ICAEW.com works better with JavaScript enabled.

Data Analytics Transforming Internal Audit

A paper from Credit Suisse entitled: Data Analytics Transforming Internal Audit – Pillars of Success, written by Stephen Magora, Director, Data Analytics at Credit Suisse.

As the array of risks facing the business expands and diversifies, ask any Internal Audit (IA) function whether they would be interested in covering more with less, whilst at the same time enhancing audit quality. The answer would be a unanimous yes. Why then, is quantitative testing and analysis of large datasets not more pervasive in Internal Audit? Big data and analytics are fundamentally changing the way businesses operate, and Internal Audit cannot afford to be left behind.

As we have discovered, IA faces some unique challenges (and some familiar ones) when it comes to embedding analytics in our daily working practices. In addition to changes in mindset, financial and cultural barriers to entry can be significant, and benefits are often not immediately evident or tangible. Below, we cover some key pillars that can help ensure a nascent analytics function is set up for success and is sustainably embedded into the internal audit fabric.

Sponsorship

As auditors, we are used to following tightly defined processes and embedded ways of working. Disrupting this harmony by introducing analytics is an endeavor that requires strong and continuous sponsorship at the highest level. Analytics should be considered core to Internal Audit’s strategy and vision, and use of analytics techniques encouraged to accelerate take-up. Evidence in financial services industry to date shows that best outcomes are achieved when the sponsorship comes from the very top, the entire leadership of the IA function.

Sponsors should also recognize and accept that a period of incubation before tangible benefits can be delivered is to be expected, and that the road towards maturity is an on-going, often costly multi-year initiative. A recent survey of 19 financial services institutions conducted by Deloitte put the cost of embedding and sustaining an analytics team within internal audit at between 3 and 15% percent of the total audit function cost. Clearly this cost needs to be articulated and accounted for up-front.

Integration with audit methodology

Traditional internal audit methodologies have served us well for decades but they need to be updated/refined to incorporate analytics in order to successfully leverage its potential. In fact, we are seeing an increasing number of cases where analytics is now embedded at the core of the methodology.

So how can we use analytics in our audit lifecycle? We can use it at every single stage:

  • Risk assessment – can analytics help with ongoing risk assessment, either via ad-hoc testing or within continuous risk monitoring processes.
  • Planning – can analytics help drive more targeted auditing by helping auditors focus on areas or population segments with the highest risk.
  • Fieldwork – can analytics be used to provide a higher degree of assurance, or perform testing more efficiently.
  • Reporting – can we provide more insightful findings actionable outcomes through analytics, by helping to quantify risk, or identify root causes.

The objective is to transform ourselves from a traditional, judgement based, sample driven, manual-intensive and reactionary audit process to one that is risk based, continuous and real-time, and totally data centric.

Awareness and understanding

Once the analytics have been produced, it is the job of auditors to consume them to draw the right conclusions and insights from the information. Instilling an understanding of analytics and data concepts in the general auditor population, including skills to produce simple analyses by themselves, can empower the practice to audit more extensively in less time, which in turn, drives analytics value in the organisation.

It is therefore imperative to devise and execute an appropriate training and awareness program to improve auditors’ understanding of analytics and its applications. The training should also aim to address common areas of confusion such as:

  • What is analytics and how can it benefit my audit?
  • When is it appropriate to employ analytics?
  • What is possible with analytics?

Where possible, theoretical training should be enforced with case studies demonstrating real success stories – these are significantly more effective at increasing buy-in, as well as helping to disseminate ideas.

People and skills

As with any critical business function, getting the right people with the right skills onboard is a key success factor. The ideal data analytics auditor is a chimera with a blend of core analytics skillsets, business functional experience, and a good understanding of risk. They are expected to understand the linkages between business processes, risks and data, devise innovative ways to assess these risks, and finally present findings and robust challenge to non-technical staff. Clearly, and given the infancy of the discipline in the audit profession, ideal candidates that meet all these criteria are non-existent. There is no single best hiring strategy but our experience suggests that it is easier to train an analytics expert to be an internal auditor than an internal auditor to be an analytics expert. Apologies to our hard-nosed auditor colleagues out there.

Contribution measurement

Considering the potential scale of investment, it is important that IA data analytics functions measure themselves on progress toward defined strategy objectives. Some of the impactful performance/contribution metrics we have seen being used are:

  • Percentage of audits supported by analytics.
  • The number of issues or observations attributed to analytics work by RAG status.
  • Types of analytics employed (e.g. simple trending vs. risk profiling and continuous risk monitoring).

Ultimately, analytics should be driving measurable change to the way audit departments assess risk and execute audits. We hope that the above provides some food for thought for budding data analytics teams, big or small, towards helping Internal Audit become more efficient and impactful.