Data Access and Evidence Integrity

The Data Access Imperative

Why internal audit's right to unrestricted data access is a professional standard, not a preference.

Governing standard: IIA 2024, Principle 6, Standard 6.2
Access requirement: Unrestricted (mandatory, not conditional)
Charter status: Mandatory (required by IIA minimum charter standards)
Governance risk: Write access only (read-only is architecturally consistent)

The professional standard

The 2024 IIA Global Internal Audit Standards establish that internal auditors must have unrestricted access to the data, records, and other information necessary to fulfill the internal audit mandate.

This requirement appears in Principle 6 -- Authorized by the Board -- and is a mandatory component of the audit charter under Standard 6.2. The word "unrestricted" is not qualified. It does not include exceptions for governance lockdowns, ERP transitions, or data ownership concerns. When audit cannot access data directly and reliably, the professional standards governing the function are not being met.

What the charter must say

Under the IIA's minimum charter requirements, the internal audit charter must explicitly authorize full, free, and unrestricted access to all records, data, information, physical properties, and personnel.

Board responsibility
A condition the board is responsible for ensuring
The 2024 Standards, analyzed in detail by BDO, establish that board support for the function must include unrestricted data access as an essential condition -- not a recommended practice, but a condition the board is responsible for ensuring exists.
Governance consistency
ERP frameworks should be reviewed for charter alignment
Organizations that have invested in post-ERP governance frameworks should review whether those frameworks, as currently designed, are consistent with the charter requirements they have approved. A governance framework that inadvertently blocks charter-required access creates a compliance gap at the board level.
Charter minimum
Explicit authorization, not implied permission
The charter must explicitly authorize access -- implied permission is not sufficient under the 2024 Standards. This means audit leadership should review charter language to confirm it uses the access language the standards require, and update it if it does not.

Evidence quality and the intermediary problem

Internal audit evidence is held to a higher reliability standard than internal reporting. Audit findings carry organizational and professional accountability; operational dashboards do not.

Reliability chain
The chain of custody runs through someone else's process
When data must pass through an intermediary team that does not own validation of what it provides, the reliability of audit evidence becomes contingent on a team external to the audit function. When findings are challenged -- and significant findings will be challenged -- audit's ability to defend the underlying data is weakened.
ICAEW guidance
Analytics credibility depends on data quality governance
ICAEW's guidance on analytics governance identifies data quality as the primary credibility risk in analytics-driven audit work, noting that trust can be rapidly lost when results are inaccurate or unreliable. Data quality that sustains that trust is not achievable through an intermediary who does not own validation of what it delivers.
Practical consequence
Two problems emerge simultaneously
First, audit evidence reliability becomes contingent on an external process. Second, when significant findings surface and management pushes back, the audit team's ability to stand behind the evidence is structurally compromised by its dependence on the intermediary's extraction and validation.

Read-only access is not a governance risk

The governance concern that drives ERP access lockdowns is write access -- the risk that users can make unauthorized changes to transactions, master data, or system configurations.

Audit is not asking for an exception to governance
SAP's own access architecture distinguishes explicitly between display authorization and write authorization, with display-only being the baseline minimal-risk configuration. Granting audit read-only access with expanded query scope is architecturally consistent with the governance principles that justified the lockdown. Audit is asking for access that the governance framework should have included from the start.
SAP architecture
Display vs. write: a built-in distinction
SAP's authorization framework separates display-only access from write access at the object level. Granting audit display authorization for the tables and transactions relevant to its mandate does not implicate any of the risks that drove post-ERP access lockdowns.
Governance alignment
Read-only is consistent with lockdown principles
The principle behind post-ERP governance lockdowns is preventing unauthorized changes to data and configuration. Read-only access is entirely consistent with this principle -- it is, by definition, incapable of producing the risk the lockdown was designed to prevent.
The reframe
Oversight access was always part of the framework
Internal audit's access requirement is not a late-stage request that conflicts with governance. The IIA Standards require it. The audit charter mandates it. The governance framework should have included read-only audit access in its design -- and correcting that omission is not an exception, it is a completion.

What effective access looks like

The goal is not maximalist access. It is access that lets audit follow the evidence without structural impediments.

Five characteristics of functional audit data access

  • Direct, validated access to source system data -- without routing through a reporting layer or intermediary team
  • The ability to self-direct data queries in an exploratory, iterative way as the engagement develops
  • Native system tools where available -- SAP Fiori analytics apps, Business Integrity Screening for continuous monitoring
  • Microsoft Power BI integration for visualization and reporting, consistent with enterprise tool preferences
  • Documentation of data extraction and validation as part of the working paper file, preserving the evidence chain

The disclosure obligation

If data access limitations materially constrain internal audit's ability to fulfill its mandate, the IIA Standards require the chief audit executive to disclose this to the audit committee and discuss the implications.

This is not an escalation tactic. It is a professional requirement.

This disclosure obligation is built into the standards that govern the function. It is not discretionary. Organizations that understand this typically find ways to resolve access constraints before the disclosure becomes necessary -- because the alternative is an audit committee conversation that nobody wants to have after the fact.