Connect with Us

About Us

The Decision Factor offers insightful comments and observations on analytics—from views on new technology approaches and market dynamics to the latest industry trends driving demand for faster, smarter information analysis. This blog contains personal views, thoughts, and opinions from SAP employees, mentors, and friends working in the area of analytics. It’s not endorsed by SAP nor does it constitute an official communication of SAP.


GRC Is NOT My Life

woman uses mobile GRC app

My Fictional Day Begins…. By Carla

After I drag myself out of bed and finish my morning ablutions, I sit down with coffee and cereal to read the latest Federal Register followed by Compliance Today and a few industry publications. I make notes as I go of any regulation changes relevant to my job. You see, the company is extremely interested in avoiding compliance risk—and to be honest, it makes my work life miserable.

Oh, pardon me, I should introduce myself. I am Carla Franco, a working manager of a purchasing team within a large global enterprise. I can’t …

Everything I Know About Key Risk Indicators I Learned in Middle School

Firefighters on the Job

A number of years ago, while living near Houston, Texas and working for a major oil company as an audit director, I joined the local volunteer fire department in my community.

As a new member, I was assigned the task of carrying out a fire inspection at our local middle school. I was part of a team that included more highly-trained fellow volunteers.

Auditing Fire Risks

Being an experienced auditor, I was certain I was up to the task. I knew all about controls and I thought that knowledge would come in handy. My plans were to meet up …

Monitoring Risk and Control Deficiencies – Who’s Responsible?

Who’s responsible for ensuring that corrective actions to remedy issues identified by internal audit are completed?

Management is responsible for the system of internal control as well as for managing risk.Management is responsible for correcting deficiencies either in controls or in the management of risk, whoever identified them.

So why does internal audit, more often than not, monitor completion of these actions? Why should they be the ones that report progress to the audit committee and executive management?

Internal audit certainly has an interest in seeing these actions taken. Not only does it mean that their recommendations for change …

Effective Anti-Bribery and Anti-Corruption Programs – Must They Remain Illusions, or Can They Become Allusions of Success?


Often, when looking at historical events and time periods, I try and imagine what it would have been like to live then and to have my perspectives influenced by the opportunities and challenges of the day. What would have been my reactions, for example, to experiencing the Prohibition of the 1920s, to having the Bible made available to the masses, to living under fascism, or to seeing the end of slavery?

Not having lived during those times, it can be easy to make allusions (or casual references) to the difficult and challenging periods as if they simply live in …

The Critical Role of Marketing Executives in the Risk Management Process


From my experience, marketing executives are often involved in the risk management process quite late – usually to manage the communication aspect of a crisis. Therefore, they’re only involved when the risk has transformed into a critical incident and the company is in a defensive mode.

I strongly believe that marketing executives can bring a lot to the table for a proactive risk management approach. This would notably help in monitoring the reputational risk and protecting the brand from adverse events.

As we all know, communication channels have exponentially expanded in the last few years to reach volumes that …

Analytics and the Internal Audit Report

analyzing data magnifying glass

Internal auditors have been using analytics (historically called ‘data mining’ or ‘computer-assisted audit techniques’ (CAATS)) to find potential issues for decades.

When I was with Coopers & Lybrand, we used analytics for a variety of audit purposes, including reperforming calculations, sampling transactions for manual auditing, and identifying unusual transactions for further inspection.

When I ran internal audit at Tosco and Solectron, we used analytics to detect millions of dollars of potential duplicate payments; at Solectron, we used analytics and a Benford’s Law routine to identify potential fraud in Suzhou, China; and at Business Objects analytics helped us search out …

GRC Software Selection and Implementation: Are You Designing the Automotor Horse?

automotor horse

What IS an automotor horse, you may ask, and what does it have to do with governance, risk, and compliance (GRC)? First, let me share a little background.

The automotor horse was an invention credited to M. Emile Langrenne, as described in British Invention. The newly developed automobile, described as “a vehicle in search of a horse,” apparently had caused some sense of loss and discomfort among those who would prefer to keep their existing carriages. Today, we might label these people as change-averse.

Enter the automotor horse, for which a patent was filed. The automotor horse was designed …

Auditing on an iPad: The Opportunity of Big Data

big data graphic

In my last blog of this series, I discussed the value of data analytics to help organizations provide greater assurance over data integrity. I used the example of an insurance company, which was able to use data analytics to more accurately identify potential fraud prior to claim payment.

But just consider the data sources here. For this analysis to be accurate, it will involve more than just financial records. The age, location, gender, income level, and socio-economic background are just some of the additional factors that, together, can allow more accurate identification of potential fraud in insurance claims.

Top 10 Benefits of a GRC Software Solution vs. Office Tools

Businessmen Looking at Computer Monitors

In a recent client presentation, I was asked by the compliance team what I thought were the benefits of using a software solution versus office tools, such as spreadsheets, that were already used internally and that everyone knows how to use.

Whatever the topic (this of course includes GRC), most software solutions are compared against office tools such as Microsoft’s Excel or Word. And it’s true, most companies have started their governance, risk, and compliance (GRC) journey using these tools, and even created shared drives on networks or intranet sites, macros in Excel, or dedicated Access databases and even …

Auditing on an iPad: The Bell Tolls for Audit Sampling

Redefining the Role of Internal Audit: Avoiding Redundancy

Over the last month, I’ve been looking at the results of surveys conducted by the Big Four accounting firms regarding internal audit. The messages are pretty consistent—audit departments need to pick up their game. They need to provide more proactive advice to stakeholders. The move from policeman to trusted advisor is requiring broader operational skills within the audit department.

But most importantly, auditors need to leverage technology more effectively. As I discussed in the first blog of this series, mobile-enabled audit management products provide an important opportunity to make the process of managing an audit more efficient. …