Ouroboros | Fake Phishing | Hindenburg Research | The fuzz | Tools | Father of Accountants
Welcome to this week’s Zac Explains Audits! In AuditPal Spotlight, we discuss how ERM and Internal Audit can create a continuous, mutually beneficial cycle to enhance risk management. Back of the Napkin shares my close call with a suspicious ISACA email, while Borrowing Inspiration highlights lessons auditors can learn from Hindenburg Research’s investigative approach. Auditcraft features a time-saving Excel trick, and Tools of the Trade rounds up useful resources. Finally, in Foo, we honor Luca Pacioli, the father of accounting, whose 500-year-old principles still guide us today. Enjoy!
As a reminder—
- AuditPal Spotlight: Highlights of internal audit trends.
- Back of the Napkin: One new thing I learned this week.
- Borrowing Inspiration: Ideas or tools from other fields.
- Auditcraft: Update on what I tried or failed at this week.
- Tools of the Trade: A roundup of interesting ideas I found.
- Foo: Random thoughts or ideas not necessarily related to audit.
Now that you’re up to speed, read on! 🙂
AuditPal Spotlight:
Risk management and internal audit Ouroboros

It’s no longer enough for Enterprise Risk Management (ERM) and Internal Audit to simply orbit each other, sharing information when convenient. This model worked—for a time. But in today’s environment, this approach won’t cut it anymore. To deliver real value, ERM and Internal Audit must intertwine their efforts, creating a cyclical, mutually reinforcing relationship.
When ERM is mature, it holds a wealth of business knowledge about the organization’s risks. This isn’t just “nice to have” data; it’s gold for Internal Audit (imagine that…). These insights allow Internal Audit to focus its efforts on areas that often get left behind: the medium-to-high risks that sit at that level only because of their “great mitigations,” which could sink the ship if those mitigations are left unchecked or are not really operating effectively. Audit’s job isn’t just to verify that controls exist but to ensure they’re effective, aligned with company goals, and up to the task.
In return, Internal Audit plays a vital role in closing the loop. By validating the effectiveness of controls, audits provide ERM with critical feedback: Are those risk responses working? Are there blind spots ERM missed? This feedback loop allows ERM to refine its assessments, creating a cycle of continuous improvement.
As internal auditors, we can’t afford to wait for the audit report or year-end review to share insights with ERM. Real-time feedback is essential. In a past project, we used Microsoft 365 tools to build an ERM environment integrated with Internal Audit (IA). The system linked updated risk control matrices to the risk register, dynamically adjusting risk ratings for specific risks or mitigations.
We also introduced the concept of a “Risk Delta,” measuring the difference between gross risk and net risk. By weighting factors like impact, likelihood, and velocity (tailored to our industry), IA could focus on risks with the highest deltas or those showing significant changes in gross risk due to mitigations.
This approach highlighted risks transitioning from high to medium or low levels, emphasizing mitigations that became critical to the organization’s success. In essence, the system prioritized monitoring and validating the effectiveness of key mitigations in real time.
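One way to make the “Risk Delta” idea computable, as an added example that is not the article’s own Microsoft 365 build: the factor weights, the rating-band thresholds and the four-risk register below are constructed assumptions. Each risk is scored gross and net from weighted impact, likelihood and velocity ratings, the delta is taken, and risks whose band dropped from high are flagged so that their mitigation lands at the top of the validation list.

```python
"""Risk Delta scoring over a small risk register.

Added example (not the article's own system): weights, rating bands and the
register below are constructed assumptions, not values from the newsletter.
"""
from dataclasses import dataclass

# Relative weight of each factor; the article says these are tailored to the
# industry, so treat the numbers as an assumption.
WEIGHTS = {"impact": 0.5, "likelihood": 0.3, "velocity": 0.2}

# Bands on the weighted 1..5 score (assumed thresholds).
BANDS = (("high", 4.0), ("medium", 2.5), ("low", 0.0))


@dataclass
class Risk:
    name: str
    gross: dict          # factor -> 1..5 rating before mitigation
    net: dict            # factor -> 1..5 rating after mitigation
    mitigation: str      # the control that is supposed to close the gap


def weighted_score(factors, weights=WEIGHTS):
    """Weighted average of the 1..5 factor ratings, rounded to 2 decimals."""
    if set(factors) != set(weights):
        raise ValueError(f"expected factors {sorted(weights)}, got {sorted(factors)}")
    for name, value in factors.items():
        if not 1 <= value <= 5:
            raise ValueError(f"{name} rating {value} outside 1..5")
    return round(sum(factors[k] * weights[k] for k in weights), 2)


def band(score):
    """Map a weighted score onto high / medium / low."""
    for label, floor in BANDS:
        if score >= floor:
            return label
    return "low"


def assess(risk):
    """Gross score, net score, their delta and whether the rating band dropped."""
    gross = weighted_score(risk.gross)
    net = weighted_score(risk.net)
    gross_band, net_band = band(gross), band(net)
    return {
        "name": risk.name,
        "mitigation": risk.mitigation,
        "gross": gross,
        "net": net,
        "delta": round(gross - net, 2),
        "gross_band": gross_band,
        "net_band": net_band,
        # A high risk that is only medium/low because of its mitigation is the
        # case the article singles out: that mitigation has become critical.
        "key_mitigation": gross_band == "high" and net_band != "high",
    }


def audit_focus(register, min_delta=1.0):
    """Risks ordered by delta, keeping those whose mitigation carries real weight."""
    assessed = sorted((assess(r) for r in register), key=lambda a: a["delta"], reverse=True)
    return [a for a in assessed if a["key_mitigation"] or a["delta"] >= min_delta]


# Constructed register (assumption) for illustration.
REGISTER = [
    Risk("Payment fraud", {"impact": 5, "likelihood": 4, "velocity": 5},
         {"impact": 4, "likelihood": 1, "velocity": 3}, "Dual approval on payment runs"),
    Risk("Vendor concentration", {"impact": 4, "likelihood": 3, "velocity": 2},
         {"impact": 3, "likelihood": 3, "velocity": 2}, "Secondary supplier qualified"),
    Risk("Unpatched ERP", {"impact": 5, "likelihood": 5, "velocity": 4},
         {"impact": 2, "likelihood": 2, "velocity": 2}, "Monthly patch cycle with SLA"),
    Risk("Office flooding", {"impact": 3, "likelihood": 1, "velocity": 2},
         {"impact": 3, "likelihood": 1, "velocity": 2}, "None"),
]

if __name__ == "__main__":
    for a in audit_focus(REGISTER):
        print(f"{a['name']:<20} delta={a['delta']:.1f} "
              f"{a['gross_band']}->{a['net_band']} validate: {a['mitigation']}")
```

With this register the focus list comes out as “Unpatched ERP” (delta 2.8, high to low) followed by “Payment fraud” (delta 1.8, high to medium); “Vendor concentration” stays medium with a delta of 0.5 and drops out, and “Office flooding” has no mitigation and no delta. The point of `key_mitigation` is that a risk which only looks acceptable because of one control is exactly where Internal Audit should spend its testing time.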
I think of this dynamic as the Ouroboros, the symbol of a snake eating its own tail. Risk Management feeds Internal Audit with insights, while Internal Audit strengthens ERM with assurance and recommendations. Together, they form a self-sustaining system, each function enhancing the other’s effectiveness.
This approach also aligns with evolving expectations for both functions. Boards and executives want risk management and assurance processes to deliver actionable insights, not just compliance checkboxes. Regulators and stakeholders demand a clear narrative of how risks are managed and mitigated. A siloed approach can’t meet these demands. A collaborative Ouroboros approach can.
How to Make It Happen
- Shared Risk Universe: ERM and Internal Audit should work from the same risk universe, ensuring alignment on key risks.
- Real-Time Information Sharing: Risk priorities can shift rapidly. Establish regular communication channels to keep audit efforts aligned with the latest risk assessments.
- Audit-Driven Feedback: Use audit findings to validate ERM’s risk mitigation strategies. Close the loop by identifying gaps or areas where risk treatments need improvement.
- Integrated Reporting: Present a unified narrative to leadership, showing how ERM and Internal Audit collaborate to protect the organization’s value.
Back of the Napkin:
Fake phishing forced ISACA to respond

Those of you who are members of the Information Systems Audit and Control Association (ISACA) may have received an email that looked quite suspicious, especially considering it came from an information systems association.

I was one of those unfortunate people and immediately thought it was a phishing attempt. I was even more unnerved, however, after noticing that the ISACALogin email address came from a sender using isaca.org, which means that it appeared to be coming from the legitimate site of ISACA. So, I saw an email appearing to come from a legitimate email account of ISACA, but sending me to a webpage that uses isaca.my.site.com, which seems extremely phishy as well. For this to be a phishing attempt coming from a legitimate ISACA email address, this would mean that ISACA itself had been compromised, which could include sensitive personal data. Fortunately, this was not the case.

ISACA later sent an email apologizing for the issue and blaming it on a configuration error during a system enhancement. I was glad to see it was not a legitimate phishing issue, but it still got me nervous. Did you think it was phishing at first glance?
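The check that explains why the email looked wrong at a glance, written out as an added example (not ISACA’s or the newsletter’s code): compare the registrable domain of the From address with the registrable domain of every link in the body. The sample message below is constructed to mirror the description above (an isaca.org sender and a link to isaca.my.site.com); it is not the real email, and the “last two labels” domain rule is a simplification that a production check would replace with the Public Suffix List.

```python
"""Sender-domain vs link-domain check for a suspicious email.

Added example, not ISACA's or the article's code. The sample message below is
constructed to mirror what the article describes (isaca.org sender, link to
isaca.my.site.com); it is not the real email.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""")


def registrable_domain(host):
    """Simplified registrable domain: the last two labels.

    Assumption: a production check should consult the Public Suffix List,
    otherwise hosts under e.g. co.uk are collapsed incorrectly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def sender_domain(msg):
    """Domain of the address in the From header (display name ignored)."""
    _, addr = parseaddr(msg["From"] or "")
    return addr.rpartition("@")[2].lower()


def link_hosts(msg):
    """Hostnames of every http(s) URL in the text or HTML body."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url.rstrip(".,;:")).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def check_message(raw):
    """Flag links whose registrable domain differs from the sender's.

    A mismatch is a reason to look closer, not proof of phishing: the article's
    ISACA email turned out to be a configuration error on a legitimate site.
    """
    msg = message_from_string(raw, policy=policy.default)
    sender = sender_domain(msg)
    sender_reg = registrable_domain(sender)
    brand = sender_reg.split(".")[0]          # e.g. "isaca" from isaca.org
    hosts = link_hosts(msg)
    mismatched = [h for h in hosts if registrable_domain(h) != sender_reg]
    # The sender's brand reused as a subdomain label of an unrelated domain is
    # what makes a link look legitimate at a glance; call that out separately.
    lookalike = [h for h in mismatched if brand in h.split(".")[:-2]]
    return {
        "sender_domain": sender,
        "link_hosts": hosts,
        "mismatched": mismatched,
        "lookalike": lookalike,
        "suspicious": bool(mismatched),
    }


# Constructed sample, modelled on the article's description (assumption).
SAMPLE_EMAIL = """\
From: ISACALogin <noreply@isaca.org>
To: member@example.com
Subject: Action required: confirm your ISACA login
Content-Type: text/plain; charset="utf-8"

Please confirm your account at https://isaca.my.site.com/login?ref=member.
Member resources remain at https://www.isaca.org/resources
"""

if __name__ == "__main__":
    for key, value in check_message(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

On the sample the result is `mismatched == ["isaca.my.site.com"]` and `lookalike == ["isaca.my.site.com"]`, while www.isaca.org passes because it shares the sender’s registrable domain. That is the signal a mail gateway or a careful reader acts on: the brand name is present, but only as a subdomain of a domain the sender does not control, so the message deserves verification through a known-good channel before anyone clicks.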
Borrowing Inspiration:
Hindenburg Research shuts its doors

Hindenburg Research was a financial research firm known for conducting investigations into fraud, corruption, and corporate misconduct. Founded by Nate Anderson in 2017, the firm specialized in short-selling, a practice in which investors profit from identifying overvalued or fraudulent companies.
The company gained significant attention for its reports exposing alleged wrongdoing, often targeting high-profile firms and executives. Their work, built on analyzing public records, financial data, and whistleblower tips, has led to civil and criminal charges against numerous individuals and organizations.
By combining investigative rigor with a focus on transparency, Hindenburg aimed to hold entities accountable and protect investors from systemic fraud just as auditors do.
If you haven’t heard of Hindenburg Research, you may have heard of some of the companies they have published reports on, including:
- Super Micro Computer
- Adani Group
- Nikola
- Clover Health
- Block, Inc.
- Kandi
- Lordstown Motors

The reason I bring this up is that I believe auditors can learn a lot from Hindenburg Research’s unconventional approach to tackling fraud. Hindenburg thrived by challenging traditional norms, leveraging creative techniques, and embracing transparency.
Nate Anderson, the founder, plans to open-source their investigative process, illustrating how sharing knowledge can empower others to uncover risks and hold bad actors accountable. Auditors can adopt a similar mindset by creating accessible information or templates (like ZacExplains…), sharing insights, and collaborating across industries to expose hidden risks.
For example, Hindenburg’s work shows the value of connecting data points others overlook. We can use this strategy to analyze financial anomalies, identify control weaknesses, and uncover noncompliance. By combining investigative thinking with a commitment to transparency, we can make our work more impactful and elevate trust in the profession.
Auditcraft:
*Fuzzy* searching in Excel

A friend recently asked for help streamlining a tedious Excel process. Their quarterly task was to review admin activity within an ERP system, manually comparing hundreds to thousands of changes—a process that took days, caused review fatigue, and was, frankly, boring.
The setup included two data exports: one from Jira (where approval tickets were logged) and one from the ERP system (listing admin changes). Unfortunately, there was no common ID linking the tickets to the changes. The only potential match was document numbers, referenced sporadically in ticket titles, descriptions, or comments. The challenge: search across multiple columns for these document numbers and make it scalable for thousands of rows.
I started by using Excel’s =TEXTJOIN() to combine the relevant columns into one searchable field. Then I tried =XLOOKUP() on that column; however, it failed because the text didn’t match the document numbers exactly. That’s when I remembered that =XLOOKUP() supports wildcards. By wrapping the document number with asterisks (e.g., *ACDC1942*), Excel could match it within any string, even if surrounded by extra text like ASDAFASDFADSFADSFDSACDC1942SDFASDFSADFASDFASDFASDF.
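The same matching logic written out in Python, as an added example and not the friend’s workbook; both exports below are constructed samples. It builds the TEXTJOIN-style helper field, translates Excel wildcards (`*`, `?` and the `~` escape) into a regex, and mirrors XLOOKUP’s first-hit, case-insensitive, whole-cell match, but it also counts every hit so that a document number claimed by more than one ticket is visible instead of silently resolved to the first row.

```python
"""Reconciling ERP admin changes to Jira approvals by document number.

Added example, not the friend's workbook: the two exports are constructed
samples. It reproduces the TEXTJOIN helper column and wildcard XLOOKUP in
Python so the matching rule can be inspected and XLOOKUP's first-hit
behaviour can be checked.
"""
import re

DEFAULT_COLUMNS = ("title", "description", "comments")

# Constructed ERP export: one row per admin change (assumption).
ERP_CHANGES = [
    {"change_id": "CHG-001", "doc_number": "ACDC1942", "action": "Role grant"},
    {"change_id": "CHG-002", "doc_number": "INV77801", "action": "Posting period reopened"},
    {"change_id": "CHG-003", "doc_number": "PO5512", "action": "Vendor bank update"},
    {"change_id": "CHG-004", "doc_number": "JE3030", "action": "Manual journal"},
]

# Constructed Jira export: the document number shows up in different fields,
# sometimes buried in other text, sometimes in a different case.
JIRA_TICKETS = [
    {"key": "APP-101", "title": "Approve role grant",
     "description": "Ref ASDAFASDFADSFADSFDSACDC1942SDFASDFSADFASDFASDFASDF", "comments": ""},
    {"key": "APP-102", "title": "Reopen period for INV77801", "description": "",
     "comments": "approved by controller"},
    {"key": "APP-103", "title": "Vendor master change", "description": "",
     "comments": "see po5512 attached"},
    {"key": "APP-104", "title": "Bulk PO approvals", "description": "PO5512 and PO5513",
     "comments": ""},
]


def join_columns(row, columns=DEFAULT_COLUMNS, delimiter="|"):
    """Equivalent of =TEXTJOIN("|", TRUE, ...): one searchable field per ticket."""
    return delimiter.join(str(row.get(c, "")) for c in columns if row.get(c))


def excel_wildcard_to_regex(pattern):
    """Translate Excel wildcards (* any run, ? one char, ~ escape) to a regex.

    Excel's wildcard match covers the whole cell and ignores case, hence the
    anchors and IGNORECASE.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "~" and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append(".*" if c == "*" else "." if c == "?" else re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE | re.DOTALL)


def xlookup(lookup_value, lookup_array, return_array, if_not_found=None, wildcard=False):
    """Minimal =XLOOKUP: first match only, exact or wildcard (match_mode 2)."""
    if wildcard:
        rx = excel_wildcard_to_regex(lookup_value)
        matches = (rx.match(cell) is not None for cell in lookup_array)
    else:
        matches = (cell.lower() == lookup_value.lower() for cell in lookup_array)
    for hit, value in zip(matches, return_array):
        if hit:
            return value
    return if_not_found


def reconcile(changes, tickets, columns=DEFAULT_COLUMNS):
    """Match each change's document number against the joined ticket text."""
    helper = [join_columns(t, columns) for t in tickets]
    keys = [t["key"] for t in tickets]
    results = []
    for change in changes:
        needle = "*" + change["doc_number"] + "*"
        rx = excel_wildcard_to_regex(needle)
        results.append({
            "change_id": change["change_id"],
            "doc_number": change["doc_number"],
            "ticket": xlookup(needle, helper, keys, "NOT FOUND", wildcard=True),
            # XLOOKUP stops at the first hit; counting all hits exposes
            # document numbers that several tickets claim.
            "hits": sum(1 for cell in helper if rx.match(cell)),
        })
    return results


def match_rate(results):
    """Share of changes that found at least one ticket."""
    if not results:
        return 0.0
    return sum(1 for r in results if r["ticket"] != "NOT FOUND") / len(results)


if __name__ == "__main__":
    rows = reconcile(ERP_CHANGES, JIRA_TICKETS)
    for r in rows:
        flag = " (ambiguous)" if r["hits"] > 1 else ""
        print(f"{r['change_id']} {r['doc_number']:<9} -> {r['ticket']}{flag}")
    print(f"matched {match_rate(rows):.0%}")
```

In the workbook itself the same two steps are a helper column of `=TEXTJOIN("|",TRUE,B2:D2)` and a lookup of `=XLOOKUP("*"&A2&"*",Helper,Keys,"NOT FOUND",2)`, where the final 2 selects wildcard matching. The hit count is the caveat worth keeping: a wildcard match is a substring match, so a short document number that is a prefix of another (PO5512 against PO55123) matches both, and XLOOKUP quietly returns whichever comes first. Where that is a real risk, include the delimiter in both the helper text and the needle, or add a word-boundary check, and have a reviewer look at every row with more than one hit.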

This tweak allowed the search function to identify over 75% of relevant tickets, cutting review time drastically. A 15-minute solution now saves around 15 hours per quarter. At a median senior accountant salary of $99K/year, that’s nearly $3K saved annually—an excellent return on a small investment of time!


Tools of the Trade:
- Tool: Substack – (Find newsletters for any interest)
- Read: The Innovator’s Dilemma by Clayton M. Christensen
- Watch: How to build your creative confidence | David Kelley
Foo:
The father of accounting

Have you ever considered how accounting practices have evolved over the centuries? In 1494, Italian friar Luca Pacioli introduced the concept of double-entry accounting in his writings, capturing a system that Venetian merchants had been using for some time. This method revolutionized financial record-keeping, laying the foundation for modern accounting principles.

Pacioli’s documentation was more than a historical milestone—it was a blueprint for efficiency and transparency in commerce. The balance of debits and credits (then “in dare” and “in havere”) provided a structured way to track financial activity.
Today, while technology has automated much of the process, the fundamentals remain basically unchanged. From Venetian trade to global markets, Pacioli’s work stands the test of time. Double-entry accounting continues to stand as a testament to the enduring value of sound financial principles… well until triple-entry accounting takes its place… (just kidding).