Risk Insights Blog posts - converted to audio (spoken word versions of written blog articles). Articles for risk, internal audit and performance audit professionals, largely with a focus on the use of data and analytics within audit.
This is an audio version of a blog article. The original article was published here: https://riskinsights.com.au/blog/data-confident-internal-auditor-software In this episode, we discuss software for using data in audit. Links: Risk Insights Blog; KNIME; Power BI. For more advice on analyzing data for audits, you can find The Data-Confident Internal Auditor on Amazon, with bonus resources available at data-confident.com. The book aims to demystify the use of data in internal audits through practical, step-by-step guidance.
This is an audio version of a blog article. The original article was published here: https://riskinsights.com.au/blog/small-data-5-ways-to-extract-value/ In this episode, we discuss the use of small datasets for audits, and 5 ways that auditors can extract value from smaller sets of data. Links: Risk Insights Blog; The UK Government used open data to save £4m in 15 minutes. For more advice on analyzing data for audits, you can find The Data-Confident Internal Auditor on Amazon, with bonus resources available at data-confident.com. The book aims to demystify the use of data in internal audits through practical, step-by-step guidance.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/4-audit-data-approaches In this episode, we discuss four broad approaches to using data as part of audits. These apply to both internal audit projects and performance audits. Links: Risk Insights Blog; Counter-Trafficking Data Collaborative (CTDC). Note: The original article contains an image and a visual. This audio version of the article includes a short explanation of each, but it would be easiest to see them in original form in the written version of the blog (link above).
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/efficiency-audits In this episode, we discuss why auditors should include efficiency audits and how to tackle the common objections to conducting efficiency audits. Note: The original article contains an Auditviz (a data visualization). This audio version of the article includes a short explanation of the graph, but it would be easiest to see the graph in its original form in the written version of the blog (link above).
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/data-for-efficiency-in-audit In this episode, we discuss how auditors could use data to achieve four separate sets of efficiency outcomes, for the audit team and for their organizations and stakeholders. Note: This article contains an Auditviz (a data visualization). For this audio version of the article, we will provide a short explanation of the graph, but it would be easiest to see the graph in its original form in the written version of the blog (link above). Other links mentioned in the article: share intel and data among the team; going beyond the initial remedial action.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/relative-vs-absolute-to-combine-performance-or-risk-indicators In this episode, we discuss how to understand combined relative performance across two or more performance or risk indicators. Note: This article contains several graphs. This audio version of the article includes short explanations of the graphs, but it is easier to see the graphs in their original form in the written version of the blog (link above).
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/crisis-as-an-opportunity-to-reset-strategic-assurance-priorities In this episode, we discuss how crises present new challenges and opportunities for assurance leaders.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/audit-data-governance-5 In this episode, we discuss principle 3: Maximizing benefits - data and analytics within Internal Audit. Links in the article: 1. Why you need to govern the use of data, within the I.A. team, in a different way. 2. Why we must share data, that is collected or used for audits, with the whole audit team. 3. Principle 1: Security and open access. 4. Principle 2: Quality. 5. 5 core assurance analytics challenges. 6. "false positives" approach in this article.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/audit-data-governance-4 In this episode, we discuss principle #2 – Quality - for data and analytics governance within the Internal Audit function. Links in the article: 1. Why the use of data within the IA team (e.g., for audits) should be specifically, and differently, governed. 2. A point of view about keeping access to data - that is collected or used by the audit team - open to the whole audit team, where appropriate. 3. The 3 key principles and principle 1 in detail.
