The Second “E” Of The Analytics Revolution: Embed

Most internal audit functions are using some form of analytics. And that’s great, right? Yes, but how many of them are really deriving value from analytics? Well, that’s a different story. A lot of internal audit teams are stuck in a state of arrested evolution with their analytics and are failing to achieve the transformational change that analytics can bring about. Business leaders in operations, finance, marketing, service, and other areas are not only using analytics to make better, faster decisions; they are also transforming the very ways that work gets done. And so must Internal Audit. We have to move faster than the speed of evolution. We need a revolution in the ways we think about audit such that analytics are fundamentally changing how the function operates.

Our clients are revolutionizing their uses of analytics through five Es. The first is Enable, and here I tackle the second: Embed.

A natural starting place for internal audit analytics is testing: specifically, using analytics to increase testing efficiency and effectiveness by testing whole populations rather than limited samples. This is definitely a way analytics can help, but far greater value is achieved when analytics are embedded throughout every audit phase. That doesn’t mean layering analytics on top of existing processes and methodologies but enlisting analytics as a catalyst to rethink how the audit process gets done, from risk assessment through reporting.

Continuous risk assessment. When analytics are embedded into risk assessment, the assessment stops being a static, annual exercise: it is updated more frequently with new data to support new decisions on how to address risk, and audit plans can be adjusted accordingly. That represents a major shift in the way risk assessment gets executed, because it uses continuously updated key risk indicators and allows for more-frequent decision making about the audit plan. For example, if a new risk appears in the second quarter, internal audit leadership can schedule an unplanned audit to address the risk, make a trade-off decision between a planned audit and the new risk area, or postpone a planned audit to later in the year to make room for the new area of more-immediate or more-significant risk.

Practical planning. The key risk indicators from the risk assessment ripple through the process to change how planning occurs. Key risk indicators prompt Internal Audit to ask better questions of a business unit, sometimes enabling Internal Audit to bypass full audit work and move directly to issue reporting, thereby saving significant resources. Perhaps an internal audit team gets a risk profile on training compliance and sees that one business unit is much lower than others. Instead of identifying the issue through training logs in fieldwork and testing, Internal Audit can move directly to investigation of the issue.

Fieldwork and execution. Sometimes key risk indicators don’t give absolute answers. But they can serve as leading indicators that help auditors plan where to best focus their time, which is also extremely valuable in managing business risk and audit efficiency. Analytics that are embedded into fieldwork and execution facilitate intelligent, exception-based auditing. And with the power of analytics, internal audit teams can review entire populations of data, identify exceptions, and use those as the starting position for an audit.

Dynamic reporting. Analytics embedded into the reporting phase can help auditors create far-more-effective reports by quantifying the impact of identified issues. The right data can provide stakeholders and audit committees with a far more meaningful message that tells how serious an issue may be. Analytics help auditors discern patterns and determine the frequency of an issue occurring so that it can be quantified and then tracked until remediated.

When analytics are truly embedded, every phase of the audit cycle is data driven and more responsive: Risk assessment is based on more-continuous monitoring of key risk indicators. Leading indicators guide planning. Fieldwork is exception based using intelligent sampling. And dynamic reporting quantifies issues, which are then fed back as data for the next risk assessment as part of a continuous cycle.

Embed is the second of the five Es needed to revolutionize how Internal Audit uses analytics. Watch for my next post as I continue the analytics revolution series with the third E: Empower.


Paul Young

Experience Customer Success Manager working with clients and Business Partners on their data journey

6y

Great work, Seth! I have been a believer that we are only touching the surface when it comes to analytics and internal audit. I think there is more work to be done on triggers, thresholds, reporting, etc. PWC is a great BP of IBM; as such, I think there is more work IBM and PWC can do together in terms of risk solutions - https://www.slideshare.net/paulyoungcga/why-development-of-risk-management-program-important-to-a-business
