Many small audit departments grapple with how to use analytics to audit more efficiently. The value added through analytics is regularly discussed in research, thought leadership, and industry publications. And most auditors would readily capitalize on an opportunity to do more with less. The challenge for those audit departments with constrained resources is not what to do, but rather how to go about doing it.
Small audit shops can leverage analytics and use tools already in place to implement analytics within their audit functions, reducing the need for a potentially costly up-front investment. Many of the metrics historically used to measure business performance are analytics. Examples include variance analysis, benchmarking, return on assets, turnover (inventory, accounts receivable, employee), reorder points, credit limits, and even Benford’s Law. With this in mind, small audit functions that think analytics may not be within their grasp should reconsider.
Analytics can be used at various phases of the internal audit process, including the risk assessment process, macro-level audit planning, and micro-level audit planning. During risk assessment, analytical data can be used in combination with qualitative data to better understand and prioritize the organization’s risks. At the most basic level, analyzing financial and operational information, prior audit findings, and key performance indicators (KPIs) across the enterprise can be a useful tool in completing the risk assessment. At macro- and micro-audit level planning, analytical data can be used to assess specific controls and to examine existing and emerging risks. This will help determine specific areas of audit coverage and the extent of testing within each area. The size of the audit department should not be the only factor in determining whether to implement an analytics program, as there are analytic tools that can be used even by one-person audit departments.
With the right approach, moving analytics from concept to practice can be simple. As an internal audit department of any size begins using analytics in its audit process, an important first step is determining what it wants to understand. The analytics initiative must have clearly defined goals and performance measures. Further, internal auditors should critically assess the questions they need to ask to ensure they understand how the business objectives and operating cycle will impact the underlying data to be analyzed.
Organizations may have different responses to the same question. For example, “How does weather influence your organization?” will have different meanings and different outcomes, depending on the industry. Thunderstorms may drive ticket sales for movie theaters while they wreak havoc on energy providers. In addition, the time of year, day of week, time of day, and geographical location likely will impact how weather influences any organization. In this situation, there is no right or wrong answer — it’s what makes sense for the organization.
There are numerous questions an internal auditor may want to answer with the analytics program, which should closely correlate with the specific objectives of the program, itself. Examples include, “How frequently are credit limits overridden?” as related to the order-to-cash cycle; “Is inventory turnover in line with historical and/or budgeted averages” related to the inventory cycle; and “Do company buyers have an over-reliance on key vendors?” related to the vendor management process.
Internal audit departments often fail to identify the correct data source for the data to be analyzed when beginning an analytics program. Selecting the wrong source could be detrimental to getting an analytics program up and running; therefore, a critical decision is determining which data sources are the most appropriate to address the questions being asked. Several ways to overcome such roadblocks are to review the preliminary data, determine whether there is anything in the data that raises questions, and ask questions to confirm and validate the accuracy of the data source.
Similar to validating the criteria used to assess the audit entity, auditors should validate that the data can be used to address audit objectives. To do this, understanding the business, including typical operating cycle and key drivers that influence relationships within the data, is critical. The ability to look beyond the data to understand what it does or does not represent (e.g., identifying all systems in which revenue/expenditure transactions are recorded and confirming data files being used contain both accurate and complete data for the entity being analyzed) and application of critical thinking skills also are important steps in steering clear of roadblocks. Finally, this often is an iterative process, in which there may be multiple conversations with the data and business process owners before determining whether the data source contains the specific information needed to answer the questions at hand. Simply asking, “Can this data be used to answer the audit objective?” will smooth the path not only for obtaining the data but also accepting analysis results.
Although the fraud brainstorming process documented in the American Institute of Certified Public Accountants’ Statement on Auditing Standards No. 99 (SAS 99), Consideration of Fraud in a Financial Statement Audit, is not required for the internal audit process, research has demonstrated that it is an effective tool when used within the internal audit activity. While fraud is only one consideration of an analytics process, brainstorming should help identify key data and relations that should be evaluated.
One starting point is reviewing significant audit reports from the prior year. For example, in analyzing audit reports with low ratings, and considering uncontrolled risk or ineffective controls, the auditor could identify potential data points that would improve monitoring of the process in question. Likewise, in analyzing audit reports with high ratings, the auditor could identify potential elements in the process-level risk management that could be leveraged for other processes.
Another approach is asking management in risk assessment interviews, “What are the most important KPIs you are managing?” and follow-up questions such as, “What are the key variables that impact those specific KPIs?” Brainstorming during the internal audit planning process can identify additional factors that may impact those KPIs that are not already being considered.
Brainstorming also can be used in the evaluation of various company-generated reports to identify if there is information that may be further explored for additional insight. Financial statements and reports are great tools for understanding relationships in financial data and brainstorming where additional analysis may add value to the audit process. Other examples of using company-generated reports for brainstorming include evaluation of employee hiring and turnover reports as compared to historical and industry averages, review of inventory metric reports as compared to budget as well as prior year, and analysis of asset reports to consider whether the percentage of lost or stolen IT assets has increased or decreased.
