Sometime in their careers, management accountants are likely to participate in data collection for their organization’s internal or external audits. The process of identifying the source of audit information to satisfy requests and prepare schedules can be tedious and time-consuming, especially if performed manually. The process is compounded if multiple systems and data sources must be accessed when the information isn’t in the same format. Automating the extraction of financial and nonfinancial transaction information from enterprise resource planning (ERP) systems simplifies the task, saving time and money. International Organization for Standardization (ISO) 21378, Audit Data Collection (ADC), facilitates and streamlines the audit process. Developed by the ISO Project Committee (PC) 295, ADC was the first ISO project to focus on auditing. First approved for study in 2015, it was released in 2019 as ISO 21378 ADC.
Founded in 1947 to develop voluntary global standards for products, services, and systems to promote quality, safety, and efficiency, ISO has issued a wide range of standards. Since inception, more than 24,000 standards have been released. Some of the most popular are standardized currency and time and date codes, standards for food safety management, and standards for manufacturing and service quality. Imagine the chaos that would ensue if every software program used different time and date formats. Some standards can earn a company’s quality processes a certification such as ISO 9001 Quality Management Systems from the ISO 9000 Quality Management family. Compliance with this standard provides a high level of quality assurance for products and is commonly used in manufacturing organizations to focus on continuous process improvement.
ISO 21378 AND THE PC 295 PROJECT
The scope of the ADC project was to provide a specification for internal and external auditors to obtain accounting transaction information from an organization’s ERP system, including content and format requirements of accounting data elements and data interface output files. ISO was responsible for managing the project at the global level with 18 member countries designated as participants in the standard’s development along with 22 observing countries serving as members of the PC. A small group of participants served as members of a working group that developed the standard in working sessions and then shared the results with other members during periodic meetings. The American National Standards Institute provided support to the U.S. delegation’s technical advisory group.
Figure 1: Audit Data Collection Standards Business Modules
The project’s major requirement was to develop a neutral standard independent from accounting and ERP systems to bridge auditors with audit clients and organizations, software developers, and IT organizations. ERP systems developers use various formats that differ from system to system. The separate standards previously developed independently in China and the United States served as the starting point for the standard. China’s standard was based on its Golden Audit project, which provided standard financial and enterprise data to the China National Audit Office (CNAO). A series of reports was created by the participating entities throughout the country submitting the files electronically to the CNAO for auditing. The CNAO uses these reports to reconcile data from an enterprise’s accounting software and other data published by the enterprise. The China Electronics Standardization Institute developed and governed the standards used in the preparation of data files.
The American Institute of Certified Public Accountants sponsored a separate audit data collection project. Its working group’s goal was like China’s effort—to develop a standardized format for audit data to address data file and field definitions, technical specifications, and data validation to support the integrity and completeness of the audit data and to promote the use of transaction data for audit analytics and analysis. Standard accounting subledger processes such as general ledger, order to cash, fixed assets, and inventory were designed. While both standards provided input for the development of the ADC standard, simply combining the two standards didn’t satisfy broader stakeholder interests represented by the countries serving on the PC. Many challenges faced the global standard, including reconciling different financial and nonfinancial terminology, requirements for public company and government data, different data formats, statutory and regulatory requirements, and differences in financial statement reporting requirements (such as value-added tax and other taxes).
The final model represented many compromises made by the PC to ensure a robust standard design that would address its global stakeholders’ requirements. In Figure 1, the business modules in the Audit Data Collection Standards (ADCS) represent standard accounting modules in ERP systems. It also shows the linkage, process flows, and interface between them, representing the data integration and sharing that occurs in ERP systems.
Each business module shown in Figure 1 is supported with a separate ADC data file format. Implementing the standard requires following the extracting, transforming, and loading steps. A company needs to write a script to extract transaction data from its ERP database to convert it to the appropriate ADCS file format for the general ledger module. Then the data needs to be cleansed for accuracy (transformed) and shared with the organization’s auditors for loading into the audit program.
Automating audit data collection through data extraction to predefined file formats that can in turn be imported into automated auditing programs provides major efficiency improvements to both sides of the audit equation—the client and the auditor. The benefits don’t stop with auditing because an organization can also use the data to support internal data analytics. In both cases, the accuracy and the efficiency provided by this approach streamline transaction data analysis.
The opinions included are those of the author and not necessarily those of the U.S. Air Force Academy, the U.S. Air Force, or any other federal agency.
February 2022