TIAPS ALB_Module 2E. Data Analytics for Internal Auditing

2E. Data Analytics for Internal Auditing
2E Learning Outcomes
On completion of this section, students will be better able to:
• Describe tools and methods used in data analytics.
• Select appropriate data analytics techniques.
2E.1 Data Analytics and Internal Auditing
IIA Internal Audit Competency Framework: Information Technology
General Awareness: Describe the basic concepts of IT and data analytics. Describe the
various risks related to IT, information security, and data privacy. Recognize the purpose and
applications of IT control frameworks and basic IT controls.
Applied Knowledge: Apply data analytics and IT in auditing. Identify and assess various risks
related to IT, information security, and data privacy. Apply IT control frameworks.
Expert: Evaluate the use of data analytics and IT in auditing. Recommend actions to address
IT risks, information security, and data privacy. Evaluate the use of IT control frameworks. 62
The opportunity to access and analyze large amounts of data has been considerably
enhanced through technology. This is true for organizational managers as well as the
internal audit function. There are many potential benefits, including:
• Improving risk identification, analysis, and control.
• Increasing the level of assurance auditors can provide.
• Enhancing efficiency.
• Providing clearer reporting.
• Delivering greater internal audit quality. 63
The ability to be agile and responsive in the face of an ever-changing risk landscape
requires the application of sophisticated tools. Often when we refer to data analytics we
consider a broad-range of tools and methods that are automated and intelligent. However,
many analytical processes and data visualizations can be performed manually (with a
calculator or basic spreadsheet functions), albeit with a high degree of human input. Such
techniques and tools can be taken together or used in isolation. The role of the human
internal auditor is still essential to provide insight, creativity, and judgment. The technology
opens previously unimaginable opportunities. This includes:
• Accessing, recording, and analyzing large amounts of data very quickly.
• Combining internal and external data sets.
• Benchmarking performance.
• Identifying and reporting unusual transactions, irregularities, and anomalies in real
time through continuous monitoring and continuous auditing.
• Anticipating issues and addressing them before they occur.
62
Internal Audit Competency Framework, The IIA, 2022.
63
See Wolters Kluwer “Five benefits of data analytics for internal audit.”
70

The purpose remains to identify weaknesses in risk management and control and to
implement improvements. Like any tool, their utilization is dependent on the intelligence and
creativity of the user. Application of technology does not guarantee better outcomes. Poorly
used tools that are not well understood by the auditor may produce confusing, misleading, or
inaccurate findings.
2E.1: Reflection
To what extent does your internal audit unit use data analytics as part of its work?
What expectations do your clients and stakeholders have regarding the use of data
analytics?
What is the greatest barrier to greater use of data analytics?
71

2E.2 Data Analytics Methods
Analytical methods can be grouped according to their main purpose.
• Descriptive methods are designed to report activity and often includes aggregating
and summarizing large amounts of data using averaging and other techniques for
making comparisons.
• Diagnostic methods are used to interpret information and identify likely causal
relationships and trends.
• Predictive methods are used to make forecasts by extrapolating known data and
creating models based on trends and known interdependencies and correlations.
• Prescriptive methods go one step further than predictive methods and suggest
actions to optimize future performance.
Prior to applying any analytical technique it will be important to validate the data and apply
data hygiene techniques, removing duplicates and inconsistencies. Unstructured data (like
emails, social media posts, contracts, and recordings of phone calls) must be organized and
structured before it is possible to process it. The analysis can only be as good as the data
you start with. Common types of data validation checks include:
• Data type check, confirming the entry of data in a data field is consistent.
• Code check, confirming data conforms to valid values according to set rules.
• Range check, confirming data falls within any set parameters.
• Format check, confirming data consistently matches defined formats.
• Consistency check, confirming logical consistency that matches the process or
activity recorded.
• Uniqueness check, confirming identifiers such as IDs or emails are unique. 64
The following analytical methods are described below and may be utilized manually or by
applying technological tools:
• Variance Analysis.
• Trend Analysis.
• Reasonableness Testing.
• Ratio Estimation.
• Benchmarking.
Many other methods (e.g., decision trees, time series, fuzzy logic) are also available.
2E.2.1 Variance Analysis
Variance analysis involves comparing two similar sets of data and attempting to find reasons
for any differences. Typically the comparison is between actual outcomes and one or more
of the following:
• Expected or desired outcomes.
• Predicted or forecast outcomes.
• Budgeted outcomes.
• Historical outcomes.
• Comparable benchmarks.
64
See Data Validation, Corporate Finance Institute, 2023.
72

