The analytics team was now at three people – so I could build some overlap in our knowledge of the application systems that we were accessing on a regular basis. For example, this meant that I was no longer the only person who understood the financial system. Now we had at least two people for each of the 10-12 systems we were accessing on a regular basis. For all but the inventory system (an IMS database we accessed with ACL for MVS IMS interface) we were getting monthly extracts – either by running the extract jobs ourselves, or as a standard production job.
The first question I had to address in building a team was the level and experience of the people that should be part of the analytics function. A related question was: Should an auditor be taught programming (data extraction and analysis) or should a programmer be taught to conduct audits? Failures in implementing analytics have one thing in common — management did not assign the right person or people to the task. Too often, a junior programmer with limited or no audit experience — addressing only the IT aspects of the job — is assigned to develop the analytics function. Given the nature of the task — dealing with business process owners, system programmers, and review team leaders — the analytics function must be staffed at the appropriate level and with the necessary experience. The biggest hurdle is having the business process knowledge to identify the types of analytics to run. Because of management’s support, I was able to hire people at senior auditor or team leader levels. One was a programmer with IT audit experience, the other a programmer willing to learn about audit.
Continue reading Year 5 – 1992 – building a sustained team
By 1991 the idea of using data analytics to support internal audit was firmly in place in the organization. I was producing monthly reports which described how analytics was used by various audit teams to improve efficiency, to expand the scope, to arrive at better findings and to fully test controls (i.e. not using samples). The analytics team (still only two people) had developed CAATTs (Computer-Assisted Audit Tools and Techniques) manuals to describe the financial and inventory data to which we had access; and we were working on a manual for the HR system. These manuals included a series of standard tests that could be requested by the auditors as well as a description of the fields that were available so that ad hoc requests could be performed. We were accessing approximately 25-30 information systems a year; 7-8 were accessed on a regular basis and the others were used occasionally or on a one-time basis. For the regular systems, we had arranged for standard extracts to be produced on a monthly basis and we were beginning the process of creating multi-year summaries (e.g. summary by General Ledger account by Year for the past 3 years). This allowed us to start looking at trends in the data such as the usage of overtime or professional services compared to regular salary dollars. In the future, we would be able to use this information to contribute to the annual risk-based audit plan (but I am getting ahead of myself). For now, it supported the planning phase of the audit – expanding the analytics input beyond the conduct phase.
The analytics team tried to meet team leaders early in the planning phase to determine their data requirements and to encourage the use of analytics during planning, conduct and even reporting. It was still very much a “push” rather than a “pull” so we had to understand their requirements and sell them on the use of analytics – but it was getting easier as we racked up success stories which we published every month.
Continue reading Year 4 – 1991 – Up and running
Welcome to the 1990s, the age of personal computers, distributed processing and the promise of great things from technology – sound familiar?
About six months ago, my manager questioned me about the fact that I had provided reports to, and performed analysis for, other audit teams. He said, “You were hired as an IT auditor, not to support other audit teams.” At the same time, he recognized that the audits I helped were producing excellent audit results and that the data analysis and reports I provided were a contributing factor. He told me that he wanted the weekend to think about what to do with me. On Monday, when I was summoned to his office, I wasn’t sure if I would still have a job or not. I was fortunate: for a trial period I was given responsibility for supporting analytics. We had another discussion a year later when he wanted to know why the audit teams were not self-sufficient after being supported by me for a year. I was teaching them lots of things about the data and ACL, but they still needed help with more complex analysis. I explained that as long as I kept learning – and doing analysis 12 hours a day – the auditors would never catch up to me and would always need help as we did more and more complex analysis. The trial period ended and a permanent data analysis function was created. A year later, the team of analytics experts had grown from one (me), to two; and we were supporting 100 auditors and 30 evaluators (mainly the auditors) who were performing about 20 audits and seven evaluations each year.
Continue reading Year 3 – 1990 – Data analytics established
In 1989 I was assigned a second audit in the telecom area. The main objective was to assess our use of Leased Long Distance Lines (LLDLs). LLDLs were dedicated long distance lines that were primarily used for transfer of data. Rather than pay long distance charges, we had dedicated lines for this purpose. The LLDLs were cheaper than using regular lines, and had higher quality and faster speeds. I asked for the reports for the LLDLs and was directed to another pile of boxes of unopened reports.
We had thousands of LLDLs in hundreds of offices and buildings across the country. Since the telecom was managed centrally, all reports were sent to headquarters. I was disheartened at the prospect of slaving over more paper-based reports again. The manager told me that even though the monthly usage reports were divided by region / building / LLDL number, all the charges were processed by the same telecom company (sometimes monopolies are a good thing). So I called the telecom company and inquired about getting the information electronically. After much discussion, they agreed to provide the data in an electronic (ASCII Text) format for $240.00. I went to my manager and asked for permission to spend the money to get the electronic version of the 12 monthly usage reports. He told me to talk to the Audit Director – who owned the budget.
Continue reading Year 2 – 1989 – the beginning of my analytics