What IT skill sets will internal auditors require to remain relevant going forward?
Simpson The two most relevant IT skills are data analytics and an understanding of application systems controls. If internal auditors have a strong grasp of both, they should be able to assess most internal controls within an organization. The importance of understanding application controls often is overlooked, but without it the data analyst/scientist is quite ineffective.
Gowell The lines between auditor and IT auditor are becoming increasingly blurred. Every auditor now needs to have a good working knowledge of financial reporting systems, software, networks, and cloud computing. Additionally, now that most financial reporting systems can output data into easily digestible formats such as Excel, audit departments are less dependent on IT auditors to obtain data extracts for testing.
Are IT auditors becoming more specialized in specific areas, such as security, analytics, and system development projects?
Gowell With the emergence of the new breed of data analytics tools that allow any auditor to perform data analytics, I see the classic IT auditor position evolving into a highly specialized role. With the right skill set, IT audit can play an important role in system development. For example, an auditor credentialed in the systems development life cycle approach and development methodologies such as Agile — and all its flavors — can significantly minimize the risk of project failure.
Simpson IT auditors are becoming more specialized, and that trend will continue because of the growing complexity and constant changes in IT. Some of the audits traditionally performed by IT auditors, such as data analytics, should be shifted to other auditors.
How can technology be used to assist the internal audit staff in preparing their audit plan?
Simpson All audit plans today should be risk-based, and there are several tools available to assist the department in conducting risk workshops, assessments, scoring, allocation of resources, etc. Some companies have started using data analytics to supplement risk insights via continuous monitoring systems or governance, risk, and compliance platforms; or for new business processes, they may examine a subset of key business controls.
Gowell I am a firm proponent of risk-based audit planning. The days of the “annual” audit plan are numbered, as risks do not change on an annual schedule. Performing a continuous risk assessment simply cannot be done without the benefit of technology.
The key approach leveraged by leading internal audit departments in this area is continuous self-assessment. The process owner uses technology to update risk and control changes directly into an audit management system that directly feeds the risk-based audit planning process.
How can internal auditors harness the power of big data to better do their jobs?
Gowell With the ability to now simultaneously harness huge volumes of unstructured and structured data, internal auditors can more easily and accurately focus their efforts on true anomalous activity. One of the challenges in limiting analytics to structured data is typically the high level of false positives, which take time to investigate. Leveraging big data analytics can not only make internal auditors more efficient, it also can reduce audit’s footprint on the business.
Simpson If the internal audit function is going to add value and improve an organization’s operations, it must be able to efficiently mine/interrogate big data repositories at appropriate frequencies. This is to ensure that the insights are fed to the business timely to inform value-added risk management decisions. Key factors are the ability to:
- Understand the business environment.
- Map data and data flows to business processes/procedures.
- Create useful information from data repositories.
- Automate into an efficient and repeatable process.
For those college programs that have internal audit courses, what additional subjects should they include in their curriculums to better prepare the next generation of auditors?
Simpson While it is important to have strong audit skills, internal auditors also should develop a solid understanding of business processes and the use of IT. More specifically, internal auditors should be well-versed in critical thinking, internal control frameworks such as COSO, and data analytics.
The graduate must know how to apply the data analysis tools in an internal audit context — that is, knowing what data to analyze and how to interpret the results. For any auditor to be successful using these tools he or she must be able to answer the question, “How are the internal controls represented in the business systems’ data?”
Gowell The feedback I am hearing from audit directors is that a strong background in business is critical for today’s successful internal auditors. Additionally, in this era of text messages, email, Facebook, and Twitter, effective face-to-face communication and strong writing skills are in short supply.
I would build a curriculum that incorporates a strong business foundation and also addresses interpersonal communication skills to help prepare students for a successful career in internal audit.
Should internal audit get into predictive analytics to provide more future insight into risks and control issues? Could predictive analytics and the different technology tools today change the way auditors work and think?
Gowell I am an absolute believer that audit should lead the charge in using historical data to predict trends and help reduce risk. Predictive analytics can not only prevent irregularities, it also helps maximize scarce resources by allowing departments to refine their risk assessments and prioritize audits.
Simpson There is the traditional approach of looking at the past to determine what has happened. Then there is looking at what is happening now, implemented primarily using continuous monitoring systems. However, as predictive analytics mature, organizations will use them more often to determine what will happen. For example, a customer’s credit card transaction history can be used to determine that current transactions are anomalous based on usual behavior. Secondly, you can predict potential fraudulent transactions on a specific account by comparing the account activity to patterns of other frauds committed.
Should internal auditors do on-site audits or scans of the data managed by their organization’s cloud providers?
Simpson Internal audit performing independent assessments of cloud computing vendors is not practical on a consistent basis, largely due to:
- An organization’s ability to maintain adequate skill sets to perform a review of the vendor’s infrastructure and operating procedures.
- Competing/conflicting interests with other entities that may be supported by the vendor.
Gowell With the proliferation of cloud-based solutions comes a corresponding increase in cloud providers. The decision of whether to go on-site to audit depends on the provider and the data being managed. The internal control requirements on cloud providers are increasing, and I believe they will quickly evolve to a point where site visits, at least to the leading providers, are not necessary.
Michael Gowell is general manager and vice president of TeamMate.
Andrew Simpson is chief operating officer of Caseware RCM Inc.|