|
PATTERN CHASER
Audit Analytics for Internal Audit in Financial Services
|
|
|
|
Rigour You Can Perform Is Not Rigour
Audit’s quietest failure mode: work that proves diligence instead of testing controls. This is the anatomy, and the one question that exposes it.
|
|
Hey Reader 👋
The workbook was perfect. Colour-coded tabs, tick marks consistent down to the font, a summary chart up front that could pass for analytics. The reconciliation control it tested had been dead for months.
Nobody lied. Nobody cut corners. Everyone followed the methodology. That is what makes this failure mode so quiet: it looks exactly like diligence.
I call it Spreadsheet Theatre. Audit work that performs rigour instead of producing it. The workbook is immaculate. The control is broken.
Today: why sensible functions end up performing rigour, what the real thing looks like and the question that tells you which one your file contains.
In today’s issue:
| ↳ |
Why functions perform rigour and why nobody chose to |
|
| ↳ |
Three markers that separate real testing from beautiful testing |
|
| ↳ |
One question that exposes the difference on any audit file |
|
Examples are composites drawn from industry experience and peer conversations. Survey figures are from the IIA’s published research.
|
|
|
|
DEEP DIVE
The Anatomy of Performed Rigour
Why functions perform rigour
Start with why, because nobody chooses theatre.
What gets inspected gets polished. A reviewer with forty files and a deadline verifies what a skim can verify: formatting, cross-references, completeness, sign-offs. Whether the testing logic could actually catch a failure takes an hour of thought per file. So review notes chase tick marks, and careful auditors learn that polish is what passes review.
Conformance is measured. Discovery is not. The quality machinery wrapped around audit checks whether the process of audit was followed and filed. There is no checklist line for found something that mattered.
Time pressure does the rest. When the file is the deliverable, the file gets the hours. The testing it documents gets what is left.
|
The profession measured its own gap
In the IIA’s Vision 2035 survey of 6,506 internal auditors worldwide, 91 per cent rated data analytics as extremely or very important to the profession’s future. 25 per cent reported advanced or high-level implementation. Continuous monitoring: 79 per cent called it important, 27 per cent run it at depth. A third reported low or no implementation of the tools they had just called essential.
|
A 66-point gap between what the profession says and what it practises. That is not a skills shortage announcement. It is the residue of incentives: importance is free to declare, and implementation is the thing the incentives never asked for.
What real rigour looks like
Real rigour and performed rigour look identical in a file review. The file is the performance. The difference lives in three places.
|
|
Marker 1
It Touches the Population
Real testing recomputes, re-performs, rebuilds. Attribute ticks confirm a signature exists. Re-performance confirms the control worked. If the analytics evidence is a screenshot of a dashboard pasted into the file, that is documentation of analytics, not analytics.
|
|
|
Marker 2
It Changes What Happens Next
Somewhere in the file, a result re-drew a sample, killed a scope, escalated a finding or re-opened a conversation with the business. If fieldwork never changed, the analysis was either lucky or decorative.
|
|
|
Marker 3
It Answers What a Walkthrough Cannot
An interview can explain a process. Only the data can expose one. If every conclusion in the file could have been reached in the walkthrough meeting, the data work was scenery.
|
|
|
That reconciliation workbook is real in texture. Attribute testing confirmed signature present and date present, dozens of hours of it, every quarter. The first time anyone re-performed the rec against the underlying accounts, unreconciled items were rolling forward month after month. The sign-offs had kept coming the whole time.
Here is the uncomfortable part. The attribute testing conformed perfectly. It would have passed any file review in the country. The control had not operated for months, and nothing in the methodology was ever going to notice.
The one question
You cannot tell performed rigour from produced rigour by reading the file. You expose it by interrogating the testing logic. One question does it.
|
|
If this control had failed, would this testing have caught it?
|
|
|
Ask it at the start of scoping, on last year’s file, while there is still time to change the plan. Not mid-fieldwork, when the answer becomes an accusation.
Attribute testing usually answers no. Re-performance usually answers yes. Testing built on what the data shows usually answers yes. Testing built on what management provided usually answers no.
Two supporting variants work at function level. What did this audit find that management did not already know? And: show me the audit where the analytics changed the conclusion. If either question produces silence in your team meeting, the silence is the finding.
No new tools, no budget, no Python. It is a lens. It works on the next file you open, and it costs one honest hour at scoping.
|
|
|
|
WHAT’S POSSIBLE
The Re-performance Layer
Most control testing verifies that evidence of the control exists. Signatures, dates, screenshots, attachments. Whether the control actually did its job is inferred, not tested.
Now picture one control family, say reconciliations, wired differently. The underlying data feeds flow into a layer that re-performs the control’s own logic across the full population every period. It rebuilds each reconciliation from source, recomputes the breaks, re-derives the exception list the control should have produced and compares it with what the control reported.
The output is a verdict per control, per period. Operated: recomputation matches what was reported. Drifted: it matches, but the exceptions are growing. Performed: the evidence exists, the sign-offs exist and the recomputation cannot reproduce the result.
Card networks and clearing houses have worked this way for years. Positions are recomputed daily from raw flows. Member attestations are a cross-check, never the evidence.
What changes for audit: the default question stops being is there evidence the control ran, and becomes does the control’s output survive recomputation. Sampling becomes the fallback for what cannot be rebuilt, not the method of first resort. One failed recomputation outweighs a year of tidy sign-offs.
|
|
You did not learn this craft to produce beautiful evidence of process.
You learnt it to find what is wrong before it costs someone. The workbook was never the work. It is the receipt.
Rigour you can perform is not rigour.
|
Run the question on one file this week. Then hit reply and tell me which way it answered. I read every one.
|
|
Before you go
The private version of that question
The one question works on a file. It also works on a career. The Future-Ready Auditor Scorecard takes two minutes: five dimensions, scored, no audience. You find out instead of perform.
|
|
|
|
|
WHAT’S ON MY RADAR
Worth your time this week.
|
🔍 THE PATTERN
The Audit Explosion. In 1994 an LSE accounting professor named the dynamic this issue lives inside: checking that substitutes for substance, and organisations that redesign themselves to be auditable rather than effective. Free, 64 pages, still the sharpest description of why your workbook looks the way it does.
|
|
🧠 THE MIND
Don’t Let Metrics Undermine Your Business. Surrogation: the measure quietly replaces the goal it was meant to track. It is how cross-selling targets became millions of fake accounts at one US bank, and how review checklists became the definition of audit quality.
|
|
📊 THE PROOF
Allocation of Physician Time in Ambulatory Practice. Doctors spend nearly two hours on records and desk work for every hour with patients, measured with a stopwatch across 430 clinic hours. When the file becomes the deliverable, every profession produces the same pathology. Audit is not special.
|
|
🗞️ WHERE IT’S HEADING
Voice of the CEO: What to Learn From the Pulse Data. The IIA’s chief executive reads the 2026 North American Pulse: functions closely aligned to strategy report 30 per cent higher funding sufficiency. Boards are pricing impact while the file proves conformance. Worth knowing which one your function is selling.
|
|
|
|
|
SHARE
Know a colleague who’d find this useful? Send it on.
|
|
See you next week,
Tony Abraham
Data Science & AI for Internal Audit
|
|
How did you like today’s issue?
|
|
|
