6 Simple Steps to a More Effective Internal Audit

For internal auditors today, the pressure is on. The demand to add more value while dedicating less time to each audit is growing, making it more essential than ever for auditors to maximize the resources available to them. To conduct an audit that is both time-efficient and valuable, auditors must be able to dig deep into the data they are presented to reveal insights, risks and potential fraud in their organizations.

To rise to this challenge, there are six key steps auditors must take to perform an effective internal audit that will reflect their value to the business:

1. Ensure that the foundation of your audit does not have any ‘cracks’

2. Determine the level of risk in decisions relying on information systems

3. Prepare a response that finalizes a strategy to address gaps4. Ensure that the resources available are adequate5. Finalize a model for conducting data analysis activities 6. Monitor and improve activities to ensure that desired outcomes

are reached

w w w . c a s e w a r e a n a l y t i c s . c o m3

Creating an auditing function is similar to constructing the framework for a new building. There are no simple guarantees: bigger is not always better and smaller is not automatically more efficient. No matter the size of the function, certain components are necessary:

A Strong FoundationAuditing functions do not just appear—they are built on top of strong foundations that have the right combination of critical elements cemented by an iterative building process that consists of:

• Strong and effective senior-level leadership• Regular and appropriate communications with

senior management• Activities that demonstrate adherence to

professional standards• A well-balanced, competent and skilled staff• A broad and comprehensive audit entity universe• Audit results from properly prioritized planning

activities

A Broad Scope of AuthorityAccording to the International Standards for the Professional Practice of Internal Auditing (the Standards), internal auditing should regularly evaluate risk exposures in:

• Governance (management’s policies and procedures)

• Reliability and integrity of financial and operational information

• Effectiveness and efficiency of operations

Ensure that the foundation of your audit does not have any ‘cracks’01

• Safeguarding of assets• Compliance with laws, regulations and contracts

Indicators of SuccessIndicators that progress is being made include:

• Higher marks in customer satisfaction responses• Success in attracting new auditors (as many like to

work where technology is being used to improve effectiveness and efficiency)

• Staff confidence levels increase• Turnover drops significantly• Staff shows interest in investigating different audit

approaches, techniques and tools• A strong ability to independently acquire and

analyze company data to either corroborate or detect failures in reliability and integrity of information

When auditing functions are built on a solid foundation, they are able to successfully complete their audits while also reaping the maximum benefits of effective auditing gained by using data analysis.

w w w . c a s e w a r e a n a l y t i c s . c o m4

Determine the level of risk in decisions relying on information systems02

Risk assessments need to be conducted at least annually in order to develop a flexible audit plan for the year. The audit plan then focuses on areas determined by an appropriate risk-based methodology, and takes into consideration any concerns management has regarding risks or controls.

To specifically assess risks associated with operational and financial information, auditors must gather and maintain information that includes:

• The types of systems used by the organization • Who owns these systems• An understanding of how much the organization relies

on the information from these systems

If internal audit is completing these activities for the first time, the task can be daunting; however, updates going forward are much easier.

Activities that need to be completed and updated annually are:

Risk-based MethodologyEstablish an appropriate risk-based methodology that will help ensure that audit priorities are set based on the probability of occurrence and potential impact. Risk-based methodologies can be developed, borrowed from another organization or bought. For those with an automated audit assistant or workpaper system, a risk assessment methodology may be an included function.

Business Information SystemsCreate an inventory of all current and future business information systems with the level of detail captured for each complementing the assessment process. Discussions with the business units that own and maintain each system should reveal if specific issues arise from using these systems.

Data Life CyclesDocument the data life cycle for each system. Include the source of data and how it is collected; where and how data is stored and backed-up; what key business decisions are made using the data; and how the data is distributed, including retention and destruction. Be alert to any issues around segregation of duties.

System Permission LevelsFor each system, document the permission levels granted to specific employees or groups of employees, and details on how permissions are granted and changed over time. This is an excellent area in which to implement data analysis scripts to continuously read current data and produce a matrix of users by permission level, time of day or day of the week for specific systems.

