Data and analytics (D&A) is about creating a better quality and more insightful audit. However, that does not mean it is necessarily more efficient or a panacea for all audit risk.
The main use of D&A in an audit is to test larger, if not entire, populations of core data; data that is currently assessed through system control testing and small samples. Such work is usually the domain of junior auditors. It is not particularly expensive, there is not much room for efficiency, and findings, while often important, are rarely truly insightful. The effective use of D&A introduces expensive technology, which at least initially requires technical experts to understand, install and operate. While this creates an opportunity for more junior colleagues to learn skills, to my mind these changes are unlikely to produce a significant cost saving.
What they can do, is increase the quality of the audit of core data and can reveal some interesting insights into control failings and process efficiency. The ability or otherwise for an audit to be able to use such technology on a company’s systems can also say a lot about the quality of those systems or whether the company is under invested (the ‘technology deficit’ so many businesses have come to realise they are suffering from).
Where a company has strong systems and IT, then they can often realise significant savings, not from an audit fee reduction but when they start to adopt the technology themselves and make it part of their control structure. At that stage, the auditor’s work is minimised as it focuses solely on whether the new technology driven controls have been correctly operated by those companies.
Equally, D&A cannot eliminate the risks of audit failure. If you look at the big corporate failures over the past 20 years, corporate fraud has not arisen from basic data processing. It relates to the behaviour of management or a lack of understanding of risk.
Enron was not about the quality or accuracy of core data, but a flawed business model and arguably getting away with very poor technical accounting. The banking crisis was at least partly the result of a lack of understanding of risk and poor risk management.
Data and analytics doesn’t help you analyse the risks of a business case, the strength of the business model, or indeed bad accounting that might remove a liability from the balance sheet or add revenue that will never be earned. These are grey areas where fraud can thrive and where a good auditor will spot problems.
The big advantage D&A will bring is that – by removing process – it shifts the audit’s focus even more towards those management judgements that can significantly affect a company’s reported performance. Then when tech can get into that area then audit failure may be even less than a risk. The structures management put in place (not least in terms of technology) to manage risk and control are what influence business success or failure. More focus on these key areas has to be good news.