Research Article: 2022 Vol: 26 Issue: 1
Mr. Bonginkosi G. Mhlongo, Durban University of Technology
Dr. Lulu F. Jali, Durban University of Technology
Citation Information: Mhlongo, B.G., & Jali, L.F. (2022). Use of data analysis techniques by small and medium sized audit practices. Academy of Accounting and Financial Studies Journal, 26(1), 1-23.
Organisations are facing growth in the digitisation of their processes. This causes rapid growth in the creation of electronic data. These electronic data come from different sectors of business processes such as operational, financial and others. The introduction of industrial age has accelerated the information age. This rapid growth has brought the world to fourth industrial revolution. Internal auditors are expected by their professional body to fulfil the mandate of adding value to organization by reducing risks that threaten the achievement of its goals. This calls for better techniques that are modern. This study adopted two theoretical frameworks which is Fuzzy Set Theory and Grounded Theory. The fuzzy set theory works best when there are no or few researchers in that field of study. Indeed this study has random elements of fuzzy set variables which are vague and imprecise information. Additionally, Grounded Theory was necessary to be used because of the intention to reveal insights. The purpose of the study was to investigate the factors that contribute to the successes and unsuccesses in other areas of audit by small and medium sized audit practices. This is necessary because the Institute of Internal Auditors (IIA) regards data analytics as a critical tool for effective internal audit organisations. The study was conducted using qualitative research approach. Data was collected through Interviews which were conducted to 10 internal auditors. Data was analysed through themes by the use of NVivo. The empirical findings indicated that the transformation of the internal audit activity by the small and medium sized internal audit practices requires much more data analytical development than the technical capabilities in order to be at the most matured state of using data analytics.
Internal Audit, IIA Standards, Information Age, 4th Industrial Revolution, Small And Medium Sized Audit Practices, Consequences Of Non-Compliance, Data Analytics Techniques, Technology-Based Audits.
Kiyosaki (2012) notes that the world is in the Information Age and not in the Industrial Age. In the Information Age, the greatest asset is the newness of that information. History has further taught that people who frequently get left behind in life are people who are held in traditional ways of thinking and doing things (Kiyosaki et al., 2012). The internal audit function carried out by small and medium sized audit practices has been described as being held in the industrial age, while there is growth in the digitisation of an organisation’s operations (Mokhitli & Kyobe, 2019). Coderre (2017) notes that internal audit practises should be using technology based audit technique to embrace the change brought by the information age. It enables an auditor to check a larger set of information and increase focus on high-risk areas. However, the pace at which these tools and skills are being incorporated is said to be slow. Kaya et al. (2018) supports the views of Coderre that majority of the internal audit functions are at “analytics infancy.” Although, there has been slow progress in adapting data analytics but it has been observed that it adds value to the work of internal auditors (Coderre, 2017).
Nevertheless, the incorporation of data analytic techniques in the internal audit functions is said “not to be an easy process” (Davis et al., 2017). Coderre (2017) echoes the same sentiment with Davis et al., by indicating that a majority of the small and medium sized internal audit practices are finding it difficult to incorporate data analytic tools, because the implementation process is not approached with a clear plan of action. Furthermore, over the past 20 years Chief Audit Executives (CAEs) have struggled to implement a successful analytical program in their internal audit function (Coderre, 2017). The problems identified were poor method of implementing change, difficulties in accessing data, lack of data analytic skills and high costs of implementation (Davis et al., 2017). The research indicates that the shortage of data analytic skills is also another cause contributing to the difficulty to incorporate data analytic tools in audit practices (Earley, 2015).
There is a need to strengthen the internal audit function especially in this information age period. The Institute of Internal Auditors (2016) claims that, as long as there are limitations of implementing a strong data analytic program within small and medium internal audit practices, progress will not be visible. This is due to the increase of data created from organisations which calls for strengthening of audit practices that integrate data analytics in the internal auditing function. High-risk items can be automatically flagged, inversely, enabling auditors to focus on high-value areas.
The research shows that those internal audit practices, which have successfully incorporated the software, will have results that are reliable. This is due to the data analytic software having the ability to identify all the high-risk items, enabling internal auditors to direct attention to high risk areas (The Institute of Internal Auditors, 2016). That is why modern audit engagements now consist of clients that are making use of big data and analytics due to striving to remain relevant and competitive in today’s business environment (Appelbaum, et al. 2017).
The purpose of this study is to investigate the factors of Institute of Internal Auditors’ (IIA) requirements of technology-based audit and other data analysis techniques by the small and medium sized audit practices. This research has four objective. These are (1) to determine the extent of use of data analytical software by small and medium sized audit practices, (2) to examine the impact or consequences of non-compliance of the use of data analytic software by the small and medium sized audit practices, (3) to determine factors and reasons for any non-compliance, and (4) to recommend the steps to be considered in the implementation of data analytics by small and medium sized audit practices.
This study used the 2 theoretical framework that is Grounded Theory and Fuzzy Set Theory. These theories link to the study because of their ability to reveal insight and information which would have been otherwise unobtainable. For example, Grounded Theory connected to this study because of the ability that enabled the discovery of new theoretical principals from data, which was systematically obtained and analysed using comparative analysis. Whilst the Fuzzy Set Theory linked to this study because it afforded the opportunity to challenge and lengthen existing literature knowledge, especially when the existing knowledge was subjective with imprecise judgments.
There is evidence of change taking place worldwide due to digital products that are introduced in the business sector. This was confirmed when Standard Bank a South African financial services group (i.e. bank) and Africa's biggest lender (measured by assets) closed most of its branches because most of services are able to be rendered using technology. Most employees lost jobs because banks in South Africa had introduced and increased digital banking products (eNCA, 2019). This was an indication that business process tools used were changing dramatically whilst the business process objectives remained the same (Kiyosaki et al., 2012). Despite these changes in business processes, internal auditors still have a mandate to add value and improve an organisation’s operation. In addition, internal auditors are to help an organisation accomplishes its objectives by evaluating and improving the effectiveness of processes (The Institute of Internal Auditors, 2018).
Global Technology Audit Guide (2012) recognises the advantages in computer aided audit techniques hence its requirement for Chief Audit Executives (CAEs) is to obtain tools such as data analysis. The observed strength of data analysis is to provide a more real-time perspective of the IT risk landscape. It offers the CAE an approach to review indicators of emerging risks and assess the operating effectiveness of internal controls constantly. Auditing data information using data analysis proved increased functionality especially with this tool having the capabilities to efficiently process larger amounts of data (The Institute of Internal Auditors, 2012). Coderre (2017) supports the reasons why the IIA now regards data analytics as a critical tool for effective internal audit organisations, & Kiyosaki et al., (2012) indicates that new technology is going to change things for all mankind.
Recent studies have deliberated on data, data analysis and internal auditors from different points. Consultancy. Uk (2018), outlines that data analytics is changing the internal audit profession because it has an ability for the user to gain competitive advantage, manage operations and to plan strategically in this computer age era. These highlighted abilities of data analytics mitigates the key risks board members want to resolve. However, current maturity in data analytics within many audit practices is rated low because of the lack in implementing innovative technology (Consultancy.Uk, 2018).
