Sorry, I missed posting last week as I was at ACL Connections 2016. It was another great conference – lots of experienced users as well as new users. The user forum folks got to together for a dinner and had a chance to meet face-to-face. I asked each of them to describe a “cool” analysis they had done and almost everyone talked about use REGEXFIND() or REGEXREPLACE() which made me realize that I have to buckle down and learn these powerful functions.
Lesson-Learned – you can’t stop learning about new features and capabilities.
I was ask to give a short presentation on the future of analytics and decided to post my speaking notes here. I looks back in order to look forwards – discussing what was happening in audit and analytics; and how ACL responded.
1980’s – Analytics wasteland
- I started my audit career in the late 1980’s, but I had already been using computers for 8-10 years. These were primarily mainframe or mini-computers. I used punched cards to submit my programs to the computer and had to understand and use JCL, TSO and ISPF as well as the application software or program I was running.
- My first PC cost over $10K and did not have a hard drive; but things were changing rapidly, and 6 months later we acquired an IBM XT which had a 10Mb hard drive.
- Audit was primarily concerned about being an early warning to management that things had gone wrong. Kind of an oxymoron – but management wanted to find out about what went wrong before anyone else did – so we were an early warning of past errors.
- For my first audit I performed a manual review of hundreds of thousands of telephone calls – by flipping through several feet of computer reports. In another audit, I manually entered thousands of amounts into an adding machine to verify report subtotals. There had to be a better way.
1990’s – growth of analytics
- Audit took on a “control” perspective. Audits sought to determine if control were adequate and effective.
- We were starting to see the use of computers in audit. The concept of 100% testing rather than sampling was being explored. However, it was usually only one or two individuals; and analysis was performed for a single purpose.
- Data was still very much mainframe based – so you had to know how to extract and download the data. In the early 1990’s download speeds were approaching 1Mb an hour. But there were other roadblocks: IT felt they owned the data and getting it was difficult. You had to address questions about: audit’s authority to access the data; security; use of personal information; and the ability to understand and analyze the data – so not much has changed in 25 years on this front.
- ACL for DOS and MVS (Mainframe) was introduced – followed in the mid-90’s by ACL for Windows.
- ACL also started offering training and consulting services – so auditors had analytics help for the first time.
2000’s – analysis takes hold
- Audit is now looking at risk rather than focusing on controls.
- Data is stored in large integrated ERP systems with centralized data bases
- Analysis is used in all aspects of the audit process
- More people performing analysis and scripts are being built to re-run analysis
- ACL responded to the increase in ERP systems by developing Direct Link for SAP
- ACL also entered a new phase of advocating on behalf of auditors; working with the IIA and other professional organizations; producing whitepapers and technology guides.
2010-2015 – analysis established
- Audit is adapting a more continuous approach; looking at efficiency and effectiveness of business operations; using analytics to provide not only hindsight, but also insight and foresight
- Analysis is being used not only to examining controls, but also to perform risk assessment and monitoring
- ACL introduces AX and GRC – expanding into non-audit areas and supporting a more structured analytics environment; improving workflow and documentation; and providing everyone with access to results.
- ACL continues to support its users with ACL Forum, User Group, Inspirations and the ACL Academy
2016+ – analysis flourishes
- Audit will be focused more on emerging risk and the identification and assessment of business opportunities – adding even more value to senior management.
- We will continue to see the integration of audit, compliance and monitoring functions
- Analysis will be more instantaneous – fully automated risk assessment and control testing
- Data analysis will have an even larger impact and more people will be involved
- Big Data will increasingly be used to identify emerging risk and opportunities
- ACL will take more of an enterprise view of analytics and provide increased analysis functionality – in order to be able to handle Big Data – such as the integration with R and Python
Analytics will be used for:
- Continuous risk and control assessment
- Artificial intelligence/machine learning to identify fraud risk and anomalies
- On demand data-mining to support management
- Assessment of business opportunities (e.g. M&A activities, new product lines, etc.)
- Assessment of KRIs and KPIs related to strategic objectives
There will be three tiers of analytics users:
- Data scientists – who build the data repository as well as the real hardcore analytics
- Local data analytics champions – who will be able to build impactful analytics for the teams in their regions against the central data repository
- Analytic consumers – who will act upon the analytics provided – includes auditors, managers, compliance and monitoring functions
Auditors will need to understand:
- Integrated business processes
- The data side of business risks and opportunities
- How KRIs affect KPIs and impact strategic objectives\
- How to interpret the results of analytics
- How to draw conclusions and make recommendations in real time – based on the results of analytics. No more taking 6 months to produce a final report.
- How to present the results of analytics to management – who often don’t know the difference between mean, median and mode.
It will be challenging and exciting – I hope you enjoy the ride.