Auditing disruption

A number of new technologies such as radio-frequency identification (RFID), in combination with advanced wireless services (e.g. 5G mobile and wireless broadband technologies) have now enhanced the ubiquity of the internet—it is accessible from almost any point—as well as its mobility—it is accessible from small, portable hand-held devices.

We live in a world of 3D printing, household connectivity with remote access to heat, water, doors, intruders and windows, semi-autonomous vehicles, assisted parking, and robots replacing humans in the performance of repetitive tasks.
 

Transforming the role of audit

Technologies such as robotic process automation, cloud computing, natural language generation, intelligent content recognition, intelligent chatbot, predictive modelling and blockchain are creating new opportunities and risks for organizations and are rapidly reshaping businesses. We have moved from the management of manual analysis to much larger data sets and automated analysis of unstructured data. These new innovations are recognizing patterns, identifying outliers and anomalies and performing predictive analysis with greater speed, accuracy and efficiency.

Auditors are intensifying transformation initiatives by investing in new technologies to improve the efficiency and productivity of audit procedures. This evolution in the sufficiency and source of audit evidence puts further emphasis on management’s internal control over financial reporting with more in-depth analysis and insights.

Emerging technologies, emerging risks

Risk assessment is a mindset that requires appropriate professional skepticism and judgment. An appropriate risk assessment begins with a thorough understanding of the process. The extent of the procedures necessary to gain this understanding varies with the nature and the complexity of the entity and its operations. An entity with a completely automated process is likely to have a different level of inherent risk across all relevant assertions compared to an entity that has a semi-automated or manual process.

Risks emanating with technological evolution that can impact an organization include:

• Lack of scientific knowledge and experience about the potential impact and risk-absorbing system, which may incur uncertainty.
• Poorly designed technologies can increase and multiply processing and operational errors.
• Algorithms used for these technologies may be incomplete, outdated, or biased due to inappropriate input, flawed assumptions, inappropriate modeling techniques, coding errors and overfitting of automation algorithms.
• Integration with existing technologies, along with mitigation tactics that are unknown or unproven, may lead to open exposures e.g. nanotechnology.
• Complexity of integration and system dependencies such as risks related to the Internet of Things, especially as regards automation, robotics and machine-to-machine communication.
• Misalignment or misconfiguration of these technologies may result in material weaknesses in internal controls over financial reporting.
• Risk of non-compliance of data privacy standards if the implementation lacks required protection controls.

Additional audit procedures for emerging risks

Audit has made enhancements through proactively assessing and gaining insight into the new risks associated with these technologies to assess whether appropriate controls are being implemented to detect, and prevent, new and emerging risks. Senior engagement teams play a fundamental and irreplaceable role as sponsors to push the use of analytics or other technologies and bring the benefits of using technological tools to life, ensuring their appropriate use and leading to meaningful insights for their teams.

Significant professional judgment is required when designing analytics, interpreting results and determining how the results influence the audit plan.

The ability of the auditor to analyze data underlying the financial information represented in the financial statements enable the auditor to have a deeper understanding of what has actually occurred in the financial reporting system—which is beneficial to the auditor in making inquiries of entity personnel. This provides the auditor with more granular information to assess the nature of the response to inquiries of entity personnel and have a more robust basis against which to assess or challenge the response.

Where emerging technologies have been implemented, risk assessment and audit procedures need to take into account the considerations below:

1. Data classification, privacy and protection
   In addition to the testing of areas of General IT Controls relevant to the automated controls and/or computer-generated information identified in the scope for IT Audit involvement, other areas like data privacy standards and regulations can be considered to ensure the compliance with international best practice standards. As auditors, we often receive a list of security programs from management that are currently in place, however, first we need to make sure the right information has been identified and data sets are clearly defined for testing. Considering the continuous change, auditors confirm that the definition and protection of data is being carried out by taking reports directly from IT and checking test results.
2. Use of third-party service organizations
   The use of third-party organizations to deliver critical services is a growing trend. In determining the sufficiency and appropriateness of the audit evidence, auditors review that management has evaluated whether appropriate controls are in place to prevent misuse of any confidential customer information aggregated by third-party service organizations. The benefit is an objective opinion about a standardized set of objectives tested only once to minimize business disruption.
3. Enhanced review of security and privacy procedures
   While the importance of addressing cybersecurity is widely acknowledged, auditors can review risk registers to ensure that risks in relation to data security and privacy have been adequately identified and assessed according to the risk management process within the organization, and that managers are working to, and within, risk tolerances. Auditors review cyber breach incidents and try to understand what went wrong, ensure remediation compliance and probe for other areas of vulnerability to help combat future attacks.
4. Application-generated reports and data
   When using emerging technologies as part of robust fact-based risk assessment or further audit procedures, there should be careful consideration of the following items:

- Nature and use of application general reports and data;

- Assessment of the risk to which reports relate;

- Complexity and quality of reports and data;

- Complexity of judgment and conclusion;

- Significance of the report and data; and

- Likelihood that insufficient or inappropriate report and data could cause auditors to reach inappropriate conclusions.

New skill sets: adapt to thrive

Disruptions brought on by the Fourth Industrial Revolution are strengthening auditors through the utilization of new digital tools and the embracing of new capabilities offered by technology to meet the statutory requirements. The ongoing development of skills and adoption of automated tools are essential to gain more business insight and risk management tools. From data analytics to blockchain technology to artificial intelligence, auditors must continue to harness technology for better and more informed decision-making.

New talent is always essential for future success and education programs have been adapted and focused on increasing specialist expertise and stimulating the mindset. A continuous evolution of the skills we seek from graduate recruits and lateral hires is also necessary. Education systems can keep up with the changing industry in order to fill the skills gap through technological advancement and adaptation. Students should learn to handle high complexity and develop high social cognition by using cognitive enhancement tools to accomplish complex tasks.

The use of technology in the financial statement audit is evolving and exceeding stakeholder expectation. In an increasingly complex and high-volume data environment, the use of technology and data analytics offers opportunities for the auditor to obtain a more effective and robust understanding of the entity and its environment, enhancing the quality of the auditor’s risk assessment and response. Appropriate risk assessment procedures result in the adequate identification or assessment of relevant risks of material misstatement that, in turn, may result not only in obtaining appropriate audit evidence to support the audit opinion, but also result in avoiding unnecessary, poorly articulated, ineffective, or duplicative audit procedures.

This journey is evolutionary rather than revolutionary; however, the pace of the evolution is key. Auditors will need to stay abreast of recent developments in this space to consider how to tailor audit procedures to take advantage of disruptive technology benefits as well as address incremental risks.

by Haseeb Akram, Director, Audit & Assurance, Deloitte Middle East