- With more sources of data input that go beyond the limits of historical data coming into play, the nature of the audit process will undergo a transformation: from an essentially reactive exercise delivered in hindsight into an increasingly forward-oriented and anticipatory endeavour.
The technological changes that are gathering steam in the auditing profession are redefining the meaning of an audit and what it entails. The host of ground-breaking technologies from artificial intelligence, blockchain, robotic process automation to machine learning, which are at different stages of development, has already had and will continue having a step change in the provision of audit and assurance services for the foreseeable future. The implementation of new technologies confers distinct benefits, such as increased operational efficiency, higher-quality and more insightful audits, greater financial inclusion, and more informed decision-making processes. With more sources of data input that go beyond the limits of historical data coming into play, the nature of the audit process will undergo a transformation: from an essentially reactive exercise delivered in hindsight into an increasingly forward-oriented and anticipatory endeavour. By the same token, the role of the auditor will have to evolve. In addition to possessing the necessary technical skillset, they will need to be conversant with the various new technologies so as to deliver higher value-added assurance to their clients. So, in what ways is technology reshaping the landscape of audit, and what are the concomitant risks?
According to a report published by the ACCA and Chartered Accountants Australia and New Zealand, data analytics was, in comparison with the other technologies, at the most sophisticated stage of development, being most embraced by firms. Data analytics seeks to draw conclusions from raw data to aid decision-making. Data sets can be converted into a pre-set, comprehensible format, enabling both auditors and clients to recognise patterns and derive meaning more easily. A sizeable proportion of firms is already incorporating data analytics into their testing procedures, distancing themselves from conventional sampling methods. The main advantage of using data analytics is that it can provide auditors with a more holistic view by taking the full population of transactions into account, as opposed to a mere sample. Through the more comprehensive data coverage, auditors are expected to deliver more lucid insights into areas of heightened risk, as well as being more meticulous and accurate in spotting anomalies with the help of “data-mining” tools. For an increasing number of clients, a snapshot of items comes up short and does not quite cut the mustard anymore.
The International Auditing and Assurance Standards Board, however, sounds a note of caution against equating having a more detailed picture afforded by data analytics with having omniscience in respect of financial goings-on in a company – and correspondingly – holding auditors to a higher standard: “Being able to test 100% of a population does not imply that the auditor is able to provide something more than reasonable assurance opinion or that the meaning of ‘reasonable assurance’ changes.” Completeness of data cannot be guaranteed, especially if clients operate on multiple data systems or are not forthcoming with certain data, invoking security concerns and erecting a barricade of privacy. In any case, the process to obtain the requisite approval to access a client’s data could be very time-consuming. Additionally, since the focus of extraction has traditionally been on information stored on the general ledger, retrieving data from the subledger will add to the complexity of the task and the amount of data that needs to be processed.
Machine learning is an application of artificial intelligence, referring to the process of using algorithms and data to teach a computer to learn without direct and explicit instruction. It automates analytical model building and uses these models to generate predictions and identify patterns from data analysis. Similar to how we learn, machine learning is also an iterative process, which means that the more the machine is exposed to relevant data, the better it is able to internalise patterns, and the more solid recognition of these patterns becomes. Its responses are being continuously fine-tuned through the repeated exposure to relevant data. An example of how machine learning could be used in audit is, for example, programming the machine to identify potential outliers. If a company was found not to align with industry benchmarks, the auditor would have to make a judgment call as to whether the inconsistency was actually an outlier and attribute a cause to it. The auditor’s response fed into the machine would then be applied to parallel situations in the future. The more cycles the continuous feedback loop completes, the easier it is for the machine to detect deviances as it sifts through large swathes of data.
The major caveat, however, is that the efficacy of machine learning depends, to an overwhelming extent, on the data that is meant to be instructive. Bias may creep in if certain characteristics in a data set are deemed more important in the absence of context, thereby leading to skewed outcomes. Furthermore, there is a risk that the machine may pick up the “bad habits” of a human auditor during the shadowing phase and perpetuate his or her mistakes.
Robotic process automation
Whereas artificial intelligence seeks to emulate the workings of human intelligence, robotic process automation (“RPA”) seeks to replace human labour in the performance of repetitive and routine tasks. An apt analogy would be comparing it to very advanced Excel spreadsheet macros. The former is the “thinker”; the latter is the “doer”. RPA is usually implemented when data dispersed across different systems needs to be integrated, or when information needs to be fed from one system into another. If a human being undertook this type of work, it would involve logging in and out of systems, and copying and pasting relevant information in a highly repetitive and tedious manner. Unlike robots that can work non-stop, a human being would be hard-pressed to sustain an optimal level of concentration over a long period of time; therefore, the work performed by an individual would be more susceptible to error. In the ACCA report compiled by the ACCA and Chartered Accountants Australia and New Zealand, the term “swivel chair automation” is used to describe this type of technology, evoking the image of an employee constantly swivelling their chair from one system to another to extract and input information.
