Data-Driven Audits: Audit Analytic Platforms and General Ledger Analytic Tools Free

Data and analytics have always been the foundation of financial statement audits. However, data sources have shifted from paper documents to digital information stored in accounting systems, creating the need for a “data-driven audit.”¹ Likewise, data analytics has shifted from manual paper calculations in Excel to generalized audit software (e.g., IDEA) and other automated audit tools. Building on these advances, audit analytic platforms (AAPs) have emerged as software tools that act as decision support systems for auditors. AAPs include multiple analytic capabilities, such as data extraction, data capture, data analysis, and data visualization as well as team/client communications. Our goal is to provide a high-level overview of AAPs and to investigate an increasingly important AAP tool, the general ledger (G/L) analytics tool (GLAT), which focuses auditors’ substantive tests on high-risk transactions.

Auditors use GLATs to analyze all company transactions in the G/L system. Specifically, GLATs use analytic routines² to assign a risk score to each transaction, helping guide the auditor’s planning, risk assessment, and selection of high-risk/unusual transactions for substantive procedures. Because all transactions are analyzed, GLATs can better identify financial statement inaccuracies and improve the detection of occupational fraud by identifying “unusual” or “inappropriate” journal entries even when they are below the materiality threshold (FRC 2017, 2020).

GLATs represent a relatively new innovation in the audit process.³ They provide a foundation for a data-driven audit, which KPMG defines as “extracting data, using technology to analyze that data consistently, including at the transaction-level, and then focusing our testing on the areas of highest risk” (KPMG 2022). Data-driven audits support audit quality and help auditors provide valuable new insights about client operations (Crowe 2023). Thus, GLATs support a shift from sampling to assessing 100 percent of company transactions from a risk perspective, providing more value for the audit dollar. As GLAT usage expands, both regulators and audit practitioners need to understand how they work and innovate the audit process, and help create emerging best practices (e.g., O’Leary and Selfridge 2000).

The authors developed insights about GLATs by interacting with auditors from numerous audit firms in a variety of ways. Our main source was an audit leader from a top seven audit firm who shared his/her extensive knowledge of AAPs, including data extractors and the use of GLATs.⁴ We supplemented this information by knowledge obtained from (1) joint presentation with an EY auditor at an “AIS Bootcamp,” (2) class presentations by multiple audit firms,⁵ (3) follow-up conversations with auditors,⁶ and (4) an author’s Fall 2023 Big 4 Externship.

The rest of the paper imparts some of what we learned from these audit visionaries as follows. Section II describes AAPs and GLATs, Section III examines risk-scoring analytic routines, Section IV analyzes the drivers of GLATs, and Section V concludes.

AAPs⁷ support the audit workflow with an analytic investigation of digitized (i.e., computerized) audit data. AAPs include valuable resources (e.g., searchable accounting standards) to help guide and conduct the audit. Thus, AAPs are not just automating audit processes but instead are radically transforming them. Although AAPs do require large expenditures on hardware, software, and staff training, they also help promulgate a standard methodology and standard processes across geographically dispersed audit offices and engagement teams (KPMG 2022), digitally “pushing” new information and processes throughout the firm. Because they are digitalized and standardized, AAPs can assess how well auditors are adhering to the methodology/process by monitoring individual audit progress and AAP use.

AAPs have the potential to enhance audit quality through a variety of tools (FRC 2017, 2020) (Exhibit 1). AAPs use GLATs to “gain quantitative insights and visibility over the data captured within the business sub-system and G/L” (KPMG 2017, 1). This section summarizes the basic GLAT steps of data extraction, data analysis, and transaction identification for substantive procedures.

The data-driven audit is initiated by extracting the data from the client’s enterprise resource planning (ERP) system. The goal is to develop an efficient, repeatable process so that client data can be easily loaded into an AAP. Unfortunately, setting up the data extraction process can be very labor intensive, requiring deep knowledge of client data. Most audit firms use specialized skilled information technology (IT) teams to handle this process. If a client uses packaged software like SAP, the database organization is well documented, and an AAP interface is built in, facilitating the process. The extraction process should not change unless additional information is required/requested, a client converts to a new ERP, or there is a major update/release/patch applied to the ERP.

