SUMMARY
The future of auditing is a data-driven audit, which extracts and analyzes digital data stored in client accounting systems. To help conduct data-driven audits, audit firms are developing audit analytic platforms (AAPs). This paper focuses on one key application tool of AAPs that analyzes the entire population of general ledger transactions. These general ledger analytics tools (GLATs) use assessment routines to assign a risk score to each transaction, helping guide the auditor’s planning, risk assessment, and selection of high-risk transactions for substantive procedures. GLATs help support audit quality and provide valuable new insights about client operations. We discuss the analytics routines used by GLATs, the forces driving their use, and some potential limitations of this technology.
Data Availability: Data are available from the authors.
JEL Classifications: M4.
We did not know that we had this data all of this time.
—Anonymous Audit Client
I. INTRODUCTION
Data and analytics have always been the foundation of financial statement audits. However, data sources have shifted from paper documents to digital information stored in accounting systems, creating the need for a “data-driven audit.”1 Likewise, data analytics has shifted from manual paper calculations in Excel to generalized audit software (e.g., IDEA) and other automated audit tools. Building on these advances, audit analytic platforms (AAPs) have emerged as software tools that act as decision support systems for auditors. AAPs include multiple analytic capabilities, such as data extraction, data capture, data analysis, and data visualization as well as team/client communications. Our goal is to provide a high-level overview of AAPs and to investigate an increasingly important AAP tool, the general ledger (G/L) analytics tool (GLAT), which focuses auditors’ substantive tests on high-risk transactions.
Auditors use GLATs to analyze all company transactions in the G/L system. Specifically, GLATs use analytic routines2 to assign a risk score to each transaction, helping guide the auditor’s planning, risk assessment, and selection of high-risk/unusual transactions for substantive procedures. Because all transactions are analyzed, GLATs can better identify financial statement inaccuracies and improve the detection of occupational fraud by identifying “unusual” or “inappropriate” journal entries even when they are below the materiality threshold (FRC 2017, 2020).
GLATs represent a relatively new innovation in the audit process.3 They provide a foundation for a data-driven audit, which KPMG defines as “extracting data, using technology to analyze that data consistently, including at the transaction-level, and then focusing our testing on the areas of highest risk” (KPMG 2022). Data-driven audits support audit quality and help auditors provide valuable new insights about client operations (Crowe 2023). Thus, GLATs support a shift from sampling to assessing 100 percent of company transactions from a risk perspective, providing more value for the audit dollar. As GLAT usage expands, both regulators and audit practitioners need to understand how they work and innovate the audit process, and help create emerging best practices (e.g., O’Leary and Selfridge 2000).
The authors developed insights about GLATs by interacting with auditors from numerous audit firms in a variety of ways. Our main source was an audit leader from a top seven audit firm who shared his/her extensive knowledge of AAPs, including data extractors and the use of GLATs.4 We supplemented this information by knowledge obtained from (1) joint presentation with an EY auditor at an “AIS Bootcamp,” (2) class presentations by multiple audit firms,5 (3) follow-up conversations with auditors,6 and (4) an author’s Fall 2023 Big 4 Externship.
The rest of the paper imparts some of what we learned from these audit visionaries as follows. Section II describes AAPs and GLATs, Section III examines risk-scoring analytic routines, Section IV analyzes the drivers of GLATs, and Section V concludes.
II. AAPS AND G/L ANALYTICS TOOLS
AAPs7 support the audit workflow with an analytic investigation of digitized (i.e., computerized) audit data. AAPs include valuable resources (e.g., searchable accounting standards) to help guide and conduct the audit. Thus, AAPs are not just automating audit processes but instead are radically transforming them. Although AAPs do require large expenditures on hardware, software, and staff training, they also help promulgate a standard methodology and standard processes across geographically dispersed audit offices and engagement teams (KPMG 2022), digitally “pushing” new information and processes throughout the firm. Because they are digitalized and standardized, AAPs can assess how well auditors are adhering to the methodology/process by monitoring individual audit progress and AAP use.
