Yes, Automating ICFR Helps, But… 

Internal audit and GRC professionals talk all the time about the importance of automating internal controls. Now we have some fresh academic research demonstrating what sort of benefit a company can gain from following that path.

The research comes from Musaib Ashraf, an accounting professor at Michigan State University who published a nifty paper several weeks ago exploring how automation of internal control over financial reporting (ICFR) can help a business. Thanks to some clever analysis of what companies disclose in their annual reports about ICFR, Ashraf concluded that automation can indeed help companies in several important ways — although not in the immediate timeframe one might expect, and automation might also introduce other risks to financial reporting that the board, CFO, and internal audit function would still need to address. 

Let’s start with the question Ashraf was trying to answer. Historically, financial reporting has been managed by people. People can make mistakes when executing internal controls, either through error or fraud. Policing those mistakes takes time and money, in the form of manpower, audit fees charged by your external auditor, and oversight from the board’s audit committee. So automation of your ICFR should reduce that potential for mistakes and save the company time, money, and headache, right? 

Indeed so, Ashraf found. Except, audit fees and oversight from the audit committee both tend to increase in the first few years after an automation project, and then decline in subsequent years as everyone gets used to life with automated ICFR. The evidence also suggests that while automation leads to fewer material weaknesses in your financial reporting (yay!), those material weaknesses are likely to be worse when they do happen (ugh). 

All in all, Ashraf’s conclusions do support the argument that, yes, you should automate your financial reporting as much as possible — but companies also need to understand what the benefits of automating ICFR really look like, and anticipate the new risks to financial reporting you’re likely to encounter. 

What the Research Says

Back to Ashraf’s research. He examined the SEC filings of publicly traded companies from 2009 to 2019, searching for terms such as “machine learning,” “artificial intelligence,” “process automation,” “robotic process” and so forth in the Controls & Procedures footnote that companies are required to publish every quarter. Using such terms would indicate that the company is trying to automate its ICFR. 

That detail about the Controls & Procedures footnote is important. Under SEC rules, that’s where companies are required to disclose any material change to their financial reporting processes. So Ashraf reasoned that if a company mentions ICFR automation in its Controls & Procedures footnote, that automation must be part of a material change to the company’s ICFR.

Once Ashraf identified those companies that were talking about automating ICFR (in total he found 422 of them), he then examined what happened to those companies’ external audit fees, how often the board’s audit committee met every year, and how often the company subsequently reported a material weakness in its financial reporting.

For the sake of brevity, we non-academics are going to skip the statistical analysis he explains in his paper. Suffice it to say, he had the following findings, which should intrigue any internal control professional:

  • Companies that introduced automation to their financial reporting were 62 percent less likely to experience a material weakness.
  • Companies that introduced automation were also likely to experience fewer financial restatements and fewer class-action shareholder lawsuits.
  • ICFR automation led to higher external audit fees and more audit committee meetings in the initial years after implementation.
  • Those companies then enjoyed lower external audit fees and fewer audit committee meetings in subsequent years.
  • When ICFR-automated companies did suffer a material weakness anyway, the markets typically had a worse reaction. This suggests that while automation leads to fewer material weaknesses, those weaknesses tend to be a bigger deal when they do happen.

Critics will argue that Ashraf’s findings could be explained by reasons other than automation of ICFR. For example, maybe the company is improving its IT systems overall, and that improves financial reporting regardless of any specific ICFR automation project. Or maybe the external auditor has been improving its own processes to examine a client’s ICFR, and that led to the enhanced financial reporting. 

Those are fair points to raise, but Ashraf did consider them (in statistical analysis techniques beyond my novice understanding) and still reached the same conclusions. To wit:

Automation is significantly associated with a lower incidence rate of internal control material weaknesses, suggesting that firms that introduce automation benefit from higher quality financial reporting due to a stronger internal control environment… I further find that automation is associated with decreased monitoring over the financial reporting process and with more material weaknesses when they do happen.

Let’s assume Ashraf’s conclusions are correct. What would they mean for internal audit teams, audit committees, and others in charge of ICFR?

Swapping One ICFR Risk for Another

Let’s step back and appreciate the bigger picture Ashraf’s research is painting. Essentially, as companies automate ICFR processes, they are trading the risk that humans will make a mistake for the risk that automated ICFR will make a mistake. 

Look at things through that lens, and Ashraf’s findings make sense. Of course audit fees and audit committee meetings would increase in the first year after ICFR automation; everyone is skittish about how reliable the new system will be, so they monitor it closely. Then, as everyone gains confidence in how the automated ICFR performs, they naturally pay less attention to it; audit fees and audit committee meetings decline in subsequent years. 

My question is this: If we’re trading the risk of human error for automated ICFR error, how should the company change its control activities to adapt to that new risk profile? 

For example, say you automate the comparison of invoices to purchase orders, and confirmation that a vendor is on the master vendor list before sending payment. You’ve eliminated human involvement from those transactions, so perhaps you could eliminate the control of a supervisor reviewing that work.

On the other hand, you now need stronger IT general controls, to be sure nobody can tamper with those automated ICFR processes — say, by creating a backdoor in the code that allows someone to alter invoice data. You’d also need to change how you audit those now-automated processes. It wouldn’t be enough simply to examine the process, and confirm that all amounts paid matched all invoices submitted. You’d also need audit procedures to assure that the invoice data wasn’t tampered with, or that payment account numbers weren’t altered. 

In other words, by automating ICFR, you need to retool your internal controls and anti-fraud programs away from oversight of humans, toward governance of IT systems. That might involve very different audit procedures, and possibly different audit personnel if you don’t have the right team.
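
An added example, not from the original post or from Ashraf's paper: the invoice audit procedure described above, written in Python, where the amounts-paid reconciliation passes but an integrity check and a vendor-master check both flag an altered payee account. It assumes the automated process stores an HMAC of each invoice record at approval, under a key held outside the payment system; the field names, key and sample records are constructed for illustration.

```python
import hashlib
import hmac

# Assumption: this key is held by the audit function, not by the payment system.
AUDIT_KEY = b"constructed-demo-key"
SEALED_FIELDS = ("invoice_id", "vendor_id", "amount_cents", "account")

def seal(record):
    """HMAC over the fields that must not change between approval and payment."""
    msg = "|".join(str(record[f]) for f in SEALED_FIELDS)
    return hmac.new(AUDIT_KEY, msg.encode(), hashlib.sha256).hexdigest()

def amounts_reconcile(payments, invoices):
    """The process-level check alone: every amount paid equals the invoice amount."""
    return all(invoices.get(p["invoice_id"]) == p["amount_cents"] for p in payments)

def audit(payments, sealed_at_approval, vendor_master):
    """Return {invoice_id: [findings]} for every payment that has a finding."""
    findings = {}
    for p in payments:
        issues = []
        expected = sealed_at_approval.get(p["invoice_id"])
        if expected is None:
            issues.append("no approval seal on file")
        elif not hmac.compare_digest(expected, seal(p)):
            issues.append("record changed after approval")
        if vendor_master.get(p["vendor_id"]) != p["account"]:
            issues.append("payee account not in vendor master")
        if issues:
            findings[p["invoice_id"]] = issues
    return findings

# Constructed sample data.
VENDOR_MASTER = {"V-100": "ACCT-1111", "V-200": "ACCT-2222"}
INVOICES = {"INV-1": 125000, "INV-2": 48000}
APPROVED = [
    {"invoice_id": "INV-1", "vendor_id": "V-100", "amount_cents": 125000, "account": "ACCT-1111"},
    {"invoice_id": "INV-2", "vendor_id": "V-200", "amount_cents": 48000, "account": "ACCT-2222"},
]
SEALS = {r["invoice_id"]: seal(r) for r in APPROVED}
# INV-2 as it appears in the payment run: same amount, different payee account.
PAID = [APPROVED[0], {**APPROVED[1], "account": "ACCT-9999"}]

if __name__ == "__main__":
    print("amounts reconcile:", amounts_reconcile(PAID, INVOICES))
    print("findings:", audit(PAID, SEALS, VENDOR_MASTER))
```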

I also wonder how regulators will respond to this. For example, will SEC enforcement staff take a more unforgiving position if a company with automated ICFR experiences a restatement or fraud, and that company never bothered to update its control environment? Will the PCAOB update its audit standards for data analytics? Food for thought, and future posts.

Regardless, Ashraf’s paper gives us a better sense of the new environment that automated ICFR creates. The question is whether your governance systems can adapt to survive in it.
