The Risk-Base Audit Plan (RBAP) is an important output of Internal Audit. Not only is it a requirement of the IIA standards, but it also focuses audit on the most significant risks affecting the organization. In addition, it gives the Chief Audit Executives (CAEs) everything they needed to determine which audits will be performed and when; and to identify the required audit resources. However, developing a robust RBAP is not…
Dave Coderre, RiverAA I have been performing analytics for more than 30 years and I am not sure if it was simply a case of “hard to teach an old dog new tricks” or what, but I never really saw the point of visualizing the results. If I run an Accounts Payable duplicates test and identify $500K in duplicates and can tell you that it is because of three main…
For years I have been thinking about Risk, Controls, Black Swans and Entropy; and more recently about Analytics and RPA. Only recently did I understand how these are all connected and impact large and small organizations – particularly in activities that are high-risk and strictly controlled. Sadly, these tightly controlled areas are often overlooked until it is too late. Which bring us to Risk and Controls. Risk and Controls: Business…
I purposely made the first title more dramatic than needed to make people understand that Continuous Auditing needs to be looked at from a different perspective. In fact, it is the original perspective – Risk and Controls – the needs to be adopted. Unfortunately, the concept of Continuous Auditing transformed into “data analysis” which often resulted in auditors simply reporting errors and exceptions and not tying these back to the…
As the principle author of the Institute of Internal Auditors (IIA) Global Technology Audit Guide (GTAG) on Continuous Auditing (GTAG#3), I hope that you will grant me the prerogative to state that “Continuous Auditing is Dead”. Continuous Auditing – a misnomer as it should have been called ‘Continual’ Auditing – was never fully understood or accepted by auditors or by audit clients. The idea behind Continuous Auditing was to improve…
The identification of duplicates ultimately comes down to finding a balance between the False Positives, False Negatives and True Duplicates. This article discusses various approaches to reducing the number of False Positive and False Negatives – making the duplicate results more reliable. The concept of identifying duplicates is fairly simple: do two records have the same values? If yes, then they are duplicates. However when dealing with names and addresses…
For years I have written about data analysis to identify and assess risk, to detect and prevent fraud, and to improve business processes (efficiency and effectiveness). Please allow me to, just this once, talk about something more personal that affects every parent and every child: “The Talk” about sex. If you are like me, a father of two girls, I was more than happy to let my wife give them…
GRC: Governance, Risk and Compliance (or, in my view, Controls) is critical to companies that want to remain viable. A company’s GRC activities should be not just coordinated, but also integrated to provide all levels of management with a view into changing risks and risk levels. If you do not have structures and procedures in place to monitor, identify and assess these risks you are less likely to succeed. Want…
A proposed integrative model Dave Coderre, CAATS, www.caats.ca During the strategic planning process senior managers propose goals and objectives for the coming year. ERM should evaluate objectives to ensure that risks have been considered and the chosen objectives are consistent with the entity’s mission. The risks should be analyzed and prioritized and mitigated by an appropriate response that considers the entity’s risk tolerance and risk appetite. The risk appetite will vary depending on…
Enterprise risk management (ERM) and performance management (PM) are two essential processes for the management of an organization. Both are designed to support the organizations’ efforts in making decisions and meeting its goals—ERM through the identification and management of those risks that could affect business objectives, and performance management through the identification and measurement of the drivers needed to achieve results and provide value. Yet despite having mutually consistent objectives,…