The Evolution of Audit in the Wake of the Pandemic

The practice of audit is age-old, though the many models and methods have evolved over time. The audit community has faced significant challenges, ranging from misalignment with auditees to ignorance about changing risk areas with technology advances. One challenging area for auditors is the interconnected business environment.

The auditor’s role in the interconnected business environment is complex and vast; of foremost importance is to understand how business functions and how different verticals interlink.

Even before beginning the audit, it is essential for the auditor to take a holistic approach to examining the overall mechanism and operations of the interconnected business environment.

To serve organizations well and conduct high-quality audits, tomorrow's auditors will need to be digitally adept. Adoption of data analytics, distributed ledger technology (DLT), robotic process automation (RPA), drone technology, machine learning (ML) and other emerging technologies is on the rise.

Many businesses have been compelled to establish remote work operations and adopt digital technologies due to the coronavirus pandemic, whether they were ready or not. Consequently, COVID-19 has substantially expedited the development of virtual audit capabilities. The winds were already shifting, owing to the introduction of new technologies and increased investor expectations, but COVID-19 significantly increased the pace. Auditors have been experimenting with new technologies and working with big data to execute higher-quality, more efficient and better-targeted audits. The digital revolution is transforming the auditing process into something completely different—a redesigned auditing experience.

The Landscape of Audit

The auditing profession is being disrupted. Technology is quickly evolving, and the real-time economy is transforming how data are received and processed. Audits are still carried out regularly, expressing opinions on past data, but COVID-19 shattered the status quo in a short time span. At the outset of the pandemic, federal and provincial securities authorities gave organizations some leeway with deadlines, but they still needed to speed up their digital procedures for continued quarterly and yearly reporting. The pandemic pushed everyone involved to adopt a new auditing approach, and cloud- based data extraction technologies were put to the test straightaway. Some IT auditors have lagged in technology advances, and, as a result, the gap between current technology practices and accounting and assurance methods has become more significant in both the public and commercial sectors. With the advancement of cloud computing technologies, new risk has emerged, and new controls must be designed to ensure the security of information managed and stored in the cloud. Audits must also be tailored to the cloud's unique requirements and characteristics.

Going forward, auditors need to continue to adapt to changing business models and gain better understandings of the various digital technologies utilized by organizations.

Emerging technologies have the potential to increase audit quality while adding value. Audit is transitioning from a reactive, backward-looking activity to a proactive, predictive, forward-looking one that operates in real time. It offers a way to assist businesses by delivering timely information.

THE PANDEMIC PUSHED EVERYONE INVOLVED TO ADOPT A NEW AUDITING APPROACH, AND CLOUD- BASED DATA EXTRACTION TECHNOLOGIES WERE PUT TO THE TEST STRAIGHTAWAY.

The Auditor’s New Role

Auditors base their audits on inquiry, observation and reperformance. For generations, auditing has been based on adhering to established principles. However, technology is clearly changing how audits are performed today and how they will be conducted in the future. For example, auditors are able to carry out an audit differently after extracting and downloading all of a client’s financial reporting data, including supporting documents. In the past, there was generally an anticipated error rate when an auditor used a statistical sampling technique on a batch of invoices. However, having remote access to all of a client’s data has allowed the implementation of new, improved data and analytics (D&A) procedures that can verify every single transaction, ensuring that any error is a hard error.

The pandemic necessitated transformation—there was no time for debate. Traditional hurdles to auditor data access—client opposition and lack of preparedness—were rapidly overcome. Audit technology was tested, and it was successful. As the industry progresses toward the objective of continuous auditing, clients will be able to view real-time information.

The pandemic has accelerated technological investment in continuous auditing. As a result, auditors have become analysts, too. This shift allows auditors to give more significant insights into organizational processes, as they are now aware of the entire process life cycle and the related technologies. To be effective, an audit must help managers and business directors achieve their strategic objectives. Future audits must meet this challenge, or auditing itself could become obsolete.

