Big Data demands and enterprise resource planning (ERP) systems are now commonplace in the business environment and not restricted to larger audit engagements. Auditors must deal with the lack of transparency that automated systems create by placing computer procedures and configurable controls between the auditor and data. To facilitate data access and automation opportunities for auditors, the AICPA Assurance Services Executive Committee (ASEC) has developed a new set of data specifications, the Audit Data Standards (ADS), and is exploring ways to work with vendors to facilitate the development of semiautomated to fully automated audit tools.
By shifting the tool set, auditors and companies will be freed from dependence on disparate data systems and repeated requests for data. The audit program will become a mix of automated steps, manual linkages, and auditor judgment that will improve the quality of evidence and strengthen the assurance function. The result will be a flexible, modular approach that can be adapted and expanded as the environment changes.
THE AUDIT DATA STANDARDS (ADS)
Auditors often cite the process of requesting data as one of the primary obstacles in completing their engagement. ASEC has developed voluntary IT audit data standards that aim to address the issue by creating a common data store that would replicate existing enterprise data and make it accessible to auditors, either on a continuous or periodic basis.
The goal behind ADS is to make data available on demand. As a start, the AICPA has worked with companies, ERP vendors, and internal and external auditors to understand what data they need.
The first release in this new ADS series included a set of base standards, as well as ones covering the general ledger and accounts receivable. These were designed with retail and commercial sectors in mind. The second wave will fill out the rest of the “order-to-cash” process, the “procure-to-pay” process, and the accounts payable subledger. Plans are underway to develop other significant business processes, then to tailor them for industry sectors (such as financial services, health care, etc.). International differences may also be considered.
THE AUDIT PLAN
The traditional audit plan typically entails a series of preordered steps with the objective of addressing a series of audit assertions, relative to the value of assets and flow of resources. Higher-level assertions are supported by a series of subassertions relating to issues such as existence, completeness, valuation, and accuracy of the organization’s transaction accounts.
Audit organizations have historically fulfilled this verification by performing audit procedures mandated by a mixed set of GAAS, including audit procedures based on prior experience, evaluation of controls, and professional judgment. Many of these standards have been in place since well before current technologies were available, advanced analytic methods were developed, and data evolved into “Big(ger) Data.”
The modular audit, supported by data organized using ADS, will transform the audit plan into a control program that uses a mix of manual methods, automated modules, and defined decision points to improve the assurance function in an evolutionary (not revolutionary) path. The new audit plan is more detailed with more discrete steps aimed at taking advantage of formalization and automation. The future audit environment will be driven by the automated audit plan in conjunction with IT systems (including ERPs), the extraction of data according to the ADS into a common data repository, and audit apps (see Exhibit 1).
INTEGRATING ANALYTICS WITH JUDGMENT
Integrating analytic methods and new technological evidence into complex decision processes has been common in disciplines ranging from medicine to astronomy. Decision-makers must understand the nature of the evidence received, be willing to rely on it, and automate simple decisions (while still controlling more complex decision structures).
The modular audit falls into this pattern and presents a quandary to the auditor: what tools to use, what simple decisions to delegate, what experience to formalize, and where to rely on intuition and unstructured knowledge. Although there is a compelling case for the modular audit, this audit is not mechanical but very much decision-based and driven by humans.
Auditors should look at their existing audit program and objectives as a master control program, which would guide the auditor on data to be collected, tools to be used, and where traditional methods and judgments should be employed.
The transition from an existing audit program to the more comprehensive and informative master control program can follow these steps (see Exhibit 1):
- Identify audit assertions and procedures. Although it is expected that many vendors will supply some preprogrammed master control plans, many large firms will prefer to develop their own programs. This will require the formalization of audit steps in view of assertions and preplanning contingent on the outcome of the prior steps.
- Identify common data points and build a common data repository. The proposed data standards will determine and facilitate both data provisioning and applications usage. Most common ERPs and popular accounting packages will eventually have a common data repository layer provisioning the necessary data.
- Develop automated audit apps based on the audit plan. Audit programs are to be progressively automated with the use of the common data repository and the adoption of a progressive set of apps. Auditors will “link” the results with more traditional audit evidence gathering, inference, and decision-making.
- Deploy audit apps and audit by exception/trend analysis/risk assessment. Adapt the audit program with the realities of the audit findings by performing additional analyses, adding more apps, and reevaluating the early steps. Human decision-making will serve to glue together the pieces of evidence and analysis obtained with the apps. This linkage will allow further formalization of judgments, improved legal defensibility, and the formalization of higher and higher forms of judgment.
Eventually, the audit will include intensive logging of the company’s production activities, as well as of audit actions and outcomes. These logs will help to clarify variations from original processes as well as document and support the audit practices.
