Mike Kelly, Partner, Ernst & Young (EY), hosted FEI’s Committee on Finance & IT (CFIT) and some members of FEI’s Committee on GRC (CGRC) at his offices in Los Angeles, California. The objective of the meeting was to learn how Data Analytics is being used for Governance, Risk and Compliance (GRC), and for audit in particular.
Todd Gower, Senior Manager, EY, discussed the selection and implementation of GRC technology solutions. Before shopping for a GRC solution, he recommends obtaining strong leadership support and a mature Governance model, along with an agreed-upon PRC (Process, Risk and Control) framework, in order to get maximum value out of any eGRC tool investment.
Kathleen Chu and Matthew Miller, both Senior Managers at EY, focused on the U.S. Foreign Corrupt Practices Act of 1977 (FCPA). Chu discussed the collateral consequences of FCPA violations, based on recent cases, and provided an overview of government enforcement actions in 2015. Miller discussed some of the results of EY’s Global Forensic Data Analytics Survey 2016.
Michael Cangemi presented the results of a research report that he wrote for the IIA Research Foundation (August 2015), Staying a Step Ahead: Internal Audit’s Use of Technology.
This report is part of the 2015 Global Internal Audit Common Body of Knowledge (CBOK) Practitioner Study series currently in development. The survey data shows that internal audit use of technology in the audit process continues to grow, but there is room for improvement.
Scott Fulkerson, Senior Manager, EY, described EY Helix as EY’s global suite of analytics that simplifies and enhances audit testing and provides deeper insights using advanced analytic techniques and data visualization. Because it is web-based, it can analyze larger data sets. Helix uses complete data populations to obtain higher quality audit evidence within areas of higher risk, and delivers relevant feedback and insights during the audit, so that the client can optimize its business processes and controls.
Rob Belk, Executive Director, Cybersecurity, EY, recommended an “active defense” for cybersecurity. Understanding your critical cyber business risks and knowing what attackers may want from your organization enables you to establish “targeted defense” through prioritization and hardening vulnerabilities.
Assessing your threat landscape through Cyber Threat Intelligence (CTI) allows you to understand the most likely threat actors and methods they may use, which can be played out in scenarios to gauge readiness. “Active defense” sends out intelligent feelers to look for potential attackers, analyze and assess the threat, and neutralize the threat before it can damage your organization’s critical assets.
Chris Yamashita, Finance Director, Microsoft, presented examples of how machine learning is being used by companies. For example, in sales and marketing, it is being used for customer acquisition and loyalty programs. In finance and risk, it is being used in fraud detection and credit risk management.
Bill Sinnett, Chief Operating Officer, Research, for FEI, has drafted a complete What We Learned report for FEI members, available for download on FEIconnect.
CFIT's next meeting will be hosted by Gartner at their corporate headquarters in Stamford, CT, on June 9 and 10. FEI members interested in CFIT who would like to attend as guests should contact Bill Sinnett at [email protected]