Due to an inquiry on a message board my boss belongs to, she just
asked me about audit exchange and here is my answer. I thought I would
share it with you:
This is a very timely question as I just had
lunch with Peter Millar (ACL's Director of Business Development) last
week and talked to him about AuditExchange (AE) a great deal. He was
here in Houston visiting the TexasACL User Group. To help others
understand where I am coming from, I think it is only fair to disclose
my background. I am the President of the TexasACL User Group and one of
the best known ACL Users in the country. I am one of only two "Super
Users" on the ACL User Forum and was a guest speaker at ACL's 2008
Annual Conference Connections. While I don't work for ACL, I am a
strong advocate of CAATTS in general and ACL in particular. I mention
my background so that you can better assess my authority and my biases
in what I have to say.
While I haven't used AE,
I am very excited about this product. When I first heard about the
product at ACL's Annual Conference a few months ago, it didn't entice
me. I thought the product would be a waste of resources. Having talked
to Peter about it, I think this is a great tool---especially for the
healthcare industry.
Let me give you a few thoughts on AE:
1) Preservation of knowlege
I
am new here at St Luke's. Right now I am trying to get data access to
various systems and work through the beaucracy that is IT. It may take
me a few weeks or even months to get everything I may need. Once I have
that access, it will take me weeks or months to learn how those tables
interact. During that time, I might reach incorrect conclusions because
of a poorly or incorrectly formed joins/relationships. Over the next
few months, I will be learning as much as I can about the data bases
that I need. In time, I will have a decent understanding of the data. I
will write standard scripts to extract the data I need from the various
systems and will then write ACL scripts that clean and join the data
appropriately. In an ideal world, I will prove my value to SLEH by
writing a number of scripts that result in significant
savings/recoveries.
Now, let's say that in a year
or two something happens to me and Cecelia has to replace me. That
replacement will then have to recreate everything that I've done.
With
Audit Exchange, this risk is minimized if not eliminated. AE is
designed to provide a means to Extract and Preserve Data on a dedicated
server. In essense creating a Data Warehouse dedicated to audit.
But
this advantage extends beyond just when the "ACL Guru" leave, it
becomes an ongoing benefit. As the ACL Guru, I will be able to save
significant time and effort because the tables that I need/want have
already been downloaded and formatted in a meaningful usable manner.
Others in the department will be able to utilize ACL better because
they won't have to struggle with downloading, loading, and
interpretting the raw data from IT. In other words, suppose I have
written a code to clean up patient medical data that combines data from
several different systems, SLEH audit department will now have a usable
data source that ANYBODY in the department can use. This would
hopefully put more advanced auditing into the hands of more people.
As AE becomes a platform for script storage, this possibility is expanded even further.
2) Data Administration
In
AE, the audit department can establish different levels of
access/authority. As some scripts/tables will be proven and deemed
reliable, you don't want this data to be corrupted by inexperienced
users.
3) Informatica
Informatica
is considered by many to be the name in data itegration software and
ETL. ACL has an arrangement with Informatica wherein AE uses
Informatica software to obtain the data from IT. The name Informatica
should make discussions with IT much easier/smoother. IT may not know
or trust "ACL" but they will trust Informatica.
4) Masking of Data
This
is the area that has me particularly intrigued. While Internal Audit
may be able to demonstrate a need for any piece of data, it is
sometimes a challenge to convince IT or the business units that this
need exists. Many companies are particularly concerned about the data
of their employees. Try getting a data dump of the SSN, bank account
number, or routing number for employees and you might run into a dead
end. AE has a means of providing masked data that can be utilized in an
audit.
In other words, you are performing a test
comparing employee SSNs with Vendor TINs. You can do this analysis
without ever seeing your co-workers SSNs.
NOTE: I have a few questions into ACL about how security works on this masking capabilities.
4) Secure Server
You can estbalish passwords on the server adding an additional level of security.
5) Benefits of both a system version and desktop version.
AE
provides the advantages of both the traditional desktop and server
editions. The advantage of the desktop version is that you are able to
use ACL on your laptop whereever you are. If you want to work on ACL at
home or at the airport or at the doctor's office, you can do so without
logging onto a server. At the same time, unless you explicitly download
the data to your laptop, your data will be saved to the AE Server. This
provides tremendous advantages over the old desktop version. As the
data is on a secured server, you don't run the same HIPAA risk that you
might have with a desktop or laptop computer. What risks exists if you
loose your laptop or if your desktop is stolen?
6) Multiple users accessing the data at the same time.
One
of the disadvantages of ACL is that the same person can't use the same
files at the same time. Using AE multiple users will be able to load
the same data---granted subsequent users will only have "read" access,
but that is what happens with other software. You will be able to work
with the data and save it elsewhere as a different file.
7) Benefits of the licensing arrangement.
When
ACL version 9.0 came out, ACL messed up. They really antagonized many
of their clients with the new licensing arrangement. AE is an effort to
make amends and fix a mistake.
Before I go
forward, AE licensing does not change any of the currently existing
licenses. You are not required to move away from your current structure.
AE
introduces a new platform that is based upon the number of people in
your audit department. It then charges you a flat rate for that many
people. I don't know what the different levels are, but suppose the new
licensing arrangement has a certain rate for units with 30-50 auditors
in the unit. Your unit only has 40 people. That means that all 40 of
your users can use ACL simultaneously. But it gets better. You still
have room for 10 more users. This means that if AP or Compliance or
legal or any other unit in the building sees the value of ACL, they can
then link in and start using ACL off of audit's license. Due to the
security established on the server, audit can limit these users access
rights on ACL to prevent them from having full access to everything
audit sees and does.
Let's say that your unit is
at 49 people, but it grows by 2 people. It is now over that 50 person
mark. The license doesn't automatically shift to the next higher level.
It will only be reviewed when it is time to make your annual renewal.
At that time, you will be expected to move up to the next higher level
OR you will be able to purchase a bridge license. The bridge license
will cover an additional 3-5 users without moving you into the new
higher rankings.
Disclaimer: Again, I do not work
for ACL, everything I've said above is based upon my understanding of
AE. It may be incorrect, but it is what I understand AE to be.
New scripts added 7/20/08
WWW.TexasACL.COMPorter ACDA
President Texas ACL User Group
TexasACL@yahoo.comwww.TexasACL.com