The data analytics maturity decision for Iternal audit

The Data Analytics maturity decision for Internal Audit: 4 Key Considerations

Organizations are waking up to the benefits of enhancing data analytics in their internal audit. In this article, we’ll focus on the data analytics maturity decision: what mix and level of data analytics is right for the organization in question?

To answer this, we’ll go through four key considerations that are essential to answering this question: 

  • Different types of data analytics 
  • Potential benefits of automated data analytics 
  • The data analytics maturity scale
  • General considerations in making the data analytics maturity decision
1. Different Types of Data Analytics 

‘Data Analytics’, in simple terms, is the examination and drawing of insights from data. Taken at face value, data analytics is central to traditional internal audit: a lone auditor tracking duplicate payments for purchase orders across journal entries is using data analytics. Therefore, the question for an organization is not whether to introduce data analytics to internal audit, but how to do so. 

To answer this question, the organization needs to consider different types of data analytics:

  • Descriptive analytics interprets historical data. The auditor with his journal outlined above is performing descriptive analytics.
  • Predictive analytics predicts future outcomes based on historical data. A simple, well-known and effective example of predictive analytics in audit is the use of Benford’s law in detecting potentially fraudulent transactions. A predictable distribution of numbers in many naturally occurring sets can be used to identify irregular transactions.
  • Diagnostic analytics examines the data and asks ‘why?’ As a simple example, an increase in loan defaults at a bank might correlate with an increase in loans approved, indicating relaxed lending criteria as the cause of default.
  • Prescriptive analytics identifies the best course of action based on the analysis of data. For example, by comparing suspected fraud in two separate areas with two separate controls, prescriptive analytics could recommend preferable controls.
2. The Potential Benefits of Automated Data Analytics

The different types of analytics set out above could all be implemented manually. However, the key benefits arise from automating data analytics. Some potential benefits include:

  • Testing controls: With software, auditors can employ ‘scripts’; sets of instructions to the software to examine whether internal controls have been breached. As well as reducing the impact of human error, inevitable in a manual review, the script makes the action readily repeatable;
  • Data integrity: The manual transfer or extraction of data for internal audit process increases the chance of data corruption which can be eliminated through automation; 
  • ‘Whole-of-population’ audit: Traditionally, audit has relied heavily on sampling in order to draw inferences about the data as a whole. The speed of automated analytics means the potential to evaluate controls across the whole set of data; 
  • Reduced financial cost: In some cases, data analytics can free up auditor time from more routine tasks to focus on value-added audit activities. 
3. The Data Analytics Maturity Scale

Whatever the benefits of automating data analytics, the organization needs to determine at the strategic level how data analytics might best contribute to the audit goals of the organization. This includes recognizing how data analytics might contribute at the selection, planning, execution, reporting, and follow-up phases of audit. 

This strategic activity can benefit from considering data analytics in terms of ‘maturity’. A data analytics maturity scale ranges from 1 to 5 depending on the type of analytics deployed, the level of automation, regularity and integration with other business systems. 

Maturity scales are common for explaining data analytics capability in different industries. KPMG has suggested the five-point scale below for internal audit (though in this case, their focus is on the planning and execution phases):

  1. Traditional Auditing: Data analytics may be used, but is mainly descriptive and applied during the planning phase.
  2. Ad Hoc Integrated Analytics: This may include both descriptive and diagnostic analytics at the planning and execution phases (e.g., identifying outliers), but is carried out in an ‘ad hoc’ rather than systematic manner.
  3. Continuous Risk Assessment and Auditing: This may include all types or categories of data analytics in a pre-defined automated set. This set provides ongoing data to auditors. 
  4. Integrated Continuous Auditing and Continuous Monitoring: A full set of automated analytics is deployed, and they permit continuous monitoring by management, as well as a continuous data flow to the audit shop. The systems are largely seamless and integrated.
  5. Continuous Assurance of Enterprise Risk Management: A full set of automated analytics is deployed, as with level 4. In addition, there is a further emphasis on aligning continuous data analysis with strategic enterprise goals. The internal audit plan is ‘dynamic’ in response to risk fluctuation.
4.  General Considerations for the Maturity Decision 

The advantage of the maturity scale is that it acknowledges that data analytics is not an ‘all or nothing’ affair: Most internal audits employ some level of data analytics. On the other hand, the maturity scale might be thought to imply that there is something ‘better’ about being further along the scale. 

There is another way to look at it. 

The desired level of maturity depends on the specific risks faced, the risk appetite, the constraints, and the audit goals of the organization (e.g., for smaller organizations, the cost and effort of implementing Level 5 data analytics is probably not worth it). 

In conjunction with the decision on data analytics maturity, the organization must decide which tools it will use for that purpose. More specialised or powerful solutions are required for greater analytics functionality. While desktop tools (e.g., Excel or Access) will be sufficient in some cases, enterprise software or specialised audit solutions (such as Caseware IDEA ).

Furthermore, in making the maturity decision, the organization will need to consider the optimal internal audit skillset. Maturity requires the right mix of data analytics expertise. This might be  achieved via training or secondment of existing auditors, or direct recruitment of data analytics specialists. 

Which mix of analytics and automation is right for you?

The key question for organizations is not whether to introduce data analytics to internal audit, but which mix of analytics and analytics automation is right for that organization. One useful way of thinking about this is with a data analytics maturity scale: The organization can position itself along the scale depending on the risks it faces, its risk appetite, its constraints, and its audit goals. Every organization needs to consider as part of its maturity decision how data analytics can be employed in auditing the particular risks that the organization faces.