Professional Documents
Culture Documents
TECPLN14726 IAAE Data Analytics - Web Version ICAEW
TECPLN14726 IAAE Data Analytics - Web Version ICAEW
This publication forms part of the International Auditing Perspectives series. It is part of
the online resources of International Accounting, Auditing & Ethics. If you would like
to find out more about the issues raised in this publication, please contact Katharine
Bagshaw (Manager, Auditing Standards) at kbagshaw@icaew.com
To find out more about how International Accounting, Auditing & Ethics can support
the implementation of international standards visit icaew.com/iaae or contact
Deborah Chaplin (Director, Faculties) at deborah.chaplin@icaew.com
© ICAEW 2016
If you want to reproduce or redistribute any of the material in this publication, you should first get ICAEW’s
permission in writing. ICAEW will not be liable for any reliance you place on the information in this publication.
You should seek independent advice.
ISBN 978-1-78363-447-7
Data analytics for
external auditors
INTERNATIONAL AUDITING PERSPECTIVES
An International Accounting, Auditing & Ethics initiative
Contents
Introduction 1
4. Work in progress 17
4.1 Smarter testing: sharpening the focus of data analytics 17
4.2 Thinking again about why and how we test internal controls 18
4.3 Encouraging innovation and respecting the value of data analytics 20
4.4 Reconsidering the audit approach to fraud 21
4.5 Enhancing the dialogue between auditors and regulators 21
4.6 Determining the skills needed in the next generation of auditors 23
4.7 Looking forward 26
Auditor data analytics is about enhancing audit quality. There are different
angles on what this means in practice but audit quality is a common objective
of auditors, regulators and standard-setters alike. A high-quality, focused and
effective audit is aligned with the way the audited entity manages its data and
operations. Data analytics offers a practical way for auditors to manage some
important aspects of IT systems in larger audits. Competitive tendering for listed
company audits has sharpened the focus on data analytics, and audit committees
now routinely ask prospective auditors how they are going to use it in the audit.
ICAEW is unique in its ability to draw on the views of a wide range of experts on
pressing professional matters such as these. Our knowledge of standard-setting,
regulation and audit practice enables us to articulate the issues with an unusual
degree of clarity. This publication is the output of interviews with 12 ICAEW
members with a strong working interest in data analytics. They are listed at the
end of this publication and we are extremely grateful to them for their time and
candour. We have quoted them at length, to illustrate the strength of feeling, the
sense of opportunity and the sheer energy that data analytics has created within
the profession. The willingness of interviewees to express fear and uncertainty,
and to be specific, dispels any notion that they are simply pitching for their firms.
We thought that the 90 minutes we allocated to interviews might be too much; it
was often not enough.
The single most important and consistent message that comes out of the
interviews is that everyone with an interest in audit has an opportunity –
probably a rare one – to think again about what we all want from audit, and how
data analytics might be able to transform it.
This publication is about possibilities. Its purpose is to ask fundamental questions
about the opportunities data analytics provides for the profession, regulators,
standard-setters, investors and academics to rethink and reinvent audit, for the
benefit of society as a whole. Its purpose is also to raise levels of awareness of data
analytics issues, and to inform and educate business, auditors, investors and others
about recent developments in the use of data analytics in external audit.
Data analytics challenges everyone. Giving serious consideration to the
possibilities requires vision. We do not believe that the existing audit model
is broken – far from it. But it has necessarily been constrained by many
technological limitations that have now vanished. We have the chance to
think again about what we want audit to be. We have choices.
In section 4 of this publication we discuss six key issues we believe need to be
addressed to open the debate. This will help ensure that audit remains relevant
and valuable and that the profession continues to thrive. If we do not address
these issues, others will. Are they the right issues? Have we described them well?
3 Data analytics goes beyond what was previously possible by manipulating metadata in the underlying data
model to express relationships between different tables and fields. Metadata is ‘data about data’, such as who
generated a document, when, and the type of content such as debits or credits, or the number of lines of text
in a journal.
4 Illustration from Halo reproduced with permission of PwC. Halo © 2016 PwC. PwC refers to the PwC network and/or one
or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
Halo is also a registered trademark owned by PwC. All rights reserved.
A question arising from this PwC graphic might be whether someone from outside the
finance department is posting journals. Auditors can use the tool to drill down into the
data to identify specific journals which may need to be tested.
5 Illustration from Halo reproduced with permission of PwC. Halo © 2016 PwC. PwC refers to the PwC network
and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure
for further details. Halo is also a registered trademark owned by PwC. All rights reserved.
6 © 2016 KPMG LLP, a UK limited liability partnership, and a member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.
Essential IAAE features include factsheets, practical guidance, webinars, case studies and topical
articles, plus a regular ebulletin with the latest technical developments.
