Metric of the Month: Audit Control Violations

It’s safe to say that more automation means fewer control violations involving audits.
Mary C. DriscollApril 19, 2016

There has never been more pressure on finance leaders to ensure integrity in internal auditing and controls. Boards of directors want assurance that official financial statements are squeaky clean, with every piece of data in tables and in footnotes double-checked. There’s zero tolerance for such funny business, as a business unit booking revenue in one quarter while pushing related costs to the next.

In the digital age, manual/random audits no longer cut it. Companies with millions of transactions to audit need a more reliable way to gauge who and what needs to be investigated — before accidental errors or intentional malfeasance blow up to damage the company’s reputation and hurt investors. The pioneers are looking for solutions in technology-enabled auditing tools and processes.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

How prevalent are such problems? In an effort to reveal how financial management organizations use data analytics in their internal controls function, APQC examined the number of internal control violations per year per 1,000 employees at 70 companies. The best performers had 3.51 violations or fewer, while the worst performers were dealing with 34.23 violations or more. (See graph below.)

For a 10,000-employee company in the bottom quartile, that’s more than 340 controls violations annually. Consider, too, that this 340 number represents the best performance among the laggards. And that’s counting just the ones that were reported – many more could be slipping below the radar. These companies may be exposed to integrity thieves and not even know it.

How are the top quartile companies keeping violations down? APQC also looked at what percentage of companies in the data set has automated their primary controls. Companies in the top quartile had automated at least half of their primary controls. At the other end of the spectrum, the bottom quartile had automated 11.54 percent or fewer of their primary controls.

MoM Chart_April 2016_Updated

It’s safe to say that more automation means fewer control violations. All things being equal, it’s much easier to make an unintentional error or fudge an accounting entry when data are processed and audited manually. It’s also a whole lot more likely that a system screening 100% of transactions will find suspicious activity that a random audit might miss.

Automated transaction-processing systems, and direct links between systems, can cut down on the manual line-item journal entries that allow room for errors and bad intentions. If your company is seeing a lot of corrections, adjustments, and manual non-recurring journal entries, chances are your internal controls aren’t actually keeping things under control.

As companies invest in internal audit automation, the companies they hire to audit them are doing the same, on a larger scale. A recent Wall Street Journal article noted that the Big Four audit firms have invested millions of dollars in advanced data analytics and artificial intelligence technologies that can be customized to each client and told to crawl through enormous volumes of data, identifying outliers, recurring patterns, and audit risks.

These intelligent platforms use advanced algorithms to actually “learn,” making comparisons and spotting trends across a vast sea of data. They don’t take vacation days, they never get sick, and they work around the clock. But as powerful as they are, AI auditing systems can’t replace the humans working behind the desks in your audit department. The souped-up systems just allow people to make optimal use of their time and to focus on the “red flags” that might never have popped up in a traditional audit.

But all the automation in the world can still miss big problems if the intelligent auditing systems aren’t asking the right questions. Those are all about finding things that will have a real impact on business strategy. It doesn’t happen in a vacuum: Truly successful analytics are enabled by nicely fitting intersections among technical capabilities, enterprise knowledge, data governance, and smart leadership.

It’s time to move beyond basic automation and start asking the right questions. Because the robots aren’t just coming to change the world – they are already here.

 Mary C. Driscoll is a senior research fellow in financial management at APQC, a nonprofit business benchmarking and research firm based in Houston.