Data-enabled internal auditing can be a driver of change for organizations and can provide a performance- and risk-based outlook to audit engagements. Businesses can benefit from data-enabled internal auditing in a variety of ways.
Performance Reporting Internal audit can provide timely performance reporting to the audit committee and management by mapping performance against key risk indicators (KRIs) and critical success factors. This can enable business leaders to begin remediation of risks that could have a significant impact on achieving organizational objectives.
Fraud Prevention and Detection Internal auditors can proactively identify fraud instances by using red flags embedded in the internal control systems. The system will raise red flags if it identifies an instance, not fraud, itself. For example, if a parameter has been embedded in the control system that the invoices are raised against, like the same supplier for the same type of materials within the same month, then the system should generate an alert.
Continuous Monitoring Data-driven audits can focus on defining the threshold that would trigger a fraud alert, such as by number, amount, category, and frequency of transaction. An auditor can follow through on such alerts to identify a potential breach of authority, policy, or procedures. This capability can enable businesses to monitor control activity on a more automated basis.
Enhanced Risk Assessment and Risk Coverage Risk assessment may be improved by linking risk analysis with the KRI database, risk loss reporting, and governance risk compliance dashboards. Linking risk analysis enables an internal auditor to identify processes with high-risk impact and likelihood rather than by merely using judgment. Moreover, it may improve audit coverage by:
Identifying the correct audit to be performed.
- Increasing the number of audits per year.
- Decreasing the time required to cycle through the audit universe.
- Increasing the frequency of audits in key risk areas.
- Increasing the scope of specific audits.
Audit Effectiveness Adopting the data analytics approach can build critical data analytics capabilities within the internal audit department. For example, analytics can make the function more effective at detecting risk and data anomalies, as well as identifying performance improvement opportunities across the organization. Moreover, by enabling auditors to select high-risk samples, this approach can decrease the time auditors spend on testing and the amount of disruption to audit clients.
Risk-based Internal Audits Using data analytics to detect anomalies can help internal auditors identify high-risk areas within the audit universe and develop audit themes for selecting end-to-end, high-risk processes for audits.
Developing dashboards and analytic reporting on metrics such as KRIs and key performance indicators (KPIs) within each operating area of the organization can help auditors leverage continuous auditing. It also can provide a platform for more robust and continuous risk assessment processes for audit planning.
Moreover, internal audit can link to the organization's strategic objectives by developing audit themes derived from the results of periodic KRI assessments.
The Audit Process
Data and analytics can be embedded in several phases of the internal audit cycle. For example, auditors can use business intelligence tools for pre-fieldwork scoping such as data discovery. Analytics can enable dynamic audit planning using a technology-enabled, quantitatively enhanced, continuous risk assessment process. Auditors can also use analytics for specific tactical efforts such as proactive fraud protection. This data-enabled internal audit approach may consist of several steps.
Analyze the Audit Universe Internal auditors should analyze the audit universe to determine and select audits that can benefit from the use of data analytics based on factors such as:
- Availability of data. Check if sufficient data is available to analyze the area under review, and if business technology is available to capture the data source.
- Reliability of data. Evaluate if the data available is obtained through a reliable source and is consistent.
- Risk analysis. Based on the risk assessment performed, an auditor will evaluate if the area under consideration is assessed as high risk. The higher the risk assessment, the higher the priority for the process to be selected.
- Complexity. Data complexity is based on the number of sources the data is derived from and the time required to obtain it.
- Frequency. This refers to the number of times the audit is required to be performed during an annual audit period.
Develop the High-level Scope Internal auditors should review the process risk points of the area under review to determine the KPIs, KRIs, trends, or anomalies that would make a difference in the scope of the audit.
Execute the Audit The execution step begins with data extraction. Internal audit can obtain data sets through management information systems reporting, knowledge management systems, and customized user reports from the available system capabilities, which are identified during the phase of analyzing the audit universe. Once the data is received, auditors should extract relevant data points from the source system, transfer it into a database format, and load it into an analytics engine.
Next, auditors should analyze the data to identify potential issues, trends, and anomalies. They can use an analytics engine to perform advanced analysis, including rule-based scripts, descriptive models, or predictive models. This may require help from a specialist with advanced technical training and relevant experience.
Analytics should be integrated into an audit program to meet objectives. Auditors should design and test this program using data analytics-based audit procedures that achieve audit objectives. For example, a vendor management audit might include:
- Activity — vendor data master maintenance.
- Process risk — operational inefficiencies because of ineffective vendor master data management.
- Traditional procedure — verification that purchasing management periodically reviews and actively corrects vendor master data for any inaccuracies or incomplete data.
- Data-enabled audit procedure that generate statistics for each field in critical datasets, including reviewing metrics for in-scope data elements.
Once audit procedures are complete, internal audit should examine results and develop insights. Auditors should perform additional fieldwork to validate that the analysis was performed correctly and identify the trends, anomalies, or issues that should be reported. They should use a visualization tool to validate the results of the analysis.
Report the Findings Once the audit is completed, internal auditors should report the results using a visualization tool that allows for enhanced reporting through data connection, extraction, and analysis linked with KPIs and KRIs. A standard audit report that can be shared with management also may be used. In addition, an auditor may design and establish reporting mechanisms, data-analytics dashboards, balanced scorecards, and alerts.
Implementing the data-enabled internal audit approach can be a long journey. To begin, the CAE can design a pilot project and perform one engagement using this approach and can further refine the internal audit strategy.