Cost recovery firms make millions of dollars identifying and recovering duplicate payments. They often have well developed analytics that can identify duplicate payments while reducing the number of false positives. You will pay 25-50% but you are getting money back, so it feels like a win-win. However, there are two things to keep in mind: 1) they go after the low hanging fruit and the largest possible duplicates; and 2)…
This is the sixth in a series of articles on data analytics and internal audit. This article looks at the audit finding statement: Impact. The focus will be on the use of data analytics to assist you in determining the impact of what was observed (the condition) and to support the recommendation. In simple terms, the impact answers the ‘why should I care.’ What is the impact of controls failing…
This is the fifth in a series of articles on data analytics and internal audit. This article looks at the audit finding statement: Cause. The focus will be on the use of data analytics to assist you in determining the cause of what was observed (the condition) and to support the development of the recommendation. In simple terms, the cause answers the ‘why.’ Why are controls failing to prevent and/or…
This is the fourth in a series of articles on data analytics and internal audit. This article looks at the audit finding statement: Condition. The focus will be on the use of data analytics and how the condition supports the development of the recommendation. In simple terms, the condition is “what is.” Typically, the analytics are testing for the existence of something, and the results are the condition. For example,…
This is the third in a series of articles on data analytics and internal audit. This article looks at the audit finding statement: Criteria. The focus will be on the use of data analytics and how the criteria play an important role in the development of analytics to support and inform the audit. IIA Standard 2210.A3 states that “adequate criteria are needed to evaluate controls.” Simply put, the audit criteria…
This is the next post in a series that discusses the importance of having a proper audit objective, defining the business goals and objectives, and the risks to the achievement of those objectives. This article will discuss the identification and assessment of risk. The next series of articles will look at the audit finding statement: Criteria, Condition, Cause, Impact and Recommendation. The focus will be on the use of data…
Study after study has shown that data analytics is effective and efficient at detecting risk and identifying control weaknesses, non-compliance, and inefficient business processes. Chief Financial Officers (CFOs) and Chief Audit Executives (CAEs) have repeatedly stated that data analysis expertise is a much-needed skill, and surveys by the ACFE and CPA firms over the past 10 to 15 years have rated data extraction, data analysis, and analytical software as critical…
According to the Protiviti report, ‘SOX Compliance and the Promise of Technology and Automation1’ SOX compliance costs have shown year-over-year increases but are starting to level off. It also states that organizations are beginning to make greater use of technology and automation to support the compliance process. However, implementing automation in the SOX compliance process is difficult for many organizations. Understanding and defining requirements, getting stakeholder buy-in, and the investment…
It feels odd to have to continue to justify the need for and use of analytics. What can I add that has not already been stated many times over the past 20-30 years? Studies since the early 1990’s have pointed to the need for businesses and auditors to embrace the use of analytics. More recently, Deloitte’s 2021 Global Risk Management Study1 recognizes the potential for digital risk management technology to…
Too often auditors are satisfied with only finding the problem. In fact, it is usually only ‘evidence that there is a problem’ and not the actual problem. At which point their recommendations fall short of providing value and helping management improve controls and reduce risk. These types of audits often look something like this: Objective: Verify compliance with “A” Criterion – you are supposed to do “A” Condition – the…