A common problem that presents itself when doing analysis is the need to extract detail records that match a list of values (criteria) in another file. This can range from simple to more complicated, primarily depending on the nature of the match. The following describes three approaches, based on the objective of the analysis. Simple question: A simple question of this type is where we have a file with detailed…
Studies after study have shown that data analytics is more effective and efficient at detecting risk, and identifying control weaknesses, non-compliance, and inefficient business processes. Chief Audit Executives (CAEs) have repeated stated that data analysis expertise is a much needed skill in internal audit, and IIA surveys of software over the past 10-15 years have rated data extraction, data analysis and analytical software as critical tools for effective audit organizations. …
Even though I am retired, I am still getting to do interesting analysis – perhaps even more so because I get to pick and chose want I want to do. In this case, I was asked to assist with an audit being performed by a municipal audit function. A large city had an internal audit group that was interested in auditing revenue – primarily from property taxes. One of the…
The following posts is part 2 of “Adding Value to Compliance Audits” Given a good understanding of the current level and sources of risk, the next step is to look at the requirement for, and the adequacy and effectiveness of, the control to mitigate the risk. This requires an understanding of the cause and source of the risk and the operation of the control. Is the control still required? Does…
I have often been critical of compliance audits, but I recently realized that it is not the ‘compliance audit’ that bothers me, but the way it is done. This led me to write the following thoughts. It is difficult to argue that compliance audits are not an important internal audit product. Done properly, they can protect a company from fines, penalties and even criminal charges. For example, non- compliance with…
I didn’t realize how quickly it would take to get to 30 years when posting one blog per week for each year (30 weeks). Even drawing some of the posts out to two weeks didn’t add much. So now I am posting additional analysis performed over the years. Another thing I didn’t take into account was that I would continue to perform analysis – even after I retired. So I…
I have been away on vacation and now I have exams to mark and Christmas preparations to finish. So, I must confess that these examples are fillers as I have been too busy to write much else these days. However, I do still feel that they have value. Sometimes fraud is detected through the identification of missing items or transactions; in other cases unexpected transaction are found, highlighting the fraud. …
It is always important to test controls when systems and/or processes change. Sometimes a current process may have adequate controls, but the new process may not be as secure. Equipment Serial Numbers A large company with several plants purchased expensive, highly specialized, equipment for use in its manufacturing plants. A central purchasing organization made all the purchases and the inventory held until required by a plant. The inventory manager was…
Hidden Costs The true cost of fraud is more than the total of the financial losses. Stockholder confidence, employee morale and other intangible factors must be added to the monetary losses. Most managers agree with this assessment; however management often encourages fraud by placing unrealistic goals on employees, or by disregarding the rules themselves. Auditors must be aware of the pressures placed upon employees that may lead them to commit…
COSO had released an update to COSO-ERM which included Principle #8 (“The organization considers the potential for fraud in assessing risks to the achievement of objectives.”) related to fraud risk. David Cotton (Cotton and Company LLP) put together a team of experts to develop guidance on how the audit profession and management could address the requirements of principle #8 and I was fortunate enough to be invited to be part…