In the last column in this space, 1 the introduction
described the current IT environment and reasons
why circumstances are driving an increasing
demand for subject matter experts (SMEs) in
CAATs, data mining and data analytics. Needless
to say, there are a variety of needs in business
today for effectual data analytics.
For several years, there has been a burgeoning
segment of the IT profession known as business
intelligence. A range of tools has been developed
and used to assist businesses in mining valuable
information from its own data to enable it to have
more effective strategic and operational insights
into executive decision making. Data analytics,
as used herein, is similar to business intelligence.
Because of the ways data analytics can be used and
benefits gained from examining data, there is ample
opportunity to apply the same methodology to IT
assurance or IT reviews of this growing segment.
This space has also included a series of articles
that, when combined, describe the process of
using CAATs from data extraction, 2 to data
transformation3 and now to data analytics.
The series is modeled after the data warehouse
concept of ETL (extract, transform and load)
when building the warehouse database. This
article will describe factors for the IT auditor to
consider in conducting data analytics.
DESIGNING AN ANALYTIC PROGRAM
There are several key aspects of designing an
effective analytic program. Those aspects can be
determined through a series of questions:
• Who are the key players?
• What data are needed (tables and fields)?
• What are the purpose and scope of the testing?
• Who will get the report?
• Where are the data residing?
• How will data be requested and/or obtained?
• What tools will be used to perform data
analytic tests or procedures and why?
• How will the tools selected be used
Answering these questions will enable the IT
auditor to design an effective analytic program.
Obviously, the IT auditor must have some
knowledge of the organization, systems, data files
and tools available, as well as the capabilities of
The IT auditor will need to follow a methodology
in getting the data and analyzing the data properly. 4
The approach is similar to that of an IT assurance
project or, for internal audit, IT reviews.
As with all assurance and review projects, the
process begins with defining the scope of what
needs to be done. This can be done by answering
• What is the purpose of the audit?
• What is the objective of the audit’s conclusions?
• What parameters need to be applied to the data
to accomplish that purpose?
• Where are the data found in the financial or
• What is the risk (e.g., in data reliability)?
• What does the scope of the source data need
to be in order to meet the objective and
• What other information will impact the nature,
timing and extent of the procedures to
After answering these questions, the IT
auditor should be able to determine the best
approach to take to satisfy the objectives and
purpose. Next, a planning meeting, where issues
such as the specific procedures and tests can be
discussed, should be set. Consideration should
be given to relevant data that lie outside the
auditee’s systems and data files (e.g., cloud,
data center, industry data), and to any issues in
getting data, such as usefulness and reliability.
Individuals from both IT and the business
should be involved, as both perspectives prove
Tommie Singleton, CISA,
CGEIT, CPA, is the director
of consulting for Carr Riggs
& Ingram, a large regional
public accounting firm.
His duties involve forensic
valuation, I T assurance and
service organization control
engagements. Singleton is
responsible for recruiting,
training, research, support
and quality control for those
services and the staff that
perform them. He is also a
former academic, having
taught at several universities
from 1991 to 2012. Singleton
has published numerous
articles, coauthored books
and made many presentations
on IT auditing and fraud.
What Every IT Auditor Should Know
About Data Analytics
Do you have
to say about
Visit the Journal
pages of the ISACA
web site ( www.isaca.
org/journal), find the
article, and choose
the Comments tab to
share your thoughts.
Go directly to the article: