It occurred to me today that I have been performing internal audits and reviews for more than half my life. Throughout the years I had had many failures and successes. I have learned from both by identifying lessons-learned when things worked and even more importantly when they didn’t. I also took responsibility for my failures and shared my successes with the auditors on my teams.
In the late 1980’s and into the early 1990’s internal audit was considered an early warning for senior management. Usually, it was a retrospective assessment of the past and current processes to identify what went wrong so management could fix it before it got bigger (and before someone else found out). In the mid 1990’s the IIA positioned internal audit to identify weaknesses in controls. This gave audit a new focus – identify and assess critical controls. By the early 2000’s, the audit focus was targeted on identifying and assessing the risk to the achievement of enterprise objectives. Audit was encouraged to be part of the management team and have a seat at the senior management table.
I would argue that, while progress has been made in moving from early warning to risk assessment, audit has struggled to make the switch from the “got ya” mentality of the early 1990’s even though many of today’s auditors we not born in 1990. Too often the assessment of a ‘good’ audit is whether it identified problems, hence the ‘got ya’ motivation lives on. One of my first audits identified contracting issues and a fraud. My senior manager congratulated me on having done a good audit and said, “I expect more of the same in the future.” I replied, “then give audits where there is lots to find.” He was not commenting on the quality of the work I had performed, but the findings I had identified which I found to be inappropriate.
Back to the early 1990’s – personal computers were entering the workplace and data analytics was making an appearance in audit. Early adopters, like myself, saw it as a powerful tool to assist audit in testing controls and, later, identifying risk. The beneficial promise of the early years of data analytics did not lead to its adoption by the audit community – particularly the directors and team leaders. Hence it remains a missing key skill that is noted by study after study. Identifying and accessing the required data, determining the analytics, and interpreting and effectively using the results of the analytics remain critical barriers to the use of analytics.
A few weeks ago, I had the opportunity to deliver a virtual session at the Birmingham IIA / ISACA /Greenskies conference. My session was entitled, “My Analytics Journey: Successes, Failures, and Lessons-Learned”. For most of my career I was a team of one and sometimes as many as three. I highlighted numerous instances where I got the wrong or incomplete data, performed inaccurate analyses, failed to link the analytics to the audit objectives (rendering them useless), and was unable to identify the root cause (making recommendations less valuable). Despite, or maybe because of what I learned from, my many failures, I also achieved a lot of successes. The analyses have become more complex which can be a source of errors, but they are also of more value to management. Early analytics focused on simple filters (e.g., identify all long distance calls over 999 minutes in length) and sorting of the data to spot overly large or small transactions. My middle years included an analysis to identify obsolete inventory using a hierarchical data base that had 1M nodes and 32 layers which identified over $300M in obsolete inventory and improved re-provisioning times dramatically. Now I am focused on identifying root cause of control weaknesses and emerging risks.
The other thing I had noted in this session is that the use of analytics does not come easy to enterprises and requires a change management strategy for success. Whether you are the analytics team of one, or part of a larger team, you will have to constantly market and demonstrate the value of analytics. To this end, I developed ½ day sessions for team leaders, directors and even the Audit Committee and senior management; produced quarterly newsletters that highlighted audits that had achieved successes using analytics; and made a yearly presentation to the Audit Committee. All to raise the awareness, at all levels, of the value of analytics.
The IIA standards espouse the use of analytics, the ACFE ‘Report to the Nations’ shows that proactive analytics can reduce the cost and duration of fraud, and every study on the audit profession states that analytics is a much-needed skill. So, there’s no doubt the value is well understood and demonstrated. I believe that anything worthwhile takes effort and analytics is no exception. Early, failures often means that you are pushing the envelope and provides an opportunity to learn. Don’t let it detract from the longer-term objectives.
I am no longer working as a full-time internal auditor – and there are times I miss it. I am a co-founder of CTRLmatters. We’ve pulled together a vast array of experience including IT security, software development, cloud computing, visualization and more. We have built a service platform that provides assurance across core business lines, including accounts payable, vendor management, accounts receivable, customer management, P-Card, travel and entertainment, contracting, payroll, financial monitoring, and ERP controls. The analytics run monthly, producing health check reports outlining the highest risk areas with supporting data linked to dynamic visualizations. We also provide recommended actions to mitigate the risks identified. So begins a new chapter in my analytics journey.
Dave Coderre
CTRLmatters, Co-Founder and Senior Data Analyst
Comments