Audit Standards and Data Analytics?

While giving a presentation on Analytics during a recent event, one of the meeting participants asked how the Audit industry felt about data products created using Analytic processes. On first thought, I consider Analytics to be a form of “analytical procedures”. This was my response, but I had to qualify it by acknowledging that I wasn’t sure how different auditing standards addressed the topic. Over the last few days I’ve been able to do some research and pull together a quick synopsis of how the most commonly used Audit standards define the work behind Analytics. In summary, my initial impression was pretty close… several of the major Audit standards define this type of work and emphasize the reliability of data that underpin Analytic data products.

Analytic Procedures Graphic

I was quite surprised to realize that the publication dates for each of these standards were several years old but defined Analytic Procedures (terms differ slightly for each standard) in a general format that clearly covers Analytic data products. Here’s a synopsis, in alphabetical order by standards body, in APA format:

Government Accountability Office. (2009) Assessing the Reliability of Computer-Processed Data. Washington DC: Authors. The GAO sets standards for performing financial and performance audits in government. This document outlines factors that auditors should consider in reviewing data analytic products, dashboards, models, or other analyses. http://www.gao.gov/products/GAO-09-680G

Government Accountability Office. (2011) Government Auditing Standards. Washington DC: Authors. The GAO sets standards for auditing government, and Appendix I, A6.04 of this document defines “analytical processes” to include “…computations, comparisons, separation of information into components, and rational arguments to analyze any evidence gathered to determine whether it is sufficient and appropriate.” Section 6.66 also states “Auditors should assess the sufficiency and appropriateness of computer-processed information regardless of whether this information is provided to auditors or auditors independently extract it.” Section 7.13 requires audit reports to “explain how the completed audit work supports the audit objectives, including the evidence gathering and analysis techniques, in sufficient detail to allow knowledgeable users of their reports to understand how the auditors addressed the audit objectives.” http://gao.gov/products/GAO-12-331G

Information Systems Audit and Control Association. (2011) Data Analytics- A Practical Approach. Rolling Meadows, IL: Authors. This association publishes information technology audit standards. Their white paper defines “data analytics” as “processes and activities designed to obtain and evaluate data to extract useful information.” This paper describes different types of Data Analytics on a maturity scale that tops out at “Continuous Monitoring,” where analytics are fully automated, embedded in production systems, and running at regularly scheduled intervals. http://www.isaca.org/knowledge-center/research/researchdeliverables/pages/data-analytics-a-practical-approach.aspx

International Auditing and Assurance Standards Board. (2008) International Standards on Auditing 520 Analytical Procedures. New York, New York: Authors. This independent standards body issues standards for conducting financial audits of companies worldwide. The cited document describes auditors’ use of analytical procedures as a method of obtaining relevant and reliable audit evidence that should be performed near the end of an audit to assist the auditor when forming an overall conclusion on the accuracy of financial statements. The definition of analytical procedures in this standard is “evaluations of financial information through analysis of plausible relationships among both financial and non-financial data”. http://www.ifac.org/publications-resources/basis-conclusions-isa-520-redrafted-analytical-procedures

Public Company Accounting Oversight Board. (2010) AU Section 239 Substantive Analytical Procedures. Washington, DC: Authors. This private sector, nonprofit corporation publishes standards that are approved by the US Securities and Exchange Commission for auditing financial statements of companies traded on US markets. This document provides guidance on the use of analytical procedures in the planning and overall review stages of all audits. This document states three purposes for using analytical procedures: a) to assist the auditor in planning the nature, timing, and extent of other auditing procedures, b) as a substantive test to obtain audit evidence about particular assertions related to account balances or classes of transactions, c) as an overall review of the financial information in the final review stage of the audit. http://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AU-00329.pdf

The Institute of Internal Auditors Research Foundation. (2009) Global Technology Audit Guide 13. Altamonte Springs, FL: Authors. This guidance-setting body provides mandatory and recommended guidance for internal auditing. https://www.theiia.org/bookstore/product/global-technology-audit-guide-gtag-13-fraud-prevention-and-detection-in-an-automated-world-download-pdf-1464.cfm

The Institute of Internal Auditors Research Foundation. (2011) Global Technology Audit Guide 16. Altamonte Springs, FL: Authors. This guidance-setting body provides mandatory and recommended guidance for internal auditing. https://www.theiia.org/bookstore/product/global-technology-audit-guide-gtag-16-data-analysis-technologies-download-pdf-1576.cfm

The Institute of Internal Auditors Research Foundation. (2013) International Standards for the Professional Practice of Internal Auditing. Altamonte Springs, FL: Authors. This guidance-setting body provides mandatory and recommended guidance for internal auditing. The referenced document defines “technology-based audit techniques” as “Any automated audit tool, such as generalized audit software, test data generators, computerized audit programs, specialized audit utilities, and computer-assisted audit techniques (CAATS).” Section 1210.A3 states that “internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work.” https://na.theiia.org/standards-guidance/Pages/Standards-and-Guidance-IPPF.aspx