IAAE is a partnership offering and helps Professional Accountancy Organisations (PAOs) to provide
high quality technical support to their members, thereby supporting the professional and commercial
environment locally.
Working in partnership encourages the development of local technical knowledge within PAOs,
allowing them and their members to be better positioned in their local
regulatory markets.
ICAEW
Want to find out more?
To find out more about how International Accounting, Auditing &
Ethics can support the implementation of international standards visit
icaew.com/iaae or contact Deborah Chaplin (Director, Faculties) at
deborah.chaplin@icaew.com
BUSINESS
10 WITH CONFIDENCE icaew.com/iaae
Data analytics for external auditors
3. R
outines, tools and solutions:
the technical challenges of
data analytics
Larger systems such as SAP, Oracle and JD Edwards involve ‘blocks’ from which a company
can build its own database. This is what gave rise to the basic technical problem
experienced by larger firms in the late 1990s – extracting data from systems in a usable
format. Auditors have had to map all of the coding for each of these systems, in every
permutation, for every large client, in order to develop a usable interface. They also have
to do this for fully bespoke systems. Auditors are developing multiple strategies to enable
them to interface with this myriad of systems. This is the first and most important hurdle
they have to clear when tailoring an offering. One interviewee reports 450 different
accounting systems in its auditable client base, although 60% of those are represented
by a small number of systems, including SAP and Oracle, both of which accommodate a
great deal of core scripting.
Auditor investment in mapping all of these variations should mean that firm offerings
will be scalable as well as efficient. Mapping involves articulating data attributes and
understanding how they transcribe into the real world, and understanding the importance
of differences between, for example, the date an item is initiated, the date it is keyed in,
and the date it is approved and posted, all of which may be different. Understanding
Software vendors specialising in data extraction, standardisation and analysis can extract
information using web links, from proprietary accounting systems widely used by smaller and
medium-sized companies. Such packages rarely permit much tailoring. Vendors can produce
information suitable for audit, and analyse it.
Data and transactions can be analysed in many different ways – by transaction type,
by account or activity code or with reference to many different data components.
Transformation is about making the data useable. One emerging issue is the extent to
which data has to be changed (often simplified) in order to do that. Key decisions firms
always have to make before making any such changes, which require careful thought and
consume resources, are about the quality of audit evidence that is likely to be obtained from
the routine, and whether management is able to transform the data, which makes life a great
deal easier from a regulatory standpoint. Nervousness about ‘changing’ client data is an issue
but sometimes it is unavoidable. For example, data extracted from ledgers which erroneously
denominate transactions in currencies that stopped being legal tender many years ago
instead of euros, has to be altered to make any sense of it.
7 The General Data Protection Regulation is a major EU overhaul of data protection legislation and is set to be
introduced in 2017. The current requirement to register with the Information Commissioner is to be scrapped
and the emphasis will be on accountability and documentation. Class actions will be permitted, fines may be
linked to turnover and some compensation will be unlimited.
8 Firms also point out problems with unregulated competition in the advisory market in the form of consultants
who grow organically, with little planning, change control, or product design. Some are passing themselves off
as having audit expertise without the discipline of repetition – having performed the same routines in different
contexts many times.
However data analytics tools are developed, they have to be merged with practice
methodologies, but they often permit staff to be creative about how they go about achieving
an audit objective. This means that staff also need to be very clear about the audit objective
of every routine they run and how it fits with auditing standards.
Support and first-hand accurate knowledge has never been more valuable to the audit profession – if you’re not
already a member of the Audit and Assurance Faculty, then now is the time to join.
To join the Audit and Assurance Faculty or to find out more about the benefits,
visit icaew.com/joinaaf
BUSINESS
16 WITH CONFIDENCE icaew.com/aaf
Data analytics for external auditors
4. W
ork in progress
4.2 Thinking again about why and how we test internal controls
Developments in business, IT and audit methodologies in recent years mean that high-
level management controls over the financial reporting system as a whole are now more
important than they once were. The focus of many audits is increasingly on these, rather
than on lower-level transaction processing controls which are well established and mature,
as are the tests of controls applied to them by auditors.
‘ … management controls over the completeness of related party
transactions are always an issue, but related-party transactions are only a risk
if those controls aren’t there. Other risks are less of an issue now because we
interrogate the entire data set – the only controls we think we should have
to look at in this case are controls over completeness.’
When sampling is a necessity, the need for risk assessment and the evaluation and testing
of internal controls makes sense, but data analytics has refocused the risk assessment
and internal controls evaluation in some ways. For example, stratifying a population,
important in sampling to deal with controls applied in different ways to different strata, is
less important from a risk analysis point of view if an entire population is being tested for a
single characteristic representing increased risk, such as the understatement of transactions
with related parties.
