Dealing Instant C.A.R.M.A. - "Continuous Analytic Risk Monitoring Automation"
By Rich Lanza, CPA, CFE, CGMA
The term Instant Karma means bringing immediate accountability for one's actions. Doesn't that phrase exemplify our objectives for continuous monitoring, which starts with risk management using a series of risk planning analytics, followed by designing automated alarms and on-site assistance, now focused only on the top areas of concern?
Part One of the system is the automation of risk planning, although this egg may need to start as the chicken at times. Let me explain: Until specific business processes and risks are managed with analytics so deviations are detected, it is difficult to know:
- Which alarms to build to manage the quality of that process,
- When on-site testing is required, or more efficiently,
- When a GRC alert (with a secondary Email) would do well enough for distributing the results to the process owner for comment.
Regardless of whether they ever run a specific business process report, the risk manager can still apply analytic risk management; the trick is to think more "general"ly with the ledger data at hand. For example:
- Build a trial balance by month for trending account activity over time
- Visualize associated change between financial account types (revenue, expense, etc.)
- Identify material unique and recurring entries to understand top unique patterns and volume trends
- Locate new accounts never used to date and their materiality in the current period
- Summarize trends by solely focusing on the text usage in the description fields
What aids general ledger system reviews is that data is frequently maintained at the detail transactional level so once a trend is identified, the summary visualization can be drilled-down into the detailed transactions instantly.
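As an added illustration (not code from the author), the Python sketch below runs several of the listed analytics over a handful of constructed journal lines: a trial balance by month, new accounts with their materiality in the current period, description-field term counts, and the drill-down to detail. The tuple layout, function names and materiality threshold are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed journal lines: (posting date, account, description, amount)
JOURNAL = [
    ("2024-01-15", "4000-Revenue", "Invoice 1001", -12000.00),
    ("2024-01-20", "6100-Travel", "Airfare sales conf", 850.00),
    ("2024-02-14", "4000-Revenue", "Invoice 1002", -12500.00),
    ("2024-02-22", "6100-Travel", "Hotel sales conf", 900.00),
    ("2024-03-12", "4000-Revenue", "Invoice 1003", -11800.00),
    ("2024-03-18", "6100-Travel", "Airfare client visit", 870.00),
    ("2024-03-29", "6999-Misc Expense", "Manual adj per CFO", 9400.00),
    ("2024-03-30", "6999-Misc Expense", "Manual adj per CFO", 9400.00),
]

def trial_balance_by_month(journal):
    """Net activity per (account, YYYY-MM), the basis for trending."""
    tb = defaultdict(float)
    for date, account, _desc, amount in journal:
        tb[(account, date[:7])] += amount
    return dict(tb)

def new_accounts(journal, period, materiality):
    """Accounts first used in `period` whose absolute activity in that
    period meets the (assumed) materiality threshold."""
    seen_before = {acct for date, acct, _d, _a in journal if date[:7] < period}
    totals = defaultdict(float)
    for date, acct, _d, amount in journal:
        if date[:7] == period and acct not in seen_before:
            totals[acct] += abs(amount)
    return {acct: total for acct, total in totals.items() if total >= materiality}

def description_terms(journal, period):
    """Word counts taken only from the description field for one period."""
    words = Counter()
    for date, _acct, desc, _a in journal:
        if date[:7] == period:
            words.update(desc.lower().split())
    return words

def drill_down(journal, account, period):
    """Detail transactions behind one summarized (account, period) cell."""
    return [row for row in journal if row[1] == account and row[0][:7] == period]

if __name__ == "__main__":
    for acct, total in new_accounts(JOURNAL, "2024-03", 5000).items():
        print(acct, total, drill_down(JOURNAL, acct, "2024-03"))
```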
Part Two of the continuous analytic engine is the set of specifically built alarms, which serve the purpose of gaining feedback on root causes while also providing additional detailed design specifications for the next alarm development. The system should get faster and smarter each time it runs, so the quicker the process of automating alarm response, the faster the analytics transform around the process. Manually developed Emails and on-site visits can start with automated updates to a results manager system, personalized for each user, with Email reminders for lack of response. The faster the responses are generated and trended themselves, the faster change can happen within the process, along with the design of the next best alarm for that process.
The goal is to turn false positive/negative reports into ones that directly find the issue, thereby meeting the report's objective as quickly as possible. Such tweaks in the process constantly change over time as the process improves in its risk management. For example, a matching of the vendor information to governmental "watch lists" could start with an address and name match and quickly expand to a match on close approximations of the name, address, geolocation of zip codes, and then, once the business process owner decides to enter TIN information for each vendor, a TIN match to a government-funded TIN matching service.
The last unmentioned part of any instant CARMA system surrounds the process and is the consistent execution of such analytics. Only through the collection and analysis of data points at consistent intervals can the organization and automated system continuously "learn" how to adapt itself to the process. Further, the risk manager can continuously run business process scoring by trending the now validated alarms. Through trending of the alarms and business owner risk responses, the risk manager can identify which departments and locations are more ripe for an on-site review, or at the very least, an online conference meeting.
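The progression of the watch-list alarm described above can be sketched as tiers. This is an added example, not the author's code: vendor and watch-list records are constructed and fictitious, the 0.8 similarity threshold and the "name-only" review tier are assumptions, and the TIN tier is left out because it depends on an external matching service.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data; all names and addresses are fictitious.
WATCH_LIST = [
    {"name": "Acme Global Trading LLC", "address": "12 Harbor Road", "zip": "07001"},
    {"name": "Northwind Holdings Inc", "address": "400 Pine Street", "zip": "10005"},
]
VENDORS = [
    {"id": "V001", "name": "ACME GLOBAL TRADING LLC", "address": "12 Harbor Road", "zip": "07001"},
    {"id": "V002", "name": "Acme Globel Trading", "address": "12 Harbour Rd.", "zip": "07001"},
    {"id": "V003", "name": "Blue Ridge Office Supply", "address": "9 Elm Avenue", "zip": "30301"},
    {"id": "V004", "name": "Acme Global Trading", "address": "77 Sunset Blvd", "zip": "90028"},
]

def normalize(text):
    """Lowercase, replace punctuation with spaces, collapse whitespace."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", text.lower()).split())

def similarity(a, b):
    """Similarity ratio (0.0 to 1.0) between two normalized strings."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def screen_vendor(vendor, watch_list, threshold=0.8):
    """Return (tier, matched watch-list name) for the strongest hit.
    Tiers: 'exact' name and address, 'approximate' name corroborated by a
    close address or the same zip code, 'name-only' for lower-priority review."""
    rank = {"exact": 3, "approximate": 2, "name-only": 1}
    best = (None, None)
    for entry in watch_list:
        name = similarity(vendor["name"], entry["name"])
        addr = similarity(vendor["address"], entry["address"])
        if name == 1.0 and addr == 1.0:
            tier = "exact"
        elif name >= threshold and (addr >= threshold or vendor["zip"] == entry["zip"]):
            tier = "approximate"
        elif name >= threshold:
            tier = "name-only"
        else:
            continue
        if rank[tier] > rank.get(best[0], 0):
            best = (tier, entry["name"])
    return best

def screen_all(vendors, watch_list):
    """Screen every vendor; maps vendor id to its (tier, match) result."""
    return {v["id"]: screen_vendor(v, watch_list) for v in vendors}
```

Tightening or loosening `threshold` after each round of process-owner feedback is the kind of tweak that moves the report toward fewer false positives and negatives.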
To learn more on dealing instant C.A.R.M.A., please see my AuditNet® minutes to analytics webinar on risk planning scheduled for May 11th, followed by a complimentary webinar on June 8th on automating specific control reports.
Rich Lanza CPA, CFE, CGMA (www.richlanza.com) has over 25 years of audit and fraud detection experience with specialization in data analytics, business process diagnostics and cost recovery efforts. Rich wrote the first book on practical applications of using data analytics in an audit environment titled, 101 ACL Applications: A Toolkit for Today’s Auditor, in addition to writing over 19 publications, and over 75 articles. Rich is proficient and consults in the practical use of analytic software including ACL, ActiveData for Excel, Arbutus Analyzer, IDEA, TeamMate Analytics and auditing with Microsoft Excel techniques. Rich has been awarded by the Association of Certified Fraud Examiners for his research on proactive fraud reporting. He is also a regular presenter for CFO.com, the Institute of Internal Auditors, Association of Certified Fraud Examiners, AuditNet® and Lorman. Rich consults with companies ranging in size of $30 million to $100 billion and in all, has helped them find money through the use of technology and recovery auditing. He is also a current faculty member with the International Institute for Analytics.