This statement by Consultancy.Uk agrees that, the digital age carries new challenges and opportunities for the internal auditor. Pan (2016) explains that the digital age has seen a change in how internal auditors can perform effectively their duties by no longer focusing on resolving issues on back-end processes, however, propose solutions that are strategical focusing at end-to-end process improvements thereby forecasting the future of the organisation (Pan, 2016). Since organisations are at a digital age, the International Standards for the Professional Practice of Internal Auditing now recommends technology-based audit and other data analysis techniques. The Institute of Internal Auditors (2017) brings a mandate to internal auditors to use innovative technology. This mandate comes through the word “must” which internal auditors have a responsibility to take (The Institute of Internal Auditors, 2017).
Deloitte (2017) notes that for the past few years’ traditional internal audit methodologies have achieved significantly their designed purpose, that included sampling data for testing which was revealed to have inherent limitations, the limited views about the exceptions, control breakdowns, or risk. Nevertheless, the progressively, complexity and fast-paced business landscape of businesses is moving in the direction that calls for implementing advanced business analytic techniques (Deloitte, 2017). The purpose being to enhance the attention on risk and acquire more insight into the organization (Deloitte, 2017).
Lowe (2018) states that, small and medium sized internal audit practices continue to fall behind on IT use and the perceived importance for audit testing, audit report writing, and client administrative management applications. Auditors from these practices consider data analytics as being less important than the other larger audit firms. Lowe (2018) further states that auditors from these audit practices may not recognize that this position them at a competitive disadvantage, especially since their clients may not demand this type of IT. Davis & Cernautan (2017) note that, other challenges which are faced by these audit practices when implementing data analytic software are: (1) changing from traditional audit techniques to incorporating analytics (2) difficulty in accessing data (3) lack of data analytic skills (4) and the high costs to implement.
The study intends to assist the small and medium sized internal audit practices to gain an understanding of the importance of attaining the obligatory knowledge, which is technology-based audit and other data analysis techniques per the IIA standards. This knowledge is in support of the advisory and assurance services, which is to mitigate the non-compliance issues of the IIA requirements standards (The Institute of Internal Auditors, 2017). This knowledge is mandated by the Standards about data analytic techniques, in accordance with Standard 1210 – Proficiency, 1220.A2 - Due Professional Care and Standard 2201 – Planning Considerations (The Institute of Internal Auditors, 2017).
Conformance with The IIA’s International Standards
The Institute of Internal Auditors (IIA) has established rules with which the individual internal auditor and the internal audit activity must abide by, one of these rules are called “International Standards for The Professional Practice of Internal Auditing (Standards).” The Institute of Internal Auditors (2017) also notes that, conformance with this standard is important to meet the responsibilities of internal auditors and the internal audit activity (The Institute of Internal Auditors 2017).
In addition, the Institute of Internal Auditors (2018) further highlights that internal audit becomes more effective when it complies by using the International Professional Practices Framework (IPPF). The aims of IPPF are demonstrated in a form of mandatory elements, which are the Core Principles for the Professional Practice of Internal Auditing, the Code of Ethics, the Standards, and the Definition of Internal Auditing (The Institute of Internal Auditors, 2017).
The Institute of Internal Auditors (2017) maintains that, conformance with the Standards proves conformance with all mandatory elements of the IPPF. Francis (2019) states that, the IIA Standards provides the necessary tools and expectations that are required to conduct internal audit. Hirth (2009) emphasises that, members must follow the mandatory elements of the IPPF or face disciplinary action, including expulsion. The mandatory elements of the IPPF include the Definition of Internal Auditing, the Code of Ethics, and the IIA Standards. Francis (2019) notes that the non-compliance with these mandatory elements, may not produce the best results. Therefore, compliance with the IIA Standards reduces the opportunity of misusing audit resources while promotes the audit efficiency (Francis, 2019).
Section 1220.A2 of the IIA Standards
Section 1220 of the above mentioned standards discuses Due Professional Care. This section highlights one of many responsibilities that internal auditors must achieve, such as to possess the skill and apply care in their work of a reasonably prudent and competent internal auditor (The Institute of Internal Auditors, 2017). Furthermore, the section is expended by IIA through Section 1220.A2 requiring Internal Auditors to exercise due professional care and must consider the use of technology-based audit and data analysis techniques (The Institute of Internal Auditors, 2017).
Technology-based audit techniques are defined as “any automated audit tool, such as generalized audit software, test data generators, computerized audit programs, specialized audit utilities, and Computer-Assisted Auditing Tools And Techniques (CAATs)” (The Institute of Internal Auditors, 2017).
Hoesing (2010) indicates that the practise of these Technology-based audit techniques supports the auditor to achieve the standards. The changes on the standard on or after the 1st January 2009, internal auditors were required to perform their audit activities using the standard with the insertion of the word “must” (instead of “should” as it was in the previous standard). The additional insertion was to “consider the use of computer-assisted technology-based audit tools and other data analysis techniques when conducting internal audits” (Hoesing, 2010). Pagalung et al. (2017) agrees with Hoesing through illustrating that section no. 1220.A2 of the Standard advises internal auditors to consider the use of information technology because it identifies red flags of fraud from the entire business data rather than form the chosen sample. This withstands increased demands of work for internal auditors, for instance, increased number of volume, complexity and scope of the audit implemented in line with business development. Hence the requirement to consider use of information technology because a software supporting the information systems designed to assist internal audits has been developed (Pagalung et al., 2017).
The Data Analysis Techniques
The Institute of Internal Auditors and Global Technology Audit Guide, (2017) outline that, due to increased demand, emerging risks resulting from developing business changes and opportunities that are not systematically managed or broadly understood by companies, have created a need for more guidance in this area. Internal auditors in the small and medium sector must now develop knowledge of data analytic principles to effectively provide assurance that risks are addressed and benefits are realized. The Institute of Internal Auditors and Global Technology Audit Guide (2017) demonstrate a clear principle about big data, that it describes exponential growth and availability of data created by people, applications, and smart machines.
In support
In support of data analysis having a progressive effect on the internal audit process, Boshuizen (2016) highlights that these insights can produce significantly better bottom-line performance and strengthening a company’s competitive advantage. It also offers the opportunity for more value added, informed engagement and dialogue with management charged with governance within the audited entity increasing the credibility of the audit (De Bonhome, 2017).
It should be noted that the introduction of data analytics does not mean that the audit process will be an easy task. As illustrated by De Bonhome (2017), data analytics means new challenges to the internal auditor. The testing of large populations often generates a numerous number of exceptions. The information delivered by the client should be in a format that can be used by the auditor and this is not always obvious, otherwise, it consumes more time to organise it for audit purposes (De Bonhome, 2017). Small and medium internal audit practices need to use simple data analytics, and complex data analysis techniques. Data analytics needs to be embedded in the audit approach, not purely the acquiring of tools (De Bonhome, 2017).
The other technique that has been in the market for a while is CAAT. Soileau (2016) claims that, tools that perform Computer-Assisted Auditing Tools and Techniques (CAAT) have improved and expanded capabilities compared to the past two decades. However, compared to the CAAT tools, the Audit Data Analytics tools involves more special knowledge and skills such as advance statistical techniques or data mining, while many internal auditors do not possess the knowledge, therefore causing a challenge (Li, Gershberg, et al., 2018). Soileau (2016) infers that, when developing the analytics program, for small audit departments that have more limited budgets, using tools that are already in place within the company is useful. De Bonhome (2017) support that, the internal audit approach must include data analytics techniques. However, despite majority of the internal auditors who uses data analytics within the internal audit activities, their rate of usage is at a basic level or complex.
