Last week I was meeting with one of our company’s Accounts Payable clerks, who told me she was not concerned about some upcoming General Ledger changes.
2 changes that were submitted by developers on her behalf.
2 changes she didn’t know anything about, so she didn’t consider them her problem.
This post is a Quote of the Weak post. For more info on these types of posts, see the Quote of the Weak topic under About.
Filed under Audit, Case Files, Quote of the Weak, Security, Security Scope
Diligent’s acquisition of Galvanize (ACL) is another nail in the ACL analytics coffin.
First, ACL acquired another company and created Galvanize. And we were told governance, risk, and compliance (GRC) would never be the same.
And I told you that ACL analytics would never be the same. In fact, I predicted that this acquisition meant that ACL analytics was dying (when I say ACL analytics, I’m referring to the Windows desktop version that they built the original company on).
For more on this, see ACL Officially Changes Name & Spots and Is ACL Analytics Dying?
Filed under ACL, Audit, Data Analytics, Scripting (ACL), Technology, Written by Skyyler
It seems to me that auditing as a profession is not full of critical thinkers, much less thinkers.
If you read my last post about auditor judgment, I’m struggling with some of the junior auditors that I’m working with.
But I’m also struggling with quite a few of the senior auditors that I work with, those that are my peers (which means they peer at what I’m doing and how I’m doing it and then continue on their merry paths).
I came to this opinion based on most of the auditors I’ve met through the years across many companies, small and big, and across sectors, including public service. And also by the many articles calling for the profession to do more critical thinking, and yes, it is needed.
But let’s start with plain old thinking (walk before run).
Filed under Audit, Data Analytics, Excel, Humor/Irony, Technology
Companies need to create a help desk for data, similar to the help desk they created for hardware, software, application, network, and user problems.
Can you imagine if companies didn’t have a computer help desk and each department had figure out their own computer issues? If each department had to find, load, configure, and troubleshoot their own hardware and software?
But isn’t that how most companies operate when it comes to data and data projects?
Filed under Audit, Data Analytics, How to...
This is the second of 3 posts; this post describes the audit, some speed bumps, and the audit results.
Read the first post here, which provides the background on the audit and the audit’s scope.
Filed under ACL, Audit, Case Files, Data Analytics, Scripting (ACL)
This is Part 4 of a Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. See Part 1, Part 2, Part 3.
Does the Process X team provide metrics around their process?” I asked.
“Yes,” the most senior auditor replied, showing me the web page where the Process X metrics were displayed.
After reviewing the page briefly, I said, “I see they do metrics by month. You have a year’s data; are you planning to understand how they prepare their metrics and re-calculate them to see if you get the same numbers?”
Filed under Audit, Case Files, Data Analytics, Excel
This is Part 3 of a Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. See Part 1 and Part 2.
I looked at the third page of the handout and asked, “What is this?”
“A list of Active Directory (AD) groups and the user IDs in each group. I searched AD for any group containing the system name,” the junior auditor said, “and identified these 6 groups. I then downloaded all the members of these groups from AD into Excel.”
Filed under Audit, Case Files, Data Analytics, Excel
Some auditors struggle with basic auditing. So when these auditors try to data analysis, well you can imagines how that goes.
I recently met with a team of auditors to give them input on what data profiling would be appropriate to perform. And what analytics might be insightful.
This is Part 1 of a 4-part Case File series that describes how real auditors tried to apply questionable methods to auditing and data profiling. Do not try these methods at home or work. Don’t even dream about them, awake or asleep.
Filed under Audit, Case Files, Excel
Before you start analyzing data, you need to 1) know you have the right data, and 2) understand the data and the process that produced it.
This post assumes, of course, that you already accomplished some of the hardest tasks already: figuring out what data you need, where to get it, and actually getting the data. Good luck with that. :)
This post is part of the Excel: Basic Data Analytic series.
Filed under Audit, Data Analytics, Excel, How to...
Before you analyze data, you should profile it.