AAPs have the potential to enhance audit quality through a variety of tools (FRC 2017, 2020) (Exhibit 1). AAPs use GLATs to “gain quantitative insights and visibility over the data captured within the business sub-system and G/L” (KPMG 2017, 1). This section summarizes the basic GLAT steps of data extraction, data analysis, and transaction identification for substantive procedures.
AAP Capabilities
The left oval captures the primary characteristics of AAPs, and the right oval drills down on the GLAT portion of AAPs, summarizing some of the GLAT capabilities.
AAP Capabilities
The left oval captures the primary characteristics of AAPs, and the right oval drills down on the GLAT portion of AAPs, summarizing some of the GLAT capabilities.
Step 1: Data Extraction
The data-driven audit is initiated by extracting the data from the client’s enterprise resource planning (ERP) system. The goal is to develop an efficient, repeatable process so that client data can be easily loaded into an AAP. Unfortunately, setting up the data extraction process can be very labor intensive, requiring deep knowledge of client data. Most audit firms use specialized skilled information technology (IT) teams to handle this process. If a client uses packaged software like SAP, the database organization is well documented, and an AAP interface is built in, facilitating the process. The extraction process should not change unless additional information is required/requested, a client converts to a new ERP, or there is a major update/release/patch applied to the ERP.
Step 2: Data Analysis
Once the data are loaded into the AAP, a variety of tools analyze the data. GLATs, the focus of this paper, analyze 100 percent of the G/L transaction data to identify “risky” transactions using a variety of analytic routines (Exhibit 1). To date, we have seen over 30 different analytic routines as described in Section III.
Step 3: Transaction Identification
GLAT analysis is used to identify transactions needing further analysis by substantive procedures. One approach is to count the number of routines that identify a transaction as risky. For example, a transaction that is identified as risky by three routines (e.g., large, ending in 999, and having a posting date earlier than the transaction date) is riskier than a transaction identified as risky by just one routine. Exhibit 2 illustrates this approach with the highest risk transactions as the red dots above the line on the right side of the scatter plot. Substantive procedures would be conducted on those red transactions.
Example of Transactional Scoring
In this exhibit, each transaction is represented as a dot. The location of each dot is based on the absolute value of the impact on the income statement on the y axis and the risk score on the x axis. There are different ways of computing the risk score. A sample approach is the number of routines that the transaction is identified as a “risk,” and the more routines that the transaction is so identified is placed further to the right.
Example of Transactional Scoring
In this exhibit, each transaction is represented as a dot. The location of each dot is based on the absolute value of the impact on the income statement on the y axis and the risk score on the x axis. There are different ways of computing the risk score. A sample approach is the number of routines that the transaction is identified as a “risk,” and the more routines that the transaction is so identified is placed further to the right.
The number of high-risk (red dot) transactions is largely a function of the choice of key GLAT parameters. In Exhibit 2, both the choice of the value of the financial impact and the number of routines “failed” drive the number of “high-risk” items. Thus, choosing the parameters is a tradeoff between generating a high number of potential exceptions that could be false positives compared with a screening that may be too limited, excluding some high-risk transactions and affecting audit effectiveness. This could lead to some concerns among auditors to trust the tool to have such an important role in selecting transactions to audit.
The choice of those two parameters is critical and varies by client and year as conditions change. However, selecting those parameters is just one approach to identify so-called exceptional exceptions (Issa 2013). As noted in PCAOB (2023, 20), “The auditor may decide to test specific items within a population because they are important to accomplishing the objective of the audit procedure or because they exhibit some other characteristic (e.g., they are unusual or risk-prone).”