Another important consideration for small audit departments is the analysis methods to be used. Some examples of analytic tools that can be used by small audit departments include correlation analysis, regression analysis, Benford’s Law, and visualization. Internal audit functions may already be using several of these tools, but they may not be commonly thought of in terms of analytics. When identifying desired relationships, the analytic method should be considered when identifying data and sources necessary to perform the analysis. The analysis that the auditor is interested in performing, and the extent of data available, will dictate the analytic method to be used and the tool that can assist in facilitating analysis.
Correlation analysis is the comparison of X and Y to see how they relate to each other. An internal auditor might use correlation analysis in a production process audit to measure the strength of the relationship between product defects and factory overtime. If the association is strong, the auditor might then use inquiry and observation to assess whether an overworked and stressed labor force is the cause of the defects, or perform regression analysis to predict future defects and then confirm the projection against actual defects that have occurred. This would allow the audit team to add some discussion of the coefficient of determination; namely, how much of the change in product defects is explained by the change in overtime.
Regression is the functional relationship between two or more correlated variables that is often empirically determined from data and is used especially to predict values of one variable when given the values of others. It can be used to evaluate the association between X and Y when a control exists for other known relationships. For example, in the event that overtime and employee turnover are both increasing, then regression analysis would provide for a more thorough analysis of what is causing the increase in defects. This would potentially allow for identification of changes, which may directly address the root causes and implementation of actions to bring the defect rate to an acceptable level.
Benford’s Law is a theory based on a logarithm of probability of occurrence of digits (pattern anomaly of leading digits). Benford’s analysis may allow small audit functions to more efficiently analyze revenue and expenditure transactions based on whether unexpected patterns exist within operations. Such analysis could be conducted across the entire organization, as well as within divisions or functions to identify additional risk concerns. This would be beneficial if there are specific data patterns associated with errors or potential fraud activities. One such example from M.J. Nigrini’s Forensic Analytics: Methods and Techniques for Forensic Accounting Investigations would be an analysis of organizational expenditures. Although on the surface we may expect the first (two) digits of invoices would have an equal likelihood of occurrence, according to Benford’s, the pattern of occurrence is not uniform, but a declining logarithmic pattern from 1 (10) to 9 (99). More specifically, the likelihood of “1” being the leading digit in a random number set would be 30.1 percent compared to 4.6 percent for the occurrence of “9” as the leading digit. Using Benford’s analysis to evaluate invoices would identify specific leading digits of transactions, which should be further investigated via substantive testing. While initial analysis may not identify fraud, it identifies potential transaction anomalies, which may be linked to inappropriate expenditures.
Visualization comprises graphs and charts that often tell a story that is not easily understood by looking at the data alone. The internal auditor might use visualization to analyze the number of lost or stolen laptops year over year to evaluate whether laptop theft/loss is increasing or decreasing. Perhaps even further, the auditor could determine whether there are certain locations or business units that are driving the trend. If the trend line shows the number is increasing, the auditor might investigate to understand the root cause for the increase, including evaluating the effectiveness of the controls in operation.
Tools to perform computer-assisted audit techniques have improved and expanded capabilities during the past two decades. While the internal audit profession has traditionally considered such tools as analytic tools, there are many additional tools that can be used in analytics. However, during the initial phases of developing an analytics program, particularly for small audit departments that may have more limited budgets, it may be more valuable to use tools that are already in place within the organization.
One objective in the early phase of analytics is attaining small wins to make the case for expanding the use of analytics. In many cases, small wins can be more easily achieved when the investment cost is low. Given that Microsoft Excel remains one of the top analytical tools used by internal auditors, its versatility and ability to perform each of the previous analytic methods allows it to be a first step in implementing an analytics program. However, despite all of its flexibility, data limitations (Excel is limited to 1,048,576 records of data) may prevent the use of Excel during early stages of program implementation.
While starting small can produce early successes, it is critical to have an analytics plan that will allow internal audit to continue to improve its analytics capability. This should include a path that is scalable so the early successes can be built upon and not thrown away.
As the use of analytics matures and evolves, many organizations ultimately reach the continuous monitoring phase, in which process owners are responsible for continuous analysis of key risk areas (see “Analytics Maturity Classification” at right). Furthermore, team members will be much more likely to understand the broader software needs to expand the analytics processes. With greater understanding of functional needs, software selection may become a greater consideration, given the cost of the software as compared to the expected benefit to be received.
Despite rapid changes in technology, many audit functions have not significantly modified their audit process to keep up with the data available as a result. While change can be difficult, it often provides increased opportunity to maximize the value that internal auditors can contribute. Although this contribution may be a lengthy process, failing to implement analytics into the audit risk assessment, testing, and monitoring processes limits the value that can be provided. So whether it’s for the next risk assessment or audit, consider when, where, why, and how to use data in the process. Starting small is better than not starting at all.
Jared Soileau, CIA, CPA, CISA, is an assistant professor of accounting at Louisiana State University in Baton Rouge.
Laura Soileau, CIA, CRMA, CPA, is a director in Postlethwaite & Netterville’s Consulting Department in Baton Rouge, La.