As internal auditors, we know the value of technology and automation, since we regularly recommend corrective actions to move from manual to automated controls. Now we face the same challenge ourselves, with data analytics and robotic process automation (RPA) making manual testing and reporting obsolete. When we implement these solutions, we’re going to increase our audit efficiency, focus on key risks, provide deeper and more valuable insights to management, and automate some of the testing, reporting, and issue follow-up that take so much time. The first hurdle is knowing where to start, so in this article, we’ll address the top ten questions from auditors about data analytics and RPA so you can further your education about the available technology and get started on the right path to automation.
Data Analytics & RPA
1. What are data analytics and RPA?
We usually think of data analytics for testing whole populations instead of sampling. Analytics helps us to reorganize data to draw conclusions. Sampling is good for making assumptions about data, but analytics provides true error rates, highlights trends, and identifies areas for further investigation. RPA automates repetitive tasks by working continuously so auditors can focus on the more dynamic audit work of interviewing, testing, and reporting issues.
Planning the Transition
2. What first steps would you recommend for an internal audit department that has no experience with data analytics and/or a limited budget?
Start by looking for anyone else internally who is using analytics, like someone in Finance or Accounting. You might be able to shadow them, or they may be willing to train your department. There may be free tools like Power BI, which comes with your Microsoft package, or you can purchase one if you have specific needs. If you need to budget for software, remember the ROI for the tool — you’re going to save time, and your time is valuable.
Roles/Ownership of Data Analytics
3. When do you determine who should own the data analytics process and RPA?
Some organizations centralize data analytics and RPA as a Center of Excellence that includes an innovation team, so it might not be owned by audit. Then, internal audit could leverage the data analytics process in its own testing or reporting. The business will own data analytics, and auditors should test the program if it’s used to support or validate controls.
4. What functionality should I look for in a Data Analytics or RPA tool?
Ease of use is probably the most important — if the tool is too complicated, no one’s going to use it. After that, you’ll focus on the specific functionality you need. As a best practice, work with the organization to find an analytics platform that works for everyone, not just the audit department; that way you may be able to share or spread the costs.
5. How do I audit data analytics and RPA?
A good place to start is to think about completeness and accuracy. Audit could evaluate the implementation process to decide whether the analytic used was designed properly and tested before the business started relying on the output. The same goes for RPA: audit can test whether the automation outcome works as expected. One thing to watch for is failures — the automation will usually skip unexpected data, so we’ll need to find out why the RPA failed.
Data Analytics Adoption
6. How do we overcome challenges with sharing knowledge if data analytics is limited to just a few people on the team?
We need strong leadership support to require the use of analytics on every audit, and then we hold the team accountable. We’ll naturally push and train each other. Newer auditors can shadow more experienced people while they perform analytics, or we can even dedicate time for short training sessions for the whole department.
7. Should data analytics be part of every audit?
Absolutely, data analytics can be part of the entire audit process. It helps us rank risk priority, lets us test full populations instead of sampling, and helps us understand the impact of any issues we find.
8. What are some use cases for implementing data analytics into the risk assessment?
One is to facilitate more frequent, dynamic risk assessments. As data is analyzed, the increases and decreases in risk ratings may alert you to risks trending beyond the organization’s risk appetite.
9. How can we use data analytics or continuous monitoring for testing management override?
That’s a great use case. We often look for transactions that need approval and look for signs that the approval was bypassed with an override. Our analytics tools are good at finding these transactions quickly. If we move to RPA or continuous monitoring, the application could create exception reports for the overrides.
10. How do I choose the appropriate way to use the data I receive from auditees?
We have two ideas. A top-down approach starts with a question, and we look through the data to find the answer. In a bottom-up approach, we start with the data and look for trends, patterns, and gaps. If you use both methods, you can get a more holistic view of the data to increase the reliability of any test or to better visualize the results.
Moving forward with data analytics and RPA sets you on a path to improving the entire audit process. You are trying something new and there will be a learning curve, so don’t be afraid to learn from any missteps along the way and make process improvements as a team. The insights you can gain about your organization through analytics will completely justify the effort.
Scott Madenburg, CIA, CISA, CRMA, is Market Advisor, SOX & Internal Audit at AuditBoard. Prior to AuditBoard, Scott was Head of Audit at Mobilitie LLC, with nearly two decades of experience in operational, IT, and financial auditing, as well as SOX compliance. Connect with Scott on LinkedIn.
Eric Groen, CPA, CIA, is a Managing Director at Protiviti with almost 20 years of experience in compliance, internal audit, external audit, and risk management. Eric is the current president of the Phoenix chapter of the IIA.