21.4 Data Analytics, Exceptions, and Follow-Up
Key Takeaways
- The 2026 AUD blueprint covers requesting, preparing, transforming, and evaluating the reliability of data used in planned audit procedures.
- Audit data analytics can identify relationships, trends, and notable items, but the auditor must determine the appropriate audit response to the output.
- Before relying on analytics output, auditors test completeness, accuracy, authenticity, and susceptibility to management bias in the source data.
- Exceptions are not automatically misstatements; they may be errors, control deviations, fraud indicators, or false positives, and each requires investigation.
- Good follow-up ties each exception to the affected assertion, corroborates explanations, and considers whether the finding changes the risk assessment or planned procedures.
Analytics Begin With Reliable Data
The 2026 AUD blueprint explicitly covers the use of data and information: data requests, preparing and transforming data, evaluating the reliability of data, and audit data analytics (ADA). It also asks candidates to use outputs such as reports and visualizations to identify relationships, trends, or notable items, and then select the appropriate audit response.
Audit data analytics are automated tools and techniques used to discover, organize, structure, analyze, or present data to generate useful audit information. They can scan an entire journal-entry population, match sales to shipping records, identify duplicate payments, age receivables, recompute payroll, or flag unusual users posting manual entries after hours. The output is never the endpoint; it is a disciplined way to focus audit attention. The reliability of any conclusion depends entirely on the reliability of the underlying data, which the auditor must establish first under AU-C 500.
Data Request and Transformation
A strong data request is specific: it names fields, date ranges, transaction types, source systems, extraction criteria, and file format. For a journal-entry analysis the auditor may request entry number, date, posting time, preparer, approver, account, amount, description, source module, reversal flag, and period. For revenue cutoff the auditor may need invoice date, shipment date, delivery terms, customer-acceptance date, credit-memo date, and cash-receipt date.
| Data issue | Why it matters | Example audit response |
|---|---|---|
| Incomplete extraction | Analytics may miss exceptions | Reconcile row counts and totals to the general ledger |
| Incorrect filters | Population may not match the objective | Inspect query criteria; rerun with corrected dates |
| Duplicate or blank keys | Joins may create false results | Clean keys; validate unmatched records |
| Management-prepared file | Bias or alteration risk | Agree selected records back to source systems |
| External data | Relevance and authenticity risk | Evaluate source, date, and consistency with other evidence |
Transformation includes cleaning dates, standardizing vendor names, mapping fields, removing inappropriate duplicates, and joining tables. The auditor documents enough that another experienced auditor can understand what data was used and how the output was produced.
Exception Analysis Is Audit Work, Not a Conclusion
An exception is an item that violates the rule or expectation embedded in the analytic. It might be a true misstatement, a control deviation, a fraud indicator, a system-mapping artifact, or a false positive. AUD questions repeatedly test whether the candidate jumps too fast from exception to conclusion.
Worked example: an analytics routine flags duplicate vendor payments sharing the same vendor, invoice number, and amount. The auditor should inspect supporting invoices, payment approvals, credit memos, and subsequent refunds.
- If the duplicates are real, consider whether expenses or payables are overstated and whether the control over invoice entry failed (a possible control deficiency).
- If they are false positives caused by legitimate installment billing, document that conclusion and refine the query.
Notice the spread of possible meanings from one identical pattern. The CPA-level skill is determining what the output means for the audit, not mechanically recording every flagged row as an error.
Follow-Up Workflow
- Tie the analytic to a specific assertion and planned procedure.
- Validate the completeness and accuracy of the source data.
- Review the transformation logic, joins, filters, and thresholds.
- Run or inspect the output and identify notable items.
- Investigate exceptions using source documents and system or external evidence.
- Ask follow-up questions that address the cause, not just the description.
- Classify each exception: misstatement, control deviation, fraud risk, or false positive.
- Accumulate results and decide whether the risk assessment, sample design, or substantive procedures must change.
A full-population scan does not eliminate professional judgment or AU-C 530 sampling discipline when the analytic still relies on attribute thresholds the auditor must interpret. Even a complete scan can be undermined by an incomplete rule, unreliable data, or exceptions that demand human interpretation. The auditor must also guard against automation bias, the tendency to over-trust a clean-looking dashboard.
CPA Exam Signals
Expect simulation exhibits with spreadsheet extracts, pivot tables, visualizations, or exception lists. The best answer almost always addresses both data reliability and follow-up evidence. If the source data came from a client-run query, the auditor typically validates the query criteria, reconciles totals to the general ledger, and traces a selection of records back to the system of record before drawing any inference.
| Output type | What it can reveal | Required auditor step |
|---|---|---|
| Journal-entry dashboard | After-hours or round-dollar entries | Investigate preparer, approval, and business rationale |
| Three-way match report | Unmatched POs, receipts, invoices | Trace to documents; assess completeness or occurrence |
| Receivables aging visual | Deterioration in collections | Reassess allowance estimate and going concern |
| Duplicate-payment list | Possible overstatement | Inspect invoices, approvals, and refunds |
Distractor answers to reject: assuming a client file is complete because it came from accounting, deleting items from documentation, or concluding fraud from a pattern alone. Analytics generate leads; professional skepticism and corroborating evidence turn leads into conclusions.
An auditor receives a client-prepared journal entry file for an after-hours posting analysis. Before relying on the exception report, which step is most important?
A duplicate-payment analytic identifies two payments with the same vendor, invoice number, and amount. What is the best next step?