Hi! It’s Sir Rob. Today, I am going to discuss Chapter 2 of the course in IS audit. Our topic is “The Impact of Information Technology on Audit. Globally, companies, the audit profession, professional bodies and regulators are increasing their focus on the impact of technology particularly information technology. There are clear benefits that technology can bring, from operational efficiency to financial inclusion and greater insights. However, alongside these benefits comes a range of risks many of which are still not fully understood. In this presentation, we will try to understand the Impact of I.T from both the point of view of the client and the auditor. As always, in the practice of accountancy, we should remember to be professional, perform effectively and efficiently follow standards and document our work adequately and properly. TOPICS: 1. 2. 3. 4. 5. Conducting Business in Data Space Disruptive technologies and the Auditors Evolving or Emerging Technologies Opportunities in Data Analytics Effects of Technology on Audit (Summary) Our topics for this discussion are: 1. Conducting business in technology space discusses the shift from know your customers to know your data and how entities are discovering their data and insights out of these. 2. Disruptive Technologies and the Auditors shifts our attention to how technologies already here are changing the auditing landscape, putting more responsibilities to the auditor. 3. Evolving or Emerging Technologies focuses on emerging new technologies not yet widely adopted and advances in areas of technologies that will change the way the auditors conduct the audit. 4. Data Analytics Opportunities looks at the prospect of the auditing profession being commoditized or reduced to becoming simple commodities in the eyes of audit clients who might invest in data analytics technologies that allow them to perform audit capabilities. 5. Effects of Technology on Audit summarizes the discussions in simple terms. 1st Topic: Conducting Business in Data Space This topic introduces the concept of know your data and how the client entity uses the concept to conduct a more efficient business and enhance the I.T controls. This concept enables the auditor to evaluate the I.T Governance initiatives of the entity and the maturity of its I.T culture. Technology is changing the way a business is conducted and data is analyzed. There is an increasing focus on data management. Know Your Data (KYD) is the new buzzword replacing Know Your Client (KYC). We, in the 21st century have access to a huge volume of data more than any generation before us and with each day that volume of data grows even larger. One of the many consequences of the COVID-19 Pandemic has been the continuous news coverage stressing the importance of data. We are regaled daily with graphs and statistics that few people understand or want to understand. The challenge with all data is working out which are worth using and how to best use it. It is about knowing your data. KNOW YOUR DATA (KYD) (SLIDE) • • • Where it comes from What’s in it What it means Know your data where it comes from, what’s in it and what is means. It all starts from there. You know your data helps the business understand data sets with the goal of improving data quality. DATA is an important asset at all organizations no matter their business, their size or their structure. Without data an organization would not exist. So, the decisions made about data are critical. Many organizations have little understanding or visibility into its data. Effective data discovery is NOT easy because of the increasing number of data systems, the interconnectivity between them and the diversity of the environments. Some data discovery is easy while other types are more difficult. BENEFITS OF KYD (SLIDE) Knowing what data an org’n has and where it is allows the organization to: • • • • • • • • • Capture Categorize Manage Protect Migrate Reduce Share Display Repurpose When you know what data you have and where it is, you can capture, categorize, manage, protect, migrate, reduce, share, display and repurpose information. BENEFITS OF KYD (SLIDE) Knowing what data an org’n has and where it is allows the organization to make well-informed decisions to: ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ Enhance Privacy Add security Meet regulatory items Achieve Compliance Forecast Control Cost Hiring, firing Minimize Risks Increase Employee Satisfaction Improve Customer satisfaction Protecting IP These capabilities are critical for making well-informed decisions including those on; 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. Enhancing privacy Adding Security Meeting regulatory items Achieving compliance Forecasting Controlling costs Hiring, firing Minimizing risks Increasing employee satisfaction Improving customer satisfaction Protecting Intellectual Property and the list goes on. For discovery and knowing, management need to ask and get answers for data related questions such as: ✓ What data systems are used in the organization? ✓ What data are collected from people in your organization and those outside of the company? ✓ Who can access these data? ✓ How is the data managed? What options are available for organizations that help them to discover its own data and get better knowledge and control? ENTITIES CAN DISCOVER DATA BY: 1. Data System Inventory - Organizational data is created and moved, copied, modified, shared, and translated across many data systems including shallow systems. An entity needs to understand what data systems are used, who has access to these data systems, and what data is in these data systems. Therefore, a critical need is having an accessible up-to-date data system inventory in place. Before an entity can do data governance or data intelligence, policies addressing data privacy, integrity security and availability, it must know what it has. Creating a data system inventory will require some question asking and research. 2. Common Knowledgebase - Understanding data requires a business glossary and data definitions. Having this knowledge will improve satisfaction especially with staff who will have a better understanding of the data. Having a common knowledgebase of data governance related content including business glossary, data definitions, data system inventory, reference data report specifications, data quality rules, data policies, and other information is critical. With access by all a common knowledgebase makes data discovery and knowledge a lot easier. o Business Glossary is one of the harder pieces of data governance as often discussions, sometimes heated, are necessary to firm up the business glossary entries. 3. Data Governance Framework - Entities need some structure around their data and does the importance of having a data governance framework in place. There are several IT governance frameworks available in the market, the most popular of this is COBIT or Control Objective for Information and Related Technologies, which is a framework created by ISAKA for information technology management and IT governance. The framework is business focused and defines a set of generic processes for the management of IT with each process defined together with process inputs and outputs, key process activities, process objectives, performance measures and an elementary id maturity model. 4. Data Request and Data Quality Issue Processes - Entities need to have in place a data request process for new reports, new definitions, data exports, etc. and a data quality issue submission process. both processes are important for data discovery. 