Six ways internal audit can advance its analytics journey
Internal audit provides significant value to an organization and is under continuous pressure to go to the next level and become a true leader in risk management. By fully integrating analytics capabilities throughout the audit life cycle, internal audit can better meet those expectations: conducting efficient full-population monitoring, focusing on key issues, and delivering more robust risk assessments and richer insights.
Expectations placed on internal audit are increasing. Companies are looking to the function to lead their risk management practices – which ultimately improve the business – and are concluding that data analytics can fundamentally change the way internal audit responds to those expectations.
While the internal audit function often uses data analytics to automate fieldwork, we, at PwC, are encouraging companies to fully integrate analytics capabilities throughout the audit life cycle.
Our new report, Turning the corner: Advancing the use of analytics within internal audit, explores how internal auditors can advance their analytics programs to secure efficiency, richer business insights and enhanced monitoring. By looking at wider populations and sifting out important issues from less critical ones, internal audit functions can generate greater value and respond better to risks. The ultimate goal is to have an internal audit function composed of critical thinkers who are enabled by analytics in every aspect of their work.
Stakeholders are pressuring companies to provide deeper insights and root cause investigations. PwC’s 2016 State of the Internal Audit Profession Survey found that 62% of stakeholders expect more from internal audit, even though almost half of them said they already receive significant performance from their audit functions. Maximizing the value of your internal audit analytics investment can help meet these rising expectations.
We’ve identified six ways internal audit can advance its analytics journey:
Define your strategy. Creating a roadmap for the next 18 to 24 months is necessary to ensure internal audit has a comprehensive data analytics goal and an execution plan in place, so that internal audit can further build what is required to advance. The roadmap prioritizes initiatives and sets an achievable timeline to meet specific milestones that will help ensure successful execution of the strategic plan.
Connect the dots. Internal audit’s data analytics strategy should also leverage functions across the organization, including information technology, compliance, and operations. By making those connections, internal audit can learn where others are in the data analytics process, can benefit from their knowledge, and can potentially take advantage of resources, technologies, and processes that already exist.
Don’t forget your organizational culture. Implementing data analytics will create new roles and modify job descriptions. Internal audit must consider how to create an environment in which it can successfully execute the analytics strategy. The objective is to encourage and increase adoption by helping people feel that the use of analytics is the new normal and an expected part of every audit.
Overcome the automation trap. Many internal audit functions embark on analytics by incorporating them into fieldwork to automate testing, but if fieldwork is the only area where analytics get deployed, internal audit is simply automating the work it has always done. Internal audit should explore all the pieces of the audit process to see where analytics can be applied, to capitalize on the more robust risk assessment, the richer insights, and the data-driven discussions that are possible when analytics are applied to their full potential.
Integrate analytics into internal audit methodology. Analytics should be transformative to the audit process, not additive. Revisit your end-to-end audit methodology to make sure that appropriate revisions have been made to integrate analytics efficiently and effectively, so that analytics accelerate the overall process rather than add more steps.
Embrace an analytics mindset. The internal audit team should have a combination of audit skills, business knowledge, and data and technical competency. The entire team also has to have a level of analytics acumen for building critical-thinking skills with regard to how, when and where to use data to solve problems.
The Path Forward
Internal auditors should tailor their approach to analytics based on their company’s perception of risk and the company’s audit mandate. By following these steps, internal audit can accelerate its progress and begin to see the benefits anticipated.
Monitoring vendor networks through supply chain risk analytics
By Scott Greenfield
In today’s business environment, the global scope and enormous volume of supply chain transactions have vastly amplified a company’s exposure to legal, regulatory, and reputational risk. We see it in the news on a regular basis: US companies rocked by unsuspected or undivulged links to shell companies, terror networks, politically exposed persons, and entities involved in cybercrime, human trafficking, child labor, conflict minerals, money-laundering schemes, tax havens, general corruption, and counterfeiting.
