ASA - South Africa's Leading Accountancy Journal

“Until now, business intelligence (BI) software hasn't really been of interest to auditors because the auditing process has been focused so tightly on the client's financial rather than operational information. So what's changed – and why does BI now constitute a means of lessening audit risk?”

BUSINESS INTELLIGENCE AND AUDIT REPORTS

Well, the main reason is that an auditor's traditional ways of interrogating a client's financial data in order to establish the accuracy of the information as well as the client's levels of regulatory compliance, no longer go far or deep enough.
Information technology (IT) has become so pervasive in organisations now that the sheer volume of data flowing from the front, customer-facing office and the rest of the supply chain to the administrative or back office is being measured in terabytes. So there's much more information to sift through.

That adds both the risk of not working through all the relevant material and pricing thorough-enough audits out of the market.

And then there's the additional work imposed by Sarbanes Oxley requirements. As Peter Alfele, an audit partner in the Hampton Roads practice of American firm Cherry, Bekaert & Holland, wrote in Virginia Business earlier this year: "In general, audit clients should expect their auditors to perform more work to gather information and form an understanding of the business and its environment, perform more extensive procedures to evaluate internal control design, shift portions of the work relating to understanding the business, its environment and its internal control to a period of time well in advance of the organisation's fiscal year-end, and involve more experienced audit personnel in gathering information about the company and its internal control".

In fact, the combination of fast-developing IT and ever-tightening regulatory frameworks creates enormous risk for auditors simply because the types of organisations on which audits used to be carried out effectively don't exist any more.

Quoting Alfele again: "business models have evolved rapidly in the last decade. For example, the use of e-commerce, the outsourcing of business operations overseas, and the use of complex financing techniques have changed the way businesses operate and the risks they face. These changes no longer are restricted to larger companies - smaller, privately held organisations have been forced to change to stay competitive.

This dynamic business world requires an audit process that can adapt easily to changing circumstances. A fundamental feature of the revised [Sarbanes Oxley] audit process is its ability to adapt to the unique facts and circumstances of businesses.

The new audit process requires auditors to obtain a thorough understanding of their clients' information processing system, evaluate the design effectiveness of the controls over that system, possess detailed knowledge of their clients' operations, their business objectives and strategies, and the risks to achieving these objectives.

Armed with this knowledge, auditors can then develop customised procedures that vary depending on the dynamics of the business environment and each client's operations. This emphasis on customised audit approaches is a shift away from the current widespread use of standardised audit procedures and checklists.

In other words, auditing firms that are not able to customise their procedures are at risk – as are the audits they undertake. BI technologies help reduce that risk by automatically providing auditors with the kind of information that allows them very quickly to understand "their clients' operations, their business objectives and strategies, and the risks to achieving these objectives".

A rather remarkable example of doing exactly that is Canada Post's internal auditors' use of a BI system to analyse the potential for cost containment, recovery and efficiency gains in the organisation's collection and delivery operations, which are distributed across the country in 450 installations. Implemented in late 2005, the BI system allowed quick access to data from the corporate system, enabling the audit team to pinpoint control weaknesses and potential exceptions. In just one month, the audit team identified CAD $10,000 in bonus overpayments and almost CAD $4 million in excessive overtime.

A corollary of the massive increase in the volume of information being driven by pervasive IT systems is the fact that managers are becoming so snowed under by that information that their decision-making capabilities are actually being impaired rather than supported by IT.

By way of example, the findings of a report commissioned by Attunity and performed by the United Kingdom research firm, Loudhouse, is as applicable here in South Africa as it is for the senior management of the 200 United States and 200 British commercial corporations with more than 500 employees that were interviewed.

Half of the managers surveyed complained that they have insufficient time to focus on the key business issues and priorities that they regard as most important for their companies.

Managers are frustrated with the inordinate amount of time they spend collecting and synthesising information in order to make decisions and take actions.

But for as long as it's not being used, the issues raised by the survey impact on auditors in two ways. The first is that these kinds of pressures on modern managers make it all the more imperative that auditors get a quick, unambiguous picture of the business very early in the auditing process. You can't assume that management is on top of every aspect of the business.

