External auditors were among the very first auditors to embrace data analysis as an important technology component of the audit process. I suspect I should not admit it, but I began to specialize in this area, within what was then one of the Big Ten, more than 30 years ago. During the 1990s, all of (what was then) the Big Six firms acquired site licenses for ACL data analysis software. Many of the firms were very influential in promoting the first use of analytics within the internal audit departments of their clients.
So, how far has the external audit profession progressed since those days when mainframe computers ruled and the very first commercially available microcomputer was just launched? I would rate the progress of the external audit world at about the same level as internal audit—with some great success stories, alongside a fair amount of wheel-spinning and disappointment.
There is still a long way to go to realize the full potential, but there are now many encouraging signs that a new spike in progress is underway.
For years we have heard how Big Four firms have used ACL software to analyze very large client data files to obtain rapid insight into risk areas. The firms have built suites of analytic tests specifically for testing general ledger journal entries in support of SAS 99 requirements to consider fraud in financial statements. Currently, many of the leading firms are investing heavily in large global projects with the objective of transforming the external audit process through the use of technology—with data analysis playing a key role and embedded closely into audit procedures. Many of the firms also see analytics as key areas for the provision of services to internal audit, risk, and compliance functions.
What are the driving factors behind all this investment? I expect most partners would refer to the need to improve audit quality, efficiency, effectiveness, while reducing risk. Of course, the underlying reason is that it makes good business sense.
So many industries have transformed their business models through technology that it is not surprising that the external audit business should want to do the same. Maybe all of these are good learning points for those internal audit and risk and compliance departments that are still in the very early stages of use of data analytics.
I believe another factor underlying many external audit firms’ current initiatives is a genuine sense that to fail to use technology effectively is professionally unacceptable and irresponsible. As a simple example: how can it be sufficient to select a small judgmental sample of transactions for scrutiny in order to conclude upon the validity of a very large financial statement line item—when it is possible to analyze every one of an entire population of millions, or even billions, of transactions and balances? Or, another question: how can you justify not using technology to audit systems that are completely technology dependent?
The public accounting and auditing bodies of the world are not exactly renowned for being at the forefront of change—but, as I have written before in this blog, I have been impressed by the efforts of the AICPA to publish Audit Data Standards. This is one important step in addressing a practical barrier to the use of data analysis. The AICPA is also currently looking at other ways to support the use of data analytics, such as standardized tests.
It will be interesting to see how external auditors respond to the trend for their clients to use technology in a more integrated way across the functions of internal audit, risk management and compliance.
We see leading organizations increasingly using a common technology platform to identify and assess risks and controls, as well as manage the internal audit and reporting process. The use of data analytics should be embedded throughout these processes. This trend makes a lot of sense. The question is the extent to which external auditors will make use of these systems to impact their own risk assessment and audit procedures and, ideally, avoid duplicating efforts more than necessary.
Although The IIA does refer in its professional guidance to the need to consider the use of data analysis, and produced some useful Global Technology Audit Guides on the topics, neither The IIA nor the AICPA has yet come up with strong and specific guidance on the role of data analysis in meeting audit standards. IIA president, Richard Chambers, has certainly done a great job in identifying increased use technology as a key area for the future of the profession—as have many CAEs in their responses to surveys. But there is still a significant performance gap between what the leaders of the internal audit profession are saying and expecting, and what some internal audit departments are actually delivering.
In the end, I think there are two compelling reasons that will continue to close this performance gap and drive the use of software and data analysis within all forms of audit, risk, and compliance:
(Source: ACL Blog)