These are difficult days for many companies. Recent developments, including the economic downturn and other problems stemming from the coronavirus crisis, threaten the very existence of businesses across several industries, from airlines to retail, to manufacturing.
With so much uncertainty and disarray, corporate boards and senior executives are looking to internal audit to deliver robust assurance and advisory services, to help quickly identify emerging risks, and to share valuable insights learned from internal audits. To accomplish those objectives, internal audit has to make better use of technology—data analytics in particular—to take advantage of this historic opportunity for internal audit to elevate its role as a leader in risk management and assurance and as an equal partner in corporate governance.
Why data analytics and why now? Because advanced data analytics can shed some much-needed light on exactly how current events are impacting the organization and where threats and opportunities may be developing. By applying data analytics during audits, practitioners may be able to see some patterns developing out of all the uncertainty.
An Underused Tool?
Before we get too far along, what, exactly, is data analytics in an internal audit context? In its publication, “Audit Analytics and Continuous Audit, Looking Toward the Future,” the American Institute of Certified Public Accountants (AICPA) defined data analytics as: “The art and science of discovering and analyzing patterns, identifying anomalies, and extracting other useful information in data underlying or related to the subject matter of an audit through analysis, modeling, and visualization for the purpose of planning or performing the audit.”
Over the last decade, data analytics has helped many internal audit organizations greatly improve the quality, depth, and coverage of their work all while keeping operating costs relatively flat. The technology continues to improve, and a number of data analysis software options are now widely available, including Access, Galvanize (ACL), IDEA, SAS, Arbutus, Tableau, and more, along with Microsoft Excel, which is where many internal auditors start their data analytics journey. These technologies offer internal auditors multi-dimensional views of data, which has improved data translation and enabled proactive risk management, something that internal audit stakeholders have come to expect.
While audit analytics has dramatically improved, its use by internal audit functions has lagged behind. Over the last few years, various studies and surveys have consistently shown that data analytics is still underutilized in internal audit, although there has been some improvement. According to the Institute of Internal Auditor’s 2017 Pulse Report, only about 20 percent of internal audit functions use data analytics at a high level of maturity and aligned to strategic goals. Many of these advanced users are banks and financial institutions that have made significant investments in technology and have hired experts to assist with implementation. About 30 percent of internal audit functions use data analytics at an intermediate level that is mature and well-managed, but not fully aligned with strategy. The rest, about 50 percent of the internal audit functions, either do not use data analytics at all or use it sporadically and not in a structured or sustained manner.
A survey conducted this year by the Audit Analytics Institute shows that progress is limited in advanced analytics, reminding us that a relatively small number of auditors use data analytics effectively and that the profession has a long way to go to fully harness the power of this technology.
With nearly 20 years or more of data analytics in the rear-view mirror, it would be reasonable to expect that the use of data analytics would be more widespread and more evolved in 2020. Indeed, today’s data analytics software is more powerful and easier to use than ever. It enables internal auditors to examine large amounts of data, often 100 percent of the population under audit.
What Data Analytics Can Do for Internal Audit
Data analytics is suitable for all phases of the audit process. In planning, it can help facilitate risk profiling with financial statement analysis, Beneish model analysis, and other granular data analysis, such as revenue, inventory, and payroll, to identify anomalies, patterns, and internal control gaps, which can help the audit team focus during field work. In field work, there are many possible applications, including to:
Select statistical samples.
Search for duplicate payments, invoices, purchase orders, and other items.
Test accounts receivable aging, including recalculating the aging summary.
Detail test revenue by matching sales invoices to customer sale orders, inventory records, shipping documents, price and discount tables, and tracing them to the general ledger for completeness.
Test the propriety of electronic workflow approvals by comparing approver ID to approved authorization tables. Such tests can be applied to general ledger journal entries, purchase orders, payment files, and many more.
Test journal entry for various attributes, including journal entry dates and times during the closing process, and searching for keywords that may indicate fraud.
Detail-testing vendor invoices for proper authorization, performing three-way match, and matching to vendor payments.
Perform data completeness tests.
In reporting, visualization capabilities help present crispier and deeper observations and insights to stakeholders.
Because data analytics facilitates the examination of the entire population under audit, it also helps to reduce audit bias, including the elimination of the “cherry picking” technique. Cherry picking is when managers or others use incomplete evidence or data to support a particular position, while suppressing evidence or data that contradicts the desired position and may be intentional or unintentional.
Some internal auditors have also made good use of data analytics technology to institute continuous monitoring and auditing routines. These are computer programs and scripts running continuously in the background to identify exceptions from expected operations, calculations, controls, and business activities. Continuous auditing and monitoring can be used to identify cybersecurity threats, test user access reviews, general ledger journal entries, account reconciliation approvals, the propriety of cash applications, test master data management controls, foreign exchange rates, and prior period adjustments, among other uses.
So Why the Slow Adoption Rate?
Given all the benefits that data analytics can offer and all the advances in technology, why has its use by internal auditors plateaued? The answers may be related to funding, lack of skills, access to data, or all of the above.
Certainly, budgeting can be a barrier. While internal audit functions generally enjoy the support of their governing bodies (the audit committee) and senior executives, few departments receive adequate funding to invest in data analytics technology, to acquire and retain talent with expert data analytics skills, and to provide internal audit data analytics training.
Another problem is finding professionals with the required skills. There is currently a general shortage of professionals with data analytics technology skills willing to build careers in internal audit. To help implement and operationalize data analytics, internal audit organizations need to hire and retain tech-savvy talent to work alongside traditional internal auditors. While some internal auditors are tech-savvy, only a small percentage can keep up with technology changes and the breadth of knowledge required to remain an effective and respected internal auditor. To effectively and sustainably use data analytics following implementation, teams need technical experts and traditional internal auditors working side-by-side during audits.
Getting access to the proper data and maintaining quality data are other hurdles. Unless a company maintains structured data across functions, segments, and subsidiaries — most optimally overseen by master data management professionals, using master data methodologies and platforms — it’s too hard to obtain, format, and use data during an audit. Often, auditors are unable to obtain data due to a lack of availability or compatibility, or managers hoard data and become territorial about it. Additionally, when data is provided, it is unusable because it is not structured or lacks uniformity. Often, hours are devoted to obtaining, understanding, and organizing the data provided, and the analysis yields too many errors that render the effort worthless. A large global company I’m familiar with, for example, had to spend nearly two years to implement a global, standard general ledger chart of accounts before it could implement a data analytics program in general accounting. With the fourth industrial revolution underway, many companies have technology implementation projects underway in robotic process automation (RPA), artificial intelligence (AI), blockchain, and the Internet of Things (IoT), all of which build on or require robust data analytics programs.
Now is the time for internal auditors to get involved. Chief audit executives and their teams should join such implementations as they present an opportunity to partner and provide advice. While providing advice, internal auditors can better understand changes in technology, provide guidance in developing structured data suitable for data analytics, remind corporate leaders and governing bodies of the benefits of a successful data analytics program, and request support and funding to either kickstart or resume a data analytics program that may have stalled because of COVID-19 or other reasons.
Chris Dogas, CPA, CFE, CRMA is a principal at AudereSapere Risk Assurance Advisors & Consultants LLP, which provides corporate governance services.