Cover story: Crisis management - is technology the key to audit's pressing issues?
Can technology boost audit quality and solve the crisis in the audit profession? Lesley Meall explores some possibilities.
Audit is in crisis – again – but this time it may be existential. “It’s a watershed moment. If we don’t fix this, I don’t think we’ll have a profession in 20 years’ time,” commented Michael Izza, ICAEW chief executive, earlier this year when the UK parliament issued its final report into the collapse of Carillion. Perspectives on the exact nature of the crisis in audit, reasons for it and possible solutions all vary widely across the very many stakeholder groups – understandably. Even members of the accountancy profession, including auditors, hold diverse opinions.Blame is placed on internal and external auditors, company boards and management, regulators, politicians, Big Four dominance, company complexity, the intricacies of standards for audit and financial reporting and erosion of the institutional trust model. Suggested remedies include: break up of the Big Four; audit-only firms; assurance of the entire annual report; greater powers and resources for regulators at the Financial Reporting Council (FRC); separate entities for standard-setting and enforcement; abolition of the FRC; technology; and the distributed trust model technology can enable.
Revisiting the past
If you have a sense of déjà vu, it may be because we have been here before – or at least somewhere nearby. In the quest for audit quality, almost all of these matters (and more) have been carefully considered (and acted upon) by experts at the European Commission, UK Competition and Markets Authority, Financial Conduct Authority and the FRC. However, as the wheels of change tend to turn slowly in policymaking, regulation and standard-setting, while technology advances at a fast and furious pace, perhaps it’s time to look more closely at how this can improve audit quality.Precedents exist. “Firms of all sizes use technology in some shape or form to enhance their audit approach,” says Lesley Clarke, senior manager, professional standards, ICAEW. Use of software applications for accounts production and audit automation is commonplace and has already delivered benefits. Some firms are using audit data analytics to enhance audit quality; some are considering this; some are exploring the potential to boost audit quality with cutting-edge tools that exploit artificial intelligence (AI) and blockchain.
Alex Peal, head of audit and assurance at James Cowper Kreston, has been exploring audit data analytics for the past couple of years and he has shared the firm’s experiences with ICAEW (at tinyurl.com/CH-TechEss and icaew.com/aafwebinars). So far, however, audit automation software has had the biggest positive impact on the firm’s audits. “We switched from traditional paper files and hand-written schedules over a decade ago, because we wanted to make sure that everyone in the firm worked on a consistent basis with a set methodology for doing things,” explains Peal. This consistency feeds into audit quality.
An electronic system can make it easier for a firm and individual auditors to stay on top of relevant regulations and standards for financial reporting and International Standards on Auditing (ISAs) and help it to follow developments in best practice. “If you get new or revised ISAs or a new Companies Act, that can be more easily updated across the board, you know that everyone is using the right version and doing things in the way they are meant to be done,” says Peal. Using audit automation tools to better record and address risks can also enhance audit quality.
Paul Freeman, IT director at Ormerod Rutter (which uses CCH Audit Automation) picks up the theme. “In terms of quality, the framework enforced by the audit software has allowed us not only to better record risks but has also ensured that risks are addressed in an appropriate and consistent manner.” Ormerod Rutter used to start with the entire audit pack and pare this down, subject to the risks that the team discovered. Now it takes almost the opposite approach to the process.
Mixed blessings
“We start with the essentials and build up the audit approach based on the risks that are discovered. This has resulted in a far more focused and higher quality audit,” says Freeman. Because Ormerod Rutter uses CCH Accounts Production too, connectivity between this and the audit automation software also feeds into audit quality. “Integration between the solutions has improved the flow of data both ways, eliminating inefficiency and removing transposition errors,” he says – and improved the quality and efficiency of the functions these systems automate.Although such tools can (and do) enhance audit quality, they do not guarantee this. If a software application is kept up to date to reflect developments such as the arrival of new auditing or financial reporting standards (like FRS 102) and the changes have been appropriately implemented, then its use can justifiably reinforce a firm’s confidence that its auditors are consistently on top of relevant regulations and standards. If not, overdependence on software can have a negative impact on audit quality.
“Firms have used accounting software for many years. It is an invaluable tool, helping to ensure that presentation and disclosure within financial statements complies with requirements, but care is needed not to over-rely on it,” says Clarke. Errors in coding of base data or ticking the wrong box can easily lead to errors or omissions in outputs, which in turn may have a negative impact on the quality of audit. Deciding how much trust to place in a software application or service is one of the many judgement calls that auditors must make.
“Firms should always make sure they are familiar with reporting and disclosure requirements and should robustly review the output,” says Clarke. ICAEW’s Audit Monitoring 2018 report (tinyurl.com/CH-RegArea) notes that “some firms place too much reliance on their software, and blame it for not picking up errors and omissions”. It also notes that firms are more likely to identify errors and omissions if they make good use of disclosure checklists. For example, customising them for individual clients and certain types of audit can contribute to audit quality.
Over the past decade or so, many professions have embraced technology as a route to greater efficiencies and enhanced quality. Now that technology is starting to fundamentally reshape what is possible in business – and audit – expectations are shifting. Volumes of digital data are growing exponentially and the speed at which some technologies are emerging, advancing and being adopted by companies (that are audit entities) is accelerating. Approaches to technology (and its use) by those in the audit ecosystem will need to evolve to match this.
