Better Audit Reports

Here are my top eight best practices for creating better internal audit reports that hit the mark: Audit Objective: ensure that the audit objective addresses the risks to the goals and objectives of the organization.  It should drive the risk identification and assessment; and be a foundation for the audit workplan and the conduct of the audit.  And ultimately, is it the statement upon which the audit concludes. Audit Workplan:…

April 24, 2022

Audit Finding Attribute: Impact

This is the sixth in a series of articles on data analytics and internal audit. This article looks at the audit finding statement: Impact. The focus will be on the use of data analytics to assist you in determining the impact of what was observed (the condition) and to support the recommendation. In simple terms, the impact answers the ‘why should I care.’  What is the impact of controls failing…

March 21, 2022

Data Analytics and Internal Audit

This is the next post in a series that discusses the importance of having a proper audit objective, defining the business goals and objectives, and the risks to the achievement of those objectives.  This article will discuss the identification and assessment of risk.  The next series of articles will look at the audit finding statement: Criteria, Condition, Cause, Impact and Recommendation.  The focus will be on the use of data…

February 16, 2022

Building a Sustainable Analytics Function

Study after study has shown that data analytics is effective and efficient at detecting risk and identifying control weaknesses, non-compliance, and inefficient business processes.  Chief Financial Officers (CFOs) and Chief Audit Executives (CAEs) have repeatedly stated that data analysis expertise is a much-needed skill, and surveys by the ACFE and CPA firms over the past 10 to 15 years have rated data extraction, data analysis, and analytical software as critical…

September 8, 2021

Unicorns and the Case for Analytics

It feels odd to have to continue to justify the need for and use of analytics.  What can I add that has not already been stated many times over the past 20-30 years?  Studies since the early 1990’s have pointed to the need for businesses and auditors to embrace the use of analytics.  More recently, Deloitte’s 2021 Global Risk Management Study1 recognizes the potential for digital risk management technology to…

April 27, 2021

Analytics to support risk-based audit plan (RBAP)

The Risk-Base Audit Plan (RBAP) is an important output of Internal Audit.   Not only is it a requirement of the IIA standards, but it also focuses audit on the most significant risks affecting the organization.  In addition, it gives the Chief Audit Executives (CAEs) everything they needed to determine which audits will be performed and when; and to identify the required audit resources. However, developing a robust RBAP is not…

January 3, 2020

Risk, Controls, Entropy, Black Swans, Analytics and RPA

For years I have been thinking about Risk, Controls, Black Swans and Entropy; and more recently about Analytics and RPA.  Only recently did I understand how these are all connected and impact large and small organizations – particularly in activities that are high-risk and strictly controlled.  Sadly, these tightly controlled areas are often overlooked until it is too late.  Which bring us to Risk and Controls. Risk and Controls:  Business…

August 23, 2019

The Death of Continuous Auditing

As the principle author of the Institute of Internal Auditors (IIA) Global Technology Audit Guide (GTAG) on Continuous Auditing (GTAG#3), I hope that you will grant me the prerogative to state that “Continuous Auditing is Dead”.   Continuous Auditing – a misnomer as it should have been called ‘Continual’ Auditing – was never fully understood or accepted by auditors or by audit clients.  The idea behind Continuous Auditing was to improve…

February 6, 2019

CEOs Need to Wake up to the Strategic Importance of GRC

GRC: Governance, Risk and Compliance (or, in my view, Controls) is critical to companies that want to remain viable.  A company’s GRC activities should be not just coordinated, but also integrated to provide all levels of management with a view into changing risks and risk levels.   If you do not have structures and procedures in place to monitor, identify and assess these risks you are less likely to succeed.  Want…

November 27, 2018

Linking ERM and Performance Measurement – part #2

A proposed integrative model Dave Coderre, CAATS,  During the strategic planning process senior managers propose goals and objectives for the coming year. ERM should evaluate objectives to ensure that risks have been considered and the chosen objectives are consistent with the entity’s mission. The risks should be analyzed and prioritized and mitigated by an appropriate response that considers the entity’s risk tolerance and risk appetite. The risk appetite will vary depending on…

October 17, 2018