Tag Archives: Audit

Abandon ACL and Others, Part 2

This post is in response to Xavier and Grant, who were kind enough to push back a bit on a previous post, Abandon ACL and Others? See their comments on that post.

I will respond to some of their points and reveal some more of my thinking as to why I believe that auditors need to become a LOT more technical.

Some may think I am just digging my hole a little deeper, but I’ve always loved the journey.

Continue reading

Advertisement

2 Comments

Filed under artificial intelligence (ai), Audit, Data Analytics, Data Science, Machine Learning, Python, Technology

ChatGPT Analyzes Internal Audit!

Just for fun, one of my readers asked ChatGPT to write an article analyzing how internal audit uses data analytics (love that alliteration).

If you’re new to ChatGPT, go here, and remember to scroll down.

This reader (who wishes to remain anonymous) asked ChatGPT to write about whether internal audit performs an adequate amount of data analytics and in the appropriate depth.

This person sent the result to me, and after reading it, I decided to publish it here.

Continue reading

4 Comments

Filed under artificial intelligence (ai), Audit, Blogging, Data Analytics, Data Science, Humor/Irony, Machine Learning, Python, Technology

Abandon ACL and Others?

For the past few years, I’ve been outspoken about auditors that 1) don’t do much data analysis, OR 2) rely only on tools like ACL, IDEA, Arbutus, and the like to do their data analysis.

In this post, I’m going to provide some reasons auditors should not rely on only on these tools. I’ve dealt with this before, but I want to look at it from some different angles.

In this post, I’m speaking only to auditors, as they alone are called to audit the technology and processes their companies use.

In this post, when I mention ‘ACL+’, I am referring to ACL, IDEA, Arbutus, and any other tool that typically only auditors use. I’m also including ACL ‘Robotics’ in this list.

In this post, I’m going to step on people’s toes, but my readers should be used to that by now.

Continue reading

6 Comments

Filed under ACL, Audit, Data Analytics, Data Science, Excel, Machine Learning, Python, Scripting (ACL), Technology

My Python Journey, Part 4

python programming

In this fourth post of the Python Journey, I want to discuss WHY I keep going on these journeys despite poor management support. And how I stay sane doing it.

While this post goes beyond my Python journey, previous journeys have been very similar, so in a sense, it has been one looong journey.

My first journey started with ACL, then came SQL, databases, virtual machines and virtual servers, and a host of other technologies, and finally Python and machine learning, all of which I pretty much learned/am learning on my own.

Not only because my audit management didn’t have much foresight or vision, but also because company management approved and launched tools without much guidance or training. Yeah, really.

So what keeps me going and why do I stay here?

See my previous Python journey posts 1, 2, and 3.

Continue reading

4 Comments

Filed under ACL, Audit, Data Analytics, Data Science, Humor/Irony, Python, Technology

My Python Journey, Part 3

python programming

In my first Python post, I described the first steps of my python journey.

In my second Python post, I shared my thoughts about whether auditors could learn programming and Python (yes).

In this third post of the series, I want to describe how my audit management has supported my Python journey (spoiler: poorly).

Continue reading

3 Comments

Filed under ACL, artificial intelligence (ai), Audit, Data Analytics, Data Science, Humor/Irony, Machine Learning, Scripting (ACL), Technology

Most Popular Blog Posts of 2021

most popular posts 2021Here’s a look back at the most popular blog posts of 2021 according to the number of times readers opened those posts. It’s been a long time since I’ve done a best blogs post…

Some of these posts are oldies, and yet they are still pulling in plenty of traffic. Check out the list, and see if you missed any of them, especially new readers.

Continue reading

Leave a comment

Filed under ACL, Audit, Blogging, Certification, Data Analytics, Employment, Excel, Free, Free Download, How to..., Security, Technology

Shatter Silos to Identify More Risk

If you want to increase the effectiveness of your audits and find risks that haven’t been identified before, you need to shatter your silos so you can identify more risk.

