
Heads of Internal Audit Virtual Forum

11 January 2023

Please note:

  • All Institute responses are boxed and highlighted in blue
  • Where the chair comments in that capacity, the box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised

Participants

Derek Jamieson, Regional Director, Chartered IIA UK and Ireland (Chair)

Liz Sandwith, Chief Professional Practices Advisor, Chartered IIA UK and Ireland

Chair's opening comments

The Data Analytics Working Group now has over 500 members/300 organisations.

If you haven’t joined yet – now is the time.

I’m often reminded of audit’s past when talking about data analytics (DA) and I often wish I’d had the tools and capabilities we have today. How much better might the audits have been?

My personal challenge to you is – how do we do more this year? It is an imperative. 

  1. Reconsider the level of commitment to DA within your audit plan
  2. Challenge yourself and the team to look for new opportunities
  3. Reconsider how DA adoption is assessed in your scorecard and ensure your team is being measured against a challenging target
  4. Take today’s meeting as a call to increased action on DA

Key takeaways

The Chair discussed key points from the Institute’s latest research report Embracing Data Analytics.

  • No correlation between the top risks in Risk in Focus 2023 and audits where time is invested in DA per the Embracing Data Analytics report
  • DA is useful across the whole audit plan – consider it for everything
  • DA is NOT a threat to internal audit jobs – they will just look different
  • Keep your DA budget active - in times of cost constraint it will pay benefits
  • Stay close to senior management – understand the changing risk profile so that you can remain relevant and adapt your use of DA
  • Be aware of any new system implementation – how can it benefit use of DA?
  • Use internal audit knowledge and experience to help improve data governance
  • Start small – automate a manual test and build from there
  • Sample testing should not be the default position – whole population should become the ambition, where relevant
  • Tell stories with your data – be insightful
  • Blow your trumpet about your successes and the benefits of DA to the Audit Committee/Board
  • Share success stories across your network
  • Learn from mistakes – don’t be afraid of DA

Comments to reflect on for your Data Analytics Journey

Shehryar Humayun – Audit Director, Applications Data and Applied Sciences, Lloyds Banking Group

  • Data first mindset – we came from a place where we used DA on less than 5%, now 75%
  • Now use machine learning, natural language processing, robotic automation, process mining
  • Introduced techniques to business – share tools – lead by example
  • Influence leadership – it’s hearts and minds as much as data
  • Huge digital revolution this century – we cannot provide assurance without using data
  • 80% of data is unstructured (email/word etc) – analysis provides richer assurance
  • DA is rapidly becoming non-negotiable, not optional for our profession
  • Analytics gives you the power of telling management something they don’t already know
  • DA is not the new name for CAATS – it is more than financial analysis
  • DA can be used for audits of change management, customer complaints, people, cyber, ESG etc - everything
  • The real challenge is not the availability of DA tools but upskilling the internal audit team
  • If data quality is poor, don’t walk away – challenge management how they use it for decision-making

Neil Macdonald – Technology4Business

  • Report helps answer the question of ‘where do we start’
  • It is still okay to start your DA journey with Excel and progress from there
  • Be comfortable with less than perfect – this is a culture change for internal auditors
  • Driving data governance is important – poor data can be a barrier for DA

Richard Chambers – AuditBoard member

  • There has been a lot of change over the decades – but DA is not new
  • No greater imperative than right now for our profession to grasp DA
    • Speed of emerging risks
    • Volatility of risk and its randomness
    • Constrained budgets – do more with less
    • Volume of organisational data
    • Increases audit capacity – using DA we audit more and faster
    • Multiplies the value of internal audit – what we deliver

There is a role to play in the provision of continuous risk assessment, potentially collaborating with 1st and 2nd line in the development and delivery of new data flows


View from the Institute

Data analytics is very much the future for internal audit. The new global standards, out for consultation in Spring 2023, will reflect this requirement. A greater focus on data analysis and enrichment of findings. Internal auditors need to be ahead of the game, expectations are changing and there will be an evolution of minimum standards.

Chair's closing comments

This will be a challenging year for costs. One organisation has recently had its Internal Audit budget increased when all other departments are facing cuts. A key factor is that the Audit Committee/Board are engaging with the value of using data analytics.

Let’s help the next generation, young internal auditors have the skill sets we need.

Let’s not close them down before they get started.

Our next meeting is 8 February ‘Is your scorecard balanced.’

Please send me your anonymised examples.


Questions/Chat box comments

Question: In the context of utilising DA to support continuous assurance, who should provide continuous assurance?

  • A barrier is accessing data on an ongoing, efficient basis. It can be a challenge compared to just as a one off
  • It is a divisive subject – what value does it provide? After the first couple of months does it add value to internal audit’s work?
  • Continuous monitoring is 1st/2nd. Combined assurance is an opportunity to work with others, internal audit can focus on high-risk areas and also act as enabler for other lines to build their continuous monitoring activities
  • I am selling audit as a change agent so my "continuous audit" agenda is for higher risk, high change areas where risk owners have self-identified control gaps/a need for improvement - that I then regularly risk monitor those projects/changes - provide some input and communicate up to the Audit Committee.
  • Continuous control monitoring is not a role for internal audit but there is value in continuous risk monitoring to enable risk-based auditing (partnering with CRO for example).
  • We have a number of dashboards developed by/supported by internal audit. These are used as 'early warning indicators' and can be leveraged by 1st, 2nd or 3rd line, not assurance but points to what looks like exceptions and can be actioned/monitored/audited. If an audit highlights an issue there is now a question as to why it wasn’t addressed. [Comment from the chair: This is an example of the point raised by Richard Chambers regarding continuous risk assessment.]
  • I think we need better discussions around combined assurance in organizations. No providers have full coverage and we should be using our capabilities to provide a holistic view to audit committee. So yes, continuous assurance across all lines of defense, leveraging from all providers where possible to generate and provide insight into the organization.
  • Continuous audit - yes; continuous monitoring 1st & 2nd line

Comment: Page 35 of the report outlines the "Progress Blockers", with views that certainly resonate. In any discussions with Audit Committee members, especially as part of EQA reviews, I always look to understand their awareness of IA's data analytics capabilities. As the main customers of IA, we need to convince more of them that they can help drive the strategy and investment in DA by continuing to challenge their CAEs as to why DA is taking so long to progress.