III. G/L ANALYTICS TOOL ASSESSMENT ROUTINES
The goal of GLAT risk assessment routines is to identify the transactions that are “not normal” and therefore may have a high(er) risk of error or fraud. GLAT routines consider the who, what, where, when, why, and how of each transaction to assign it a risk score. Because GLATs can quickly score transactions, auditors can use the information in both audit planning and execution. Some factors affecting risk scores include account usage and volatility patterns relative to historical performance. For example, if a business is closed on the weekends, manual journal entries made during the closed hours would be viewed as higher risk than automated, recurring journal entries. Likewise, journal entries made at the end of the period or during closing with atypical account patterns would be viewed as higher risk. In addition, longer/shorter posting times than normal can be viewed as higher risk. For example, why did it take two more weeks to post an entry that on average posts in one week? Transactions might be assessed as risky because of the transaction amount (e.g., transactions ending in .99 or transactions just under some policy/target such as $9,999) or cutoff analysis.
Unexpected journal entry account combinations affect risk scores. For example, sale transactions should include a debit to cash/accounts receivable and a credit to sales. GLATs may use ERP codes, which are saved as part of the transaction, to help determine expected transaction accounts. For example, Exhibit 3 shows some key document types for SAP for accounts payable (e.g., KZ for vendor payment) and accounts receivable (e.g., DZ for customer payment) and how they are sent to the G/L. GLATs would expect KZ vendor payment transactions to include a debit to Accounts Payable and a credit to Cash. KZ journal entries using different accounts would be flagged as high risk. Exhibit 3 also includes external data (e.g., industry key performance indicators), which auditors can use to evaluate the reasonability of company data/results.
The following are some additional questions that can be analyzed by a GLAT:
Who entered the transactions? Was there management override?
When was the transaction entered? Weekends? End of month? End of year?
Is the posting date before the transaction date?
Where was the transaction entered? From a remote location? On-site?
Was the transaction manual?
Is the transaction material?
Are there any transaction patterns by day? Month?
Do current-year transaction patterns repeat in previous years?
Do journal entry ownership patterns reflect desired segregation of duties?
Unlike prior computer-assisted audit tools (CAATs), AAPs use GLATs to automatically evaluate 30 or more indicators and benchmarks to evaluate transactions. In addition, historically, CAATs did not risk score transactions. Further, artificial intelligence (AI) may help AAPs and GLATs to become more attuned to each company’s operations and employee’s normal behaviors, making the identification of company-specific irregularities more precise over time (PwC 2018).
High-Level View of a GLAT
This exhibit illustrates the integration of SAP’s ERP system information into AAPs and use of that information in a GLAT. Blue indicates company digital data files/sources, purple indicates auditor’s tasks using a GLAT, and green indicates external data.
High-Level View of a GLAT
This exhibit illustrates the integration of SAP’s ERP system information into AAPs and use of that information in a GLAT. Blue indicates company digital data files/sources, purple indicates auditor’s tasks using a GLAT, and green indicates external data.
IV. DRIVERS OF G/L ANALYTICS TOOLS
FRC (2017) reports that by 2017, all six large audit firms in the United Kingdom were using analytics to test journal entries. Likewise, our audit visionaries began using increased amounts of technology about seven years ago. Some large audit firms have even made analysis by their GLATs mandatory unless an audit client obtains an exemption. COVID’s social distancing and travel restrictions, necessitating a new less human interactive audit, most likely accelerated the application of GLATs (PCAOB 2021). We now discuss additional drivers of AAPs and GLATs.
Exhibit 4 summarizes the drivers from both the auditor and client perspectives. Top drivers include time savings, better insights, and improved audit quality. Time savings are realized from automated data extractions and fewer substantive tests. Automated data extractions reduce the time required by client’s IT staff and the auditor to prepare/procure the data. According to several audit firms, a traditional audit may have examined a sample of 400 revenue transactions with substantive procedures, but a similar GLAT audit may only need to examine the 40 highest risk scored transactions. With fewer items being tested, there are fewer requests for client supporting documentation, saving time for both the auditor and client.8
Automated data extractions create an “open book” of client data so auditors receive more data than ever before, yielding additional insights about the clients’ operations. Auditors can share these insights without making (prohibited) recommendations. The insights allow audit firms to provide more than just an SEC-mandated audit, making clients feel like they are getting better value for the audit dollar.