This can help managers identify and react to problems or opportunities. Some causes of
variances are purely random and can be eliminated. The comparison of two sets of data can
help determine the extent to which they are correlated.
Variance analysis is discussed further in Module 3.
2E.2.2 Trend Analysis
Trends are changes (or variances) in data over time. The changes observed may be:
• Random, to be identified and eliminated or ignored.
• Cyclical, recurring over short cycles, such as higher demands for customer services
at certain times of the day or week.
• Seasonal, recurring over longer cycles, such as peaks and troughs in sales of ice
cream over a year.
• Underlying trends, being the true long-term pattern, often over multiple years, having
isolated random, cyclical, and seasonal factors. Often underlying trends are most
apparent when we can compare data from the some point in a cycle, season, or year
over multiple cycles, seasons, or years.
2E.2.3 Reasonableness Testing
Reasonableness testing is another form of variance or trend analysis in which reported or
apparent performance is compared with what might reasonably have been expected, once
the forecast is adjusted to take account of everything that is known. Variances may highlight
errors or deliberate misstatements. When there seems to be no reasonable explanation,
when things look too good or too bad to be true, then it deserves further investigation.
2E.2.4 Ratio Estimation
Findings based on a sample of data can be extrapolated to make assumptions about the
remaining data or used as the basis for forecasting. Larger samples help reduce the
likelihood of bias but there is no guarantee the sample is representative of the whole
population. Statistical modeling is used to calculate the degree of confidence in the analysis.
2E.2.5 Benchmarking
Comparing actual performance with benchmarking data can help identify errors,
weaknesses, and opportunities for improvement to align more closely with best practice.
2E.2: Reflection
Consider these commonly used methods for analysis of data:
Variance analysis
Trend analysis
Reasonable testing
Ratio estimation
Benchmarking
Which of these do you commonly use?
Which of these do you feel you need more help in developing your competency?
73

2E.3 Data Analytics Tools
To help with the heavy lifting, auditors can take advantage of a wide array of technological
solutions all of which are being used increasingly in service delivery, marketing, sales,
human resources, finance, budgeting, and accounting. There are audit specific applications
– both customized and off-the-shelf – for:
• Smart apps.
• Utilization of big data.
• Artificial intelligence.
• Machine learning.
• Natural Language Processing NLP.
• Robotic process automation.
• Drones.
• Artificial reality.
Many proprietary tools are available. Vendors often provide consultation, technical support,
and training to aid the adoption of solutions. Comparison websites are useful to help identify
suitable options depending on organizational need and available resources. 65
For the internal audit function, such enablers may be used to support the following:
• Remote auditing, using drones, artificial reality, robots, teleconferencing, and other
similar tools.
• Automated audit management, using audit software for planning, communication,
storage and access, reporting, supervision, monitoring, and open issue tracking.
• Advanced data analytics, using number-crunching, machine learning, artificial
intelligence, and data visualization tools.
• Internal cooperation and collaboration with other functions, especially assurance
providers, through alignment with governance, risk management, and internal control
platforms.
• Significant reduction of manual and repetitive tasks and unnecessary duplication of
data sets through robot process automation and reconciliation.
• Continuous auditing through artificial intelligence.
Artificial intelligence (AI) is a “hot topic” which much discussion about apps such as Chat
GPT which may revolutionize many activities. It is not possible to predict exactly how AI will
impact internal auditing but it is clear it creates new opportunities. Manual tasks such as data
extraction can be automated much more quickly and without errors. Rather than relying on a
sample, AI can perform analytics on complete population sets and in real time to identify
trends, anomalies, errors, and potential fraud. AI can also anticipate new and emerging risks
through rigorous interrogation of historical and recent data.
Internal audit functions are often criticized for being slow to adopt technology in comparison
with other functions. A recent article recounted the excuses commonly given by auditors:
• Don’t have the budget.
• Don’t have the time.
• Don’t have the right people.
65
See for example, The Best Data Analytics Tools & Software of 2023, Forbes, 2023.
74

