Why is data analytics important in the internal audit process? And why should internal auditors approach data themselves? For several reasons, including that it helps improve audit quality and acquires better insights on a business. But there are many more causes that we uncover today.
Yusuf Moolla, Director and Co-Founder of Risk Insights, will help us understand the role of data in performance audits. Yusuf has over twenty years of experience in data and assurance. He previously worked for two Big Four firms, Deloitte and KPMG, leading audits and data projects worldwide. Yusuf is also the Co-Host of The Assurance Show, a podcast for internal auditors and performance auditors that focuses on data and risk, and Co-Author of The Data-Confident Internal Auditor.
Welcome back to CFO Weekly, where we're talking with financial leaders about how to build efficiency in their teams, create time for strategy, and ultimately get results with your host Megan Weis. Let's jump right in.
Megan Weis: Today my guest is Yusuf Moolla, a senior risk and assurance consultant with more than two decades of experience. Yusuf has worked in top-tier professional services firms in Australia, the UK, and South Africa. He is a certified internal auditor and has a background in business intelligence, financial systems, and information technology. Yusuf helps performance auditors and internal auditors confidently use data for more effective better quality audits.
He works closely with clients both locally in Australia and around the world, supporting them through data-focused consulting, advice, delivery, and coaching. Yusuf is the co-founder of Risk Insights as well as co-host of The Assurance Show and co-author of The Data-Confident Internal Auditor. Yusuf is passionate about demystifying the use of data and communicating insights in plain language without losing meaning. Yusuf is a global leader in data-focused assurance.
Yusuf, thank you so much for being on today's episode.
Yusuf Moolla: Megan, thanks for having me.
Megan: Yes, today we're going to be discussing data and the role it plays in performance audits. I'm looking forward to learning about how we can use data for more effective, higher-quality audits, but first, let's learn a little bit about you.
Megan: Take us through your career journey and how it is that you ended up where you are today.
Yusuf: Okay, so spent a bit of time at a university in South Africa. South Africa is where I started my career. That's where I grew up, in Johannesburg. Spent a bit of time at the university there, the University of the Witwatersrand. What was then the Business Intelligence Team, quite enjoyed working with data there. I then moved on to Deloitte and spent just over a decade with Deloitte in various roles across both external audit and internal audits and a bit of security and IT controls and those sorts of areas.
Once, while I was at Deloitte, obviously, a lot of the audit work back in the early 2000s was either quite manual or didn't involve a lot of the use of data back then, but there was an opportunity to use data. I found myself in a situation where the audit manager that I was working for quite early on, was quite interested in the use of data and exposed me to it. I had really early on exposure in how data can be used for audits, external audits at that time, and then slowly internal audits.
I spent about 10 years with Deloitte, a few years with KPMG in between in Australia, and then about five years ago, it's almost six now, about six years ago, that colleague of mine from KPMG and I decided to branch out on our own and start our own little practice and we've been doing that since. Mainly, professional services, and now, for the last six years, working for myself.
Megan: Out of curiosity, when you say data, what kind of data are we talking about, and where is it coming from?
Yusuf: All sorts. [chuckles] Both inside the organizations that we work with, and we work with both public sector organizations and corporates, but also open data. Particularly, for public sector, open data is quite important, but it's also useful for corporates as well. We're talking about all sorts of mapping data and population data and the like that you can get from the open domain. Primarily, it would be data inside our client organizations so financial data and non-financial data.
A lot of the time the work that we do audit-wise, and this is sort of internal audit and performance audit, is around citizen data or customer data because obviously, that's the focus stuff or should be. It is or should be at the focus of most organizations. A lot of financial data involved as well for various reasons. Sometimes for the actual analysis itself. Sometimes to look at things like fraud, and sometimes to triangulate the other data that we have so a reconciliation point. Financial data is almost always involved either directly in the analysis or in order to do some form of reconciliation of the other data that we're looking at.
Megan: Okay, and before we move on and talk about your current organization, what inspired you to branch out on your own?
Yusuf: That's a good question. There were several things with a few of them being that, I guess, I wouldn't say that it was one of the few options that I had because it's obviously lots of options coming out of a place like Deloitte, but I just found in the last few years of working that I wanted to do something that didn't have the constraints of a very, very large organization. I said, "Why don't I just try doing this small thing myself, and then let's see what happens. Maybe I'll get back into the usual workforce after that."
