In the October issue of the Internal Auditor magazine in the Back to Basics section an article was written called “Analytics Refresher“. The authors state “internal audit can be a catalyst for expanding the use of analytics through the company to provide greater, more holistic business insights”. Very True. But the very last paragraph of the article states “Internal auditors are at the beginning of a new era in the use of analytics to enhance the internal audit process. Taking the steps outlined above can help internal audit departments realize gains in effectiveness and efficiency while providing greater business insights.” Beginning of a new era? What? The enterprise value of data analytics and the role that the internal audit function can and should play with respect to the use of data analytics is hardly new. In fact, companies like ACL and Idea have been around for many, many years and so has Microsoft Excel and Access for that matter. The article misses a great opportunity to focus on the fundamental question of why doesn’t every company and every internal function in the world, regardless of size or industry not just use data analytics, but use them properly? And secondly, why has there been and while is there still a somewhat slow adoption rate? The reasons or maybe excuses range from ineffective audit committees, ineffective internal audit leadership, lack of adequate funding down to the fact that some internal auditors still to this day are fundamentally not equipped from an educational and training perspective to build, maintain, let alone properly use data analytic software and its data to add value across the enterprise. Yet each time I read an article about a fraud, security breach, business enterprise reputational impact due to a myriad of things that can occur through social media, etc. it seems like the question of “where was internal audit” always comes up. In my experience, assuming the company has an effective internal audit function (if the company has one at all) they are working through their annual audit plan which was approved the prior year by the audit committee using completely outdated audit programs that are based upon data sampling techniques that look back at data after the fact, in many cases several months back. For a compliance driven audit, haphazard sampling techniques looking back over several months is fine. But in order for internal audit to truly become a valued added business partner and not just the “controls police” they must be almost right on top of real time data that is the most crucial to an organization through the use of data analytic software and understand how to effectively analyze and report upon such data in a much more timely manner that is meaningful to the organization in order to be in a position to truly answer the question “where was internal audit”, assuming at this point, the question is even asked at all.
In addition, and I am frankly very surprised the authors didn’t even bring this up in the article, until the internal audit profession as a whole moves away from reactive data testing and moves to a more real-time continuous auditing model built around the Three Lines of Defense Model we will continue to read the same type of data analytics article that have been written for the last 20 years.