Otherwise, your analysis may not be too broad, too narrow, or you may miss some important insights or errors.
This post is part of the Excel: Basic Data Analytic series.
Data profiling is developing a profile of your data, just as facial profiles of a person, taken from various angles, helps you size up a person’s nose, identify whether his chin is sagging, and how far apart the person’s eyes are.
Filed under Audit, Data Analytics, Excel, How to...
If you are in IT, audit, or security (or any other job requiring data analysis), you should NOT be cleaning data manually.
Let me share a recent experience with you….
A young IT auditor texted me at work and asked for some Active Directory user account data that I capture automatically every week, using some scheduled ACL scripts.
If you’re not familiar with my ‘Quote of the Weak’ series, I described it briefly in About. For a list of posts in this series, see here.
Filed under Audit, Case Files, Data Analytics, Excel, How to..., Quote of the Weak, Security, Technology
Test how much you know about automation technologies by taking the job automation quiz at Financial Management magazine.
Filed under Audit, Free, Security, Technology
Contrary to what ACL has been touting as their new ‘robotics’ feature, it is NOT robotics process automation (RPA).
[The ‘robotics’ feature is due out later in 2018. It appears to be ACL’s latest attempt to get you to use their GRC software.]
ACL, via John Verver, defines the term this way in his RPA article: “The idea is a relatively simple one: get computers to perform tasks normally performed by humans, and cut resource and time requirements for many repetitive activities.” Continue reading
Filed under ACL, Audit, Data Analytics, Scripting (ACL), Technology
To increase the amount and depth of the analytics performed, steal some agile methods, and apply them to your audits.
If you’re not familiar with agile methods, check out the first 5 topics listed here (just click Next at the bottom of each page; the topics are quick to the point and full of pictures).
Briefly, agile projects are performed in cycles, or iterations, rather than in a long, linear-waterfall fashion, which is: do all planning, then field work, then reporting. Each iteration of the project creates some value and includes feedback, which is used in the next iteration to increase the value of the project.
Filed under Audit, Data Analytics, How to..., Technology, Written by Skyyler
A while back, a reader named Kyle and I had a conversation about analytics.
It started with his reading my Excel:Basic Data Analytics post where I list a number of procedures that anyone can do in Excel.
Kyle said he was expecting some “super sophisticated process & methodology that works like magic.”
Filed under Audit, Data Analytics, Technology
Once your audit team has proven the value of doing analytics consistently, the next question is: Do we create an analytics team and have the team do all (or the majority) of the analytics?
Or should we expect all auditors to develop some levels of analytics proficiency?
Of course, this question often comes a bit further down the trail on the analytics journey, but I think the sooner it is decided, the better.
This is the first post of a 3-part series…
Filed under Audit, Data Analytics, How to..., Technology, Written by Skyyler
Building a successful audit analytics program is like climbing a staircase.
The staircase is a set of steps that consist of several items having increasing levels of maturity.
The staircase steps not only help you build your program, but enable you to measure that maturity.
As you view the staircase graphic, mentally insert the word “analytics” before each step.
Filed under ACL, Audit, Data Analytics, How to..., Technology, Written by Skyyler
Here’s the 5 things I’m hoping will change in 2018 regarding ACL.
They are all related to each other and feed off each other…
Interesting.
Filed under ACL, Audit, Data Analytics, Excel, Scripting (ACL), Technology, Written by Skyyler
A recent IIA article on building an analytics function in internal audit is dead wrong.
At least on one major point, anyway. And it’s a big one.
As the tombstone reads, this point is D.O.A (dead on arrival, or more specifically, dead on analytics).
The article, Building a data analytics program, requires IIA membership to view, and is located at https://iaonline.theiia.org/2017/Pages/Building-a-Data-Analytics-Program.aspx (that’s actually good, as it means a lot fewer people will ever read it).
Filed under Audit, Data Analytics, Written by Skyyler
If YOUR audit department doesn’t embrace data, analytics, and automation eventually, your audit department will NOT exist.
