Testing payroll during an audit can be a tedious manual process, the kind of grunt work that has long been viewed as the “dues” paid by young auditors before they advance in their careers. Recently, however, one computer-savvy associate at PwC decided not to pay those dues.
Instead, the associate — “someone at the most junior levels of an audit team,” according to vice chair and assurance leader Wes Bricker — built their own computer model to quickly evaluate the reasonableness and appropriateness of any given payroll expense. And rather than hand out a stern warning against deviating from long-established audit processes, PwC sent the associate’s data workflow and visualization tool to its Digital Lab for vetting, and then rolled it out for use by all of its audit teams. To date, the Digital Lab has shared approximately 7,500 of these “citizen-led” digital assets across the firm.
Welcome to the new world of auditing, where people and technology are inextricably intertwined, leading to audits that are faster and more efficient and, perhaps most important, creating the opportunity for major improvements in audit quality.
Faster first, then better?
The last decade has seen a significant increase in the audit profession’s adoption of a range of software and hardware solutions that have reduced or eliminated a great many manual tasks, streamlined data collection and other audit processes, and given auditors a new level of flexibility. Whether intentional or not, the primary result of this increased adoption has been efficiency gains, with firms able to conduct audits more quickly and with fewer people.
“Firms have been investing heavily over the past several years in several different advanced technologies to enable both remote work and automation of basic tasks, much of which goes to efficiency,” said Julie Bell Lindsay, the executive director of the Center for Audit Quality.
Besides producing general efficiency gains, the investment also paid off in allowing auditors to switch to working remotely during the COVID-19 pandemic, and spurred even further adoption of new technologies. “The rapid acceleration to remote work in the past year due to the pandemic has also led to increasing creativity by firms, such as using cameras and livestream technology to test inventory without a site visit,” said Erik Asgeirsson, the president and CEO of CPA.com.
Using drones or smart glasses to check inventory without visiting a client’s warehouse, or using APIs to gather their financial data more quickly, or building a bespoke tool to automate payroll testing are all great examples of using technology to streamline an audit, and they’re certainly valuable.
But do they make an audit better?
Experts in the field are quick to point out that they create the possibility of making the audit better. “The more we can make mundane processes automated,” explained Tim Landry, an assurance services partner in the national quality control group and assurance applications technology leader at Top 100 Firm Marcum, “the more we’ll free our teams up to use their brainpower and knowledge.”
Time, energy and expertise once spent on rote tasks can be redirected toward higher-value work on the audit — and many people assume that it will — but it can also simply allow firms to take on more audits, or to get by with fewer staff.
There are some ways, though, that efficiency gains do contribute directly to audit quality. “The increasing automation of inputs enabled by the cloud and intelligent workflows reduces redundant, manual data entry, which can introduce error,” noted Asgeirsson. Fewer fat-finger errors is a clear plus, as is the consistency of calculation, tabulation and so on that comes with taking tasks like that out of human hands.
And at their best, efficiency technologies empower audit staff and augment their capabilities, which can only have positive results for quality. As Bricker puts it, “Automation is how technology can harness points in the audit process to achieve synergy between our people and the machines that they use, so that the sum is greater than those individual parts.”
While the boost to audit quality from technologies that are primarily efficiency-related is — or can be — real, it’s not where the biggest potential gains lie.
“I think there’s no single area in the audit that can’t be improved by technology,” said Christian Peo, national managing partner of audit quality and professional practice at Big Four firm KPMG. “The field is ripe; it is ready for further incremental improvements.”
For the present, the biggest potential seems to lie in four areas, where audit firms have already begun applying technology to good effect: consistency and standardization, initial risk assessment, better and deeper use of data analytics capabilities, and the use of artificial intelligence.
(Click here to see Wes Bricker's "4 key concepts in audit quality.")
“Same As Last Year” has become something of a euphemism for the thoughtless repetition in audit processes, but standardization and consistency in repetition can actually contribute to audit quality.
“Robotic process automation software is often associated with driving efficiencies, but is also used to drive consistency and ensure a higher volume of work is done accurately, from the perspective that repetitive tasks that were previously done by humans can be automated, thereby eliminating the potential for human error,” said Tammy Mooney, senior director of audit innovation at the American Institute of CPAs.
