For years I have written about data analysis to identify and assess risk, to detect and prevent fraud, and to improve business processes (efficiency and effectiveness). Please allow me to, just this once, talk about something more personal that affects every parent and every child: “The Talk” about sex. If you are like me, a father of two girls, I was more than happy to let my wife give them…
CEOs Need to Wake up to the Strategic Importance of GRC
GRC: Governance, Risk and Compliance (or, in my view, Controls) is critical to companies that want to remain viable. A company’s GRC activities should be not just coordinated, but also integrated to provide all levels of management with a view into changing risks and risk levels. If you do not have structures and procedures in place to monitor, identify and assess these risks you are less likely to succeed. Want…
Linking ERM and Performance Measurement – part #2
A proposed integrative model Dave Coderre, CAATS, www.caats.ca During the strategic planning process senior managers propose goals and objectives for the coming year. ERM should evaluate objectives to ensure that risks have been considered and the chosen objectives are consistent with the entity’s mission. The risks should be analyzed and prioritized and mitigated by an appropriate response that considers the entity’s risk tolerance and risk appetite. The risk appetite will vary depending on…
Integrating ERM and Performance Measurement: Part #1
Enterprise risk management (ERM) and performance management (PM) are two essential processes for the management of an organization. Both are designed to support the organizations’ efforts in making decisions and meeting its goals—ERM through the identification and management of those risks that could affect business objectives, and performance management through the identification and measurement of the drivers needed to achieve results and provide value. Yet despite having mutually consistent objectives,…
Auditing the Right Things
Is there a mismatch between where internal audit spends its time auditing and the risks that organizations face? Boards/audit committees should constantly re-evaluate whether internal audit is being used effectively to deliver risk-based assurance. The fundamental questions for boards/audit committees are: are we doing the right audits; and are we doing audits right. In previous articles I have discussed ‘how to do an audit right’ – namely, the importance of…
Making IT Audit more Effective and Relevant – part #2
The next area that will need to be address by CAEs is ensuring that risk-based audit plans are relevant and that selected audits provide maximum value to senior management. Today’s business environment changes rapidly to adjust to market conditions, evolving legislation and economic forces; and the risk-based audit plan must keep pace with this rapid change if it is to properly identify and assess emerging risks that can impact the…
Making IT Audit more effective and relevant – part #1
Are you an IT auditor who takes comfort in your specialized knowledge and feels secure in assessing general and application controls – but does no more? Then you need to wake-up to today’s business environment and step out of your comfort zone. You also will probably need to pull the general auditor away from the safety of pure compliance audits. The notion of the integrated auditor was usually applied to…
ACL Scripts Part #5 – Validating User Input
If you have been trying to build scripts following my previous posts, then you are ready to make your scripts a little more robust; particularly if your scripts will be used by other people. There are always issues when you prompt the user for input such as: did they actual provide any input; and is the input the right type and correct format. Since the proper running of the script…
ACL Scripts Part #4
In my previous discussion about variables, I neglected to mention ACL system-generated variables. These are more evident now, and can easily be seen by using the Variables tab in the Overview/Navigation window. The most common use of ACL system-generated variables are those created by the STATISTICS commands: MAX1, MIN1, HIGH1, LOW1, AVERAGE1, RANGE1, TOTAL1, COUNT1 and ABS1. These, and other variables, are created by the execution of ACL commands and…
ACL Scripts Part #3
Scripts are a powerful way of improving consistency and speed when processing the same commands over and over again. But they can also be used to provide relatively novice users with the ability to run more complex analysis. By now you may be ready to develop more interactive scripts that you can give to other users. This usually requires prompting the user for input; validating the input; and acting upon…