• Don’t have the right leadership.
• Don’t have proper support.
• Don’t have the right knowledge on the team.
• Inertia and complacency. 66
What can internal audit do about these obstacles? A lack of the right people and sufficient
budget can be significant inhibitors which is why it is necessary to persuade senior
management and the governing body. Internal audit managers should develop a robust
strategic plan aligned with organizational priorities and based on a clear vision of an
advanced, agile, and responsive function in which utilization of technology plays a central
role. The mission of helping management and the board make timely interventions to
support organizational success is the justification needed for investing in internal audit digital
transformation. To attract the best talent and to deliver the maximum value requires audit
functions to be leaders of innovation. It can be easy to be complacent about the current state
and essential to break that mindset in favor of continuous positive momentum, even if taken
incrementally. Audit leaders can start small and build on success. Senior management and
the governing body may not be pressing the audit function to change but it should be part of
every auditor’s DNA to strive for continual improvement. Sometimes an external quality
review can help provide added weight to the case for investment in technology. As the
advocate for continuous improvement, audit managers need to implement processes for
identifying and evaluating opportunities for improving the delivery of service excellence.
In addition to the use the internal audit function may make of artificial intelligence and other
technological innovations, they also represent potential opportunities and threats for other
parts of an organization. Internal auditors need to be well informed to be able to offer
meaningful assurance, insight, and advice. The IIA has produced a three part series to help
internal auditors. 67 The guidance references four different kinds of AI:
Type I. Reactive machines: This is AI at its simplest. Reactive machines respond to
the same situation in exactly the same way, every time. An example of this is a
machine that can beat world-class chess players because it has been programmed
to recognize the chess pieces, know how each moves, and can predict the next
move of both players.
Type II. Limited memory: Limited memory AI machines can look to the past, but the
memories are not saved. Limited memory machines cannot build memories or “learn”
from past experiences. An example is a self-driving vehicle that can decide to change
lanes because a moment ago it noted an obstacle in its path.
Type III. Theory of mind: Theory of mind refers to the idea that a machine could
recognize that others it interacts with have thoughts, feelings, and expectations. A
machine embedded with Type III AI would be able to understand others’ thoughts,
feelings, and expectations, and be able to adjust its own behavior accordingly.
Type IV. Self-awareness: A machine embedded with Type IV AI would be selfaware.
An extension of “theory of mind,” a conscious or self-aware machine would be
66
Garyn, Hal, “Why Is Internal Audit Often A Tech Laggard?” Internal Audit 360, 2022.
67
Global Perspectives & Insights, The IIA, various.
75

