Page 629 - ITGC_Audit Guides
P. 629

GTAG — Where Should Internal Auditors Begin?




            Process                                             2.   Manage your data analysis initiative like a program,
              Integrating data analysis into an audit plan will change   focusing on your desired end-state of maturity.
            the way the audit is conducted, so changing audit processes,   3.   Develop a uniform set of analytic practices and proce-
            procedures, and schedules is necessary. As noted above, data   dures across assessment functions.
            analysis techniques can be utilized throughout an audit cycle,   4.   Assign responsibility for data management, quality
            so process changes at each stage need to be considered —   assurance, and other key roles.
            not just at the testing phase. In some cases, audit planning   5.   Document and/or comment scripted analytics to
            and preparation may take longer than normal when using   record the intent and context of the analysis being
            technology as data-driven indicators or when risk or controls   automated.
            weaknesses may affect the audit plan. Where data from   6.   Review and test analytics being used to ensure the
            multiple sources is deemed required, additional preparation   results being generated are accurate and appropriate for
            time may be needed to get access to the data. CAEs may   the audit step being run.
            want to consider adding access and authorization privileges   7.   Establish a peer review or supervisory review process
            to their organization’s data in their audit charter to stream-  of analytics performed to safeguard against the reli-
            line this part of the process.                          ance on results generated from using incorrect logic or
              Where the use of data analysis extends to parts of the   formulas during analysis.
            overall continuous auditing process, significant changes to   8.   Standardize procedures and tests in a central and
            internal processes will be required to ensure that organiza-  secure repository.
            tional units are prepared to receive timely notification of   9.   Safeguard source data from modification/corruption
            exceptions and establish a mechanism of managing those   — either through the type of technology being used
            exceptions to close the loop on findings.               to conduct the analysis or by analyzing back-up data or
                                                                    mirrored data for audit purposes.
            Technology                                          10.  Address the potential impact of the analysis on
              There are a variety of data analysis technologies to choose   production systems, either by scheduling analysis at off-
                                                                    peak times or by using back-up or mirrored data.
            from. The key is to choose the right technology for your orga-  11.  Educate staff on how to interpret the results of the
            nization’s audit tasks, objectives, and IT environment. CAEs   analysis performed.
            should consider what they want to accomplish in the long   12.  Treat training as a continuous process, measured
            term and choose the right data analysis technology or suite   by ongoing growth and continuous development of
            of technologies to achieve their objectives.            capabilities.
              Regardless of what decisions are made with respect to   13.  Aim for constant improvement through leveraged use
            people, processes, or technology, it should be emphasized that   of data analysis software as analytics evolve over time.
            internal audit departments should start with a risk assess-
            ment that aligns the audit scope with the audit objectives.

            Obstacles
              Embarking on an increased focus on data analysis using
            technology will likely have obstacles and challenges. The
            most common obstacles include underestimating the effort
            required to implement correctly, lack of sufficient under-
            standing of the data and what it means, and the need to
            develop the expertise to appropriately evaluate the excep-
            tions and anomalies observed in the analysis. These and
            other obstacles are best addressed through a well thought out
            plan that commits sufficient resources and time.
              A decision to invest in implementing or improving data
            analytic capabilities needs to be appropriately managed to
            ensure maximum benefit is obtained, with the least amount
            of cost. A few recommendations to help accomplish these
            goals are:

            1.   Align your overall data analysis strategy with your:
                a. Risk assessment process.
                b. Current audit plans.
                c. Long-term audit goals and objectives.


                                                             15
   624   625   626   627   628   629   630   631   632   633   634