Data Analysis Expertise a Much-Needed Skill
Coderre (2017) illustrates that, Chief Audit Executives (CAEs) in many organisations expressed that to have a data analysis expert is a continues and critical problem in the internal audit. A survey conducted through the IIA reveals that data analysis and analytical software within the past 10 to 15 years’ has been a serious instrument for effective internal audit organisations. This survey illustrates that more than half of internal audit practices continue to rate their data analytic competency as poor or in need of improvements. Coderre (2017) argues that, most of these internal audit shops who struggle to incorporate analytics within the internal audit methodology have been unsuccessful to come with a clear plan of action of implementing data analytics (Coderre, 2017).
Coderre (2017) indicates that for many years of experience as an internal auditor he has used and supported analytics. He continues by demonstrating that in the first two years of auditing using data analytics the potential of performing a greater job was realized. However, many CAEs give up in the development and maintenance of the analytics capability with lack of effort (Coderre, 2017).
How Small and Medium Sized Audit Practices Can Position Audit Data Analysis Into The Audit Process
Peters (2017) claims that, data analytics in internal audit is becoming more dominant. Many internal audit practices are beginning to question how these capabilities can be incorporated in their methodologies. Cernautan (2017) supports Peters’ view and adds that a successful data analytics strategy needs to begin by building an internal business case. This phase prevents the loss of momentum if the program is not properly marketed within the organisation. The second phase is to address the knowledge and skill limitation by allocating funding to resource and train the audit teams (Cernautan, 2017). Peters (2017) outlines that, the head of internal audit (HIA) within the small and medium sized internal audit practices can engage into a strategic discussion with their board/audit committee to help determine the value add of introducing data analytics into the function’s methodology. These discussions should also outline that a large number of companies are generating big data, with enormous volumes of data coming from financial transactions to key metrics (Peters, 2017). As well as illustrating that internal auditors are making use of data analytics to drive their audit plan and test controls.
Coderre (2017) argues that, the integration of data analytics into the audit methodology calls for a development plan and implementation plan. The plan must disclose recruitment of resources as an obligation measurement at the specific level and the number, and the appropriate technology software, this also includes the process description and data surrounding the processes description (Coderre, 2017). Davis (2017) states that, changing the way internal audit think about their work is the key element for developing an effective data analytics strategy. Davis (2017) also agrees with Coderre that, starting with defining the objectives, planning and executing a vision for using data analytics is also the key to achieving the set objectives (Davis, 2017).
Coderre (2017) illustrates that, internal audit practices need to introduce new ways they presently perform their internal audits. The integration of data analytics will require a project manager with clear objectives, milestones, and a reporting obligation in order to account for the key performance areas (KPA) of the plan. The reporting need to go to the heights organisational level such as the CAE and the audit committee (Coderre, 2017). Cernautan (2017) outlines that, when purchasing, internal audit need to invest in modern technologies that are easy to accustom to and implement. The integration of data analytics requirements into the audit methodology is important since this will ensure maximum impact of the audit. CAE’s must make the use of analytics required rather than optional (Cernautan, 2017).
Cernautan (2017) notes that, internal audit need to aim for quick wins that will progress to larger successes by phasing the program in with an agile methodology. This includes the automation of routine audit areas, teams can contribute by self funding the program through efficiency gains and demonstrated return on investment (Cernautan, 2017). Davis (2017) supports the understandings of Cernautan and adds that, having a strong support from senior management is critical. This also includes the buy in from the audit staff in order to gain efficiencies in meeting the objectives. Davis (2017) maintains that, tools that are user friendly, and easy to set up will lead to quick wins and assist with buy in and the enhancement of the data analytics strategy momentum for more advanced analytical strategies. There should be analytics leaders or champion responsible for executing the strategy. The analytics’ leaders or champions will also be tasked with tracking progress, setting targets and monitoring key performance indicators and ensuring that analytics testing is performed (Davis, 2017).
Coderre (2017) outlines that, analytics call for business processes to be understood first, including the data associated with business processes, and a concrete knowledge of internal auditing processes, the application knowledge of the IIA professional standards. The declared skills may not be existing within one individual, and they might not already exist in small and medium sized internal audit firms. However, there is an opportunity to attain the right resources and assign them with a clear KPAs, through the implementation of audit data analytics (Coderre, 2017).
A survey conducted by Deloitte indicated that only around one third of Head of Internal Auditors (HIAs) use data analytics at an intermediate or advanced level. The residual two thirds of HIAs use basic, ad hoc analytics (e.g. spreadsheets) or no analytics at all (Peters, 2017). Coderre (2017) also claims that, the internal audit practices that already have the appropriate resources as indicated above, are ahead of the game. These literatures postulate that internal auditors within the small medium practices should already be proficient with business processes together with the internal audit skills, and possibly with some data analytical competences. Coderre (2017) supports the views that, internal auditors will need to be provided with skills development through training and especially software training, and with sufficient time to grow the skills and implement the analytics functionality. The literature also claims that internal auditors will need to dedicate to analytics because it will be a recipe for failure if they are pulled away to some subset of the required skills (analytics). Should these internal auditors be devoted into something different than analytics, the progress of implementation will be unsuccessful (Coderre, 2017). Peters (2017) notes that comparing the different sets of analytic tools is important in order to determine what works best for the internal audit function as described in figure 1.
Coderre (2017) argues that small and medium sized internal audit practices often suggest they cannot dedicate a person to analytics because they are a small audit organisation. The literature illustrates that the lack of staff is the most common justification for not using data analytics (Botez, 2018). Coderre (2017) argues that a small internal audit team does not give the indication that small medium practices should be less efficient and effective. Unless the small and medium sized internal audit practices are not adopting analytics, they are failing to address risk, perform testing of controls, examining compliance, and improving business operations at the highest degree (Coderre, 2017). Accordingly Peters (2017) make known that, data analytics software can be used for basic data analysis and complex data interrogation across numerous transactions, including the assessment of control performance and exception reporting. However, regardless of the highlighted good uses numerous internal audit teams still rely on spreadsheet based tools and applications rather than more on sophisticated analytics and data mining tools (Peters, 2017).
Coderre (2017) claims that, small and medium sized internal audit practices need to make an informed decision, about not using data analytics. This includes examining the costs and benefits and thereafter make a decision. Because by just looking at current resources, which may be overused, and then decide about not using data analytics may not be a valuable decision. Coderre (2017) outlines that, it is not a question of doing additional work with the same resources. However, Small and medium sized internal audit practices need to ask if there are tasks which should not be performed or if there are better ways that are effective and efficient of performing the same tasks. Small and medium sized internal audit practices will need to determine the value add for the tasks not being performed. Then determine if they can continue to do without data analytics (Coderre, 2017). The incorporation of data analytics into the internal audit process includes the use of software to detect significant trends and exceptions in large amounts of data (Peters, 2017).
