Embracing Analytics in Auditing: New Protiviti Survey Takes a Look

In a digital world, the time for internal audit functions to embrace analytics is now. This is the most significant takeaway from Protiviti’s 2017 Internal Audit Capabilities and Needs Survey, released today. The results show that chief audit executives and internal audit professionals increasingly are leveraging analytics in the audit process, as well as for a host of continuous auditing and monitoring activities.

Learn more by watching our video below. For more information and our full report, visit www.protiviti.com/IASurvey.

Arriving at Internal Audit’s Tipping Point Amid Business Transformation

Protiviti just released its 2016 Internal Audit Capabilities and Needs Survey, the 10th year we have conducted this insightful study on internal audit priorities and trends. We’ll cover many aspects of this study and the results in future blog posts. For now, I invite you to view our video and infographic, and visit our website to learn more and read our report.





Emerging Trends in Financial Services IA Analytics: A Benchmarking Study Overview

By Barbi Goldstein
Managing Director, Protiviti’s Internal Audit & Financial Advisory practice




For decades, internal audit (IA) departments at financial services industry (FSI) organizations have relied on data analytics to support their work. With the growing availability of data, the value of this practice has increased significantly. Increasingly, IA departments are looking to develop forward-looking analytics capability rather than just scrutinizing data in support of individual audits. To achieve this goal, IA functions inside the largest FSI companies are striving to operate independently, access data when and where they need it, and conduct their own analysis, rather than rely on the business units that generate the data.

The demand for enhanced analytics capabilities is being driven by a variety of factors, most notably IA’s growing role in supporting regulatory compliance needs and monitoring, and intensifying pressure to gain better insights for improved risk management. The organizations’ reliance on big data and big data tools is further escalating the need for sophisticated data analysis within IA.

It is not a surprise then that knowledge and use of data analytics tools rate as top priorities for organizations to address, according to the responses of FSI participants in Protiviti’s 2015 Internal Audit Capabilities and Needs Survey. Respondents identified the following areas among their top five audit process improvement priorities in the coming year:

  • Data analysis tools: Statistical analysis
  • Computer-assisted audit tools
  • Continuous auditing

The findings spurred us to develop a separate benchmarking study involving the IA departments at some of the largest financial institutions – we wanted to learn how they are advancing their analytics capabilities and get a glimpse at their priorities in this area.

The study’s questions touched on a number of topics, including staffing levels specific to analytics, types of analytics tools used, and key challenges. The study was distributed to a select group of the largest U.S. financial institutions, including 13 of the top-25 U.S. banks and two of the top-five U.S. insurers. Among the most significant findings:

  • IA functions treat analytics as a high priority: 87 percent of FSI IA functions report that they have a dedicated data analytics/information management group within internal audit.
  • Analytics are evolving to provide a more risk-based approach to internal audit: The vast majority (86 percent) of IA analytics functions employ continuous monitoring – to some degree. Typically, this practice is used to plan individual audits, monitor key risk indicators and support risk assessments.
  • There is a significant opportunity to expand continuous monitoring capabilities: Ninety percent of those who use continuous monitoring say that their monitoring is currently focused on specific areas where there are known risk issues. Less than half of participants currently monitor key risk indicators; fewer monitor indicators of fraud risk.
  • Analytics departments appear intent on having access to business data when they need it: A majority of participants indicated that IA has access to the business data it needs within its own data warehouse or a similar environment. As demand for continuous monitoring grows, so will the need for greater flexibility in accessing needed data.

Of course, with greater analytics ambition come new challenges. Among them: identifying where data resides, confidentiality and privacy issues, and the ability to combine data from multiple systems and/or environments for analysis. By collaborating and coordinating with key stakeholders and management, however, IA can overcome these obstacles and leverage analytics to monitor the business in the most risk-relevant manner.

Access our full report and analysis of the benchmarking study here.

From Cybersecurity to Collaboration: Assessing the Top Priorities for Internal Audit Functions

Today Protiviti released another exceptional piece of research: our 9th annual Internal Audit Capabilities and Needs Survey. This year, we took a close look at the role internal audit can and should play in helping their organizations manage cybersecurity and cyberthreats, giving the organization greater confidence in managing this ever-changing threat.

In future blog posts, we’ll be covering key takeaways from this research and offering guidance for CAEs and internal audit professionals. For now, I encourage you to view our video and infographic here, and visit www.protiviti.com/IAsurvey, where you can download a complimentary copy of our research report.






A New Tool for Fast Times: Continuous Risk Assessment

By Brian Christensen – Executive Vice President
Global Leader – Internal Audit and Financial Advisory Practice




Many internal audit functions work hard to complete one enterprisewide risk assessment each year and then plan, or hope, to rely on it for the next 12 months.

But what good is an annual audit plan that can be made obsolete almost overnight by new risks, which we know are surfacing faster than the plan’s expected shelf life?

