Episode 23 | Maximize the benefits of using data within audit

The Assurance Show
Episode 23 | Maximize the benefits of using data within audit
/

 

Show Notes

In this episode we explore Principle 3 – Maximize the Benefits of the use of data within Internal Audit and Performance Audit.

Sub-principles
3a: Sharing lessons amongst the team.
3b: Identifying other risks and opportunities.
3c: Continuous improvement.

Link: The blog article where this principle was originally outlined

 

Transcript

Narrator:

Welcome to the assurance show. This podcast is for internal auditors and performance auditors. We discuss risk and data focused ideas that are relevant to assurance professionals. Your hosts are Conor McGarrity and Yusuf Moolla.

Yusuf:

Today, we’re going to talk about how we can maximize the benefits of the use of data within audit. We previously spoke about principles that apply to governing the use of data within audit. The first of those was security and open access. The second was quality . It is important that we govern our use of data within audit in a different way, because of the type of data that we get, how we bring the data together, what it means if we lose that data and because we’re not the creators of data. And because we largely are consumers and users of data in a very specific function, either within internal audit or performance audit, why that’s important. This third principle, which is about maximizing benefits, is laid out as one of the three key principles, primarily because, in earlier episodes we spoke about five core challenges that we face in using data for audits. This principle, maximization of benefits helps in addressing those core challenges.

Conor:

To refresh our memory some of the core challenges we face and using data for assurance. the first one being access to the data. second, one being low value where the analysis doesn’t yield, any new insights. Superficiality, the results aren’t deep enough fourth one was timing. the results of our analysis are not available in time and lastly, false positives.

Yusuf:

False positives is something that, you need to do something else with there’s a very specific , set of potential resolutions to that or solutions for that the first four that you spoke about there. So access to data, low value, superficiality, timing and reporting. Those are what we’re going to be focusing on through this principle today.

Conor:

Let’s kick off. what’s the first thing we need to understand.

Yusuf:

This principal has three sub principles. the first one being sharing lessons amongst the team, the second one being, identifying other risks and opportunities and the third being continuous improvement.

Conor:

Let’s start with the first benefit sharing lessons among the team.

Yusuf:

This is about capturing and communicating information that would be useful to other members of your team. examples of that would be where you have a brand new understanding of a business process. And you were able to get that sort of understanding by using data another example of that is where you have data quality issues and you’ve identified workarounds for those data quality issues. So these are the sorts of things where , your use of data, Can enable a better understanding. And can enable the sort of information that the broader team would need to have. It will be useful to the broader team, either for similar audits or for a broad range of audits later on, quite often when we use data for an audit, that data can be reused on another audit. If we capture the information. about what we found in using that data that could be useful for later, audit. the set principle sharing lessons amongst the team, how it addresses the access to data issue is that you can enable reuse. So if you’ve already got data for a particular audit, you may be able to, you know, capture those lessons and capture the information about the data for reuse in terms of low value. We don’t. duplicate what we’ve done before in terms of superficiality, because we’ve already started using data. We can start deeper than next time. And in terms of timing and reporting, we can accelerate because we now have an understanding new things that we can share amongst the team. sharing lessons helps reduce our effort in future audits. and. where we have that better understanding. we’ve done a few things with the data that we have. It makes sense to capture that, and either documented or at least have a discussion. with the broader team about what it is that we fund documenting would be ideal. And we’re not talking about going to, documentation for documentation sake, but important things that we have, and this can help maximize the benefits of our use of data.

Conor:

From the performance audit perspective, there’s certainly a lot of opportunity and room for improvement. And how, observations about the use of data get shared. an area that needs to be a lot of improvement in. What are some of the practical ways in which that transfer of knowledge about a particular data set to the broader team can take place?

