Integrating ERM and Performance Measurement: Part #1

Enterprise risk management (ERM) and performance management (PM) are two essential processes for the management of an organization. Both are designed to support the organizations’ efforts in making decisions and meeting its goals—ERM through the identification and management of those risks that could affect business objectives, and performance management through the identification and measurement of the drivers needed to achieve results and provide value.  Yet despite having mutually consistent objectives,…

October 12, 2018
Read More >>

Auditing the Right Things

Is there a mismatch between where internal audit spends its time auditing and the risks that organizations face?  Boards/audit committees should constantly re-evaluate whether internal audit is being used effectively to deliver risk-based assurance.  The fundamental questions for boards/audit committees are: are we doing the right audits; and are we doing audits right. In previous articles I have discussed ‘how to do an audit right’ – namely, the importance of…

September 20, 2018
Read More >>

Making IT Audit more Effective and Relevant – part #2

The next area that will need to be address by CAEs is ensuring that risk-based audit plans are relevant and that selected audits provide maximum value to senior management.  Today’s business environment changes rapidly to adjust to market conditions, evolving legislation and economic forces; and the risk-based audit plan must keep pace with this rapid change if it is to properly identify and assess emerging risks that can impact the…

September 10, 2018
Read More >>

Making IT Audit more effective and relevant – part #1

Are you an IT auditor who takes comfort in your specialized knowledge and feels secure in assessing general and application controls – but does no more?  Then you need to wake-up to today’s business environment and step out of your comfort zone.  You also will probably need to pull the general auditor away from the safety of pure compliance audits.  The notion of the integrated auditor was usually applied to…

September 2, 2018
Read More >>

Year 28 – 2015 – Fraud Risk Management Guidance

COSO had released an update to COSO-ERM which included Principle #8 (“The organization considers the potential for fraud in assessing risks to the achievement of objectives.”) related to fraud risk.  David Cotton (Cotton and Company LLP) put together a team of experts to develop guidance on how the audit profession and management could address the requirements of principle #8 and I was fortunate enough to be invited to be part…

November 21, 2016
Read More >>

Year 24 – 2011 – Fraud Detection – part 1

By 2011, I was becoming more and more involved in data analysis to detect fraud.  I had been doing this for years but had never really thought about the approaches I was taking to assess fraud risk and determine the analytics to perform.  The following is the result of my deliberations (which continue to this day). Fraud Detection The unrelenting advancement of technology is affecting virtually every aspect of our…

October 10, 2016
Read More >>

Year 19 – 2006 – Health Claims

Note: I hope this is like the ACL forum where there are more people reading it, but not posting questions/answers.  While I am enjoying my trip down memory lane – it is a lot of work and it would be a shame if I was the only one reading the posts.  My aim was to encourage discussion and sharing – this is not happening and lessens the value of the…

August 15, 2016
Read More >>

Year 18 – 2005 – Quantitative Indicators of Risk – part 2

This is Part2 of an article on developing quantitative indicators of risk to support the annual risk-based audit planning process. Part1 presented the concept that risk (Probability and Impact) can be measured quantitatively by looking at Complexity and Change (which increase the probability) and Materiality or Volume (which increases the impact).  It also encouraged you to look at more than financial risk.  Part 2 presents examples of indicators of risk…

August 8, 2016
Read More >>

Year 18 – 2005 – Quantitative Indicators of Risk – part 1

This was my first attempt at identifying risk to support the development of the annual risk-based audit plan (RBAP).  I have been involved in the development of the RBAP – even responsible for it – over the years and always felt that it was more professional opinion than anything else.  Some people built a spreadsheet with weighting factors 1-5 and fooled themselves into believing that there is a logic and…

August 2, 2016
Read More >>

Year 12 – 1999 – Part 1 – Data analytics to assess risk

Wow – never realized how much work this would be.  I mean, I am only posting once a week – but it still takes a lot of time.  Not getting many comment, but I hope people are enjoying and learning from the posts.  I had hoped more people would share their experiences so we could learn from each other. I was now interested in expanding my use of data analytics…

May 16, 2016
Read More >>