In 2018, everyone is talking about data analytics. Many areas within an organization have been quick to adopt data analytics, and its maturity is evidenced by things such as dedicated workforce, data methodologies and analytics tools. There are, however, certain areas of the business that have not yet progressed to maturity – one of the main ones being internal audit.
Internal audit leverages the concept of Computer-Assisted Audit Techniques (or CAATs), which really just replaces a lot of the typically manual work involved in auditing with assistance from computers – whether it be simple word processing/spreadsheets or more sophisticated data analytics. CAATs have been around since the 1990’s but despite advancements in analytics, data availability and computing power, we still find audit functions playing catch up and not fully leveraging all of the benefits of CAATs. Audit analytics applications are mainly limited to:
- Automated canned re-performance tests
- Automated notifications and escalations
- Dashboards that display the current state of an audit, the issues and their severity
Internal audit functions need to keep pace with technology and create a culture of continuously upskilling and leveraging newer technologies.
Here are four things that can help internal audit keep pace with technology:
- Investments in data infrastructure – The effort technical auditors expend in data acquisition, conversion and standardization is a classic example of the 80-20 rule. A well governed and standardized data infrastructure eliminates unnecessary effort spent in data acquisition and creates more capacity for meaningful testing.
- Adoption of newer technologies – In some of our audits, most of the effort is spent on painstakingly collecting data from the web for benchmarking and training Artificial Intelligence (AI) models. Today, we can collect 10x more data in the same amount of time by leveraging Robotic Process Automation (RPA). Newer cloud AI tools allow anyone to build predictive models without writing a line of code.
- Building integrated teams – It’s important for the business auditors to understand basic analytics and the analytics team to understand the business basics. Audit tests should be designed in conjunction with data scientists who can assist the business to determine if the test design is solving the underlying requirement.
- Thinking like the perpetrator – The technique most relied by cybersecurity firms is paying someone to break the system. If you are conducting an audit of employee trading compliance, think how you would skirt the rules if you had to.
If internal audit can follow these four simple steps, they will quickly find that they are at the forefront of technology and not just in catch-up mode. For larger organizations, these changes may take longer and will require additional change management activities to build a culture of continuous improvement.
In subsequent blogs, we are going to explore more analytics hotpots in banking areas such as KYC, AML and CECL.