Are you looking outside enough? Online information services can give auditors a wider...

DURING THE LAST FEW YEARS, IT SEEMS that internal auditing has become more internal than ever. When using data analysis tools to meet compliance requirements of the U.S. Sarbanes-Oxley Act of 2002, auditors tend to focus on the organization itself as they review its accounts payable, inventory,

and general ledger data. Finding internal discrepancies, such as duplicate or missing items and unauthorized transactions, is a legitimate audit objective. However, many questions can only be answered by looking outside--at vendors, customers, and competitors--and comparing the organization's own data with that of others.

Today, the wealth of external data sources available on the Internet enables internal auditors to augment financial statement analysis, risk assessment, annual audit planning, and competitive intelligence reviews. By tapping into information from these sources, auditors can identify deficiencies that other organizations are experiencing.

SEC FILING DATA

Auditors don't have to work at a publicly traded company to benefit from reviewing the U.S. Securities and Exchange Commission's (SEC's) extensive online archive of disclosure filings to identify audit issues, evaluate external auditors, and assemble documentation for reviews. Public SEC filings identify industry and peer group trends, such as rising audit fees, changes in external auditors, and the types of restatements posted by similar organizations. Although SEC disclosures are available on the commission's Web site, online data services make it easier for auditors to locate the most relevant information.

IDENTIFYING ISSUES Although the basic information provided by online services is useful for identifying audit issues, paying close attention to how the online service provider tags and organizes the data can make the difference between an insightful and haphazard review. In compiling the data, the provider has already read the document and determined the issues to which it pertains. For example, the Audit Analytics service, provided by Manchaug, Mass.-based Ives Group, categorizes disclosures in a variety of ways. By searching company disclosures based on issue categories or key phrases, auditors can review significant deficiencies, company restatements, litigation, and material weaknesses, in each case filtering by company size, location, industry, or other criteria. Aligning the issues reported within the industry to the organization's current audit plan may identify gaps. Browsing the various issue categories can reveal areas that could be addressed better within the company or that are prone to external audit review.

LOOKING AT EXTERNAL AUDITORS Online providers summarize auditor-specific data such as audit opinions, changes in audit firms, current auditor listings, and audit and consulting fees. Using this data, auditors can perform a quarterly check comparing the fees the organization pays for audit services with the fees currently paid by its peers and those charged by competing external audit firms. They can also assess the quality of an audit firm in relation to its competition based on its industry focus, opinion types, and fees.

ASSEMBLING DOCUMENTATION An essential criterion for choosing an online service is its ability to drill down to additional information once a specific interest point is identified. For example, if an audit opinion by a company in a related industry stated that internal controls over financial reporting were ineffective, the specific text should be accessed and cited. Online archives enable an organization that needs to report a particular issue to compile a quick list of examples from companies that reported similar deficiencies. Detailed data sources such as audit committee member and executive biographies, company news, and direct links to SEC disclosure documents can help auditors assemble up-to-date presentations.

FINANCIAL STATEMENT DATA

Financial statement analysis (FSA) is generally assigned to the external auditor. Internal auditors could improve their risk assessments by using this information, but tend to miss the opportunity. Automated FSA tools enable auditors to:

* Put financials in context. Even when internal auditors do analyze financial statements, their approach often violates an important standard for analytical procedures. For example, completing a trend analysis based on prior-year information fails to follow the procedure called for by audit standards, because the auditor does not calculate an expectation of the balances before looking at figures for the current year. Rather than looking at the answer subjectively and rationalizing its existence, auditors must arrive at the estimate independently to put it in the correct context. Auditors can compile financial statement data for companies in similar industries as a baseline for estimates.

* Establish a rigorous standard of comparison. Ideally, internal auditors should base any comparison or trend analysis on a common set of rules used by others in the industry, but this is not always practical. Auditors may need to adjust expectations for special circumstances they are aware of in the business before comparing external data to current-year figures. An automated FSA tool can speed the comparison and enable auditors to assess special circumstances sooner. These tools also can ensure that other auditors will reach similar conclusions in the future. FSA spreadsheet templates are an inexpensive way to begin analyzing financial data electronically. More full-featured FSA applications are essentially budgeting and business-plan tools that allow users to import and export accounting package data. Products that combine analysis with benchmarking to external data sources, such as PricewaterhouseCoopers' AMM-BIT software, are most relevant for looking outside the organization. The key question for any external benchmarking package is not the number of companies it covers, but the depth of its coverage in the organization's industry.

Web-based tools, such as ProfitCents from Raleigh, N.C.-based SageWorks, automatically complete ratio analysis, industry comparisons, and trend analysis, then generate graphs and text to depict the company's financial health in plain language. ProfitCents also calculates a company's Altman Z score, which assesses the firm's potential for going bankrupt in the coming year.

VENDOR AND CUSTOMER DATA

Audit departments rarely have detailed information on the organization's top 25 customers and vendors, such as the validity of their business, their financial strength and fit with the organization, their risk ranking, and potential conflicts of interest. Most auditors may only be able to name the top two or three customers or vendors. Assuming internal auditors can obtain the list from the sales and accounts payable accounting modules, each of these vendors and customers could be a source for review.

Most auditors recognize that certain kinds of vendor or customer validations are relevant and needed, such as checking for vendors that have only a post office box address or whose mailing address matches an employee address, or verifying outstanding credit and debit balances with confirmation letters. Beyond checking these obvious items, auditors can obtain more comprehensive information about customers and vendors from sources like Dun and Bradstreet's Hoover's service, which covers 18 million public and private companies. The goal of using Hoover's is to secure detailed company information, news reports, and industry information to help assess the strength of the business partner from a market and financial risk perspective. Such information can identify trends impacting the top 25 customers or vendors of which business management may not be aware. Internal auditors can review the top management of each of the organization's business partners to ensure that no current employees are also affiliated with those entities.

Further analysis may identify opportunities for auditing vendors that are more prone to error or fraud given their financial and market condition. Auditors can also perform due diligence reviews of new vendors to ensure they do not present any unnecessary risks to the organization.

LOOKING TO THE FUTURE

Beyond looking at the SEC, customers, vendors, and external auditors, internal auditors can use external data sources for other tasks, such as comparing inventory values to similar goods elsewhere, identifying real estate price trends, tracking exchange rates, and accessing news feeds about regulatory changes. Many services provide e-mail alerts that can allow auditors to respond quickly to key changes in their industry. Having such instant data puts auditors in a position where they may be the first to alert the organization of marketplace changes.

Opening up to online information can make the audit department a more effective risk watchdog for its organization. Moreover, using online sources to learn more about the organization and its industry can improve the quality of audits.

RICHARD B. LANZA, CPA, CFE, PMP, is president of Audit Software Professionals in Lake Hopatcong, N.J.

DEAN BROOKS is president and owner of Ekaros Analytical Inc., a publishing and consulting company in Vancouver, B.C.

To comment on this article, e-mail the authors at richard.lanza@theiia.org.

Send "Computers & Auditing" story ideas to:

Tim McCollum

The Institute of Internal Auditors Inc.

247 Maitland Ave.

Altamonte Springs, FL 32701 USA

e-mail: tim.mccollum@theiia.org