The depth of risk that can lurk within today’s global, multistage supply chains is stunning. For every primary vendor with which a company has a relationship, it may have secondary relationships with dozens of entities that supply that vendor, plus tertiary relationships with each of those entities’ own subsuppliers, and so on. To manage risk comprehensively within that landscape, a company must be able to verify whether each of those individual vendor and subsupplier entities is abiding by the laws of all of the countries whose jurisdictions the company operates in. The company must be capable of doing so continuously—at the same time that it has to meet constantly evolving screening requirements and face the perpetual possibility of new exposures based on those vendors’ changing business activities. Noncompliance with the growing body of laws and regulations aimed at tightening safety controls and extending a company’s responsibility across its full supply chain can result in regulatory fines and criminal prosecutions of companies and, increasingly, company leaders and board members.
In the current business environment of increased complexity and proliferating risk, traditional—and primarily analog—approaches to supply chain risk management are no longer effective in monitoring for aberrant or suspicious behavior. Responsible companies have developed competencies around due diligence and periodic monitoring of their direct vendors, such as by requesting SOC 2 or SOC 2+ Service Organization Controls Reports, but today’s multilayered supply chains demand more-robust surveillance models—ones that can integrate and report on high volumes of constantly changing data from the full supplier network, from service providers, and from shippers, all of it while sustaining rapid decision making and keeping costs under control. To respond to that need, forward-thinking organizations are exploring advanced analytics and visualization solutions that perform continuous monitoring of the entire vendor ecosystem. The capabilities of those solutions:
Today’s supply chain risks demand persistent, full-population monitoring
Supply chain assurance can even be a competitive differentiator in an environment characterized by unprecedented levels of consumer awareness, as more and more consumers base purchasing decisions on ethical considerations while seeking more transparency from the companies they patronize.
An evolving framework + next-generation analytics = robust surveillance
Finding solutions for the supply chain risk management capabilities that companies need to have today does not have to involve new decision science. Instead, the search can be built on existing monitoring tools that can be adapted to fit the new imperative.
As companies move to evolve their supply chain risk management approaches, the adoption of an overarching framework can serve as a useful mechanism to enhance decision making, gather and structure disparate data relevant to regulatory/reputational/internal risks, and improve data quality as needed. Such a framework should incorporate five core capabilities: vendor identification, vendor verification, due diligence, vendor risk scoring, and risk mitigation, all of them wrapped up in a process of continuous monitoring that ensures compliance and defends a company’s brand.
Within that supply chain risk management framework, surveillance tasks such as vendor screening and risk scoring become more efficient and effective based on various analytics techniques that can alert an organization to the presence of a barred vendor within its supply chain or to unacceptable risks posed by a vendor’s profile, practices, or relationships. The potential components of a supply chain analytics approach include:
Making analytics work for business
Ultimately, the use of supply chain analytics is about simultaneous (1) improvement in supply chain risk management and (2) streamlining of risk management processes to make them more efficient and more cost-effective. In addition, an analytics-based approach should simplify and improve decision making by the correction of critical attributes that increase risk exposure and by calculations of vulnerability versus predicted impact.
An analytics approach should promote proactive, continuous monitoring of the full supply chain, and it should continually evolve to stay current with emerging risks, new monitoring methods, and additional data sources. In addition, by promoting broader compliance, the use of analytics decreases net costs based on avoidance of fines, prevention of damage to brand and reputation, and reductions in the time and resources required for investigations and adjudications.
Turning enterprise data into an asset against risk
Companies are investing heavily in best-in-class enterprise system solutions to manage their increasingly complex data flows, yet many still feel they lack complete visibility into how these systems should help assess risk and enable companies to pursue opportunities. A robust enterprise analytics platform can create a cohesive narrative and provide greater visibility to achieve actionable data-driven insights.
In today’s business environment, data is like air: all around us, essential for life, but taking shape and form only when we force it to. Making sense of data is key not only for seizing new opportunities but also for managing the risks that proliferate as more data accrues—particularly around security, privacy, brand reputation, and regulatory compliance.