At an even higher level, establishing high-quality procedures and then ensuring their regular application through audit systems can make sure that all audit work is done at the highest level.
“Standardization is about taking a look at where we can work at scale on a centralized basis,” explained PwC’s Bricker. “It’s not a cost decision — it’s about consistency of execution, which contributes to quality.”
A prime example of this kind of higher-level standardization pushing audit work to a higher level is KPMG’s centralized audit platform, KPMG Clara (based on the Latin “clarus” for “bright” or “clear”). “Clara is probably our most important technology, and that’s because it not only is the workflow and drives the auditor to apply the methodology that is consistent with the standards, but it also is the platform to allow for other technologies to be embedded in and incorporated into our audit methodology,” said Peo. “You can create all kinds of technology, but if they’re not really embedded in your audit methodology and they’re just sitting on a shelf waiting for an audit team to pull them off the shelf and use them, then it won’t be consistently used, and it actually might not be used quite correctly if it’s not incorporated into your audit methodology.”
In a similar vein, the professionwide Dynamic Audit Solution project led by the American Institute of CPAs, CPA.com and CaseWare International aims to embed a brand-new audit methodology into a software application that will, among other things, make sure the methodology is consistently applied from one audit to another, while not succumbing to the mindless repetition of SALY. The project aims to release its first iteration this year; the three partners have already released a number of attest tools that offer the same type of consistency of approach in their OnPoint A&A Suite.
A focus on risk
The risk assessment phase that helps kick off every audit needs all the improvement it can get, according to Cathy Rowe, vice president of product management at Wolters Kluwer Tax & Accounting US, thanks in part to changes three years ago in the peer review process for audit firms that place it under heavy scrutiny.
“What firms did before is no longer going to be good enough,” she warned. “Firms had to adopt the right methodology to drive assessing risk and doing that linkage, and assessing risk at the assertion level, and making sure that every audit had a specific risk. Now we’re nearing the end of that three-year period this fall, and I think the real call to action for firm is, are they following the risk assessment standards, and if they’re not, they need to, because it will have a direct impact on their audit quality and on the success of their future peer review.”
Top 100 Firm Baker Newman Noyes has implemented technology in part to help it systematize and deepen its approach to risk, according to Patrick Morin, principal of information systems and risk assurance. “We rolled out a new methodology that we subscribe to, and what the solution does is require the auditor to more formally document all of the risks for the engagement, based on the nature of the client and the industry they’re in and the type of accounting activities, and integrate that risk assessment with all of the underlying software applications and their databases as well as their operating systems. Then you need to brainstorm what the risks are, enumerate the controls, and then, based on all that, test it.”
“Basically, it forces the auditor to make sure that they’ve looked at everything from the controls side, from the business process as well as the IT process, and where those intersect,” he explained. “The tool allows us to ensure that we’ve been thorough and by default have a much more effective audit, and it makes us prioritize where we put the most effort on our jobs.”
A risk-based audit methodology backed by technology is critical for improving the quality of risk assessments, according to Rowe, “so that you have a higher emphasis in the planning process and having that understanding of your client to identify the risks that are unique for that client based on the data that you’re getting in, and being able to then tailor your engagement for that client for the risks that you have identified, being able to have that linkage between the steps that you do and the risk — really having a purpose for what you’re doing and why.”
Cloud storage, better data pipelines and related technologies are enabling earlier and more complete data acquisition for audit teams, contributing significantly to better risk assessment. “This capability, along with expanded data analysis capabilities, can significantly improve the auditor’s understanding of the entity and provide for an enhanced risk assessment process,” said the AICPA’s Mooney. “In other words, the tools can assist the auditor in gaining a deeper understanding of the entity, better identify risks (or transactions that occurred due to the risk) and focus on what matters most in the audit.”
But risk assessment isn’t the only area where improvements to auditors’ ability to acquire and manipulate data can make a difference to quality.
Big on data
At Marcum, data analytics are so important that the firm has set up a standalone group, the Data Solutions Center, which specializes in data analysis tools and testing.
