In part one of this post we discussed the obsolescence of the traditional internal auditor and the rise of databots that will systematically replace knowledge workers in the audit, compliance, and risk management process. With that not-so-happy outlook, what might we do now?
The good news, though, is that enterprise data is complicated, and it is going to be an exceptionally fruitful environment for those with the skills to develop the “databot environment”, driving real efficiency and mountains of value into an organization’s bottom line. Thus the salary split we’re already beginning to see, as described in part one of this post. The opportunity is for a new breed of entrepreneurial auditor to take control and lead the charge to obsolete our largely broken approach to traditional internal auditing. It seems apparent that the mandate for innovation and forward progress in the audit, risk, and compliance professions (without the massive over-complication usually surrounding discussions of “big data”) should be effectively three-fold:
1. Get a clear view of what’s important based on organizational strategy
In this stage it is time to do what I call “The GRC Grind”. The GRC Grind is the painful but “must be done” process of identifying what’s actually important to the business in terms of controls by deconstructing its top-level strategy into key goals/objectives, the enterprise-level risks that are likely to threaten the achievement of those goals, the process- and project-level control objectives that mitigate those enterprise risks, the process-level risks that threaten achievement of the control objectives, and the actual controls that mitigate the process-level risks. This set of controls should define what is truly important to the business operationally, and thus the last step of The GRC Grind is to map compliance requirements to those controls and to add to the framework any “overhead controls” that are required for compliance reasons but not already captured. Once completed, this will create a complete picture of governance that meaningfully pushes forward assurance that the organization will achieve its performance goals.
2. Automate the “menial” audit work away
With the clear picture of the broader business developed through The GRC Grind, there will undoubtedly be basic control testing and monitoring, core “must monitor” compliance areas, basic risk rating, and standard operational auditing that need to be done by location, process, entity, etc. All of this type of work is an opportunity for automation through data. This is where traditional data mining and data analytics come into play. By building fully repeatable and sustainable data mining analytics that evaluate a risk/control/etc. on an ongoing basis, and by automating prescriptive communication and remediation processes for red flags, we are creating the “databots” that eliminate the need for traditional audit work, freeing up time and resources to uncover the really big stories going on in the business.
3. Help the organization look forward by uncovering the meaningful stories in the organization through its data
Where the real future internal auditor will then spend the majority of their time is developing and sharing perspectives on organizational risk and performance that look forward at the organization’s likelihood of achieving its objectives. The only way to truly do this is through data, using risk analytic techniques that are foundationally forward-looking in nature. The term “predictive analytics” is grossly overused and essentially useless, implying some sort of magical statistical algorithms able to dictate what the future will look like. What is important is using analytics to weave a forward-looking picture. For example, by analyzing and correlating some basic data on product sales and customer usage patterns we can relatively easily develop a story about our general ability to engage and retain a customer after their purchase to ensure success and advocacy. Similarly, by analyzing and correlating some basic data around systems access, it is relatively easy to create a forward-looking picture of where in the organization cybersecurity vulnerability may exist.
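As an added illustration (not from the original post), here is what a small "databot" of the kind described in steps 2 and 3 could look like: a repeatable test that correlates systems-access data with an HR roster and emits red flags keyed to control IDs. The field names, role names, control IDs (AC-01 to AC-03), the 90-day threshold and all sample records are constructed assumptions.

```python
from datetime import date

# Constructed sample data; field names and role names are hypothetical.
HR_ROSTER = {
    "asmith": {"status": "active"},
    "bjones": {"status": "terminated"},
    "cwu": {"status": "active"},
    "dlee": {"status": "active"},
}
ACCOUNTS = [
    {"user": "asmith", "enabled": True, "last_login": date(2016, 5, 30),
     "roles": {"ap_create_vendor", "ap_approve_payment"}},
    {"user": "bjones", "enabled": True, "last_login": date(2016, 2, 1),
     "roles": {"gl_read"}},
    {"user": "cwu", "enabled": True, "last_login": date(2015, 11, 12),
     "roles": {"sys_admin"}},
    {"user": "dlee", "enabled": True, "last_login": date(2016, 6, 1),
     "roles": {"gl_read"}},
    {"user": "svc_old", "enabled": True, "last_login": date(2016, 6, 1),
     "roles": {"gl_read"}},
]
SOD_CONFLICTS = [("ap_create_vendor", "ap_approve_payment")]  # assumed rule set
PRIVILEGED = {"sys_admin"}
DORMANT_DAYS = 90  # assumed threshold

def run_access_databot(accounts, roster, as_of):
    """Return a sorted list of (control_id, user, finding) red flags."""
    flags = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are out of scope for these controls
        user, roles = acct["user"], acct["roles"]
        hr = roster.get(user)
        # AC-01: every enabled account must map to a current employee.
        if hr is None:
            flags.append(("AC-01", user, "enabled account with no HR record"))
        elif hr["status"] == "terminated":
            flags.append(("AC-01", user, "enabled account for terminated employee"))
        # AC-02: segregation of duties, no user holds both roles of a pair.
        for a, b in SOD_CONFLICTS:
            if a in roles and b in roles:
                flags.append(("AC-02", user, f"conflicting roles {a} + {b}"))
        # AC-03: privileged accounts that sit unused are standing exposure.
        idle = (as_of - acct["last_login"]).days
        if roles & PRIVILEGED and idle > DORMANT_DAYS:
            flags.append(("AC-03", user, f"privileged account idle {idle} days"))
    return sorted(flags)

if __name__ == "__main__":
    for control, user, finding in run_access_databot(ACCOUNTS, HR_ROSTER, date(2016, 6, 15)):
        print(f"[{control}] {user}: {finding}")
```

Run on a schedule against fresh extracts, the same function gives continuous coverage of these three control points, and the flag list can feed whatever notification or remediation workflow the team already uses.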
Lessons from the field… start small and evolve, but ACTUALLY start!
Embracing the shift to “data-driven” is certainly the first step; however, it’s step 2… actually doing something… that really matters. 80% of the failure I see in building data programs in internal audit is just because they never get started. Organizations tend to spend an inordinate amount of time worried about what tool to buy, how to get budget for “training”, tip-toeing around conflict with IT on getting access to data, etc., none of which actually relates to the objectives, risks, and controls we want to analyze.
I recently did a session at the 2016 IIA GAM conference in Dallas with Laura Biland, who leads up the data analytics efforts (among other roles) in the internal audit team at Texas Instruments, the Fortune 200 semiconductor manufacturer. What I like about Laura and her program at TI is that they have systematically developed their capabilities and innovated around how they look at audit through data since starting in 2008. While they have had all the typical struggles… access to data, auditor skill sets, etc., they’ve continually pushed through to where they’re now in a position to really transform how they look at audit across TI. The timeline of their experience she shared at the conference looks like the following:
The punchline here is that they have been on an 8+ year journey now, but by taking it one step at a time with even very limited resources dedicated specifically to data analytics, they are now in a place where a good chunk of mundane audit work (coverage of approximately 200 risk/control points) is completely automated and systematically looked after on a continuous basis. They are now moving into scoping out all audits with data analysis so no time is wasted in areas of minimal risk, and ultimately into more forward-looking analysis to assess risk across the enterprise. They are well ahead of most companies in transforming internal audit because they simply got started, made time, got small successes, built on the learning gained, and iterated until they had a sustainable program in place. This agile approach to transformation through data is what I see bringing (unfortunately currently few) internal audit shops back to the strategic advisor table in the new data-centric world of digital business.