Given that all transactions are risk scored, audit risk should be reduced when compared with a traditional audit. More insightful journal entry selections for substantive testing lead to more insightful conversations between the auditor and client around the client’s financial processes. In fact, a GLAT audit tends to find more areas of concern than a traditional audit, making audit clients believe the audit firm is now really examining the data to help prevent financial restatements.
The FRC (2020) and PCAOB (2021) outline additional ways that audit data analytics, including GLATs, can improve audit quality (FRC 2020, 4; PCAOB 2021, 5–6):
Aid professional skepticism
Deepen understanding of entity’s processes
Enable the testing on large or complex datasets
Identify potential fraud
Identify unusual patterns and exceptions
Identify indicators of management bias (upward/downward asset valuation bias)
Management awareness that all transactions will be analyzed acts as a deterrent.
Joe Ucuzoglu, former Chairman of Deloitte LLP, stated, “Our clients are making significant investments in advanced technologies. They expect our audits to keep pace” (Davenport 2016). Thus, the ability to conduct a data-driven audit is becoming increasingly important to keep and attract audit clients. Audit firms realize that although substantial time and money investments may be required to set up AAPs and GLATs, in the long-run, the audit may become more efficient, helping to keep audit clients.
Drivers of AAPs and GLATs
Driver . | AAP/GLAT Impact . | Auditor Perspective . | Client Perspective . |
---|---|---|---|
Time | Setup time for data extractions initially requires substantial time, but automated in the future | Less auditor time required to procure data after initial setup | Less time to procure data in the future. May not want to switch auditors due to initial setup time |
Fewer transactions identified for substantive tests | Less auditor time to perform substantive testing | Less employee time required to answer auditor questions and provide documentation | |
Insights into client operations/better value for audit dollar | Setup requires auditors to understand client’s accounting processes and industry. | Better understanding of client processes and industry leads to better analysis. | Learn about the company’s data and operations from the auditor |
Have access to 100 percent of client data. | Expanded analysis provides insights about client operations. | Use audit insights to improve operations, leading to the perception of “better value for audit dollar” | |
Audit quality | All transactions analyzed | Leads to more insightful conversations between the auditor and client around the client’s financial processes | Knowledge that auditors are examining all the data, helping ensure that financials will not need to be restated |
Substantive tests focus on high-risk transactions. | Should reduce audit risk as riskier transactions are investigated | More areas of concern identified, helping reduce the temptation for employees to commit fraud | |
More areas of concerns are typically found than in a traditional audit. | Prepares for continuous audit | ||
Audit market competition | The audit market is competitive in terms of audit fees. | Although a substantial time and money investment may be required to set up a data-driven audit, in the long-run, audit may be more efficient. | May not want to spend time with another audit firm setting up the process |
Competitor auditors would incur the same initial costs. | |||
Client innovation | AAPs and GLATs represent innovations in the audit market. | More efficient, less risk audit | Making investments into advanced technologies and expect the auditor to do the same |
Driver . | AAP/GLAT Impact . | Auditor Perspective . | Client Perspective . |
---|---|---|---|
Time | Setup time for data extractions initially requires substantial time, but automated in the future | Less auditor time required to procure data after initial setup | Less time to procure data in the future. May not want to switch auditors due to initial setup time |
Fewer transactions identified for substantive tests | Less auditor time to perform substantive testing | Less employee time required to answer auditor questions and provide documentation | |
Insights into client operations/better value for audit dollar | Setup requires auditors to understand client’s accounting processes and industry. | Better understanding of client processes and industry leads to better analysis. | Learn about the company’s data and operations from the auditor |
Have access to 100 percent of client data. | Expanded analysis provides insights about client operations. | Use audit insights to improve operations, leading to the perception of “better value for audit dollar” | |