To help integrate and interpret their complex data flows, companies are investing heavily in enterprise systems that leverage best-in-class solutions across on-premise, cloud-based, and software-as-a-service (SaaS) platforms. But still, many feel their systems lack the visibility needed for assessing risk, pursuing strategic opportunities, and simply running their businesses efficiently and effectively.
What companies have is a lot of data. What they need is a repeatable, sustainable, and cost-effective approach to mining, governing, and analyzing that data for insights that can expose inconsistencies, improve controls, enable faster decision making, lead to more-effective management of risks, and handle regulatory and compliance obligations competently.
Using analytics for improved governance, risk management, and compliance
Today’s demanding business environment puts many organizations into a constant state of transformation: they’re continually entering new markets and industries, undertaking major acquisitions, divesting businesses, creating increasingly complex third-party ecosystems, and adopting multiple-enterprise applications from multiple vendors in pursuit of best-in-class solutions. At the same time, government and regulatory-authority compliance mandates are growing in both volume and breadth, and data-savvy regulators are imposing heavy fines and penalties for noncompliance, fraud, waste, and abuse.
As companies move toward leaner operating models that have integrated risk management and compliance programs, the combination of systems and data proliferation, amplified risk, and expanding government regulation is stretching risk and compliance teams beyond their capacity. Organizations need insights across their enterprises so they can drive strategy, control their businesses, and navigate threats.
Organizations must demonstrate the ability to effectively govern and control the complex architecture of data and applications that underpin their businesses in today’s environment. They need clear insights into the systems and the data in order to identify risks, manage costs, and ensure compliance with a multitude of key stakeholders.
To get where they have to be, organizations must move beyond traditional and largely manual compliance and control processes. In place of those existing processes, they need ones that take advantage of intelligent analytics so they can assess the ways that application configurations, user access, transactional processing, and master data interact within and across their enterprise systems. By applying such data-focused analysis across applications and data, along with visualization tools that help managers focus on what matters, companies can achieve new levels of precision in:
Business leaders know where they need to be. In PwC’s 19th Annual Global CEO Survey of January 2016, 68% of respondents named data and analytics as the technology best able to generate return for stakeholder engagement—a specific area that hints at the wider enthusiasm we see for data and analytics across organizations. However, our Global Data and Analytics Survey of July 2016 showed that companies have a long way to go toward translating that enthusiasm into action. Clearly, business leaders are sold on the power of data and analytics to deliver insight, but nearly two-thirds (61%) admit that at their companies, decision making is “only somewhat” driven or “rarely” driven by data.
A common, flexible platform for analytics success
A company has to be able to tell the story of its whole organization—completely and accurately. And to effectively manage a complex enterprise ecosystem and then implement a repeatable and cost-effective data-driven solution, the enterprise needs a robust platform that takes all the threads of the organization’s regulatory and compliance requirements, data streams, data assessment and integration needs, and desired outputs and brings them together into a cohesive narrative.
Transforming risk and compliance through data
Effectively applying the data from multiple enterprise systems is usually difficult, time-consuming, and costly. To make an analytics approach pay, organizations should focus on two imperatives: narrow their focus to only data that answers questions of critical importance to the business and make the process repeatable so it promotes continuous improvement and results in long-term cost savings. Organizations must be able to answer yes to the following questions.
Data is companies’ lifeblood in today’s digital world. Does your organization have in place the kind of end-to-end data approach that can help transform risk and compliance structures for today’s challenges? Consider the impact of not being able to make that transformation; the operational, financial, and reputational impacts can be severe.
PwC’s Enterprise Insights Technology is a cross-system analytics solution that helps companies assess risks within their enterprise system data. By analyzing system configurations, security levels, and transactional and master data, Enterprise Insights Technology identifies and helps take corrective actions in critical areas that can add to business costs or lead to compliance concerns. With a strong reporting portal and the ability to work-flow results, this content-rich monitoring platform offers a solution that supports a data-driven approach to managing business process risks and controls.