Audit Scotland ReBlog: The journey to become a Chartered Accountant (with Bonus sing-along opportunity)

My name is Graham Foster and I’m one of the in-house lecturing team with ICAS. Much of my early career involved auditing Scotland’s public services, giving me some early insights into the work of Audit Scotland. After moving into accountancy training, I’ve worked with many Audit Scotland trainees.

I joined the ICAS team in 2016 and deliver training across all three levels of the CA qualification. Let’s look at each of the three levels in turn…

Read more about Graham’s journey here.

Accountability and Media Featured

Oregon Office of Economic Analysis ReBlog: Oregon Economic and Revenue Forecast, June 2018

The U.S. economy continues to perform well. Economic growth remains above potential and job gains are strong enough to pull down the unemployment rate even as more individuals are looking for a job. The business cycle is not yet waning and the near-term prospects for economic growth are good. The consensus of forecasters pegs the probability of recession over the next year at just 15 percent.

However, longer-run forecasts remain relatively muted, in part due to the impact of an aging population and the temporary provisions in the federal fiscal stimulus. From today’s relatively strong cyclical vantage point, three real downside risks stand out. First is the Federal Reserve’s ability to engineer a soft landing. Second is the potential for deteriorating international relations and trade. Third is the recent run-up in energy prices which crimp household budgets in the near-term. To date, actual constraints on growth appear to be minimal, but bear watching in a mature expansion.

Josh Lehner breaks down Oregon’s economic forecast over the next two years. Read more here.


IIA ReBlog: The Perils for Internal Audit of Donning a “Black Hat”

It’s easy to get typecast as wearing either a “white hat” or a “black hat” — as hero or enforcement villain. When an internal audit department is associated strongly with the type of investigations that result in terminations or even criminal prosecutions, it can be challenging for anyone in internal audit to be regarded as a true partner.

I don’t mean to imply that internal auditors should avoid participating in tough assignments, including investigations involving potential misconduct. Internal auditors can provide a unique and invaluable contribution. And, for smaller organizations, it may not be feasible to maintain separate internal audit and investigation teams. But one of the difficulties of taking on a “black hat” role is that changing roles may not be as easy as, well, changing your hat.

Richard Chambers discusses one of the challenges of being an internal auditor, and shares a few suggestions on how to balance the demands of the job with maintaining healthy and productive working relationships within an organization. Read more here.


Harvard Business Review Repost: What it takes to think deeply about complex problems

The problems we’re facing often seem as complex as they do intractable. And as Albert Einstein is often quoted as saying, “We cannot solve our problems with the same level of thinking that created them.” So what does it take to increase the complexity of our thinking?

Tony Schwartz, president and CEO of The Energy Project, outlines the steps his team takes to tackle difficult and complex questions. As auditors, we are sometimes tasked with examining gnarly, high-stakes problems that have no apparent and straightforward solutions. This requires that we cultivate the kind of thinking that allows us to approach the problem from more than one angle.

Simple answers make us feel safer, especially in disruptive and tumultuous times. But rather than certainty, modern leaders need to consciously cultivate the capacity to see more — to deepen, widen, and lengthen their perspectives. Deepening depends on our willingness to challenge our blind spots, deeply held assumptions, and fixed beliefs. Widening means taking into account more perspectives — and stakeholders — in order to address any given problem from multiple vantage points. Lengthening requires focusing on not just the immediate consequences of a decision but also its likely impact over time.

Read more here.


GAO Watchblog Reblog: Personal Information, Private Companies

The recent Congressional hearings on Facebook have highlighted the ways that companies collect and use personal information for marketing purposes. So, what rights do you have to your own information?

The GAO outlined the lack of comprehensive legislation that addresses privacy in their 2013 report on the subject:

No overarching federal privacy law governs the collection and sale of personal information among private-sector companies, including information resellers. Instead, a variety of laws tailored to specific purposes, situations, or entities governs the use, sharing, and protection of personal information. For example, the Fair Credit Reporting Act limits the use and distribution of personal information collected or used to help determine eligibility for such things as credit or employment, but does not apply to information used for marketing. Other laws apply specifically to health care providers, financial institutions, videotape service providers, or to the online collection of information about children.

The current statutory framework for consumer privacy does not fully address new technologies–such as the tracking of online behavior or mobile devices–and the vastly increased marketplace for personal information, including the proliferation of information sharing among third parties. With regard to data used for marketing, no federal statute provides consumers the right to learn what information is held about them and who holds it.

These findings are still relevant today.

Read more here.


Oregon State Police: Forensic Division Has Taken Appropriate Steps to Address Oregon’s Sexual Assault Kit Testing Backlog

Report Highlights


Oregon State Police (OSP) has taken appropriate steps to manage an influx of Sexual Assault Forensic Evidence (SAFE) kits sent by local law enforcement agencies after Melissa’s Law passed in 2016, including adding staff and equipment, changing how they prioritize the testing of DNA evidence, and using more efficient technologies for DNA processing. Many of these changes occurred too recently to definitively determine whether they will successfully eliminate the remaining backlog. However, the actions taken are aligned with best practices and OSP officials estimate they will largely eliminate the backlog by the end of 2018.

