CEB Blogs


Internal Audit

3 Steps to Successful Data Analytics Application

Internal audit teams should use three decision criteria to determine when and how to apply analytics in their audit engagements

Alongside many professionals in many other parts of a large company, internal audit teams are keen to use the vast panoply of data now produced by the day-to-day activities of a multinational, as well as the increasingly sophisticated software available to parse and analyze it.

To auditors, this work is typically known as a data analytics program and, although the benefits of funding and running one can certainly make it worthwhile, it pays to make sure the audit department is prepared.

For audit teams just getting started with analytics, the first step is to clarify analytic goals. Next, they should determine how and where using analytics will yield the best insights into the risks facing the company. They then need to overcome the most common hurdles to achieving a standardized analytics program: namely, understanding how to apply data analytics during audit engagements, how to consistently prioritize those engagements, and (of course) how to obtain the necessary data.

Three Steps

There are useful tips and tricks to help with each of these three challenges.

  1. Understand how data analytics supports audit engagements: The only way you will be able to identify what areas do and don’t require the “analytic treatment” is to spend time understanding the specifics of incorporating these techniques into audit engagements.

    Most commonly, the use of data analytics by audit departments falls into four categories (see chart 1). Using scenarios can help you illustrate how data analytics make an audit more effective and efficient. For example, if an audit team is testing compliance with the US Foreign Corrupt Practices Act, the summary in chart 2 provides a clearer picture of how analytics can help.

    Examples of data analytics use

    Chart 1: Examples of data analytics use  Source: Data Analytics: Elevating Internal Audit’s Value, The Institute of Internal Audit Research Foundation, Warren W Stippich Jr, CIA, CRMA, CPA, and Bradley J Preber CPA/CFF, CGMA, CFE, CCA; CEB analysis


    Using analytics to help FCPA

    Chart 2: Using analytics to help with FCPA  Source: CEB analysis

  2. Prioritize engagements that analytics will benefit the most: Armed with this general understanding, use the risk level and the quality of the information you have as two screening criteria to prioritize the engagements that are best suited for data analytics.

    Risk level is about the threat a particular audit area represents to the entire organization. The higher the risk level, the more relevant and interesting your insights should be to business partners.

    Ask yourself:

    • How high is the inherent risk in this risk area/audit?

    • How well-controlled is the risk?

    • Is the risk level increasing or decreasing over time?

    Information quality is quite straightforward — you must determine whether you have the data you need to run a useful analysis (chart 3 has more).

    Ask yourself:

    • Is the process/activity data-rich?

    • Is the data clean and verified?

    • Is the data easy to access?

    • What is the automation potential?

    Determining data analytics application

    Chart 3: Understanding whether analytics is worth it  Source: CEB analysis

  3. Make sure you can get the data you need: Even if you know that data exists, it can take a while to actually obtain it. The best thing you can do (especially if you are just starting your analytics program) is to engage with data owners early on, so as to create a sustainable pipeline of information.

    As one head of audit analytics told CEB, “You cannot over-invest enough in the upfront planning necessary to get data from IT or the business, especially when you are asking for the first time.”

    Communicate with data owners early on to leave enough time for unforeseen challenges in acquiring the data. It can be helpful to begin your requests by stating the benefits the audit will provide. Also, make yourself readily available for follow-up questions. Four principles will help.

    • Think through your request: Do you really need it? Consider how the data you seek will support your analytics objectives. Identify any barriers to using the data upfront.

    • Incorporate data requests into engagement planning: Build this step into your existing processes to allow time for the information to be scoped and analyzed.

    • Ask data owners for access: See if you can connect directly to the source system on your own.

    • Trust, but verify: Always make sure what you receive is actually what you need.

More On…

Leave a Reply



Recommended For You

Data Privacy Risks for Internal Audit Still a Major Concern

Internal audit executives continue to worry about customer and corporate information leaking or being stolen...