Episode 41 | Steve Rummel, Senior IA Analytics Manager at CVS Health

The Assurance Show
The Assurance Show
Episode 41 | Steve Rummel, Senior IA Analytics Manager at CVS Health
/

 

Summary

Steve Rummel is a Senior Internal Audit Analytics Manager at CVS Health.

In this episode, Steve explains how he helps his audit team use data.

 

Transcript

Yusuf Moolla: 

Today, we have Steve Rummel joining us. Steve is a Senior Analytics Manager, Internal Audit with CVS Health. We’re not going to try to explain your background because you can do that best. So it would be good if we could kick off with a little story about where you’ve come from and where you are now.

Steve Rummel: 

So I am right now about 16 kilometers west of Chicago, where I’ve lived for most of the last two decades after graduating university. My undergrad is in Finance. I’m not going to tell you what year that’s from, but you’ll probably figure it out if you do the math and take notes carefully during the session. I started out as a Financial Analyst and an Accountant, worked there for a couple of years. Went into consulting. Started to do IT audit right around the time Sarbanes-Oxley heated up. For those of your listeners who might not be familiar with that, here in the States we had some really notable public fraud in the early 2000s that resulted in a large global accounting firm, Arthur Anderson, going under. Part of their group rebranded themselves as Protiviti and spun off as an IT audit service provider. I worked for them for about seven years. During that time, I started doing a lot of analytical work. And again, like you and a lot of your listeners, I was a nerd from day one. So I’ve been a computer person and decided that was just not sexy enough. I had to do accounting and finance as well. Along the way I picked up a CPA. During my time at Protiviti, I started doing a lot of analytical work using ACL, the best audit analytics software package in 1987. And worked on that for about 10 years. Eventually, found my way to better tools and have been basically doing some variety of that ever since. And for the last 10 years or so, I’ve spent most of my time helping organizations ramp up analytical functions within their internal audit departments. So everything from figuring out what tools to use, what kind of people to hire, writing job descriptions, working on very detailed, I don’t want to call it a vision statement cause that sounds a little too generic, but basically sitting down and helping organizations figure out, all right, hey, what does data analytics mean in an internal audit capacity anyway? What’s the difference between data science and analytics and just ETL? What can we as an organization do? What is the best way to ensure that when we ramp up this function within the organization that it will stand the best chance of being successful? And I’ve been doing that for about the last 10 years on and off. Right now, I am at CVS. We have 10 or 15 different business units within my internal audit shop. There are about 200 auditors in the shop. I work specifically within the prescription benefits management vertical. So we are over all of the functions within the company that actually makes sure that people who come into our pharmacies or submit a prescription to one of our mail order pharmacies or specialty pharmacies, that they get that prescription in a timely manner. That they get what they’re supposed to get when they’re supposed to get it. Which sounds really simple, but there’s actually a lot there.

Yusuf Moolla: 

What is it that drew you into the use of data within audit in particular? Cause it’s quite a niche area.

Steve Rummel: 

Well, I think problem solving, right? When you start out working in internal audit, especially if you’re working in professional services, you don’t get called into an organization when things are going really well and everything’s just swimming along. You get called in because there’s a problem. Either the client doesn’t have capacity or there’s some weird thorny thing that they’re grappling with and they can’t solve. And obviously, accounting and finance, they all run on top of some kind of enterprise accounting reporting package. There are all kinds of other applications from Microsoft Excel all the way up to SAP. There’s a lot of moving pieces. There’s a lot of data moving through organizations that things can go wrong. And there is a good living to be made, helping organizations figure out where the problems are and breaking down that problem into solvable chunks and then saying. Here’s the problem, let’s figure out how we can implement a solution that will work for you and that will hold up over time. That sounds really nice and notional. It was basically my boss going, what the hell is going on here? Figure it out. So you go and you sit down with IT. You sit down with the application owner, you sit down with accounting and you say, okay, where are things just falling apart? Where do you see the wheels coming off this process? And when they tell you, you start digging in and just doing that root cause analysis. And pretty soon you’ve dug your way all the way down to IT, into the database administrator, into the data lake and whatever else. And it is actually a lot of fun when you solve a problem like that. Human beings are natural sort of problem solvers. So when you can go in and say, hey, you know, I figured out this thorny thing. Here’s what we need to do. It’s fun. And then you do that often enough and pretty soon you’ve done it enough that people think that you have some credibility in that space. So they call you more often. And then you have to train minions on how to do it because otherwise you’re going to spend all your time doing it.

