Organizations are waking up to the benefits of enhancing data analytics in their internal audit. In this article, we’ll focus on the data analytics maturity decision: what mix and level of data analytics is right for the organization in question?
To answer this, we’ll go through four key considerations that are essential to answering this question:
‘Data Analytics’, in simple terms, is the examination and drawing of insights from data. Taken at face value, data analytics is central to traditional internal audit: a lone auditor tracking duplicate payments for purchase orders across journal entries is using data analytics. Therefore, the question for an organization is not whether to introduce data analytics to internal audit, but how to do so.
To answer this question, the organization needs to consider different types of data analytics:
The different types of analytics set out above could all be implemented manually. However, the key benefits arise from automating data analytics. Some potential benefits include:
Whatever the benefits of automating data analytics, the organization needs to determine at the strategic level how data analytics might best contribute to the audit goals of the organization. This includes recognizing how data analytics might contribute at the selection, planning, execution, reporting, and follow-up phases of audit.
This strategic activity can benefit from considering data analytics in terms of ‘maturity’. A data analytics maturity scale ranges from 1 to 5 depending on the type of analytics deployed, the level of automation, regularity and integration with other business systems.
Maturity scales are common for explaining data analytics capability in different industries. KPMG has suggested the five-point scale below for internal audit (though in this case, their focus is on the planning and execution phases):
The advantage of the maturity scale is that it acknowledges that data analytics is not an ‘all or nothing’ affair: Most internal audits employ some level of data analytics. On the other hand, the maturity scale might be thought to imply that there is something ‘better’ about being further along the scale.
There is another way to look at it.
The desired level of maturity depends on the specific risks faced, the risk appetite, the constraints, and the audit goals of the organization (e.g., for smaller organizations, the cost and effort of implementing Level 5 data analytics is probably not worth it).
In conjunction with the decision on data analytics maturity, the organization must decide which tools it will use for that purpose. More specialised or powerful solutions are required for greater analytics functionality. While desktop tools (e.g., Excel or Access) will be sufficient in some cases, enterprise software or specialised audit solutions (such as Caseware IDEA ).
Furthermore, in making the maturity decision, the organization will need to consider the optimal internal audit skillset. Maturity requires the right mix of data analytics expertise. This might be achieved via training or secondment of existing auditors, or direct recruitment of data analytics specialists.
The key question for organizations is not whether to introduce data analytics to internal audit, but which mix of analytics and analytics automation is right for that organization. One useful way of thinking about this is with a data analytics maturity scale: The organization can position itself along the scale depending on the risks it faces, its risk appetite, its constraints, and its audit goals. Every organization needs to consider as part of its maturity decision how data analytics can be employed in auditing the particular risks that the organization faces.