5. Understand your user’s data behavior - These include items such as data sharing agreements with others specifications on integrations and data movement/changes make sure that this information is documented 6. Data Governance Solution Since the entities data could be everywhere it needs a solution that can traverse data systems and have a framework have the necessary processes and workflows in place and be able to manage the data governance related content and have it in a common knowledge base 7. Automate and integrate where possible Entities should not depend on manual entry there is just too much risk of error. Entities can add workflows for data stewards where possible including the approval of data definitions, report specifications. Entities should also document all the integrations in specifications so it knows what is in the integration and how the data was modified. 8. Data models Bringing in your technical data models is easy with a tool such as the Data Cookbook, it's about automatic and import data importing data models. intelligent decisions stem from the ability to discover, classify, optimize, and take advantage of your data. The first step is finding or discovery of your data. I’m not sure who said knowledge is power but it is so true after the discovery the next step is knowing. The better the knowledge you have of your data, the better your data will be and that leads to better information which leads to better data-driven or data-informed decision-making both in terms of improving the operations and the controls over IT infrastructure. 2nd Topic: Disruptive Technologies Our second topic is about disruptive technologies. This topic is about how new technologies greatly affect the audit strategy and procedures in audit firms and how the auditors are coping with the challenges brought about by disruptive technologies now. It also includes a discussion of the pros and cons to the auditor when adopting such technologies. Though technological adoption is in general can be said as a necessity for running an audit firm the approaches and strategies are distinctly different. A digital CPA is not only using technology but also employing it to transform their business environment to be relevant and future ready for clients and staff. A lot of technology deep accounting consultancy and audit firms are today focused on helping the CPAs to be ready for the integration of technology into audit practices, using those tools to not only become more efficient but also more effective. That is where they try to operate at the intersection of efficiency and effectiveness especially in fraud detection. Even in the same film there may be different offices who use more technology throughout the audit. there are different comfort levels with how people use technology, in a lot of cases you'll find stories of the same audit staff who may be on one partner's audit engagement and that partner says that he doesn't like technology and wanted everything done manually with paper and the same stuff he'll be on a different audit partner's engagement and that partner wants everything done electronically. Certainly, the firms are moving towards encouraging the use of technology but they just haven't forced all the partners to get there. that's the struggle that some firms have the specific approach that the partner wants to encourage the audit team to use. on the whole however, there is a recognition that certainly technology is the way forward and it's just a matter of time of how quickly everybody gets there. Clayton Christensen popularized the idea of disruptive innovation in the Innovators Dilemma published in 1997 which received a Global Business Book Award for the best business book of the year. The concept has been growing in interest over time since 2004 according to google trends data. Originally, the concept was related to business theory defined as innovation that creates a new market and value network or enters at the bottom of an existing market and eventually displaces established market leading firms products and alliances. It has since been applied to technology as well. technology being a form of social relationship always evolves no technology remains fixed. Technology starts, develops, persists, mutates, stagnates, and declines just like living organisms. The evolutionary life cycle occurs in the use and development of any technology. Regarding this evolving process of technology, Christensen said, “the technological changes that damage established companies are usually not radically new or difficult from a technological point of view.” They do however have two important characteristics: 1) they typically present a different package of performance attributes, ones that at least at the outset are not valued by existing customers; and 2) the performance attributes that existing customers do value improve at such a rapid rate that the new technology can later invade those established markets and code. Disruptive technologies now here, such as those related to data science, are also having a profound impact on the skills required of auditors, finance and accounting professionals and regulators which has implications for educator’s recruitment policies and staff development needs. Now, let us look at some insights from both clients and providers of assurance and audit services. The following slides will feature the comments of these at a Breakfast Briefing jointly organized by the Institute of Chartered Accountants in England and Wales (ICAEW) and the Dubai Financial Services Authority (DFSA) on December 13, 2017 at the DFSA. The first of this expert is Marcus Freeman, the CFO of Chalhoub Group at the time of the breakfast meeting. He is now the President of Operations and the Deputy Group Chief Executive Officer. Chalhoub Group is a privately held luxury goods retailer and distributor headquartered in Dubai, United Arab Emerates. The Chalhoub Group is the largest retail operator in the middle east. It played a cruacial role in developing the luxury sector in the region. The company has more than 12,000 employees in 14 countries. The second expert is Steven Drake, a Partner, Middle East Leader-Risk Assurance and Capital Market and Accounting Advisory Services(CMAAS) in Pricewaterhouse Cooper—one of the big four international Audit Firms. The third expert is Khurram Siddiqui, a Partner, Global Robotics Leaderand MENA Digital Leader, Financial Accounting Advisory Services(FAAS) at Ernst and Young—another big four International Audit Firm. And the last expert is Hishiam Farouk, CEO and Global Board Member at Grant Thornton. Grand Thornton LLP is the American Member firm of Grand Thronton International—the seventh largest accounting network in the world by combined fee income. Grand Thornton LLP is the sixth largest US accounting and advisory organization. When asked the question, When will advances in technology result in a real step change in how business is done and what will be different? The panel of experts gave the following comments: From the audit perspective, Hisham reflected that technology will continue to eliminate the requirement for human clerical and vouching procedures which will increase time efficiency and reduce headcount. However, value will continue to be sustained from understanding the client’s business model. Data analytics is increasing the accesibility of data. However, human intervention still required to filter the data and to communicate and advise client effectively. We can expect the