Changes inherent to big data and data analytics have many chief audit executives (CAEs) around the world asking what internal auditors of the future will look like: Will they be accountants, mathematicians, or data analysts?
Most likely it will be a person who has analytical, technical, and data skills, as well as business acumen, presentation skills, and project management capabilities, said Neil White, Deloitte’s global internal audit analytics leader. “That doesn’t necessarily need to sit in one person. It could be spread across multiple people within a group.”
Some larger organisations are employing a handful of data science people as part of the internal audit analytics team, White said. In addition, organisations are training their core audit professionals on how to use analytics to deliver greater insight.
“People are starting to rethink traditional [internal] audit models,” he said.
The consequences are potentially far-reaching, touching not only on people skills but also on processes, tools, and methodologies to plan the audit, perform the data analysis, and present the results.
Traditionally, internal auditors probed samples of transactions that had already happened for compliance, but they have to be more forward-looking, White said. “Internal audit is beginning to realise we need to be more engaged in the strategic risks of the organisation, and we need to be able to communicate more effectively with our stakeholders the importance of what we’re trying to say.”
What worries CAEs
More than three-fourths (79%) of CAEs around the world expect moderate to significant changes in internal audit in the next three to five years, according to a 2016 Deloitte survey of more than 1,200 CAEs in 29 countries. Audit committees and management are key drivers.
But knowing changes are coming doesn’t mean CAEs are confident in how to manage them. Many are struggling to address serious concerns:
- 57% of respondents are either not satisfied or only somewhat satisfied that their teams have the skills and expertise to deliver on stakeholders’ expectations. Top skills gaps are in specialised IT (42% of respondents), data analytics (41%), and risk modelling (27%).
- 64% of respondents consider it very important to be able to influence the board of directors, the executive team, and other key personnel, but only 28% believe internal audit has strong influence.
- 86% of respondents use data analytics, but only 7% use them at an advanced level and 24% use them at an intermediate level.
- 58% of respondents expect their budgets to remain the same or decrease over the next few years, which may not adequately fund the desired evolution in internal audit.
What’s an insight-driven internal audit?
Traditionally, an internal audit sampled 25 to 30 transactions out of millions to look for non-compliance, White said. Data analytics allow internal auditors to involve all transactions and apply statistical and quantitative modelling and profiling to provide greater insight into where internal audit should focus its resources.
To gain these insights the internal audit function needs to evolve, he said. “We’re moving the analytics up front in the audit process to make better decisions during planning and allow the auditors to define a more dynamic audit scope and, therefore, something that’s much more responsive to the risks in the business.”
Internal audit is uniquely positioned to advise management, Deloitte suggests. The function possesses the objectivity, independence, rigour, and enterprise-wide view of risks and data needed to help management understand challenges ranging from strategic to cyber risks and to help boards untangle the complexities of an evolving business, technologies, and competitive and regulatory environments.
Take, for example, an assessment of a company’s IT expenditures, White said. A year’s worth of a company’s payables data includes each transaction, not just two dozen random samples. Using external vendor benchmarks to pinpoint IT vendors, combined with procurement and HR data, helps identify IT purchases that are made without the approval of the technology department.
Following the data trail further may reveal challenges in procuring IT equipment for overseas locations, which may have led to behaviour that circumvented controls, allowing employees to procure technology outside the company to ensure quick delivery.
Presenting a graphical representation of the assessment results and the root causes of the IT expenditure breakdown is a business insight valuable to executives that internal audit is able to deliver because of its unique ability to acquire data from multiple, functional areas of the business.
7 steps to manage the internal audit evolution
To meet the expectations of audit committees and management and address CAEs’ concerns, Deloitte suggested these seven steps to help internal audit evolve:
Seek ways to increase impact and influence. Internal audit needs to learn about the changes, issues, disruptors, and risks that worry management and the audit committee and how to address them.
Embed analytics into internal audit activities. Analytical tools, which have become simpler and less expensive, enable internal audit to do more – from planning audits to assessing risks and generating insights – and to communicate the results visually and interactively.
Companies can start by assessing current capabilities and needs, and then setting up a pilot project to demonstrate analytics in action and their value.
Streamline and visualise communications and reports. Visualisation tools allow internal audit to highlight anomalies, risks, and issues stakeholders care most about.
Assess and address talent and skills gaps. Resources may be available through guest auditor and rotation programmes, co-sourcing, outsourcing, and other arrangements. It makes sense to explore such alternatives considering the talent shortage, the skills gap, and the complexity of stakeholder needs and risks in areas such as cyber-threat management and date governance.
Review strategic planning and risk management. Internal audit should ascertain that processes are sufficiently robust, particularly in the context of expected disruption and change.
Promote a culture of innovation within the function. Keep abreast of changes affecting organisations and new techniques being used by leading internal audit functions. Expected innovative developments, such as risk anticipation and predictive analysis, should be explored and implemented.
Marshal senior-level support. Work with key stakeholders – the audit committee chair, CFO, and CEO – to support specific changes that will yield benefits. Examples include applying analytics in ways that increase audit efficiency, reduce cost, or plug cash leaks, or rotation programmes that help address skills gaps and increase the number of ambassadors for internal audit within the broader organisation.
—Sabine Vollmer (Sabine.Vollmer@aicpa-cima.com) is a CGMA Magazine senior editor.