Big Data Is Only as Good as You Let It Be
Big data; big topic.
It has been fascinating to watch the way this concept has taken root in the nomenclature; in the business world; in board rooms; and, more specifically, in internal audit discussions, planning, seminars, and conferences.
Do a quick Google search and you see topics like "What is Big Data?," "Big Data: The Next Frontier for Innovation, Competition, and Productivity," "Big Data: A Revolution that will Transform the Way We Live, Work, and Think," "Big Data: The Management Revolution," and "Big Data's Impact on the World." (I did the search; I found these in the first two pages.) You would think holy writ had been visited upon us by high.
And so, many auditors struggle with understanding how we should respond to the risks and opportunities provided by big data.
Part of the answer (and a quite simple answer at that) came out of a speech given by Michael Dell. (You may recognize the name and, in so doing, may recognize that he might have a thought or two on the subject.) During a keynote speech for the University of Texas' Entrepreneur Week, he talked about Dell and big data. (An overview is available in this Forbes article.) His speech is primarily focused on the actions taken by the company, but he also made a couple of statements that help put the whole problems/opportunities related to big data in an appropriate perspective. And they are comments that internal auditors need to take to heart if they want to effectively evaluate and (maybe more importantly) use big data.
Quote the first: "How much of [the] data that companies or organizations store is actually being used to create better outcomes or better decisions or better results or better anything — particularly in real time? ...The dirty secret is, almost none of it.
Quote the second (and this one is much shorter, much pithier, and cuts to the chase much quicker): "What problem are you trying to solve?"
The first lesson for internal audit is that, in the performance of any audit you need to find out if the auditee (organization, unit, process owner, etc.) knows what it is doing with its data.
(Quick aside: If you are not looking at the way your organization analyzes data, you may want to go back and take a closer look at COSO. Information and Communication; it's right there in the cube; it's a key component of a strong control framework; it is an area you need to be reviewing.)
First, is the wealth of data out there? Does the company have "big data?" If not, then you have your first issue. Any company not capturing that information is missing out on something that has become more fundamental than an opportunity — it is the only way to maintain competitive equality.
If they do have the data, then ask the follow-up question. Are they using it? If they are using it, how are they using it? And the most important question — the second question introduced by Mr. Dell — what problem are they trying to solve? Do they even understand what they are trying to do when they look at all that glorious data?
And I want to quickly add that this is not just for big picture, strategy-level audits; this is not just to placate the occasional IT itch; this is not just an every once in a while, when it might accidently suit me, only if I have the time kind of question. This is a question that every unit, every department, every process should be asking. And a question internal audit should be asking in every audit. Everyone from marketing to purchasing to accounting to C-Suite to mailroom to R&D to sales to multi-billion dollar project assessment to petty cash should be aware of the data, and should be determining how best the data can be used. And audit, in the review of every one of these processes, departments, or business units should make sure they are doing so.
Just ask the questions, add answers, and shake vigorously. Instant audit finding.
All well and good. Yeah! A win for internal audit. But one thing I have learned in lo these many years — any question that should be asked of an auditee should also be asked of the internal audit department.
Which leads to one of the greatest failings I've seen for internal audit departments when it comes to CAATs.
A lot of programming is done, a lot of data is released, a lot of foot-pounds of energy are expended, and, at the end of the day, a lot of time is wasted. I have watched auditors ask the IT staff for information. And the IT staff looks at the auditors quizzically, goes back to their terminals, and returns with reams of information. And when the audit comes to conclusion, the auditors have nothing to show for their brave foray into the world of CAATs. And the auditors' lament is often couched in terms such as "IT just didn't give me what I needed" or "IT didn't understand what we were trying to do" or "IT couldn't find the basic information" or any other of the litany of excuses that comes about when work is done and nothing comes from the effort.
In reality, it all comes back to that simple, second question. The auditors didn't understand what problem they were trying to solve. And, by forging ahead without understanding something so basic, the information they received was gobbledygook, folderol, gibberish, and codswallop. They didn't know what question they were trying to answer, so they didn't know what data they needed, so the data they received did nothing but fill up the relatively scarce commodity of time.
Vow to yourself to never again ask for data unless you can do two things: 1) know what question you are trying to answer and 2) be able to articulate that question and answer to anyone who is providing you data.
And then throw those same questions to the next auditee who crosses your path.
Posted on Mar 10, 2014 by Mike Jacka
Share This Article: