Edited by: Farah Araj

Raddad Ayoub & Indumon Das 


EY’s Risk Analytics leadership team explain data analytics and how it is positively impacting both companies and the internal audit profession

In an exclusive interview, Internal Auditor – Middle East spoke to Raddad Ayoub and Indumon Das from EY’s  Advisory teams in the EMEIA  and the Middle East respectively.  Raddad is a Partner with more than 17 years of experience and is a member of EY’s Europe, Middle East, India and Africa Risk Advisory – Center of Excellence.  Indumon is a Senior Manager in the Risk advisory team in the Middle East and North Africa Firm, with over 12 years of experience and leading the MENA Risk Analytics team.  Both are pioneers in the risk analytics space in the Middle East region. In addition, they are both active supporters of the UAE Internal Auditors Association (UAE-IAA) and have delivered presentations at several of its conferences.

Internal Auditor – Middle East conducted a telephone interview with Raddad Ayoub (RA) and Indumon Das (ID).

What is Risk analytics and how did it come about?  

RA:  Risk Analytics is the discipline of data analysis in the context of Risk Management. We continue to see a growing importance for fact-based decision making. This compounded with the exponential growth in the sheer amount of information we are generating every day, has made it important for risk management to adapt as well. today,  has become just as important for business stakeholders to have access to operational as well as risk information in the decision making process. KRI’s and KPI’s are two sides of the same coin. Organizations looking at one without the other is potentially missing on the bigger picture.

ID:  Agreed…Technically, Risk Analytics is a combination of Data Analytics tools and techniques to help organization to optimize the risk exposures and maximize the business opportunities to improve performance, increase profit and achieve business goals. The inception of Risk Analytics shifted the intuition based decision making paradigm to the data driven insights methodology, which the stake holders can accurately measure, quantify and foresee the risks.

 How are companies in the Middle East benefiting from data analytics?

RA: The risk horizon in MENA is changing rapidly, multiple segregated views over risks and opportunities are no longer useful, as they can cause organizations to lose track of real risk and performance indicators. And with an abundance of technology solutions available in the market, implementation without a clear unified strategy will also prove detrimental, increasing noise and reducing visibility. The largest challenge we foresee today is how well equipped organizations are to collect and assimilate data, and translate that into relevant information, that can in turn be used to hunt for real flashing red lights. Decision makers are measured by their ability to digest the immense volumes of information into insights, identifying first-movers advantages, while avoiding challenges that may have severe repercussions to their own organizations.

Organizations need to enable their lines of defense with a uniform structure and enable technology that looks at all traditional aspects of risk management, and capitalize on emerging analytical and dynamic visualization capability. This should be with two clear goals in mind: One, aligning the entirety of their Risk Management Operations to be clearly in line with business strategy; two, leverage the aggregation of the various risk function capabilities with information to Detect, Hunt and Respond to the risks and opportunities that really do matter to the organization

ID: In today’s dynamic business environment in the MENA region most of the leading organizations irrespective of the sector or size adapted to Risk Analytics to manage their risks effectively and efficiently. It is difficult to classify the leading countries in terms of the adaptation, however UAE, KSA and Qatar are the early adapters of this concept. The adaptation primarily materialized in risk areas such as operations, regulatory compliances, supply chain, finance and credit

So how can data analytics be used from an internal audit perspective? 

ID:  Big data and Analytics is changing the traditional way of managing the business, and internal audit function cannot stay away from it. The IA function must adapt analytics to keep pace with or outpace the business. In the context of IA, analytics is the analysis/mining of the entire population of data to gain the insights and reduce risks to improve the business performance and maximize the business value.

Analytics can be embedded into the entire IA lifecycle- from Risk Assessment, Audit Planning, Audit Execution, Audit Reporting, Action Plan to Continuous controls monitoring.

IA Analytics enables the IA function to explore the unprecedented data using various analytics techniques such as descriptive, predictive and prescriptive (machine learning etc..) from both external and internal sources. Hence IA function can identify the hidden patterns and attributes that were never visible before and increase the audit coverage.

Nowadays, Analytics become an inevitable part of IA function that many of the audits cannot be done without the analytics element on it for example; Inventory, Financial Statements, Account Receivables and Account Payables.

What about using data analytics for continuous auditing?

ID:  By definition Continuous auditing is an automatic method used to perform auditing activities, such as control and risk assessments. Data analytics tools and technology plays a pivotal role in facilitating continuous audit by helping to automate the data extraction processes, identifying exceptions or anomalies, analyzing patterns and trends, sending customized alerts for the stakeholders and building dynamic dashboards for digital devices.

Building the continuous audit capabilities into the IA function is a journey that involves significant time and effort. EY has developed the maturity model (Refer: Appendix- IA Analytics maturity model Image) that provides a useful way to measure an organization’s IA analytics progress. Many of the early adapters of data analytics in the MENA region has already achieved the Continuous Audit Maturity level and further pushed the analytics to management and continuous control monitoring phase (optimized maturity level).


Do you think the use of data analytics would impact internal audit’s relationship with the Audit Committee and other key stakeholders?

RA: Audit Committee members and executives are privy to sector trends in relation to risk management, we increasingly see AC members demanding more insightful reporting, and deeper analysis and predictive insights into what can go wrong and where.

ID:  Companies are moving toward using the IA function for comprehensive, top-down enterprise risk assessments and stakeholders are placing a greater emphasis on how IA can play a role in evaluating and mitigating risk. The role of IA is shifting from an independent assurance function to that of a trusted management advisor with the help of IA analytics. IA analytics provides deeper visibility of the risks, enables dynamic monitoring of risk and mitigation plans, helps to predict the future risks and identify the new business opportunities.

There seem to be several data analytic tools in the market. How can internal auditors decide on what is the best tool for their department?

ID: Yes indeed, the current market is flooded with numerous analytics tools and technologies which makes the tool selection process a bit complex, but since the tool is one of the key success drivers of the IA analytics journey, it is really important to select the right tool for your business. Ideally          an IA function should select the tools based on four capability parameters;

  1. Self-service analytics: Whether the tool is easy to use with very minimal technical knowledge?
  2. Variety and size of data: What type and size of data the tool can work with?
  3. Data visualization: How easy to visualize the data and make the user engaging reports?
  4. Mobility: Whether the tool or output can work on mobile devices?

Since the inception of self –service, data visualization, big data and mobile analytics concept the traditional IA analytics tools are shadowed by modern analytics tools and they are becoming very prominent in the Audit Analytics industry.

“KRI’s and KPI’s are two sides of the same coin. Organizations looking at one without the other is potentially missing the bigger picture”, – Raddad Ayoub, Partner, EY

Any recommendations on how internal auditors can start their data analytics journey? 

ID:  IA must integrate analytics into its audit processes to keep pace not only with the business but also with the organization’s competitors, hence Analytics is not a “nice to have” but a “must have” component for the IA function.

RA: In our region, Internal Audit is at the forefront of risk management and takes the driving seat to change in our discipline. Frequently, we see risk transformation initiatives, including those related to data risk analytics, championed by the Internal Audit Function, although they may not be the exclusive stakeholder (and sometimes even a third party to that transformational scope!). By adopting leading transformational initiatives, Internal Audit is playing its role in protecting the organizations most important assets, and ensuring that the science and art of risk management stays ahead of change.