With appropriate configuration, robots can be programmed to open PDFs, read documents, identify relevant information, and notify the user of any errors or ambiguities. Since it is protocol and rule based, RPA can help auditors alleviate the burden of routine and labour-intensive tasks, such as form-filling, calculations, reconciliations, internal control testing, substantive testing, and preparation of audit documentation. For example, an RPA program could be configured to automatically match purchase orders with invoices and shipping documents, as well as check for any inconsistencies. All the activities can be monitored in real time. On the other hand, the reliability of RPA tools may be of concern and should be subject to periodical testing. Unreliable tools can generate erroneous outputs. It is, therefore, advisable to carefully consider which quality assurance mechanisms to put in place to validate RPA tools, such as conducting frequent audits of configurations as well as data simulations to check inputs and expected outputs.
Blockchain can be defined as a distributed and immutable ledger that contains information of every transaction since its creation. All participants on the network have access to the ledger. As transactions are only recorded once, they share a uniform and identical view of records. Blockchain’s immutable nature also means that it is tamper resistant: In order to correct an entry, a new entry must be inserted to rectify the error. Both entries would then be visible to all participants, leaving a clear audit trail. Blockchain can be used to verify reported transactions in an audit. For example, rather than examining a client’s bank statements and different documents relating to a particular transaction, auditors could consult blockchain ledgers. Currently, a low-value transaction takes around ten minutes to be validated in a single-block verification; a high-value transaction takes around one hour to be validated in a six-block verification.
But the use of blockchain to obtain audit evidence needs to be qualified. The record of a transaction in a blockchain ledger may serve as sound audit evidence for the financial statement assertion of occurrence; for example, it could be used to ascertain whether the transfer of an asset from the seller to the buyer has taken place. Complete legitimacy and transparency of the information recorded in the ledger are, however, not a foregone conclusion, with the possibility of on-the-side transactions being excluded from view. Furthermore, the nature of the transaction itself could be prone to fraud and pose a higher risk of material misstatement, for example, in the case of a transaction conducted not on an arm’s length basis involving two related parties.
With every new opportunity comes an attendant risk. While some of the specific risks and limitations associated with each emerging technology have been discussed above, a common underlying shortcoming is worth highlighting. The closed, self-learning and “black box” nature of algorithms can lead to obscurity and a lack of transparency as to their inner workings. The process by which a particular conclusion has been reached may be inscrutable to the auditor, who is ironically striving to instil transparency and clarity with a tool whose operation remains fundamentally a mystery.
Implications for human auditors
In light of the exponential growth of novel technologies, it has been argued that it is only a question of time before all professional services providers will be able to deliver more or less the same technology-driven solutions to their clients. In the absence of exclusive ownership over the technology itself, there seem to be very few barriers to entry. The ever-looming threat is the commoditisation of audit and assurance services, and perhaps the gradual disintermediation of the profession. But is this fear justified and substantiated? As shown in the previous sections, it is indeed undeniable that the unremitting march of automation is uprooting roles that traditionally carry out routine and administrative tasks. However, reducing the remit of work done by auditors to simply analysing financial data and vouching would be doing the audit profession a great disservice.
A sound cerebral skillset encompassing critical-thinking, problem-solving, reasoning, and investigative skills is of paramount importance to being a successful auditor. Technology can no doubt take over the role of performing descriptive analytics, but artificial intelligence still has a lot of catching up to do to replace the professional and nuanced judgment of a human auditor. The accuracy and efficiency of machine learning models may mean auditors would have to investigate fewer anomalies. Nevertheless, sound analytical human input cannot be dispensed with. Auditors will still have to attribute meaning to anomalies as they arise, albeit less frequently, and decide whether they are one-off instances or point to a systematic issue. Extricated from the more time-consuming and repetitive procedures, auditors should ponder how they can add value to their services through consolidating their relationships with clients.
Closing the skills gap
According to a survey conducted by the ACCA in 2019, 62% of respondents who were ACCA members and affiliates – upon being asked about their knowledge of any given relevant term, such as artificial intelligence, machine learning, natural language processing, data analytics, and robotic process automation – had either not heard of the term, or had heard of it but did not know the meaning, or possessed only a rudimentary understanding. Only 13% of respondents said they possessed a “high” or “expert level” of understanding of the above terms. Technology upskilling must increasingly be seen as a must if firms want to give full play to the potential that the various innovative technologies offer. Audit teams would need to be well-versed in their operation and maintenance. It follows, then, that if auditors are re-assigned to concentrate more on higher-value tasks which demand a different skillset, training would also need to be given to hone their, for example, communication, leadership, analytical, problem-solving, and creative-thinking skills as well as professional scepticism.
Technology: More of a friend than a foe
Disruptive technologies have heralded a new age where it has become imperative to view artificially intelligent machines and the likes thereof as a friend than a foe, for they enable auditors to deliver even more robust assurance to their clients. The future of audit will still have human auditors at its core, with machines being an indispensable and hardworking helping hand. It is the partnership between emerging technologies and the cognitive capabilities, judgment and professional expertise of the human auditor that will ultimately create high value-added assurance. Whether the dynamics of the partnership might change for the worse when artificial intelligence is able to supersede human intelligence, is, however, anyone’s guess.