Integrating Data Analytics Into a Risk-Based IT Audit

Seren Dagdeviren

Although most would agree that internal audit is an assurance function, I like to think of internal auditors as value-added trusted advisors. A given mandate will provide assurance on processes that are functioning appropriately; however, the real value is in identifying areas of improvement that add tangible value back to the organisation. Data analytics has long been my tool of choice to help accomplish this value in an effective and efficient manner.

At ISACA’s 2015 North America Computer Audit, Control and Security (CACS) conference, I will be presenting alongside Bob Cuthbertson, COO of CaseWare IDEA Inc., on successful integration of data analytics within a risk-based IT audit universe. In a prelude to our session, I would like to provide examples from my own work in the past that I will be adding to, along with others, during the session on 16 March in Orlando, Florida.

Getting Started—Scoping the Audit Engagement

Understanding the business is the first and most crucial step in the audit process. It is what determines the amount of value you can potentially provide to key stakeholders. As shown in scenario 1 below, data analytics can be used before the audit begins as a status indicator of the risks facing an organization. With this information, internal audit is also able to improve audit effectiveness, with the ultimate goal of providing value to the organisation.

Scenario 1: Driving the Audit Scope

Areas of Risk Identified:

  • Change Management
  • Project Management

Challenge:  Time limitations allowed only one area of focus for the audit year.
Solution:  High-level analytics of change logs and project management databases uncovered significant internal development projects.
Results:  The System Development Life Cycle (SDLC) process was therefore identified as an area of immediate value to the organization.

Homing in on Insights Gained (Audit Execution)

Using data analytics in the planning phase saves time and resources by developing a greater understanding of where the risk hotspots are. As outlined in scenario 2 below, utilizing 100 percent of the available data enables internal audit to truly focus and identify anomalies within areas that have been identified as high risk.

Scenario 2: Testing Compliance

Mandate:  Operational efficiency—IT help desk tickets

Challenge:  More than 140,000 tickets were opened and closed during the year.

Solution:  Use data analytics to identify trends to ensure the IT department meets the service level requirements—as delineated in the service level agreement (SLA).

Steps:

  1. Obtain an extract from the ticket management system (Footprints). Confirm data completeness by reconciling the record count shown on screen (from the system) with the CSV dump.
  2. Execute a trend analysis based on tickets closed by employee, criticality and category type, and the amount of time from “Ticket Open date” to “Ticket Close date.”
  3. Confirm compliance to SLA.

Results:  The analytics showed that the IT group was in compliance with the agreed-upon SLA. Encouragingly, management was very interested in our data analysis, which led to the development of a dashboard for both operational efficiency (which was performed manually at the time by the director) and employee performance. The employee performance KPIs were then linked to their respective annual evaluations for a more objective evaluation of the core performance of the help desk employee.
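The three steps of scenario 2, sketched in Python as an added example (this is not code from the original engagement). The column names, the SLA targets per criticality and the sample rows are all constructed assumptions, not the Footprints schema or the organisation's actual SLA.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample extract; column names are assumptions, not the Footprints schema.
SAMPLE_CSV = """ticket_id,assignee,criticality,category,opened,closed
1001,alice,High,Network,2014-03-03 09:00,2014-03-03 12:30
1002,bob,Low,Hardware,2014-03-03 10:15,2014-03-05 16:00
1003,alice,High,Email,2014-03-04 08:00,2014-03-04 13:45
1004,carol,Medium,Software,2014-03-04 11:00,2014-03-05 10:00
1005,bob,Medium,Software,2014-03-05 14:00,2014-03-06 11:00
1006,carol,Low,Hardware,2014-03-06 09:30,
"""

# Hypothetical SLA targets per criticality (assumed for illustration).
SLA = {"High": timedelta(hours=4), "Medium": timedelta(hours=24), "Low": timedelta(hours=72)}
FMT = "%Y-%m-%d %H:%M"

def load_extract(text, expected_count):
    """Step 1: parse the CSV and reconcile its row count with the on-screen count."""
    rows = list(csv.DictReader(io.StringIO(text)))
    if len(rows) != expected_count:
        raise ValueError(f"completeness check failed: {len(rows)} rows, expected {expected_count}")
    return rows

def analyse(rows):
    """Steps 2-3: open-to-close time per ticket, grouped, then tested against the SLA."""
    by_group = defaultdict(list)
    breaches, exceptions = [], []
    for r in rows:
        # Unclosed tickets and unknown criticalities go to follow-up, not into the averages.
        if not r["closed"] or r["criticality"] not in SLA:
            exceptions.append(r["ticket_id"])
            continue
        elapsed = datetime.strptime(r["closed"], FMT) - datetime.strptime(r["opened"], FMT)
        if elapsed < timedelta(0):  # closed before opened: data-quality exception
            exceptions.append(r["ticket_id"])
            continue
        by_group[(r["assignee"], r["criticality"])].append(elapsed)
        if elapsed > SLA[r["criticality"]]:
            breaches.append(r["ticket_id"])
    tested = sum(len(v) for v in by_group.values())
    return {
        "averages": {k: sum(v, timedelta()) / len(v) for k, v in by_group.items()},
        "breaches": breaches,
        "exceptions": exceptions,
        "compliance_rate": (tested - len(breaches)) / tested if tested else None,
    }
```

Because every ticket is tested rather than a sample, the exceptions list (open tickets, bad dates, unmapped criticalities) is itself an audit artefact worth reviewing alongside the breaches.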

Reporting Results

The insights found during the audit execution are what allow you to create a report that will provide value to the organization. They are the first step to providing a tangible root cause analysis and shedding light on the compliance and governance failures that matter most to companies.

The reporting phase is crucial when it comes to providing the added value for which we strive. If you have performed your audit effectively, the report will only include validated control deficiencies. The use of data analytics throughout the audit process should allow time to report on exact findings, highlight root causes and provide tangible recommendations. Furthermore, data analytics, namely data visualisation, can be used to convey large amounts of data and information in one image. I always remind myself that information is what the other party receives and not what I say. Therefore, the use of data visualisation to ensure the identified efficiencies make it across to the reader is yet another way in which data analytics helps me become the value-added trusted advisor I strive to be.

Conclusion

We have been using data analytics and attaining value by operating in a systematic and structured manner. We maximize our investment through these efficiencies and are able to provide stakeholders with the answers to questions before they even have them. This can and will continue to increase our value as internal auditors and trusted advisors to the business. During the session at North America CACS in March, I will be expanding on the processes behind these scenarios along with more examples using analytics tactics and visualisation methods. I hope to see you there!

Seren Dagdeviren, CPA, CIA
Manager, Internal Audit, Ivanhoé Cambridge
Montreal, QC, Canada

Seren Dagdeviren will present “Building Momentum” at 2015 North America CACS in Orlando, Florida, USA, 16-18 March 2015. For information and to register, visit www.isaca.org/northamericacacs2015.
