Mike Pivette from returnonsecurity.com has posted 25 lessons about the cybersecurity industry from his 17 years in that field. It’s a great list, and I agree with almost all of them.
You can agree with me, roll our eyes, or fight back in the comments. :)
Filed under Audit, Certification, Employment, Security, Technology
As the season of gratitude unfolds, let’s take a moment to express thanks for the often unsung heroes of the corporate realm – the IT auditors. In a world that thrives on bits and bytes, their role is crucial, and this Thanksgiving, we highlight the things that IT auditors have to be thankful for:
Filed under Audit, Humor/Irony
Identifying a risk is always a good thing, but to apply the right solution, you need to find the root cause (the real problem).
Too often, finding the root cause can be hard not only because of how something was implemented (like a control), but also due to the assumptions you make while you’re reviewing the process.
I was reminded of this when my BBQ grill out on my deck refused to light when I pressed the ignitor button. That’s an easy fix–changing the ignitor battery isn’t hard. Root cause: dead battery.
Filed under Audit, How to..., Humor/Irony, Technology
I was wandering through some of my older posts on my blog and rediscovered my Data Center Failure series.
I had totally forgotten about these adventures as they happened so long ago – 2014 to be exact, back when I was the information security manager for a Fortune 500 company (today the position is known as CISO).
I bring this series to your attention for the following reasons:
Filed under Audit, Case Files, Security
Twitter no longer allows WordPress blogs to tweet about new blog posts, so if you want to be notified when new posts arrive, sign up with your email.
Look for the signup area similar to the one shown in this post, enter your email, and click the Sign me up! button.
I won’t share or sell your emails. I promise. -Mack
Filed under Audit
I thought I’d lead you on a backward journey to explore some of my favorite posts. Just for fun, notice the year some of these posts were written.
I’ve picked several posts that are a bit different from each other. Most likely, you haven’t seen most of these posts.
Filed under ACL, Audit, Case Files, How to..., Humor/Irony, Quote of the Weak, Security Scout, Technology
This post contains my response to my earlier post, ‘ChatGPT Channels Elon Musk RE: Data Analytics’.
First off, I liked the disclaimer which said that ChatGPT can mimic Elon Musk, but don’t expect perfection.
So in this case, ‘Chatty’ is saying take this with a grain of salt. Lately, Chatty has been getting a lot of press regarding sounding too authoritative and just plain making things up. So when Chatty is having fun, you get a disclaimer. Otherwise, you better believe what it says. Interesting.
This post is in response to Xavier and Grant, who were kind enough to push back a bit on a previous post, Abandon ACL and Others? See their comments on that post.
I will respond to some of their points and reveal some more of my thinking as to why I believe that auditors need to become a LOT more technical.
Some may think I am just digging my hole a little deeper, but I’ve always loved the journey.
Previously, I published an article written by ChatGPT regarding whether internal audit performs an adequate amount of data analytics and in the appropriate depth.
The reader who sent me that article also asked ChatGPT to write the same article as if Elon Musk wrote it.
So I’m publishing the ‘Musk’ article too, mostly for fun. I realize that ChatGPT can do a lot more impressive things than this, but this relates directly to audit and is simple.
I’ve never heard or read anything about Musk’s opinion on analytics (couldn’t find anything).
Filed under artificial intelligence (ai), Audit, Blogging, Data Analytics, Data Science, Technology
This post contains my response to my earlier post, ChatGPT Analyzes Internal Audit!
First of all, most of the article sounded like it was written by external auditors; it sounds important, but really doesn’t say much.
Filed under artificial intelligence (ai), Audit, Data Analytics, Data Science
Just for fun, one of my readers asked ChatGPT to write an article analyzing how internal audit uses data analytics (love that alliteration).
If you’re new to ChatGPT, go here, and remember to scroll down.
This reader (who wishes to remain anonymous) asked ChatGPT to write about whether internal audit performs an adequate amount of data analytics and in the appropriate depth.
This person sent the result to me, and after reading it, I decided to publish it here.
For the past few years, I’ve been outspoken about auditors that 1) don’t do much data analysis, OR 2) rely only on tools like ACL, IDEA, Arbutus, and the like to do their data analysis.
In this post, I’m going to provide some reasons auditors should not rely on only on these tools. I’ve dealt with this before, but I want to look at it from some different angles.
In this post, I’m speaking only to auditors, as they alone are called to audit the technology and processes their companies use.
In this post, when I mention ‘ACL+’, I am referring to ACL, IDEA, Arbutus, and any other tool that typically only auditors use. I’m also including ACL ‘Robotics’ in this list.
In this post, I’m going to step on people’s toes, but my readers should be used to that by now.
Filed under ACL, Audit, Data Analytics, Data Science, Excel, Machine Learning, Python, Scripting (ACL), Technology
In this fourth post of the Python Journey, I want to discuss WHY I keep going on these journeys despite poor management support. And how I stay sane doing it.
While this post goes beyond my Python journey, previous journeys have been very similar, so in a sense, it has been one looong journey.
My first journey started with ACL, then came SQL, databases, virtual machines and virtual servers, and a host of other technologies, and finally Python and machine learning, all of which I pretty much learned/am learning on my own.
Not only because my audit management didn’t have much foresight or vision, but also because company management approved and launched tools without much guidance or training. Yeah, really.
So what keeps me going and why do I stay here?
Filed under ACL, Audit, Data Analytics, Data Science, Humor/Irony, Python, Technology
In my first Python post, I described the first steps of my python journey.
In my second Python post, I shared my thoughts about whether auditors could learn programming and Python (yes).
In this third post of the series, I want to describe how my audit management has supported my Python journey (spoiler: poorly).
In my previous Python post, I described the first steps of my python journey.
In this post, I want to respond to Grant’s comments that he left here re: auditors getting into programming, and specifically python.
[For my readers who don’t know, Grant is the founder, President and Chief Architect of Arbutus Software Inc, which specializes in audit analytics (he usually doesn’t mention that he was involved in writing the first versions of ACL too).
So his words have experience to back them up, and while I’m flattered he pops in here and there to comment on my little blog, I don’t hesitate to disagree with him occasionally .]
I’m going to take a break from my python journey to dive back into artificial intelligence (AI) and what I’m calling the battle of the AI bots.
Previously, I have posted about 4 common AI fallicies and how AI is NOT going to take over the world.
Filed under Audit
As I mentioned in my previous post, I’ve been learning Python.
As a result, I haven’t posted for a long while, so I thought I’d crawl out of my Python den and discuss my journey so far. It has been an interesting slither with some sunshine, as well as a few dark days.
My Background
I’ve been an auditor for many years, and before that I managed a data/computer security department (see my ABOUT post for other details). I don’t consider myself a programmer by any means, but have automated several processes with a variety of tools, including ACL, command line, Visual Studio, SQL Server Integration Services (SSIS), Power BI, and other tools.
Filed under Audit, Data Analytics, Data Science, Machine Learning
Hi folks, it has been a while since I posted. I’m not dead or in solitary confinement.
I’ve just been busy studying Python, and it has taken a bit of my time.
I’ll post something soon….
Anybody else working on Python?
Filed under Audit
Here’s a look back at the most popular blog posts of 2021 according to the number of times readers opened those posts. It’s been a long time since I’ve done a best blogs post…
Some of these posts are oldies, and yet they are still pulling in plenty of traffic. Check out the list, and see if you missed any of them, especially new readers.
Filed under ACL, Audit, Blogging, Certification, Data Analytics, Employment, Excel, Free, Free Download, How to..., Security, Technology
If you want to increase the effectiveness of your audits and find risks that haven’t been identified before, you need to shatter your silos so you can identify more risk.
Too often, audits are performed on one process, one category, or one system: Earning Commissions, Windows Servers, or Wire Transfer. Each one of those is a separate silo (one for oats, one for corn, one for rice).
Filed under Audit, Data Analytics, fraud, How to..., Technology
While installing and configuring some new software on my Windows server, I noticed that the IT department forgot to remove some previous software components from my server.
I remember seeing the notice that the software was being uninstalled and replaced by another package.
