As internal audit practitioners seek to evolve and transform their functions, to keep pace with the transformation occurring within their organizations, internal auditors are increasingly assessing and consulting on a wide variety of risks, including digitalization, cybersecurity, enterprise risk management, fraud risk, vendor risk and corporate culture. These new areas now dominate the global discussion of internal audit capabilities and needs, according to Protiviti’s latest Internal Audit Capabilities and Needs survey.
Amidst this expanding scope, one aspect of internal audit in need of additional focus stands out — data analytics. It features prominently in this year’s survey not only for its growing role in the business but also for its broad application as an audit, compliance and risk management tool, across all risk categories. This trend is driven by the rapidly increasing volume of data elements being created and captured, the emergence and use of a wide array of internet-connected (and data-gathering) devices, as well as an increasing demand from regulators for more sophisticated risk analysis.
Despite this growing focus on analytics, many internal audit functions are still struggling to move beyond using analytics for specific point solutions (often one-off, throw-away solutions) and adopt analytics across the audit lifecycle, and on a more strategic and sustained basis. Many internal audit functions continue to use analytics in areas they feel most comfortable – account reconciliation, travel and entertainment, purchasing cards, to support sampling for testing, basic data comparisons, etc. Factors limiting expansion beyond those areas are lack of comfort around big data, cloud and business intelligence technologies (rated between 2.4 and 2.7 on a 5-point competency scale) and lack of access to, and understanding of, needed data from the business, including due to distributed and legacy system environments.
An interesting observation emerged from the survey this year: There is a lagging adoption of analytics in North America as compared with the other highlighted regions – Europe and Asia-Pacific. Just under two thirds (63 percent) of North American respondents said their internal audit departments are using data analytic tools, compared with more than three quarters (76 percent) in both the Asia-Pacific and Europe regions.
Even more stark was the regions’ difference in data quality – a determining factor in the ability to expand the use of analytics. Whereas more than half of respondents from European and APAC countries (58 and 59 percent, respectively) rated their organizations’ raw data as “excellent” or “very good,” only 28 percent of North American respondents could say the same. Others cited difficulty with access controls and fragmented legacy systems that made it difficult to identify a reliable single source of truth.
This may be a sampling bias, due to the fact that respondents from Europe and APAC tend to represent the largest organizations with the most mature internal audit functions, while respondents from the U.S. represent a much larger variance in internal audit shop maturity. But there may be other contributing factors.
Although not measured in the survey, the disproportionate focus placed on Sarbanes-Oxley (SOX) compliance in the U.S. (versus broader international markets) may have also contributed to the disparity. I think this is borne out by the high correlation between audit committee engagement and investment in analytics. I would turn that around to suggest that the more an audit committee has to focus on other critical matters — such as SOX compliance — the less time and energy it has to engage internal audit leaders in analytics strategies. It is incumbent upon chief audit executives (CAEs) to take the initiative: develop an analytics strategy, communicate clearly with the audit committee, establish the relationships and protocols necessary to gain access to quality data, develop analytics methodologies and capabilities, and generally champion audit analytics as critical to the company’s internal audit strategy.
There are a number of other interesting aspects of the survey that we will explore in future posts, with focus on cybersecurity, fraud, culture, third-party risk and more. For now, I’d like the highlight some analytics action items for CAEs:
- Recognize that the demand for data analytics in internal audit is growing.
- Seek opportunities to expand internal audit’s knowledge of what’s possible, what other organizations are doing, and what progress is needed to advance its analytics capabilities.
- Set an influential tone and cultivate audit committee and broad organizational support for analytics investments by demonstrating those capabilities.
- Create a dedicated data analytics function, or at least identify champions to encourage the use of analytics.
- Explore avenues to increase internal audit’s access to quality data.
- Identify new data sources, both internal and external, to enhance internal audit’s view of risk across the organization.
- Increase the use and reach of continuous auditing and monitoring of key risk indicators used by leadership in key decision making.
- Develop real-time snapshots of the organization’s risks and incorporate the results in a risk-based audit approach.
- Seek insights from operational stakeholders when building and implementing continuous auditing tools.
- Build a business case for increased analytic resources by measuring and reporting analytic successes and insights.
Sounds like a lot, doesn’t it? Don’t go it alone. Partner with IT. Partner with the business. Leverage robotic process automation to drive efficiency in delivery of internal audit activities and free up staff to focus more on analytics. Get a really good understanding of what data is available and develop a process for getting access to that data. A practical way to make progress is to maximize existing capabilities, tools and data stores (for example, those already in use within a business intelligence function), rather than trying to start completely from scratch. Look for analytic skills in new hires. Bring over analysts from other parts of the business to work in internal audit on a rotational basis. This not only increases the skill level within internal audit, but also helps to build broad support for the function’s analytics initiative throughout the enterprise. The more internal auditors can demonstrate the strategic value of an investment in analytics, the more likely they are to get the resources required.
As my colleague Brian Christensen, executive vice president and global internal audit practice leader, recently told the The Wall Street Journal, “People are not moving at a pace of change that is responsive enough. Auditors have an obligation to remain current and responsive to these ever-changing needs.” I fully agree.