How often has this occurred, or been discussed, within your Internal Audit department?
- Terminated employees retain access and aren’t discovered for months
- Configurable control settings are modified going undetected
- ‘We need you to do more testing but on a smaller budget.’
- ‘We’d really like to start to use data but how do we start?’
The sheer volume and velocity of data created by organizations can drive Internal Audit in mitigating risk, uncovering new business insights, and testing an entire population.
Analytic Program Challenges
You’re probably asking yourself, “Sounds great, and I’ve thought about all the above, but what do I need to get started?” From our work, we’ve noted four distinct areas Internal Audit departments experience implementing an analytics program:
|Data Availability||We need transactions to perform an audit, what can we get our hands on?||Work with the Data Ops function to determine if periodic data dumps can be inserted into a data warehouse/data mart.|
|Data Quality||We now have data, what shape is it in? Multiple systems could mean multiple architectures.||Define a comprehensive ETL process to normalize data into a consistent format.|
|Data Privacy||Who has access to source data, any ETL processes, and where the data resides?||Apply access controls to areas where data/transformations occur. In addition, is there a defined chain of custody?|
|Org Structure||Do we have the budget to start this program? Purchase a tool? Do we have anyone on the team to pull data out of source systems for our analysis?||Free analytical tools exist or could be included in an enterprise licensing agreement. Can we leverage company Data Analytics/Science resources to build out our data?|
Cadence Audit Analytics Framework
Once the above has been addressed utilize the below framework to get airborne:
- Risk Assessment – Where are the significant risks we need to test?
- Data Availability – What can we get our hands on? What shape is it in? How often is it refreshed?
- Develop Audit Steps & Tests – Leverage previous audits to develop the tests for the analytics process.
- Define Alert Mechanism & Response Protocol – How will we be notified of exceptions to test thresholds? How do we respond?
- Evaluate & Present Findings – What visualizations should be presented? What happened and why?
In our next post, we will walk through the Cadence Analytics Framework with an actual example. Outlining the challenges encountered for each step of the framework and how the team mitigated and implemented a repeatable visualization solution.