After completing these activities, the auditing function may identify opportunities for improvement, in which case formal discussions should be held with management to agree on identified concerns and appropriate corrective actions.

w w w . c a s e w a r e a n a l y t i c s . c o m5

At minimum, internal audit is responsible for uncovering significant errors, irregularities or non-compliance while also being alert for indicators of fraud. Using and applying data analysis can help fulfill these duties and identify if data used by the organization to conduct business is unreliable. If this is the case, management could be making bad decisions or taking actions that don’t make operations more efficient and effective.

If the risk assessment discussed in Step 2 uncovers significant gaps in management’s monitoring activities, the auditing response may be more proactive. The response level will likely be different for each data table, as follows:

Extensive or Moderate AssuranceIf the risk assessment indicates that controls are inadequate or non-existent, then more in-depth assurance work is warranted depending on the frequency and/or impact of the problems. The auditing team must engage with the system owner(s) to agree upon a course of action. Data analysis activities should be conducted frequently to search for errors and irregularities, and the operating units can use the tests to help improve controls.

Minimal AssuranceThe risk assessment may reveal that minimal or no gaps exist and/or an independent area is actively monitoring information integrity and reliability. If so, auditing will need to verify this is the case by conducting sufficient work to rule out significant errors or indicators of fraud.

ConsultingSome organizations benefit more when the audit team acts in a consulting role and participates more in helping management assess the risks of new strategic initiatives, perform due diligence and complete other projects.

Depending on the response, the chief auditor should revisit the role of internal audit as stated in the Internal Audit Charter and recommend changes where necessary. Discussions with senior management, external audit and the board audit committee will likely need to be held if any changes are expected. The chief auditor should also ensure that the organization knows internal audit’s role in all critical areas, including data analysis and data mining initiatives.

Within internal audit, the opportunity for better auditing tools and skills intersects with the need to expand data analysis and data mining coverage. These competencies can improve and move beyond simply complying with the Standards. Using data analysis or data mining tools presents internal audit with the chance to achieve better audit results while also reducing audit cycle times.

Prepare a response that finalizes a strategy to address gaps03

w w w . c a s e w a r e a n a l y t i c s . c o m6

The chief auditor should ensure that auditing resources are appropriate, sufficient and deployed effectively in order to achieve the approved plan; this includes communicating the impact of resource limitations (see IIA Standards 2020 and 2030), which can become barriers to success. Resolving any resource issues before the annual audit plan is approved will increase the chance that data analysis processes will be rolled out successfully. Areas to consider are:

Obtain Corporate DataIf there are problems acquiring data, the audit plan will not be completed successfully. It’s important to proactively avoid these types of roadblocks by becoming familiar with the organization’s policy on permissions and privileges for data access (and if one does not exist, find out why).

Staff InvolvementWill data analysis activities be assigned to IT auditors, financial auditors or the full staff? Keep in mind that chief auditors usually don’t start out with a goal of 100% competency; most functions begin with a relatively small goal and each year, as successes increase and skills improve, more staff are added to the role.

Assess Skills and CompetenciesAuditors with data analysis experience can act as a catalyst to assist others. Other training sources can come from within the organization or from on- or offsite training with an external provider. New staff with existing data analysis skills can also be hired.

Acquire Effective and Efficient ToolsLook for tools that auditing may already have but that are only used by a few. Although using general office tools is common because they are readily available—such as Microsoft Excel, for example—these tools are easily overwhelmed by simple auditing techniques such as acquiring, merging, sorting and sampling data.

Current advanced data analysis tools like CaseWare IDEA successfully integrate auditing needs and requirements, allowing staff to be both effective and efficient—and all with minimal training. If new or additional tools are needed, purchase software known for its ease of use and access to reliable technical and customer support.

Resource needs should include the purchase of software purchase plus initial training if needed.

Defining audit resources such as tools, talent and a budget to acquire and maintain the level of appropriate activities will help the function become more effective. Skillsets to acquire on the audit team or develop that complement the use of data analysis tools include critical thinking skills and an understanding of information systems and relational databases.

Ensure that the resources available are adequate04

w w w . c a s e w a r e a n a l y t i c s . c o m7

Establishing a model to guide change can help staff get started and minimize false starts. Performing test runs on real data helps establish the most appropriate model for staff to follow. Areas to cover are:

Data Acquisition and ImportationEmployees must know how to obtain data and the required data elements (or fields). In some organizations, IT staff will require a properly completed and approved service request. Organizations with large ERP systems may provide report writers that—with permission—allow auditors to access data directly. Organizations with legacy systems can often provide standard reports electronically as a ‘print report’, which can be imported into the data analysis tool easily for verification and analysis.

