Organizations act in a very dynamic and international environment. This requires a financial auditor to constantly adapt to new developments. In addition to automating the financial audit workflow (e.g., electronic audit files), auditors usually begin by performing some data analytics of transactions (e.g., analysis of journal entries): a good step forward which, for example, helps comply with the increasing number of regulatory requirements. However, quite frequently the financial audit approach is not updated or adjusted and the real benefits of the application of data analytics in a financial audit context are not fully exploited. Therefore, a new approach is called for, which we refer to as the “data driven dynamic audit”.
Data analytics aiming to enable a more effective and efficient audit is becoming more and more common in (financial) audit approaches from both internal and external auditors. However, the application of data analytics in today’s financial audit approach is mainly focusing on the analysis of routine transactions in the company, e.g., transactions and controls in the purchase-to-pay-process and on the analysis of manual journal entries. Although a further embedding of this type of data analytics in the end-to-end financial audit approach remains necessary, much progress still needs to be made when it comes to developments to engage with data analytics in the non-routine transactions of a company. This includes the application of data analytics in the areas of risk assessment, impairment testing, benchmarking, anti-fraud procedures, going concern, etc.
This article explores several developments in the sources and types of data which can be used in the financial audit and how these may impact the audit approach and the auditor.
Data Driven Approach
Both internal and external auditors have a wide variety of data available that can be relevant from a financial audit point of view. In most cases, however, the auditor focuses on data that is available in the organization itself. Generally this data is from a ‘known’ and structured source, e.g., the organization’s ERP environment or Business Intelligence environment.
The (data) landscape is changing and growing in the sense that organizations are also exploring the possibilities of utilizing data from outside the organization’s perimeter, with a view to improving the management’s view and creating new business opportunities. This change in the use of data as part of the daily operations in an organization also has an impact on the data and information the auditor needs for his financial statement audit. The financial auditor will not only need to join the data journey within the organizations, but also needs to include externally available data to implement a data driven dynamic audit.
Over the last few years, the effect of the changing data landscape on the audit approach has gradually increased and more and more auditors are embracing these technologies, increasingly using information technology in the audit. However, as was noted in a recent American Institute of Certified Public Accountants (AICPA) whitepaper: “For the most part, IT has been used to computerize and improve the efficiency of established processes rather than transform or replace them. Consequently, improvements have been incremental rather than transformative” ([AICP14]). Accordingly, a lot of work still needs to be done to transform the audit rather than improve on what auditors have been doing over the last 50 years.
When we take the example of a medium-sized retailer with a relatively simple IT backbone and automation, the financial auditor will probably rely on his own knowledge of the industry and a structured balance sheet and income statement based on the organization’s ERP system to perform the risk assessment and plan for the audit procedures. However, the use of public data can also have an impact on how we interpret risks residing in the environment of the organization, even more than in the case of using internal data alone. Numerous books and articles have been written on subjects such as the impact of social media on the business of a retail organization (e.g., how to address complaints made via social media). If, however, social media influence the retail organization, why should not the auditor use this data to plan his risk assessment procedures for the financial audit?
To better understand the different categories of data and the relevance of these categories for the financial auditor, a Data Category Framework has been defined. This framework (see Figure 1) includes the data available within a company as well as externally available data. In addition, the framework links structured (e.g., databases) and unstructured (e.g., video, social media) data to either category. The four individual elements are described below.
Figure 1. Data Category Framework.
Structured Internal Data
This category of data typically refers to the data sources managed, owned and created by the organization itself and contains the transactional data that is used in the core business and supporting processes of an organization. The data life cycle from creation to destruction normally follows a predefined, structured path, determined by e.g., the company’s policies and procedures, in combination with the way the system has been set up. Examples include the transactional data stored in the ERP system (AP/AR invoices, Purchase Orders etc.), customer data stored in the organization’s CRM environment or personnel data stored in the HR system. We refer to this data as structured internal data, irrespective of where the data is physically stored – be it in the cloud, on the premises or with a hosting provider.
An international retail organization buys its own production forest to ensure the delivery of high-quality wood for its own production. The forest, however, is adjacent to a protected wildlife area. Threats to occupy the production forest have recently been posted on social media by activists claiming that the production forest threatens the fragile wildlife in the nearby protected area. Should the financial auditor be aware of such threats for his audit of the impairment test on the biological assets of the company? It is very much the question whether the financial auditor will be able to adequately audit the impairment test by solely using the data available within the organization.