Too often, audits are performed on one process, one category, or one system: Earning Commissions, Windows Servers, or Wire Transfer. Each one of those is a separate silo (one for oats, one for corn, one for rice).

Continue reading

Leave a comment

Filed under Audit, Data Analytics, fraud, How to..., Technology

Quote of the Weak: No end goal

The other day I was in a meeting to discuss a new analytics project and discovered the team had no end goal.

When the discussion started with the software to be used, I knew they were already off track.

Continue reading

4 Comments

Filed under Audit, Case Files, Data Analytics, Humor/Irony, Quote of the Weak

Another Nail in ACL’s Coffin

Diligent’s acquisition of Galvanize (ACL) is another nail in the ACL analytics coffin.

First, ACL acquired another company and created Galvanize. And we were told governance, risk, and compliance (GRC) would never be the same.

And I told you that ACL analytics would never be the same. In fact, I predicted that this acquisition meant that ACL analytics was dying (when I say ACL analytics, I’m referring to the Windows desktop version that they built the original company on).

For more on this, see ACL Officially Changes Name & Spots  and Is ACL Analytics Dying?

Continue reading

25 Comments

Filed under ACL, Audit, Data Analytics, Scripting (ACL), Technology, Written by Skyyler

Blogging about Internal Audit (10 tips)

A looooooong time ago, Leeann asked me to write a post about blogging about internal audit, so here goes. Most of this post applies to blogging on any subject, too.

First of all, there is a dearth of good internal audit blogs, and even less good IT audit blogs. So if you’re thinking about, we sure could use you in the blogsphere!

Writing a blog is hard work, and you often get tired of it. Life finds a way to get in the way. This is my 11th year of the blog (see the first post here), which, ironically, was written by skyyler. Fortunately, we’ve gotten better since that first year.

Blogging about internal audit is like a moon shining in a dark place… here’s my 10 tips…

Continue reading

12 Comments

Filed under Audit, Blogging

Mack-the-Auditor Gets Audited! Part 2

Review ACL log

This is the second of 3 posts; this post describes the audit, some speed bumps, and the audit results.

Read the first post here, which provides the background on the audit and the audit’s scope.

Continue reading

1 Comment

Filed under ACL, Audit, Case Files, Data Analytics, Scripting (ACL)

Mack-the-Auditor Gets Audited! Part 1

Review ACL logUsually, I’m the one doing the auditing, but this time, I (Mack) was the one who was audited.

It was a great experience for me.

Well, sort of. No one likes being audited (ahem). But it gave me a fresh perspective of how others feel when I audit them.

This is the first of 3 posts; this post contains some background info on the project that was audited, and the second one discusses the audit and the results, and in the third post, I describe my perspective on the whole thing, and some takeaways.

Continue reading

1 Comment

Filed under ACL, Audit, Case Files, Data Analytics, Scripting (ACL)

Auditor Struggles, Part 4

This is Part 4 of a Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. See Part 1, Part 2, Part 3.

Does the Process X team provide metrics around their process?” I asked.

“Yes,” the most senior auditor replied, showing me the web page where the Process X metrics were displayed.

After reviewing the page briefly, I said, “I see they do metrics by month. You have a year’s data; are you planning to understand how they prepare their metrics and re-calculate them to see if you get the same numbers?”

Continue reading

Leave a comment

Filed under Audit, Case Files, Data Analytics, Excel

Auditor Struggles, Part 3

This is Part 3 of a Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. See Part 1 and Part 2.

I looked at the third page of the handout and asked, “What is this?”

“A list of Active Directory (AD) groups and the user IDs in each group. I searched AD for any group containing the system name,” the junior auditor said, “and identified these 6 groups. I then downloaded all the members of these groups from AD into Excel.”

Continue reading

Leave a comment

Filed under Audit, Case Files, Data Analytics, Excel

Auditor Struggles, Part 1

Some auditors struggle with basic auditing. So when these auditors try to data analysis, well you can imagines how that goes.

I recently met with a team of auditors to give them input on what data profiling would be appropriate to perform. And what analytics might be insightful.

This is Part 1 of a 4-part Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. Do not try these methods at home or work. Don’t even dream about them, awake or asleep. 

Continue reading

5 Comments

Filed under Audit, Case Files, Excel

Job Automation Quiz

automation quiz

Test how much you know about automation technologies by taking the job automation quiz at Financial Management magazine.

Continue reading

Leave a comment

Filed under Audit, Free, Security, Technology

Steal from Agile to Increase Audit Analytics

agile analyticsTo increase the amount and depth of the analytics performed, steal some agile methods, and apply them to your audits.

If you’re not familiar with agile methods, check out the first 5 topics listed here (just click Next at the bottom of each page; the topics are quick to the point and full of pictures).

Briefly, agile projects are performed in cycles, or iterations, rather than in a long, linear-waterfall fashion, which is: do all planning, then field work, then reporting. Each iteration of the project creates some value and includes feedback, which is used in the next iteration to increase the value of the project.

Continue reading

1 Comment

Filed under Audit, Data Analytics, How to..., Technology, Written by Skyyler

Create a Team for Audit Analytics? Part 3

analytics team?In the previous post, Create a Team for Audit Analytics? Part 2, I explored the pros and cons of expecting all auditors to develop a level of data and analytic proficiency.

These auditors would continue to do audit testing that involves analytics as well as testing that does not involve analytics. In addition to keeping up their business skills, they would be learning and upgrading their data analytic skills.

In the first post of this series, I reviewed some of the pluses and minuses of creating a dedicated analytics team.

However, a third option exists, which is sort of a hybrid between having dedicated analytic auditors doing all the analytic work and requiring everyone to increase and develop their data and analytic skills.

Let’s explore the hybrid method in this post, and wrap up the series with a few final thoughts.

This is the third post of a 3-part series…

Continue reading

7 Comments

Filed under Audit, Data Analytics, How to..., Technology, Written by Skyyler

Create a Team for Audit Analytics? Part 2

analytics team?In the previous post, Create a Team for Audit Analytics? Part 1, I explored the pros and cons of developing an analytics team.

This team consists of analytic auditors who are dedicated to analytic projects; they would NOT typically manage audits or testing that did not include analytics.

In this post, let’s explore another option for managing and growing analytics in an audit department — expecting all auditors to develop a level of data and analytic proficiency.

This is the second post of a 3-part series…

 

Continue reading

1 Comment

Filed under Audit, Data Analytics, How to..., Technology, Written by Skyyler

Create a Team for Audit Analytics? Part 1

analytics team?Once your audit team has proven the value of doing analytics consistently, the next question is: Do we create an analytics team and have the team do all (or the majority) of the analytics?

Or should we expect all auditors to develop some levels of analytics proficiency?

Of course, this question often comes a bit further down the trail on the analytics journey, but I think the sooner it is decided, the better.

This is the first post of a 3-part series…

Continue reading

2 Comments

Filed under Audit, Data Analytics, How to..., Technology, Written by Skyyler

The Analytic Staircase for Auditors

analytic staircase stepsBuilding a successful audit analytics program is like climbing a staircase.

The staircase is a set of steps that consist of several items having increasing levels of maturity.

The staircase steps not only help you build your program, but enable you to measure that maturity.

As you view the staircase graphic, mentally insert the word “analytics” before each step.

Continue reading

3 Comments

Filed under ACL, Audit, Data Analytics, How to..., Technology, Written by Skyyler

5 Things We Need from ACL in 2018

5 thingsHere’s the 5 things I’m hoping will change in 2018 regarding ACL.

They are all related to each other and feed off each other…

Interesting.

Continue reading

9 Comments

Filed under ACL, Audit, Data Analytics, Excel, Scripting (ACL), Technology, Written by Skyyler

IIA Analytics Article Dead Wrong

analytics dead wrong iia tombstoneA recent IIA article on building an analytics function in internal audit is dead wrong.

