What Is Data Reliability Risk?
To meet the information challenges of their time, various accounting organizations promulgated guidance to help CPAs assess data reliability. For example, the GAO’s “Assessing Data Reliability” (December 2019) “describes the principles behind and steps involved in assessing the reliability of data used for audits” (p. 4). The report further defines risk as it relates to data reliability as “the likelihood that using data of questionable reliability could have substantial negative consequences for the auditing agency or on the decisions of policy-makers and others” (p. 16).
The information reliability risks that challenged the accounting profession throughout history have remained relatively constant. These timeless risks include completeness, accuracy, consistency, and relevancy. The standards classify mitigation strategies into two groups—general controls and application controls. General controls refer to risk mitigation activities that apply to all systems, including systems acquisition/development, external security (physical and cybersecurity), vendor management, and enterprise information organization and governance. Application controls focus on the accuracy of the data entered and processed. While application controls are typically the responsibility of business line managers and end-users, corporate technology or financial executives are responsible for general controls.
Despite this expertise, the accounting profession remains challenged to convince stakeholders to do better with their custodial responsibilities over data. Despite nearly 70 years of automated technology experience, practitioners struggle to implement and maintain cost-effective control strategies. These strategies could minimize the expenses incurred due to misuse and regulatory fines, and the missed revenue opportunities of not using available data more strategically.
Continuing Data Risk Management Challenges
This author’s examination of early CPA Journal articles reveals the profession’s fascination with a particular risk that could wipe out an organization and leave no appropriate audit trail. Our predecessors considered backup and recovery a critical control because electronic copies could easily have been damaged or destroyed, and an alternative copy was needed to mitigate this risk. Today, this process is referred to as “resiliency.” As evidenced by some organizations’ inability to recover from a malware attack (recovery from which requires excellent data backup), this challenge unfortunately remains prevalent.
Access controls and security were also a featured topic of early CPA Journals. As is true today, the profession was concerned with preventing unauthorized personnel from accessing critical resources, whether they were privileged insiders or unauthorized intruders. Early recommendations included implementing configuration management, monitoring log activities, and promoting need-to-have access. Unfortunately, a recent sample of technology-related government audits (as these audits are publicly available) performed during the past 10 years revealed that these issues continue to challenge the risk management community even today.
The analysis of data using computer-assisted audit techniques was another popular topic in early CPA Journals. Auditor-friendly software included standard testing routines to facilitate financial analysis and audit procedures. Similar to today’s data analytics, the profession imagined a more efficient, accurate audit. Some anticipated that continuous monitoring would revolutionize the services delivered by the profession. Unfortunately, these same promises are made about data analytics today.
Disappointingly, the role of CPAs in system development or acquisition development has decreased through the years. These activities reflect the use of automation to process data. Four decades ago, The CPA Journal highlighted the role that accountants could play in helping organizations better implement technology solutions that include controls, business policies, and regulatory requirements. CPAs expected that, by making these recommendations beforehand, they could save organizations money compared with the more costly remediations that could occur after implementation. Today, many organizations rush to cloud computing or use robotic process automation without fully considering the controls that may eventually need costly remediation.
Learning from the Past
As The CPA Journal celebrates its 90th anniversary, the profession must learn from past inadequacies to provide value-add to our stakeholders. Stakeholders will question the profession’s relevancy in the digital age if we cannot manage and leverage data to help them. Hopefully, future practitioners will have the necessary skills and courage to change to satisfy these expectations.