Audit quality | All transactions analyzed | Leads to more insightful conversations between the auditor and client around the client’s financial processes | Knowledge that auditors are examining all the data, helping ensure that financials will not need to be restated |
Substantive tests focus on high-risk transactions. | Should reduce audit risk as riskier transactions are investigated | More areas of concern identified, helping reduce the temptation for employees to commit fraud | |
More areas of concerns are typically found than in a traditional audit. | Prepares for continuous audit | ||
Audit market competition | The audit market is competitive in terms of audit fees. | Although a substantial time and money investment may be required to set up a data-driven audit, in the long-run, audit may be more efficient. | May not want to spend time with another audit firm setting up the process |
Competitor auditors would incur the same initial costs. | |||
Client innovation | AAPs and GLATs represent innovations in the audit market. | More efficient, less risk audit | Making investments into advanced technologies and expect the auditor to do the same |
V. IMPLICATIONS
AAP and GLAT usage is not without some controversy. Development costs for AAPs/GLATs are most likely prohibitive for small audit firms, potentially increasing the technology gap between large and small audit firms.9,10 Moreover, even though the CAQ (2008, 23–25) discussed how CAATs can be used to identify journal entries to be tested, auditors may be reluctant to use AAPs and GLATs because of perceived regulatory risk due to a lack of regulations (PCAOB 2023) and requirements. The PCAOB (2023) has also expressed concerns that auditors may (1) over rely on company ERP-produced information, which a company could modify; (2) use GLATs inappropriately, sacrificing audit quality11; or (3) ignore the difference between tests of details and analytical procedures when using GLATs.12 It will be interesting to see how future PCAOB regulations affect GLAT usage.
Despite these issues, AAPs are transforming the traditional audit to a data-driven audit using a consistent audit methodology, with built-in monitoring of audit process and progress and a variety of analytic routines that affect the roles of auditors (e.g., O’Leary 2003). A pivotal AAP analytic tool is a GLAT, which generates a risk score for each G/L transaction. Some auditors are already using analytic routines for additional ERP subledgers/modules (e.g., accounts receivable/payable), helping expand the impact of a data-driven audit. Moving forward, auditors need to identify which analytic routines (and parameters) best detect different types of audit concerns as well as consider how new technologies (e.g., ChatGPT and other AI tools) will impact audit efficiency and effectiveness (O’Leary 2024).
REFERENCES
We use the term “data-driven audit” because it is consistent with the Chartered Accountants of Canada and AICPA’s publication The Data-Driven Audit: How Automation and AI are Changing the Audit and the Role of the Auditor (AICPA 2020).
Routines are independent computer-based analytic “tests” of transactions.
Although some audit firms have been using GLATs for more than five years, even some larger audit firms have just implemented GLATs within the last few years.
Our primary source had approval to help us but was required to remain anonymous.
For example, Grant Thornton representatives answered detailed questions about how their AAP and GLAT work.
Our investigation included three of the Big 4 audit firms.
Examples of AAPs include EY’s Helix, Deloitte’s Omnia, KPMG’s Clara, and PwC’s Aura.
Audit firms face a tight labor market due to competition from large (nonaudit) companies (Smith 2016).
U.S. global network audit firms use 16 audit technology tools in 2021 versus U.S. nonaffiliated firms’ usage of one tool (PCAOB 2023).
Small audit firms can combine low(er)-cost tools to enhance audit efficiency and effectiveness, including generalized audit software (e.g., IDEA and MindBridge) for G/L analytics, Power BI for data visualizations, Alteryx for audit automations, and a variety of audit management platforms (e.g., Diligent/ACL).
PCAOB (2023) examples include cutting corners to save money, not obtaining appropriate evidence to evaluate an audit assertion, or not appropriately evaluating the level of disaggregation of company information.
PCAOB’s (2023) proposal (1) outlines the auditor’s responsibilities for evaluating the reliability of client information provided to an AAP/GLAT and (2) instructs auditors to pay attention to the difference between tests of details and analytical procedures, which PwC (2023, 5) believes may become more difficult as technology evolves and recommends “a broader focus on the sufficiency and appropriateness of audit evidence.”