3 key principles for Data and analytics Governance within Internal Audit (DGIA). A core set of guidelines that we, as internal audit professionals, can check ourselves against in planning for and using data and analytics. This is an audio version of this blog article - the 3rd in the DGIA (Data and analytics Governance within Internal Audit) series. Links: This article (the original written version); The first article in the DGIA series; The second article in the DGIA series; The Core Principles for the Professional Practice of Internal Auditing, as articulated by the Institute of Internal Auditors. Accessed here, at the time of publication of this article.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/augment-team-vs-automate-process In this episode, we explore what internal auditors need to consider when automating for audit purposes and when involved in audit activities related to the business adoption of automation.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/performance-audits-creating-sustaining-public-value In this episode, we explore the role that performance auditors and internal auditors play in sustaining public value. This article is for: Performance Auditors, to help explore their critical role in sustaining Public Value; Internal Auditors, in conducting performance audits (i.e., assessing economy and efficiency within their organisations). Links and resources mentioned in the article: Creating Public Value: Strategic Management in Government, Mark Moore, 1995, Harvard University Press; Use of community voting on projects - Victoria’s Pick my Project; Public involvement in program design - Auckland’s Co-design lab; Ongoing refinement of proposed new public services - the UK’s Policy Lab.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/big-bang-data-warehouse-projects In this episode, we explore what internal auditors need to consider regarding big bang data warehouse projects.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/audit-data-governance-2 In this episode, we discuss control over access to data within the audit team – that is, should you open data access up to the whole audit team or restrict access based on need. This is the 2nd article in the DGIA (Data and analytics Governance within Internal Audit) series. Link in the article: “More access to data to reduce risk and enhance business decisions”
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/investigators-and-corruption-agencies-can-cost-effectively-generate-deep-insights-from-data In this episode, we explore how corruption agencies and Investigators can cost-effectively use data to generate deep insights. Links mentioned in the article: Nov 2018 National Investigations Symposium (NIS) in Sydney; machine learning can help reduce false positives; 4 years of financial data from here; Crime and Corruption Commission (Queensland, Australia) corruption allegations dashboard.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/integrity-and-oversight-agencies-dna In this episode, we outline five common organisational factors that lead to successful performance of integrity and oversight agencies. Mentioned in this article: Integrity agencies: This includes, among others, anti-corruption agencies, auditors-general, ombudsmen, integrity and public sector standards commissions. Australian Public Sector Anti-Corruption Conference (on Twitter).
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/the-fraud-merry-go-round In this episode, we briefly outline key organisational characteristics in determining overall fraud risk profiles.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/agile-internal-audit-part2 In this episode, we explore how internal audit can operate in tandem with other business units. That is, adopting similar project delivery approaches to deliver audits that are focused on outcomes for the customer, increasing value. This is part two of a two-part episode.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/agile-internal-audit-part1 In this episode, we explore how internal audit can operate in tandem with other business units. That is, adopting similar project delivery approaches to deliver audits that are focused on outcomes for the customer, increasing value. This is part one of a two-part episode.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/ccm-internal-audit-3lod In this episode, we consider whether audit functions should be responsible for continuous controls monitoring. Links mentioned in the article: IIA position paper on 3LOD; Deloitte article on fighting fraud.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/audit-analytics-beyond-basic-rules In this episode, we briefly discuss how assurance analytics goes beyond basic rules.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/going-beyond-the-initial-remedial-action In this episode, we explore a common flaw in designing audit remediation actions.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/risk-management-creating-risk In this episode, we explore how poor risk management can result in more risk than it attempts to reduce. Links mentioned in this episode: The article in which we spoke about a PIA that did not consider all the risks and created a false sense of security; The article in which we outlined how a flaw in risk-thinking can increase risk by reducing efficiency and effectiveness; The article in which we looked at how to use the results of audits to reduce risk, rather than just ticking a box.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/inadvertent-privacy-breaches In this episode, we explore inadvertent privacy breaches. Links mentioned in the article: The travel card data privacy breach was reported on in this article in August 2019; The article in Science Daily that says "Re-identifying anonymised data is how journalists exposed Donald Trump's 1985-94 tax returns in May 2019"; The article in The Guardian that says "anonymising data is practically impossible for any complex dataset"; OVIC wrote about the investigation in this blog article; Other false senses of security created by risk management in this separate blog article; The De-Identification Decision-Making Framework; The Microsoft Guide to Data Governance for Privacy, Confidentiality, and Compliance; Uber: open source project for differential privacy; Google: open source version of their differential privacy library.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/emerging-risks-artificial-intelligence In this episode, we explore artificial intelligence, and how to manage the risks associated with AI opportunities.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/post/outside_in_risk_management_part1 In this episode, we explore customer focus as it applies to risk management.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/post/3-open-source-myths-that-might-be-inhibiting-your-team-s-progress In this episode, we explore 3 open source myths that might be inhibiting your team's progress.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/post/3rd-party-risk-management-do-you-consider-customer-experience In this article, we explore the need to consider customer experience in managing third party risks.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/audit-analytics-reducing-noise-false-positives In this article, we explore an alternate approach to dealing with false positives that result from internal audit analytics.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/survive-the-damage-caused-by-a-spreadsheet-model-error In this episode, we explore three ways to reduce the risk of spreadsheet error. Spreadsheets are often used for modelling and analysis, largely because they are easy to use and highly flexible. This has been the case for decades. But what happens when a simple error like cutting-and-pasting the wrong formula, or omitting data in a calculation, ends up costing you thousands or even millions of dollars? To build for sustainability and to reduce the number of inadvertent human errors, especially for large and complex models, you can reduce the risk of error. But how do you do that? Review: A minimum of 2 types of quality assurance reviews for each model: i) A technical peer review (ideally by someone who has not been involved in the development of your model) to review and evaluate the accuracy of the formulae, calculations and code. ii) A business user review (by someone who understands the purpose of the model and the underlying business rules) to determine whether the model is working as it is supposed to, functionally. Protect: If you continue to use the spreadsheet model, lock the calculation cells. This provides a layer of protection from unexpected changes; however, it does not necessarily prevent other users from unlocking the cells. Change platform: Moving the model to an analytics platform allows you to enter your variable inputs through an interface (e.g. Excel, web form, visualisation tool) which can rerun the model on the fly (behind the scenes) and produce the scenario results. With this approach, the model can be used more broadly, with reduced risk of change to the underlying formulae / algorithms.