Conor McGarrity: 

Just to put it in context, Steve’s company, CVS, is a Fortune 5 company. Just behind Apple, which is number four. So Steve, Over the years you’ve helped establish or grow various analytics functions within internal audit. What are some of the common challenges or issues that you’ve encountered, particularly in the early years of setting up those practices?

Steve Rummel: 

Probably one of the biggest is technology has been changing so much in the last 50 years, but that only accelerates, right? And it’s a cliche to say it, but it’s true. When I attended university in the mid 1990s, the internet was brand new. Napster was still the big thing, you know, And you start pushing that forward. You look at the tools and things that have come about since then. Web development back then was, hey, you fire up the text editor, you write HTML, maybe CSS, but like that was it. And now we’ve had several generations of really robust tools. Keeping track of that is a full-time job in and of itself. A lot of the people who are now in senior leadership roles, in organizations, especially large organizations where you’re spending your career, working your way through these things. They are not necessarily the kind of people who stay really on top of these things. I made a joke about ACL before being the best software tool of 1987. There are so many more tools now. You start with ACL and like SAS, but then over time there are other tools that came out for analytical things. So you’ve got Python, which is one that I use now Tableau for visualization. DataIQ for GUI centered analytics. Alteryx, another sort of GUI software. DataIQ is more web-based. Alteryx is a fat application. You gentlemen were telling me about an open source application that you used. So there’s a lot of stuff out there. There are a lot of vendors out there pushing these things. And a lot of the senior leadership who are, right now, they are the Chief Audit Executives. They’re making decisions about, hey, I heard this great thing about, we should put together an analytical function. They don’t know. They need to be well-advised. And there is a whole cottage industry of people out there who are willing to advise them. A lot of them are vendors. I’m sure a lot of your listeners have sat through vendor presentations where, oh, I’ve got this black box product that you plug it in and you feed in your data one end and you get nothing but beautiful, clean, crisp. That’s garbage. That’s not true. There are people who get paid a lot of money to sell so many yards of blue sky to senior leaders. And that’s not to disparage the products, necessarily. They are selling good products, but the leaders need to have somebody on their side to understand not just the products, but what’s the process. Analytics is not a product. It’s a process. It’s a way of thinking about your organization, the business process you’re looking at, what you want to get out of it. You have a business process that you want to, in the case of audit. You want to audit that business process. How can you get some assurance that the process is working as it’s supposed to. And to do that, you need to think about not what product can I stick on this thing, but what am I looking for? A professor of mine once called internal audit, the practical application of common sense. You look at a process, you say, where are the risks here? Where are the hazard? Let me draw some things on a whiteboard and draw out this process and say, hey, here’s a failure point. Here’s a failure point. Here’s a failure point or a potential failure point. Let’s think about this in an organized and systematic manner. And then once you have some idea of what you think the issues could be, then you start saying, all right, what’s the best tool for the job to solve this? Do we need to monitor something? Do we need some kind of a reconciliation tool, whatever it may be. So that’s a challenge because you’ve got leaders who have limited experience with the technology, but they know their business and their process inside and out. And they don’t want to be sitting through multiple tech demos. They want somebody to give them the answer. And the answer is never going to be just a product. It’s going to be this is a process that when we put this in place, and we execute it in a consistent manner and to quality, you’re going to get that additional assurance that you want in your audits. And they have to understand the benefits of it. And they have to understand the limits of it. There are some audits and some business areas that you can’t automate. Flip side, there’s some that you can automate that people get really afraid of. So you’ve also got the sort of the HR