I could have removed the left over components myself (I am admin on the server), but I wanted to see if they would ever be removed. Did the Windows server team forget about this, or did the team not concern itself with such things? Maybe the procedures don’t include a process to ensure all components are removed.
I waited about 2 months, but the components were not removed.
Filed under Audit, Case Files, Security, Security Scout, Technology
Oh, I hate the Table Already Open ACL error message with a passion.
And the Command Cancelled message (see the end of this post regarding that message).
Usually, it means I did something stupid, and I can figure out what, and fix it pretty fast.
Sometimes I have to scratch my head for quite some time before I figure it out.
I wrote a post in 2017 about Deleting ACL Table Covers A Multitude of Sins. This post is an expansion of that post, but mainly focuses on the “Table Already Open” error.
Filed under ACL, Audit, Data Analytics, How to...
Here’s a couple of my favorite ACL tricks & treats that I use frequently to get me through the day a little faster and a little less frustrated.
These tricks are the kind that they don’t teach you in class or in tutorials (at least I’ve never learned any of them there; maybe I was in the bathroom during that session); I either figured them out on my own or had someone say, “Let me show you something.”
The Command Line
When I train someone in ACL, the command line is one of the first bonus items to which I draw their attention. The command line allows you to run individual ACL commands without using the ACL menu or scripts.
To open the command line: in the menu bar, click Window, Command Line. This will appear:
You can run most ACL commands from the command line, such as OPEN a table, ASSIGN a variable value, and lots more (the commands can be entered in lower/upper/camel case, but I use uppercase in this post to help them stand out).
My 2 most frequently used command are listed below.
DISPLAY – list the fields in a table, along with their start position, length, and more.
To run this command, 1) open the table you want to run this command against, and 2) enter the command in yellow in the command line, and press Enter.
Note that the last line shows you a computed field and the formula behind it.
DISPLAY VARIABLES – list all currently active variables, their type/format, and their values.
To run the following command, just enter it in the command line, and press Enter.
Note that user-defined variables (v_record and v_table) are shown, along with system variables (OUTPUTFOLDER and WRITE1). If you’re not familiar with ACL system variables, look them up in the ACL help file (it will be worth your time).
Note that 2 of the variables are character (C) type and 2 are numeric (N).
This command is extremely helpful when you are troubleshooting variables.
Bonus: Instead of DISPLAY, you can type DIS; instead of DISPLAY VARIABLES, you can type DIS VAR. Much shorter!
Bonus #2: Another useful use of the command line is to enter variable values. For example, if you have a NOTIFY command at the end of a script that will send an email if v_Run_Notify = “Y”, you can enter v_Run_Notify = “N” in the command line and press Enter to change the variable value and prevent the NOTIFY command from running while you test changes to your script.
Open a Table You Can’t Find
Sometimes I can’t find a table because I don’t remember (or know) which ACL folder it is hiding in (the folder in your project, not a Windows folder on your hard drive).
If you know the name of the table, you can just type OPEN <tablename> and press Enter (where <tablename> is the name of the table you want to open). When I don’t remember the table name or I’m too lazy to type it out, I copy the name from the ACL log or a script that uses it, and copy it to the command line.
When the table opens, you can then see what folder the table was hiding in (the folder is not shown in screenshot below).
Clear the Command Line
When you use the command line a lot, you have to clear it before entering another command. Instead of backspacing and deleting the text, or highlighting and deleting the text, just click the X at the far right.
Likewise, instead of pressing Enter after entering a command, you can click the checkmark.
Table History
When you’re working on a big project that contains many different tables, sometimes it’s hard to remember how that table was created. Or you haven’t opened the ACL project in a while, or you have to troubleshoot or review a project someone else created.
So what table(s) were used to create that table, and what filters/joins were used to create it? How many records did the original table contain?
I used to hunt through the ACL log or the scripts to find all that info, but for the most part, it’s all in the table history.
To access a table’s history, 1) open the table you’re interested in, and 2) from the menu bar, select Tools, Table History. You’ll see something like this:
The first line shows the original table (PcardTransactions) and the FILTER used. The second line shows the filtered data (all fields) was extracted to a new table (PCardUSA).
The third line shows number of records in the original table (Input) and the fourth line shows the number of resulting records (Output) in the extracted table.
