Use business intelligence to

lessen audit risk

by Steven Cohen, Softline Pastel managing director
Until now, business intelligence (BI) software hasn’t really been
of interest to auditors because the auditing process has been
focused so tightly on the client’s financial rather than operational
information. So what’s changed – and why does BI now constitute
a means of lessening audit risk?
Well, the main reason is that an auditor’s traditional ways of interrogating
a client’s financial data, in order to establish the accuracy of the
information as well as the client’s levels of regulatory compliance, no
longer go far or deep enough.
Information technology (IT) has become so pervasive in organisations now
that the sheer volumes of data flowing from the front, customer-facing
office and the rest of the supply chain to the administrative, or back office,
is being measured in terabytes.
So there’s much more information to sift through. That adds both the risk
of not working through all the relevant material and pricing thorough-
enough audits out of the market.
And then there’s the additional work imposed by Sarbanes Oxley
requirements. As Peter Alfele, an audit partner in the Hampton Roads
practice of American firm Cherry, Bekaert & Holland, wrote in Virginia
Business earlier this year: “In general, audit clients should expect their
auditors to perform more work to gather information and form an
understanding of the business and its environment, perform more
extensive procedures to evaluate internal control design, shift portions of
the work relating to understanding the business, its environment, and its
internal control to a period of time well in advance of the organisation's
fiscal year-end, and involve more experienced audit personnel in
gathering information about the company and its internal control.”
As business changes so auditors must adapt
In fact, the combination of fast-developing IT and ever-tightening
regulatory frameworks creates enormous risk for auditors simply because
the types of organisations on which audits used to be carried out
effectively don’t exist any more.
Quoting Alfele again: “business models have evolved rapidly in the last
decade. For example, the use of e-commerce, the outsourcing of business
operations overseas, and the use of complex financing techniques have
changed the way businesses operate and the risks they face. These
changes no longer are restricted to larger companies - smaller, privately
held organisations have been forced to change to stay competitive.

“This dynamic business world requires an audit process that can adapt
easily to changing circumstances. A fundamental feature of the revised
[Sarbanes Oxley] audit process is its ability to adapt to the unique facts
and circumstances of businesses.

“The new audit process requires auditors to obtain a thorough

understanding of their clients' information processing system, evaluate
the design effectiveness of the controls over that system, possess
detailed knowledge of their clients' operations, their business objectives
and strategies, and the risks to achieving these objectives.

“Armed with this knowledge, auditors can then develop customised

procedures that vary depending on the dynamics of the business
environment and each client's operations. This emphasis on customised
audit approaches is a shift away from the current widespread use of
standardised audit procedures and checklists.”

In other words, auditing firms that are not able to customise their
procedures are at risk – as are the audits they undertake. BI technologies
help reduce that risk by automatically providing auditors with the kind of
information that allows them to very quickly understand “their clients'
operations, their business objectives and strategies, and the risks to
achieving these objectives”.
A rather remarkable example of doing exactly that is Canada Post's
internal auditors’ use of a BI system to analyse the potential for cost
containment, recovery and efficiency gains in the organisation’s collection
and delivery operations, which are distributed across the country in 450
installations. Implemented in late 2005, the BI system allowed quick
access to data from the corporate SAP system, enabling the audit team to
pinpoint control weaknesses and potential exceptions. In just one month,
the audit team identified CDN $10,000 in bonus overpayments and almost
CDN $4 million in excessive overtime.
Losing the time to think
A corollary of the massive increase in the volume of information being
driven by pervasive IT systems is the fact that managers are becoming so
snowed under by that information that their decision-making capabilities
are actually being impaired rather than supported by IT.

By way of example, the findings of a report commissioned by Attunity and

performed by the United Kingdom research firm, Loudhouse, is as
applicable here in Africa as it is for the senior management of the 200
United States and 200 British commercial corporations with more 500
employees who were interviewed.

