Digital Reporting, Dashboards Help Execute Store-Level Audits in Real Time

By Rick Childs, Managing Director
Consumer Products and Services Industry Leader




Retailers are under increasing pressure from all directions these days. In May, Credit Suisse estimated that a record 8,600 stores will close in 2017 and that 25 percent of U.S. shopping malls will be shuttered by 2020. At the same time, retailers are facing increasingly complex regulations on everything from public health to environmental issues. All of these pressures are creating a need to consistently and continually measure execution at the store level. Timely, accurate and actionable store-level audit data has never been more important.

In our recent report on mobile audits, we explored how internal auditors are applying web-enabled tools to engage stakeholders, automate workflows, improve decision making and drive operational efficiencies. I revisited these change drivers in a recent blog post, advocating for small but meaningful changes in retail digitalization. But with retailers having to make increasingly difficult decisions with less and less lead time in order to stay competitive, I wanted to address two even more important, and often overlooked benefits of digitalization: analytics and reporting.

Traditional paper-based store data collection is time-consuming and has always been fraught with inefficiency and error. Data collected on paper has to be compiled — via fax, scan, or physical transfer — and manually keyed into a computer before it can be analyzed. Digital data, on the other hand, is available in real time, and responses can be standardized for greater consistency to meet both operational and regulatory compliance objectives.

Web-enabled store audit tools provide accurate and actionable data, in real time. Audits performed via mobile app, for example, are updated automatically, eliminating the need to fax, transcribe or email audit results. The reduced cycle time from data entry to reporting eliminates information bottlenecks. Dashboards and other digital reporting tools allow market managers to make informed decisions on the fly, confident that they are working with the latest information, and that all users are looking at the same data — eliminating awkward spreadsheets and version control issues inherent in paper routing.

Application reporting permissions are synched to job titles — an important control given the dynamic organizational hierarchies in retail. At the same time, companies can track a store manager’s performance across multiple locations, or location performance relative to other locations.

Just-in-time feedback encourages user engagement with operational applications, remediation, electronic follow-up and reminders. By accelerating the audit cycle, management can make informed decisions about low-performing stores and implement meaningful change. Trend information can be used by asset protection and store operations to identify negative activity at the stores and potentially across districts and markets.

With this kind of instant reporting gratification, the older, slower, less accurate analog store audits seem well on their way out, and they should be. Digital store audits improve consistency, minimize interpretation, increase the number of locations that can be covered, generate action items immediately and enhance communication to the field.

The graphical interfaces of real-time reporting tools convert mind-numbing columns of numbers into color-coded dashboards for an easily read picture of performance, with drill-down capability to the store and indicator level.

At this point, the question is no longer whether retailers should adopt digital audit technology, but how quickly they can get it done, and what are the risks to their retail organizations if they don’t.



PCAOB Revises Auditor’s Report

By Chris Wright, Managing Director
Finance Remediation and Reporting Compliance Practice Leader




With the Public Company Accounting Oversight Board’s (PCAOB) new auditor reporting standard finally pending before the U.S. Securities and Exchange Commission (SEC) after nearly a decade in the making, Protiviti has published a Flash Report summarizing the changes and examining possible consequences.

The Auditor’s Report on Audit of Financial Statements When the Auditor Expresses an Unqualified Opinion is intended to make the auditor’s report more relevant to investors by requiring more information about the audit. In a nutshell, the new standard requires auditors to communicate in the report any critical audit matters (CAMs) — that is, matters that were communicated or required to be communicated to the audit committee and that (1) relate to accounts or disclosures that are material to the financial statements, and (2) involve especially challenging, subjective or complex auditor judgment.

