University of Economics in Prague
Faculty of Finance and Accounting
Finance and Accounting
MASTER THESIS
USE OF TECHNOLOGY IN AUDIT
Author: Bc. Tatiana Bibicheva
Supervisor: doc. Ing. Vladimír Králíček, CSc.
Academic year: 2021
1
Declaration
I hereby declare that I am the sole author of the thesis entitled “Use of Technology in Audit“. I duly marked out all quotations. The used literature and sources are stated in the attached list of references.
I grant the University of Economics in Prague permission to reproduce and to distribute copies of this thesis document in whole or in part.
In Prague on ... …...
Tatiana Bibicheva
2
Acknowledgement
I hereby wish to express my appreciation and gratitude to the supervisor of my thesis, doc. Ing. Vladimír Králíček, CSc for the support provided with the search of interviewees for the case study and for guiding me across the whole process of working on the present thesis.
I hereby wish to express my appreciation and gratitude to professional auditors for their time and experience shared for this master thesis.
3
Abstract
Process automation is one of the crucial priorities of almost each company in the current time and audit firms are not an exception. Since the time when first calculating machines were used to ease human work in terms of data processing and evaluation, many tools have been developed and implemented into day-to-day activities both on personal and firm levels. Thus, we have an opportunity to observe this trend, undertake an attempt to understand it, use it in our work, modify and improve. With such an eternal development process, it is highly important to follow it and not to be lost in this way, especially in the time when efficiency and effectiveness are key goals of modern society. This thesis aims to focus on such trends in relation to audit, identify the development curve, its current status and prospective. It will provide a reader with the most updated information including examples and professional opinions of people involved in audit engagements and having experience with the newest technological achievements.
Keywords
Audit, automation, technology development, data, blockchain, artificial intelligence, cyber security, regulation.
4
Contents
List of abbreviations 5
Introduction 6
Background 6
Problem description 7
Purpose and research questions 8
Outline of the Thesis 9
Research design 10
Qualitative approach 10
Systematic literature review 10
Case Study Approach 12
Literature review - results 17
Data 17
Blockchain 20
Artificial intelligence 24
Cyber security 26
Risks and regulation 29
Ethics 31
Case study – general results 34
Case study - country-specific results 43
Russia 43
Czech Republic 49
United States 52
Conclusion 57
List of references 60
5
List of abbreviations
ACCA - Association of Chartered Certified Accountants AI - Artificial Intelligence
ATT - Automation Tools and Techniques CAATs - Computer-aided audit tools CPA - Certified Public Accountant
IAASB - The International Auditing and Assurance Standards Board IFRS - International Financial Reporting Standards
GAAP - Generally Accepted Accounting Principles IFAC - International Federation of Accountants ITGC - Information Technologies General Controls ISA - International Standards on Auditing
PCAOB - Public Company Accounting Oversight Board SEC - The Security and Exchange Commission
6
Introduction
Background
One of the main goals of audit is to verify and evaluate various indicators of financial statements. Further, the results contribute to the overall understanding of a reporting entity’s operation activities, confirm its financial statement’s reliability and their compliance with the standards. This information is widely used by investors and loan providers as soon as they do not have the ability to insider access to internal reports as a rule, thus auditor opinion becomes the bridge for business relationships.
The role of auditor is to ensure the reduction of the risks coming from reports about ethical, social, corporate responsibility of its clients. And currently we can observe that the interest in the auditor's work is only increasing, which is coming from the
sophistication of the regulatory segment and business environment overall.
As any other institution, audit is constantly developing and transforming as the result of both external and internal processes. Thus, the first authority granted to an external firm to provide opinion about the true and fair representation of information in financial statements of particular companies was for the Security and Exchange
Commission in 1934. SEC, which had the audit oversight among its other functions, and assisting public accounting firms became liable to provide the certain assurance about the client’s reports that they fulfil the requirements of generally accepted accounting principles (GAAP).
The regulation of this area has been becoming more and more complex throughout the years with the development of the business sector and appearance of new models and schemes of companies’ working structure. Having that, the audit has undergone serious changes and modifications. New sociological and technological streams, volume of information shared between people and firms, real time business make global accounting companies and associations do research on the future of audit and
implementation of technologies in audit work as soon as the traditional methods stop meeting all the requirements and being efficient.
The problem here is the quantity of informational streams, which is high for the business environment and significantly lower for the regulation sector. Any market
7 changes happening in the world are posted on the internet almost immediately after their occurrence and become accessible almost to everyone. Market players can react to these changes and modify their strategies and decisions in real time. Unfortunately, at the same time, traditional accounting systems lack similar mobility.
Auditors need to adjust their approach to solve this issue by implementation of new solutions such as usage of technologies, which can allow them to collect, process, consolidate and analyse data and large amounts of information in a short time.
Examples of such tools could be smart machines, new media content and programmes.
Without any doubts that will require significant investments in terms of time and projects financing.
The trend existing in the audit currently is the orientation at risks and their sources.
