Data literacy is an emerging skill in Internal Audit. It is the ability to read, understand, create and communicate data as information. What that really means is that as internal auditors, we need to think in terms of data and its flow through our organizations rather than only thinking in terms of processes, risks and controls. Data literacy is one level deeper than how we traditionally look at our organization and plan our work.
If your organization has a Chief Data Officer (CDO), it has likely already transitioned to a data-driven culture. For those internal auditors that want to stay aligned with and provide value to your organization, you need to shift your audit approach to a data-driven perspective.
Being data literate does not mean you have to rush off and get that data science degree you’ve been putting off, nor do your next three new hires have to be data scientists (although hiring at least one might not hurt). In fact, according to the Touchstone Insights for Internal Audit, 58 percent of teams are in the beginning stages of their data analytics programs, where most team members do not have extensive skills. If you are in that 58 percent, here are six steps that can help your team transition to a data-driven approach.
6 Steps to Transition to a Data-Driven Approach
- Make a List. Create an inventory of your data systems and applications. List them all, even those pesky spreadsheets that inevitably become a decision-making tool or an input to a data flow. Capture the high-level information, such as the application age, data process maturity, years to replace, and criticality of the data to the overall business. Think of this inventory as a structure where large applications may contain several different data types’ workflows. Each major workflow should be a sub-system, so create this inventory as a tree structure where you can eventually roll up details to understand the impact of a specific application. For example, if you use Salesforce, are you using it simply for your sales team to manage their activities? Probably not. You likely have several other workflows, such as customer relationship management, marketing engagement, sales quote systems, etc. If you set this inventory up as a dimension in your audit management tool, that will come in handy in a later exercise.
- Go With the Flow. With this inventory in hand, create a flowchart. Make a diagram that walks your data flow through your organization’s systems and applications rather than through your departments and teams. Organizations today do not operate closed systems. Data generated in one system feeds another system or multiple systems. It might split apart, or it might be enhanced. Does it ever flow back to the system of origin? Is the system of origin, or any part of the data flow, handled outside your organization? If so, make sure you capture that, too. In the Touchstone Insights, 47 percent of the respondents reported that they would automate data process testing by 2024. The first step to automating will require a full understanding of your data flow.
- Get Curious. The first two steps were the set up for the interesting part. Identify the sources or types of data that are the highest risk and/or are the most attractive. Client data, financial data, and third-party access points are a good start. How new is that API or connector? Do outside parties access it? Document these risks in your risk assessment.
- Connect the Dots. Create links between your data risks and your inventory of applications, and link those risks back to the business functions responsible. If you look at your organization through this data lens, where are the highest risk areas? Flip back to your standard business process lens. Do you still see them?You should consider flipping between both to ensure your audit plan coverage hits the highlights through multiple lenses.
- Follow the Data. Any auditor can undertake the steps to this point without getting that data science degree. But you should now start working with a data analytics or data science expert if you are not one. With an understanding of your highest risk data areas, work on creating some hypotheses to test. How would you take advantage of the data? How would you know if someone had?
- Test, Measure, Modify. Create data analytics tests if there are clear markers in the data or tracing system access to data across your ecosystem, which is the tell-tale sign. Create RPA bots if you need to scenario watch to see if data is being accessed or altered between systems. Create continuous testing routines if your hypothesis covers high cadence and large volume data transactions. Ensure that IT control design covers your hypothesis scenarios, and ethically hack those APIs to see if you can identify an attempt or prevent an attack.
According to the Touchstone Insights for Internal Audit, 30 percent of the over 1,000 respondents plan to implement process mining, advanced analytics, and RPA bots within the next 24 months. Before any of these technologies can be successfully deployed, teams will need to understand what they intend to audit, create their hypotheses, and determine which tools are most appropriate. Expanding your data literacy skills through these steps is necessary to become part of that 30 percent and achieve success.
Data literacy, like most skills, has a range of abilities. While we have not traditionally thought of our organizations through a data lens, I would encourage you to be curious. Keep in mind that it’s likely that no other function has looked at data the way that auditors do—which adds value in terms of identifying potential areas of risk. Explore the data your organization creates, consumes and produces. Where is there value? What behaviors in your organization does the data reveal? What trends can you see that might change your audit scope and direction? If you do not have the skills to explore your curiously, augment your team with a data explorer. Together you will do great things!