The problem is I enjoyed it so much [inaudible 00:05:22] but working for a quarter-million strong organization is can be quite constraining, constricting. That was one of the main reasons for jumping out. Also, I really enjoyed my time at Deloitte. I think I learned a lot.
Megan: I worked there too. I loved it as an organization.
Yusuf: It's awesome. It's a very big ship, and what we are talking about is-- There's a different type and level of value that you can provide to your clients as a small organization, let's just say that.
Megan: Yes, I agree. Actually, that was eventually the reason I left Accenture was just because it gotten so huge, and you almost felt pigeonholed in an environment like that.
Yusuf: That's right. Exactly right.
Megan: Let's talk about your current organization, Risk Insights, and what it is that you guys do.
Yusuf: Sure. We're a consulting firm in Brisbane. We primarily work with public sector organizations and medium-sized corporates. We do have a few large corporates, but medium-sized corporates tend to be where we prefer to play. What we provide is both performance audits and internal audit support to those organizations. Performance audit is primarily in the public sector, and then internal audit would be across the public sector and corporates.
Most of the work that we do involves the use of data. What that means is we're either helping internal audit teams use data, or we're working with other C suite execs or senior managers and helping them through particular types of audits that require heavy use of data so recalculations and the like that they might want. Most of our work involves the use of data although we do a little bit outside of that as well.
Megan: What are your proudest achievements since founding Risk Insights?
Yusuf: I think one of the main, obviously, challenges we've had in the last little while was in 2020, and a lot of the big consulting firms were able to continue to operate. In fact, a lot of them were very strong through that period. Because of the nature of the clients that we have, we had a reasonably slow 2020, and so being able to stick with it and stick through that cycle and not-- I guess we were. It was getting close, but we managed to talk ourselves out of exiting at the time.
I think that's one of the-- Simply coming through that cycle is potentially-- This sounds really strange, but coming through that cycle feels like one of the greatest achievements we've had. We've had a 20, sort of 21, 22 that's been sorta knock out the park relative to all previous years. We're really glad that we did [unintelligible 00:08:15] I guess it's not about what we've delivered, but more about just staying in business, which I believe is, from speaking to a lot of people, if you're able to stay like that for five years, and then hopefully, it will be-- You able to see other cycles through.
Megan: Yes, you guys have made it through two of the toughest years in history I'm sure.
Yusuf: That's right, yes. I've never seen anything like this, not even the GFC hit this bad in certain areas.
Megan: I saw on your profile that you help people get over their fear of data. What do you think most people are afraid of when it comes to data?
Yusuf: Within the internal audits, so within the audit sphere, generally, internal and performance audit, I think there's been a lot of fear recently generated through just hype. Lots of jargon, lots of complex-sounding concepts like machine learning and artificial intelligence that people that just want to use data, in its most basic form, can be a bit scared that they have this mountain that they need to climb over, and it isn't. It is really very simple for anybody to use data directly themselves. I think that that's the fear created by this unknown thing, that unknown data thing that needs to be overcome for sure.
Megan: I think it's intimidating for a lot of people and just the sheer amount of data that's available these days.
Yusuf: That's right, yes.
Megan: Why should CFOs support the use of audit data for analytics?
Yusuf: For a CFO, there's so many things that fall directly within the financial accounting area, if you like, which is, I guess, traditional CFO area, but of course, CFOs nowadays are involved in so much more across the organization that for a CFO, a lot of the CFOs that we speak to want to understand what's going on beyond just the direct financial accounting area that they may have carried over, of course, with lots of financial planning and forward analysis and helping with achieving strategy.
They need to look beyond just the financial data that they have.
A lot of times, individual departments or divisions will know their own data very well and analyze their own data very well. The internal audit team is uniquely placed because they have access to data across the organization. They have unfettered access to data and information. What that means is that they are in a particularly unique position to bring data together from several sources to provide that holistic view.
