What are the biggest limitations internal auditors are facing in implementing data analytics?
Thomasson There are four common blockers to implementation. First, getting access to complete data populations is difficult for many teams. It’s imperative that IT management understand why it’s necessary. IT’s main issues with granting data access include concerns around system performance impact, cyber and data security, and a lack of knowledge or comfort with what will be done with the data. The second block is getting management buy-in. Investing resources — both time and money — in a project or activity requires buy-in and approval. Many auditors have trouble getting IT and even their own management team to invest the necessary resources in their analytics projects. Next, starting a data analytics program requires specialized knowledge and skills that are often hard to come by — especially in the audit world. If a team doesn’t have the required skills, it needs to either invest in training or hire external help — both of which cost money and involve further internal approvals. The final blocker is budget. Internal audit has always been seen as a cost center, which constrains the amount of money the team can access. There’s also difficulty in providing specific ROI and value calculations when creating a business case. As a result, it can be almost impossible to get budget approval to build an analytics program.
Anunciacion We’ve been hearing about big data, data analytics, and “Moneyball” for 15 years. The biggest limitation for internal audit departments is embracing a change mindset. We get so caught up in our traditional methodologies that many internal audit functions don’t know where to start. It doesn’t have to be a massive, full-blown analytics program from day one. You can start small and smart in specific areas. Then it comes down to three things: people, process, and technology. Internal audit teams might not feel like they have the right skills, that they need a background in programming or data science — that’s not true. Auditors can do basic population testing using scripts already created for them. From a process perspective, it’s understanding where within internal audit’s methodology data analytics is ripe for implementation. Typically, we see it within the testing phase. I’d argue there are other parts of the process, like reporting, planning, or risk assessments, where analytics can be integrated. Finally, I’m a huge advocate of ensuring internal audit’s process is well-defined before investing in any sort of technology.
How does poor organizational data governance limit internal audit’s success with analytics?
Anunciacion Success begins with the strategy for data governance. What’s the structure around it? The most mature organizations have sound governance structures in place, such as policies and procedures around data availability and privacy. I’ve seen data governance committees where folks that represent a function — marketing, sales, IT, etc. — are in charge of maintaining the integrity of their own data. The last thing we need are more committees, but it’s imperative to have stewards throughout the organization to say, “Hey, who is the point of contact if I need to get my hands on payroll data or usage data?” It’s equally important to establish a framework for what can and cannot be done with data. Data is the most underused asset an organization has. We need to start treating data the same way we treat our people, our systems, our products and services, and institutional knowledge.
Thomasson Poor data governance limits the success of a data analytics program in many ways, but here are two examples. First, insufficient processes can lead to ambiguity and frustration. Internal auditors face major barriers without dedicated owners and rules around data. There can be system owners and business owners — or sometimes, no owners at all — and the steps needed to review and approve access to data will often vary. As a result, internal auditors spend time trying to untangle these factors and tailor their approach, which creates frustration and sometimes even leads to abandoning data access attempts. Second, without structure and standards, inconsistencies, inefficiencies, and bad data hygiene flourish, creating muddy data of questionable value. Auditors are then often tasked with data clean-up, which ultimately slows down analysis. If the data cleansing is done wrong or can’t be done at all, it also can mean poor, misguided, or unattainable insights.
What impacts can poor data have on audit findings?
Thomasson Poor data only leads to greater barriers and limitations for internal auditors. When auditors have to jockey for access and clean data, it’s time not spent providing valuable insights to the business. It does nothing to elevate internal audit’s value — it may even harm their reputation within the organization — and it wastes resources, making it even harder to advocate for additional budget. At the end of the day, poor data means poor insights and recommendations, which leads to poor decision-making that can negatively impact an organization’s overall strategy. This results in even more wasted resources as people, budget, and technology are pointed in the wrong direction.
Anunciacion There are significant ramifications that could ripple throughout the organization if there is poor data. For auditors, it could lead to bad decision-making, or simply recommendations that don’t add value. Making sure internal audit has the right data at the right time is critical for testing because the results of an internal audit engagement are typically independent opinions. With poor data, an audit finding may not necessarily be an audit finding, and management may not agree with internal audit’s observations. It’s one thing to have data, but to transform data into information, that’s a big challenge. Internal audit can potentially lose visibility into new opportunities, or the root causes of organizational pain points. Lastly, the organization can’t manage what it can’t measure.
What should auditors look for in assessing the readiness of data for analytics testing?
Anunciacion Internal auditors have to look at the organization’s appetite for data analytics. Many companies are protective of data for obvious reasons. Most often, internal auditors aren’t going to get direct access to a mission-critical system — typically, an organization will have a data lake or data warehouse where auditors can access data without any implications to the source. Aligning with the right people and establishing rapport, trust, and credibility with the data owners to get that access is going to be key to the readiness of analytics.
Thomasson Before trying to build an analysis program, auditors should look at the IT team: Who is their contact? How does IT feel about providing data access? What are IT’s biggest concerns, and how can internal audit work most effectively with IT? Are there existing processes in place that internal auditors can review and learn from? What documentation or approvals will internal audit need? Internal audit also should consider whether the organization values data insights. If internal audit hits a roadblock, does it know who can help? Has someone else done this before?
What steps can internal audit take to cleanse data to ensure it is reliable?
Thomasson Besides having a good overall data governance program, auditors should always keep in mind the end result: What are they trying to achieve? And then auditors should work backward. Identify what will answer their questions, where the data lives, who owns it, and how to get their hands on it. This also will help internal audit focus on the data that matters and cut what doesn’t.
Anunciacion There are a number of data services and tools that help normalize data, but internal audit should start with an understanding of what it has in place. Identify potential issues, such as incomplete or redundant data sets, that will take time away from performing actual testing. Work with data owners to ensure they have clean data to begin with. That really should be done on the front lines versus on the internal audit side. It’s not going to happen overnight, but internal audit can take the first steps around championing the need for cleansing and normalizing data.