This is an audio version of a blog article. The original article was published here: www.riskinsights.com.au/blog-1/supply-chain-risks In this episode, we explore three newer supply chain risks – two that relate to being associated with questionable suppliers, and a third that relates to fraud. The Symantec guidance: Business email compromise.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/openaccess More access to data to reduce risk and enable better decisions. Controls are usually put in place to reduce risk. Like user access controls to reduce data integrity risk. But what if your access controls are actually increasing risk? This can happen - particularly if there is no distinction made between systems of record (like ERPs) and systems of intelligence (like data warehouses). In this article, we discuss an alternate approach.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/sas70-certification-and-other-soc-report-myths SAS70 certification and other common SOC report myths. If you use or plan to use a cloud/SaaS/hosted solution, how do you ensure that the service provider is protecting your systems and data? Rely on their SAS70 reports, right? Not quite. In this article, we explain why this is not the right answer and explore a few other common myths. Background: System and Organization Controls (SOC) reports used to be conducted in accordance with "SAS70" in the US. A few years ago, SAS70 was replaced by: In the US: SSAE18, now replaced by SSAE18; Globally: ISAE3402; In Australia: ASAE3402. For audits that are conducted in accordance with these standards, a SOC report is produced. SOC 1 Myths: 1. Certification or compliance - Myth: The outsourced service provider is certified or compliant. 2. Qualified Opinions - Myth: A qualified SOC report is the same as qualified financials, which is bad. 3. Use of SOC 1 reports - Myth: The reports can be used to determine the level of control over all IT risks.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/5-assurance-analytics-challenges Five assurance analytics challenges, and how you can overcome these: (1) Access to data – you can't get all the data, or you can't get it quickly enough. (2) Low value – the analysis doesn't provide new insights. (3) False positives – too many of them; results are overwhelmingly noisy, distracting your focus. (4) Superficiality – the results are not deep enough to properly understand and refine the problems or to provide opportunities for improvement. (5) Timing – the results are not available in time for reporting/concluding.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/3-analytics-software-sets-for-your-team-and-3-selection-advice-considerations In this episode, we outline the 3 types of data and analytics software that audit teams should have access to, at a minimum. We also explore 3 questions to ask if you are obtaining external advice regarding software selection. Link mentioned in the article: ASAP Utilities – an Excel add-in.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/audit-data-governance It explains, using a case study, why internal auditors and performance auditors need to consider adopting a specific approach to managing the data used on audits. This is the 1st article in the DGIA (Data and analytics Governance within Internal Audit) series.
This is an audio version of a blog article. The original article was published here: https://www.riskinsights.com.au/blog-1/complaints-data-audit Why are auditors increasingly using complaints data? Most auditors that use complaints data are interested in one or more of these three key benefits: (1) Customer complaints can provide an alternate perspective for a range of audits e.g., identifying revenue leakage like in the example above, triangulating customer requests that had not been acted on, highlighting control gaps. (2) Understanding complaints data enables audit to help management improve the complaints process e.g., how complaints are reported on. (3) Exploring the complaints data enables audit to identify strategy achievement blockers – presuming that the strategy focuses largely on customers. For example, your complaints data may point to previously unidentified problems in how services are delivered. In this article we explore: the historical problem with using complaints data and why this is no longer a challenge; what the data typically looks like – understanding complaints data; another use case (triangulating customer requests that had not been acted on). What the article doesn’t cover: The third benefit above (strategy achievement blockers) – this is an interesting angle, but we’ll leave it for a future article. Complaints data that is recorded manually e.g., handwritten notes in a physical file. This is not impossible to analyse but converting the physical data to electronic data is a separate topic. The solutions in this article assume that the data is already in electronic form.