Study after study has shown that data analytics is effective and efficient at detecting risk and identifying control weaknesses, non-compliance, and inefficient business processes. Chief Financial Officers (CFOs) and Chief Audit Executives (CAEs) have repeatedly stated that data analysis expertise is a much-needed skill, and surveys by the ACFE and CPA firms over the past 10 to 15 years have rated data extraction, data analysis, and analytical software as critical tools for effective internal audit organizations. Why then do more than half of organizations—according to those same surveys—still rate their analytic capability as poor or needing improvement?
A recent survey “A maturity level assessment of the use of technology by internal audit functions: a comparative analysis of the Federal Government of Canada” conducted by Steenkamp, Smidt, Kahyaoğlu and Coderre (2022), asked questions of CAEs to measure their organization’s data analytics maturity on three critical aspects: people, process, and technology. The results were not overly surprising given the issues raised in the opening paragraph. More than 52 percent were at a low level (level 1 or 2) of overall analytics maturity and only 8 percent had a high-level of maturity (level 4, but none were at level 5). When looking at the areas separately, a similar pattern emerged: people (60 percent – low level of maturity), process (52 percent – low level of maturity), and technology (60 percent – low level of maturity).
My assistance with the survey was not simply to validate or repeat previous studies. I was interested in determining which factors were more intricately linked to higher level of analytics maturity – simply put, what should CAEs do to improve their analytics maturity. Identifying the key drivers in each of people, process, and technology would allow CAEs to focus their efforts on initiatives that would be most likely to result in movement along the maturity curve.
People attributes related to auditor skills and expertise, management buy-in, and support were assessed to arrive at the overall people maturity rating. The attribute most intricately linked to high maturity was the organization having (or having access to) experts in analysis. A close second was having access to experts who understood the ERP systems and were able to extract necessary data.
Process examined the attributes that would ensure that analytics were integrated in the audit process. This included the use of analytics, saving and re-use of analytics, analytics support for risk-based planning, individual audit planning and risk assessment, conduct, reporting and follow-up. The attribute linked to high maturity levels was the development of an audit process that included analytics.
Technology examined data access and protocols, audit software tools, automated extract, transform, and load capabilities, and the ability to analyze large data sets. The attribute linked to a high-level of maturity levels was having data access protocols. This included ensuring that audit’s need for, and authority to access, data were understood and accepted by all levels of management.
If the CAE genuinely wants to develop and maintain their use of analytics at the higher levels of maturity, then the critical factors to focus on are:
- Access to experts in data analysis. If in-house expertise does not exist, then using external experts to assist initially, and training internal resources will help to address the gap.
- The audit process is designed with analytics included at all phases of the audit. In addition, the Quality Assessment Review team should focus on the use of analytics when assessing audits.
- Data access protocols are in place to support the extract, transform, and load of data into analytics software. This includes ensuring that the audit charter clearly states audit’s requirement and authority to access organizational data and having support for analytics from senior management and the audit committee.
Addressing these critical factors is doable whether you have a large, medium, or small audit organization. Ensuring that audit has experts in ERP systems and data analysis will mean that large audit shops should develop an analytics team and small shops should establish contractual relationships with an external firm to assist and support them. All audit organizations should have a charter and a standard audit process, thus, ensuring analytics are integrated into all phases is not something a small organization would not have. Developing data access protocols usually means working with IT to ensure audit has access to the required data. Again, this can be accomplished by large or small audit organizations. In a small audit shop, the CAE will be the person involved in establishing the relationship with IT; in a larger audit shop it may be the manager of the analytics team.
Movement along the data analytics maturity curve requires a will to put the pieces in place, a plan to do so, and execution of the plan. I hope that I have given you a focus that is not only critical, but also doable; and will help you to move the yard sticks.
Dave Coderre, CAATS
Reference: L. Steenkamp, L. A. Smidt, Sezer Bozkuş Kahyaoğlu & David Coderre (2023) A maturity level assessment of the use of technology by internal audit functions: a comparative analysis of the Federal Government of Canada, EDPACS, 68:1, 1-41, DOI: 10.1080/07366981.2023.2229986