Continuous Audit Implications of Internet Technology: Triggering Agents Over the Web in the Domain of Debt Covenant Compliance

Transcription

1 Continuous Audit Implications of Internet Technology: Triggering Agents Over the Web in the Domain of Debt Covenant Compliance Jon Woodroof University of Tennessee DeWayne Searcy University of Tennessee Abstract The Canadian Institute of Chartered Accountants and the American Institute of Certified Public Accountants have together called on the research community to show how continuous audit (CA) could be implemented in various auditing domains. In response to this call, we look at the domain of debt covenant compliance, and we utilize Cold Fusion, a leading web applications development technology, to design and demonstrate an implementation of a continuous process audit within this domain. We design and demonstrate a system that uses agents sent over the Internet to continuously monitor whether actual values of client s variables are in compliance with standards for these variables set out in the debt covenant agreement all from a remote location, the loan officer s desk. Keywords: continuous audit, debt covenant, workflow, Cold Fusion 1. Introduction In a society that produced instant coffee, instant soup, instant breakfast, and instant pudding, it is not surprising to find out that we are currently developing an insatiable appetite for instant information. Web technology is spoiling users by eliminating the time between the wanting of information and the getting of information. From stockbrokers to car dealers, technology is rapidly making the middleman an artifact. From a single electronic source, users can retrieve sports scores, buy a hot stock, find out weather forecasts for the weekend, view detailed maps and directions, be apprised of traffic updates, purchase a ticket-less airline reservation, order groceries, and even make a car purchase with customized specifications. Thanks to our new e- culture, we have acquired a taste for instant information, and it is already too late to turn back. This new culture is having an impact on the information expectations of decision-makers and other users of financial information. Users are becoming less willing to accept static, periodic financial statements presented in a one-size-fits-all format. It is now both technologically and economically feasible for users to have real-time access to corporate databases. This feasibility, coupled with the increasing sophistication of users, opens the way for decision-makers to customize the components of information they use to make investment and credit decisions. Web technology is increasing the pressure for reports of financial information to be made available to users on a continuous basis, thus creating the need for continuously auditing this information. A continuous audit (CA) is an assurance service where the time between the occurrence of events underlying a particular subject matter and the issuance of an auditor s opinion on the fairness of that report is significantly compressed, or even eliminated. A CA is the natural evolution of the integration of technology into the audit domain. Although the concept of CA is now almost a decade old [9], only recently have technologies emerged that are both widely available and affordable, making implementation of CA feasible. With this technology, web-based applications can be developed that allow users of financial information to receive audited reports in real-time. Automating audit workflows can make the audit more efficient for the auditor and more affordable for the client. Additionally, automating audit workflows can make the audited report, which is the focus of this paper, more relevant (and thus, more valuable) to the decision-maker. Because of /01 $10.00 (c) 2001 IEEE 1 1

2 technological advances and the current audit environment (to be discussed in detail in the following section), public interest in the concept of CA is growing. The Canadian Institute of Chartered Accountants and the American Institute of Certified Public Accountants have together called on the research community to show how CA could be implemented in various auditing domains. The following domains are among those suggested by these institutes [4]:! an entity s compliance with its published policies and practices regarding authenticity, integrity and nonrepudiation of electronic commerce transactions;! the effective operation of controls over specified systems or processes; and! specific financial information in connection with debt covenant compliance. In response to this call, we utilize Cold Fusion, a leading web applications development technology, to demonstrate an implementation of CA within the domain of debt covenant compliance. Debt covenants are components of an overall loan agreement that emerge from the negotiation process between a lender and a borrower. The loan agreement establishes the type of loan, repayment schedule, covenants, and pricing [12]; as well as the monitoring relationship between the parties involved [15]. Debt covenants are included in the lending agreements with banks, insurance companies and others to protect the interest of the lender while providing the flexibility management requires in running a profitable business [12]. In a continuous auditing environment, compliance