How big data and analytics are transforming the audit

  • Share

The massive volumes of data now available inside and outside companies, and the power of new data analytics technologies, are fundamentally changing the audit. EY’s Roshan Ramlukan explores the possibilities and explains the key issues facing auditors as they embrace big data and analytics.

Historically, data was something you owned and was generally structured and human-generated. However, technology trends over the past decade have broadened the definition, which now includes data that is unstructured and machine-generated, as well as data that resides outside of corporate boundaries.

“Big data” is the term used to describe this massive portfolio of data that is growing exponentially. The general view is that big data will have a dramatic impact on enhancing productivity, profits and risk management. But big data in itself yields limited value until it has been processed and analyzed (for more, see The value of data analytics).

Analytics is the process of analyzing data with the objective of drawing meaningful conclusions. Major companies and organizations have recognized the opportunity that big data and analytics provide, and many are making significant investments to better understand the impact of these capabilities on their businesses. One area where we see significant potential is in the transformation of the audit.

“It’s a massive leap to go from traditional audit approaches to one that fully integrates big data and analytics in a seamless manner.”
  • Transforming the audit

    As we continue to operate in one of the toughest and most uneven economic climates in modern times, the relevance of the role of auditors in the financial markets is more important than ever before. Audit firms must continue their robust audits to serve the public interest by increasing quality on a continuous basis and by delivering more insights and value to the users of the financial statements. Professional skepticism, and a continued focus on the quality of audit evidence, are required throughout an audit. Meanwhile, companies are expecting an enhanced dialogue with their auditors and more relevant insights.

    While the profession has long recognized the impact of data analysis on enhancing the quality and relevance of the audit, mainstream use of this technique has been hampered due to a lack of efficient technology solutions, problems with data capture and concerns about privacy. However, recent technology advancements in big data and analytics are providing an opportunity to rethink the way in which an audit is executed.

    The transformed audit will expand beyond sample-based testing to include analysis of entire populations of audit-relevant data (transaction activity and master data from key business processes), using intelligent analytics to deliver a higher quality of audit evidence and more relevant business insights. Big data and analytics are enabling auditors to better identify financial reporting, fraud and operational business risks and tailor their approach to deliver a more relevant audit.

    While we are making significant progress and are beginning to see the benefits of big data and analytics in the audit, we recognize that this is a journey. A good way to describe where we are as a profession is to draw parallels with the TV and film subscription service Netflix. When the company started in 1997, it adopted a DVD-by-mail model, sending movies to its customers, who returned them after an evening or a week of entertainment. Netflix always knew that the future was in online streaming of movies, but the technology was not ready at that time, nor was high-speed consumer broadband as prevalent as it has since become.

    Today, we are engaged in the audit equivalent of DVD-by-mail, moving data from our clients to EY for use by auditors. What we really want is to have intelligent audit appliances that reside within companies’ data centers and stream the results of our proprietary analytics to audit teams. But the technology to accomplish this vision is still in its infancy and, in the interim, we are delivering audit analytics by processing large client data sets within our environment, integrating analytics into our audit approach and getting companies comfortable with the future of audit.

    The transition to this future won’t happen overnight. It’s a massive leap to go from traditional audit approaches to one that fully integrates big data and analytics in a seamless manner.

  • Barriers to integration

    There are a number of barriers to the successful integration of big data and analytics into the audit, though they are not insurmountable.

    The first is data capture: if auditors are unable to efficiently and cost-effectively capture company data, they will not be able to use analytics in the audit. Companies invest significantly in protecting their data, with multilayered approval processes and technology safeguards. As a result, the process of obtaining client approval for provision of data to the auditors can be time-consuming. In some cases, companies have refused or have been reluctant to provide data, citing security concerns.

    Moreover, auditors encounter hundreds of different accounting systems and, in many cases, multiple systems within the same company. Data extraction has not historically been a core competency within audit, and companies don’t necessarily have this competency either. This results in multiple attempts and a lot of back and forth between the company and the auditor on data capture.

    Today, extraction of data is primarily focused on general ledger data. However, embracing big data to support the audit will mean obtaining sub-ledger information, such as revenue or procurement-cycle data, for key business processes. This increases the complexity of data extraction and the volumes of data to be processed.

    While it is reasonably easy to use descriptive analytics to understand the business and identify potential risk areas, using analytics to produce audit evidence in response to those risks is a lot more difficult. One problem with relying on analytics to produce audit evidence relates to the “black box” nature of the way in which analytics works, with algorithms or rules used to transform data and produce visualizations or reports. When the auditor gets to this stage, they need to find the appropriate balance between applying auditor judgment and relying on the results of these analytics.

