The Data Analytics Maturity Decision for Internal Audit: 5 Key Considerations
Organizations are waking up to the benefits of enhancing data analytics in their internal audit (as seen in the results of our Audit Trends 2020 report). In this article, we’ll focus on the data analytics maturity decision: what mix and level of data analytics is right for the organization in question?
To answer this, we’ll go through five key considerations:
- Different types of data analytics
- Potential benefits of automated data analytics
- The data analytics maturity scale
- General considerations in making the data analytics maturity decision
- The maturity decision and compliance audit
1. Different Types of Data Analytics
‘Data analytics’, in simple terms, is the examination of data and the drawing of insights from it. Taken at face value, data analytics is central to traditional internal audit: a lone auditor tracking duplicate payments for purchase orders across journal entries is using data analytics. Therefore, the question for an organization is not whether to introduce data analytics to internal audit, but how to do so.
To answer this question, the organization needs to consider different types of data analytics:
- Descriptive analytics interprets historical data. The auditor described above, tracking duplicate payments across journal entries, is performing descriptive analytics.
- Predictive analytics predicts future outcomes based on historical data. A simple, well-known and effective example of predictive analytics in audit is the use of Benford’s law in detecting potentially fraudulent transactions. In many naturally occurring sets of numbers, the leading digits follow a predictable distribution, and departures from that distribution can be used to identify irregular transactions.
- Diagnostic analytics examines the data and asks ‘why?’ As a simple example, an increase in loan defaults at a bank might correlate with an increase in loans approved, indicating relaxed lending criteria as the cause of default.
- Prescriptive analytics identifies the best course of action based on the analysis of data. For example, by comparing suspected fraud in two separate areas with two separate controls, prescriptive analytics could recommend preferable controls.
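The Benford's law check mentioned in the list above, as an added example that is not part of the original article: it compares leading-digit counts across a whole payment population with the expected distribution using a chi-square statistic. The payment amounts and the 5,000 approval limit are constructed for illustration.

```python
import math
from collections import Counter

# Benford's law: expected share of leading digit d is log10(1 + 1/d).
EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRIT = 15.507  # chi-square critical value, 8 degrees of freedom, alpha = 0.05


def leading_digit(amount):
    """First significant digit of an amount; None for zero (nothing to test)."""
    if amount == 0:
        return None
    # Scientific notation puts the first significant digit at position 0.
    return int(f"{abs(amount):.15e}"[0])


def benford_test(amounts):
    """Compare leading-digit counts with Benford's law over the whole population."""
    digits = [d for d in map(leading_digit, amounts) if d is not None]
    n = len(digits)
    if n == 0:
        raise ValueError("no non-zero amounts to test")
    observed = Counter(digits)
    # Positive excess means the digit appears more often than Benford predicts.
    excess = {d: observed[d] - n * p for d, p in EXPECTED.items()}
    chi2 = sum(excess[d] ** 2 / (n * p) for d, p in EXPECTED.items())
    return {"n": n, "chi2": chi2, "deviates": chi2 > CHI2_CRIT, "excess": excess}


# Constructed sample data (not from the article): 400 payments with steady
# geometric growth, which spreads leading digits close to Benford's law.
CLEAN = [round(37.5 * 1.03 ** k, 2) for k in range(400)]
# Constructed anomaly: 60 payments sitting just under a hypothetical 5,000
# approval limit, so leading digit 4 is over-represented.
NEAR_LIMIT = [round(4500 + 8.25 * i, 2) for i in range(60)]

if __name__ == "__main__":
    for label, data in (("clean", CLEAN), ("with near-limit payments", CLEAN + NEAR_LIMIT)):
        r = benford_test(data)
        worst = max(r["excess"], key=r["excess"].get)
        print(f"{label}: n={r['n']} chi2={r['chi2']:.1f} deviates={r['deviates']} "
              f"most over-represented digit={worst}")
```

A deviation only tells the auditor where to look; amounts that are assigned or capped by policy do not follow Benford's law to begin with.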
2. The Potential Benefits of Automated Data Analytics
The different types of analytics set out above could all be implemented manually. However, the key benefits arise from automating data analytics. Some potential benefits include:
- Testing controls: With software, auditors can employ ‘scripts’: sets of instructions that tell the software to examine whether internal controls have been breached. As well as reducing the impact of human error, which is inevitable in a manual review, a script makes the test readily repeatable;
- Data integrity: The manual transfer or extraction of data for the internal audit process increases the chance of data corruption, which can be eliminated through automation;
- ‘Whole-of-population’ audit: Traditionally, audit has relied heavily on sampling in order to draw inferences about the data as a whole. The speed of automated analytics makes it possible to evaluate controls across the whole set of data;
- Reduced financial cost: In some cases, data analytics can free up auditor time from more routine tasks to focus on value-added audit activities.
3. The Data Analytics Maturity Scale
Whatever the benefits of automating data analytics, the organization needs to determine at the strategic level how data analytics might best contribute to the audit goals of the organization. This includes recognizing how data analytics might contribute at the selection, planning, execution, reporting, and follow-up phases of audit.
This strategic activity can benefit from considering data analytics in terms of ‘maturity’. A data analytics maturity scale ranges from 1 to 5 depending on the type of analytics deployed, the level of automation, regularity and integration with other business systems.
Maturity scales are common for explaining data analytics capability in different industries. KPMG has suggested the five-point scale below for internal audit (though in this case, their focus is on the planning and execution phases):
- Level 1, Traditional Auditing: Data analytics may be used, but is mainly descriptive and applied during the planning phase.
- Level 2, Ad Hoc Integrated Analytics: This may include both descriptive and diagnostic analytics at the planning and execution phases (e.g., identifying outliers), but is carried out in an ‘ad hoc’ rather than systematic manner.
- Level 3, Continuous Risk Assessment and Auditing: This may include all types or categories of data analytics in a pre-defined automated set. This set provides ongoing data to auditors.
- Level 4, Integrated Continuous Auditing and Continuous Monitoring: A full set of automated analytics is deployed, and they permit continuous monitoring by management, as well as a continuous data flow to the audit shop. The systems are largely seamless and integrated.
- Level 5, Continuous Assurance of Enterprise Risk Management: A full set of automated analytics is deployed, as with level 4. In addition, there is a further emphasis on aligning continuous data analysis with strategic enterprise goals. The internal audit plan is ‘dynamic’ in response to risk fluctuation.
4. General Considerations for the Maturity Decision
The advantage of the maturity scale is that it acknowledges that data analytics is not an ‘all or nothing’ affair: Most internal audits employ some level of data analytics. On the other hand, the maturity scale might be thought to imply that there is something ‘better’ about being further along the scale.
There is another way to look at it.
The desired level of maturity depends on the specific risks faced, the risk appetite, the constraints, and the audit goals of the organization (e.g., for smaller organizations, the cost and effort of implementing Level 5 data analytics is probably not worth it).
In conjunction with the decision on data analytics maturity, the organization must decide which tools it will use for that purpose. More specialised or powerful solutions are required for greater analytics functionality. While desktop tools (e.g., Excel or Access) will be sufficient in some cases, enterprise software (e.g., SAS or Oracle) or specialised audit solutions (such as CaseWare IDEA) might be necessary in other cases.
Furthermore, in making the maturity decision, the organization will need to consider the optimal internal audit skillset. Maturity requires the right mix of data analytics expertise. This might be achieved via training or secondment of existing auditors, or direct recruitment of data analytics specialists.
5. The Maturity Decision and Compliance Audit
As mentioned above, the maturity decision cannot be made without considering how data analytics can help with assurance for the particular risks faced by that organization. By way of example, we consider below three different compliance risks organizations may need to attend to, and how data analytics can be employed in the audit response:
- Data protection: The General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) place stringent requirements on businesses dealing with European or Californian consumers respectively. Two areas of significant compliance risk are data breaches and response times to requests from customers for their own data (‘data subject access requests’). Here, scripts might be implemented across the whole of the organization’s data to test the adequacy of existing controls;
- Anti-Money Laundering (AML) and Know Your Customer (KYC) requirements: A crucial requirement for compliance with these laws is identity verification. Instead of taking a random sample of verified identities, predictive analytics might be deployed to identify a sample of those identities most likely to be fraudulent.
- Access to utilities: In many jurisdictions, utility providers have an obligation not to disconnect customers who are eligible for financial aid. The consequences of non-compliance can be severe (for example, life support customers may rely on an electricity connection for their survival). Diagnostic analytics could be used to examine various datasets to determine what correlates with a high level of wrongful disconnection. For example, diagnostic analytics might compare datasets on disconnected customers with datasets on customers eligible for financial aid to pinpoint where data has not been appropriately cross-referenced.
Which mix of analytics and automation is right for you?
The key question for organizations is not whether to introduce data analytics to internal audit, but which mix of analytics and analytics automation is right for that organization. One useful way of thinking about this is with a data analytics maturity scale: The organization can position itself along the scale depending on the risks it faces, its risk appetite, its constraints, and its audit goals.
We have considered three examples where data analytics might be useful in compliance audit, but every organization needs to consider as part of its maturity decision how data analytics can be employed in auditing the particular risks that the organization faces.
Paul Leavoy is a writer who has covered enterprise management technology for over a decade. Currently, he researches and writes on data analytics and internal audit technology for CaseWare IDEA. Contact Paul directly or follow @CasewareIDEA for the latest on internal audit and data analytics.