Information overload: How to make data analytics work for the internal audit function

Transcription

1 Information overload: How to make data analytics work for the internal audit function Danny Miller, Scott Higgins and Michael Rose Contents 1 A value proposition for internal audit 2 Leveraging data analytics 4 Tools for data analytics 5 Data analytics in practice 5 Getting started 6 Conclusion A value proposition for internal audit It is difficult to overstate the impact that data analytics technologies also known as business intelligence have had on customer relationship management, finance and other parts of today s organizations. Now it is the internal audit department s turn. Data analytics has the potential to transform both the internal audit department itself and the department s value to the organization by helping organizations identify and manage risks more effectively and efficiently. The Institute of Internal Auditors (IIA) already recognizes the growing importance of data analytics to the future of internal audit. Indeed, the IIA has specifically addressed continuous monitoring and data analytics in GTAG-3, a report from its Global Technology Audit Guides series, a resource designed to provide standardized guidance to auditors. The challenge is to find ways to incorporate data analytics into the internal audit department s key activities. In doing so, internal audit executives are likely to find that data analytics procedures often reduce audit time and costs significantly, while offering the potential for continuous insight into both control effectiveness and transaction compliance. The development of specialized and powerful audit analysis software has transformed traditional auditing in many organizations. These tools allow data analytics to be applied effectively to a broad range of audit procedures, often without the need for technical expertise. By relying on the automated extraction of difficult-to-obtain data to enhance decision-making, internal auditors can minimize audit-related costs, maximize profits, increase reliability and improve efficiency. In some organizations, internal audit departments have been able to reduce staff by 25 percent after implementing data analytics. The challenge is to find ways to incorporate data analytics into the internal audit department s key activities.

2 Data analytics is a broadly defined set of analytical techniques used to derive specific information, conclusions, trends and other valuable insights from one or more sets of correlated data. Traditional auditing applies a range of typically manual tests to transactions and balances. Legacy internal audit applications deliver a fixed set of data that is intended to help answer a static set of questions determined at a given point in time. By definition, these fixed data sets do not provide the flexibility required for conducting more fluid types of analyses. (See page 6 for definitions of key terms.) The attraction of data analytics lies in its ability to facilitate the identification of errors, potential fraud and inefficiencies by independently checking and validating entire collections of transaction data against specified control parameters and business rules. This type of transaction monitoring can reduce fraud and error, and effective analytics adds measurable efficiencies to audit and related risk and control processes. A structured approach to data analytics is essential. Internal audit groups can also use data analytics to identify trends and exceptions and highlight potential areas of concern. Therefore, data analytics has a critical role to play throughout the audit cycle and adds significant value in controls monitoring. For example, data analytics can help organizations recover revenue from a single instance of fraud or from other sources of lost revenue. Data analytics can also help prevent these situations from occurring in the future. 1 Leveraging data analytics A structured approach to data analytics is essential. A prerequisite for using data analytics effectively is a well-defined set of audit goals and objectives covering topics such as the following: Detecting and monitoring key risk indicator (KRI) thresholds and events Adherence to company policies and procedures Material cost fluctuations Performance thresholds such as customer complaint levels A strong framework Companies need an effective data analytics framework that is dynamic enough to accommodate an evolving set of challenges and opportunities such as enterprise data sets that are often large, detailed and complex and continually changing business needs and conditions. A properly designed framework has four major components: A common data model A model that defines the unifying structure of related and unrelated data in a way that produces useful information Analytical procedures Procedures used in the study and evaluation of data Data visualization A visual representation of data A common delivery platform A system or systems used to interact with the data With those elements in place, the framework can support ad hoc, on-demand and interactive analysis, reporting, and exploration, thus allowing organizations to rapidly identify issues and their underlying causes. The framework also supports security constraints defined at the database level to ensure proper access and controls so that personnel without read access can t perform analytical procedures on the data. A common data model also enables data standardization and normalization by allowing the rapid absorption of any amount of data from any source. 1 Verver, John. Effective Data Analytics: The Path to an Integrated Approach for Audit and GRC, Oct. 26, Corporate Compliance Insights, /effective-data-analytics-audit-grc. 2