Half of the managers surveyed complained that they have insufficient

time to focus on the key business issues and priorities that they regard as
most important for their companies
Managers are frustrated with the inordinate amount of time they spend
collecting and synthesising information in order to make decisions and
take actions.
Other key findings include:
 • 52 percent of managers complain about having insufficient time to
focus on key issues when asked to select their top three
frustrations/challenges.
• An inordinate amount of time - approximately a quarter of the
normal working week - is being spent gathering, collating and
massaging data versus analysing and acting on it; UK managers
spend an average of 11 hours per week; US managers spend an
average of 12 hours per week.
• 31 percent of managers indicated one of their top frustrations was
sourcing accurate, complete and reliable information.
• 50 percent of managers think they spend more time than they
should handling information.
BI would, of course, solve most of these problems!
But for as long as it’s not being used, the issues raised by the survey
impact on auditors in two ways. The first is that these kinds of pressures
on modern managers make it all the more imperative that auditors get a
quick, unambiguous picture of the business very early in the auditing
process. You can’t assume that management is on top of every aspect of
the business.
Alien environment
The second is that your own staff is probably under the same kind of
pressure – unable to find the time to think about the audit because they’re
too busy gathering data in a business environment that is becoming
increasingly foreign to them.
It’s becoming foreign because, as highly sophisticated enterprise resource
planning (ERP), supply chain management, human resources
management, customer relationship management (CRM), and business
process management software applications begin to collect and merge
information from every corner of the organisation into either huge
centralised databases or siloed business unit databases, the sources of
the information that goes into the financial statements are becoming
either more distributed or more complex.
The company bookkeeper or accountant is no longer the sole repository
and controller of all the information auditors work from. Just about every
department inputs financial information directly into the system as well as
accessing and using that information to improve the company’s
performance overall.
All of which means that because the source of the information is changing,
the type and nature of the questions auditors should be asking about
financial statements is having to change.
Then there’s the fact that business processes are being rationalised,
consolidated, integrated – making some of the places where you might
have gone to look for information about financials vanish or appear in a
different computer file in a different part of the system.
And while auditors have their own very sophisticated interrogation
methodologies, they don’t help much when you’re confronted with client
software – such as the kinds of ERP systems that multinationals have -
that you don’t know how to use. Auditors are, after all, not IT specialists
and can’t possibly be expected to know every piece of business software
in use today.
In other words, auditors are at very considerable risk in a business world
driven by IT.
Don’t rely on your clients’ systems
Which is where business intelligence comes in. True business intelligence
includes five basic activities - reporting, in-depth analysis, statistical
analysis and mining, monitoring/alerts, and on-time delivery of relevant
information in a format appropriate to the user.
And it’s that last activity that is of interest to auditors. Clearly, as an
auditor, you can’t insist that your customers implement BI systems purely
for your sake.
Yes, many of the large corporates and multi-nationals are now using BI in
one form or another. e-Bay, for instance, has a BI system that provides
realtime information on 16 million products broken down into 27 000
categories. MacDonald’s has 50 000 BI user licences. In South Africa,
Spoornet, Nampak, and Foschini are all using enterprise-strength BI
systems to give them in-depth information on their employees, customers,
suppliers, services and products in such a way as to enable them to more
appropriately map their services and products to their markets. For them,
BI is as much a forward-looking tool as it is a means of analysing their
history.
Wayne Eckerson of The Data Warehousing Institute in America believes
that companies that invest in BI also have an advantage when it comes to
regulatory compliance. “We have preached the business benefits of
delivering secure, standardised and accurate reports for decision making.
The compliance industry, on the other hand, emphasises the penalties of
not delivering secure, standardised and accurate reports for decision
making.

“In other words, both industries have the same goals, but different
approaches for getting there. Both desire to deliver accurate, valid
information to decision makers. However, the BI industry offers a carrot,
the compliance industry a stick! Organisations that have heeded the call
of BI already have the expertise, if not the processes and tools, for
complying with new, informationcentric regulations.”

And, I would add, are able to contribute to lessening audit risk.

Obviously, if you’re auditing organisations like these, you can simply

request the reports and data you need and they’ll be dropped onto your
desktop within seconds.
But, when that’s not the case, it might be worth investing in some BI tools
of your own. And it needn’t cost you the earth.
Remember, eventually all the information about an organisation has to
end up in one form or another in its accounting system. So, you can start
your BI interrogation there.
How? Well, even mid-market accounting packages have some form of BI
add-ons now. Add-ons with which you can supplement your own
interrogation tools in order to see, for instance, a client’s:
• Trading patterns thought the year versus the previous year
• Management accounts by month versus the previous year’s
• Revenue versus expense trends throughout the year with
comparatives
• Graphical representations of all the above with drill down
functionality
• Individual revenue and expense analysis with drill down to
underlying data
• Top selling inventory items
• Most active suppliers
• Most active customers.

Obviously, you can do a lot of this kind of work manually or using

spreadsheets, but it takes time, adds cost to the audit, and significantly
increases your risk of making errors.
However, a BI tool that works to the rules you give it, can deliver this kind
of information to you in realtime, enabling you to spot exceptions and get
a feel for the business very quickly.
And even the most basic BI functionality should give you the ability to
perform “what if analysis” on the financial information you’re given.
All of which will give you an insight into the business that is fact-based as
well as trend-based, so that you can go straight to the heart of your
client’s issues. And that positions you to be more pro-active in your
service to the client – which is going to boost client loyalty and, therefore,
your own sustainability.
In other words, having BI capability not only reduces audit risk – it can
actually drive revenue for you.