If a JOIN was used, the table history would list the primary and secondary tables as well as the JOIN command parameters used.
The other nice thing is that you can take a screenshot of the table history and use it for documentation or evidence.
Bonus: Instead of selecting Tools, History from the menu, you can type DIS HIS in the command line, and press ENTER. Same results!
If you have some ACL tricks up your sleeve, let me know.
Filed under ACL, Audit, Data Analytics, Free, How to..., Scripting (ACL)
Last week I was meeting with one of our company’s Accounts Payable clerks, who told me she was not concerned about some upcoming General Ledger changes.
2 changes that were submitted by developers on her behalf.
2 changes she didn’t know anything about, so she didn’t consider them her problem.
This post is a Quote of the Weak post. For more info on these types of posts, see the Quote of the Weak topic under About.
Filed under Audit, Case Files, Quote of the Weak, Security, Security Scope
I’ve received an artificial intelligence (AI) marketing failure in the mail recently. Well, I think it was an AI failure; it sure was a marketing failure.
About a month ago, I received a letter saying that I could save a lot of money on my 15-year mortgage. It gave my current rate, the rate I could get if I refinanced, and the amount of the new payment.
I recently posted about 4 common AI fallacies or myths regarding artificial intelligence (AI). I wanted to dive a little deeper into some of these myths, and discuss why AI will NOT take over the world.
First of all, it is easy to fear what we don’t really understand, especially when some people push the narrative of computers becoming ‘aware’, which would result in them dominating the human race.
Filed under artificial intelligence (ai), Data Science, Machine Learning, Technology
An article posted on MachineLearningTimes.com discusses 4 common fallacies or myths regarding artificial intelligence (AI). These misconceptions lead to many misunderstandings and fear* regarding AI.
Wikipedia defines AI as “intelligence demonstrated by machines, unlike the natural intelligence displayed by humans and animals, which involves consciousness and emotionality.”
I like Investopedia’s definition better*: “the simulation of human intelligence in machines that are programmed to think like humans and mimic their actions.”
In the post, Melanie Mitchell, Davis Professor of Complexity at the Santa Fe Institute and author of Artificial Intelligence: A Guide For Thinking Humans, lists the 4 most common fallacies that I would summarize as follows:
Filed under Data Science, Machine Learning, Technology
As an auditor, I am told all the time by the business that “we have a current project plan that is addressing that risk”, which implies that I shouldn’t waste everyone’s time writing up an audit issue regarding the problem.
It means that the risk isn’t as big as it appears.
Really?
Filed under Audit, Case Files, Humor/Irony, Quote of the Weak, Security
The other day I was in a meeting to discuss a new analytics project and discovered the team had no end goal.
When the discussion started with the software to be used, I knew they were already off track.
Filed under Audit, Case Files, Data Analytics, Humor/Irony, Quote of the Weak
When you’re trying to get a data science job, you need experience, but to get experience, you need a job, right? Not always, and this is the case for many jobs, not just data science.
But in data science, you can generate the experience you need yourself.
You might have seen one of my earlier posts, How to get an IT Audit job with little or no experience. Let me say from the beginning that getting an IT audit job with no experience is easier than a data science job with no experience. But according to an article from KDnuggets, it can be done. And like everything else, it takes hard work.
The article defines data science as “an interdisciplinary field that focuses on solving problems and gathering information.”Â
Filed under Audit, Blogging, Data Analytics, Data Science, Employment, Free, How to..., Technology
Diligent’s acquisition of Galvanize (ACL) is another nail in the ACL analytics coffin.
First, ACL acquired another company and created Galvanize. And we were told governance, risk, and compliance (GRC) would never be the same.
And I told you that ACL analytics would never be the same. In fact, I predicted that this acquisition meant that ACL analytics was dying (when I say ACL analytics, I’m referring to the Windows desktop version that they built the original company on).
For more on this, see ACL Officially Changes Name & Spots and Is ACL Analytics Dying?
Filed under ACL, Audit, Data Analytics, Scripting (ACL), Technology, Written by Skyyler
It seems to me that auditing as a profession is not full of critical thinkers, much less thinkers.
