USING DATA ANALYTICS FOR AUDIT EVIDENCE
Technology is shaping and changing our lives. Answering machines are long gone as people feel the need to be connected at all times. Information needs to be on tap as even looking up a book takes too long. Some employees who traditionally worked from their desk at the office, now work remotely from home or even from a different country, as staff mobility is not even about relocation anymore.
The audit profession is also re-inventing itself but maybe not at the pace we’d like to believe. Whereas auditing has been around in one form or other, for around 3,000 years, Mautz and Sharaf started to give shape to the theory of auditing in 1961 with their publication of The Philosophy of Auditing. Since then, we have seen a significant increase in guidance on how to conduct an audit as standards were issued by bodies such as the International Auditing and Assurance Standards Board (IAASB) and the American Institute of CPAs (AICPA). However, questions continue to be raised by the public as to whether such the bodies are doing enough to ensure that the profession keeps with the pace of technology.
In considering whether International Standards on Auditing (ISAs) are outdated given that they were drafted before the availability of data analytics techniques, during September 2016, the IAASB’s Data Analytics Working Group (DAWG) felt the need to issue a call for comments through its paper entitled Exploring the Growing Use of Technology in the Audit, with a Focus on Data Analytics. The general consensus was that ISAs were not ‘broken or a barrier to the application of data analytics in the audit’.
IAASB’s DAWG defines data analytics largely on the definition used in an AICPA publication entitled Audit Analytics and Continuous Audit – Looking Toward the Future. The DAWG states that The quality of a financial statement audit can be enhanced by the use of data analytics. Data analytics, when used to obtain audit evidence in a financial statement audit, is the science and art of discovering and analyzing patterns, deviations and inconsistencies, and extracting other useful information in the data underlying or related to the subject matter of an audit through analysis, modelling and visualization for the purpose of planning or performing the audit.
The use of Audit Data Analytics (ADAs) is thus seen as an enhancement to and not as a replacement of audit evidence. It can assist during the entire audit workflow.
In the risk assessment process, ADAs can be used to provide better insight and support to the auditor in identifying and assessing the risks of material misstatement in terms of ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment. Such ADAs may constitute preliminary general ledger account transaction analysis, correlation of revenue against industry expectations and analysis of betting behaviours in an Internet Gaming (iGaming) company.
In testing controls, an entire year’s financial information may be used in order to:
- evaluate whether segregation of duties policies are being followed by checking whether transactions are authorised by an appropriate employee;
- evaluate whether commissions given to merchants involved in electronic payments are in accordance with set expectations, given the associated risks of the business relationships and intermediaries involved; and,
- determine whether divergencies exist between sales (or purchase) orders, invoices and payments.
Substantive analytical procedures are defined by ISA 520 Analytical Procedures paragraph 4 as evaluations of financial information through analysis of plausible relationships among both financial and non-financial data. ADAs using predictive models can determine whether transactions recorded are in accordance with pre-set expectations using regression models. If the auditor has the capacity and capability to access and handle large volumes of data, he can, for example, analyse an iGaming company’s betting transactions in more detail and better determine which transactions may need further investigation on the basis of correlations with other player behaviour, gaming logic and probability of outcome. Whereas statistical sampling techniques provide the auditor with an understanding within a statistical confidence level and materiality thresholds for the sampled population relying on the assumption of homogeneity, ADAs single out anomalies that warrant further investigation. This may be compared to choosing the coloured marble in a transparent jar, rather than selecting a sample of marbles blindly, on the back of statistical models, and concluding on the number of coloured marbles in the jar on the basis of the sample selected. Sampling techniques can assist in forming a conclusion on the population being tested, though ADAs can provide further insight as to whether there are any transactions that are unexpected given the auditor’s understanding of the business.
With electronic data being used as audit evidence, the auditor needs to evaluate the reliability of the information to be used as audit evidence in terms of ISA 500 Audit Evidence. ISA 500(9) states that for information produced by the entity to be relied upon for audit purposes, the auditor needs to obtain audit evidence that it is complete and accurate, and that it is of sufficient precision and detailed to merit its use. In an electronic dimension, information can be changed at will without any trace, unless systems are appropriately supported with sufficient relevant controls. Just as spreadsheets can be modified entirely without any tracking of their source, system databases can also have the same pitfalls without adequate manual and automated control infrastructures. Likewise, if management promotes a culture to circumvent controls to get things done, it would increase an auditor’s professional skepticism as to the reliance that can be placed on that data for ADAs. In a corporate environment where physical manual controls are given more importance than their automated counterparts, ADAs would have little validity in providing audit evidence on their own, without being able to extend the assurance attained through manual controls testing over underlying data used.
Auditors using ADAs may fall in the pitfall of relying on the data as if it is authoritative solely on the basis that numbers reconcile between them or the accounts they represent. Like any other piece of information paper provided by the client, electronic data needs to be verified using the guidance of ISA 500. The source of the data, the processing and the output need to be understood and controls verified to confirm that the audit procedures are based on reliable information. Also, auditors are required to design and perform audit procedures to obtain sufficient appropriate audit evidence (ISA 500 (1)), and therefore they need to be knowledgeable of the process applied by the tools including any algorithms which may not be immediately visible to the user.
The audit profession needs to mature even further. In their report Audit Quality Thematic Review – The use of data analytics in the audit of financial statements, the Financial Reporting Council noted ADA practices adopted by a number of audit teams. They noted that audit teams need to review their existing audit approaches to identify testing that ADA replaces as it seems that auditors are reluctant to trust the tools given the inexperience in using them to generate primary audit evidence. At times auditors used ADAs solely for adding value to their audit committee reports without constituting any audit evidence in arriving at their opinions, with the risk of verging into providing non-audit services.
It is clear that audits need to evolve further into embracing technology and the benefits that ADA bring. In 50 years we have gone from paper ledgers to databases to cloud computing and now to blockchain technologies. Auditors need to re-invent themselves. They need to be ready to embrace the future of technology and not just the challenges brought about by the current ones. Audit procedures need to be revisited in order to ensure that they are leveraging upon the possibilities available with today’s technology. Is it still efficient to adopt statistical sampling techniques in environments where millions of transactions are processed daily? The regulators, the Malta Institute of Accountants, The Accountancy Board and international bodies need to discuss and share knowledge on what is acceptable, best approaches and considerations in adopting ADAs. As we get to terms with the technology, we need to make sure that our audit methodologies are enhanced to make use of current techniques to provide better insight to the auditor and audit committees.
In the words of Robert M. Pirsig, ‘If you run from technology, it will chase you.’