BI improves auditors’ vision
In previous months, we’ve looked at how BI and data analytics are useful for detecting fraud. A related BI application gaining wider currency is internal audit. Managing risk and improving internal audit effectiveness are two ways a BI system can pay for itself.
Or, looked at another way, BI can help internal audit pay for itself. According to the PwC 2013 State of the Internal Audit Profession Study, only 44 percent of executives felt that internal audit contributed significant value to their firm. Only 37 percent of management rated internal audit’s performance as strong. What’s more, the survey respondents gave internal audit low marks in leveraging technology. Clearly, there’s a problem here – or maybe it’s an opportunity.
Traditionally, auditors rely on periodically sampling transactions and other financial data maintained by a company. This used to be an adequate means of assessing whether the company’s financial statements presented its financial position “fairly, in all material respects,” in CPA parlance. But sampling doesn’t always pick up patterns that can indicate a failure of internal controls – duplicate payments, unusually high expense reports, unnecessarily high credit limits on purchasing cards, retroactive pay changes, and other financial risk areas.
Enter Continuous Auditing (CA), the purpose of which is to replace, or at least augment, the traditional periodic audit. Along with the widespread adoption of BI by large companies, CA is a logical next step in the evolution of internal audit as a value generator, to address the low management-approval figures cited above.
The key benefit is timeliness. A traditional audit does verify that the company’s financial statements are accurate, but by the time the report is out, several months may have gone by. And by then, if there were deficiencies (for example, in internal controls), the horse may already have left the barn, along with the other livestock and half the tractor fleet. Continuous auditing can find exceptions as they happen, while there’s still time to stop payment on a check, cancel a shipment, or reach out and stop an embezzler before he’s had time to get to the border.
The accounting profession is, by its nature, slow to embrace change, and new methods aren’t always adopted quickly. Such has been the case with CA. The obstacles usually involve cost, in both money and time, and a certain amount of inertia on the part of auditors to change established practices. A recent white paper published by the American Institute of Certified Public Accountants noted that CA “is a costly undertaking, and payback period, which is often projected to be quite lengthy, is an important consideration.”
Nonetheless, CA has been effective in improving compliance and reducing risk at early-adopting companies. A Rutgers case study of Unibanco, a Brazilian bank that began implementing CA in 2000, found that the company’s audit function performs “detective” and “deterrent” roles, and that it has significantly reduced financial losses and improved compliance with regulations, policies and procedures. Auditors perform daily tracking of such things as check advances, overdrafts, returned checks, Federal tax payment cancellations, and electronic funds transfers. The Rutgers study shows big improvements in fraud detection and internal audit efficiency.
BI is tailor-made for this type of thing. Dashboards for manual monitoring and exception and KPI reports for continuous automated oversight make it possible to catch and respond to non-conformities almost immediately.
It’s not just for auditors, either. The University of Michigan’s Office of Internal Controls has implemented a BI system for examining financial processes to find opportunities to reduce risk, as described in the school’s Business and Finance Newsletter. This kind of “upstream” monitoring is designed to catch possible financial losses, exceptions, and other risk items before they reach the audit stage, reducing the cost of audit (both internal and external, with the meter running) and Sarbanes-Oxley compliance.
There are, of course, parts of the audit process that can’t be automated – looking up source documents filed away in a vault, to verify data that were entered into a general ledger system, is always going to require human intervention. When fraud is suspected, there’s no substitute for what geographers call “ground truth.” But the automation of routine verification/monitoring procedures frees up an auditor to spend more time on higher-value tasks, such as identifying ways to reduce risk, that require more judgment and a higher-level perspective.
A paradigm shift such as continuous audit seldom happens overnight; successful practitioners recommend implementing CA in small doses encompassing manageable segments of an enterprise. But the ability to assess a company’s finances on a daily basis (which goes hand-in-hand with the risk assessment tasks internal audit is increasingly asked to take on) represents a big step forward. For an idea of how the migration path works in practice, KPMG has developed a maturity model that describes the path from traditional auditing to CA.
Internal audit may not be as much fun as some of the BI topics we cover in this column, but you can bet that a few years down the road, an updated Internal Audit Profession Study will reflect the role of BI in helping auditors add value to a firm.
By John Kafalas
This monthly column covers Business Intelligence and data analysis issues. If you have questions, comments, or topic suggestions, please contact the author.
Copyright ©2014 4Sight Technologies, Inc. All rights reserved.