Yusuf:

This largely does depend on the size of the team and how well the team works together overall. you want to document some key things. make sure that you clear about the data that you’re getting and what you’ve learned. That’s new about a particular process or function or agency in the case a performance audit, when you’re looking at, broader audit plans, annual plans or strategic plans, then it’s important to think about what you’ve done before and, contribute. Information about what you’ve done before that you think could be relevant for future audits. So this is an ongoing, and we’ll talk about continuous improvement in a sec, but this is an ongoing improvement opportunity . But It’s not always that easy to make this concrete and say, this is a particular step that you can do to ensure that this continues to happen in future. This is about collaboration amongst the team. This is about thinking about other audits, not just the audit that you on. and this is about the team getting together and actually talking about the order plan. I know we’ve worked with a few functions, both internal audit and performance audit, where they do this really well. where , the whole annual plan is something that the whole team will talk about as a collective. And the benefit in that is even if you have, a function where different teams are responsible for different subject matter, if you, in a financial services institution that might be somebody involved in insurance, somebody involved in banks, somebody involved in wealth management, somebody involved in, corporate matters in performance audit. That might be somebody looking after the health sector, somebody else looking after justice, somebody else looking after education, somebody else looking after transport the benefit of having the team come together and think about the whole plan overall. and then also for individual audits, when you brainstorming individual audits, bringing people in from other audits that are either ongoing or that have happened before. So that that sharing can happen. you can either have the discussion ad hoc, which happens quite often, or ask people to think about the things that they think can contribute to either the annual plan or to those individual audits, if you’re having an individual audit discussion. beyond that many order teams keep records of the data that they’ve collected. So they’ll say we’ve collected this sort of data from this entity or the sort of data from this entity. , that metadata is important because that’s , almost like a running sheet of what it is that we’ve collected and what we’ve used it for. If you can then append to that, information on what it is that you did with that data. So, you would do things like reconcile the data. You would do a whole bunch of data, quality checks. You would do a whole bunch of data cleansing activities. you may have identified some insights from the data that will be relevant for other audit. And if you can capture that in your running sheet of data, and the data that you’ve collected, then that’s something they can use going forward.

Conor:

You’ve touched upon a very important concept. And that’s every auditor contributing to something bigger than a particular role that they’re trying to execute bringing their knowledge to bear, but the data they have used to inform and guide the broader planning off the team.

Yusuf:

Even if you think about just your next audit, and what it is that you’re doing on your current order to help with that or what it is you’re doing on an audit to start earlier, and relevant to an audit, decided later, those are the sorts of things you would do as a more junior person. As you become more senior, you then want to think about more broadly. And if you are the head of that function, if you’re head of internal audit to the head of performance audit, you naturally need to have that broader perspective around what’s going on within the different teams and how we can bring information. From one team to the other

Conor:

Sharing lessons among the team. that’s the first, The second one is. identifying all the risks and opportunities.

Yusuf:

We touched on some of this. but just to be a bit more specific. This is where, when we’re using data for an audit, we identify a whole range of risks, a whole range of opportunities. Sometimes those are directly relevant to the audit that we’re doing. Sometimes they aren’t. may not make it into our report or they may not be directly relevant to the particular subject matter that we’re looking at, but where we identify such adjacent, risks and opportunities, we want to capture those so that they can be followed up, reported on and are used for, planning, future audits, or where we have a planned future audit. For, information flow into that future audit. So we spoke already about how, when we using data, we can use the information that we obtain or the knowledge that we obtain, the lessons that we learn for future audits. This is where we’re doing a particular audit. And we see, something that isn’t relevant to this audit, or it’s only mildly relevant to this audit, but it could have a significant impact on a later audit or something broader reporting to the audit committee or something else, or even it’s not going to be relevant to any audit. But I think management need to know about this.

Conor:

Could be a business opportunity.

Yusuf:

Could be a business opportunity. and it could be non audit committee reporting specific if you want to call it that, but Because when we do data related work, we usually look top down. So we create a hypothesis or set of hypothesis. And then we use that. We then also do some bottom up analysis. So we’ll look at overall quality of the data, et cetera. quite often as audit is particularly if we are curious audited and not following standard sets of routines, if we really are focusing on trying to the stand what’s in front of us get. a good understanding of it and take the time to do that. we do find these opportunities. particularly when you’re using data, it’s very easy to find these sorts of opportunities. capturing that information, and then sharing that with the right team or within audit or the right team within the entity that we auditing or the function that we audit thing. If we internal audit. That’s where we can help maximize some of the benefits we hear this a lot. We hear that, data can be used to drive value. auditor should use data to drive value. And then we conduct an audit and we use some data and it helps us to either prove or disprove our hypothesis and kind of ends there. , where we find these other opportunities, we need to do something with them. And it’s that, that can create that additional value that we provide as auditors. We have a unique perspective because we’re looking at data from multiple different dimensions. and so when we find that it mustn’t just be, if we just say, Hey, this doesn’t relate to our report, or it’s not significant enough to go into the report. So let’s discard it. Then we are missing an opportunity

Conor:

This identification of opportunities by internal audit through the use of their data was something that, resonated strongly with Joseph Watson. We spoke to in the previous episode. Joseph, the, chief risk officer for, a digital bank was talking about internal audit. maximizing. their ability to identify these opportunities. So working towards a performance focused agenda, as well as the conformance agenda that internal audit maybe have traditionally veered towards. so maximizing benefits, three internal audit, performance audit, identifying other opportunities is certainly something we need to do a bit more work on.

