A recent news release by Robert Half, a staffing company that specializes in accounting and finance personnel, covered what it sees as the most important attributes required for auditors in the 21st century. “7 Attributes of Highly Effective Internal Auditors” covers the people dimension of the profession and focuses on the non-technical requirements of the role, including relationship-building, teamwork, and diversity. No doubt these skills are a must for just about anybody working in a modern (Western) corporation. For me, though, the most important quality on the list is at the bottom: continuous learning. That’s because the role of internal and external auditors will be transformed radically by big data, in-memory processing and other advances in information technology that will make enterprise automated fraud discovery and mitigation a reality before the end of this decade.
A bit of history: Before computers took over, auditors used to examine paper accounting records for suspicious physical evidence, such as erasures, out of sequence entries, blank spaces and different-colored inks. When companies first adopted computer-based accounting systems, auditors lost access to these clues that might point to fraud. Worse, numerous computer-based accounting frauds in the 1960s and 1970s were hard for auditors to spot because the proprietary systems of the day were far from transparent. These frauds led to the formation of the Treadway Commission, which promulgated the COSO framework, which was the underpinning of the Sarbanes-Oxley Act’s Section 404 requirements.
Meanwhile, somewhat ironically, the computer-based accounting systems that once aided swindlers are about to make it much more difficult to successfully commit financial fraud. (I have too much respect for the criminal mind to think for a moment that fraud will be impossible.) Big data and in-memory processing techniques are about to give auditors a clearer and more comprehensive picture of what to audit, and even provide alerts that a fraud is being committed. These systems will provide a digital equivalent to the search for erasures, suspicious sequences and missing items.
Applying automated governance and control techniques to electronic financial systems is nothing new. Since the 1990s, enterprise systems such as ERP have become far more transparent, and this has enabled business to use software to make it more difficult to successfully perpetrate financial fraud. Identity and access controls are an important barrier that ensures only those with the proper credentials are able to perform specific tasks or view sensitive information. Vendors such as Oversight Systems and Infor Approva, for example, provide software that performs continuous monitoring to ensure that control-related processes and policies are being observed. I see these as precursors to more comprehensive enterprise systems that will continuously monitor and review a broader set of data that comes from all financial management systems, including accounting, consolidation, planning and analytics (to name four), as well as supply chain and warehouse management systems and, perhaps, machine data.
Being able to view a comprehensive set of corporate data is a prerequisite for effectively automating enterprise fraud discovery. A completely effective system would be one that gives no false negatives (that is, it doesn’t miss a suspicious indicator) and no false positives (which waste time sending auditors on what turn out to be wild goose chases). Taking an enterprise approach to managing fraud is potentially much more efficient. It is also likely to have a better chance at spotting sophisticated frauds sooner because it should be able to connect many more dots than is currently feasible. Of course, no system will ever be 100 percent effective, so business will still need to employ other, non-automated techniques, including relying on tips. While uncovering material financial fraud is critically important, decades of experience have made it clear that automated systems usually fail in practice because they do not reliably limit false positives. Justifying the investment in automated fraud detection, mitigation and management depends on those systems’ ability to ensure that the cost of uncovering fraud doesn’t exceed the cost of the fraud itself.
The most challenging aspects of implementing an enterprise fraud detection and prevention system involve identifying the things that need to be monitored and measured, creating algorithms or describing patterns that define suspicious events, items, values, ratios or relationships (to name five), and then defining the thresholds and conjoint conditions (to name two) that indicate a situation that is worth investigating. Many of these algorithms and techniques are likely to begin as generic constructs, freely available to all. The art of establishing an “auditor in a box” will be in determining how to apply these algorithms and techniques to an individual company’s situation, and the science will be in the way they are implemented, since every company’s specific IT environment and systems provisioning makes each one a unique set of permutations of the generic model.
Which brings me back to the initial point of this piece: Information technology will transform the role of the auditor radically over this decade. The focus of the Robert Half list on people skills is well-taken, because automation is likely to diminish the relative importance of applying an auditor’s purely technical skills. As a result of automation, the number of people employed in internal audit teams is likely to decline. One can also hope that the hours required to complete an external audit will decline as well, although I won’t argue with skeptics who expect the Big Four and other auditing companies will somehow manage to maintain the number of hours billed. Those who remain in the auditing profession are likely to be occupied in more interpersonal and analytical tasks, and they will need to have more knowledge of IT systems and analytics. Those studying accounting today would do well to ensure they have sufficient background in information technology systems to be able to compete in a future where IT and accounting are even more tightly linked. Those working in audit roles today must take the seventh and last recommendation, to engage in continuous learning, to heart. Otherwise, they’re likely to find themselves in the same position COBOL programmers found themselves in a decade ago, their skills made obsolete by the march of technology.
Robert Kugel – SVP Research