“We’ve built this team and bolted it on as a service to the audit group,” explained partner and chief information and digital officer Peter Scavuzzo. “The audit group sends over data, and the team is doing hundreds and hundreds of analytics for all these audits, with pure data analytic competency — and they give it back to the auditors, consistently at the same level of quality.”
The DSC has a library of test templates, and if an auditor on an engagement wants a new test run, it gets sent to the firm’s audit transformation team for review before getting added as a template for all audit teams to use. “As someone comes up with a new test, 900 other people may have an interest in it, and they can look at the list and say, ‘I love that test,’” said Scavuzzo.
Its sole focus on data analytics gives the DSC a level of expertise that the average auditor can’t hope to match; it has been so successful that Marcum has made its capabilities available to its advisory and tax departments, and is considering offering its services to clients. “We have even had a couple of accounting firms that have approached us about sending their audit work to our solution center,” Scavuzzo noted. “Maybe it’s not a terrible idea.”
According to Peo, KPMG is in the pilot stages of getting transaction-level detail and doing transaction-level scoring on it — “really taking a look at detailed transactions, so you’ll get all of the ledger detail of, say, revenue transactions, and instead of having an individual look at revenue at a top level and come up with, ‘Well, this is what I think from a complexity standpoint,’ and all the factors that are in the standard that tell you this is how you think about the level of risk and how you respond to it, the routines that we run that data through can spit out an answer that is then consistent across all of the audits.”
“Analytics is a clear example of what you can do now,” added Wolters Kluwer’s Rowe. “Being able to get comfortable with working your clients’ data so that you can really validate the estimates that you’re making; you can do your sampling much faster; you can have a consistent process for your entire firm in terms of running the analytics and executing the steps much faster, and being able to work with 100 percent of the data, so that you are moving away from looking for a needle in a haystack to having the data kind of tell the story for the auditor.”
Besides testing, there are opportunities in bringing together disparate sets of data. “You’ll see things you never thought you’d see from multiple data sets,” said Scavuzzo. “Auditors can take AP by itself or cash by itself, but there are aspects of relationships between all those when they are aggregated all together, and a different rule set could surface other, different insights.”
Nontraditional data sources also offer opportunities for better-quality audits. According to the CAQ’s Lindsay, auditors are now using machine learning tools to scan third-party-verified reviews of a company’s products to assess whether the company’s warranty reserve liabilities are accurate and sufficient. “In other words,” she said, “is what the company is saying they need from a warranty reserve liability accurate with how customers are perceiving the product? It’s allowing a broader review of information that only further improves the overall quality of the audit.”
Mention of machine learning naturally leads to its cousin, artificial intelligence, the fourth major area where audit quality is likely to see major gains.
(Click here to learn about "Game-changing technologies in audit.")
Just the beginning
AI and machine learning is being applied all across the accounting profession, not just in auditing, but in many ways they are still in their early days.
“One of the future aspects that firms are going to need to start looking into — and we’ve done this to some degree — is cognitive computing, the simulation of human thought and the use of human models, like AI,” said Marcum’s Landry. “If we can train a program that is AI-based to read documents and summarize them based on parameters we establish, you can take the time away from our associates and run it through this system and have them spend more time looking at the accounting aspects of what is found through the AI technology, rather than having them sit there and read 600 pages.” He noted, though, the cognitive systems require a lot of training, and must be continuously fed new examples until they understand what they’re looking for.
KPMG actually has a tool in a pilot phase to read contracts and business agreements, looking for audit-relevant information. “A two-page contract is easier for someone to read through, but when you get to a thousand-page contract, a loan agreement, a debt agreement — those are hard to go through, and very labor-intensive,” said Peo. “Having technology read through those documents much faster than a human could and identify key terms — it’s a great tool for us.”
It’s important to remember that in many cases auditors won’t just use a technology — they may need to audit them, as well. All sorts of organizations are or will soon be using AI in business-critical functions, according to Brian Fox, the founder of Confirmation and vice president of strategic partnerships in the tax & accounting business of Thomson Reuters, and an emerging company called Monitaur aims to give auditors the ability to audit an AI-based system, he said.
