Year 9 – 1996 – Promoting CAATTs

I had been writing articles for the Internal Auditor (IIA) and other audit-related magazines for several years now, but I wanted to do more to educate and encourage auditors in the use of analytics.  One day I realized that if I assembled all of my previously published IIA articles, I had about 50% of the content necessary for a book on analytics.  So I started developing an outline and writing more content.  It took about six months to combine what I had and write the other 50% and the result was “CAATTS and Other BEASTs for Auditors”.   The book was published by Global Audit Publications, the publishing arm of ACL Services.  It was their first publication – other than software manuals.  Now I was a published author.

CAATTs and Other BEASTs explained how various types of software – from word processing to data analysis – could be used to support the planning, conduct and reporting phases of the audit.  It was well received by auditors who were looking for guidance in the use of analytics; and I was encouraged to write more articles and even another book (but not right away).  Even though it had a limited audience, the final sales total, after several years, was over 5,000 copies.

The next audit I supported was an environmental audit of hazardous materials.  The objective was twofold: ensure that hazardous materials were properly stored and disposed of in accordance with environmental laws and regulations.  At the beginning of the planning phase, I asked the auditors where they were going (i.e. where the onsite audits would be conducted).  They told me that they were going to three large sites (one on the east coast, one in the central region and the other on the west coast) and three smaller depots close to the large warehouses.  They explained that this would ensure all regions were covered and that small and large sites were audited.  Sounded good, but based on my analysis, one of the large sites and two of the smaller ones did not have any hazardous materials.  This wouldn’t make for a very good audit.

Year 8 – 1995 – HR analysis

Our analytics team was running on all cylinders and achieving significant results.  This was not just my opinion; we received an ISACA Award of Excellence at the Info Tech Audit ’95 conference for leadership and contribution to the IT Audit Community.  Amazingly, it was a $1,000 cash award.  The team (3 people) went out for a celebratory dinner and donated the remaining funds to a local charity.

By now we had a steady stream of auditors seeking data extractions from 30+ information systems.  We had standard monthly extracts in place for the major systems (8-10) that we accessed on a regular basis; and we were able to handle one-offs fairly well.  We still heard the usual arguments from IT (you do not have authority to access the data, it contains personal info, you don’t have the security, etc.) when we sought access to a new system, but we were getting better at countering their arguments with solid facts and obtaining the necessary access.  The more difficult issue was changes to existing applications.  We were not informed when things like record layouts, file names, transaction types, etc. changed.  This meant that we had to constantly be verifying the integrity of our standard extracts and the scripts that we had developed.

To date we had used the personnel data to verify pay rates as part of a payroll audit; to determine personnel costs for a cost recovery audit; and for a number of other audits that required HR information.

The first HR audit to use data analysis was an audit of an employee reduction program.  The company was downsizing and eligible employees were being offered a buyout package.  The package was made available to full time employees and the buyout was based on years of service (including casual or part time employment) and current salary rate.  The initial audit objective was to determine if the buyouts were for the correct amount.

Year 7 – 1994 – Transfer of Audit Analysis to Mgt

Having been a member of the IIA since 1990, I always looked forward to the Internal Auditor magazine.  However, it rarely included articles on computer-assisted audit tools and techniques (CAATTs).  I wrote the first of several articles on data analytics, “Computer-Assisted Audit Tools and Techniques: The Power of CAATT is turning up the ‘can-do’ potential of some audit shops”.  It was published in February 1993 and, to my knowledge, was the first time that the acronym “CAATTs” had been used anywhere.  Previously there was only one “T” as in “CAATs” but it was never clear to me if the “T” stood for tools or techniques – having two “Ts” solved that issue.  I also proposed the establishment of a regular column called “Computers and Auditing”, and James Kaplan and I were the first co-editors.  The column, replacing “PC Exchange”, debuted in February 1994 with my first column “Auditmation”, which included four different audits where analysis had been used.  James and I were co-editors for several years and I wrote many columns on data analytics and audit.  These became the basis for a book I wrote several years later.

At my regular job, I worked on a repair and overhaul audit.  Our company had contracted out the maintenance of specialized equipment to several vendors.  As per the contract terms, the vendors were required to maintain an inventory of critical parts for which we paid the storage costs and the purchase price when used.  The vendors were also loaned specialized test equipment to be used for repairs and testing of our equipment.  The audit objectives included the verification that the vendors were complying with the terms and conditions of the contracts.

Year 6 – 1993 – Promoting Analytics

Analysis had proven to be successful in not only supporting the conduct phase of internal auditors but also during the planning phase. More and more we were being asked by audit teams to perform analytics to support the development of the audit scope and objectives. However, there were still team leaders that avoided the use of analytics.  “Analytics won’t be of any use in this audit” was still a familiar response to “can we help you?” As part of a sales push, I produced a monthly report describing the new data sets/applications that had been accessed that month. Audits were listed, and details of the types of analysis, the results, and the benefits of analytics in time, cost, efficiency, consistency, coverage, etc. were highlighted. Typically, six to seven audits were featured each month and the analysis covered HR, IT, operations, finance and administrative audits. But we had to keep expanding our capabilities and what we could access.

The challenge this year was accessing and understanding the legacy pay system which was still used for about 70% of the employees. The application created an IBM 25,000 byte variable block data set for each employee. The first 500 bytes were a fixed block with basic employee information such as name, employee number, address, etc. The remaining portion of each record consisted of a variable number of 50 byte segments that were one of 26 different types – each with its own layout (e.g. type “A” was a regular pay segment which had the paid date, pay rate, and pay amount; “B” was an adjustment record type with the pay date, adjustment amount, and reason; “C” was an allowance record with the pay date, start and end date of the allowance, type of allowance, and amount; etc.). The hardest part of the analysis was building and testing the table layout. But, not only were we able to read the record and produce a fixed block output for further analysis, we were also able to produce the employee’s summary pay information, including the income tax filing data. Currently, this was done manually by the pay clerks because the complicated legacy system had not been updated to reflect changes in tax laws for several years.
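As an added illustration (not the author's scripts or the original table layout), the sketch below flattens one such record into fixed rows, totals the amounts per segment type, and reports segment types it has no layout for instead of dropping them. The record sizes and the fields named for types A, B and C come from the text; the byte offsets, the type code in byte 0, the header fields and the EBCDIC code page are assumptions, and the sample record is constructed.

```python
from decimal import Decimal

ENCODING = "cp037"     # assumption: EBCDIC text fields; the page does not say
HEADER_LEN, SEG_LEN, MAX_LEN = 500, 50, 25_000   # sizes given on the page

# Assumed layouts: byte 0 of a segment is its type code, then (name, start, end).
LAYOUTS = {
    "A": [("pay_date", 1, 9), ("pay_rate", 9, 18), ("amount", 18, 27)],
    "B": [("pay_date", 1, 9), ("amount", 9, 18), ("reason", 18, 50)],
    "C": [("pay_date", 1, 9), ("start_date", 9, 17), ("end_date", 17, 25),
          ("allowance_type", 25, 27), ("amount", 27, 36)],
}

def parse_record(raw):
    """Return (header, fixed rows, unrecognised segments) for one employee record."""
    body = len(raw) - HEADER_LEN
    if body < 0 or body % SEG_LEN or len(raw) > MAX_LEN:
        raise ValueError(f"bad record length {len(raw)}")
    text = raw.decode(ENCODING)          # single-byte code page: offsets unchanged
    header = {"name": text[0:30].strip(), "emp_no": text[30:39].strip()}
    rows, unknown = [], []
    for off in range(HEADER_LEN, len(text), SEG_LEN):
        seg = text[off:off + SEG_LEN]
        layout = LAYOUTS.get(seg[0])
        if layout is None:               # layout drift: report, never drop silently
            unknown.append((off, seg[0]))
            continue
        row = {"emp_no": header["emp_no"], "seg_type": seg[0]}
        row.update({name: seg[a:b].strip() for name, a, b in layout})
        rows.append(row)
    return header, rows, unknown

def pay_summary(rows):
    totals = {}                          # segment type -> summed amount
    for r in rows:
        totals[r["seg_type"]] = totals.get(r["seg_type"], Decimal(0)) + Decimal(r["amount"])
    return totals

def _pad(s, n):
    return s.ljust(n).encode(ENCODING)

# Constructed sample record: header plus A, B, C and an unmapped "Z" segment.
SAMPLE = (_pad("DOE JANE".ljust(30) + "000123456", HEADER_LEN)
          + _pad("A19930115000012.50001000.00", SEG_LEN)
          + _pad("B19930115-00050.00OVERPAYMENT", SEG_LEN)
          + _pad("C199301151993010119931231HS000075.00", SEG_LEN)
          + _pad("Z19930115", SEG_LEN))
```

Calling `parse_record(SAMPLE)` returns three flattened rows and one unrecognised segment at offset 650; a non-empty unrecognised list is the signal that the source layout has changed and the extract needs re-verification.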

