Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

The Future of “Big Data” Risk Analytics and Obsolescence of the Traditional Internal Auditor


Published on

As organizational data management matures, corporate data becomes more accessible, and analytics continue to advance the future where internal audit must evolve to be data-centric or be rendered irrelevant. In this session, a globally recognized leader in data analysis for the past 30 years will illustrate this shift, what it means for internal audit leaders, and how to embrace the shift through people, process, and technology to make internal audit a trusted and sought-after advisor in the data-centric business environment inside today’s leading organizations.

Published in: Business
  • Be the first to comment

  • Be the first to like this

The Future of “Big Data” Risk Analytics and Obsolescence of the Traditional Internal Auditor

  1. 1. 1Source: THE FUTURE OF “BIG DATA” RISK ANALYTICS AND OBSOLESCENCE OF THE TRADITIONAL INTERNAL AUDITOR By Dan Zitting, Chief Product Officer, ACL The Way We Are Paid As Auditors Shows the World Has Changed Recently I spoke with a private recruiter who is among the best I’ve ever seen at placing high-caliber internal auditors in the best companies and departments. I was curious to better understand why it appears that internal audit salaries are relatively flat, yet I constantly hear from audit leaders that they can’t find people with the skills to innovate within their teams. My brain nearly exploded when they replied, “Frankly no one in management truly needs the services of the traditional auditor anymore; what they need is for the promise of ‘big data' to materialize.” For literally 40 years now (over 10 years before the release of Microsoft Windows 1.0 and 20 years before the term “business intelligence” was commonly used), ACL has been pushing the audit, risk and compliance oriented professions to embrace the power of data. However, it is only now that I am convinced the tide is crushingly shifting. When I further pushed this same recruiter, they told me that when they accept positions to fill from clients, they require that the employer be ready to pay a salary of $83,600 for an experienced auditor. When recruiting experienced analytics experts (whether for a data analytics team inside internal audit or elsewhere in the organization), they currently demand $123,800 in comp with a signing bonus between $10k and 20k. Oh snap! When looking at leaders, it got even worse—audit leaders (managers and directors) pulling a demand of about $117,000 compared to a high- caliber analytics team leader at a striking $162k with a $20k+ signing bonus.
  2. 2. 2Source: What Does This All Mean? It’s simple—traditional internal auditors simply are not valued as the trusted advisors of senior management on matters of risk or as analytics experts with the business savvy to ask the right questions are. The traditional auditor is obsolete, and they generally don’t yet realize it. Meaningful stories about every organization, whether commercial or public sector, are hidden in its data. Amongst those are stories about the effectiveness of internal controls, stories about the effectiveness of risk management, stories about the behavioral ethics and regulatory compliance, stories about the reliability of financial information, and stories about the performance of the organization. Those who can uncover and re-tell those stories in meaningful ways are about to completely replace those who do a few interviews, complete a couple of checklists, and test a few samples so they can effectively guess at pre- defined questions that they assume actually matter. There simply is no place for the traditional internal auditor, either at the table with management or at the table of the audit committee. The Databots Are Coming! Over the course of the industrial revolution, robots have systematically replaced workers in the manufacturing process. Over the course of the now quickly evolving data revolution, data bots will systematically replace knowledge workers in the audit, compliance and risk management process—bad news for the traditional internal auditor. In fact, a recent Handelsblatt article (Germany’s Wall Street Journal) actually predicted that accountants and auditors will be replaced by robots (databots) faster than any profession on earth except tax advisors and telemarketers over the next 20 years. I recently had a corollary discussion with Renee Murphy, a lead analyst for GRC at Forrester and one of the smartest industry analysts I’ve ever met. Her full-time job it is to look at the profession and technology trends to understand how organizations will optimize value in the future, and one of her comments that most directly caught my attention was, “even as an ex-auditor, I can tell you the traditional auditor is barreling toward obsolete, and they generally don’t even realize it.”
  3. 3. 3Source: Well With That Happy Outlook, What Might We Do Now? The good news though is that enterprise data is complicated, and it is going to be an exceptionally fruitful environment for those with the skills to develop the “databot environment,” driving real efficiency and mountains of value into an organization’s bottom line. Thus, this salary split we’re already beginning to see above. The opportunity is for a new breed of entrepreneurial auditor to take control and lead the charge to make our largely broken approach to traditional internal auditing obsolete. It seems apparent that the mandate for innovation and forward progress in the audit, risk and compliance professions— without the massive over-complication usually surrounding the discussions of “big data”—should be effectively three-fold: 1. Get a clear view of what's important based on organizational strategy: In this stage, it is time to do what