Benford's law for integrity tests of high-volume databases: a case study of internal audit in a state-owned enterprise.
| Autor | Morales, Hector Ruben |
Introduction
International Standards on Auditing (ISA) encourages auditors to use analytical procedures during the planning, execution and completion phases of the audit to identify, among others, the existence of unusual trends (ISA 300, 2009; ISA 315, 2016; ISA 330, 2006). Motivating this study is the fact that internal auditors operating in state-owned enterprises (SOEs) in emerging economies need to employ analytical techniques that allow them to discharge their duties without interfering with the political process that might ask to ignore rules, procedures and best practices in corporate governance. This study focuses on mitigating uncertainty by providing a test interpreted as an indicator of the confidence or alert of the possible inherent or pre-existing risk of the computerized data that are made available to the internal auditors in their routine tasks.
The inherent risk of information is determined by the characteristics of the entity and the information system under analysis. Auditors cannot change the inherent risk level, but if the auditor knows it, audit planning and execution can be better tailored. ISA 315 (2016) and ISA 330 (2006) define it as an a priori measure of risk that is independent of the applied controls. To properly measure the inherent risk level before evaluating the existence and effectiveness of internal controls, the auditor needs to find and investigate possible errors or material differences. International regulations urge internal auditors to act in computerized environments to evaluate the reliability of the data used by testing controls and applying substantive data tests at the transaction level (ISA 315, 2016; ISA 330, 2006). The literature documents the advantage of leaving proper audit trails (Okundaye et al., 2019) and propitiates the testing of large data sets to generate evidence of consistency in the data (Cleary and Thibodeau, 2005), one of which is Benford's law (Nigrini, 2019).
Benford's law considers certain digits to appear more frequently than others in a given data set, and it is used to verify whether or not the behaviour of a set of numbers conforms to expectations, assuming no interference or manipulation. It predicts that more than 30% of the numbers begin with digit 1, 18% with digit 2, and it descends successively to 9 with an incidence of less than 5%. This pattern of numbers behaviour responds to a logarithmic function (Benford, 1938). In the broad field of assurance, Hill (1995) is one of the first authors to suggest the presence of possible risks of irregularities or fraud when the behaviour of a representative set of data does not comply with Benford's distribution. This line was continued by Nigrini (1999, 2019), but in all cases, its application was circumscribed to transactions.
This study reports the results obtained from eight enterprise resource planning (ERP) modules of a large SOE in Argentina's energy sector. Each module contained 3-12 years of operational data. To test compliance with Benford's law, the number of records (size) of the tables of each module was used, including more than 1,900 tables with 4,500 million records. The results show that Benford's law is satisfied when all modules are considered, but the same does not hold when modules are considered individually. The decision to further investigate is political and outside the auditor's hand, but at least they can leave a paper trail showing the results of an unbiased analytical test.
The contributions of this study are twofold. First, it explores the usage of Benford's law at a dimension above the transactional level (i.e. at the meso level), something that has been unexplored in the literature. In an ERP system, the meso level is the tables that conform to each module and is an issue not covered in Nigrini's (2017) literature review, where five new perspectives on using Benford's law in auditing are presented. Analysing the meso level is deemed to be an important area to explore as (non-)compliance with Benford's law could potentially indicate an issue with the completeness of the modules that the internal auditor is provided for assessment. Second, by selecting a case from an emerging economy from Latin America that has institutions rooted in Civil law, this study expands our understanding of the internal audit function (IAF) (Kotb et al., 2020) particularly in emerging economies (Salcedo, 2021). Although Benford's law is frequently used in economics and finance, very little is available for applications in Latin American countries (Carrera, 2015). Furthermore, previous literature has documented that internal audit departments in emerging economies do not function effectively due to political interference (Emmanuel et al., 2013) and inadequate support from top management (Ahmad et al., 2009). As such, shedding light on a rarely discussed aspect of internal auditors working in SOEs in Latin America enhances our understanding of the profession outside Common law environments.