The latter distinction takes into account certain factors including, but not limited to:

  • The auditor’s assessment of the risks of material misstatement, including significant risks
  • The degree of auditor judgment related to areas in the financial statements that involved the application of significant judgment or estimation by management, including estimates with significant measurement uncertainty
  • The nature and timing of significant unusual transactions and the extent of audit effort and judgment related to these transactions
  • The degree of auditor subjectivity in applying audit procedures to address that matter or in evaluating the results of those procedures
  • The nature and extent of audit effort required to address the matter, including the extent of specialized skill or knowledge needed or the nature of the consultations outside the engagement team regarding the matter; and
  • The nature of audit evidence obtained regarding the matter

The distinguishing factor in determining whether something is a CAM is the degree to which it involves challenging, subjective or complex auditor judgment during the audit process. The audit report must include identification of each CAM, a description of the principal considerations that led the auditor to determine that the matter was a CAM, description of how the CAM was addressed in the audit, and reference to the relevant financial statement accounts or disclosures.

Because CAM determinations are subjective, some say it will give auditors leverage to encourage additional management transparency to the benefit of investors. Others see it as a significant cost, and, potentially, a competitive threat, depending on the kinds of issues discussed and disclosed.

The final standard includes other changes to the auditor’s report intended to affirm the auditor’s independence, clarify the auditor’s role and responsibilities related to the audit, provide additional information about the auditor, and make the auditor’s report easier to read.

The new standard applies to audits conducted under PCAOB standards. In addition, it specifically concludes that the communication of CAMs is not required for audits of brokers and dealers; investment companies other than business development companies; employee stock purchase, savings and similar plans; and emerging growth companies.

Subject to SEC approval, the final standard and amendments will take effect as follows (although the PCAOB allows auditors to comply with the standard before the effective date, at any point after SEC approval):

  • All provisions other than those related to critical audit matters will take effect for audits of fiscal years ending on or after December 15, 2017.
  • Provisions related to CAMs will take effect for audits of fiscal years ending on or after December 15, 2020.

One consequence to watch for is whether auditors will require disclosure of original information in articulating CAMs encountered during the audit. Limitations of the auditor’s knowledge and expertise, potential liability implications, and friction in the relationship with the company may become influencing factors that could discourage auditors from going beyond management disclosures. No doubt, this will place companies, their SEC counsel and their auditors on a collision course when it comes to deciding how much disclosure is enough disclosure.

We will continue to follow this issue and advise clients on best practices as they develop. For more detail, you can download the full flash report free from our website.

Can Your SOX Compliance Process Benefit From Some Fine-Tuning? Find Out With Our Latest Benchmarking Survey

By Brian Christensen, Managing Director
Executive Vice President, Global Internal Audit




The results of Protiviti’s latest SOX compliance survey are in, and one takeaway in particular – cost of SOX compliance – may be music to the ears of some companies. For many organizations, those costs were reported to be lower this year than last, even as the number of controls, as well as hours dedicated to compliance, increased.

We don’t know the specific reasons why the costs at some companies decreased but we have some reasonable guesses: The fact that many companies have now completed their adoption of the new COSO Internal Control – Integrated Framework most certainly is a factor. The cost of the COSO implementation work was estimated to be between $50,000 and $100,000 on average.

Another potential factor regarding costs is who, exactly, is doing the work. As we illustrate in our infographic, a majority of organizations either outsource or co-source SOX compliance activities. This, in effect, may be masking some SOX compliance costs, as the expense for these external resources may not be captured under direct SOX costs the organization is tracking.

One other important point: The downward cost trend is not across the board – in fact, the overall number of companies spending over $2 million annually rose this year compared to last.

In addition, we wanted to get some further insight into why some companies report increasing controls, as well as increased hours and costs, so we introduced a new parameter in our survey this year – number of unique locations per company. Not surprisingly, the results revealed that the more locations a company has, the higher the number of controls it has and the higher its SOX costs are. This trend is quite clear, and it should help companies plan for their SOX costs next year, based on their plans to expand, reduce, or keep the same their number of unique locations.

