Alex Hunt outlines the examples that offer the greatest benefit to audit teams.
Data analytics has been at the forefront of audit and risk for decades. Computer-assisted audit techniques are well established and specialist audit software such as IDEA are tried and tested. However, internal audit functions are still not fully benefiting from analytics’ transformative capabilities, with auditors reverting back to traditional sampling and manual processes time after time.
What organisations need is a roadmap that will help auditors to harness data science and process automation, and enable data-driven decision-making and insight. Adding these abilities can bring substantial benefits to the way assurance is delivered, and transform how third and second lines of defence use data analytics to identify, manage and monitor an organisation’s risks.
Using effective data and analytics is shaping the businesses of the future. The examples suggested below show why audit functions need to invest time in analytics to make a difference across the audit life cycle, from upfront planning assessments to reporting.
Businesses need real-time insight into key risks and changing conditions. Control environments have changed with remote working, staff shortages and different trading conditions. Risks emerge from unforeseen topics and management can struggle anticipating such events. When data is available but not used in a prescriptive manner, it may fail to identify emerging risks or generate risk-sensing insights.
Data analytics can provide businesses with rapid and continuous insight on key processes and controls, while advanced business intelligence software can provide visual insight into risk exposure and underlying trends. By maturing their data strategies to incorporate risk management measures organisations can start to analyse internal and external data to initiate a risk-sensing programme that includes the following:
Deviations in trends and behaviours can be detected using advanced analytics such as data visualisation and statistical modelling. Examples: credit risk exceptions or bribe payments.
Data analysis can be used to generate operational or financial predictions on risky transactions or conditions. Examples: supply chain risk monitoring, customer churn prevention or project performance tracking.
Key performance indicators with defined thresholds can give management early warning signals of adverse events. Examples: lending covenants or expense fraud, IT changes without testing sign-offs.
Text mining and natural language processing can identify and extract subjective information from open data sources. Examples: social media posts from customers or product reviews.
Analytical procedures can address a wide range of risks, helping internal auditors to better understand an entity and its environment, and to perform more comprehensive tests for potential fraud. They can also explore data on the fly as an audit progresses and drill down into the underlying issues to support conversations with auditees. For example, a data analytics test that identifies employees who are paid as vendors can provide initial evidence of fraud; that test can also lead to the implementation of controls and assist with remediation efforts.
The results of data analytics will require validation with the business to ensure conclusions are appropriate and false positives are eliminated. Analytics will report the symptoms of an issue and not necessarily the root cause or ultimate control failure. They can also support conclusions on both design and operating effectiveness.
One of the key provisions, of course, lies in supplying factual evidence in audit reporting. Visualisation tools can transform how this audit reporting is delivered by linking dashboards into a story and timeline. Stakeholders can then access reports remotely and on demand as needed.
Continuous auditing is defined as the automated performance of an audit activity on a regularly repeated basis that gives timely insight into an organisations risk and control issues. This method migrates standalone automated analytical solutions to perform on a redefined frequency based off a schedule (monthly, quarterly) or event (eg, payment threshold or expense reversal). Monitoring controls built into dashboards can be the basis for continuous auditing and monitoring solutions can be used by the second lines of defence within the business.
Auditors need to work more flexibly particularly as working remotely is the new normal for many organisations. Data analytics offers a way to do that and is increasingly being used to deliver remote audits, and to generate insights on risks and the internal control environment.
The advancement of software tools also removes many of the traditional barriers to analytics, such as handling disparate data sets and multiple instances of enterprise resource planning (ERP) systems, or an inability to ingest or connect to live data sources.
Meanwhile, the opportunity to add value at all stages of the audit lifecycle through analytics is growing and can change the way assurance is delivered. If the use of data analytics in auditing is not embraced there is a missed opportunity to raise the profile of the internal audit function, and to add significant value and insight to stakeholders across the wider organisation.