Traditional internal audit methodologies have served their purpose well for decades. However, as the business landscape for most organisations becomes increasingly complex, there is now a drive to leverage data analytics techniques to identify risks and bring insights into the organisation. 

While it is management's responsibility to ensure that risks are appropriately mitigated, internal audit can make full use of data analytics to focus on areas or transactions where controls do not exist or are not operating effectively. 

What is data analytics?

It is fundamental to understand what analytics is: it is not a technology, it is a concept. It refers to the use of certain technologies (eg data mining tools like IDEA and ACL), skill sets and processes for the exploration, evaluation and investigation of business operations. 

Data analytics is the process by which insights are extracted from operational, finance and other forms of electronic data, internal or external to the organisation. The insights can be historical, real-time or predictive and also be risk-focused. 

Why has the use of data analytics increased within internal audit?

There are several factors for why data analytics is on the rise within internal audit functions. First, there is the explosion of data volumes in recent years, both structured (financial data) and unstructured (emails and Word documents). Second, the traditional and manual internal audit processes have limitations – for example, they heavily rely on sampling, and so only give limited views on exceptions, control weaknesses or risks. 

Today's organisations have complex IT and financial system environments, meaning it is critical to carry out a deep dive into the organisation's data, and look at the whole population instead of using samples which might not uncover all the risks. 

Another factor is the increasing expectation of stakeholders and the need for internal audit to be 'cutting edge' in its approach and keep up with technology. Some of the key challenges for internal audit include becoming more efficient, more effective in identifying and responding to risk, and providing more meaningful insight. This is where data analytics really can make a difference. 

So where can data analytics transform the internal audit process?

Many internal audit departments are now using data analytics in areas such as expenditures, payroll and accounts payable. These areas are highly transactional and policy driven, and can provide opportunities for cost recovery. On the revenue side, billing data can be mined for checking the accuracy of an organisation's billing against contracts and pinpointing errors or unusual trends. 

Sampling is a fundamental part of any audit work, with many ways to sample. Using analytics tools like IDEA or ACL, statistical sampling becomes very easy. This allows the scope to be set, providing defensible and valuable insights when results are extrapolated against the population. 

Let's look at some of usual and simplest areas where data analytics can transform an internal audit:

Accounts payable

Controls over supplier data such as access controls, modifying bank details and authorising payments are often key risk areas to focus on. Using data analytics can identify users with access to supplier data and identify any segregation of duty conflicts, whereas transactional data can be interrogated to identify potential fraud, duplicate payments and identifying further control limitations. Outlined below are some key analytics which can be performed in this area: 

  • search for duplicate invoices and payments
  • confirm key suppliers, identify one-time suppliers, and suppliers set up with no transactions
  • check the bank account details in the supplier master file to employee bank account records, looking for potential fraudulent activity/dummy suppliers
  • search for invoices with no corresponding purchase order
  • search for unapproved purchase orders
  • search for multiple invoices at or just under approval cut-off levels.

Payroll and employee expenses

Hunting for ghost employees, falsified wage claims and tampered-with time sheets are all key areas where data analysis can add value. Data analysis can also bring value by enabling review of electronic time entry records for compliance with existing policies, procedures and employment regulations. Some of the key analytics are likely to be:  

  • search for ghost employees by looking for duplicate National Insurance numbers, addresses or bank account details held on the employee master file
  • search of payments made to employees after they have left
  • search for unapproved time entry records
  • analyse monthly/weekly payroll looking at the hours worked, level of overtime
  • search expense claims at or just under approval cut-off levels.

Sales processes

For invoicing or revenue stream audits, the related IT systems can be complex and the data volumes very large, for example at a telecoms or utilities organisation. Data analytics can be very useful in checking the accuracy of the customer billing. Any billing errors can be pinpointed much more easily and quickly, and can be quantified across the population. 

With accounts receivable, various analytics can be performed around searching for duplicate or missing invoices, unmatched receipts and bad debts, all of which can highlight weaknesses in the credit control process. 

Inventory

Given the huge size of some inventories, data analytics can be used to conduct inventory audits. It can be used to identify potentially obsolete or slow-moving inventory, and provide insights into the profile of the inventory. 

Key financial controls

Using data analytics to test key financial controls can give high levels of assurance to verify appropriate segregation of duties and other access controls such as the ability to approve or post journals. Furthermore, the whole general ledger transactions population can be quickly reviewed, and some valuable insights obtained into when a journal is posted and by whom, the volume and value of journals. 

In summary, there are many easy wins if internal audit embraces data analytics. It can really transform an audit by drilling down and testing whole populations of data, and provides valuable insights to an organisation's risks and processes. In truth, it is the only way forward for internal audit departments to look credible in the 21st century. 

Mark Smith – senior manager, Business Risk Services team, Grant Thornton