New developments in computer software could lead financial executives and accountants to completely change the way they conduct corporate audits. The question is whether that would be a good thing — and whether it could prevent the next Enron.
So-called continuous-auditing software promises to transform the process of financial auditing by changing it from an archival activity that is performed at the end of a month, quarter, or year to a process that could be done on a continuous, nonstop basis. The promise is that this type of system could catch — and stop — illegal financial transactions before any damage is done.
But critics of such software say it blurs the line between auditing and monitoring. That’s a line, they say, that few companies — or their independent auditors — wish to cross. Worse, in their view, is the idea — put forward by some proponents of continuous-auditing software — that the software could actually shut down an entire transactional system whenever it detected a major transgression. That, they fear, wouldn’t just cross the line, it would obliterate it.
Welcome the Auditbot
Even if auditing software were pushed to this limit, could it stop the next Enron or WorldCom? Probably not, say experts. As Don Schulman, leader of the global financial-management solutions practice at PricewaterhouseCoopers Consulting, puts it: “The CEO who wants to cheat and lie can take [a transaction] out of the system and tell the CFO to change it.”
For all that, the basic idea behind continuous-auditing software, sometimes known as “auditbot” technology, is fairly simple: A piece of software runs in concert with standard financial-application suites such as those offered by SAP, Oracle, and PeopleSoft, monitoring each transaction conducted by the suite and watching for violations of the company’s rules and practices. (These rules are programmed in beforehand by the company’s internal audit group or an outside auditor.) If and when the software detects a violation, it issues a warning report or an alert to top management.
Such auditbots are built around a kind of software known as a rule-based system. In contrast to most software, which represents information in a relatively static way, a rule-based system constantly compares one data type with others, using the programmer’s classic “if-then” formulation. For example, a standard computer system for determining the day of the week would simply store calendar information, in effect saying, “Today is Monday and tomorrow is Tuesday.” But for the same task, a rule-based system would compare days, saying, in effect, “If today is Monday, then tomorrow is Tuesday.” In an accounting situation, a rule-based system could formulate: “If an invoice is paid in full, then book the payment as revenue.”
Much of the early work on continuous-auditing software was done in the telecom industry, which, not coincidentally, was one of the first to have real-time electronic records of all its transactions — in this case, telephone calls — on hand. One of these early projects was undertaken at Bell Labs (now AT&T Laboratories) in the mid-1980s and led by a pioneer in the field, Miklos Vasarhelyi, today a professor of accounting and information systems at Rutgers University. The system, called CPAS (Continuous Process Auditing System), was tested over a four-year period but was never implemented. One reason, says Vasarhelyi, was that it raised hackles among other departments. “Our detractors within the company said, ‘This is not auditing, it’s monitoring,’” he recounts. His take? “Auditing is supervision.”
Still, that debate hasn’t prevented other companies from testing auditbots. They include those that conduct large numbers of real-time transactions, mainly financial-services companies such as Citibank, Schwab, and PayPal, says Vasarhelyi. “With online, real-time technology, it is possible to get very close to the transaction, take a global view of it, and pick up an understanding of things that are not cricket,” he explains.
Ifs, Ands, or Bots
While independent auditors say they’re interested in applying auditbots to their clients’ systems, to date it has been internal audit departments, not outsiders, that have taken the first steps. The reason is mostly a matter of trust. “Quite rightly, companies don’t want to put things on their computers they don’t fully understand the implications of,” says John Fogarty, director of audit methodology, policy, and procedures at Deloitte & Touche. “They want to consider how [auditbot software] would interact with their other systems, and they want to consider the security issues. It’s not a casual thing.” Instead, independent auditors are turning to Web-based tools as the next step in automating corporate audits.
Another barrier to the widespread adoption of auditbots is the mind-numbing complexity of enterprise applications — and the fact that multinational, multicompany corporations rarely standardize on a single version of a single suite. “ERP [enterprise resource planning] software is a misnomer, because these systems are not really enterprisewide,” says Fogarty. “As a result, automated techniques can be applied to some systems, but not really to all.”
Critics of auditbots argue that auditing can never be totally automated, and will always require human intervention. “You can’t audit a company in real time, because judgments and estimates are involved, and human beings make those after the fact,” insists Brian Kinman, head of PricewaterhouseCoopers’s enterprise risk-management practice.
Adds Frank Gori, global director of assurance services at Ernst & Young: “Technology tools are only tools. The most important element in the auditing process is your people bringing skepticism to the table to ensure quality.”
Even Vasarhelyi admits that auditbots are unlikely to usher in an era of flawless financial reporting. In the first place, it’s relatively easy for bad guys to keep one step ahead of the software, much the way computer-virus makers engage in a kind of arms race with computer-security experts. By the time the security gurus have figured out how to detect and disable the latest virus, the evil virus-makers have unleashed new ones. A similar arms race could erupt between corporate crooks and auditbot developers. And even if the software triumphed, says Vasarhelyi with a sigh, “if management is really crooked, they’ll do something [else] anyway.”
While the widespread use of auditbots is still a blue-sky dream, in the here and now, independent auditors are increasingly relying on Web-based software.
Ernst & Young, for one, supplies its teams with a Web-based portfolio of audit tools called EY/NexGen. Currently in what the firm labels “early adoption mode,” NexGen helps multinational teams collaborate by providing a suite of Web-based software tools that let team members share documents and communicate with one another.
NexGen also lets a project manager bring in subject-matter experts from around the world on an as-needed basis, explains Frank Gori, E&Y’s global director of assurance services. “Anyone with user access and a password can engage in the review or creation of work papers in real time,” he says. NexGen also provides online-collaboration software that lets professionals working on an audit project conduct virtual meetings over the Internet.
After some 18 months in development and testing, NexGen is being rolled out to E&Y’s Business Risk Services Group and selected clients. It augments, but probably won’t replace, the firm’s standard desktop auditing tool, called EY/AWS 1.5 (AWS stands for Auditor’s Work Station); small clients — those without multinational operations — simply don’t need the benefits NexGen offers. “For a small client with, say, $20 million in revenue, using a tool like NexGen is like bringing a howitzer to the table,” says Gori.
Similarly, Deloitte & Touche uses two Web-based audit systems. The first, known as ACL Web, is based on a commercial application from ACL Services Ltd., though it has been customized for Deloitte’s auditors. ACL Web addresses a key barrier to automated auditing: incompatible data formats. To help Deloitte auditors get a client’s data into a single format, ACL Web acts as a kind of self-help kiosk, providing lists of questions and terminology so auditors can work with a client’s IT department. The Web-based tool also provides preprogrammed tests that auditors can apply to the data, rather than have to create new tools on the fly, explains John Fogarty, Deloitte’s director of audit methodology, policy, and procedures.
Deloitte’s second Web-based system is somewhat experimental. Developed with software vendor Intacct Corp., it takes the entire automated-audit process one step further by actually embedding the audit system into the accounting system. Among other benefits, this eliminates the need to reformat financial data before it can be audited. Although the current product is suitable only for small and midsize accounting firms, that could change, says Fogarty: “We developed it as something we might use in our own practice.” Nothing blue-sky about that.