If you read my last post about auditor judgment, I’m struggling with some of the junior auditors that I’m working with.
But I’m also struggling with quite a few of the senior auditors that I work with, those that are my peers (which means they peer at what I’m doing and how I’m doing it and then continue on their merry paths).
I came to this opinion based on most of the auditors I’ve met through the years across many companies, small and big, and across sectors, including public service. And also by the many articles calling for the profession to do more critical thinking, and yes, it is needed.Â
But let’s start with plain old thinking (walk before run).
Filed under Audit, Data Analytics, Excel, Humor/Irony, Technology
We recently acquired a new data analysis tool in our department, which prompted some of our newbie auditors to share their misunderstanding of auditor judgment and basic data analysis.
A group of less experienced and newer auditors were selected to try out the new tool before it was rolled out department-wide.
 If you’re not familiar with my ‘Quote of the Weak’ series, I described it briefly in About. For a list of posts in this series, see here. If you haven’t seen one of these posts before, it’s because I haven’t had one in a while…
Filed under Audit, Data Analytics, Humor/Irony, Quote of the Weak, Technology
Companies need to create a help desk for data, similar to the help desk they created for hardware, software, application, network, and user problems.
Can you imagine if companies didn’t have a computer help desk and each department had figure out their own computer issues? If each department had to find, load, configure, and troubleshoot their own hardware and software?
But isn’t that how most companies operate when it comes to data and data projects?
Filed under Audit, Data Analytics, How to...
I’ve written before how some periodic reviews provide management with little assurance, but management doesn’t realize how little.
My previous post focused mostly on server access. In this post, I want to look at normal user access.
For example, let’s assume your company has a policy that states that all IDs must be assigned within an Active Directory group. In other words, IDs are assigned to groups, and groups are assigned to assets; IDs should not be assigned directly to an asset.
Assume the control you are testing states that user access is reviewed annually.
Filed under Audit, Security, Technology
This is the third of 3 posts; this post describes how I audited the auditors and my perspective on the whole thing.
Read the first post (background) and the second post (audit results).
Filed under ACL, Audit, Case Files, Data Analytics, Scripting (ACL)
This is the second of 3 posts; this post describes the audit, some speed bumps, and the audit results.
Read the first post here, which provides the background on the audit and the audit’s scope.
Filed under ACL, Audit, Case Files, Data Analytics, Scripting (ACL)
Usually, I’m the one doing the auditing, but this time, I (Mack) was the one who was audited.
It was a great experience for me.
Well, sort of. No one likes being audited (ahem). But it gave me a fresh perspective of how others feel when I audit them.
This is the first of 3 posts; this post contains some background info on the project that was audited, and the second one discusses the audit and the results, and in the third post, I describe my perspective on the whole thing, and some takeaways.
Filed under ACL, Audit, Case Files, Data Analytics, Scripting (ACL)
Have you ever wondered why I selected the picture above to represent my blog?
This picture illustrates so many aspects and nuances of this blog’s theme.
Here’s your chance to put on your thinking cap, and based on what skyyler and I have written about over the years, tell me what YOU think it represents.
As the comments roll in, we’ll comment on them.
Then, after a few weeks, I’ll peel back my brain and give you a peek inside as to what my reasons were.
Not sure how many of you will take me up on the challenge, but here goes…
Filed under Blogging
While you are checking out my blog, make sure you don’t miss all the free advice that’s laying around.
And I’m not talking about the blog posts (those are good too).
Whether you a new reader or you’ve been around since the beginning (2009!), when you find a post you like, don’t forget to do the following after you read it:
Filed under Audit
This is Part 4 of a Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. See Part 1, Part 2, Part 3.
Does the Process X team provide metrics around their process?” I asked.
“Yes,” the most senior auditor replied, showing me the web page where the Process X metrics were displayed.
After reviewing the page briefly, I said, “I see they do metrics by month. You have a year’s data; are you planning to understand how they prepare their metrics and re-calculate them to see if you get the same numbers?”
Filed under Audit, Case Files, Data Analytics, Excel
This is Part 3 of a Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. See Part 1 and Part 2.
I looked at the third page of the handout and asked, “What is this?”
