I spoke at an excellent MIS Training Audit Directors Symposium in Boston earlier this week. My topic was the integration of data analytics into the audit and risk processes. My view is that well planned integration, which involves multiple aspects, is typically one of the prime factors in achieving real success in the use of data analysis.
It was a great opportunity to have some highly engaged conversations with a group of Internal Audit leaders. We spent over two hours talking about the role of data analytics in audit and risk. There were some great examples of success stories, but, for many participants, the most valuable part of the session was probably the discussion on the issues that typically limit the extent of progress.
There were a few examples of innovative use of analytics – a few that caught my attention:
- Using ACL to test the amount of time it takes managers to approve expense claims (if the time between opening a claim and approving it is less than, say, 30 seconds, the chances are there was not exactly a lot of diligence applied)
- Using ACL to identify addresses which were really P.O. Boxes (some courier companies, for example, have a service to provide customers with physical street addresses)
- Using ACL to search for text that could indicate an FCPA violation. I knew about searching for words like “facilitation” and “agents.”The new one for me was “a cup of coffee.” Apparently in some countries this is the euphemism for a payment made as a bribe.
There was also some good brainstorming on things you should and should not do when implementing an audit analytics program. A few takeaways included:
Should
- Start relatively small and build on successes
- “Sell” the successes internally
- Plan for the data acquisition process far ahead of the date the audit is due to start
- Identify a specialist to deal with data access issues and champion/support use through the rest of the audit team
- Schedule time for audit analytics during the audit planning phase
- Make sure that team members have the chance to put their learning in to practice immediately after receiving training
- K.I.S.S. – do not start off with an overly ambitious project
Should Not:
- Assume the data is complete and accurate when first receiving it
- Send people on a training course with no chance to apply skills in practice
Many of the other “should not’s” were the reciprocal of the “should’s” listed above.
The main takeaway for me was that it is a good sign to have a refreshingly realistic discussion about the use of analytics in audit and risk. There was clear consensus view that:
- Data analytics definitely have an important role to play in audit and risk
- It is not always easy to achieve success – some issues, such as data acquisition and finding the right skills, can be tough nuts to crack
- The business needs to be using analytics to test and monitor transactions and controls