audit being delivered by smaller technology conversant audit teams who use data analytics to understand the business drivers and also have the wider business acumen to understand both boardroom requirements and shareholders phsychology and are able to communicate the information appropiately. Machine learning and artificial intelligence are still not in the stage where they can replace that human input. As clients use more technology, they are increasingly taking on more risk, and their stakeholders will require a new suite of assurance services to address these new risks. So, while demand for traditional historical data-focused audit services may decline. Steven saw significant opportunities to develop new real-time and forward-looking assurance services. Khurram commented that until recently Bitcoin had been a phenomenon treated with great speticism. However now, large financial inatitution are talking about how to embrace it and the underlying blockchain technology. Similary, the only option for the audit profession is to embrace the developments in digital technology. Khurram considered that ultimately it is always human who are the driving force behind developments in technology. Before ERP Solutions where the norm, there was a period of concern that the rule of human input in accounting was superseded. However, in reality, with increasing complexity of systems, humans continue to be required to manage them and in some cases the human oversight increases with technology. The future is one human and machines work together outsourcing repetitive and periodic tasks to machine allows humans to focus on problem solving, envisioning and strategizing areas where judgment a key role. So rather than suffocating the profession, technology will expand and change the types of services provided to clients. Khurram saw technology expanding and changing the types of servcies provided to clients. Describing what the future of it would like, Khurram stated that the way audit is performed may change significantly in the future. We are moving from continous control monitoring (CCM) to continue transaction monitoring(CTM) which happens on the client site in real time with a copy created for the auditors. The use of blockchain technology makes these huge changes possible. Khurram also commented on another change in audit driven by technological advances. He said, regulators may mandate that an audit signoff include further value adds. For example, the ways audit firms caveat their work with respect to fraud detection is likely to change, since technology will allow auditors to check every single journal entry. (24:03-32:03) Marcus agreed that audits would add more value to corporates if they also encompassed a forward-looking and real-time aspect, but questioned whether the larger professional services firms are best place to offer those services. He raised the question: Is the audit profession as we know it best place to mitigate these new corporate risks? He saw technology as a driver leveling the playing field for small audit firms or even technology businesses to compete as equals. The bottom line for auditor and the audit firms is to embrace technology to keep abreast with clients that adopt technology to stay competitive in their respective industries. It is needless to emphasize that audit clients expect the independent auditors to be one step ahead of them in terms of knowledge and skills. Keeping relevant with competence in new technologies will maintain the quality of service to audit clients and thus, maintain the prestige of the auditing profession. TECHNOLOGY AND FRAUD Several slides back, Khurram Siddiqui hinted that because of the ability of the auditors to look at larger data, it sets and possibly check every single journal entry driven by technological advances; “regulators may mandate that an audit sign off include further value adds”. For example, the way audit firms can get their work with respect to fraud detection is likely to change reducing the audit expectations gap. Surely fraud detection is one of the highly contested areas of the expectations gap which is of course the difference between the expectations of society and the auditee especially regarding the detection of fraud and the actual responsibility of the auditor regarding fraud detection which is, as the audit standard says, auditors are not responsible for detecting fraud. For one thing that has never been one of the overall objectives of the auditor as prescribed in PSA 200. However, because audit firms are and should embrace technology to transform their services to be technologically relevant and future ready for audit clients and audit firms or audit teams, that expectation gap may be narrowed or may even be closed with the auditor stepping up armed with technological tools to better detect material misstatements due to fraud. Let us also discuss how the auditor may approach new technologies with a focus on how the users of technology might use it to commit fraud. And in this way the auditor acquires an understanding of the functionalities of the technology. Such understanding will help the auditor develop audit procedures to detect if the window to commit fraud has been breached by fraudsters. One of the key things is to look at the new technologies out there and the first questions auditors should ask is: • how would a bad guy or a fraudster use this technology to commit financial fraud? • is there an opportunity for them to manipulate the technology in a way that maybe nobody hasn't thought about yet? and the most important of all audit questions; • is there a way they can use this technology to circumvent the auditor's procedures? That's the lens to which auditors should look at new technologies. There is definitely a requirement for auditors to understand the workings of the technology. Maybe not the bits and the bytes and the program codes that they are written in, but understanding the functionality of the technology. In order to understand the functionality, the auditors should understand the initial intended use of the technology. because the initial intended use may be for one particular purpose and while it may have a portability in other areas, it may not really achieve the audit objective that auditors may assume that technology does. Blockchain may be one of those for example, digital signatures is another. There may be some things that people assume or imply with the technology that may not be the underlying core or basis of the technology. Auditors certainly do not want to put any emphasis on reliance on an aspect of technology that is not appropriate. For example, digital signatures, digital signatures initial intended use is originally for two parties who knew each other and needed this on a legal document, specifically real estate contracts, so that they could do it efficiently. At the time, what the electronic digital signatures do not do is validate the identity of the user. The whole point was that the two parties were already known to each other and so, digital signature is just a means so that they can sign the document electronically. Yet so much of the market assumed that digital signature companies were validating the identity of the users. Now, many years later, we're starting to see that functionality take place. We're starting to see that over in Scandinavia, DocuSign is getting ready to come out with some tools that validate the identity of the signer. But that's not implicit in the tool and certainly hasn't been for the last 10 to 15 years that the technology