Big data has greatly expanded the amount of information available to internal auditors. Organizations now store an enormous amount and variety of data, ranging from traditional financial data associated with sales and expenses to more unstructured data associated with video, weblogs, email, and tweets.
Data-savvy internal audit groups are mining this data to generate actionable insights and recommendations. For example, the ability to analyze large data sets can enable internal auditors to examine all cash expenses, not just a sample, and determine whether any employees are consistently submitting an inappropriately high volume of cash expenses. Another example would be reviewing the types and amounts of purchase card transactions made by all departments for anomalies.
Data analytics makes it possible for auditors to discover and report on meaningful patterns and insights derived from large and complex data sets through the use of statistics and other types of quantitative analysis. Audit analytic tools and data visualization software, coupled with the massive data storage capacity of data centers, have created an opportunity for internal auditors to exploit an organization’s data to improve the internal audit function’s performance.
The Four V’s of Big Data
Big data has four specific attributes: volume, variety, velocity, and veracity. Volume refers to the amount of data available. According to IBM, the world is generating 2.5 exabytes (2.5 billion gigabytes) of data daily. The most obvious impact this vast amount of data has on the internal audit function is the capacity to greatly improve audit coverage. Instead of selecting a limited sample of transactions to test, an auditor now can analyze all of the transactions in an audit population.
Variety refers to the various types of data being generated, both structured and unstructured. Ninety percent of data is unstructured, including text, photos, audios, videos, click streams, and log files. Access to such a variety of business documents can enable auditors to analyze larger, nontraditional data sets and perform more detailed analysis.
Velocity refers to the increasing speed in which the data is created, as well as the speed in which it can be processed, stored, and analyzed. Greater velocity enables continuous auditing of audit evidence on a frequent, repeatable, and sustainable basis. Although the concept of continuous auditing has been around for more than 20 years, the software and hardware associated with big data is making continuous auditing a reality for internal audit groups.
Finally, veracity refers to the quality and trustworthiness of the data to be relied on to draw accurate conclusions. The volume, variety, and velocity of data is only useful if that data is correct, consistent, and complete. IT audit processes such as those associated with assurance in areas such as backup and restore, disaster recovery planning, data storage, data security, and access control are critical in ensuring the veracity of the organization’s data.
In addition to the Four V’s, internal auditors should consider a fifth aspect of big data: visualization. Data visualizations are presentations of data in a pictorial or graphical format that enables decision-makers and auditors to view a visual representation of the data. An effective visualization facilitates the understanding of difficult concepts or identifies new patterns or trends from the data.
Recent advances in user-friendly data visualization software are enabling auditors to easily extract and analyze data and create visualizations and storyboards from that data. This helps auditors find and communicate meaning from the data. In addition, visualization tools support the detailed analysis of large, nontraditional data sets and provide the means for internal auditors to more effectively communicate insights from their organization’s data.
Adding Analytics to Audits
To incorporate data analytics in their internal audit operations, auditors should consider four guidelines.
- Understand the data. Data can be an organization’s most important asset, and internal auditors should understand both the data that is currently available in the organization and the data that is not available. This knowledge can help prioritize the types of analysis appropriate to the organization and to internal audit.
- Prioritize acquiring data analytics skills. Although every auditor does not have to be a data analytics specialist, every audit team should have at least one member who is data-focused and can spend a portion of his or her time on analytics. This person ideally should be technology-savvy and interested in how analytics can improve existing internal audit processes. Given the demand in the marketplace for data analytics skills, the ability to recruit and retain personnel with these skills will be an important investment and strategic decision for organizations.
- Select the right tools. Traditional audit analytics focuses on analyzing structured data through tools like Microsoft Excel and Access. With big data and analytics, more powerful tools are available for data visualization, statistical analysis, and business intelligence. These tools require additional training but can provide the mechanism for reaping the benefits of big data.
- Develop a road map. As part of the strategic planning process, the internal audit function should build a two- to three-year road map outlining a planned approach for incorporating analytics into the current internal audit processes. This plan will highlight the overall objectives of analytics in the audit processes, as well as the costs and benefits. While an organization initially might focus on data analysis to better understand past events, data analysis also can evolve to predictive analytics, where data is used to make predictions of future events. With a road map, the objectives of analytics can be linked directly with the data maturity of the organization, as well as with the internal audit function’s objectives.
Tool for Transformation
Following the four data analytics guidelines can potentially transform the internal audit function. By analyzing the organization’s data more strategically, auditors can better understand the organization and gain additional insights from the data. The data can be used for supporting the financial statement audit, as well as improving efficiency within the organization. For example, an auditor can examine 100 percent of travel expense data to provide more evidence of the accuracy of the expense accounts, test for fraudulent transactions, and test the relevant controls.
From a risk management perspective, data trends and anomalies can provide insights into the risks facing an organization. An emerging area in risk management is the use of unstructured text analysis to examine large amounts of text-based artifacts, perhaps from social media sites, to detect word patterns that could indicate potential risks to an organization.
Big data and data analytics provide an opportunity for internal auditors to perform truly data-driven audits. By prioritizing data analytics, internal auditors can harness big data and increase their overall value to the organization.