The data behind the curtain: beyond the big data hype are practical ways to probe information for insights on organizational risks.

Author:Jackson, Russell A.
Position::TECHNOLOGY - Column

Big data is a lot like the Wizard of Oz in the 1939 film classic. Like Dorothy and the citizens of the Emerald City, businesspeople don't know exactly what it is, or what, precisely, it can do, but they know if you go about it correctly and do everything it tells you to do, it can make wonderful things happen. Pull back the curtain, though, and it's just a more expansive way to analyze and leverage information to do your job better. "Big Data is just a lot of data," says Norman Marks, a former chief audit executive (CAE) and current IaOnline blogger. "There is no difference except the volume."

That understanding is crucial to maximizing data analytics for internal audit. "Too many shops make the mistake of starting with data and how they can run analytics against them," Marks explains, "when they should be thinking about providing assurance and consulting services related to the risks that matter to the organization." Internal audit departments, he explains, tend to run the routines that come with the data-mining software they purchase--or the ones they're used to writing--and come up with interesting information that has a fatal flaw: It relates to risks that aren't important in the big picture. "The better approach to data analytics is to know what risks you need to address--the risks that matter to the organization as a whole," he Comments, "Only then consider how analytics can help obtain insights into those risks."

Data, in other words, is data. And data analytics is simply inspecting, cleaning, transforming, and modeling that data to highlight the useful information it contains; to suggest conclusions that can be drawn from the data; and to support decision-making based on those conclusions. The insights gleaned through analytics can be historical, real time, or predictive. They can be risk-focused, such as on control effectiveness, fraud and abuse, and regulatory noncompliance, or performance-focused, such as on increased sales or decreased costs.


Key sources of data for analysis include the organization's enterprise applications and databases--such as financial, human resources, customer relationship management (CRM), and purchasing systems--and external data warehouses. "Our audit team has a quick view into outlier transactions," says Aneta Youngblood, IT audit director at Caterpillar Inc. in Peoria, Ill., "and we can focus on understanding them as part of the audit." But many internal audit leaders have difficulty securing that data or running it through their internal systems, such as when different business units run on disparate IT solutions instead of a common enterprise resource planning system, she adds. "We found that partnering with business units we audit helps with obtaining the data as well as building out their existing business analytics capabilities."

Another challenge is getting data for ad hoc tests, considering the...

To continue reading