By Miklos A. Vasarhelyi, Ph.D., J. Donald Warren Jr., Ph.D., Ryan A. Teeter, Ph.D. And William R. Titera, CPA
How the Audit Data Standards and audit tools can enhance auditor judgement and assurance.
Big Data demands and enterprise resource planning (ERP) systems are now commonplace in the business environment and not restricted to larger audit engagements. Auditors must deal with the lack of transparency that automated systems create by placing computer procedures and configurable controls between the auditor and data. To facilitate data access and automation opportunities for auditors, the AICPA Assurance Services Executive Committee (ASEC) has developed a new set of data specifications, the Audit Data Standards (ADS), and is exploring ways to work with vendors to facilitate the development of semiautomated to fully automated audit tools.
By shifting the tool set, auditors and companies will be freed from dependence on disparate data systems and repeated requests for data. The audit program will become a mix of automated steps, manual linkages, and auditor judgement that will improve the quality of evidence and strengthen the assurance function. The result will be a flexible, modular approach that can be adapted and expanded as the environment changes.
THE AUDIT DATA STANDARDS (ADS)
Auditors often cite the process of requesting data as one of the primary obstacles in completing their engagement. ASEC has developed voluntary IT audit data standards that aim to address the issue by creating a common data store that would replicate existing enterprise data and make it accessible to auditors, either on a continuous or periodic basis.
The goal behind ADS is to make data available on demand. As a start, the AICPA has worked with companies, ERP vendors, and internal and external auditors to understand what data they need.
The first release in this new ADS series included a set of base standards, as well as ones covering the general ledger and accounts receivable. These were designed with retail and commercial sectors in mind. The second wave will fill out the rest of the “order-to-cash” process, the “procure-to-pay” process, and the accounts payable subledger. Plans are underway to develop other significant business processes, then to tailor them for industry sectors (such as financial services, health care, etc.). International differences may also be considered.
THE AUDIT PLAN
The traditional audit plan typically entails a series of preordered steps with the objective of addressing a series of audit assertions, relative to the value of assets and flow of resources. Higher-level assertions are supported by a series of subassertions relating to issues such as existence, completeness, valuation, and accuracy of the organization’s transaction accounts.
Audit organizations have historically fulfilled this verification by performing audit procedures mandated by a mixed set of GAAS, including audit procedures based on prior experience, evaluation of controls, and professional judgement. Many of these standards have been in place since well before current technologies were available, advanced analytic methods were developed, and data evolved into “Big(ger) Data.”
The modular audit, supported by data organized using ADS, will transform the audit plan into a control program that uses a mix of manual methods, automated modules, and defined decision points to improve the assurance function in an evolutionary (not revolutionary) path. The new audit plan is more detailed with more discrete steps aimed at taking advantage of formalization and automation. The future audit environment will be driven by the automated audit plan in conjunction with IT systems (including ERPs), the extraction of data according to the ADS into a common data repository, and audit apps (see Exhibit 1).
INTEGRATING ANALYTICS WITH JUDGEMENT
Integrating analytic methods and new technological evidence into complex decision processes has been common in disciplines ranging from medicine to astronomy. Decision-makers must understand the nature of the evidence received, be willing to rely on it, and automate simple decisions (while still controlling more complex decision structures).
The modular audit falls into this pattern and presents a quandary to the auditor: what tools to use, what simple decisions to delegate, what experience to formalize, and where to rely on intuition and unstructured knowledge. Although there is a compelling case for the modular audit, this audit is not mechanical but very much decision-based and driven by humans.
Auditors should look at their existing audit program and objectives as a master control program, which would guide the auditor on data to be collected, tools to be used, and where traditional methods and judgements should be employed.
The transition from an existing audit program to the more comprehensive and informative master control program can follow these steps (see Exhibit 1):
- Identify audit assertions and procedures. Although it is expected that many vendors will supply some preprogrammed master control plans, many large firms will prefer to develop their own programs. This will require the formalization of audit steps in view of assertions and preplanning contingent on the outcome of the prior steps.
- Identify common data points and build a common data repository. The proposed data standards will determine and facilitate both data provisioning and applications usage. Most common ERPs and popular accounting packages will eventually have a common data repository layer provisioning the necessary data.
- Develop automated audit apps based on the audit plan. Audit programs are to be progressively automated with the use of the common data repository and the adoption of a progressive set of apps. Auditors will “link” the results with more traditional audit evidence gathering, inference, and decision-making.
- Deploy audit apps and audit by exception/trend analysis/risk assessment. Adapt the audit program with the realities of the audit findings by performing additional analyses, adding more apps, and reevaluating the early steps. Human decision-making will serve to glue together the pieces of evidence and analysis obtained with the apps. This linkage will allow further formalization of judgements, improved legal defensibility, and the formalization of higher and higher forms of judgment.
Eventually, the audit will include intensive logging of the company’s production activities, as well as of audit actions and outcomes. These logs will help to clarify variations from original processes as well as document and support the audit practices.
DEPLOYING AUDIT APPS
Audit “apps” are defined as formalized audit procedures that can be performed by a computerized tool. An app may perform tasks as simple as computing ratio analyses, or it may perform complex queries that identify trends and allow auditors to drill down into the data to discover the specific causes of an abnormal account or activity. Audit apps are similar to computer-assisted audit tools (CAATs), but they differ in that they are built around the common data repository and are designed to be highly interchangeable. Furthermore, an online community may be developed where auditors and developers can create and share audit apps based on popular software tools. Audit apps may consist of a script or procedure that compiles, analyzes, or presents data in a number of formats, for example (see Exhibit 2):
- Dashboard—provides a quick snapshot of a data state;
- Analytic—statistical or summary procedure;
- Query—pulls records matching specific criteria;
- Trend—evaluates values over time;
- Ratio—compares relationships of data;
- Data matching—used to find duplicate or missing data; or
- Classification—groups data elements on similar attributes.
Choosing or developing audit apps begins with the audit plan. An audit plan covers many objectives and areas. Defining the key steps in the audit, either from an existing audit plan or from scratch, allows auditors to determine which audit procedures can be supported by technology and which require more manual work, all of which require the auditors’ judgment. As the audit plan is redefined in the current context of the organization, new and different tests and functions centered on the continuous flow of data are likely to be discovered.