The 2020 ACFE Report to the Nations highlighted the effectiveness of internal audit in detecting fraud - in fact, it is the second most likely way that organizations will discover wrongdoing, with 15% of the cases in their survey detected by audit teams.
Data analytics tools have the ability to transform the work of audit teams and their internal audit processes, over time making this an even more effective strategy to tackle corporate wrongdoing.
Traditional internal audit processes
Although internal audit teams are constantly evolving their practices, they have traditionally focused on evaluating the effectiveness of financial reporting while utilizing techniques such as sampling.
Sampling can take many forms, with the most frequent being the ‘judgemental’ sample of transactions using basic criteria, like the highest value payments to third parties or those third parties deemed a high risk as part of a due diligence process.
Although theoretically adequate, this approach has a number of limitations. For example, the incorrect selection criteria or sampling approach can skew the results. It is backward looking and often internal audit processes are run only annually, meaning corrupt activity can go on for months or even years without being identified. The organizational cost of this could be significant - both in financial and reputational terms.
Using Data Analytics in Internal Audits
For a data analytics system to be effective and efficient, it should focus on producing risk-relevant context from the raw data coming from critical, yet often disparate, sources of organizational spend and revenue data, as well as any risk support systems (e.g., third-party risk management).
The risk-relevant context, which is critical for audit professionals to analyze, can only be generated from a robust methodology. That methodology should seek to generate risk indicators and expose trends, patterns and outliers using a variety of analytics, including those grounded in risk, behaviorial concepts and statistical outputs.
This is a significant step forward and is based on technology that allows for the connection of disparate data sources, analysis of that data using complex criteria and machine learning that can spot patterns of behavior that might have previously gone unnoticed.
There are a number of clear advantages to an approach based on concrete data:
Organizational data is continuously monitored
Of course, the business is using its data in real-time to make decisions and make progress towards the goals of the organization. Therefore, internal audit should be striving to keep pace with their partners and monitor and evaluate risk in near real-time.
Ensuring their data analytics system is continuous is important because it enables auditors to identify problematic practices or transactions with vendors, customers, or from employees when they actually occur.
With the data analytics system in constant operation, the powerful algorithms, which go beyond the traditional flagging based on either specific, or combinations of, data attributes, have the opportunity to expose a transaction as “risky” based on completely separate transactional data.
For example, imagine a vendor is identified by the due diligence process as “low risk”. But, their master vendor attributes and transactions are actually similar to other vendors identified as “high risk”, based on the costs appearing in similar expense categories and the vendor’s geographic location.
Continuous monitoring makes the periodic nature of audits more redundant. Auditors are more frequently evaluating the data, potentially eliminating the time between wrongdoing and detection - or perhaps even preventing the wrongdoing from occurring at all.
Data is complete, not sampled
Sampled data is problematic in two main ways.
The first issue is that it is inherently a limited selection of transactions for review. If a problematic transaction doesn’t fall within that sample, it surely cannot be identified.
Second, sampling relies on the sampling technique being objective. Subjective decisions on where to focus resources and how to sample can, inadvertently, determine the outcome of the audit. And although internal audit processes are designed to minimize selection bias, using complete, real-time data can help eradicate this issue.
Data is harmonized from disparate data sources to spot patterns
Data silos create huge problems for internal audit teams. They may require different processes that take into account the idiosyncrasies of that particular department, business unit or data source.
The reality, in most organizations, is that transactional data is rarely connected to due diligence systems. And, if it is, this might be in relation to a strict control rather than an attempt to connect and contextualize risk data.
A data analytics system pulls data from a variety of data sources to allow connections to be made, making the transactional detail as robust as possible for the various algorithms.
Automation fuels efficiency
As the data collection and transaction prioritization is automated, it means that internal audit resources can get on with the more important activities of analysis, investigation and remediation. The efficiency created is good for team morale and most importantly, enhances its ability to manage and mitigate risk.
Data analytics systems still rely on the expertise of audit teams, as human intelligence still needs to be applied - at least for a while - to sensitivity-testing the criteria that is used to sift and connect data. However, automation does remove manual data collection and arrangement, number crunching and human error from this element of the audit process.
An internal audit team needs to report their findings to management and the board. Recommendations based on concrete data and evidence makes for a more persuasive case that is harder to dispute and easier to act upon.
Evidence-based recommendations enable the organization to prioritize risk management resourcing and strategies based on organizational realities rather than theoretical risk. This not only helps protect the organization from the risks themselves, but also provides evidence to prosecutors and regulators (should an investigation occur) that it has made data-driven decisions in attempting to mitigate risk.
Long term culture change
In order to maintain and improve effectiveness in an increasingly complex world, risk professionals are always thinking about how they can extend their coverage, prioritize more effectively, and become more efficient. An effective data analytics tool has the ability to not only improve the audit team’s ability to identify risk, but bring new insight and efficiency to its working approach. Further, it’s an expectation of the regulatory authorities and the modern internal auditor, who has likely come from a program where data was taught to be key.
The aim of any internal audit team must be not only to detect risk, but to actively prevent it. Data analytics and automation tools make the prediction of risk and the prevention of wrongdoing a reality and, as we increasingly move towards a data-driven future, should become a key tool for any internal audit team.
The internal team at Alexion recently transformed their global risk program using data analytics. This video walks through the tools and approaches they used and the results they’ve seen.