    The value of integrating big data and analytics into the audit will only be realized when used by auditors to influence the scope, nature and extent of the audit. This will require them to develop new skills focused on knowing what questions to ask of the data, and the ability to use analytics output to produce audit evidence, draw audit conclusions and derive meaningful business insights.

    It requires a ground-up initiative to better understand and influence the education students get at universities and colleges, enhancing learning and development programs, and establishing the appropriate implementation and enablement programs to support audit teams to effectively integrate big data and analytics into the audit.

  • Analytics dilemmas

    A further issue is how auditing standards and regulations can be aligned with the use of data analytics. In general, the auditing profession is governed by standards that were conceived some years ago and that did not contemplate the ability to leverage big data. Below are four areas that require further consideration.

    1. Substantive analytical procedures: these examine the reasonableness of relationships in financial statement items, to uncover variations from expected trends. However, the standard doesn’t cover using big data-based analytics to provide “substantive evidence.” One of the key differences with analytics techniques is that the procedures are used to identify unusual transactions or misstatements, based on the analysis of the data, and usually without the auditor establishing an expectation. Big data and these kind of analytics techniques did not exist when the standard was conceived, so were not considered as a source of audit evidence. The gap creates uncertainty regarding the relevance and applicability of analytics in providing anything more than indicative evidence.

    2. Validating the data used for analytics: as auditors receive information from the client, they determine its clerical accuracy and completeness, and whether it is appropriate as audit evidence. This applies whether they receive printed documents (such as contracts) or electronic data.

      But audit analytics do not use or rely on reports generated by the system; instead, relevant master and transaction data is extracted directly from the underlying databases. Procedures are then performed to validate the accuracy and completeness of the data, and it is reconciled to system-generated reports. The auditor is then confident that their analysis is based on the same data the company uses to produce its financial information.

      While the standards provide some guidance in this area, they could not have anticipated the type and volume of data that auditors are extracting. Inevitably, there are limitations in the extent to which auditors can derive evidence from the procedures that may be performed in relation to such data.

    3. Defining audit evidence: the standards provide a hierarchy of evidence, with third-party evidence at the top and management inquiries at the bottom. However, the standards do not indicate what type of evidence analytics provides. It is possible to relate some of these types of tests to the current framework in the standards, but not all. Without a proper description of the type of evidence that analytics provides, auditors are reluctant to claim it as evidence, thus negating the benefits.

    4. Precision: an audit is designed to detect a material misstatement. When companies record revenues amounting to billions of dollars and users of the financial statements expect them to be free of material misstatements, what level of precision do the auditors require of their data analytics? The standards need to provide more guidance in this area.

      Ultimately, the audit of the future could look quite different from the audit of today. Auditors will be able to use larger data sets and analytics to better understand the business, identify key risk areas and deliver enhanced quality and coverage while providing more business value. But to achieve this transformation, the profession will need to work closely with key stakeholders, from the businesses they are auditing to the regulators and standard-setters.

      Roshan Ramlukan is a partner in EY’s Global Assurance practice and leads the organization’s Audit Transformation analytics initiative. He is based in Boston in the US.


  • Key considerations for the audit committee

    We have identified three key areas the audit committee and finance leadership should be thinking about now when it comes to big data and analytics:

    1. External audit: develop a better understanding of how analytics is being used in the audit today. Since data capture is a key barrier, determine the scope of data currently being captured, and the steps being taken by the company’s IT function and its auditor to streamline data capture.

    2. Compliance and risk management: understand how internal audit and compliance functions are using big data and analytics today, and management’s future plans. These techniques can have a significant impact on identifying key risks and automating the monitoring processes.

    3. Competency development: the success of any investments in big data and analytics will be determined by the human element. Focus should not be limited to developing technical competencies, but should extend to creating the analytical mindset within the finance, risk and compliance functions to consume the analytics produced effectively.
  • How RoboCop is reducing financial reporting fraud

    In 2013, the US Securities and Exchange Commission (SEC) announced new initiatives aimed at better identifying financial reporting fraud through the use of big data and analytics tools.

    One of these is the Accounting Quality Model (AQM), often referred to as “RoboCop.” AQM is a fully automated system that analyzes a company’s filing within 24 hours of it being posted to EDGAR, the SEC’s online database of submissions from companies. The system is designed to identify high-risk activity by comparing the current filing with those of companies in the filer’s industry peer group.

    The SEC subsequently expanded the model’s capabilities to include a scan of the management discussion and analysis sections of annual reports. SEC analysts have developed lists of words and phrasing choices that are common among past fraudulent filers. These lists have been turned into risk factors and integrated into AQM’s review process.

    AQM assigns a risk score to each filing, assessing the likelihood that fraudulent activities have occurred. The AQM risk score is used by SEC inspection staff to prioritize inspections, and the nature of issues identified by AQM help influence the scope and focus of the inspection.

April 2015


Download article