Another trend driving hours and costs up is the dynamic nature of the SOX controls environment. With regulatory changes and developments constantly in play – PCAOB, new revenue recognition standard, cybersecurity, SOC 1, etc. – the learning curve seems to always be up, dragging hours up as well.

I’ve just highlighted the top trends here. The survey report provides much more granular insights, by type and size of company, type of control environment and more. Interest in benchmarking and peer performance with regard to SOX compliance is strong, and we are confident that the survey report provides a useful benchmark with detailed numbers and explanations. Download the survey report here and watch our highlights video below.

Financial Firm Auditors: Are You Ready to Audit Under CECL?



By Charles Soranno, Managing Director
Financial Reporting Compliance and Internal Audit

and Benjamin Shiu, Director, Model Risk Management


Amid widespread concern that Generally Accepted Accounting Principles (GAAP) are inadequate when it comes to advising investors on deteriorating credit quality, the Financial Accounting Standards Board (FASB) has issued a new methodology. The new standard, known as Current Expected Credit Loss, or CECL, uses data analytics to forecast expected losses based on internal and external trends, as well as borrower-specific information. In its simplest form, CECL replaces the old standard of actual or “incurred” loss with a forward-looking estimate of “expected loss” over the foreseeable future. (See our analysis of its anticipated impact.)

The standard was originally scheduled to become effective for public companies in December 2018, but that deadline has been pushed back to December 2020, with private companies to follow a year later.

CECL represents a significant change with far-reaching implications for loss reserves. And yet, just one in ten affected companies has made any significant effort to assess the potential impact and prepare for the change.

Protiviti conducted a webinar recently aimed at internal auditors trying to get the ball rolling at their organizations. As is often the case, the webinar generated more questions than we were able to address during the live session. We want to address some of the additional questions here.

Q: Isn’t the “foreseeable future” loss prediction based on “historical losses” as well? It’s hard to see how CECL offers any real improvement if the underlying data is essentially the same.

A: The forecast into the foreseeable future could be based on historical experiences (losses) and management judgment based on the most updated information.

For the forecasting based on historical losses, data is essential, and that is why CECL implementation will require companies to retain a variety of historical data over a much longer time horizon and analyze it against external information, such as FICO scores, loan-to-value and debt-to-income ratios, and debt service coverage. Internal audit will need to provide assurance on data completeness. With a longer time horizon and more variety of historical data, the CECL model should be able to better estimate the loss under different foreseeable future scenarios. Most companies already have such data saved. Even those who don’t, if they start saving data now, will have four years of historical data to work with by 2020.

For the forecasting based on management judgment, unlike the incurred loss model, the CECL model explicitly requires management to take into account the current information and identify the future scenarios for loss estimation.

Q: With the implementation of CECL, will there also be a corresponding allowance for loan and lease losses (ALLL) requirement on the lending institution?

A: Yes. Regulators published a Joint Statement on CECL on June 17, 2016. Expect more on ALLL in the future, but the June 17 statement is already out there.

Q: Isn’t stress modeling sometimes subjective even when using a third party?

A: Not necessarily. Third-party vendors typically use industry-level data to develop their models, and these models then serve as objective benchmarks against which institutional assets can be evaluated.

Q: What is going to be expected of internal auditors under CECL? Will we be expected to audit the ALLL process and controls over the model, or will we be expected to perform full model validation as well?

A: Both would be expected. Right now, internal auditors should be talking to management to ensure there is transparency into the portfolio and the credit quality evaluation process. There should be clear lines of reporting and communication to the board, and internal audit must remain close to the process throughout to ensure that the model is being applied, and that the model itself is valid as a predictor of credit losses in the foreseeable future.

As we discussed during the webinar, and at the highest level, processes, data sources and accounting will be changing under the CECL guidance. Whenever processes change, internal controls must be reassessed to make sure that no new critical risks have been created and that all critical risk areas have adequate controls in place.

Once in place, the controls must be tested by internal audit. For example, here are some critical concerns:

  • Data, process and judgments – Internal audit must collect and test company loss experience and other past events. Some of the processes will require judgment; those judgements must be articulated and supported by evidence. Forecasts on factors that affect collectability, either internal or third-party, must be validated and back-tested.
  • Other models – For some institutions, Asset Liability Management (ALM) and DFAST/CCAR models, because they incorporate effective lifetime and credit risk assessment, may be utilized (or modified) for CECL estimates as well. However, these models are used for regulatory and management purposes, not as a source of disclosures in financial statements.
  • Documenting processes and controls – Documenting processes and controls will be a major undertaking. Ideally, areas of control weakness in the new processes should be identified as the processes are being developed, not after the fact.
  • New skill sets – Many internal audit departments may require skills in data and modelling. Adequate budget must be provided for staff and training.

Q: Do you advise firms to develop benchmarking CECL models?

A: It may not be necessary to develop a complete benchmarking model. Nevertheless, during the development process, it is reasonable to assume that after considering a variety of alternative approaches, data and assumptions, a benchmarking model may emerge as a side product of verifying the performance of the primary model.

The bottom line is that the time for the internal audit function to develop key CECL-related objectives is now. What auditors have to audit has changed significantly. Data has a certain subjectivity, and auditors must ensure that subjectivity is reduced. In addition, auditors have to increase their skill competency – they have to increase their understanding of modeling and data analytics. To provide assurance, auditors must become confident of their skills and ability to analyze credit risk. The archived webinar is a good first step.

Jeff Marsh of Protiviti’s Risk and Compliance practice co-presented the webinar and contributed to the development of this content.

A Sea Change Is Coming – Transitioning to FASB’s New Lease Accounting Standard


By Chris Wright and Charles Soranno,
Managing Directors, Internal Audit and Financial Advisory



On the heels of the Financial Accounting Standards Board’s (FASB) new revenue recognition standard, which becomes effective for calendar-year public companies beginning January 1, 2018, the accounting and internal audit world is gearing up for another significant accounting and financial reporting change beginning one year later (on the first day of the first quarter), January 1, 2019 – the new lease accounting rules.

We presented on this topic last month at The IIA’s 2017 Gaming & Hospitality Conference in Las Vegas. Judging by the attendance at our discussion panel, many gaming and hospitality organizations are acutely concerned about making the transition to the new rule and are turning to their internal audit departments for strategic advice.

In scope for that industry are leases of real estate, hotels and casinos, and of course, the ever-changing casino floor electronic gaming equipment itself – if leased. However, for all industries, the new lease accounting standard represents a sea change in lease accounting for lessees, affecting all companies and organizations – whether public, private or not-for-profit – that lease assets such as real estate; airplanes; ships; and construction, office or manufacturing equipment. For lessors, accounting for leases is substantially the same as in the past.

The new standard will require lessees to recognize a lease liability and a right-of-use asset for all leases, except for short-term leases, as follows:

  • “Lease liability” is the lessee’s obligation to make lease payments arising from a lease, measured on a discounted basis.
  • A “right-of-use asset” is an asset that represents the lessee’s right to use, or control the use of, a specified asset during the lease term.

With regard to income statement recognition for lessees, the FASB retained a dual model, requiring leases to be classified as either operating or finance. Operating leases will result in straight-line expense recognition, while finance leases will result in a front-loaded expense pattern. Classification will be based on “consumption” of the asset, meaning that leases of property (i.e., real estate), which are typically not consumed, will follow straight-line amortization, and leases of non-property (e.g., office equipment), which are typically consumed, will follow an expense pattern similar to current capital leases.

Of note, the International Accounting Standard Board (IASB) retained only a single model – all leases treated as a financing.

While the new standard represents a big change, the bright side is that many companies might be able to comply using their existing processes and systems, provided their current lease inventory is appropriately inventoried, housed and cataloged.

That said, during our panel we stressed that lessees should nonetheless ensure that their policies, personnel, processes and reporting systems will be effective in generating the data and information needed to account for their leases in accordance with the new standard.  A few key points we addressed at the conference:

  • Determine the reliability of your lease inventory: Lessees should determine that all leases across the organization are identified on a timely basis and aggregated to create a complete and accurate lease inventory. Lessees should be able to update that inventory dynamically.
  • Assess systems and data scalability: If leases are managed through spreadsheets and databases at many locations across the organization, companies should consider selecting and implementing a suitable technology solution to simplify the lease data gathering process, store and update the required data, generate the required accounting, and support the required disclosures.
  • Watch out for embedded leases: If companies enter into arrangements that grant the right to use property, plant or equipment, that arrangement may very well contain a lease. Common situations are assets embedded in service arrangements or included in a bundle of goods or services. Don’t forget to account for those in your lease inventory!
  • Revisit your financing obligations: Lessees should review current debt agreements now to ensure the initial recording of new lease liabilities upon standard adoption would not be considered “new debt,” thus triggering unwanted debt covenant violations in areas such as debt/equity and debt coverage ratios, as well as working capital amounts and ratios, whether subject to covenants or not. Have that conversation with your bank now!
  • Understand what is new in the business: All organizations should assess whether technological or other changes are expected to take place in the business that will affect the nature of the lease instruments deployed to obtain access to needed assets to operate casinos, hotels or electronic gaming equipment.
  • Understand the new disclosures: Finance and internal audit executives will want to understand the financial reporting and expanded disclosures under the new standard and how they may require modification to existing systems and processes. The disclosures required of lessees and lessors include, among other things, the nature of the leased assets, management’s significant assumptions and estimates over lease amortization period and method, and a debt maturities summary.

In closing, the FASB’s new leasing standard is finally a reality. Financial management and internal audit teams need to familiarize themselves with the new standard and become educated as to its impact on the reporting of financial position, statement of earnings and cash flow, and all required disclosures.

Getting the transition process started early will enable management to develop an efficient and timely plan, as well as involve internal auditors early and enable them to have a voice at the table and offer strategic guidance to ensure orderly controls transition and project management monitoring. An early start will provide sufficient lead time to enhance processes, upgrade support systems and prepare stakeholders for the coming change.

The Internet of Things: A Game Changer for IT Audit

By Anthony Chalker, Managing Director
IT Audit Practice




I recently had the honor of attending the ISACA’s 2017 North America CACS Conference in Las Vegas, where I discussed how the Internet of Things (IoT) continues to transform the mission of IT auditors. The IoT is a perfect example of an all-around disruptor, including in IT audit departments, as businesses collect, analyze and act on data captured outside of the traditional IT boundaries. As a result, IT auditors now routinely must take steps to provide assurance over systems that are no longer under their direct control.

Auditors are fully aware of the challenge. Participants in Protiviti’s 2016 Internal Audit Capabilities and Needs Survey acknowledge that they need to improve their IoT technical knowledge, or they’ll be unable to do their job. Technical knowledge ranked as a top-five issue among the most important internal audit priorities in the survey report. Without an in-depth understanding of the IoT, the technology that enables it and the business opportunities and risks it presents, we as auditors will be unable to quickly recognize innovations and how they could affect the organization’s business model or strategic objectives in the midst of a disruptive environment.

Below are just a few baseline points we covered during the conference discussion panel:

What is the IoT?
The IoT is an environment in which virtually any object, animal or person with a unique identifier on the internet has the ability to communicate over a network with another device, without the need for human-to-human or human-to-computer interaction. The IoT evolved from the convergence of wireless technologies, micro-electromechanical systems (MEMS) and the internet. In short, the IoT is giving the world a digital nervous system that’s connecting people, processes and systems, from devices, such as smartphones and tablets on the consumer level, to machine sensors on the industrial level.

