For the past decade, PwC’s annual State of the Internal Audit Profession study has proved to be a reliable barometer of the status of issues impacting auditors globally.
This year’s study contains a strong theme around the importance of executive leadership in internal audit, and continues with the message that has been in every release of the study—data analysis has a critical and transformational role to play in audit’s ability to deliver value that matters to stakeholders.
There is no question that leaders in the profession now recognize what we at ACL have been saying for a quarter of a century. Caroline Armour, chief audit executive at Verizon, is quoted as saying:
“Data analytics and visualization are fundamentally changing the way internal auditors do their jobs; they are changing the internal audit profession.” PwC’s study also states that “The objective of analytics is not simply to automate isolated audit procedures but to transform the way internal audit functions. Analytics are embedded in risk assessment and integrated throughout audit planning, fieldwork, and reporting.”
The PwC report goes on to describe the experiences of Bristol-Myers Squibb Company in their transformational use of data analysis. The case study does a good job of identifying a number of topics that need to be addressed within a successful audit analytics program and I think it worth quoting the full description:
“Audit Services had to clearly define a strategic vision that was aligned with the business strategy to secure the investments needed to build advanced analytical capabilities within a function that historically had not been analytics driven.
This required—and continues to require—deliberate, clear communication about the value proposition and benefits to the business.
Audit Services is already beginning to see payback from its efforts. It is fully integrated and aligned with the company’s enterprise-wide analytics strategy, and is viewed as a thought leader around data governance. Additionally, Audit Services has now conducted analytics-driven audits, which have enabled the function to extract insights from data in a way that increased the overall effectiveness of its audits and the assurance it provides to stakeholders.
With these successes in hand, Audit Services is continuing to demonstrate forward thinking and innovation. The function is investing in analytics capabilities that have enormous potential payback from joining disparate data sets across multiple business processes to uncover deeper insights and drive further value. It is also implementing innovative ways to use analytics to drive its periodic risk assessment, using a hypothesis based approach to analyze transactional data and identify themes and trends that inform the department’s view of risk throughout the company. Finally, Audit Services is transferring the analytics it has developed to the business, giving business leaders new tools to manage the risk to the organization. Audit Services’ transformational analytics strategy, the deeper insights it is generating from the effort, and the value it is adding by transferring capabilities to the business are all steps helping Audit Services to demonstrate its value as a Trusted Advisor to the organization.”
Yet this is still more of an exception than the rule
This is all great to hear, but it is still disappointing to see the slow progress that many audit teams are still making in their use of data analysis and, for that matter, technology in general. This is clearly recognized by those stakeholders who rate IA’s performance in the use of technology as the worst of eight performance criteria. Only 40% of stakeholders consider that IA is doing well in their use of technology. Though in the case of audit teams with leadership that is rated as being strong, this rating moves up to 70%—and down to 24% for audit functions with weak leadership.
The importance of leadership in successful use of data analysis and technology is clear in practice. Without exception, every internal audit organization that I can think of that uses technology sustainably and effectively, is led by an individual who has given strong strategic and practical support to a well-managed data analysis program. On the other hand, if an audit leader, no matter how well intentioned, considers data analysis to be a technical topic, with responsibility often delegated to individuals with little management experience or mandate, then there is very little chance that data analysis can be successfully integrated into the audit process.
Although some things may be simpler in some small audit departments, almost every medium to large audit team that has made significant progress in their use of data analysis has also managed to address the same range of issues. In addition to overall CAE leadership, these topics include, for example:
- Design and management of an analytics implementation program
- Building the business case
- Setting goals and measuring results
- Integrating analytics into the audit process
- Accessing and managing data
- Design and maintenance of analytic tests
- Organizing roles of team members
- Knowledge and skillsets
- Technology capabilities
I am sure that PwC, or any of the other global audit services organizations, would endorse the view that while technology can be a massive enabler of a transformed approach to audit and risk management, it is just an enabler. While it is important to select and use the right audit and data analysis technology, without also having effective leadership around the people and process issues of technology implementation, it is not surprising that many audit departments are still not meeting the expectations of their stakeholders