Leveraging technology for enhancing Public Audit

Leveraging technology for enhancing Public Audit


Neelesh Kumar Sah, Principal Director, Centre for Data Management and Analytics (CDMA), SAI India

Introduction

Public Audit works in an environment characterised by its audited entities and that of the country that they operate in, politically, economically and technologically. Public audit is an important link in the delivery of public services with specific responsibility of ensuring oversight and accountability of executive to the people of a country.

The second decade of the twenty first century continues to witness the development in technology as always and with enhanced vigour. So much so, that, some say the amount of data created in last one or two years is equal to the data created throughout the history of mankind. This has been facilitated by developments in various aspects of the overall organisation of information systems and their management.

Information systems, generically, have predated any technological advances made by human kind. For an organisation, information systems, hitherto, have relied on the layout of organisation structures that have evolved over time and the communication systems developed to support them. It relied on the oral and written communications, initially which has been understood as the manual systems.

Advent of computing through computers, their interconnectivity, interoperability, and capture of myriad information sets on computers in different formats has resulted in completely different outlook to the manner in which modern day information is created, processed, stored and shared.

In the field of accounting and auditing what is relevant is that the information sets are created in databases, shared, processed, analysed and used for reporting. These data sets could be the ones obtained from the audited entities or entities relevant for a particular audit or created by the auditors themselves during the process of audit. The auditors need to understand handling of data not only from other entities but also to create their own data sets and use during the audit process and reporting.  As such it is important to understand the evolution of databases and related enabling technologies influencing technical and application architectures.

The related technologies that have assisted this evolution have been related to the file formats, storage capacity, processing capacities of the computers/ servers and very importantly networking technologies. The basic components of a computerised system, like the operating system, application system, the database management system and the dissemination and interactive application systems through the evolution of personal computers and networking technologies have made it possible to create diverse and complicated application, database and technical architectures, supporting complex business architectures. The storage and processing capacities of multiple computers/ servers, thus, could be leveraged.

Public Service

What does such developments hold for the public service?

The citizens interact with their governments for various services they expect from them. The governments have various organs that deliver services. Citizens are therefore required to approach the government through multiple contact points. To enable citizen to interact with ONE government, the integration of government services is a necessary transformation that could occur. The advent of advance information systems with capacities to hold tremendous data coupled with capacity to share and transmit data through the interconnected systems provides the platform for such integrations.

Many governments have already taken steps towards such integration through e-governance projects. Across the government there may be presence of different stages of evolution of such integration – from totally independent manual systems to independent computerised systems to computerised partially integrated systems to fully integrated and automated systems. The governments knit their service delivery mechanism according to their stage of evolution with a view to have a completely automated, integrated system providing a single window for all government services.

Evolution of Government systems

In pursuit of achieving the principles of e-governance as above, the e-governance systems follow a trajectory of maturity, indicating different levels. Layne and Lee outline four stages of evolution of the e-government systems. Cataloguing , transaction , vertical integration  and horizontal integration . The UN also categorized the e-Government evolution to Emerging presence , Enhanced presence , Interactive presence , Transactional presence , Seamless or fully integrated presence .  There are other models as well. Each of the model primarily tracks the evolution from a minimalist to a comprehensive system of e-governance. This has largely been facilitated by the developments in technology as well as developments in computational know how.

Public auditors have to track and keep pace with these developments and levels of technological evolution in the government systems.

Facets of technological impact on government functions

The government services were provided through in situ computer systems by different government departments not too long ago, across the counters. Abundant emphasis on reaching out to the citizen with services and information has been on the web based systems for quite some time now. The web services transformed from one sided service providers to interactive platforms where the citizen could also upload information into the databases. These service deliveries are increasingly moving to the app based mobile sets. Emergence of social media has also provided another platform to government and its functionaries to provide information and some services through these modes.

Single delivery portals provide single platform for integration of different government services. Use of unique identifiers of the citizen or entities interacting with the government makes such integration possible.

Developments in the electronic business transactions using electronic payments have enabled government functions to be remotely conducted, like payment of taxes and fees for services from the government or its agencies or payments made by the government to its beneficiaries . A unified payment interface  also goes a long way in facilitating such services, in real time.

Cloud computing has emerged as a big enabler for remote storage, processing and delivery of services to the users in the government as well as to the citizen. This goes a step further to enable online transaction processing (OLTP) and thus provide real time services to citizens.

The government has also started using different technologies to improve its policy making, planning and response systems. Use of satellite data (remote sensing data) along with the Geospatial information system (GIS) has started playing important role in policy design, planning and emergency response, like in environment management, town planning, disaster management, wasteland management, monitoring illegal constructions, open cast mining, flood inundation and flood hazard zonation, administrative boundaries, deforestation, monitoring creation of public assets etc.

Accuracy of information is ensured by using geotagging, the information collected using the Global Positioning System (GPS). This makes the data to be useful even for social projects being delivered by the government .

The app based mobile systems along with the cloud services facilitate the service delivery not only through the portals but also provide the services on the go. The citizen could access the services from anywhere in the world. While giving the flexibility of use to the citizen, there may also be issues of adequate recognition of the citizen and their location for ascertaining jurisdictions etc.  The use of GPS can be very helpful in these scenarios as well.

The trinity of Jan-dhan , Aadhar  and Mobile (JAM ), in India, pretty much sum up the integration and transformation into the e-governance service delivery to the citizen of India .

The above are a few illustrations of the use of technology by the governments in delivering government services.

Public Audits

Public audits are, essentially, audits conducted on behalf of the public on government performances. They take the modes of compliance audits, financial audits or the performance audits. Each mode of audit has its own requirements. However, one common characteristic of all audits is that they look for information to substantiate their audit findings.

The stages of an audit process include audit planning (including identification of audit objective(s), scope, audit units, audit sample), audit evidence collection, analysis, conclusion and reporting. Each of these stages depend on the processing of information obtained and created during the audit process. The auditor is confronted not only with the large data sets (Volume) of today from the audited entity but also data sets from various sources (Variety). When the systems are working real time, it may become pertinent for public auditors to also process data in real time (velocity).

The objective of public audits is to assure the citizen on adequate functioning of governance mechanisms in the country.

Audit is ultimately concerned in obtaining relevant information from the audited entities or others to substantiate its audit assertions or objectives, by applying suitable analytics on the information. Public Auditors have a wide jurisdiction, auditing whole of government and its entities. As such the problem of obtaining the data sets in a readable form by the auditors from multiple sources is the first issue they have to grapple with.

Data access

One of the obvious ways to tackle issues of data access is through involvement of audit from the design stage of the IT systems. It may be possible to incorporate the audit requirements into the system design. The data in requisite format can be generated, thus, by the audited entity and provided to the auditors. It may be provided to the auditors on the entity’s sites through an access to the system. This could be a read only access without any transaction rights so that the system’s performance is not affected. The data may also be provided through backup files created in the entity’s environment and shared on a removable media with the auditors. Better, still, will be when the audited entity is connected to the auditors’ systems and the data is populated on the auditor’s systems. Cloud services provide further flexibility to the remote access for the auditors. Auditors with a mobile app with capability to access the data from the audited entity’s systems is another totally random access mode to the auditors.

There clearly is a series of progression in the way auditors can access data from their audited entities, indicating the SAI’s maturity levels along with that of the government systems between access of manual records to real time access of data.

th1

Figure 1: Data Access Maturity Levels in SAIs

However, most often than not, it will be seen that the audit is not involved at the system design stage. Even if the government wishes to involve audit at the system design stage, the number of such instances makes it difficult for audit to get involved.

Data handling at different levels of data access maturity

In a manual system, the information was obtained by auditors in a manual form. This is increasingly becoming passé. Invariably, the information is available in electronic mode. The mode of access could be one of the stages in the figure above.

