Studies after study have shown that data analytics is more effective and efficient at detecting risk, and identifying control weaknesses, non-compliance, and inefficient business processes. Chief Audit Executives (CAEs) have repeated stated that data analysis expertise is a much needed skill in internal audit, and IIA surveys of software over the past 10-15 years have rated data extraction, data analysis and analytical software as critical tools for effective audit organizations. Why then do more than half of the internal audit organizations still rate their analytic capability as poor or needing improvement?
I have been an internal auditor for 30 years and have been a user and advocate of analytics for 28 of those. (It was during the first two years of auditing that I realized I could do a better job by analyzing data.) I have been asked hundreds of times, “How can we develop and maintain an analytics capability?” Too often CAEs give up without even trying (“we are doing good audits now, why change things?”; or only make a feeble attempt at it (“let’s get a programmer right out of college and have them develop analytics for us.”)
The reality is change is difficult. As auditors we are constantly making recommendations to help others improve, change, do more, etc. but we ourselves stick with traditional auditing tools and techniques. Perhaps what is needed is a taste of our own medicine.
In order to successfully implement analytics and integrate data analysis in the audit process you must have a formal development and implementation plan. The plan must address the need for sufficient people (appropriate level and number), technology (primarily software) and processes (you need to change the way you currently perform audits). It must also have a project manager who will be held accountable for delivery on the plan, clear objectives, milestones, and a reporting requirement – to the CAE and/or the audit committee (but only if they fully support the adoption of analytics).
Analytics also requires an understanding of the business processes, the data and supporting them, and a solid grasp of internal auditing processes and requirements (e.g. application of the IIA standards). None of these will be provided by junior level audit or programming resources. Rarely will all these skills exist within one individual; and they might not already exist in your audit organization. Rather than being an impediment, this should be seen as an opportunity: an opportunity to obtain the right resources and task them with a clear objective. If you are lucky and have the appropriate type of resources in your organization – this is ideal. Existing resources should already know the business processes and have the internal audit skills, and perhaps have some analytical capabilities. However, they will need to be supported by training and software, and given sufficient time to develop the skills and implement the functionality. Most importantly, they will need to be dedicated to analytics. Otherwise you end up pulling valuable resources away from other priorities and tasking them with something in addition to what they are already doing; or settle for a subset of the required skills. In either case, it is a recipe for failure.
A statement I hear often is, “We are a small audit organization, and we can’t afford to dedicate a person to analytics”. It is usually used as a rationale for not using data analytics. My response is something along the lines of “Because you are small does that mean you can afford to be less efficient and effective?” The reality is, unless you are using analytics, you are not addressing risk, testing controls, examining compliance and improving business operations to the extent that you could be. If you are going to decide not to use data analytics, at least make it an informed decision. Examine the costs and benefits and then decide. Don’t simply look at your existing resources, which are most likely being used to the maximum, and decide that you can’t take on anything else. It is not a question of doing more with the same resources. Ask yourself if there are things that you don’t need to be doing or if they are better ways to do what you need to do. Also look at what you are not doing and determine the value-added if you could do those things. Then decide if you can afford not to be using data analytics.
I also get asked about audit software, “which package should I use?” This is something that should be decided based on your requirements and your short- and long-term plans for analytics. I encourage you to fully utilize the existing capabilities such as standard reports and you can definitely start with Excel, but don’t be limited by what you have – think about what you need. Find out what other audit organizations are using. For more than 10-15 years, the IIA magazine, Internal Auditor, conducted a survey of software usage and the results were printed in the August issue. The results have consistently shown that ACL is the most used audit software for data extraction, data analysis, and fraud prevention and detection in the world and has been for almost 15 years. It is the software I use, so I may be biased, but just because you are biased doesn’t mean you are wrong.
In conclusion, you should be using data analysis. You will need to plan and manage your adoption of analytics. It will take time, resources, and technology. It has to be integrated in the audit process (planning, conduct and reporting) and developed with an understanding of the business processes and the underlying data. It is easy to do wrong, but worth doing right.
Why did I title this “The Data Analysis Conundrum”? Because I don’t understand why we are still talking about the “Why, How, and What” of data analytics and not simply getting on with the job. Stop asking questions about analytics – get off the fence and actively pursue it. The successful implementation of analytics will add significant value to the internal audit function and your ability to support the goals and objectives of senior management.