The application of data analytics in internal audit encompasses the use of software to identify significant trends and exceptions in large amounts of data. Such software can be used for basic data analysis, through to complex data interrogation across billions of transactions, as well as assessing control performance and exception reporting among other applications. Many internal audit teams still rely primarily on spreadsheet-based tools and applications rather than more sophisticated analytics and data mining tools. A recent Deloitte survey showed that only around one-third of HIAs use data analytics at an intermediate or advanced level. The remaining two-thirds of HIAs use basic, ad hoc analytics (e.g. spreadsheets) or no analytics at all. It is important to compare the different sets of analytic tools to determine what works best for the internal audit function.
The range of tools includes the following:
• Desktop tools, e.g. Excel. Most organisations have this tool and its use for data analytics within internal audit is widespread;
• Specialised tools, e.g. SPSS, Tableau. These enable a wider range of tasks such as infographics and are compatible with usage in other parts of the organisation;
• Audit specific tools, e.g. ACL, Teammate. These enable advanced analytics but require investment and training.
• Enterprise tools, e.g. SAP, Oracle. These tools can be used by audit functions but users need some data science skills and knowledge e.g. scripting.
Continuous auditing means that internal auditors can move from periodic evaluations of risks and controls based on samples of populations, to ongoing evaluations using a larger proportion of transactions.
Whole population testing
Internal audit analysis techniques include procedures that are designed to determine whether processes contain data errors and/or whether financial reports contain misstatements. Analysis techniques have always been used to test random data sets or target specific data if an internal auditor feels an internal control process is at risk. The use of data analytics enables auditors to test 100% of populations. Internal auditors use different types of data analytics to undertake a variety of functions. Fraud analysis and continuous auditing are examples of areas where the total population is often tested and then outliers are subjected to more detailed testing. It is worth noting, however, that whole population testing is not always necessary because:
• Samples selected using judgement give the level of assurance needed in almost all cases;
• The use of samples is the best use of manual audit resources; and
• Testing 100% does not necessarily give 100% assurance because auditors themselves may make mistakes, particularly if the work is tedious.
In internal audit functions where there is currently no or limited use of data analytics internal auditors will test samples of transactions. Only very rarely would they examine every transaction in the period audited, i.e. if fraud or other financial irregularity was suspected then internal audit will test 100% of transactions. For example, every payslip issued, every invoice authorised, every stock item held.
Testing 100% of transactions isn’t new but it was previously undertaken manually and only in exceptional circumstances due to resource constraints. Instead, internal auditors often turned to statistical sampling to extrapolate the number of errors in the total population and to determine the accuracy, or otherwise, of transactions. The sample sizes were often large and therefore may have resulted in human errors resulting in false assurance.
Common uses of data analytics by internal audit
Most commonly, auditors use data analytics for fieldwork and engagement planning, and use the results to identify anomalies and test controls. It was asserted in a recent report by Deloitte that internal audit needs to embed analytics into its approaches, methods, and communications across most of its activities, from planning through to reporting, in order to make the most impact. For many functions data analytics is used in more financially oriented audits such as:
• General ledger;
• Purchase to pay;
• Travel and subsistence/entertainment; and
• Order to cash (a set of business processes that involve receiving and fulfilling customer requests for goods or services).
Benefits of using data analytics
Analytics can enable internal audit to automate the more routine activities of the internal audit process, which then frees up time to do deep dives on the more strategic and complex issues. Internal audit needs a detailed understanding of the potential benefits of data analytics before implementing it in audit processes. The key benefits include:
• Increased efficiency. For example, scripts can be re-used for periodic audits resulting in efficiency benefits by avoiding repeated manual analysis;
• Increased effectiveness. Analytics allows for whole population testing instead of random or judgmental sampling, as well as enabling continuous auditing so that internal audit and the business can pick up on emerging trends and themes and be more nimble with their risk monitoring;
• Improved assurance. For example, analytics reduce the margin for human error in the analysis of vast datasets, and allow for greater precision in assessing operational performance;
• A greater focus on strategic risks by moving away from the more routine tasks which can be automated to a greater degree;
• Greater audit coverage; and
• Significant time and money savings over the longer term.
The path to maturity
Internal audit teams who already use data analytics are at various points on the maturity path. For those functions considering adopting analytics, teams with members who are conversant in analytics skills can start further along the maturity path. It is worth noting that not all team members need to be conversant in the more technical areas such as scripting. If you decide that you would like to incorporate data analytics into your function’s work at more than a basic level, it is worth bearing in mind that you may need to look for internal auditors with more developed data skills and abilities in the future. The chart below shows the link between the data analytics maturity path and the internal audit team’s skill set.
Data analytics offers numerous benefits, but you must first assess whether it would fit with your function’s overarching goals and desired activities. You can then build a business case to present to your audit committee chair, but there are some important questions to address before doing so, as outlined in the previous section.
Most who are using data analytics are using it to bring about greater efficiency and to provide greater assurance in their audits and particularly financial audits. We are, however, seeing examples in larger organisations and those in Financial Services, which tend to be further along the maturity path, of analytics being applied to more strategic risk areas such as culture. Many relevant controls in relation to key business risks have not been automated yet.
Internal audit’s approach in relation to assurance around these key risks has, therefore, not fundamentally changed at this point in time. This of course is likely to change as time goes on, so it is imperative to have discussions with the audit committee chair sooner rather than later about how, why and when the internal audit function will need to consider using data analytics to reap the potential benefits.
Internal audit’s strength lies in its ability to adapt to an ever-changing landscape, and the use of data analytics should be no different. Internal auditors’ skill set will change but they will continue to support their organisations to achieve their goals and objectives through the provision of assurance in relation to risk, control and governance.