dynamic. Oh my gosh. If you automate all of this stuff, where’s my job going to go. And so you get people who were resistant to that as well. The way I typically pitch this, I shouldn’t say pitch, I think it’s true. Auditors don’t want to be bored. Nobody wants to be bored at work. Auditors want to be doing interesting work. Most of all, it is boring. When you sit down and you’re putting together a set of work papers, the process of conducting an audit from start to finish might be some interesting meetings, might be some interesting stuff. You learn about the business along the way. But the bulk of it is going to be doing just scutwork, really dull stuff. If you can automate that and get people to focus on the stuff that they need to be focused on, one, you’re going to get better results because they are going to be again, focused on the problem at hand. Second, you won’t be wasting their time. If you give somebody X number of hours to do an audit, and those hours are spent actually using their brains to think about what they’re supposed to be doing and about the risks that they’re supposed to be illuminating and quantifying, you’re going to get a lot better results. If you can go the whole hog and turn that into some sort of a continuous process so that all the boring stuff never has to be done by a person again. You’re giving your auditors a great experience right. Now, they’re like, hey, I learned this thing. It was really hard to learn, but now I don’t have to do the boring stuff anymore. I can think about this. One of the hardest things in audit to find are things like collusive fraud. That would be ideal. It takes a ton of legwork that you can’t automate, you can’t build an automated fraud detector. You can build a universe of small applications and analytics that can point you in the direction. That’s what people should be doing. They should not be spending their time doing boring automatable thing. So you asked, hey, what are the things that are challenging or are the issues that come up when you’re trying to ramp up a function like this? It’s getting past those organizational hurdles where people are worried about their jobs. It’s getting past the leadership’s lack of familiarity with the tools. It’s getting grassroots engagement. I think that’s the other piece. You need executive buy-in. You need them to understand what’s possible. You need to understand what they want to do. You need to understand what is their vision for this thing? Do they want a be all and end all super analytical function and knock it out? Or are they just looking to automate some things? Or are they looking to get, you always hear the phrase, quick wins? There’s a lot of quick wins to get in the analytics space. If you don’t have anything to start with. It’s really easy to jump in and say, hey, I’m just going to save you the hassle of wrangling 400 gigabytes of data, because it’s just a pain. You can’t do it in Excel and your staff are tearing their hair out. But figure out what their vision is, what do they want to do, and then put together a project plan to get there. And you want to have a combination of sort of visionary things that you put in there, but you also want to have very nuts and bolts. All right. Hey, I’m going to be involved in every planning meeting. I’m going to be involved in annual audit planning. And as I build a team, that team is going to be involved in those things. If I come into an organization. I’m going to start by, one, helping leadership figure out what they want to do, where they want to go. And I’m also going to start talking to the team right away, because if you don’t get the team to buy in, if you don’t get the managers and their staff to buy-in, you will fail. You will not just be able to do it. You have to have that grassroots level of support and you have to have the executive support. The only other piece is time. It takes time for this, especially in a larger organization. You can get measurable results right away. Hey, this went a lot faster. This one a lot better, but it takes a long time to actually put a fundamental process in place that is going to manifest itself in the audit plan in terms of, okay, how many audits did we do that we used analytics on? How much time did we save?

Yusuf Moolla: 

You were talking there about the key challenges being largely managerial, as opposed to needing to find the right technology or find the right data, et cetera. The other thing that we see and that you alluded to was that there’s fear amongst auditors’ directly using that to themselves. The natural reaction would be to just toss that over the fence and get Steve to do it as opposed to have to do it ourselves. How have you overcome that?

Steve Rummel: 

I don’t know if it’s a fear of data or just a fear of new things. And sadly the only way to get past that, and when I’ve run into it, it’s been a training question. I spend a lot of my time now, training staff, training seniors, training managers, training executives, to understand enough of what they need to know so that they can intelligently assess audit analytics in whatever role they have. When you’re talking staff and seniors, if you have a staff or a senior person, so you’re talking like ideally, typically somewhere less than 10 years out of university, in most cases. There are a lot of exceptions. I’ve run into much older staff and seniors. But when you’re running into somebody a few years at a university and they’re really that afraid, you have to ask yourself why. I haven’t seen anything consistent there, but a lot of it is just training. Sit them down and just walk them through. And I think the best way to put it would be any of this stuff, any of these tools that we have, any of the techniques that we have, they’re discoverable. Audit is not rocket surgery. Audit is not even data science. I have a master’s degree in data science. I’ve only scratched the surface of my first graduate school class. Because accounting and finance are fundamentally, in an audit context, really simple. Unless you’re doing some kind of really specialized audit, like model validation audit for a hedge fund or something like that, which that’s a whole separate conversation that has nothing to do with the vast majority of audit. Most audit is pretty straightforward. So it’s talk to the person about it.. What do you do? What are you trying to do? Explain your audit to me. Tell me what you’re doing. They tell you and they say, okay, what are the challenges you face? What’s the biggest pain trying to do this audit. I get this Excel file that’s 400 megabytes. And okay. I can help you with the logistics of that. So it’s trying to find out what the person’s pain point is and solving that. Because even somebody who’s really afraid, paranoically afraid, they still appreciate the effort to help them do what they want to do. So you have to meet people where they are and talk to them about things that they understand. And if that means take it very slow and just, if it okay with you, we’re just going to start right here and we’re going to get about this far and that’s it. But for the most part, what would I see a lot of is it’s not so much they’re afraid. The frame of reference is totally different. I’ll give you an example when typically auditors think in terms of I’m going to take the sample and I’m going to test it. and if they want to get fancy, they’ll say we’re going to take a statistically significant sample and then we’re going to test it. And I say okay, what’s a statistically significant sample of this thing. It’s 60. Okay. Where’d you come up with that? That’s what the public auditor told me it was. Okay. How do they know? I don’t know, it’s 60, it’s like a magic number. And then, if they get really fancy, they’ll go to a website and say, hey, I went to this is website that calculates the, I’m not sure what a confidence interval is, but I know that this is the value I plug in there. Right. So you sit down and you start talking to them about it and say, okay. There’s two things at play here. One, negotiated numbers. You have a partner at a public firm who says, they’re not going to do a sample of 360, even though that would be a statistically significant sample if we wanted a 99% confidence interval. So fine, we’ll take 60. There’s a lot of that that goes on. There is a lot of negotiation in audit. So it’s understanding where those pieces fit in. And then two, going back to the other and say, okay, look, if you want to do detailed testing of a sample of 60, that’s fine. But one here’s what statistical significance means. And we actually just did something recently a big exercise at CVS, where we put together some training to explain to our teams what does statistically significant even mean. And we walked through three pages of a really detailed example of saying, okay, if you do this and this is how you get a