I call the “GRC Grind.” The GRC Grind is the painful but must-be-done process of identifying what’s actually important to the business in terms of controls by deconstructing its top level strategy into key goals/objectives, the enterprise-level risks that are likely to threaten the achievement of those goals, the process- and project-level control-objectives that mitigate those enterprise risks, the process-level risks that threaten achievement of the control objectives, and the actual controls that mitigate the process-level risks. This set of controls should define what is truly important to the business operationally. The last step of the GRC Grind is to map compliance requirements to those controls and any “overhead controls” to the framework that are required for compliance reasons but not already captured. Once completed, this will create a complete picture of governance that will meaningfully push forward the organizational assurance that will achieve its performance goals. 2. Automate the “menial” audit work away: With the clear picture of the broader business developed through the GRC Grind, there will undoubtedly be basic control testing and monitoring that needs to be done, core “must-monitor” compliance areas, basic risk rating, and standard operational auditing that needs to be done by location, process, entity, etc. All of this work is opportunity for automation through data. This is where traditional data mining and data analytics come into play. By building fully repeatable and sustainable data mining analytics that evaluate a risk/control/etc. on an ongoing basis and automating prescriptive communication and remediation processes for red flags, we are creating the databots that eliminate the need for traditional audit work, freeing up time and resources to uncover the really big stories going on in the business. 3. Help the organization look forward by uncovering the meaningful stories in the organization through its data: Where the real future internal auditor will then spend the majority of their time is developing and sharing the perspectives on organizational risk and performance that look forward on the organization’s likelihood of achieving its objectives. The only way to truly do this is through data, using risk analytic techniques that are foundationally forward looking in nature. The term “predictive analytics” is grossly overused and essentially useless, implying some sort of magical statistical algorithms that are magic in their ability to dictate what the future will look like. What is important is using analytics to weave a forward-looking picture. For example, by analyzing and correlating some basic data on product sales and customer usage patterns, we can relatively easily develop a story about our general ability to engage and retain a customer after their purchase to ensure success and advocacy. Similarly, by analyzing and correlating some basic data around systems access, it is relatively easy to create a forward-looking picture of where in the organization cybersecurity vulnerability may exist. Lessons From The Field: Start Small And Evolve, But ACTUALLY Start! Embracing the shift to “data-driven” is the first step certainly, however it’s Step 2—actually doing something—that really matters. 80% of the failure I see in building data programs in internal audit comes from never getting started. Organizations tend to spend an inordinate amount of time worried about what tool to buy, how to get budget for training, tiptoeing around conflict on getting access to data with IT, etc.—none of which actually relates to the objectives, risks and controls we want to analyze.
  4. 4. 4Source: I recently did a session at the 2016 IIA GAM conference in Dallas with Laura Biland who leads up the data analytics efforts (among other roles) in the internal audit team at Texas Instruments (TI), the Fortune 200 semiconductor manufacturer. What I like about Laura and her program at TI is that they have systematically developed their capabilities and innovated around how they look at audit through data since they started in 2008. While they have had all the typical struggles (access to data, auditor skill sets, etc.), they’ve continually pushed through to where they are now in a position to really transform how they look at audit across the organization. The timeline of their experience she shared at the conference looks like the following: The punchline here is that they have been on an 8+ year journey now, but by taking it one step at a time with even very limited resources dedicated specifically to data analytics, they are now in a place where a good chunk of mundane audit work (coverage of approximately 200 risk/control points) is completely automated and systematically looked after on a continuous basis. They are now moving into scoping out all audits with data analysis so no time is wasted in areas of minimal risk, and ultimately into more forward-looking analysis to assess risk across the enterprise. They are well ahead of most companies when it comes to transforming internal audit because they simply got started, made time, got small successes, built on the learning gained, and iterated until they had a sustainable program in place. This agile approach to transformation through data is what I see bringing (unfortunately, currently few) internal audit shops back to the strategic advisor table in the new data-centric world of digital business. Register for our related upcoming webinar!
  5. 5. 5Source: Article from Protiviti KnowledgeLeader – KnowledgeLeader is a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk and add value. Free 30-day trials are available. Protiviti ( is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Named one of the 2015 Fortune 100 Best Companies to Work For®, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.