DEPLOYING AUDIT APPS
Audit “apps” are defined as formalized audit procedures that can be performed by a computerized tool. An app may perform tasks as simple as computing ratio analyses, or it may perform complex queries that identify trends and allow auditors to drill down into the data to discover the specific causes of an abnormal account or activity. Audit apps are similar to computer-assisted audit tools (CAATs), but they differ in that they are built around the common data repository and are designed to be highly interchangeable. Furthermore, an online community may be developed where auditors and developers can create and share audit apps based on popular software tools. Audit apps may consist of a script or procedure that compiles, analyzes, or presents data in a number of formats, for example (see Exhibit 2):
- Dashboard—provides a quick snapshot of a data state;
- Analytic—statistical or summary procedure;
- Query—pulls records matching specific criteria;
- Trend—evaluates values over time;
- Ratio—compares relationships of data;
- Data matching—used to find duplicate or missing data; or
- Classification—groups data elements on similar attributes.
Choosing or developing audit apps begins with the audit plan. An audit plan covers many objectives and areas. Defining the key steps in the audit, either from an existing audit plan or from scratch, allows auditors to determine which audit procedures can be supported by technology and which require more manual work, all of which require the auditors’ judgment. As the audit plan is redefined in the current context of the organization, new and different tests and functions centered on the continuous flow of data are likely to be discovered.
Each audit app can run independently of, or in conjunction with, other apps to provide assurance on the overarching accounting information system. Most could be scheduled to run automatically on a daily or weekly basis. Auditors may be able to choose audit apps that fit their risk-based audit from an online community. They also may be able to share tools they have developed and get feedback from other auditors who are doing similar audit tasks. Ultimately, the auditors would use a dashboard with indicators informing them of high-risk business processes and alerting them when individual transactions appear outside of acceptable materiality thresholds defined by the auditors and included in audit apps.
Although apps as advocated here do not yet exist, many existing audit applications from commercial software, from academic research efforts, or from audit firm toolkits can be turned into apps. Piece by piece, the modular audit can be developed and enhanced around these audit apps and the common data store.
An automated audit eventually includes an increasing number of new forms of audit evidence, which may include alerts from continuous monitoring/audit procedures, analytic contingency tables (e.g., if “event” occurs, initiate an additional audit module), or forward-looking data from operations. In situations where there is a reasonable suspicion that a company’s production data may have been altered, additional controls (called metacontrols) can verify the audit trail of system access and process logs for unusual behavior, similar to network intrusion detection tools. The use of these techniques relies on adequate logging and well-controlled super-user access.
AUDIT PRODUCTS IN THE FUTURE
The implementation of ADS will provide auditors with readily accessible data in the application of audit apps and, combined with partial automation of strategic functions within the audit, will free auditors to use their professional expertise and judgment in more productive and useful ways.
On the audit side, less time will be spent extracting, pairing, and formatting data (which the automated process does for them), so auditors can devote more time looking for trends, outliers, and anomalies, and applying professional skepticism, including intuitive skepticism. The auditor will be able to work with management to gather additional audit support, resolve glaring issues, and develop a more risk-based approach to the overall audit plan.
Organizations’ use of automated transaction and controls monitoring also will create an opportunity for auditors to evaluate the audit apps and monitoring techniques. Skilled auditors would evaluate the status of the monitoring platform, the scope and appropriateness of rules and analytics, and the functionality of specific rules. By developing an understanding of the ADS and audit apps, both technically and conceptually, the auditor will be in a position to shift the audit program to include this controls evaluation.
The issuance of the ADS and its further development will bring the vision of automation closer to reality, as multiple sources of audit apps are expected to rapidly become available. Audit software vendors have large libraries of scripts that can be developed into immediately usable apps.
As auditors gain greater access to data and audit procedures that can be performed by a computerized tool, the role of the audit will become more like a master control plan, which includes greater automated controls and greater timeliness.
The audit environment requires auditors to be more forward-looking and generate new methods and techniques for evaluating enterprise data.
Given access to a common subset of audit-specific data, as proposed by the AICPA Assurance Services Executive Committee, auditors can overcome one of the main audit challenges to an engagement—data access.
A community surrounding audit apps will encourage auditors to develop and deploy better analytical tools. This allows greater creativity and promotes understanding of underlying analytics by the audit community.
Analytics are only part of the equation. As more work is performed automatically, auditors will have the opportunity to focus more on honing their judgment to the client’s environment. This may require additional training for the auditors, but it will produce higher-quality audits.
Miklos A. Vasarhelyi (firstname.lastname@example.org) is the KPMG Distinguished Professor of Accounting Information Systems and director of the Rutgers Accounting Research Center/Continuous Auditing & Reporting Laboratory (CARLAB) at Rutgers University in New Brunswick, N.J. J. Donald Warren Jr. (email@example.com) is an assistant professor at the University of Hartford in West Hartford, Conn. Ryan A. Teeter (firstname.lastname@example.org) is a clinical assistant professor of accounting information systems at the University of Pittsburgh. William R. Titera (email@example.com) is a retired partner at Ernst & Young LLP.
To comment on this article or to suggest an idea for another article, contact Neil Amato, senior editor, at firstname.lastname@example.org or 919-402-2187.
Audit Data Standard working group resources site
Bill Titera explains Audit Data Standards on video