
Building a Data Analytics Program That Works, Sticks, and Scales
A blueprint to starting and growing Internal Audit's use of Data Analytics
Building a Data Analytics Program That Works, Sticks, and Scales
By Jim Tarantino, CISA, CRISC, ACDA
This is article 2 of a three-article series on data analytics and internal audit. You can read article 1: 12 Data Analytics Pain Points to Avoid here.
It’s tempting to shoot for the stars when getting started with data analytics. After all, data analytics are capable of achieving tremendous value for Internal Audit and their stakeholders. Potential benefits are significant and wide-ranging, from improved audit efficiency, coverage, and testing accuracy to better decision making, valuable insights, continuous risk monitoring, and more. Why not be ambitious and dive straight into the deep end of the pool?
Because that’s exactly the approach that leads many data analytics efforts to falter or fail.
With data analytics, a deliberate, agile, well-balanced approach will get you to your target maturity state faster. Balance is absolutely vital, so that none of the five key elements of your data analytics program — people, process, technology, data, and governance — get too far ahead or behind. For example, heavy technology investments won’t get you anywhere without upskilling your people and adapting your process. These five elements form a single wheel that must be continually calibrated to keep it rolling ahead smoothly; I’ll share that graphic and guidance in an upcoming Enabling Positive Change newsletter.
To build a data analytics program that works for your Internal Audit team, withstands the inevitable challenges, and has the capacity to evolve to meet your organization’s changing needs, CAEs need to be engaged and hands-on through three make-or-break inflection points in the journey to data analytics maturity: They need to make it work, make it stick, and make it scale. This three-point approach simplifies the more traditional five-step maturity models (e.g., ad hoc, repeatable, managed, integrated, optimizing), distilling the data analytics maturity journey down to the three key points where CAEs really need to lock in and lead. Here’s what that means and what to do at each stage.
1. Make It Work
What’s Involved
“Making it work” means that you’re having some initial success leveraging your team’s initial baseline skills, technology, and data to produce and consume simple data analytics within Internal Audit. These early-stage results help CAEs assess the value of the analytics and decide where it makes sense to invest more resources.
Obviously, assessing value is a judgment call. CAEs’ views on what is and isn’t valuable will vary based on their own experience and opinions, and their organization’s needs and priorities. Value typically emerges in two primary categories:
- Increased assurance. Examples include increased audit coverage in high-risk areas, employing full population testing rather than relying on samples, opening the door to more continuous auditing in key areas, and ensuring more consistent and timely analysis.
- Enhanced insights. Analytics can help Internal Audit surface insights, issues, or opportunities that may not otherwise have been detected, ultimately helping management think about risk management or controls in a different way. For example, analytics may indicate that:
- A risk is more or less severe than management thought.
- Control costs outweigh the risks they were designed to mitigate.
- A control is being circumvented (e.g., 20% of invoices exceed the accounting system’s AP invoice tolerance setting).
- Poorly configured business application control logic is still allowing transaction exceptions to be processed undetected by management.
How to Do It
- Start simple. Instead of jumping in at the deep end of the pool, start by leveraging what you already have. Use in-place technologies and reliable pre-existing data to identify 1–2 business process areas where your analytics leads can get started. Experiment with 5–7 core analytics to begin understanding what’s possible and what it will take to achieve your desired outcomes (e.g., better coverage model, improved scoping, audit efficiencies).
- Establish program foundations while achieving initial wins. At this stage, Internal Audit users are developing foundational data analytics literacy that will enable them to become better producers and consumers of analytics over time. The function is also building a basic data analytics suite that provides Internal Audit with the tools needed to provide value (i.e., increased assurance, enhanced insights) while delivering preliminary results showcasing that value.
- Leverage initial successes as proofs of concept (POCs). Methodically build on your early successes. Find and follow the ideas that have legs. What insights does management see as valuable? Which repeatable analytics have staff learned that are worth reusing in the future?