At least on one major point, anyway. And it’s a big one.

As the tombstone reads, this point is D.O.A (dead on arrival, or more specifically, dead on analytics).

The article, Building a data analytics program, requires IIA membership to view, and is located at https://iaonline.theiia.org/2017/Pages/Building-a-Data-Analytics-Program.aspx (that’s actually good, as it means a lot fewer people will ever read it).

Continue reading

4 Comments

Filed under Audit, Data Analytics, Written by Skyyler

No Analytics, No Audit Department

dead-audit-department

If YOUR audit department doesn’t embrace data, analytics, and automation eventually, your audit department will NOT exist.

No data, no analytics. No analytics, no automation. Eventually, no audit department.

Editor Note: This post really applies to all departments in a company, but mainly I’m addressing auditors, but you might want to read between the business lines….

By embrace, I don’t mean have one or two auditors working on this. I mean the entire department.

Before you cite all the regulatory requirements mandating the existence of an audit department in companies, having an audit department in name only won’t cut it.

Having an inept audit department will not be acceptable to regulators, and it shouldn’t be acceptable to company management either. Or Audit Committees!

Companies need skilled and efficient auditors that can do the heavy lifting, and this need will only increase.

Continue reading

19 Comments

Filed under Audit, Data Analytics, Employment, Technology, Written by Skyyler

Audit Automation is NOT all Automation

audit automation ACLSome Chief Audit Executives (CAEs) and audit managers tend to think that audit automation is a set-it-and-forget-it process. NOT.

In this post, I want to expand on a problem I mentioned in an earlier post , 10 Signs Mgmt Doesn’t Really Support Analytics.

Audit management too often thinks that once a process or an audit is automated, ALL auditor/staff hours previously spent performing that process can be reassigned elsewhere.

That is not the case at all.

Continue reading

3 Comments

Filed under ACL, Audit, Data Analytics, Scripting (ACL), Security, Technology, Written by Skyyler

No Metrics, Little Analytics

analytic metrics, numbersIf your department doesn’t track metrics on your analytics, you are probably not doing analytics or you are making little progress in analytics.

In either case, its obvious that analytics isn’t very important to your management.

Which is one of the points I made in my post, 10 Signs Mgmt Doesn’t Really Support Analytics.

So far, I have encountered very few audit departments that track meaningful metrics about their analytics.

Counting the number of projects that include analytics isn’t enough.

Continue reading

1 Comment

Filed under Audit, Data Analytics, How to..., Written by Skyyler

10+ Signs Mgmt Doesn’t Really Support Analytics

mgmt doesn't support analyticsYour management says it wants more analytics, but does it really support analytics? Here’s 10+ signs that indicate that your mgmt:

  • Does NOT knows what it takes to get analytics off the ground
  • Believes that analytics multiply like rabbits, naturally
  • Is NOT willing to make the adjustments required to deliver and sustain real value.

Continue reading

6 Comments

Filed under Audit, Data Analytics, How to..., Technology, Top 10, Written by Skyyler

New IT Auditor (and WannaBEs) Master List

Here’s a list of all my posts to-date related to becoming or growing as an IT Auditor, all in one place for easy reference.
I’ll add other posts as they are written.

Continue reading

11 Comments

Filed under Audit, Employment, How to..., Security, Technology

Audit Management Sometimes Sucks

see no evilWhen internal auditors (or those pretending to be such) do poor work and don’t follow the appropriate audit and IT standards, they are unprofessional. However, I put the blame at the feed of audit management.

Continue reading

7 Comments

Filed under Audit, Employment

Do you have User IDs Hidden in the Cloud?

hidden-in-the-cloudIt’s 10 o’clock in the cloud. Do you know where all your user IDs are? Are some hidden in the cloud?

Cloud security if often cloudy because it’s not on premise where you can control it easier.