statistically significant sample. And by the way, there are ways that you can change the way you sample where you take, you get the sample, but then you start testing. You say, okay, if I can go through a certain percentage of it and find no issues, can I cut off testing early? So we start talking about ways to like really making people understand what the process is. But the better case, and this is the use case that people have been using forever. I got this from ACL and this is the one insight that I love about them. Can you test a hundred percent of population. If you can do attribute testing on a hundred percent of a population and come up with true error rate for the population, bam you’re done. And not only that if I tell somebody, hey, I can give you a Jupyter notebook that’s going to have everything from the data import, the validation. All the things you need to tick the boxes and say, yes, we have complete and accurate data. We tested the population. This is how we tested it. Bam. Here’s the error rate for these parameters that we tested. They’re going to be happy as a clam. And once they do that, then they start to see, they start to think, not in terms of what does an audit look like in my little world, but they actually start to think about the audit as it should be thought of as a means of clearing away the undergrowth and getting to assurance, getting to the actual risks at play. How much have we explained? We have just explained everything about these three things by doing this test. So it’s a change of focus. It’s really easy for us auditors and I’m guilty of this myself. I think we all are where you have an audit plan and we all make our check. Okay, here’s the audit plan, which is a big checklist. And now I’m going to pull the audit out and I’ll just start on the first one. I’m going to start checking it yet. Okay. Did this. I did my kickoff deck and my kickoff memo. I had the meetings I got to work my way down and you get into that mode because we have deadlines, because we have time pressure. And because you have to do quality work, there’s a lot of stuff you just have to do. So you get really good at working your way through a checklist. In audit, that’s the career path. The better you can crank your way through a checklist, the better you’re going to do because you’re going to be doing good work on your time budget. So it’s getting people to stop thinking about that. And that goes back to executive support as well, because analytics will save you time but you do have to invest time to do it. And sometimes, analytics doesn’t work. You may say, hey, I’m going to look at this data, give me a week with it. You play with it, you stretch it. You bend it eight ways from Sunday and you might come up with something interesting, or might not. And you might find that you can’t do the testing that the audit team wants to do. You can’t do it in an automated fashion. You can certainly help them understand the context of the business process and the data, but you may not be able to give them that home run thing. And that’s something you have to be willing to do. And something that leadership has to be willing to accept that there’s not always going to be a DA play. I go to all the prep meetings for every audit that kicks off and one of the deliverables I have to my audit teams is, I will give you either an analytical plan for what I think we should do based on our conversation. So it’s not my plan, it’s our plan. But I’m going to tell you technically how we’ll do it. Or I’m going to write a paragraph saying there is no DA play here, and here’s why. And I will list out in English why we’re not doing any kind of analytics, because again, my leadership, they’re like you’re a data guy and you’re telling me you’re not going to do any analysis. Yeah, there’s no play here. And here’s why, and you explain it in plain English and that takes time. Doing something simply and clearly actually takes a lot more time than doing something, just writing paragraphs and paragraphs. Writing a nice short, concise audit report is a hallmark of a great audit manager to my mind, but it takes time to do it and it takes talent to do it.

