Despite years of Chief Audit Executives stating the data analytics are a necessity for efficient and agile audit, and requiring auditors to have analytic skills, analytics still often fail to deliver. I have often heard. “We didn’t have time to investigate the results of the analytics”, “We didn’t have time to get the data”, “The data doesn’t have integrity”, ”We didn’t understand the results”, “We didn’t know what to recommend…
Reflecting on 35 years of performing analytics to support internal audit, finance, and fraud detection has led me to a – not so startling – revelation: you can build the best analytics in the world, and they still might not be used by internal audit. Analytics I have developed, even with significant client input, have not been used or were limited in their use: either time or extent. The question…
When I am asked, “What does an internal auditor do?” my response is usually, “How much time do you have for me to answer that question?” As a long time internal auditor (35 years), I have often been disappointed by the perception of management (and others) regarding the purpose and value of internal audit. Ask management about internal audit and their response if usually that audit reviews financial statement and…
At the end of the year, I tend to reflect back on what I have done or not done. It occurred to me that 2023 will be my 35th year using ACL Analytics (Galvanize, Diligent) on a daily basis. Throughout the years I have had many failures and successes. I have learned from identifying lessons-learned when things worked and even more importantly when they did not. I also took responsibility…
My understanding is that SAP user roles are difficult to design properly, and the review of user authorizations and access rights is equally challenging. I thought that I could use analytics to identify instances where a user had performed transactions that constituted a potential separation of duties (SOD) issues in the FI component and support management in their reviews to identify roles that were not designed properly. The analysis utilized…
I was fortunate it my early career by a forward-thinking manager. Back in 1990, my manager allowed me to explore the notion of data analytics to support audit. The manager also had the view that the analytics developed for the audit (e.g., AP analytics) should be handed over to management for their use (e.g., AP manager does continuous monitoring). So, I began my analytics career with the notion that analytics…
This is the next post in a series that discusses the importance of having a proper audit objective, defining the business goals and objectives, and the risks to the achievement of those objectives. This article will discuss the identification and assessment of risk. The next series of articles will look at the audit finding statement: Criteria, Condition, Cause, Impact and Recommendation. The focus will be on the use of data…
According to the Protiviti report, ‘SOX Compliance and the Promise of Technology and Automation1’ SOX compliance costs have shown year-over-year increases but are starting to level off. It also states that organizations are beginning to make greater use of technology and automation to support the compliance process. However, implementing automation in the SOX compliance process is difficult for many organizations. Understanding and defining requirements, getting stakeholder buy-in, and the investment…
It feels odd to have to continue to justify the need for and use of analytics. What can I add that has not already been stated many times over the past 20-30 years? Studies since the early 1990’s have pointed to the need for businesses and auditors to embrace the use of analytics. More recently, Deloitte’s 2021 Global Risk Management Study1 recognizes the potential for digital risk management technology to…
Too often auditors are satisfied with only finding the problem. In fact, it is usually only ‘evidence that there is a problem’ and not the actual problem. At which point their recommendations fall short of providing value and helping management improve controls and reduce risk. These types of audits often look something like this: Objective: Verify compliance with “A” Criterion – you are supposed to do “A” Condition – the…