3 Appropriate use Internal audit groups can establish continuous auditing, assessment and monitoring in any controls area with available data and with established control rules that have enough data as evidence of each control s effectiveness. For example, business process transactions may involve financial, operational and regulatory controls. The use of COSO 2 control objectives and audit assertions would serve as a guide in determining the control to be tested. It is good practice to include in the scope of the analysis all data collected from automated controls in the information technology area. This type of analytical and monitoring activity can provide insight into access and authorization tables addressing the following: Segregation of duties assessments User access assessments Data security assessments Systems configuration assessments Control Objectives for IT (CobIT) applicability The tables referred to above relate to certain systems user attributes (e.g., role, function, security level, other system privileges) that facilitate the transactions executed. Value-based data analytics Implementing a value-based data analytics approach requires an effective plan that focuses on enhancing the use of data analysis software for risk assessment, risk monitoring, and audit scoping, execution and reporting. This plan should also include a business case for acquiring additional tools beyond what is already deployed within the organization, and it should identify any resource requirements, including training. Continuous monitoring of KRIs As an internal audit department looks at significant risks to the business from multiple perspectives, it can look for more effective ways to continuously monitor KRIs. Every organization faces certain risks. KRIs serve as a barometer of overall and specific risk levels and as early warning signals of increased risk or potential problems. For example, one large global manufacturer with a complementary sales force has developed a KRI that involves customer complaint levels by product and region. Using data analytics, the manufacturer s internal audit group determined that customer complaints are a precursor in this instance, a KRI for product returns. The baseline for a KRI is as important as the KRI itself because the baseline determines when an alert will be triggered. In this example, complaints must reach an agreed-upon threshold before the KRI shows an increased level of risk. It is good practice to include in the scope of the analysis all data collected from automated controls in the information technology area. Automated sample selection ahead of scheduled audits Gathering appropriate samples for testing and analysis is an important part of internal audit and data analytics. As long as the internal audit department knows where the correct data resides and is comfortable with its sampling methodology, data analytics allows internal audit staff to identify relevant data sets before an audit begins. Then, as the audit progresses, the audit team can pull samples from those data sets as needed. However, the data sets must be refreshed regularly to make sure the audit team is working with the most recent data. In fact, the intervals for update are important to keep in mind when pulling sample data for audits. For example, depending on the frequency and volume of certain financial transactions, manual subledger-to-general-ledger journal entries are one of the most critical data elements that need to be captured on a scheduled basis. 2 Committee of Sponsoring Organizations of the Treadway Commission 3

4 Tools for data analytics A number of tools can facilitate and support analytical work on data set collections. Certain tools such as Microsoft Office Access and Excel s histograms and pivot tables are best used to perform basic analysis and sampling when data sets or collections of data are predefined in templates and don t require complex manipulation. These tools work for one-off queries and analyses, including sampling. They can also supplement more sophisticated reports produced by programming experts using Monarch (Windowsbased report mining software), Audit Command Language (ACL), Interactive Data Extraction and Analysis (IDEA), Statistical Analysis System (SAS), Statistical Package for the Social Sciences (SPSS), and TopCAATs, which runs from within Excel. More complex tools such as Cognos, BusinessObjects and Hyperion represent a new generation of powerful technologies for defining and correlating data, including data that is not easily associated. These tools are very effective for use in the continuous monitoring of KRIs and other complexattribute analytics. Because traditional business intelligence tools often provide static charts and text-based reports, they can be supplemented by a data visualization platform that allows users to query, summarize, hypothesize, visualize and report data in real time. These enhanced tools allow internal audit groups to perform complex analytical activities such as audit trails and event log correlation more easily. A data visualization platform supports immediate decisions with customizable dashboards and alerts, as well as visualizations and reports in a variety of formats that allow users to drill down into the underlying data at any level. Integrating data visualization and analysis allows internal auditors to analyze greater volumes of more complex data. As a result, end users with intimate knowledge of the data can perform various analytics in real time, improving efficiency and minimizing reporting time. For their effective use in internal audit, these technological tools should include: A strong governance, risk and compliance (GRC) structure. Such a structure establishes links between risks and controls. An efficient and easy-to-use relational database. Allows users to query on the characteristics shared by all data. The ability to facilitate collaboration. A truly collaborative tool that allows multiple users to view and share information easily and simultaneously. A strong documentation taxonomy. Every risk and control being assessed involves associated data and information. For example, if the internal audit department is assessing a control that requires a certain level of approval for invoices exceeding a specific dollar amount, that assessment will involve the data sets associated with every invoice and purchase order affected by that control. Security and verifiability. Effective technology will protect the confidentiality of documentation. Such technology must be secure and provide user access based on job roles and need-to-know requirements. 4

