Risk Insights Logo

Principle 3 - Maximize benefits - data governance within IA

April 1, 2020

This article focuses on principle #3 – Maximizing the benefits of using data in audit.

This is the 5th article in this series.  The four earlier articles addressed related topics:

  1. Why you need to govern the use of data, within the audit team, in a different way
  2. Why we must share data, that is collected or used for audits, with the whole audit team
  3. Principle 1 – Security and open access
  4. Principle 2 - Quality


Why this principle (3) is about maximizing benefits

You might be wondering – why is this so important that it is laid out as one of 3 key principles?

We previously explored 5 core challenges that we face in using data for assurance:

  1. Access to data: you can't get all the data, or you can't get it quickly enough.
  2. Low value: the analysis doesn't yield new insights.
  3. Superficiality: the results are not deep enough to properly understand and refine the problems or to identify opportunities for improvement.
  4. Timing: the results are not available in time for reporting/concluding.
  5. False positives: too many of them; results are overwhelmingly noisy.

Principle 3 helps address the first 4 of these 5 core assurance analytics challenges.

[The 5th item, dealing with false positives is a separate matter. For one approach to dealing with those, this article may help.]


Let’s explore the sub-principles and explain how they help address the 4 challenges.


3a: Sharing lessons among the team


Capturing and communicating information that would be useful to other members of the audit team. For example:

  1. insights from the analysis
  2. a new understanding of business processes, identified by the analysis of data and not previously known by the audit team
  3. what the data could not show because certain fields were not captured, it was not granular or there wasn’t enough history
  4. data limitations and what assumptions were then needed
  5. data quality issues and workarounds for these


sharing lessons helps reduce effort in future audits and serves as an accelerator for other members of the audit team.


During the audit for longer audits or where other relevant audits are commencing, and after the audit in all cases

How it helps

  • access to data (reuse where suitable)
  • low value (deduplicate - prevent repeating the same insights and prevent repeating issues that appear to be valuable at first but turn out to not be real opportunities)
  • superficiality (start at an advanced position, for deeper results)
  • timing (accelerate - start earlier with existing data, work faster by reducing the impact of known limitations and quality issues)


3b: Identifying other risks and opportunities


In using data and performing analytics for an audit, where risks and/or opportunities that are not relevant to the audit are identified, these should be captured for follow-up, reporting, planned future audits or to initiate a separate audit that had not been planned for


Because the analytics involves both bottom-up and top-down analyses, such risks and opportunities are identified very often.  We have an obligation to do something about it.


Whenever such risks or opportunities are identified – often during the audit, could also happen in wrap up

How it helps

  • low value (the analysis helps with new insights, even if not related to the audit)
  • superficiality, if it flows into a separate audit (start at an advanced position for deeper results)


3c: Continuous improvement

Use data and insights to improve the results of future audits. Use lessons learnt to improve auditor capabilities:

  1. previously used data can supplement the audit work – for example, if you have explored and analysed data for one audit, then start another audit that could use that data, because you have used it before it will be easier to see the potential linkages and then exploit them.
  2. insights from one audit may be relevant to others – for example, if you have identified a specific data quality matter in conducting an audit, then knowing about this means that you can work around it in future audits, to help improve the results of that future audit
  3. identify gaps in capability and find ways to plug these gaps


You want to continuously improve the value that you produce, and your team’s capability levels.  As you produce insights, the expectations about future insights will grow – people will expect more and expect increased sophistication.


Generally, after the audit, for longer audits you may be able to identify and plug capability gaps during the audit

How it helps

  • access to data (reuse)
  • low value (linking data not ordinarily combined, for new insights)
  • superficiality (by starting with known identified risks/opportunities, the ability to refine further is enhanced)
  • timing (improving capability – skilling up - can help accelerate delivery)



Are you maximizing the benefits from your data (in audit) initiatives?

Share this article

Get more insights like this

Blog Post
The Assurance Blog
March 3, 2022

Data in Audit Guide

Read article
Blog Post
The Assurance Blog
December 16, 2021

The Data-Confident Internal Auditor: Software

Read article

Subscribe to our mailing list

Get notified by email about new blog posts and podcast episodes by the Risk Insights Team.