As a promoter of data analysis for fraud, internal controls, and audit for more than 30 years, I am often asked, “Which software tools or application should I use?” While I have packages that I have used for 30+ years, and am a co-founder of an data analytics service provider (WWW.CTRLmatters.Com) , I hesitate to answer the question. The capabilities and robustness of data analytics are changing very quickly, and…
Setting the proper objective is critical to delivering on a quality, value-add audit. It must be strongly linked to the goals and objectives of the entity being audited; drive the risk identification and assessment; and be a foundation for the audit workplan and conduct of the audit. And ultimately, is it the statement upon which the audit concludes. Yet too many audits have poor objectives. I have performed analysis in…
Dave Coderre, Co-Founder CTRLmatters It occurred to me today that I have been performing internal audits and reviews for more than half my life. Throughout the years I had had many failures and successes. I have learned from both by identifying lessons-learned when things worked and even more importantly when they didn’t. I also took responsibility for my failures and shared my successes with the auditors on my teams. In…
When I tell people that I am an internal audit, three things happen: first I must explain that I am not from the IRS and will not be auditing their taxes. The second, I must tell them that I do not just focus on financial statements, or fraud, but conduct many types of audits. This often leads to the third comment, perhaps in jest, “So, you are just interested in…
For years I have been thinking about Risk, Controls, Black Swans and Entropy; and more recently about Analytics and RPA. Only recently did I understand how these are all connected and impact large and small organizations – particularly in activities that are high-risk and strictly controlled. Sadly, these tightly controlled areas are often overlooked until it is too late. Which bring us to Risk and Controls. Risk and Controls: Business…
I purposely made the first title more dramatic than needed to make people understand that Continuous Auditing needs to be looked at from a different perspective. In fact, it is the original perspective – Risk and Controls – the needs to be adopted. Unfortunately, the concept of Continuous Auditing transformed into “data analysis” which often resulted in auditors simply reporting errors and exceptions and not tying these back to the…
The identification of duplicates ultimately comes down to finding a balance between the False Positives, False Negatives and True Duplicates. This article discusses various approaches to reducing the number of False Positive and False Negatives – making the duplicate results more reliable. The concept of identifying duplicates is fairly simple: do two records have the same values? If yes, then they are duplicates. However when dealing with names and addresses…
For years I have written about data analysis to identify and assess risk, to detect and prevent fraud, and to improve business processes (efficiency and effectiveness). Please allow me to, just this once, talk about something more personal that affects every parent and every child: “The Talk” about sex. If you are like me, a father of two girls, I was more than happy to let my wife give them…
Are you an IT auditor who takes comfort in your specialized knowledge and feels secure in assessing general and application controls – but does no more? Then you need to wake-up to today’s business environment and step out of your comfort zone. You also will probably need to pull the general auditor away from the safety of pure compliance audits. The notion of the integrated auditor was usually applied to…
I hope that, after having read, and tried, the approaches to developing ACL scripts in the Part #1 post, you are anxious to learn more. Certainly, the Part #1 suggestions will allow you to build simple scripts to re-run analysis, but there is more to scripting: more power, flexibility and control. In particular, you may want to control the ACL environment to allow the scripts to run without, for example,…