5 Data analytics in practice The internal audit group of a $3 billion pharmaceutical device manufacturer was able to develop an array of data analysis tools to streamline and improve its work after it began using data analytics to perform continuous monitoring. Relying on Cognos, the internal audit group can now produce dashboards, reports and just-in-time analysis for all levels of technical and business leadership. The company collates and aggregates data from subsidiaries and business divisions into more than 10,000 information cubes that are refreshed daily to provide particular data views. For example, there are cubes for sales and manufacturing arranged by product line and country. At first, this approach created an overwhelming amount of data and information. To select the data that was appropriate for its needs, the internal audit group focused on its goals and objectives for continuous monitoring and auditing. For example, one key objective was to establish continuous monitoring of expense reports to deal with potential exposure points that may have been created under the expense policies set by the parent organization. The internal audit team worked with personnel within the divisions to identify the cubes that would enable closer examination of expense reporting data. These personnel worked where the data originated and were responsible for aggregating the data into cubes for reporting and analysis. Using Cognos-enabled queries, dashboards and reports, the internal audit team was able to pull the relevant information from each cube in order to identify expense items above the internal audit threshold, unusual items on expense reports, and other anomalies and attributes that indicated potentially fraudulent expense reporting. Since this information was being refreshed daily, the internal audit team was able to take regular snapshots of activity and review them over time. Because the internal audit team created its own information cubes with defined and secure data, it was able to perform continuous monitoring for the organization without having to purchase new software. And because the tool was so widely used throughout the company, internal audit staff members were able to attend scheduled training with other users of the tool. Now that the tool is in place, the internal audit department regularly finds new and innovative ways to use it and the additional data it is able to generate. Getting started In many organizations, the move to data analytics in internal audit can simply be an extension of work that is already being done in the organization. Many companies may be using the necessary technological tools through existing enterprise resource planning and other systems. The key is determining how to modify these tools to accommodate the needs of an internal audit environment. 1. Collaborating with the information technology department. A good first step toward using data analytics is meeting with company IT experts and systems analysts to determine what is available and appropriate for internal audit data analytics. This can also serve the purpose of establishing a relationship with the IT department. The strength of that alliance can go a long way toward easing the transition to data analytics and allaying any concerns or anxieties among internal audit department leaders and staff. 2. Mapping enterprise data to the risk framework. The internal audit department needs to determine its specific data needs. Many companies maintain data warehouses with enormous amounts of data that can quickly become overwhelming. It is up to the internal audit staff to identify the most relevant data based on existing risk assessments, one- and three-year audit plans, and other departmental parameters. The process of establishing data analytics never really ends. Organizations and the risks that they face are constantly evolving. Therefore, the internal audit department s data analytics approach and tools must also change and evolve to keep pace and stay relevant. 5

6 Conclusion By using data analytics effectively, internal audit departments can add value to the organization while playing a more strategic role in day-to-day operations. Data analysis and data analytics can have a significant impact on the internal audit department s efficiency and productivity. As companies implement data analytics, they can move quickly from one-off analysis and testing to continuous auditing. Continual execution of automated audit and monitoring tests represents the greatest opportunity for organizations to achieve dramatic benefits and increased efficiencies. With data analytics, success comes from applying sustainable technology across financial, operational and business systems. With effective automated data monitoring, companies can be assured that any gaps or trends in internal controls and risks will be addressed quickly and problem transactions repaired quickly. The end result is an organization with a finger on the pulse of its key risks and the ability to manage those risks more effectively. About the authors Danny Miller National Leader IT Solutions, Business Advisory Services Danny.Miller@gt.com Danny Miller is a principal and the practice leader in Grant Thornton s Business Advisory Services practice in the Philadelphia offi ce. He is also the national leader for IT consulting and security for the fi rm in the United States. Miller has more than 24 years of experience in the IT, consulting and audit fi elds. Miller is accredited as a Certifi ed Information Systems Auditor (CISA). He has a Yellow Belt in Six Sigma and a Green Badge in ITIL, and he holds a Certifi cation in the Governance of Enterprise IT (CGEIT). In addition, Miller is certifi ed in the performance of quality assessment reviews and is a published author on topics related to computer fraud and IT governance. Scott Higgins Executive Director, Business Advisory Services Scott.Higgins@gt.com Key terms Common data model. A model that allows all users access to the same data sets. Configuration files. Files that defi ne application, database and operating system settings. Continuous assessment. A process used to assure the audit committee and senior management that controls are working properly by identifying control weaknesses and violations. Individual transactions are monitored against a set of control rules to provide assurance regarding the system of internal controls and to highlight exceptions. Continuous auditing. Any method used by auditors to perform audit-related activities on a continuous basis. Continuous monitoring. A process that management puts in place to ensure that its policies, procedures and business processes are operating effectively. Data. Groups of information that represent the qualitative or quantitative attributes of information. Data analytics or analysis (also called business intelligence). When these terms are used in the context of an internal audit, they are also referred to as audit intelligence. Data analytics used for the internal audit function encompasses data extraction and analysis, continuous auditing, risk assessment functionality, and fraud detection. Data catalogs. High-level defi nitions of what data is available, where it is stored, related data or collections of data, and other attributes. Data classification scheme. A tool used by organizations to get a handle on what data is available, what types of data categories have been established, and the criteria for organizing data into those categories. Data sets. Groups of data, including a database composed of one or more tables, metadata, flat fi les of information, confi guration fi les, and many other pieces or collections of data. Data visualization platform. Any tool that allows users to view large amounts of frequently complex data in the form of actionable, contextualized information. Metadata. A description of data or data about data. Because most organizations have no lack of data, their challenge is to defi ne and describe data correctly so that its correct use is ensured. Value-based data analytics. A process that integrates critical data from across the enterprise value chain, transforming silos of information into relevant, timely and actionable insight. Scott Higgins is an executive director in the Philadelphia offi ce s Business Advisory Services practice. He has more than 26 years of industry and consulting experience. Higgins provides an array of services pertaining to compliance (internal audit, Sarbanes-Oxley), IT, and management (budgeting, forecasting and human capital development). Michael Rose Partner, Business Advisory Services Michael.Rose@gt.com Michael Rose is a partner and the Northeast Region s practice leader of Grant Thornton s Business Advisory Services practice. He is also the co-leader of our national Governance, Risk and Compliance practice and the national leader of our Enterprise Risk Management practice. He has more than 25 years of experience in the areas of business process and IT SOX advisory, internal audit, IT security and monitoring controls. About Grant Thornton The people in the independent fi rms of Grant Thornton International Ltd provide personalized attention and the highest quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member fi rm of Grant Thornton International Ltd, one of the six global audit, tax and advisory organizations. Grant Thornton International Ltd and its member fi rms are not a worldwide partnership, as each member fi rm is a separate and distinct legal entity. Content in this publication is not intended to answer specifi c questions or suggest suitability of action in a particular case. For additional information on the issues discussed, consult a Grant Thornton client service partner. Grant Thornton LLP All rights reserved U.S. member fi rm of Grant Thornton International Ltd 6