If auditors can see what has happened to all of the transactions finally recorded in a
system, why test controls applied during processing, if data analytics show transactions
to be properly valued and recorded? However, this does not mean that controls can be
ignored altogether. For example:
• a good understanding of the system producing the data on which the analytics is
performed is important in order to be able to design the relevant tests;
• three-way matching requires a clear understanding of ISA requirements as well as the
relevant systems;
• up-front processing controls which prevent errors in the first place are often more
important than detective controls applied later, acting as checks on the former; and
• management controls over completeness often need to be tested, even in a data
analytics context.
When thinking about control procedures, the boundaries between auditor and
management controls over data are important. The terminology used across different firms
is confusing. Terms such as ‘IT controls’, ‘management controls’, ‘transaction-processing
controls’, and ‘general controls’ overlap, and auditing standards refer to the ‘control
environment’ and ‘control procedures’.
In extracting all of the journals from the general ledger, auditors reconcile opening
and closing balances and perform other internal consistency checks. The data is then
checked back to source documentation and documentation from independent sources,
numerous exception reports are produced and each exception is followed up. Is there
any point, when this amount of work is being done on the integrity of the data, in
performing further tests of controls over that data?
The other view is that no matter what advances are made, in all audits, an understanding of
the design and implementation of controls is necessary to properly understand the business
and perform an adequate risk assessment, regardless of whether auditors intend to take a fully
substantive approach. This is because understanding the quality of the control environment is
essential to confidence in the integrity of the data set.
It is not uncommon to be given the wrong set of data, such as the backup, by accident. A
reconciliation of key totals to the trial balance on which the financial statements are based
will detect this and this is a standard routine classed either as an auditor control or as a
substantive procedure. However, while auditors may test cash receipts using data analytics,
analytics will not prove that the records really represent cash. Only understanding and testing
management’s controls over the processing of cash receipts will provide audit evidence that
the data in the system represents real transactions.
9 This is not currently permitted by paragraph 16 of ISA 330, The auditor’s procedures in response to assessed risks.
10 In this context, auditors also point out that the requirements to test journals in paragraph 32 of ISA 240,
The auditor’s responsibilities relating to fraud in an audit of financial statements, were never intended to deal with
the many thousands of journals that are now routinely produced when closing accounting periods.
In this EY graphic,18 colours represent the type of product that a business is selling,
analysed by sales and margin. Such analytics help auditors to understand and identify
risks relating to revenue, margin and standard costing. Unusual trends in performance can
be appraised, prompting higher-quality questions to be raised and more appropriate and
efficient audit tests to be designed.
The willingness and ability to learn fast and exercise judgement remain at the top of
the list of desirable qualities in trainees. But some firms are clear that the statistical and
mathematical skills needed to understand and manipulate the complex models underlying
some of the new technologies will, in the long run, play an increasingly important role in
making those judgements. Recruits already have to be more computer literate than they
once were.
16 Used with the kind permission of EY. © EY 2015, Payroll Analytics, EY UK&I Assurance Analytics.
17 ‘True’ clustering, using statistical models such as K-means and multivariate analysis in a trading business
might organise data into ‘self-organised’ clusters to help auditors explore known or previously unknown or
unrecognised relationships, as well as highlighting abnormal behaviour and outliers.
18 Used with the kind permission of EY. © EY 2015, Revenue Analytics, EY UK&I Assurance Analytics.
19 Firms believe that resistance, which is replicated in other professions, arises from failure to accommodate
increasing specialisation generally and an outdated belief that specialisation works in one direction only. Most
of us would prefer to have our root canal work performed by someone who does them every day, rather than
a more general dental practitioner. It may not be so obvious that we should have our teeth descaled by a
hygienist rather than the dentist, even if it should be.
In an increasingly complex and challenging business environment, the skill and efficiency with which you handle
financial reporting really matters.
The Financial Reporting Faculty provides highly accessible, practical and reliable assistance on financial reporting issues
to keep you up to date with new standards, regulations and practice.
Joining the Financial Reporting Faculty can save you time and keep you abreast of all the latest developments.
To join the Financial Reporting Faculty or to find out more about the benefits,
visit icaew.com/joinfrf
BUSINESS
Page footer WITH CONFIDENCE icaew.com/frf
29
ICAEW is a world leading professional membership organisation that promotes,
develops and supports over 145,000 chartered accountants worldwide. We
provide qualifications and professional development, share our knowledge,
insight and technical expertise, and protect the quality and integrity of the
accountancy and finance profession.
www.charteredaccountantsworldwide.com
www.globalaccountingalliance.com
ICAEW
Chartered Accountants’ Hall Moorgate Place London EC2R 6EA UK