Once the data are loaded into the AAP, a variety of tools analyze the data. GLATs, the focus of this paper, analyze 100 percent of the G/L transaction data to identify “risky” transactions using a variety of analytic routines (Exhibit 1). To date, we have seen over 30 different analytic routines as described in Section III.

GLAT analysis is used to identify transactions needing further analysis by substantive procedures. One approach is to count the number of routines that identify a transaction as risky. For example, a transaction that is identified as risky by three routines (e.g., large, ending in 999, and having a posting date earlier than the transaction date) is riskier than a transaction identified as risky by just one routine. Exhibit 2 illustrates this approach with the highest risk transactions as the red dots above the line on the right side of the scatter plot. Substantive procedures would be conducted on those red transactions.

The number of high-risk (red dot) transactions is largely a function of the choice of key GLAT parameters. In Exhibit 2, both the choice of the value of the financial impact and the number of routines “failed” drive the number of “high-risk” items. Thus, choosing the parameters is a tradeoff between generating a high number of potential exceptions that could be false positives compared with a screening that may be too limited, excluding some high-risk transactions and affecting audit effectiveness. This could lead to some concerns among auditors to trust the tool to have such an important role in selecting transactions to audit.

The choice of those two parameters is critical and varies by client and year as conditions change. However, selecting those parameters is just one approach to identify so-called exceptional exceptions (Issa 2013). As noted in PCAOB (2023, 20), “The auditor may decide to test specific items within a population because they are important to accomplishing the objective of the audit procedure or because they exhibit some other characteristic (e.g., they are unusual or risk-prone).”

The goal of GLAT risk assessment routines is to identify the transactions that are “not normal” and therefore may have a high(er) risk of error or fraud. GLAT routines consider the who, what, where, when, why, and how of each transaction to assign it a risk score. Because GLATs can quickly score transactions, auditors can use the information in both audit planning and execution. Some factors affecting risk scores include account usage and volatility patterns relative to historical performance. For example, if a business is closed on the weekends, manual journal entries made during the closed hours would be viewed as higher risk than automated, recurring journal entries. Likewise, journal entries made at the end of the period or during closing with atypical account patterns would be viewed as higher risk. In addition, longer/shorter posting times than normal can be viewed as higher risk. For example, why did it take two more weeks to post an entry that on average posts in one week? Transactions might be assessed as risky because of the transaction amount (e.g., transactions ending in .99 or transactions just under some policy/target such as $9,999) or cutoff analysis.

Unexpected journal entry account combinations affect risk scores. For example, sale transactions should include a debit to cash/accounts receivable and a credit to sales. GLATs may use ERP codes, which are saved as part of the transaction, to help determine expected transaction accounts. For example, Exhibit 3 shows some key document types for SAP for accounts payable (e.g., KZ for vendor payment) and accounts receivable (e.g., DZ for customer payment) and how they are sent to the G/L. GLATs would expect KZ vendor payment transactions to include a debit to Accounts Payable and a credit to Cash. KZ journal entries using different accounts would be flagged as high risk. Exhibit 3 also includes external data (e.g., industry key performance indicators), which auditors can use to evaluate the reasonability of company data/results.

The following are some additional questions that can be analyzed by a GLAT:

• Who entered the transactions? Was there management override?

• When was the transaction entered? Weekends? End of month? End of year?

• Is the posting date before the transaction date?

• Where was the transaction entered? From a remote location? On-site?

• Was the transaction manual?

• Is the transaction material?

• Are there any transaction patterns by day? Month?

• Do current-year transaction patterns repeat in previous years?

• Do journal entry ownership patterns reflect desired segregation of duties?

Unlike prior computer-assisted audit tools (CAATs), AAPs use GLATs to automatically evaluate 30 or more indicators and benchmarks to evaluate transactions. In addition, historically, CAATs did not risk score transactions. Further, artificial intelligence (AI) may help AAPs and GLATs to become more attuned to each company’s operations and employee’s normal behaviors, making the identification of company-specific irregularities more precise over time (PwC 2018).

