Responding to the growing demands for departments to gain greater insights on their programs and operations using data, internal auditors are tasked to find ways to apply data analytics to drive effective and efficient client consulting and auditing. Audit that uses data to assess and identify risk, test controls and report issues, adds value and provides extensive risk coverage and insights to exceptionally complex issues. When drawing a successful analytics roadmap, the ability to navigate through vast quantities of data is essential.
Analytics Maturity and Strategy
The most important first step is to formalize a strategy.
Understanding the current state (see Figure 1), documenting the strategy and translating the strategy into an actionable roadmap are critical to any analytics initiative. Applying a program-level approach to identify, plan and manage analytics can promote a client/internal audit partnership and help enhance relevant reporting and monitoring practices. The goal is to bring analysis closer to decision-makers.
Raising profile and momentum of the analytics strategy can include conducting one or two analytics-enabled pilots to serve as a proof of concept. Focusing on “low hanging fruit”, such as accounts payable or time and expense reporting will facilitate momentum.
Improving the level of data quality can lead to a smoother start of the pilot project. The following steps are an example of how data quality can be enhanced:
- put external reports into usable formats for analysis and extract relevant information;
- sort, attribute and aggregate data; and
- identify inter-relationships and data outliers.
However, the speed and confidence at which data cleansing and categorizing can be done, grows with experience and familiarity with the data and tools in use. Most of the effort has to be focused on creating the data foundation upon which the analytics will be applied. If data foundation is the engine, data analytics is the steering.
Using data analytics concepts and tools in the planning process will accelerate all subsequent steps of the audit cycle. For example:
- risk identification and key controls can be tested for violations;
- scope can be tightly focused to assess the violations and in particular the root cause.
The Institute of Internal Auditors [IIA] says,
Public sector auditors are in a unique position when it comes to serving their stakeholders. Not only do they need to satisfy the needs of their leadership and governance processes, they often have to balance those requirements with their political and public stakeholders.” (Auditing the Public Sector–Managing Expectations, Delivering Results by The Institute of Internal Auditors Research Foundation)
In this environment, data analytics is a necessary and powerful tool for assessing risks and controlling violations. Expense management is a high risk optics category for public sector operations. As such, considerable effort has been invested in the past through controllership, costly and prolonged substantive auditing, and client training to ensure appropriate compliance.
With a data analytics approach, expense concentration, consistency across periods, and deviations from the required limits or the mean, are all relevant elements used to identify patterns, trends and outliers to expense limits. The governance function at all levels remains highly visible, while the analytics expertise supports a cost effective monitoring culture.
Internal auditors and their government and public sector clients have a shared interest in improving their cost-effective control environments. The clients can use these techniques to develop their data use capacity to assess risks in complex program delivery, and to allocate compliance/control resources, accordingly.
A logical progression for internal audit’s role in the organization is to consult, encourage and support client groups to adopt these techniques. Data analytics applied directly by clients to policy and operations can provide improved control design and governance monitoring. Audit’s role under the COSO model also tests the effectiveness of new controls developed with data analytics to ensure they operate effectively. Both consulting and assurance roles require strong working knowledge of the business dynamics, data elements and linkages, and analytical tools necessary for assessment.
Case Example: Client Data Analytics Applied to Service Provider Performance and Compliance Monitoring
The Ontario Internal Audit Division (OIAD) worked with its client, a division in the Ministry, to establish risk profiles reflecting key data elements, performance indicators and outcomes relevant to a class of service providers. The client assessed their data holdings and other related best practices to refine risk profiles and compliance options. Additional monitoring tools were considered and tested for efficacy using actual data in controlled tests. The outcome of this client-driven process provided faster insight into performance and focused specialized resources on higher risk providers and mitigations. It also allowed for targeted, high impact and cost effective monitoring and interventions. Audit, with its advanced knowledge of data analytics, can provide further assurance of control and decision making integrity within the governance model.
The above processes resulted in mitigated risk, conserved resources and limited intrusion to those service providers who do not merit regular in-depth compliance assessment.
Evidence-Based Decision Making
For both the public and private sectors, analytics plays a critical role in evidence-based decision making. Today, it is vital that management focuses on reducing mountains of collected data into digestible insights that will drive clear and effective business practice. Legislative Officers, including Auditors General, Financial Accountability and Budget Officers, are already applying data analytics with direct access to huge data bases to perform their mandates toward value-for-money assessments and effective oversight.
In the 2015 Budget, the Ontario government announced their new Centre of Excellence for Evidence-Based Decision Making to build capacity to assess how programs are performing, using evidence to inform choices and lead change in critical public services with increasing transparency and accountability.
Communities of Practice
The Ontario Public Service (OPS) has also established a Communities of Practice (COP) process. The goal of the COP is to “advance the knowledge of those within government who pursue analytics and are looking to discover new methods, trends, techniques and understanding of the field.” The ability to convert data to practical knowledge will strengthen user group skills and confidence, and result in clear and insightful program management.
There is a clear opportunity for internal audit to formally invest in cross-cutting data management COP. The need to apply relevant consulting expertise and ensure cost effective assurance opinions are supported by the application of control assessments that mirror innovative business process. Data intimacy allows for horizontal links, across seemingly disparate programs, which in fact are quite similar in structure, to which tested techniques can be applied and leveraged.
Data Drivers: Key Success Factors for Auditors and Clients
The strategic approach and the examples outlined above reflect the following guiding principles when embarking on your own internal audit journey:
- Treat the endeavour as an investment, and establish collaborative linkages
- Define the initial objective. Establish a Plan. Define the ROI.
- Start with a critical mass of dedicated, adequately experienced enthusiasts
- Establish an intimate knowledge of key business processes
- Define success factors to test a hypothesis
- Gather data from multiple sources and DO NOT BE DETERRED
- Organize data, noting interrelationships, and quality/integrity controls
- Document the process
- Respect the present culture and barriers to change
Data visualization can be an additional critical guiding principal as it facilitates understanding of data sets and provides ability to drill down and get to the transaction in question. “Visualization tools provide visual representation of the data, facilitating organization of complex information, driving insights from the data and optimizing user needs. Within the agile world of identifying risks, the art of visualization is a strategic asset for internal audit teams.”
Recognizing that the internal audit profession is evolving, effective leaders are innovating processes by investing in data analytics and technological tools. Sophisticated decision making is not simply about analyzing more variables, crunching larger data sets or running complex models. It requires a fundamental change in mindset that begins with senior managers and continues throughout the entire organization. Data analytics must be seen as an investment with consistent, continuous improvement that requires sustained commitment under focused leadership. The benefits of advanced data management support improved risk assessment, focused control design, monitoring, and timely corrective measures. Change is happening all around us and it will take constant capacity building, supported by leading-edge resources to transform the way internal audit functions and supports its clients.