Internal audit shops are buzzing over data analytics, with more audit leaders planning to jump in for the first time or expand their use of the evolving technology across the scope of their audit work.
The latest round of internal audit studies from Deloitte, Grant Thornton, Protiviti, and the Institute of Internal Auditors seem to reflect that as well. Deloitte’s latest poll says nearly 40 percent of those who participated use analytics in at least 50 percent of their internal audits, and that’s expected to rise to nearly 60 percent over the next few years.
At the high end, Deloitte’s survey said roughly a third plan to use analytics on at least three-fourths of their internal audits in the next three to five years. Protiviti’s latest survey said two-thirds of internal auditors use data analytics currently and, of those who don’t, three-fourths will be doing so in the next year or two.
Given the broad spectrum of internal audit use for data analytics currently, that suggests new uptake along all aspects of audit work. Grant Thornton’s poll, for example, says roughly 80 percent of internal audit shops using analytics do so to analyze or document operational and business situations, and nearly as many use the technology to diagnose business problems. On the leading perimeter, however, one-third say they use analytics to predict future trends, and one-fifth are leveraging analytics to prescribe or recommend business initiatives.
“What we’re now seeing is expansion of analytics across every phase of the audit lifecycle,” says Neil White, global leader for internal audit analytics at Deloitte. Some audit experts are calling it predictive analytics—using analytics not just as an audit testing tool, but in the earlier stages of the audit, such as scoping or planning. As a simple example, White says, he was involved in a vendor audit where analytics used in planning and scoping the audit helped identify IT spending that was occurring outside the normal purchasing process. Technology helped identify which spending might be most concerning.
“We weren’t looking at samples because of high dollar value [a traditional marker for outliers],” says White. “They were selected because they didn’t behave the way you’d expect.”
“All of a sudden more folks are talking about it. More internal auditors are trying to get involved in data analytics.”
Mike Rose, Partner, Grant Thornton
As the audit results revealed disconcerting levels of IT spending occurring outside the designated procurement process, people behind the spending told stories of cumbersome, excessively prohibitive processes. “So, we were able to go to the CFO and provide business insights as opposed to what an audit would typically do to provide assurance on compliance issues,” White says.
Douglas Anderson, managing director of chief audit executive solutions at the Institute of Internal Auditors, says the time has come for internal auditors to leave more routine, audit-like procedures to management while auditors dig more deeply. Common checks for potential purchasing abuses—like comparing vendor addresses with employee addresses to look for indicators that employees are siphoning cash with disguised invoices—should be left to operational staff.
“Personally, I think accounts payable should be responsible for that,” says Anderson. “Internal audit should be about addressing the adequacy of processes and controls. Use data analytics to identify where the risk is.” Simply running tools because they provide interesting results is fruitless, he says. “How can tools help me focus on risks and identify risks?”
WHAT INTERNAL AUDITORS SHOULD BE ASKING
Three questions internal audit leaders should be asking:
How can we be more efficient in reducing risk?
How can we use all the data in the organization and switch to an enterprise-wide model?
How can we continuously audit in real time, identifying anomalies and issues and producing instant reports to inform strategy and decision-making?
Source: Grant Thornton
The IIA survey results suggest internal auditors are moving in that direction, but they’re not there yet. Only 22 percent of internal auditors in that poll said they use data analytics “extensively or frequently” to perform risk assessments in developing the department audit plan, and 35 percent use it to the same degree to assess risk in planning a specific audit engagement. Half of audit leaders in that poll said they “rarely or never” use analytics to develop the department audit plan, and a third rarely or never use the tools in planning specific audits.
“We are making progress,” says Anderson. “It’s still too low on the maturity curve, but it’s moving up the curve. It’s going [in] the right direction.”
In part, internal audit is moving toward increased use of analytics because it’s happening elsewhere in the business, says Bill Watts, a partner at Crowe Horwath who leads the firm’s emerging industries risk solutions. “You see many organizations trying to embrace data and leverage it internally for many different reasons,” he says. “That creates more risk to the organization, and internal audit has to be in tune with that.”
The big challenges remain however, such as how to handle the magnitude of data that’s developed and how to capture the right data. In the Deloitte poll, 60 percent said one of the hurdles is simply identifying where data resides. Only 22 percent said they would rate the quality of their data as excellent or good. “The availability and the quality of data continues to be the No. 1 obstacle,” says White.