Reflecting on 35 years of performing analytics to support internal audit, finance, and fraud detection has led me to a – not so startling – revelation: you can build the best analytics in the world, and they still might not be used by internal audit. Analytics I have developed, even with significant client input, have not been used or were limited in their use: either time or extent. The question…
Study after study has shown that data analytics is effective and efficient at detecting risk and identifying control weaknesses, non-compliance, and inefficient business processes. Chief Financial Officers (CFOs) and Chief Audit Executives (CAEs) have repeatedly stated that data analysis expertise is a much-needed skill, and surveys by the ACFE and CPA firms over the past 10 to 15 years have rated data extraction, data analysis, and analytical software as critical…
Even if the auditor does a great job of planning, conduct, analysis, and follow-up, the real value of the audit will be absent if the recommendations miss the mark. Audit planning should be focused on two main objectives: identify the risk and design an audit program that will assess the risk. Risk affects the achievement of organizational goals and objectives. Capitalizing on positive risks will increase the achievement of these…
When I am asked, “What does an internal auditor do?” my response is usually, “How much time do you have for me to answer that question?” As a long time internal auditor (35 years), I have often been disappointed by the perception of management (and others) regarding the purpose and value of internal audit. Ask management about internal audit and their response if usually that audit reviews financial statement and…
At the end of the year, I tend to reflect back on what I have done or not done. It occurred to me that 2023 will be my 35th year using ACL Analytics (Galvanize, Diligent) on a daily basis. Throughout the years I have had many failures and successes. I have learned from identifying lessons-learned when things worked and even more importantly when they did not. I also took responsibility…
My understanding is that SAP user roles are difficult to design properly, and the review of user authorizations and access rights is equally challenging. I thought that I could use analytics to identify instances where a user had performed transactions that constituted a potential separation of duties (SOD) issues in the FI component and support management in their reviews to identify roles that were not designed properly. The analysis utilized…
I was fortunate it my early career by a forward-thinking manager. Back in 1990, my manager allowed me to explore the notion of data analytics to support audit. The manager also had the view that the analytics developed for the audit (e.g., AP analytics) should be handed over to management for their use (e.g., AP manager does continuous monitoring). So, I began my analytics career with the notion that analytics…
After years and years of mistakes, missteps, or invalid analysis, I have developed a series of steps that can reduce the likelihood or errors and increase the success of analytics for audit purpose. The first step is to ensure that you understand the goals and objectives of the audit. Then the following steps should be performed: Based upon the audit objectives and risks, and mitigating controls identify analytics that will…
Part #1 looked at why assessing data integrity is an important, value-added activity that supports management decision making. Part #2 examines things you can do to improve the integrity of the data and your analytic results. While I will be looking at data integrity primarily from a data analytics perspective, it is important to recognize that many people play a role in the integrity of data. Ensuring data integrity is…
A common refrain that I hear is, “We can’t rely on the data because it does not have integrity.” This raises a couple of questions in my mind and should in yours as well. First, what is management using to produce its reports and make decisions? Second, how accurate does your data have to be to allow you to perform analytics and arrive at valid recommendations/conclusions. The obvious answer to…