fields

What aids general ledger system reviews is that data is frequently
maintained at the detail transactional level, so once a trend is
identified, the summary visualization can be drilled down into the
detailed transactions instantly.
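
Three of the ledger analytics listed above (monthly trial balance, new accounts with their materiality, and drill-down to detail) are sketched here as an added example; it is not code from the original article. The journal lines, account numbers and the materiality threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample journal lines: (date, account, type, amount, description)
LEDGER = [
    ("2016-01-15", "4000", "revenue", -12000.00, "Monthly sales"),
    ("2016-01-20", "6100", "expense", 3000.00, "Office rent"),
    ("2016-02-15", "4000", "revenue", -12500.00, "Monthly sales"),
    ("2016-02-20", "6100", "expense", 3000.00, "Office rent"),
    ("2016-03-15", "4000", "revenue", -11800.00, "Monthly sales"),
    ("2016-03-20", "6100", "expense", 3000.00, "Office rent"),
    ("2016-03-28", "6990", "expense", 9500.00, "Misc consulting adj"),
    ("2016-03-30", "6995", "expense", 40.00, "Bank fee"),
]

def trial_balance_by_month(ledger):
    """Net activity per (account, YYYY-MM), the basis for trending over time."""
    tb = defaultdict(float)
    for date, account, _type, amount, _desc in ledger:
        tb[(account, date[:7])] += amount
    return dict(tb)

def new_accounts(ledger, period, materiality):
    """Accounts first used in `period` whose absolute activity meets the
    materiality threshold (threshold value is an assumption of this example)."""
    seen_before = {a for d, a, *_ in ledger if d[:7] < period}
    totals = defaultdict(float)
    for d, a, _type, amount, _desc in ledger:
        if d[:7] == period and a not in seen_before:
            totals[a] += abs(amount)
    return {a: t for a, t in totals.items() if t >= materiality}

def drill_down(ledger, account, period):
    """Return the detail transactions behind one summary cell."""
    return [row for row in ledger if row[1] == account and row[0][:7] == period]

if __name__ == "__main__":
    for account, total in new_accounts(LEDGER, "2016-03", 1000.00).items():
        print("new material account", account, total)
        for row in drill_down(LEDGER, account, "2016-03"):
            print("   ", row)
```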

Part Two of the continuous analytic engine is the specifically built
alarms, which serve the purpose of gaining feedback on root causes while
also providing additional detailed design specifications for the next
alarm development. The system should get faster and smarter each time it
runs, so the quicker the process of automating alarm response, the faster
the analytics transform around the process. Manually developed Emails and
on-site visits can start with automated updates to a results manager
system, personalized for each user, with Email reminders for lack of
response. The faster the responses are generated and trended themselves,
the faster change can happen within the process, along with the design of
the next best alarm for that process.

The goal is to turn false positive/negative reports into ones that directly
find the issue, thereby meeting the report’s objective as quickly as
possible. Such tweaks constantly change over time as the process improves
in its risk management. For example, a matching of the vendor information
to governmental “watch lists” could start with an address and name match
and quickly expand to a match on close approximations of the name, address,
geolocation of zip codes, and then, once the business process owner decides
to enter TIN information for each vendor, a TIN match to a
government-funded TIN matching service.
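
The first two stages of that watch-list alarm (exact name and address match, then close approximation of the name within the same zip code) are sketched below as an added example; it is not code from the original article. The vendor and watch-list records, the suffix list and the 0.85 similarity threshold are constructed assumptions, and the TIN stage is left out because it depends on an external matching service.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data; not a real watch list or vendor master file.
WATCH_LIST = [
    {"name": "Acme Global Trading LLC", "address": "12 Harbor Rd", "zip": "07030"},
    {"name": "Northwind Export Co", "address": "900 Pier Ave", "zip": "33101"},
]
VENDORS = [
    {"id": "V001", "name": "ACME GLOBAL TRADING, LLC", "address": "12 Harbor Rd.", "zip": "07030"},
    {"id": "V002", "name": "Acme Globl Trading", "address": "PO Box 77", "zip": "07030"},
    {"id": "V003", "name": "Northwinds Supply Inc", "address": "4 Main St", "zip": "60601"},
    {"id": "V004", "name": "Blue Ridge Paper", "address": "1 Mill Ln", "zip": "24011"},
]

SUFFIXES = {"llc", "inc", "co", "corp", "ltd"}  # assumed list of legal suffixes

def norm(text):
    """Lower-case, strip punctuation and legal suffixes before comparing."""
    words = re.sub(r"[^a-z0-9 ]", "", text.lower()).split()
    return " ".join(w for w in words if w not in SUFFIXES)

def match_vendor(vendor, watch_list, threshold=0.85):
    """Return (tier, score, watch-list name) for the strongest hit, or None.

    Tier "exact": normalized name and address both equal.
    Tier "approximate": name similarity >= threshold and same zip code.
    """
    best = None
    v_name = norm(vendor["name"])
    for entry in watch_list:
        w_name = norm(entry["name"])
        if v_name == w_name and norm(vendor["address"]) == norm(entry["address"]):
            return ("exact", 1.0, entry["name"])
        score = SequenceMatcher(None, v_name, w_name).ratio()
        if score >= threshold and vendor["zip"] == entry["zip"]:
            if best is None or score > best[1]:
                best = ("approximate", round(score, 2), entry["name"])
    return best

if __name__ == "__main__":
    for v in VENDORS:
        print(v["id"], match_vendor(v, WATCH_LIST))
```

Approximate hits are the ones to route to the process owner for comment, and their responses are what justify tightening or loosening the threshold on the next run.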

The last unmentioned part of any instant CARMA system surrounds the process
and is the consistent execution of such analytics. Only through the
collection and analysis of data points at consistent intervals can the
organization and automated system continuously “learn” how to adapt itself
to the process. Further, the risk manager can continuously run
business process scoring by trending the now validated alarms. By
trending the alarms and business owner risk responses, the risk
manager can identify which departments and locations are more ripe for an
on-site review, or at the very least, an online conference meeting.

To learn more on dealing instant C.A.R.M.A., please see my AuditNet®
minutes to analytics webinar on risk planning scheduled for May 11th
(http://bit.ly/1WPvQgW), followed by a complimentary webinar on June 8th on
automating specific control reports (http://bit.ly/1MQYIDa).

Rich Lanza, CPA, CFE, CGMA (www.richlanza.com) has over 25 years of audit
and fraud detection experience with specialization in data analytics,
business process diagnostics and cost recovery efforts. Rich wrote the
first book on practical applications of using data analytics in an audit
environment, titled 101 ACL Applications: A Toolkit for Today’s Auditor,
in addition to writing over 19 publications and over 75 articles. Rich is
proficient and consults in the practical use of analytic software
including ACL, ActiveData for Excel, Arbutus Analyzer, IDEA, TeamMate
Analytics and auditing with Microsoft Excel techniques. Rich has been
awarded by the Association of Certified Fraud Examiners for his research
on proactive fraud reporting. He is also a regular presenter for CFO.com,
the Institute of Internal Auditors, Association of Certified Fraud
Examiners, AuditNet® and Lorman. Rich consults with companies ranging in
size from $30 million to $100 billion and, in all, has helped them find
money through the use of technology and recovery auditing. He is also a
current faculty member with the International Institute for Analytics.