ISACA Journal
Volume 2, 2,017 

Features 

How Analytics Will Transform Internal Audit 

Robert E. (Bob) Kress and Dave M. Hildebrand, CPA, CFE 

Many companies are just beginning to apply analytics techniques to internal audit challenges. Initial applications tend to be focused on using analytics to improve how internal audits are executed. But analytics has the potential to change the way internal audits are conducted in more fundamental ways over the next three to five years. This article studies the business impact of analytics on internal audit, both in conducting risk assessments and in the planning, scoping and execution of audits. It also seeks to define a vision and strategy for the next-generation application of analytics in the internal audit function.

The Maturation of Analytics in the Internal Audit Function

The authors’ experience using analytics for internal audits at Accenture illustrates how the application of analytics is evolving and maturing. Before 2012, Accenture leveraged the power of analytics on a limited basis. Accenture’s internal audit function employed a distributed model, deploying analytic tools to each individual auditor’s personal computer (PC). Those auditors who were comfortable with analytics techniques were able to make use of these tools in their specific areas of responsibility, but the total impact was hindered in several ways. Training was implemented broadly across the department, but auditors struggled to leverage the technology and manage large sets of data. In an area where data files can regularly exceed 50GB, PCs struggled as well.

Without a consolidated data set to analyze, the process of gathering and managing data was inherently inefficient. In the absence of a coordinated, functionwide strategy, the analytics enthusiasts had a hard time getting started and a harder time getting access to the right data.

Demonstrating a clear return on investment (ROI) from the expense required to move from a distributed model to a centralized analytics program was a roadblock, as were data security concerns.

Based on conversations with audit colleagues in other companies across many industries, Accenture’s challenges were not unique. As internal audit functions seek to leverage the power of analytics, they begin by exploring before moving up the maturity scale (figure 1). The earliest stage of adoption can be characterized by analytical capabilities that are confined to a few individuals. Application is inconsistent, and effectiveness and business impact are limited. As more auditors become skilled in the application of analytics tools, they discover the relevance of analytics capabilities to their work. In time, these capabilities are developed and used in a consistent fashion, with defined goals linked to increasingly standardized processes and tools.

But throughout this early stage and even after analytics is more firmly established, the focus typically remains on using analytics to improve the conduct and execution of internal audits.

Moving Upstream: Leveraging Analytics to Transform Audits

Accenture’s internal audit function began leveraging analytics during audit execution. Earlier phases of risk assessment and audit planning gauged risk on a broad level and identified the scope of the audit based on known risk factors, discussion within the audited function or area, and historical testing procedures. Only then were traditional analytics techniques applied to the conduct of an audit, with tests performed based on the results.

But the Accenture internal audit team soon recognized that, as useful as analytics can be in the execution of an audit, the full power of analytics can be realized only by continuing the process of maturation and “moving upstream” to transform in a fundamental way the way audits are approached. As analytics becomes more integrated with the internal audit function, data sources are readily available, one-off activities become repeatable processes and metrics are introduced to measure performance. In short order, analytics becomes embedded across organizational and business unit audits, methodologies for improvement are implemented, and metrics are closely monitored.

At full maturity, analytics-based risk models are adopted by the business, and the power of analytics begins to change auditor behaviors and new value propositions begin to emerge.

The impact of moving upstream and leveraging analytics from the very beginning of the audit process right through to its conclusion can be seen in figure 2.

Applied consistently in this way, analytics introduces the ability to continuously measure risk across a broad set of business units, geographies and functional areas to identify the areas of higher risk. Additionally, access to the full breadth of data enables the use of analytics to drive risk assessment and audit planning and full population testing vs. sampling. By mining the data, it is possible to determine which countries, business units, and business processes or other areas hide outliers that could represent increased risk or compliance issues. Once a business unit or geography is identified, the scope of the engagement can be further refined by drilling deeper into the data, increasing scope in higher-risk areas and reducing scope in sectors where analytics suggests the risk may be less. The overall result is a more dynamic audit plan based on continuous, just-in-time risk assessment; more efficient audits that are aligned with areas of risk; more effective results from audits that are focused on those areas of high risk; and automated reporting.

Watching Analytics Work: Data Visualization

As an internal audit function matures in its use of analytics, dashboards and other data visualization techniques provide insight into the risk factors identified through analytics. By displaying data points and combining the analytics with key performance indicators, auditors have the ability to drill down, looking both vertically and horizontally across risk areas to identify individual audits, scope and key testing procedures. Providing business unit and process risk assessments through dashboards also empowers internal audit teams by giving them a self-service model to assess risk on a regular or real-time basis.

Within Accenture’s internal audit operations, dashboards are already being used to show risk by business units. The breadth of the business requires a matrixed dashboard that is flexible and empowers audit management with the ability to identify risk across specific business processes. A corporate function dashboard will be introduced soon, creating a more detailed global picture of risk profiles, with each corporate function represented (e.g., human resources, procurement and special categories such as subcontractors), creating greater visibility into risk across business units and countries. This corporate function dashboard will be structured on multiple levels to enable management to identify and scope an audit, and to provide the data required for detailed testing to be extracted directly from the tool. The dashboard leverages the existing analytic portfolio and key indicators for each process, displaying one global view across all geographies and business units. Based on risk results, an internal audit team can drill down into specific regions, countries, processes and analytics to provide a holistic view. Data are automatically refreshed on a regular basis, providing a real-time assessment that can be leveraged to identify audits and adjust the audit plan accordingly throughout the year.