has been available. For an auditor, you really have to understand the technology and see how a fraudster can maybe use it. One of the primary potential legal liability the auditors face is the fraud aspect of the engagement. The more there is automation, the more auditors have the ability to look at larger data sets and not just samples of data. Technology have opened the possibility of looking at all the data and offering tools that effectively and efficiently do that. Users of the financial statements will definitely look more to the auditors to effectively identify significant material misstatements due to fraud. This capability is one of the more significant things that auditors should incorporate into their audit practices more fully. Articles about audit recently decry the lack of a fraud university which is to imply that auditors are not actually trained to detect fraud in higher education programs such as BS Accountancy. That really is a valid concern and so it revolves upon the Board of Accountancy and the Commission on Higher Education to train future CPAs in identifying risks of fraud. That is really where the public and the users of the financial statement will really look to auditors to do a better job as we go forward. There is a scarcity of an auditing firm that has ever been sued for conducting an efficient audit but there are numerous cases of firms that had been sued for missing either a significant material misstatement due to error or fraud. Because of that exposure, it is incumbent on auditors to utilize the technology tools in a way that will help them achieve and perform their job in a way that the public and the users of the financial statements expect of them. There is a scarcity of an auditing firm that has ever been sued for conducting an efficient audit, but there are numerous cases of firms that had been sued for missing either a significant material misstatement due to error or fraud. Because of that exposure, it is incumbent on auditors to utilize the technology tools in a way that will help them achieve and perform their job in a way that the public and the users of the financial statements expect of them. Evolving Technologies & Auditors: Our third topic is about evolving or emerging technologies. This is about how upcoming technologies, artificial intelligence or AI, blockchain, cyber security and improvements in data capabilities will affect the audit strategy and procedures of auditors and how the auditors could cope with the challenges brought about by these technologies. Technology is directing changes in the way clients run their businesses, changing their business models and processes. Auditors need to stay ahead of these changes in order to provide relevant advice and support services. In response to this, audit firms are both recruiting and partnering with a variety of technology experts. Audit firms need to invest in digital initiatives including AI, blockchain, cyber security and developments in data capabilities. These initiatives across multiple technologies will equip them to expand their assurance services to deal with the new technology-driven risks that their clients face and safeguard their digital assets. Khurram is very on point when he stated that, “Regulators, auditors and clients all have a role to play. The new talents required are all around programming, coding and leveraging the technology that is around us. Data security, AI development and robotics will all be transformational and blockchain is just unavoidable. We are living on a cusp of change. Regulators are working through this upheaval whilst global professional service firms are aiming to be early adopters of this technology”. ❖ Artificial Intelligence and how it will affect IS Audit Artificial intelligence or AI refers to machine undertaking tasks which require some kind of intelligence which typically refers to things such as learning, knowing, sensing, reasoning creating, achieving goals and generating, and understanding language. Recent progress in ai has been based on techniques such as machine learning and deep learning, whereby algorithms learn how to do things such as classify objects or predict values through statistical analysis of large amounts of data, rather than through explicit programming. Its emerging impact on IS audit: AI enables the analysis of a full population of data and can identify outliers or exceptions. By creating sophisticated machine learning-based models, auditors can also improve fraud detection. Audit is said to be further transformed by deep learning, a form of AI that can analyze the unstructured data such as emails, social media posts, and conference call audio files. An example of how AI can be applied to the audit is in new contract review. Machine learning tools allow humans to analyze a larger number of contracts, such as leases, in a much shorter time frame than is possible with a traditional manual review. In a recent pilot, AI tools were able to accurately extract information from lease contracts using pre-selected criteria in the vast majority of cases a higher level of precision than the average human reviewer is capable of. Definitely, aspects of judgments are becoming digitized and continually enhanced in the area of machine learning and artificial intelligence. Robotic process automation or RPA is already being used in audit execution, particularly for repetitive tasks like revenue and payroll testing. This is already here. By making it possible for auditors to work better and smarter, AI will help them to optimize their time enabling them to use their human judgment to analyze a broader and deeper set of data and documents. ❖ Blockchain Blockchain is a foundational change in how records are created, kept and updated. Rather than having one single owner, blockchain records are distributed among all their users. The success of the blockchain approach is in using a complex system of consensus and verification to ensure that even with no central owner and with time lags between all the users, nevertheless, a single agreed upon version of the truth propagates to all users as part of a permanent record. This creates a kind of “Universal entry bookkeeping”, where a single entry is shared identically and permanently with every participant. Each participant in a blockchain, each node keeps a copy of all the historical transactions that have been added to the ledger and by comparing to the other nodes copies, each record is kept synchronized. Unlike in a traditional ledger system, there is no node with special rights to edit or delete transactions. In fact, there is no central party at all. One of the situations in which blockchains can be useful is when a trusted central party is either unavailable or too expensive. Recording a transaction in a blockchain may or may not provide sufficient, appropriate audit evidence related to the nature of the transaction. In other words, a transaction recorded in blockchain may still be unauthorized, fraudulent or illegal, executed between RELATED PARTIES, linked to a site agreement that is off-chain, and incorrectly classified in the financial statements. Furthermore, many transactions recorded in the financial statements reflect estimated values that differ from historical cost. Auditors will still need to consider and perform audit procedures on management's estimates, even if the underlying transactions are recorded in a blockchain. Widespread blockchain adoption may enable central locations to obtain audit data and the auditors may develop procedures to obtain