For a CFO who's looking to understand what impacts they might be or what they need to understand from beyond what they would normally be used to within the financial domain, working with internal audit on some of those matters can help them achieve that objective. Of course, internal audit do look at where the controls are working well and whether they obviously often, whether there is potential for fraud, but obviously a CFO with integrity that's doing the work well won't really worry too much about that. If you are looking to explore beyond financial, involving internal audit and helping them get the data that they need to do their job can help you as a CFO.
Megan: Just taking a look at the data. I know so many organizations out there are operating in disparate systems that don't really talk to each other and a lot of the processes are still manual. How do you get trust in the data that you're using? That data has integrity?
Yusuf: Yes, so quality of data is quite an important thing. Sometimes this data that you can't work with and you got to find an alternate, but often-- Because internal audit are generally quite interested in ensuring that the evidence that they collect is off sound quality. There'll be a range of procedures that the internal auditors follow. Some of them involve just exploring the data initially, making sure that they can see the full range of data that they have within the domain. Some of it involves reconciliation to other sources like financial statements and the like, so it's important to ensure that you get quality data if you are looking to provide assurance of sorts.
However, if it's purely about exploration, so if you want to try to understand what certain customers are saying or how certain customers are feeling, you may be able to get away with less than that. The objective that you're looking at will define the objective of the work that you're doing will drive what level of quality you need in the data set that you're getting, that you can still use data that isn't of very high quality, but that then you would use for a particular type of analysis to achieve a particular type of objective.
In the most cases though, you do need to make sure that you're using data that has a level of integrity. As an auditor or as a CFO, if you coming across data that isn't of good quality, that's a good thing as well, because that's an opportunity for you to influence that part of the organization or that whoever controls, owns that system to improve that level of data. If you can find a good link to why you need better data, what decision can't be reached or what sort of analysis can't be conducted because of that bad data. If you come across it, that's the opportunity to improve it.
Regardless of what the situation is, whether you have good quality data and can't use it or you have good quality data and can use it, or you have bad quality data and can't use it, or bad quality data and can use it, there's always going to be an outcome therefore in terms of a decision or some outcome for the business overall in terms of what needs to happen.
Megan: Let's go back to something you said a few minutes ago about auditors and their access to information across departments. You recently posted something on LinkedIn that said, a successful audit find solutions across departments. What does this mean? What does that mean to you?
Yusuf: Yes. If we think about the perspective of the board, senior management, customers, anybody outside the direct line management that we would deal with day to day, they'll be aware of departmental boundaries and silos. In most cases, they won't really care too much about it. They want to know the answer to the question that they have, or they want to know how something affects the organization overall.
The traditional, what internal audit have traditionally focused on when trying to go across departments is in the fraud area. This is where they bring together data from payroll and procurement to see whether there's anybody on payroll that's also a vendor or anybody that's a vendor that happens to be related to somebody that's also on payroll. That's bringing data together from two completely separate sources. Sometimes they might both be in finance, but often your payroll areas in HR and your procurement areas in finance and the two don't talk to each other. Payroll people will know their data very well, procurement people will know their data very well, but it's not very often that you would get people looking across the two.
Internal order are in that position to look across both and come up with or understand what's going on more holistically than just within that individual silo. Internal order, they should be looking across departments to try to understand what's going on. There's lots of other examples like that transactions area and customer complaints area, or the customer complaints area and some broker sales area. There's lots of different ways in which you can bring data together from multiple departments in order to get a view that everybody outside the organization or that leads the organization would automatically have, but nobody inside would've potentially thought about.
Megan: Yes, that's true. I didn't even think about that, but organizations are so siloed and everybody has their own data and it's probably pretty rare that someone's looking across those silos at multiple sources of data.
Yusuf: That's right. Yes.
Megan: What advice do you have for auditors looking to use data for more effective and higher quality audits?
Yusuf: The first thing is to use data. You'll be amazed at the number of auditors that are continuing to shy away from it as organizations or as teams, but also as individuals. I think it's important that really every auditor is able to do this directly themselves. In the old days, we'd have completely separate IT audit teams that would go and take care of technology controls and look at access control and the like, and that's happens less and less nowadays.
Often when you're doing an internal audit, the internal auditor would be aware of how access works and know who has access to what, what area of the system, or who has access to the system directly and test those sorts of things, because we've slowly learned as internal auditors what technology controls mean and what access controls mean. Similarly, we need to all be able to at least have an understanding of how data works and a basic ability to analyze it.
