Auditors are understandably excited about the potential of data and analytics to change what we offer and how we offer it. But in the race to reach the promised land, we should remember that many client IT systems are not ready to deploy our new D&A tools. Until they are, the full potential of D&A is some way off.
Almost three quarters of CEOs questioned in KPMG’s 2015 CEO Outlook said they felt their companies were struggling to keep pace with new technologies. Internal processes and technology typically suffer from under-investment as most companies prioritise systems supporting frontline sales and customer experience. The result is outdated, patched and complex back-office IT systems.
The financial services industry feels this issue particularly acutely because their products have such long lifespans. A life insurance policy for example might last more than 50 years. Companies will record a policy document in one system that is totally incompatible with successor systems 20 years’ later.
What’s the point?
Auditors might advise clients to update their technology, but too few clients see legacy IT systems as a business weakness. And if boards believe that competitors have a similarly lackadaisical attitude to updating systems, that only entrenches the current view. If it ain’t broke, why fix it?
Right now, the use of data and analytics is so new, and evolving so fast, that many organisations simply don’t understand its potential. Without clearly identifying the upside, a good number are understandably nervous about letting third parties ‘plug in’ their software and run routines. They fear data loss or, in the worst-case scenario, an IT failure that sweeps across their business. Explaining the value of these tools will become one of the modern auditor’s greatest challenges.
We can only use D&A to get forward-looking risk analysis and model potential business scenarios if we have access to readily-available and relevant data. The most forward-thinking companies are already building in control systems as they update their IT systems – this is not hype, it’s happening now – and it should allow them to do much of the data analysis, processing and monitoring work themselves. And as the technology develops, the possibilities are compelling – soon it may be possible for artificial intelligence to verify statements (though regulators will still have to be satisfied that any advances constitute appropriate audit evidence).
Without this kind of investment in the tech, an auditor’s focus will necessarily remain on simple questions such as whether a transaction has the necessary data points to match purchase, invoice and sales ledgers. That gets nowhere near the value D&A can bring in identifying cultural, management and business risk issues. For example, using D&A might have shown a company that a transaction failed to match because of an invoicing problem – an anomaly the company should be able to address and fix. Auditors have an important role in explaining to clients the potential of D&A and encourage the requisite level of investment in systems.
Too often and for too long, companies have seen the audit as a mandatory tick-box exercise that is of limited value in raising performance. D&A is starting to shift that perception by showing how companies can turn data into an asset. Until a company reaches that level of understanding, auditors must be careful to manage expectations. Just because the audit of the future will look at every transaction, rather than a small sample, that does not mean we can change the audit approach overnight. But by highlighting how a company’s out-dated legacy systems are stopping it harnessing that potential, the audit itself could become a catalyst for a company’s IT transformation.
So finally to the auditors themselves. Any audit employing D&A technology will only be as sophisticated as the questions we pose. Do we have the auditors to pose these questions? It will take the brightest minds in our industry to make data and analytics a reality. But ultimately, D&A will only ever augment the skills of a good auditor. It will not replace them. Not yet anyway.