Article

IT Internal Audit of the Future: Embracing Analytics and Digital Enablement

2021 Hot Topics for IT Internal Audit in Financial Services

October 2020

Confronting Uncertainty

Despite being an area of focus for Internal Audit teams for a number of years, many functions have yet to make significant progress in effectively and sustainably embedding the use of data-driven auditing and analytics. With COVID-19 impacting every aspect of the work environment, many Internal Audit functions have reflected on the impact of the pandemic on their businesses and have concluded that the manner in which they deliver services to the organisation will naturally need to adapt as well.

During a time of change, IA should continue to provide assurance over the most consequential risks, while simultaneously increasing its role in advising management and the board on the shifting risk and control landscape, including anticipating new emerging risks. Now, more than ever before, IA should consider deploying enabling digital technologies, beyond analytics and automation, with the objective of becoming more resilient, cost-conscious, and smarter about providing services that make an impact. Some of the reasons for this include:

  • The increase of remote working arrangements themselves have highlighted the need for data-based auditing, particularly where web-based conversations are not as easy or productive as sitting next to the auditee. Deployment of analytics is a key assurance mechanism when direct face to face auditing proves challenging and IA needs to shift to low-to-no contact auditing.
  • Increased digitisation of business processes across the business, as we have covered previously in this survey, is also driving analytics adoption and enablement during audit delivery.
  • Similarly, the evolving technology environment, with the increased cloud adoption and digitalisation, means that accessing enterprise data warehouses and other key data sources is easier than ever and the quality of data itself has generally improved.
  • The frequent changes to the external environment, associated threats and, in consequence, the risk profile in the current environment, increase the need for IA functions to have data driven metrics at their fingertips and to run continuous assessment.
     

Guiding principles for building a resilient function

Deloitte has compiled a set of guiding principles across a standard audit lifecycle as an immediate response, enabling internal auditors to adjust to the “next normal” of remote internal auditing10. These principles highlight where the use of digital technologies, tooling and analytics methodologies can be utilised to drive change and increase long-term organisational resilience. Taking the time to institute a set of guiding principles for remote internal auditing is instrumental in preserving IA’s ability to perform well, be present for stakeholders, and remain relevant in the long term.

While we make frequent references to tools and technologies, in our view success is achievable when the principles and business objectives lead the way, rather than the technology itself. Effective digital enablement for IA requires robust strategy, people, process, and technology – in that order.

Figure 1: Foundational principles for building resilience in Internal Audit1

Stage 1: Risk assessment

Principles

  • Performing risk assessment as part of annual or 6+6 planning is not sufficient.
  • Functions need to collaborate with key stakeholders to identify emerging, shifting or new risks.

Data analytics and Digital-enablement opportunities

  • Function need to be agile and respond in a dynamic way in recognising and evaluating shifting risk patterns.
  • Use of external or internal data to facilitate continuous risk assessment or risk monitoring.
  • Example of tools, include Continuous Business Monitoring, Dynamic Risk Assessment or Risk Sensing. These are powered by automation and machine learning capabilities, moving the function from manual, fragmented, often unrepeatable processes to repeatable, standardised tools and methods.

Stage 2: Audit planning

Principles

  • Functions should reprioritise the audit plan regularly to provide assurance over the most consequential risks.
  • In addition, functions should consider which audits cannot be performed remotely, if data analytics can be applied, as well as align the plan to internal resource capacity and capability.

Data analytics and Digital-enablement opportunities

  • Automation tools, enabling the generation of planning documents, files and RCMs using exiting control libraries can significantly speed up the planning process and reduce errors.
  • Agile auditing techniques coupled with smart data interrogation (KPIs, incident reports, or performance dashboards) can help auditors focus their planning on areas that matter most.
  • Data-driven auditing improve data access and reveal key insights before fieldwork commences.
  • Making connections and comparing performance and key benchmarks between products, processes, and business units means auditors can focus on what is of utmost importance and avoid merely confirming the obvious.

Stage 3: Collaboration and Communication

Principles

  • By establishing communication and auditing protocols early on, and utilising tools that enable collaboration, auditors have a unique opportunity to use remote working to their advantage, minimising stakeholder disruption and getting the most out of virtual meetings.

