Call: +918860190008 Email: communications@mbgcorp.com
MBG Corporate Services Logo
Expo 2020
flagIndia
UAE Qatar Singapore Germany China Japan
Get A Quote


    Home-Insights-Data Analytics – Transformation of Internal Audit
    Risk Advisory

    Data Analytics – Transformation of Internal Audit

    FOREWORD

    Data analytics is a game changer. But it doesn’t have to be a large, daunting undertaking. Internal audit teams have options to start small, build early wins, and demonstrate unique value to leadership. The key is to get started. For a broader view, see how data analytics is transforming internal audit.

    Effective analysis of data must lie at the heart of internal audits if they are to remain relevant to stakeholders. To make this happen, strong governance frameworks are needed in data analytics, covering four key areas: quality, talent, independence, and security. To ensure that organizations realize full value from their analytics investments, governance frameworks should be reviewed with a view to adopting a more transformative approach. As a result, data analytics is increasingly an indispensable element of the internal audit toolset.

    In this guidance the following aspects need to be understood:-

    • The need for Data Analytics
    • Quality
    • Talent
    • Independence
    • Data Security
    • Conclusion

    The need for Data Analytics

    Analytics breaks down vast volumes of data and then rebuilds it to form information clusters that the auditor can use to analyse the risk landscape.

    Effective data analytics elevates performance, provides greater value to the organization, and increases the credibility of internal audit with its stakeholders. It is also helping to transform internal audits by significantly automating processes, supporting compliance within existing organizational policies, and providing management with a higher level of operational assurance.

    However, opportunities are coupled with risks, and this area is no exception. In making the most of data analytics, internal audit departments face issues including inaccurate or misleading results; misuse or misinterpretation of data; conflicts in independence; development of talent; and challenges around data privacy and security.

    To address the above, internal auditors should focus on effective analysis of better data and strengthen their internal audit governance framework to cover emerging data‑analytics‑related risks surrounding quality, talent, independence, and security.

    Quality

    High‑quality, impactful analytics are an asset to the business and a boon to the credibility of internal audits. Unfortunately, trust can be rapidly lost due to inaccurate or unreliable results, which can be caused by poor‑quality data; incorrect coding; poor or misleading presentation; and failure to answer the question. It is therefore imperative that testing and quality assurance (QA) procedures are put in place that take into account the ‘quality’ risks attributed to developing an analytics solution.

    A strong test and QA framework should incorporate principles from the IT development cycle, including:

    • Data quality standards and assessments. For example, Service Level Agreements (SLAs) for regular data deliveries; direct access to validated data sources (data warehouse or ERP applications); header/row counts; and data‑quality profiling for key attributes.
    • Code verification. For example, logical accuracy and correctness, and formats.
    • Output validation. For example, checks that the output answers the business problem; output readability; and consistency.

    Some organizations that are more advanced with their use of data analytics are starting to develop data‑quality assessments and standards at the macro (general content) and micro (specific fields or values) levels. The purpose of these assessments is to identify erroneous data and to measure the impact on analytics‑driven processes. It is critical to identify data errors and to understand their implications.

    The quality assurance scope should include the tools (and algorithms) used for performing the analysis of data. The objective is to obtain assurance that these tools operate as intended.

    Role and responsibilities

    Analytics is most effective when there is close engagement between internal auditors and data analysts. Whenever the roles and responsibilities between analytics specialists and auditors are not well defined, there is a risk that the relationship becomes unbalanced and ineffective. For example, too little involvement from analytics in defining the audit scope can result in inappropriate insights being produced, whereas an over‑reliance on analytics to define the testing can lead to the wrong questions being asked or risks being investigated.

    To achieve the right balance of responsibility and collaboration between data analysts and auditors, there should be clarity in terms of the roles that each performs. In addition, organizations should align performance goals with the broader goals of the data analytics initiative.

    Through training and skills development, the capabilities of internal audit team members should converge to share a common understanding of tasks and expected behaviours. For example, traditional auditors should be able to handle appropriately sensitive data provided by data analysts and interpret and communicate the business results. Similarly, data analysts should collaborate with auditors to enhance their understanding of data sensitivity and produce more effective analytics. For how these insights feed reporting, see the 5 Cs of Internal Audit reports.

    Independence

    It is imperative that the use of data analytics preserves the internal auditor’s independence and objectivity. The nature of the outputs delivered by the analytics cycle can give rise to specific complications when it comes to meeting these principles. Careful consideration must be taken to address a number of issues that can affect the independence of the audit work.

    For example, an analysis that identifies specific instances of control failures could be interpreted by the business as part of detective control. In fact, the business may approach internal audit to learn how analytics can be transferred down the lines of defence.

    Although internal audit does not own any sourced data, it does own the outputs and the logic used. If the logic is transferred in full to the business, how does that impact internal audit’s independence and objectivity when reviewing the same area later? How will the business and internal audit share common data platforms, repositories, and tools?

    It does not make economic sense for internal audit functions to build their own infrastructure; build and maintenance costs are prohibitive. Multitenancy approaches that allow a single data platform (such as a data lake) to serve multiple tenants or departments are being explored by many organizations. The tenants do not share or see each other’s data.

