Building a successful and sustainable data analytics program requires a mix of people, processes and products. At the recent IDEA Innovations Conference in Houston, long-time CaseWare IDEA users Philip Billeaud and Anke Eckardt shared their successes and snags of building a collaborative environment for using data analytics. Here are some thought-provoking questions and responses from their roundtable presentation:
What is a data analytics life cycle?
Planning – Determine how and where you can use data analytics in your organization. While the business side may already be convinced it needs to be used, there are other groups that need to be educated on its benefits including (but not limited to) IT, AP, AR, Operations.
Adopting – Companywide adoption is significantly easier with backing from management – especially when working with various departments to access and acquire data. Top-down support from the audit committee, c-suite, compliance team, security, or end-to-end business owners helps auditors get what they need faster.
Philip Billeaud wins the support of management by showing them how fast IDEA can process large data sets. Auditors are sometimes pulled into projects, and it can be helpful to show upper management a snapshot of why you plan to investigate a splice of the organization. If you can use the data (and analytics) to demonstrate, or justify, the audit, management has a clearer understanding of what you’re working to accomplish.
Embedded – Remining independent is key for internal auditors. The long-term goal is to help business units become self-sufficient in their use of data analytics, which can be done by providing them with scripts to run, which serve as a self-policing mechanism where managers can handle issues as they arise and take more of a proactive approach.
How do you gain access to the data you need?
One of the biggest challenges auditors face is access to data. What do you do when IT says, “Nope, that’s our data!”? Or how do you respond to a data gatekeeper that says, “Why do you need it for? You didn’t ask for that data last time.”
In some cases, providing departments with information they didn’t have before can make them nervous. There might also be concerns about discovering that employees are not following policies or procedures. In one case, maintenance data gathered from SAP showed that employees were not doing their jobs. In such a case, support from the top is critical. To help avoid the, “don’t touch my data,” response, be as transparent as possible. Get people involved in the process and network with them to avoid be excluded from the data acquisition process. The goal is to become a strategic partner within the organization.
Another piece of advice from these experts is: “Don’t trust data you didn’t create yourself.” One way to circumvent this challenge is to explain you are authorized by the company charter to have access to the data. When analyzing data from an acquired company, vendor information may be classified differently. While some companies don’t rationalize data from acquired companies, critical insights may be lost by not incorporating that information into current business processes.
Who “owns” the data and what do you do with it?
While there may be multiple “owners” of the data, it is critical to work all involved parties to get the right data and establish how often audit needs access. You will need to determine whether you want aggregate or detailed data. What fields do you need? How often will you need the data – annually, monthly, weekly? Establishing risk levels will help you decide how often you will need to conduct audits.
It’s important to know what data you need and where it resides. Some examples included:
- Purchasing Cards (p-cards) – Data needs to be updated monthly and may come from different sources including a travel agent, expense reports and employee data
- Fixed Assets – Acquire operational data to look for units with no, low and high fixed assets
- Time Cards – Acquire time records and entry/exit access using employee badge information – compare badge swipe times (in and out of the building) to determine whether hours were worked in accordance with the time records provided
- Vendor with Freight Pay – Match vehicle records against a government registry to check whether the vehicle in use is capable of transporting goods
- FCPA – Match vendors against the OFAC watch list to look for potential fraud
Different locations will have data stored in different systems and formats, which is a perfect opportunity to use IDEA. In some cases, staff will provide data in PDF format, thinking it will be difficult to upload for analysis, but again, this is an opportunity to use the IDEA Report Reader feature.
Some of the more commonly used IDEA features mentioned include:
The Data Discovery automatically detect anomalies and outliers within the data, which is helpful in identifying risk. The presenters also discussed using the record macro feature to track repeatable tasks, and using the Fuzzy Logic feature to compare columns and view percentage variances. The History feature, which records all action taken on a file is helpful in litigation support. Once the data is normalized, the History feature makes it easy to show what work was performed in a clean way. Another useful feature for assessing risk areas is Benford’s Law. It can help reduce the number of false positives and identify “red flags,” which can turn into multi-million-dollar recoveries, or at least show areas for improvement and trends. The keyword search can be used to find high-risk items, such as non-taxable items within payment or p-card data. These features, and others within IDEA, can help eliminate low-risk test areas to ensure field work focuses on relevant exception data.
What are the end goals?
Maturity Framework – Both round table leaders agreed that building the “Maturity Framework,” and working towards using reactive analytics to shape predictive analytics is the goal. Moving from ad-hoc and reactive auditing towards continuous auditing can be done. There are compatible and built-in tools available for IDEA that can enable this transition. The IDEAScript Vault in Passport has several time-saving scripts, such as the multi-file import.
Stay Ahead of Fraud – Another goal is keeping up with the sophistication of fraud. It’s not acceptable to “rest on your laurels.” Your analytic tests must keep the pace of emerging fraud schemes. The best means to accomplish this are:
- Take time to understand and clean the data
- Work to understand the business process and department you’re auditing
- Are you asking the right questions?
- Look at 100% of the data so you’re not missing anything
Above all, maintaining independence is key. Audit should help clients with process improvements, and management must lead the role of monitoring. Management involvement and support is critical to building a successful data analytics program. While there may be decreased efficiency in the beginning as processes are established, everyone stands to benefit, and the effort will be reflected in increased efficiency and ROI. The experts advised to validate data throughout the process. Creating a feedback loop is also critical. Make sure you gather feedback along the way, discuss your plans, and communicate about upcoming audits. Let everyone know where you’re going so there are no surprises.
The benefits of a collaborative environment include improvement of the internal audit department’s reputation, networking among business units towards a common goal and building a foundation for younger employees to follow. Data analytics is growing and changing, and audit is at the forefront.
Special thanks to Anke Eckardt, Area Director, Group Audit (NAM) with Lehigh Hanson/HeidelbergCement and Audit Consultant Philip Billeaud for sharing their valuable insights with fellow IDEA users.