Audit & Analytics
A complex and changing world represents an opportunity for growth as well as a more strategic approach to audits
Transform How Boards and Leaders Work Together
Meeting & Agenda Management
Seamlessly create, update and share agendas and board meeting materials.
Access resources, view upcoming meetings and annotate board materials from any device.
Minutes & Actions
Easily capture minutes and actions during a meeting. Assign contributors and set automated prompts.
Signature & Resolutions
Send documents for approval integrated with DocuSign.
Virtual Data Rooms
Share and collaborate on documents with stakeholders in a secure room.
Have private conversations on a dedicated channel integrated for easy access.
Complete self evaluations or D&O questionnaires in the same place as the boards material.
Get new directors up to speed with the resources they need in one location.
Identify gaps in board composition and recruit from a pool of 250,000 board members.
Internal Audit and Data Analytics: A Growing Partnership for a Changing World
Twenty years ago, Sarbanes-Oxley transformed reporting and compliance for publicly traded companies — and for their internal audit teams. Two decades on, intensifying cyber threats, rising data privacy concerns, geopolitical conflict and ESG are making the work of internal audit even more complicated.
But these issues also present an opportunity for growth and a more strategic approach to audits.
We as auditors don’t make the company any money, unless we make a cost recovery, which is a one-time event. We need to keep giving strategic value to the organization so they keep funding our resources.
— Tom Keaton, Director of Internal Audit, Crown Castle
Internal audit has traditionally focused on three key areas: providing assurance over the organization’s biggest risks; providing valuable insight by connecting data across systems, functions and teams; and improving internal audit’s efficiency while increasing assurance with the same level of resources.
However, these three focuses are no longer sufficient. “There are mission-critical risks outside of internal audit’s typical scope,” said Tom Keaton, Director of Internal Audit at Crown Castle. Yet internal audit needs to factor in risks such as utility strikes (e.g., hitting a power main), wildfires and other risk factors not traditionally audited. “You can’t fill your audit plan with these risks,” Keaton said, “but you have to incorporate them into your planning.”
Another high-risk area, as many auditors likely know, is mergers and acquisitions. “Acquisitions are tough,” said Fola Ojumu, Partner at Kearney & Company. “In an acquisition, financial statements start moving all over the place. With acquisitions, just assume that there’s fraud. It creates such a high-risk opportunity for degradation of controls.”
Another risk factor that will soon be consuming internal audit’s time, if it isn’t already, is ESG. “Look at what’s happening internationally,” said Kristen Sullivan, Partner at Deloitte & Touche LLP. “The EU is moving fast and furious and comprehensively [on ESG]. The SEC is focused on climate. Many of the organizations [auditors] work for and engage with are going to be required to audit [ESG data].”
Yet challenges remain, particularly in providing assurance with an entirely new set of variables. “We don’t have the debit/credit for this data,” said Helle Bank Jorgensen, CEO of Competent Boards and a former partner with PwC. “How do we ensure we have the info we need? I don’t want to be accused of greenwashing. What are the questions I need to ask? How do I know if I can sign off on this data?”
Look at what’s happening internationally,” said Kristen Sullivan, Partner at Deloitte & Touche LLP. “The EU is moving fast and furious and comprehensively [on ESG]. The SEC is focused on climate. Many of the organizations [auditors] work for and engage with are going to be required to audit [ESG data].
— Kristen Sullivan, Partner at Deloitte & Touche LLP
One place for auditors to start is with frameworks that have already been established, such as SASB, TCFD and the ISSB. And it’s only a matter of time before climate-related assurance must be a part of 10K filings.
“ESG may not be quantifiable in the short term, but even if it’s not understood and anticipated, it will become financially material,” said Sullivan.
As internal audit’s scope expands to encompass these new risks, the only way for auditors to continue providing assurance in each key area is by automating more routine operations.
Whereas traditional audit functions focus on financial and compliance risks, with any leftover resources dedicated to strategic and operational risk, Keaton advised flipping that equation. “You need to swap your resource allocation so you can focus the majority of your resources on strategic and operational risk,” he said. Automation is the key to flipping that. “Automate financial and compliance assurance, and use data and human insights for strategic and operational risks,” he said. Automated testing and continuous monitoring using data analytics frees up auditors to focus on these higher-priority risks to the organization, without decreasing assurance.
Equipped with analytics and other tools that streamline, strengthen and sharpen compliance and risk oversight, internal audit teams can:
- Identify and mitigate risk in a way that looks forward, not backward
- Deliver regular updates to leadership in a timely fashion rather than through periodic, limited and dated reports based on insufficient samples
- Help the organization more effectively prevent, mitigate and respond to evolving threats
- Connect internal audit to business strategy, and serve as the trusted advisor their organization needs in a changing world
These data analytics strengthen an audit team’s ability to provide actionable intelligence and strategic insight, which are essential in today’s changing world.