Software Package for Data Analytics
Coderre (2017) illustrates that the common question for the internal audit practices who are at the early stage of adopting data analytics is normally the choice of an appropriate software package. Coderre (2017) notes that, the answer should be decided based on the internal audit unit’s short and long term plans of analytics. It is also pointed out that Internal audit must start through the use of existing tools, this includes standard reports and excel, but this does not mean being limited by what the internal audit practice has. The small and medium internal audit practices should find out what analytic software packages are being used by other practices. These practices should than decide according to their requirements and including short and long term plans for using analytics, and when exhausted all current capabilities such elsewhere. On the other hand, options include ACL, Tableau, SaS, TeamMate Analytics, and many others (Coderre, 2017).
Figure 2. demonstrates the capabilities that data analytics can offer many other opportunities to improve audit quality.
As revealed in Figure 2, Data analytics is a key element in the strategy to improve audit quality, it offers more in depth knowledge about the business, and equipping the auditor to focus on items of greater audit interest. Jackson et al. (2016) agrees with De Bonhome through indicating that internal auditors performs independent assignment on behalf of the board of directors of the company. Although these assignments will vary, they will relate to the evaluation of the efficiency, economy and effectiveness of the company’s internal control systems and business activities and to the evaluation of whether the company has identified and is responding to the business risks faced by the company (Jackson et al., 2016).
De Bonhome (2017) supports the idea that, internal auditors must limit overall audit risk to a low level, and reasonable assurance must be at a high level. If audit risk is 5%, the level of assurance is 95% in mathematical terms. The main objective of limiting overall audit risk should be to provide reasonable assurance when analysing exceptions and the use of data analytics will not be resulting in absolute assurance (De Bonhome, 2017).
As in internal audit procedure, De Bonhome (2017) states that, abnormalities identified through data analytics need to be analysed, sorted and clustered, because not all abnormalities can be risky but some can be justified. Although there can be deviations that can be justified, this includes a system being configured to prevent pricing changes, and a manual price change is a deviation. However, should this price change be duly approved, there is no issue to be reported by the internal auditor.
Indeed, the ability to analyse the entire population is a sign of value being added from analytics. Therefore, internal audit practices that incorporates analytics are likely to identify a wider range of other capabilities (LaValle, 2011). Olley (2021) agrees with De Bonhome by illustrating that the importance of data analytics in its abilities to be used to analysing data, and the discovery of transactions that do not fit normal patterns, assist significantly in the achievements of the internal audit objectives. The discovery of these transactions which do not fit normal patterns may have a higher impact of causing audit risk or even indicate fraud. Hence data analytics abilities may cause auditors to worry that they will be replaced by machines (Olley, 2021).
Olley (2021) emphasizes that data analytics tools do not eliminate auditors out of the auditing system, however, analytic tools free auditors to look at analysis results and determine what and when additional actions should be taken. Hence when auditors use data analytics tools, more available time is created for providing insight to their clients. In addition, because of audit data analytics results auditors can also offer value added services (Olley, 2021).
Indeed De Bonhome (2017) reveals that data analytics can be applied throughout the phases of the audit. For that reason, below are some examples of data analytics considerations and routines per audit phase and how it differs from traditional audits. The Table 1 below determines that data analytics techniques can be incorporated in the audit approach and that data analytics offers opportunities to improve the audit quality:
Table 1 How Audit Data Analytics Differs From Traditional Auditing |
||
---|---|---|
Adopting data analytics | Traditional Audit | |
Testing entire data sets | Data analytics software performs testing on the entire data set, not only samples, allowing more thorough audits to be performed. There is the possibility for error, when conclusions are established on the auditor’s knowledge of the entity. For example, an auditor may possibly miss the fact that some transactions have been processed on a weekend when the entity’s business hours are only Monday’s to Friday’s. In this case, data analytics could capture these transactions as “Unusual Days.” |
Data is analysed by sampling a data set using traditional spreadsheets and establishing conclusions based on the selected samples and the auditor’s knowledge of the entity. This creates the possibility for error because the entire data set is not examined. |
Using data from any source | Data analytics software makes the possibility to integrate data from multiple sources easily and the extraction of data from any source, enabling auditors to run analyses quickly and efficiently, providing higher quality insights and more value to their clients. | In the 2020s, audit practices will continue to be under pressure to provide more value to their audit clients. Indeed this is because it can be difficult to develop strong insights when data is blown-out across multiple files, systems, and solutions. |
Bringing data analytics into the audit workflow | Data analytics brings automated testing into established audit workflows, assisting in the simplification of the audit engagements and providing useful reports for future audit evidence. |
Analytics software usage is not part of an audit workflow. Auditors use data analysis separately or depend on additional data specialists. Consequentially resulting in longer audits, more costs and no visibility of the tests that are performed. |
Artificial intelligence and machine learning applications | Data analytics software works similarly as human auditors but uses artificial intelligence (AI). Based on the available data set, the analytic software has machine learning (ML) capabilities that adapts its algorithms to provide the most accurate results. Analytics software provide meaningful results that calls for further review because of using AI and ML, this enables analytics software to quickly and accurately examine all of the transaction and trial balance entries in an engagement’s data set. Also further reviews may look at areas of concern that may have been identified in the initial analyses. |
None |
Tailored analytics | Conducting deep analysis often requires additional time usage, and additional money which most clients are not willing to commit. However, with automated data analytics tools they allow auditors to dig deeper into data without using significantly additional staff time. Furthermore, data analytics permits several audit testing to be tailored based on the characteristics of each entity. |
Due to the large amounts of available data, fraud detection can often be difficult with traditional auditing practices. |
The Concerns Around Data Analytics
Botez (2018) on the other hand argues that, even if the benefits are clear, there are limitations on data analytics:
1. The quality of the audit may decrease because of detection risk resulting from data that is not relevant to the audit being analysed.
2. The 100% testing of the population does not imply the auditor can provide anything other than a reasonable assurance.
3. Professional judgment is still necessary to assess the reasonableness of accounting estimates and presentations.
4. Data analytics cannot replace the reasoning of professional judgment. In addition, technology needs to be used cautiously and not overly trusted.
Botez (2018) further indicates that, the additional concerning factors exists which influences data analytics use in audits:
The data acquisition process is a challenge since it is connected to the existence of a large database which the entity must transfer to the auditor in order to apply data analytics. This process will involve data security and confidentiality issues, along with the existence of a storage space;
Conceptual challenges When an audit involves data analytics it will also involve asking for data and addressing questions that have not been requested in the past. This may create issues related to the attitude of the audited entity;
Legal and Regulatory Challenges security and confidentiality of data in different jurisdictions and the movement of data between them can create concerning challenges;
Availability of resources The audit team need to be supported by people with certain skills (i.e. data analytics);
Under a rapid change of circumstances the way in which supervisors and regulatory bodies maintain their supervision may also call for a rapid change;
The investment in preparing and creating auditors' qualifications (skills) to gain knowledge, abilities and experience in data analytics use.
When the auditor believes they can rely on IT systems, the data provided by the IT system should be reliable (Dagilienė & Klovienė, 2019). Since the data used is created in the majority of the entity, the auditor should reassess its ability to gather sufficient and adequate data acquisition standards. Botez (2018) further illustrates that before placing reliance on data provided by the audit client, auditors should consider various associated obstacles. This includes the fact that data analytics triggers questions on IT generic controls, especially the impact of the test results, the minimum level tested and the impact of any deficiency in IT controls. Auditors should also consider the relevance and reliability of data obtained from third parties, especially when completeness, accuracy and reliability cannot be established. According to Dagilienė & Klovienė (2019), the nature of audit evidence obtained through data analytic procedures when initially using a Risk Based Approach procedure should also be considered.