I think that a lot of auditors will be able to use a lot of the data to answer the questions that they have almost completely themselves. I think in some cases you can get help externally to your team from other people within the organization or even outside. If you're able to do that directly yourself, what that means is that you know exactly what the subject matter expert that is coming in is doing.
It's not a black box, which helps you understand both what is needed and then interpret the results that come out of it and understand the exceptions. I think there's a utopian future that I see where all auditors are using data directly themselves up to a certain point and producing better results as a result.
Megan: Do you think that auditors need specific data training? Are there books out there that you'd recommend or any way to advance an auditor's knowledge on how to use data to its fullest?
Yusuf: I guess there have been a few over the years. We didn't come across any in our travels that broke down in a very simple way with an explanation, which is why we wrote our own. I don't want to say there's this one book that we wrote that is fantastic. We did write our own that explores each of the different areas and approaches that auditors can take. Then there is training available.
What I've found is that a lot of the uplift in skill anyway comes from training on the job, so learning by example, taking an order that you have and working through it and trying it out. Of course, there's lots of organizations like ours that would help provide coaching and training along the way, but just doing purely training that has no bearing on or on the direct bearing on the individual audits that you're doing might be a little bit difficult.
I think once you see data in your own audit, the audit that you're conducting, and you can relate it and see what the potential might be in terms of outcomes, it makes it a lot easier and a lot more exciting to then pick those skills up. My recommendation is no matter who you're working with or how you're doing it is try to learn on a live audit that you're doing and maybe think about six months in advance or three months in advance what orders do I have coming up where I could use data, and then scheduling some support either internally or externally to help use data as part of that audit.
Megan: Great advice. As you look internally at Risk Insights, what's one of the biggest challenges that you and your team are facing in, let's say the next quarter or two? Sounds like you guys are growing quite quickly at the moment.
Yusuf: We are. As a non-accountant, I will say that our taxes are due next week. To me, that is the greatest challenge that we have. All of those tier accounts that somebody has to reconcile. The biggest challenge is staffing. Somehow people seem to have just disappeared around the world. I don't know where they've gone. I don't quite understand because nobody has been hiring a billion people. They just seem to have either disappeared or they don't want to work anymore. Something's happened, right? Then everybody's feeling it.
There's so much demand for the work that we do, but just so difficult to find people to train up and help us to execute that. That definitely is the greatest challenge. It's just supply of talent. Obviously, the alternative is going to universities and raising challenges ourselves, if you like, as opposed to getting experienced people in, which is so much more difficult to do because there's a big gap between a university graduate and somebody that's been in the workforce for five or six years.
Yusuf: We just have to do that. There's not much of an option because the talent pool is almost zero at the moment.
Megan: I'm like you, I'm confounded as to where did everyone go? They seem to have retired early or I want to know their secret.
Yusuf: Exactly. They talk about the great resignation. You resign and then what? They're sitting on the beach?
Megan: I wonder if they'll come back in a year or so. I don't know. I guess none of us know at this point, but it is a problem. You're definitely not the first person to have mentioned staffing as their greatest concern. Just one more question about, what tools or technologies are you guys using internally that's helping to make your lives easier?
Yusuf: I'm happy to mention specifics because I think it's always useful to know names.
Megan: Yes, I agree.
Yusuf: The thing that we use for data analysis is an open-source tool called KNIME. That's K-N-I-M-E. It's started at a University in Germany, and it's grown since then to be one of the leading advanced analytics platforms available. It is open-source, which means you can download the platform and use it unlimited for free. The only limitation, if you like, is that if you want the collaborative server version, the analytics platform that you download for free is something you can use locally on your laptop. You can even put it onto the server. You just don't have the collaboration features that would come with something bigger, which then you would go into a commercial arrangement for.
We use that. It is graphical user interface that's sort of low code, no code type interface. Anybody really can pick it up. It is a sort of Swiss Army knife, and we love it. You can go all the way from basic ingestion of data and transformation of data, all the way to complex advanced machine learning routines. That's KNIME. That's probably about 80% of the work that we do happens in there.