aware of itself, know about its internal states, and be able to predict the feelings of
others. 68
The guidance also highlights potential opportunities and threats.
Opportunities
• The ability to compress the data processing cycle.
• The ability to reduce errors by replacing human actions with perfectly repeatable
machine actions.
• The ability to replace time-intensive activities with time-efficient activities (process
automation), reducing labor time and costs.
• The ability to have robots or drones replace humans in potentially dangerous
situations.
• The ability to make better predictions, for everything from predicting sales of certain
goods in particular markets to predicting epidemics and natural catastrophes.
• The ability to drive revenue and grow market share through AI initiatives.
Threats
• Unidentified human biases are imbedded in the AI technology.
• Human logic errors are imbedded in the AI technology.
• Inadequate testing and oversight of AI results in ethically questionable results.
• AI products and services cause harm, resulting in financial and/or reputational
damage.
• Customers or other stakeholders do not accept or adopt the organization’s AI
initiatives.
• The organization is left behind by competitors if it does not invest in AI.
• Investment in AI (infrastructure, research and development, and talent acquisition)
does not yield an acceptable ROI. 69
Which of these apply to your situation?
2E.3: Reflection
Don’t have the budget.
Don’t have the time.
Don’t have the right people.
Don’t have the right leadership.
Don’t have proper support.
Don’t have the right knowledge on the team.
Inertia and complacency (we don’t need to do more – clients and stakeholders are happy).
68
Artificial Intelligence, Internal Audit’s Role, and Introducing a New Framework Part 1, The IIA, 2017.
69
Artificial Intelligence, Internal Audit’s Role, and Introducing a New Framework Part 1, The IIA, 2017.
76

2E.4 Data Visualization
Auditors gather data from many sources and in different ways. Examples include:
• Interviewing people or conducting focus groups within or outside of the areas being
audited.
• Using questionnaires or checklists to collect information, including observations and
opinions from people who work in or deal with the business area being audited.
• Observing the workings within a business area over a period of time to spot issues or
inconsistencies.
• Vertical auditing, in which the auditor monitors one process from beginning to end to
identify any issues.
• Documenting formal practices and procedures within a business area.
• Accessing informal documentation that may provide insights into ad hoc processes
and procedures. 70
Data must be validated by:
• Evaluating whether the data has come from a reliable source and makes sense in
context with the auditors’ overall understanding of the business area.
• Considering how many sources the data are derived from, as well as how long they
took to obtain, to determine if these factors raise risks to data integrity. 71
Data visualization can be defined as
the practice of translating information into a visual context, such as a map or graph, to
make data easier for the human brain to understand and pull insights from. The main
goal of data visualization is to make it easier to identify patterns, trends and outliers in
large data sets. The term is often used interchangeably with others, including information
graphics, information visualization and statistical graphics. 72
Software makes it easy to create appealing graphics to communicate key information
succinctly and powerfully. It can also be a temptation for overelaborate and complex pictures
that obscure more than they reveal. Choice of colors, 3-D effects, font size, animation, and
other graphical elements combined with decisions regarding what data to include and to
what level of detail create challenges for an auditor completing a report or preparing a
presentation. 73 Auditors should be familiar with the best way to use pie charts, bar charts,
and so on. Some common techniques are described below, based on a Harvard Business
School list. 74
70
Data Analytics Part 2: Gathering, Understanding, and Visualizing Data, The IIA, 2022.
71
Data Analytics Part 2: Gathering, Understanding, and Visualizing Data, The IIA, 2022.
72
Data Visualization, TechTarget, Business Analytics, 2022.
73
Examples of data visualization tools can be found at The Best Data Visualization Tools of 2023, Forbes, 2023.
74
See Harvard Business School online, https://online.hbs.edu/blog/post/data-visualization-techniques
77

