Maturing the Use of Data Analytics
By John Verver, ACL Services Ltd.

Source: Protiviti's KnowledgeLeader

Just about every recent survey and report on trends affecting internal audit has ranked the areas of data analytics, continuous auditing and monitoring as being of high importance.  Although continuous auditing and monitoring can theoretically take place without automation, there is widespread acceptance that technology, specifically data analysis technology, underlies these processes. How do these three areas relate to each other, and how do organizations implement these approaches?

In practice, the use of analytics is usually part of a continuum. It tends to start off with ad hoc use, then move to repetitive use, and, finally, to continuous auditing and continuous monitoring. Let us take a look at the typical evolution in usage. 

The first stage in using data analysis is often performing a preliminary analysis as part of an analytical review or initial risk assessment. The objective is to gain an understanding of the nature of the transactions that have taken place within a given audit area. So, if auditors are working on the purchase-to-pay cycle, for example, they first need to obtain access to the transaction data for purchase orders, goods received, invoices and payments. They then examine the data using software to better understand what has occurred during the audit period and to identify any immediate indicators of risk or abnormality.

In the case of a payroll audit, for example, this may mean analyzing all compensation payments for a given period by performing basic statistical analysis and finding that in one particular location, employees are receiving unusually large amounts of overtime or high pay rates. A bank audit example may involve stratifying mortgage interest rates to find that certain loan officers are issuing loans at unusually low rates. None of these analytics are particularly complex – they simply provide the auditor with some exploratory insight into areas that warrant further investigation.

The next stage may well be a more specific and structured process. A step in a purchase-to-pay audit program may be to determine that purchase order approval controls are working effectively. Instead of testing a sample of purchase orders, a specific analytic test can be performed to determine that every purchase for a 12-month period was properly approved by a valid authorizing officer, within the limits defined by approval policies. Once this step has been performed successfully, it usually makes sense to save the test procedures for repeated use. This involves creating a simple application that can be repeated as needed by auditors – during a subsequent audit or by other auditors in different locations.
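
The purchase order approval test described above can be saved as a small repeatable script. The following is an added example, not part of the original article or of any ACL product: the column names, officer IDs, approval limits and purchase order rows are all constructed for illustration, and the function name check_po_approvals is hypothetical.

```python
import csv
import io
from datetime import date
from decimal import Decimal

# Constructed approval policy: authorizing officer ID -> approval limit.
APPROVAL_LIMITS = {"A100": Decimal("5000"), "A200": Decimal("50000")}

# Constructed purchase order extract (in practice, the full ERP export).
PO_EXTRACT = """po_id,po_date,requester,approver,amount
PO-001,2011-03-14,R01,A100,4200.00
PO-002,2011-05-02,R02,A100,7350.00
PO-003,2011-07-19,R03,,1200.00
PO-004,2011-09-30,R01,X999,300.00
PO-005,2011-11-08,R01,R01,900.00
PO-006,2010-12-31,R02,A200,81000.00
"""

def check_po_approvals(extract, limits, period_start, period_end):
    """Test every PO dated in the period; return (tested_count, exceptions)."""
    tested, exceptions = 0, []
    for row in csv.DictReader(io.StringIO(extract)):
        po_date = date.fromisoformat(row["po_date"])
        if not period_start <= po_date <= period_end:
            continue  # outside the audit period, not part of this test
        tested += 1
        approver = row["approver"].strip()
        amount = Decimal(row["amount"])  # Decimal avoids float rounding on money
        if not approver:
            reason = "NO_APPROVAL"       # purchase was never approved
        elif approver not in limits:
            reason = "INVALID_APPROVER"  # approver is not an authorizing officer
        elif amount > limits[approver]:
            reason = "OVER_LIMIT"        # amount exceeds the approver's limit
        else:
            continue                     # properly approved
        exceptions.append((row["po_id"], reason))
    return tested, exceptions

if __name__ == "__main__":
    tested, found = check_po_approvals(
        PO_EXTRACT, APPROVAL_LIMITS, date(2011, 1, 1), date(2011, 12, 31))
    print(f"{tested} purchase orders tested, {len(found)} exceptions")
    for po_id, reason in found:
        print(po_id, reason)
```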

The next stage in the continuum of analytics usually involves developing a suite of tests that can be applied for each audit area. These suites do not have to be all encompassing – typically they evolve over time, beginning with areas that produce the best results for the effort required to implement them.

Moving to continuous auditing and monitoring

Once the value of a particular analytic has been established, the natural next step is to determine whether it makes sense to run the test on a regular basis – as continuously as possible. The argument for doing this is straightforward. If there is value in knowing about control breakdowns and problem transactions sooner rather than later, then why not run the tests on a frequency that allows a timely response and correction of the problem? There are definitely people and process issues to consider when moving to a more continuous auditing approach, but from a technology point of view, it is not a large step to go from automated standard tests to running them on a regular basis. This may mean testing purchase-to-pay transactions daily, payroll on a weekly basis and journal entries once a month. Continuous can mean many things in the context of auditing and monitoring and, particularly in the case of testing transactions, is rarely truly continuous in terms of real-time processing.

The next level along the continuum involves management. Although there continues to be some debate about the meaning of continuous auditing compared to continuous monitoring, the broad consensus is that continuous monitoring is the responsibility of management. Continuous auditing is performed by audit, who normally will communicate the results of continuous auditing procedures to management on a timely basis. Why not take the next step and have management take responsibility for monitoring controls and transactions to enable a rapid response and address issues before internal audit is involved?  If management can see on a timely basis that a problem is occurring, such as a purchasing officer exceeding his or her limits and bypassing the approval processes (with the possible existence of fraud), then the organization should be able to respond more rapidly. The underlying technologies are very similar between continuous auditing and monitoring, though effective continuous monitoring usually involves specific capabilities to manage exceptions and the resolution process.

Each stage is part of a continuum and most organizations tend to progress from one stage to another. However, there is value in being able to use analytics at all stages. Let me explain. If an organization is performing continuous auditing or monitoring, what happens when specific problems are identified? It may be that the exceptions identified generate sufficient information to lead to problem resolution. Frequently though, additional ad hoc data analysis may be required to gain deeper understanding about the nature of related transactions and activities – for example within a specific department or region. It may involve additional analysis to drill down and investigate a particular authorizing manager, gathering a complete set of information on his or her activities in a specific time period.

The value of data analytics

Consider a basic question: Why do surveys identify proficiency with data analysis as a critical area in which auditors need to progress? The traditional audit approach involves identifying control objectives, assessing and testing controls, probably performing a walk-through procedure, and doing some sampling (often on a judgmental basis, occasionally on a statistical basis) to see whether they support the conclusions around control effectiveness.

With data analytics, this approach changes fundamentally. It is now possible for organizations to look at every transaction and every balance, and to apply a whole range of tests to that data. This allows a greater degree of assurance about the effectiveness of the controls and the substantive validity of transactions and balances. It also provides greater audit coverage. Auditors have come to recognize this is a highly efficient approach. If analytic procedures are set up effectively, a significant reduction in audit time and costs often occurs (approximately 25 percent on average).

The move to automated testing and continuous audit procedures also changes the traditionally cyclical nature of the audit process.  Comprehensive testing of transactions and controls effectiveness, on an ongoing automated basis, enables audit to move to a more risk-based approach. The results of continuous auditing techniques provide visibility into whether risk is increasing in specific areas and warrants additional audit focus. This use of analytics provides continuous insight into control effectiveness and the compliance of transactions. As long as internal audit can depend on the integrity of these testing procedures, it frees up audit resources to address other areas of risk. Reducing the need to commit substantial resources to regular financial and operational audits provides the ability to focus more on areas of higher risk in which professional judgment and expertise are key.

The use of data analytics for audit (a key part of CAATs) dates back at least two decades. At that time, it was a highly specialized area, often requiring mainframe programming expertise, and was the domain of the most technical audit personnel. The development of specialized audit analysis software has transformed this area so that analytics can now be applied effectively to a broad range of audit procedures, in many cases without the need for technical specialization.

How to progress with analytics usage?

Although most audit departments now use data analysis in some manner, the actual extent of use and degree of benefit varies considerably. How do audit departments use analytics most effectively?

It begins at the audit planning stage. Some audit organizations require that consideration be given to the use of analytics in every audit and involve a specialist to identify potential applications.  This means working through an audit program and considering, for every audit objective and step, whether analytics could provide more effective results than manual procedures.  If it is clear that there is potential, the next step is to determine the availability of appropriate data.

In a typical audit of a financial or operational process area, our own experience is that analytics can often be applied to at least 50 percent of audit steps. In practice, there needs to be a prioritization in terms of where analytics can provide the greatest benefit, with the lowest effort required.  There is nothing like proving the successful use of analytics in one audit to encourage more extensive use on other audits.

At the completion of an audit, it is good practice to have a specialist review how analytics were used, assess the overall effectiveness and recommend further opportunities for use in subsequent audits. This should include whether it makes sense to automate specific procedures for continuous use, and whether management should be involved in and take on the responsibility for continuous monitoring of specific controls and transactions.

A “big bang” approach to using audit analytics is seldom the best approach. As long as there is management commitment to integrating analytics into the audit process when there are clear benefits, then it is normally a case of constant progression in use. This means extending usage from one audit to another – and from one group of auditors to another – so that over time, experience and expertise become engrained throughout the audit team.

As use of data analysis widens, there are also benefits in viewing the results as a whole, at the management level.  This may mean an audit director reviewing a dashboard with the CAE. The summary can be in terms of numbers of control points and transactions examined, the number and severity of exceptions identified, together with the status of resolution.
 
Technology platform

It is possible that basic data analysis can be performed using a range of tools, including spreadsheets and database query and reporting systems. There are certainly risks from using spreadsheets, apparent to any auditor, because of the difficulty of ensuring data integrity. General purpose analysis tools also have their own limitations. It is clear that the analytics process must be managed in order to be relied upon by audit, which is why audit-specific analysis software should include capabilities such as:

  1. Maintaining security and control over data, applications and findings
  2. Logging all activities
  3. Analysis techniques designed to support audit objectives
  4. Automated creation and execution of tests

The objective is to make the use of audit analytics a sustainable, efficient and repeatable process. As with most uses of software technology, it is not a magic bullet. It requires attention to people and process issues, from management’s commitment and support, through training and the assignment of roles.


© 2012 Protiviti Inc. All Rights Reserved.