FRC (2017) reports that by 2017, all six large audit firms in the United Kingdom were using analytics to test journal entries. Likewise, our audit visionaries began using increased amounts of technology about seven years ago. Some large audit firms have even made analysis by their GLATs mandatory unless an audit client obtains an exemption. COVID’s social distancing and travel restrictions, necessitating a new less human interactive audit, most likely accelerated the application of GLATs (PCAOB 2021). We now discuss additional drivers of AAPs and GLATs.

Exhibit 4 summarizes the drivers from both the auditor and client perspectives. Top drivers include time savings, better insights, and improved audit quality. Time savings are realized from automated data extractions and fewer substantive tests. Automated data extractions reduce the time required by client’s IT staff and the auditor to prepare/procure the data. According to several audit firms, a traditional audit may have examined a sample of 400 revenue transactions with substantive procedures, but a similar GLAT audit may only need to examine the 40 highest risk scored transactions. With fewer items being tested, there are fewer requests for client supporting documentation, saving time for both the auditor and client.⁸

Automated data extractions create an “open book” of client data so auditors receive more data than ever before, yielding additional insights about the clients’ operations. Auditors can share these insights without making (prohibited) recommendations. The insights allow audit firms to provide more than just an SEC-mandated audit, making clients feel like they are getting better value for the audit dollar.

Given that all transactions are risk scored, audit risk should be reduced when compared with a traditional audit. More insightful journal entry selections for substantive testing lead to more insightful conversations between the auditor and client around the client’s financial processes. In fact, a GLAT audit tends to find more areas of concern than a traditional audit, making audit clients believe the audit firm is now really examining the data to help prevent financial restatements.

The FRC (2020) and PCAOB (2021) outline additional ways that audit data analytics, including GLATs, can improve audit quality (FRC 2020, 4; PCAOB 2021, 5–6):

• Aid professional skepticism

• Deepen understanding of entity’s processes

• Enable the testing on large or complex datasets

• Identify potential fraud

• Identify unusual patterns and exceptions

• Identify indicators of management bias (upward/downward asset valuation bias)

• Management awareness that all transactions will be analyzed acts as a deterrent.

Joe Ucuzoglu, former Chairman of Deloitte LLP, stated, “Our clients are making significant investments in advanced technologies. They expect our audits to keep pace” (Davenport 2016). Thus, the ability to conduct a data-driven audit is becoming increasingly important to keep and attract audit clients. Audit firms realize that although substantial time and money investments may be required to set up AAPs and GLATs, in the long-run, the audit may become more efficient, helping to keep audit clients.

AAP and GLAT usage is not without some controversy. Development costs for AAPs/GLATs are most likely prohibitive for small audit firms, potentially increasing the technology gap between large and small audit firms.^9,10 Moreover, even though the CAQ (2008, 23–25) discussed how CAATs can be used to identify journal entries to be tested, auditors may be reluctant to use AAPs and GLATs because of perceived regulatory risk due to a lack of regulations (PCAOB 2023) and requirements. The PCAOB (2023) has also expressed concerns that auditors may (1) over rely on company ERP-produced information, which a company could modify; (2) use GLATs inappropriately, sacrificing audit quality¹¹; or (3) ignore the difference between tests of details and analytical procedures when using GLATs.¹² It will be interesting to see how future PCAOB regulations affect GLAT usage.

Despite these issues, AAPs are transforming the traditional audit to a data-driven audit using a consistent audit methodology, with built-in monitoring of audit process and progress and a variety of analytic routines that affect the roles of auditors (e.g., O’Leary 2003). A pivotal AAP analytic tool is a GLAT, which generates a risk score for each G/L transaction. Some auditors are already using analytic routines for additional ERP subledgers/modules (e.g., accounts receivable/payable), helping expand the impact of a data-driven audit. Moving forward, auditors need to identify which analytic routines (and parameters) best detect different types of audit concerns as well as consider how new technologies (e.g., ChatGPT and other AI tools) will impact audit efficiency and effectiveness (O’Leary 2024).