Technique and Description
A pie chart is a segmented circle depicting relative
proportions of categories. Used for. An exploded pie
chart highlights a segment or segments of particular
relevance.
A bar graph compare multiple categories of data.
Variants include vertical, horizontal, segmented,
and others.
A histogram looks similar to a bar chart, but it
illustrates how a variable changes.
A Gantt chart organizes events in relation to each
other to show their relative timing, how they are
linked, and their current status.
A heat map organizes data with different colors
(often using a spectrum from cold to hot) to indicate
relative size and significance.
A box and whisker diagram illustrates frequency
and marks the upper and lower quartiles in the form
of a box and the median as a line inside the box.
The “whiskers” show the range from the highest and
lowest values.
A waterfall chart shows a stepwise progress of a
variable in relation to another factor.
An area chart is a line graph under which the areas
are shaded.
A scatter plot illustrates the relationship between
two variables.
A pictogram uses a relevant icon or picture to show
relative size or changes in a variable. The picture
may be repeated or scaled in proportion.
A timeline depicts related information arranged in
chronological order.
A highlight table deploys colors within a data grid
to show areas of significance.
A bullet graph variation of a simple bar graph to
show live data variances with benchmarks, targets,
or expected values.
A choropleth map is a shaded geographical map.
A word cloud is an array of words using font size to
show relative frequency.
A network diagram comprises nodes and links that
illustrate connections between different points.
A correlation matrix uses colors to emphasize
emphasis and appeal.
Usefulness
Useful for conveying simple messages
about comparative weightings
Useful for quick comparison of size.
Useful for illustrating changes over
time or in relation to another variable.
Useful for project management.
Among other applications, heat maps
are often used to show risk data.
Useful for communicating frequency
data and its relative spread.
Useful for communicating significant
moments of change in values.
Provides a visual cue of relative
proportions.
Useful for a quick visual determination
if there is a direct, indirect, or negligible
relationship between two variables.
Useful for a quick and impactful
illustration of relative proportions.
Useful for illustrating developments
over time.
Useful for communicating such
features about the data as
highest/lowest, trends, anomalies, etc.
Useful for showing current activity in
comparison with desired outcomes and
for creating dashboards.
Useful for depicting regional variations.
Useful for showing the most frequently
occurring topics or words from
unstructured information.
Useful for identifying relationships
among individuals, teams,
organizations, geographical locations,
centers of activity, and more
Useful for communicating correlation
coefficients easily.
78

The secrets to successful visualized reporting are:
• Using the appropriate technique to communicate what you are trying to show.
• Keeping it simple.
• Avoiding excessive use of colors, animation, special effects, etc.
• Including only what is relevant.
• Avoiding inclusion of every data point but be careful not to create misleading
graphics.
• Helping the intended audience focus on what is most important.
2E.4: Reflection
From recent internal and external reports you have seen, identify examples of good and bad
practice with respect to presenting data, and share these examples with your fellow
students.
What is it about the examples you have that make the data presentation effective or
ineffective?
Do you feel confident using graphics to represent data in your audit reports and
presentations?
Have you asked your clients whether they find your reports (especially tables and
graphics) clear and helpful?
What more can you do to improve the user-friendliness of data as presented in your
reports?
79

References and Additional Reading
7 Ways to Win the Internal Audit Budget Argument with your CFO, AuditBoard, 2019.
https://www.auditboard.com/blog/7-ways-to-win-the-budget-argument-with-your-cfo/
Artificial Intelligence, Internal Audit’s Role, and Introducing a New Framework Part 1
Becoming agile: A guide to elevating internal audit’s performance and value, Deloitte, 2017.
https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Finance/gx-fa-agileinternal-audit-introduction-elevating-performance.pdf
The Best Data Analytics Tools & Software 2023, Forbes, 2023.
https://www.forbes.com/advisor/business/software/best-data-analytics-tools/
The Best Data Visualization Tools of 2023, Forbes, 2023.
https://www.forbes.com/advisor/business/software/best-data-visualization-tools/Brown,
Brené, Dare To Lead: Brave Work, Tough Conversations, Whole Hearts, 2018.
Collins, Jim, Good To Great: Why Some Companies Make the Leap…And Others Don’t,
Harper Collins, 2001.
Computer Assisted Audit Techniques (CAATS): Definition, types, advantages and
disadvantages, Accounting Hub. https://www.accountinghub-online.com/computerassisted-audit-techniques/
COSO Internal Control – Integrated Framework, COSO, 2017.
COSO Enterprise Risk Management – Integrating with Strategy and Performance, COSO,
2017.
Data Validation, Corporate Finance Institute, 2023.
https://corporatefinanceinstitute.com/resources/data-science/data-validation/
Data Visualization, TechTarget, Business Analytics, 2022,
https://www.techtarget.com/searchbusinessanalytics/definition/data-visualization
Data Analytics Part 2: Gathering, Understanding, and Visualizing Data, The IIA, 2022.
https://www.theiia.org/globalassets/site/content/articles/global-knowledgebrief/2022/data-analytics-part-2-gathering-understanding-and-visualizing-data/dataanalytics-part-2--final.pd
Garyn, Hal, “Why Is Internal Audit Often A Tech Laggard?” Internal Audit 360, 2022.
https://internalaudit360.com/why-internal-audit-is-a-tech-laggard-and-how-to-fix-it/
Global Knowledge Brief: Audit Team Transformation, The IIA, 2019.
https://www.theiia.org/globalassets/site/content/articles/global-knowledgebrief/2019/april/audit-team-transformation/audit-team-transformation_iia_global_kb.pdf
Global Perspectives & Insights, From Conformance to Ambition: Applying the Internal Audit
Ambition Model, The IIA, 2020.
https://www.theiia.org/globalassets/documents/content/articles/gpi/2020/august/globalperspectives-and-insights---ambition-model_final-1.pdf
80

