Connect Support Advance

Whitepaper

Data Analytics
Techniques for
Internal Audit
April 2023

Level 5, 580 George Street, Sydney NSW 2000 | PO Box A2311, Sydney South NSW 1235
T +61 2 9267 9155 F +61 2 9264 9240 E enquiry@iia.org.au www.iia.org.au
© 2023 - The Institute of Internal Auditors - Australia
 Data Analytics Techniques for
Internal Audit
Contents Background
Data analytics should be utilised by all internal audit
Background 2
departments irrespective of the size of the organisation
- Purpose 2 and the internal audit team. The extent to which data
- Background 2 analytics is used depends on several factors, including:

- Issue 2 › Buy-in for data analytics from the audit committee,

chief audit executive and senior internal audit staff.
- History 2
Discussion 3 › Number of internal audit staff with data analytics skills.

Standard Data Analytics Techniques 3 › Capacity of internal audit staff with data analytics
skills.
Emerging Data Analytics Techniques 4
› Availability of trusted data sources across the
Summary 4
organisation.
- Conclusion 4
› Breadth of data analytics techniques at the disposal
Bibliography and References 5 of internal audit.
Purpose of White Papers 5
Issue
Author’s Biography 5
Data analytics is typically one of the top skills in demand
About the Institute of Internal Auditors–Australia 5 for internal audit teams. However there often barriers that
Copyright 6 either prevent or limit the use of data analytics including:
Disclaimer 6 › Lack of buy-in – Data analytics is not prioritised due
to lack of awareness about benefits and possibilities.
Introduction Preference for standard audit techniques.
Purpose › Inadequate capacity – Appetite for data analytics
Data analytics are used to test controls and validate exists, however there are either no data analytics staff
that business risks are managed. This would generally within internal audit, or the demand for data analytics
occur at a point-in-time when an assurance activity is exceeds the capacity of existing data analytics staff.
scheduled. Rather than test a number of transactions, › Data is difficult to handle – Data cannot easily be
the entire population of transactions can be reviewed for analysed as it is too poor in quality, too large in
greater coverage. Data analytics includes automated tools volume, not fit-for-purpose, or not easy to join data
such as generalised audit software, test data generators, across multiple data sources.
computerised audit programs, specialised audit utilities
and computer-assisted audit techniques (CAATs). › Guidance required on techniques and data sources
– Internal audit teams require further guidance on
Data analytics has proven to be an effective internal
different data analytics techniques and how different
audit technique as it provides a deeper level of assurance
compared to traditional sampling approaches through the types of data can be analysed.
ability to test full data populations. Audit efficiency is also This White Paper focuses on the last point above to
improved as it is more time consuming to manually assess demonstrate the range of data analytics techniques that
risks and controls when there are sufficient data points for can be used in internal audits, including standard and
data analytics. emerging data analytics techniques.
As organisations are becoming more digitized, there are
History
higher volumes of structured data (for example data in
spreadsheets, databases and data warehouses) and Data analytics has been used on internal audits for at
unstructured data (for example data in Word documents, least the past 20 years with Microsoft Excel spreadsheets
PDFs and emails) that can be analysed effectively through being the mainstay data analytics tool throughout this
data analytics. time. Initially, audit-focused data analytics tools such as
ACL and IDEA were used widely by internal audit. Around
10 years ago due to the proliferation of databases and
data warehouses, relational database tools like Microsoft
SQL Server and other data analysis tools like SAS were
adopted.

© 2023 - The Institute of Internal Auditors - Australia 2

 Data Analytics Techniques for
Internal Audit
With the rise of data science over the past few years, tools Data can be taken from each of the three systems to
like Python and R are now being used in addition to low or check for the accuracy and completeness of data flows.
no-code tools like Alteryx and Dataiku. Data visualization Initially data from system A is checked against system
has also emerged over the past few years with tools such B for any anomalies and then a similar check is done
as Tableau and PowerBI dominating the market. Instead between systems B and C. Depending on the nature of
of a single tool, multiple tools or toolkits are often used data manipulation and calculations done in system B, it
depending on the data analytics skills across internal might be sufficient to check the data in system A against
audit, the variety of data sources available and the system C to gain comfort on the end-to-end data flow
complexity of data analytics techniques being deployed. across the three systems. This is a more efficient approach
than performing two checks between system A and B and
Discussion also system B and C.
Standard Data Analytics Techniques Accuracy and completeness of reporting
Integrity of systems or processes All types of reporting that are data-driven including
Data analytics can be used to independently verify that exception reports, management reports for decision-
systems and processes are working as intended, primarily making and regulatory reports can be independently
using structured data sources as the input. This includes assessed using data analytics. If the reporting is not
whether business rules and calculations are correct. The accurate, incorrect management decisions could be made
high level steps include: which can impact the organisation reputation or attract
increased scrutiny from regulators.
› Independently extract data from relevant system
(for example through access to the system or by Using this approach, a sufficient sample of recent reports
extracting data from a data warehouse or big data should be tested against documentation outlining the
platform), or through a data request to the system data sources used for the report, filters applied to the data,
owner or IT support team for an agreed period of time and any data transformations or calculations. After the
such as data for the past 6 months or 1 year. business rules have been validated, source data for the
report is processed with the business rules independently
› Obtain business rules and calculations from an implemented through data analytics. Data analytics
authoritative source such as a framework, policy or outputs are compared with the report outputs to assess
procedure document or some other system document. accuracy and completeness.
› Implement the rules and calculations using a data
Data quality profiling
analysis tool and output results to Excel or some other
format such as a data visualization or dashboard. Data used for important business processes needs to
be high data quality so it can be relied upon. Examples
› Compare independently generated results to
of important data includes data used for management
the system or process outputs and validate any
decision-making, data exposed to customers or other
exceptions with the business.
third parties, and data sent to external parties including
Integrity of data flows regulators.

