Auditing in the Era of Big Data

Get ready for the era of Big Audit.

The auditing profession is starting to look at how to leverage Big Data in audits with some big investments into cutting-edge data analytics that could dramatically deepen the reach of external auditors into corporate books and records.

The push into the next generation of auditing, however, is mired in regulatory and legal complexity that promises to bog down the transformation.

Under the future vision of auditing, public companies would give auditors access not just to a sample of their transactions, but to their entire general ledger and their databases. “With these tools, auditors will have the capability to look at the underlying data, not just the summary data,” says Brian Fox, president of audit services firm Confirmation.com. “They will want all the transactional data, even if it's millions or tens of millions of records. It will be a different conversation.”

But don't expect the transition to happen overnight. External auditors have been slower than others to jump on the Big Data bandwagon, says Kelly Todd, shareholder with audit firm Forensic Strategic Solutions, which uses data analytics to conduct investigations. It's a massive leap to go from traditional audit approaches, which are based on sampling transactions, to an audit that would look at literally everything. “The reality is with data analytics, you have the ability to look at 100 percent of the transactions,” she says. “You can see the footprint of the beast, the unusual patterns, and the things that don't make sense.”

As analytic technology becomes more readily available and as audit firms take a beating from regulators and the capital markets over audit quality issues, external auditors are turning to Big Data for answers. “Virtually all of the Big 4 and others have very sizable projects around transforming the effectiveness of external audit procedures through the use of technology,” says John Verver, vice president of audit technology firm ACL. “They're focused on the quality of the audit, reducing the risk, and improving the efficiency and effectiveness.”

Auditors have long used analytical procedures in their audit work, says Dorsey Baskin, managing partner at Grant Thornton and a member of the assurance services executive committee of the American Institute of Certified Public Accountants. Existing auditing standards require the use of analytical procedures to plan the audit and to wind up an engagement, or to perform “the smell test” at the end of the audit, he says. The kind of data analytics firms are now investigating are far more complex, he says. “The audit tool kit looks the same as it did 50 or 60 years ago,” he says. “If we were doctors, that would be pretty frightening. This has tremendous potential, but it's still early. We're still experimenting.”

Deloitte & Touche, for example, says it is looking at the potential to leverage tools in three different ways. The first, says Joseph Ucuzoglu, national managing partner for Deloitte, is to audit large or complete sets of data, rather than just samples of data. The second is to leverage artificial intelligence to search not just data but also text, looking for red flags and tell-tale terms. The third area is to look beyond the data a company produces to examine data available elsewhere.

“With these tools, auditors will have the capability to look at the underlying data, not just the summary data.”

—Brian Fox,

President,

Confirmation.com

The firm is developing a series of trials and testing them on a small scale to assure the techniques work, Ucuzoglu says. “We are still doing traditional audit techniques, but once we prove the concept, we can take it to a larger stage,” he says. The technology won't replace human auditors, but will remove the rote tasks, examine more data, and give auditors better information to consider, he says. “It will free up professionals to spend their time on the highest value areas,” Ucuzoglu says. That aspect is actually exciting to auditors, he says, who are looking for ways to engage and retain more young talent in the profession.

Audit firms are tooling up for the transformation in a variety of ways, not the least of which is buying consulting businesses where the technology and the analytical skills reside. The Public Company Accounting Oversight Board, however, has expressed some concern over the firms' return to the consulting business with an eye on whether it compromises the auditor's ability to perform an independent audit.

Regulatory Skepticism

PCAOB member Lewis Ferguson recently said regulators are concerned about the economic model for audit firms—fees for audit are flat while the real growth lies in consulting services—and whether that could jeopardize audit quality. “Part of what's driving the acquisition binge is to acquire the businesses that have those analytical skills,” he says. “To that extent, I understand why the firms are driven to make these acquisitions, but that's not the only kind of acquisitions they're making.” The firms make a valid argument that they need to invest in technology and analytics for the sake of the audit, he concedes. “This could fundamentally change the way we do audits,” he says. “If anything it is likely to make the audit better.”

AUDIT DATA STANDARD WORKING GROUP

Below the AICPA's Audit Data Standard Working Group provides information on its voluntary, uniform audit data standards.

ASEC's Emerging Assurance Technologies Task Force established the Audit Data Standard working group to help develop new technologies that will contribute to the effectiveness, timeliness, and efficiency of the audit process. One of the main projects that this task force has been working on is developing a standardized data model that management, internal auditors and external auditors could utilize for enhanced analytics that would further improve the timeliness and effectiveness of the audit process.

One of the challenges that management and auditors face is obtaining accurate data in a usable format following a repeatable process. As a result, the working group has developed a voluntary, uniform audit data standards that identifies the key information needed for audits and provides a common framework covering: (1) data file definitions and technical specifications, (2) data field definitions and technical specifications, and (3) supplemental questions and data validation routines to help auditors better understand the data and assess its completeness and integrity The standards are offered in either of the following two file formats: (1) flat file format (pipe-delimited UTF-8 text file format) and (2) eXtensible Business Reporting Language Global Ledger Taxonomy Framework (XBRL GL).

The first issuance of the Audit Data Standards includes the following standards.

Base Standard: The base standard document includes information on formats for files and fields that should be used in conjunction with each audit data standard document.

General Ledger Standard: This standard includes information specific to General Ledger accounts.

Accounts Receivable Sub-ledger Standard: This standard includes information specific to the Accounts Receivable sub-ledger.

Source: AICPA.

Another concern for regulators, says Ferguson, is whether auditing standards need some revision to facilitate the use of more advanced technology that would make traditional sampling techniques unnecessary or even obsolete. “We have to assure our standards are not forcing auditors to do things that are simply no longer relevant,” he says.

That's a concern for auditors as well, says Baskin. “The standards are based on what we could do 50 years ago,” he says, which is sampling, not examining all transactions. So even if auditors could look at all transactions, the standards would still require sampling, he says, leading to unnecessary redundancy and inefficiency. The PCAOB has also insisted through its inspection process that auditors test the completeness and accuracy of any database auditors rely on for audit evidence, an impossibility if auditors were to use externally available market data in their analysis, he says.

There are additional hurdles, Baskin says. “One of the things holding us back is every audit engagement team would have to design its own program, get client files, figure out how they are organized and what's in them, and program the analytics,” he says. “If we have a data standard so we can get access to the data in a standard format, it becomes much more efficient and attractive for auditors.” AICPA's ASEC is exploring how to produce standards for companies to follow to produce data in a format that lends itself to data analytics, he says, and has so far produced standards for the general ledger and accounts receivable.

Some auditors may also resist over fear of a new litigation risk, says Peter Bible, a partner with audit firm EisnerAmper. “In hindsight, if something goes wrong for whatever reason, you can always be challenged or criticized or found at fault for not doing something,” he says. Auditors will have to wrestle, for example, with what to do about small or immaterial mistakes that are bound to turn up with more detailed analytics, says Baskin. “The software might overwhelm you with anomalies that have to be investigated,” he says.

Still, folks like Ucuzoglu are excited about the potential. “Audit firms haven't substantively changed the way the profession goes about doing an audit in a long time,” he says. “This is frankly overdue.”