The Data-Confident Internal Auditor: A Practical, Step-by-Step Guide

By Yusuf Moolla and Conor McGarrity

For internal auditors, developing trends in data analysis and data science can feel less like a wealth of information and more like an avalanche. Still, better use of data provides an opportunity to advance your career by adopting new, invaluable skills. The missing link? Jargon-free guidance that cuts through the hype.

The Data-Confident Internal Auditor demystifies the use of data in internal audits through practical, step-by-step guidance. With concepts and tools that are easy to understand and apply, this comprehensive guide shows you how to approach data yourself, without having to wait on data scientists or technical experts.

Developed over the course of hundreds of actual audits, these real-world approaches and practices are distilled into a simple sequence of steps that will leave you feeling confident and even eager to apply them for yourself. Pick up The Data-Confident Internal Auditor and start building your data skills today.

• Language: English
• Publisher: BookBaby
• Release date: Dec 7, 2021
• ISBN: 9781544526751

Book preview

Introduction

As an internal auditor, you know that data can help you to deliver better audit work.

Data is growing in volume and scope. Emerging approaches are making certain analyses possible. Technology is maturing—better hardware, more stable software. These combine to create opportunities for you and your team.

The value internal audit teams can achieve is obvious. What’s less obvious is why audit teams are shying away from using data.

Some say the complexity and jargon surrounding data are too overwhelming. Team leaders don’t know how to distinguish between hype and practical application. Team members are hungry to learn how to use data but aren’t sure where to start. Everyone is paralyzed, with no clear path forward.

Does this describe how you are feeling?

You’re not alone. Many audit professionals feel this way.

Since you’re reading this, even though we haven’t met you, we can make an educated guess that you’re curious, motivated and determined. Above all else, you know that you need to act to remain relevant.

Importantly, you’ve taken the first step. You picked up this book.

It is not difficult to use data, especially with the right teacher. Of course, it won’t be a walk in the park, and you will feel uncomfortable at some point. Embrace that discomfort. It’s proof that you are growing and learning: progress.

You’re in safe hands.

We’ve worked with dozens of audit teams on hundreds of audits.

Allow us to introduce ourselves.

Yusuf: I have worked with Deloitte and KPMG in several countries. I started my career performing data-focused roles, then moved into audit. It took a little while to work out that they were not distinct fields. In 2006, an opportunity to use data on an audit presented itself. It was an exciting initiative, so I jumped at it. I worked hard, enjoyed the challenge and delivered real value—the work was tremendously satisfying.

Conor: My career has focused on the public sector. I have worked for several statutory bodies and with KPMG, reviewing governance structures and delivering performance audits. About ten years ago, I realized that data, used properly, can help you deliver better audits. I’ve been using data ever since, uncovering new opportunities and enhancing audit quality.

We’ve thought long and hard about how to use data for audits. This book brings much of that thinking into one place. It is designed to help you shortcut the process that we went through. If you apply the guidance, it will save you years of effort.

We have repeatedly applied all the approaches, concepts and practices in this book to our own work.

We’ve structured this book to be consumed in small sections to manage any fear or confusion you may have.

There is also a companion website, www.data-confident.com, which is referenced throughout the book. Here you will find supplementary resources like templates and cheat sheets. There are also interactive versions of the Chapter 7 visualizations, sample data sets and example KNIME¹ workflows.

By working through the principles, approaches and simple sequence of steps in this book, you will gain the confidence to use data directly in all your audits.

---

1 KNIME is an open-source analytics platform. There is more info on this in Chapter 4.

1

Benefits and

Misconceptions

There are many misconceptions about data, especially about using it for audits.

Because many internal audit teams are unfamiliar with data, they make general assumptions about its value and application. Before we can explain how to use data, we must first dispel these myths.

Myth 1: Using data only increases

the value of a handful of audits.

A surprisingly common misconception is that data has limited applicability to audits.

It’s something you have heard—perhaps from colleagues, managers, or maybe even just the voice in your head. You already know that this is false, or you wouldn’t be reading this book! But how do you convince others?

