It was hard to believe, but I had now been at this (data analytics to support audit) for 20 years. And I still found it interesting, challenging, frustrating, rewarding and aggravating – all at once. I was constantly being asked to access new systems and perform analysis for different types of audits. At the same time, I had my regular monthly routine tasks of extracting, downloading and cleansing data we…
Note: I hope this is like the ACL forum where there are more people reading it, but not posting questions/answers. While I am enjoying my trip down memory lane – it is a lot of work and it would be a shame if I was the only one reading the posts. My aim was to encourage discussion and sharing – this is not happening and lessens the value of the…
This is Part2 of an article on developing quantitative indicators of risk to support the annual risk-based audit planning process. Part1 presented the concept that risk (Probability and Impact) can be measured quantitatively by looking at Complexity and Change (which increase the probability) and Materiality or Volume (which increases the impact). It also encouraged you to look at more than financial risk. Part 2 presents examples of indicators of risk…
This was my first attempt at identifying risk to support the development of the annual risk-based audit plan (RBAP). I have been involved in the development of the RBAP – even responsible for it – over the years and always felt that it was more professional opinion than anything else. Some people built a spreadsheet with weighting factors 1-5 and fooled themselves into believing that there is a logic and…
From time to time I was lucky enough to get to do some consulting work. These were usually fairly large audits, involving a number of external experts. As the “data guy” I was often given very little time to perform the required analysis. On such audit was a review of the costs for a major construction project. The audit team did not have all of the necessary expertise and had…
This was the year that I re-published my second book “Fraud Detection: A Revealing Look at Fraud (2004). This dealt with obtaining, verifying and analyzing the data to support fraud prevention, detection and investigation. However, it was also relevant to regular internal audit analyses. I thought I would do something a little different this week – so here is a fraud analysis story. It is based on an actual fraud…
People, even those that perform analytics, often think that data analysis can only be applied to financial-type audits. I have tried to highlight other types of audits where analytics played a significant role including transportation, inventory, and hazardous materials (environmental). In that vein, I offer you analysis that was part of an HR recruitment audit. he organization was an international/national police force. Like many police forces, it needed a fairly…
It was beginning to almost become routine – get data, perform analysis, identify significant results, make recommendations and, often, transfer the analysis jobs to management for continuous monitoring. This doesn’t mean that there were problems: obtaining the data, persuading audit teams to use analysis, and sometimes convincing management to address the control problems. It was a challenge and it kept the job interesting. I was also performing consulting from time…
Second part of article on making IT Audits more effective and value-added …. The next area that will need to be address by CAEs is ensuring that risk-based audit plans are relevant and that selected audits provide maximum value to senior management. Today’s business environment changes rapidly to adjust to market conditions, evolving legislation and economic forces; and the risk-based audit plan must keep pace with this rapid change if…
Many audit shops rely on IT auditors to support their use of data analytics; however, the IT audits typically focus on general and application controls. Around this time I wrote an article for the EDPACS magazine which encouraged IT auditors to look beyond the black box – to look at how IT supports, drives, and impact business processes. I have included below. IT Auditors need to come out of the…