What is driving the IoT’s growth?
The explosive growth of IoT is supported by several converging supporting technologies including:

  • Adoption of IpV6 – The ability to have a seemingly unlimited number of unique identifiers on the Internet. To put this in perspective, IpV6 allows every atom on the face of the earth to have its own identifier, with enough left over for another 100 Earths.
  • Enhanced sensors – The dramatic drop in cost combined with the equally dramatic increase in capabilities of sensors to capture, analyze, store and transmit data.
  • Low-power/wide area communications – The ability to transmit data from a wide range of sensors across a simplified and secure communication infrastructure utilizing batteries or other low-power sources designed for the expected useful life of the sensor.

The convergence of these developments is ushering in a new digital platform that allows organizations to devise new and inventive methods of reaching strategic objectives. In a recent McKinsey article, the authors estimate that the IoT will have a $4 to $11 trillion economic impact over the next eight years.

What is the role of the IT auditor in an IoT environment?
The IoT integrates technologies to enhance business information needs. However, this does not mean that IoT projects necessarily originate in the IT organization. Many of the current IoT projects are occurring outside of the traditional walls of IT. As such, the IoT does not represent as much of a change in the purpose of the IT landscape or the types of issues that auditors typically address as it represents a change in where strategy is being implemented. We need to acknowledge this shift and ensure that we have a seat at the table to understand how the organization’s strategy is driving the IoT vision and the related IT risks that need to be addresses to successfully fulfill that vision.

To be sure, IoT discussions are happening across organizations today, from purchasing to research and development. IoT is not limited to a single industry or business process. As an IT auditor, are you part of these conversations? Are you in the loop of your organization’s IoT strategic initiatives? Again, we need to ensure a seat at the table to effectively perform our role as risk counselors and assurance advisors to management and the board about this rapidly evolving area. Unlike many areas on our traditional risk plan, IoT does not have an embedded platform of existing policies and procedures to leverage.  If we are not part of the strategic discussion, it will be difficult to fulfill our risk advisory role. Simply stated, we need to get in the loop, or we’ll find ourselves  on the outside looking in.

IoT does not inherently require a new IT audit skill set as much as it demands a new approach to identifying the linkage of strategy to IoT solutions. Here are a few questions we as auditors should consider as we continue to develop and refine strategies and solutions to help businesses maximize their IoT experience:

  • How is the IoT deployed in our organization today, and who owns it or its respective components? This includes determining an organization’s potential IoT inventory and IoT’s business activity role. The IoT could play a part in the end products that a business sells, for example, or in internal process management. It most likely does not reside in the IT organization. In many cases, projects will not include the wording “IoT” in their project plans or definitions. This underscores the importance of having skilled IT auditors who are able to link strategy and the underlying implementation mechanisms to identify where the IoT exists within the organization.
  • Do we know what data is collected, stored and analyzed, and have we assessed the potential legal, security and privacy implications? If IoT technology is found within a company’s solution offerings, for example, customer agreements may require disclosures regarding what information the devices are capturing and sharing. Do the organization’s data governance policies cover the tremendous amount of data being captured through the thousands of deployed sensors? Does the collection of sensor data pose risks that data may be aggregated in a manner that would create privacy concerns?
  • Do we have contingency plans in place in case our IoT “things” are hijacked or modified for unintended purposes? Among other considerations, it is critical to identify how an organization uses IoT devices and how a partial or full network shutdown would impact the business. Does the loss of these devices pose a risk to our organizations or other organizations? Is there a risk that our devices sold to others could be compromised on a large scale? One well-publicized example was the utilization of thousands of internet-connected devices as part of a denial of service attack on Dyn in October of 2016.

Auditors recognize that they need to improve their IoT technical knowledge, a skill set that is only going to grow in demand given the rapid deployment of connected devices throughout industry. We need to continually communicate with IoT experts and company managements and boards to create policies and procedures that address IoT opportunities and risks for organizations and industries alike. Perhaps the biggest risk on the auditor’s side of the ledger is failing to help his or her organization utilize IoT to make the most of its growth potential.