Here are the top three benefits that we’ll discuss:

1. Data helps identify opportunities that management cannot see.

As auditors, we have a unique perspective, because we look across functions and domains. Most of our first- and second-line colleagues focus on their direct areas. But we are not limited by process, function, service or product. Our domain is the whole organization. Using data can help us find opportunities that go across several functions.

The classic example of this is procurement and payroll. Procurement teams focus on procurement activity. They generally don’t focus on payroll or employee-related matters. The same holds for payroll and HR functions. They rarely concern themselves with procurement-related matters, except when they are engaging service providers to help them with systems, or for contractors and the like. If we are conducting a payroll audit, we can use data from both payroll and procurement.

Why?

If there are employees (in the payroll system) who are also being paid as service providers (in the procurement system), there is a potential conflict of interest. We know that unmanaged conflicts of interest can create all sorts of risks. As internal auditors, we should be concerned about this. If we know that management is not looking at this risk, it is our duty to consider it as part of our payroll audit.

2. Data makes it easier to read our audit output(s).

Audit reports can be lengthy. They can also be text heavy, and are often laden with information only relevant to a small number of people, sometimes only one person. Thankfully report writing, like many aspects of our audits, is getting better as we look for ways to make it easier to understand our reports. We work hard at it, removing jargon, writing in plainer language and using diagrams and infographics.

Many audit leaders have been working with their teams to incorporate auditviz (audit data visualization) into their reporting. This is where we use graphs and charts in our reports. With visualized data, the reader doesn’t have to waste time trying to imagine the context of each finding or decipher complex descriptions of the results. With auditviz, findings and results are intuitive.

Here is a good example from a public sector efficiency (value-for-money) audit:²

This auditviz represents relative efficiency scores for services provided by 46 similar entities (the colored dots).

The auditviz is compelling and easy to understand for a few reasons:

•The three service models are clearly labeled and displayed (use of color).

•The efficiency score uses a simple, intuitive scale (less efficient and most efficient).

•The performance of each entity is clear (adequate spacing of results).

Here the individual council model (orange) is often less efficient than others.

(More of these councils are grouped towards the less efficient end of the scale).

Auditviz like these convey messages and outcomes quickly to help the audience see the results. Of course, text can help support or further explain what’s in the charts or graphs. But graphs help bring any text explanation to life, making for a faster, easier read. Sometimes, we may not even need to explain each of the data points. In fact, as we produce more reports with these visual elements, the graph becomes the primary component. The words then support the graph, help focus attention or help remove ambiguity.

Auditviz makes the reader’s consumption of the report more efficient. A simple and focused auditviz means the reader can skim the detailed supporting text. This saves time, which the reader can use to focus on dealing with the issues and acting on the opportunities.

In some cases, even writing the report becomes more efficient. By including auditviz, we can start with the picture and explain what we are focusing on, to guide the reader’s attention. This is more difficult to do if we don’t have a graph in front of us.

Yes, it takes time to do. Time to check accuracy. Time to format the visuals to suit the audience. Time to remove anything that isn’t necessary (clutter). But as with any work that we do, it gets easier, and we get faster with experience. And review time improves. Audit reports generally go through various layers of review. If we make the review process easier with accessible information organized in an intuitive way, the effort will decrease. Your reviewers will thank you for the time you save them.

3. Data makes it easier to manage the exceptions.

Traditional audits include a multitude of broad, sweeping statements about control failures or process gaps. The reports rarely contain the specific details needed to take action. Instead, the auditees may be instructed to follow up with more information on how to fix the identified issues. It’s a time-consuming process that rarely helps anyone. Often, the solutions are so vague, the problems get lost or deprioritized.

But if we use data, we can often identify the root causes of issues. This makes it much easier for management to take meaningful action. We can surface real gaps, going beyond the traditional controls testing approach that may only identify theoretical gaps.

Of course, it’s still important to test controls. It’s still important to go beyond the initial remedial action.³ But where we are also using data, we can identify the specific issue: where the control failure has created a real loss or potential loss. This is probably what needs to be fixed first.

For a $30 million revenue audit, we spotted a gap in discount authorization controls. We could have said that the control was not working, with potential for loss.

Instead, we analyzed the relevant data to find out what the control weakness meant. How much were we losing? $26K, which was less than 0.1