A Time Savings Project Which Opens the Door to Improved Process Intelligence
A cost drain on most audit departments is control testing, which takes many forms but is generally manual sample testing (i.e., 30 units) of whether certain control attributes are working. Many audit and finance teams have asked how to automate their Sarbanes-Oxley (SOX) and control testing in order to release themselves from the chains of these manual testing requirements, which sometimes sap as much as 70% of their time budgets for the year.
At the same time, recent PCAOB inspection reports are noting various deficiencies in audits working to be compliant with Sarbanes-Oxley. The deficiencies surround the use of technology and lack of evidence, especially in the areas of revenue testing, management override of controls, and completeness of general ledger information. All of these deficiencies could be ameliorated or removed completely using data analytics.
If It’s Broke, Fix It With Automation
Any study will show that automation can reduce testing times and costs by at least 20 times while improving quality, yet a majority of organizations still spend a majority of their resource time budgets on manual management controls testing for external audit purposes.
Automation can dramatically change that, with additional fringe benefits including:
Improved Planning and Estimates
Rather than being resource-constrained at key times in the year, automated testing can be spread out over the course of the year with minimized testing effort.
In one example client system focused on user access and application control testing, the manual process testing time was reduced from over three months to a little less than two weeks. The main productivity loss was in manually organizing Excel spreadsheet outputs and the rote effort of tracing activity through the final reports. Practically all of this activity was automated with Excel macros and a variety of ACL scripts that only report deviations, which tend to be few each testing period. By highlighting all of the deviations at the outset, the audit team can further improve planning by calculating time estimates based on the actual results of ACL’s scripted testing.
Fraud Detection and Deterrence
Per the Association of Certified Fraud Examiners’ 2014 Report to the Nations on Occupational Fraud and Abuse, surveillance (of which analytics is a good part) has been proven to reduce fraud by two-thirds in value and cut in half the time to detect fraud.
With the data in hand, textual analytics can also be applied, which has been useful in testing Foreign Corrupt Practices Act (FCPA) compliance and otherwise reducing bribery in companies. What’s more, regardless of the report results, the proactive analytic approach deters future corrupt employee behavior once employees know a technology solution is watching.
Peace of Mind
Aside from knowing testing is now documented and defined to a set of scripted procedures, the system can be set to run automatically at specified times without anyone having to lift a finger. Then, for major issues over a specified tolerance, ACL’s NOTIFY command or ACL Results Cloud can efficiently forward and otherwise deal with the issue between periodic testing timeframes.
Analytics can serve as management control evidence in some cases, which should be identified as test plans are developed. The blank exception report is an example of control evidence to support the existence and operation of a control.
In one client’s ACL installation, a duplicate payment control system is run daily to detect any deviations for invoices entered that day. Under this approach, any issues identified are dealt with the next day, so practically no invoice payment goes out before being reviewed and edited accordingly. Additional reports could be added to this duplicate payment daily run, such as above-average vendor payments or round-dollar invoices, to quickly identify other issues to review while a person is “under the hood” looking for duplicates. As explained later, tests can be built for improved understanding and control circumvention testing, which further support controls.
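The daily run described above, sketched in Python rather than ACL script as an added example (it is not the client's or ACL's own code). The invoice rows, the field layout, the 1,000 round unit and the 3x vendor-average ratio are constructed assumptions; an empty result corresponds to the blank exception report.

```python
from collections import defaultdict
from decimal import Decimal
import re

# Constructed sample data: (id, vendor, invoice number, entry date, amount).
INVOICES = [
    (1, "V100", "INV-1001", "2024-03-01", Decimal("1250.40")),
    (2, "V100", "INV-1002", "2024-03-02", Decimal("1310.00")),
    (3, "V200", "7731",     "2024-03-02", Decimal("480.25")),
    (4, "V100", "inv 1001", "2024-03-04", Decimal("1250.40")),  # re-keyed copy of 1
    (5, "V200", "7790",     "2024-03-04", Decimal("5000.00")),  # round and large
    (6, "V300", "A-17",     "2024-03-04", Decimal("312.77")),   # clean
]

def norm(invoice_no):
    """Normalise an invoice number so re-keyed variants compare equal."""
    return re.sub(r"[^A-Z0-9]", "", invoice_no.upper()).lstrip("0")

def daily_exceptions(invoices, run_date, round_unit=Decimal("1000"), ratio=Decimal("3")):
    """Return sorted (invoice id, test name) deviations for invoices entered on run_date."""
    seen = {}                    # (vendor, normalised number, amount) -> first id
    history = defaultdict(list)  # vendor -> amounts entered before run_date
    hits = []
    for inv_id, vendor, number, entered, amount in sorted(invoices, key=lambda r: (r[3], r[0])):
        key = (vendor, norm(number), amount)
        if entered == run_date:
            # Test 1: same vendor, amount and normalised number already on file.
            if key in seen:
                hits.append((inv_id, f"duplicate_of_{seen[key]}"))
            # Test 2: round-dollar amount (assumed unit: 1,000).
            if amount % round_unit == 0:
                hits.append((inv_id, "round_dollar"))
            # Test 3: well above this vendor's prior average (assumed ratio: 3x).
            prior = history[vendor]
            if prior and amount > ratio * sum(prior) / len(prior):
                hits.append((inv_id, "above_vendor_average"))
        seen.setdefault(key, inv_id)
        if entered < run_date:
            history[vendor].append(amount)
    return sorted(hits)

if __name__ == "__main__":
    for hit in daily_exceptions(INVOICES, "2024-03-04"):
        print(hit)
```

Only deviations are returned, so the reviewer's queue for the next day is the output itself, and a day with no hits leaves an empty list that can be retained as evidence the control ran.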
Cost Recovery and Process Improvements
Cost recovery analytics focuses on the thin margins of error in any business process, which should be managed or they can spiral out of control into larger issues. Cost savings can take their form in risk-based vendor audits, improved negotiations with vendors, and process inefficiencies that can all be quantified into bottom line cash savings for the organization. Remember that if a company has a 10% net profit margin, the identification of $1 million in cash-back savings is equivalent to $10 million in gross sales.
Opportunity to Improve Business Insights
The simple calculation of an audit team’s manual testing cost savings or duplicate payments recovered is small in comparison to the benefits of understanding a business process more fully through analytics. Controls testing can turn from a sample approach to be more exception report based, where the team is challenged to creatively explore automated approaches for the formerly manual control test.
As explained in the related blog post, My Best Money Saving Audit Finding Ever, some of the simplest analytic insights into a process can render millions in savings for the organization. With their perspective, auditors have a unique opportunity to provide management additional insights into improving operations or sales, once the data is in hand and tested for completeness. All of this is possible from first understanding the data being processed from a quality and context perspective to support control testing.
But How To Get Started? The Prototype Test Set
Prototyping is the act of building a test model so that it can be replicated and learned from for future exercises.
Software development has moved toward this approach and away from the traditional waterfall model, in which all requirements are planned before development begins, in an effort to speed savings to the organization in line with automation. The analytic tests built with ACL scripts and visualization tools can become a perpetual cash register to business process owners looking for process improvements and savings, which are implemented as each process is automated, one at a time, using a prototype test set approach.
More specifically to controls testing, prototyping a test set:
As a contingency, manual testing procedures in the area may still be performed while separately ensuring the new automated approach will be adopted by the business owners and external stakeholders. Rather than select one area to test, it is suggested that two process areas be chosen in order to compare results, while also creating at the outset a contingency plan if one process falls short in the new testing paradigm.
In the next blog post, we will discuss the four-step plan to getting the prototype off the ground in automating controls testing.