Most algorithms are static, so an auditor can test them and be comfortable that they’re operating as they would have earlier in the year, but artificial intelligence changes over time, so that an AI tool at a bank might make different lending decisions in December than it did in June.
“AI decision-making changes and is updated as it learns over time,” Fox said. “Therefore, the auditor needs the ability to verify at the end of the year whether the AI made the correct decision in the middle of the year, even though it might have made a different decision now given what it has learned since the historical point in time.”
Into the future
As important as these four areas are, they are hardly the only ones where technology can improve the quality of audits. Staff and client collaboration tools, for instance, are already beginning to allow firms to better deploy their human capital, making sure that the right auditor is assigned to the right engagement.
Nor have they taken their final shape; as technologies of all kind advance, their ability to improve the quality of audits will advance as well.
In some cases, this will be a matter of combining two different developing solutions. “With data analytics powered by machine learning, we’ll eventually see the development of more precise risk assessment and benchmarking to spot anomalies that may require further confirmation or exploration,” noted CPA.com’s Asgeirsson.
“What’s coming down the line is how we can augment the auditor with artificial intelligence,” added Wolters Kluwer’s Rowe, “taking the story with our data, and layering on artificial intelligence to be predictive in terms of what risks you may want to consider or similar clients may have had similar risks in that industry, and also being more predictive in terms of what are the best steps to address those risks.”
PwC’s Bricker, meanwhile, sees potential in enhancements to the structuring and formatting of financial data at earlier stages in the process. “I think the next step change is really framed around digitization of corporate reporting and business reporting,” he said. “We’ve had digital representations of financial statements and audit reports for years, but over the last 15 years, we’ve increasingly structured that content. We’ve structured that content at the point of disclosure — that’s the XBRL and 10-K filings and so forth — there’s more and more opportunity to structure it at earlier points in the process, from point of entry in accounting systems to flow the whole way through reporting. Those innovations impact the preparation of information, which then impacts the auditing of that information.”
Looking further down the road, many experts believe that blockchain has the potential to have a major impact on auditing — just not yet. The distributed ledger technology includes features that make it practically impossible to change or falsify earlier information, or to disguise who is adding records to the system, which has obvious benefits for auditors, but it’s still far from widespread adoption in the broad corporate world.
“When distributed ledger hits mainstream, we will perhaps see a seismic shift in audit quality, and to some degree, some audit needs will go away and the emphasis of audit will change,” said Baker Newman Noyes’ Morin. “We’ll be looking more at the ethical application of the tools that leverage distributed ledger, as well as maybe audit compliance to other attributes other than just the numbers themselves.”
Marcum’s Scavuzzo similarly feels that blockchain may be a game changer, but that its impact isn’t likely to be felt in the next three to five years.
More immediate potential for improvement to audit quality, though, is seen in the ability to move closer and closer to a real-time audit, as finance and accounting systems get faster, and auditors gain access to them on a more regular basis.
“We really only audit at the end of the year, but we know the financial markets move substantially every quarter that a company releases its earning statements,” said Thomson Reuters’ Fox. “For the first time, technology is going to allow us to do full quarterly audits or semiannual audits. You could do monthly, you could go to weekly and daily; you get into the continuous audit.”
That ability to see where a company stands at any point, and what mistakes it may be making in reporting or new activities it may be undertaking, can let an auditor intervene earlier or being to prepare for new challenges; as a window into what’s going on, it also gives the auditor ever-greater opportunities for catching fraud at all levels, and adding value to an audit.
“Right now, we clearly have to tackle material misstatements due to fraud; we’re missing those in droves and we’re getting a black eye,” said Fox. “If and when we get to the point where we’re really good at finding material misstatements due to fraud, then the next layer is, let’s cut out employee theft, let’s cut out those types of fraud, and hopefully continue to get smaller and smaller and drive it out. That’s the ultimate goal.”
That goal may be far down the road, but it’s never too early to start preparing for it.
“We have to think ahead for the next 10 to 15 years,” said Marcum’s Landry. “The way we audit now is going to be completely different from how we audit in the future. Now is the time to find efficiencies and improve audit quality by implementing new techniques and new approaches.”