The future of auditing in the world of automated accounting.
Twelve years ago, FiveThirtyEight debuted on the World Wide Web. QuickBooks held well over 90% of the retail accounting software market, Microsoft Groove was the ‘cloud’ tool for enterprises, and I got my CPA license. Today, numerous modelers publicly offer their election predictions, there are at least half a dozen competitive cloud accounting solutions on the market, and document syncing has been replaced with simultaneous editing. For me, and the thousands of accounting professionals around the world, technology has changed how we work, but the essence of what we do has remained the same. We create value from information.
Ask a random business professional what comes to mind when you say ‘CPA’ and there’s a good chance ‘audit’ will be an answer. The financial statement audit has retained its core objective over decades of technological change, that of opining on the fair presentation of information in accordance with a set of standards. Audited financial statements provide value: A comparable and consistent reflection of the state of a business. And, while financial statement audits are solely performed by CPAs/CPA firms, accounting professionals engage themselves in other audits as well, such as internal audits of controls or compliance within a business.
Audits have value; they assure us of what is well and inform us of what issues may be present.
Hard work creates value, and there is no question that when a business undertakes an audit, the business has its own effort to make. Substantiating the completeness or existence of an accounting balance with invoices, approval forms, cancelled checks, and bank statements, can be daunting. And as if the auditing process isn't inscrutable enough, every industry has its own nuances that add complexity. The result can be exhausted finance leaders whose efforts are not well understood. Software has alleviated some of the challenges, but technology has its limitations and imperfections.
Prior to the SaaS boom at the end of the last decade, most businesses selected a primary accounting system and purchased customizations to meet their needs. For example, a company might buy ERP A, and then document storage solution B, having vendor C build an integration, so clicking on journal entry D opens contract E in a new window. Today, APIs have replaced hard integrations, but the accounting tech stack remains cobbled together. A tradeoff persists between a best-in-class process, and a singular end-to-end source of truth.
As professionals, we might criticize the marketplace for creating an accounting environment where gaps between systems create risks of loss of information or control. We can push for change, and make compensating efforts in the interim.
Better yet, we can proactively evolve and foster innovation, individually, both on a business level and as an accounting community.
In fact, we have already seen efficiency and effectiveness gains in accounting and auditing from present technology.
The value of instant availability and robust identity.
A discussion of accounting automation is incomplete without addressing the innovations in data collection.
Accounting systems now pull financial transactions from banks, point-of-sale systems entries pushed daily from closed registers, and customer contract renewals triggering billings and electronic payments. Generally speaking, any arms-length transaction is traceable to a source event. With timestamps and unique identifiers prevalent within underlying databases, it’s much easier to tell right now that a purchase or sale occurred, and flowed properly into the accounting system. Combine this with the 99% uptime of the cloud and we can basically view a business’s present economics on a cash basis on demand. When accessing systems, users authenticate under established identity standards, and often take advantage of single-sign-on to balance complex passwords and multi-factor-authentication with ease of use.
The near instantaneous flow of transaction data has offered the accounting function the opportunity to transform what were once monthly processes into weekly, or even daily, processes.
For any business working on cash flow improvements, there’s an expectation that bank and ledger balances are soft-reconciled, at least at the end of the work week, if not every morning once the bank feeds have synced. Time-consuming month-end reconciliations for volumes of paper checks and deposits in transit are nearly non-existent. And, alongside these control improvements, we see reductions in fraud risk. With cash monitored daily, our chances of detecting misappropriations of cash are much higher and recovering assets may happen quickly with better chance of success.
The audit function has tremendously benefitted from instant availability. First and foremost is the concept of continuous auditing.
Accounting systems today offer clear evidence of when controls have been performed. It’s easy to see when a reconciliation was last completed, if and when a reviewer approved a journal entry before it was posted, and that the automated depreciation entry reduced the fixed asset balances in the GL and the subledger. Auditors can access this information easily with numerous systems offering robust view-only permissions. Auditors can perform control testing at more convenient hours and from easier locations, with audit evidence easily re-retrievable when detailed review of workpapers is performed.
Near real-time execution and observation of the accounting function demands a robust form of identity management.
While it is easy to manage access within a system, it is not as easy to genuinely know that the electronic User A, who performed an action, is actually Person A. Fortunately, open authentication standards allow use of single-sign-on (SSO), where we can move from emails, to spreadsheets, to journal entries after logging in once at the start of the workday. What we now see are reductions in shared accounts and logging on as other users. Who would want to share the keys to one’s personal kingdom at work? We also see commenting as a form of review with cloud document systems tagging users who leave and resolve review notes. This would not be reliable evidence of internal controls without a strong identity system running behind the scenes.
Continuous auditing is the concept of performing procedures throughout the entire period under audit rather than at set times.
Continuous auditing is not entirely new; the IRS has piloted the idea with some of the largest corporate taxpayers and almost every multi-billion-dollar public company has auditors on site daily. What is new is, as mentioned previously, the flow of information. Auditors can obtain transaction data, whole populations in fact, on demand, even as transactions occur, if access allows. Here are just a few of the consequences of this access to information:
- Auditors can leverage analytics to examine routine transactions for reasonableness. For example, a computer can identify consistency in the order-to-cash transaction flow. More broadly, access to good information and ongoing analysis of that information has led to the development of predictive models to recognize patterns in big datasets that imply risk and require investigation.