Then for the visualization nowadays, we used to use Tableau for a long time, which is still a fantastic product, but nowadays we use Power BI because frankly, it's just so much cheaper and it's so much easier to use, particularly for anybody that comes from a background with Microsoft products like Excel, because Power BI has a lot-- I think Power BI grew up from Excel. There's a good relationship there. When you talk to anybody in the finance area, they know Excel, of course. We love Excel. Learning something like Power BI is really easy. That's what we use for external for both our internal and external data work, then that's probably worth 90% of our day.
Megan: Lastly, as the director of Risk Insights, what's keeping you up at night, either for your own organization or maybe for the clients that you guys are serving?
Yusuf: The main thing that always concerns when you're dealing with lots of data, particularly client data, is security. With the way in which we're working nowadays, it is really important to make sure that we are completely secure. Most of the work that we do would be on client systems, so not taking any data outside of the organization. Sometimes, though, we are required to take the data and put it into our own environment. Obviously, we need to have pretty strict protocols and controls around security, but there's always risk. Regardless of what you do, the only way to not have any risk is to not do anything.
The only way to not have any cyber risk is to be completely blocked off from the Internet, which nobody really can do anymore. There's always a risk. It is something that we spent a lot of time ensuring that we are on top of, or at least not below. That's an ongoing battle for both us and our clients.
Megan: It's getting so sophisticated and it's relentless these days. It's a risk for everyone.
Yusuf: That's exactly right. We've seen some cyber-attacks where it wasn't about money and it wasn't about getting access to data, it was just because they could.
Megan: Yes, just for fun.
Yusuf: Just for fun. That's the equivalent of somebody's holding an automatic machine gun in the street and just shooting for fun. "I just want to do it. I don't want to kill anybody, but I just like shooting this thing in open." That it feels very similar when you see these guys that are having fun in the basement somewhere and say, "Oh, look, I could hack him," and not understanding what the consequences are on the organization that you're affecting.
Megan: That's for sure. Yet people just flexing their muscles in some way.
Yusuf: That's right, too.
Megan: Yusuf, thank you so much for being my guest today. We will.
Yusuf: Thank you very much. Appreciate your time.
Megan: I really enjoyed speaking with you and hearing about your experiences and the resulting insights and I wish you and Risk Insights all the best. To our listeners, please tune in next week and until then, take care of yourselves.
If you're ready to boost efficiency and streamline your accounting processes at significant cost savings, it's time to talk with Personiv. Their people-powered solutions have transformed the delivery of back-office tasks and general accounting functions for decades. Partnering with clients to provide everything from accounts payable to payroll services. See what Personiv can do for you by visiting personiv.com.
You've been listening to serious CFO Weekly presented by Personiv. Please subscribe wherever you get your podcast to hear all of our episodes. Want to learn more? Check out personiv.com. Thanks for listening.
In this episode, we discuss helping internal audit teams use data, why CFOs should support the use of audit data analytics, How a successful audit finds solutions across departments, using data for more effectively and higher-quality audits, among other exciting topics.
Helping Internal Audit Teams Use Data
Risk Insights is a consulting business specializing in using data for assurance projects. The company primarily works with public sector organizations and medium-sized corporations, providing performance and internal audits. Yusuf and his team help C-suite executives or senior managers use data for higher-quality audits.
“It is very simple for anybody to use data directly themselves”
Why Should CFOs Support the Use of Audit Data Analytics?
Aside from financial accounting, CFOs are involved in financial planning, forecasting, and strategy. To approach them effectively, a CFO needs to understand the data behind all processes by working with an internal audit team that has access to data across the entire organization.
“If you are looking to explore beyond financial, involving internal audits, and helping them get the data they need, can help you as a CFO”
Taking a Holistic Approach Towards Data
Most organizations are structured in departmental silos. Usually, managers know their data well but are poorly aware of other teams' data. But senior management wants answers and solutions to problems that affect the organization overall. Internal audit has access to data across the entire organization to understand organizational challenges holistically.
“A successful audit finds solutions across departments”
Using Data for More Effective and Higher-Quality Audits
Start using the data yourself, understand how it works, and analyze it. You'll get to better interpret the results and have a more accurate view of organizational challenges and processes.
“Many auditors will be able to use the data to answer the questions that they have almost completely themselves”
Instructions on how to follow, rate, and review CFO-Weekly are here.
Learn how Personiv can aid your finance processes.