Data in Audit - a guide
Within assurance functions or for specific assurance projects, using data can help improve effectiveness and quality.
There is certainly an efficiency angle too - this article explains how using data can help with efficiency.
There are various "analytics" guides, but few (if any) that are focused on the unique needs of assurance practitioners.
This guide is designed specifically for internal audit and assurance professionals.
If you lead an assurance function or you lead the use of data within assurance projects, you will probably consider:
If you are starting to use data, or you want to enhance your approach, start with this article: common challenges.
If you are looking for how to approach the use of data - how specifically to scope and plan the use of data, how to determine what to profile and what to test, this article outlines four of the more common approaches.
These articles outline considerations for oversight of the use of data within assurance functions.
#2: Whether access to data within the audit team should be open (access for all) or closed (access only as needed).
One aspect of the use of data within audit has changed over the past few years.
There has been a shift from bottom up thinking to an objectives based approach. What is the problem that needs to be solved?
The traditional, easy way, is to start with a library (a list of rules based analytics routines), but that won't help to properly achieve the assurance or value delivery goals.
Assurance professionals (typically) have a unique perspective across multiple functional areas.
Access to each business unit / department = potential to look into matters across the organisation.
So consider the organisation as a whole in scoping the data work to conduct.
Customers don't care which part of the organisation is involved in providing a product or service to them, they care only about the service. Use customer feedback/complaints data if you can - there are several benefits.
The Board won't (or shouldn't) be as concerned with which department you have reviewed, as they are (or should be) with what the potential risks and opportunities are. So you need to look across functional boundaries.
How can the story best be told? It could be function specific, but this is often not enough.
- Your high performing peers are not using data just to say "we used analytics"
- Your stakeholders expect to see integrated results - not just an appendix to your report
- You can use data purely to confirm compliance, but try to strike a balance where possible
- Avoid duplication - check whether BAU activity already covers your hypotheses (i.e. how likely is it that you will uncover new insights, given data work conducted elsewhere in the organisation)
Some of the key points to consider in planning your assurance data project / activity include:
- Start early - it can take up to 3 months to source the data that you need
- Plan for iteration - a traditional project management approach does not always work - this article outlines a potential alternate approach
- Plan for time to confirm assumptions and to verify outcomes
- Full population procedures often produce high numbers of exceptions - this article explains one approach to dealing with the noise
4. Fieldwork: Process and Methodology
This process and methodology is specifically for assurance projects - internal audit and performance audit.
Key points to note:
- Start the data process before audit planning. Why?
- it takes time to get access to the data that you need
- you want the results of the data work to inform planning and fieldwork
- it takes time to explore and evaluate exceptions (anomalies)
- The data process is iterative, as outlined in the guide.
- Some steps may not be relevant, and you don't need to follow them all.
- Visualization is an important step - it enables easier exploration of the data and supports explanations/reporting.
Data is exceptionally useful for reporting
- Data can help make reporting more efficient - as outlined in this article.
- In finalising an audit, where management actions (a.k.a. management comment, remedial actions) are being prepared, you can use data to help go beyond that remedial action.
If you use data, carefully consider how that will reflect in your report
More on reporting coming soon. Contact us for early access.
6. Tools and Techniques
Deliberately the last item in this topic - because it should not drive the approach.
It is still important, though. This article outlines the minimum set of software and considerations for selection.
Tools don't have to be costly. This article debunks 3 common myths associated with open source software.
Most importantly, avoid "audit analytics" software. More on this in Episode 18 of the Assurance Show (podcast).