For the auditor, structured internal data is a rather convenient category. This type of data has been used as part of the financial statement audit for decades and is usually the basis for all testing procedures. As a rule, this category of data is also the starting point for applying data analytics procedures as part of the audit approach (data analytics for automated control testing, manual journal entry testing etc.). Opportunities for further enhancement of data analytics routines in this area lie in using this data to drive the internal aspects of the risk assessment, performing analytical procedures as part of the planning phase of the audit, further optimizing the use of this data in both interim and year-end audit procedures (e.g., the application of process mining tooling as part of the process walkthroughs) as well as using this data for predictive analytics.
By using suitable analytical procedures, the results of the analytics on this type of data can provide almost complete assurance over the correlation between the cash and goods movements, for example, limiting the additional requirements to perform substantive test procedures in the year-end audit. See also the article regarding the goods/money flow data analytics by Bram van der Heijden and Satiesh Bajnath in this issue of Compact.
Unstructured Internal Data
Presumably, even the larger part of the data residing within an organization can be categorized as unstructured internal data. Estimations are that 80% of companies’ data is unstructured ([Wiki15]). This category of data is known by the fact that it does not normally follow the regular data life cycle flow; no predefined policies or processes are in place to govern the data from creation to destruction and the systems supporting this category of data are usually more like data sharing platforms. Examples of this category include SharePoint environments, an organization’s internet and intranet websites, videos, PowerPoints, emails, firewall traffic, etc.
From an auditor’s point of view, this type of data can be of high interest for the financial statement audit, as these data sources normally provide the guidance on the organization’s processes, input for the risk assessment as well as evidence for the control testing (e.g., approval emails, process descriptions).
Examples of unstructured data in the audit
A listed company has created a SharePoint environment to document its Risk and Control Matrices (RCMs) as well as the test procedures for its Internal Control Statement. Over time, such a SharePoint becomes a valuable source of data for the auditor as it can include all kinds of approval emails, procedures and work instructions, results of the control testing etc. By applying data analytics procedures (e.g., advanced text analytics), the auditor can gain insight into possible gaps in the risk assessments that have not been addressed in the RCMs.
In case of a serious security hack (the Sony hack in 2014, for example) including information leakage of the company’s IP, the firewall log data or email traffic can be analyzed to identify possible unwanted traffic and to evaluate the risk of a devaluation of a company’s assets, for example in the case of unwanted access to intellectual property. In a scenario of identifiable personal data leakage, the auditor should also be aware of possible claims or fines and, as a result of this, of the potential impact on accounting (provisions) and financial statement disclosures.
Structured External Data
The use of structured external data is already being explored in the audit domain and is characterized by the fact that the data life cycle follows a path similar to that of internal structured data, except that the data is not owned or managed by the organization itself. This category of data includes data coming from, for example, analysts or subject matter experts, industry data, going concern analytics or from the organization’s supply chain environment.
This data category is very promising, not only from an auditor’s point of view, but also for the organization itself. However, the application of data analytics using this category of data in a financial audit setting is limited.
Examples of unstructured data in the audit
WoodMackenzie is an international intelligence organization specializing in analyzing data within the energy, metal and mining industries. For oil fields around the world, WoodMac created several industry databases that include detailed data on the volume of their production capacity, possible future decommissioning dates etc. Organizations themselves hardly use this type of industry data as they have it in their own systems. The external auditor, however, can use this external data in evaluating the oil wells for the purpose of challenging the organization in this process, and specifically in identifying the potential impact on the financial statements (e.g., asset valuations and reserves disclosures).
When performing a supply chain audit, the auditor normally relies on data coming from the organization’s own ERP environment. Opportunities to increase assurance throughout the value chain, however, lie in combining the internal data from the company’s ERP environment with the external data of its suppliers (sales of organization A should be equal to the purchase of organization B). However, it would require the full co-operation of the supplier to gain access to the data.
Unstructured External Data
The last data category – unstructured external data – can likewise be utilized for the audit. This category of data follows a completely different life cycle path, can be created ‘by the many’ and ‘for the many’, comes from data sources normally irrelevant to the financial audit (e.g., radio and TV) and in some cases does not even have a clear source of the data (e.g., social media).