- Use POC outcomes to build your business case for additional investment. For example, did a new analytics-driven insight help you recover significantly more dollars than in prior years? At this stage, CAEs should be able to point to specific POC outcomes to make a compelling case for the additional investments needed to take the program to the next level.
- Be strategic about investing additional resources. Based on how you’re measuring value, where is it worth investing more resources (e.g., leveling up leads’ skills in a specific analytics area, developing analytics routines or data pipelines, investing in enabling technologies)?
2. Make It Stick
What’s Involved
“Making it stick” means ensuring consistent, repeatable, and sustainable data analytics practices. At this stage, you and your analytics leads have established baseline technologies, literacy, and practices. Now, the key is (1) broadening digital literacy and adoption across a wider swath of your team, (2) updating Internal Audit’s professional practices to more effectively integrate analytics into audits, and (3) implementing data analytic life cycle practices to plan, develop, test, operate, and retire data analytics.
This doesn’t mean turning everyone on your team into expert developers who are producing analytics. By this point, however, all team members should be comfortable identifying data analytics opportunities and consuming and leveraging the analytics leads’ work products.
Unfortunately, making it stick is also the stage where many data analytics programs lose traction and momentum, making proactive planning and commitment from leadership crucial. As Enabling Positive Change newsletter #15 “12 Data Analytics Pain Points to Avoid” (2/22/25) explained, common hurdles include:
- Loss of key team member(s) highly skilled in data analytics, leaving teams scrambling or back at square one.
- Inadequate recruiting/training for data analytics competencies by Internal Audit leadership.
- Overreliance on an analytics-focused third-party consultant no longer in the budget.
- Inadequate focus on documenting data analytics practices, with overloaded analytics leads given little time or incentive to document processes.
- Failure to adapt Internal Audit methodologies and processes to incorporate the extra steps or time needed to integrate analytics effectively (e.g., feasibility planning, data discovery).
- Misalignment with overarching expectations/priorities for on-time, on-budget work.
- Lack of a long-term strategic roadmap to support the investments required to ensure consistent, repeatable, and sustainable data analytics practices (e.g., personnel, training, technologies, updates to methodologies, processes, and performance metrics).
Being mindful of these common challenges gives you a clearer path around them, as well as a better chance of avoiding them in the first place. Here’s what to do.
How to Do It
- Document data analytics processes. Effective documentation is essential for ensuring consistent, repeatable, and sustainable data analytics. As processes mature, it’s vital to invest time, focus, and ongoing commitment to codifying them.
- Update practices and methodologies to integrate data analytics. It takes time and effort to brainstorm and plan analytics (ensuring feasibility and value), conduct data discovery, and embed effective data governance. Align professional practice expectations with audit scheduling, resourcing, and timelines that incentivize analytics and allow time for their adoption.
- Build and support learning pathways to upskill and increase adoption across your team. Develop structured curricula outlining the different pathways that align with Internal Audit’s data analytics needs and vision (e.g., baseline analytics literacy, analytics producer, analytics consumer, analytics specialist). Invest in and provide tools and training to support each pathway.
- Update Internal Audit’s strategy, mandate, and vision to include the department’s data analytics strategy (e.g., planned investments), related talent management strategy (e.g., recruiting, retention, ongoing training, incentives), and maturity roadmap.
- Establish and track value realization metrics. Develop performance measures that help you prove analytics’ value and ensure it improves over time, such as a checklist of questions assessing value realization (e.g., whether analytic performed as expected, increased coverage, saved time or money, increased precision of attribute testing, reduced manual effort in cyclical or rotational audits over time, shifted staff hours from audit to advisory, percentage of business applications under digital review). Document results, share in audit report appendices, and keep strengthening your business case.
3. Make It Scale
What’s Involved
“Making it scale” means adapting and coordinating your data analytics program to integrate analytics production and consumption across organizational defense lines and enable Internal Audit as a true independent, data-enabled assurance function and business advisor. At this stage, you’ve built and documented a data analytics development life cycle that reliably provides the right data at the right time in the right format using the right set of tools. You’ve built a cohort of analytics producers and consumers within Internal Audit, and mapped out a robust business case and sustainable path to long-term value realization. Metrics are in place to measure program effectiveness, identify areas for improvement, and incentivize greater digital proficiency.
Now, you’re ready to broaden adoption further and value realization across the wider organization. Making it scale requires fine-tuning your toolkit and analytics to enable the flexibility required to meet the organization’s evolving needs. An adaptive data analytics architecture is vital for helping Internal Audit become the agile, independent advisor consistently providing a valuable challenge to the business alongside increased assurance around risk management and controls effectiveness.
How to Do It
Use targeted yet flexible data analytics to enable Internal Audit to perform independent ongoing assessments of the effectiveness of management’s monitoring. For example, Internal Audit can use analytics to:
- Challenge key business rules. Ideally, third-line data analytics evolve to help assess — and identify opportunities to improve — the effectiveness of management’s business rules, such as excessive false positives or negatives in monitoring logic. For example, an Internal Audit team analyzed a fraud detection rule flagging transactions over $10,000 and found 95% were false positives, creating unnecessary costs. Data analytics revealed that using anomaly detection based on transaction patterns could reduce false positives by 60% while maintaining fraud detection rates. This insight helped management refine monitoring logic, improving efficiency and risk mitigation.
- Perform audit follow-up procedures. Ensure that Internal Audit or management have taken appropriate action regarding any outliers identified. For instance, if data analytics flagged unusual expense reimbursements, follow-up data procedures can verify whether management remediated the anomalies and implemented tighter controls (e.g., downward trend in exceptions over time). This ensures corrective actions are effective and prevents recurring issues.
- Identify risks beyond the risk and controls matrix (RACM). Identify risks beyond the risk and controls matrix (RACM) by leveraging data analytics to assess actual business process performance against objectives. For example, auditors analyzing accounts payable data may detect improper payments (e.g., transactions made to incorrect payees, incorrect amounts, unusual payment dates, purchases of atypical goods and services). If data suggests strong compliance, a limited inquiry may suffice, but if anomalies indicate potential fraud or control gaps, more substantive audit procedures are warranted.
- Provide first- and second-line teams with analytics they can adopt and sustain. The optimal state is to empower stakeholders across the organization with analytics they can use to improve operations, make better decisions, and continuously monitor key risks. Transitioning analytics’ ownership to management also frees up Internal Audit to focus on other analytics efforts.
- Provide effective risk management oversight. Analytics can support Internal Audit in helping the first and second lines assess the effectiveness of their risk management monitoring, operations, and response. Think of it like case management: Do they have a high ratio of open to closed cases? How much time does it take to close cases, on average? How many aging hi-risk cases do they have?
Commit to the Journey
While CAEs should remain involved through the entire journey to data analytics maturity, they should be closely involved at these particular inflection points. By leveraging their relationships, business acumen, and understanding of organizational strategy, they can facilitate access to the data, tools, and teams essential to helping Internal Audit’s data analytics leads succeed at every stage of the journey.
The journey demands ongoing commitment, increasing levels of investment, and a strategic, deliberate, well-balanced approach. So, avoid the temptation of immediately reaching for the stars, be planful, and commit to incremental progress and investment over time. You can reach for the stars once you’ve built the launch pad that enables your analytics rocket to take off.
Ready to level up your data analytics game and start working toward solutions? Instructor Jim Tarantino leads the Internal Audit Collective’s new data analytics program, DRIVE, designed to enable Internal Auditors of all levels to better integrate data analytics into their work. Register today.
When you are ready, here are three more ways I can help you.
1. The Enabling Positive Change Weekly Newsletter: I share practical guidance to uplevel the practice of Internal Audit and SOX Compliance.
2. The SOX Accelerator Program: A 16-week, expert-led CPE learning program on how to build or manage a modern & contemporary SOX program.
3. The Internal Audit Collective Community: An online, managed, community to gain perspectives, share templates, expand your network, and to keep a pulse on what’s happening in Internal Audit and SOX compliance.