Richard Chambers, president and CEO of The Institute of Internal Auditors (IIA), in a recent article for Internal Auditor Magazine, called for the adoption of a new, continuous approach to risk assessment. I couldn’t agree more.

Audit plans need to evolve continuously, incorporating up-to-date information and assessments of potential risks as they emerge. There are several techniques that can be used to do this efficiently and effectively, but they must be embraced and practiced by the entire audit team. As Chambers emphasizes, a continuous risk assessment process can’t be executed by the CAE alone.

To adopt this new approach, Chambers recommends the following steps:

  • Identify key risk indicators (KRIs) – At the beginning of the year, identify KRIs and monitor them continuously, or at least periodically, throughout the year. KRIs can be linked to the results of the annual risk assessment or to risks that are known to be volatile. When anomalies appear in these KRIs, “red flags” should go up, triggering internal audit to evaluate whether risks are shifting and adjust coverage as needed.
  • Conduct “shoe-leather assessments” – This approach involves conducting risk assessment “by walking around.” As the name implies, auditors need to spend quality time with senior management leaders with the intent of learning about new risks as soon as management does. Though they may lack the structure of formal assessments, shoe-leather assessments can uncover vital new information that otherwise may skip detection. It’s imperative that the entire internal audit team develop relationships with all key executives – especially in large organizations with numerous business units – to ensure comprehensive coverage.
  • Establish a “bird’s-eye view” – Chambers recommends “setting your antenna as high as possible” to alert your organization as soon as possible about industry-wide changes, economic trends and other external factors. Practically speaking, this means, among other things, attending professional association meetings and seminars and keeping current with industry publications to see ahead of the curve.

Using these three approaches together is the best way to protect the organization. They also work well with other key action steps recommended for CAEs in the most recent Common Body of Knowledge (CBOK) Study by The IIA Research Foundation, which echoes Chambers’s advice and urges organizations to develop a more responsive and flexible risk-based audit plan.

One way to help companies not just realize the importance of continuous assessment but fully embrace it is to set new priorities and incentives for the audit team. In other words, make the identification of emerging issues a key performance responsibility for those who report to you directly.

CAEs are encouraged to discuss with executive management and the audit committee the need to make more frequent updates to the audit plan and establish a clear process to make changes to appropriately address emerging risks.

Businesses have improved their ability to manage risks and that’s great. Now it’s time for all of us to learn to do it faster.

Assessing the Top Priorities for Today’s Internal Audit Functions

Protiviti’s research train keeps on rolling! Today we released the results of our latest Internal Audit Capabilities and Needs Survey. We’ve been conducting research to identify internal audit priorities and trends for eight years and have been very pleased with the response we continue to receive from the market. In looking at the major findings in our 2014 study, I expect this year will be no different. And kudos are due to our survey participants; they are the real “stars,” for without them studies of this nature would not be possible.

Infographic - 2014 Internal Audit Capabilities and Needs Survey


Internal audit functions today must anticipate and respond to a constant stream of new challenges – many of which deliver uncertain and still unfolding risk implications, from emerging technologies and new auditing standards to rapidly evolving business conditions. For example, in nearly every company over the past 12 months, the use of mobile and social media apps has presented new challenges, many of which are still emerging. Organizations’ growing reliance on cloud computing and data, in general, poses similarly complex challenges. Yet, these issues represent only a portion of those crowding internal audit’s 2014 priority list.

Our findings show that:

  • Social media, mobile applications, cloud computing and security (specifically with regard to the NIST Cybersecurity Framework) are critical areas of concern – Social media applications and related risks are top priorities for internal auditors to address, as are risks surrounding mobile applications, cloud computing and security.
  • CAATs and data analysis remain on center stage – As indicated in past years of our study, internal auditors plan to strengthen their knowledge of computer-assisted auditing tools, and continuous auditing and monitoring techniques.
  • Fraud management efforts focus more on technology as well as prevention – Auditors are concentrating more time and attention on fraud prevention and detection in increasingly automated business environments and workplaces.
  • “We have to keep pace with a raft of regulatory, rules-making and standards changes” – The updated COSO Internal Control – Integrated Framework represents a major change for internal audit, with significant implications for many financial, risk management and compliance activities. However, strengthening knowledge of the new COSO framework ranks as a lower priority compared to other critical rules-making changes internal auditors are digesting, including new Standards from The IIA and the new NIST Cybersecurity Framework.
  • Internal auditors want to take their collaboration with business partners to a new level – Internal audit’s longstanding desire to improve collaboration with the rest of the business has intensified, as is evident in the priority that CAEs and respondents place on communicating, and even marketing, the expertise and value that internal audit provides to the rest of the enterprise.

For more information and to download a copy of our full report, visit www.protiviti.com/IAsurvey. And I also encourage you to watch our short video: