Auditors will be augmented with technology towards becoming Augmented Auditors 4.0 (Audit 4.0) if the profession wants to remain relevant. As a profession, auditors currently find themselves somewhere between Audit 2.0 and Audit 3.0, with many still relying on outdated tools in a modern business environment.
Given the volume of transactions which businesses process daily, the large disparity between market values and book values, and the complexity of business (and related laws, regulations and standards), many have argued that financial statements (produced long after year-end) have no place in a real-time, data-driven world.
As a consequence, auditors and audit reports no longer add any real value to financial and business decision-making. Some have gone further to state that auditors no longer add value, since they spend most of their audit time on routine and mind-numbing tasks generating working papers, and their audit procedures (substantive audit procedures and high-level substantive analytical procedures) rely on the incorrect evidence, with auditors seeking physical audit evidence in a digital world. An argument has even been made that the average auditor does not understand the risks in a digital world. The focus on historical, financial-only information does not help the argument, where the consensus view among businesspeople is that the value is in data and forward-looking analytics. The list of reasons why audit should change is endless.
The world is changing rapidly. Society is changing. Accounting and auditing are changing. Client needs and expectations are changing. These changes are driven by societal factors changing due to the Fourth Industrial Revolution (4IR). What has not changed, however, is that clients still want their auditor to add value at a reduced cost. There is no doubt that 4IR will impact markets, professions and jobs, but 4IR will not change what we, as auditors, do, but rather how we do it.
The biggest shift that is expected to occur is the shift from focusing on financial statements to assurance on other information, whether providing assurance on business reports or providing assurance on the data used in systems or business decision-making. It is the purpose of this article to highlight some of the changes that auditors can expect in the profession. Only key changes have been highlighted − it is not the purpose of this article to identify all the expected changes.
Auditors currently position themselves to spend approximately the same amount of time on data collection and processing as they spend interfacing with clients, using their technical ability to solve problems and service clients. One part of their job can be computerised; the other cannot. It is not only important to consider how auditors’ work will be impacted, but it is also worthwhile to consider how the audit process will be influenced. The following section highlights some (but not all) of the changes which are expected to occur.
Pre-engagement activities
When evaluating an auditor’s ability to service a client, the question of skills, capabilities and availability of resources is now more complex. It stands to reason that auditors will need to make a significant investment in their technical capabilities. Auditors will also need to invest in human capabilities by upskilling existing staff, while at the same time recruiting new staff not only with IT skills but also with skills in the fields of data science, humanities and arts. These new recruits have skills that will allow them to understand the future business risks, develop services and understand people. The challenge of how to price services will become more complex because labour hours will work neither for people nor for artificial intelligence (AI) machines performing tasks previously completed by people.
Audit planning
ISA 315 is no longer sufficient. Understanding the client’s business is no longer sufficient. In changing environments where stakeholders are becoming more important than shareholders, it is also necessary for auditors to understand the ecosystems of their clients. This impacts on an auditor’s current understanding of risk, which in turn impacts:
- Materiality: Auditors historically focused on only quantitatively material errors and only recently started giving attention to qualitative aspects in determining materiality and evaluating errors. This is expected to be replaced by risk-based materiality figures, where AI analyses the entire general ledger and, based on transactional data and unstructured external data, predicts high-risk balances and areas on which the audit should focus.
- Control objectives and assertions: Since the risk spectrum changes in a connected world, so too will the audit assertions evolve to focus not only on transactions, balances and disclosure, but on being forward-focused as well.
- Audit strategies: With the advent of AI in audit, substantive-based or risk-based audit strategies are expected to evolve into a risk-prediction audit strategy (based on historic information), where the auditor makes a risk assessment as well as a future risk prediction.
Gathering audit evidence
The nature of evidence has already changed from manual to digital evidence, from historical to forward-focused evidence. Any auditing student will tell you that you can pass a substantive procedures question by memorising the procedures. Any audit trainee will tell you that you can audit any balance by printing downloaded model audit procedures. Intelligent cloud-based databases update with new procedures in real time based on transaction patterns from all over the world. Non-representative sample methods and sizes can be replaced by either 100% sampling or intelligent samples (which focus on exceptions and high risks, and make inroads into fraud identification). Intelligent cloud-based databases rely on the collective knowledge (that is, problems aggregated into algorithms) of all users across the globe connected to the database, and update in real time as new transaction patterns are identified. The moment new fraud is detected, the pattern is updated to the cloud and incorporated into the software of all registered users and model audit programs.
Computerisation of most business processes has also given auditors the opportunity to investigate new sources of data contained in, for example, marketing or operational systems. Other new external data sources such as social media posts, new input devices such as IoT, drones, augmented reality, chatbots, and contract analysis tools create opportunities for auditors to integrate multiple data sets and apply new tools and techniques. Substantive analytical procedures can be augmented with Big Data analysis and visualisations, which will aid in identifying new relationships between data sets and in better pattern recognition, which in turn will result in better predictions being made.
With IT governance taking prominence, there is room for the test of controls to expand its focus away from manual and financial controls to other IT controls. General and application controls are expanded to include other device controls (such as non-financial controls) as well as cyber- and fraud-detection controls. An increase in workflow automation allows many of these tests of controls to be automated on a continuous real-time basis, relying on cognitive analytics and AI. This changes the focus of tests of controls to preventative (including continuous) controls, away from detective and corrective controls.
Recent cyberattacks also emphasise the need for containment controls.
Reporting
Continuous automated auditing allows for providing historical assurance, as well as providing assurance for prediction models (real-time data and output/forecast assurance). This will require new forms of reporting: not audit reports, but assurance reports. With visualisation templates and dashboards gaining popularity, there is also the expectation that reports will become simpler and easier to understand.
Besides changes in what we report on, new reporting frameworks, which reflect value to stakeholders, are expected to gain prominence. One example is the Recognised Comprehensive Accounting Principles (RCAP) Reporting 300 accounting blueprint, which proposes a multi-layered income statement and balance sheet. This proposes an expansion of:
- Comprehensive income to gross value generated; full comprehensive income
- A – L = E to total comprehensive assets and total comprehensive liabilities and market value of owner’s equity
Modern technologies will not make auditors obsolete. Unresponsive auditors will make themselves obsolete. Modern technologies will augment auditors’ existing capabilities to provide better services and allow them to expand their assurance services to Audit 4.0 level.
AUTHOR | Professor Riaan J Rudman CA(SA), PGDA, MBusSc, MAcc, Stellenbosch University