Skip to main content

How audits can be transformed when access to data is no longer the bottleneck

Advances in information technology and data & analytics capabilities offer significant opportunities for all layers of an organization to work in a more effective, efficient, and controlled way. Applying data & analytics is often one of the first steps organizations undertake to reach these goals. Although most organizations are aware of the value that can be unlocked, there is much left to be gained in terms of the actual application of data & analytics procedures in the audit, risk, and control domains. In this article, we will illustrate how the Data & Analytics capabilities of in-memory database technology can enable and support all lines of defense.

Introduction

Without a doubt, all departments of an organization are impacted by the rise of data & analytics, but specifically in the audit, risk, and control domain applying technology-supported data & analytics can reshape the way of working and unlock significant value. For those organizations that make use of data & analytics to support the three lines of defense, the typical end-to-end process consists of some form of data copy, e.g. the extraction of ERP data and transfer of data to a Data Warehouse, running data and analytics procedures, and finally consolidating insights from these outcomes. New in-memory database technologies like SAP HANA, however, offer significant opportunities to reshape this end-to-end process.

In-memory database technology introduces the ability to integrate audit analytics much deeper into the audit, which allows the external auditor to perform audit procedures more efficiently, effectively, and accurately. When this process is streamlined, data procedures can be performed shortly after financial periods close while maintaining consistency, flexibility and ease of use, which makes any findings and insights a lot more useful and relevant to the business. Furthermore, when the approach is centralized and harmonized, internal control and audit functions will be able to rely on the results to exercise control and perform audit procedures.

First, we will introduce the concept in-memory database technology offered by one software vendor: SAP AG. Next, the performance promise of this technology is described, as well as the impact on audit procedures. Lastly, we illustrate this impact through a use case in which we industrialized the approach.

Introducing in-memory database technology: SAP HANA

In 2010, SAP AG introduced its SAP HANA database technology. Ever since the introduction there has been a lot of excitement around this new technology. However, many organizations struggle to obtain business value from this technology, as they do not take complete advantage of the possibilities in-memory database technology brings. In the course of this article we will focus on the value SAP HANA technology can bring for an organization.

SAP HANA technology vs. SAP S/4HANA explained

The terms SAP HANA and SAP S/4HANA are quite commonly used in conversations, which poses the question whether both terms can be used interchangeably. The short answer is “no”. There is a difference: SAP HANA is an in-memory database technology which acts as the core technology for both SAP or non-SAP applications, whereas SAP S/4 HANA is a new generation ERP solution which runs on SAP HANA database architecture, and offers new functional updates and applications to streamline business processes.

SAP HANA

SAP HANA technology can be best described as a modern database technology. What makes it different from a classical database technology is that data is stored in a column-oriented way and that data is stored in-memory.

  • Column-oriented storing of data is the concept of storing all data for a database table in one location, instead of the classical approach in which all data for one row is stored in the same location. The main advantage is the possibility to compress similar types of data in a single column, which means that significant volumes of data can be stored in one system.
  • Storing data in main memory instead of on a physical disk provides a magnitude of faster data access possibility and in extension faster querying (data and analytics) and processing. However, if all data would be stored in main memory, this would have a huge impact on the costs. Therefore, SAP developed an approach which they termed “Dynamic tiering” which observes data access patterns, and stores frequently accessed, or “hot”, data in-memory while the less frequently accessed “warm” data is stored on disk, which is less costly.

S/4 HANA

SAP S/4HANA, which is short for “SAP Business Suite 4 SAP HANA”, will form the new ERP SAP core application environment for the coming years. It is the successor of SAP R/3 and SAP ERP and is optimized for SAP HANA in-memory technology. It is expected that SAP S/4HANA will become the SAP standard in the upcoming years, as support for the previous release (ECC 6.0) will be deprecated per 2025. S/4 is an ERP software package which aims to cover all day-to-day processes of an organizations (such as ‘order-to-cash’, ‘source-to-pay’, ‘plan-to-make’ and ‘record-to-report’). As S/4HANA only runs on SAP HANA databases (in contrast to SAP’s earlier products R3 and ECC which could also run on database platforms from other database software vendors) it is packaged as one product: SAP S/4HANA.

The performance promise

In a report published by Gartner in June 2019 ([Idoi19]), it is stated that businesses now commonly deliver business insights via modernized analytics. A second wave of modern platforms that disrupt IT-led enterprises are expanding their capabilities. Data and analytics leaders are looking at in-memory technology to help them expand their analytics modernization to quickly deliver insights to the business and the performance capabilities of SAP HANA technology are key components to this strategy.