That means you may have powerful user IDs in the cloud that your security team knows nothing about, which means….

Continue reading

2 Comments

Filed under Audit, Case Files, Technology

Mack Falls Prey to Phishing Email

phishing emailIt finally happened: I fell prey to a phishing email.

I actually clicked a link.

At work, no less. Not good.

Continue reading

3 Comments

Filed under Audit, Employment, Humor/Irony

Some of my Favorites

Since some of you are newer to the blog, I thought I’d bring a couple of my favorite posts to your attention.

Continue reading

Leave a comment

Filed under ACL, Audit, How to..., Security, Technology, Top 10

Behind Locked Doors: Conclusion

office doorMost of the team deployed to the 2 departments and started emptying wastebaskets in the ‘wastebasket audit‘ exercise, collecting all the trash in large carts on wheels.

Two others were posted as look-outs in the main hallways outside the target department.

I carried my black bag of tools and approached THE door.

I pulled out my favorite flat-head screwdriver. Originally, I was going to remove the closing arm at the top of the door and then pry the hinge pins out of the hinges.

This is the fifth and final post in a series. See the previous post, Behind Locked Doors: Part 4. Start with Behind Locked Doors: Part 1.

Continue reading

4 Comments

Filed under Audit, Case Files, fraud, Security, Technology

Don’t Use GRC app to do Workpapers!

eat internal audit dog foodI consulted with a company that implemented a new GRC package, and unfortunately they are using an application designed for GRC to do audit workpapers.

That wasn’t the only move that was questionable…

Continue reading

11 Comments

Filed under Audit, Security, Security Scout, Technology

Server Audit for the Dauntless

dauntless server auditIf you’re looking for an insightful server audit, and you’re dauntless, you might want to jump on this train.

First, why do you need to be dauntless?

Because you’re going to need to obtain your data from a number of different sources; the bigger your company, the more likely you’ll need to call on and question more than a handful of people.

Because comparing and tracking all the servers that are on one list, but not another can be a challenge.

Because it his highly LIKELY that you WILL find something and the server team will not be happy.

Continue reading

5 Comments

Filed under Audit, How to..., Security, Technology

FREE Infosec & Web Pentesting Education

Security Monkey posted that PentesterLab has some great resources that provide training on pentesting, like:
  • Basics of Web
  • Basics of HTTP
  • Detection of common web vulnerabilities:
  • Basics of fingerprinting
  • and more! (like Linux Host Review)

Continue reading

Leave a comment

Filed under Audit, Free, Free Download, Security

Evaluating Risk in the Dark

risk in the dark2When you evaluate the risk of a vulnerability, do you do it in the dark?

Or do you take into account other factors that might affect the risk?

What if one of the factors is an existing audit issue that has not been remediated?

Continue reading

2 Comments

Filed under Audit

Master List of CISA Articles

cisa study guide, tipsTo make these posts easier to find (and link to), here’s a list of all the CISA-related posts on this blog, in alphabetical order.
I’ll add other CISA posts as they are written.

Continue reading

9 Comments

Filed under Audit, Security, Technology

How to be an Irritating Auditor

If you need to read about how to be an irritating auditor, you obviously haven’t been auditing very long. According to most auditees, that quality comes with the territory, right? I hope not!

Continue reading

2 Comments

Filed under Audit, How to..., Humor/Irony

FREE CISA Glossary

cisa study guide, tipsISACA has a free glossary of IT, audit, and security terms that is not only helpful in studying for the CISA exam, but is a good reference guide for new and experienced auditors.

