WIXLIB

Risk Governance and Control: Financial Markets & Institutions/ Volume 7, Issue 4, Fall 2017, Continued - 2business landscape that is characterised bysignificantly increasing volumes of data, and thebanking industry is probably leading the way (PwC,2014:2; PwC, 2015:17). These rising expectationshave already been officially recognised by the IIA intheir global report, The pulse of the profession Enhancing value through collaboration: A call toaction (IIA, 2014:1). Perversely, perhaps, the IIA’sResearch Foundation (2015a:7), in their 2015 (CBOK)report on Staying a step ahead: Internal audit’s useof technology, indicated that globally the use and/oradoption of technology-based tools by internal auditfunctions is still at a relatively low level.Given the extremely large number oftransactions processed in a bank, and the risksinvolved, the achievement of broader audit coveragewith regard to a bank’s risk universe shouldrealistically be possible, but only with the adoptionand optimal use of GAS. In addition, GAS enables theinternal auditor to test an entire population,compared to the traditional sampling approach, withits additional risk of not always being representativeof the audit population. In comparison, fullpopulation testing should increase the level ofreliance that can be placed on the auditor’s opinionrelative to the reliability of the result when only aportion of the population was subject to the internalauditor’s assessment. Although the benefits of usingGAS in the execution of internal audits are wellknown, there are varying levels of maturity (theextent and effectiveness of use) in the use of thesetools by different internal audit functions. Thisarticle (see section 2 for a detailed discussion of theresearch objective and methodology) explores theextent and effectiveness of the use of GAS as ameans of gathering audit evidence for the evaluationof the effectiveness of a bank’s risk management,governance and internal controls. A number ofmaturity assessment frameworks have beendeveloped to measure the extent and effectivenessof the use of data analytics in a number ofindustries. Internal audit’s maturity in the use ofGAS can be assessed according to these dataanalytics maturity frameworks. This article howevermakes use of an analysis of the followingframeworks and scales to serve as a specificbenchmark for the assessment of the current levelsof maturity of use of GAS by internal audit functionsin the locally controlled South African bankingindustry: The Audit Command Language’s (ACL) auditanalytic capability “maturity” model (ACL, 2013:4); Deloitte’s maturity model for internal auditanalytics (Deloitte, 2013:5); EY’s internal audit analytics maturity model(Ernst & Young, 2014:4); PwC’s data analytics maturity scale (PwC,2013:2); KPMG’s data analytics maturity assessment(KPMG, 2013:5); IIA’s data analytics maturity model framework(IIA, 2016b:40) and IIA’s data analysis usage maturity levels (IIA,2011:21).The research findings in this article form partof the results of an extensive study done by Smidt(2016), on the use of GAS by internal audit functionsin the South African banking industry, performed infulfilment of a PhD degree in Auditing. This articlehighlights the research findings with regard to thematurity of the use of GAS by internal auditfunctions in the South African banking industry andis the first in a series of two articles. The secondarticle will highlight the different uses of GAS as adata analytics tool by the internal audit functions inthe South African banking industry.In the next section the research objective andmethodology is discussed, and this is followed by aliterature review, empirical findings and aconclusion.2. RESEARCH OBJECTIVE AND METHODOLOGYGiven the already elevated and increasing volumesof data and transactions that form part of the dayto-day business activities of a bank, and the highlevels of personal and professional risk faced by abank’s board of directors, management and itsinternal auditors, this article will be guided by thefollowing research objective:To measure the existing practices of internalaudit functions in the locally controlled South Africanbanking industry regarding the use of GAS, against abenchmark developed from recognised data analyticmaturity models, in order to assess the currentmaturity levels of the locally controlled South Africanbanks in the use of this software for tests of controls.The primary method of data collection used inthis article was by means of a structuredquestionnaire (quantitative method), which was thenfollowed up with a semi-structured telephonicinterview, but only in cases where further clarity wassought from the respondents (qualitative method).The quantitative data, for the purposes of thisarticle, was analysed through the use of descriptivestatistics. The structured