The literature review addressed the IIA’s requirements on technology based audit and other data analysis techniques as a critical tool for effective internal audit organisations. Indeed, it was pointed out that the landscape of the internal audit function is changing because of the rise in “big data.” With this rise in big data, data analytics significantly is changing the field of internal auditing, because of manual processes having transformed to automated processes. Internal auditors therefore can use data analytics to provide deeper insights about the workings of a businesses and to provide the best service for their clients.
The review of the literature in this section also revealed that the current maturity of data analytics implementation within audit practices is rated low, because of the lack in skill and the lack of using innovative technology. Indeed, a suitable methodology was recognized, assisting audit practices to understand the five point methodology and learn how to use it. It also was revealed that as data analytics usage increases in order to support decision making, it enhanced that organisations ability to move from one level of analytic capability to the next. However, this section also revealed what is new in using data analytics which was not done during the traditional audit. Conversely, this section exposed that even if the benefits are clear for using data analytics in audit practices, there are limitations and concerning factors. The next section in this article will be exploring the detailed explanations of the research design incorporating qualitative research.
Research Design
Creswell (2012) expresses that qualitative design is suited in cases where research problem is being addressed and where one does not know the exact variables and the need to explore. Qualitative is useful in cases where the literature is not giving more information about the phenomenon of study and more clarity might be brought forward by participants. Indeed, qualitative was chosen in this study because it is mysterious for many small and medium audit practices. Similarly, Pajo (2018) agrees with Creswell that the qualitative research aims at gathering insights and depth into topics a researcher wants to know about. As a result, due to the literature yielding little information about the phenomenon of this study within the small and medium sized audit practices in Durban, there was therefore a need to learn more from participants through exploration.
According to Flick (2018) a qualitative research interview seeks to understand the world from the subject’s point of view, in order to unfold the meaning of people’s experience and to discover their lived world before scientific explanation. Brinkmann & Kvale (2018) agrees with Flick by specifying that qualitative interviews are commonly semi-structured with themes to be covered and also includes some prepared questions. Indeed, the target population of the study was the small and medium sized audit practices within Durban (Umhlanga and CBD area). The interview were planned for only 20 to 30 minutes each on a once-off bases. The researcher ensured that their daily tasks were not compromised during the interview. The participants were given an opportunity to ask the researcher questions during the interview process for any clarity.
The data from the first interview was analysed in the spreadsheet by extracting the key themes. From then on, the preliminary codes were assigned to describe the content. Thereafter a search for patterns or themes or connections in the codes across the different interviews was performed. These patterns or themes or connections were reviewed and defined using the software called NVivo. The report detailing the findings from the researcher-administered questionnaire was produced, which was in response to the problem presented (as defined by the research questions) and also presented the “solution” or “answer” to those questions. According to NVivo (2020) the NVivo software is intended to assist users organize and analyse unstructured or non-numeric data such as those derived from an interview. It arranges information; study relationships in the data; and combine analysis with linking, shaping, searching and modelling (NVivo, 2020).
The analysis of results according to the study objectives
After having specified the research objectives under the introduction section of this article, listed below is a brief outline of how the set objectives were achieved in this study through the data collected. Furthermore, based on the discussions on the Literature Review, the research questions were developed.
Objective 1: To determine the extent of use of data analytical software by small and medium sized audit practices
This objective was meant to define the magnitude of usage when it comes to data analytical software in the internal audit activity and in achieving its full potential given the growth of big data within the small and medium sized audit practices in Table 2.
Table 2 There Are Iia Standards That Are To Be Followed, Which Ones Are Applicable To Your Practice? |
|
---|---|
Participant A | It depends on the type of the audit engagement |
Participant B | All IIA Standards are applicable to our practice |
Participant C | Standards that are applicable to my practice are as follows: 1. Attribute Standards 2. Performance Standards; and 3. Implementation Standards |
Participant D | All of them |
Participant E | All IA standards are applicable, coming from a consulting firm, our methodology is built around the IA standards. By following the methodology, you are applying the standards. |
Participant F | Yes, I don’t remember them |
Participant G | All IIA standards are applicable to me as an auditor as well as to the organisation that I work under. |
Participant H | Attribute and Performance Standards |
Participant I | All of them |
Participant J | The organisation is compliant with the IIA, therefore all the standards are applicable and followed. All the IIA standards are applicable |
Each participants was asked to specify the IIA Standards that are applicable to their practice. Majority i.e. 90% of participants deemed that all the IIA Standards are applicable to their practice. The participants indicated that all internal auditors are accountable for being compliant with the standards. This also included IIA Standards related to individual objectivity, proficiency, and due professional care and also those that are relevant to the performance of their job responsibilities. Other 10% of the participants explained that the applicable IIA Standards depends on the type of audit engagement. The participants further stated that it is the chief audit executive’s responsibility to ensure that the internal audit activity conforms to the IIA Standards.
In addition, it was mentioned that the applicable IIA Standards to their practice consist of two main categories, which are, Attribute, Performance and Implementation Standards. The Attribute Standards was mentioned to be explaining the characteristics needed in order to perform internal auditing for organizations and at individual level. The Performance Standards discusses the nature of internal auditing and offer quality conditions to measure the performance of these services. The participants also mentioned that Attribute and Performance Standards apply to all types of internal audit services. The Implementation Standards was revealed by the participants as providing the requirements associated to assurance or consulting services of both Attribute and Performance Standards. These empirical findings are supported by the literature which states that the Institute of Internal Auditors is creator and custodian of the International Standards for the Professional Practice of Internal Auditors, to which all members must adhere (The Institute of Internal Auditors, 2018) in Table 3.
Table 3 With Most Internal Controls Changing To Automation, Increasing The Creation Of Electronic Data, Does It Affect You, If So In What Way? |
|
---|---|
Participant A | No, I am not affected. |
Participant B | No, it has not affected our practice. |
Participant C | Yes, it does affect me in a positive manner. However, the use of electronic systems allows internal auditors to be more efficient and effective in assisting the organisations achieve its intended purpose and objectives. |
Participant D | Yes, I’m aware of the fourth industrial revolution but they don’t affect me thus since I’m assigned mainly to government sector and the government is not quick to adapt to changes more especially technology, however the computer age era evolution shouldn’t be a problem in the internal auditing because already we’ve had computerized auditing tools e.g. CAAT. |
Participant E | As an individual they are, as companies are now looking for auditors who can audit systems as well and whom can utilise data analytics systems and write scripts. |
Participant F | Yes, in a good way, it’s much simpler than printing. |
Participant G | Yes ,I does affect me in that as an Internal Auditor I am now required to move with times and change the way to I use to perform audit and now start to understanding Information Systems, and start adapting to using IT/data analytical software tool when performing audit. |
Participant H | This affects me in a way that I have been trained. It poses a challenge that requires my knowledge to be uplifted. It opens an opportunity for internal audit to merge with IT audit so that one of the auditor can perform both audits. |
Participant I | Yes it does affect me in knowing and understanding the technology that bring the automation. There is now the need to further understand the technology that enables automation from a governance, risk and compliance perspective. |
Participant J | Yes, they do in a positive way, because it has assisted me in working more efficiently and being able to also perform continuous audits using automation and also performing analysis of the data much easier and efficiently. |
The focus of this research question was on the impact of internal controls changing to automation and the effect this has on participants. The response to this question reveals that 70% of the participants are affected by the change of internal controls to automation. Many participants indicated that these changes do affect them in a positive way, because it has assisted them in working more efficiently and being able to also perform continuous audits using automation and also performing analysis of the data much easier and efficiently. It was also revealed that they must now know and understanding the technology that brings the automation. There is now the need to further understand the technology that enables automation from a governance, risk and compliance perspective.