Conor McGarrity: 

I’m just going back to something you said there where you guys like to get in and with the real hairy stuff, get the data analytics team involved as opposed to the auditors themselves. So they kick over some of the more complex analyses to you guys. Is that a sign of success then for you guys, when your services, Steve, are oversubscribed? And if that is the case, how do you then prioritize your team’s ability to assist the auditors on their projects?

Steve Rummel: 

That’s an excellent question. I have yet to get to the point where we were oversubscribed, because again, it takes time to ramp up. So if you have a 200 person audit shop and so in CVS, we have an actual dedicated data analytics function. They have a lot more high end hardware and some applications that I know how to use, but I don’t have direct access to because I have a laptop. I can run Python on there. I can run Alteryx on there. I can run Tableau on there. But the gerbils in my little Dell are not going to be able to run some kind of clustered computing application. I don’t have that. So we have a national team. Their role is a little different than mine. They have their own sort of analytical plan that they put together. So my primary driver is I serve the PBM audit plan and secondary to that I serve the rest of the department’s audit plan. So I’m the service Bureau. I go out and I work with the auditors. The national team, they will do that if they are asked. So if I get in something where I’ve got like four terabytes of data, I can’t do anything with this. I know what I want to do. I can’t do it. Can you guys handle this for me? We’ll figure it out. Yes. Okay. So we’ll work with that. But to your question, what do you do when you’re oversubscribed and how do you prioritize? Every large organization I’ve worked for, the audit plans, they spent a year. So if you do some planning correctly, assuming you do some planning correctly, you don’t really have to worry too much about that happening because you’ve looked the audit plan ahead of time and said, okay, we know we’ve got some audits come up that are going to use our system of record and is going to take up a ton of data. So we try to space things out anyway, because we don’t want to be banging on the same data provider all the time. That’s a really good way to lose friends in audit is to always nag the same. If you’re always auditing the same business process, or God forbid, you’re always asking the same team because you have one data team that supports multiple business processes and all. And they’re like, why you always calling me? Cause we’re auditing all the people you serve. So what we try to do is we try to rationalize. We rationalize our data requests. So if we know that we’re going to be auditing from the same data source, and we have several large ones, but if we know, hey, we’re going to be hitting this one a lot. We’ll reach out at the beginning of the year. We’ll tell them, hey, this is what we’re doing. So we really try to avoid those bottlenecks. Typically the bottlenecks are not with our capacity. It’s with either trying to get IT to schedule stuff. Because again, rule number one of audit, especially IT audit, don’t mess with production. Do not mess with the production. So we’re respectful of that. We try to have an SLA, a service level agreement with our auditees and IT, so we can avoid that. But how do we prioritize? There are times where we will sit there and say, okay, which one’s more important. Fortunately, I don’t have to make that decision too often because when we do our audit plan, we do what we call a risk-based audit plan. It’s a hybrid. Our risk-based are many of our risks are based on what the business leaders of the different business units tell us. When we do interviews Q4 of the previous year, we’ll say, okay well, you know, we’ll keep you awake that what are the new things on the horizon? And we also look out at the literature and landscape and say, okay, what’s coming in from outside the organization that we need to look at. Are there legislative changes? Are there other cyber threats there? Of course. Yeah. But we have a ranking of our audits and it’s not hard and fast or cast in stone. But we know what audits like. Okay, these five got to get done. And they take priority. And then these others. Yeah. If something had a slip, we’re going to pick this one over this one. Then we have some that are right at the bottom of our sort of modeling approach and we accept this going in. At the beginning of the year, we know that not every audit we put on the plan is going to get done. Because chances are something’s going to happen during the course of the year that we’re going to have to then add an audit to the audit plan and rejigger everything. So what are we comfortable dropping off the auto plan? And we have a whole change management process for our audit plan. That’s another thing, actually. Having good processes in place that you can integrate the data analytics process into is another key thing.If you’re going to make a change to the audit plan, do you have a defined change process where you say, okay, we’re proposing a change to the audit plan based on this, that, and the other thing. And here’s our rules, we’re changing it. And this is the risk assessment, Because it makes the conversations with leadership easier when you’re like, hey, we said were going to do this thing, now we’re not going to do it. And when we go to our audit committee and have to explain why we’re swapping stuff out, we need to be able to explain that. To your point, I have not seen us get so oversubscribed. And again, I feel like it’s because audits are not necessarily, there’s a lot of manual components to it. And there’s also a technology win already. So we already have at CVS and other places I’ve been to, functions where like we use robotic process automation in multiple areas, a lot of the stuff that would normally take up a lot of time, not that it doesn’t, there’s still auditors doing stuff, but already started to automate a way. the really just, I don’t even call it analytics, the pure like RPA stuff. I don’t think anybody would ever call RPA analytics, but it’s deploying technology to automate things and to save time and to save your staff from drinking on the job because out of sheer boredom. So we don’t really have too many problems with that note. We’re all busy. We’re all crazy busy, but we have never had a case that I’ve seen where we had to say, yeah, we just can’t support this because we’re just too to the wall. We can usually move things around or just shift deadlines around a little bit. And I think that’s a real key thing too, when you’re talking to leadership and you start saying things like hey, if I need to move a deadline by a week or two or a month even, or hey, I’m going to take an audit that was supposed to release the end of Q2, and I’m going to push it into the end of Q3, as long as you can make a case for it and your management is reasonable. I’m like, okay, I get it. You’re going to do everything you said you’re going to do this year, but we have to move things around. All right, that’s fine. And when we go to our audit committee meetings, I don’t get to go, but when our CAE goes to the audit committee meeting and says, hey, we’re still doing all this stuff, we had to move this one around. We had to move that one around. Yeah. There’s always going to be a certain amount of what percentage of the audit plan is done as of the end of Q2? And if it’s not 50%, if it’s 40%, then like, well, we’re behind now. You’re not behind. We’ve got a whole backlog of right here and there. Two weeks from now, they’re all going to be done. Yeah. So to your point It’s a lot of planning and just trying to be organized and consistent and have processes and actually have trust. We have to be trustworthy stewards of the resources that we shepherd and the processes that we audit and our audit process in and of itself. So that when we say we’re going to do something and that we need the extra two weeks to do it, we actually can justify it.

