Data-driven risk assessment

Only about 28 percent of CAEs believe information gathered from audit is comprehensive enough to take immediate business action on.¹ Amid an evolving risk landscape in a digital environment, a data analytics–enabled audit can underpin the three lines with the right resources to build trust.

Building this trust may mean considering risk and impact to the IA plan more frequently; increasingly, IA is seeing a shift towards assessing risk more often than annually, with approximately 60 percent of IA functions now performing their risk assessments semiannually, quarterly, or more often.²

Layering internal and external data, along with technology into risk assessment and IA planning, provide better risk insights with efficiency, consistency, and quality. Use of data analytics enables the IA function to assess risk and provide insights to assist management decision-making on process improvements and control effectiveness. IA then becomes more dynamic, data-driven, and enabled by technology, as it delivers a balance of enhanced assurance and risk insights.

Considerations for IA

• Leverage technology for IA with organizational goals in mind. With insufficient integration of enterprise data and technology, there is a higher chance of failure of organization-wide risk and audit efforts.
• Lack of data integration can hinder accurate risk insights and misalign audit efforts. Consider utilizing internal and external data as indicators across risk categories.
• Dynamic audit planning and risk assessment should enable the monitoring of risks more frequently, outside of an audit, and give real-time insights. Analytics-driven risk assessment helps identify activities that may have bypassed existing controls.

Questions to ask/actions to take

• What enterprise data is available and accessible to be curated and used by IA?
• Is the right talent in place to enable desired delivery? The way audit teams want to work may need to be revisited to help retain the right talent.
• How are analytics planned and performed as part of each audit? How are quality and knowledge sharing ensured?
• Where are there opportunities for the business to automate process controls for efficiencies and global consistency? For many organizations, incorporating data analytics in the third line enables the benefits of continuous monitoring and a more practical step in the journey to digital risk management.

Footnotes:

¹ Gartner Audit Leadership Council “Audit at the Speed of Business” Scaling Assurance in a High-Change Environment 2021

² Polling results from KPMG CAE Share Forum held May 2022, approx. 600 respondents