Prior to 2012, CU’s Internal Audit (IA) department was using Excel for most auditing activities, and they were struggling to have any sort of audit program that extended past sampling and manual checks. Sample sizes would be selected and then a time-consuming verification process would be completed against related documentation in physical files (actual document repositories came later).
It was the IA industry trend to move away from sampling and towards testing full populations to monitor effectiveness of operations and policy compliance that motivated CU to start thinking about how they could improve and get more in line with the industry. Senior-level personnel from CU would attend conferences and hear of where the future of audit was going, what other organizations were doing, and in some cases what tools other organizations were using.CU needed a tool themselves to propel them into the future of IA and the technologies involved.
ACL Analytics (AN) would allow CU to create, maintain, and run analytic scripts to cover the analysis of full data populations -CU started here. Following that, a moveto Analytics Exchange(AX) wouldfurther move them along the audit maturity curve by allowing them to house and schedule a more sophisticated library of scripts. As well, making use of Galvanize Services to have scripts created specifically for continuous monitoring would allow CU to hit the ground running with AX.
Hiring a Data Analytics Specialist, who had a vision for CU IA and became a huge champion for Galvanize products, further pushed IA into cleaning up and expanding their script library, identified additional groups atCU that could benefit from their auditing, and eventually guided the team into the realm of machine learning (ML) with their Galvanize gear plus HighBond’s Results module.
Making use of analytic scripts instantly provided CU with a way to move into continuous auditing and monitoring; results of regular audits are being shared outside of the IA department. With the Registrar’s Office, they provide instances of bad or duplicate student and faculty data that could lead to larger issues. And with the PCard Department, they provide insight into where and how fraudulent activity is occurring; this helps the department to remediate the issues and prevent future occurrences.
CU also had a vision to setup up an automated process incorporating ML to identify potential fraud for IA to evaluate internally. By implementing select Galvanize offerings1into this sophisticated process, they were able to realize this goal. Fifty percent of what CU’s ML process is identifying as fraud is accurate -this is a huge achievement in terms of detection!This is saving the IA group hundreds of hours in time that they would have had to spend on data exploration, but instead can move them right into the investigation phase.
With continuous auditing and monitoring in place, and now ML having automated part of their fraud detection, CU is in a good place to further mature their use of ML, as well as start to direct some more time and attention to their Enterprise Risk Management system.
ACL analytic scripts create (and continually update) master tables and datasets, RCOMMAND extracts required data from these, CU’sR scripts pickup the extraction and ML is then used to identify and rank potential fraud. The output from this learning is loaded into HighBond Results where a fraud group within IA then makes an evaluation – yes or no to each record found being fraud. The result of this evaluation is put back into next quarter’s R evaluation to update andimprove the ML algorithm.