Are you an IT auditor who takes comfort in your specialized knowledge and feels secure in assessing general and application controls – but does no more? Then you need to wake-up to today’s business environment and step out of your comfort zone. You also will probably need to pull the general auditor away from the safety of pure compliance audits. The notion of the integrated auditor was usually applied to…
COSO had released an update to COSO-ERM which included Principle #8 (“The organization considers the potential for fraud in assessing risks to the achievement of objectives.”) related to fraud risk. David Cotton (Cotton and Company LLP) put together a team of experts to develop guidance on how the audit profession and management could address the requirements of principle #8 and I was fortunate enough to be invited to be part…
By 2011, I was becoming more and more involved in data analysis to detect fraud. I had been doing this for years but had never really thought about the approaches I was taking to assess fraud risk and determine the analytics to perform. The following is the result of my deliberations (which continue to this day). Fraud Detection The unrelenting advancement of technology is affecting virtually every aspect of our…
Note: I hope this is like the ACL forum where there are more people reading it, but not posting questions/answers. While I am enjoying my trip down memory lane – it is a lot of work and it would be a shame if I was the only one reading the posts. My aim was to encourage discussion and sharing – this is not happening and lessens the value of the…
This is Part2 of an article on developing quantitative indicators of risk to support the annual risk-based audit planning process. Part1 presented the concept that risk (Probability and Impact) can be measured quantitatively by looking at Complexity and Change (which increase the probability) and Materiality or Volume (which increases the impact). It also encouraged you to look at more than financial risk. Part 2 presents examples of indicators of risk…
This was my first attempt at identifying risk to support the development of the annual risk-based audit plan (RBAP). I have been involved in the development of the RBAP – even responsible for it – over the years and always felt that it was more professional opinion than anything else. Some people built a spreadsheet with weighting factors 1-5 and fooled themselves into believing that there is a logic and…
Wow – never realized how much work this would be. I mean, I am only posting once a week – but it still takes a lot of time. Not getting many comment, but I hope people are enjoying and learning from the posts. I had hoped more people would share their experiences so we could learn from each other. I was now interested in expanding my use of data analytics…
Even now, I firmly believe that the potential for the Y2K disaster was real. The only reason that its effects were minimized was a result of the hundreds of thousands of hours spent checking and rechecking programming code to address the “00” year problem before it occurred. For those of you too young to remember, prior to the year 2000, many databases and applications only used two digits for the…
I had been writing articles for the Internal Auditor (IIA) and other audit-related magazines for several years now, but I wanted to do more to educate and encourage auditors in the use of analytics. One day I realized that if I assembled all of my previously published IIA articles, I had about 50% of the content necessary for a book on analytics. So I started developing an outline and writing…
Our analytics team was running on all cylinders and achieving significant results. There was not just my opinion, we received an ISACA Award of Excellence at the Info Tech Audit ’95 conference for leadership and contribution to IT Audit Community. Amazingly, it was a $1,000 cash award. The team (3 people) went for out for a celebratory dinner and donated the remaining funds to a local charity. By how we…