Data Analytics and External Auditing
Data analytics is a new discipline for auditors. It requires a substantial investment in information technology. It is an important part of the response of larger and mid-tier firms to market demands in the larger-company audit market. Data analytics can be applied to a wide range of assurance engagements. Data analytics enables auditors to manipulate a complete data set – 100% of the transactions in a population – and for non-specialists to visualise results graphically, easily, and at speed.
Data analytics enables auditors to improve the risk assessment process, substantive procedures and tests of controls. While using such models Auditors need to understand them, and to exercise significant judgement in determining when and how they should be used.
Some businesses already analyse their own data in a similar manner to auditors and cover some of the same ground. As these business analyses become deeper, wider and more sophisticated, with a focus on risk and performance, it seems likely that they will align at least in part with the risks assessed by external auditors. That in turn will affect management expectations about the focus and scope of external audit.
Auditing once involved a full examination of every transaction through the system. Auditors started to question this fully substantive approach in the 1950s. By the mid 1970s, risks analysis and controls testing, sampling and flowcharts, risk-based auditing standards and the concept of materiality were the norm. They have been the hallmarks of external auditing ever since. But had it been possible at either of those points in time to examine all of the invoices automatically, cheaply and fast, it is very unlikely that we would be where we are today.
In the modern era, data analytics challenges many established concepts, including the concept of an audit itself, as well as the way they are performed and regulated. Questions arise as to the importance of the distinction between risk assessment, substantive procedures and tests of controls when a complete data set is examined and at one level, data analytics should enable auditors to see the big picture again.
Data analytics represents a large-scale and long-term investment for auditors. While third-party providers can turn some of the fixed development costs into variable costs, most large firms to date have chosen to build their own platforms. Firms have not yet achieved the efficiencies that such projects require but this should change over time as auditors, regulators and standard-setters work out how to integrate these new techniques into the regulatory infrastructure.
Auditing standards are written on the assumption that it is rarely possible to test 100% of the transactions entered into by any entity. This is no longer true. One view is that the sheer scale of the work that can be performed using data analytics techniques changes everything and that, as a result, auditing standards need a root and branch modernisation to reflect the new techniques. Another view is that the basic concepts are sound and that auditing standards simply need to be modernised to reflect some powerful new audit techniques.
The challenge is not only to ensure that auditing standards can accommodate the new tools, but also to ensure that they contribute to audit quality, the level of assurance obtained by auditors and the value of the audit to investors and other stakeholders. Auditing standards, and regulatory scrutiny of their application, must also continue to encourage innovation in audit.
How Data Analytics can be utilised to improve Audit quality?
Data analytics involves the extraction of data using fields within the basic data structure, rather than the format of records. A simple example is Power View, an Excel tool which can filter, sort, slice and highlight data in a spreadsheet and then present it visually in variety of bubble, bar and pie charts.
Many data analytics routines can now easily be performed by auditors with little or no management involvement. Many routines can be performed at a very detailed level, and/or in total. The higher-level routines can be used for risk analysis to find a problem, while the more detailed analysis can be used to sharpen the focus, and provide audit evidence and/or insights.
Some routines can provide audit evidence to support judgements relating to the appropriateness of methods used in calculating accounting estimates. If a business has a policy of writing off any receivable over 90 days, for example, an analysis of the application of the method when credit notes are removed might result in the method appearing less appropriate if the routine shows that a large number of credit notes relate to billing errors.
Data analytics has been developed with a view to improving audit quality. Audit quality does not lie in the tools themselves – although it clearly cannot be achieved without tools that are fit for purpose rather it lies in the quality of analyses and judgements thereby facilitated. The value is not in the transformation of the data, but in the audit evidence extracted from the conversations and enquiries that the analytics generates.
How far the data analytics be utilised depends on the relationship between the maturity of an organisation’s IT systems and the extent to which management is open to the new techniques. Data analytics seems to work best where a business has been through a process of transformation, where ‘ … the cadence is more real time than quarterly’, particularly if management is in investment mode and is at a sufficiently mature stage of development to deal with risk through management controls, rather than focusing on transactions and data.
Auditors take a broad view of the benefits of data analytics to management. They talk about enhancing the quality, transparency and granularity of the audit report, audit execution and communications with management as well as insights.
Management wants more than the data it provides presented back in a different format. The sort of insights management is looking for include:
- views on control gaps: if there are control deficiencies that are subsequently remediated, are the outcomes as expected or hoped for? Have the blocks been removed? Is the right data released?
- quantification or measurement of the impact of manual interventions, control failures, the extent to which process is being applied and the consistency of controls application;
- the root causes of exceptions;
- internal benchmarking; and
- visualisation, often through dashboards.
Management is also looking for intelligent comment on integrity of management information not in the shape of management letter written six months after the year end rather six weeks after the year end.