with the debt covenant can be monitored on-line (via the web) by the lender. Loan officers (each morning and continuously throughout the day) could access a web page that lists all of the loans for which they are responsible, the debt covenant agreements and criteria for each loan, and the continuous determination of compliance on each loan. Facilitating and accelerating lender/borrower communication through a CA can significantly reduce the lender s uncertainty regarding the borrower s financial condition. Reducing uncertainty minimizes default risk, thereby allowing the lender to lower the interest charged on the loan. In today s highly competitive commercial lending business, the premium charged by lenders for default risk can reach 2 percentage points [12]. We use Cold Fusion as a vehicle for demonstration; however, other technologies could as easily be adopted for implementation. For example, XML (extensible Markup Language) could be used. In July of 2000, the XBRL (extensible Business Reporting Language) specification was released. XBRL is the first XML taxonomy for financial reporting. XBRL is a XML-based tagging system that information supply chains utilizing disparate software applications will be able to use to automatically create, exchange, and analyze financial reporting information. Such information could include annual and quarterly financial statements, general ledger information, and audit schedules. We design and demonstrate a system that uses agents and alarm triggers sent over the Internet to continuously monitor whether actual values of client s variables are in compliance with standards for these variables set out in the debt covenant agreement all from a remote location, the loan officer s desk. 2. The changing audit environment The audit environment is changing. One of the technologies that has been instrumental in this change is Electronic Data Interchange (EDI). EDI, a standardized and structured means of transmitting data between trading partners, has produced significant efficiencies for major industries and corporations by greatly compressing business cycle times. Recently, because of falling technology costs and the Internet, smaller industries and firms have begun utilizing EDI. As Internet security, authentication, and privacy concerns continue to be addressed and solved, more and more firms will choose to do business using web-based EDI. With widespread adoption of EDI, the use of programmed controls in place of manual controls will surely increase. And as the use of programmed controls increase, so too will the need for advanced automated audit tools and techniques that take advantage of technologies associated with distributed networks. Much of the testing an auditor does can now be done off-site audit routines can be designed and executed remotely to test transactions and controls on a continuous basis, and the test results can then be compared with actual results [4]. Due to the ever-widening EDI environment, many economic events are currently being identified, captured, measured, categorized, and aggregated without any paper documentation. Therefore, reliance by auditors on traditional substantive testing must be reduced simply because the paper trail of source documentation is evaporating. EDI replaces purchase orders, sales invoices, shipping forms, checks, bills of lading, material requisitions, and other documents with structured electronic transactions. This phenomenon is reducing the amount of time required to produce audit-class financial reports and has contributed to the flat demand for the annual financial statement audit (an opinion regarding the fairness of publicly traded firms annual financial statements that has /01 $10.00 (c) 2001 IEEE 2 2

3 traditionally been the primary product the accounting profession has offered to information users). In many instances, audited financial statements made available on an annual or even quarterly basis arrive after financial decisions have already been made. One analyst made the observation, The current system is like timing your cookies to a smoke alarm! [5]. The relentless advance of technology has changed the nature, timing and evidence of the audit process, and has made the notion of CA not only feasible, but also necessary. What is more, organizations are linking their real-time accounting systems to various Internet sites that allow many of their financial statement items values to be continuously updated with fair valuations [14]. Even accounts that do not readily lend themselves to continuously updated valuations (i.e. adjustment accounts, like depreciation) could be linked to Internet sites that provide market values for company automobiles, trucks, and equipment based on mileage or hours of operation. Additionally, many financial statement accounts are being managed in real-time. For example, Just-In-Time (JIT) inventory processes, managed by trading partners who supply merchandise to an organization as the result of customer pull in the supply chain, make possible online, real-time reporting of inventories on corporate balance sheets. Likewise, JIT cash management procedures, where suppliers of capital are given access to an organization s cash flows, make possible real-time monitoring and evaluation of cash, payable, and receivable account balances [5]. For CA to become widely adopted, however, it must be seen as technologically and economically feasible [11]. All that is needed to design and implement CAcapable applications is an agreement by the parties involved, and a web server running web application server software 1. Not only is the technology to support CA currently available, but also the cost of implementing CA has dramatically fallen Debt covenant compliance domain 1 For smaller applications, web-scripting solutions such as Microsoft's Active Server Pages (ASP) and Netscape's server-side JavaScript may be appropriate. But for larger applications, web application servers offer several advantages; 1) they provide sophisticated application development environments that are designed specifically for the web; 2) they provide an effective way to scale as user demand increases; and 3) they provide a way to seamlessly integrate web applications with legacy datasources [6]. The application server demonstrated in this paper is Cold Fusion Application Server 4.0 by Allaire. 2 Application server software can be purchased for under $2,500. What is more, these application servers do not have to be owned they can be affordably leased. For firms that can become comfortable relinquishing some control over the security of their data to a 3 rd party, there are many web hosting sites running these application servers that can be leased for less than $30 a month. A CA is most viable in domains where the following two conditions exist simultaneously [4]:! Continuous information is vital to critical decisionmaking processes and,! Users perceive that a CA would improve the reliability of the information and would significantly enhance their decision-making ability. The debt covenant compliance domain would seem to be an ideal arena for CA. A debt covenant compliance domain involves three components, 1) a borrower, 2) a lender, and 3) the loan agreement between the two parties detailing the debt covenants 3. Violation of any debt covenant triggers a technical default, influences corporate financial and accounting policy, and could cause an immediate acceleration of the debt payment [12,16,10]. In most cases, a technical default will not lead to a lender calling the note; however, such defaults can significantly impact the borrower in other ways, such as causing an increase in the interest rate, a modification of the borrower s operations, and an issuance of new debt covenants [7,8,3]. Thus, it is imperative that the loan be structured to minimize the costs and consequences to the borrower, while protecting the interests of the lender. Structuring a debt covenant in the context of CA is a process for accomplishing this objective. In essence, both parties to the loan are motivated to engage in a CA debt covenant agreement. On-line, real time access to the borrower s data allows the lender to minimize default risk and provides the borrower with a lower interest rate on the loan. A CA allows the lender to continuously monitor the financial condition of the borrower through evergreen 4 financial statements and accounting-based ratios. The speed of communication increases dramatically from the traditional monthly or quarterly financial statements to real-time, online financial statements and ratios. In addition, the numbers are continuously monitored by an independent auditor, providing assurances on the reliability and validity of the information provided to the lender. In addition, a CA can provide the lender with timeseries data on the financial variables of interest. This 3 Debt covenants are ex ante restrictions on management s post-contract actions to mitigate default risk [2]. Debt covenants can require certain actions (e.g., make available financial statements at regular intervals), and/or preclude certain actions (e.g., incurring additional debt), and/or require the maintenance of certain financial ratios (e.g., liquidity, net worth, profitability, interest coverage) by the borrower [12,7,15]. 4 Evergreen reports are audit reports that are available whenever a user accesses a web page containing the subject matter of a CA. Evergreen reports are dynamically dated according to the timestamp created when the user accesses the site /01 $10.00 (c) 2001 IEEE 3 3

4 protects the lender from borrowers managing the numbers. In other words, traditionally, the lender would receive a borrower s quarterly or annual financial statements and determine compliance based on those historic amounts. Within this traditional environment, a borrower has the opportunity to manage the accounts to make sure they are in compliance with the debt covenants. In a CA environment, the lender is able to determine compliance more frequently (e.g., weekly or daily) and chart the variables of interest, thus minimizing the borrower s ability to manage the numbers. 