IIA training and events

Research report: Data Analytics

Determining the potential value of data analytics in internal audit

Data Analytics: Is it time to take the first step?

Download the full report (pdf)


Executive summary

The purpose of this report is to enable the head of internal audit (HIA) to have a strategic discussion with their board/audit committee to help determine the value add of introducing data analytics into the function's methodology.

  • Most medium and large organisations are generating big data – huge volumes of data ranging from financial transactions to key metrics. Internal auditors, particularly in larger organisations, are making use of data analytics to both guide their audit plan and test controls.
  • Data analytics in internal audit is becoming more prevalent as time goes on. For some, it is no longer a question of when to implement it in their methodologies but how.
  • The report contains three case studies of internal audit functions ranging from large to small – Coca-Cola Hellenic, Credit Suisse and Dublin Airport Authority – that have incorporated the use of data analytics into their methodologies in order to reap the benefits of data analytics.
  • The three case studies (see summaries in the next section) show that the key benefits for the internal audit function are to:
    – Increase efficiency. For example, scripts can be re-used for periodic audits, resulting in efficiency benefits through using analytics vs performing the analysis manually
    – Increase effectiveness by performing whole-population testing instead of random or judgmental sampling
    – Improve assurance
    – Enable a greater focus on strategic risks by moving away from the more routine tasks which can be automated to a greater degree
    – Provide greater audit coverage
    – Realise significant savings, in terms of time and money, over the longer term.

Summary case studies

Coca-Cola Hellenic

[Increased assurance using whole-population testing and secondments to the data team to increase the requisite technological skills]

  • The internal audit function leverages the organisation’s (Enterprise Resource Planning) ERP system.
  • The ability to test 100% of the sample in various audits is where the real value lies as internal audit is able to provide much greater assurance.
    Increasing use of data analysis is becoming more common but there is still a need to go out and meet the business to get the intuitive feel that is necessary in an audit.
  • The challenge of getting people with a combination of internal audit leadership and data analytics skills will be an increasingly important issue to overcome in the future.
  • The HIA seconds members of his team into the data team in order to help up-skill them in the more technological side of data analysis, such as scripting.


Credit Suisse

[Data analytics is used in most audits including non-financial strategic risk areas such as culture]

  • Adopting data analytics transformed the function from a traditional judgement-based, sample-driven, manually intensive and reactionary audit process to one that is truly risk based, continuous/real-time and data centric. Buy-in from the function’s leadership and every auditor in the team was crucial. Sponsors should also recognise and accept that a period of incubation is necessary before tangible benefits can be delivered. Data analytics is integrated in to all parts of the internal audit cycle. It is, however, mainly used in fieldwork.
  • The ideal auditor who uses data analytics as standard in their audit methodology needs a blend of core analytics skillsets, business experience and a solid understanding of risk.
  • They go beyond making use of data analytics in financially oriented audits by utilising it in strategic risk areas such as the ‘risk and control culture’ aspects of their audits.


Dublin Airport Authority

[Enables the team a greater focus on strategic risk]

  • Prior to applying data analytics, 90% of the function’s time was spent on financial audits. Since incorporating data analytics the focus has shifted, with 50% of audits now concerning non-financial risks. This shift of focus improved the function’s overall effectiveness, as the key risks in the organisation are largely nonfinancial and the overall direction of internal audit is to operate on a more strategic level by looking at strategic risks.
  • Data analytics enables continuous auditing on specific business cycles but not necessarily all of them, especially in the case of smaller audit functions. It is important to weigh up the costs and benefits of introducing continuous auditing.
  • Data analytics can be applied in all audit functions regardless of size. Sophisticated applications require larger investment, but the basic application of using a desktop function can be incorporated into all internal audit functions with relatively low levels of investment.

 Download the full report (pdf)

Content reviewed: 11 October 2019