audit evidence directly from blockchains. However, even for such transactions the auditor needs to consider the risk that the information is inaccurate due to error or fraud. This will present new challenges because a blockchain likely would not be controlled by the entity being audited. Impact on IS Audit • Move from CCM to CTM Ultimately the technology a client uses will be audited by another set of quality assurance technology. • Regulators will require audit of client technology models, which may be a higher level technology In the future regulators will require client technology models composed of robotics and blockchain to be audited by another level of code. A script will come to audit a script. • Evaluation of additional General IT controls over blockchain data The IS auditor will need to extract data from the blockchain and also consider whether it is reliable, this process may include considering general information technology controls related to the blockchain environment. It also may require the auditor to understand and assess the reliability of the consensus protocol for the specific blockchain. This assessment may need to include consideration of whether the protocol could be manipulated as more and more organization explore the use of private or public blockchains. Auditors need to be aware of the potential impact this may have on their audits as a new source of information for the financial statements. They will also need to evaluate management’s accounting policies for digital assets and liabilities which are currently not directly addressed in International Financial Reporting Standards or in Generally Accepted Accounting Principles. They will need to consider how to tailor audit procedures to take advantage of blockchain benefits as well as address incremental risks. Despite these complexities blockchain technology offers an opportunity to streamline financial reporting and audit processes. Today, account reconciliations; trial balances; journal entries; subledger extracts and supporting spreadsheet files are provided to an auditor in a variety of electronic and manual formats. Each audit begins with different information and schedules that require an auditor to invest significant time when planning an audit. • Allow auditors to obtain unalterable evidence in a consistent, recurring format In a blockchain world the auditor could have near real time data access via read-only nodes on blockchains, this may allow an auditor to obtain information required for other audit in a consistent, recurring format. • Continuous audit of organization using blockchain As more and more entities and processes migrate to blockchain solutions, accessing information in the blockchain will likely become more efficient. For example, if a significant class of transactions for an industry is recorded in a blockchain, it might be possible for an auditor to develop software to continuously audit organisations using the blockchain. This could eliminate many of the manual data extraction and audit preparation activities that are labor intensive and time consuming for an entities management and staff. • Enable focus on riskier and more complex transactions while conducting routine auditing in near real time Speeding up audit preparation activities could help reduce the log between the transaction and verification dates, one of the major criticisms of financial reporting. Reducing log time could offer the opportunity to increase the efficiency and effectiveness of financial reporting and auditing by enabling management and auditors to focus on riskier and more complex transactions while conducting routine auditing in near real time. With blockchain-enabled digitization auditors could deploy more automation, analytics and machine learning capabilities such as automatically alerting relevant parties about unusual transactions on a near real time basis. Supporting documentation such as contracts, agreements, purchase orders and invoices could be encrypted and securely stored or linked to a blockchain by giving the auditors access to on unalterable audit evidenc, the pace of financial reporting and auditing could be improved. While the audit process may become more continuous, auditors will still have to apply professional judgement when analyzing accounting estimates and other judgments made by management in the preparation of financial statements. In addition, for areas that become automated they will also need to evaluate and test internal controls over the data integrity of all sources of relevant financial information. Opportunities for Future Roles for professional accountants in the blockchain system As blockchain system standardised transaction processing across many industries and CPA including auditors may be able to help provide assurance to users of the technology. The CPA may be able to feel a potential future role because of their skill, independence, objectivity and expertise. The following list of potential new rules for a CPA is illustrative only in not all inclusive, significant regulatory and professional hurdles may remain before I CPA is able to take on these potential roles. 1. Auditor of Smart Contracts and Oracles. As described above, smart contracts can be embedded any blockchain to automate business processes. Contracting parties may want to engage an assurance provider to verify that smart contracts are implemented with the correct business logic. In addition, an auditor could verify the interface between smart contracts and external data sources that trigger business events without an independent evaluation users of blockchain technologies faced the risk of unidentified errors or vulnerabilities. To take on this new role a CPA auditor may need a new skill set including understanding technical programming language and the functions of a blockchain. This type of role also raises important questions for the auditing profession including: - What type of skill sets does the profession need to remain relevant - What factors would impact assurance engagement risk? - What would an assurance providers ongoing responsibility entail once a smart contract is released into a blockchain? In the context of a financial statement audit, management will be responsible for establishing controls to verify whether the smart contract source code is consistent with the intended business logic. An independent auditor auditing an entity with smart contract blockchain is likely to consider management control over the smart contract code however many companies may choose to reuse smart contracts built by other entities already active on a blockchain. Future auditing standards and auditing guidance may need to contemplate this technology and thereby bring clarity to the role of the CPA in those scenarios. 2. Service Auditor of Consortium Blockchains Prior to launching a new application on an existing blockchain, platform or leveraging, or subscribing to an existing blockchain product, users of the system may desire independent assurance as to the stability and robustness of its architecture. Instead of each participant performing their own due diligence, it may be more efficient to hire a CPA to achieve these objectives. In addition, critical blockchain elements, for example cryptographic key management, should be designed to include sophisticated general IT controls that provide ongoing protection for sensitive information, as well as processing controls over security, availability, processing, integrity, privacy and confidentiality. On an ongoing basis, a trusted and independent third party may be needed to provide assurance as to the effectiveness of controls over a private blockchain. This type of services raises important questions for the profession. When providing insurance across a blockchain, who is the client? How would a CPA auditor assess engagement risk for an autonomous system? How would independence rules apply to users of a blockchain? 