Risk Insights Logo

Data in Audit Guide

March 3, 2022

Within assurance functions or for specific assurance projects, using data can help improve effectiveness and quality.

There is certainly an efficiency angle too – this article explains how using data can help with efficiency.

This guide is designed specifically for internal auditors, performance auditors and other assurance professionals.

If you lead an assurance function or you lead the use of data within assurance projects, you will consider:

  1. Governance
  2. Scoping
  3. Planning
  4. Fieldwork
  5. Reporting
  6. Tools and Techniques

If you are starting to use data, or you want to enhance your approach, start with this article: common challenges.

If you are looking for how to approach the use of data – how specifically to scope and plan the use of data, how to determine what to profile and what to test, this article outlines four of the more common approaches.


1. Governance

These articles outline considerations for oversight of the use of data within assurance functions.

#1: Why audit functions need to consider specific approaches to data governance (within the audit team).

#2: Whether access to data within the audit team should be open (access for all) or closed (access only as needed).

#3: Three key principles for governing data within IA; Principle 1: Access – detailed.

#4: Principle 2: Quality.

#5: Principle 3: Maximizing benefits.


2. Scoping

Top-down first

One aspect of the use of data within audit has changed over the past few years.

There has been a shift from bottom up thinking to an objectives based approach. What is the problem that needs to be solved?

The traditional, easy way, is to start with a library (a list of rules based analytics routines), but that won’t help to properly achieve the assurance or value delivery goals.

This article outlines the hypothesis-based approach (preferred) and three other common approaches.


Assurance professionals (typically) have a unique perspective across multiple functional areas.

Access to each business unit / department = potential to look into matters across the organisation.

So consider the organisation as a whole in scoping the data work to conduct.

Customers don’t care which part of the organisation is involved in providing a product or service to them, they care only about the service. Use customer feedback/complaints data if you can – there are several benefits.

The Board won’t (or shouldn’t) be as concerned with which department you have reviewed, as they are (or should be) with what the potential risks and opportunities are. So you need to look across functional boundaries.

How can the story best be told? It could be function specific, but this is often not enough.


  • Your high performing peers are not using data just to say “we used analytics”
  • Your stakeholders expect to see integrated results – not just an appendix to your report
  • You can use data purely to confirm compliance, but try to strike a balance where possible
  • Avoid duplication – check whether BAU activity already covers your hypotheses (i.e. how likely is it that you will uncover new insights, given data work conducted elsewhere in the organisation)


3. Planning

Some of the key points to consider in planning your assurance data project / activity include:


4. Fieldwork: Process and Methodology

This process and methodology is specifically for assurance projects – internal audit and performance audit.

Download the process & methodology doc

Key points to note:

  • Start the data process before audit planning. Why?
    • it takes time to get access to the data that you need
    • you want the results of the data work to inform planning and fieldwork
    • it takes time to explore and evaluate exceptions (anomalies)
  • The data process is iterative, as outlined in the guide.
  • Some steps may not be relevant, and you don’t need to follow them all.
  • Visualization is an important step – it enables easier exploration of the data and supports explanations/reporting.


5. Reporting

Data is exceptionally useful for reporting

Data can help make reporting more efficient – as outlined in this article.
In finalising an audit, where management actions (a.k.a. management comment, remedial actions) are being prepared, you can use data to help go beyond that remedial action.

If you use data, carefully consider how that will reflect in your report

More on reporting coming soon. Contact us for early access.


6. Tools and Techniques

Deliberately the last item in this topic – because it should not drive the approach.

It is still important, though. This article outlines the minimum set of software and considerations for selection.

Tools don’t have to be costly. This article debunks 3 common myths associated with open source software.

Most importantly, avoid “audit analytics” software. More on this in Episode 18 of the Assurance Show (podcast).

Share this article

Get more insights like this

Blog Post
The Assurance Blog
December 16, 2021

The Data-Confident Internal Auditor: Software

Read article
Blog Post
The Assurance Blog
February 28, 2021

Small datasets for audits: 5 ways to extract value

Read article

Subscribe to our mailing list

Get notified by email about new blog posts and podcast episodes by the Risk Insights Team.