If YOUR audit department doesn’t embrace data, analytics, and automation eventually, your audit department will NOT exist.
No data, no analytics. No analytics, no automation. Eventually, no audit department.
Editor Note: This post really applies to all departments in a company, but mainly I’m addressing auditors, but you might want to read between the business lines….
By embrace, I don’t mean have one or two auditors working on this. I mean the entire department.
Before you cite all the regulatory requirements mandating the existence of an audit department in companies, having an audit department in name only won’t cut it.
Having an inept audit department will not be acceptable to regulators, and it shouldn’t be acceptable to company management either. Or Audit Committees!
Companies need skilled and efficient auditors that can do the heavy lifting, and this need will only increase.
The (Audit) World is Changing
I’m saying that internal audit is changing, and auditors who don’t want to change with it will be left behind.
Consider, as an example: Some years ago, automobiles had NO on-board computers. They were basically mechanical machines. When computers arrived in automobiles, repair specialists had to learn how to troubleshoot and work with them, or they found another job or retired.
A similar transition is occurring in the business world, but most auditors refuse to learn how to handle and manipulate data, perform analytics, and automate their work. This trend is not a fad, and it isn’t going away. Only old-school auditors are.
Why do I think some audit departments will be obsolete in a few years?
- Audits are becoming more technical because business processes rely more and more on technology.
And yet all the audit publications and consultancies STILL complain that auditors don’t understand data or analytics; too few audits include deep data analysis; fewer auditors are learning automation.
- More business processes generate or consume data.
The age of paper and tick marks is over. Data tells the story of whether the controls are working, whether fraud may be spawning, or whether a process is inefficient. Hardly any business process doesn’t depend on data.
- Business units are doing their own dashboards and analytics.
How come business-line leaders can see that deep data analysis and dashboards provide better information, reduce risk, and in some cases, save money and time, and yet most audit leaders still don’t get it?
- Companies are starting to focus more heavily on automation.
Automation is becoming more necessary as companies compete; the bar for survival is getting raised. Why do audit departments think they are exempt from this?
Points #1 & 2 above are why auditors are doing more integrated audits–audits that have a financial/operational component AND a technology/IT component.
But overall, audit departments are NOT adapting and growing their skills.
Business Departments are Pulling Ahead
Meanwhile, business departments in a lot of companies:
- Have been training their employees in analytics and hiring staff with data and analytics experience.
- Are not only doing more and more analytics, but more complicated analytics.
- Are automating all data extraction, and are now automating more of their analyses.
In other words, business departments have more expertise in analytics and automation than internal audit, and yet internal audit is not in much of a hurry to catch up.
Previously, I’ve said that individual auditors will die if they don’t do analytics (see my earlier post), so what do you think will happen to an entire department full of non-analytic auditors?
A department’s death will be much slower; it will start with the department becoming less and less relevant.
Maybe your company isn’t becoming data driven yet. But other companies ARE, so what impact do you think those competitors will have on your company? And will that be good for your audit department?
Here’s how it can happen
1.) Auditors don’t know whether the data they receive is the RIGHT data. When I review the queries that IT or the business run to provide data to the audit department, I often find errors that that leave out too many critical records, or include ones I don’t need, or both.
Most auditors, including many IT auditors, don’t know how to read and interpret queries, so they can’t be confident of the data. This is not a new risk, but as more auditors and businesses do analytics, it is more important than ever.
Therefore, I am not surprised at the low confidence levels noted in a recent article at the ACL website:
See this article, which states “17% of internal audit teams have a high degree involvement in evaluating the quality of data used and 47% have little or no involvement.”
If your data is poor, your analytics will be misleading or flat wrong.
Many auditors don’t have enough understanding of query languages and basic network/file/database knowledge to even ask subject matter experts intelligent questions or recognize whether the answers they receive are reasonable.
2.) Auditors who are unfaithful in little are unfaithful in much.
If audit departments are not diligent enough to validate and profile their data, they most likely won’t do the more complicated analyzes either.
Profiling data in Excel or ACL is EASY and FAST. Profiling also helps you determine which products, transactions, or systems to focus your audit on, and what can be deferred or left untested.
If your auditors don’t do the easy stuff, how will they learn to do the heavy lifting for in-depth analysis or automation?
3.) Auditors are not keeping up with the business. More business lines do more and more of their own analytics, but audit departments continue to lag behind.
While audit departments seem to have a good grasp of the business processes, they don’t have a good grasp of the data or analytic processes (or tools) their business partners are beginning to depend on.
4.) Auditors will soon need to know how to audit business line analytic processes and data models. The best way to learn this is to do your own analytics (surprise!) and learn about the tools the business is using. If auditors aren’t doing analytics, CAEs will have to send auditors to a ‘checklist class’ or hire consultants to do that auditing.
Eventually, business lines will be analyzing most of their critical data.
So when you start an audit and ask for data, the business lines are going to tell you they already analyze their data, so why should you repeat what they have already done? They will tell you to just review THEIR analytics.*
*This recently occurred in a process I was auditing. The process isn’t in production yet, but it is running hard in the test environment and producing results. The business manager told me he expects to replace some manual controls with his new analytic process.
And since your department is so far behind the analytic curve, you won’t be able to audit their analytic process.
So you’ll need to hire a third party at great cost. That’s the path to irrelevance. Or maybe outsourcing.
CAEs need to get ahead of this shift.
CAEs (and Audit Committees!) need to understand auditors don’t need to do more analytics just to speed up their audits, provide more coverage, do more complex audits, and look good to the audit committee–auditors also need to gain a deep understanding of how to audit the analytics and data models their business lines are starting to depend on.
And that means they have to understand a lot more about analytics than what’s needed to run robust ACL analytics (which most companies still don’t do!).
As much as I love ACL, only 1 of my business lines use it (thanks to me).
That means that I also need to understand and use some of the tools the business uses. While ACL is much simpler to use, the tools the business uses are often faster, but more complex.
But as I master the the tools the business use, my influence with the business grows. I don’t have just one wrench (ACL) in my audit toolkit. And I understand the data and the process that creates it better.
- Take ownership for consistently increasing your own data, analytic, and automation skills, regardless of what your company or audit department are doing (or NOT).
- Think about how your department has progressed in handling data, performing analytics, and enabling automation in the past 2 years. If progress has been minimal, ask why. Then ask what’s the cost and impact of continuing on a similar path.
- Benchmark your audit management against the concerns raised in 10 Signs Mgmt Doesn’t Really Support Analytics. Create and execute a plan for improvement.
- If you can’t gain any traction getting analytics going in your department, or progress is slower than it should be, leave this post on your management’s desk*. Anonymously, of course.
- Start looking for a job in a more progressive industry and/or company.
* Please let me know what happened!