Yusuf:

You spoke about performance there, which is really important, but even in the conformance world, this becomes an important thing. And if we think about things like, where we evaluating a full customer data set for a particular subject matter, so. let’s look at something like within financial services determining where the fees are being charged correctly on deposit accounts. No. In order to do that, we would normally get information on, customers on accounts, on transactions and then we’ll determine whether those fees are correct, correct. The right level of fees used, et cetera. But when we get that information, one of the things that we need to do is determine whether the quality of our data is good. And a quality check that we often do is look at whether we have any duplicate information in the data that we have. And sometimes that duplicate information could be in things like the customer name or the customer address. and while the direct audit that we’re doing is not necessarily related to what I’m going to talk about now. When we do that, we often find that there are multiple individuals in our customer relationship management system or in the customer data that we have. I remember doing a few audits like this, but one in particular where we were looking at fees and charges and because we needed to know what the data looked like, and we needed to make sure that we were actually getting it right. We looked at, names of, customers. And we had a range of similarly named customers with similar addresses and similar dates of birth and the differential between, one and the next was very small. what we. Concluded quite correctly. It was that those were actually the same individual. Now the potential risk there then , is that you have multiple customers that you’re dealing with, and this can create several opportunities to provide value as an audit function. The first is if you have more than one customer with different addresses and the same date of birth, you are potentially sending to them multiple letters to multiple different addresses, with different spelt names, which is not really a good look for your organization. if my bank sends me a letter, and my last name is two Eldine right. If somebody sends me a letter with one L for a particular account and two L’s for a different account, they’ve spelled my name incorrectly once. So I have to ask, am I just a number in your system or do you actually know who I am? So there’s an opportunity there. So that’s a customer service, performance, step opportunity. The other is. anti money laundering. where you have multiple accounts belonging to the same individual, when you report to regulators, you usually need to report on deposits above a certain value. Now that doesn’t mean that you report on deposits above that value on an individual account that the person owns. So, as an example, For my one deposit account. If I had $10,000 coming in and for another one, I had another $10,000 coming in. Those individually wouldn’t be flagged as issues because they are two different people, but they actually do the same people. So depending on the money laundering laws that you have in your country in Australia, it’s $10,000. So that could have been flagged, but assuming it was 9,000 to each account. So I’m actually getting $18,000 into my two accounts. That really should be reported to the regulator because I’m one individual, but because you see me as too, you don’t, so that’s a conformance thing. there’s lots of opportunities for tangential information that can be identified and that won’t necessarily be directly related to the project or the audit that you’re doing. These are the sorts of examples that you have, where the information that you’re looking at bottom up. Could identify other risks and opportunities equally.

Conor:

That example speaks to a couple of things in my mind. The overall issue seems to be the opportunity to improve the quality of the data that’s held by the business, which then can obviously lead to them achieving business efficiencies and minimizing risk to the organization. But like you said, that’s a by-product of maybe the internal audit or the performance audit that we’re doing, but it’s a great example.

Yusuf:

There’s another example in the public sector within performance audit. and this is a, theoretical example, if you want to call it that, but extending what we just spoke about there. with the current pandemic and responses to it. one of the key responses has been the provision of government grants. And I know that audit offices are going to be looking at government grants quite closely, over the next little while, because that’s one of the biggest areas of spend, if you are providing grants to different entities and evaluating those grants, what we just spoke about then would be very relevant. Are we providing the same grant to multiple organizations that are effectively the same organization. are different organizations applying under different names, but in reality they’re the same organization. that would then point to the potential for not having identified those organizations as separate that’s directly relevant to that audit. If we see things like that. Then there’s the flow on impact on other entities and other performance orders, but, or even if not other performance audits, other government organizations that may need to know about this information and it would then be our duty to provide that sort of information what the right, protocols in place, et cetera, because government can become quite tricky in terms of how the data is shared, but. That’s our obligation. We have to make sure that we use what we find to identify those other opportunities and then provide the relevant information to the relevant parties.

