THE NEVER-ENDING AUDIT
Can software prevent future Enrons?
By Peter Krass
New developments in computer software
could lead financial executives and accountants to completely
change the way they conduct corporate audits. The question
is whether that would be a good thing - and whether it could
prevent the next Enron. So-called continuous-auditing software
promises to transform the process of financial auditing by
changing it from an archival activity that is performed at
the end of a month, quarter or year, to a process that could
be done on a continuous basis. The promise is that this type
of system could catch - and stop - illegal financial transactions
before any damage is done.
But critics of such software say it blurs the line between
auditing and monitoring. That's a line, they say, that few
companies - or their independent auditors - wish to cross.
Worse, in their view, is the idea - put forward by some proponents
of continuous-auditing software - that the software could
actually shut down an entire transactional system whenever
it detected a major transgression. That, they fear, wouldn't
just cross the line, it would obliterate it.
Welcome the Auditbot
Even if auditing software were pushed
to this limit, could it stop the next Enron or WorldCom? Probably
not, say experts. As Don Schulman, leader of the global financial-management
solutions practice at PricewaterhouseCoopers Consulting, puts
it: "The CEO who wants to cheat and lie can take [a transaction]
out of the system and tell the CFO to change it."
For all that, the basic idea behind continuous-auditing
software, sometimes known as "auditbot" technology,
is fairly simple: a piece of software runs in concert with
standard financial-application suites such as those offered
by SAP, Oracle, and PeopleSoft, monitoring each transaction
conducted by the suite and watching for violations of the
company's rules and practices. (These rules are programmed
in beforehand by the company's internal audit group or an
outside auditor.) If and when the software detects a violation, it
issues a warning report or an alert to top management.
Such auditbots are built around a kind
of software known as a rule-based system. In contrast to most
software, which represents information in a relatively static
way, a rule-based system constantly compares one data type
with others, using the programmer's classic "if-then"
formulation. For example, a standard computer system for determining
the day of the week would simply store calendar information,
in effect saying, "Today is Monday and tomorrow is Tuesday."
But for the same task, a rule-based system would compare days,
saying, in effect, "If today is Monday, then tomorrow
is Tuesday." In an accounting situation, a rule-based
system could formulate, "If an invoice is paid in full,
then book the payment as revenue."
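The monitoring loop described above, as an added example that is not from the article or any vendor's product: each transaction is checked against "if-then" rules as it arrives, and violations produce alerts rather than blocking anything. The rule names, the 10,000 approval limit and the sample transactions are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Txn:
    txn_id: str
    kind: str                      # "revenue" or "payment"
    amount: float
    created_by: str
    approved_by: Optional[str]
    invoice_paid_in_full: bool = False

@dataclass(frozen=True)
class Rule:
    name: str
    applies: Callable[[Txn], bool]   # the "if" part: which transactions the rule covers
    violated: Callable[[Txn], bool]  # the condition the audit group forbids

# Hypothetical rules, programmed in beforehand by an internal audit group.
RULES = [
    Rule("revenue-requires-paid-invoice",
         lambda t: t.kind == "revenue",
         lambda t: not t.invoice_paid_in_full),
    Rule("creator-cannot-approve",
         lambda t: t.kind == "payment",
         lambda t: t.approved_by == t.created_by),
    Rule("payment-over-limit-needs-approval",
         lambda t: t.kind == "payment" and t.amount > 10_000,
         lambda t: t.approved_by is None),
]

def audit(txn, rules=RULES):
    """Return the names of every rule this transaction violates."""
    return [r.name for r in rules if r.applies(txn) and r.violated(txn)]

def monitor(stream, rules=RULES):
    """Check each transaction in arrival order; collect (txn_id, rule) alerts."""
    return [(t.txn_id, name) for t in stream for name in audit(t, rules)]

# Constructed sample data, not real records.
SAMPLE = [
    Txn("T1", "revenue", 5000, "alice", "bob", invoice_paid_in_full=True),
    Txn("T2", "revenue", 7500, "alice", "bob"),   # booked before payment
    Txn("T3", "payment", 12000, "carol", None),   # over limit, unapproved
    Txn("T4", "payment", 300, "dave", "dave"),    # self-approved
]

if __name__ == "__main__":
    for txn_id, rule in monitor(SAMPLE):
        print(f"ALERT {txn_id}: {rule}")
```
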
Much of the early work on continuous-auditing
software was done in the telecom industry, which, not coincidentally,
was one of the first to have real-time electronic records
of all its transactions - in this case, telephone calls -
on hand. One of these early projects was undertaken at Bell
Labs (now AT&T Laboratories) in the mid-1980s and led
by a pioneer in the field, Miklos Vasarhelyi, today a professor
of accounting and information systems at Rutgers University
in the US. The system, called CPAS (Continuous Process Auditing
System), was tested over a four-year period but was never
implemented. One reason, says Vasarhelyi, was that it raised
hackles among other departments. "Our detractors within
the company said, 'This is not auditing, it's monitoring,'"
he recounts. His take? "Auditing is supervision."
Still, that debate hasn't prevented other
companies from testing auditbots. They include those that
conduct large numbers of real-time transactions, mainly financial
services companies such as Citibank, Schwab, and PayPal, says
Vasarhelyi. "With online, real-time technology, it is
possible to get very close to the transaction, take a global
view of it, and pick up an understanding of things that are
not cricket," he explains.
Ifs, Ands or Bots
While independent auditors say they're
interested in applying auditbots to their clients' systems,
to date it has been internal audit departments, not outsiders,
that have taken the first steps. The reason is mostly a matter
of trust. "Quite rightly, companies don't want to put
things on their computers they don't fully understand the
implications of," says John Fogarty, director of audit
methodology, policy, and procedures at Deloitte & Touche.
"They want to consider how [auditbot software] would
interact with their other systems, and they want to consider
the security issues. It's not a casual thing." Instead,
independent auditors are turning to Web-based tools as the
next step in automating corporate audits (see box).
Another barrier to the widespread adoption
of auditbots is the mind-numbing complexity of enterprise
applications - and the fact that multinational, multicompany
corporations rarely standardize on a single version of a single
suite. "ERP [enterprise resource planning] software is
a misnomer, because these systems are not really enterprisewide,"
says Fogarty. "As a result, automated techniques can
be applied to some systems, but not really to all."
Critics of auditbots argue that auditing
can never be totally automated, and will always require human
intervention. "You can't audit a company in real time,
because judgments and estimates are involved, and human beings
make those after the fact," insists Brian Kinman, head
of PricewaterhouseCoopers's enterprise risk-management practice.
Adds Frank Gori, global director of assurance
services at Ernst & Young: "Technology tools are
only tools. The most important element in the auditing process
is your people bringing skepticism to the table to ensure
quality."
Even Vasarhelyi admits that auditbots
are unlikely to usher in an era of flawless financial reporting.
In the first place, it's relatively easy for bad guys to keep
one step ahead of the software, much the way computer-virus
makers engage in a kind of arms race with computer-security
experts. By the time the security gurus have figured out how
to detect and disable the latest virus, the evil virus-makers
have unleashed new ones. A similar arms race could erupt between
corporate crooks and auditbot developers. And even if the
software triumphed, says Vasarhelyi with a sigh, "if
management is really crooked, they'll do something [else]
anyway."

Web-based Software
Audit.com
While the widespread use of auditbots
is still a blue-sky dream, in the here and now independent
auditors are increasingly relying on Web-based software.
Ernst & Young (E&Y), for
one, supplies its teams with a Web-based portfolio of audit
tools called EY/NexGen. In what the firm labels "early
adoption mode," NexGen helps multinational teams collaborate
by providing a suite of Web-based software tools that let
team members share documents and communicate with one another.
NexGen also lets a project manager
bring in subject-matter experts from around the world on an
as-needed basis, explains Frank Gori, E&Y's global director
of assurance services. "Anyone with user access and a
password can engage in the review or creation of work papers
in real time," he says. NexGen also provides online-collaboration
software that lets professionals working on an audit project
conduct virtual meetings over the Internet.
After some 18 months in development
and testing, NexGen is being rolled out to E&Y's Business
Risk Services Group and selected clients. It augments, but
probably won't replace, the firm's standard desktop auditing
tool, called EY/AWS 1.5 (AWS stands for Auditor's Work Station);
small clients - those without multinational operations - simply
don't need the benefits NexGen offers. "For a small client
with, say, US$20 million in revenue, using a tool like NexGen
is like bringing a howitzer to the table," says Gori.
Similarly, Deloitte & Touche
uses two Web-based audit systems. The first, known as ACL
Web, is based on a commercial application from ACL Services
Ltd., though it has been customized for Deloitte's auditors.
ACL Web addresses a key barrier to automated auditing: incompatible
data formats. To help Deloitte auditors get a client's data
into a single format, ACL Web acts as a kind of self-help
kiosk, providing lists of questions and terminology so auditors
can work with a client's IT department. The Web-based tool
also provides preprogrammed tests that auditors can apply
to the data, rather than have to create new tools on the fly,
explains John Fogarty, Deloitte's director of audit methodology,
policy, and procedures.
Deloitte's second Web-based system is
somewhat experimental. Developed with software vendor Intacct
Corp., it takes the entire automated-audit process one step
further by actually embedding the audit system into the accounting
system. Among other benefits, this eliminates the need to
reformat financial data before it can be audited. Although
the current product is suitable only for small and midsize
accounting firms, that could change, says Fogarty: "We
developed it as something we might use in our own practice."
Nothing blue-sky about that.
PK