Data analytics’ role in business assurance: Audit technology takes center stage (Part 1)
 

by John Verver CA, CISA, CMC




 

The need for assurance and audit

 

The past eight years have seen unprecedented business turbulence, with corporate fraud and subsequent corporate collapses compounded recently by one of the worst periods of economic uncertainty in memory. It is hard to think of another time when there has been as great a need for assurance over the integrity of business activities, and for that matter, those of government as well.

 

The need for internal audit, a profession dedicated to providing assurance, is greater than ever, and auditors are increasingly recognized as playing a critical role within the organization. Expectations are also rising that internal audit should be providing not only assurance over the business, but also the value-added activities that the profession has declared as part of its mandate.

 

How much assurance does audit achieve?

 

Most auditors are well aware that in times of overall budgetary constraints, the risks of fraud and error increase considerably. The recent “Occupational Fraud: A Study of the Impact of an Economic Recession” by the Association of Certified Fraud Examiners (ACFE) determined that the majority of respondents have found that the level of fraud by employees has increased, layoffs are affecting internal control systems, and fraud levels are expected to increase.

 

What do we mean by audit providing assurance? The literal definition of assurance, according to Webster’s, is “full confidence, freedom from doubt, certainty.” The Institute of Internal Auditors (The IIA) refers to the profession providing “assurance that internal controls in place are adequate to mitigate the risks, governance processes are effective and efficient, and organizational goals and objectives are met.” Therefore, the profession should provide organizations confidence and freedom from doubt over the effectiveness of risk management and controls.

 

The question I believe the profession needs to consider now is the extent to which audit actually provides confidence and freedom from doubt.

 

Let’s look at some traditional audit processes. Most involve a cyclical auditing approach, along with some form of sampling and manual testing and analysis, probably involving a walkthrough examination of the controls that are meant to be in place. Typically, having performed an assessment of a control at a particular point in time, reliance is placed on the presumed effectiveness of the control throughout a period, backed up by some limited compliance and substantive testing.

 

But what level of assurance is actually achieved when using a judgment or random sample approach to testing controls? How do we know that the controls in place are sufficient to address key risks inherent to the business process? Does audit have reliable insight into the risks of potential error, fraud and abuse?

 

It is only by examining the entirety of what has actually occurred that auditors can come close to providing a satisfactory level of assurance. What do I mean by this? Internal audit should examine every transaction to: 1) determine whether it complies with the controls that are designed to be in place and, 2) check for indications of activities and risks for which no control was designed in the first place. If we can do both these things – and, of course, do so efficiently – we can achieve a far higher level of assurance than through traditional audit approaches.

 

The role of technology

 

How can internal audit achieve this higher level of assurance? The answer is through the use of technology – specifically, data analytics technology.

In addition to increased assurance, data analytics enables:

 

·                      Audit and testing of 100% of transactions

·                      Risk assessment

·                      Continuous auditing

·                      Continuous monitoring

·                      Efficient coverage of the audit plan

·                      Enhanced quality of audit and findings

·                      Closer working relationship between audit and management

·                      Freeing audit resources to focus on new risk areas

·                      Quantifiable value-add

Comprehensive transactional analysis is shown to identify and reduce instances of fraud and error, as well as to make audit processes more efficient. The use of data analytics provides not only increased assurance, but also direct benefits to the bottom line, which is presumably what every business is seeking to achieve.

 

Over the past 30 years, business transactions have become increasingly electronic and data analytics technology use has evolved to now support a wide range of audit techniques. This provides numerous benefits in terms of efficiency and effectiveness. However, the vast majority of data analytics usage is still fundamentally based on a judgment and random sample approach described above.

 

What do the experts say?

 

The audit profession has clearly supported the use of data analytics technology in multiple surveys and reports over the past couple of years. Reports from The IIA and the Big Four accounting firms consistently refer to the critical role of technology to support audit’s evolving role.

 

For example: “Nearly 9 in 10 (auditors) rated continuous monitoring and auditing applications as most important, with data extraction and analysis, fraud detection, and risk analysis software close behind,” and “Chief Audit Executive interviewees said consistently that the ability to conduct data analysis was an essential skill for the future.” (PricewaterhouseCoopers, “Internal Audit 2012”)

 

Yet, recent surveys report a significant gulf between what is deemed important and what is actually taking place. A Protiviti 2009 survey found that the areas of Audit Process Knowledge in which there is the greatest “Need to Improve” are:

  1. Continuous Auditing and Computer-Assisted Audit Techniques (tied)
  2. Data Analysis Tools
  3. Fraud Monitoring
  4. Fraud Detection/Investigation.

 

PricewaterhouseCoopers’ 2009 survey and report on the “State of the Internal Audit Profession” reveals that “internal auditors are still grappling with a skills gap in technology…Only 28% reported incorporating data-mining and data-analysis tools for more than 25% of their audit work.”

 

This statistic is very telling. Despite the proven value of incorporating transactional analysis into the audit process and the successes of some internal audit departments, why is the profession generally behind in integrating analytics as a core part of audit strategy and process?

 

Reaping the benefits

 

It is known that extensive use of data analytics can transform the effectiveness, efficiency and value-add of internal audit. By providing the results of analysis to auditee departments, audit is able to drive the benefits of audit analytics into the business. At the same time, internal audit is able to provide a new level of assurance to the audit committee and other stakeholders.

 

While the overall objective appears very compelling, there is still a gap between the widely-accepted ideal and real-world execution.

 

What is preventing audit from more widespread use of analytics? Successfully incorporating analytics into the audit process takes time, skills and resources. The approach requires appropriate technology. However, successful use of analytics is clearly not just about technology: the people and process aspects are critical.

 

For a long time, the use of data analytics has tended to end up in the hands of specialists. Frequently, these specialists have made great contributions to their teams and the audits in which they are engaged. But if audit is to be serious about integrating analytics as a fundamental component of audit strategy, and actually reaping the rewards they can provide, then it needs leadership and direct involvement from senior audit management.

 

Overall, the most important requirement is a commitment to change, followed up by a solid plan.

 

 

-------- End of Part 1 -------

 

In the second part of this article, John Verver will address the practical aspects of integrating data analytics into internal audit and how to achieve the benefits of the entire range of analytics usage, including continuous auditing and continuous monitoring.

 

John Verver is Vice President of Services and Product Strategy for ACL Services. He has been heavily involved in audit technology for more than 30 years. An acknowledged thought leader on audit analytics, continuous auditing and continuous monitoring, Verver is an inaugural member of the Center for Continuous Auditing’s advisory board. He was a key contributor to The IIA’s General Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment and is a frequent speaker at global audit and control conferences. www.acl.com

 

 

 

 

 

The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet®