Almost all global organizations utilize digital tools and strategies to make data-driven decisions. Even if data is not your primary business, it is critical to how your organization assesses strategy, measures performance, and pursues a competitive edge. The proliferation of data means a wealth of information is available to inform nearly every strategic decision. The challenge is that data is no longer contained in a single application or source and won’t be in the future. More organizations are implementing data exchanges through Application Programming Interfaces (APIs) with on-premise applications, cloud solutions and other applications with third parties to create a spiderweb of interconnections. Additionally, organizations are trying to consolidate data by creating data lakes, which essentially create a digital ecosystem.
With all this data sharing, wrangling and analysis, you might think that Internal Audit would be in on the action. After all, access to enterprise-wide data, especially updates to risk scores, control ratings and organizational findings, would be incredibly valuable to ensuring real-time assurance coverage. Yet, only 15 percent of global internal audit teams responding to the Touchstone Research for Internal Audit report state that they take advantage of APIs. This creates an exposure to the business because internal audit teams are not, or at least not efficiently, assessing all available information to inform their risk analysis.
Relying on closed systems means that even when internal audit teams do get data from other sources, they must manually update their risk assessments, audit plans, audit files, issue tracking and management information reporting. And, quite honestly, who has time for that? Of the 76 percent of survey respondents who indicated that they do perform this manual update/input, 21 percent do so monthly, 17 percent perform it quarterly, and 19 percent annually. The more frequent the updates are performed, the lower the risk—but it does take time away from other high-value activities. The less frequently, the greater the exposure for an organization. The answer is not in striking some mythical “right balance” through labor-intensive work. Instead, it is to automate these processes and free up audit resources to do what they do best.
When asked why internal audit teams do not take advantage of exchanging data with other corporate systems, it’s obvious that many teams do not think APIs could be used to ensure updated information is available as it occurs OR that teams are still thinking in terms of annual cycles rather than agile, real-time evaluation, where attempting this manual update process is simply not scalable.
This is where we see larger internal audit teams excel. In fact, we see automated APIs increase to 32 percent for teams with more than 100 auditors. Larger teams are also much more likely to increase the frequency of this exchange with 16 percent getting daily updates, and eight percent receiving real-time updates as transactions or data changes happen. These teams have moved entirely away from the concept of an annual or quarterly data updates since, once automated, there is no reason to delay the timeliness of their data updates. The results are not only measured in efficiency but for its effectiveness in reducing exposure for organizations.
The second challenge is that many internal audit teams are unsure of what organizational data they could, and should, be taking advantage of and where to get it. In speaking with organizations that have been using data exchanges, the starting point is with data that is easy for Internal Audit to consume. Issues and their current status is where 15 percent of the Touchstone Research respondents indicate they leverage data from other sources.
While Internal Audit may be the largest source of organizational issues, other second line functions also create issues, deficiencies, and findings that should be consolidated (at a minimum) for trending analysis. Having a single source of organizational issues also means that busy first line managers have a single application to use to update their remediation actions. Doing so eases tensions and frustrations for casual users and prevents follow up from reverting back to email and spreadsheets. With a data exchange, systems of origin can be kept updated so that all “need-to-know” parties are aware of the current status for their own reporting.
After internal audit teams get issue tracking hubs set up, they typically move on to include other data exchanges:
- 50 percent automate data for risk scoring
- 47 percent automate updates to organizational structures
- 46 percent automate their risk and control library content updates
- 44 percent automate audit program updates
- 43 percent automate user account information updates
What About APIs for Data Analytics?
Internal Audit charters should grant your team access to organizational data for the purpose of performing your assurance work. However, teams can have their access to data blocked by their IT departments citing security and data protection concerns. Those concerns are valid, especially if you are using scripting tools that could potentially cause harm and your access is ad-hoc. APIs, when set up with input from your IT and data governance teams, can eliminate this concern and provide your team with continuous access to data. This is a mutually beneficial approach.
There is often a misconception that APIs are always two-way or bi-directional data exchanges. APIs can be set up to only pull (or push) data to another application based on a schedule, or when an event or trigger occurs. This means that a pull API can safely take a copy of data that you want to regularly test and store it where your team and tools can access it.
As teams build their data analytics muscle, APIs can be the gateway to continuous audit testing and monitoring for key risk indicators.
How can internal audit teams take part in their organization’s ecosystems?
- The first step is to inventory all current sources of data that your team is manually updating/inputting and determine if the source system has API capabilities. Calculate how much time your staff spends on sourcing, formatting, and uploading or entering that data on a monthly, quarterly and annual basis. Where could those hours be better spent?
- Next, determine if your internal audit solution has an API framework. If it does not and the hours calculated above are significant to your team, invest in one that does.
- Finally, pick an activity where API can benefit your team the most and implement it. Measure the time saved, the value of real-time data access, and the speed in which your team can respond to new data. Then, expand your APIs to other internal audit activities.
Twelve of the 13 operational components in the Touchstone Research Maturity Model benefit from APIs. Where does your team stand?