When the data was shared in removable drive, the auditors need to have hardware compatible to run the media, a CD, DVD or a tape drive. Along with the capacity to run the media, the auditors need to have application where the data can be read from the media. With various sources of data, this is bound to create issues with relation to the applications, if not the hardware compatibility.

Public auditors should  plan well in advance to put in place the necessary hardware and software. The public auditors also need to ensure authenticity of data received, so that, audit conclusions are non-refutable.

Read only rights are typically the view rights granted to the auditors at the entity’s systems. These rights should be exercised on backup data rather than on live data for the reason that the analysis through queries can impact operation of the system. However, the read only rights should also facilitate copying of the requisite data/ results of analysis. Authenticity of data need to be ensured by getting the results authenticated by the audited entity.

In electronic transfer of data, the data in file form is transferred using the network or direct connection. The authenticity of data is ensured through the use of encryption techniques or digital signatures.

In online access of data through the cloud services the compatibility of the systems at both ends of the auditors and the audited entity is required to be ensured. The data is downloaded directly from the servers, mostly the backup servers, at the audited entity’s end through a predefined module. The authenticity of the data can be ensured by using the public key infrastructure (PKI).

The real time systems provide access to live systems and the information contained therein in a real time mode. Real time data access provides possibility of real time processing. This has the potential of development of continuous monitoring and continuous auditing approaches. Analysis of real time systems may not be humanly possible and as such, embedded audit modules become very important in such cases. These modules provide auditors with insights to focus their audits on, apart from providing audit evidence. The authenticity of data is ensured not only through the PKI, but they are supplemented through the time stamps embedded into the data structures. Auditors need to prepare for such real time access possibilities.

The mobile based apps provide another opportunity to the auditors where the above access modes, especially the online and real time access modes are exploited through the use of mobile apps. Auditors need to be abreast with the issues related to the new technologies that keep on unfolding.

Data Analytics

Once the data is accessed by public auditors, Data Analytics is the next major activity. They receive large and variable data sets.

A preliminary step to the data analytics is to make the data clean and in a format usable for analytics. This happens due to the different data sets and possible inconsistencies in the data sets, due to different data formats or data structures. Incompleteness of data sets can be another cause requiring data cleaning. Linking relatable data sets can always throw up a challenge to an auditor due to inconsistencies in data entry for common fields. Data cleaning, in such situations can become the most tedious and time taking effort in the use of data by public auditors. However, there are solutions available that ensure that these inconsistencies are identified and addressed. Master data management (MDM) used by many large companies when confronted with different databases becomes very relevant here.

It becomes important to analyse the relatable data sets. To carry out the same, the techniques of analytics exploit advanced statistical techniques. The data sets are joined, appended as per requirement of a particular audit. The techniques of classification, clustering, decision tree, regression etc. are employed, by executing appropriate queries on the data sets.

Many applications have also developed capacity to carry out these analytics through, what is called, machine learning. The applications have the capability to identify patterns and relationships between data sets. This assists the auditors in understanding the data sets. Understanding data sets in an electronic environment is a major component in understanding the organisation, at the beginning of the audit process. The applications also have the capacity to read various types of data formats.

The unstructured data sets, image files (including satellite data), flat files, text files, websites, legacy systems, social media, apart from the database files can be read and patterns, compilations can be identified from these data sets. The unstructured data in terms of text data can be used to create a text cloud identifying the words or phrase most repeated indicating their importance. The applications also provide capacities to search specific words or phrases from text data. The data from social media (also text data) can be analysed accordingly. Image data can be analysed based on the tags associated with the files which provide basic information on the image files. The satellite imageries are used for ascertaining changes over time period. These require specific capacity to study the images to understand the patterns. The same is available in many countries today and is increasingly being used for environment audits and audits related to town planning, flood control and social programmes.

It is possible today to carry out analytics on relatable data from different sources and different data formats.

The analytic results are shown in typical data formats but can also be visually presented which enhance the appreciation of patterns underlying data sets and their relationships, through what is generally called data visualisation. Data visualisations are done through statistical graphics, plots or information graphics. Data visualisation could also be used in presenting audit results in an efficient and effective manner for the citizens/ parliaments, in the same manner as it is used to understand the organisation/ data by the public auditors. There are many applications providing data visualisation capacity on large data sets of different formats.