The second is that your own staff is probably under the same kind of pressure – unable to find the time to think about the audit because they're too busy gathering data in a business environment that is becoming increasingly foreign to them.

It's becoming foreign because, as highly sophisticated enterprise resource planning (ERP), supply chain management, human resources management, customer relationship management and business process management software applications begin to collect and merge information from every corner of the organisation into either huge centralised databases or siloed business unit databases, the sources of the information that goes into the financial statements are becoming either more distributed or more complex.

The company bookkeeper or accountant is no longer the sole repository and controller of all the information auditors work from. Just about every department inputs financial information directly into the system as well as accessing and using that information to improve the company's performance overall.

All of which means that, because the source of the information is changing, the type and nature of the questions auditors should be asking about financial statements is having to change.

Then there's the fact that business processes are being rationalised, consolidated, integrated – making some of the places where you might have gone to look for information about financials vanish or appear in a different computer file in a different part of the system.

And while auditors have their own very sophisticated interrogation methodologies, these don't help much when you're confronted with client software – such as the kinds of ERP systems that multinationals have - that you don't know how to use. Auditors are, after all, not IT specialists and can't possibly be expected to know every piece of business software in use today.

In other words, auditors are at very considerable risk in a business world driven by IT.

Which is where business intelligence comes in. True business intelligence includes five basic activities - reporting, in-depth analysis, statistical analysis and mining, monitoring/alerts and on-time delivery of relevant information in a format appropriate to the user.

And it's this last activity that is of interest to auditors. Clearly, as an auditor, you can't insist that your customers implement BI systems purely for your sake.

Yes, many of the large corporates and multi-nationals are now using BI in one form or another. e-Bay, for instance, has a BI system that provides realtime information on 16 million products broken down into 27 000 categories. McDonald's has 50 000 BI user licences. Here in South Africa, Spoornet, Nampak, and Foschini are all using enterprise-strength BI systems to give them in-depth information on their employees, customers, suppliers, services and products in such a way as to enable them more appropriately to map their services and products to their markets. For them, BI is as much a forward-looking tool as it is a means of analysing their history.

Wayne Eckerson of The Data Warehousing Institute in America believes that companies that invest in BI also have an advantage when it comes to regulatory compliance. "We have preached the business benefits of delivering secure, standardised and accurate reports for decision making. The compliance industry, on the other hand, emphasises the penalties of not delivering secure, standardised and accurate reports for decision making.

In other words, both industries have the same goals, but different approaches for getting there. Both desire to deliver accurate, valid information to decision makers. However, the BI industry offers a carrot, the compliance industry a stick! Organisations that have heeded the call of BI already have the expertise, if not the processes and tools, for complying with new, informationcentric regulations."

Obviously, if you're auditing organisations like these, you can simply request the reports and data you need and they'll be dropped onto your desktop within seconds.

But, when that's not the case, it might be worth investing in some BI tools of your own. And it needn't cost you the earth.

Remember, eventually all the information about an organisation has to end up in one form or another in its accounting system. So, you can start your BI interrogation there.

How? Well, even mid-market accounting packages have some form of BI add-ons now. Add-ons with which you can supplement your own interrogation tools in order to see, for instance, a client's:

Obviously, you can do a lot of this kind of work manually or using spreadsheets, but it takes time, adds cost to the audit, and significantly increases your risk of making errors.

However, a BI tool that works to the rules you give it, can deliver this kind of information to you in realtime, enabling you to spot exceptions and get a feel for the business very quickly.

And even the most basic BI functionality should give you the ability to perform "what if analyses" on the financial information you're given.

All of which will give you an insight into the business that is fact-based as well as trend-based, so that you can go straight to the heart of your client's issues. And that positions you to be more pro-active in your service to the client – which is going to boost client loyalty and, therefore, your own sustainability.

In other words, having BI capability not only reduces audit risk – it can actually drive revenue for you.

Steven Cohen BCom, BAcc, CA(SA) is the Managing Director of Softline Pastel and is also one of the founders of the Softline Group.