Digital Muhammad Hassan Rizvi Feb 21, 2022
If internal audit functions took advantage of everything AI and data analytics present, businesses would be able to benefit from them in a variety of ways. These benefits include performance reporting, fraud prevention, risk-based internal audits, and continous monitoring.
With continuous expansion of technologies such as artificial intelligence (AI), cloud computing, and big data, organizations can now store and process more data than ever, making it easier for them to drive business strategies and decisions based on data analysis insights. With growing technology use in business decision-making and its impact on the global business paradigm, many internal audit departments have yet to adopt all of the opportunities that AI and data analytics offer.
Data-enabled internal auditing can be a driver of change for organizations and can provide a performance- and risk-based outlook to audit engagements. Businesses can benefit from data-enabled internal auditing in a variety of ways.
Performance Reporting Internal audit can provide timely performance reporting to the audit committee and management by mapping performance against key risk indicators (KRIs) and critical success factors. This can enable business leaders to begin remediation of risks that could have a significant impact on achieving organizational objectives.
Fraud Prevention and Detection Internal auditors can proactively identify fraud instances by using red flags embedded in the internal control systems. The system will raise red flags if it identifies an instance, not fraud, itself. For example, if a parameter has been embedded in the control system that the invoices are raised against, like the same supplier for the same type of materials within the same month, then the system should generate an alert.
Continuous Monitoring Data-driven audits can focus on defining the threshold that would trigger a fraud alert, such as by number, amount, category, and frequency of transaction. An auditor can follow through on such alerts to identify a potential breach of authority, policy, or procedures. This capability can enable businesses to monitor control activity on a more automated basis.
Enhanced Risk Assessment and Risk Coverage Risk assessment may be improved by linking risk analysis with the KRI database, risk loss reporting, and governance risk compliance dashboards. Linking risk analysis enables an internal auditor to identify processes with high-risk impact and likelihood rather than by merely using judgment. Moreover, it may improve audit coverage by:
Identifying the correct audit to be performed.
Audit Effectiveness Adopting the data analytics approach can build critical data analytics capabilities within the internal audit department. For example, analytics can make the function more effective at detecting risk and data anomalies, as well as identifying performance improvement opportunities across the organization. Moreover, by enabling auditors to select high-risk samples, this approach can decrease the time auditors spend on testing and the amount of disruption to audit clients.
Risk-based Internal Audits Using data analytics to detect anomalies can help internal auditors identify high-risk areas within the audit universe and develop audit themes for selecting end-to-end, high-risk processes for audits.
Developing dashboards and analytic reporting on metrics such as KRIs and key performance indicators (KPIs) within each operating area of the organization can help auditors leverage continuous auditing. It also can provide a platform for more robust and continuous risk assessment processes for audit planning.
Moreover, internal audit can link to the organization's strategic objectives by developing audit themes derived from the results of periodic KRI assessments.
Data and analytics can be embedded in several phases of the internal audit cycle. For example, auditors can use business intelligence tools for pre-fieldwork scoping such as data discovery. Analytics can enable dynamic audit planning using a technology-enabled, quantitatively enhanced, continuous risk assessment process. Auditors can also use analytics for specific tactical efforts such as proactive fraud protection. This data-enabled internal audit approach may consist of several steps.
Analyze the Audit Universe Internal auditors should analyze the audit universe to determine and select audits that can benefit from the use of data analytics based on factors such as:
Develop the High-level Scope Internal auditors should review the process risk points of the area under review to determine the KPIs, KRIs, trends, or anomalies that would make a difference in the scope of the audit.
Execute the Audit The execution step begins with data extraction. Internal audit can obtain data sets through management information systems reporting, knowledge management systems, and customized user reports from the available system capabilities, which are identified during the phase of analyzing the audit universe. Once the data is received, auditors should extract relevant data points from the source system, transfer it into a database format, and load it into an analytics engine.
Next, auditors should analyze the data to identify potential issues, trends, and anomalies. They can use an analytics engine to perform advanced analysis, including rule-based scripts, descriptive models, or predictive models. This may require help from a specialist with advanced technical training and relevant experience.
Analytics should be integrated into an audit program to meet objectives. Auditors should design and test this program using data analytics-based audit procedures that achieve audit objectives. For example, a vendor management audit might include:
Once audit procedures are complete, internal audit should examine results and develop insights. Auditors should perform additional fieldwork to validate that the analysis was performed correctly and identify the trends, anomalies, or issues that should be reported. They should use a visualization tool to validate the results of the analysis.
Report the Findings Once the audit is completed, internal auditors should report the results using a visualization tool that allows for enhanced reporting through data connection, extraction, and analysis linked with KPIs and KRIs. A standard audit report that can be shared with management also may be used. In addition, an auditor may design and establish reporting mechanisms, data-analytics dashboards, balanced scorecards, and alerts.
Implementing the data-enabled internal audit approach can be a long journey. To begin, the CAE can design a pilot project and perform one engagement using this approach and can further refine the internal audit strategy.