COVID hasn’t really changed things for auditors – it has just brought things to the forefront that we should already have been doing. Things like: focusing on key risks to the organization, and embracing and maximizing the use of analytics. This article describes how an audit function can check on the robustness of the internal controls, identify and assess risks, prevent fraud, and provide assurance – remotely – by employing data analytics.
If I were talking about an automotive service station, you would know exactly what I am talking about. Rather than taking apart your carburetor or removing the spark plugs to check on your combustion system, the service manager would run a number of diagnostics to check not only the combustion system, but also your tires, fluids, ignition systems, etc. The results would be used to determine which areas need a more detailed examination. You, the car owner, get to decide what, if anything, you want to have done (rotate the tires, 4-wheel alignment, oil change, new spark plugs, change transmission fluid, or sell the car).
The same is true of your health. You have an annual check-up to make sure your blood pressure, heart rate, respiration, prostate, etc. are OK. It is an overall indicator of your health and identifies any problem that may arise so you can take the necessary preventive actions.
Your ERP was implemented, at a significant cost, to improve your operations. You rely on the information and reports that it provides. However, the system needs constant tweaks and updates to keep it running smoothly. Changes to business processes, new product lines and customers, additional modules added to the existing ERP, and integration with legacy systems are happening all the time. So when was the last time you ran a “37-Point Check-up” on your ERP?
Why not have a set of standard analytics that can be run against your ERP system to give you a quick diagnostic of your ERP system? It can be simple things like checking for duplicates in master tables – which can result in you having customers that defaulted on payments still having valid, active customer numbers, or vendors with multiple vendor numbers, which allows for duplicate invoices to be incorrectly paid; or employees with duplicate employee numbers … you get the idea. There are also tests that may be more complicated – like looking for separation of duties issues, or verifying that business process controls are still configured correctly in your ERP. And what about emerging risk, fraud, and efficiency of operations? The ERP should be helping you manage these as well. Is it?
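The master-file duplicate test described above, as an added example that is not from the original article: it links vendor numbers that share a normalized name or bank account, then flags invoices booked under more than one number of the same vendor. The field names and sample rows are constructed assumptions, not a real ERP schema.

```python
import re
from collections import defaultdict

# Constructed sample rows; the field names are assumptions, not a real ERP schema.
VENDORS = [
    {"vendor_no": "V1001", "name": "Acme Supply Inc.", "bank_acct": "0012-3456"},
    {"vendor_no": "V2040", "name": "ACME SUPPLY, INC", "bank_acct": "00123456"},
    {"vendor_no": "V3100", "name": "Borealis Freight Ltd", "bank_acct": "7788-9900"},
    {"vendor_no": "V3555", "name": "Northwind Tools", "bank_acct": "7788 9900"},
    {"vendor_no": "V4000", "name": "Cedar Office Co", "bank_acct": "5555-0001"},
]
INVOICES = [
    {"vendor_no": "V1001", "invoice_no": "INV-0457", "amount": 1250.00},
    {"vendor_no": "V2040", "invoice_no": "inv0457", "amount": 1250.00},
    {"vendor_no": "V4000", "invoice_no": "INV-0457", "amount": 1250.00},
]
SUFFIXES = {"inc", "ltd", "co", "corp", "llc", "limited", "incorporated"}

def norm_name(name):  # lower-case, drop punctuation and legal suffixes
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in SUFFIXES)
def norm_id(value):  # drop separators, case and leading zeros
    return re.sub(r"[^a-z0-9]", "", value.lower()).lstrip("0")

def duplicate_vendors(vendors):  # vendor numbers sharing a name or bank account
    groups = defaultdict(set)
    for v in vendors:
        for kind, val in (("name", norm_name(v["name"])), ("bank", norm_id(v["bank_acct"]))):
            if val:  # blank fields must not link unrelated vendors
                groups[(kind, val)].add(v["vendor_no"])
    return {k: sorted(nos) for k, nos in groups.items() if len(nos) > 1}

def vendor_entities(vendors):  # map each vendor number to one merged entity id
    parent = {v["vendor_no"]: v["vendor_no"] for v in vendors}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for nos in duplicate_vendors(vendors).values():
        for other in nos[1:]:
            parent[find(other)] = find(nos[0])
    return {no: find(no) for no in parent}

def duplicate_invoices(invoices, vendors):  # same entity, invoice no. and amount
    entity, seen = vendor_entities(vendors), defaultdict(set)
    for inv in invoices:
        key = (entity[inv["vendor_no"]], norm_id(inv["invoice_no"]), round(inv["amount"], 2))
        seen[key].add(inv["vendor_no"])
    return {k: sorted(nos) for k, nos in seen.items() if len(nos) > 1}
```

On the sample rows, V3100 and V3555 are linked only by a shared bank account under different names, which is the kind of result that needs follow-up rather than automatic merging.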
In the past 30 years, I have developed thousands of analytics to validate ERP configurations, controls, etc. in medium to large public and private sector industries. And I found that I was usually running the same sets of tests in numerous companies with minimal modifications. These are different from many other companies’ analytics in that they are simply looking for transactions that may affect the financial statements. The analytics are evaluating the business process (e.g. accounts payable, accounts receivable, payroll, etc.) and providing assurance on the adequacy and efficiency of the process, the strength of the internal controls, and the fraud risk. This was the genesis of the concept of a 37-Point Check-up: a standard set of analytics to review your ERP controls and business process operations. But it was still not enough to provide true value to audit and to senior management.
Recently, our health system has provided the patient with the ability to see all health test results online. The problem is, I have no idea what “Troponin T: 11 ng/L” means. Is that a good reading or one that I should be concerned about; and how does it compare with the results from last year? The information was accurate and timely, but I still needed an expert to review the results and tell me what I need to know. The same is true for analytics – you can run the analytics at regular intervals and see the results in minutes, but interpretation is still a critical factor. While seeing the duplicate invoices results will help you get the overpayment back, it does not tell you what the underlying cause was and which controls need to be improved. Further, some analysis can be even more complicated to understand; and which test results are the most critical to the health of your organization (headache, rash, fever, low blood pressure)? You can’t fix everything at once, so what are the most critical results and where should management focus its time and effort?
Two things are needed to make the analytics more useful: visualization with trends, and an expert system.
- Visualization – integrate the analytics with Power BI to provide you with the ability to visualize the results and drill down to the actual flagged transactions.
- Expert system – use the computer to review results and provide both interpretation and recommendations for action.
This means that the “37-Point Check-up” of your ERP will provide you with an easy-to-understand assessment of your system controls, fraud risks, non-compliance areas, etc. and you can choose which recommendations will be implemented. You can also rerun the analytics in a month (or quarter) to see if your previous mitigation activities have had the desired effect (is there still a problem?).
Auditors can build, test, and validate the analytics and provide them to management to use as a second line of defence (continuous monitoring). At which point audit only needs to ensure that the monitoring process is working and is effective.
How can you develop your own 37-Point Check-up?
The following steps are required to develop a series of analytics. These steps can be performed as part of an audit and you can combine the results of several audits to expand your Check-up to other areas:
- Obtain access to data – ensure audit has ongoing access to all information, not just when an audit is being performed
- Develop and maintain queries to extract required data – safeguard and maintain the extract queries
- Develop and verify analytics – use the results of audits to validate the analytics and identify risks, control weaknesses, non-compliance, etc. that were identified by analytics.
- Identify and re-run analytics on a quarterly basis – use audit results to determine which analytics should be re-run to assess management action on audit recommendations and risk mitigation activities; and the analytics to assess existing risk and identify emerging risks
- Develop multi-year trend files, which will be used to track changing risk levels and identify the audit universe.
- Assess new/emerging risks and data sources – use audits and the RBAP process to continually update the risks and analytics to ensure that data sources, risk landscape and analytics reflect the current risk environment
As part of the reporting phase of the audit, you must link the results of the analytics back to the controls and identify the appropriate recommendations. This has been covered in the articles: https://caats.ca/2019/02/25/the-death-of-continuous-auditing-part-1/ and https://caats.ca/2019/02/25/the-death-of-continuous-auditing-part-2/
My blog covers a wide range of topics from Risk-Based Audit Planning to how to code ‘duplicate’ tests. I invite you to read all articles: www.CAATS.ca/blog.
President, CAATS
Chief Data Analyst, RiverAA