
LEVERAGING DATA ANALYTICS IN INTERNAL AUDIT

Michael Kostanecki, Associate Director, Protiviti


March 20, 2019
Confidential

© 2019 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and
does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
TODAY’S PRESENTER

Michael Kostanecki

Michael is a proven leader with over 10 years of consulting experience specializing in the areas of IT Audit and Data Analytics. As an Associate Director in the Protiviti Toronto office, he plays a hands-on leadership role in the IT Audit practice with a unique blend of an accounting and business background coupled with a deep understanding of key technical IT and Cybersecurity risk areas, delivering meaningful value-add recommendations to clients.

Michael.kostanecki@protiviti.com

AGENDA FOR THE SESSION
What We Will Cover

• Current State of Data Analytics in Internal Audit
• The Future of Analytics
• Data Analytics In Internal Audit Approach and Examples
• How to Accelerate the Process
• Reporting

CURRENT STATE OF ANALYTICS IN INTERNAL AUDIT
DEFINING DATA ANALYTICS - WHAT IS IT?

The process of inspecting, cleansing, transforming, and modeling data sets with the objective of highlighting meaningful information, drawing conclusions, and supporting decision making.

Converting Information to Insight

POLL QUESTION

Does your internal audit department currently use data analytics as part of the audit process?

A. Yes
B. No
C. Unsure

INTERNAL AUDIT NEEDS TO EMBRACE ANALYTICS…FAST

2018 Internal Audit Capabilities and Needs Survey

• Data analytics will be a game changer for the internal audit profession.

• Not surprisingly, the ability to utilize data analytics and “big data” to achieve competitive advantage and manage operations and strategic plans ranks among the top risk issues for board members and C-suite executives worldwide.

POLL QUESTION

How strong is your audit committee’s interest in analytics?

A. No interest/low level of interest
B. Medium level of interest
C. High level of interest
D. Don't know

DATA ANALYTICS IN INTERNAL AUDIT APPROACH AND EXAMPLES
WHY USE DATA ANALYTICS?

Data → Insight → Decision Making → Action → Unlock Value

1 Transform a flood of data into meaningful information

2 Facilitate risk identification, measurement and profiling – answer important business questions

3 Increase testing quality and insight:

• Test 100% of populations instead of sampling
• Provide true error rates rather than error estimates
• Highlight trends and factors that may not be noticed through conventional audit techniques
• Identify interesting subsets of the population for testing and new unseen relationships

4 Increase productivity and efficiency

5 Deliver value-added suggestions and/or provide ongoing analytics tools to management

THE ANALYTICS ADVANTAGE

Data Analytics Application Areas (diagram)

Audit phases: Planning, Audit Execution, Reporting

• Risk Profiling
• Test Data Simulation
• Statistical Sampling
• Continuous Controls Monitoring
• Control Simulation
• Fraud Indicators
• Predictive Risk Identification
• Risk Quantification
• Real Time Exception Management
• Root Cause Investigation

INTERNAL AUDIT DATA ANALYTICS

Internal Audit Uses

Risk Assessment
• Analytics to assess key risk indicators to be used as an input
into annual audit risk assessment process
• Refreshing these analytics on a regular basis can be used to
evaluate changes in the risk environment and for timely updates
to the Annual Audit Plan

Discrete Audits
• Analytics in the planning and execution of individual audits in the
Annual Audit Plan
• Enables better identification of targeted risk areas for an audit
and analysis of full populations vs. traditional sample-based
audit testing.

Continuous Auditing
• Automated analytic routines that can be run at defined intervals
to provide regular insights into the effectiveness of controls and
potential risk areas.
• Allows more timely visibility into significant risk areas that may
require immediate attention.

HOW TO IDENTIFY POTENTIAL FOR ANALYTICS

Repetitive Audit Procedures
Audits repeat across business units, locations, geographies, or time (e.g., annual SOX testing, location-based audits, etc.)

Common Process Areas
Audit of a process where analytics are frequently applied and quality data is available

Information Exists In Unstructured Data
Information is captured in unstructured data format that is difficult to mine/report on

Manual Audit Procedures
Traditional audit procedures in the area are extremely manual, time-consuming, and/or tedious to perform

System Processing/Data Integrity Issues
System processing or data/report integrity issues are suspected or have existed in the past

Inadequate Management Reporting
Business or management reporting in the area audited would not sufficiently identify risks or process breakdowns

High Transaction Volumes
The area audited includes high transaction volumes that are retained over meaningful periods of time

INTEGRATING ANALYTICS INTO THE AUDIT PROCESS
The entire audit process from scoping to reporting is affected by integrating analytics

Traditional Audit Steps
• Confirm objectives and approach
• Confirm detailed scope
• Kick-off audit
• Sample testing
• Reporting

Integrated Analytic Audit Steps
• Identify potential analytics
• Obtain data
• Analyze data
• Identify potential issues
• Targeted testing
• Visualize results

DATA ANALYTICS APPROACH
Obtaining and validating data for the first time is typically the most time consuming step

Scope & Plan Objective
Define the objective of the analytic

Key Activities
• Identify the audit objective
• Determine the approach
• Identify the data elements
• Discuss the approach with the data owners, IT and key stakeholders
• Identify systems, data storage, data owners, format and file requirements
• Plan, prioritize, and document the tests

Deliverables
• Analytic requirements
• List of data sources and expected outputs
• Staffing, timeline and budget

Obtain & Validate Data
Obtain, validate, and cleanse the necessary data

Key Activities
• Develop request for data
• Determine plan for delivery and storage of data
• Verify completeness and accuracy of data
• Cleanse data
• Identify any gaps in required data

Deliverables
• Formalized data request
• Verification of data received
• Data and script repositories
• List of gaps in the data

Perform Analysis
Perform analysis using available tools and analyze results

Key Activities
• Finalize analysis approach
• Develop test scripts/queries
• Execute test scripts/queries
• Interpret and analyze results
• Document scripts & queries
• Archive scripts and queries for future use

Deliverables
• Test scripts and queries
• Detailed analysis of data sets and outputs

Interpret & Report Results
Summarize and report results of the data analysis

Key Activities
• Evaluate and summarize the analysis results
• Assess the results against the analytic objectives

Deliverables
• Final report on results
• Presentation to Management
• Documented scripts and queries

QUESTION

What percentage of time is usually spent in the Obtain and Validate Data phase?

A. 20%
B. 40%
C. 60%
D. 80%

THE CHANGING LANDSCAPE OF TOOLS

Typically for Data Analytics you will have three classes of tools – an ETL tool (Extraction, Transformation, and Load), a
Database to query information from, and an analytics tool. The image below represents a very small sample of tools
available. One key trend we have seen is Internal Audit organizations driving toward adoption of more classical BI type
technologies.

SQL
Used for complex analytics solutions. Ability to manage large volumes of data in a systematic manner.
• Analysis on a huge sample of data
• Structured analysis
• More business value at a lesser cost
• Backend databases in most of the top organizations

MS Access
MS Access is a very handy tool and easily available (as part of MS Office) to analyze reasonable data in a structured form.
• Cost effective
• Quick turnaround time
• Easy to use
• Non-technical

ACL / IDEA
ACL / IDEA is an industry-wide accepted tool for audit analysis.
• Quick turnaround time
• Flexible and user friendly
• Accepted audit tool

Tableau / Power BI
Data visualization tools designed to allow for ease of implementation on the desktop with simple, intuitive interfaces.
• Quickly create reports
• Strong visualization/graphic capabilities
• Simple and easy to share reporting results

GROUP ACTIVITY (10 MIN)

What is wrong with this data set of Invoices?

DUPLICATE PAYMENT ANALYSIS
100% of AP transactions are run through multiple different algorithms to identify potential duplicate payments /
duplicate purchase order (PO) receipts. These are categorized based on priority and reported by root cause.
Summary Overview

Priority Grouping    Claims Flagged for Review    Total Flagged Amount
High                 152                          $1,955,533
Medium               97                           $450,778
Low                  42                           $162,970
Total                291                          $2,558,281

Root Cause Analysis

Root Cause                   Count    Dollars
Altered Invoice Number       124      $1,302,541
Incorrect Vendor             78       $541,992
Multiple Vendor IDs          62       $550,778
Paid in System and P-card    19       $104,931
Unknown                      8        $58,039
Total                        291      $2,558,281

EXAMPLES

Procure-to-Pay Examples
• Vendor Master File Analysis
• # of Inactive Vendors with Activity
• Payments to Inactive Vendors
• Duplicate Vendors, Invoices, Payments
• Vendor to Employee Match
• Benford’s Law Analysis - Invoice, Payments, PO, and/or Credit Analysis
• Missed Discounts – Late Payments
• Authorization and Analysis of PR, PO, Invoice, and Payment
• Aging and Analysis of AP and Credit Processing Analysis
• Holiday Activity

Order-to-Cash Examples
• Analysis of Cash Receipts and Timely posting
• Customer Credit ranking aligns with Policy Requirements (amounts, authorization) and Perform Analysis on Customer Activity (payments and credits)
• Analysis of Write-off Transactions (authorization, timeliness)
• DSO Analysis by Order Date, Bill Date, and Payment Received Date
• Analysis of Unfulfilled Customer Purchase Orders
• Analysis of Overpayments/Refunds (unused credits)

Information Technology
• Verifying access rights are in compliance with policy/templates
• Multi-system segregation of duties analysis
• Last user sign on
• Duplicate employee IDs
• Change Management authorization
• New Hire/Terminations
• Problem Management
• Analysis of system logic to verify procedures (e.g., write-offs, refunds) are programmed accurately
• Report benchmarking

INTERNAL AUDIT DATA ANALYTICS

Common Process Areas For Analytics

Process Area: Value Statement

T&E Expenses: Provide insights into employee expense behavior and trends, assess compliance with company T&E policies, and identify instances of potential fraud or general abuse.

Procure-to-Pay*: Identify vendor master risks, duplicate payments, invoice and payment process inefficiencies, procurement control issues, and working capital improvement opportunities.

Order-to-Cash: Identify sources of revenue leakage, suspicious activity, control deficiencies, and inefficient collections through review of customer and pricing master files, sale orders, and billing records.

Inventory: Provide valuable insight into inventory trends including slow moving or obsolete inventory, cycle count/adjustment activity, negative margin items, and identify instances of potential fraud.

HR/Payroll: Review for HR employee master risks, inappropriate payroll disbursements, overtime abuse, assess bonus/commission payments for impropriety, identify unusual pay increases, etc.

General Accounting: Identify potential errors or impropriety in journal entries (JEs) through analyses such as account variance analysis, approvers analysis, duplicate JEs, manual JE testing, cut-off analysis, etc.

Fixed Assets: Analyze the fixed assets sub-ledger to identify potential duplicate assets, validate useful lives, confirm proper capitalization, and verify write-offs are processed appropriately.

* Examples of analytics in these areas provided on following pages

PROCURE-TO-PAY ANALYTICS EXAMPLES

Duplicate Payments: Ensure the validity of payments made to vendors by identifying potential duplicate payments. Potential duplicate payments are identified where one or more of the following data elements are identical or similar: vendor, invoice number, amount, and/or invoice date.

Duplicate Vendors: Identify potential duplicate vendors in the vendor master file (e.g., where multiple vendor records have the same or similar values for address, bank account, telephone, FEIN, etc.).

Unauthorized Changes to Vendor Master: Identify vendors created or with master data changes performed by an unauthorized employee.

Multiple Invoices from One-Time Vendors: Identify fraudulent use or misuse of vendors coded in the vendor master file as "one-time vendors" that have multiple invoices and are used regularly.

Split Payments: Identify cumulative payments for two or more transactions approved by the same employee to the same vendor that exceed or are within a percentage below the threshold of the authority limit.

Employee-Vendor Match: Identify employees that are set up as vendors in the vendor master file. Match employee and vendor master files based on name, address, tax ID, or phone number to identify potential employee-vendor matches for additional investigation.

Discount Analysis: Identify discounts missed on invoices that were paid within the discount period, but were not taken, or discounts that were lost due to payment of invoices past the discount period.
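
The duplicate payment and split payment tests described above can be scripted as follows. This is an added example, not Protiviti's code: the record layout, the priority rules, the 14-day and 7-day windows, the 10% near-limit margin, the authority limits and the sample invoices are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal
from itertools import combinations

FIELDS = ("id", "vendor", "invoice_no", "amount", "date", "approver")
# Constructed sample A/P records (illustrative, not real data).
INVOICES = [
    (1, "V100", "INV-10045", Decimal("12500.00"), date(2019, 1, 7), "E17"),
    (2, "V100", "inv10045A", Decimal("12500.00"), date(2019, 1, 9), "E17"),  # altered invoice number
    (3, "V200", "77310", Decimal("4800.00"), date(2019, 1, 10), "E22"),
    (4, "V201", "0077310", Decimal("4800.00"), date(2019, 1, 10), "E22"),   # second vendor ID
    (5, "V300", "A-501", Decimal("990.00"), date(2019, 2, 1), "E31"),
    (6, "V300", "A-502", Decimal("990.00"), date(2019, 2, 4), "E31"),       # same vendor and amount
    (7, "V400", "S-01", Decimal("4900.00"), date(2019, 3, 4), "E40"),
    (8, "V400", "S-02", Decimal("4700.00"), date(2019, 3, 5), "E40"),       # 7 + 8 exceed E40's limit
    (9, "V500", "Z-9", Decimal("300.00"), date(2019, 3, 6), "E40"),
]
# Assumed approval authority limit per approver.
AUTHORITY_LIMIT = {"E17": Decimal("50000"), "E22": Decimal("10000"),
                   "E31": Decimal("5000"), "E40": Decimal("5000")}
PRIORITY_ORDER = ("High", "Medium", "Low")


def normalize_invoice_no(raw):
    """Reduce an invoice number to a comparable key ("similar" matching)."""
    s = re.sub(r"[^A-Z0-9]", "", raw.upper())   # drop case, dashes, spaces
    s = re.sub(r"(?<=\d)[A-Z]+$", "", s)        # drop a letter suffix added after the digits
    return s.lstrip("0")                        # drop leading zeros


def find_duplicate_payments(invoices, date_window_days=14):
    """Pair invoices of equal amount and grade each pair by the other matching elements."""
    by_amount = defaultdict(list)
    for row in (dict(zip(FIELDS, r)) for r in invoices):
        by_amount[row["amount"]].append(row)
    flagged = []
    for group in by_amount.values():
        for a, b in combinations(group, 2):
            same_vendor = a["vendor"] == b["vendor"]
            same_no = (normalize_invoice_no(a["invoice_no"])
                       == normalize_invoice_no(b["invoice_no"]))
            close_dates = abs((a["date"] - b["date"]).days) <= date_window_days
            if same_vendor and same_no:
                priority = "High"      # same vendor, invoice number and amount
            elif same_no:
                priority = "Medium"    # same invoice and amount under another vendor ID
            elif same_vendor and close_dates:
                priority = "Low"       # same vendor and amount within the date window
            else:
                continue
            flagged.append((priority, a["id"], b["id"], a["amount"]))
    return sorted(flagged, key=lambda f: (PRIORITY_ORDER.index(f[0]), f[1]))


def find_split_payments(invoices, limits, window_days=7, near_pct=Decimal("0.10")):
    """Flag two or more invoices, each under the approver's limit, whose total
    within the window reaches the limit or falls within near_pct below it."""
    groups = defaultdict(list)
    for row in (dict(zip(FIELDS, r)) for r in invoices):
        groups[(row["approver"], row["vendor"])].append(row)
    flagged = []
    for (approver, vendor), rows in groups.items():
        limit = limits[approver]
        rows = sorted((r for r in rows if r["amount"] < limit), key=lambda r: r["date"])
        start = 0
        for end in range(len(rows)):
            # Shrink the window until it spans at most window_days.
            while (rows[end]["date"] - rows[start]["date"]).days > window_days:
                start += 1
            window = rows[start:end + 1]
            total = sum(r["amount"] for r in window)
            if len(window) >= 2 and total >= limit * (1 - near_pct):
                flagged.append((approver, vendor, [r["id"] for r in window], total))
    return flagged


if __name__ == "__main__":
    for hit in find_duplicate_payments(INVOICES):
        print("duplicate:", hit)
    for hit in find_split_payments(INVOICES, AUTHORITY_LIMIT):
        print("split:", hit)
```

Every flagged pair or group is a candidate for review, not a confirmed duplicate; the priority label only orders the follow-up work.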

CLIENT EXAMPLE (1/2)
Building Supply Company

Project Objective

1. Identify duplicate vendors in the vendor master file
2. Identify duplicate payments within transaction data for A/P
3. Enable the client to perform duplicate checks on an ongoing basis

Protiviti Approach

1. Identified potential duplicate vendors and payment transactions using repeatable database logic, customized to work with exports from the client’s ERP solution
2. Automated test procedure for continuous auditing
3. Provided walkthrough and detailed step-by-step instructional guide to enable client’s ability to test going forward

Benefits Achieved

• Identified duplicate vendors and payments
• Cost Recovery with duplicate vendor payments: ~ $100,000 Duplicate Payments Recovered
• Provided customized database tool and guidance for performance of duplicate checks on an ongoing basis

CLIENT EXAMPLE (2 OF 2)
Government Agency

Project Objective

1. Design analytics to meet defined objectives using the IDEA Analytics tool
2. Understand complex data sources and relationships
3. Document the analytics so that they can be performed on a continuous basis

Protiviti Approach

1. Became familiar with the test data and its limitations
2. Created a detailed testing plan document for each required analytics test
3. Obtained client buy-in for each testing plan document and executed testing.
4. Leveraged multiple laptops to increase processing power to meet engagement timeline

Benefits Achieved

Client received detailed test plans and test results for each required analytics test

• Quantification of overpayments in terms of monetary value
• Overpayment insights including aging analysis, originating location and length of time for recovery

Through test plans created, provided guidance for future IDEA Analytics tests

HOW DO YOU ACCELERATE THE PROCESS?
WHERE TO START…

Top Down or Bottom Up?

From the top… What business questions are you trying to answer? What business insights are
you trying to derive? Who are you trying to deliver information to?

From the bottom… What data exists? Where is it, and in what forms? How accessible is it?

Both! To be successful and move beyond routine, point-analytics you need to have answers to the
top-down and bottom-up questions.

OBSTACLES TO SUCCESS

Data access and quality issues

Creating a silo rather than awareness

Focusing too much on the tool versus the outcome

Insufficient planning

Narrow thinking

Uninspired reporting

OBSTACLES TO SUCCESS

Data access and quality issues

• A common challenge is access to QUALITY data.


• Partner with IT to develop robust processes for data acquisition (specific
and easily understood data requests, direct connections to data stores
etc.).
• There is a growing trend for internal audit functions to have their own
data stores or access to enterprise data warehouses (EDW).
• Internal audit functions that have earned a reputation for collaborating
with the business consistently encounter fewer data management
obstacles when deploying data analytics.

OBSTACLES TO SUCCESS

Creating a silo rather than awareness

• Technical competence is necessary (absolutely) but avoid creating a silo.


• Focus on the more important drivers of success – data analytics
awareness.
• Develop an understanding of the data to create a business-centric view
of analytics as opposed to a technology-only view.
• Consider how you source analytics talent.
• Reuse internal capabilities and tools, as possible.

OBSTACLES TO SUCCESS

Focusing too much on the tool versus the outcome

• Resist the urge to buy a tool and start scripting…


• First, establish a plan and set of initial, high-value use cases.
• Carefully evaluate a high-value area to target, understand the data
source, validate it, and identify how the results will be evaluated and
shared.
• 80% of time spent on understanding the data, the business process it
supports, and the activities and decision-making that it drives, along with
the business value the analysis is designed to deliver.
• 20% of time spent on the technical aspects of the analysis, including the
tool.
OBSTACLES TO SUCCESS

Insufficient planning

• Use of effective analytics often requires pre-planning, sometimes taking several weeks.
• Planning should focus on:
– Understanding how data is created, processed, and consumed; and
how it drives business activities and decision-making
– Seeking input from business partners
– Carefully identifying which analytics are likely to yield the most valuable
results
• Analytics is not just one step in an audit process; it’s in every step.

OBSTACLES TO SUCCESS

Narrow thinking

• Avoid thinking only about the “old benefits” e.g., testing a full population.
• Leading internal audit functions use analytics throughout the audit life cycle:
− Dynamic risk assessments
− Monitor trends, fraud, and risk and performance indicators
− Deviations from acceptable performance levels
− Model business outcome
• Think of analytics as a way to interpret data that helps tell a story.
• There must be an acute understanding of the data that is created, processed,
and consumed within — and across — the organization and how it is used to
drive business activity and decision-making.
ANALYTICS INTEGRATED INTO EACH AUDIT STEP

Analytics should not be a discrete step during the audit process…

Prep Fieldwork Reporting

1. 2. 3. 4. 5. 6. 7.
Project Resource Fieldwork Execute and Validate and Draft Report Audit Closing Track and
Assignment and Kickoff Oversee Communicate and Communicate
Planning Fieldwork Findings Reporting Value

Analytics activities by step (1 to 7):

1. Understand relevant data (including external data); mine for risk insights; establish data capture approach; develop analytics concept
2. Acquire and prepare data for analysis; finalize analytics plan
3. Execute analytics plan; be flexible… follow the data
4. Conduct thorough QA; create/share visualizations and reports
5. Data analytics finalized; prepare for handoff to management
6. Handoff to management; determine continuous monitoring options
7. Track, and communicate value delivered by analytics (efficiency, effectiveness, and business insights)

…it should be embedded into every step.

Key: Do not underestimate the time required for planning and data prep.

OBSTACLES TO SUCCESS

Uninspired reporting

• There is no excuse for using old-style tables and charts.


• Make use of widely available visualization tools – dynamic presentation
of results and real time, drill-down capability.
• Visually compelling, high-impact reports help internal audit and internal
audit clients quickly draw insights from data.

ADDRESSING THE OBSTACLES FOR SUCCESS

1 Understand what data is available, in what formats, how it can be accessed and its general profile.

2 Assess transformation and preparation required to analyze properly.

• Is the data complete and accurate?


• Is the data available in an easily analyzed format e.g., table-based?

3 Create a clear data request that results in data that can be validated back to source as necessary.

4 Perform any necessary transformation – but do as little manipulation as possible!

5 Develop source checks to validate data integrity that can be traced back to the source.

6 Load data into analytic tool of choice – develop another set of validity checks to validate proper import. Include data checks throughout analysis, focus on areas at high risk of data error / loss (e.g., where joins occur).
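
Steps 5 and 6 can be scripted as control-total checks. The following is an added example, not part of the original deck: it uses an in-memory SQLite database as a stand-in for the analytic tool, and the table layouts, sample extracts and source control figures are constructed assumptions.

```python
import csv
import io
import sqlite3
from decimal import Decimal

# Constructed extracts as a data owner might deliver them (illustrative only).
PAYMENTS_CSV = """payment_id,vendor_id,amount
P1,V100,1200.50
P2,V200,89.99
P3,V300,4500.00
P4,V999,310.00
"""
VENDORS_CSV = """vendor_id,name
V100,Acme Supply
V200,Birch Tools
V200,Birch Tools Inc
V300,Cedar Freight
"""
# Control figures reported by the source system with the extract (assumed).
SOURCE_CONTROL = {"rows": 4, "amount_total": "6100.49"}


def to_cents(text):
    """Store money as integer cents so totals compare exactly."""
    return int(Decimal(text) * 100)


def load(conn):
    """Import both extracts into the analytic database."""
    conn.execute("CREATE TABLE payments (payment_id TEXT, vendor_id TEXT, amount_cents INTEGER)")
    conn.execute("CREATE TABLE vendors (vendor_id TEXT, name TEXT)")
    for r in csv.DictReader(io.StringIO(PAYMENTS_CSV)):
        conn.execute("INSERT INTO payments VALUES (?, ?, ?)",
                     (r["payment_id"], r["vendor_id"], to_cents(r["amount"])))
    for r in csv.DictReader(io.StringIO(VENDORS_CSV)):
        conn.execute("INSERT INTO vendors VALUES (?, ?)", (r["vendor_id"], r["name"]))


def check_import(conn, control):
    """Validate the import against the source's record count and control total."""
    rows, cents = conn.execute(
        "SELECT COUNT(*), COALESCE(SUM(amount_cents), 0) FROM payments").fetchone()
    return {"rows_match": rows == control["rows"],
            "total_match": cents == to_cents(control["amount_total"])}


def check_join(conn):
    """Compare count and total before and after joining payments to the vendor master."""
    before = conn.execute("SELECT COUNT(*), SUM(amount_cents) FROM payments").fetchone()
    after = conn.execute(
        "SELECT COUNT(*), SUM(p.amount_cents) FROM payments p "
        "JOIN vendors v ON v.vendor_id = p.vendor_id").fetchone()
    # Payments with no vendor record are silently dropped by an inner join.
    lost = [r[0] for r in conn.execute(
        "SELECT p.payment_id FROM payments p LEFT JOIN vendors v "
        "ON v.vendor_id = p.vendor_id WHERE v.vendor_id IS NULL ORDER BY 1")]
    # Duplicate keys in the vendor master multiply payment rows in the join.
    fanout = [r[0] for r in conn.execute(
        "SELECT vendor_id FROM vendors GROUP BY vendor_id HAVING COUNT(*) > 1 ORDER BY 1")]
    return {"rows_before": before[0], "rows_after": after[0],
            "total_preserved": before[1] == after[1],
            "lost_payments": lost, "duplicate_vendor_keys": fanout}


def run_checks():
    conn = sqlite3.connect(":memory:")
    load(conn)
    return {"import": check_import(conn, SOURCE_CONTROL), "join": check_join(conn)}


if __name__ == "__main__":
    for stage, result in run_checks().items():
        print(stage, result)
```

In this sample the joined row count still equals the source count because one dropped payment and one duplicated payment cancel out; only the control total and the key-level checks expose the error.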

POLL QUESTION #4

Which of the following obstacles to analytics success do you feel is the biggest challenge for your organization?

A. Creating a Silo Rather than Awareness


B. Putting the Tool Cart Before the Horse
C. Insufficient Planning
D. Narrow Thinking
E. Data Access and Quality Issues
F. Uninspired Reporting

REPORTING
REPORTING EXAMPLES (1/8 through 8/8)
CYBERSECURITY DASHBOARDS 1/3
[Dashboard figure. Filter: LOB (All). Panels: Trending Compliance % (8/23 to 11/15); Trending High Risk Devices | Devices Scanned (9/06 to 11/29); Snapshot by selected view, by Device Type (UNIX, ROUTER, WINDOWS, DESKTOP). Legend: # High Risk Devices, Devices Scanned.]
CYBERSECURITY DASHBOARDS 2/3
Vulnerability Scan Results Explorer (Vuln Type: All)

Detected Vulnerabilities: 1,216,949
Detected High-Risk Vulnerabilities: 553,721
Avg Vulns / Device: 1,816
Avg High-Risk Vulns / Device: 826
Devices Scanned: 670

Vulns by Type (#Vulns; bars broken down by Risk: Low, Medium, High)
Flash: 450,340
Microsoft Excel: 237,511
Microsoft Outlook: 112,586
Microsoft PowerPoint: 67,850
SQL Server: 63,996
Java: 63,804
Microsoft Word: 59,012
Oracle: 57,757

Vulns by Business Application (#Vulns)
Business Application 4: 47,836
Business Application 16: 45,285
Business Application 33: 42,965
Business Application 13: 40,563
Business Application 22: 40,451
Business Application 29: 39,311
Business Application 3: 38,478
Business Application 12: 38,003

Vulns by Device (#Vulns)
Device 343: 6,500
Device 139: 5,809
Device 561: 5,466
Device 176: 5,454
Device 465: 5,395
Device 53: 5,343
Device 427: 5,120
Device 287: 5,104
CYBERSECURITY DASHBOARDS 3/3
Last Logged Incident: 2/9/2016
[Dashboard figure. Panels: Incidents Count by Type (Other/Misc, Malware, Data Leakage, Network Control, Policy Violation, Email/Spam, Compromised Asset); Count by Status (Open, In Remediation, Closed); Count by Severity (High, Medium, Low); Repartition by Handler, Business, & Status (LOB1 to LOB5, each split into Open, In Remediation, Closed). Filter: Incident Type (All).]
THE FUTURE OF ANALYTICS
SUSTAINABLE ANALYTICS… IT’S A JOURNEY

Advanced Analysis
• Continuous improvement
• Predictive analytics
• Continuous/real time analytics

Full Integration
• Fully integrated analytics program
• Standardized reporting packages
• Enterprise access to analytics reports
• Established data governance

Year 3+: Integrate Analysts
• Broaden organizational use
• Fully embed analytics
• Move towards data governance

Year 2: Expand Use
• Identify champions
• Enhance tools and training
• Integrate ad hoc analysis
• Define data access model
• Identify opportunities to embed

Year 1: Foundation
• Get sponsorship
• Define objectives and strategy
• Understand the data landscape
• Focus on important business items
• High impact reporting
• Start small, iterate and prove value (e.g., pilots, PoCs)
10 DATA ANALYTICS ACTION ITEMS FOR INTERNAL AUDIT

1 Recognize the demand for data analytics in internal auditing is growing across all organizations and industries.

2 Seek out opportunities to expand internal audit’s knowledge of sophisticated data analytics capabilities.

3 Understand that budget and resource constraints, along with business-as-usual workloads, can limit internal audit’s ability to optimize its data analytics efforts.

4 Consider the use of champions to lead the analytics effort and, when appropriate, create a dedicated analytics function.

5 Explore avenues to expand internal audit’s access to quality data.
10 DATA ANALYTICS ACTION ITEMS FOR INTERNAL AUDIT

6 Identify new data sources, both internal and external, that can enhance internal audit’s view of risk across the organization.

7 Increase the use and reach of continuous auditing and monitoring.

8 Leverage continuous auditing and develop real-time snapshots of the organization’s risks.

9 Seek ways to increase the level of input stakeholders provide when building and using continuous auditing tools.

10 Implement steps to measure the success of your data analytics efforts, and also consider the most effective ways to report success and value to management and other key stakeholders.
EMERGING ANALYTICS TOOLS – PROCESS MINING
Process Mining Visualizations

Process mining tools can fundamentally change the way that we can analyze processes.
• Automate the walkthrough process
• Data tells us what is actually happening in a versus what we think is happening
• Support risk assessment activities – identify “hot spot” areas for focus
• Provide quantification for observations (# of transactions, $ of transactions, time to process, etc.)
WHAT’S NEXT?

Even as firms are just getting established on internal analytics, we are already seeing shifting demands and new trends, such as:

Algorithmic Transparency and Assurance: As robotic process automation (RPA) and artificial intelligence (AI) increase, audit is being looked upon to review and provide assurances that these models are running as designed, producing the best outputs and are free of bias.

New Sources and Types of Information: Data lakes and big data platforms are increasingly becoming ubiquitous and offer great sources for auditors, but also carry with them huge risks due to the types of data all centralized in one location. All of this will aid in further driving value from the analytics that are produced.
Q&A

THANK YOU!

Analytics in Auditing is a Game Changer – 2018 Internal Audit Capabilities and Needs Survey
For more information and to download the full report visit https://www.protiviti.com/US-en/ia-capabilities-needs-survey-2018

Michael Kostanecki
Associate Director
michael.kostanecki@protiviti.com

181 Bay Street
Suite 820, Toronto, ON M5J 2T3
Canada

Cell: +1 416 912 5064
