Service Auditors Should Rethink and Reinvent AAF, ISAE and SOC Evidence Using Data Analytics

Audit quality can be enhanced through using data analytics, and bring about more meaningful and quicker results to benefit the regulator, management and auditors. Data analytics is a practical approach to manage the way data flows through information systems.

Consider for instance how AAF, ISAE and SOC internal controls reporting would benefit from an analysis of unusual or repeating items for a large volume of transactions for payroll, master trust contributions or biogas weighbridge inputs. Consider too from getting this evidence what better controls for prevention, detection, management reporting and governance reporting could be built-in to capture 100% of transaction activity over a set period.

Data analytics (DA) is the process of examining data sets to draw conclusions about the information they contain and best applied using purpose-built software. It enables the service auditor to not only manipulate a complete data set of 100% of transactions in a population but also display the results graphically quickly and simply for the benefit of management, board and trustee directors. It can also be set to manage and monitor the information regularly desired by regulators.

An extract from the ICAEW 2016 publication ‘Data analytics for external auditors’ states some of the commonly performed data analytics routines:

  • Comparing the last time an item was brought with the last time it was sold, for cost/NRV purposes.
  • Inventory ageing and how many days inventory is in stock by item.
  • Receivables and payables ageing and the reduction in overdue debt over time by customer.
  • Analyses of revenue trends split by product or region.
  • Analyses of gross margins and sales, highlighting items with negative margins.
  • Matches of orders to cash and purchases to payments.
  • ‘Can do did do testing’ of user codes to test whether segregation of duties is appropriate, and whether any inappropriate combination of users have been involved in processing transactions.
  • Three-way matches between purchases/sales, goods received/dispatched documentation and invoices.

Service auditors using data analytics would be following in the footsteps of large systems developed companies like Oracle, SAP and Microsoft. The audit and AAF, ISAE and SOC assurance based approaches for risk analysis and controls testing, sampling and materiality need not exclude DA.

Although a challenger, data analytics should enhance rather than replace audit and assurance. It gives the opportunities to introduce external data and non-financial elements into the AAF, ISAE and SOC controls reporting framework. However, there may need to be a reworking of what is acceptable evidence to meet the demands of international audit and assurance standards.

To move forward we need to prioritise two things:

  1. engagement of management, board and trustee directors and the regulator in the discussion of what would be their top ten areas for data analytics reporting, an
  2. crack the operational issues of how to obtain good quality raw data we need to perform DA.