Data analytics’ role in business assurance: Audit technology takes center stage
Part 2:
Practical aspects of integrating data analytics into internal audit
processes
by John Verver CA, CISA, CMC
There’s no question internal auditors recognize the importance of technology and, specifically, data analysis. But many internal audit organizations now face practical challenges on how to effectively integrate analytics throughout the internal audit process to actually achieve the benefits of the entire range of analytics usage, including continuous auditing and monitoring.
Drive from the top
The best place to start is often with a statement from audit department leaders about the expected role of technology and data analysis in the audit process. The objective is to create both awareness and, when needed, a new way of thinking. If the audit department has vision and mission statements, it may mean incorporating a reference to the role of technology. Or, it may mean referring to the use of analysis technology as part of the strategy for efficient and effective completion of the overall audit plan. Whatever approach is used, one objective is to make it clear to the entire audit team – and perhaps the audit committee – that data analysis has a fundamental role to play and is not simply a technique left to technical specialists.
Analysis in every audit
One practical approach is to consider the use of analysis technology on every audit. This may be done at the planning stage when a specific audit program is reviewed and finalized. Typical questions to ask are:
- What benefits could be achieved by using data analysis in this audit?
- Where could analysis most effectively be applied?
- How can this be achieved?
Another technique I have seen work well is to assign to an auditor the specific role of “the analysis consultant.” This person is involved in planning every audit and is tasked with helping ensure these questions are both raised and answered. Then, at the end of every audit or audit cycle, the process involves the same people who consider: “How successful was the actual use of audit analytics?” and “What can be done to improve the use next time?”
A common initial reaction to this approach may be that data analysis is not applicable for the type of audit being performed. Although it is true that in certain audits there are no practical benefit from data analysis, many experts know that this is very seldom the case. The issue is often that the average auditor is just not trained to think about all the ways that analysis techniques can be applied.
Even in areas where there is wider awareness that data analysis has a role to play, the understanding of specifically how to apply it may be very limited. I have seen audit programs, for example, which are comprehensive and well thought-out in terms of identifying risks, controls, audit objectives and procedures throughout a business process. However, the only reference to using technology was an instruction to use data analysis to detect possible duplicate payments. There were probably 25 or more areas within the audit program where data analysis would provide an improved audit procedure over “select X items and test”.
This is where the role of the analysis consultant can be most valuable.
Roles in data analysis usage
A clear understanding of respective roles is important in any effective strategy for the comprehensive use of analytics. The traditional approach has often involved identifying a few technically inclined individuals, sending them on a training course for a specific analysis tool and leaving the designated specialists to work out when and how to use analysis.
A specialist can be critical for dealing with the issues of obtaining the correct data and developing more complex analysis routines. While the role of the specialist is very important, so too are the roles of many others in the audit department. Over-reliance on a specialist can lead to a number of problems: for example, bottlenecks in performing work and lack of control over the validity of analysis procedures, as well as missing the big picture of where analysis can provide the greatest value.
The engagement lead auditor or manager often needs to be involved to guide the prioritization of work and for review of the logic of analysis procedures. Thought also needs to be given to the role of less technical auditors – who may need to run the automated analysis procedures produced by specialists.
The various roles also require different types of training. These typically range from detailed technical training sessions to courses in managing the analytics processes and maintaining best practices.
Integration of data analysis into the audit process
One of the main causes of limited success in the use of data analysis is a failure to properly integrate analytics into the audit process overall. Effective integration usually looks something like this:
· The use of analytics is determined during the audit planning process.
· The audit program or workplan identifies analysis procedures to be performed in order to achieve specific audit objectives.
· The analysis procedures are described and, where appropriate, automated for repeat use and continuous auditing procedures.
· The results of analysis are linked back to the audit step in the audit program and include sufficient working paper documentation to support the validity of the analysis and conclusions.
· Standards are developed for procedures and documentation of analytics, for example:
o content and layout of analysis and exception reports
o descriptions of data and processing logic flow
o security over access to data
o logs of procedures performed
o trails of control totals generated and reconciliations to source data files
o quality assurance review by audit management
o procedures for tracking the status of management response to reports and exceptions provided
· Post-audit review takes place of analysis procedures performed and recommendations are made for subsequent use.
Moving to continuous: the continuum of data analysis usage
Continuous auditing and monitoring have gained considerable attention in the past few years. There has also been a lot of discussion about the challenges of effective implementation. It is useful to recognize that, in most cases, continuous auditing techniques are simply natural extensions of data analysis procedures. These procedures are initially developed to support a given audit objective. Once developed, it frequently makes sense to automate the procedures for repeated subsequent use, often by non-specialists, on subsequent audits. The logical next step is to perform the automated procedures on a regular basis so that timely response is possible by audit and by management.
When considered as part of a natural progression in usage, many audit departments find the shift to continuous auditing is an ongoing one. As more audit procedures are automated and the value proven, more analytics become part of a continuous auditing process. When management becomes directly involved in reviewing and responding to exception reports, the transition to continuous monitoring has effectively commenced.
There continues to be debate about what areas are most appropriate for implementing continuous auditing procedures – the areas of high risk, where immediate notification of exceptions and changes in trends are critical? Or areas of low risk, where audit routines can be automated and audit resources freed up to focus on high risk areas?
There is no one right answer – it depends on the circumstances. But the fact that questions such as these are being raised illustrates that the use of data analysis is making substantial progress within internal audit.
Note - This is part 2 of a 2 part article from John Verver. Part 1 is available here.
______
John Verver is vice president of services and product strategy for ACL Services, Ltd. He has been heavily involved in audit technology for more than 30 years. An acknowledged thought leader on audit analytics, continuous auditing and continuous monitoring, Verver is an inaugural member of the Center for Continuous Auditing’s advisory board. He was a key contributor to The IIA’s General Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment and is a frequent speaker at global audit and control conferences. www.acl.com
The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet®