Risk Insights Logo

Repeatable analytics - whose job is it?

May 9, 2018

Over the past few years, and again at the 2018 ISACA conference in Chicago, there have been lots of discussions regarding analytics strategies for internal audit teams.

Among the strategies, repeatable analytics (e.g. continuous controls monitoring or CCM) seems to be a fairly common theme. Is this the easier route or the appropriate one?

Here are some questions we need to ask:

  1. What is the role of the third line? Is it to assume management responsibility?
  2. Do internal audit teams still use rigid plans?
  3. Repeatable analytics - resurrecting CCM, without calling it that?
  4. Do teams continue to focus on the traditional rules-based approaches (and old tools)?

Without diving into explicit answers, perhaps we need to consider:

  1. One IIA position paper on 3LOD states
    "Operational management naturally serves as the first line of defense because controls are designed into systems and processes under their guidance of operational management. There should be adequate managerial and supervisory controls in place to ensure compliance and to highlight control breakdown, inadequate processes, and unexpected events."
  2. The leading IA teams, with the exception of those that have significant supervisory oversight duties, have moved to more flexible, agile audit planning approaches (e.g. 3+9, 6+6).
  3. The views regarding CCM and where it should reside vary, but the position paper excerpt above provides some guidance - "first line ... controls in place ... highlight control breakdown".
  4. While the rules-based approaches have served IA folk well, it is time to move on; some of the traditional IA analytics software vendors have not progressed, and are keeping us in the past with them. This Deloitte article on fighting fraud talks about "investigate efforts" that can be impeded by, amongst other factors, "over-reliance on rules based testing".

With a recent series of reports highlighting failure by IA teams to leverage analytics, could this be the reason that the strategies are not working?

Some of those reports talk about repeatable analytics being a core component of the IA analytics strategy. Do you agree?

Share this article

Get more insights like this

Blog Post
The Assurance Blog
March 3, 2022

Data in Audit Guide

Read article
Blog Post
The Assurance Blog
December 16, 2021

The Data-Confident Internal Auditor: Software

Read article

Subscribe to our mailing list

Get notified by email about new blog posts and podcast episodes by the Risk Insights Team.