Background

The Forensic Services Division of OSP provides Oregon’s only full-service forensic lab system. The intent of Melissa’s Law is to prevent a future SAFE kit testing backlog at local law enforcement agencies by mandating all non-anonymous kits be sent to OSP for testing.

Purpose

The purpose of this audit was to report on whether OSP has taken actions consistent with statute and best practices to address the SAFE kit backlog.

Key Findings

  1. OSP has complied with Melissa’s Law by increasing lab capacity and reporting results to legislators on efforts to reduce the SAFE kit backlog.
  2. OSP is following best practices outlined by the National Institute of Justice for forensic labs that process SAFE kits. For example, OSP’s “high-throughput” approach to obtaining DNA profiles from SAFE kits is recommended for decreasing kit backlogs.
  3. The agency’s decision to suspend DNA processing of property crime evidence to focus on SAFE kits could lead to a backlog of DNA evidence of this type at local law enforcement agencies. Local law enforcement agencies are eager for OSP to resume accepting DNA evidence for property crimes.
  4. As of January 2018, many of OSP’s capacity-building and process improvement efforts have been implemented. Since then, OSP has shown substantial improvement in the number of kits processed each month. Also, there has been a significant reduction in the statewide backlog. A 2017 survey of local law enforcement agencies found approximately 1,100 kits needing testing, down from approximately 4,900 in 2015. For these reasons, OSP believes it can eliminate the backlog by the end of 2018.

Recommendations

We recommend that OSP publicly post backlog status reports, examine options for a statewide SAFE kit tracking system, and plan for reintroducing DNA testing in property crimes.

OSP generally agrees with our recommendation. The agency’s response can be found at the end of the report.

Read full report here.

Featured New Audit Release Performance Audit

Methods (to our Madness): How IT audits help keep your $$$ safe

Recently, the Secretary of State Oregon Audits Division released an IT audit of GenTax, the software system that Oregon’s Department of Revenue uses to process tax payments and returns. This month, I sat down to talk to Erika Ungern, an 18-year veteran of the Audits Division and the lead for the audit.

Why was the GenTax system selected for an audit?

A lot of the work we do on the IT team supports financial auditors. They need to know that the information they use for their audits is reliable. GenTax is a fairly new system – the Department of Revenue completed the last of four rollouts in November 2017 – so it was a good time to take a look.

What was the goal of this audit?

We were auditing to answer the question: Does the system do what it needs to do? That meant primarily looking to see if there are application controls in place so data remains complete, accurate, and valid during input, processing and output. In this case, GenTax is the software DOR uses to process tax returns and payments – which is something all taxpayers may be interested in.

What sort of criteria do you use to assess how well the controls are in place?

We currently use the Federal Information System Controls Audit Manual, or FISCAM. It’s a standard methodology for auditing information system controls in federal and other governmental entities. It provides guidance for evaluating the confidentiality, integrity, and availability of information systems. The information included in FISCAM ties back to National Institute of Standards and Technology (NIST) publications.

How did you go about gathering information?

This audit, like all IT audits, started with interviews and a review of agency policies and procedures. We need to know how agencies have implemented the technology and how staff are using it. We test different pieces of the technology depending on the answers we get. For instance, if we hear that the agency has specific controls in place, we’ll test those controls. If they tell us they don’t have controls, then that’s our finding. For instance, a lot of agencies don’t have strong disaster recovery controls in place for IT systems. That was the case for this one. We check back on their progress in follow-up audits.

Was there anything unique about this audit?

It was somewhat unique in that we were looking at a system that DOR purchased, and both DOR and the vendor are actively involved in supporting the software. Agencies used to build their systems all in-house, and when we would do an audit, we would only talk to agency personnel. When we do an audit of purchased software, system changes are sometimes made exclusively by the vendor, and our audit questions focus on how the agency makes sure those changes are correct, since we are not auditing the vendor’s change management procedures. In this case, DOR and the vendor both make changes to the system, so we asked both agency and vendor personnel about their processes to ensure the changes were correct.

Another new thing was reporting some results that didn’t hit the materiality threshold. This audit reported on a few things that only affect a small percentage of returns the software processes, like the fact the software doesn’t currently provide notification when taxpayers make a mistake in reporting withholding on their returns that causes them to overpay taxes. These results may end up going hand in hand with the performance audit of DOR’s culture that’s going on right now.

Any other thoughts on auditing for IT auditors, or auditors in general?

You know, IT audits are like a lot of other audits. Getting good results is all about asking the right questions. You don’t always know what they are when you start, but do your best to figure them out!

Read the full audit HERE

Members of the audit team included:
Will Garber, CGFM, MPA, Deputy Director
Teresa Furnish, CISA, Audit Manager
Erika Ungern, CISSP, CISA, Principal Auditor
Sherry Kurk, CISA, Staff Auditor
Sheila Faulkner, Staff Auditor

Accountability and Media Auditors at Work Featured