Many end-to-end business processes involve data There are many different ways to test data quality
flowing across multiple systems that are often managed depending on the field type. Some examples include:
by different teams across the organization. As a simple › Is the field 100% populated or are there missing
example, we will take a business process comprised of the values?
following data flows: › If the field is categorical (it needs to be one of several
› Data is generated by system A. pre-defined values), are there values that are not
expected?
› Data then passes to system B for further manipulation
and processing. › If the field is numerical, are there values outside the
expected range? For example are there negative
› Data ends at system C for reporting or decision- values when all values should be positive or any
making. values that are too low or too high?
› If the field is a date, are there default dates that are
impractical? For example dates like 01/01/1900 or
dates in the future.

© 2023 - The Institute of Internal Auditors - Australia 3

 Data Analytics Techniques for
Internal Audit
Emerging Data Analytics Techniques Independent use of machine learning can assess the
effectiveness and accuracy of the system or process. Note
Continuous monitoring dashboard that extra time is required to validate machine learning
A dashboard can be developed where there is a outputs to ensure the results are reasonable. Another
heightened area of risk that warrants continuous consideration is how explainable the outputs are when
monitoring on a regular basis. This allows dynamic traced from the input data. This depends on what types of
changes to the internal audit plan if there are significant algorithms were used.
changes to the risk environment, or it can be used Natural language processing
to facilitate ongoing discussions with management
responsible for that risk area. Natural language processing (NLP) is a powerful technique
when analysing unstructured or free-text information.
A data visualization tool is required to create the Useful types of analysis for internal audit include:
dashboard with data feeds coming in from one or more
data sources. › Sentiment analysis – This technique determines if
the sentiment of a document or free-text comment
Some key considerations before investing the time and / description is positive, negative or neutral by
effort to create a continuous monitoring dashboard analysing the types of words in the text and the
include: frequency of these word types.
› Does Line 1 or Line 2 already have a relevant › Topic analysis – This approach identifies the topics
dashboard? If so, determine whether this dashboard within a collection of documents or free-text fields
can be relied upon and whether it has the required such as comment or description fields. Powerful
insights. insights can be gained using topic analysis to
› Is it possible to automate or mostly automate the automatically identify trending topics from large
dashboard? If the required data can be sourced from volumes of unstructured text.
a data warehouse or big data platform, then it will be
easier to automate. Summary
› Are there any imminent changes to the data sources? Internal audit teams are increasingly using data analytics
If so, it might be better to develop the dashboard after as they provide an effective audit technique enabling
the changes have been made to avoid duplication of deeper audit insights and assurance. Increased digitization
effort. of processes and controls have resulted in higher volumes
of structured and unstructured data that can be analysed
Machine learning using data analytics than ever before. Control gaps or
weaknesses relating to systems, processes and reporting
The main advantage of machine learning is the ability are unlikely be detected without the use of data analytics.
for algorithms to discover patterns in data that are not
easily observable by humans. Machine learning is a more Data analytics competence is one of the top in-demand
powerful technique when there are large volumes of data skills sought by chief audit executives and audit
to analyse and there are many columns of data (called committees for their internal audit teams due to the
features in machine learning terminology) to learn from. powerful insights analytics can provide. Also, there is high
demand for data analytics skills from internal auditors to
Two broad categories of machine learning are supervised future-proof their skills and empower them with enhanced
and unsupervised machine learning. With supervised digital capabilities.
machine learning, one of the features (called the target
variable) is labelled. Examples of labelling include a true / Conclusion
false outcome or a classification outcome. The algorithms There are a wide variety of data analytics techniques that
predict an outcome based on determining relationships can be deployed on audits depending on the nature of
between the input data features. For unsupervised processes, risks and controls that are in scope. Often, a
mixture of data analytics techniques are required within a
machine learning, the algorithms are not trained, hence
single audit. Different data analytics tools can be used to
they analyse and cluster unlabeled data. implement standard data analytics techniques, while more
For example, internal audit could use machine learning specialised data analytics skills and tools are required for
to test either a rules-based or machine learning-based teams using emerging data analytics techniques.
system or process that gives a true / false (for example ‘is
a transaction fraudulent?’) or classification (for example
‘what is the category of a transaction?’) outcome.