- Exceptions and overrides to internal controls are more easily identifiable through logs and alerts. These issues can now be escalated effectively, in some cases with the benefit of anonymity.
- Areas of risk are more easily targetable. For example, it is easier to identify C-Suite expenses and vendors associated with those expenses.
Overall, auditors can approach risk-based auditing more thoughtfully and proactively. Problems can be explored before the effects of control deficiencies escalate. Areas of risk are no longer explored just once during an audit cycle. A constant flow of information gives auditors ample lead time to adjust audit plans and reduce the risk of incorrect conclusions from on-the-fly reactions.
Three core areas for Improvement.
Technology has made such a positive impact on accounting and auditing, but that doesn’t mean we don’t have work to do. Here I want to explore some of what remains in this domain.
First is the topic of application controls.
Simply put, if the code in an application is unchanged, an automated process that works once will always work for the period in which no changes were made. We need to see a greater, and more publicly available, evaluation of automated integrations, one form of application control.
For example, if payroll system A interfaces with accounting system B, and there have been no changes to system A or system B with regards to that connection, everyone who uses the two systems should have that information as audit evidence that transaction flows between the systems are complete, real, and accurate. We need a simpler means of sharing this information than costly SOC 1 Type II reports, which not all system providers may obtain, and for which not all system users may have the means to make sense of ‘user control considerations.’ A central, open database, with testing and results done in open source programs, would be ideal.
Second is system separation. Technology (not just accounting tech) currently operates in a do-one-thing-great space, where software companies compete to handle just one or two processes at competitive prices. As a result, systems are imperfect and lack considerations for use in the accounting workflow. For example, communication platforms, like Slack and Microsoft Teams, are great places to obtain that needed approval of a cash disbursement or document a review, but these platforms make it easy to delete messages. We might be open to giving auditors access to accounting systems, but not necessarily internal communication platforms.
The broader software community has a long way to go in offering an affordable means to add control when their products become a part of the accounting workflow.
Third is keys to the kingdom. Auditors have examined, and always will examine, segregation of duties. A hurdle nearly all companies face is that someone has access to perform (or grant themselves the ability to perform) all the functions in a major accounting cycle.
We certainly need to ensure that individuals cannot unilaterally misappropriate assets or misstate the financial statements. However, on the audit side, we need to not get tied down in the granularity of a workflow and remain focused on the adverse outcomes that need to be prevented or detected. On the systems side, we need easier means to deliver monitoring information.
For example, individual audit log reports for system administrators should be automatically generated and easily accessible, rather than having to request them on demand through a filtered menu exercise.
Following some of what I mentioned in the continuous auditing section above, systems could have more alerts around the risk areas arising out of broad access.
A bright future.
As technology pushes accounting and auditing forward, I see a number of positive possibilities.
Continuous auditing has the opportunity to evolve the assurance business model. The redistribution of effort over wider blocks of time (vs. seasonal busy periods), and the ability to focus procedures based on data, could lead to more focused engagements.
Perhaps private businesses will only need agreed-upon-procedures addressing accounting areas requiring the most assurance, and the transparency of systems within a cloud marketplace will foster confidence in the rest of the accounting information.
Historically, an audit’s value stems from assurance that financial statements representing the past are materially correct so that they can be inputs to user evaluations of future business performance (that is to say, valuation).
As audits become closer and closer to being ‘current,’ there becomes the possibility that audits (or some form of assurance) might be able to attest to the present operating environment and financial condition of a business. Assurance may be able to expand into earnings forecasts and other forward-looking information that, while judgmental, have substantial objective inputs. This could lead to more efficient price discovery in public equity markets, and allow private companies to close on financings faster and assess the strength of a company’s operating environment, and its reliability in reflecting today’s financial condition. This shift from backward to forward-looking assessment can help a company perform more effectively to achieve business results and may not be reflected in the current pricing model.
Risk-based auditing starts with the risks to a company’s business and how management addresses them. As technology creates process efficiencies, accountants and auditors will have more time for examining risks, hopefully collaboratively. Audits do not have to be mundane compliance exercises.
Audits can be a welcome opportunity to understand how businesses can be improved through prevention or detection and correction of what can go wrong in the ordinary course of operations.
Adoption of software tools that automate accounting processes makes teams more efficient and helps eliminate human error. Technology offers the means to monitor and control user actions. Today’s systems also contain machine learning elements which replicate human behavior over time. Technology fosters an efficient environment for accountants and auditors. However, accounting is inherently judgmental, and systems cannot replace the thoughtfulness that a finance team imparts into its work or the assessment by an auditor for the construct of reasonableness. What we can best strive for is an environment in which best-in-class systems are integrated, capturing data in a timely manner, processing it consistently, and flowing information to reports on demand. With a robust, automated accounting environment, professionals can direct their energies to collaborating on the best ways to improve information quality, prevent asset misappropriation, and detect financial statement misstatements. Ultimately, effectively addressing a business’s most critical risks will allow an organization to offer meaningful predictors of future outcomes and foster strong capital markets.
Airbase offers a one platform solution to manage all non-payroll spend. It provides oversight and control over spending with real-time reporting and automatic syncing directly to your general ledger. Control all payments – physical cards, virtual cards, ACH, and checks – from one place. Close faster. Empower employees. Control spend.