The new auditing role may include duties such as (figure 1):

• Providing effective feedback to top management
• Performing adaptability testing of new technology
• Giving continuous input for improving processes
• Improving operational standards
• Handholding implementation of standard operating procedures (SOPs)
• Creating awareness of information systems security and cybersecurity

The new role of the auditor may include:

• Ability to plan and execute, keeping the big picture in mind
• Ability to integrate adaptability into the audit design
• Ability to increase focus on key risk areas to improve assurance
• Ability to use process mining to analyze data

Challenges Ahead for the Auditor

The future auditor needs to be equipped with specific skill sets to take a multidisciplinary approach. The challenges the auditor has to meet include:

• Understanding complex business operations
• Being adept with trending technologies
• Being able to use the latest audit tools and techniques
• Adapting to the need for agility
• Being able to address regulatory compliance in a changing landscape

IT auditors recognize the need to increase their experience and expand their abilities while upgrading their policies, procedures, staffing and technologies to combat the growing difficulties and dangers posed by an ever-changing technological landscape. Organizations that want to best their competitors will need IT auditors who have the right combination of experience, credentials and abilities to address the wide range of challenges the digital world presents. Those organizations that invest in their workforce today will be well prepared when changes occur.

Technology and Tools That Help the Auditor

Internal auditors have progressed from auditing around the computer to auditing via the computer, as underlying tools and technologies used in enterprise operations have improved over time with complex technologies and processes as shown in figure 2. Machine learning (ML), cognitive computing and artificial intelligence (AI) are among the creative and disruptive technologies that organizations now embrace daily. This has resulted in fresh hazards that were previously unknown, as the internal auditing of such processes (i.e., those that involve emerging technologies such as ML, cognitive computing and AI) is extremely difficult and requires extensive expertise and training. Nevertheless, by gaining increased awareness and knowledge of new technologies, internal auditors can address both existing and new risk areas and provide findings that assist business decision makers to act faster, more confidently and with deeper insights, resulting in increased value. Internal audit analytics, in particular, may aid in the development of a more efficient, risk-based planning process by detecting which organizations are at higher risk and require further attention, and by increasing the efficiency, coverage and value of discrete audit reviews.

AI FINDINGS ARE, AT BEST, PROBABILISTIC PREDICTIONS BASED ON DATA CORRELATION INFERENCES AND SHOULD NOT BE CONSIDERED ABSOLUTE FACTS.

As a result of these developments, auditors are evolving as well. There is a greater emphasis on auditing quality, with a greater focus on risk and professional skepticism. To address some of these new problems, auditing standards are being improved. To be effective when auditing systems and data, auditors must utilize IT tools, such as computer-assisted audit tools (CAAT), and understand both a system’s business purposes and its operating environment. Internal audits can assist in navigating complicated business circumstances across a variety of business domains by incorporating analytics into the audit process. Data-driven audit analytics is a novel technique to integrating analytics into internal audits. The technique improves audit quality because it enables auditors to more effectively audit the large amounts of data held and processed in IT systems of larger clients. Auditors can extract and modify client data and analyze them, which helps auditors better understand the client’s information and identify risk.

How Technology Will Alter the Face of Auditing

There are three important areas in which technology will alter the face of auditing: cognitive analysis, ML, and intelligent robotics automation (IRA) and RPA.

Cognitive Analysis
Cognitive analysis, or AI, has the ability to sift through massive amounts of data and perform digital analyses in ways that are difficult for teams of auditors. Algorithms in cognitive technology enable software to absorb information, reason and think in human-like ways. Cognitive analysis includes ML technology, which enables computers to adjust their paths and attempt new tactics when they meet barriers or unknowns in carrying out their tasks.

Machine Learning
ML is expected to have a significant influence on the audit profession. For example, KPMG’s cloud- based audit began with the launch of KPMG Clara, which employs IBM Watson (ML technologies).¹ Smaller Certified Public Accountant (CPA) enterprises will have additional resources as ML techniques become more widely available.