Continue reading

3 Comments

Filed under Audit, Free, Security, Technology

How to Audit User Access

How to Audit User AccessWhen checking system access, make sure you look at all the different items that affect the user’s access. For example, the user might need one or more of the following:

  • Application ID
  • Application role or group
  • Membership in an local server group, Active Directory (AD) group, or UNIX Group
  • Access to the application’s share and/or folder on the server
  • Database ID
  • Database role, including access permissions (read/write)
  • Other permission (from a home-grown application code or enterprise identify management system)

Continue reading

8 Comments

Filed under Audit, How to..., Security, Technology

CISA vs. CIA Certification

cisa study guide, tipsIf you’re an IT auditor (or want to be one) and don’t have any audit certifications, which certification should you get, the CISA or the CIA? If you want to get both, which one do you get first?

Full disclosure: I have the CISA, but not the CIA. Back when the CIA was 4 exams, I studied for all the CIA exams except the financial exam, but ended up not taking any of the exams. I also have the CISSP.

Continue reading

176 Comments

Filed under Audit, Certification, Security, Technology

IT Admin vs. IT Auditor

IT admins and IT auditors often don’t see eye-to-eye, and they don’t usually think their goals are similar.

The IT auditor just has to work a little harder to convince the IT admin of that. I’ve worn both hats, so I know it can be done.

Continue reading

5 Comments

Filed under Audit, Security

New IT Auditor Needs Help!

A new IT auditor needs some help dealing with database patching issues and how far you need to dive into technology during an IT audit.

Take a moment to read his comment and add your thoughts. I’ve put in my 2 cents. Let’s get a good discussion going.

I think any auditor can chime in, as audit scope and audit limitations are not unique to IT audit.

Dinesh’s comment appears in What IT Auditors Ought to Know – and Don’t!

Leave a comment

Filed under Audit, How to..., Security, Technology

PSPad: Great Text File Audit Tool

PSPad is a great text editor and search tool, so by default, it’s a great audit tool, and it’s free. It can also handle a million lines of text–literally. Are you interested yet? It is also a great file diff/compare tool I’ve ever seen.

PSPad works with text files, such as those ending in TXT or CSV, or any text-based file (like an ini file). It works with DOC files too.

I’ll explain how to do the following with PSPad:

  • Search a file (find all lines containing X)
  • List all occurrences/matches of a search term
  • Export a list of occurrences
  • Compare 2 documents (diff)
  • Download & install PSPad

Continue reading

Leave a comment

Filed under Audit, Free, How to..., Security

Audit and IT Audit for Dummies

Here’s some links for Audit and IT Audit for dummies, one from the IIA, the other from ISACA. Most of them do not require being a member or logging in.

While these articles are not extensive, they will point new auditors in the right direction, and provide a refresher for the rest of us. Continue reading

36 Comments

Filed under Audit, How to...

No Bad Audit Reports Allowed?

No Bad Audit ReportsIt’s getting to the point where some audit directors are saying, “No bad audit reports allowed.” In other words, don’t shoot the messenger, just the message. What follows is an experience from one of my audit colleagues…

First, a couple “I know” statements…I know auditors are supposed to be helpful and friendly. I know auditors are supposed to add value. I know auditors need to be careful about giving only bad news; we should also note in our report what the auditee is doing right (if anything). I know that it’s hard for auditees to get hammered again and again by audit reports.

Continue reading

14 Comments

Filed under Audit, Technology

May –> Audit Awareness Month

May is Audit Awareness Month, so if you want to host an event to promote audit at your organization, you’re short on time.

I wrote about this last year, and all the links on that post are still good, so see May = Audit Awareness Month for ideas.

Hey, I’m recycling last year’s post, so this must be a GREEN blog!

Leave a comment

Filed under Audit, Humor/Irony

How Virtualization Changes Audits

If you haven’t determined how server virtualization changes your audit plans, you better get moving. I’m not just talking about a virtualization audit (more on that later), but the audits that you typically do every year or on a multi-year cycle.

For example, if every year you do an audit on all networks, servers, applications, and databases that host your key financial reporting or PHI systems, you’re looking at policies and procedures, configuration management, security (including patching), user access, logging, and so on. But do you first consider whether those assets run on virtualized servers?

Continue reading

2 Comments

Filed under Audit, How to..., Security, Technology