4. Model of CA In the debt covenant compliance domain, auditors could be asked to continuously audit and report on specific financial information relating to debt covenant compliance subject matter. This type of communication requires the use of digital agents. Digital agents emulate Internet clients, sending requests to activate processes on or to retrieve information from Internet servers. Figure 1: Model of CA in the Debt Covenant Compliance Domain In a CA environment, a digital agent is a set of electronic instructions (software) that acts on behalf of the auditor to perform some service related to the subject matter being audited. The auditor sends a digital audit agent to communicate with the client s database. In essence, the agent is a query sent remotely to perform audit tasks on the client s database. Figure 1 shows our model of how CA can be structured in the domain of debt covenant compliance. The model, as outlined, has five stages. Below is a summary of the events occurring within each stage: Stage One: The loan officer sends debt covenant parameters to the auditor and requests a debt covenant compliance evergreen report. Stage Two: The auditor sends a digital audit agent to communicate with the client s database to provide specific account information regarding debt covenant compliance. Stage Three: The audit agent runs Balancesheet.cfm located on the client s server. Balancesheet.cfm is a web page that displays the client s real-time account balances (see Figure 2 for an example). Stage Four: The audit agent compares the realtime account balances against the debt covenant agreement to determine compliance. Stage Five: An evergreen audit report is generated and displayed to the loan officer (see Figure 3 for an example). There are several important criteria of the model that are assumed: the CA environment; the components of a reliable and secure system; the security, authenticity, and confidentiality of data transmissions; and the CA debt covenant agreement between the parties involved (discussed above). The following paragraphs discuss each of these underlying assumptions. 4.1 CA environment The CA environment oval in the model actually represents two CAs one initiated by the loan officer and the other by the auditor. The CA initiated by the loan officer provides assurance regarding whether the client is in compliance with the debt covenant agreement. The CA initiated and monitored by the auditor provides assurance regarding whether the client s accounting system is in compliance with stated management policies and procedures. In the CA environment criterion, there is the assumption that the auditor has the proficiency to undertake a CA engagement. The auditor must be proficient, not only with the subject matter of the audit, but also with various aspects of information and web technology, in order to be able to design and maintain the process for continuous audit/ reporting. There is also the assumption that there is a high degree of automation of the processes that capture, store, /01 $10.00 (c) 2001 IEEE 4 4

5 aggregate, and report information related to the subject matter being audited so that it is available in real-time. This automation applies to routine hard data, non-routine hard data, and soft data [4]:! Routine hard data: Routine hard data is data underlying the subject matter of the audit that is clearly definable and easily interpreted and measured.! Non-routine hard data: Non-routine hard data is data that requires information from other sources and a calculation to make them interpretable and measurable. Automating this type of data is becoming possible as systems become more and more integrated and as information technology advances.! Soft data: Soft data is data with a high degree of subjectivity that requires assumptions and judgment by the client s staff. Automating this type of data is becoming more and more feasible with advances in information technology such as neural networks and intelligent agents. This is a critical criterion. Without a commitment by companies to make key financial figures available to auditors in real-time, CA is not feasible. As has already been stated, technologies are currently available that enable this real-time accounting. Over 93% of the Fortune 150 companies and 52% companies listed on the NASDAQ currently include financial information on their websites [13]. The challenge now is for firms to make this information available to users in real-time. The CA initiated by the loan officer is completely dependent upon the reliability of the CA initiated by the auditor. Any assurance provided to the loan officer about debt covenant compliance would be meaningless without some underlying assurance regarding the reliability of the accounting system producing the information. 4.2 Components of a reliable and secure system The automated processes within the CA environment must be highly reliable. Reliability encompasses process integrity, security, availability, and maintainability [1]:! Process integrity: Process integrity is the capability of the system to capture, store, aggregate, and report information related to the subject matter being audited completely, accurately, and in real-time.! Security: Controls must be in place to insure that data and processes have not been compromised by unauthorized access. Where violations have been detected or suspected, alarms must be triggered to the auditor and the site must give notice or be temporarily disabled.! Availability: Availability is the degree to which the CA report is available. Controls must be implemented to insure a high degree of availability. This can be accomplished through redundant resources, including backup ISP and mirror processing.! Maintainability: There must be an agreed to amount of time each month when the site will be unavailable so that scheduled maintenance can be performed. 