To perform data analytics on this category of data, an auditor needs to be equipped with more than just basic analytical skills to analyze, process and assess the usability of this data as part of the (financial) audit. He needs to invest in (advanced) tooling to retrieve and process the data, he needs to develop analytical skills to analyze and interpret the data and he needs to understand the impact of this data on the audit as well as his profession.
The current technology or the availability of adequate tooling to analyze the data is not primarily the issue. Social media or news analysis solutions (e.g., Bottlenose, Owlin) are already available in the marketplace. The challenge rather lies in convincing the auditor to use this kind of data and to use these insights for the purpose of meaningful information for the audit approach.
Example of unstructured data in the audit
A traditional financial audit starts with a risk assessment and planning phase at the beginning of the year. Risks are normally determined on the basis of last year’s audit, the insights in the organization and sector knowledge of the audit team. Whilst this information used to be sufficient to drive most risk assessments, the information used was rather limited and based on static information. By using social media data and news analytics, for example, the auditor can analyze more news and information streams with a view to understanding specific risks or trends for the company. Furthermore, this can be done not only at the beginning of the audit, but on a continuous and automated scale, enabling the auditor to adapt audit procedures whenever necessary and provide the organization with insights of its environment that it might not even be aware of.
Example of an external unstructured data analytics solution: Bottlenose
Bottlenose is a web-based unstructured data analytics solution that uses complex algorithms to analyze large amounts of streaming data. This ranges from Twitter and online news-feeds to radio and TV broadcasts. On a daily basis, Bottlenose analyzes over 72 billion data records. Such an enormous amount of data can never be analyzed by one person, Bottlenose provides unique opportunities in a (financial) audit setting.
Let us revert to the earlier example of a retailer who owns his own production forest. By using an online and live stream analytics solution such as Bottlenose, the organization as well as the auditor can immediately spot any potential threats to its biological assets once a message has been posted online (and goes viral). Rather than waiting for the actual damage to be done and being too late in identifying the impact on the valuation of the assets, the organization can immediately point out this development and act upon the potential impact.
Figure 2. Bottlenose.
Impact on the Financial Audit
All these new and improved capabilities and potentialities of data analytics as discussed in the previous section will have a significant impact on financial statement audits and open the door to further audit innovations. When determining the potential impact of the aforementioned data categories on the innovation of the audit approach, we can cluster this in the following brackets of improved quality:
- Quality of execution
- Quality of insights
- Quality of opinion
In this paragraph we will describe the audit innovations in all three.
Quality of Execution – Towards a Dynamic, Tailor-Made Risk Audit Approach
Traditional financial statement audits are planned and performed following four sequential steps (see the Audit Methodology shown in Figure 3). Every audit starts with audit planning (including a risk assessment) and continues with controls and substantive testing, after which the audit findings are evaluated and the audit opinion is issued. The control evaluation is typically performed in the fall during the interim audit, while the substantive end-of-year testing procedures are performed after the balance sheet date.
Figure 3. KPMG Audit Methodology.
New capabilities and potentialities of data analytics can have a major impact on the traditional audit procedure. The availability of internal, structured transactional data has already had an impact on current financial statements audits. It allows audit teams to switch – among other things – from a control-based audit approach to a substantive audit approach with multiple testing periods throughout the year while testing large transactional processes such as purchase-to-pay or order-to-cash transactions. The more powerful the data analytics tooling, the more the financial statement auditor will be able to identify and follow up on potential errors in the data analyzed at an early stage. This will allow financial statement auditors to tailor the audit approach specifically to the transactions with higher risks soon after the transaction has taken place, allowing auditors to perform a dynamic, tailor-made risk audit.
Quality of Insights – Towards an Enhanced Audit
In addition to audits of transactional data (internal structured data), the developments in data analytics methodology and tooling also enable auditors to use external and unstructured data in financial statement audits. The purpose is to perform risk assessments, external benchmarking, challenge the valuation of certain assets, identify misbehavior of employees of the audit client and to perform anti-fraud procedures. As yet, this type of data is not common in the majority of the current financial statement audits. Extending data analytics in the audit by using external and unstructured data will allow auditors to enhance audit insights and provide new and fresh perspectives for the audited companies and, if relevant, the users of the auditor’s reports.