    An organization’s data analytics governance framework should consider the disruptive influence of analytics on the relationship between audit and business. A collaborative approach should be considered, with clear roles and responsibilities for data sourcing and access, data knowledge, and data quality.

    Data Security and processing of sensitive data

    As large data consumers, internal audit teams are exposed to the same risks around data security and privacy that they examine for stakeholders. Managing these risks becomes doubly important when dealing with jurisdiction‑specific regulation and cross‑border issues.

    Although the department will already have policies surrounding the collection, storage, and disposal of audit working papers, internal auditors should consider these policies with respect to the end‑to‑end data analytics lifecycle and, for each data class, define:

    • what data can be requested/stored
    • how data is accessed
    • who can access the data on the storage platform
    • where the data can be stored, what data can be distributed or transferred and to whom, and the data retention period

    Particular attention should be given to how personally sensitive data is processed and stored, such as client‑identifying data, taking into account jurisdictional regulations and cross‑border restrictions. This is especially relevant to organizations whose analytics operating model includes offshore centres of excellence.

    In addition, the data analytics governance framework should encapsulate the preservation of the three major concepts in information security: confidentiality of data stored, processed, and reported; data integrity; and data availability. In the case of any breach, the organization should be in a position to take corrective actions as soon as possible.

    It is also worth noting that sourcing and collating data for analytics can increase cybersecurity risk. Besides insider threats, privileged users (including data analysts) who have access to an organization’s crown jewels (such as customer‑sensitive data) can be targeted by cybercriminals. To mitigate this risk, organizational policies—such as encryption of sensitive data—should be complied with by all privileged users, including internal auditors and data analysts.

    Conclusion

    Data analytics is transforming audits by providing data‑enabled insight coupled with automatic identification of high‑risk items, allowing auditors to prioritise and investigate high‑value areas.

    More importantly, a higher and unprecedented level of efficiency is achieved by letting analytics focus on transactional and low‑value activities, with auditors focusing on high‑risk items that require critical human observation and examination.

    As well as the benefits of disrupting traditional audit processes, analytics brings inherent risks that can limit effectiveness or expose the department to reputational damage.

    The starting point for managing these risks should be the careful review and development of a governance framework that helps align the use of analytics to audit strategy and risk appetite.

    The governance framework should articulate:

    • clear roles and responsibilities in relation to the resources involved in the entire analytics process
    • how conflicts of interest that could potentially arise will be addressed
    • how issues will be resolved

    As data and analytics are key components in the evolution of internal auditing, the governance framework must then be incorporated into the organization’s internal audit methodology. For the audit lifecycle, see the internal audit process from A to Z.

    Why Data Analytics Adoption Is Slow

    So why is there a slow adoption rate for data analytics?
    Given all the benefits that data analytics can offer and the advances in technology, why has its use by internal auditors plateaued? The answers may be related to funding, lack of skills, access to data, or all of the above.

    Funding and Budget Constraints

    Budgeting can be a barrier. While internal audit functions generally enjoy the support of their governing bodies (the audit committee) and senior executives, few departments receive adequate funding to invest in data analytics technology, to acquire and retain talent with expert analytics skills, and to provide internal audit data analytics training.

    Skills and Capacity Gaps

    Another problem is finding professionals with the required skills. There is a general shortage of professionals with data analytics technology skills willing to build careers in internal audit. To implement and operationalise data analytics, internal audit organizations need to hire and retain tech‑savvy talent to work alongside traditional internal auditors. While some internal auditors are tech‑savvy, only a small percentage can keep up with technology changes and the breadth of knowledge required to remain effective and respected. To use data analytics sustainably after implementation, teams need technical experts and traditional internal auditors working side‑by‑side during audits.

    Data Access and Data Quality Hurdles

    Getting access to proper data and maintaining quality data are other hurdles. Unless a company maintains structured data across functions, segments, and subsidiaries—most optimally overseen by master data management professionals using standard methodologies and platforms—it can be difficult to obtain, format, and use data during an audit. Often, auditors are unable to obtain data due to lack of availability or compatibility, or managers hoard data. Additionally, when data is provided, it may be unusable because it is not structured or lacks uniformity. Often, hours are devoted to obtaining, understanding, and organising the data provided, and the analysis yields too many errors to be useful.

    Transformation Dependencies and Competing Initiatives

    With the fourth industrial revolution underway, many companies have projects in robotic process automation (RPA), artificial intelligence (AI), blockchain, and the Internet of Things (IoT), all of which build on or require robust data analytics programs.

    What Internal Audit Should Do Now

    Now is the time for internal auditors to get involved. Chief audit executives and their teams should join such implementations, as they present an opportunity to partner and provide advice. While providing advice, internal auditors can better understand technology changes, guide the development of structured data suitable for analytics, remind corporate leaders and governing bodies of the benefits of a successful data analytics program, and request support and funding to either kick‑start or resume programs that may have stalled.

    Related Resources

    • Tags
    • data analytics
    • transforming your internal audit
    • internal audit function
    • data analytics and internal audit
    • risk advisory
    • Internal Audit

    What can we help you achieve?

    Stay one step ahead in a rapidly changing world and build
    a sustainable future with us.

    Request a Consultation