Guide for the successful implementation of data access and analysis technology
There is widespread recognition that a data-driven approach is critical to transforming audit, risk, and compliance processes and delivering a whole new level of benefits, many of which simply cannot be achieved with a traditional approach. Yet, at the same time, actually getting access to the right data at the right time remains a significant challenge for many internal audit and compliance teams.
Some of the challenges are technical, and without the right technology it can be very difficult to connect to the right data and perform the many forms of analysis that drive audit, risk, and compliance processes. However, in ACL’s decades of experience in this area—and through talking with thousands of audit and compliance teams—we know that one of the greatest challenges revolves around working with the IT team to get access to data and implement analytic technology.
The ACL platform’s Analytics Exchange module has been developed specifically for dealing with typical technical challenges and to provide all of the functionality needed to enable a data-driven approach. Our customers know the value that the ACL platform powered by Analytics Exchange delivers once implemented. In this blog, we provide you with information that can help you plan for your dealings with the IT department and communicate more effectively.
Why is dealing with IT to get data access and install software frequently a challenge?
It helps to start by putting yourself in the position of the IT department and looking at things from their perspective.
Request overload: IT teams are typically faced with enormous volumes of requests for data access and analytic capabilities. Many organizations have invested heavily in establishing data warehouses and acquiring data analytics tools that support business requirements for data analytics.
IT is unaware of the functional needs of audit, risk, and compliance teams: Understandably, IT’s initial response to a request for data access and implementation of specialized analytic software is often to point to corporate tools which are already available to support this. They are unlikely to be aware of the specific needs of audit and compliance teams or the particular technologies that are available.
Communication challenges: On the other hand, relatively few auditors and risk and compliance specialists are experts in the technical aspects of data access and analytic software implementation. They may be unfamiliar with the technical language and issues raised by the IT team. The result is often a communication breakdown that leads to frustration on both sides.
How to create a really productive relationship with IT
Plan, prepare, and engage
Preparation is key to setting up data access procedures and getting technology implemented. It doesn’t have to be a time-consuming and complex process, but thinking through some of the basic issues in advance will usually result in a big payoff.
IT may be used to thinking in long timeframes for data access and analysis projects, particularly when they perceive something to be a large initiative. Implementing audit and risk technologies should not be lengthy exercises, particularly when good working relationships are established—but it makes sense to allow some time to plan for how to best approach the IT team. And for optimal results, engage IT as a key collaborator early in your process.
Pick the right people
Who should be involved in communicating with the IT team? It often helps if there is a balance of knowledge and understanding about technical issues, as well as the bigger picture of the objectives of implementing data access and analysis technologies.
Involving a leader from the audit, risk, or compliance team can help to set the stage for a data analysis initiative. For example, this could mean referring to internal audit’s mandate and requirements to access data from across the organization in support of the audit charter. It may mean referring to the goals of a risk management and compliance initiative. Planning to also involve a leader from the IT function in discussions can do much to help create alignment around the overall value of the initiative and the benefits to the organization.
Audit and risk leaders are unlikely to have the technical knowledge to effectively deal with common IT questions and concerns. Involving an individual with appropriate technical knowledge who is able to address basic IT issues means that typical misunderstandings can be addressed up front.
Dealing with common concerns from the IT team
Common concern #1: “Why do you want to install this software? We already have data stores that support many business processes and multiple BI and analysis technologies. Why not use them?”
Auditors and risk and compliance specialists need access to the original source data relating to transactions and controls—across the organization. Business intelligence and other data repositories include neither the level of detail nor all of the components of related data that are essential to audit, risk, and compliance analytics. Data in corporate databases has usually gone through an ETL (Extract, Transform, Load) process and no longer fully represents the original source data that needs to be examined independently by an audit function.
Data analytics that are performed for audit, risk, and compliance processes do include many forms of analysis that are available through corporate analysis tools. However, the ACL platform provides many functions and forms of analysis that are specific to audit and GRC processes. It would be inefficient, unproductive, and very difficult to replicate these capabilities using corporate tools. (Speaking of which, here’s a post on how enterprise consolidation of analytics can hurt GRC and how ACL and Tableau are, in fact, complementary tools.)
Common concern #2: “What about security? The data you want to access is critical data that has to be maintained within the controlled corporate security environment. If we provide you with access and the ability to extract and analyze confidential data, how do we know you will maintain effective control over the data?”
Auditors are well aware of data security requirements and follow all corporate data security standards. The ACL platform will operate within a secure environment and provides controlled access to the application and to the data to which it connects. It also provides features such as data masking, which allows, when needed, confidential data to be analyzed without providing visibility into the data itself.
Common concern #3: “We’ll have to buy new servers, which will cost a fortune and take months to implement. We don’t have the time to deal with new hardware, new software, data access, …”
Good news! We have options that don’t require a new server and won’t drain your IT team’s time. For example, the ACL platform powered by Analytics Exchange can run on a virtual server. Please ask us about recommended servers or equivalent VMware®; we are here to help you through this discussion, which can seem complex to even the most tech-savvy. And when it comes to implementation, you can count on our customer success team for full implementation services, to take the burden off your IT team and put your implementation into the hands of a team with deep knowledge of this technology. (Learn more about our wide range of Customer Success Services.) And when it comes to data access, consider our secure, read-only, IT-approved data connectors, and of course our trusty Customer Success team.
Common concern #4: “We can’t have our data in the cloud.”
This article says it all: Check out this post, where we crush four cloud myths and misconceptions.
Helping IT to see “what’s in it for them”
The use of data analytics and their close integration into audit, risk, and compliance processes is increasingly widespread and rapidly becoming the standard for the profession. The entire approach involves accessing data from multiple sources, often analyzing and examining it in ways that are not performed by any other function within the organization. This will become increasingly important to the organization’s GRC strategy.
The ACL platform is specifically designed to support this strategy, which delivers great value to the organization. If the IT team can assist in the implementation of the server software and enable appropriate data access, they will not need to provide any further support. There will be little or no requirement for ongoing resources from IT to support GRC analytics because, once implemented, the ACL platform enables the audit and risk teams to be self-sufficient in their use of data analytics.