December 1, 2015 by Doug King, National Data & Analytics Leader, Audit; and Lee Alfrey, National Lean in Audit Leader, KPMG in Canada
As the risk landscape becomes more and more challenging – from the complexity of risks faced to heightened regulatory pressure on organizations to prioritize risk issues – finding ways to augment existing corporate risk management and mitigation arsenals is becoming critical.
Two increasingly popular techniques being leveraged by audit professionals, “data & analytics” (D&A) and “lean in audit,” should be attracting the attention of audit committees and risk professionals alike. These innovative audit approaches are outlined in detail in KPMG’s recent report, The audit is changing: How techniques in D&A and Lean in Audit are enhancing quality and value in the digital evolution.
Developed both as a response to board and audit committee expectations for enhanced audit value, and as the result of improved technological capabilities, the D&A-enabled approach to the audit is proving to be the next logical phase in audit innovation. It also has a direct impact on identifying and reducing risk.
Data, of course, has always been fundamental to both auditors’ ability and mandate to provide assurance around financial statements. However, where they previously had to work with cross-sections and samples of data, D&A technology increasingly allows access to, and analysis of, virtually 100% of organizational financial statement data.
A range of advanced analytical techniques can now be applied to that mass of data that may raise risk flags that would not have popped up before, in areas that may previously have been only sparsely explored. For example, deep, granular analysis may identify unusually large or difficult-to-explain transactions. It can even go to the level of examining task segregation in specific areas, unearthing instances of individuals performing conflicting organizational duties.
It should be noted the auditor’s goal and role remain unchanged: to opine on financial statements. However, the end result, due to the far more sophisticated analytical techniques in play, is that the organization aims to get a deeper picture of its data than previously possible.
The auditor is not providing risk advice, but rather risk analysis and insight that the companies themselves may be able to act on.
For its part, lean in audit is a technique developed from an industrial productivity improvement methodology focused on eliminating wasteful activity.
If D&A offers a different way to understand data, lean in audit takes a different approach to the whole audit process and its various sub-processes.
Rather than relying on a compartmentalized, rigidly sequential approach to audit execution, lean in audit is collaboratively based, helping to ensure that auditors, key executives, management and audit systems managers interact throughout the audit.
Utilizing experiential tools such as walkthroughs and flowcharts of actual financial processes, the knowledge exchanged between audit stakeholders is vastly expanded, as is the possibility for business improvement insights to be developed.
As with D&A, any insights that may emerge into how things might be done differently or better are simply the result of conducting the audit in a different way, not of any additional consultative service on the part of the auditor. All insights are available to auditor and client alike, allowing process improvement to occur on all sides.
This may result in companies seeing ways to work more efficiently and engage their people more actively, and in auditors gaining a deeper understanding of key corporate processes.
CO-CONTRIBUTORS TO VALUE
It may seem on the surface that D&A and lean in audit are operating in separate value spheres, but in reality, the two approaches work quite well together. While lean in audit’s contribution to risk may not be as obvious as that of D&A, it emerges more clearly when seen in conjunction with D&A.
For example, a deep D&A data analysis may unearth a problematic anomaly. It may then be possible for a lean in audit-based process analysis and review to find out whether or not the problem is the function of an underlying process, perhaps a controls breakdown.
The organization can then take steps to close that gap.
Working together, D&A and lean in audit leverage previously unavailable tools and techniques, helping to bring enhanced audit value to companies that effectively act on the information they receive.
WELCOME RISK SUPPORT
Boards and audit committees have come under significantly increased pressure since the financial crisis. The global economy is more complicated and board risk responsibilities are expanding.
Penalties for regulatory infractions resulting from risk-prevention missteps are getting stiffer, and directors are finding themselves, often individually, liable for corporate failures. In such a climate, directors – the audit committee, in particular – should find very appealing the potential for both D&A and lean in audit insights to help them detect outliers and potential risk issues.
Initially, audit committees might find the prospect of learning another new process daunting given the way their duties have expanded in recent years. The fact that they will have access to more information means they may find themselves looking into risk areas they have not had to deal with as yet.
Today, however, as new risk responsibilities continue to find their way onto the agenda, it is hard to see how access to more and better data – and a methodology to apply that data in the most efficient manner possible – would not be welcome.
Another potential benefit to the audit committee is that once the organization fully embeds D&A in the audit process, the data will aim to accumulate over time and will be permanently accessible. This will help make internal benchmarking capabilities far more powerful.
Moreover, D&A technology will assist with the collection and application of a vast range of external industry data that will be universally available on the Internet – StatsCan data on unemployment, for example. This will help make it easier for organizations to benchmark themselves against their peers and find out how others are handling risk and demonstrating appropriate governance.
It should also support the development of a deep, ever-growing informational database for better understanding industry and data trends.
Boards and audit committees that are hesitant to accept emerging technological approaches to the audit may want to ask themselves a few key questions around risk:
• Is the organization decentralized or centralized, and how does that affect the ability to track risk?
• Does the organization engage in a very large number of individually small transactions?
• Does the organization employ a lot of people?
• Are there enough variables in the data that it would benefit from granular D&A analysis?
• Would the company benefit from streamlining and closing gaps in the existing controls environment?
SELLING OUT TO TECHNOLOGY OR BUYING IN?
There is a sense for some that advanced approaches such as D&A or lean in audit are, in some way, selling out the audit to technology. Similarly, there has been concern that too proactive an approach to data analysis could raise questions of independence on the part of the auditor, a risk which would, if valid, present a potential regulatory quagmire for client and auditor alike.
Neither of these concerns holds water, as neither approach is in any way an extra consultation or advisory service. Technology simply gives auditors better ways to do things they have always done.
As a result, companies and their directors are finding themselves in possession of a much deeper picture of their own data and processes, information they can independently apply to help manage risk, improve business and, indeed, put to whatever use they see fit.
These two audit approaches not only enhance audit value, but also often produce insights that businesses can use to manage risk and improve their business results.