cfo.com

Print this article | Return to Article | Return to CFO.com

The Never-Ending Audit

Can software prevent future Enrons? Also: Application service providers now tout their implementation and managerial expertise.
Peter Krass and Scott Leibs, CFO Magazine
October 1, 2002

New developments in computer software could lead financial executives and accountants to completely change the way they conduct corporate audits. The question is whether that would be a good thing--and whether it could prevent the next Enron.

So-called continuous-auditing software promises to transform the process of financial auditing by changing it from an archival activity that is performed at the end of a month, quarter, or year to a process that could be done on a continuous, nonstop basis. The promise is that this type of system could catch--and stop--illegal financial transactions before any damage is done.

But critics of such software say it blurs the line between auditing and monitoring. That's a line, they say, that few companies--or their independent auditors--wish to cross. Worse, in their view, is the idea--put forward by some proponents of continuous-auditing software--that the software could actually shut down an entire transactional system whenever it detected a major transgression. That, they fear, wouldn't just cross the line, it would obliterate it.

Welcome the Auditbot
Even if auditing software were pushed to this limit, could it stop the next Enron or WorldCom? Probably not, say experts. As Don Schulman, leader of the global financial-management solutions practice at PricewaterhouseCoopers Consulting, puts it: "The CEO who wants to cheat and lie can take [a transaction] out of the system and tell the CFO to change it."

For all that, the basic idea behind continuous-auditing software, sometimes known as "auditbot" technology, is fairly simple: a piece of software runs in concert with standard financial-application suites such as those offered by SAP, Oracle, and PeopleSoft, monitoring each transaction conducted by the suite and watching for violations of the company's rules and practices. (These rules are programmed in beforehand by the company's internal audit group or an outside auditor.) If and when the software detects a violation, it issues a warning report or an alert to top management.

Such auditbots are built around a kind of software known as a rule-based system. In contrast to most software, which represents information in a relatively static way, a rule-based system constantly compares one data type with others, using the programmer's classic "if-then" formulation. For example, a standard computer system for determining the day of the week would simply store calendar information, in effect saying, "Today is Monday and tomorrow is Tuesday." But for the same task, a rule-based system would compare days, saying, in effect, "If today is Monday, then tomorrow is Tuesday." In an accounting situation, a rule-based system could formulate: "If an invoice is paid in full, then book the payment as revenue."

Much of the early work on continuous-auditing software was done in the telecom industry, which, not coincidentally, was one of the first to have real-time electronic records of all its transactions--in this case, telephone calls--on hand. One of these early projects was undertaken at Bell Labs (now AT&T Laboratories) in the mid-1980s and led by a pioneer in the field, Miklos Vasarhelyi, today a professor of accounting and information systems at Rutgers University. The system, called CPAS (Continuous Process Auditing System), was tested over a four-year period but was never implemented. One reason, says Vasarhelyi, was that it raised hackles among other departments. "Our detractors within the company said, 'This is not auditing, it's monitoring,'" he recounts. His take? "Auditing is supervision."

Still, that debate hasn't prevented other companies from testing auditbots. They include those that conduct large numbers of real-time transactions, mainly financial-services companies such as Citibank, Schwab, and PayPal, says Vasarhelyi. "With online, real-time technology, it is possible to get very close to the transaction, take a global view of it, and pick up an understanding of things that are not cricket," he explains.

Ifs, Ands, Or Bots
While independent auditors say they're interested in applying auditbots to their clients' systems, to date it has been internal audit departments, not outsiders, that have taken the first steps. The reason is mostly a matter of trust. "Quite rightly, companies don't want to put things on their computers they don't fully understand the implications of," says John Fogarty, director of audit methodology, policy, and procedures at Deloitte & Touche. "They want to consider how [auditbot software] would interact with their other systems, and they want to consider the security issues. It's not a casual thing." Instead, independent auditors are turning to Web-based tools as the next step in automating corporate audits.

Another barrier to the widespread adoption of auditbots is the mind-numbing complexity of enterprise applications--and the fact that multinational, multicompany corporations rarely standardize on a single version of a single suite. "ERP [enterprise resource planning] software is a misnomer, because these systems are not really enterprisewide," says Fogarty. "As a result, automated techniques can be applied to some systems, but not really to all."


Critics of auditbots argue that auditing can never be totally automated, and will always require human intervention. "You can't audit a company in real time, because judgments and estimates are involved, and human beings make those after the fact," insists Brian Kinman, head of PricewaterhouseCoopers's enterprise risk-management practice.

Adds Frank Gori, global director of assurance services at Ernst & Young: "Technology tools are only tools. The most important element in the auditing process is your people bringing skepticism to the table to ensure quality."

Even Vasarhelyi admits that auditbots are unlikely to usher in an era of flawless financial reporting. In the first place, it's relatively easy for bad guys to keep one step ahead of the software, much the way computer-virus makers engage in a kind of arms race with computer-security experts. By the time the security gurus have figured out how to detect and disable the latest virus, the evil virus-makers have unleashed new ones. A similar arms race could erupt between corporate crooks and auditbot developers. And even if the software triumphed, says Vasarhelyi with a sigh, "if management is really crooked, they'll do something [else] anyway."

Audit.com
While the widespread use of auditbots is still a blue-sky dream, in the here and now, independent auditors are increasingly relying on Web-based software.