questionnaire (refer toSmidt (2016:306) also gathered additional qualitativedata through the use of a limited number of openended questions. The qualitative data providedadditional insight regarding the current frequency ofuse (i.e., level of maturity) in the use of GAS, thesecond article in this series provides insight into thereasons for including GAS in their respective auditmethodologies.The locally controlled banking populationconsists of 10 banks, all of which have local in-houseinternal audit functions, and are permitted toconduct the business of a bank in South Africa(Reserve Bank, n.d.). The research populationtherefore consisted of Chief Audit Executives (CAEs)of in-house internal audit functions from the ten(10) locally controlled banks that were at that stage(2016) registered with the South African CentralBank (Reserve Bank), and that were thus permittedto conduct the business of a bank in South Africa (alist of these 10 locally controlled banks is includedin Annexure A). The locally controlled banks werespecifically selected as their internal auditmethodologies and procedures have been developedand maintained by their respective South Africanhead office internal audit functions, in compliancewith South African legislation. Internal auditmethodologies used in the locally operating foreignbanks have been developed and are maintained atthe banks’ international head offices, and weretherefore excluded from this research because of thediversity of jurisdictions and legislation governingthese functions.191

Risk Governance and Control: Financial Markets & Institutions/ Volume 7, Issue 4, Fall 2017, Continued - 2The total number of questionnaires returnedwas nine from the ten banks. The questionnaireswere followed up by a semi-structured interviewwith the nine participating CAEs (but only in caseswhere further clarity was sought from therespondents).3. LITERATURE REVIEW3.1. A brief overview of the impact of informationtechnology and big data on collecting audit evidencePaperless business environments are the norm, aninternal audit functions have to adapt in order todeliver on their mandates. A comparison betweenthe traditional (paper-based) audit evidence andelectronic audit evidence revealed that thetraditional means of collecting audit evidence fortests of controls purposes will, in a paperlessenvironment now be inappropriate and impracticalto apply, especially in the present-day businessenvironment which is dominated by “big data” (alsorefer to section 1) (Williamson, 1997:69; Shaikh,2005:409; Caster & Verardo, 2007:69; Coderre,2009:4; Josiah & Izedonmi, 2013:2; Brown-Liburd &Vasarhelyi, 2015:6; IIA, 2016b:6; Singh & Best,2016:35). It should be noted however, that theoverall objectives of the internal audit function (toprovide independent assurance over the adequacyand effectiveness of a company’s risk management,control and governance processes) to a large extentremains unchanged (Madani, 2009:514; IIA, 2016b:8).The rapid evolvement of data (electronic evidence)and the development of software tools andtechniques to enable analysis of that data has had asignificant impact on “how” the internal auditfunction goes about obtaining audit evidence inorder to still deliver in terms of its statement ofresponsibilities (IIA, 2016b:8).3.2. Technology tools and techniques use by internalaudit functionsThe advances in the use of technology inorganisations’ business processes (as was mentionedin section 1 above) over the last few decades has putinternal audit functions under pressure to adapt tothis “new” business environment, which ispredominantly driven by technology. An additionalpressure on the internal audit function is the risingexpectations of its key stakeholders requiring anincrease in audit coverage in an effective andefficient manner (IIA, 2014:1; PwC, 2014:2; PwC,2015:17; Tusek, 2015:188). For this reason, theinternal audit function has had to find innovativeresponses to these “pressures” so as to continue todeliver on its mandate (refer to section 1). Theupskilling of internal audit functions and theimplementation of technology-based tools wasprobably one of the most significant responses tothese “pressures” (Motubatse, van Staden, Steyn &Erasmus,2015:269).Business’adoptionoftechnology necessitated the adoption of technologybased tools and techniques by internal auditfunctions (IIA, 2011:2; Olasanmi, 2013:68; Mahzan &Lymer, 2014:328).The increased pressure on the internal auditfunction to adopt and/or use technology-based toolsis given added impetus by the Standards (Standard1220.A2, Due Professional Care) and by currentlyrecognised best practice guidance for internal auditfunctions, as stipulated in the King III Report. KingIII requires the internal audit function to adopt andimplement tools and techniques in order to stayabreast of the ever evolving