Organizations that perform analytics without in-memory database technology encounter difficulties in obtaining data from their complex architecture of IT systems and are often set back due to the huge data volumes. As such, creating unified insights on top of this is often perceived as cumbersome, slow and labor-intensive. SAP HANA technology promises direct reporting and analytics in a central source on top of huge volumes of real-time transactional data.

Impact on the audit

When all ERP transactional data can be accessed, processed and analyzed in real time in one system, this implies the following for audit procedures;

  • Grabbing the momentum. Historically, audit data analytics suffer from throughput times of ‘weeks’ if not ‘months’ to go from data to insights. With real-time analytics, audit insights can be presented at any time to the relevant stakeholders, for instance right after period close, based on a single data copy.
  • Bring analytics to the data, instead of data to the analytical environment. As all data to be analyzed resides in one system, any analytical needs from the business can be fulfilled immediately without having to wait for the data to become available in an analytical environment which is only refreshed periodically.
  • Automation of routine activities. Routine-, standard-, and labor-intensive test procedures can be fully automated, allowing auditors to spend more time on the identification and mitigation of high-risk items requiring significant human judgement and effort.
  • One source of truth: Decisions by all parties involved, ranging from the business to the external auditor, are made based on the same fact sheet.
  • Being quickly able to respond to changes in the risk universe. Opposed to rigid audit procedures it is possible to make use of ad-hoc and tailor-made analytics on a flexible basis to react promptly on changes in the risk universe.
  • Audit continuously. The technology enables companies to turn data-driven audit analytics into real-time monitoring rules that automatically trigger alerts towards the right people in the organization, embedding the control mindset into daily operations.
  • Equipping the business to be in control. Actionable insights, generated on a continuous basis, allow process stakeholders to exercise more control, thereby reducing the work required for the other lines of defense.
  • Focus on putting insights into action. There is significant less effort required in the end-to-end process to go from ERP data to insights, as data sources do not need to be merged or reconciled with each other. This allows process stakeholders to focus on the follow up of the risk insights (automatically) generated.
  • Test fewer systems. We typically find that fewer systems are required to be in scope of an audit as the number of data migrations within the landscape is reduced and risks of data in transit are therefore not run.

To illustrate the aforementioned advantages, we refer to the next section for a use case.

How the global audit changed: a use case

Organization

We look at a leading Fast Moving Consumer Goods company with branches in more than 170 countries. To support their daily operations, a complex IT landscape which consists mainly of software products delivered by SAP AG has been in place for years. Refer to Table 1 for general characteristics of the company and their IT landscape.

As there were a significant number of SAP components and the corresponding interdependencies in the SAP landscape were highly complex, there was notable room left for standardization. For this reason, a program was launched to considerably simplify and rationalize the ERP architecture by introducing SAP HANA technology.

C-2019-4-Emens-t01-klein

Table 1. Characteristics of the organization and their IT landscape. [Click on the image for a larger image]

Introducing the global audit

As this organization is operating on a global scale, it is of utmost importance that the financial audit is not only effective, but also performed efficiently and consistently across the world. Based on this ambition, data & analytics were introduced to create a data-driven audit. In this data-driven audit, procedures previously completed manually for risk assessment, controls evaluation, and substantive testing are supported by data & analytics routines. Instead of having to rely on a sampling approach, it becomes possible to focus on the full population of relevant transactions. An example related to control evaluation is the analysis of segregations of duties in the order-to-cash process to identify whether any business users have maintained sales orders and increased the credit limit of the same customer within the audit period. Another example of a D&A routine related to substantive testing is the identification of high-risk journal entries by analyzing all general ledger entries produced by all entities in scope against a set of predefined criteria.

In total, 160+ scripts are applied on six business processes and more than 50 controls. The generated insights and exceptions are distributed to 100+ audit teams across the globe for the teams to be used in their local procedures to form their audit opinion.

C-2019-4-Emens-t02-klein

Table 2. Key figures of the global audit. [Click on the image for a larger image]

From data to audit insights on a global scale

The aforementioned D&A-supported audit approach was initiated before the introduction of in-memory database technology. To illustrate the impact of this technology, we will describe the steps involved to go from data to insights prior and after the implementation of SAP HANA technology.

Prior to the use of SAP HANA database technology

C-2019-4-Emens-01-klein

Figure 1. End-to-end process to go from data to audit insights prior to the introduction of SAP HANA technology. [Click on the image for a larger image]

Figure 1 outlines the steps involved to deliver audit evidence through data & analytics. The end-to-end process resemblances, on a high level, the one as described by [Loo15] and generic in a sense that it is applicable to all types of ERP systems used to record business transactions. What follows is a more detailed breakdown of the steps involved to go from ERP data stored in the SAP system of the organization to audit insights used by audit teams around the globe.