3. Administrative Function Permission blockchain solutions may benefit from a trusted independent and unbiased third party to perform the functions of a central axis granting administrator. This function could be responsible for verification of identity or a further vetting process to be completed by a participant before they are granted access to a blockchain. This central administrator could validate the enforcement and monitoring of the blockchain's protocols. If this function is performed by a user or node of the blockchain, then an undue advantage could exist and trust among consortium members could be weakened. Since this role would be designed to create trust for the blockchain as a whole, due care will be needed when establishing both its function and its legal responsibilities. As a trusted professional an independent CPA may be capable of carrying out this responsibility. However, this role would raise new questions for the profession. By taking on such a critical role, is the assurance provider independent from the blockchain participants? Could the CPA auditor conduct financial statement audits on those participants? 4. Arbitration Function Business arrangements can be complex and result in disputes between even the most well-intentioned parties. For a permissioned blockchain, an arbitration function might be needed in the future to settle disputes among the consortium-blockchain participants. This function is analogous to the executor of an estate—a role typically filled by various qualified professionals including CPA auditors. Participants on the blockchain may require this type of function to enforce contract terms where the spirit of the smart contract departs from a legal document, contractual agreement or letter. Further, consideration should be explored to determine whether an arbitration function is necessary. If CPAs want to take on this role, critical questions will need to be answered such as: What legal framework would be used to settle disputes? What skill set would be required for a CPA auditor? Could this role create unintended threats to independence regarding attest clients? There are still many unknowns with respect to how blockchain will impact the audit and assurance profession, including the speed with which it will do so. Blockchain is already impacting auditors of organizations using it to record transactions and the rate of adoption is expected to continue to increase. However, in the immediate future, blockchain technology will NOT replace financial reporting and financial statement auditing. Audited financial statements are a cornerstone of business, and play a key role in debt and equity financing participation in capital markets, mergers and acquisitions, regulatory compliance in the effective and efficient functioning of capital markets. Financial statements reflect management assertions including estimates, many of which cannot be easily summarized or calculated in blockchains. 3. GROWING CONCERNS OVER CYBER SECURITY While cyber security is not new to the IS auditor because it is part of the system of internal control of the IT infrastructure, specifically controls over the security and integrity of data, it has come to the fore and focus of concern because of the increasing cases of data breaches and reuse of commercialization of personal data. Cybercrime and threats to computer systems have become a major concern of businesses around the world. Our growing reliance on IT and the internet has also greatly increased the impact of hacking, security failures and the loss of systems. At the same time, cyber attackers have become more sophisticated and organized. Cyber security covers measures that protect network systems devices and data from attack., unauthorized access, or damage. Good practices in cyber security also cover a wide range of activities to monitor IT environments, detect intrusions or bridges, and respond to security failures. Organizations face many challenges in building effective risk management around cyber security, including the spread of cyber risk across all organizational activities, the external nature of many of the threats and the pace of the change in the risk. The pandemic may have offered criminals extra opportunities to defraud their victims. For example, you might have not missed the news about many DepEd employees whose Land Bank accounts have been defrauded using the phishing method of scamming people. Levels of fraud in the United Kingdom were already on the app. According to the most recent annual fraud indicator compiled by Portsmouth University's Center for Counter-fraud Studies, fraud is costing the UK economy 137 billion pounds each year with losses rising by 56 percent in the past decade. Recent technology driven improvements to data capabilities include: ✓ the ability to access very large amounts of data ✓ new sources of data particularly unstructured data such as text and images and ✓ greater emphasis on speed and real time data Different uses of data and associated analytics tools highlight different aspects of these characteristics. The ability to process large volumes of data enables analysis of entire data sets rather than just samples or examination of more granular data. Linking together data from different systems or new data from third parties can provide fresh insights. Technology now allows: ✓ access to vast amounts of data which if analyzed appropriately can offer an extraordinary view of the organization. ✓ It is also changing the way business is conducted and data is analyzed. ✓ There is an increasing focus on data management. ✓ Moreover, the advent of cloud computing and cloud storage has opened up the possibilities of collecting and analyzing data on a previously unimaginable scale. IMPACT ON IS AUDIT Going beyond the confines of company data allows auditors to collect and analyze broader industry data sets that were previously inaccessible. These enable the auditors to better identify informational outliers and increases their ability to generate business insights and focus on business and financial reporting risk. The evolution of technology challenges the current value proposition of the audit moving to offshoring allowed all the trims to cut costs and now automation will enable firms to cut the time required to complete an audit. Within a decade an audit will be completed within a fraction of the time given access to real-time data. Audit fees have typically been charged based on the time taken to conduct the audit. But audit firms will no longer be selling time. Hisham suggested that ‘’the audit profession will need a new value model that clients can understand. With the use of technology, fees will be based on knowledge connecting that knowledge to strategy mitigating the specific risk of the organization and becoming the advisory driving force for the organization's board and stakeholders.’’ OPPORTUNITIES IN DATA ANALYTICS Opportunities in data analytics is our fourth topic. Data analytics is not in the curriculum of BS Accountancy in the university. Yet, as early as 2007, in a seminar I attended, a board of accountancy member expressed apprehension that big data analytics will overshadow much of the function of management advisory services. With its broader range of data than MAS coupled with data analytics tools, managers can have a better view of the organization's operations and discover more insights hidden in big data. Even hidden insights that have the potential to propel the entity to industry leadership. When asked the question: What opportunities in recent evolutions does data analytics bring to auditors? Here are the insightful comments of the four resource experts who attended the aforementioned breakfast meeting in DFSA. Against the backdrop of recent evolutions in technology, • Steven Drake proposed: We initially consider the concept of what is an audit now and what will be the audit of the future. Typically, an audit has looked at historical financial statements and provided an opinion. Steven commented that: ‘’Data analytics is doing more than just change the way we will do an audit. It will change what an audit in the future will look like.’’ As clients adopt new technology, they will be looking to wider assurance services to mitigate risks in their business beyond the focus on historical information. Technology is disrupting the audit process by increasing automation to drive efficiencies. • Khurram Siddiqui highlighted key areas of change: ‘’Traditionally the audit approach was a combined risk assessment using substantive sample testing and assessment of control. Now With technology enabling us to test the full population of entries and not only a sample, we move away from asking ‘what could go wrong?’ to ‘what has gone wrong?’ We have more certainty and precision with regards to the transactions, and more transactional evidence of control weaknesses. Furthermore, aspects of judgment are becoming digitized and continually enhanced in the era of machine learning and artificial intelligence. ‘’ • Hisham Farouk commented that: ‘’The professional services firms continue to respond to increased use of technology by their clients. This evolution started as clients moved to using accounting software and ERP solutions and now another phase begins where the profession is beginning to connect to those client systems. We are now not only analyzing data, because clients have greater connectivity and accessibility of data, but through machine learning the quality of the data we are able to extract is far better enhancing both the efficiency and rigor of the audit process.’’ • From a CFO perspective, Marcus Freeman commented that: ‘’The ability of technology to allow the testing of entire populations shifts the perspective on the value of an audit. Data analytics allows the auditors to provide both a helicopter view of the financials and a detailed and complete view of the accounting records and resulting to more insights. There is now more pressure for an audit to focus on detecting fraudulent transactions, as technology now exists to highlight any journal entries that are deviating from the standard process and other anomalies.’’ Marcus cautioned however that: ‘’In a matter of time, all the global audit firms will be able to offer similar technological solutions. And since the technology itself is not proprietary, there appear to be limited barriers to entry. And so, nothing stopping smaller technologies saggy players entering this market to offer the same technological solutions. Data analytics can also support a CFO in maintaining the internal control environment. So, what is stopping corporates from investing in audit technologies themselves to mitigate the need for external audits? Both these factors could see the audit being commoditized.’’ The last evolving technology we will discuss is the advances to data capabilities. Data is at the heart of all economic activity including the accounting profession. Recent technology-driven improvements to data capabilities include the - ability to access very large amounts of data - new sources of data particularly unstructured data such as text and images and - greater emphasis on speed and real time data Different uses of data and associated analytics tools highlight different aspects of these characteristics. The ability to process large volumes of data enables analysis of entire data sets rather than just samples or examination of more granular data. Linking together data from different systems or new data from third parties can provide fresh insights. Technology now allows access to vast amounts of data which if analyzed appropriately can offer an extraordinary view of the organization. It is also changing the way business is conducted and data is analyzed. There is an increasing focus on data management. Moreover, the advent of cloud computing and cloud storage has opened up the possibilities of collecting and analyzing data on a previously unimaginable scale. Impact on IS Audit Going beyond the confines of company data allows auditors to collect and analyze broader industry data sets that were previously inaccessible. - this enables the auditors to better identify informational outliers and increases their ability to generate business insights and focus on business and financial reporting risk - the evolution of technology challenges the current value proposition of the audit moving to offshoring allowed all the trims to cut costs and now automation will enable firms to cut the time required to complete an audit. (changes the value proposition of audit; fees could later be based on knowledge, not time spent) - within a decade an audit will be completed within a fraction of the time given access to real-time data. Audit fields have typically been charged based on the time taken to conduct the audit but “audit firms will no longer be selling time. Hisham suggested that, “the audit profession will need a new value model that clients can understand. With the use of technology fees will be based on knowledge connecting that knowledge to strategy, mitigating the specific risk of the organization and becoming the advisory driving force for the organization's board and stakeholders.” Opportunities in Data Analytics is our fourth topic. Data analytics is not in the curriculum of bs accountancy in the university yet as early as 2007 in a seminar I attended a board of accountancy member express apprehension that big data analytics will overshadow much of the function of management advisory services. With its broader range of data than MAS (Management Advisory Services) coupled with data analytics tools, managers can have a better view of the organization's operations and discover more insights hidden in big data, even hidden insights that have the potential to propel the entity to industry leadership. When asked the question, what opportunities in recent evolutions does data analytics bring to auditors? Here are the insightful comments of the four resource experts who attended the aforementioned breakfast meeting in DFSA. Against the backdrop of recent evolutions in technology, Steven Drake proposed we initially consider the concept of what is an audit now and what will be the audit of the future. Typically an audit has looked at historical financial statements and provided an opinion. Steven commented that, “data analytics is doing more than just change the way we will do an audit it will change what an audit in the future will look like”. As clients adopt new technology they will be looking to wider assurance services to mitigate risks in their business, beyond the focus on historical information. Technology is disrupting the audit process by increasing automation to drive efficiencies. Khurram