Setting the proper objective is critical to delivering on a quality, value-add audit. It must be strongly linked to the goals and objectives of the entity being audited; drive the risk identification and assessment; and be a foundation for the audit workplan and conduct of the audit. And ultimately, is it the statement upon which the audit concludes. Yet too many audits have poor objectives. I have performed analysis in…
Too often auditors are satisfied with only finding the problem. In fact, it is usually only ‘evidence that there is a problem’ and not the actual problem. At which point their recommendations fall short of providing value and helping management improve controls and reduce risk. These types of audits often look something like this: Objective: Verify compliance with “A” Criterion – you are supposed to do “A” Condition – the…
A proposed integrative model Dave Coderre, CAATS, www.caats.ca During the strategic planning process senior managers propose goals and objectives for the coming year. ERM should evaluate objectives to ensure that risks have been considered and the chosen objectives are consistent with the entity’s mission. The risks should be analyzed and prioritized and mitigated by an appropriate response that considers the entity’s risk tolerance and risk appetite. The risk appetite will vary depending on…
Is there a mismatch between where internal audit spends its time auditing and the risks that organizations face? Boards/audit committees should constantly re-evaluate whether internal audit is being used effectively to deliver risk-based assurance. The fundamental questions for boards/audit committees are: are we doing the right audits; and are we doing audits right. In previous articles I have discussed ‘how to do an audit right’ – namely, the importance of…
Are you an IT auditor who takes comfort in your specialized knowledge and feels secure in assessing general and application controls – but does no more? Then you need to wake-up to today’s business environment and step out of your comfort zone. You also will probably need to pull the general auditor away from the safety of pure compliance audits. The notion of the integrated auditor was usually applied to…
If you have been trying to build scripts following my previous posts, then you are ready to make your scripts a little more robust; particularly if your scripts will be used by other people. There are always issues when you prompt the user for input such as: did they actual provide any input; and is the input the right type and correct format. Since the proper running of the script…
Many new ACL users overestimate the difficultly in developing simple ACL scripts. I would agree with you if we were talking about IDEA scripts which require some knowledge of Visual Basic. But, in my opinion a simple, ACL script which only performs commands that you have previously executed and want to execute again, is simple to create. Assumption: you have performed an analysis and want to save it in a…
What could be worse than not having an analytics capability? Having an analytics capability, but not being sure what to do with it! This means that you have invested in developing analytics to access your business systems, but now are unsure about: Which analytics do I run? How often should I run them? What do the results mean? How do I verify the results? How do I deal with false…
At the annual ACL user conference (Connection 2017) the recurring theme was “Being Sought After”. Employees who are sought after are recognized by senior management. In the case of ACL users, this means their ability to use analytics to identify and assess risk, detect fraud and improve operational efficiency and effectiveness. Clearly, if you can do that, not only will you bring value to the organization, but also to your…
Always looking for ideas for my blog, I could not resist when Chris Broussard asked me to write something on ACL workspaces. Simply put, an ACL workspace is used define either physical fields or expressions. However, instead of defining these fields in the table layout, the definitions are stored in a separate project item (i.e. a workspace). The main advantage is that the workspace can be shared by multiple data…