Big data could result in auditors becoming less independent and objective if not managed properly, according to the latest ICAEW report, "Internal audit in the age of data analytics".
Data analytics can provide greater efficiencies and higher levels of assurance for companies, but organizations should consider the potential influence of analytics on the relationship between internal audit and business.
Effective data analytics can transform vast volumes of data into information clusters that can greatly inform the auditor of the risk landscape, elevating performance and increasing the credibility of an internal audit with its stakeholders. As a result, data analytics is increasingly becoming an indispensable element of the internal audit toolset.
However, in making the most of data analytics, internal audit departments face increased risks, such as conflicts in independence, misinterpretation of data, and challenges around data privacy and security. Strong governance frameworks for data analytics are needed, covering four key areas: independence, quality, talent and security.
The influence of analytics on the relationship between audit and business
The report cautions that the use of data analytics must preserve the internal auditor’s independence and objectivity. To do this, data received must not be taken at face value, but should be checked for quality and completeness.
The roles of data analytics and internal auditors must be separate and clear in order for auditors to take an objective view on whether the data received is a true reflection of the business, and not corrupted or compromised.
“Organizations must enforce governance frameworks to ensure internal auditors and data analysts are clear about their roles,” says Martyn Scrivens, chair of ICAEW’s Internal Audit Panel. “However, there must also be collaboration to share knowledge. For example, auditors should be in a position to handle sensitive data provided by analysts, and be able to interpret and communicate the results.”
Managing data security and privacy risks in the age of data analytics
Data analytics governance frameworks should also consider who can access data, where it is stored and for how long, as data security can become an issue when sensitive material is involved.
In addition, the data analytics governance framework should encapsulate the preservation of the three major concepts in information security: confidentiality of data stored, processed and reported; data integrity; and data availability. In the case of any breach, the organization should be in a position to take corrective actions as soon as possible.
Martyn said: “It is worth noting that sourcing and collating data for analytics can result in a higher cyber security risk, and auditors with access to sensitive data may be targeted by cyber criminals. Data analytics can be beneficial, but managing the risks associated with it is very important. The starting point should be a careful review and development of a governance framework that addresses the use of analytics, audit strategy and risk.”