Data in Audit - a guide


Within assurance functions or for specific assurance projects, using data can help improve effectiveness and quality.

There is certainly an efficiency angle too - this article explains how using data can help with efficiency.


There are various "analytics" guides, but few (if any) that are focused on the unique needs of assurance practitioners.

This guide is designed specifically for internal audit and assurance professionals.


If you lead an assurance function or you lead the use of data within assurance projects, you will probably consider:

  1. Governance
  2. Scoping
  3. Planning
  4. Fieldwork
  5. Reporting
  6. Tools and Techniques


If you are starting to use data, or you want to enhance your approach, start with this article: common challenges.

If you are looking for how to approach the use of data - how specifically to scope and plan the use of data, how to determine what to profile and what to test, this article outlines four of the more common approaches.



1. Governance


These articles outline considerations for oversight of the use of data within assurance functions. 

#1: Why audit functions need to consider specific approaches to data governance (within the audit team).

#2: Whether access to data within the audit team should be open (access for all) or closed (access only as needed).

#3: Three key principles for governing data within IAPrinciple 1: Access - detailed.

#4: Principle 2: Quality.

#5: Principle 3: Maximizing benefits.



2. Scoping


Top-down first

One aspect of the use of data within audit has changed over the past few years.

There has been a shift from bottom up thinking to an objectives based approach. What is the problem that needs to be solved?

The traditional, easy way, is to start with a library (a list of rules based analytics routines), but that won't help to properly achieve the assurance or value delivery goals.

This article outlines the hypothesis-based approach (preferred) and three other common approaches.



Assurance professionals (typically) have a unique perspective across multiple functional areas.

Access to each business unit / department = potential to look into matters across the organisation.

So consider the organisation as a whole in scoping the data work to conduct.


Customers don't care which part of the organisation is involved in providing a product or service to them, they care only about the service. Use customer feedback/complaints data if you can - there are several benefits.


The Board won't (or shouldn't) be as concerned with which department you have reviewed, as they are (or should be) with what the potential risks and opportunities are. So you need to look across functional boundaries.


How can the story best be told?  It could be function specific, but this is often not enough.



  • Your high performing peers are not using data just to say "we used analytics"
  • Your stakeholders expect to see integrated results - not just an appendix to your report
  • You can use data purely to confirm compliance, but try to strike a balance where possible
  • Avoid duplication - check whether BAU activity already covers your hypotheses (i.e. how likely is it that you will uncover new insights, given data work conducted elsewhere in the organisation)



3. Planning


Some of the key points to consider in planning your assurance data project / activity include:



4. Fieldwork: Process and Methodology


This process and methodology is specifically for assurance projects - internal audit and performance audit.

Download the process & methodology doc

Key points to note:

  • Start the data process before audit planning. Why?
    • it takes time to get access to the data that you need
    • you want the results of the data work to inform planning and fieldwork
    • it takes time to explore and evaluate exceptions (anomalies)
  • The data process is iterative, as outlined in the guide.
  • Some steps may not be relevant, and you don't need to follow them all.
  • Visualization is an important step - it enables easier exploration of the data and supports explanations/reporting.



5. Reporting


Data is exceptionally useful for reporting

  1. Data can help make reporting more efficient - as outlined in this article.
  2. In finalising an audit, where management actions (a.k.a. management comment, remedial actions) are being prepared, you can use data to help go beyond that remedial action.


If you use data, carefully consider how that will reflect in your report


More on reporting coming soon. Contact us for early access.



6. Tools and Techniques


Deliberately the last item in this topic - because it should not drive the approach.


It is still important, though. This article outlines the minimum set of software and considerations for selection.

Tools don't have to be costly. This article debunks 3 common myths associated with open source software.


Most importantly, avoid "audit analytics" software.  More on this in Episode 18 of the Assurance Show (podcast).

Recent blog articles

4 ways to approach the use of data: internal audit and performance ...

Aug 25, 2020

Efficiency audits: why you shouldn’t avoid them and how to tackle t...

Jun 19, 2020

A broader perspective on how auditors can use data for efficiency

Jun 02, 2020

Recent podcast episodes