“A list of Active Directory (AD) groups and the user IDs in each group. I searched AD for any group containing the system name,” the junior auditor said, “and identified these 6 groups. I then downloaded all the members of these groups from AD into Excel.”
Filed under Audit, Case Files, Data Analytics, Excel
Some auditors struggle with basic auditing. So when these auditors try to data analysis, well you can imagines how that goes.
I recently met with a team of auditors to give them input on what data profiling would be appropriate to perform. And what analytics might be insightful.
This is Part 1 of a 4-part Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. Do not try these methods at home or work. Don’t even dream about them, awake or asleep.Â
Filed under Audit, Case Files, Excel
Microsoft announced that they are adding a big brother to vLookup named xLookup.
The best things about xLookup: 1) it fixes some of the limitations of vLookup, 2) it is easy to understand and use, and 3) it replaces hLookup also.
Also, vLookup and hLookup are not going anyway, so if any of your colleagues struggle to learn new things, they can continue to use them as is.
When auditors need to identify and understand IT controls, they search the company intranet, review policies, look for Github repositories, review inventories, schedule meetings, and analyze IT asset data.
I stumbled on a better way to get insight into the IT controls in my company, and I didn’t have to email anyone, do any research, or frankly, anything outright. The IT controls came after me.
Fortunately, the IT controls were blind to the fact that I am an IT auditor. To them, I was just an ordinary bloke. But that didn’t last long (more on that later).
It Began a Few Years Back
It all started a couple years ago when I was building the infrastructure required to support our data analytic efforts in internal audit.
Filed under Audit, Case Files, Security, Technology
Before you start analyzing data, you need to 1) know you have the right data, and 2) understand the data and the process that produced it.
This post assumes, of course, that you already accomplished some of the hardest tasks already: figuring out what data you need, where to get it, and actually getting the data. Good luck with that. :)
This post is part of the Excel: Basic Data Analytic series.
Filed under Audit, Data Analytics, Excel, How to...
Before you analyze data, you should profile it.
Otherwise, your analysis may not be too broad, too narrow, or you may miss some important insights or errors.
This post is part of the Excel: Basic Data Analytic series.
Data profiling is developing a profile of your data, just as facial profiles of a person, taken from various angles, helps you size up a person’s nose, identify whether his chin is sagging, and how far apart the person’s eyes are.
Filed under Audit, Data Analytics, Excel, How to...
I fear that ACL Analytics is dying, and has been as long as I’ve been ranting about it.
Making Laurie Schultz their CEO helped, but I don’t think it has been enough.
NOTE: I wrote this well over a month ago, long before I posted the ACL Officially Changes Name & Spots post; I just got sidetracked and forgot about this post. I stumbled across it today in my Drafts folder. I decided to publish it ‘posthumously’ (so to speak) to show 1) how much I’m agonizing over ACL’s direction, 2) how I’ve always felt about ACL’s software, and 3) provide some balance to my previous post.
Filed under ACL, Audit, Data Analytics, Written by Skyyler
It’s official: ACL is changing its name AND its spots.
I’ve claimed several times that ACL has left its first love (analytics) and doesn’t put enough work into their flagship product, ACL Analytics.
Correction: their FORMER flagship product.
At least they are publicly admitting it finally–they NO LONGER are an ANALYTICS company!
Filed under ACL, Data Analytics, Excel, Technology, Written by Skyyler
ITauditSecurity 
Blogging about Internal Audit (10 tips)
First of all, there is a dearth of good internal audit blogs, and even less good IT audit blogs. So if you’re thinking about, we sure could use you in the blogsphere!
Writing a blog is hard work, and you often get tired of it. Life finds a way to get in the way. This is my 11th year of the blog (see the first post here), which, ironically, was written by skyyler. Fortunately, we’ve gotten better since that first year.
Blogging about internal audit is like a moon shining in a dark place… here’s my 10 tips…
Continue reading →
Share this:
12 Comments
Filed under Audit, Blogging
Tagged as anchor, anonymous, Audit, blog, Blogging, comments, feedback, IT, knowledge, Leann, leap year, likes, list, most popular, passion, post, traffic