audit in the 21st century

One of the big annoyances in my working life is the procedure for claiming expenses.  Our University seems eager to retain processes which would have made sense in the first half of the 20th century, which involve a large – and increasing – volume of paper.

One of the problems with this is that as a method of holding people to account, it’s very poor.  The big items of expenditure are conference registration fees, airfares, and hotel bills.  In many cases, the receipt for each of these reaches me by email.  The process of claiming the money involves printing out those emails (PDFs, whatever), and stapling them to a claim form.  If the cost is in foreign currency, I also (bizarrely) have to nominate  an exchange rate, and print out a page from somewhere like to prove that that rate existed at some nearby point in time.

Of course, any of those evidences could trivially be falsified.  It really wouldn’t take long to make one up, or to inflate the price and pocket the difference.   That would be fraud, of course, and liable to land one in gaol and out of a job, if detected.  But the same is true of filling in false numbers on the expenses claim itself: the invoice print-outs really add very little to the trustworthiness of the process.

So why must we do it?  Ah, blame the auditors.  They want evidence, because they’ve always collected evidence.  Their latest wheeze is to ask for boarding passes to prove the journey really happened – never mind that these, too, can be printed out at home (if they exist on paper at all).  Indeed, on some airlines, you can check in, print the boarding pass, and then cancel the check-in, and then cancel the booking, but I digress.  Audit is a powerful tool, a powerful control for integrity, if it has good evidence to work with.

Today, a huge range of transactions are covered by nothing by electronic records. [Indeed, I’ve been a customer of my ISP for over ten years, and have never exchanged a piece of paper or a fax with them.  I wonder what their auditors scrutinize.]  These audit processes work because most people are using the system honestly, not because the processes are rigorous enough to catch wrongdoing.  I’d really question their value.

Is there an alternative?  Well, the world of provenance would say so: but how much traction does that really have in commerce?  The world of PKI would say so, and offer electronic signatures over all the important invoices: but that’s a 20-year-old (or more) idea that we seem no closer to adopting now than when it was first proposed.  Perhaps we could do something with email interception or bouncing – so all the relevant messages would get copied to the finance office as well as to me. Ideally, they’d be equipped with tools a little like those used by Tripit, not to extract my itinerary, but to extract the full statement of costs.  If any travel providers did begin to sign their invoices, such software would be best-placed to verify the signatures and make them available to the auditors.  I sense a business opportunity there.

What we really can’t do is just carry on regardless: paper records of transactions are becoming redundant, and trying to make them persist will look more and more anachronistic.  Worse, it will make the security control more and more far removed from the heart and true evidence of the transaction whose integrity it is supposed to protect.

Someone out there must study accounting and security, but I don’t know who.  They must be thinking about these things.  Any pointers?

Comments are closed.