Skip to main content

Embracing data analytics in auditing

(Image credit: Image Credit: Pitney Bowes Software)

In a digital world, now is the time for internal audit functions to embrace analytics. This is the most significant takeaway from Protiviti’s 2017 Internal Audit Capabilities and Needs Survey, the results of which show that Chief Audit Executives (CAEs) and internal audit professionals are increasingly leveraging analytics in the audit process, as well as for a host of continuous auditing and monitoring activities. 

There is growing recognition that an “analogue” approach to auditing is not a tenable long-term strategy for advancing the function into a higher-level role helping the organisation understand and manage risk. Structured data is plentiful in all organisations and CAEs are beginning to feel a responsibility to find the valuable insights, efficiencies and issues buried within. On the positive side, a lot of organisations are employing data analytics in their audit processes in one way or another and see significant value in doing so. Yet, most organisations are in the early stages of maturity and competency.

When it comes to embracing and enhancing their use of data analytics, many internal audit functions have just begun their journeys. Most of the obstacles hindering internal audit’s data analytics progress, such as budget and staffing constraints, are challenging enough, but one hurdle that is particularly difficult is that internal auditors may not be fully aware of the benefits such capabilities can deliver.

Following are notable findings and observations from a recent survey conducted by Protiviti on the use of data analytics in the audit process. 

  • Demand for data analytics services from the internal audit group has increased dramatically across all organisations in the last year. It is likely that as internal audit shops embrace analytics and achieve more progress in how they use data, this demand will continue to increase. This underscores the need for internal audit to develop how it is using analytics and build processes, people and technology to handle the growing volume and more sophisticated requests.
  • Organisations indicate that a strong level of value is derived from including analytics in the audit process.
  • Data quality and availability represent significant barriers to performing analytics, as do system constraints, coordination with corporate IT func¬tions and needed data elements that the company does not capture.
  • Given the prevalence of data access and quality challenges, it is not surprising to learn that a relatively small number of internal audit shops that are utilising analytics – just over one in four – maintain their own data warehouse. Many others likely are pulling data from the same warehouse that the business uses. Having access to the organisation’s data warehouse often is sufficient, but some internal audit groups lack this access. In addition, a dedicated data ware-house affords internal audit the advantage of being able to manipulate data and conduct testing in a sandbox. That said, not every internal audit group requires a dedicated data warehouse. Each shop should assess its own needs and circumstances.
  • More than 90 per cent of internal audit functions use internal data sources exclusively in their analytics processes. This indicates a great opportunity to seek out external data sources that can enable bench¬marks or other related comparisons that may provide management with a unique perspective not previ¬ously considered. For example, having data on the volume of receivables competitors report may tell an organisation whether it is carrying more risk than similar organisations. External data enables organisations to benchmark key risk indicators against other companies based on similar size, industry and other factors. Another example is hedging: External data sources can provide historic industry information such as market trends over time, which could help identify risks and issues with the organisation’s hedging process.

As such, we would recommend the following 10 Data Analytics Action Items for CAEs and internal audit teams: 

  • Recognise that the demand for data analytics in internal auditing is growing across all organisations and industries. This trend is certain to continue as more organisations undergo business and digital transformation initiatives, and as regulators increasingly call for organisations to use analytics.
  • Seek out opportunities to expand internal audit’s knowledge of sophisticated data analytics capabilities so that the function has a more comprehensive and precise understanding of what is possible with analytics, what similar organisations are doing with analytics, as well as what progress is needed to advance these capabilities.
  • Understanding that budget and resource constraints, along with business-as-usual workloads, can limit internal audit’s ability to optimise its data analytics efforts, try conducting even modest demonstrations of analytics capabilities that can set an influential tone and are positive steps toward building a stronger internal audit data analytics function.
  • Consider the use of champions to lead the analytics effort and, when appropriate, to create a dedicated analytics function. Having champions helps to bridge the gap between the analytics function and operational auditors. It also encourages more analytics use, including basic usage by the whole team. Compared to other organisations, those with analytics champions and dedicated analytics functions in place deliver more value, experience higher demand for their analytics services and obtain better access to higher-quality data.
  • Explore avenues to expand internal audit’s access to quality data, and implement protocols (including those related to completeness, conformity, data quality and reliability) that govern the extraction of data used during the audit process.
  • Identify new data sources, both internal and external, that can enhance internal audit’s view of risk across the organisation.
  • Increase the use and reach of data-based continuous auditing and monitoring to perform activities such as monitoring fraud indicators, KRIs in operational processes, and information used in the leadership team’s strategic decision-making activities.
  • Leveraging continuous auditing, develop real-time snapshots of the organisation’s risks and incorporate results into a risk-based audit approach that is adaptable and flexible enough to focus on the highest areas of risk at any point in time.
  • Seek ways to increase the level of input stakeholders provide when building and using continuous auditing tools and when determining what data should be monitored by these tools. It is important that the effort is focused on building tools that internal audit can leverage to monitor risk in the business. Many different stakeholders have important insights to help determine areas of focus.
  • Implement steps to measure the success of your data analytics efforts, and consider the most effective ways to report success and value to management and other key stakeholders. Internal audit groups that can successfully demonstrate tangible value will build a stronger business case for increased budgets and resources dedicated to a data analytics function, as well as underscore throughout the organisation the importance of analytics and, in the process, boost internal audit’s reputation internally.

In conclusion, given the increasing level of digitisation across different industries, CAE and internal audit functions must begin to embrace and enhance their data analytics and usage. This will allow them to better understand and manage their risks across the organisation, thereby being able to assure all stakeholders that they are able to face the future with confidence. 

This article has been adapted from the Protiviti research report, Embracing Analytics in Auditing. For more information or to read the full report, visit

Sukhdev Bal, Managing Director, Protiviti
Image Credit: Pitney Bowes Software

Sukhdev Bal
Sukhdev Bal is a Managing Director at Protiviti, and focuses on Internal audit and risk management. He has worked across several industries including financial services, manufacturing and telecommunications across an international geography.