The Why Factor

Too often auditors are satisfied with only finding the problem.  In fact, it is usually only ‘evidence that there is a problem’ and not the actual problem.  At which point their recommendations fall short of providing value and helping management improve controls and reduce risk. These types of audits often look something like this: Objective: Verify compliance with “A” Criterion – you are supposed to do “A” Condition – the…

August 2, 2020

Linking ERM and Performance Measurement – part #2

A proposed integrative model Dave Coderre, CAATS,  During the strategic planning process senior managers propose goals and objectives for the coming year. ERM should evaluate objectives to ensure that risks have been considered and the chosen objectives are consistent with the entity’s mission. The risks should be analyzed and prioritized and mitigated by an appropriate response that considers the entity’s risk tolerance and risk appetite. The risk appetite will vary depending on…

October 17, 2018

Auditing the Right Things

Is there a mismatch between where internal audit spends its time auditing and the risks that organizations face?  Boards/audit committees should constantly re-evaluate whether internal audit is being used effectively to deliver risk-based assurance.  The fundamental questions for boards/audit committees are: are we doing the right audits; and are we doing audits right. In previous articles I have discussed ‘how to do an audit right’ – namely, the importance of…

September 20, 2018

Making IT Audit more effective and relevant – part #1

Are you an IT auditor who takes comfort in your specialized knowledge and feels secure in assessing general and application controls – but does no more?  Then you need to wake-up to today’s business environment and step out of your comfort zone.  You also will probably need to pull the general auditor away from the safety of pure compliance audits.  The notion of the integrated auditor was usually applied to…

September 2, 2018

ACL Scripts Part #5 – Validating User Input

If you have been trying to build scripts following my previous posts, then you are ready to make your scripts a little more robust; particularly if your scripts will be used by other people.  There are always issues when you prompt the user for input such as: did they actual provide any input; and is the input the right type and correct format.  Since the proper running of the script…

July 13, 2018

ACL Scripts

Many new ACL users overestimate the difficultly in developing simple ACL scripts.  I would agree with you if we were talking about IDEA scripts which require some knowledge of Visual Basic.  But, in my opinion a simple, ACL script which only performs commands that you have previously executed and want to execute again, is simple to create. Assumption: you have performed an analysis and want to save it in a…

June 15, 2018

Got Analytics – Now What?

What could be worse than not having an analytics capability? Having an analytics capability, but not being sure what to do with it!  This means that you have invested in developing analytics to access your business systems, but now are unsure about: Which analytics do I run? How often should I run them? What do the results mean? How do I verify the results? How do I deal with false…

April 7, 2018

Sampling Guidelines

1.0 Introduction There are two main types of sampling: Statistical sampling is used to draw conclusions about populations. Non-statistical sampling is used to establish the existence, and determine the extent of, suspected conditions. Statistical Sampling Statistical sampling permits auditors to project characteristics of the sample to the population from which the sample s drawn, whereas non-statistical sampling only allows you to draw conclusion about the sample itself. Statistical sampling also…

November 2, 2017

Becoming Sought After

At the annual ACL user conference (Connection 2017) the recurring theme was “Being Sought After”.  Employees who are sought after are recognized by senior management.  In the case of ACL users, this means their ability to use analytics to identify and assess risk, detect fraud and improve operational efficiency and effectiveness.  Clearly, if you can do that, not only will you bring value to the organization, but also to your…

October 5, 2017


Always looking for ideas for my blog, I could not resist when Chris Broussard asked me to write something on ACL workspaces. Simply put, an ACL workspace is used define either physical fields or expressions.  However, instead of defining these fields in the table layout, the definitions are stored in a separate project item (i.e. a workspace).  The main advantage is that the workspace can be shared by multiple data…

May 25, 2017