Conor:

That was the second, sub principle. and specifically there hope we can identify other risks and opportunities and share these . thirdly, and this is, very important issue and that’s continuous improvement.

Yusuf:

We use data and we use, the results of our data. to improve the results of feature audits and our order plan overall and providing, Create a value to the organization, importantly, though, why this is called up as a separate item is that this is about improving audit capability. So the first one was sharing lessons among the team so that, the team can look at other items more broadly or look at whether they can use the data that’s been identified more broadly for future audits, et cetera. The second one was where we’ve identified specific risks and specific opportunities on an audit. This one is along the same lines, but this is what the focus on improving what their capability. So bit softer. what can we do with the process that we’ve taken? The data that we’ve used to improve the capabilities of individuals within our team now? if you think about the core issues that we have and using data for what it, one of the main problems that we have, is the ability to use data for words. not the ability to pick up a tool and run some analytics if you want to call it that. But this is about the mindset that auditors have. thinking about data, thinking about how you can use data, exploring the opportunities to use data, and then actually doing it now. In terms of continuous improvement, then there’s two things that we can do to maximize the benefits of any data that we use. The first is when we share those lessons amongst the team, it’s not just about what we found, but it’s about how we went about determining what we were going to do. And then the specific things we did when we got there. So that continuous improvement then means we can reuse data that’s been used before we can link from one to the other. We can identify gaps in our capability and figure out how we can plug those gaps. But importantly, the two key gaps that we want to plug are. Capability in terms of identifying what to do with data. So the data mindset thinking about data, and then secondly, actually using that data. and this means that we want to, we want to level up, we want to improve the skills of our team, so that our future work becomes easier and provides more value.

Conor:

The key issue here is in trying to elevate people’s data main set or identify gaps in capability that we need to address as a team. should there be a particular person to be a senior person within the team that has responsibility for practically identifying those capability gaps? How do we go about identifying them?

Yusuf:

That look, that’s a difficult one. I think the easiest way to identify a capability gap. Like this is to look at who isn’t using data, who isn’t obtaining value from the use of data? Because if you do it properly, you will inevitably produce value in the work that you do. if you look at, outcomes, so outcomes from audits that maybe senior managers or managers are executing on, if they are not producing or not increasing the level of value they produce, over time, then this potential for. Them either not identifying the right debt to use or not using that data. So that may be a way to determine where that capability gap is? , Is data focused value being produced by the team and then in the reporting of the work that they do, do you see the data coming through as a strong element that , helps to contextualize, et cetera, the reports that are being produced? If you don’t see that, then one of two things are happening. Either the mindset doesn’t exist and mindset is something that you would potentially see largely in various discussions that you have amongst the team, in those continuous improvement sessions that you would hold, in those audit, brainstorming workshops, as a leader, you would automatically, or you should automatically be picking up on mindset. if you don’t have a data mindset yourself as a leader, then. We probably talking about a very different discussion here because that’s going to be very difficult to fix. But if you do see that, if you do see that the individual is, or set of individuals are very keen on the use of data and you can see that they obviously have the right mindset in terms of, how to identify the use of data, then that could then point to an execution problem. And the execution could be either in the way in which the data is being used or data is being accessed or data is being reported.

Conor:

For the data mindset to be embedded requires consistent and regular messaging from audit leaders so that people feel safe and feel supported. And being able to use data in the work, secondly, being able to use it in the right way to obtain the most value. that comes back to some practical questions for audit leaders are all my people using data in their work. If not, why not? What can we do to help you get more value from how you use data? So being cognizant or aware of asking those questions.

Yusuf:

Yep. Absolutely.

Conor:

We covered off three points there. The first one was making sure you share lessons among the team. The second one was identifying other risks and opportunities. And thirdly, continuous improvement. And if you don’t have a data mindset, you need to ask yourself, are you going to get left behind?

Narrator:

If you enjoyed this podcast, please share it with a friend and rate us in your podcast app. For immediate notification of new episodes, you can subscribe at assuranceshow.com. The link is in the show notes.