Data Extraction

The process starts with the extraction of data from the ERP system. Given the sheer number of controls to be analyzed, and depth of analysis performed, it is not feasible to rely on standard SAP reports only to generate insights required. Data is extracted by means of extraction programs deployed in the SAP ERP systems to cope with the large data volumes. In total six processes are being analyzed. Data extracted ranges from master data in these processes to accounting data, logistic data, and configuration data on business transaction level.

Data Transfer

Once data is extracted from the SAP ERP systems it resides on the SAP Application servers. To analyze the data, it needs to be transferred to the IT landscape of the external auditor. Multiple options exist in this stage of the process, ranging from a (well-secured) online file transfer environment to a physical pickup. No matter the carrier, when data is copied, completeness checks are performed to verify that all data that was saved on the ERP system has been copied to the carrier.

Data Upload

Once the data has been transferred, it is uploaded to the external auditor’s analytical environment for analysis. After the upload is completed, data checks are carried out to ensure the completeness and accuracy of the data before the “staged” dataset can be used in the subsequent analysis phases.

Data Analysis

After the data is deemed accurate and complete, 160+ scripts in the external auditor’s analytics environment are executed on the data to combine the extracted raw tables (e.g. master data, sales data, etc.) and generate relevant audit insights.

Insights reporting

In the previous step, relevant audit insights have been generated for more than 50 controls. The insights gained are then split and distributed among the teams in each country, resulting in over 10 thousand files per audit run (160+ scripts and 100+ teams). This is a necessary step since local teams need to evaluate the results because processes (and therefore findings on those processes) may deviate locally from the global standard.

Putting SAP HANA database technology to work

C-2019-4-Emens-02-klein

Figure 2. External audit process using SAP HANA technology in the organization’s IT environment. [Click on the image for a larger image]

Figure 2 outlines the steps involved to deliver audit evidence with the use of SAP HANA technology.

Data & Analysis

Two key characteristics of SAP HANA technology are: all ERP operational data is uniformly and in real-time available in one source, and significant volumes can be analyzed in a fast way. As a result, less work is required related to data extraction and transfer to the external auditor’s environment, as analytics are applied in the system directly, anytime, on this data.

To illustrate based on our use case, the throughput time decreased from two months to less than one week. In the old process, the data that could be analyzed depended on the data that was extracted from the ERP system, and the auditor’s analysis environment may not have all the tables required for ad-hoc analytics. As the analytics are applied in the same system where all the data (tables) reside, this constraint is not applicable anymore. With a throughput time of one week, it becomes possible to run analytics whenever required, as well as to run ad-hoc (new) analytics due to e.g. changes in the risk universe or new insights into a business process resulting from interviews or other observations. Also, in the old situation the extraction of data tables from the ERP server put significant load on the system for multiple days for every audit, and safeguards were put in place to make sure that enough data space would be available on the application server and that the extraction batch jobs would not fail. This is no longer necessary, ensuring a more reliable audit process and – timeline. We furthermore note that data transfer to – and upload in – the auditor’s external data environment is not applicable anymore. Correspondingly, the risks involved related to data integrity and privacy in the data transfer are also mitigated. Lastly, the number of completeness and accuracy checks required has significantly decreased; the number of data files received from the company has decreased from 400+ SAP ERP tables per system, to 50 audit reports in total.

Insights reporting

It is no secret that audit teams work under pressure to complete all audit procedures in time; any delays in receiving the required risk assessment, controls evaluation, or substantive test risk insights following from the D&A approach and used in follow up audit work have a significant impact on the overall timelines of the audit. In the new process, audit insights are available for all teams across the globe, anytime, anywhere, and on any device via online dashboards. The risks involved with any delays in the end-to-end process have therefore been significantly mitigated. In addition, the online web environment has drill-down features for the dashboard user to filter on different data attributes, for instance to support dynamic conversations with the audit client.

Value for the external auditor

The previous section already hints at realized efficiencies and unlocked opportunities in the end-to-end process, given that the number of steps required have significantly reduced. What follows is an overview of the value created for the external auditor.

Real-time analytics result in an efficient and flexible audit process The reduced number of steps involved to go from data to analysis to insights is reduced significantly, as the need for data extraction, data transfer, and completeness & accuracy reconciliations has become obsolete. As a result, audit insights are available right after financial period close and can be followed up directly, instead of weeks or months after the fact. To put this into perspective, audit insights related to the full fiscal year are available at the beginning of January, which means that fewer or no roll-forward procedures are required.
All stakeholders work from the same fact sheet A single source of truth for data and audit facts forms the basis for all stakeholders involved across all layers of the organization (including all layers of defense) as well as the external auditor. As a result, all parties involved work from the same fact sheet, and all communications can focus on risk evaluation, root cause analysis, and an approach for remediation.
Fewer audit procedures required as data in transit is minimized We anticipate that a reduced number of audit tests need to be performed because data is no longer distributed throughout the IT landscape and data at rest forms the basis of the audit. In other words, tests concerning data completeness and accuracy at the transfer phase no longer have to be performed if there is no data in transit between the organization and the external auditor, as well as within the IT organization of the audit client.