4.3 Secure transmission Transmission of information between parties must be authorized and have confidentiality, integrity, and authentication.! Authorization: Authorization has to do with limiting information access to authorized users. Only authorized users should be able to access the transmitted information. This can be accomplished through firewalls, passwords, and biometric devices.! Confidentiality: Confidentiality has to do with ensuring the privacy of the transmitted information. This can be accomplished through various encryption techniques.! Integrity: Integrity has to do with being able to detect message interception and tampering. The evergreen reports must be safeguarded against unauthorized changes. Techniques used to ensure transmission integrity are hashing and integrity checks.! Authentication: Authentication has to do with verifying the origin of the communication. This can be accomplished with digital signatures, challenge-response techniques, passwords, and biometric devices. In the application demonstrated here, a database was designed in Microsoft Access. The database has general and special journals where daily business transactions are captured, as well as general and subsidiary ledgers where transactions are aggregated. Also, a stored procedure was designed that generates current balances in the accounts so that real-time financial statements (Income Statement, Balance Sheet, Statement of Retained Earnings, and Statement of Cash Flows) are automatically generated. Thus, each transaction entered into the accounting system through the journals is immediately reflected in the financial statements. Finally, there is the assumption that /01 $10.00 (c) 2001 IEEE 5 5

6 auditor reports would have to be evergreen and be produced automatically. The Internet address of the demonstration of a debt covenant CA is Figure 2 shows the dynamically created evergreen Balance Sheet report from this site. Figure 3a: CA Report on Debt Covenant Compliance Figure 2: Real-Time Web Balance Sheet 5. Evergreen audit reports The evergreen audit report provides three levels of assurance, each with varying degrees of significance and types of actions required by the auditor:! Level #1 -- an assurance regarding the reliability of the client s system;! Level #2 -- an opinion regarding the fairness of the real-time financial statements provided by the firm based upon the CA; and! Level #3 -- a specific analysis of debt covenant compliance. If there are no exceptions at any level, an unqualified report is given. An example of a CA unqualified report can be seen in Figures 3a and 3b. Notice that the CA report is time-stamped June 1, 2000 (1:51:48 P), the time the loan officer made the request. Figure 3b: CA Report on Debt Covenant Compliance Level #1 assurance relates to the reliability and transmission security of the CA environment (see Figure 1). This level is the most significant, and any exception requires the immediate attention of the auditing firm. As mentioned earlier, systems reliability encompasses process integrity, security, availability, and maintainability. Transmission security involves authorization, confidentiality, integrity, and authentication. Breach of any of these components, with the exception of maintainability (a Level #3 exception), has the potential to damage the underlying system, transmission, and data infrastructure causing significant loss of resources. Figure 4 displays an example of a Level #1 exception report /01 $10.00 (c) 2001 IEEE 6 6

7 A Level #1 exception prevents financial statements and ratios from being generated. If the reliability of the CA system and/or security transmission is in question, then any information generated from that system should be viewed as unreliable. Audit agents employed in the CA notify the auditor of a Level #1 exception via . The notification occurs regardless of the actions taken by the loan officer. violation is not waived and that the borrower is in violation of the loan agreement. The loan officer usually waives the violation or takes other remedial actions. Figure 5 displays an example of an exception report on a technical violation of a debt covenant. Figure 5: Level #3 Technical Violation Report Figure 4: Level #1 Exception Report Level #2 assurance relates to whether the borrower s financial statements fairly represent the client s operations, in compliance with generally accepted accounting principles. Level #2 violations relate to the underlying accounts of the borrower that comprises the financial statements and ratios. Level #2 exception reports are qualitatively similar to the issuance of a qualified or adverse opinion currently available to auditors under the American Institute of Certified Public Accountants Statements on Auditing Standards. CA agents trigger level #2 exceptions as they monitor the client s transactions and processes. Level #3 assurance is concerned with debt covenant compliance. Exception reports are generated to notify the borrower and the auditor of a technical debt covenant violation (e.g., when a financial ratio exceeds or falls below a threshold value). As noted earlier (and especially due to the perpetual nature of a debt covenant managed through a CA), in most situations the note payment is not accelerated