Generic Approach to Data Analysis for Audit

After years and years of mistakes, missteps, or invalid analysis, I have developed a series of steps that can reduce the likelihood of errors and increase the success of analytics for audit purposes.

The first step is to ensure that you understand the goals and objectives of the audit.  Then the following steps should be performed:

  1. Based upon the audit objectives, risks, and mitigating controls, identify the analytics that will be run.
  2. Identify the source data and fields required to perform the analytics.
  3. Identify and meet with the client and the programmer for the client applications to define, verify, and obtain access to required data sources and fields.
  4. Identify and obtain access to standard reports that are available.
  5. Obtain client agreement that the source data and analytics can be used to address audit objectives.
  6. Request the required data – trying to ensure that unnecessary fields are excluded from the request.  Prepare a formal request for the required data, specifying:
    • the data source(s) and key fields,
    • the timing of the data (for example: as of Sept 30, 2022),
    • the data transfer format (LAN, FTP, USB, etc.),
    • the data format (DBF, MDB, Excel, Delimited, flat file, ODBC, ASCII print file, etc.),
    • control totals (number of records, key numeric field totals),
    • record layout (field name, start position, length, type, description),
    • a print of the first 100 records
  7. Import the data into your analytics software.
  8. Verify the data integrity:
    • use the Verify command to check data integrity,
    • check analytic totals against control totals,
    • check the timing of the data to ensure the proper file has been sent,
    • compare the analytic view with the print of the first 100 records
  9. Understand the data – use COUNT, STATISTICS, STRATIFY, SUMMARIZE, etc. to develop an overview of the data
  10. For each objective
    • Develop analytics
    • Run tests – the output is your “hit list” – possible problem records
    • Evaluate initial results and refine the analytics.
    • Re-run and refine tests to produce more meaningful results.
    • Evaluate the results using manual analysis, interviews, comparison to source data, or other techniques to link exceptions to source; confirm analysis and nature of exceptions; and identify reasons for the exceptions
    • Form an audit opinion on every item in your results.  For each, you should be able to say that the record is OK – there is a valid explanation; or that it is an issue and action is required (e.g., address control, recover, etc.)
  11. Quality Assurance and Documentation – document source data and how to obtain it, analytics performed, and results obtained.
  12. Safeguard analytics for future use.
  13. Re-run analytics as part of continuous audit/risk assessment and follow-up on management action plans.
  14. Provide analytics to management to enable continuous monitoring.
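
The integrity checks in step 8, run against the control information requested in step 6, can be scripted as in the following added example (not part of the original article, and written in Python rather than the analytics software the article refers to). The field names, sample records, and the layout of the CONTROL dictionary are constructed assumptions.

```python
import csv
import io
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed sample extract; field names and values are illustrative assumptions.
EXTRACT = """invoice_no,vendor_id,invoice_date,amount
1001,V01,2022-07-14,1250.00
1002,V02,2022-08-02,310.55
1003,V01,2022-09-30,99.45
1004,V03,2022-10-03,12x.00
"""

# Control information supplied by the client with the file (constructed values).
CONTROL = {"records": 4, "amount_total": Decimal("1760.00"),
           "as_of": date(2022, 9, 30),
           "printed_first_rows": [["1001", "V01", "2022-07-14", "1250.00"],
                                  ["1002", "V02", "2022-08-02", "310.55"]]}


def verify_extract(text, control):
    """Return a list of discrepancies between the extract and the control information."""
    rows = list(csv.reader(io.StringIO(text)))
    header, data = rows[0], rows[1:]
    issues, total = [], Decimal("0")
    for n, row in enumerate(data, start=1):
        if len(row) != len(header):
            issues.append(f"record {n}: expected {len(header)} fields, got {len(row)}")
            continue
        rec = dict(zip(header, row))
        try:  # field-validity check: the amount must be a valid number
            total += Decimal(rec["amount"])
        except InvalidOperation:
            issues.append(f"record {n}: invalid amount {rec['amount']!r}")
        try:  # timing check: no record may be dated after the as-of date
            if date.fromisoformat(rec["invoice_date"]) > control["as_of"]:
                issues.append(f"record {n}: dated after {control['as_of']}")
        except ValueError:
            issues.append(f"record {n}: invalid date {rec['invoice_date']!r}")
    if len(data) != control["records"]:
        issues.append(f"record count {len(data)} != control {control['records']}")
    if total != control["amount_total"]:
        issues.append(f"amount total {total} != control {control['amount_total']}")
    sample = control["printed_first_rows"]
    if data[:len(sample)] != sample:
        issues.append("first records differ from the client's printed sample")
    return issues
```

Calling verify_extract(EXTRACT, CONTROL) on the sample reports the corrupt amount and the out-of-period date on record 4, plus the resulting mismatch with the control total; an empty list means the file reconciles and analysis can proceed.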

Dave Coderre
