At the end of the year, I tend to reflect back on what I have done or not done. It occurred to me that 2023 will be my 35th year using ACL Analytics (Galvanize, Diligent) on a daily basis. Throughout the years I have had many failures and successes. I have learned from identifying lessons-learned when things worked and even more importantly when they did not. I also took responsibility for my failures and shared my successes with the auditors on my teams.
In the late 1980’s and into the early 1990’s internal audit was considered an early warning for senior management. Audit searched for things that were going wrong and reported them which is probably why audit go a reputation for being a cop and having a ‘got ya’ mentality. This changed significantly when the IIA positioned audit to identify weakness in controls. An even bigger change occurred in the early 2000’s when the audit focus transitioned to identifying and assessing the risk to the achievement of enterprise objectives. Audit was encouraged to be part of the management team and have a seat at the senior management table. So the focus of internal audit continues to evolve, but the audit process has not.
Back to the early 1990’s – personal computers were entering the workplace and data analytics was making an appearance in audit. Early adopters, like myself, saw it as a powerful tool to assist audit in testing controls and, later, identifying risk. I expected all auditors to incorporate analytics into their audit process, particularly those just entering the profession. However, team leaders and audit management are stuck in the past (Why did the auditor cross the road? Because that it what he did last year.) Study after study in the last 30 years has identified a shortfall in the ability of auditors to effectively use data analytics.
My hope for the increased use of analytics was rekindled when COVID sent many workers to a ‘work-from-home’ model. Surely analytics would become an absolute necessity. During a time when many businesses were experiencing serious issues, many auditors used this as an excuse not to audit (“management is too busy now”) rather than assisting in identifying and analyzing risks to assist management. In addition, even though working remotely, unless audit had already built the required extract, transform and load processes, they were not able to use analytics.
The IIA standards espouse the use of analytics, the ACFE ‘Report to the Nations’ shows that proactive analytics can reduce the cost and duration of fraud, and every study on the audit profession states that analytics is a much-needed skill. So, there is no doubt the value is well understood and demonstrated. I believe that anything worthwhile takes effort and analytics is no exception. Early, failures often means that you are pushing the envelope and provides an opportunity to gain experience. Do not let it detract from the longer-term objectives. I worry when internal audit, in trying to catch-up, is quick to jump on the latest bandwagon: Big Data, Robotics, AI, and other buzz words). Sometimes these are just a step too far. If you do not have a solid basis of analytics to build upon, the result is too often failure and a further reluctance to invest in data analytics.
For 90 percent of my career, I was a team of one and sometimes as many as three. My own analyses have become increasing complex and more integral to the audit objectives. (I should note that simple analytics, like filters, still form an import element in my analytics toolbox.) Early analytics focused on simple filters and sorting of the data to spot overly large or small transactions. (My first analytic result identified $75K in overpayments – which would have paid my salary and the purchase of the audit software.) My middle years included an analysis to identify obsolete inventory using a hierarchical data base that had 1M nodes and thirty-two layers which identified over $300M in obsolete inventory and improved reprovisioning times dramatically. I was also involved in identifying a $340M fraud that had been ongoing for more than 10 years. Now, I focus on using analytics, not only to identify risks and control weaknesses, but to take it a step further and identify the root cause of the control weaknesses and emerging risks. The analytic results are not simply a bunch of Excel files or a visualization of the problem; they identify specific actions management should take to bridge the gap between risk and control.
I am no longer working as a full-time internal auditor – and there are times I miss it. Currently, I am pulling together and continuing to grow a vast array of analytics that provide assurance across core business lines, including accounts payable, vendor management, accounts receivable, customer management, P-Card, travel and entertainment, contracting, payroll, financial monitoring, and ERP controls. The results provide risk-ranked dynamic visualizations to highlight the materiality and impact of the weaknesses; as well as specific targeted recommendations to address the root cause of the weaknesses.
Dave Coderre (www.caats.ca)