How far have audit functions come in terms of data analytics usage?
Petersen Progressing audit analytics is a journey that doesn’t have an end, but I’m excited to hear organizations describe how they continue to progress year over year. These organizations know the direction they need to go, continue to raise the bar for themselves, and set new objectives to achieve. They face the same resource limitations many audit teams do, so they encourage all their auditors to progress, not just those assigned as the data analytics expert.
Zitting Not far enough. Recently, my company’s State of the GRC Profession survey revealed 43% of professionals want to grow their data analysis skills, but those figures have been the same for years — if not decades. Leading audit teams that are willing to embrace change and take risks are indeed creating a new future by delivering and sharing successes in data analysis, advanced analytics, robotic process automation, and even machine learning/artificial intelligence; unfortunately, these leaders are the exception. They inspire us, yet other corporate functions like marketing, IT/digital transformation, security, and even risk management are leaving internal audit behind.
What are examples, beyond typical usages, of analytics that auditors should be undertaking?
Zitting Let’s not write off the “typical usages” of data analytics, because the vast majority of audit teams aren’t even doing those. The key control areas that virtually every organization’s audit and internal control teams test are completely automatable, yet few seem to do it. Areas like user access, IT administrator activity (or other activity log testing), journal entry, payment, and payroll should never again be tested with anything but data analytics.
Beyond that, the universe of possibility for the data-savvy audit team is limitless. I’m seeing leading audit teams even turn analytics in on themselves — like doing textual analytics on the text of the past several years’ audit findings to indicate where risk is increasing or not being addressed. It’s incredibly impactful. I’ve also seen practitioners develop analytics that use machine learning to create “hot clusters” of employees that are at high risk of churn, or to see “hot clusters” of payments that could be bribes, money laundering, or sanction violations.
Petersen How about running data analysis on the audit analytics program? Start by ascertaining how many audits contain some level of data analysis — sampling doesn’t count. Now compare that to how many should contain some analysis. I don’t know of any organizations that would find they should be doing analytics on 100% of their audits, but if they are honest, they’ll find a significant gap between those audits that could have some analytics performed and those that do.
Now that we have determined breadth of coverage, let’s determine depth of coverage. This is done by determining for each of those audits that could have analytics performed on them, the analytics that would ideally be performed. Internal audit should focus on those analytics it would be proud to report to the audit committee that it performed considering the risks and audit objective. Don’t be discouraged by the thought that internal audit can never achieve the coverage it has identified. Instead, plan to increase coverage each year.
How can small audit functions that can’t afford a data scientist jump into data analytics?
Petersen Start with basic analytics functions. Audit leadership needs to lead the organization to continually progress the analytics being performed. Leverage those individuals in your organization that have an aptitude for analytics and communicate within the team successes, new ideas, and new ways of doing things. Use known tools such as Excel and easy-to-use and learn audit analytics tools. Leverage existing audit techniques across different types of audits. For example, testing for duplicate payments, separation of duties violations, and several other routines apply across many types of audits. Once you’ve determined how to identify these in one audit, this can be applied to other audits. Teams without a data scientist can still have a strong audit analytics program.
Zitting Every audit function that can hire a single auditor can afford a person with data skills. The problem is that we accept the status quo of the short-term demands of internal audit’s stakeholders; thus, we elect to hire a “traditional” auditor over a person with technical data skills and the ability to think critically. Obviously, that is a necessity in real life, but also it illustrates that the “can’t afford” or “can’t find the skills” arguments are basically bad excuses that abdicate our responsibility as corporate leaders to evolve with the economic demands of the modern environment. Consider a complete shift in mindset. What if we were building a small data science team that had some audit skills instead of a small audit team with some data skills? Wouldn’t that change our perspective on staffing for a truly modern form of auditing?
What skills should audit functions be looking for when hiring a data analytics expert?
Zitting Most importantly, audit functions should be looking for critical thinking skills. Technical skills in data analytics can be taught. What is difficult to teach is critical thinking, particularly as it relates to knowledge of audit process/risk assessment/internal control, knowledge of the business and its strategy/operations, and the ability to navigate corporate access challenges — access to data and executive time — by asking really smart questions. Next, look for an understanding and desire to work in an Agile mindset. Specific tools and approaches will always change, but if the candidate understands Agile methodology — minimum viable product, sprints and iteration, continuous improvement — he or she will be able to deliver business results in both the short and long term regardless of issues of tool preference.
Petersen Communication and collaboration skills can exponentially increase the team’s analytics effectiveness. Without these skills, there is one expert off doing analytics by him or herself. However, with these skills and easy-to-use analytics tools, the expert can guide the entire team through its analytics needs, greatly increasing the overall effectiveness of the team. When not providing this guidance, the expert can work on more complex analytical projects. This approach also increases employee satisfaction of both the expert and the other team members.
What does a best-in-class audit function that is fully embedded in data analytics look like?
Petersen These teams apply a quantitative analysis and measurement to their audit analytics. They do this by measuring the depth and breadth of their analytics coverage. They have strong leaders who promote the value of analytics and make it a part of the team’s culture. They also understand that there is no finish line, but the analytics program will continually evolve and grow. Leaders of these teams incorporate all team members into the analytics process, understanding that some have a stronger aptitude for it than others, but still expecting all to participate, and they set appropriate analytics goals for each. Not only are organizations like this best-in-class with respect to the analytics functions but, as a surprise to some, they also have happier team members.
Zitting The best audit organizations already are demonstrating that their core skill is data analysis. It’s the only way to get large-scale insight on risk, control, and assurance across globally dispersed organizations using constrained resources. Best-in-class audit functions don’t embed data analytics, they provide 90% of all assurance they report through analytics and reserve “traditional” auditing for manual deep dives into areas of significant risk or deviation from policy, regulation, or other standards of control. For example, one of our clients moved its entire internal audit team into the core business operation and began rebuilding internal audit from scratch in the last two years. This was because audit was providing so much value via its complete focus on data and analytics, the business demanded to consume the function, and the audit committee agreed to rebuild. That’s one example of internal audit driving real value through a data-centric mindset and practice.