However, the other 10% participants highlighted the fact that as much as this affects them they have been trained. It also poses a challenge that requires their knowledge to be upgraded. It opens an opportunity for internal audit to merge with IT audit so that one of the internal auditor can perform both audits. While another participant emphasised that as an Internal Auditor they are now required to move with times and change the way they use to perform audits and now start to understand Information systems, and start adapting using IT/data analytical software tool when performing audit. However these changes now possess a risk for most internal auditors with an industrial knowledge since companies are now looking to employ auditors who can perform systems audit as well as utilise data analytics systems and write scripts.
The remaining 30% participants did not agree on the automation of internal control affecting them since their clients are the government sectors and as much as they are aware of the 4th industrial revolution they feel it would not affect them. This is because they believe that the government sectors are not quick to adapt to changes more especially technology.
These empirical findings are in agreement with the literature which states that internal audit practises should be using technology based audit technique to embrace the change brought by the information age (Coderre, 2017). This is because the digital age comes with new challenges and opportunities for the internal auditor (Consultancy.Uk, 2018). This is the same reason the IIA Standards illustrates the importance of using technology based audits or data analytics especially if the responsibilities of internal auditors are to be met (The Institute of Internal Auditors, 2017) in Table 4.
Table 4 How Will You Describe The Data Analytics Implementation In The Practice? |
|
---|---|
Participant A | It’s the use of large data, usually the whole population is used for audit testing purpose. |
Participant B | In the practice that I am in (Retail) data analysis is not a critical requirement, as there is limited data to work on. |
Participant C | Basically, data analysis is when the internal auditor investigate variances picked up during the analysis of data when comparing the results of prior year to current. This assist in determining whether the organization / auditee is aware of the gaps identified and resolve accordingly. |
Participant D | There are so many data analyst tools such as CAAT even Excel can be used to analyse data, but anyway for the sake of your research it has been good thus far. |
Participant E | Well in my company we have a separate data analytics department that handles all data analytics requirements. |
Participant F | Intermediate |
Participant G | Our organisation has a Unit within IT Auditors that specialise in IT Audits, therefore it has not started in allowing traditional Internal Auditors to getting exposure in IT Audits and start acquiring data analytical skills. |
Participant H | I would suggest that it be made compulsory that the firms have data analytics software for their auditors and all other tools that will assist in auditing the systems and electronic data without having to print the documents. |
Participant I | It is challenging in the sense of budget and expectation. Business processes need to be understood above anything else and most of the time this is not documented and accounted for when deploying data analytics. Furthermore, legacy systems have certain data that will need to be cleaned before it can be used and comes with its on challenge. These two points are not usually taken into account and they are the ones that make most of the difference. |
Participant J | We have extensively applied the use of data-analysis to an extent that there's a team of Auditors that specialise in data analytics. These auditors assists the other auditors with performing all the analysis of data to ensure that they perform their audits efficiently and effectively. |
As indicated there were different perspectives from participants pertaining to the description of the data analysis implementation in their practices. 50% of the participants indicated that their practices are extensively using data analysis, since there are internal auditors who are specializing in data analytics. These internal auditors assist the other internal auditors with performing all the analysis of data to ensure that they perform their audits efficiently and effectively. It was also revealed that the practices are using both traditional internal audit to provide the other internal auditors without IT skills an opportunity to slowly acquire the skills from the experienced data analytical internal auditors.
Furthermore, approximately 30% participants stated that in their internal audit practice data analysis is not a critical requirement since there is limited data to work on. It was elaborated by one of these participants that, their implementation maturity is limited and does not affect them since their clients are the government sector and this sector is not quick to adapt to changes more especially in technology, however it was also stated that this should not be a problem in the internal auditing because already there are computerized auditing tools such as CAAT available to assist when needed.
10% of the participants in this study indicated that in their practice they do not have a data analysis software. This participant added that it should be made compulsory that the practices have data analytics software’s for their internal auditors, and all other tools that will assist in auditing the systems and electronic data without having to print documents.
Finally, 10% of the other participant(s) highlighted that it is challenging in their practice to implement data analytics because of budget and expectation issues. It was also revealed that business processes need to be understood and most of the time this is not documented and accounted for when deploying data analytics. Furthermore, legacy systems have certain data that will need to be cleaned before it can be used and comes with its own challenge. It was also mentioned that these two points listed above are not taken into account and they are the ones that make most of the difference.
These empirical findings support the literature which states that current maturity in data analytics within many audit practices is rated low because of the lack in implementing innovative technology (Consultancy.Uk, 2018). Also, Lowe (2018) states that, the small and medium sized internal audit practices continue to fall behind on IT use and the perceived importance for audit testing, audit report writing, and client administrative management applications in Table 5.
Table 5 What Is Your Experience Associated With The Use Of Data Analytical Software And How Different Is It From The Traditional Internal Audit? |
|
---|---|
Participant A | Data analytics software make things easier than the traditional method and with the softwareyou can look at the total population. |
Participant B | Data analysis is a very useful tool in scrutinizing data for validity and accuracy produced bythe business system. |
Participant C | It woks much faster and more efficient. |
Participant D | The above widely tools have been in existed for some time and which some organizations currently still use them and I haven’t seen any different. |
Participant E | I personally am not using any software as the company caters for that for all the teams. Theonly data analytics i use is Excel. |
Participant F | It adds more value to the client, by interrogating the data directly. |
Participant G | No experience. |
Participant H | None. I have not been exposed to the use of data analytics. |
Participant I | No experience. |
Participant J | It has increased my efficiency and effectiveness, it actually reduces the room for human error unlike traditional effectiveness Internal Audit ways. |
In this research question the researcher explore the experiences of participants in using the data analytical software in the audits function and how it is different from the traditional internal audit. 40% of participants have agreed that the software’s have increased their efficiency and effectiveness. They believe data analytics performed through internal auditing at their practice has actually reduced room for human error, unlike traditional internal audit.
10% of participants had different opinions such as data analysis is useful in scrutinizing data for validity and accuracy. While, another 10% disagrees about these software’s being different through indicating that these tools have been in existence for some time and which some organizations currently still use (referring to CAATs).
Another 10% of participants have experienced data analytics as a software that makes things easier than the traditional method and believe that the use of the software can perform an internal audit at the total population rather than a sample. Furthermore, the participant believed it adds more value to the client, by interrogating the data directly.
As much as some participants have been expose with the different forms of software’s in their performance of internal audit, some have not been exposed. 30% of the participants stated they have personally not been using any sophisticated data analysis software. The only data analysis used is Microsoft Excel which is a basic tool.
