Data analytics in internal audit: weighing the benefits
The opportunity to draw insights from data analytics grows every year. This is due to a number of factors, including the simple fact that volumes of data are exploding. Worldwide business data doubles every 1.2 years, according to an estimate from Arizona State University, flowing in from payment systems, billions of smartphones and countless other sources.
At the same time, data storage is increasing while its cost has fallen. Finally, computing power is rising, and data scientists and programmers are developing more sophisticated algorithms to parse and compute that data.
Undoubtedly, this presents a huge opportunity and challenge for organisations. In the era of 'big data', there is an urgency to not only analyse the troves of data being collected, particularly in the very largest corporates, but to draw actionable insights from that analysis.
As organisations come to own more data, internal audit also has an opportunity to turn that to its advantage by working more efficiently and increasing the breadth and depth of audits, leading to greater assurance coverage.
Microsoft Excel is a powerful tool for analysing datasets and one that internal auditors have been using for years, if not decades. For many internal audit functions, such desktop applications will meet their needs for the foreseeable future.
Audit functions in larger organisations with higher volumes of data, however, may look to more advanced tools as a means for achieving their goals. This is especially true where audit resources are stretched and there is a need to automate processes to focus attention on strategic and emerging risk areas.
Excel is arguably less suited to collaborative work, as shared spreadsheets are prone to formula mistakes and user error, which can cause problems with audit trails. Audit-specific applications such as ACL and Teammate solve some of Excel's limitations and link directly to an organisation's Enterprise Resource Planning (ERP) system (although it should be noted that more recently it has become possible to link Excel directly to ERP systems).
The real potential lies in such integrated systems where data analytics applications interface with the organisation's entire ERP system. This opens up opportunities to conduct whole population testing and continuous auditing, rather than periodic audits of limited samples. Such analytics can be effective in bringing to light patterns and identifying anomalies that would otherwise go unnoticed and can help internal audit to deliver a greater breadth and depth of assurance.
There is almost no limit to the ways in which internal audit can apply analytics to its assurance duties, providing there is sufficient and relevant data available to analyse and there is the time, the skills and the will to do so. From our engagement with Institute members who are further along the analytics maturity path, we see that analytics can be applied right across the internal audit cycle:
Risk assessment
Analytics can be used to monitor key risk indicators and help in the delivery of risk assessments by confirming or uncovering where significant risks exist;
Planning
This in turn can help internal audit to be more risk based in its approach. By assisting in bringing specific risks, or business areas that are most exposed to risk, to internal audit's attention, resources can be allocated to areas of the organisation or control groups requiring the most urgent attention;
Fieldwork
Analytics can be used in the field to provide increased assurance by testing up to 100 percent of the population in the time taken to test a sample manually, or performing testing more efficiently;
Reporting
Analytics may also improve the granularity and veracity of findings, including root cause analysis, allowing for risks to be more accurately quantified and therefore giving senior management and the board greater insight to remedy weak controls or signs of risk.
Example: How internal audit might utilise analytics throughout an audit cycle
Top Retail plc has 100 stores nationwide. In an ideal world, internal audit would visit each store every year to assess the extent to which controls and processes are effectively mitigating risk and give an independent view of any operational improvements that could be made. Given its resource constraints, however, the function must take a risk-based approach and so analyses a number of metrics to determine which stores require the most urgent attention. This analysis measures a number of key risk indicators, such as which stores have the highest revenue, the lowest profit margins, the weakest trading over the critical Christmas period, the highest turnover of senior staff etc. This results in an accurate risk assessment of the company's store portfolio, showing which stores present the highest risk and, therefore, where internal audit should focus its attention.
It is determined that Top Retail plc's Oxford Street branch is a priority as it is responsible for the most sales and the highest turnover of line managers, which raises concerns about how effectively installed controls are being communicated to each successive store manager and are therefore being followed by staff. Prior to visiting the store, internal audit performs an analysis on the login data of the cloud-based inventory management software and finds unusually high login activity for a single staff member and multiple instances of the manager logging in at times that do not match their shift rota.
In visiting the store and meeting with its manager, it is found that the inventory software login has been shared among staff who do not have the authority to use it, a serious control failing that increases fraud and theft risk by making it harder to track who at the store is updating inventory data. This is reported back to senior management and the board, and all 100 store managers are trained on maintaining correct security protocols.
Crucially, and this is where analytics can add significant value, internal audit puts in place a continuous auditing script which flags up any suspicious inventory software login activity across all 100 of Top Retail plc's stores. Not only does this help to ensure the control continues to work in practice, but it also means that internal audit may no longer have to periodically assess this risk area, instead giving it its attention only when necessary. This shows how analytics and continuous auditing can help the internal audit function to achieve a more risk-based approach.
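The login analysis and continuous auditing script described in the Top Retail plc example could look like the following sketch. It is an added example, not part of the original article; the store names, account names, rota, thresholds and login records are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

DAY = "2024-03-04"  # constructed sample date

# Constructed rota: account -> list of (shift start, shift end).
ROTA = {
    "mgr_ox":    [(f"{DAY}T08:00", f"{DAY}T16:00")],
    "staff_ox1": [(f"{DAY}T08:00", f"{DAY}T20:00")],
    "mgr_ld":    [(f"{DAY}T09:00", f"{DAY}T17:00")],
    "mgr_br":    [(f"{DAY}T09:00", f"{DAY}T17:00")],
}

# Constructed login events: (store, account, login time).
LOGINS = (
    [("oxford_street", "staff_ox1", f"{DAY}T{h:02d}:05") for h in range(8, 20)]
    + [("oxford_street", "mgr_ox", f"{DAY}T{t}") for t in ("09:10", "19:40", "22:15")]
    + [("leeds", "mgr_ld", f"{DAY}T{t}") for t in ("09:02", "13:30")]
    + [("bristol", "mgr_br", f"{DAY}T{t}") for t in ("09:15", "16:45")]
)

def on_shift(account, ts, rota):
    """True if ts falls inside any rota shift for the account."""
    return any(datetime.fromisoformat(s) <= ts <= datetime.fromisoformat(e)
               for s, e in rota.get(account, []))

def audit_logins(logins, rota, volume_factor=3.0, off_rota_min=2):
    """Return [(store, account, reasons)] for accounts needing follow-up."""
    counts, off_rota = Counter(), defaultdict(int)
    for store, account, raw in logins:
        counts[(store, account)] += 1
        if not on_shift(account, datetime.fromisoformat(raw), rota):
            off_rota[(store, account)] += 1
    baseline = median(counts.values())  # typical logins per account
    findings = []
    for (store, account), n in sorted(counts.items()):
        reasons = []
        if n > volume_factor * baseline:      # far more logins than peers
            reasons.append("high_volume")
        if off_rota[(store, account)] >= off_rota_min:  # repeated off-shift use
            reasons.append("off_rota")
        if reasons:
            findings.append((store, account, reasons))
    return findings

if __name__ == "__main__":
    for finding in audit_logins(LOGINS, ROTA):
        print(finding)
```

An account with no rota entry has every login counted as off-rota, so credentials that are not tied to a scheduled member of staff surface as well.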
Are the challenges worthwhile?
Implementing advanced audit analytics is not without its challenges. As pervasive as data has become, and despite its exponential growth, it is not always possible to make good use of it. This is true of data analytics as a whole, not just for audit purposes.
This may be because the quality of data is poor, and work needs to be done to cleanse and better manage it. There may also be significant issues with the way that data is structured and stored across an organisation. The use of ERP systems is meant to bring all data under one roof, but silos are common, and multinationals may struggle to unify and contrast related data collected in different countries because of divergent parameters.
There is also the fact that internal audit may simply not have the expertise to pursue an analytics strategy or design practical models and scripts. Sophisticated approaches to analytics will often require at least one analytics specialist in the team, which may not be possible, although we recommend that internal audit use to its advantage any available subject matter experts in the organisation that could support an audit analytics strategy.
Moreover, if the function does possess the technical resource, there may be time constraints that prevent analytics being harnessed to their full potential. Large, well-resourced corporates are the frontrunners of this development. It's clear, however, from widespread engagement in the Institute's Data Analytics Forum, across all sectors, that internal audit's use of analytics is continuing to grow.
Deciding on whether to pursue an audit analytics strategy will require careful consideration. Chief audit executives (CAEs) should ask themselves the following questions before they embark on a data analytics programme:
- The ability to develop an effective audit analytics programme will depend on the availability of data in the organisation. Therefore, to what extent is the organisation becoming data-led? Is data being collected, managed and structured in a way that is conducive to effective analysis? Or must the organisation improve its data strategy and governance before internal audit can apply analytics to controls in a meaningful way?
- Would the application of data analytics to internal audit deliver value, i.e. is it likely to improve assurance coverage and make the function more efficient? In what ways, e.g. whole population testing, continuous auditing, etc? Is this necessary or materially beneficial to internal audit's overall assurance proposition within the organisation?
- Does the internal audit team possess the skills and expertise to make practical use of analytics? If not, is there a budget to recruit talent and build this capability? How long will this take?
- Does the audit committee/board recognise the benefits of developing data analytics within the internal audit function and is it recognised that in doing so there will be a J-curve, i.e. despite a potential long-term return on investment, the costs and time of pursuing analytics may outweigh the benefits in the short term? Are the benefits of developing such a strategy and approach likely to outweigh the costs in the long run?