As identified in CaseWare International’s Audit Trends 2020 report, organisations around the globe are waking up to the benefits of enhancing their data analytics functions within internal audit. In this article, we’ll focus on the data analytics maturity decision: what mix and level of data analytics is right for your organisation?
To answer this, we’ll go through five key considerations:
- Different types of data analytics
- Potential benefits of automated data analytics
- The data analytics maturity scale
- General considerations in making the data analytics maturity decision
- The maturity decision and compliance audit
1. Different Types of Data Analytics
‘Data Analytics’, in simple terms, is the examination and drawing of insights from data. Taken at face value, data analytics is central to the traditional internal audit approach: an auditor manually reviewing journal entries to track duplicate payments for purchase orders is using data analytics at its most basic. So, the question for an organisation is not whether to introduce data analytics, but how to improve their current usage.
To answer this question, an organisation needs to consider different types of data analytics:
- Descriptive analytics interprets historical data. The example given above is a depiction of descriptive analytics.
- Predictive analytics predicts future outcomes based on historical data. A simple, well-known, and effective example of predictive analytics in audit is the use of Benford’s law in detecting potentially fraudulent transactions, though it is far from the only method available to auditors.
- Diagnostic analytics examines the data and asks ‘why?’ As a simple example, an increase in loan defaults at a bank might correlate with an increase in loans approved, indicating relaxed lending criteria as the cause of default.
- Prescriptive analytics identifies the best course of action based on the analysis of data. For example, by comparing suspected fraud in two separate areas with two separate controls, prescriptive analytics could recommend preferable controls.
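As an added illustration of the Benford’s law check mentioned above (example code written for this article, not taken from any audit product), the script below compares the first-digit frequencies of a set of amounts with the Benford distribution using a chi-square statistic. The sample amounts, the 10,000 approval limit, and the 5% significance level are assumptions made for the example; a flagged population is a prompt for follow-up testing, not a finding in itself.

```python
import math
from collections import Counter

# Chi-square critical value, 8 degrees of freedom, 5% significance level.
CHI2_CRITICAL = 15.507

def leading_digit(amount):
    """First significant digit (1-9) of a non-zero amount."""
    return int(f"{abs(amount):.15e}"[0])

def benford_test(amounts):
    """Return (chi2, flagged, per_digit); per_digit[d] = (observed, expected)."""
    digits = [leading_digit(a) for a in amounts if a != 0]
    if not digits:
        raise ValueError("no non-zero amounts to test")
    observed = Counter(digits)
    chi2, per_digit = 0.0, {}
    for d in range(1, 10):
        expected = len(digits) * math.log10(1 + 1 / d)  # Benford frequency
        chi2 += (observed[d] - expected) ** 2 / expected
        per_digit[d] = (observed[d], expected)
    return chi2, chi2 > CHI2_CRITICAL, per_digit

def most_overrepresented(per_digit):
    """Digit whose observed count exceeds its expected count by the most."""
    return max(per_digit, key=lambda d: per_digit[d][0] - per_digit[d][1])

# Constructed sample data (not real ledgers): amounts growing geometrically
# follow Benford closely; PADDED adds 120 entries just under a hypothetical
# 10,000 approval limit.
ORGANIC = [round(100 * 1.07 ** i, 2) for i in range(500)]
PADDED = ORGANIC[:200] + [9000 + 7 * i for i in range(120)]

if __name__ == "__main__":
    for name, amounts in (("organic", ORGANIC), ("padded", PADDED)):
        chi2, flagged, per_digit = benford_test(amounts)
        print(f"{name}: chi2={chi2:.1f} flagged={flagged} "
              f"top digit={most_overrepresented(per_digit)}")
```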
2. The Potential Benefits of Automated Data Analytics
The different types of analytics set out above can all be implemented manually, but the key benefits arise from automating data analytics. Automating your data analytics function allows for:
- Testing controls: With a reputable data analytics software programme, auditors can employ ‘scripts’: pre-written sets of instructions to the software to perform a specified task, such as examining whether internal controls have been breached. As well as reducing the impact of human error, the script makes the action readily repeatable;
- Data integrity: The manual transfer or extraction of data for internal audit processes increases the chance of data corruption, which can be eliminated through automation;
- ‘Whole-of-population’ audit: Traditionally, audit has relied heavily on sampling in order to draw inferences about the data as a whole. The speed of automated analytics, combined with the increased cell count capacity of data analytics software, means controls can potentially be evaluated across the whole set of data just as easily as in sample testing;
- Reduced financial cost: Data analytics can free up auditor time from more routine tasks to focus on value-added audit activities.
3. The Data Analytics Maturity Scale
Whatever the benefits of automating data analytics, organisations need to determine at the strategic level how data analytics might best contribute to their audit goals. This includes recognising how data analytics might contribute at the selection, planning, execution, reporting, and follow-up phases of audit.
This strategic activity can benefit from considering data analytics in terms of ‘maturity’. Maturity scales are common for explaining data analytics capability in different industries and often range from levels 1 to 5 depending on the type of analytics deployed, the level of automation, regularity, and integration with other business systems.
KPMG has suggested the five-point scale below for internal audit (though in this case, their focus is on the planning and execution phases):
1. Traditional Auditing: Data analytics may be used, but is mainly descriptive and applied during the planning phase.
2. Ad Hoc Integrated Analytics: This may include both descriptive and diagnostic analytics at the planning and execution phases (e.g., identifying outliers), but is carried out in an ‘ad hoc’ manner rather than systematically.
3. Continuous Risk Assessment and Auditing: This may include all types or categories of data analytics in a pre-defined automated set. This set provides ongoing data to auditors.
4. Integrated Continuous Auditing and Continuous Monitoring: A full set of automated analytics is deployed, and they permit continuous monitoring by management, as well as a continuous data flow to the audit shop. The systems are largely seamless and integrated.
5. Continuous Assurance of Enterprise Risk Management: A full set of automated analytics is deployed, as with level 4. In addition, there is a further emphasis on aligning continuous data analysis with strategic enterprise goals. The internal audit plan is ‘dynamic’ in response to risk fluctuation.
4. General Considerations for the Maturity Decision
The advantage of the maturity scale is that it acknowledges that data analytics is not an ‘all or nothing’ affair: Internal audits should employ the level of data analytics appropriate to their requirements. On the other hand, the maturity scale might be thought to imply that there is something ‘better’ about being further along the scale.
The desired level of maturity depends on the specific risks faced, the risk appetite, the constraints, and the audit goals of the organisation. For SMEs, the cost and effort of implementing Level 5 Continuous Assurance of Enterprise Risk Management is probably not worth it.
In conjunction with the decision on data analytics maturity, the organisation must also decide which tools it will use for that purpose. More specialised or powerful solutions are required for greater analytics functionality. While desktop tools (e.g., Microsoft’s Excel or Access programmes) will be sufficient in some cases, enterprise software (e.g., SAS or Oracle) or specialised audit solutions (such as CaseWare’s IDEA Data Analysis) might be necessary in other cases.
Furthermore, in making the maturity decision, the organisation will need to consider the optimal internal audit skillset. Maturity requires the right mix of data analytics expertise. This can be achieved via training or secondment of existing auditors, or direct recruitment of data analytics specialists.
5. The Maturity Decision and Compliance Audit
As mentioned above, the maturity decision cannot be made without considering how data analytics can help with assurance for the particular risks faced by a given organisation. By way of example, we consider below three different compliance risks that organisations may need to attend to, and how data analytics can be employed in the audit response:
- Data protection: The General Data Protection Regulation (GDPR) imposes stringent requirements on businesses dealing with European or UK consumers. Two areas of significant compliance risk are data breaches and response times to requests from customers for their own data (‘data subject access requests’). Here, scripts might be implemented across the whole of the organisation’s data to test the adequacy of existing controls;
- Anti-Money Laundering (AML) requirements: A crucial requirement for compliance with these laws is identity verification. Instead of taking a random sample of verified identities, predictive analytics might be deployed to identify a sample of those identities most likely to be fraudulent.
- Access to utilities: In many jurisdictions, utility providers have an obligation not to disconnect customers who are eligible for financial aid. The consequences of non-compliance can be severe (for example, life-support customers may rely on an electricity connection for their survival). Diagnostic analytics could be used to examine various datasets to determine what correlates with a high level of wrongful disconnection. For example, diagnostic analytics might compare datasets on disconnected customers with datasets on customers eligible for financial aid to pinpoint where data has not been appropriately cross-referenced.
Which mix of analytics and automation is right for you?
The key question for organisations is not whether to introduce data analytics to internal audit, but which mix of analytics and analytics automation is right for that organisation. One useful way of thinking about this is with a data analytics maturity scale: The organisation can position itself along the scale depending on the risks it faces, its risk appetite, its constraints, and its audit goals.
We have considered three examples where data analytics might be useful in compliance audit, but every organisation needs to consider as part of its maturity decision how data analytics can be employed in auditing the particular risks that the organisation faces.