Quality of Opinion – Towards a More Skeptical Audit
Improved data analytics techniques allow auditors to change the audited sample of transactions and/or challenge the management’s statements in a different way. Regulators and users of audits are demanding for professional skeptical auditors, and data analytics can enable the external financial statement auditors to change their audit approach and further challenge audited organizations in a different way. The use of data analytics for the audit of internal transactional data enables auditors to audit the entire population of processed transactions instead of the review of samples and/or internal controls over the transactional processing. Exceptions and errors can easily be identified and followed up based on the data analytics performed. Furthermore, the incorporation of data analytics on external and unstructured data in the audit will help auditors improve the quality of opinion. Likewise, external data can be used to challenge the management’s assertions. Any claims by the management with regard to asset valuations and antifraud-related issues are now typically supported by internal data, and can be challenged with the help of external data by implementing the data analytics techniques and tooling mentioned in this article.
Transforming the Financial Audit into a Data Driven Audit
The auditor can only successfully transform the audit by using (advanced) analytics and combining all different types of data categories in the audit. Risk of material misstatement on the valuation of a company’s assets can be better determined if risks residing outside organization are also taken into account. However, the success of this transformation does not depend on more activities within the framework of the financial audit, but rather requires a change in how existing tooling and technology are being utilized by the auditor to perform an effective and efficient audit. In other words, a change in the behavior of the auditor is more likely to be the critical success factor in this transformation. The tools that can drive this transformation are already available. The question is how, and to what purpose the tooling in the audit is used, and how much time the auditor spends using data analytics in the audit.
When plotting the actual time spent by the auditor when applying data analytics techniques in the financial statement audit, it turns out that most of the time is in fact spent on analyzing routine transactions (e.g., journal entry testing, automated controls within the purchase-to-pay process etc.), using internal structured data (see Figure 4).
The change in the behavior of the auditor would require him to flip the time pyramid by actually spending more time on non-routine transactions and reduce manual efforts in test procedures for routine transactions. After all, if the organization can automate its routine processes altogether, why should not the auditor follow the same approach and automate the entire routine testing? An additional side effect of this change is to further unlock the highest added value of the auditor, which is auditing the non-routine transactions rather than the routine transactions.
Figure 4. Possible impact of a Data Driven Dynamic Audit Approach on the efforts of the auditor.
The auditor cannot flip the pyramid just by himself, however. Once the auditor has made up his mind to change his approach into one where he performs manual audit procedures only where he cannot (yet) use data analytics, you could also argue that the auditor needs a different eco-system to be successful in applying data analytics on non-routine transactions. The non-routine transactions represent non-standardized processes, more often than not with a relatively high risk profile. To test such transactions, (costly) advanced data analytics would be required using tooling which as yet is not available to all auditors. In addition, it would require significant investment for any audit firm to develop such tooling and to train the auditors on how to apply such data analytics procedures. To design and build tools that support advanced data analytics, one would also need to have extensive expertise on the subject, and needs to understand how to perform analyses using automated tools and techniques. Such an ecosystem should combine external subject matter expertise (e.g., the academic world or specialist organizations such as WoodMac, referred to in the example above) with the right tools (e.g., partnerships with Google, Microsoft, IBM etc.) as well as the relevant experience of one’s own organization and the auditor.
The possibility of using data in the audit is not limited to internally structured data only, but also extends to external or even unstructured data. Advanced data analytics using unstructured external data has already proven to be a successful element to incorporate, for example, a continuous risk assessment in the audit, by using the external point of view (e.g., benchmarking) rather than the internal point of view only. We believe that these data categories should not be considered to exist in a vacuum, but should be combined in an overall audit approach, providing valuable, data driven insights into the quality of opinion, quality of insights and quality of execution of the audit. In addition, audit firms are also recognizing that they cannot do this all by themselves, and are building EcoSystems with third parties to be able to jointly transform towards the data driven dynamic audit.
[AICP14] P. Byrnes, T. Criste, T. Stewart and M. Vasarheyli, Reimagining Auditing in a Wired World, AICPA 2014/8.
[Wiki15] Wikipedia, Unstructured data, https://en.wikipedia.org/wiki/Unstructured_data, 2015.