Year 9 – 1996 – Promoting CAATTs

I had been writing articles for the Internal Auditor (IIA) and other audit-related magazines for several years now, but I wanted to do more to educate and encourage auditors in the use of analytics.  One day I realized that if I assembled all of my previously published IIA articles, I had about 50% of the content necessary for a book on analytics.  So I started developing an outline and writing more content.  It took about six months to combine what I had and write the other 50% and the result was “CAATTS and Other BEASTs for Auditors”.   The book was published by Global Audit Publications, the publishing arm of ACL Services.  It was their first publication – other than software manuals.  Now I was a published author.

CAATTs and Other BEASTs explained how various types of software – from word processing to data analysis – could be used to support the planning, conduct and reporting phases of the audit.  It was well received by auditors who were looking for guidance in the use of analytics; and I was encouraged to write more articles and even another book (but not right away).  Even though it had a limited audience, the final sales total, after several years, was over 5,000 copies.

The next audit I supported was an environmental audit of hazardous materials.  The objective was twofold: ensure that hazardous materials were properly stored and disposed of in accordance with environmental laws and regulations.  At the beginning of the planning phase, I asked the auditors where they were going (i.e. where would the onsite audits would be conducted).  They told me that they were going to three large sites (one on the east coast, one in central region and the other on the west coast) and three smaller depots close to the large warehouses.  They explained that this would ensure all regions were covered and that small and large sites were audited.  Sounded good, but based on my analysis, one of the large sites and two of the smaller ones did not have any hazardous materials.  This wouldn’t make for a very good audit.

At the beginning of the planning phase of the audit, I had examined the hazardous materials data base and identified the sites with the most hazardous materials.  The analysis provided details on the quantity and types of hazardous materials were stored at each location.  I also included details on the 5-year purchase patterns as well as usage and disposal quantities for each site.  In some cases they were purchasing a 10 year supply of materials that had a 3-year shelf life and specialized handling and disposal requirements.  This amounted to serious safety and environmental risks at a number of sites.  Next I accessed a government hazardous materials information website and downloaded the environmental and health and safety requirements for the hazardous materials stored at each site.  Now the auditors had a much better idea of not only where to go, but also what they would find there, the storage and disposal requirements as well as the historical purchase, usage and disposal patterns.

ACL Commands: Filter, CLASSIFY, and CROSSTAB

Lessons-learned:  The analysis demonstrated the importance of the analytics team being involved at the start of the audit.  Data analysis can support the development of the scope, objectives as well as identify risks and control weaknesses.

 In this case, data analysis during the planning phase significantly improved the conduct of the audit in terms of both the efficiency and effectiveness.  A summary view can provide information on volume, while a historical summary can illustrate trends that would not be evident from a single snapshot of the data.   Detailed analysis can support the development of a comprehensive audit program and help prepared the auditors for their onsite work.

The audit also identified the importance of considering external sources such as government or industry websites.  The hazardous materials information system included critical information on the risks associated with the storage and disposal of each chemical compound as well as expiry dates, disposal methods and health and safety concerns.  This meant that the auditors were prepared (including obtaining hazmat suits) before the start of the audit and knew what to expect when they got to each site.

Lastly, I saw that traditional audit methods and approaches, including site selection, sampling, and manual reviews were still the “go to method” for many auditors and team leaders.  The use of data analytics was still going to require constant selling and involvement of data analysis specialists who understand audit.  AT the time I thought that this would change soon.  However, looking back to 1997 (almost 20 years ago), the same issue exists.  Auditors instead of asking “How can I use analytics to support this audit” or still more inclined to say “Analytics wouldn’t work (or be helpful) on this audit”.  Usually it is because of a combination of things including: a lack of understanding of what analytics can accomplish; strict audit timelines that don’t allow for analysis; laziness; and a lack of a top-down pressure/support.  A couple of weeks ago, at the request of the Chief Audit Executive, I was providing ACL training to a group of auditors and on the last day I asked “Will you use ACL in your audits now or are there still barriers to overcome”.  They had the software, were trained, and the CAE was fully supportive of the use of analytics – so I was surprised to hear them say “I don’t think so.  We don’t have enough time and our managers don’t see the benefit.”  This points to the importance of having not only top management support, but support at every level; and to have realistic expectations of what can be accomplished initially and as the analytics capability matures.

How do your experiences compare? Have you been able to gain acceptance and support at all levels for analytics?  How?

This article has 1 Comment

  1. I found your comments re the need to sell analytics to audit throughout the years up to now very relevant and interesting. Although I have the support of top audit management (mainly due to pressure to support/defend the investment made in ACL), I find that the actual audit team managers are skeptical and unwilling to come to the data analytics team and involve us in their planning and assessment processes. I would classify the issue as one of ownership (to avoid using the more cynical term of “territory”). At best, they might see themselves as stakeholders, but not owners, of the data analytics. I think your comments kind of confirm my experience on this (whew – its not just all me!). And I wonder how many others experience the same problems.

Leave a comment