Seven dangers of document-based auditing

By Dan Zitting,  ACL Chief Product Officer


In the 1980s and 1990s, large audit organizations moved away from hard copy audit files and working papers because of the difficulties in sharing and collaborating on physical files. This was the first major technology transition for the audit profession in many decades. However, the situation only marginally improved, with processes and technology solutions becoming centered on simply using electronic documents. Information gets trapped inside documents and spreadsheets, where it effectively becomes “dark data”: impossible to search, reference, analyze, export, report on or access on mobile devices. These are all key demands of today’s large audit teams—and for data intelligence to support insights and decision making. While the issues with document-based auditing center around dark data, other dangers also lurk. The key problems created by the legacy of the document-based approach to electronic working papers and audit management include the following seven risks.

  • Information inside documents or spreadsheets is “dark.”

Data intelligence cannot be efficiently accessed by reporting systems, data analysis tools or mobile devices, severely impairing the value of that information in delivering key business insights.

  • Documents aren’t databases (thus don’t protect data integrity).

Embedding audit process metadata (i.e., tick marks, review notes, auditor commentary and, especially, inter-document links and references) into document files creates significant data integrity risk. Documents are not able to enforce referential integrity and other core systems architecture principles that put data durability controls in place. Systems that rely on deep document integration are therefore prone to data loss when files are corrupted, edited in conflict by disparate users, or moved between locations that break references and relationships. This also causes slow performance, as documents simply cannot perform at the level of database-driven systems.

  • Information inside documents or spreadsheets cannot inherently maintain its relationships to other information.

Again, since documents are not databases, there is no mechanism to create and maintain a relationship between data in different files. Hyperlinking and other document-embedded features implemented by many audit technologies are therefore inherently unreliable.
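The contrast drawn in the two points above, as an added example that is not ACL's code or anything from the original article: a minimal audit-file schema in SQLite, where a review note must reference an existing working paper and a referenced working paper cannot be deleted, beside a document-style store where the same reference is just an embedded file name that nothing validates. Table and column names, the sample working papers and the notes are all constructed for the illustration.

```python
import sqlite3

# Constructed "document model": review notes carry an embedded reference (a file
# name) to the working paper they annotate. Nothing stops the reference from
# pointing nowhere, e.g. after the referenced file is renamed or moved.
DOCUMENT_STORE = {
    "workpapers": {"WP-101.xlsx": {"title": "Cash reconciliation"}},
    "review_notes": [
        {"id": 1, "ref": "WP-101.xlsx", "text": "Tie out to bank statement"},
        {"id": 2, "ref": "WP-102.xlsx", "text": "Recalculate accruals"},  # WP-102 no longer exists
    ],
}


def dangling_references(store):
    """Return review notes whose embedded reference matches no working paper.

    This is the only defence the document model has: an after-the-fact scan.
    The broken link was accepted silently at the moment it was created.
    """
    return [n for n in store["review_notes"] if n["ref"] not in store["workpapers"]]


def build_db():
    """Constructed relational model with a foreign key from note to working paper."""
    conn = sqlite3.connect(":memory:")
    # SQLite enforces foreign keys only when this pragma is on for the connection.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript("""
        CREATE TABLE workpaper (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
        CREATE TABLE review_note (
            id INTEGER PRIMARY KEY,
            workpaper_id INTEGER NOT NULL REFERENCES workpaper(id) ON DELETE RESTRICT,
            text TEXT NOT NULL
        );
        INSERT INTO workpaper VALUES (101, 'Cash reconciliation');
        INSERT INTO review_note VALUES (1, 101, 'Tie out to bank statement');
    """)
    return conn


def note_insert_rejected(conn, workpaper_id):
    """True if the database refuses a note that references a non-existent working paper."""
    try:
        conn.execute("INSERT INTO review_note VALUES (?, ?, ?)",
                     (2, workpaper_id, "Recalculate accruals"))
        return False
    except sqlite3.IntegrityError:
        return True


def delete_rejected(conn, workpaper_id):
    """True if the database refuses to delete a working paper that notes still reference."""
    try:
        conn.execute("DELETE FROM workpaper WHERE id = ?", (workpaper_id,))
        return False
    except sqlite3.IntegrityError:
        return True


if __name__ == "__main__":
    print("dangling in document store:", dangling_references(DOCUMENT_STORE))
    db = build_db()
    print("insert of note -> missing WP-102 rejected:", note_insert_rejected(db, 102))
    print("delete of referenced WP-101 rejected:", delete_rejected(db, 101))
```

The point of the comparison is where the check lives: the database refuses the bad write at the moment it happens, whereas the document store can only discover the breakage later by scanning, by which time the note's context may already be lost.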

  • Rolling forward audits is difficult and highly manual.

When primary audit documentation is captured in documents, it is impossible (or very dangerous) to update programmatically. Therefore, when rolling an audit forward, all data must be updated manually to avoid erratic behavior.

  • Exporting and archiving outside the software is impossible.

Hyperlinking information inside and between documents—referred to as “deep linking”— necessitates document-embedded metadata, with references stored in the software system. Since a link from inside one document to another depends on this externally stored reference, it is impossible to archive or export an audit project outside the software without breaking those links.

  • Dependencies cause software version conflicts and difficult upgrades.

As Microsoft Office or other document editing software applications are updated and file formats change, integration dependencies often break the compatibility of the audit software. This leads to situations where, for example, a new Office version forces an upgrade of the audit software or changes the embedded metadata (again causing data integrity risks). Even in the best case, upgrades require rigorous testing, which causes lengthy delays in upgrade implementations.

  • Requirement for burdensome “thick client” technology.

Creating and managing document-embedded metadata requires that these legacy audit software systems include a locally installed application or complex web browser plugin. Because they are hosted individually on local machines, these applications create significant IT administrative burdens, including high-maintenance installation rollouts and upgrades, and compatibility issues. Check out ACL’s whitepaper here.

MetricStream releases new M7 Platform with ‘robust’ GRC apps

From MetricStream

MetricStream CEO Shellye Archambeau

MetricStream – the governance, risk, and compliance (GRC) apps and solutions provider – says its new M7 platform includes applications for risk, compliance, audit, IT security, third party management, and other functions upon which GRC professionals rely.

With M7, MetricStream says it is providing fourth-generation GRC technology the industry has so far lacked. The M7 platform and apps are designed to help companies preserve their corporate integrity, protect their brand, and drive exceptional business performance through GRC that is simple, pervasive, and delivered in the cloud, the company said.

M7 focuses on enabling high performers through an “engaging user experience, high degree of configurability, enhanced mobility and layering, sophisticated reporting and analytics, and a future-ready architecture,” MetricStream said in announcing the release.
“M7 enables high performing organizations by making GRC simple, intuitive, and more deeply embedded across the enterprise and extended ecosystem,” said MetricStream CEO Shellye Archambeau. “M7 gives our customers real-time intelligence that they need to anticipate risk, and balance opportunities effectively.”

Here are the M7 highlights:

For risk management professionals

The MetricStream Enterprise Risk Management app enables organizations to manage a wide range of risks and related activities in a systematic and integrated manner. Through the app, users can identify, assess, monitor, and mitigate enterprise risks effectively.

Powerful analytics and reporting capabilities, paired with detailed graphical dashboards and charts, offer comprehensive and real-time visibility into risks, enabling stakeholders to make informed decisions. This app is often deployed with the Operational Risk Management, Business Continuity Management, and Internal Audit Management apps.

For regulatory and corporate compliance pros

The MetricStream Regulatory Engagement Management app streamlines and automates the process of managing various regulatory engagements, including examinations, meetings, and requests for information from regulators.

In tandem with the Compliance Management app, the Regulatory Engagement Management app simplifies engagement creation and task management, and captures all regulatory engagement data in a central repository.

Powerful dashboards and reports provide real-time insights, enabling stakeholders to make informed decisions that strengthen the organization’s relationships with regulators.

For audit management professionals

The MetricStream Internal Audit Management app helps organizations plan, manage, and track internal audits with ease and efficiency.

The app streamlines audit planning and scheduling, audit execution, review and analysis of audit findings, creation of the final audit report, and follow-up activities.

Through an intelligent, risk-based approach to internal auditing, the app helps prioritize audit tasks and resources based on the areas of highest risk.

For an enterprise audit management solution, the Internal Audit Management App is often deployed with the Compliance Management and Operational Audit Management apps.

For IT security professionals

The MetricStream IT Risk Management app empowers organizations to adopt a focused and business-driven approach when managing and mitigating their IT risks.

The app streamlines IT risk identification, IT risk assessments, and risk treatment. It also provides sophisticated analytics and reports that transform raw risk data into actionable IT risk intelligence, providing clear visibility into the top risks, and improving decision-making.

This app is often deployed with the IT Compliance Management and Threat and Vulnerability Management apps for an integrated IT GRC solution.

The MetricStream Threat and Vulnerability Management app strengthens IT security by proactively aggregating and correlating threats and vulnerabilities across information assets. The app integrates with multiple end-point IT security and infrastructure management tools and security intelligence feeds to identify and prioritize the risk exposure for IT assets, and streamline the remediation process.

Third party management 

The MetricStream Issue Management app facilitates a systematic and integrated approach towards managing governance, risk, and compliance issues.

The app provides a single system for enterprise-wide issue management initiatives, thereby strengthening compliance and risk management, while reducing the associated costs.

Through an integrated approach, the app facilitates cross-functional coordination and collaboration on issue management, and helps align these processes centrally with corporate governance and reporting objectives. Issue Management is a critical component of any GRC solution.

Survey Management app

The MetricStream Survey Management app enables a structured and automated process to manage surveys for systems compliance, process compliance, risk assessments, HR policy awareness, legal attestations, etc.

The app fosters accountability by streamlining the flow of information and records, and documenting attestations and representations at appropriate stages.

Moreover, the reporting engine built on the MetricStream GRC Platform aggregates survey data, and enables exploration and evaluation of survey findings at the enterprise level.

Survey Management is a critical component of any GRC solution requiring the collection of intelligence across the enterprise and business partners, and can be integrated with other apps including Compliance Management, Risk Management, and Third Party Management.

For more information, go here

ACL summer release: Visualizing fraud and financial compliance

By John L. Guerra

Editor, GRC & Fraud Software Journal

GRC and Analytics solutions provider ACL introduced its summer release in July, which focuses on features for financial compliance.

The updates span three categories of improvements: scaling up for complex financial environments, 27 new financial crime-related risk analytics, and a new graphic visualization feature that lets investigators visualize analytics pointing to fraud. The new screen has risk visualization capabilities designed for immediate impact in finance teams.

GRC & Fraud Software Journal interviewed Dan Zitting, ACL’s chief product officer, to find out about the new release’s unique focus on visualization and fraud analytics.

GRC & Fraud Software Journal: What led to the focus in financial fraud?

Dan Zitting: While financial fraud is not a new priority for corporate compliance officers and finance teams in most large companies, a recent increase in enforcement activity by the SEC involving financial reporting cases has created an urgency for companies to ensure they are both preventing and detecting fraud through more comprehensive systems.

Also, the SEC has stated in no uncertain terms that individuals, including accountants, auditors, audit committees and even C-suite executives, will be held accountable for cases of accounting irregularities that could have been prevented with more oversight or better controls. With financial fraud as the most common type of fraud in large organizations, ACL is ensuring these individuals are confident in the systems in place.

Q: Why are finance teams frustrated with trying to implement streamlined controls for fraud waste, and abuse?

A: In many cases, the problem is the ubiquity of “Big Data.” Finance teams are often overwhelmed by the amount of data collected and the increasingly disparate systems that require extensive analysis and oversight (such as HR, IT, or multiple regional ERP systems).

Also, given the enormity of available data, no ERP system contains comprehensive controls to effectively mitigate risk. This requires finance teams to manually compare data coming from third parties or different systems within the enterprise. When these systems don’t integrate well, they can actually create opportunities for fraud.

Q: What was lacking in streamlined controls?

A: In general, the controls work to identify red flags, but finance teams have historically struggled with understanding the underlying trigger for the red flags as well as how to manage or track the resolution of the issue and the follow up. A streamlined controls system should include a way to visualize the problem (graphically or otherwise), identify who in the organization is investigating the issue and track their progress.

Q:  How does ACL specifically address this frustration?

A: To address these issues, ACL expanded its tools for visualization and project management, adding cross-tab visualization, one-click data distributions and more.


Go here to see how the visualization tool displays risk.


Annual GRC conference in Fort Lauderdale this morning

ISACA, in conjunction with the Institute of Internal Auditors, is holding its 2016 GRC Conference this morning in Fort Lauderdale.

The annual event brings together some of the leading minds in the field to share their knowledge and meet with other GRC and fraud professionals about the challenges facing the industry.

More than 600 CIOs, senior executives, directors and managers from around the world who work in IT will descend on the Diplomat Resort & Spa in Fort Lauderdale for the conference, which focuses on the critical business priorities of governance, risk management and compliance.

The GRC Conference will offer new insights and perspectives from renowned presenters, including keynote speakers:

  • Theresa Payton, former White House CIO, cybersecurity authority and expert on identity theft and the Internet of things, will deliver the opening keynote, titled: “Big Data and the Internet of Things: Boon or Bust for Your Cybersecurity Efforts?”
  • Richard Chambers, CIA, QIAL, CGAP, CCSA, CRMA, IIA President and CEO, will speak on “The Influence of Culture on GRC.”
  • Andrew Tarvin, Engineer of Humor, who will discuss “Agile Leadership: How to Lead Up, Across, and Down in a VUCA World.”

Conference details are here.

Panama Papers database may contain bad news for honest banks

By John L. Guerra

Editor, GRC & Fraud Software Journal

Alan Morley, AML, compliance chief at GFT

The International Consortium of Investigative Journalists recently released a searchable database of 200,000 offshore entities, which may include details on accounts owned by Americans – information as yet unpublished.

When that occurs, the U.S. government, as well as financial regulators from around the world will be quick to act, investigating the banks and financial institutions in the database.

The Panama Papers revelations, the earthquake that rocked financial institutions around the globe, already have banks of all sizes preparing for greater regulatory scrutiny, says Alan Morley, head of AML and Compliance Practice at GFT, a global consultancy that counsels nine of the world’s 10 largest banks and hedge funds.

Honest banks will review accounts

Banks know that illegal tax shelters, money laundering and providing accounts to banned entities and criminal groups is against the law, but that’s not the point. Honest banks also will fall under the regulatory magnifying glass.

Regulators want to see if compliant banks have managed – unwittingly or not – accounts or transactions with any of the firms and persons connected to the Panama Papers schemes.

Banks will beef up compliance staff

For instance, compliant U.S. banks that in the past facilitated questionable transactions that weren’t quite risky enough to stop or report to regulators could find themselves scrambling if those accounts and players turn up on the list. That means hiring more employees and auditors.

“There will be a temporary employee headcount increase in even smaller banks to handle the volume of work as a result of the new information and possible sanctions directives,” Morley says.

AML, KYC under microscope

Financial industry regulators will review documentation of the bank’s on-boarding process and audit the financial institution’s due diligence and Know Your Customer (KYC) procedures. That’s how they will determine whether a bank documented all the steps in the anti-money laundering procedures when approving new accounts.

“Banks will have to follow their own internal AML investigations processes to determine if a person or entity’s activity is worthy of a Suspicious Activity Report, be blocked or left as is,” Morley says.

Auditing of reporting processes

Financial institutions also will have to audit their reporting processes and find other solutions to ensure compliance with AML and other banking regulations.

“The Panama Papers revealed some of the biggest and most frustrating gaps in AML coverage – and the increased risk of audit gaps, leading to possible action against global banks,” Morley says.

Are third-party entities on the list?

That includes whether the bank performed due diligence on third-party entities – the relationships account holders had with other individuals, financial institutions and organizations. For instance, does the account holder receive deposits from banned organizations or suspect individuals?

Though banks conduct enhanced due diligence on the Correspondent Bank (CB), they are unable to do effective third-party entity due diligence on the CB’s customers, other than name matching for Sanctions, Morley says.

Are account holders tax-compliant?

“It is likely that some institutions may have to conduct supplementary transaction look-backs, using both the names listed and an updated Customer Risk Scoring Process,” Morley says.

That includes determining whether prospective account holders met tax reporting requirements for U.S. citizens, filed annual reports required by the Foreign Account Tax Compliance Act, as well as the Report of Foreign Bank and Financial Accounts required by the Financial Crimes Enforcement Network.

The good news

The release of the database on Monday will also help banks get a better picture of risk.

“When finally fully published, the new Panama Papers list will also give financial institutions an opportunity to improve their monitoring and classification programs,” Morley says.

“Knowing the names of the offshore shell companies, names of the people associated with them and their banking relationships will make this process much easier. Intelligence gathering will also increase.”

Knowledge leads to better compliance

“Remember, we have no idea as to any criminality but we do know that the very nature of this probably catapults them to high – very high risk categories in any bank’s KYC due diligence program,” Morley says.

Morley suggests banks prepare for:

  • An increase in KYC activities – potentially more head count
  • Adjustments to their Sanctions Filtering and Transaction Monitoring platforms (applications, data and tuning)
  • Significant updates to their own watch-lists
  • Spin-off project(s) to make sure this gets done in accordance with policy and procedure in a timely fashion, which will require more head count

Advice: Cooperate with investigations

More positive news: The U.S. Securities and Exchange Commission’s Enforcement Division’s Cooperation Program rewards greater cooperation by individuals and companies in SEC investigations. In some cases, banks can receive safe harbor as well as reduced fines and punishment for cooperating.

“Cooperation is encouraged and welcomed,” Morley says. “I heard Kara Brockmeyer, chief of the Foreign Corrupt Practices Act Unit at the SEC, speak at the Securities Industry and Financial Markets AML and Financial Crimes conference in New York in early April. She encouraged active cooperation on all levels. The sooner something is self-reported to the SEC and acted upon, the better for all.”



Banks rely on AML, Know Your Customer solutions to spot bad guys

By John L. Guerra

Editor, GRC & Fraud Software Journal

Rick Aragon

Editor’s Note: Rick Aragon was interviewed two days before news of the Panama Papers broke.

To combat money laundering and deny safe financial haven to criminal groups and terrorist organizations, financial regulatory bodies around the world require banks to know the true identity of the people and organizations that bank with them.

Hedge funds, trading firms, banks, corporations looking for investors, asset managers — all must comply with due diligence requirements set by national and international regulatory and oversight agencies.

Most banks rely on know your customer (KYC) and anti-money laundering (AML) software. The first ensures that you know the identity of the account holder and the potential associated risks; the second monitors for suspicious transactional activity. Vendors also combine the two regimens in a single solution that includes auditing, reporting and risk mitigation.

Accuity, Alacra, Oracle, FICO TONBELLER, ThomsonReuters and others develop KYC and AML solutions, competing for their piece of the banking industry pie.

Crime, money laundering synonymous

GRC & Fraud Software Journal spoke with Rick Aragon, an AML compliance consultant at LexisNexis Risk Solutions about AML and KYC requirements and how banks can adopt software solutions to meet those requirements.

“In order for criminals to be able to enjoy their ill-gotten gains, they need to appear as if they came from a legitimate source,” Aragon says. “Money laundering helps hide the person who benefits from or controls the illegal entity.”

ISIS, Al Qaeda names just the start

Banks, broker-dealers and other financial institutions use the software to run the names of account applicants against state, national and international law enforcement databases and myriad watch lists, including the Office of Foreign Assets Control (OFAC) list, the UN’s ISIS-Al Qaeda Sanctions List, Financial Action Task Force (FATF) statements on high-risk and non-cooperative jurisdictions, the World Bank List of Debarred Parties, and hundreds of other lists.

The LexisNexis proprietary database covers more than 1,100 different government sources from around the world, as well as Politically Exposed Persons (PEPs) and State Owned Entities, Aragon says. The software also captures adverse media mentions of potential customers.
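The name-screening step described above, as an added example that is not LexisNexis's product code or anything from the original article: applicant names are normalized (casefolding, accent stripping, punctuation removal, dropping corporate suffixes and single-letter initials, token sorting) and compared against a watch list with a similarity ratio, so that spelling variants still match. The watch list, the names on it and the threshold are all constructed for the illustration and correspond to no real list or person.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed watch list: fictional entries only, not taken from any real sanctions list.
WATCH_LIST = [
    {"list": "sanctions list A (constructed)", "name": "Ravenbrook Trading Co., Ltd."},
    {"list": "sanctions list B (constructed)", "name": "Sergei P. Volkanov"},
]

# Tokens that carry no identifying information and vary between filings.
NOISE_TOKENS = {"co", "company", "corp", "ltd", "limited", "inc", "llc", "the"}


def normalize(name):
    """Reduce a name to a canonical form so that spelling and formatting variants compare equal.

    Steps: strip accents, casefold, replace punctuation with spaces, drop noise tokens
    and single-letter initials, then sort the remaining tokens so word order is ignored.
    """
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = re.sub(r"[^a-z0-9 ]", " ", ascii_name.casefold())
    tokens = [t for t in cleaned.split() if t not in NOISE_TOKENS and len(t) > 1]
    return " ".join(sorted(tokens))


def screen(applicant, watch_list=WATCH_LIST, threshold=0.85):
    """Return (list, listed name, score) for every watch-list entry similar enough to the applicant.

    An empty result means no hit; a hit is a lead for a human analyst, not a verdict,
    which is why the score is returned alongside the entry.
    """
    candidate = normalize(applicant)
    hits = []
    for entry in watch_list:
        score = SequenceMatcher(None, candidate, normalize(entry["name"])).ratio()
        if score >= threshold:
            hits.append((entry["list"], entry["name"], round(score, 2)))
    return hits


if __name__ == "__main__":
    for applicant in ("RAVENBROOK TRADING COMPANY LIMITED", "Sergey Volkanov", "Maria Lindqvist"):
        print(applicant, "->", screen(applicant))
```

The threshold is the tuning knob the Panama Papers article above talks about: lowering it catches more transliteration variants at the cost of more false positives for analysts to clear, which is the trade-off a real screening platform lets the compliance team adjust per list.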

“Our public records data covers about 98 percent of the adult U.S. population,” Aragon says. “We can leverage this data to verify identity, detect suspicious or fraudulent identities and help financial institutions perform due diligence on their customers.”

Data sources include U.S. credit bureau records, commercial credit records, utility records, motor-vehicle records, address history, arrest records, and a host of other sources.

KYC and relationships among suspects

As to KYC requirements, the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) will soon require U.S. banks – no matter how small – to know the true identity of the controlling entity known as the “beneficial owner” and up to four other individuals having at least 25 percent interest in the company.

“There are many aspects of risk connected to a bank customer’s name,” Aragon says. “Does the person show up in any global or U.S. economic sanctions list? Has the customer been involved in any law enforcement actions? The financial institution can review that relationship and ask itself, ‘Is this the kind of company, organization or other entity we want to bank?’”

KYC software should also examine critical connections among people and assets, Aragon says. Additionally, it should greatly reduce the average six months it can take to perform due diligence on prospective customers.

Smaller banks the weakest link

With fewer IT and software resources to positively identify who opens accounts, smaller financial institutions can’t always nail down the real identity of the companies and people who move money through their vaults.

“Large banks dedicate a lot of resources to compliance; they are under a great deal of scrutiny from banking regulators,” Aragon says. “That’s why you’ll see fraudsters go to smaller financial institutions, in the hope that their controls are not as strong as those at the larger financial institutions.”

Add to that the mindset of smaller banks. Because they handle fewer customers and the pace is slower, they don’t feel the need for additional customer screening.

“Sometimes it’s that mindset that puts the smaller banks at risk,” Aragon says. “They can be the weakest link in the financial system.”

Banks and financial institutions can access LexisNexis’s AML and KYC solutions via the cloud, or load the software onto the bank’s own computers. When a customer applies to open an account, the software automatically searches the various global databases, including Interpol, PEP and other databases.

The solutions speed identity verification, strengthen AML compliance, fortify risk mitigation and support enhanced due diligence for KYC, Customer Identification Program (CIP) and Bank Secrecy Act regulations, Aragon says.

Behavior raises flags

In addition to customer screening, many financial institutions use behavioral analytics platforms to monitor for suspicious activity. If the customer has a direct deposit, checking account and has direct bill pay, for instance, those are the areas where the system watches for anomalies in the customer’s behavior, Aragon says.

If a $100,000 wire transfer suddenly hits the account of a customer who usually only receives a payday direct deposit of $450 each week, the system generates a flag.
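The anomaly rule described in the two paragraphs above, as an added example that is not LexisNexis's product code or anything from the original article: each customer's prior transactions form a baseline (the channels they have used and the median size of their deposits), and a new transaction is flagged when it arrives over a channel the customer has never used or is far larger than their typical amount. The ledger is constructed for the illustration and mirrors the $450 weekly payroll deposit followed by a $100,000 wire; the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed ledger (not real data): (customer_id, channel, amount_usd), in arrival order.
# C-1001 receives twelve $450 payroll deposits, then a $100,000 inbound wire.
# C-2002 is a customer whose wires are routinely in the thousands, so a $7,000 wire is normal.
LEDGER = (
    [("C-1001", "ach_direct_deposit", 450.00)] * 12
    + [("C-2002", "wire_in", 5000.00), ("C-2002", "wire_in", 6000.00)]
    + [("C-1001", "wire_in", 100000.00), ("C-2002", "wire_in", 7000.00)]
)


def baseline(history):
    """Per-customer baseline from prior transactions: median amount, median absolute
    deviation (MAD), and the set of channels already seen."""
    amounts = [amt for _, _, amt in history]
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts)
    channels = {ch for _, ch, _ in history}
    return med, mad, channels


def score_transaction(history, txn, z_threshold=5.0, ratio_threshold=10.0):
    """Return the reasons a transaction should be flagged, or [] if it fits the customer's pattern.

    With no history there is nothing to compare against; that case is covered by
    onboarding (KYC) screening rather than behavioural monitoring.
    """
    if not history:
        return []
    med, mad, channels = baseline(history)
    _, channel, amount = txn
    reasons = []
    if channel not in channels:
        reasons.append(f"new_channel:{channel}")
    if mad > 0:
        # Robust z-score; 1.4826 scales MAD to a standard deviation for normal data.
        z = (amount - med) / (1.4826 * mad)
        if z > z_threshold:
            reasons.append(f"robust_z:{z:.1f}")
    elif amount > ratio_threshold * med:
        # Identical past deposits give MAD = 0, so a z-score is undefined;
        # fall back to a plain multiple of the median.
        reasons.append(f"amount_ratio:{amount / med:.0f}x_median")
    return reasons


def monitor(ledger):
    """Replay a ledger in order, scoring each transaction against that customer's earlier ones.

    Returns a list of (transaction, reasons) alerts for an analyst to work as cases.
    """
    history = defaultdict(list)
    alerts = []
    for txn in ledger:
        customer = txn[0]
        reasons = score_transaction(history[customer], txn)
        if reasons:
            alerts.append((txn, reasons))
        history[customer].append(txn)
    return alerts


if __name__ == "__main__":
    for txn, reasons in monitor(LEDGER):
        print(txn, "->", reasons)
```

The second customer shows why the baseline is per customer rather than a fixed dollar amount: a $7,000 wire is unremarkable for an account that routinely receives wires of that size, while the same rule flags the $100,000 wire for the payroll-only account on two counts, the unfamiliar channel and the size.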

“The bank will typically try to understand where the money is coming from,” Aragon says. “Did the customer just sell his house? Or is it something else?”

This type of software usually has case management functionality and performs audit and reporting for compliance purposes as well, Aragon says. The financial institution must document everything and make it available to banking regulators during audits.

“In the world of banking, if you haven’t documented an event, it didn’t occur,” Aragon says.


Cancer charities disbanded; U.S. firms awaken FCPA

National cancer funds disbanded over misappropriations

Wisconsin Attorney General Brad Schimel, along with the Federal Trade Commission and agencies from all 50 states have obtained a permanent injunction to disband two nationwide fraudulent cancer charities and ban their president from profiting from any charity fundraising in the future.

The injunction and ban were crafted under a settlement filed in court Wednesday, the Wisconsin AG said.

Cancer Fund of America Inc. (CFA), Cancer Support Services Inc. (CSS), and their leader, James Reynolds Sr., agreed to settle charges that CFA and CSS spent the overwhelming majority of donations on their operators, families and friends — and fundraisers to bring in more money.

“Donors to charitable organizations must be confident that their funds are solicited honestly and used for the promised charitable purposes,” Schimel said. “We will not sit idly by while scammers defraud well-meaning consumers of their hard-earned dollars and deprive legitimate charities of much needed support.”


More healthcare organizations complying with HIPAA

Healthcare professionals are demonstrating a better understanding of Health Insurance Portability and Accountability Act compliance measures, just in time for the phase 2 Office of Civil Rights HIPAA audits. The audits began March 21.

NueMD’s 2016 HIPAA Survey Update shows that healthcare organizations are doing more to remain HIPAA-compliant compared to two years ago.

Survey results show that 69 percent of healthcare respondents knew about and understood the HIPAA Omnibus Rule, while only 64 percent of respondents could claim that in 2014.

Not only that, more organizations are establishing business associate agreements, a provision of the Omnibus rule. In 2014, only 24 percent of respondents stated they had reviewed all of their business associate agreements, while in 2016, 29 percent say they have.


Melberg: Businesses must lead online security compliance

Minneapolis–Either business leaders make the governance choices to ensure online security or someone outside the company will do it for them, governance expert Ryn Melberg said.

In her weekly podcast, “The Guardian Podcast with Ryn Melberg,” Melberg talks about the modern world of information work and commerce.

The podcast features conversations about better ways to deliver value using Agile, Scrum, Lean, and the Scaled Agile Framework in conjunction with issues of corporate governance.

One thought: Corporate lawyers may not be the right people to improve governance.

While lawyers may say they are interested in bettering governance rules so ‘no one else has to go through this again,’ they are really in business to represent individuals or classes in court. “Their job is to keep you out of jail, not define technical rules of your or any business,” Melberg said.

The Guardian Podcast can be heard on her website at


SAP, Qualcomm not alone in foreign bribes

During the first calendar quarter of this year, the FCPA Blog reports eight corporate FCPA enforcement actions and three individual resolutions, which are agreements to pay fines.

VimpelCom’s $397.6 million settlement in February landed on the FCPA Blog’s list of the Top Ten FCPA cases of all time.

The eight settling companies paid a total of $497.6 million for the resolutions.

For comparison, in Q1 2015 there were two corporate FCPA enforcement actions and one individual resolution. And in Q1 2014 there were two corporate enforcement actions and two individual actions.

In all of 2015 there were eleven corporate resolutions with total payments to the DOJ and SEC of $133 million, and in 2014 there were ten corporate resolutions with payments of $1.56 billion.

Here’s Richard L. Cassin’s full article on FCPA actions for the first quarter of 2016.


ITAC 2015 opens this morning in Orlando

The IT Audit and Controls Conference 2015 opens this morning at the Omni Orlando Resort at ChampionsGate.

ITAC brings together IT audit managers, directors as well as internal controls analysts, risk and compliance advisors – just to name a few – for two and a half days to discuss industry trends, strategies for overcoming today’s emerging technology obstacles and threats and tools to enhance your day-to-day functions all while earning up to 40 CPEs.

Five tracks at ITAC will cover all aspects of IT audit and controls:

  • What data breaches mean for cloud computing
  • ICT audit & security synergy
  • Added value pre-implementation audits
  • SSAE 16 SOC reporting
  • Social media risk management
  • CloudBots – abusing free cloud services to build botnets in the cloud
  • Network intrusion detection best practices
  • Internet of Things (IoT)
  • Auditing Oracle database security
  • Auditing UNIX and Linux servers
  • Securing and auditing Windows-based systems

For a complete look at the conference, go to the show’s website.