Sabrina Serafin, National Practice Leader of Frazier & Deeter’s Process Risk & Governance Practice, interviews Joe Oringel, Managing Director of Visual Risk IQ. They discuss the importance of visual data analytics and reporting in relation to today’s compliance tools.
Links to items mentioned in the podcast:
11:09 – Self-service – we’re offering a 15- or 30-minute demo of Tableau to any podcast listener where we can provide both a trial software license and a guided evaluation of the software. http://www.vriq.us/TryTableau to download software and email me to schedule the guided demo: Joe.Oringel@VisualRiskIQ.com
12:55 – Tweet re: Machine Learning and AI https://twitter.com/VisualRiskIQ/status/1010689657883918336
16:05 – Book information
Stephen Few book – Show Me the Numbers http://www.vriq.us/ShowMeTheNumbers
Edward Tufte book – Visual Display of Quantitative Information http://www.vriq.us/TufteBook
Dona Wong / Wall Street Journal’s Guide to Infographics http://www.vriq.us/DonaWongWSJ
17:15 – 3 Part Webinar: Improve Internal Audit and Compliance with Data Analytics https://www.tableau.com/learn/series/improve-internal-audit-and-compliance-data-analytics
Visual Data Analytics: An Integral Part of Any Compliance Toolkit Transcript
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina: This is Sabrina Serafin, National Leader of the Process, Risk & Governance practice at Frazier & Deeter. Welcome to our Culture of Compliance series podcast. Today, we have with us Joe Oringel from Visual Risk IQ. Joe is a CPA and CIA with more than 25 years of experience in internal auditing, fraud detection and forensics. He has over 10 years of Big 4 external audit, internal audit and risk advisory experience, prior to co-founding Visual Risk IQ. His corporate experience includes internal auditing, information security and data analytics for companies in a number of highly regulated industries, including pharmaceuticals, utilities and financial services, all of which are industries where compliance is known for being important and even strategic. Joe has an MBA from the Wharton School at the University of Pennsylvania, and I’d like to welcome Joe to our podcast.
Joe: Thanks, Sabrina. Nice to talk to you today.
Sabrina: To provide the audience with some background, Visual Risk IQ is a highly skilled data analytics consultancy with a focus on audit and compliance related matters. Through on-the-job coaching and problem-solving, the firm helps its clients take on more complex and valuable visual reporting and data analytics projects than they might otherwise complete on their own. The firm was established in 2006 when Joe and his co-founder Kim Jones left PwC to focus on the adoption of data analytics and continuous auditing and monitoring software. This includes visual reporting tools that we’re going to be talking about today, and since inception, the firm has completed more than a hundred successful data analytics projects for clients across a variety of industries, geographies and corporate departments. Internal audit and compliance remain sweet spots for Visual Risk IQ and for Joe personally, so Joe, talk to us about visual reporting and how it differs from the more popular term “data analytics.”
Joe: Sure. I guess I the best way to do that is to picture in your mind’s eye a Venn Diagram with two circles, and I’d say that there’s plenty of intersection between data analytics and visual reporting, but you also can have one without the other. There is data analytics without visual and there even can be some visual reporting without necessarily a heavy component in data analytics, but in our experience the very best data analytics includes visual reporting dashboards.
Visual reporting is a much more effective way than tabular or spreadsheet analysis for exploring data, and I’ll distinguish between exploratory queries and confirmatory queries. An exploratory query just says, “Show me the biggest, show me the most important, show me the oldest, show me the newest,” and a confirmatory query says, “Does this transaction meet our compliance policies?” And we really like visual reporting, Sabrina, because it allows people to explore and get to know the data before answering the specific compliance question. It communicates the need for action, and a quote that I’ll share that my co-founder Kim shares with our clients is that a good graph or a good report shouldn’t be interesting, it should make us want to do something, and what we find in our experience is that visual reporting is a good way to communicate that something needs to be done.
Sabrina: That’s a great example. So talk to us about the kinds of compliance challenges that can most benefit from what’s called visual analytics.
Joe: Sure. Let’s use an example. I’m out in Utah and Colorado this week doing some mountain biking, and anybody that’s ever done any mountain biking, knows that good brakes are really important on your mountain bike. But the reason that brakes are important is that they allow you to go fast, not to go slow. But the better brakes you have, the more you can take the straightaways at a high speed, and then when it’s time to do your zigging and zagging, that’s when the good brakes become so important.
So, when I think about compliance, and particularly the Culture of Compliance, I want to make sure that we’re thinking about compliance as a competitive advantage and ways for an organization to move more quickly, to make the right decisions and enable the processes that they want to have to meet their strategic objectives.
There are a few different compliance frameworks, whether it’s COSO or the Department of Justice’s Hallmarks of an Effective Compliance Organization or OECD’s 13 Good Practices on Internal Controls and Ethics, there are a number of areas where data analytics and visual reporting can really help. I think that the first two are probably risk assessments and monitoring. For risk assessment, let’s think about the very simple communication of the corruption index as published by Transparency International. What’s more effective to you, is it listing the countries of the world in alphabetical order, or maybe alphabetical order within a region, and then next to the country’s name is risk number, or do you prefer the color-coded map of the world that shows the corruption index by color? That’s visual reporting and risk assessment. When I look at a color-coded map, I really like it.
Sabrina: Great point, and you mentioned COSO earlier. Talk to us about why compliance professionals and particularly their internal audit counterparts should get to know each other better. Why do you feel this is important?