Data analytics and Digital-enablement opportunities

  • Auditors explore the use of tools with capabilities such as making and distributing request lists, uploading documentation, and tracking status.
  • Many collaboration tools offer capabilities such as whiteboard, Kanban boards, thereby facilitating agile IA audit environments.
  • One of the benefits of the use of video conferencing facilities is that it enables auditors leverage screen-sharing and screen recording to assess processes, such as configuration or code testing, which would typically be reviewed in-person with the process owner.
  • Instead of requesting static screenshots, a live review conducted online can be more effective since it gives internal auditors the ability to ask questions in real time and drill down into modules that they otherwise wouldn’t be able to access directly.

Stage 4: Data | Stage 5: Audit execution

Principles

  • The principles of running audits in the least invasive and quickest way possible are more important than ever.
  • Auditors should take the opportunity and ‘negotiate’ with the business owners easy access to data, through data warehouses or pipelines to gain continued access to real-time data.
  • Audit scope should be evaluated against manual testing procedures, and availability of complex but good quality data to determine where/how analytics can be utilised as part of audit execution.

Data analytics and Digital-enablement opportunities

  • Target analytics toward audit areas that require standardised and repeatable tests, such as those required for meeting regulatory reporting standards. Rather than having to deploy new technologies, this can often be done by using existing automation, analytics, and data visualisation technologies that are readily available within the company’s portfolio.
  • Reflect on the current use of digital tools and assess the potential for reducing risk management costs, without impairing effectiveness. Take Continuous Controls Monitoring (CCM) for example. CCM would enable the first line of defence to take ownership of its risk profile and the second and third lines of defence to become strategic advisors.
  • Other opportunities for analytics, including:
    – Smarter or risk-based sampling;
    – Full population testing over a large dataset, to increase level of assurance provided;
    – Statistical interrogation of data to test hypotheses;
    – Data quality assessment, data aggregation and integration;
    – Use unsupervised machine learning tools to extract hidden relationships and outliers from the dataset (thereby preventing analyst bias);
    – Use of voice analytics to identify insights in voice data and voice biometrics based datasets.

Stage 6: Reporting and insights

Principles

  • The reporting and communication strategies of the IA function should be adapted to the changing environment.
  • This would mean adjusting the frequency of communication per stakeholder, as well as the nature and method of reporting.

Data analytics and Digital-enablement opportunities

  • Use of interactive dashboards and visualisation techniques to report on audit findings is an innovative way of reporting that is adopted by many functions lately.
  • Dashboards can convey insights quicker, and assist IA in creating impactful reporting as images and graphs based on data represent quantitative evidence of a hypothesis, which builds trust with the audience and positions IA well as an advisor and thought leader.
  • Other reporting solutions and digital-enabled innovation include:
    – Automated generation of text-based audit reports
    – Robotics process automation supporting file completion, and auto-generation of audit report draft
    – Robotics supporting Audit Committee reporting, particularly where data and information is hosted across various /disparate platforms and systems
    – Predictive insights/thematic risk identification
    – Text and sentiment analysis tools

Lessons for the future

One of the principal lessons we have seen arising from the crisis, is that the more analytics-savvy and digitally mature functions performed better. They continued to provide assurance in a non-intrusive manner, analysing available data (e.g. business performance, incidents, customer complaints, cyber-attacks) in a manner that provided a level of visibility over the nature of risks faced by the organisation as well as the effectiveness status of key controls that was imperative at the time. In an environment where some functions had to pause all auditing activity, or were told to defer meetings with key staff during the initial phase of the crisis, the use of analytics and digital tools helped separate the truly ‘resilient’ functions.

We believe, for the long term, IA should embrace digital-enabled transformation, continuous risk assessment, automated testing, exploratory analytics, and more broadly, agile methods as a way of decreasing costs and adding value. A deeper digital transformation and the use of data-driven auditing will not be merely required by Audit Committees as a nice-to-have, but in our view would be core for the development of a resilient and a high functioning function of the future.

______________________________________________________________________

1 Source: Building Resilience in Internal Audit. Guiding principles for thriving in a time of remote internal auditing and beyond; Deloitte, 2020

Did you find this useful?