Value for the organization

As described by [Daan11], business cases related to IT investments are usually not motivated by the desires of the external auditor to employ an innovative audit approach. Business cases are driven by the desire to improve the business; hence, what follows are important elements for a positive business case.

By actionable insights, first line of defense can exercise more control The solution brings clarity and actionable items which enable the control on processes to users all over the globe. These insights allow users to take a step back from the day-to-day activities and focus on risk and compliance areas that require attention and judgment.
Enabling a feedback loop back from audit insights to process improvement The solution is the first step in facilitating continuous control monitoring. With building blocks such as ‘alerting’ and ‘follow-up for remediation via workflows’, the loop can be closed in facilitating all lines of defense, ensuring appropriate processes for sustainable risk identification and mitigation.
Shift audit effort to high-risk findings and follow up When minor findings are resolved automatically and in a timely manner, all lines of defense can shift the focus to high-risk insights and follow-up, reducing efforts on manual and labor-intensive audit –and compliance support activities with little incremental value for the organization.
Basis has been established for an analytics-driven business The knowledge, skills, and capabilities gained to set up analytics on a global scale open the doors to incorporating other types of analytics in the business, for instance in the growth and efficiency domains (
[Donk14]). Rapid changes in the organization’s environment can be quickly analyzed as all data is always available (and not archived) for analysis.

Conclusion

In view of the significant advances in information technology capabilities available on the market, we have described how one of these technologies, in-memory database technology, can transform the way an audit is performed, and how control is exercised in business processes. As all required audit data resides in one system and can be analyzed in huge volumes in a fast way without involving data copies to analytical environments (e.g. data warehouses), it becomes possible to automatically generate risk and audit insights on a real-time basis and enable stakeholders to primarily focus on risk remediation and mitigation. This doesn’t just put the business in control; it also offers a single source of truth to all risk stakeholders ranging from the first line of defense to the external audit. Also, any analytical needs from the business can be quickly fulfilled without having to wait for the data to become available, for instance to respond to changes in the risk universe.

We illustrated this with a SAP HANA technology use case in which the external auditor’s data-driven audit approach significantly changed the risk and controls efforts executed by all layers of the audited organization.

It can be concluded that there is an exciting future is ahead for organizations that want to analyze large volumes of ERP transactional data in real time. However, we would like to conclude with three key takeaways which should be kept in mind:

Data & Analytics happens between the ears. No matter the superiority of the technology, the strength of the analysis performed, or efficiencies gained, the process to get from data report to relevant and actionable insights “happens between the ears”. Technology can enable the business in generating results in a fast, complete and easy to use way; it is, however, the step of getting actionable insights from the results that make an impact on the business; insights alone don’t initiate a change.

Top down and bottom up should come together. The technology supporting the delivery of relevant audit insights is one that is ‘top down’ in nature as all ERP data of all businesses is analyzed and insights are made available at a central level. However, these insights delivered are also a call for action; most value is generated when actionable insights are followed up by employees throughout the organization to ensure a better control of processes. This way, there is both a “push and pull principle” for risk insights, follow-up, and remediation.

A new way of thinking is necessary. Embracing a data-driven approach requires organizations to prepare their personnel and end users to work and think in new ways. Employees in the business are uniquely positioned to bring in anecdotal evidence based on their experiences from the past to put the figures from a report into perspective. Both worlds need to learn from each other: end users can benefit from a better understanding of how their systems and data & analytics work to adopt a data & analytics driven mindset. Vice versa, auditors should listen to the anecdotes presented by business employees and bring that perspective into their understanding of the process and the data.

References

[Daan11] Daanen, H.T.M., Biggelaar, S.R.M. van den & Veld, M.A.P. op het (2011). Audit Innovation. Compact 2011/0.

[Donk14] Donkers, J.A.M. (2014). Maurice op het Veld en Bram Coolen over Data & Analytics. Compact 2014/2.

[Idoi19] Idoine, C., Richardson, J. & Sallam, R. (2019). Technology Insight for Ongoing Modernization of Analytics and Business Intelligence Platforms. Gartner Research 2019/06.

[Loo15] Loo, L.P. van, Zegers, A.T.M. & Haenen, R.C.H. (2015). Data analytics applied in the tax practice: Turning data into tax value. Compact 2015/1.

Verified by MonsterInsights