on a technical violation. Technical violations are pre-configured as a Default Waive. In a Default Waive configuration, all technical violations are waived, except those that are explicitly denied. When a Level #3 exception report is generated regarding technical violations of the debt covenants, a button appears on the web page allowing the loan officer to notify the auditor (via ) that the technical A Level #3 report is also produced when the system is down for maintenance (i.e., maintainability component of system reliability). In this case, the loan officer would get a message on-screen stating the system is temporarily down for scheduled maintenance. A log file is maintained on the auditor s web server that tracks the issuances of and responses to exception reports, among other items. The log provides an audit trail available to the auditor for periodic review as part of the audit process. 6. Summary and conclusion The movement of firms of all sizes to implement EDI has brought significant efficiencies and cost reductions to supply chains -- compressing cycle times, eliminating redundant procedures among trading partners, and reducing the amounts of paper source documents on which firms have traditionally relied. Because the paper trail of source documentation is evaporating, the nature, timing and evidence of the audit process is changing. Additionally, due to a perceived lack of relevance caused by audit reports arriving too late to impact investment and credit decisions, the demand for the traditional audit is diminishing. These factors are changing the audit environment, and sparking an interest in CA and other assurance services. In response to a specific call to the research community by the Canadian Institute of Chartered Accountants and /01 $10.00 (c) 2001 IEEE 7 7

8 the American Institute of Certified Public Accountants, we have demonstrated an implementation of CA within the domain of debt covenant compliance. We have utilized Cold Fusion, a leading web applications development technology, to design and demonstrate a system that uses agents and alarm triggers sent over the Internet to continuously monitor whether actual values of client s variables are in compliance with standards for these variables set out in the debt covenant agreement. There are stringent criteria that must be met for a webbased CA system to be feasible: all parties (lender, borrower, and auditor) must be motivated and have the expertise to participate; the borrower must make key financial figures available to auditors in real-time; the underlying systems of a CA environment must be reliable and secure; there must be security, authenticity, and confidentiality of data transmissions between parties; and there must be an agreement on the degree of noncompliance and amount of downtime that will be tolerated. Without these key criteria being met, CA in the domain of debt covenant compliance will not be feasible. But with such criteria in place, automating audit workflows and compliance requests in the debt covenant domain has the potential for great benefit to all parties, including reducing cycle times, lowering the risk associated with the loan to the lender and the cost to the borrower, providing convenience and flexibility, and making an auditor s report more relevant to decisionmakers. 7. References [1] American Institute of Certified Public Accountants. CPA SysTrust Service A New Assurance Service On Systems Reliability, Assurance Services, 1999, [2] Begley, J., and Feltham, G. A., An Empirical Examination of the Relation Between Debt Contracts and Management Incentives, Journal of Accounting and Economics, Vol. 27, 1999, p [3] Beneish, M., and Press, E., Cost of Technical Violation of Accounting-Based Debt Covenants, The Accounting Review, April 1993, p [4] Canadian Institute of Chartered Accountants. Research Report on Continuous Auditing. Toronto, [5] Elliott, R. Assurance Services and the Audit Heritage, Auditing: A Journal of Theory and Practice, Vol. 17, Supplement, [6] Gopalakrishnam, V., and Parkash, M., Borrower and Lender Perceptions of Accounting Information in Corporate Lending Agreements, Accounting Horizons, Vol. 9(1), 1995 p [7] Gordon, G., and Kahn, J., The Design of Bank Loan Contracts, The Review of Financial Studies, Vol. 13(2), 2000 [8] Garris, J., 1999, PC Magazine, May 14, html. [9] Groomer, S.M. and Murthy, U.S., Continuous Auditing of Database Applications: An Embedded Audit Module Approach, Journal of Information Systems, Spring, [10] Healy, P., and Palepu, K., The Effectiveness of Accounting-Based Dividend Covenants, Journal of Accounting and Economics, Vol. 12, 1990, p [11] Kogan, Sudit, and Vasarhelyi, [12] Palepu, K., Bernard, V., and Healy, P., Introduction to Business Analysis and Valuation, 1997, Southwestern Publishing Co., Inc., Cincinnati, OH. [13] Petravick, S., "Online Financial Reporting," The CPA Journal, February [14] Rezaee, Z., Ford, W., and Elam, R., Real-Time Accounting Systems, Internal Auditor, April 2000, Vol. LVII(2), p [15] Rosman, A. J., and Bedard, J. C., Lenders Decision Strategies and Loan Structure Decisions, Journal of Business Research, Vol. 46(1), 1999, p [16] Sweeny, A., Debt-covenant Violations and Manager s Accounting Responses, Journal of Accounting and Economics, Vol. 17, 1994, p /01 $10.00 (c) 2001 IEEE 8 8