Internal Audit’s standing within their organizations has grown significantly over the last decade. According to a 2015 survey by the UK Chartered Institute of Internal Auditors (CIIA), the enhanced standing of internal audit functions is down to several factors - key amongst them being better reporting structures and more timely access to information.
Behind these improvements to Internal Audit’s operations and functions has been technology, with several studies showing organizations are increasingly looking to it as a means to improve productivity and risk management processes. One of the most significant technologies they are looking at is data analytics, with CEB data finding that almost two-thirds of audit departments have recently made or are planning to make significant investments in data analytics.
In a recent interview with us, Brian Matthews, International Internal Audit Manager at car repairs firm AutoZone, noted that ‘the most important aspect of Internal Audit, to me, is understanding the business. In traditional Internal Audit departments [primarily focused on compliance, after-the-fact control validation and issuing opinions], understanding the business allows auditors to effectively analyze processes, assess risk and identify key controls.’ The capability to better understand the business is a key advantage to using data analytics. It can also be used to pinpoint risks and issues, as well as delivering enhanced quality and coverage while providing more business value. Internal Audit can now leverage data from far more places than simply financial transactions, with email, social media, and so forth also providing reams of unstructured data that can now be analyzed for insights on a close to real time basis.
However, while companies seem sincere in their attempts to adopt analytics for Internal Audit, the function is still some way from integrating the technology to the extent it should be. Accessing data and data analytics to independently verify testing and to enable continuous monitoring will have to become normal practice if internal audit is to have hard evidence upon which conclusions can be based available quickly. Analytics that seek out abnormalities that require further investigation need to be enhanced to utilize fast-emerging new data-analytic techniques and capabilities.
There are two main obstacle holding companies back when it comes to data, according to PwC. These are a lack of clear strategy and a dearth of expertise necessary to fully exploit analytics.
Implementing data analytics in Internal Audit firstly requires a clear strategy. One approach that is often effective is implementing analytics on a case-by-case basis. You need to ask a number of questions before each audit, such as whether specific audit objectives can actually be addressed more efficiently through data analysis than through manual procedures? Is setting up audit analytic procedures to run on an automated continuous basis the best option available? There also needs to be a review of how successfully analytics has been used at the end of every audit and how it can be improved next time around.
A clear strategy is one thing, but without the talent in place to see it through, it is essentially useless. A recent Protiviti survey identified data analysis as one of three areas where improved knowledge and skill sets were most needed. PWC’s 2015 State of the Internal Audit Profession Study also found that just 65% of CAEs report that they have some data skills on their team, either in-house or through third parties, and noted that their interviews showed the combination of business acumen and data skills necessary to effectively leverage analytics was lacking.
Internal auditors who work with big data need to have a sound knowledge of not just data analytics, but statistical modeling and IT security too. Employees must also be able to use visualization software to demonstrate their insights. You have three options for ensuring you have access to this talent: training existing staff, hiring new talent with the skills you are looking for, or outsourcing. Internal auditors also need to work closely alongside both their chief technology officers to ensure the skill-sets in place are appropriate, and their chief information officer to ensure data is handled securely as all stages from collection to analysis.
Internal Audit has much more change ahead. Firms’ risk-governance models are undergoing significant change and they require strong and effective defenses. Regulatory complexity, cost pressures, and talent availability. They need the technology in place to deal with this change and the capabilities among their staff to deal with it. Leading IA functions are embracing recent enhancements in data mining technology and data visualization tools to deliver results more dynamically in response to risk, dive deeper into organizational data, and deliver fact-based insights.