Yusuf Moolla: 

You mentioned RPA there. Just curious what the span of work that would involve the use of robotic process automation would be. Is it primarily in the compliance areas and SOX areas, as you were talking about before, where there’s that work that just has to be done every year, as opposed to those that would roll through an audit plan?

Steve Rummel: 

Right now, I am not the expert on that. I talk to the RPA team a lot. In fact, one of our data analysts on the national team, he’s also their RPA guru who has a couple of hats. And he’s also a frighteningly intelligent young man. So I deal with him all I can. We use it for compliance testing. We use it for SOX. We also use it for pretty much any kind of a process that is repetitive, that we know we’re going to have to use. If there’s a process that involves gathering information by logging into some kind of a web based portal and then going through a whole bunch of menus and then downloading a bunch of PDF files or word documents or something like that into a repository so that an auditor can go through them and not have to waste the time of picking their way through a web interface to get stuff. Or even better, take the output of it and pipe it into some kind of an OCR application that’s going to then open the things up and extract the information that we want and stick it into a lookup table, something like that. It’s kind of across the board. I know that there is a concerted effort to use it for and has been to use it for compliance and SOX, but we are looking to use those tools in any way shape or form we can to support audits just in general. I don’t like to draw distinctions between okay. You’ve got compliance audit. You’ve got SOX. You’ve got IT audit. It’s a business process. If you want to really audit correctly, you’re auditing in alignment with the way a business runs. Ideally not just the business segment, but the way the business segment interacts with other business segments. Like where I am, we have an IT audit shop and they focus on the typical IT audit things. But where I am now, unlike places I’ve been before, where if you said, we have concerns about segregation of duties on our database cluster. Then that’s IT audit, that goes to the IT auditors. With us, if it’s ours, and we own it. It’s PBM. We’re going to look at it. So if that means I’m going to be doing SoD testing, which would normally be in IT. We’re going to do it. Period. So we deploy tools wherever they’re needed for, whatever they’re needed for. That experience has been unique to CVS. Every other place I’ve worked in my career, they had very defined cases that like RPA, every place else had been RPA was pretty much a SOX thing or a compliance thing. But again, RPA is actually relatively new. It’s not brand new, but it’s only been big for about the last 7- 10 years. And I feel like there’s a lot of organizations that don’t really use it yet. Partly because it takes a lot of time and frankly money to roll the thing out. It wouldn’t surprise me to see it get a lot bigger because once you get the things set up and if you do it right, you can save a lot of money. And again, people stop drinking on the job.

Conor McGarrity: 

CVS actually stands for consumer value stores, which is excellent. And your company objective is helping people on their path to better health. So one of the things we try and talk about in this show is aligning internal audit with the objectives of the company, in which, you know, internal audit is focusing on how data analytics can contribute to the purpose of an organization. Are you able to tell us about one or two of your projects that you’ve been involved in CVS or elsewhere that have really contributed to that consumer health or where the end user actually gets the benefit of work done by internal audit?

Steve Rummel: 

