Zac Explains Audits: Volume 005

IYCUWIASTYAAP | Hackers Love Your Dog | Organized Chaos | Numbers Are Snitches | Tools | Finance to Farmer

Every week it seems like I come up with a new idea to add another feature to ZacExplains. We are working on a fictitious case study to help learn Benford’s Analysis and generate ideas within the community right now, and I’m sure will have a nice announcement when it is available. In the same vein, I’ve been in contact with a retired fraud investigator who’s interested in helping teach some of the things he has learned over his career. More to come on that, but we should have another recurring (probably monthly) newsletter coming soon! This week’s edition dives into audit acronyms you didn’t know you needed, why your dog’s name is a hacker’s best friend, and how bees are the ultimate risk management professionals, so let’s dive in!

As a reminder—

  • AuditPal Spotlight: Highlights of internal audit trends.
  • Back of the Napkin: One new thing I learned this week.
  • Borrowing Inspiration: Ideas or tools from other fields.
  • Auditcraft: Update on what I tried or failed at this week.
  • Tools of the Trade: A roundup of interesting ideas I found.
  • foo: Random thoughts or ideas not necessarily related to audit.

Now that you’re up to speed, read on! 🙂




AuditPal Spotlight:

IYCUWIASTYAAP (…Uh what…?)

Acronyms are a favorite pastime of programmers, sports networks, and of course regulators. We’ve talked about Sarbanes-Oxley (SOX) and the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), but what other acronyms do auditors need to be aware of?

Well… Just going over compliance areas, there are a lot of them covering a lot of different topics, and we won’t even get into things like BS, IS, CFS, ROI, and other fun accounting/finance related terms.

This list isn’t even close to exhaustive and quite honestly I’ve not read about them enough to tell you much other than a quick description, but if you find one that you fancy and want to know more, let me know and maybe I can try and do a deep dive in the future. You can also find most of these online as free resources, so have fun, especially if you need something to read before bed. Just don’t yell at me when you are having a discussion over proper business regulation between Paul Sarbanes, Michael G. Oxley, Barney Frank, and Chris Dodd in your dreams…

Regulatory Compliance

  • Sarbanes-Oxley Act (SOX) – Internal controls over financial reporting (ICFR).
  • Bank Secrecy Act (BSA) / Anti-Money Laundering (AML) – Financial crime compliance and reporting.
  • Foreign Corrupt Practices Act (FCPA) – Anti-bribery and accounting transparency.
  • General Data Protection Regulation (GDPR) – Data privacy requirements for EU citizens.
  • California Consumer Privacy Act (CCPA) – Data privacy rights for California residents.
  • Dodd-Frank Act – Financial regulation and consumer protections.

Cybersecurity & IT Frameworks

  • National Institute of Standards and Technology (NIST) Frameworks
    • NIST 800-53 (Security and Privacy Controls for Federal Information Systems)
    • NIST Cybersecurity Framework (CSF)
  • COBIT 5 / COBIT 2019 – IT governance and control framework.
  • ISO/IEC 27001 – Information security management system (ISMS) standards.
  • Center for Internet Security (CIS) Controls – Best practices for cyber defense.
  • System and Organization Controls (SOC) Reports
    • SOC 1 – Financial reporting controls.
    • SOC 2 – IT security, availability, processing integrity, confidentiality, and privacy.
    • SOC 3 – Public-facing trust reports on IT security.
  • Cybersecurity Maturity Model Certification (CMMC) – Defense contractor security framework.

Industry-Specific Regulations & Standards

  • Healthcare
    • HITRUST CSF – Healthcare cybersecurity framework.
  • Financial Services & Banking
    • Federal Financial Institutions Examination Council (FFIEC) Guidelines – IT and cybersecurity expectations.
    • Office of the Comptroller of the Currency (OCC) Guidelines – Risk management standards for banks.
    • Gramm-Leach-Bliley Act (GLBA) – Safeguards Rule for financial institutions’ customer data.
    • Federal Deposit Insurance Corporation Improvement Act (FDICIA) – Internal control assessments for large banks.
  • Farming (You know I had to…)
    • Generally Accepted Agricultural and Management Practices (GAAMP) – Standards for farming operations, covering manure management, irrigation, pesticide use, and environmental sustainability. (Turns out no matter where I go I can’t get away from Generally Accepted Anything)

Operational & Risk Management Frameworks

  • Enterprise Risk Management (ERM) Frameworks
    • COSO ERM Framework – Risk management integration with strategy.
  • Business Continuity & Disaster Recovery
    • ISO 22301 – Business continuity management systems.
  • Supply Chain & Vendor Risk
    • Third-Party Risk Management (TPRM) Frameworks (e.g., SIG Questionnaire, Shared Assessments).

Oh and by the way- the title stands for “If you can understand what I am saying then you are a politician” (IYCUWIASTYAAP)…obviously…


Back of the Napkin:

Hackers Love Your Dog’s Name Too

So you’ve heard of a password, but have you heard of a passphrase? No, it isn’t just another word for password, but the switch can increase your account security tremendously (and make it easier for you too).

Let’s be truly honest with ourselves here: how many of us have that one special password that we re-use again and again? Yes, maybe we change the 01 to a 02 and then a 03 every few months when our password expires (which, by the way, is no longer recommended by NIST). But other than that, we tend to keep it the same over time, which obviously can be very bad when data breaches are occurring all over the place (to large institutions, I might add). Thus, when a company is breached and your password is leaked, your special password is now out there and hackers can try to take advantage of it on every other site where you reused it.

Passphrases add length and memorability to a password. So instead of having a password of “Tr0ub4dor92!$”, we instead go with “TroubadorDiamondsClearOpulent4&k”, which is now 32 characters instead of 13. It also makes it easier to remember, so let me walk you through this passphrase. Troubador reminds me of the band Turnpike Troubadours, who have a song titled Diamonds & Gasoline; diamonds are clear and opulent and can be 4 carats, which is where the 4&k comes from. xkcd can explain this better than I ever can, if you are still confused.
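To put numbers on the length argument, here is an added example (not from the original post) that scores the two strings above by the naive brute-force search space an attacker would face; the `CLASSES` table and the lowercase-only variant are my own additions.

```python
import math
import string

# Character classes and the pool size each one adds to an exhaustive search
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)


def brute_force_bits(secret):
    """Bits of work for an exhaustive search over the classes the secret uses.

    This is the naive upper bound: it assumes the attacker knows which classes
    appear but nothing about structure or dictionary words, so real strength
    (which a cracker exploits) can be lower. Length still dominates the result.
    """
    pool = sum(size for chars, size in CLASSES if any(c in chars for c in secret))
    return len(secret) * math.log2(pool) if pool else 0.0


def compare(password, passphrase):
    """Return (password_bits, passphrase_bits, ratio) for two candidates."""
    pw, pp = brute_force_bits(password), brute_force_bits(passphrase)
    return pw, pp, pp / pw


PASSWORD = "Tr0ub4dor92!$"                       # the 13-character example from the text
PASSPHRASE = "TroubadorDiamondsClearOpulent4&k"  # the 32-character example from the text
LOWER_ONLY = "troubadordiamondsclearopulent"     # constructed: same words, no classes at all

if __name__ == "__main__":
    pw, pp, ratio = compare(PASSWORD, PASSPHRASE)
    print(f"password   {pw:6.1f} bits")
    print(f"passphrase {pp:6.1f} bits  ({ratio:.2f}x)")
    # Even four plain lowercase words beat the 13-character mixed password
    print(f"lowercase  {brute_force_bits(LOWER_ONLY):6.1f} bits")
```

The lowercase-only line is the point worth remembering: 29 plain letters already outwork 13 characters of mixed symbols, before any of the added classes are counted.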

Now you have a passphrase and that’s great, but how are you going to remember all 50 you need for all the web surfing you do? Well, that is when password managers are recommended. LastPass, Bitwarden, and KeePass are all password manager solutions, and all have pros and cons, but that is for a different newsletter edition.

Ultimately, just know that switching from passwords to passphrases will help you remember your passwords and make them a whole lot more secure, especially if you can get rid of that sticky note hiding in your drawer 😉.


Borrowing Inspiration:

The art of organized chaos

A beehive is a lesson in structured flexibility. Worker bees (female bees) collect nectar and proteins, drones (male bees) establish the hive’s future, and the queen ensures there are always working hands er… antennae? Defined roles are critical—but so is adaptability. When resources dwindle or threats emerge, the hive shifts, reallocating efforts to survive.

Auditors should take note. Strong governance (like the hive’s structure) is essential, but rigid frameworks fail in dynamic environments. Risks evolve, just as bees adjust with the seasons. The best audit teams, like successful hives, anticipate change, monitor warning signs, and stay resilient.

Bees also operate as a super-organism or as individuals working as one. In times of abundance, they invest in growth. In scarcity, they conserve, redirecting energy where it’s needed most. Even temperature control is a team effort, with bees fanning wings to heat or cool the hive. There is a lot to learn from our fuzzy friends.

Audit isn’t just structure—it’s smart adaptation. So next time you’re deep in a plan, ask yourself: Are you stuck in a static framework, or are you thinking like a bee?


Auditcraft:

How Numbers Are Snitching on You

Imagine you have a large data table in Excel, like sales figures, expense reports, or population data. You might think that the first digit of these numbers (1, 2, 3… all the way to 9) should be pretty random. Maybe each number shows up roughly the same amount of times?

Benford’s Law says that in many real-world sets of numbers, the number 1 appears as the first digit way more often than 9 does. In fact, about 30% of numbers start with 1, while only 5% start with 9. The smaller numbers (1, 2, 3) show up way more than the bigger ones (7, 8, 9).

Why Does This Happen?

Think about money. If you start with $1 and double it, you go to $2, then $4, then $8… but it takes a long time before you reach $10, which goes back around to a leading digit (LD) of 1. The same pattern happens with things like population sizes, stock prices, and invoices. The numbers grow in a way that naturally follows Benford’s Law.

How Auditors Use It

Auditors love Benford’s Law because real financial data should follow this pattern. If an accountant or fraudster is making up numbers, they usually don’t know this rule—so their fake numbers won’t match Benford’s distribution.

Auditors can take a company’s data and check how often each number appears. If the numbers don’t follow the expected pattern, it’s a red flag. It doesn’t prove fraud, but it tells auditors, “Hey, something weird is going on here—let’s look deeper.”

Benford’s Law helps auditors catch financial fraud and tax evasion, and find points of interest within data. It may not always point to fraud, but it will help you dig deeper and discover what the data is trying to tell you.
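The check described above, as an added example that is not part of the original newsletter: it computes the expected Benford shares, the observed first-digit shares of a data set, and the mean absolute deviation (MAD) between them, using the first-digit MAD cut-offs published by Nigrini. Both ledgers are constructed here: one compounding series (the growth pattern the text describes) and one set of uniformly invented amounts.

```python
import math
import random
from collections import Counter

# Expected first-digit frequencies under Benford's Law: P(d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# First-digit MAD cut-offs as published by Nigrini (upper bound, label)
MAD_THRESHOLDS = [(0.006, "close conformity"), (0.012, "acceptable conformity"),
                  (0.015, "marginal conformity")]


def leading_digit(value):
    """First non-zero digit of a number; None for zero, which has no leading digit."""
    for ch in f"{abs(value):.15g}":
        if ch in "123456789":
            return int(ch)
    return None


def first_digit_frequencies(values):
    """Observed share of each leading digit 1-9 across the data set."""
    counts = Counter(d for d in map(leading_digit, values) if d is not None)
    total = sum(counts.values())
    return {d: counts[d] / total for d in range(1, 10)}


def benford_mad(values):
    """Mean absolute deviation between observed and expected first-digit shares."""
    observed = first_digit_frequencies(values)
    return sum(abs(observed[d] - BENFORD[d]) for d in BENFORD) / 9


def conformity(mad):
    """Translate a MAD score into the wording an auditor would put in the workpaper."""
    for limit, label in MAD_THRESHOLDS:
        if mad <= limit:
            return label
    return "nonconformity"


# Constructed sample 1: amounts compounding by a constant factor, 5 full decades
GROWTH_LEDGER = [round(100 * 10 ** (k / 100), 2) for k in range(500)]
# Constructed sample 2: invented amounts drawn uniformly, as a fabricator might type them
_rng = random.Random(7)
INVENTED_LEDGER = [_rng.randint(1000, 9999) for _ in range(500)]

if __name__ == "__main__":
    for name, data in (("growth", GROWTH_LEDGER), ("invented", INVENTED_LEDGER)):
        obs = first_digit_frequencies(data)
        print(name, " ".join(f"{d}:{obs[d]:.3f}/{BENFORD[d]:.3f}" for d in BENFORD))
        print(f"  MAD={benford_mad(data):.4f} -> {conformity(benford_mad(data))}")
```

A nonconformity result is the “something weird is going on here” signal from the text, not proof of anything; the next step is to look at which digits are over-represented and trace those entries back to their source documents.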

If you want a bit more of a deep dive into conducting a Benford’s Analysis on a set of data, we’ll be publishing a fictitious case study involving Benford’s Law and the areas of interest you can find within the data, contained completely within Excel!

For now, I’ll leave you with a bit of a teaser: can you figure out what these charts might be telling you?


Tools of the Trade:

  • Tool: Feedly – News aggregator
  • Read: What if? by Randall Munroe – A collection of xkcd’s most popular answers to ridiculous questions
  • Watch: Dirty Money (Netflix) – A docuseries covering corporate fraud, money laundering, and shady business practices

Foo:

Finance to Farmer pipeline

Many people in finance or finance-adjacent careers know someone who has transitioned into a lifestyle vastly different from spreadsheets—whether it’s working with cars, gardening, farming, or homesteading. These individuals seem to find fulfillment in pursuits that contrast sharply with their professional backgrounds.

This shift has me reflecting on what we truly crave from life and the choices we make along the way and how much influence others have within our lifetimes.

I came across a quote yesterday that resonated with me:

“Life used to be hard on the body, but easy on the soul. Now, it’s hard on the soul, but easy on the body.”

To me, this highlights the transition from physically demanding work to the more mentally and emotionally challenging demands of modern life. It’s not that life was easier or simpler “back then”, but there’s something inherently satisfying about some physical labor that makes us feel useful and accomplished that many of us no longer experience. I think it is deeply human to see the world as it is and shape it with our hands. Perhaps these are the reasons we finance folk tend towards these grounded pursuits such as gardening.

We spend so much of our time in a confluence of the ethereal – digitized numbers, electronic planners, and scheduled Teams meetings, that we crave the tangible. The dirt under our nails, the strain of muscles against a tree root, the cool breeze blowing across our face. The peace of a steady pace.

In today’s world, perhaps we’re searching for that same sense of purpose and fulfillment in ways that connect us to the tangible, beyond just the mental grind.