No data, no analytics. No analytics, no automation. Eventually, no audit department.
Editor Note: This post really applies to all departments in a company, but mainly I’m addressing auditors, but you might want to read between the business lines….
By embrace, I don’t mean have one or two auditors working on this. I mean the entire department.
Before you cite all the regulatory requirements mandating the existence of an audit department in companies, having an audit department in name only won’t cut it.
Having an inept audit department will not be acceptable to regulators, and it shouldn’t be acceptable to company management either. Or Audit Committees!
Companies need skilled and efficient auditors that can do the heavy lifting, and this need will only increase.
Filed under Audit, Data Analytics, Employment, Technology, Written by Skyyler
To create a successful analytics program in internal audit, you must have a plan. A plan that points to analytic North.
That requires WRITTEN goals.
In an earlier post I outlined 10 Signs Mgmt Doesn’t Really Support Analytics.
One of the signs that indicates management isn’t really serious about analytics is that management does not require every staff member to have measurable analytic goals.
Filed under Audit, Data Analytics, Excel, How to..., Written by Skyyler
Your management says it wants more analytics, but does it really support analytics? Here’s 10+ signs that indicate that your mgmt:
Filed under Audit, Data Analytics, How to..., Technology, Top 10, Written by Skyyler
In my last post, I described Why Internal Auditors Should Care about Robotic Process Automation.
In this post, I’ll explore whether RPA can replace analytic packages like ACL, IDEA, R, and Power BI.
That might seem like a strange question, but a few managers and a VP have asked me just that recently. Here’s how I’ve answered it.
Filed under ACL, Audit, Data Analytics, Employment, Scripting (ACL), Technology
If you’re an auditor and you are not yet using Excel PowerPivot, you are missing the next greatest thing since spreadsheets arrived.
If you are NOT an auditor, and you don’t use PowerPivot, you’re in the same boat with the auditors mentioned above, and it is sinking.
In other words, if you use Excel, you should be learning Excel PowerPivot. It’s that big.
Let me explain why.
NOTE: I updated this post quite a bit with new info…
Filed under Audit, Data Analytics, Excel, Free, Technology
If you’re an auditor, you need data analytic skills or you will die.
Or put another way, if you don’t acquire them in the next 1-5 years, you will no longer be an auditor.
Pretty bold statement, isn’t it?
Filed under Audit, Data Analytics, Employment, Free, Technology, Written by Skyyler
If you like Dilbert cartoons or big data, you might enjoy Dilbert’s adventures in data analysis, data mining, data privacy, security, and dealing with a dumb manager.
Filed under Audit, Data Analytics, Humor/Irony
You can check for blank and invalid data in Excel several ways.
Depending on the size of the file and your preferences, you can either scroll through the dropdown list, sort each column from A to Z and then Z to A, or apply a filter.
Sometimes, you need to use a combination of these methods.
It’s important to know how these methods treat data differently and to be aware of their limitations.
Filed under Audit, Data Analytics, Excel, How to...
Before you analyze data, you must first validate it.
Otherwise, your analysis may not be accurate, and you may miss some important insights or errors.
This post is part of the Excel: Basic Data Analytic series.
Before analyzing your data, you need to check the following:
Filed under Audit, Data Analytics, Excel, How to...
Here’s a list of my basic data analytic procedures for Excel.
As I add more posts to the series, I’ll update this list.
I created this series because:
1) I often get asked by new AND EXPERIENCED auditors how to do these tasks,
2) when I review workpapers, I realize too many auditors are not aware of these functions,
Filed under Audit, Data Analytics, Free, How to..., Security
In case you missed it, ACL released the next version of their Acerno product, renamed it ACL Excel Add-in, and made it FREE! 2021 UPDATE – it doesn’t look like it’s free any more; requires ACL subscription.
UPDATE – I’m guessing that since this product never caught on, they only give it away to subscribers – go figure.
So I thought I’d update my review.
