IT FILE – Risk management in a laptop

Over the past few months, a handful of companies audited by Arthurd, of course, it involves computers. John Stokdyk reports. Andersen will have experienced a trend that is threatening to transform the auditing process.

When an Andersen business auditor arrives, the first thing he or she will do is sit down and open up a Compaq laptop. Each machine is configured the same, and connects via the office network to Andersen’s global business audit ‘knowledge base’.

Over the weeks that follow, the questions the auditors ask and the procedures they follow will be driven by the wisdom contained within ‘global best practice’ data banks maintained at the firm’s US headquarters in Chicago.

Big Sixers display their wares

Andersens joins KPMG, Coopers & Lybrand and Ernst & Young in trumpeting its technologically assisted auditing services. These techniques are the first fruits of several years’ investment and research into knowledge management.

David Whitmore, managing partner of Andersen’s insurance practice, says the firm’s business audit system took three years to develop. ‘It was a heck of an investment and a heck of an effort. Our people had to rethink the way they address auditing,’ he says.

The business audit framework takes two weeks to learn and will be rolled out to the firm’s 25,000 auditors over the next 18 months. The system is designed to identify the risks facing particular businesses and help manage those risks better, he adds.

Robert Hodgkinson, a partner in Andersens’ professional standards group, explains: ‘Instead of looking at financial statistics and asking, “What risks are here?”, we look at the business and ask what risks it will face over the next three or four years which might impact on its financial statements this year and next.’

The best-practice databases allow Andersen auditors to benchmark their clients and zero in on where they should direct their attention. The database also lets them check local reporting and professional requirements, he adds.

The business audit process is based on a conceptual ‘funnel’ that filters audit information through a series of on-screen tools to focus auditor and client on the key risk management issues. The top tier starts with the global best-practices knowledge base.

Drawing on prompts from the system’s business risk-modelling module, the auditor tailors an individual framework for the business and works with the client to construct a ‘risk map’, rating key factors against their significance to the business and their likelihood of happening.

The business risk model is constructed before the financial audit is carried out, but its findings will ultimately feed through to the financial reporting system.

‘The risk map comes into its own as a discussion tool and for presenting to the audit committee,’ explains Whitmore. It also generates a coloured chart on a single piece of A4 paper, he says, ‘which chief executives love’.

The analysis includes a detailed assessment of the client’s IT systems and reporting procedures. An information flow-charting tool helps auditors map the systems used and how information flows between them.

Automaton generation

Critics who suggest these computerised tools will de-skill auditors and create a generation of laptop-toting automatons are given short shrift.

‘It gets auditors away from the confrontational approach,’ says Hodgkinson.

‘They can sit down with the client, help them to identify risks and help them look at how they can control them. For example, fraud indicators are built into the database, which can give auditors and their clients a better chance of preventing it from happening.’

Whitmore describes the business audit tools as a prompting mechanism.

‘It takes away a half to two-thirds of the time it used to take to do the “grunt” work and allows auditors to do more thinking.’

Rather than de-skilling auditors, it requires them to go through a cultural change, says Whitmore. Instead of serving their dues for a few years concentrating on standard audits, we have to develop a different competency model,’ he says.

‘Auditors get the opportunity to develop more specialist knowledge more quickly. And, where in the past you proved yourself as a professional by showing you knew more than other people and not telling them, today you have to prove yourself by showing how much knowledge you can share,’ adds Whitmore.

KPMG’s head of audit, Gerry Acher, says his firm is into the second wave of its computer-assisted Audit 2000 regime. Roughly 100 of KPMG’s UK clients have experienced the process, which is built around a business measurement process similar to Andersens’.

‘Computer tools play an increasingly important part in any business process these days,’ says Acher.

‘They enable you to navigate much more quickly and are the way KPMG and all the other firms are going. Those who haven’t moved to this holistic view, backed up with business models, won’t be able to do an effective audit in five years’ time.’

Related reading