With increasing demands for broader, more accurate and more efficient risk assurance, internal audit departments have officially entered the age of analytics. According to Protiviti’s 2017 Internal Audit Capabilities and Needs Survey, two thirds of internal audit functions have begun using data analytics on at least a limited basis, with two-thirds of the remaining respondents indicating that they plan to begin using analytics within two years.
Respondents at organizations of all sizes reported that they have begun the transformation from labor-intensive manual processes to reliance on technology for things like sample selection and testing procedures. Most organizations are still early in the process. Only 16 percent said that they have a person dedicated full time to analytics, and only three percent indicated that they considered their audit analytics to be optimized.
I recently had the opportunity to review the survey results for participants in an April 12 webinar (available for streaming at the link). If you are interested in learning more about the survey results, I urge you to check it out. In the meantime, here are some action items for internal audit derived from the survey:
Recognize that the demand for data analytics is growing across all organizations and industries.
Internal audit organizations are under growing pressure to increase audit efficiency and coverage. Regulators across a wide array of industries are pushing for more use of data and quantitative inputs into the audit process, and auditors are finding that implementation of analytics allows them to provide broader assurance in less time than it would typically take to perform manual testing on a representative sample.
Seek opportunities to expand the internal audit function’s knowledge of sophisticated data analytics capabilities.
From peer-to-peer networking to engagement with industry groups and continuing education, it is critical for auditors to become familiar with the ways in which tools and techniques are being used across their industry.
Do not let budget and resource constraints and business-as-usual workloads limit internal audit’s ability to optimize data analytics efforts.
Look for practical applications you can showcase to gain buy-in from other auditors within your internal audit function. Understanding what peers are doing can also accelerate your organization’s analytic maturity.
Assign analytics champions to lead the effort.
Where a dedicated analytics function doesn’t exist, experience has shown that organizations that employ a champion network within their audit function benefit from broader analytics usage, more sophisticated techniques and greater adoption of analytics in the audit department. The ideal candidate for a data champion is someone with aptitude and interest in data analytics, and a person of influence whom others will follow.
Explore avenues to expand internal audit’s access to quality data.
Engage with stakeholders, such as IT and data governance, to understand how to gain access to data while following all applicable organizational policies and procedures.
Identify new data sources — both internal and external.
Internal auditors, because of their broad industry knowledge, risk focus and access to data and systems throughout the organization, are uniquely positioned to find and mine new data sources to analyze for risk assurance.
Increase use and reach of data-based continuous auditing and monitoring.
Once data sources have been identified, it is important for internal auditors to apply continuous auditing and monitoring tools to have a timely and accurate view of the state of risk in the organization. Visualization tools, such as dashboards, are useful for enabling real-time access to key risk indicators.
Use real-time risk snapshots to help focus audit efforts.
Related to the previous point, problem areas discovered through visualization tools, such as Tableau, can be flagged for additional research/root cause analysis.
Seek ways to increase stakeholder input when building/implementing data analytic capabilities.
Business owners understand and monitor the key risks in their business, as does risk management in its second-line role. It is important for internal audit to build relationships and work closely with the first and second lines of defense to continue to enhance their understanding of risk indicators in the business.
Implement steps to measure success of data analytics efforts.
Internal audit groups that can demonstrate tangible value will build a better business case for increased budgets and resources dedicated to data analysis. Metrics, such as logging requests for analytics in the audit process and number of audits that leverage analytics, are a good way to demonstrate the value of using analytics.
The overarching theme that emerged from this year’s survey results is that data analytics has reached a tipping point. Internal audit functions that lead by embracing analytics and continuous monitoring will grow in value and stature with their stakeholders, regulators and peers. Those that fail to adapt will struggle to keep up with the rate of change and the state of risk at their organizations.