In this special five-podcast series, Matt Kelly and I are exploring the future of internal audit (IA), compliance and analytics. In Part II, we go through the three steps of evolution that an IA function must traverse so that it can move beyond its traditional audit duties under Sarbanes-Oxley (SOX) compliance and testing of financial controls. These three steps of evolution are: (1) strengthening internal controls for financial reporting and SOX compliance; (2) enhanced analytics; and (3) risk optimization for other business functions. Kelly believes that companies must go through these three steps of evolution, and in this prescribed order.

The profession has been working on step one as a whole since the passage of SOX back in 2001. It included strong internal controls for financial reporting, disclosure controls and compliance controls. Here companies would see which of these they had in place, which were working or effective, and which could be removed or deleted. SOX 302 governs the disclosure controls and SOX 404 governs internal controls over financial reporting. The key is that once you have the appropriate internal controls required by SOX, you can begin to test them, see how they work and see what types of data they are generating. The fundamental bedrock is strong internal controls. If you have bad controls, they will give you bad data, which will lead to bad conclusions and trouble at some point.

From this foundation of step one, the IA function is ready to move to a more analytics-based function. Kelly provided an example: “you could see how many of our invoices are paid before a purchase order arrives and you could see how often we are closing the books at the end of the month, within seven business days after the end of the month as opposed to out in 10 days.” This would allow an analysis of whether your finance function is narrowing that window or not. Finally, once you are able to build up a sufficient body of analytics, you can then move to risk monitoring, risk management and optimization for other business functions. This is a more robust risk management process. Kelly emphasized that you cannot take these steps out of order.

This evolution drives the importance of data governance up the priority list for internal auditors, compliance officers and risk officers. Kelly said that you need to consider the taxonomy of your data. This would include the “data you are generating, validation that the data is fitting, that it makes sense from a value perspective.” It would also include issues such as whether the data is in the right format and whether it is complete. While such issues as completeness of data, accuracy of data, validations and clear data taxonomies have long been considered by external auditors in their financial audits, IA will now need to be more vigilant on such questions.
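The two analytics Kelly describes (invoices paid before their purchase order, and month-end close within seven business days) only mean something if the underlying records first pass the completeness and format checks discussed above. The following is an added example, not code from the podcast or from any product it discusses; the records are constructed, and the business-day count assumes a plain Monday-to-Friday week with no holiday calendar.

```python
from datetime import datetime, timedelta

# Constructed sample rows (not real data); None models a missing value.
INVOICES = [
    {"id": "INV-1", "po_date": "2024-03-04", "paid_date": "2024-03-20"},
    {"id": "INV-2", "po_date": "2024-03-15", "paid_date": "2024-03-10"},  # paid before PO
    {"id": "INV-3", "po_date": None, "paid_date": "2024-03-12"},  # incomplete
    {"id": "INV-4", "po_date": "03/05/2024", "paid_date": "2024-03-22"},  # wrong format
]
# Period end and the date the books were actually closed (constructed).
CLOSES = [
    {"period_end": "2024-01-31", "closed_on": "2024-02-08"},  # 6 business days
    {"period_end": "2024-02-29", "closed_on": "2024-03-13"},  # 9 business days
]

def parse_iso(value):
    """Date for an ISO-8601 string, or None when missing or ill-formed."""
    try:
        return datetime.strptime(value, "%Y-%m-%d").date()
    except (TypeError, ValueError):
        return None

def validate_invoices(rows):
    """Completeness/format gate: return (usable rows, rejected ids)."""
    usable, rejected = [], []
    for row in rows:
        po, paid = parse_iso(row["po_date"]), parse_iso(row["paid_date"])
        if po is None or paid is None:
            rejected.append(row["id"])  # do not let bad data reach the analytic
        else:
            usable.append({"id": row["id"], "po_date": po, "paid_date": paid})
    return usable, rejected

def paid_before_po(rows):
    """Ids of validated invoices whose payment predates the purchase order."""
    return [r["id"] for r in rows if r["paid_date"] < r["po_date"]]

def business_days_between(start, end):
    """Mon-Fri days after `start` up to `end`; no holiday calendar (assumption)."""
    days, day = 0, start
    while day < end:
        day += timedelta(days=1)
        days += 1 if day.weekday() < 5 else 0
    return days

def close_within(closes, limit=7):
    """Share of period closes finished within `limit` business days."""
    spans = [business_days_between(parse_iso(c["period_end"]), parse_iso(c["closed_on"])) for c in closes]
    return sum(s <= limit for s in spans) / len(spans)
```

On the constructed rows, two invoices are rejected by the validation gate, one of the remaining two was paid before its purchase order, and only half of the period closes met the seven-business-day target.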

Kelly believes this will make “data governance closer to becoming an effective internal control, even like an entity level control.” Data governance is going to have to apply across all business processes to achieve this. It would allow you to document your risk management process in a very data-driven way and have confidence in it because your data governance is robust. Kelly said, “it is such an important thing that we have nailed it time and time again. Internal audit and the business functions all work together to understand this is the data we have, this is how we classify it, this is how we validated, this is how we know it’s all complete.” This also means that a Chief Audit Executive will need to work with the Board of Directors and C-Suite executives to ensure data governance has their attention as an entity-level concern.

This also brings up the issue of taxonomy, which Kelly described as “the dictionary or vocabulary of data”. He provided an example from the compliance arena: third parties. What are all the types of third parties your organization engages with, and what is the taxonomy you are going to apply to a group as diverse as resellers, joint venture partners and sales agents? Further, do you want a taxonomy that splits it down to “sales agents by region, by country or something else?” There must be some type of definition so that all compliance professionals are clear on what a third party is, so that third parties can be tagged for data analysis. They would all fit in this taxonomy, and then you can analyze the data presented because there is a clear understanding of each definition.

In Part III, we consider some specific examples.