An explosion of data and major strides in analytics are challenging companies to reassess their policies, infrastructure, and capabilities around the use of technology, data and analytics (D&A), privacy, cybersecurity, and financial reporting in order to make better business decisions.
Given their oversight roles, how can boards and audit committees help ensure that the company is getting the appropriate insights while taking the necessary precautions to protect the company, its employees, customers, and others?
"The first thing boards need to ask is ‘how is the company itself organizing its data and who is responsible for it?’" said Roger O’Donnell, Global Head of Audit Data and Analytics for KPMG. "And, more broadly, the board needs to think about the company’s strategy and ensure that its policies for collecting and using data make sense in the context of the business. If something were to happen that was not intended, does the board understand the potential risk to the business and the brand?"
O’Donnell was joined in the discussion of D&A oversight on the March KPMG/NACD Quarterly Audit Committee Webcast by moderator Jose R. Rodriguez, Executive Director and Partner-in-Charge of the KPMG Audit Committee Institute.
According to the 2017 KPMG CEO survey, 71 percent of CEOs consider their company to be a "technology company," yet 49 percent have concerns about the integrity of the data on which they base decisions; and 61 percent are concerned about integrating artificial intelligence and machine learning into their business operations. These challenges—and the accelerating pace and complexity of data-driven technologies—highlight the critical role boards and audit committees have to play in helping to assess the risks and opportunities presented by the company’s use of data and analytics.
Boards and audit committees should have a holistic view of the company’s strategy around D&A— specifically what data is collected, how it is used, and who oversees that effort. Some companies employ a chief data officer, others have an aggregate data function with the office of the chief information officer, and, in many cases, the CFO’s office is becoming much more involved, said O’Donnell.
Among the key questions for directors to consider:
O'Donnell says that this conversation for directors is two-fold: "There are security decisions related to your infrastructure choice—on-site hardware versus cloud, but there are also questions for boards to consider around what type of information and data is captured and how it is used." With regard to the strategy that the company has set forth, does the way the company is utilizing information, specifically customer data, align with customer understanding and privacy expectations? "This has to go right through the CEO's office to ensure that there's a strategy in place so that everyone understands what data is being collected, how it is being utilized, and who is receiving it," said O'Donnell.
"I think boards have a responsibility to ensure that they're protecting the business and the brand and to ensure that customers aren't going to feel that their privacy was violated or manipulated or their information was used in a manner for which it wasn't originally provided," said O'Donnell.
Digital advances in areas such as mobile and cloud computing, automation, and artificial intelligence are transforming the ways companies do business, creating demand for new and improved internal controls and risk management. At the same time, automation and advanced analytics are helping internal audit improve performance. Adoption of digital technologies also creates challenges for internal audit that audit committees may want to focus on. "What's the resource complement for internal audit, as well as others in the organization, to help support greater analysis of things like procurement decisions and T&E?" asks O'Donnell.
O'Donnell suggests looking at what the company can automate into an analysis platform—general ledger information, journal entries, customer data—and presenting that to internal audit to better focus their analysis.
Regarding the external audit and the development of smart audit platforms, O’Donnell says that greater use of data and analytics in the audit can enable more analysis of larger volumes of data, which can help the audit team to better assess anomalies, exceptions, and how to handle them. Other outcomes include earlier indicators of control risk, greater scenario analysis, stress testing, and customer trends as indicated in the figure on the next page.
"From an audit perspective, we can move from limited samples to a place of complete analysis and looking at 100 percent of transactions," said O’Donnell. "I use the word ‘analysis’ as opposed to ‘audit’ because I think the combination of D&A and auditor determinations is going to give the company indications and information that management can react to." These technologies don’t eliminate the need for people. There can still be false positives and false negatives because the number of anomalies in a larger data pool will, by definition, be bigger."
"Putting together structured and unstructured data, having the expertise to unpack the information, and then having the right skill sets to look at how information comes together to drive analytics and business decisions all depend on whether the right questions are being asked," said O’Donnell. With greater insight, the company’s view on revenue, valuation, and even credit decisions can become more predictive. How might the company gain insight and better communicate information on adjusted non-GAAP earnings and nonfinancial metrics, the value of intangible assets, and key performance indicators? How can the company use D&A to fine-tune projections?
From shirts with biometric capabilities to engines that are capturing data, companies are gathering more information to help them make better decisions, for everything from vehicle maintenance schedules to personal health and well-being. Banks can monitor customer spending patterns and user locations to decide whether to deny credit card transactions to help prevent fraud. IBM Watson is helping medical providers analyze cancer treatment cure rates based on patient data in order to suggest more effective, personalized courses of treatment. This type of information flow and related action can add value in the supply chain, to investment decisions, and even in financial reporting.
Looking forward, in which areas would the auditor’s use of technology/data and analytics provide the greatest value and insights to investors:
Of 658 audit committee members, other directors and C-level executives surveyed during the Webcast on March 22, 2018. Percentages may not equal 100 due to rounding.
As board members think through the challenges that exist with the advancement of D&A, it's also important to view the opportunities and the long-term benefits, said O'Donnell. "Does the company have the right workforce with the right skillsets to manage through these changes? Has the board ensured the right level of governance and oversight to serve the company as it implements new systems and processes and also to help protect the data that the company captures and the information it derives?"
In your view, what are the greatest challenges to integrating data and analytics into the audit?
Of 658 audit committee members, other directors and C-level executives surveyed during the Webcast on March 22, 2018.
For the full replay and other highlights, visit kpmg.com/aciwebcast.
The KPMG Board Leadership Center champions outstanding governance to help drive long-term corporate value and enhance investor confidence. Through an array of programs and perspectives—including KPMG's Audit Committee Institute, the WomenCorporateDirectors Foundation, and more—the Center engages with directors and business leaders to help articulate their challenges and promote continuous improvement of public- and private-company governance. Drawing on insights from KPMG professionals and governance experts worldwide, the Center delivers practical thought leadership—on risk and strategy, talent and technology, globalization and compliance, financial reporting and audit quality, and more—all through a board lens. Learn more at kpmg.com/blc.
Part of the Board Leadership Center, KPMG's Audit Committee Institute focuses on oversight of financial reporting and audit quality and other issues of interest to audit committee members, including risk oversight, internal controls, and compliance. Learn more at kpmg.com/aci.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.