Better communication with IT
How to get the data you need when you need it
By Dustin Lewis, CISA, ACDA
Information Technology (IT) and Internal Audit departments sometimes have conflicting needs and can clash when it comes to sharing access to sensitive organizational data.
IT must safeguard data from violations and errors associated with fraud, control gaps, inappropriate access, and information privacy. Audit, however, needs quick access to critical business data in order to fulfill its mandate to provide assurance. The “access to all data” mandate in almost every audit charter creates a “push-pull” between those who need the data for business insight and those whose job it is to manage the data.
Here are four ongoing data issues and some best practices that can help manage them:
Issue #1: Fragmented Data Trails
Data fragmentation often occurs when auditors store project files on the network, then move on to a different task. When it’s time to re-visit that project, the auditor might struggle to locate the right data file. Faced with potentially tens of thousands of data tables in an Enterprise Resource Planning (ERP) system, this is a frustrating situation that eats up valuable time and resources.
IT can work with the audit group to help them identify not only how to access the data, but also to determine which data best fits a specific business need, such as looking for “ghost” employees in a payroll file.
By working as advisors to Audit, IT can save significant time and frustration for both parties. Auditors who do not have technical backgrounds, for example, might not know what type of data to request, or might ask for a data file that’s far too general. Simple request forms can help auditors to better clarify their needs. Questions such as “what do you want to see in the final report?” and “in what format?” can also help ensure that Audit receives the appropriate data with supplemental information, and prevent missing pieces that could be essential for a specific project. Requests can also be used as templates for future extracts.
A strong analytics solution, however, will allow the audit group to access source data directly from a single interface. There should be no need for IT to build data warehouses specifically for Audit, and a secure repository should be established with recurring, automated feeds triggered from a scheduled server process. Once Audit has been connected to a specific data file, minimal effort should be required to set up access on a daily, weekly, or ongoing basis.
Issue #2: Large Data Volumes
Organizations working in industries such as health care,
telecommunications, government, finance, and banking will generate
enormous data volumes on a daily basis. These files can often be too
large for a laptop or the network share drive.
To address the challenge of large—and ever-growing—data volumes, best practices promote analytic technology that harnesses the power of the server. Servers are designed to process large data volumes and support multiple users with minimal impact on end-user response times. A strong data analysis solution should be able to manage near-infinite file sizes. With a server-based solution, there’s no need to store data on a laptop or network drive—making the analysis extremely fast.
Selecting only the necessary fields from an extensive set of options will limit the amount of data required for thorough analyses. Scheduling tests to run in off-times, minimizing data volumes with precise filters and queries, and building up offline storage capabilities further enhance both efficiency and speed.
Issue #3: Delayed Data Access
IT has numerous responsibilities that can make it difficult to
quickly fulfill ad-hoc data requests from Audit. However, multiple-week
wait-times for source data can compromise how Audit completes its work
plan—leading auditors to use summarized paper reports, spreadsheets,
and sampling instead of testing the actual underlying data.
Ultimately, Audit needs direct access to critical data or the ability to schedule data extracts during off-peak times. Effective data analysis technology will give both IT and Audit multiple ways to tackle secure, timely data access protocols. In one scenario, IT can give Audit access to a secure database that auditors can access whenever they need—either through scheduled extracts or on-demand. Another option is for IT to set up a workflow that fits internal security credentials. This workflow can provide, on a scheduled basis, the appropriate data files for audit. This scenario offers the best of both worlds, because IT does not have to provide data again and again, but still maintains effective control over distribution and quality.
Best practices are supported by analytics technology that provides advanced data access, including scheduled downloads during off-peak hours and specialized connectors to specific data types (e.g., eXtensible Business Reporting Language (XBRL), Society for Worldwide Interbank Financial Telecommunication (SWIFT)). This helps prevent regulatory breaches and gives IT greater control over data access procedures. The technology should also have a built-in scheduling function that makes it easy to set up repetitive data access routines without IT intervention.
Issue #4: Privacy and Confidentiality Constraints
When auditors need source data from sensitive business areas such as
payroll or human resources, IT may struggle to preserve confidentiality
while delivering adequate records. Security breaches represent a
critical risk area for organizations and can result in regulatory
penalties, injured reputations, and damage to overall business
operations and profitability. Fears about data privacy and security
regulations can often mean Audit does not receive the data at all, or is
limited to sample-based testing. The result: privacy and security take
priority over true visibility into the health of the organization, and
business decisions are made based on assumptions or historical trends
more than on facts.
Best practices support analytics with built-in controls that enable IT or management to mask sensitive data such as credit card numbers. Data masking technology ensures that complete numbers are never viewable, but consistent scrambling techniques still support Audit in conducting useful comparisons, matching, and pinpointing anomalies. Keeping data in a secure server environment with customizable security controls should enable audit managers or IT to lock down specific files, results, and areas to certain individuals or groups.
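The consistent scrambling described above can be sketched as keyed, deterministic tokenization: IT replaces each card number with an HMAC-derived token before the extract reaches Audit, and matching tests still work on the tokens. This is an added example, not code from the article or from any analytics product; the function names, key, and sample rows are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed key for this example. In practice IT holds the key outside the
# audit environment; a keyed HMAC is used because an unkeyed hash of a card
# number can be reversed by enumerating the small space of valid numbers.
MASKING_KEY = b"constructed-example-key-not-for-production"

def mask_card(pan: str, key: bytes = MASKING_KEY) -> str:
    """Return a consistent token for a card number; no digits are exposed."""
    # Normalise formatting so "4111-1111..." and "4111 1111..." match.
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    tag = hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()
    return "tok_" + tag[:24]

def mask_extract(rows, key: bytes = MASKING_KEY):
    """IT-side step: replace the card field before the extract reaches Audit."""
    return [{**row, "card": mask_card(row["card"], key)} for row in rows]

def cards_used_by_multiple_employees(masked_rows):
    """Audit-side test: one (masked) card charged under several employees."""
    users = defaultdict(set)
    for row in masked_rows:
        users[row["card"]].add(row["employee"])
    return {tok: sorted(emps) for tok, emps in users.items() if len(emps) > 1}

# Constructed sample extract (well-known test card numbers, not real accounts).
SAMPLE = [
    {"employee": "E100", "card": "4111 1111 1111 1111", "amount": 120.00},
    {"employee": "E200", "card": "4111-1111-1111-1111", "amount": 120.00},
    {"employee": "E300", "card": "5500005555555559", "amount": 75.50},
]

if __name__ == "__main__":
    masked = mask_extract(SAMPLE)
    for row in masked:
        print(row)
    print(cards_used_by_multiple_employees(masked))
```

Because the same key always yields the same token, extracts masked on different days remain comparable; rotating the key breaks that link, so rotation has to be coordinated with the audit cycle.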
Most importantly, conducting analysis tasks within a server environment is the best way to fully safeguard critical data. Security standards can be established for end-user computers such as laptops, desktops, and Local Area Networks, but they are generally easier to circumvent and harder to enforce. Server environments provide a centralized location where auditors can view full data populations and feel confident that transactions are not accidentally omitted, without breaching information control standards.
IN CONCLUSION
In today’s business environment, transaction volumes are growing
exponentially. To remain relevant and to add value to the business,
Audit must look deeper into data and reduce its reliance on samples and
speculative opinions based on smaller information sets. At the same
time, corporate and government regulations for data management,
security, and reporting have been steadily tightening. But on balance,
businesses do not fail because of minor compliance issues; they fail
because management lacks full insight or makes decisions based on poor
or incomplete information. Without complete data coverage, major control
issues such as revenue leakage and fraud can go undetected—for months
and even years.
The solution lies in giving auditors direct access to data in a secure, IT-managed environment. Looking at how a transaction flows through a process almost always reveals new lessons that can help both strengthen existing controls and benefit the bottom line. Even the smallest control breaches can point to an ongoing fraud or inefficiency that could waste hundreds of thousands of dollars each year.
Working together and understanding each other’s mandates allows IT to effectively safeguard data while enabling Internal Audit to provide the critical assurance organizations need to run effectively.
___
Dustin Lewis, CISA, ACDA
As a senior technology consultant at ACL Services Ltd., Dustin Lewis, CISA, ACDA, works with ACL clients to help them understand the benefits of audit analytics technology. He has a background in internal audit and earned the CISA designation in 2004. For over ten years, Dustin has applied audit analytics to gain insight into a variety of industries. He has notable consulting and training experience in government and education. Dustin has significant technical and business experience, and regularly bridges the knowledge gap between a client’s IT department and their business leaders. He has worked with audit teams to identify opportunities for saving time and expenses on audit plans. He also developed a consulting practice focused on saving clients money and identifying fraud and waste. As an internal auditor in a bank setting, Dustin used audit analytics to develop an automated continuous monitoring program to monitor nine affiliate banks’ ledger accounts. The monitoring tool helped the bank reduce field work and detect problems before they became a crisis. Dustin is a native of Omaha, Nebraska. He has a degree in Business Management with a concentration in Accounting and is a member of the Information Systems Audit and Control Association (ISACA). He received the ACDA certification in 2006. For more information visit www.acl.com.
The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet®