For my original review of Acerno, see A Review of ACL Acerno. It still seems that I’m the only one who ever took the time to review the product (versus marketing blurbs, which are all over the ‘net), which appears to be a statement regarding its popularity.
Despite the poor popularity, since they updated it AND made it free, I decided to dive in for another look.
Note: This add-in is not just for auditors! Any one who regularly reviews data should consider using this simple, EASY-to-use software.
Please take the new & improved poll at the bottom of this post (also free).
Filed under ACL, Audit, Data Analytics, Excel, Free, Free Download
Do you perform appropriate population validation of the data you rely on in an audit?
Population validation is simply gaining confidence that the data you are using in your audit contains all the appropriate data for your audit objectives (e.g., your server list includes all the SOX servers).
For the difference between population validation and data validation, see Why You Must Validate Data.
So how do you do population validation? Let’s look at an example…
When checking system access, make sure you look at all the different items that affect the user’s access. For example, the user might need one or more of the following:
Filed under Audit, How to..., Security, Technology
On occasion, I have received the following ACL error: The working directory does not have write access permission (see below).
Simply said, it means: the working directory is not working; something is not write. :)
Seriously, the working directory is the directory in which the application wants to start, which is why it is also called the starting directory. This is the directory to which ACL expects you to save your ACL projects. That’s why ACL needs write access to that directory.
Filed under ACL, Data Analytics, How to..., Written by Skyyler
A lot of company data is lying around unprotected, making it very easy to steal. No, I’m not talking about picking up other people’s documents at the printer. Stealing printouts isn’t hard, but it can be risky, especially if the printer is a busy one. Besides, it has 2 other problems:
There’s a much better way that is fast, easy, simple, raises no suspicion, and is basically impossible to detect, if you do it correctly. Can you think of what it is?
An Information Week article, From CRM to Social, noted that companies consider data mined from social media as business data. Basically, companies are supplementing their customer relationship management (CRM) database with the personal data from social networks. Consider these points:
If you don’ read anything else, see the quote in red below from the Guess CIO.
Filed under Security, Technology
ACL is offering FREE training as part of their bootcamp series, which started in September 2011. The training consists of a video presentation that includes ACL demos. The best part is that you do NOT have to be a current ACL customer or even have a copy of ACL.
The purpose of the series, according to ACL, is to teach basic skills and deal with common problems that ACL users encounter. Each session lasts about 30-40 minutes, followed by a Q&A session. The bootcamp is led by Shane Grimm (see his blog comment here).
Filed under ACL, Audit, Data Analytics, Free
In Case File: Audit Server Disappeared, I noted that a friend of mine learned that IT had, on its own prerogative, wiped a server belonging to Internal Audit because “it never appeared to be used.”
Some of you already commented on some of the issues involved in this incident and the normal IT activities that should have prevented this incident (or at least alerted IT that something was wrong). Let’s review those comments and I’ll add some other details and comments.
Filed under Audit, Case Files
If you hurry (limited time offer), you can register for and download a free copy of Data Leakage for Dummies from Sophos.
Some people do not understand that both diamonds and the Internet are forever. I found this statement in a discussion on LinkedIn:
I am excited about 2 interviews next week even though I’m not fully qualified for either one.
Filed under Employment, Humor/Irony, Quote of the Weak, Security
SC Magazine had a good article back in November (I am a bit behind in my reading and my blogging) about industry pioneers in IT security. Listed below are quotes by a select few of the people the mag profiled. If you find their quotes interesting, or you are not familiar with them, I suggest you check out the article and perhaps do some extra reading about some of them.
I thought cryptography was a technique that did not require your trusting other people…” – Whitfield Diffie
Filed under Security
The American Recovery and Reinvestment Act includes changes to HIPAA, including:
The changes are not effective until February 2010.
David Mortman of Searchsecurity.com provides an overview of the changes here.
For a more comprehensive list of changes, see Thomson Hine (PDF).
ITauditSecurity 