Still, that debate hasn’t prevented other companies from testing auditbots. They include those that conduct large numbers of real-time transactions, mainly financial-services companies such as Citibank, Schwab, and PayPal, says Vasarhelyi. “With online, real-time technology, it is possible to get very close to the transaction, take a global view of it, and pick up an understanding of things that are not cricket,” he explains.
Ifs, Ands, or Bots
While independent auditors say they’re interested in applying auditbots to their clients’ systems, to date it has been internal audit departments, not outsiders, that have taken the first steps. The reason is mostly a matter of trust. “Quite rightly, companies don’t want to put things on their computers they don’t fully understand the implications of,” says John Fogarty, director of audit methodology, policy, and procedures at Deloitte & Touche. “They want to consider how [auditbot software] would interact with their other systems, and they want to consider the security issues. It’s not a casual thing.” Instead, independent auditors are turning to Web-based tools as the next step in automating corporate audits.
Another barrier to the widespread adoption of auditbots is the mind-numbing complexity of enterprise applications — and the fact that multinational, multicompany corporations rarely standardize on a single version of a single suite. “ERP [enterprise resource planning] software is a misnomer, because these systems are not really enterprisewide,” says Fogarty. “As a result, automated techniques can be applied to some systems, but not really to all.”
Critics of auditbots argue that auditing can never be totally automated, and will always require human intervention. “You can’t audit a company in real time, because judgments and estimates are involved, and human beings make those after the fact,” insists Brian Kinman, head of PricewaterhouseCoopers’s enterprise risk-management practice.
Adds Frank Gori, global director of assurance services at Ernst & Young: “Technology tools are only tools. The most important element in the auditing process is your people bringing skepticism to the table to ensure quality.”
Even Vasarhelyi admits that auditbots are unlikely to usher in an era of flawless financial reporting. In the first place, it’s relatively easy for bad guys to keep one step ahead of the software, much the way computer-virus makers engage in a kind of arms race with computer-security experts. By the time the security gurus have figured out how to detect and disable the latest virus, the evil virus-makers have unleashed new ones. A similar arms race could erupt between corporate crooks and auditbot developers. And even if the software triumphed, says Vasarhelyi with a sigh, “if management is really crooked, they’ll do something [else] anyway.”
While the widespread use of auditbots is still a blue-sky dream, in the here and now, independent auditors are increasingly relying on Web-based software.
Ernst & Young, for one, supplies its teams with a Web-based portfolio of audit tools called EY/NexGen. Currently in what the firm labels “early adoption mode,” NexGen helps multinational teams collaborate by providing a suite of Web-based software tools that let team members share documents and communicate with one another.