Recent research by the Chartered IIA (CIIA) and AuditBoard found that while many internal audit teams are using some data analytics, program maturity is low. For those who have already progressed on the data analytics journey, the results are tangible. Demand for further development is now coming from within organisations themselves as they too see the benefits.
However, for those who are at an early stage of development or have not yet taken the first step on this journey, there may be a temptation to slow or even defer investment indefinitely and simply “deliver the audit plan as normal”. This is a short-sighted view that will inevitably create a widening gulf between the value delivered by internal audit functions who invest in data analytics and those who don’t. Data is key to the future for all organisations, it is therefore key for internal audit as well. Understanding what the data shows about risk resilience in today’s complex environment will ensure the organisations’ success. No matter where your function and organisation are in their data analytics journey, there is always progress to be made.
Read on for actions you can take to further your team’s use of data analytics at each stage of the maturity curve, then download Embracing Data Analytics: Ensuring Internal Audit’s Relevance in a Data-Led World, to learn more about developing your audit analytics strategy.
1. Zero data analytics activity
Action: Internal audit functions that have not embarked on the data analytics journey yet need to get moving post-haste. A lot can be achieved with a little. For example, begin experimenting with a core finance dataset using Microsoft Power Query in Excel to analyse and test the full data population. Join an interest group such as the Chartered IIA’s Data Analytics Working Group. Discover what others are doing and begin to understand the potential for data analytics in internal audit.
2. Ad hoc, disjointed tactical use
Action: Demonstrate progress to the audit committee for buy-in and to access investment. Recruit a data analytics specialist or if this is not possible, champion data analytics and data science investment within the organisation at large. Map the organisation’s entire data universe and access as much data as possible. Embed continuous monitoring/risk assessment for greater risk awareness, planning and scoping.
3. Strategic use of data analytics but basic to medium-level techniques and applications
Action: Continuous risk assessment is now running in the background and audit planning pinpoints the biggest priorities. Formalise a data analytics strategy with clearly defined goals. Set up knowledge-sharing workshops and huddles so internal audit can learn from data specialists either within the function or the organisation. Further develop your peer group connections and learn from others’ experiences and their practical applications of data analytics. Foster a culture of experimentation and continuous improvement. Expand application of data analytics to multiple risks and business functions/activities. Use software and self-coded bots to automate menial and repetitive tasks, such as financial controls testing or document gathering. Bring audit reporting to life with data visualisations to paint a clearer risk picture for senior stakeholders. 8 Embracing data analytics: Ensuring internal audit’s relevance in a data-led world
4. Strategic and integrated use of data analytics and data automation techniques
Action: Explore machine learning capabilities such as natural language processing (NLP) by coding bespoke tools, moving beyond the analysis of numbers and binary data entries alone. Contrast multiple datasets for more precise, incisive risk perspectives. Experiment with process mining to better understand deviations, control failures and anomalies across end-to-end processes. Set defined targets for the use of data analytics across audit activities to measure progress. Continuous monitoring and automation should cover all core processes and audits in green and amber risk areas, freeing up internal audit’s time and resources to focus on the very highest priority strategic and emerging risks.
5. At the bleeding edge of the profession, having begun to integrate process mining and machine learning
Action: Further experimentation with emerging and AI-powered analytics techniques applied to both structured, semi-structured and fully unstructured data. Simultaneously analyse multiple internal datasets and where possible and relevant contrast this with external data analysis to deliver unique insights. Apply predictive capabilities to track audit activities and identify audits that may run over time or budget to put in place interventions. Similarly, develop predictive capabilities to understand the relationships between various business risks, identifying potential domino effects that may be likely to manifest as threats to the organisation in future.
6. Fully optimised and integrated data analytics and data science approach with predictive capabilities
Action: The function is as fully enabled as current technology allows and continuous, automated and predictive analyses are overlaid with internal audit’s expert and intimate understanding of the business for unparalleled assurance provision. The internal audit function is no longer looking in the rear-view mirror at past issues. All available data is flowing into the function and internal audit is only focused on what matters, heading off risks before they become major incidents. The third line keeps pace with advances in machine learning and integrates them where appropriate, refining and honing its data approach.
To learn more about how to mature your data analytics capabilities, download a copy of the CIIA and AuditBoard’s full report, Embracing Data Analytics: Ensuring Internal Audit’s Relevance in a Data-Led World.