As automation and visualization tools are combined, Accenture can envision a time when individual teams will have the ability to plan and execute their internal audits leveraging analytics in a fully self-service mode, providing insight into scope and high-risk areas across a region, geography, process or subprocess.

Use Case: Business Process Risk Assessments

Risk assessments of specific risk areas and business processes such as travel and entertainment (T&E) provide a practical demonstration of the power that results when internal audit and analytics collaborate. For many companies, T&E expenses are a comparatively minor line item in budgets. For consulting companies, where travel to and from clients is an everyday reality, T&E needs to be effectively monitored and managed. Analytics-powered travel audits also delivered a quick-win, helping convey to Accenture leadership and its audit committee the value of analytics and encouraging them to become early supporters.

Accenture’s global travel group, working in concert with internal audit, uses analytics to analyze airfare spending that runs into the hundreds of millions of US dollars each year and studies flight purchase patterns across the enterprise. Analysis of the top travel clusters revealed both the optimal booking time period (typically two weeks in advance) as well as suboptimal outlier pockets, such as people who repeatedly booked flights on short notice. Accenture employees already used a global reservations platform, but the need for behavioral change ran deeper. Through analytics-powered booking analysis, Accenture—and, in turn, Accenture’s clients—saw a US multimillion-dollar improvement in optimal booking practices. Once the business sees the value provided through analytics, leaders tend to develop an insatiable appetite for more.

Achieving ROI From Analytics in Internal Audit

Introducing analytics across the internal audit function incurs costs. Processes must be reengineered, people trained and new analytics capabilities added. How is the ROI on this investment calculated? The return can be seen in several different forms. Using analytics to identify areas of higher risk means that audits can be increased where the risk areas are high and reduced or eliminated in areas where the risk is lower. This is particularly the case when analytics is used upstream to monitor large areas of the business. Analytics can tell where the risk resides across a geographic area or a business entity, so that audits are conducted only where risk exists. The net effect is to achieve broader risk coverage by focusing audit activities in those areas where the risk are greatest. In addition to these gains in coverage and productivity, analytics is also very effective in identifying specific cost-savings opportunities.

Key to achieving a satisfactory ROI on the investment in analytics is embedding analytics into standard operating models for the internal audit function. If the use of analytics is done on a one-off basis, the returns understandably may be disappointing. When analytics is integrated into continuous monitoring processes, the power of analytics is multiplied, as is the ROI.

Analytics and the Future of the Internal Audit Function

Has the maturity of analytics usage advanced widely or dramatically since Accenture first began using these tools in 2012? Based on the authors’ interaction and collaboration with audit colleagues in other companies and industries, it appears not, even though opportunities exist and are being pursued to maximize the potential of analytics, not just in the execution of audits, but across the internal audit process at Accenture (figure 3). In the authors’ view, the culture within an internal audit function needs to evolve to become more open to analytics and more appreciative of the value that analytics can deliver.

The first item on internal audit’s change agenda must be to focus on the value proposition. Internal auditors have to want to use analytics and they must be focused on tangible business value, which can improve risk assessment, audit productivity through full population coverage and identification of outliers, or identification of cost-savings opportunities. A win in an area will show internal audit’s contribution, and that win can be used to secure greater support and buy-in.

Analytics talent or the lack of it will be the other major challenge facing many companies. There is a serious shortage of trained talent in the marketplace. In particular, it is difficult to find people with both internal audit and analytics experience. Accenture has found it easier to take people with audit experience and a strong interest in analytics and train them to be internal audit analytics specialists than to start with analytics specialists and train them in internal audit.

These challenges can be daunting, but they are not insurmountable. Analytics is now employed in more than 78 percent of Accenture audits. Within a few years’ time, it is likely that the presence and power of analytics will steadily transform the internal audit function, quickly bringing the profession to a point where it would be difficult, if not impossible, to imagine working any other way.

Robert E. (Bob) Kress
Is the managing director of Global IT Audit in Accenture’s internal audit organization. He is responsible for identifying, evaluating and reporting on the full range of client-facing and internal technology, financial, and operational risk to Accenture senior leadership and the audit committee of the board of directors. Previously, Kress was the chief operating officer in Accenture’s high-performance internal IT organization responsible for running IT like a business, including IT strategy, IT planning, IT risk and all IT operations. He has published two books, Running IT Like a Business and IT Governance to Drive High Performance: Lessons from Accenture. He has most recently published an article on digitizing internal audit.

Dave M. Hildebrand, CPA, CFE
Is the director of internal audit Americas and global lead of continuous audit and investigations at Accenture. He has 17 years of experience in external and internal audit, internal controls, regulatory compliance, external reporting, and strategic planning. His areas of expertise include effective team management, planning and organization, and maximizing resources to achieve objectives.

 

Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.