IRA and RPA
RPA refers to software acting on other software instances to automate predictable and structured data operations. IPA differs from RPA in that it blends AI modules with RPA to handle inference-based procedures. Since audit automation is both a required and sufficient condition of continuous audit, it is worth looking at how RPA and IPA may help with constant audits. Furthermore, an exploration of cost-benefit analysis of RPA and IPA implementation and the influence of RPA and IPA on auditor time allocation may be useful.

Competencies Required for the Next-Generation Auditor

Although advanced technologies offer a great deal of data for an auditor to use in decision-making, the auditor is the one who ultimately must make the decisions. When it comes to detecting correlations between data sets or variables, technology is a game changer. However, understanding the context behind the result and the causality of the output in relation to the inputs supplied requires human insight and experience. AI findings are, at best, probabilistic predictions based on data correlation inferences and should not be considered absolute facts.

The digital revolution has enhanced and affected organization models, processes and efficiencies, and it has disrupted business models. Many organizations have incorporated ecommerce, mobile applications (apps), enterprise resource planning (ERP), blockchain, cloud computing, RPA, the Internet of Things (IoT), ML and AI technologies. Therefore, the internal audit function must be reoriented and improved to suit the strategies and methodologies in use in this digital age.

Some competencies that may be required for the next generation auditor include:

• Holistic understanding of business
• Interdisciplinary approach to audit
• Effective communication skills at all business levels
• Ability to understand emerging technologies
• Ability to predict future challenges
• Ability to take a business-centric approach
• Ability to plan and execute, keeping the big picture in mind
• Ability to integrate adaptability into the audit design
• Ability to increase focus on key risk areas to improve assurance
• Ability to use process mining to analyze data

Adapting to Audit in Interconnected Business

Policymakers must develop suitable audit standards and appropriate analytic tools for big data. They must combine and clarify practical demands in light of business trends to further smart audit practices that increase audit assurance and audit quality. The guidelines should encourage businesses to handle internal data consistently and effectively and to validate exogenous data regularly for adequate evidence and confidence. New standards should be established not only to manage data, but also to review and regulate the inclusion of new technologies in audit procedures for analytical uses (such as distributed ledger and neural networks).

THE NEED FOR MORE CREATIVE AUDITING STANDARDS FOR BIG DATA AND ANALYTICS MIGHT BE A CATALYST FOR ADVANCEMENT IN SMART AUDITING METHODS AND PROCESSES.

The need for more creative auditing standards for big data and analytics might be a catalyst for advancement in smart auditing methods and processes. Audit enterprises must establish strategic plans for data management and analytics in the future and increase efforts to adopt new techniques inside their businesses. Audit enterprises can offer proper training and incentives to encourage auditors to use big data and analytics in their fieldwork to get better insights. Aside from supporting organizational initiatives, audit professionals should aim to cultivate favorable attitudes toward the ways big data and analytics may improve the auditing process and encourage development of skill sets and capabilities related to the latest technologies, such as AI and ML.

Effectiveness of an Audit Program

An effective audit program requires consideration of five important aspects (figure 3):