Global Risks Report 2023, World Economic Forum, 2023.
https://www3.weforum.org/docs/WEF_Global_Risks_Report_2023.pdf
Guidelines for Conducting a Quality Assessment (QA), Deutsches Institut für Interne
Revision e.V. (IIA–Germany), September 2007.
https://www.diir.de/fileadmin/fachwissen/standards/downloads/DIIR_Revisionsstandard_
Nr_3_englisch_V1.1.pdf
IIA Global Perspectives and Insights Artificial Intelligence three parts, The IIA, 2017-18.
IIA Competency Framework, The IIA, 2022.
https://www.theiia.org/globalassets/documents/standards/ia-competencyframework/2022-4103-sem-competency-framework-graphics-table_fnl.pdf
https://www.theiia.org/en/content/articles/global-perspectives-and-insights/2018/artificialintelligence-internal-audits-role-and-introducing-a-new-framework-part-1/
https://www.theiia.org/globalassets/documents/content/articles/gpi/2017/december/gpiartificial-intelligence-part-ii.pdf
https://www.theiia.org/en/content/articles/global-perspectives-and-insights/2018/artificialintelligence-part-iii/
IIA Position Paper: Staffing/Resourcing Considerations for Internal Audit Activity, The IIA,
2018. https://www.theiia.org/globalassets/documents/resources/staffing-considerationsfor-internal-audit-activity-may-2018/staffing-considerations-for-internal-audit-activity.pdf
The Institute of Internal Auditors’ Quality Assessment Manual for the Internal Audit Activity,
6th Edition. https://www.theiia.org/en/products/bookstore/quality-assessment-manual-forthe-internal-audit-activity-qa-manual/
Internal Audit Capability Model (IA-CM) for the Public Sector, The IIA, 2023.
https://www.theiia.org/en/promotions/bookstore/IA-CM/
Internal Audit’s Role in ESG Reporting, The IIA, 2021.
https://www.theiia.org/globalassets/documents/standards/implement-thestandards/2021/internal-audits-role-in-esg-reporting-independent-assurance-is-critical-toeffective-sustainability-reporting/white-paper-internal-audits-role-in-esg-reporting.pdf
International Professional Practices Framework, The IIA, 2016.
https://www.theiia.org/en/standards/international-professional-practicesframework/?gclid=CjwKCAiA0JKfBhBIEiwAPhZXDwsJCKbFTF34RJmKqKME7VhbLi9b0
s_GYUUIcz-ae9H7y8VAyBYe-RoCuH8QAvD_BwE
ISO 31000: Risk Management, ISO, 2018.
Landry, Lauren, “How to Delegate Effectively: 9 Tips For Managers,” Harvard Business
School, 2020. https://online.hbs.edu/blog/post/how-to-delegate-effectively
Lean Auditing (Part 1): Rethinking Internal Audit Using Lean Techniques to Enhance Value
and Improve Productivity, efficientlearning.com,
https://www.efficientlearning.com/blog/lean-auditing-part-one/
81