It may not be otherwise to say that in times to come the focus of public auditors will change from gathering evidence to analysing data and that too from multiple data sets of varying formats. This will bring about a big improvement in the efficiency of public audit process. This will also require a quantum shift in the audit approach for the public auditors, with corresponding upgrades required in their audit standards and guidelines related to data access, data cleaning/ organisation, analytics and presentation.

Data Repository

While the discussions mostly hover around the capacity to access and analyse the data sets from the audited entities, it is important to create and manage a data repository of all data sets that are accessed by auditors and use them over time to create a time series analysis, apart from the need to retain audit evidence. This can be facilitated through development of analytic models during the first time the data sets are received and analysed. The models will become richer by accretion of data sets every year or at pre defined periods. The data structure remaining same or mostly similar can make the time analysis possible. The data repository should also hold the results of the data analytics, especially those which are one-time effort for the auditors. Development of appropriate data classification and storage protocols become important at this juncture.

Some recent open source based frameworks (Hadoop, NewSQL etc) provide solutions to store data sets having different formats (Big Data) and also provide platform to support the analytics. These specific solutions depend on partitioning of databases either vertically or horizontally. They exploit the capacities to map and reduce the data sets. They also use the limited index searches on the portions of data sets and parallel processing to yield real time results. These solutions have a distributed architecture, and include components such as distributed concurrency control, flow control, and distributed query processing. These frameworks provide potential for dealing with large data sets and multiple data sets with relative ease than that with the capacity of dealing with the baseline of RDBMS only. Analytic engines could rest on these platforms utilising their potential of storing huge databases and being able to process them.

In times to come, a good data repository may determine the potential and maturity level of an SAI.

Audit Automation

Audit process is mostly a standard process. The techniques may have varied but they encompass the audit planning (based on risk assessment, identifying audit objectives, selecting audit unit, selecting audit sample and identifying evidence to be collected), audit execution (collecting audit evidence), analysis, conclusion and recommendation stages with a follow up stage. The systems of allocation of audit resources, especially human resources, their deployment, field audits etc. are administrative processes that are also more or less standard in a SAI.

Such standard nature makes it possible for the audit process to be automated. Capacity of information systems to hold large amount of data in different formats and then analysing and presenting the same makes it possible to cover the gamut of the audit process and deployment as well. There have been various audit management tools available with limited capacities at different stages of audit. In an ideal world, a SAI could evolve a comprehensive system (akin to the ERP systems) integrating whole audit process with possible real time linkages to the audited entities, adequate data repositories, analytical platforms and report generation modules.

Experience in SAI India

SAI India has set up a Centre for Data Management and Analytics to address the situation evolving due to developments in the sphere of database, technical and application architectures. The centre is working to implement the Big Data Management Policy adopted by the SAI India in 2015. It has embarked on massive capacity development programme in the SAI on data analytics. It is in the process of setting up a data analytic and data repository platform to cater to all its field offices (90) spread across the country. In times to come, the SAI aims to evolve into an SAI with data repository making its public audits more efficient and effective.

Way Forward

Technology development follows the Moore’s law . It is expected to continue for at least another decade, with some pegging this phenomenon to continue for centuries. The fact remains, that apart from the computing powers of the integrated circuits (ICs) of the computers, the development of approaches on using the combination of hardware, software and data management principles provides tremendous potential. Governments will accordingly exploit these to improve public service delivery.

Public audit needs to keep pace in using the same developments to support its functions of accessing, analysing, storing and representing/reporting, while carrying out their functions of providing assurance to the citizens. While the developments keep happening, the same techniques and technologies will also be useful for auditors while dealing with information collected during audits. It will be important that the public auditors keep their engagement with the developments in technologies, techniques and solutions developed, by continuously updating themselves. Public audits can, only then, leverage technology effectively in discharge of its responsibilities.





Leave a Reply