organisationallandscape, and especially with regard to anorganisation’s risk and assurance needs (IOD,2009:98; IIA, 2016c:7). In the IIA’s ResearchFoundation’s (2015a:5), in their 2015 (CBOK) reportentitled Staying a step ahead: Internal audit’s use oftechnology, it appears that the adoption andimplementation of technology-based tools byinternal audit functions is increasing, but that thereis still room for improvement.It is worth noting how the usage of some ofthese technology-based tools has changed over the10 year period since the IIA’s 2006 CBOK study wasconducted. For comparison purposes the five mostfrequently used technology-based tools identifiedduring the 2006 CBOK study are compared with theequivalent 2015 usages in Table 1 below.Table 1. Increase in internal audit’s use of technology-based toolsTechnology-based toolemployed by internalauditContinuous/real-timeauditingComputer assistedaudit technique (caat)A software tool for dataminingFlowchart or processmapping softwareElectronic work papers(Source: IIA, 2015a:9)Cbok 2006 percentageusage (indicates themoderate to extensiveuse as indicated by theresearch participants)Cbok 2015 percentageusage(indicates the moderate toextensive use as indicated bythe research participants)PERCENTAGE CHANGEBETWEEN THE CBOK2006 AND CBOK 2015STUDIES37%44%Increase of 7%52%48%Decrease of 4%39%53%Increase of 14%43%52%Increase of 9%65%72%Increase of 7%The results presented in Table 1.1 aboveindicate that there has been an overall increase inthe use of the most popular technology-based toolsover the past 10 years, with the exception of CAATs.This upward trend in the use and implementation oftechnology-based tools may possibly be anindication that the internal audit function (globally)is actively and positively responding to thepressures it has been under to ensure that itsauditing approaches remain relevant and keep pace192

Risk Governance and Control: Financial Markets & Institutions/ Volume 7, Issue 4, Fall 2017, Continued - 2with the evolvement of technology. A decline of 4%was however noted in the usage of CAATs as atechnology-based tool. The reason behind thisdecline is unclear, but could possibly be linked to aninterpretation issue with regard to the broaddefinition of what CAATs entail (this was suggestedin the IIA’s 2015 CBOK study). In spite of thisdecline, increasing the use of CAATs still remains atop priority for internal audit functions. Smidt(2014:152), in his study on the use of sampling byinternal audit functions in the South African bankingindustry, found that 90% of respondents indicatedthat the use of CAATs (specifically GAS) could be“utilised more frequently” within their respectivedepartments. This relatively low use of technologyenabled tools was also further accentuated by theIIA’s Research Foundation (2016a:6), in their 2016(CBOK) report on Regional Reflections: Africa, where57% of respondents from South Africa indicated thattheir internal audit functions only utilise technology“to some extent”, or rely solely on manualinterventions in the execution of their duties.Another study conducted by Protiviti (2015a:19) inthe USA – From Cybersecurity to Collaboration:Assessing Top priorities for internal audit functions confirmed that improving the adoption rate ofCAATs remains a top priority for internal auditfunctions in order to improve the function’s skillsetin technology-enabled tools and techniques.Although a number of different technologybased tools are available for internal audit functions’use (as was highlighted in Table 1.1), these will notform part of the scope of this article. The mostpopular and frequently used CAAT by internal auditfunctions is GAS (Kim, Mannino & Nieschwietz,2009:215; Lin & Wang, 2011:777; Mahzan & Lymer,2014:328). It is therefore the intended purpose ofthis article to assess the use of GAS as a technologybased audit tool (as mentioned in sections 1 and 2).3.3. Data analytics maturity frameworks for internalaudit functionsData analytics enable internal auditors to provide“hindsight, insight and foresight”. All three of thesetogether can be referred to as the internal auditfunction’s “line of sight” (ACL, 2013:3). This “line ofsight” enables internal auditors to providemeaningful feedback to their various l(hindsight), current (insight into the current controlenvironment) and future (foresight) (IIA, 2011:6;ACL, 2013:3; Deloitte, 2013:3; KPMG, 2013:2; PwC,2013:4; Coderre, 2015:39; Deloitte, 2016:2). To put itdifferently, the primary or basic forms of dataanalytics are focused on answering questions suchas: “what happened?” or “why did it happen?” Inother words, it is focused on providing feedbackfrom historical and at best, current perspectives.These types of analytics are known as descriptiveand diagnostic analytics (Deloitte, 2013:3; IIA,2016b:14). They are useful to improve the