Joe: Like I said, there are two things that the visual reporting can help with. One is risk assessment and then the other is monetary, and in a compliance program, most compliance programs begin with the control environment, communicating. The top is sharing well written practices and training programs. These are often the strengths of compliance leaders with a strong legal background, but the DNA of a great lawyer may be different from the DNA of a great auditor. We’re often wired a little bit differently, so monitoring is how the compliance professional knows that their policies and training are being followed and that the organization is really remaining in compliance with those key policies. We encourage our compliance professionals to enhance their relationship with internal audit and vice versa because of the complementary discipline between internal controls and other aspects of compliance.
Sabrina: Exactly, so visual reporting should be part of a compliance program’s monitoring activities. I think our listeners would also bring up that data and information systems are always changing. How do we make sure that dashboards and the reports that we’ve created stay up to date with all these changes that take place almost daily in most company systems and data?
Joe: That’s a great question. Building a dashboard and having it present all the right information for a month or two and then having a bunch of error messages after there’s an underlying data change, that’s bad. We want to make sure that doesn’t happen, so in our experience that’s where effective data analytics planning and execution really pay off. We’ve been in this business, like you mentioned, for more than 10 years, and we’ve got some particular best practices as it relates to data acquisition, specifically data quality, so part of our data acquisition routines, every time we bring a new file into the analytics tool and into a particular set of visuals or dashboards, we have control totals and edit checks to make sure that the data is unchanged.
We call these things integrity checks. We use integrity checks to verify the control totals and to put alerts in place to let the right people know if there have been changes to the underlying source data. The data quality focus is an absolutely essential element in data analytics, particularly self-service data analytics.
Sabrina: Can you tell us more about that?
Joe: Sure. Self-service data analytics is where the person that wants to know the answer to a business or a control question, when that person is able to ask the question and answer it using data without relying on IT. You can answer the question yourself. Today’s modern analytics tools like Power BI and Click and especially Tableau are very user friendly, and they don’t require much or even any help from corporate IT. The time to answer questions is usually minutes or hours, not days or weeks. If someone’s listening to the podcast, it’s kind of hard to hear the words and picture what self-service is, so if I would invite anybody who’s listening and wanted to spare 15 minutes, we’d be happy to show them how we can turn a series of spreadsheets into compliance dashboards in a quick meeting. It’s amazing what these modern self-service data analytics tools can do.
Sabrina: There are a number of buzzwords in the compliance community and the internal audit community: robotic process automation, machine learning, artificial intelligence. Can you explain these terms, but more importantly, why do they matter?
Joe: Robotic process automation is scripting and scheduling the data acquisition to deliver the analytics without human intervention, so robotic process automation is kind of that data nirvana that that we’re all aiming for. But the good news is, it’s actually right here, something that we do today. Machine learning and artificial intelligence are the use of statistics to verify some of the answers in analytics, again, before the human gets involved in acting on the results of the analytics.
There’s actually a cartoon I tweeted about this, we’ll include that maybe in the podcast notes. We use machine learning and artificial intelligence to tune our analytics around suspicious payments, as an example. Whether your definition of a suspicious payment is simply a duplicate or maybe a compliance matter like a payment to a foreign government official, we can use statistics, including machine learning and artificial intelligence so that the queries and graphs can better prioritize the most risky transactions. And by getting the human to point out: this is a false positive, where this is a real issue, we can incorporate the initial human evaluation of the first set of outputs so that the future output takes that first output into place.
Sabrina: For organizations that we’ve piqued their interest, and they haven’t started with visual reporting or data analytics, what’s a good first project? Can you give us some examples?
Joe: Sure, sometimes the best way to get started is to simply get started. Don’t study the trail map so long to figure out what’s the best ride, just take your bike up the mountain and pick one that’s maybe a beginner trail, but get down the mountain and see what you learn. When I think about what a good first project might be, I would tell you that we like to start with traveling and entertainment or sometimes procurement card spend. There are two or three reasons for that, Sabrina.
The first one is the business reason. These are after –the-fact review items for most organizations. That means that the transaction happens, and then it gets reviewed, that whole “asking for permission versus asking for forgiveness.” So I like travel/entertainment and p-card for that reason.
The second reason that I like is the ease of data acquisition. Sometimes in organizations, getting access to data involves IT, and IT has a lot of projects, and sometimes compliance and audit doesn’t reach the level of importance where we get the right help to get their data. But in the case of p-card and travel, the data often comes from external providers. It might be the bank that processes the p-card system or maybe third party providers for traveling entertainment, like Concur, Chrome River or other cloud-based expense management systems. So we find that we can get data in just a couple of hours instead of days or even weeks. So with travel and entertainment and p-card transactions, you can make a great impact with a very low cost.
Sabrina: Great example, so if someone wants to learn more on their own, where would you suggest they go for additional reading or related resources?
Joe: I’ve got probably two or three authors that are my go-to for data analytics and visual reporting. We’ll put some links in the speaker notes to the books and publications by each of them. I like Steven Few; he’s got a book called Show Me the Numbers, and that’s been a very influential book in our firm’s use of analytics. An older publication and author but still wonderfully relevant is a gentleman named Ed Tufte, and Tufte ‘s got a number of books out there, and then a more modern take is a woman Donna Wong from The Wall Street Journal. The last thing in preparing for today, it’s hard to do a podcast on visual reporting without being able to see some examples, so we did a three-part webinar series where we featured compliance leaders from financial services and from Higher Ed, so we’ll be sure to leave the link to the webinar series so that folks can see some of the compliance charts and dashboards that we have.
Sabrina: Well, Joe, thank you again, I appreciate you joining us again. We were talking to Joe Oringel from Visual Risk IQ, and I appreciate the audience joining us for Visual Data Analytics, An Integral Part of Any Compliance Toolkit. Please join us for the next Culture of Compliance episode.