ValidationData should be tested for completeness and accuracy. The data should agree with a specific company report, financial results or statements, or with a comparison to the same period from the previous year or current year’s budget. Before proceeding, any variances should be resolved.

AnalysisAnalysis comprises a broad range of activities, including merging and joining data files, sampling or extracting specific records, and sorting or looking for timing, gaps and irregular data patterns. The analysis then becomes the support for conclusions.

SupervisionThe Standards require that work is supervised both adequately and appropriately. Directions should be created indicating how these activities will be completed and by whom. Some workpapers facilitate activities and functions related to supervisory review.

DocumentationTo support audit conclusions, excellent audit trails and histories of analysis activities must be maintained. The client needs to rest assured that the auditing work did not introduce data integrity or reliability issues into the workpapers. Any audit-specific data analysis tools used by auditors should include an automated history log.

Sharing ExperiencesSome auditing functions hold a closing conference on data analysis activities shortly after the final audit report is issued. This sharing of experiences benefits both auditors and management: having open discussion on what did or did not work strengthens monitoring activities and future auditing work.

Establishing a model helps keep the auditing function organized. If the auditing team’s instincts have been raised, reasonable additional tests could be conducted that may reveal previously undetected issues, such as data failures and fraud.

Finalize a model for conducting data analysis activities 05

w w w . c a s e w a r e a n a l y t i c s . c o m8

Auditing team leaders must monitor activities periodically to ensure maximum benefits are gained. This is especially important if new audit tools and methodologies have been introduced. Periodic monitoring also provides the opportunity for leaders to vocalize their support for the audit function’s work and accomplishments.

Key areas to focus on include:

PerformanceGoals related to effectiveness and efficiency should be clearly identified, communicated and monitored. As a rule of thumb, audit work should strive to always be less costly, faster and better. Controls should be implemented to identify where opportunities were overlooked or performance did not meet expectations.

Continuous ImprovementStaff should always be looking for new and better ways to conduct activities and audit work. Building on knowledge of the company and industry as well as the tools and techniques used by other auditors is very important. Additionally, new ideas may be discovered by attending user group and professional association meetings.

TrackingInternal audit should develop a process for formally cataloging analysis and test results. This library is really an asset of internal audit and can be used to drive improvements and demonstrate successes.

Analysis of ExperiencesWhen indicators suggest changes are required, fine-tuning of performance expectations, benchmarks and progress indicators may be necessary. A good source for new ideas may be obtained by attending user group and professional association meetings.

Spread the WordAuditing should use its successes as a form of promotion. This demonstrates pride in auditing successes and may encourage other departments to look to auditing for assistance with data problems. In addition, helping management achieve company goals can facilitate better audits down the road.

While monitoring helps the audit function and staff stay on track, it also begins an iterative process that builds success for the department—and the organization as a whole. Staff see their efforts receive attention and appreciation, which increases pride and morale throughout the audit department.

Monitor and improve activities to reach desired outcomes06

w w w . c a s e w a r e a n a l y t i c s . c o m9

ConclusionThese six steps are the keys to helping your audit function become a more effective and valuable resource for control and operational efficiency issues in your organization. In following these steps, auditors come to be seen as strategic partners in helping the organization achieve its goals.

Adding even more value for the organization, data analysis tools and techniques are transferable to business units, enabling them to self-assess and improve controls. As audit continues to move to more consultative roles, this will benefit the entire organization by demonstrating that it is committed to operating efficiently and responsibly.

When audit departments function in a way that leads personnel to be assured that their financial and operational data is reliable for good decision making and trustworthy financial reporting, truly effective internal auditing has been accomplished.

Unlock the Power Within Your DataCaseWare IDEA is a division of CaseWare International and is home to IDEA®—a powerful and innovative data analysis solution that empowers auditors, accountants and finance professionals to combine data from disparate sources to create meaningful insights that help assess risk, gather audit evidence, uncover trends, identify potential issues and provide the intelligence needed to make informed decisions and improve business processes. With 40 distribution offices worldwide, CaseWare IDEA serves more than 400,000 professionals in 90 countries. To learn more visit idea.caseware.com.