These empirical findings support and contradicts the literature. It supports the literature by stating that data analysis proved increased functionality especially with the capabilities to efficiently process larger amounts of data (The Institute of Internal Auditors, 2012). The audit data analytics tool also includes the ability to gain competitive advantage, manage operations and to plan strategically in this computer age era (Consultancy.Uk, 2018). Nevertheless, the empirical findings contradict the literature because compared to CAAT tools, the Audit Data Analytics tools involve more special knowledge and skills such as advance statistical techniques or data mining, which is a rare skill to internal auditors causing a challenge (Li et al., 2018).
Objective 2: To examine the impact or consequences of non compliance of the use of data analytic software by the small and medium sized audit practices.
This objective was intended to demonstration penalties associated with the disobedience in conforming with the IIA Standards, especially the imposed ‘must’ use of technology based audits and other data analytic techniques, as stated under Section 1220.A2 in Table 6.
Table 6 Briefly State The Impact Or Consequences Of Non-Conformance With The Iia Standards Your Practice Has Enforced Through Conducting Quality Assurance And Improvement Program (Qaip)? |
|
---|---|
Participant A | A consequence management policy is in place which states the process to be taken for non-adherence to Quality Assurance standards. |
Participant B | There is a Standard and consistent method which is followed for every audit. |
Participant C | Consequence management is always enforced if there is non-compliance with the IIA standards. In addition to this, normally the audit on quality assurance is performed by the independent body or external audit firm. This is done once in 5 years and in case there is non-compliance, the organization obtain the qualified audit opinion. |
Participant D | Obviously, non-compliance with IIA Standards would render internal audit activity useless and redundant. |
Participant E | Our company conforms to all QAIP requirements and this is also enforced by the internal QAR department that ensures all quality requirements are met |
Participant F | Critical. |
Participant G | None. |
Participant H | We have not received the communication regarding this. |
Participant I | None. |
Participant J | Fine, and also disciplinary. |
It was noted through participant’s response that 30% have no consequences of non conformance imposed on them for non conformance with the IIA Standards. While 70% agree that in their individual practices they do encounter consequences of non conformance with the IIA Standards if they are breached. These empirical findings revealed that there is a Quality Assurance and Improvement Programme (QAIP) which has to be develop by every internal audit practice designed to identify non conformance in the internal audit activity. Non conformance is an indication of the failure of the internal audit activity to conform to the Definition of Internal Auditing and the Standards and the application of the Code of Ethics (The Institute of Internal Auditors, 2018). This non conformance has consequences which each practice deals with in accordance to their specific management police since such non- conformance could threaten the organisation’s ability to achieve goals.
Objective 3: To determine factors and reasons for any non compliance
This objective was expected to highlight root causes for being non compliant with IIA Standards, especially the imposed ‘must’ use of technology based audits and other data analytic techniques, as stated under Section 1220.A2 in Table 7.
Table 7 What Has The Practice Done To Ensure They Have Individuals With Data Analytics Capabilities? Has The Practice Supported The Internal Auditors With Trainings And Software, And Given Sufficient Time To Develop The Skills? |
|
---|---|
Participant A | Nothing as yet, but there is a dedicated data analytics team which IA can consult should they need training or any assistance. |
Participant B | Currently there is no staff member with data analytics capabilities. |
Participant C | This has not been implemented due to financial constraints, only a group of individuals do attend trainings and the transfer of skills to others is always a problem. |
Participant D | Yes, trainings are done. |
Participant E | Well in my company we have a separate data analytics department that handles all data analytics requirements, If an internal auditor wishes to have data analytics capabilities, they may train should the training be available |
Participant F | Not enough |
Participant G | Our organisation has IT Auditors who specialise in IT Audit. However; the organisation has not done anything to support Internal Auditors in developing and acquiring data analytics skills. |
Participant H | No, no support has been given to international auditors to develop skills for data analytics. |
Participant I | The audit function has made data analytics as part of its strategy. Yes training is provided. |
Participant J | Identified individuals that were interested in also becoming ACL specialists, took them for training those that were not yet attended any training. The selected auditors then provided internal training to the other team members. |
The responses from 30% of the participants noted that in their internal audit practice, management identified interested internal auditors who want to become ACL specialists, and upskilled them through training. The selected internal auditors thereafter provide internal training to other team members. While 70% of the participants representing the majority has indicated that currently their practices has not done anything to support Internal Auditors to develop and acquire data analytics skills. However, it was also revealed that there is a dedicated data analytics team which internal audit can consult should they need training or any assistance. Other causes to the lack of effort shown by their practice is the financial constraints associated with these data analytics software tools
These empirical findings may contradict the literature slightly. This is because the literature points out that auditors from small and medium sized internal audit practices do not see IT applications as important to their businesses and clients (Lowe, 2018). However, the empirical findings agree with the fact that the small and medium sized internal audit practices do not know how to go about in improving audit quality through data analytics (Soileau, 2016) in Table 8.
Table 8 What Are The Challenges Associated With Developing And Maintaining An Effective Data Analysis Capability In Your Practice? |
|
---|---|
Participant A | Not sure, but there are challenges. |
Participant B | There is no data analysis in the company. |
Participant C | Budget constraints |
Participant D | Purchase cost price are too high for a simple small audit firm. |
Participant E | Availability of training |
Participant F | Continuous updates and relationships with IT department |
Participant G | Lack of Knowledge and lack of understanding the importance of developing such skills for Internal Auditors. |
Participant H | This has not been communicated. I am not sure whether it is the cost associated with developing and maintain data analysis capability or whether the firm is comfortable with having to rely on IT auditors for that. |
Participant I | Remuneration packages. Data analytics is a specialised skill which makes it scarce and retaining individuals with such a skill set becomes costly. |
Participant J | There is less people that are interested in being data analyst, this has resulted in the analyst team being overworked. |
Given the underlined importance of data analytics capabilities by participants, this research question presents challenges associated with the development and maintenance of an effective data analysis capability in the small and medium sized internal audit practices. Regardless of data analytics capabilities, it was noted during the interviews that 90% of the participants agree that with the reality of big data, comes the challenge of analysing the data in a way that brings value to clients. Hence why data analytics was regarded as a specialised skill which is scarce and retaining individuals with such a skill set can become costly. It becomes more challenging when internal auditors in the practice show less interests in being data analyst, as it results in the analyst team being overworked.
Table 9 What Implementation Strategy Did The Practice Use In Phasing In Data Analytics In The Internal Audit Function? |
|
---|---|
Participant A | Not sure |
Participant B | There is no implementation strategy in the company. |
Participant C | The internal audit methodology clearly outlines the importance of phasing in the data analysis in our practice. However, it is not followed accordingly. |
Participant D | Trainings are done. |
Participant E | A separate department was created within the firm. |
Participant F | None. |
Participant G | Currently there are no implementation strategies. |
Participant H | None. |
Participant I | Hiring a specialist and a dedicated resource. |
Participant J | Identified individuals that already had analytics capabilities and those that were interested, sent those that did not have formal training for training, started including the team members in all the planning for all audits to identify areas that might require data analytics. |
In addition other participants noted that there is no data analysis in their company, due to the purchase cost price being too high for a simple small internal audit practices. However, it was also indicated that small and medium sized internal audit practices are also comfortable with having to rely on outsourcing IT assurance services, such as data analytics capabilities. This also results in the challenge of maintaining continuous updates and relationship with IT department, contributing to the lack of knowledge and lack of understanding the importance of developing such skills for internal auditors.
