The Never-Ending Audit

Can software prevent future Enrons? Also: Application service providers now tout their implementation and managerial expertise.

October 1, 2002

New developments in computer software could lead financial executives and accountants to completely change the way they conduct corporate audits. The question is whether that would be a good thing--and whether it could prevent the next Enron.

So-called continuous-auditing software promises to transform the process of financial auditing by changing it from an archival activity that is performed at the end of a month, quarter, or year to a process that could be done on a continuous, nonstop basis. The promise is that this type of system could catch--and stop--illegal financial transactions before any damage is done.

But critics of such software say it blurs the line between auditing and monitoring. That's a line, they say, that few companies--or their independent auditors--wish to cross. Worse, in their view, is the idea--put forward by some proponents of continuous-auditing software--that the software could actually shut down an entire transactional system whenever it detected a major transgression. That, they fear, wouldn't just cross the line, it would obliterate it.

Welcome the Auditbot
Even if auditing software were pushed to this limit, could it stop the next Enron or WorldCom? Probably not, say experts. As Don Schulman, leader of the global financial-management solutions practice at PricewaterhouseCoopers Consulting, puts it: "The CEO who wants to cheat and lie can take [a transaction] out of the system and tell the CFO to change it."

For all that, the basic idea behind continuous-auditing software, sometimes known as "auditbot" technology, is fairly simple: a piece of software runs in concert with standard financial-application suites such as those offered by SAP, Oracle, and PeopleSoft, monitoring each transaction conducted by the suite and watching for violations of the company's rules and practices. (These rules are programmed in beforehand by the company's internal audit group or an outside auditor.) If and when the software detects a violation, it issues a warning report or an alert to top management.

Such auditbots are built around a kind of software known as a rule-based system. In contrast to most software, which represents information in a relatively static way, a rule-based system constantly compares one data type with others, using the programmer's classic "if-then" formulation. For example, a standard computer system for determining the day of the week would simply store calendar information, in effect saying, "Today is Monday and tomorrow is Tuesday." But for the same task, a rule-based system would compare days, saying, in effect, "If today is Monday, then tomorrow is Tuesday." In an accounting situation, a rule-based system could formulate: "If an invoice is paid in full, then book the payment as revenue."
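
The rule-based monitoring described above, as an added Python example (not from the article or from any vendor's product): the article's invoice rule is turned into a check that runs on every transaction as it arrives. The second rule, the field names and the sample ledger are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Txn:
    txn_id: str
    kind: str            # "invoice", "payment" or "revenue"
    invoice: str
    cents: int           # amount in integer cents
    posted_by: str
    approved_by: str = ""

def revenue_needs_full_payment(txn, billed, paid):
    # The article's rule as a check: book revenue only once the invoice is paid in full.
    if txn.kind != "revenue":
        return None
    owed, got = billed.get(txn.invoice, 0), paid.get(txn.invoice, 0)
    if owed == 0 or got < owed:
        return f"revenue booked on {txn.invoice}: {got} of {owed} cents received"
    return None

def revenue_needs_independent_approver(txn, billed, paid):
    # Hypothetical segregation-of-duties rule (an assumption, not from the article).
    if txn.kind == "revenue" and txn.approved_by in ("", txn.posted_by):
        return f"revenue on {txn.invoice} lacks an approver other than {txn.posted_by}"
    return None

RULES = [revenue_needs_full_payment, revenue_needs_independent_approver]

def audit(stream):
    """Check each transaction as it arrives; return (txn_id, rule, message) alerts."""
    billed, paid, alerts = {}, {}, []
    for txn in stream:
        for rule in RULES:
            message = rule(txn, billed, paid)
            if message:
                alerts.append((txn.txn_id, rule.__name__, message))
        # Update running balances only after the rules have seen the transaction.
        if txn.kind == "invoice":
            billed[txn.invoice] = billed.get(txn.invoice, 0) + txn.cents
        elif txn.kind == "payment":
            paid[txn.invoice] = paid.get(txn.invoice, 0) + txn.cents
    return alerts

# Constructed sample ledger, in arrival order.
SAMPLE = [
    Txn("T1", "invoice", "INV-1", 500_000, "alice"),
    Txn("T2", "payment", "INV-1", 500_000, "bob"),
    Txn("T3", "revenue", "INV-1", 500_000, "alice", "dave"),    # clean
    Txn("T4", "invoice", "INV-2", 2_000_000, "alice"),
    Txn("T5", "payment", "INV-2", 1_200_000, "bob"),
    Txn("T6", "revenue", "INV-2", 2_000_000, "alice", "alice"), # underpaid, self-approved
    Txn("T7", "revenue", "INV-9", 100_000, "erin", "dave"),     # no such invoice
]
```

Calling `audit(SAMPLE)` returns three alerts: two for T6 and one for T7. As the article notes, checks like these see only what is entered into the system.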

Much of the early work on continuous-auditing software was done in the telecom industry, which, not coincidentally, was one of the first to have real-time electronic records of all its transactions--in this case, telephone calls--on hand. One of these early projects was undertaken at Bell Labs (now AT&T Laboratories) in the mid-1980s and led by a pioneer in the field, Miklos Vasarhelyi, today a professor of accounting and information systems at Rutgers University. The system, called CPAS (Continuous Process Auditing System), was tested over a four-year period but was never implemented. One reason, says Vasarhelyi, was that it raised hackles among other departments. "Our detractors within the company said, 'This is not auditing, it's monitoring,'" he recounts. His take? "Auditing is supervision."

Still, that debate hasn't prevented other companies from testing auditbots. They include those that conduct large numbers of real-time transactions, mainly financial-services companies such as Citibank, Schwab, and PayPal, says Vasarhelyi. "With online, real-time technology, it is possible to get very close to the transaction, take a global view of it, and pick up an understanding of things that are not cricket," he explains.

Ifs, Ands, Or Bots
While independent auditors say they're interested in applying auditbots to their clients' systems, to date it has been internal audit departments, not outsiders, that have taken the first steps. The reason is mostly a matter of trust. "Quite rightly, companies don't want to put things on their computers they don't fully understand the implications of," says John Fogarty, director of audit methodology, policy, and procedures at Deloitte & Touche. "They want to consider how [auditbot software] would interact with their other systems, and they want to consider the security issues. It's not a casual thing." Instead, independent auditors are turning to Web-based tools as the next step in automating corporate audits.

Another barrier to the widespread adoption of auditbots is the mind-numbing complexity of enterprise applications--and the fact that multinational, multicompany corporations rarely standardize on a single version of a single suite. "ERP [enterprise resource planning] software is a misnomer, because these systems are not really enterprisewide," says Fogarty. "As a result, automated techniques can be applied to some systems, but not really to all."