efficiencyof organisational processes and can also informstrategic decisions. More advanced analytics can beused to answer questions such as: “what mighthappen?” or, “what is the best/worst that couldhappen?” These types of analytics are known aspredictive and prescriptive analytics, which providea view of potential situations that could requirefuture action, such as updating the state of thecontrol environment to address a potentialmaterialising risk (IIA, 2016b:14). From an internalaudit perspective, the predictive capability ofanalytics is paving the way for internal auditfunctions to conduct risk-focused annual auditplanning, and also to focus audit efforts on high riskareas that warrant emphasis (Deloitte, 2013:3).In order to advance from simply providingbasic descriptive and diagnostic data analytics tomore complex data analytics (where predictive andprescriptive analytics are performed) requires aninternal audit function to evolve through thedifferent levels of maturity on the data analyticsmaturity continuum. It should be obvious that, aswith all new techniques and technologies, there aredifferent levels of maturity in the adoption and useof data analytics by internal audit functions. Areview of internal audit literature revealed sevendata analytics maturity frameworks (as mentioned insection 1), and these formed the basis for thedevelopment of the research instrument used in thisarticle.Goksen, Cevik and Huseyin (2015:209) statethat: “Maturity models are based on the premises thatpeople, organizations, functional areas, processes,etc., evolve through a process of development orgrowth in the direction of a more advanced maturity,going through a distinct number of levels [ownemphasis]”. It is clear that a maturity model orframework consists of specific levels, each withunique characteristics and that a form of growth orevolvement has to take place in order to advance toa more “mature” level. Each of the data analyticsmaturity frameworks mentioned above proposes adifferent set of levels of maturity and identifies thecharacteristics associated with each level of maturitywhen employing data analytics.To advance from one level of maturity to thenext requires an internal audit function to illustrategrowth or improvement with regard to their currentcapabilities in the use of data analytics for tests ofcontrols purposes. Functions demonstrating themost basic level of implementation (depicted as level0 and/or level 1) (also refer to section 4), only makelimited use of data analytics and perform basic dataanalytics procedures: in other words, they onlymanage to provide descriptive and diagnosticanalytics. By way of contrast, internal auditfunctions that have transitioned to a more maturestate and are illustrating capabilities to perform atlevels 4 and 5, have reached the levels wherecontinuous auditing and continuous monitoring canbe performed (also refer to section 3.4 for a briefdiscussion on continuous auditing and continuousmonitoring) where they can provide predictive andprescriptive analytics.It should however be borne in mind that thesuccessful employment of data analytics is not onlyreliant on the technological aspect (such as thespecific audit software tool used to performanalytics). Equally important to ensuring the successof a data analytics initiative are the aspects ofmanaging the people and the processes (ACL,2013:6; Deloitte, 2013:5; KPMG, 2013:11; PwC,2013:7; Coderre, 2015:40; IIA, 2016b:49). It couldhappen that a specific internal audit function is on ahigher level of maturity with regard to thetechnology it has at its disposal than it is on when193

Risk Governance and Control: Financial Markets & Institutions/ Volume 7, Issue 4, Fall 2017, Continued - 2assessing the level of maturity of the people aspect(i.e., do we have the necessary skills available toensure the data analytics initiative will besuccessful?). It is therefore important that thesethree components (people, process and technology)be assessed in conjunction in order to provide anoverall assessment of the level of maturity displayedin the use of data analytics by an internal auditfunction. Such an approach to measuring the level ofmaturity could provide CAEs with valuableinformation with regard to identifying the specificareas in need of improvement (people, processesand/or technology) which is prerequisite toadvancing the entire internal audit function to thenext level of maturity (IIA, ingmatterssuch as: thetrainingrequirements of the internal audit staff on the use ofGAS and conductin

automated audit tool, such as generalised audit software (GAS), test data generators, computerised audit programs, specialised audit utilities, and computer-assisted audit techniques (CAATs)" (IIA, 2016c:24). The most popular and frequently used of these technology-based tools is GAS (Braun & Davis,