© 2023 - The Institute of Internal Auditors - Australia 4

 Data Analytics Techniques for
Internal Audit
Bibliography and References engineering projects at BAE Systems.

The Institute of Internal Auditors - Australia, 2020. This White Paper edited by:
Factsheet: Data Analytics and Continuous Control Michael Parkinson BSc (Hons), Grad Dip Computing,
Monitoring. [Online] PFIIA, CIA, CISA, CRMA, CRISC
Available at: https://iia.org.au/sf_docs/default-source/
technical-resources/2018-fact-sheets/factsheet-data- About the Institute of Internal Auditors–
analytics-and-continuous-control-monitoring.pdf Australia
The Institute of Internal Auditors, Inc, 2011. Global The Institute of Internal Auditors (IIA) is the global
Technology Audit Guide: Data Analysis Technologies.
professional association for Internal Auditors, with global
[Online]
Available at: https://www.theiia.org/en/content/guidance/ headquarters in the USA and affiliated Institutes and
recommended/supplemental/gtags/gtag-data-analysis- Chapters throughout the world including Australia.
technologies/
As the chief advocate of the Internal Audit profession,
The Institute of Internal Auditors, Inc, 2015. Global the IIA serves as the profession’s international standard-
Technology Audit Guide: Continuous Auditing: setter, sole provider of globally accepted internal auditing
Coordinating Continuous Auditing and Monitoring to
certifications, and principal researcher and educator.
Provide Continuous Assurance. [Online]
Available at: https://www.theiia.org/en/content/guidance/ The IIA sets the bar for Internal Audit integrity and
recommended/supplemental/gtags/gtag-continuous- professionalism around the world with its ‘International
auditing/ Professional Practices Framework’ (IPPF), a collection of
Purpose of White Papers guidance that includes the ‘International Standards for the
Professional Practice of Internal Auditing’ and the ‘Code of
A White Paper is a report authored and peer reviewed Ethics’.
by experienced practitioners to provide guidance on a
particular subject related to governance, risk management The IIA-Australia ensures its members and the profession
or control. It seeks to inform readers about an issue and are well-represented with decision-makers and influencers,
present ideas and options on how it might be managed. It and is extensively represented on a number of global
does not necessarily represent the position or philosophy committees and prominent working groups in Australia and
of the Institute of Internal Auditors-Global and the Institute internationally.
of Internal Auditors–Australia.
The IIA was established in 1941 and now has more than
Author’s Biography 200,000 members from 190 countries with hundreds of
This White Paper written by: local area Chapters. Generally, members work in internal
auditing, risk management, governance, internal control,
Tariq Islam PMIIA, BEng(First Class Honours),
BMaths&ComputerScience, DCAM information technology audit, education, and security.
Tariq has 17 years of experience across financial services,
professional services and defence, including 10 years of
internal audit experience at CBA, Westpac and PwC. In
2023, Tariq founded RapidLynx Consulting to provide data
analytics and data management consulting services to
organizations in the Asia Pacific.
Prior to starting RapidLynx Consulting, Tariq held
Executive Manager Analytics roles in internal audit at
CBA and Westpac where he led teams delivering data
analytics work across multiple audit teams. Across CBA
and Westpac, Tariq led data analytics work on over
100 internal audits using traditional and emerging data
analytics techniques to consistently identify material
issues across all major business units and risk classes.
Before moving to banking, Tariq spent more than a decade
working in risk and fraud analytics at PwC and defence

© 2023 - The Institute of Internal Auditors - Australia 5

 Data Analytics Techniques for
Internal Audit
Copyright
This White Paper contains a variety of copyright material.
Some of this is the intellectual property of the author, some
is owned by the Institute of Internal Auditors-Global or the
Institute of Internal Auditors-Australia. Some material is
owned by others which is shown through attribution and
referencing. Some material is in the public domain. Except
for material, which is unambiguously and unarguably in
the public domain, only material owned by the Institute
of Internal Auditors-Global and the Institute of Internal
Auditors-Australia, and so indicated, may be copied,
provided that textual and graphical content are not
altered, and the source is acknowledged. The Institute of
Internal Auditors-Australia reserves the right to revoke that
permission at any time. Permission is not given for any
commercial use or sale of the material.

Disclaimer
Whilst the Institute of Internal Auditors-Australia has
attempted to ensure the information in this White Paper
is as accurate as possible, the information is for personal
and educational use only, and is provided in good faith
without any express or implied warranty. There is no
guarantee given to the accuracy or currency of information
contained in this White Paper. The Institute of Internal
Auditors-Australia does not accept responsibility for any
loss or damage occasioned by use of the information
contained in this White Paper.

© 2023 - The Institute of Internal Auditors - Australia 6