From Analog to Analytics: 2017 a Turning Point for Internal Audit

By Barbi Goldstein, Managing Director
Internal Audit and Financial Advisory




With increasing demands for broader, more accurate and more efficient risk assurance, internal audit departments have officially entered the age of analytics. According to Protiviti’s 2017 Internal Audit Capabilities and Needs Survey, two thirds of internal audit functions have begun using data analytics on at least a limited basis, with two-thirds of the remaining respondents indicating that they plan to begin using analytics within two years.

Respondents at organizations of all sizes reported that they have begun the transformation from labor-intensive manual processes to reliance on technology for things like sample selection and testing procedures. Most organizations are still early in the process. Only 16 percent said that they have a person dedicated full time to analytics, and only three percent indicated that they considered their audit analytics to be optimized.

I recently had the opportunity to review the survey results for participants in an April 12 webinar (available for streaming at the link). If you are interested in learning more about the survey results, I urge you to check it out. In the meantime, here are some action items for internal audit derived from the survey:

Recognize that the demand for data analytics is growing across all organizations and industries.

Internal audit organizations are under growing pressure to increase audit efficiency and coverage. Regulators across a wide array of industries are pushing for more use of data and quantitative inputs into the audit process, and auditors are finding that implementation of analytics allows them to provide broader assurance in less time than it would typically take to perform manual testing on a representative sample.

Seek opportunities to expand the internal audit function’s knowledge of sophisticated data analytics capabilities.

From peer-to-peer networking to engagement with industry groups and continuing education, it is critical for auditors to become familiar with the ways in which tools and techniques are being used across their industry.

Do not let budget and resource constraints and business-as-usual workloads limit internal audit’s ability to optimize data analytics efforts.

Look for practical applications you can showcase to gain buy-in from other auditors within your internal audit function. Understanding what peers are doing can also accelerate your organization’s analytic maturity.

Assign analytics champions to lead the effort.

Where a dedicated analytics function doesn’t exist, experience has shown that organizations that employ a champion network within their audit function benefit from broader analytics usage, more sophisticated techniques and greater adoption of analytics in the audit department. The ideal candidate for a data champion is someone with aptitude and interest in data analytics, and a person of influence whom others will follow.

Explore avenues to expand internal audit’s access to quality data.

Engage with stakeholders, such as IT and data governance, to understand how to gain access to data while following all applicable organizational policies and procedures.

Identify new data sources — both internal and external.

Internal auditors, because of their broad industry knowledge, risk focus and access to data and systems throughout the organization, are uniquely positioned to find and mine new data sources to analyze for risk assurance.

Increase use and reach of data-based continuous auditing and monitoring.

Once data sources have been identified, it is important for internal auditors to apply continuous auditing and monitoring tools to have a timely and accurate view of the state of risk in the organization. Visualization tools, such as dashboards, are useful for enabling real-time access to key risk indicators.

Use real-time risk snapshots to help focus audit efforts.

Related to the previous point, problem areas discovered through visualization tools, such as Tableau, can be flagged for additional research/root cause analysis.

Seek ways to increase stakeholder input when building/implementing data analytic capabilities.

Business owners understand and monitor the key risks in their business, as does risk management in its second-line role. It is important for internal audit to build relationships and work closely with the first and second lines of defense to continue to enhance their understanding of risk indicators in the business.

Implement steps to measure success of data analytics efforts.

Internal audit groups that can demonstrate tangible value will build a better business case for increased budgets and resources dedicated to data analysis. Metrics, such as logging requests for analytics in the audit process and number of audits that leverage analytics, are a good way to demonstrate the value of using analytics.

The overarching theme that emerged from this year’s survey results is that data analytics has reached a tipping point. Internal audit functions that lead by embracing analytics and continuous monitoring will grow in value and stature with their stakeholders, regulators and peers. Those that fail to adapt will struggle to keep up with the rate of change and the state of risk at their organizations.