The Protiviti View is examining some of the ways internal audit (IA) departments around the world are reinventing themselves into next-gen audit functions, drawing on the experience of 16 innovators profiled in Internal Auditing Around the World, Volume 15. This post looks at ways IA teams are using advanced data analytics to provide more efficient, effective and even predictive assurance and risk management.
In the blink of an eye, the state of the art in sourcing data for analytics has gone from on-prem operational databases, to data warehouses, and now is focused on big data sources such as data lakes in the cloud. Unlike data warehouses, which house only structured, orderly data the same way boxes are stacked on a shelf behind or on top of one another, data lakes can contain raw data in any format, structured and unstructured, and offer fast, flexible access to that data for analysis in ways not previously possible under the confining schemas of traditional hierarchical databases and enterprise warehouses.
For internal audit, such developments in data analytics can be transformational. With advanced data analytics tools and training, internal audit teams can quickly and efficiently extract deeper truths from data available in any format, and even drill down to causal factors in real time. This level of next-generation data analysis is vastly different from the spreadsheet-based sample analysis of traditional internal audit, and requires new tools, new talent, and training. The historic approach of waiting for the business or IT to provide data sets is no longer acceptable, with more IA groups focusing on self-service reporting to increase their value and flexibility.
The companies profiled in the latest edition of Internal Auditing Around the World represent a broad cross section when it comes to use of next-gen analytics, covering the gamut from very advanced to just beginning.
The IA team at global consultancy Accenture is good example of the former. Internal auditors at Accenture worked with the company’s IT department to make a case for getting IA direct access to the company’s enterprise data lake. This required a new suite of processing and visualization tools, but has allowed IA to provide near real-time risk analysis and dashboards with drill-down capabilities that help to direct audit selection, scoping and testing.
And at Occidental Petroleum, auditors must use data analytics for every internal audit task, unless the vice president of internal audit has specifically granted a waiver from this mandate.
“There are siloes of data scientists, quants and other folks in the business doing things with data,” says Occidental’s vice president of internal audit. “It’s time for our team to either leverage what has already been developed or work directly with the business and IT to develop something we can all use.”
Some of the uses Occidental’s IA team has found for analytics include real-time monitoring of expense reporting, payments and inventory; and comparative process reviews across business units.
Fintech company Synchrony has taken a similar “all-in” approach. To ensure that everyone on the 60-member IA team has a working knowledge of data analytics by 2020, chief audit executive Mark Martinelli established the “Data Intelligence Academy” — a series of two-week intensive courses for internal audit, run by the team’s data scientists.
“My view is that the next generation of internal auditor will need to know data analytics,” Martinelli said. “I’m already thinking about what we will be able to do in our organization by the end of next year when everyone in the department has deeper knowledge of data analytics and techniques. Then we’ll be able to use our true data scientists in a more specialized way.”
The internal audit team at Delta Air Lines has turned data analytics into a value-adding specialty. Over the past five years, auditors have developed operational risk models and dashboards to help business partners monitor their own risks and take corrective measures as needed.
Next-generation data analytics doesn’t have to be resource intensive. Lynne Howison, senior director of internal audit at Brinks Home Security, says she and her two-member IA staff worked with the company’s enterprise data analytics group to learn how the organization’s data lake was already being used, and identify ways to tap into existing analytic work streams for audit purposes.
The Brinks audit team reviewed sales and customer analytics prior to performing the sales and customer audit and used the information to identify questions to ask during the field audit such as customer acquisition, retention and attrition. The audit team at DriveTime took a similar approach.
It is important to note that the adoption of advanced data analytics is still in the early phases and that many companies, particularly established companies with older computer systems, have yet to begin this journey. Linda Chan, head of group audit and risk management at The Jardine Matheson Group, a Chinese trading company, for example, would like to make better use of analytics but faces a problem common to many companies across industries – legacy systems that won’t talk to each other.
“To do data analytics well, you need to have some standardization of systems. We don’t have that yet, though it is gradually evolving,” Chan said.
Clearly the profession has a long way to go, but as even the small sample of companies represented in Internal Auditing Around the World, Volume 15 point out, the potential is enormous. The months and years ahead will no doubt see an analytics-driven revolution in the way internal audits are conducted. The best is yet to come.