Internal Audit’s use of data – yes, it does go beyond CAATs / basic rules

Internal auditors have used Computer Assisted Audit Techniques / basic rules to identify duplicate invoices, payments and payroll transactions for some time.

While these techniques have helped identify errors in transaction records, the expectations and mandates of Internal Audit functions continually evolve.

Surveys of key stakeholders globally have highlighted that businesses are expecting internal audit, as their third line of defence, to focus on higher order risks – those related to objectives and strategy.

At conferences over the past few years, there has been an increase in presentations on data and “analytics”.

If someone outside of the profession listened to the discussions, they would be forgiven for thinking that IA hasn’t made much progress, apart from enhanced visuals and dashboards.

Is that the reality?

Fortunately, this is not the case.

There are a number of IA teams that are using newer approaches in the conduct of their analytics work. This includes:

  • text analytics: analysis of text (structured & unstructured), including NLP (natural language processing)
  • similarity searches / “fuzzy” matching
  • machine learning: e.g. supervised predictive models to help reduce false positives, and provide better outcomes than traditional sampling

This expands the range of questions that can be answered / risks that can be identified; they are useful regardless of the volume of data that you need to analyse, but are particularly useful when you need to (or want to) crunch through large sets of data.

Some teams are looking at hundreds of millions of records within individual audits

Expanding the range of techniques used has helped them with processing (i.e. making the analysis possible, without noise). Importantly, they have been able to produce high-value, tangible insights and outcomes; often helping to surface customer service issues, revenue leakage and unnecessary expenditure.

The techniques outlined earlier help solve specific challenges and are not simply all thrown in to prove or disprove every hypothesis.

If used appropriately, they can help improve audit quality, efficiency and effectiveness – providing additional value to stakeholders.