Unlocking the Value of Audit Analytics: Best Practices and Efficiency
I like to imagine auditors as similar to the forensic scientists on television shows like CSI. Then reality kicks in and I am brought back to earth; but not entirely. At the end of the day, auditors are risk and internal control scientists investigating the deepest root causes of control breakdowns and providing insights and recommendations to management.
So what enables an audit department to deliver consistently high quality work when other departments struggle?
To scale an internal audit department to cover the businesses key risks the Chief Audit Executive must be able to get average teams to produce high quality work. This is achieved by embedding excellence in the department’s practices and procedures. While there are many facets to this excellence, this blog focuses on leveraging data analytics, making it standardized and repeatable, and aligning remediation to optimize business processes.
Best Practices in Audit Analytics
As businesses grow, so does the complexity of the processes along with expected audit coverage (Figure 1) and stakeholder expectations (as I’ve mentioned previously). The good news is, today’s business processes have grown with technology, and with technology comes data to be analyzed and insights to be gained. There are tremendous efficiencies to be gained from the use of this data.
Figure 1: Audit Plan Coverage in 2014
Steps you can take to incorporate data driving best practices in your audit process:
1. Collaboration and Automation
Ensuring that analytics can be reused and reducing redundant or duplicated efforts is a major cost saving and efficiency improvement. If 20 auditors are accessing, downloading and preparing the same data files for analysis imagine the efficiency that can be gained by streamlining this process. Being able to streamline the following has tremendous benefit:
- What data to request.
- What analytics to perform.
- The nuances of the data and how it reflects the business.
Allowing auditors to share and reuse each other’s work will create an environment where the process is continuously improving, along with the results. Collaboration on data analytics may include data acquisition, analytics (logic, visualizations, etc.) and interpretation of the results. Going beyond this and actually automating the analytics based on the work done can reduce the audit effort and time significantly. To automate tasks performed in previous audits means quicker results and significant impact.
2. Continuous Auditing
So we have covered collaborating and making the analytics repeatable but what about going beyond that and making them continuous? Simply rerunning the analytics before the audit is of value but analyzing the controls more frequently will give you far more insights. This will help you to answer some critical questions:
- What controls are improving?
- What controls are becoming less effective?
- What should be the scope of testing for the next audit?
Furthermore, you can share these insights with the business throughout the year in an effort to improve the internal control environment.
3. Optimizing Processes
In the end, the value of an audit is in the optimization of the internal controls environment. Streamlining how control deficiencies are to be measured and remediated is a major process improvement. If every time there is a problem with the internal control environment the business and audit response varies then you are missing opportunities. Note that I also said, “measure”. Yes, knowing the impact of a control breakdown and more importantly the root cause allows the business to detect trends and identify wider ranging business problems.
The best way to achieve this standard is by engaging the business with the results of the analytics on an ongoing basis. This could be simply sharing results with the business units or through an enterprise-wide continuous monitoring solution.
As we prepare for what the future holds, it’s important to remember that every role evolves to adapt to its environment. With tremendous room to grow within the organization for IA, ensuring efficient processes will only further your value, closing the gap between assurance provider and trusted advisor.
About Andrew Simpson:
Andrew Simpson has close to two decades of experience in the information systems audit and security business; specifically data analytics, interrogation and forensics. He is a regular contributor to various auditing conferences and is acknowledged as an expert on continuous controls monitoring and revenue assurance.