What is Audit Analytics?
According to Investopedia, “data analytics is the science of drawing insights from raw information sources.” Additionally, “internal audit is the examination, monitoring and analysis of activities related to a company's operations, including its business structure, employee behavior and information systems.” With definitions like those, it’s no surprise that so few people understand the value internal audit analytics actually adds.
Since many readers may have stopped at the word “science,” here’s a definition that is a little easier to swallow:
Data analytics is using data to solve problems. Internal audit is identifying risks within the company, evaluating the existing controls (i.e. processes) to figure out how risky those areas actually are, and then designing controls to decrease the risk (i.e. mitigating it).
Essentially, internal audit data analytics is the process of using data to identify and mitigate risks within the company.
Even with the less academic definition, it’s still pretty abstract. So what’s one of the best ways to make something concrete? An example. Not coincidentally, that’s also the content most of you were actually looking for when you searched for ‘internal audit analytics’.
One of the most impactful procedures for identifying control gaps and adding value is a substantive segregation of duties review, where we look at the access rights of each employee in an application and determine whether they can circumvent controls with the access they currently hold.
Working with both the business side and IT, we determine which combinations of access rights represent a segregation of duties conflict. For example, someone with the “Create Vendor” role who also has the “Accounts Payable” role could create a fake vendor and send the payment to their own personal checking account. To detect that exposure, we encode the conflict as a rule that the data analysis should flag. Note that the rule should be written against the permissions a role actually grants rather than the role name alone, since a differently named role (an admin role, say) may carry the same permissions. By completing the analysis for every role in the application, we’ll be able to add value by:
Identifying control gaps: Perhaps some of the responsibilities can’t be segregated due to resource restrictions. In that case, we have the opportunity to implement a compensating control (for example, an independent review of new vendors before the first payment) to mitigate the risk of someone creating a fake vendor and paying themselves.
Performing a role review: Sure, it’s appropriate that Jan in accounting has the “GL” role assigned, but what permissions does the “GL” role actually grant? Do those permissions align with Jan’s job responsibilities? These are questions that need to be answered when conducting our analysis.
Fraud analysis: Reviewing the activity of users flagged with segregation of duties conflicts is how we determine whether the user did, in fact, circumvent a control, rather than merely having the ability to.
Testing privileged access: Along with the role review, we can also test the access of those with super user, admin, and other powerful rights, since those roles typically carry every permission a conflict rule could name.
Terminated user process: We might as well get a terminated user listing from HR and substantively test the termination process by matching it against the application’s active accounts, since we already have all the other data.
Further, we might also identify a control weakness in the user provisioning process. If a particular manager’s employees consistently show up with segregation of duties conflicts, it could be a sign that management isn’t reviewing access requests and is simply approving them.
All of this is great, and the audit report might have plenty of value-added recommendations, but as we always say, “You can’t manage what you can’t measure.” So, now it’s time to put the results into a dashboard and present the findings to management and the Audit Committee. Then, as roles are changed, controls are added, frauds are identified from reviewing account activity, and risks are lowered, those results can be presented to stakeholders who now have a concrete view of the value added.
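The analysis described above, as an added example that is not code from the original post: it expands roles to their permissions, flags users who hold both sides of a conflict rule, lists privileged users, matches the HR terminated listing against active accounts, counts conflicts per manager, and checks flagged users’ activity for vendors they both created and paid. All role names, permission names, users, managers and log entries are constructed sample data, not from any real system.

```python
"""Segregation-of-duties (SoD) analysis over constructed access data.

Added example; role/permission/user names are hypothetical.
"""
from collections import defaultdict

# Constructed role-to-permission mapping (what each role actually grants).
ROLE_PERMISSIONS = {
    "Create Vendor": {"vendor.create", "vendor.edit"},
    "Accounts Payable": {"invoice.approve", "payment.release"},
    "GL": {"journal.post", "journal.view"},
    "AP Clerk": {"invoice.enter"},
    "Admin": {"user.create", "role.assign", "vendor.create", "payment.release"},
}

# Constructed user-to-role assignments and reporting lines.
USER_ROLES = {
    "jan": {"GL"},
    "bob": {"Create Vendor", "Accounts Payable"},
    "sue": {"AP Clerk", "Create Vendor"},
    "ray": {"Admin"},
    "ann": {"Accounts Payable", "Create Vendor"},
}
USER_MANAGER = {"jan": "mgr_a", "bob": "mgr_b", "sue": "mgr_a",
                "ray": "mgr_c", "ann": "mgr_b"}

# Constructed HR terminated listing; "kim" was already removed from the app.
HR_TERMINATED = {"ray", "kim"}

# Conflict rules expressed at the permission level: holding both permissions
# lets a user circumvent a control.
SOD_RULES = [
    ("vendor.create", "payment.release", "Create fake vendor and pay it"),
    ("user.create", "role.assign", "Grant self any access"),
]
# The same first rule written at the role level, to show what it misses.
ROLE_LEVEL_RULE = ("Create Vendor", "Accounts Payable")

PRIVILEGED_PERMISSIONS = {"user.create", "role.assign"}

# Constructed activity log: (user, action, vendor id).
ACTIVITY_LOG = [
    ("bob", "vendor.create", "V100"),
    ("bob", "payment.release", "V100"),
    ("ann", "vendor.create", "V200"),
    ("ray", "payment.release", "V200"),
]


def effective_permissions(user):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_conflicts():
    """{user: [rule descriptions]} for users whose permissions hit a rule."""
    hits = {}
    for user in USER_ROLES:
        perms = effective_permissions(user)
        found = [desc for a, b, desc in SOD_RULES if a in perms and b in perms]
        if found:
            hits[user] = found
    return hits


def role_level_conflicts():
    """Users flagged by the role-name rule only; misses the Admin holder."""
    a, b = ROLE_LEVEL_RULE
    return sorted(u for u, roles in USER_ROLES.items() if a in roles and b in roles)


def privileged_users():
    """Users holding any permission treated as privileged."""
    return sorted(u for u in USER_ROLES
                  if effective_permissions(u) & PRIVILEGED_PERMISSIONS)


def terminated_with_access():
    """HR-terminated users who still have an active account in the app."""
    return sorted(u for u in HR_TERMINATED if u in USER_ROLES)


def conflicts_by_manager():
    """Count of conflicted users per manager; a high count suggests
    access requests are being rubber-stamped."""
    counts = defaultdict(int)
    for user in sod_conflicts():
        counts[USER_MANAGER[user]] += 1
    return dict(counts)


def suspicious_activity():
    """For conflicted users, vendors they both created and paid themselves."""
    by_user = defaultdict(lambda: defaultdict(set))
    for user, action, vendor in ACTIVITY_LOG:
        by_user[user][action].add(vendor)
    out = {}
    for user in sod_conflicts():
        both = by_user[user]["vendor.create"] & by_user[user]["payment.release"]
        if both:
            out[user] = sorted(both)
    return out


if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts())
    print("Role-level rule only:", role_level_conflicts())
    print("Privileged:", privileged_users())
    print("Terminated but active:", terminated_with_access())
    print("Conflicts by manager:", conflicts_by_manager())
    print("Created and paid same vendor:", suspicious_activity())
```

The permission-level rule catches `ray`, whose Admin role carries both `vendor.create` and `payment.release`, while the role-name rule only catches `bob` and `ann`; that is the role review point. Of the conflicted users, only `bob` actually created and paid the same vendor, which is the difference between a conflict and a fraud indicator. The per-manager count shows both of `mgr_b`’s reports with conflicts, the provisioning weakness to follow up on.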