Uploaded by Mark Kyle P. Andres

PR-108 Information Technology Audit CH02

Hi! It’s Sir Rob. Today, I am going to discuss Chapter 2 of the course in IS audit. Our topic is “The
Impact of Information Technology on Audit.”
Globally, companies, the audit profession, professional bodies and regulators are increasing their
focus on the impact of technology, particularly information technology. There are clear benefits that
technology can bring, from operational efficiency to financial inclusion and greater insights. However,
alongside these benefits comes a range of risks, many of which are still not fully understood. In this
presentation, we will try to understand the impact of I.T. from the point of view of both the client and the
auditor.
As always, in the practice of accountancy, we should remember to be professional, perform
effectively and efficiently, follow standards, and document our work adequately and properly.
TOPICS:
1. Conducting Business in Data Space
2. Disruptive technologies and the Auditors
3. Evolving or Emerging Technologies
4. Opportunities in Data Analytics
5. Effects of Technology on Audit (Summary)
Our topics for this discussion are:
1. Conducting business in technology space discusses the shift from know your
customers to know your data and how entities are discovering their data and insights
out of these.
2. Disruptive Technologies and the Auditors shifts our attention to how technologies
already here are changing the auditing landscape, putting more responsibilities to the
auditor.
3. Evolving or Emerging Technologies focuses on emerging new technologies not yet
widely adopted and advances in areas of technologies that will change the way the
auditors conduct the audit.
4. Data Analytics Opportunities looks at the prospect of the auditing profession being
commoditized or reduced to becoming simple commodities in the eyes of audit
clients who might invest in data analytics technologies that allow them to perform
audit capabilities.
5. Effects of Technology on Audit summarizes the discussions in simple terms.
1st Topic: Conducting Business in Data Space
This topic introduces the concept of know your data and how the client entity uses the concept
to conduct a more efficient business and enhance the I.T controls. This concept enables the auditor to
evaluate the I.T Governance initiatives of the entity and the maturity of its I.T culture.
Technology is changing the way a business is conducted and data is analyzed. There is an
increasing focus on data management. Know Your Data (KYD) is the new buzzword replacing Know Your
Client (KYC).
We in the 21st century have access to a huge volume of data, more than any generation
before us, and with each day that volume of data grows even larger. One of the many consequences of
the COVID-19 pandemic has been the continuous news coverage stressing the importance of data. We
are regaled daily with graphs and statistics that few people understand or want to understand.
The challenge with all data is working out which of it is worth using and how best to use it.
It is about knowing your data.
KNOW YOUR DATA (KYD) (SLIDE)
• Where it comes from
• What’s in it
• What it means
Know your data: where it comes from, what’s in it and what it means. It all starts from there.
Knowing your data helps the business understand data sets with the goal of improving data quality.
DATA is an important asset at all organizations no matter their business, their size or their
structure. Without data an organization would not exist. So, the decisions made about data are critical.
Many organizations have little understanding of or visibility into their data.
Effective data discovery is NOT easy because of the increasing number of data systems, the
interconnectivity between them and the diversity of the environments. Some data discovery is easy while
other types are more difficult.
BENEFITS OF KYD (SLIDE)
Knowing what data an organization has and where it is allows the organization to:
• Capture
• Categorize
• Manage
• Protect
• Migrate
• Reduce
• Share
• Display
• Repurpose
When you know what data you have and where it is, you can capture, categorize, manage, protect,
migrate, reduce, share, display and repurpose information.
BENEFITS OF KYD (SLIDE)
Knowing what data an organization has and where it is allows the organization to make well-informed
decisions to:
✓ Enhance Privacy
✓ Add security
✓ Meet regulatory items
✓ Achieve Compliance
✓ Forecast
✓ Control Cost
✓ Hiring, firing
✓ Minimize Risks
✓ Increase Employee Satisfaction
✓ Improve Customer satisfaction
✓ Protecting IP
These capabilities are critical for making well-informed decisions, including those on:
1. Enhancing privacy
2. Adding security
3. Meeting regulatory items
4. Achieving compliance
5. Forecasting
6. Controlling costs
7. Hiring, firing
8. Minimizing risks
9. Increasing employee satisfaction
10. Improving customer satisfaction
11. Protecting intellectual property
and the list goes on.
For discovery and knowing, management needs to ask and get answers to data-related questions
such as:
✓ What data systems are used in the organization?
✓ What data are collected from people in your organization and those outside of
the company?
✓ Who can access these data?
✓ How is the data managed?
What options are available to organizations to help them discover their own data and gain
better knowledge and control?
ENTITIES CAN DISCOVER DATA BY:
1. Data System Inventory
- Organizational data is created, moved, copied, modified, shared, and translated
across many data systems, including shadow systems. An entity needs to understand what
data systems are used, who has access to these data systems, and what data is in these
data systems. Therefore, a critical need is having an accessible, up-to-date data system
inventory in place. Before an entity can do data governance or data intelligence, or set policies
addressing data privacy, integrity, security and availability, it must know what it has.
Creating a data system inventory will require some question asking and research.
2. Common Knowledgebase
- Understanding data requires a business glossary and data definitions. Having this
knowledge will improve satisfaction especially with staff who will have a better
understanding of the data. Having a common knowledgebase of data governance related
content including business glossary, data definitions, data system inventory, reference
data report specifications, data quality rules, data policies, and other information is
critical. With access by all, a common knowledgebase makes data discovery and
knowledge a lot easier.
o Business Glossary is one of the harder pieces of data governance as often
discussions, sometimes heated, are necessary to firm up the business glossary
entries.
3. Data Governance Framework
- Entities need some structure around their data, hence the importance of having a data
governance framework in place. There are several IT governance frameworks available in
the market. The most popular of these is COBIT, or Control Objectives for Information and
Related Technologies, a framework created by ISACA for information technology
management and IT governance. The framework is business focused and defines a set of
generic processes for the management of IT, with each process defined together with
process inputs and outputs, key process activities, process objectives, performance
measures and an elementary maturity model.
4. Data Request and Data Quality Issue Processes
- Entities need to have in place a data request process for new reports, new definitions,
data exports, etc., and a data quality issue submission process. Both processes are
important for data discovery.
5. Understand your user’s data behavior
- This includes items such as data sharing agreements with others and specifications on
integrations and data movement/changes. Make sure that this information is documented.
6. Data Governance Solution
Since the entity's data could be everywhere, it needs a solution that can traverse data
systems, provide a framework, have the necessary processes and workflows in place, and be
able to manage the data governance related content and keep it in a common
knowledgebase.
7. Automate and integrate where possible
Entities should not depend on manual entry; there is just too much risk of error. Entities can
add workflows for data stewards where possible, including the approval of data definitions and
report specifications. Entities should also document all the integrations in specifications so
that they know what is in each integration and how the data was modified.
8. Data models
Bringing in your technical data models is easy with a tool such as the Data Cookbook; it is about
automatically importing data models. Intelligent decisions stem from the ability
to discover, classify, optimize, and take advantage of your data.
The first step is finding or discovery of your data. I’m not sure who said knowledge is power,
but it is so true. After the discovery, the next step is knowing. The better the knowledge you
have of your data, the better your data will be, and that leads to better information, which
leads to better data-driven or data-informed decision-making, both in terms of improving the
operations and the controls over IT infrastructure.
2nd Topic: Disruptive Technologies
Our second topic is about disruptive technologies. This topic is about how new technologies greatly
affect the audit strategy and procedures in audit firms and how the auditors are coping with the challenges
brought about by disruptive technologies now. It also includes a discussion of the pros and cons to the
auditor when adopting such technologies.
Though technology adoption can in general be said to be a necessity for running an audit firm, the
approaches and strategies are distinctly different. A digital CPA is not only using technology but also
employing it to transform their business environment to be relevant and future ready for clients and
staff. A lot of technology-deep accounting consultancy and audit firms are today focused on helping
CPAs to be ready for the integration of technology into audit practices, using those tools to
become not only more efficient but also more effective. That is where they try to operate: at the intersection of
efficiency and effectiveness, especially in fraud detection.
Even in the same firm there may be different offices that use more technology throughout the audit.
There are different comfort levels with how people use technology. In a lot of cases you'll find stories of
the same audit staff who may be on one partner's audit engagement, where that partner says that he doesn't
like technology and wants everything done manually with paper, and the same staff will be on a different
audit partner's engagement where that partner wants everything done electronically. Certainly, the firms
are moving towards encouraging the use of technology, but they just haven't forced all the partners to get
there. That's the struggle that some firms have: the specific approach that the partner wants to encourage
the audit team to use. On the whole, however, there is a recognition that technology is certainly the way
forward, and it's just a matter of how quickly everybody gets there.
Clayton Christensen popularized the idea of disruptive innovation in The Innovator's Dilemma,
published in 1997, which received a Global Business Book Award for the best business book of the year.
Interest in the concept has been growing since 2004, according to Google Trends data. Originally,
the concept was related to business theory, defined as innovation that creates a new market and value
network or enters at the bottom of an existing market and eventually displaces established market-leading
firms, products and alliances.
It has since been applied to technology as well. Technology, being a form of social relationship,
always evolves; no technology remains fixed. Technology starts, develops, persists, mutates, stagnates,
and declines just like living organisms. The evolutionary life cycle occurs in the use and development of
any technology. Regarding this evolving process of technology, Christensen said, “the technological
changes that damage established companies are usually not radically new or difficult from a
technological point of view.” They do, however, have two important characteristics:
1) they typically present a different package of performance attributes, ones that at least at the
outset are not valued by existing customers; and
2) the performance attributes that existing customers do value improve at such a rapid rate that
the new technology can later invade those established markets.
Disruptive technologies now here, such as those related to data science, are also having a profound
impact on the skills required of auditors, finance and accounting professionals and regulators, which has
implications for educators, recruitment policies and staff development needs.
Now, let us look at some insights from both clients and providers of assurance and audit services.
The following slides will feature the comments of these at a Breakfast Briefing jointly organized by the
Institute of Chartered Accountants in England and Wales (ICAEW) and the Dubai Financial Services
Authority (DFSA) on December 13, 2017 at the DFSA.
The first of these experts is Marcus Freeman, the CFO of Chalhoub Group at the time of the breakfast
meeting. He is now the President of Operations and the Deputy Group Chief Executive Officer. Chalhoub
Group is a privately held luxury goods retailer and distributor headquartered in Dubai, United Arab
Emirates. The Chalhoub Group is the largest retail operator in the Middle East. It played a crucial role in
developing the luxury sector in the region. The company has more than 12,000 employees in 14 countries.
The second expert is Steven Drake, a Partner, Middle East Leader-Risk Assurance and Capital Market
and Accounting Advisory Services (CMAAS) in PricewaterhouseCoopers, one of the Big Four international
audit firms.
The third expert is Khurram Siddiqui, a Partner, Global Robotics Leader and MENA Digital Leader,
Financial Accounting Advisory Services (FAAS) at Ernst and Young, another Big Four international audit
firm.
And the last expert is Hisham Farouk, CEO and Global Board Member at Grant Thornton. Grant
Thornton LLP is the American member firm of Grant Thornton International, the seventh largest
accounting network in the world by combined fee income. Grant Thornton LLP is the sixth largest US
accounting and advisory organization.
When asked the question,
When will advances in technology result in a real step change in how business is done and what
will be different?
The panel of experts gave the following comments:
From the audit perspective, Hisham reflected that technology will continue to eliminate the
requirement for human clerical and vouching procedures, which will increase time efficiency and reduce
headcount. However, value will continue to be sustained from understanding the client’s business model.
Data analytics is increasing the accessibility of data. However, human intervention is still required to filter the
data and to communicate with and advise clients effectively. We can expect the audit to be delivered by smaller,
technology-conversant audit teams who use data analytics to understand the business drivers and also
have the wider business acumen to understand both boardroom requirements and shareholder
psychology, and are able to communicate the information appropriately. Machine learning and artificial
intelligence are still not at the stage where they can replace that human input.
As clients use more technology, they are increasingly taking on more risk, and their stakeholders will
require a new suite of assurance services to address these new risks. So, while demand for traditional
historical data-focused audit services may decline, Steven saw significant opportunities to develop new
real-time and forward-looking assurance services.
Khurram commented that until recently Bitcoin had been a phenomenon treated with great
skepticism. However, large financial institutions are now talking about how to embrace it and the underlying
blockchain technology. Similarly, the only option for the audit profession is to embrace the developments in
digital technology. Khurram considered that ultimately it is always humans who are the driving force behind
developments in technology. Before ERP solutions were the norm, there was a period of concern that the
role of human input in accounting was being superseded. However, in reality, with increasing complexity of
systems, humans continue to be required to manage them, and in some cases the human oversight
increases with technology. The future is one where humans and machines work together: outsourcing repetitive
and periodic tasks to machines allows humans to focus on problem solving, envisioning and strategizing,
areas where judgment plays a key role. So rather than suffocating the profession, technology will expand and
change the types of services provided to clients. Khurram saw technology expanding and changing the types
of services provided to clients. Describing what the future of it would look like, Khurram stated that the way
audit is performed may change significantly in the future. We are moving from continuous control
monitoring (CCM) to continuous transaction monitoring (CTM), which happens on the client site in real time
with a copy created for the auditors. The use of blockchain technology makes these huge changes possible.
Khurram also commented on another change in audit driven by technological advances. He said regulators
may mandate that an audit sign-off include further value adds. For example, the way audit firms caveat
their work with respect to fraud detection is likely to change, since technology will allow auditors to check
every single journal entry.
Marcus agreed that audits would add more value to corporates if they also encompassed a
forward-looking and real-time aspect, but questioned whether the larger professional services
firms are best placed to offer those services. He raised the question: Is the audit profession as we
know it best placed to mitigate these new corporate risks? He saw technology as a driver leveling
the playing field for small audit firms or even technology businesses to compete as equals. The
bottom line for auditors and audit firms is to embrace technology to keep abreast of clients
that adopt technology to stay competitive in their respective industries. It is needless to emphasize
that audit clients expect the independent auditors to be one step ahead of them in terms of
knowledge and skills. Keeping relevant with competence in new technologies will maintain the
quality of service to audit clients and thus maintain the prestige of the auditing profession.
TECHNOLOGY AND FRAUD
Several slides back, Khurram Siddiqui hinted that because of the ability of the auditors to
look at larger data sets and possibly check every single journal entry, driven by technological
advances, “regulators may mandate that an audit sign off include further value adds”. For
example, the way audit firms caveat their work with respect to fraud detection is likely to change,
reducing the audit expectations gap. Surely fraud detection is one of the highly contested areas of
the expectations gap, which is of course the difference between the expectations of society and the
auditee, especially regarding the detection of fraud, and the actual responsibility of the auditor
regarding fraud detection, which is, as the audit standard says, that auditors are not responsible for
detecting fraud. For one thing, that has never been one of the overall objectives of the auditor as
prescribed in PSA 200. However, because audit firms are embracing, and should embrace, technology to
transform their services to be technologically relevant and future ready for audit clients and audit
firms or audit teams, that expectation gap may be narrowed or may even be closed, with the auditor
stepping up armed with technological tools to better detect material misstatements due to fraud.
Let us also discuss how the auditor may approach new technologies with a focus on how
the users of technology might use it to commit fraud. And in this way the auditor acquires an
understanding of the functionalities of the technology. Such understanding will help the auditor
develop audit procedures to detect if the window to commit fraud has been breached by fraudsters.
One of the key things is to look at the new technologies out there and the first questions auditors
should ask is:
• How would a bad guy or a fraudster use this technology to commit financial fraud?
• Is there an opportunity for them to manipulate the technology in a way that maybe
nobody has thought about yet? And the most important of all audit questions:
• Is there a way they can use this technology to circumvent the auditor's procedures?
That's the lens through which auditors should look at new technologies.
There is definitely a requirement for auditors to understand the workings of the technology.
Maybe not the bits and the bytes and the program code that it is written in, but the
functionality of the technology. In order to understand the functionality, the auditors should
understand the initial intended use of the technology, because the initial intended use may be for
one particular purpose, and while it may have a portability in other areas, it may not really achieve
the audit objective that auditors may assume the technology does. Blockchain may be one of those,
for example; digital signatures are another. There may be some things that people assume or imply
about the technology that may not be the underlying core or basis of the technology. Auditors
certainly do not want to put any emphasis or reliance on an aspect of technology that is not
appropriate. Take digital signatures, for example. Their initial intended use was for
two parties who knew each other and needed to sign a legal document, specifically real estate
contracts, so that they could do it efficiently. At the time, what electronic digital signatures did
not do was validate the identity of the user. The whole point was that the two parties were already
known to each other, and so the digital signature was just a means for them to sign the document
electronically. Yet so much of the market assumed that digital signature companies were validating
the identity of the users. Now, many years later, we're starting to see that functionality take place.
We're starting to see that over in Scandinavia, DocuSign is getting ready to come out with some
tools that validate the identity of the signer. But that's not implicit in the tool and certainly hasn't
been for the last 10 to 15 years that the technology has been available. For an auditor, you really
have to understand the technology and see how a fraudster can maybe use it.
One of the primary potential legal liabilities the auditors face is the fraud aspect of the
engagement. The more automation there is, the more auditors have the ability to look at larger data
sets and not just samples of data. Technology has opened the possibility of looking at all the data
and offers tools that effectively and efficiently do that. Users of the financial statements will
definitely look more to the auditors to effectively identify significant material misstatements due
to fraud. This capability is one of the more significant things that auditors should incorporate into
their audit practices more fully.
Recent articles about audit decry the lack of a fraud university, which is to imply that
auditors are not actually trained to detect fraud in higher education programs such as BS
Accountancy. That really is a valid concern, and so it devolves upon the Board of Accountancy and
the Commission on Higher Education to train future CPAs in identifying risks of fraud. That is
really where the public and the users of the financial statements will look to auditors to do a
better job as we go forward. Scarcely any auditing firm has ever been sued for
conducting an efficient audit, but there are numerous cases of firms that have been sued for missing
a significant material misstatement due to either error or fraud. Because of that exposure, it is
incumbent on auditors to utilize the technology tools in a way that will help them achieve and
perform their job in a way that the public and the users of the financial statements expect of them.
Evolving Technologies & Auditors:
Our third topic is about evolving or emerging technologies. This is about how upcoming technologies,
artificial intelligence or AI, blockchain, cyber security and improvements in data capabilities will affect
the audit strategy and procedures of auditors and how the auditors could cope with the challenges brought
about by these technologies. Technology is directing changes in the way clients run their businesses,
changing their business models and processes. Auditors need to stay ahead of these changes in order to
provide relevant advice and support services. In response to this, audit firms are both recruiting and
partnering with a variety of technology experts. Audit firms need to invest in digital initiatives including AI,
blockchain, cyber security and developments in data capabilities. These initiatives across multiple
technologies will equip them to expand their assurance services to deal with the new technology-driven
risks that their clients face and safeguard their digital assets. Khurram is very on point when he stated that,
“Regulators, auditors and clients all have a role to play. The new talents required are all around
programming, coding and leveraging the technology that is around us. Data security, AI development and
robotics will all be transformational and blockchain is just unavoidable. We are living on a cusp of change.
Regulators are working through this upheaval whilst global professional service firms are aiming to be early
adopters of this technology”.
❖ Artificial Intelligence and how it will affect IS Audit
Artificial intelligence or AI refers to machines undertaking tasks which require some kind of
intelligence, which typically refers to things such as learning, knowing, sensing, reasoning, creating,
achieving goals, and generating and understanding language. Recent progress in AI has been based on
techniques such as machine learning and deep learning, whereby algorithms learn how to do things such
as classify objects or predict values through statistical analysis of large amounts of data, rather than
through explicit programming.
Its emerging impact on IS audit:
AI enables the analysis of a full population of data and can identify outliers or exceptions. By
creating sophisticated machine learning-based models, auditors can also improve fraud detection. Audit is
said to be further transformed by deep learning, a form of AI that can analyze the unstructured data such
as emails, social media posts, and conference call audio files. An example of how AI can be applied to the
audit is in new contract review. Machine learning tools allow humans to analyze a larger number of
contracts, such as leases, in a much shorter time frame than is possible with a traditional manual review.
In a recent pilot, AI tools were able to accurately extract information from lease contracts using pre-selected
criteria in the vast majority of cases, a higher level of precision than the average human reviewer is capable
of. Definitely, aspects of judgment are becoming digitized and continually enhanced in the area of machine
learning and artificial intelligence. Robotic process automation or RPA is already being used in audit
execution, particularly for repetitive tasks like revenue and payroll testing. This is already here. By making
it possible for auditors to work better and smarter, AI will help them to optimize their time enabling them
to use their human judgment to analyze a broader and deeper set of data and documents.
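To make the idea of testing a full population rather than a sample concrete, here is an added example (not part of the lecture) that examines every journal entry in a small constructed ledger. It uses simple rules plus a robust outlier statistic (median and MAD) as a stand-in for the machine-learning models mentioned above; the field names, thresholds and function names are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample journal entries (illustrative only, not data from the lecture).
ENTRIES = [
    {"id": "JE-001", "posted": "2023-03-01T10:15:00", "user": "ap_clerk", "account": "6100", "amount": 1250.40},
    {"id": "JE-002", "posted": "2023-03-02T11:00:00", "user": "ap_clerk", "account": "6100", "amount": 1310.00},
    {"id": "JE-003", "posted": "2023-03-03T09:30:00", "user": "ap_clerk", "account": "6100", "amount": 1198.75},
    {"id": "JE-004", "posted": "2023-03-06T14:20:00", "user": "ap_clerk", "account": "6100", "amount": 1275.10},
    {"id": "JE-005", "posted": "2023-03-07T16:05:00", "user": "ap_clerk", "account": "6100", "amount": 1302.25},
    {"id": "JE-006", "posted": "2023-03-04T23:40:00", "user": "controller", "account": "6100", "amount": 48000.00},
    {"id": "JE-007", "posted": "2023-03-08T10:00:00", "user": "ap_clerk", "account": "7200", "amount": 20000.00},
]


def outside_business_hours(entry):
    """True if posted on a weekend or outside 08:00-18:00 (assumed working hours)."""
    ts = datetime.fromisoformat(entry["posted"])
    return ts.weekday() >= 5 or not (8 <= ts.hour < 18)


def is_round_amount(entry, floor=10_000, unit=1_000):
    """Large, perfectly round amounts are a classic journal-entry test."""
    return entry["amount"] >= floor and entry["amount"] % unit == 0


def amount_outliers(entries, threshold=3.5, min_entries=5):
    """Flag amounts far from their account's median using the modified z-score.

    Median/MAD is used instead of mean/std so that a single huge entry cannot
    hide itself by inflating the spread. Accounts with too few entries, or with
    no spread at all (MAD == 0), are skipped rather than guessed at.
    """
    by_account = defaultdict(list)
    for e in entries:
        by_account[e["account"]].append(e)

    flagged = set()
    for rows in by_account.values():
        if len(rows) < min_entries:
            continue
        amounts = [r["amount"] for r in rows]
        med = median(amounts)
        mad = median(abs(a - med) for a in amounts)
        if mad == 0:
            continue
        for r in rows:
            if abs(0.6745 * (r["amount"] - med) / mad) > threshold:
                flagged.add(r["id"])
    return flagged


def examine_population(entries):
    """Run every test over every entry; return {entry id: [reasons]} for exceptions."""
    outliers = amount_outliers(entries)
    exceptions = {}
    for e in entries:
        reasons = []
        if outside_business_hours(e):
            reasons.append("posted outside business hours")
        if is_round_amount(e):
            reasons.append("round amount")
        if e["id"] in outliers:
            reasons.append("amount outlier for account")
        if reasons:
            exceptions[e["id"]] = reasons
    return exceptions


if __name__ == "__main__":
    for entry_id, reasons in examine_population(ENTRIES).items():
        print(entry_id, "->", "; ".join(reasons))
```

The output is a list of exceptions for the auditor to investigate, not a conclusion: each flagged entry still needs human judgment about whether it is an error, a fraud indicator, or a legitimate transaction.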
❖ Blockchain
Blockchain is a foundational change in how records are created, kept and updated. Rather than
having one single owner, blockchain records are distributed among all their users. The success of the
blockchain approach is in using a complex system of consensus and verification to ensure that even with no
central owner and with time lags between all the users, nevertheless, a single agreed upon version of the
truth propagates to all users as part of a permanent record. This creates a kind of “Universal entry
bookkeeping”, where a single entry is shared identically and permanently with every participant. Each
participant in a blockchain (each node) keeps a copy of all the historical transactions that have been added
to the ledger, and by comparing it to the other nodes' copies, each record is kept synchronized. Unlike in a
traditional ledger system, there is no node with special rights to edit or delete transactions. In fact, there is
no central party at all. One of the situations in which blockchains can be useful is when a trusted central
party is either unavailable or too expensive.
Recording a transaction in a blockchain may or may not provide sufficient, appropriate audit
evidence related to the nature of the transaction. In other words, a transaction recorded in a blockchain
may still be unauthorized, fraudulent or illegal, executed between related parties, linked to a side
agreement that is off-chain, or incorrectly classified in the financial statements. Furthermore, many
transactions recorded in the financial statements reflect estimated values that differ from historical cost.
Auditors will still need to consider and perform audit procedures on management's estimates, even if the
underlying transactions are recorded in a blockchain.
Widespread blockchain adoption may enable central locations to obtain audit data and the auditors
may develop procedures to obtain audit evidence directly from blockchains. However, even for such
transactions the auditor needs to consider the risk that the information is inaccurate due to error or fraud.
This will present new challenges because a blockchain likely would not be controlled by the entity being
audited.
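The distinction drawn above, that a ledger can be intact and still record a transaction the auditor must challenge, is shown in the following added example (not part of the lecture). It is a deliberately simplified hash-chained ledger with no consensus protocol; the transactions, approval limits, related-party list and all function names are constructed for illustration.

```python
import copy
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64

# Constructed sample data (illustrative only).
TXS = [
    {"id": "T1", "payer": "EntityA", "payee": "SupplierX", "amount": 12000, "approver": "cfo"},
    {"id": "T2", "payer": "EntityA", "payee": "DirectorCo", "amount": 95000, "approver": "clerk"},
    {"id": "T3", "payer": "EntityA", "payee": "SupplierY", "amount": 4000, "approver": None},
]
APPROVAL_LIMITS = {"cfo": 100_000, "clerk": 5_000}   # assumed authority matrix
RELATED_PARTIES = {"DirectorCo"}                     # assumed related-party register


def block_hash(index, prev_hash, tx):
    """Hash of a block's position, its link to the previous block, and its content."""
    payload = json.dumps({"index": index, "prev": prev_hash, "tx": tx}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_ledger(txs):
    chain, prev = [], GENESIS
    for i, tx in enumerate(txs):
        h = block_hash(i, prev, tx)
        chain.append({"index": i, "prev": prev, "tx": dict(tx), "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Integrity check: return the index of the first bad block, or None if intact."""
    prev = GENESIS
    for i, b in enumerate(chain):
        if b["index"] != i or b["prev"] != prev or b["hash"] != block_hash(i, prev, b["tx"]):
            return i
        prev = b["hash"]
    return None


def recomputed_head(chain):
    """Recompute the final hash from block contents, ignoring any stored hashes."""
    prev = GENESIS
    for i, b in enumerate(chain):
        prev = block_hash(i, prev, b["tx"])
    return prev


def divergent_nodes(copies):
    """Compare every node's copy against the majority and name the nodes that differ."""
    heads = {name: recomputed_head(chain) for name, chain in copies.items()}
    majority, _ = Counter(heads.values()).most_common(1)[0]
    return sorted(name for name, head in heads.items() if head != majority)


def audit_exceptions(chain, limits, related_parties):
    """Audit procedures the ledger itself cannot perform: authorization and related parties."""
    findings = []
    for b in chain:
        tx = b["tx"]
        if tx["payee"] in related_parties:
            findings.append((tx["id"], "related-party counterparty"))
        if tx["approver"] is None:
            findings.append((tx["id"], "no recorded approver"))
        elif tx["amount"] > limits.get(tx["approver"], 0):
            findings.append((tx["id"], "amount exceeds approver limit"))
    return findings


def run_demo():
    ledger = build_ledger(TXS)
    nodes = {name: copy.deepcopy(ledger) for name in ("node_a", "node_b", "node_c")}
    nodes["node_c"][0]["tx"]["amount"] = 1          # after-the-fact edit on one copy
    return {
        "ledger_intact": verify_chain(ledger) is None,
        "tampered_block": verify_chain(nodes["node_c"]),
        "divergent": divergent_nodes(nodes),
        "exceptions": audit_exceptions(ledger, APPROVAL_LIMITS, RELATED_PARTIES),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=", value)
```

The altered copy is caught by the hash check and by comparison with the other nodes, while T2 and T3 pass every integrity check and are only surfaced by the separate authorization and related-party procedures.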
Impact on IS Audit
• Move from CCM to CTM
Ultimately the technology a client uses will be audited by another set of quality assurance technology.
• Regulators will require audit of client technology models, which may be a higher level technology
In the future regulators will require client technology models composed of robotics and blockchain to
be audited by another level of code. A script will come to audit a script.
• Evaluation of additional General IT controls over blockchain data
The IS auditor will need to extract data from the blockchain and also consider whether it is reliable,
this process may include considering general information technology controls related to the blockchain
environment. It also may require the auditor to understand and assess the reliability of the consensus
protocol for the specific blockchain. This assessment may need to include consideration of whether the
protocol could be manipulated. As more and more organizations explore the use of private or public
blockchains, auditors need to be aware of the potential impact this may have on their audits as a new
source of information for the financial statements. They will also need to evaluate management’s
accounting policies for digital assets and liabilities which are currently not directly addressed in
International Financial Reporting Standards or in Generally Accepted Accounting Principles. They will need
to consider how to tailor audit procedures to take advantage of blockchain benefits as well as address
incremental risks.
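To make the reliability question concrete, the following added example (not part of the original lecture) checks a ledger extract in two ways: internal hash-chain consistency, and agreement with a tip hash the auditor obtained independently. The block layout, the finding codes and the idea that the trusted tip comes from the auditor's own read-only node are assumptions for illustration; real blockchains use their own formats.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64


def block_hash(block):
    """SHA-256 over a canonical JSON encoding of height, prev_hash and transactions."""
    body = {k: block[k] for k in ("height", "prev_hash", "transactions")}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def build_chain(batches):
    """Build a simplified hash-linked ledger from lists of transactions."""
    chain, prev = [], GENESIS_PREV
    for height, txs in enumerate(batches):
        block = {"height": height, "prev_hash": prev, "transactions": txs}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev = block["hash"]
    return chain


def rehash_from(chain, start):
    """Recompute hashes and links from `start` onward, as a consistent rewrite would."""
    prev = chain[start - 1]["hash"] if start else GENESIS_PREV
    for block in chain[start:]:
        block["prev_hash"] = prev
        block["hash"] = block_hash(block)
        prev = block["hash"]
    return chain


def verify_extract(extract, trusted_tip_hash):
    """Return (height, finding) tuples. An empty list means the extract is
    internally consistent AND ends at the independently obtained tip."""
    findings, prev = [], GENESIS_PREV
    for expected_height, block in enumerate(extract):
        if block["height"] != expected_height:
            findings.append((expected_height, "HEIGHT_GAP"))
        if block["prev_hash"] != prev:
            findings.append((expected_height, "BROKEN_LINK"))
        if block_hash(block) != block["hash"]:
            findings.append((expected_height, "HASH_MISMATCH"))
        prev = block["hash"]
    if not extract or extract[-1]["hash"] != trusted_tip_hash:
        findings.append((len(extract) - 1, "TIP_NOT_ANCHORED"))
    return findings


# Constructed sample ledger: three blocks of sales transactions.
LEDGER = build_chain([
    [{"id": "T1", "account": "sales", "amount": 1200}],
    [{"id": "T2", "account": "sales", "amount": 8800}],
    [{"id": "T3", "account": "sales", "amount": 430}],
])
TRUSTED_TIP = LEDGER[-1]["hash"]  # assumption: read from the auditor's own node


def naive_edit():
    """Extract in which one amount was changed and nothing else touched."""
    extract = copy.deepcopy(LEDGER)
    extract[1]["transactions"][0]["amount"] = 880
    return extract


def consistent_rewrite():
    """Same change, but every later hash and link recomputed to match."""
    return rehash_from(naive_edit(), 1)


if __name__ == "__main__":
    print("clean   :", verify_extract(LEDGER, TRUSTED_TIP))
    print("edited  :", verify_extract(naive_edit(), TRUSTED_TIP))
    print("rewrite :", verify_extract(consistent_rewrite(), TRUSTED_TIP))
```

The rewritten extract passes every internal check and is caught only by the tip comparison, which is why an extract supplied by the audited entity needs an anchor the entity does not control.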
Despite these complexities, blockchain technology offers an opportunity to streamline financial
reporting and audit processes. Today, account reconciliations, trial balances, journal entries, subledger
extracts and supporting spreadsheet files are provided to an auditor in a variety of electronic and manual
formats. Each audit begins with different information and schedules that require an auditor to invest
significant time when planning an audit.
• Allow auditors to obtain unalterable evidence in a consistent, recurring format
In a blockchain world, the auditor could have near real-time data access via read-only nodes on
blockchains. This may allow an auditor to obtain information required for the audit in a consistent,
recurring format.
• Continuous audit of organization using blockchain
As more and more entities and processes migrate to blockchain solutions, accessing information in
the blockchain will likely become more efficient. For example, if a significant class of transactions for an
industry is recorded in a blockchain, it might be possible for an auditor to develop software to continuously
audit organisations using the blockchain. This could eliminate many of the manual data extraction and
audit preparation activities that are labor-intensive and time-consuming for an entity's management and
staff.
• Enable focus on riskier and more complex transactions while conducting routine auditing in near
real time
Speeding up audit preparation activities could help reduce the lag between the transaction and
verification dates, one of the major criticisms of financial reporting. Reducing lag time could offer the
opportunity to increase the efficiency and effectiveness of financial reporting and auditing by enabling
management and auditors to focus on riskier and more complex transactions while conducting routine
auditing in near real time.
With blockchain-enabled digitization, auditors could deploy more automation, analytics and
machine learning capabilities, such as automatically alerting relevant parties about unusual transactions
on a near real-time basis. Supporting documentation such as contracts, agreements, purchase orders and
invoices could be encrypted and securely stored or linked to a blockchain. By giving the auditors access to
unalterable audit evidence, the pace of financial reporting and auditing could be improved.
While the audit process may become more continuous, auditors will still have to apply professional
judgement when analyzing accounting estimates and other judgments made by management in the
preparation of financial statements. In addition, for areas that become automated they will also need to
evaluate and test internal controls over the data integrity of all sources of relevant financial information.
Opportunities for Future Roles for professional accountants in the blockchain system
As blockchain systems standardize transaction processing across many industries, a CPA, including
auditors, may be able to help provide assurance to users of the technology. The CPA may be able to fill a
potential future role because of their skill, independence, objectivity and expertise. The following list of
potential new roles for a CPA is illustrative only and not all-inclusive; significant regulatory and professional
hurdles may remain before a CPA is able to take on these potential roles.
1. Auditor of Smart Contracts and Oracles.
As described above, smart contracts can be embedded in a blockchain to automate business
processes. Contracting parties may want to engage an assurance provider to verify that smart contracts
are implemented with the correct business logic. In addition, an auditor could verify the interface between
smart contracts and external data sources that trigger business events. Without an independent evaluation,
users of blockchain technologies face the risk of unidentified errors or vulnerabilities. To take on this new
role, a CPA auditor may need a new skill set, including understanding technical programming language and
the functions of a blockchain.
This type of role also raises important questions for the auditing profession, including:
- What type of skill sets does the profession need to remain relevant?
- What factors would impact assurance engagement risk?
- What would an assurance provider's ongoing responsibility entail once a smart contract is released
into a blockchain?
In the context of a financial statement audit, management will be responsible for establishing
controls to verify whether the smart contract source code is consistent with the intended business logic. An
independent auditor auditing an entity with smart contract blockchain is likely to consider management
control over the smart contract code. However, many companies may choose to reuse smart contracts built
by other entities already active on a blockchain. Future auditing standards and auditing guidance may
need to contemplate this technology and thereby bring clarity to the role of the CPA in those scenarios.
2. Service Auditor of Consortium Blockchains
Prior to launching a new application on an existing blockchain platform, or leveraging or
subscribing to an existing blockchain product, users of the system may desire independent
assurance as to the stability and robustness of its architecture. Instead of each participant
performing their own due diligence, it may be more efficient to hire a CPA to achieve these
objectives.
In addition, critical blockchain elements, for example cryptographic key management,
should be designed to include sophisticated general IT controls that provide ongoing protection
for sensitive information, as well as processing controls over security, availability, processing
integrity, privacy and confidentiality.
On an ongoing basis, a trusted and independent third party may be needed to provide
assurance as to the effectiveness of controls over a private blockchain. This type of service
raises important questions for the profession.
When providing assurance across a blockchain, who is the client?
How would a CPA auditor assess engagement risk for an autonomous system?
How would independence rules apply to users of a blockchain?
3. Administrative Function
Permissioned blockchain solutions may benefit from a trusted, independent and unbiased
third party to perform the functions of a central access-granting administrator. This function could
be responsible for verification of identity or a further vetting process to be completed by a
participant before they are granted access to a blockchain. This central administrator could
validate the enforcement and monitoring of the blockchain's protocols.
If this function is performed by a user or node of the blockchain, then an undue advantage
could exist and trust among consortium members could be weakened. Since this role would be
designed to create trust for the blockchain as a whole, due care will be needed when establishing
both its function and its legal responsibilities. As a trusted professional an independent CPA may
be capable of carrying out this responsibility. However, this role would raise new questions for
the profession.
By taking on such a critical role, is the assurance provider independent from the blockchain
participants?
Could the CPA auditor conduct financial statement audits on those participants?
4. Arbitration Function
Business arrangements can be complex and result in disputes between even the most
well-intentioned parties. For a permissioned blockchain, an arbitration function might be
needed in the future to settle disputes among the consortium-blockchain participants.
This function is analogous to the executor of an estate—a role typically filled by various
qualified professionals including CPA auditors. Participants on the blockchain may require this
type of function to enforce contract terms where the spirit of the smart contract departs from
a legal document, contractual agreement or letter.
Further, consideration should be explored to determine whether an arbitration function
is necessary. If CPAs want to take on this role, critical questions will need to be answered such
as:
What legal framework would be used to settle disputes?
What skill set would be required for a CPA auditor?
Could this role create unintended threats to independence regarding attest clients?
There are still many unknowns with respect to how blockchain will impact the audit and
assurance profession, including the speed with which it will do so. Blockchain is already
impacting auditors of organizations using it to record transactions and the rate of adoption is
expected to continue to increase. However, in the immediate future, blockchain technology
will NOT replace financial reporting and financial statement auditing.
Audited financial statements are a cornerstone of business, and play a key role in debt
and equity financing, participation in capital markets, mergers and acquisitions, regulatory
compliance, and the effective and efficient functioning of capital markets.
Financial statements reflect management assertions including estimates, many of which
cannot be easily summarized or calculated in blockchains.
3. GROWING CONCERNS OVER CYBER SECURITY
While cyber security is not new to the IS auditor, because it is part of the system of internal
control of the IT infrastructure (specifically controls over the security and integrity of data), it has
come to the fore and become a focus of concern because of the increasing cases of data breaches and
the reuse or commercialization of personal data.
Cybercrime and threats to computer systems have become a major concern of businesses
around the world. Our growing reliance on IT and the internet has also greatly increased the
impact of hacking, security failures and the loss of systems. At the same time, cyber attackers
have become more sophisticated and organized.
Cyber security covers measures that protect network systems, devices and data from
attack, unauthorized access, or damage. Good practices in cyber security also cover a wide range
of activities to monitor IT environments, detect intrusions or breaches, and respond to security
failures.
Organizations face many challenges in building effective risk management around cyber
security, including the spread of cyber risk across all organizational activities, the external
nature of many of the threats and the pace of the change in the risk.
The pandemic may have offered criminals extra opportunities to defraud their victims.
For example, you might not have missed the news about many DepEd employees whose Land
Bank accounts have been defrauded using the phishing method of scamming people. Levels of
fraud in the United Kingdom were already on the up.
According to the most recent annual fraud indicator compiled by Portsmouth
University's Center for Counter-fraud Studies, fraud is costing the UK economy 137 billion
pounds each year with losses rising by 56 percent in the past decade.
Recent technology driven improvements to data capabilities include:
✓ the ability to access very large amounts of data
✓ new sources of data particularly unstructured data such as text and images and
✓ greater emphasis on speed and real time data
Different uses of data and associated analytics tools highlight different aspects of these
characteristics.
The ability to process large volumes of data enables analysis of entire data sets rather than just
samples or examination of more granular data. Linking together data from different systems or
new data from third parties can provide fresh insights.
Technology now allows:
✓ access to vast amounts of data which if analyzed appropriately can offer an
extraordinary view of the organization.
✓ It is also changing the way business is conducted and data is analyzed.
✓ There is an increasing focus on data management.
✓ Moreover, the advent of cloud computing and cloud storage has opened up the
possibilities of collecting and analyzing data on a previously unimaginable scale.
IMPACT ON IS AUDIT
Going beyond the confines of company data allows auditors to collect and analyze broader industry
data sets that were previously inaccessible. These enable the auditors to better identify informational
outliers and increase their ability to generate business insights and focus on business and financial
reporting risk.
The evolution of technology challenges the current value proposition of the audit. Moving to
offshoring allowed all the firms to cut costs, and now automation will enable firms to cut the time required
to complete an audit. Within a decade, an audit will be completed within a fraction of the time, given access
to real-time data. Audit fees have typically been charged based on the time taken to conduct the audit. But
audit firms will no longer be selling time.
Hisham suggested that “the audit profession will need a new value model that clients can
understand. With the use of technology, fees will be based on knowledge, connecting that knowledge to
strategy, mitigating the specific risk of the organization and becoming the advisory driving force for the
organization's board and stakeholders.”
OPPORTUNITIES IN DATA ANALYTICS
Opportunities in data analytics is our fourth topic. Data analytics is not in the curriculum of BS
Accountancy in the university. Yet, as early as 2007, in a seminar I attended, a board of accountancy
member expressed apprehension that big data analytics will overshadow much of the function of
management advisory services. With its broader range of data than MAS coupled with data analytics tools,
managers can have a better view of the organization's operations and discover more insights hidden in big
data. Even hidden insights that have the potential to propel the entity to industry leadership.
When asked the question:
What opportunities in recent evolutions does data analytics bring to auditors?
Here are the insightful comments of the four resource experts who attended the aforementioned
breakfast meeting in DFSA.
Against the backdrop of recent evolutions in technology:
• Steven Drake proposed that we initially consider the concept of what is an audit now and what
will be the audit of the future. Typically, an audit has looked at historical financial statements
and provided an opinion. Steven commented that: “Data analytics is doing more than just change
the way we will do an audit. It will change what an audit in the future will look like.”
As clients adopt new technology, they will be looking to wider assurance services to mitigate risks in
their business beyond the focus on historical information. Technology is disrupting the audit process by
increasing automation to drive efficiencies.
• Khurram Siddiqui highlighted key areas of change: “Traditionally the audit approach was a
combined risk assessment using substantive sample testing and assessment of control. Now:
- With technology enabling us to test the full population of entries and not only a sample,
we move away from asking ‘what could go wrong?’ to ‘what has gone wrong?’
- We have more certainty and precision with regards to the transactions, and more
transactional evidence of control weaknesses.
- Furthermore, aspects of judgment are becoming digitized and continually enhanced in
the era of machine learning and artificial intelligence.”
• Hisham Farouk commented that: “The professional services firms continue to respond to
increased use of technology by their clients. This evolution started as clients moved to using
accounting software and ERP solutions and now another phase begins where the profession is
beginning to connect to those client systems. We are now not only analyzing data, because
clients have greater connectivity and accessibility of data, but through machine learning the
quality of the data we are able to extract is far better, enhancing both the efficiency and rigor
of the audit process.”
• From a CFO perspective, Marcus Freeman commented that: “The ability of technology to allow
the testing of entire populations shifts the perspective on the value of an audit. Data analytics
allows the auditors to provide both a helicopter view of the financials and a detailed and complete
view of the accounting records, resulting in more insights. There is now more pressure for an
audit to focus on detecting fraudulent transactions, as technology now exists to highlight any
journal entries that are deviating from the standard process and other anomalies.”
- Marcus cautioned however that: “In a matter of time, all the global audit firms will be
able to offer similar technological solutions. And since the technology itself is not
proprietary, there appear to be limited barriers to entry. And so, nothing stopping
smaller technology-savvy players entering this market to offer the same technological
solutions. Data analytics can also support a CFO in maintaining the internal control
environment. So, what is stopping corporates from investing in audit technologies
themselves to mitigate the need for external audits? Both these factors could see the
audit being commoditized.”
The last evolving technology we will discuss is the advances to data capabilities.
Data is at the heart of all economic activity including the accounting profession.
Recent technology-driven improvements to data capabilities include the
- ability to access very large amounts of data
- new sources of data particularly unstructured data such as text and images and
- greater emphasis on speed and real time data
Different uses of data and associated analytics tools highlight different aspects of these
characteristics. The ability to process large volumes of data enables analysis of entire data sets rather than
just samples or examination of more granular data.
Linking together data from different systems or new data from third parties can provide fresh
insights. Technology now allows access to vast amounts of data which if analyzed appropriately can offer
an extraordinary view of the organization. It is also changing the way business is conducted and data is
analyzed. There is an increasing focus on data management. Moreover, the advent of cloud computing and
cloud storage has opened up the possibilities of collecting and analyzing data on a previously unimaginable
scale.
Impact on IS Audit
Going beyond the confines of company data allows auditors to collect and analyze broader industry
data sets that were previously inaccessible.
- This enables the auditors to better identify informational outliers and increases their ability to
generate business insights and focus on business and financial reporting risk.
- The evolution of technology challenges the current value proposition of the audit. Moving to
offshoring allowed all the firms to cut costs, and now automation will enable firms to cut the time required
to complete an audit. (This changes the value proposition of audit; fees could later be based on knowledge,
not time spent.)
- Within a decade, an audit will be completed within a fraction of the time, given access to real-time
data. Audit fees have typically been charged based on the time taken to conduct the audit, but audit firms
will no longer be selling time. Hisham suggested that, “the audit profession will need a new value model
that clients can understand. With the use of technology, fees will be based on knowledge, connecting that
knowledge to strategy, mitigating the specific risk of the organization and becoming the advisory driving
force for the organization's board and stakeholders.”
Opportunities in Data Analytics is our fourth topic.
Data analytics is not in the curriculum of BS Accountancy in the university. Yet, as early as 2007, in a
seminar I attended, a Board of Accountancy member expressed apprehension that big data analytics will
overshadow much of the function of management advisory services.
With its broader range of data than MAS (Management Advisory Services) coupled with data
analytics tools, managers can have a better view of the organization's operations and discover more
insights hidden in big data, even hidden insights that have the potential to propel the entity to industry
leadership.
When asked the question, what opportunities in recent evolutions does data analytics bring to
auditors?
Here are the insightful comments of the four resource experts who attended the
aforementioned breakfast meeting in DFSA.
Against the backdrop of recent evolutions in technology, Steven Drake proposed we initially consider
the concept of what is an audit now and what will be the audit of the future. Typically, an audit has looked
at historical financial statements and provided an opinion. Steven commented that, “data analytics is doing
more than just change the way we will do an audit. It will change what an audit in the future will look like.”
As clients adopt new technology, they will be looking to wider assurance services to mitigate risks in their
business, beyond the focus on historical information.
Technology is disrupting the audit process by increasing automation to drive efficiencies. Khurram
Siddiqui highlighted key areas of change: “Traditionally the audit approach was a combined risk assessment
using substantive sample testing and assessment of controls. Now, with technology enabling us to test the
full population of entries and not only a sample, we move away from asking ‘what could go wrong?’ to ‘what
has gone wrong?’ We have more certainty and precision with regards to the transactions and more
transactional evidence of control weaknesses. Furthermore, aspects of judgment are becoming digitized
and continually enhanced in the era of machine learning and artificial intelligence.”
Hisham Farouk commented that, “the professional services firms continue to respond to
increased use of technology by their clients. This evolution started as clients moved to using
accounting software and ERP solutions and now another phase begins where the profession is beginning
to connect to those client systems. We are now not only analyzing data, because clients have greater
connectivity and accessibility of data, but through machine learning the quality of the data we are able to
extract is far better, enhancing both the efficiency and rigor of the audit process.”
From a CFO perspective, Marcus Freeman commented that, “the ability of technology to allow the
testing of entire populations shifts the perspective on the value of an audit. Data analytics allows the
auditors to provide both a helicopter view of the financials and a detailed and complete view of the
accounting records, resulting in more insights. There is now more pressure for an audit to focus on
detecting fraudulent transactions, as technology now exists to highlight any journal entries that are
deviating from the standard process and other anomalies.” Marcus cautioned however that, “in a matter of
time all the global audit firms will be able to offer similar technological solutions, and since the technology
itself is not proprietary, there appear to be limited barriers to entry, and so nothing stopping smaller
technology-savvy players entering this market to offer the same technological solutions. Data analytics
can also support a CFO in maintaining the internal control environment. So what is stopping corporates
from investing in audit technologies themselves to mitigate the need for external audits? Both these
factors could see the audit being commoditized.” Commoditization in business literature is defined as the
process by which goods that have economic value and are distinguishable in terms of attributes end up
becoming simple commodities in the eyes of the market or consumers. Marcus acknowledged that
currently corporates leverage the audit partner relationship as a source of valuable business advice, but
this may become less important as machine learning tools provide more detailed analysis of the red line
issues in the business and offer potential solutions. “There is a real risk of disintermediation of the audit
profession. Perhaps even judgment can be commoditized.”
From a finance department perspective, the benefits of automation and machine learning are
already being felt as businesses replace clerical headcount with machines. Marcus commented, however,
that what is still required in the near term is better qualified accounting personnel who know how to think,
can apply judgement and can analyze and draw insights from data.
After discussing the new disruptive technologies and the emerging or evolving ones, we can now
summarize the significant impact of information technology on audit. In summary, what these experts are
telling us the disruptive and emerging technologies will do in the foreseeable future is:
1. Technology will allow auditors to check every single journal entry.
2. Technology will continue to eliminate the requirement for human clerical and vouching
procedures, with human interventions still required to filter the data and to communicate and advise clients.
3. Technology will reduce the size of the audit team to a smaller technology conversion team.
4. Technology will give rise to a wider range of assurance services that the clients will ask auditors
to provide, while reducing the demand for traditional historical FS audit services.
5. Technology will move IS audit from continuous control monitoring to continuous transaction
monitoring, which happens on the client side in real time with a copy created for the auditors.
6. Technology will encourage regulators to mandate that an audit include value-adding services such
as fraud detection, since auditors will be able to check every single journal entry.
7. Technology will level the playing field in favor of small audit firms.
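The shift from sample testing to checking every journal entry can be shown with a small added example (not part of the original lecture). It runs four exception tests over a constructed population of 200 entries and then computes how likely a 25-item random sample is to miss every exception. The tests, the approval limit and all entry data are assumptions chosen for illustration.

```python
from datetime import date, timedelta
from math import comb

APPROVAL_LIMIT = 50_000  # assumed threshold above which extra approval is required


def make_entry(je_id, posted, preparer, approver, debit, credit):
    """One journal entry, reduced to the fields the tests below need."""
    return {"id": je_id, "posted": posted, "preparer": preparer,
            "approver": approver, "debit": debit, "credit": credit}


def build_journal():
    """Constructed population: 197 routine entries plus three exceptions."""
    monday = date(2024, 3, 4)
    journal = [
        make_entry(f"JE-{i:04d}", monday + timedelta(days=i % 5),
                   "clerk1", "mgr1", 1000 + 10 * i, 1000 + 10 * i)
        for i in range(197)
    ]
    # Debits do not equal credits.
    journal.append(make_entry("JE-X1", date(2024, 3, 5), "clerk1", "mgr1", 1200, 1000))
    # Prepared and approved by the same user, posted on a Saturday.
    journal.append(make_entry("JE-X2", date(2024, 3, 2), "clerk2", "clerk2", 7000, 7000))
    # Amount sits just under the approval limit.
    journal.append(make_entry("JE-X3", date(2024, 3, 6), "clerk1", "mgr1", 49_900, 49_900))
    return journal


def check_entry(entry):
    """Return the exception codes raised by a single entry (empty list if none)."""
    codes = []
    if entry["debit"] != entry["credit"]:
        codes.append("UNBALANCED")
    if entry["preparer"] == entry["approver"]:
        codes.append("SELF_APPROVED")
    if entry["posted"].weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        codes.append("WEEKEND_POSTING")
    if APPROVAL_LIMIT * 99 // 100 <= entry["debit"] < APPROVAL_LIMIT:
        codes.append("JUST_BELOW_LIMIT")
    return codes


def check_population(journal):
    """Test every entry and return {entry id: [codes]} for the exceptions only."""
    results = {}
    for entry in journal:
        codes = check_entry(entry)
        if codes:
            results[entry["id"]] = codes
    return results


def sample_miss_probability(population, exceptions, sample_size):
    """Probability that a simple random sample contains none of the exceptions."""
    return comb(population - exceptions, sample_size) / comb(population, sample_size)


if __name__ == "__main__":
    journal = build_journal()
    flagged = check_population(journal)
    for je_id, codes in flagged.items():
        print(je_id, codes)
    miss = sample_miss_probability(len(journal), len(flagged), 25)
    print(f"25-item sample misses all {len(flagged)} exceptions: {miss:.1%}")
```

With these constructed figures the full-population run reports all three exception entries, while a 25-item sample would contain none of them roughly two times in three.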
Given the speed of technological and digital advances, it is imperative that those in the audit and
finance profession invest in understanding and developing these technologies to benefit their respective
sectors. This is a huge challenge, particularly in audit, where the pace of technological change, specifically
the move from sample testing to 100% population testing and from historic testing to real-time testing, is
spurring the need to revisit the audit approach in an unprecedented manner. Technology will drive down
the time taken to conduct an audit as testing becomes more automated and conducted on a real-time
basis. Views were expressed around the need to develop new methods for calculating audit fees based
on technological resources used in the process and the value added by audit teams who derive insight from
the data. There will be opportunities for the firms to develop more forward-looking assurance services,
helping clients to manage risk and drive growth.
Technological advances which could lead to the commoditization of the audit and even the
disintermediation of audit firms by other technology players were considered potential threats of which
audit firms need to remain vigilant. Advances in technology open up a debate on the skill sets that are
relevant to the industry now and in the future. While it is clear that lower-level accounting and auditing skills
can be replaced easily by technology, human business acumen and communication skills remain crucial.
The required combination rests in a blend of human capital resources, incorporating specialized
technology and digital skills, technical accounting and audit skills, and professional skills such as
communication, leadership and business acumen. While we are clearly on the cusp of a changing
professional landscape, it remains unclear exactly where the digital revolution is heading, and regulators are
grappling with how best to regulate these markets. In the interim, the professional membership bodies,
professional services firms and corporates need to engage with technological developments and respond
to the benefits, risks and opportunities they bring.