2018 Audit Team Trends With Scott Jones
Q: If you could build the ideal audit team for your industry, how many auditors would you have on your team?
Scott: I recently retired from a company that worked in aerospace and defense, and five would be ideal for that company – one Chief Audit Executive (CAE), one financial person dedicated to Sarbanes-Oxley, one IT auditor, and two general auditors.
Q: What would be the specific skillset of each team member?
Scott: The CAE would be a CIA (Certified Internal Auditor) and have more than five years of experience. Ideally, the CAE would also have a Masters in Accounting.
All general auditors would have a bachelor’s degree in accounting, business, or equivalent, a minimum three years of experience and their CIA designation. For a defense company, I’d expect one of the general auditors to have had experience in government contract compliance, since one of the top risks in that industry is failing to comply with U.S. government contracting regulations. The Sarbanes-Oxley auditor would have five years’ experience in financial reporting and internal controls, as well as a CPA designation. The IT auditor would need a CISA (Certified Information Systems Auditor) certification and five years of experience since this is a high-risk area for the defense industry.
I would expect every auditor to have some competence with data analytics; nevertheless, the profession seems to be fairly split on this. Some like to have a dedicated audit analytics staff that support everybody else, but I prefer to see each auditor have sufficient expertise that they can carry out basic data analytic tasks independently for each audit. You get more insight if you are familiar with the process, metrics and people involved, and then you analyze the data. It is a debatable point, but I think this way you will get more valuable insights than from someone who is unfamiliar with the process or with the process significance of the numbers.
Q: How do you think the audit teams of 2017 and 2018 will differ?
Scott: A lot of things will remain the same, especially given the Standards haven’t changed very much. We’ll still see an emphasis on CIA and also CPA in heavily financial organizations. We’ll likely see expertise in data analytics increasing. We will also see IT audit continue to increase.
Based on polling work done this year, organizations indicate that they need to use data analytics; nevertheless, it’s only being used in about 20 percent of audits. This number seems low to me because I have trouble envisioning any audit that doesn’t have a data analytics component. So, I expect to see a drive to increase the use of data analytics, which will require either more expertise among audit staff or an increasing use of analysts, one or the other.
As the new standards roll in, there will be more revenue recognition activities during the next couple of years. There will also be an increasing emphasis on cybersecurity given an expanding need on the IT side to assure that the right controls are in place to protect against cyber threats. If we consider all of the companies that have been exposed in the last year and whose reputations were damaged—and certainly there will be some big settlements coming out of it—that will drive companies to do more in that area. And if you’re going to put controls in place, then you need to test to ensure they are effective. That’s a natural role for IT audit.
Coming out of these exposures, we may also see new industry standards and regulations. The U.S government has issued regulations specifying the IT controls that defense contractors must have. Other industries will follow suit with what the government has done and say there are certain controls that must be in place to do business with them. That will drive additional auditing.
Network logs and computer systems are massive, but there is probably room to perform more data analytics in those areas. Information security staff should be doing their own analytics to detect any intrusions, but as time goes on internal audit may need to do an independent analysis of information (like log data) to validate that there is no evidence of intrusions, and to validate the conclusions from information security regarding the effectiveness of IT controls. That will be a growing area.
Q: How do you think changes in the 2017 audit landscape will affect audit teams in 2018? (e.g., PwC was at the time of this interview in court because a regulator was attempting to hold the company liable for losses arising after PwC failed to detect fraud at a bank that later collapsed.)
Scott: Cases like the PwC case will drive the use of data analytics. Nevertheless, I have a real problem with lawyers designing rules that would hold auditors to an unreasonable expectation, particularly that an external auditor would be able to detect every instance of fraud. Certainly, the sampling strategy commonly used is not effective for detection of fraud. To have any chance of finding fraud, the auditor must begin with the complete population.
To detect all of the fraud requires an infinite amount of time and an infinite amount of money. So the discussion must be about materiality and risk appetite. The standards have always said, “reasonable assurance” not “absolute assurance”, and in reality very little fraud is detected by internal or external auditors. Usually the first hint is a tip from somebody outside of audit. A hotline system or other communication means are a lot more important for detecting fraud than audit is. Nevertheless, data analytics provides excellent tools for detecting indicators of fraud risk, so I expect that this will also drive increased use of data analytics.
Q: What role do you foresee data analytics playing in the audit teams of 2018?
Scott: In the near term it will go down two paths. Some companies are interested in having a data analytics expert or taking the ‘data analytics team’ approach. In this case they would have a staff of data analysts who process all of the data and hand off the results to the audit team. Although dedicated analytics staff may be short on process knowledge, it is easier to develop a few people with greater expertise in data analytics. As long as they communicate well with the audit team, the auditors should be able to get what they need.
My personal experience, however, is that the people who are closest to the work or closest to the processes develop the best insights into what’s going on. The purpose of doing data analytics is to get insight into the process. people with process knowledge are more likely to take some pattern they see in the numbers and relate it to a behavior they’ve seen in the business—things that a dedicated analyst isn’t going to see. If you have a dedicated staff, I think you’re going to miss opportunities. But, the downside is that you then need to train up all of your people in data analytics, and that requires an investment.
To learn what our other industry experts had to say about these questions, download your copy of the full 2018 Audit Team Trends Report now.
About Anu Sood:
Anu Sood is the Director of Product and Corporate Marketing at CaseWare Analytics and is responsible for the company’s global marketing strategy. Prior to CaseWare Analytics, Anu worked in various roles in the high-tech industry and her accomplishments range from writing software for telephone switches to launching a new global satellite communication service. Anu has extensive experience in strategic marketing, corporate communications, demand generation, content marketing, product management, product marketing and technology development.