The remainder of this paper is structured as follows. The second section reviews the literature on IAF, focusing on digital analysis in the public sector, paying attention to the relevant discussions coming from emerging economies as well as on applications of Benford's law. The third section reviews the details of the company and country where the case is developed by providing evidence of its uniqueness and common traits that might be present in other countries or companies justifying a more extended use of the proposed tool by internal auditors. The next section describes the data and analyses performed together with a discussion and implications for practice. The write-up closes with a conclusion that highlights the key contributions.
Literature review
The roles and practices of internal auditors have not been as profusely studied as those of external auditors and public accountants. IAF size has been considered a predictor of information technology (IT) tools and responsibilities; the larger the IAF within the government unit, the more comprehensive the IT risk assessment and use of sophisticated audit technologies (Garven and Scarlata, 2021). There is a set of studies linking internal audit quality and external auditors work; lately, this stream of research has moved into big data and refined analytics tests (Boskou et al., 2019), and little by little studies done outside countries governed by Common law start to emerge (Oussii and Boulila Taktak, 2018). Another lens used to study the work and practices of internal auditors have been their role and place in corporate governance, particularly when the IAF reports to managers and the audit committee as well as to other powerful interest groups such as unions (Erasmus and Coetzee, 2018); but again, in this line of research, there is little if anything about the reality of non-Common law countries (Hay and Cordery, 2018; Kabuye et al., 2017; Kotb et al., 2020). Limited research has suggested that internal auditors working in SOEs of emerging economies are pressured to please diverse powerful groups (Young et al., 2008) to the point that a Latin American president needed to make an open call for more professional internal audits (Ruiz-Tagle, 1998). The remainder of this section identifies the existing disperse literature to show that no previous study has extended the testing of an existing tool, Benford's law, in a novel environment in Latin America, which increases the external validity of Benford's law tools to assess the inherent risk of large database information.
Digital analysis and IT audit
Some of the challenges that the audit profession is currently facing involve the increased use of Big Data and the application of advanced analytics by clients (Appelbaum et al., 2017). Big data is characterized by client data that exhibit enormous volume, high velocity and a large variety (Cukier and Mayer-Schoenberger, 2013). The emergence of big data provides a broad range of opportunities for auditors to utilize Audit Data Analytics (ADA) (Appelbaum et al., 2017). As defined by Byrnes et al. (2015, p. 92), "Audit data analytics (ADA) is the science and art of discovering and analyzing patterns, identifying anomalies, and extracting other useful information in data underlying or related to the subject matter of an audit through analysis, modeling, and visualization for the purpose of planning or performing the audit." Due to the challenges that auditors face in evaluating financial and non-financial structured and unstructured data, auditing has begun to adopt and employ a variety of data analytics and artificial intelligence (AI) tools to gain insight into the auditee's performance (Kokina and Davenport, 2017). Evidence has emerged that AI can also be combined with robotic process automation to improve audit efficiency and effectiveness (Zhang, 2019). As a matter of fact, it has been shown that a variety of internal audit procedures can be automated (AICPA, 2015). To further support this assertion, recent literature notes that new technologies (e.g. data analytic tools) are being progressively implemented in internal audit departments (Betti and Sarens, 2021).
Various ADA tools have been proposed in the literature to perform analytical procedures at various phases of an audit (Appelbaum et al., 2016, 2017). These analytical models range from simple substantive tests to more advanced predictive techniques (Appelbaum et al., 2017). Among the ADA tools is the application of Benford's law for big data analysis (Lanham, 2019).
Benford's law
Frank Benford, a physicist at GE Research Laboratories, conducted a study of digit frequencies in tabulated data (Benford, 1938). Benford empirically tested the first digit frequencies of 20,229 observations (20 lists of relatively large numbers) and 2,968 observations (10 lists of relatively small numbers). His empirical results showed that 30.6% of the large numbers had the number 1 as the leading digit...
Para continuar leyendo
Solicita tu pruebaCOPYRIGHT GALE, Cengage Learning. All rights reserved.
