Data and Analytics in Internal Audit

Introduction

The internal audit department within the CFO’s office plays a vital role in overseeing the organization’s governance, risk management, and business operations. According to the Institute of Internal Auditors (IIA), Internal Audit is one of the three lines of defense (3LOD) in corporate governance, alongside Management and Risk. Internal Audit activities, including risk assessment, compliance audits, operational audits, and IT audits, help organizations manage complex risks, improve operational efficiency, ensure regulatory compliance, and achieve strategic goals. However, many Internal Audit teams face significant challenges that can hinder their effectiveness. Key challenges include managing evolving and complex regulations (such as GDPR, SOX, AML, HIPAA, and IFRS/GAAP), increasing cyber threats, limited budgets and staffing constraints, balancing diverse stakeholder expectations, and maintaining consistent audit practices across different jurisdictions, and more.

Data and Analytics in Internal Audit

While various solutions exist to tackle these challenges, Data and Analytics (D&A) techniques can significantly enhance internal auditors’ capabilities in risk assessment, ensuring compliance, detecting fraud, and improving overall organizational performance. In this context, Principle 13 of COSO’s Internal Control – Integrated Framework emphasizes that “The organization obtains or generates and uses relevant, quality information to support the functioning of internal control” [1]. The impact of D&A extends beyond regulatory compliance—it also boosts business performance. Research from MIT found that digitally mature companies are 26% more profitable than their counterparts, while McKinsey Consulting reported that insight-driven organizations experience above-market growth and EBITDA (Earnings Before Interest, Taxes, Depreciation, and Amortization) increases of up to 25% [2]. In this regard, here are the top four ways D&A can enhance the effectiveness of the Internal Audit function.

1. Automated Auditing: Business transactions such as orders, deliveries, invoices, and price lists are the backbone of commerce. D&A algorithms enable auditors to continuously monitor these processes and automatically detect inefficiencies, bottlenecks, and unusual activities—such as duplicate payments, unauthorized transactions, outliers, regulatory violations, and impairments—based on predefined rules.
   
2. Comprehensive Analysis: D&A models can thoroughly examine large datasets to identify patterns, trends, and anomalies that may indicate risks or control gaps. Unlike traditional audit methods, which often rely on sampling, data-driven audits use descriptive analytics to assess the entire population of historical data, ensuring no critical risk areas are overlooked.
   
3. Enhanced Reporting: In today’s heavily regulated environment, optimizing compliance is crucial to avoiding penalties, maintaining a strong reputation, and building stakeholder trust. D&A helps streamline audit workflows, accelerating the audit cycle while delivering efficient compliance reports and dashboards that provide actionable insights and visual summaries.
   
4. Advanced Analytics: By leveraging predictive and prescriptive analytics, organizations can forecast future risks based on historical data, enabling proactive mitigation and process improvement. These advanced models not only identify risks but also offer actionable recommendations to address process vulnerabilities.
   

Implementation Challenges

However, implementing D&A use cases in Internal Audit presents several challenges. Below are some of the key obstacles:

• Data Quality. A significant portion of enterprise data is of poor quality. Gartner reports that 27% of data in the world’s top companies is flawed, and according to Experian Data Quality, bad data can cost companies up to 12% of their revenue [2]. In internal audits, data quality is critical, as the accuracy, completeness, and reliability of the data directly impact the audit’s conclusions and recommendations. Poor data quality can lead to inaccurate findings, misguided decisions, and increased risk for the organization.
  
• Data Protection. Internal Audits often involve handling sensitive financial, operational, and personal data. The insights from D&A can uncover vulnerabilities, non-compliance, or financial discrepancies, which, if improperly disclosed, could harm the organization. It is crucial to protect the data and insights throughout the D&A process to prevent unauthorized access, breaches, or misuse, ensuring confidentiality and regulatory compliance.
  
• Skill Gaps. PwC’s Global CEO Survey found that only 40% of CEOs believe their Internal Audit departments effectively use D&A. Research from Deloitte indicates that D&A adoption within internal audit teams remains basic. This highlights a significant skills gap in using D&A tools and techniques. To fully harness D&A, internal audit teams may need additional training or the recruitment of data analytics specialists.
  
• Tools and Techniques. Selecting the appropriate D&A tools and technologies is essential for streamlining the internal audit process, improving risk management, and ensuring regulatory compliance. Additionally, if these tools are not properly integrated with existing ERP systems that manage business transactions, it can pose significant technical challenges for implementing D&A solutions effectively.
  

Where to Start?

So, where can Internal Audit teams begin their D&A journey? Since there’s no one-size-fits-all approach for implementing D&A—given that organizational needs and capabilities vary. Here are some strategies to guide the implementation of D&A solutions in Internal Audits.

1. Set Objectives: The business case for implementing D&A in Internal Audit should focus on two key areas: (A) Business Impact—linking the D&A use case to the organization’s primary business goals such as increasing revenue, reducing expenses, and mitigating risks; and (B) D&A Maturity Levels—crafting implementation phases based on the organization’s current D&A maturity.
   
2. Think Big, Start Small: The crucial step is to start the process. There’s no need for a PhD-level data scientist, a dedicated D&A team, or costly tools to kickstart D&A projects. Start by developing D&A solutions using spreadsheets and open-source tools like Python or R to showcase quick wins to stakeholders. Avoid investing in expensive, “monolithic” D&A products initially; instead, focus on “low-hanging fruit” use cases that are relatively simple to implement yet yield immediate results, helping to build trust and credibility with stakeholders.
   
3. Be Agile: Establish clear, realistic deliverables and timelines. Familiarize yourself with the data and enhance its quality as necessary. Acknowledge that achieving 100% data quality is unrealistic; data often contains inaccuracies, inconsistencies, and gaps due to human error, system limitations, or data integration challenges. The objective is not perfection, but ensuring the data is sufficiently accurate, reliable, and fit for D&A.
   
4. Manage Change: Secure strong support from senior leaders who can champion D&A initiatives. Assemble the right team, enhance D&A skill levels, engage stakeholders early in the process, recognize employees who embrace D&A, celebrate successes, and address any resistance to change. Once you achieve some successes and learn from the implementation, you can consider developing long-term D&A solutions.
   
5. Govern Data: Data governance involves establishing an accountability framework with appropriate policies, processes, and procedures to ensure effective creation, use, and management of D&A within Internal Audit. It plays a vital role in managing data quality throughout the audit cycle, ensuring that the right individuals handle the right data appropriately.
   

Conclusion

D&A focuses on leveraging data to generate insights that enhance and measure business performance. In this context, D&A has the potential to revolutionize the internal audit function by improving the efficiency, effectiveness, and scope of audits. By facilitating comprehensive risk analysis and continuous auditing, data-driven approaches empower auditors to transcend traditional methods. As the business environment continues to evolve, integrating D&A into internal audits enables organizations to strengthen their governance, risk management, and internal control processes. Moreover, it allows them to proactively address emerging risks, drive operational improvements, and build a culture of accountability and transparency.

References

• https://www.auditboard.com/blog/coso-framework-fundamentals/

• Southekal, Prashanth, “Data Quality: Empowering Businesses with Analytics and AI”, John Wiley, Feb 2023

---

Identify your path to CFO success by taking our CFO Readiness Assessmentᵀᴹ.

Become a Member today and get 30% off on-demand courses and tools!

For the most up to date and relevant accounting, finance, treasury and leadership headlines all in one place subscribe to The Balanced Digest.

Follow us on Linkedin!