Lean Auditing (Part 2): Rethinking Internal Audit Using Lean Techniques to Enhance Value
and Improve Productivity, efficientlearning.com
https://www.efficientlearning.com/blog/lean-auditing-part-two/
Lean Auditing (Part 3): Rethinking Internal Audit Using Lean Techniques to Enhance Value
and Improve Productivity, efficientlearning.com
https://www.efficientlearning.com/blog/lean-auditing-part-three/
Local Management Guide: The Practice of Internal Controls, Office o the New York State
Comptroller, 2010. https://www.osc.state.ny.us/files/localgovernment/publications/pdf/the-practice-of-internal-controls.pdf
Mintzberg, Henry, Mintzberg on Management, Free Press, Simon & Schuster, Inc., 1989.
“One page audit report: maximizing efficiency, elevating impact,” AuditBoard, 2022.
https://www.auditboard.com/blog/one-page-audit-report-maximizing-efficiency-elevatingimpact/
Paterson, James, Lean Auditing: Driving Added Value and Efficiency in Internal Audit, Wiley,
2015.
“Planning for uncertainty: the rise of the flexible audit plan,” AuditBoard, 2022.
https://www.auditboard.com/blog/planning-for-uncertainty-the-rise-of-the-flexible-auditplan/
Practice Guide: Auditing Culture, The IIA, 2019.
https://www.theiia.org/globalassets/documents/content/articles/guidance/practiceguides/auditing-culture/pg-auditing-culture.pdf
Practice Guide: Auditing Third Party Risk Management, The IIA, 2018.
https://www.theiia.org/globalassets/documents/content/articles/guidance/practiceguides/auditing-third-party-risk-management/pg-auditing-third-party-riskmanagement.pdf
Practice Guide: Developing the Internal Audit Strategic Plan, The IIA, 2012.
https://www.theiia.org/globalassets/documents/content/articles/guidance/practiceguides/developing-the-internal-audit-strategic-plan/pg-developing-the-internal-auditstrategic-plan.pdf
The Agile Internal Audit Journey Series Part 1: Transforming Internal Audit To Add Greater
Value, BakerTilly, 2019. https://www.bakertilly.com/insights/the-agile-internal-auditjourney-series-part-i--transforming-internal-audit-to-add-greater-value
Practice Guide: Quality Assurance and Improvement Program, The IIA, 2012.
https://www.theiia.org/globalassets/documents/content/articles/guidance/practiceguides/quality-assurance-and-improvement-program/ippf-pg---quality-assurance-andimprovement-program.pdf
Risk Appetite: Critical to Success, COSO, 2020.
https://www.coso.org/Shared%20Documents/COSO-Guidance-Risk-Appetite-Critical-to-
Success.pdf
82

Risk Assessment in Practice, COSO, 2012.
https://www.coso.org/Shared%20Documents/COSO-ERM-Risk-Assessment-in-Practice-
Thought-Paper-October-2012.pdf
Risk in focus 2023: more risky, uncertain, and volatile times ahead, ECIIA, 2023.
https://www.eciia.eu/2022/09/risk-in-focus-2023-more-risky-uncertain-and-volatile-timesahead/
Wolters Kluwer “Five benefits of data analytics for internal audit.”
https://www.wolterskluwer.com/en/expert-insights/5-benefits-of-da ta-analytics-forinternal-audit
83

CIPFA: 77 Mansell Street, London E1 8AN
+44 20 7543 5600
cipfa.org
CEF: Cankarjeva cesta 18, 1000 Ljubljana, Slovenia
+386 1 369 61 90
cef-see.org
The Chartered Institute of Public Finance and Accountancy. Registered with the Charity
Commissioners of England and Wales No 231060. Registered with the Office of the
Scottish Charity Regulator No SCO37963.
84