Siddiqui highlighted key areas of change “Traditionally the audit approach was a combined risk assessment using substantive sample testing and assessment of controls. Now with technology enabling us to test the full population of entries and not only a sample we move away from asking what could go wrong to what has gone wrong. We have more certainty and precision with regards to the transactions and more transactional evidence of control weaknesses. Furthermore, aspects of judgment are becoming digitized and continually enhanced in the era of machine learning and artificial intelligence.” Hisham Farouk commented that, “the professional services firms continue to respond to increased use of technology by their clients this evolution started as clients moved to using accounting software and ERP solutions and now another phase begins where the profession is beginning to connect to those client systems. We are now not only analyzing data because clients have greater connectivity and accessibility of data but through machine learning the quality of the data, we are able to extract is far better enhancing both the efficiency and rigor of the audit process.” From a CFO perspective Marcus Freeman commented that, “the ability of technology to allow the testing of entire populations shifts the perspective on the value of an audit. data analytics allows the auditors to provide both a helicopter view of the financials and a detailed and complete view of the accounting records and resulting to more insights. There is now more pressure for an audit to focus on detecting fraudulent transactions as technology now exists to highlight any journal entries that are deviating from the standard process and other anomalies.” Marcus cautioned however that, “in a matter of time all the global audit firms will be able to offer similar technological solutions and since the technology itself is not proprietary, there appear to be limited barriers to entry and so nothing stopping smaller technologies saggy players entering this market to offer the same technological solutions. Data analytics can also support a CFO in maintaining the internal control environment. So what is stopping corporates from investing in all the technologies themselves to mitigate the need for external audits. both these factors could see the audit being commoditized.” Commoditization in business literature is defined as the process by which goods that have economic value and are distinguishable in terms of attributes end up becoming simple commodities in the eyes of the market or consumers. Marcus acknowledged that currently corporates leverage the audit partner relationship as a source of valuable business advice but this may become less important as machine learning tools provide more detailed analysis of the red line issues in the business and offer potential solutions. “There is a real risk of disintermediation of the audit profession perhaps even judgment can be commoditized.” So, what is stopping corporates from investing in all the technologies themselves to mitigate the need for external audits? Both these factors could see the audit being commoditized. Commoditization in business literature is defined as the process by which goods that have economic value and are distinguishable in terms of attributes end up becoming simple commodities in the eyes of the market or consumers. Marcus acknowledged that currently corporates leverage the audit partner relationship as a source of valuable business advice but this may become less important as machine learning tools provide more detailed analysis of the red line issues in the business and offer potential solutions. “There is a real risk of disintermediation of the audit profession perhaps even judgment can be commoditized” From a finance department perspective, the benefits of automation and machine learning are already being felt as businesses replace clerical headcount with machines. Although Marcus commented that what is still required in the near term is better qualified accounting personnel who know how to think, can apply judgement and can analyze and draw insights from data. After discussing the new disruptive technologies and the emerging or evolving ones, we can now summarize the significant impact of information technology on audit. In summary, what these experts are telling us are the disruptive and emerging technologies will do in the foreseeable future is: 1. Technology will allow auditors to check every single journal entry 2. Technology will continue to eliminate the requirement for human clerical and vouching procedures with human interventions still required to filter the data and to communicate and advise clients 3. Technology will reduce the size of the audit team to a smaller technology conversion team 4. Technology will give rise to a wider range of assurance services that the clients will ask auditors to provide while reducing the demand for traditional historical fs audit services 5. Technology will move IS audit from continuous control monitoring to continuous transaction monitoring which happens on the client side in real time with a copy created for the auditors 6. Technology will encourage regulators to mandate that an audit include value adding services such as respects fraud detection since auditors will be able to check every single journal entry 7. Technology will level the playing field in favor of small audit firms Given the speed of technological and digital advances it is imperative that those in the audit and finance profession invest in understanding and developing these technologies to benefit their respective sectors. This is a huge challenge particularly in audit where the pace of technological change specifically the move from sample testing to 100% population testing and from historic testing to real time testing is spreading the need to revisit the audit approach in an unprecedented manner. Technology will drive down the time again to conduct an audit as testing becomes more automated and conducted on a real-time basis. Views were expressed around the need to develop new methods for calculating audit fields based on technological resources used in the process and the value added by audit teams who derive insight from the data. There will be opportunities for the firms to develop more forward-looking assurance services, helping clients to manage risk and drive growth. Technological advances which could lead to the commoditization of the audit and even the disintermediation of audit firms by other technology players were considered potential threats of which audit firms need to remain vigilant. Advances in technology open up a debate on the skill sets that are relevant to the industry now and in the future while it is clear that lower level accounting and auditing skills can be replaced easily by technology human business acumen and communication skills remain crucial. The required combinations rests in a blend of human capital resources, incorporating specialized technology and digital skills, technical accounting and audit skills and professional skills such as communication, leadership and business acumen. While we are clearly on the cusp of a changing professional landscape it remains unclear exactly where the digital revolution is heading and regulators are grappling with how best to regulate these markets. In the interim the professional membership bodies, professional services firms and corporates need to engage with technological developments and respond to the benefits, risks and opportunities they bring.