So I can tell you this. I came to CVS precisely because of that, our CEO, he just retired a couple of months ago. About a decade ago, he decided to stop selling tobacco products out of any of our retail pharmacies, because he said it made no sense to sell tobacco products and smoking cessation and cancer drugs from the same store. That was when CVS actually came onto my radar besides a store that I used to pass when I drove to and from home. So yeah, CVS is very much that people take that seriously. We take it seriously. I take it seriously. It’s one of the reasons I’m very glad to be there. I would like to tell you stories, stories about specific things. But unfortunately, I can’t. I will tell you this, however. We have pharmacies that deal literally with any drug that you would ever need. So everything from aspirin or all the way up to cancer treatment drugs and esoteric drugs. And we have a multitude of programs and plans in place that our goal is to make sure that every one of our customers, no matter what plan they’re a part of, what employee group they’re part. Like American healthcare is disastrously, horrifically complicated, I get to see how the sausage is made, it is every bit as complicated as you can imagine. And I only see the drug provision. So from the time a prescription comes in to the time it actually gets filled. Everything that happens in there. So that is my entire universe all day, every day of the week. We go to great pains to pay particular attention to where there are things that impact people’s health dramatically. So we have an entire group that does nothing, but look at specialty drugs. So God forbid you have cancer or some exotic disease that you need a drug that cost a hundred thousand dollars a week. We pay attention to that stuff. And we are, as a team, very cognizant of the needs of our customers. When we do our audit planning for the year, we have extensive and sometimes violently, but constructively, fireworky conversations about things that we feel strongly about. And when we put the audit plan together, that is the entire focus. What are we doing to help our customers on their journey to better health? If you were to imagine for yourself what a risk map would look like of an organization that deals with that kind of thing, I can assure you that ours looks exactly like you would hope it would.

Yusuf Moolla: 

A lot has happened over the last 20 years, as you’ve spoken about in terms of mindset, in terms of capability, uptake, the tools and technologies that are available, the techniques that are being used, the number of people that are involved. What are you planning for over the next three to five years say? What do you see coming down the line that you think will have a major impact on your job and the way in which auditors’ generally use data?

Steve Rummel: 

I think you’re going to see a generational change. I don’t know about three years, but as the individuals who were like my age and younger, as we move into more senior leadership positions and have a better understanding of the tools and techniques that are available and data and frankly, a much more flexible outlook on the way organizations run. Let’s say, there’ve been a lot of changes, just in organizational dynamics as well. 50 years ago, you started a company and you stayed there for your whole career. And these days that doesn’t happen anymore. So there’s a lot of stuff happening outside that definitely impacts the career paths of human beings, and that impacts the way businesses work. We’re all a lot more flexible and you hear, even large companies like ours, we are having to respond to all these changes. So the changes that you’re going to see are not going to be technological cause that’s just a constant. I think what you’re going to see is a lot more robust and mature use of AI, the writing’s on the wall. It’s been there for a while. It’s getting there. especially now that we have companies like Google and Facebook, who’ve been around long enough. That the senior people in industry have seen their fancy data tools. They don’t understand them, but they know that they work. So I think you’re going to see a lot more of these tools migrate their way into businesses and start speeding up, make things much more efficient. They already have done that in finance. They’ve done that in search and marketing advertising. You’re going to start to see that push down into other areas of the business as it should. I’m hoping that what you’ll see is all of that getting paired with solid project management risk assessment, which is where we, as auditors, can come in. Because implementing fancy technology without a good plan is a recipe for disaster. And in the past you could get away with it. Now at the speed things go, you can’t. And the magnitude of error you can make by not executing a project with analytics, the damage just goes way up. But I think most of us are going to see as a cultural change in senior management, as current senior management who came up before the internet was even a big thing or right when it was happening. Once they leave and a lot of the people who grew up on this, you just live and breathe it. They’re gonna start moving into roles. They’re going to be much more focused on their teams and on tools and getting the job done and they’re going to be less focused on, organizational politics. So it’s a cultural change. I think you’re going to see more of that. I hope you’ll see more of that in my career. in the place that I’ve been, where I was able to be successful. It was largely because the organization was willing to allow teams to do their jobs well, and to be a service Bureau to the organization. So rather than the traditional, I’ve built a kingdom, I’ve got this nice pyramid of people below me. It’s more I have these little pockets of capability and competence, I know the IT people, and I know the audit people, and I know people who deal in this thing. And we all get along and we all know each other and a much more free-flowing and collaborative environment. I can only judge from what I’ve seen, but from a purely subjective standpoint, that’s what I see. And that’s what I’m hoping will work.

Yusuf Moolla: 

Steve Rummel from CVS Health. Thank you very much for joining us.

Steve Rummel: 

Thanks. Take care.

Conor McGarrity: 

Thanks Steve.