1. Environment—The tone of an organization’s management is the basis for internal controls. The control environment encompasses integrity and ethical principles, management philosophy and operational style, and delegation of power and responsibility.
2. Quality—The objective, breadth and depth of an audit are determined by a variety of factors, including organizational needs, risk assessments and audit standards. Though The Institute of Internal Auditors (IIA), American Society for Quality (ASQ) and the International Organization for Standardization (ISO) have certain comparable methods, their overall audit requirements differ. For example, IIA engagements are more likely to focus on financial data and internal control, whereas ASQ engagements are more likely to concentrate on goods, processes and systems. Although quality auditing is most commonly associated with manufacturing, it may also be used to assess operational efficiency in service businesses. The ISO develops quality standards for technology and business in a variety of fields. The most popular of them are the ISO 9000 standards, which deal with quality management. Documentation, process planning, resource management, human resources, customer procedures and customer satisfaction are all covered by these standards. For example, ISO 9001:2015 Quality Management Systems—Requirements is dedicated to an organization's internal audit.² Therefore, enterprises preparing for audits or wishing to enhance their human resources processes must understand this standard thoroughly.
3. Efficiency—An efficiency audit highlights the uneconomic use of resources; the wasted capacity of idle machinery and equipment; poor decisions and resulting losses incurred; lower performance caused by rivalry and lack of cooperation among departments; and staff insufficiency—in terms of both number and knowledge in specific areas. A performance and efficiency audit is a diagnostic assessment method for analyzing objectives, plans, policies and actions in every step of an operation to identify hidden flaws and provide improvement suggestions in areas that have slipped management’s notice.
4. Impact—Through electronic data processing and electronic auditing, IT contributes to the reduction of audit risk. IT assists auditors in reducing the chance of audit task mistakes and increasing the likelihood of discovery, ultimately decreasing audit risk. IT's impact on auditors is evident in the field of internal control, which is shifting toward increasing control and auditing while decreasing risk. It is clear that new electronic data processing, advanced ML and AI techniques will have a significant quantitative and qualitative impact on reducing audit risk. These technologies are adding new means, mechanisms and capabilities for IT to reduce the likelihood of audit errors and increase the possibility of audit success.
5. Output—Most audits include aspects of product and process audits, but they are more focused on the larger picture. For example, system audits can assist in discovering the processes or products that affect the system's outputs if they are not fulfilling client expectations. Although these audits need a team of auditors, they are successful in identifying beneficial or negative practices. Findings are compiled into an audit report for management to review as with other types of audits.

Conclusion

The future of audit is no longer hypothetical. The future is here, and change is being accelerated by the COVID-19 pandemic, which is providing the impetus for more advanced technologies and innovations that will benefit the future of audit.

Advances in technology create both challenges and opportunities for the future audit, but a few fundamentals remain unchanged:

• Competency is still relevant.
• Automated tools will help, but they cannot replace judgment.
• The audit function should remain independent and separated from other operations.
• Agility, the need of the hour, should be applied where it makes sense and is required.
• The right questions, the auditor’s own creative insights, are still the essential tools for an initial audit assessment.

THE FUTURE IS HERE, AND CHANGE IS BEING ACCELERATED BY THE COVID-19 PANDEMIC.

In addition to mastering an increasingly complicated set of auditing tools and techniques, future auditors need to become more flexible and embrace changes in IT, data science and general business practices. Whereas previous audits were primarily transactional, future audits will be more linked. Audit enterprises must be aware of shifting auditor skill sets to manage the disruption risk associated with advanced technologies such as ML and AI by providing audit coaching and learning opportunities that enable auditors to evaluate systematic internal linkages and external environmental influences. Auditors must also demonstrate a thorough grasp of the intake, processing and output of data from various sources. Furthermore, while these technologies can significantly liberate auditors to explore their intuition, auditors must modify their thinking to be receptive to their own creative insights. Although it is hard to predict exactly how these technologies will affect the audit process in the future, now is the time to start thinking about their current influence and potential future consequences.

The characteristics of audit are changing drastically with each passing day, with new technology elements either totally replacing or redesigning old methodology. Specifically, internal audit is evolving continuously, and future auditors must expand their horizons and educate themselves on the latest technologies, not only for an efficient audit process but to enable smooth functioning of the business, too.

Endnotes

¹ KPMG, “KPMG Clara,” http://home.kpmg/xx/en/home/services/audit/kpmg-clara.html
² International Organization for Standardization (ISO), ISO 9001:2015 Quality Management Systems—Requirements, 2015, http://www.iso.org/standard/62085.html

Gopikrishna Butaka, CISA, CDPSE, CEH

Is a manager of information systems audit at the State Bank of India (SBI), a Fortune 500 company with more than 22,000 branches worldwide. Apart from conducting various audits, which include IS audits, IT migration audits and regulatory framework implementation audits, Butaka’s work also includes preparing and editing various policies for IT, cybersecurity and framework design. Butaka also coordinates the technical price negotiation committee, IT strategy committee and audit committee board meetings and ensures their implementation. Butaka is also an author focusing primarily on technology evolution and its impact on business and has contributed to dozens of articles for SBI’s in-house magazines on technology and management issues.