Ernst & Young, for one, supplies its teams with a Web-based portfolio of audit tools called EY/NexGen. Currently in what the firm labels "early adoption mode," NexGen helps multinational teams collaborate by providing a suite of Web-based software tools that let team members share documents and communicate with one another.

NexGen also lets a project manager bring in subject-matter experts from around the world on an as-needed basis, explains Frank Gori, E&Y's global director of assurance services. "Anyone with user access and a password can engage in the review or creation of work papers in real time," he says. NexGen also provides online-collaboration software that lets professionals working on an audit project conduct virtual meetings over the Internet.

After some 18 months in development and testing, NexGen is being rolled out to E&Y's Business Risk Services Group and selected clients. It augments, but probably won't replace, the firm's standard desktop auditing tool, called EY/AWS 1.5 (AWS stands for Auditor's Work Station); small clients--those without multinational operations--simply don't need the benefits NexGen offers. "For a small client with, say, $20 million in revenue, using a tool like NexGen is like bringing a howitzer to the table," says Gori.

Similarly, Deloitte & Touche uses two Web-based audit systems. The first, known as ACL Web, is based on a commercial application from ACL Services Ltd., though it has been customized for Deloitte's auditors. ACL Web addresses a key barrier to automated auditing: incompatible data formats. To help Deloitte auditors get a client's data into a single format, ACL Web acts as a kind of self-help kiosk, providing lists of questions and terminology so auditors can work with a client's IT department. The Web-based tool also provides preprogrammed tests that auditors can apply to the data, rather than have to create new tools on the fly, explains John Fogarty, Deloitte's director of audit methodology, policy, and procedures.

Deloitte's second Web-based system is somewhat experimental. Developed with software vendor Intacct Corp., it takes the entire automated-audit process one step further by actually embedding the audit system into the accounting system. Among other benefits, this eliminates the need to reformat financial data before it can be audited. Although the current product is suitable only for small and midsize accounting firms, that could change, says Fogarty: "We developed it as something we might use in our own practice." Nothing blue-sky about that. -- P.K.

Outsourcing

ASPs: Alive and...Well, Alive
If you were a CFO at a prospective client company, you had to love the pitch: instead of paying hefty licensing fees to a software vendor and then waiting for your internal IT department to roll out, say, a big enterprise resource planning system, why not rent it from a company that was expert in deploying and managing it? You'd save a massive capital outlay, be able to predict your monthly expense, and add or reduce capacity as needed.

True, your counterparts at the companies that offered this new approach (dubbed ASPs, for application service providers) didn't have it so good: the infrastructure needed to offer such services was costly, the per-user/per-month pricing scheme didn't produce the up-front cash infusion that could have helped firms find their feet, and the companies most eager to embrace this new approach proved to be the dot-coms, which very soon stopped paying bills altogether.

Soon the market leaders were either declaring Chapter 11 (USinternetworking, also known as USi) or seeing their share prices plunge as precipitously as a theme-park waterslide (Corio Inc. went from $22 a share at its July 2000 initial public offering to about 70 cents as of press time). Announcements of client wins dwindled, bad news for an industry that admitted even in good times that survival depended on achieving critical mass.


ASPs, it seemed, would soon join Kozmo.com delivery boys and the Pets.com sock puppet as Internet entities that never quite crossed the chasm. But USi and Corio have survived, smaller ASPs have remained quietly robust, and established software firms and outsourcers are now offering ASP-like service options to customers that want to be relieved of the burdens of software management.

In August, for example, Visa International began relying on Corio to manage its PeopleSoft human resource applications. Although Visa did not disclose terms, a company spokesman said that one primary driver was the desire to focus internal IT efforts on transaction processing, the heart of Visa's business.

John Ottman, Corio's executive vice president of worldwide markets, says that while most ASP deals usually result from a "precipitating event" such as a merger or a move to a new software system, increasingly companies are opting for ASPs simply as a way to "re-rationalize" their approaches to IT. "Visa didn't see HR as contributing a bottom-line benefit," says Ottman, "so it made sense to let someone else manage it."

Most ASPs, in fact, now concentrate on managing software versus renting it. Whereas they once harbored dreams of a "one-to-many" model in which they licensed software from vendors and then rented it to many clients, that has proved unfeasible (although software makers themselves do offer this option). Instead, ASPs now tout their implementation and managerial expertise; they are hired guns, not wholesalers.

This shift has been so profound that research firm Gartner says most ASPs should now be classified as "AMOs" (applications management outsourcers). "Pure play" ASPs do exist, but they tend to be smaller firms such as Salesforce.com, Employease, and WebEx, which make their own software available in a Web-based, pay-for-what-you-use model.

Despite their troubles, ASP pioneers USi and Corio continue their drive for critical mass. In August Corio announced plans to buy the ASP assets of Qwest CyberSolutions LLC, and in May USi completed a restructuring plan and merged with InterPath, a competitor and sibling (both are backed by Bain Capital). Gartner analyst Christopher Ambrose says the market shakeout has not yet been resolved. He sees growing demand for AMO and ASP services, but says such demand will also attract more competition from IBM, EDS, Accenture, Oracle, and a host of would-be ASPs.

"We know we have to prove ourselves every day, to new customers and existing clients," says Ottman. "But most companies haven't even looked seriously at the ASP option yet." When they do, he says, the advantages of having someone else manage complex software will be clear. --Scott Leibs




CFO Publishing Corporation 2009. All rights reserved.