These empirical findings support the literature which states that over the past 20 years, CAEs struggled to incorporate a successful analytics program due to the three factors: 1) difficulty in accessing data; 2) lack of data analytics skills; and 3) the high costs to implement (Cernautan, 2017).
Objective 4: To recommend the steps to be considered in the implementation of data analytics by small and medium sized audit practices
This objective was meant for the selected participants in the study to identify recommendations for the effective implementation of data analytics by small and medium sized audit practices.
In this last research question the researcher explored implementation strategy used by the different practices in phasing in the data analytics in the internal audit function. About 50% of the participants indicated that they are not sure about their practices strategy used to phase in data analysis and that their practice does not have an implementation strategy. The remaining 50% of the participants stated that their practice provided trainings, and the internal audit methodology was updated to outline the importance of phasing in the data analysis. In addition, other respondents stated a separate department was created within the practice purely for data analysis as well as hiring a specialist and a dedicated resource.
These empirical findings contradict the literature which states that audit data analytics requires big planning, discrete action, and specific management approaches (Peters, 2017). It also requires the five-point methodology for successful implementation of analytics based on the maturity standing of an organisation (LaValle et al., 2011).
Summary of the Theoretical study
Indeed, internal auditors are affected by the change of internal controls to automation. These changes are viewed as affecting them in a positive way, because it has assisted them in working more efficiently and being able to also perform continuous audits using automation and also performing analysis of the data much easier and efficiently. The empirical findings indicated the importance of IIA standards to be adhered for effective implementation of data analytics. Due to big data that need to be analysed effectively, the individuals with expertise will have to be utilised in the maturity journey. Indeed, the small and medium sized practices maturity journey to using audit data analysis, is low especially as most have not started in allowing traditional internal auditors in getting exposure in IT audits especially acquiring data analytical skills.
The enforcement of the use of data analysis techniques is however a mandatory requirement contained in the IIA Standards under Section 1220.A2. Therefore, since these are mandatory requirements adherence to the IIA Standards is utmost important and non
conformance should be prevented. According to the Institute of Internal Auditors (2017). The study revealed that the IIA Standard compliance is best assessed by performing a Quality Assurance and Improvement Programme (QAIP). The program helps to assess the efficiency and effectiveness of the internal audit activity. The program includes the evaluation of the conformance with the IIA Standards especially as the computer age era and 4th industrial revolution changes the organisational internal control processes, hence quality processes of internal audit practices must evolve to withstand this change.
It emerged in this study that the introduction of new technology through the Computer Age era and the developing 4th Industrial Revolution (4IR) is the cause of change of internal controls in organisations. The much anticipated 4th Industrial Revolution also raises concerns in terms of how it will drive the changes in the performance of the internal audit activity and how these changes will affect the professional competency and due care. Failure to recognise and take advantage of the computer age era and 4IR opportunities, will impose risks on the value add and the improvement of organisational processes by the internal audit activity. Any lack of effort to develop existing internal auditing data analysis models by small and medium sized practices imposes risk on them falling further behind, lowering their competitiveness.
The maturity model characterises the stage from the least matured state to the most matured state of traditional auditing through to continuous assurance of enterprise risk management using technology based audits techniques. This means the progressive shift in internal audit practices by using the maximum degree of audit automation.
The study revealed that the small and medium sized internal audit practices are either data analytics naive or aware. This comes after the study revealed that there is either no analytics skills and or the internal audit practice has some skills of data analytics through having a team of auditors specialising in data analytics. While this is the case, it points out that the data analytics maturity journey linked to business requirement, internal auditor skills, experience, assurance and available funding is still in the early stage.
The study has shown that the small and medium sized internal audit practices focus on technical skills and tools when it comes to the adoption of data analytics into the internal audit function. However, this adoption requires a planning transformation, including transforming the execution, reporting audits and relationships with stakeholders. Such an adoption supplementary needs internal audit practices to pay attention on their audit methodology and or approach not only their technical capabilities.
This study recommends that each practise employ or train at least one internal auditor who will be able to use the audit data analytics. This will be a long term investment to the internal audit practice compared to the cost of training and hiring. The collaboration with big firms could possible speed up the utilization of data analytics by the small practices since they have more resources. Also, utilise the partway to maturity journey as a measure of where each practice can begin to implement audit data analytics. They must also consider developing Quality Assurance and Improvement Programme (QAIP) to identify non
conformance in the internal audit activity.
Berisha, G., & Pula, J.S. (2015). Defining Small and Medium Enterprises: a critical review.Academic Journal of Business, Administration, Law and Social Sciences,1(1), 17-28.
Booth, A., Sutton, A., & Papaioannou, D. (2016). Systematic approaches to a successful literature review.
Boshuizen, P., & Elder, B. (2016). Driving business performance using data analytics.
Coderre, D. (2017). So, Why Are You Still Not Using Data Analytics?
Consultancy.Uk. (2018). Data analytics to become a game changer for internal audit.
Creswell, J.W., & Poth, C.N. (2016).Qualitative inquiry and research design: Choosing among five approaches. Sage publications.
Davis, S. (2017). The Data Analytics Strategy.
Dawson, C. (2016).100 activities for teaching research Methods. Sage.
De Bonhome. O.G.E. (2017). Data analytics: the future of audit.
Flick, U. (2018).An introduction to qualitative research. sage.
Francis, T. (2019). Standards for the Internal Audit Function.
Global Technology Audit Guid. (2012). Information technology controls_2nd edition.
Hirth, R. (2009). Guide to Internal Audit USA: Protiviti Inc. (Accessed 20 April 2019).
Hoesing, M. (2010). Applying Data Analytics to IS Audit.ISACA Journal,4, 1-4.
Jackson, R. & Stent et al., W. (2016). Auditing notes for South African students. 10th ed, LexisNexis.
Kiyosaki, R.T. (2015).Unfair Advantage: The Power of Financial Education.
Kiyosaki, R.T., & Lechter, S.L., et al. (2012). Rich Dad's Prophecy. Warner Books in association with Cashflow Technology.
LaValle, S., Lesser, E., Shockley, R., Hopkins, M.S., & Kruschwitz, N. (2011). Big data, analytics and the path from insights to value.MIT sloan management review,52(2), 21-32.
Dagilien?, L., & Klovien?, L. (2019). Motivation to use big data and big data analytics in external auditing.Managerial Auditing Journal.
Olley, J. (2021). 5 Benefits of Adopting Data Analytics in Internal Audit.
Pajo, B. (2017).Introduction to research methods: A hands-on approach. Sage Publications.
Peters, I. (2017). Data analytics ? is it time to take the first step?
Soileau, J. (2016). Analytics & the small audit department: no matter the size of an audit function, analytics can be implemented for big gains.Internal Auditor,73(3), 35-40.
The Institute of Internal Auditors, I. (2016). Data Analytics and the Future of Internal Audit.
The Institute of Internal Auditors, I. (2018). Definition of Internal Auditing.
The Institute of Internal Auditors. (2017). Global Technology Audit Guide - Understanding and Auditing Big Data. IIA.
Tsai, C.W., Lai, C.F., & Chao, H.C. (2015). Big data analytics: a survey United Kingdom: Journal of Bigdata.