Data Analytics as an Audit Tool

Data analytics is defined as the process of inspecting, cleaning, transforming, and modeling data with the goal of highlighting useful information, suggesting conclusions, and supporting decision making.

Common uses of data analytics:

  • Customer resource management (CRM) – Analytics can help companies monitor and understand customer actions and create more targeted advertising and services.
  • Business intelligence – Business analytics can be used to provide current and historical views of business operations as well as predictions about future operations. For example, analytics can be used to search through large volumes of business data, such as sales data, and identify faster-moving products. Businesses may then make decisions based on the data.
  • Fraud detection and analysis – Analytics can be used to search through data in financial systems of record, such as accounts payable systems, for questionable transactions that could be fraudulent.

Data analytics for IT auditing

Data analysis can also be used as an effective auditing tool. In the past, auditors have used sampling methods to test a portion of a population and extrapolate the results of the sample over the whole population. Data analytics can be used to test full populations without the need to extrapolate sampling results. Rather than selecting 25 or even 50 samples from a population of 10,000 records, data analytics allows an auditor to test all 10,000 records and provide an exact percentage of the identified errors rather than extrapolating an expected number of errors over the population being tested.

Examples of IT audit analytics

  • Test physical and logical access logs against approved access lists to ensure that no unauthorized individuals accessed physical locations or systems.
  • Check physical and logical access lists against terminated and current employee listings to identify unauthorized users.
  • Identify new hires or employee transfers that have received access to specific systems or specific roles within systems (e.g., write access), so that every sample picked for testing is valid, rather than sampling a new hire or transfer who may not have received elevated access to the specific system being audited.
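
The first two tests above, run over a full population instead of a sample, as an added example that is not part of the original article. The CSV layouts, column names, employee IDs and function names are assumptions made up for illustration; real exports from an HR system or access log will differ.

```python
import csv, io
# Constructed sample data: HR roster, approved access list, access log.
HR_ROSTER = """employee_id,status,termination_date
E100,active,
E101,active,
E102,terminated,2024-03-15
E103,active,
"""
APPROVED_ACCESS = """employee_id,system
E100,payroll
E101,payroll
E102,payroll
"""
ACCESS_LOG = """event_date,employee_id,system
2024-03-10,E100,payroll
2024-03-12,E102,payroll
2024-03-20,E102,payroll
2024-03-21,E103,payroll
2024-03-22,E101,payroll
2024-03-23,E999,payroll
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def stale_entitlements(approved, roster):
    """Approved-list entries held by terminated or unknown employees."""
    status = {r["employee_id"]: r["status"] for r in roster}
    return [(a["employee_id"], a["system"]) for a in approved
            if status.get(a["employee_id"]) != "active"]

def log_exceptions(log, approved, roster):
    """Test every log record; return (exceptions, exception_rate)."""
    allowed = {(a["employee_id"], a["system"]) for a in approved}
    hr = {r["employee_id"]: r for r in roster}
    found = []
    for e in log:
        emp, day = e["employee_id"], e["event_date"]
        if emp not in hr:
            reason = "not in HR roster"
        # ISO dates compare correctly as strings; access on the
        # termination date itself is allowed (a policy assumption).
        elif hr[emp]["termination_date"] and day > hr[emp]["termination_date"]:
            reason = "access after termination"
        elif (emp, e["system"]) not in allowed:
            reason = "not on approved list"
        else:
            continue
        found.append((day, emp, e["system"], reason))
    return found, (len(found) / len(log) if log else 0.0)
```

Because every log record is tested, the returned rate is the exact exception percentage for the population, and each exception row carries the reason an auditor would follow up on.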