“We are seeing clients with ever more complex finance systems and ever increasing data volumes. It is often no longer feasible to get the evidence needed in an audit through the use of manual tests alone. Technology and audit software tools have to be utilised to address this challenge,” says Matthew Campbell, technology audit director at KPMG. Audit data analytics software enables auditors to analyse huge populations of data and test every item, to better understand clients’ businesses and systems – and associated risks. “Auditors can focus on the higher risk items and therefore deliver a higher quality audit.”
Automating routine tests in the audit process also allows auditors to spend more time on the judgemental areas that require the application of professional judgement when reaching audit conclusions. “Predictive analytics allows auditors to independently challenge management’s assumptions in areas of judgement – such as forecasting and future views on profitability or cash flows – bringing quality and depth to the challenge of management,” says Campbell. Data analytics can be used to independently recalculate complex modelling or calculations performed by the client entity.
Assessing the possibilities
“We see increasing use of data analytics across the profession,” says Mike Suffield, the FRC’s acting executive director for audit and actuarial regulation. There are large scale bespoke analytics with over a thousand hours of dedicated development time and standard tools and techniques being rolled out across entire practices, creating opportunities and challenges for the UK audit regulator and standard setter. “Anecdotally, it appears that such tools are contributing to audit quality. Now the use of these techniques are scaling up, we are considering potential metrics that would enable us to assess this,” Suffield adds.The FRC is not yet seeing the use of cognitive tools, machine learning and other manifestations of AI, according to Suffield, but it is aware of firms investing and innovating in this area. Kingston Smith, for example, has spent around two years experimenting with Ai Auditor, a platform developed by fintech firm MindBridge. It’s a tool for sampling journals: all general ledger transactions go through the AI; it does completeness tests on the data; ranks all transactions on the basis of risk; then selects a sample. It’s a fast learner.
Kingston Smith began exploring AI for its audit efficiency potential, but Ai Auditor can enhance efficiency and audit quality. It learns from weightings its users apply to risk factors to improve its ability to identify “normal” and “risky” transactions. “You need to be sceptical about the output and test it, not accept it at face value,” says Karen Wardell, a Kingston Smith partner who shares insight in The essential guide to audit tech (tinyurl.com/CH-TechEss). AI sampling could be more robust than random samples selected by audit team members.
“Advances in audit offer exciting new ways of performing audits,” says Suffield, and the FRC reviews what firms are doing and its own skills to keep its inspections and inspectors informed. “We continue to augment our cadre of specialist IT audit inspectors and general inspectors. A couple of years ago we issued our thematic review of data analytics use in financial statement audits, confirming our view of the potential to improve audit quality. We aim to refresh that exercise in 2019 to take account of more recent developments.”
The potential for technology to enhance audit quality can emerge from some unexpected places. Increased focus on data protection during preparations for the EU General Data Protection Regulation gave MHA MacIntyre Hudson better insights into technology in all sorts of areas (see Chartech at tinyurl.com/CH-HelpHin) and expanded one partner’s perspective on the kind of evidence the firm should be looking for during audits
“As an auditor I think that every time we go out and audit now, we should be asking to see the data breach register,” says Andrew Moyser, the MHA MacIntrye Hudson partner who is also the firm’s data protection officer. “Auditors should be asking whether affected audit entities have a data breach register and looking to see what’s on it,” he says. Given the potential financial and reputational costs of data breaches, data protection measures down the supply chain could also merit closer scrutiny. Though such concerns (and even horror stories like Carillion) may become less of a problem in the future.
A blockchain-based system is being developed with the potential to boost audit quality and reshape the audit and assurance ecosystem. Auditchain is a “decentralised continuous audit reporting protocol ecosystem for enterprise assurance, reporting and disclosure”. Some of you may need to read that more than once before the words gel into something meaningful. Some of you may already be heading for auditchain.com to learn more about it. Some of you may want to revisit icaew.com/blockchain to brush up on crypto-transactions or distributed ledgers.
The future of assurance
Jason Meyers, founder and chair of the company, positions Auditchain as “a foundation on which products (such as enterprise resource planning systems and analytics) and services (such as audit) will be made interoperable”. According to Auditchain, its ecosystem can enable 100% population testing; immutable records of transactions; real-time streaming of financial statements and contemporaneous audit opinions, reports and analysis; and it disrupts the existing business model for audit by changing how it is funded and how auditors are engaged and compensated.Audit stakeholders contribute part of the assurance costs by purchasing subscriptions to enterprise financial and control data through Auditchain. The more detail subscribers demand, the more they pay for it. Premium levels of assurance can be requested and paid for (using tokens) by enterprises through a library of engagement contracts, rather than continued use of single enterprise/auditor engagements. “Decentralised consensus-based attestation for a reward is how crypto-transactions are validated on most public blockchains. Auditchain will make this possible for enterprise data sets,” says Meyers.
Technology has already enabled a distributed trust model to disrupt industries like hotels (Airbnb) and taxis (Uber). Why would the ecosystem around financial and non-financial reporting, disclosure and assurance be immune? Meyers says: “Auditor adoption of the network can lead to greater independence and increased operational efficiencies within the assurance industry, giving a wide range of auditor selection for decentralised enterprise assurance and allowing larger audit firms to focus on other areas of consulting.” Perhaps the crisis in audit isn’t existential after all.