However, this is not only about risks of the audit process itself, rather risk orientation in utilizing different approaches, or sources, of data gathering by auditors. New tools help to properly address possible risks and allow performing estimations and sample
selection through various algorithms and automated analytical procedures. These are part of three main streams in modern audit advancement: digitalisation, working with Big Data, real time accounting and auditing.
Problem description Digitalization
Digitalisation is the process which characterizes the current industrial stage - the fourth industrial revolution. During the past two decades society has passed through the mass adoption of personal computers, phones, various gadgets and all of them became a huge source of information. Global, medium and small enterprises deeply integrated
technologies in their daily activities, they became an inevitable part of all processes happening in companies including their financial performance. Considering that the systems used are often interconnected and imply the functions of monitoring and evaluating performance of the network functionality, audit will perform checks of systems’ final output but also the analysis of intermediate working reports, that are generated automatically without human intervention. The purpose of this in some cases is to shift the initial focus from the monitoring of result to the monitoring of processes
8 which lead to results and detect and prevent all possible sources of the risk. Even though such an approach is already becoming part of standard audit procedures, it is still
pending new technological solutions such as artificial intelligence that would assist auditors throughout engagements due to increased volume of the data to be audited.
Big Data
According to the Oxford dictionary, big data is sets of information that are too large or too complex to handle, analyse or use with standard methods. New systems
development is primarily focused to ensure high information velocity, information variability, ability to analyse this information despite the complexity and opportunity to automate the analysis based on algorithms, comprehensive statistical models.
Nowadays, audits have already done the largest progress in terms of working with big data and its analysis.
Real time audit
Audit so far was oriented mainly on the checks of the retrospective, already documented information which makes the audit work seasonal, time-consuming and, consequently, selective. However, the development stream can suggest new approaches and transform audit into the monitoring process. These new approaches are aimed to reconsider the initial considerations and make audit not a tool of assessment of past performance but rather to forecast and correct present performance, be an assistant, not a controller. To make this possible the model systems such as Blockchain could be used as well as presence of new technologies on the basis of artificial intelligence. (Pankov V, 2019).
Purpose and research questions
The purpose of this thesis is to provide a reader with the information about the current state of the implementation of new technological solutions in audit processes, its obstacles and prospective to answer the questions:
1. How to make audits more efficient?
2. What is the present knowledge base of experienced auditors in terms of implementation of new technologies in engagements?
9 To be able answer these questions, this thesis will cover the most recent publications of Big 4 audit firms, audit oversight boards as well as previous research papers devoted to technological usage in the regulatory sectors. The historical development of automated tools, their integration and potential will be overviewed in the literature review part.
Further, the case study in the form of interviews will provide a reader with the
specifications of audit work and its relation to automation processes. The participants of these interviews are practicing auditors working in the field of financial audit and data analysis at the Big 4 (PwC, KPMG, Deloitte, Ernst & Young) as well as smaller firms as APOGEO Audit, s.r.o., NEXIA AP a.s., Finex-Audit, Interaudit. This composition of responders will allow to compare the approach towards technologies in companies of different sizes and provide a more complex picture. Additionally, in order to generalize the output of the discussions, three different regions will be compared: the Czech Republic as representative of the European Union, the United States of America and Russian Federation.
The data collected will give an opportunity to assess the current state of technological advancement in the audit profession and its development curve.
Outline of the Thesis
My thesis is structured into the four parts. The first part is aimed to describe the research methodology used and the way the research questions to be answered during the entire thesis. The second part is devoted to the literature review that will provide a reader with the theoretical base of the topic. The third part is practical, it is formed as a case study, which allows to obtain empirical evidence of technology adoption in the audits. The last part is a summary and conclusion of the work done as well as the theoretical and practical contribution, limitations of the study and further research potential.
10
Research design
Qualitative approach
The method chosen for the research is qualitative analysis, which includes the systematic literature review and case study.
According to many researchers, this method is widely used to gain insights into the lived experience, provide answers to the authors inquiries and guide the way research is conducted, which makes it flexible, adaptive and practically valuable (Atkinson, 2017).
Considering the area of the investigation captured by this work, empirical evidence provides an opportunity to appropriately address the unstructured dataset inherent to this field and deeply investigate the subject giving the space for more detailed overview.
Another benefit (Peshkin, 1993) of a qualitative approach is an opportunity to discuss the topic from different angles. The discussion results, however, could be open-ended and encourage further investigation. Considering the fact that there is no such term as wrong answer, the research provides the space for making own conclusion.
Additionally, elimination of strict specific framework allows us to collect and assess data based on present performance and future potential rather than past experience
(Hammersley, 2000). This creates value for long-term periods and can be used later for comparison of expected and achieved results in the field of study.
The structure of the present research is divided into the two main parts: systematic literature review and a case study. The main strategy chosen is a method of deduction, where the data collected from primary sources such as academic papers, regulatory official documents and articles, and first-hand information of the representatives of audit companies is extrapolated to derive some generic conclusions.
Systematic literature review
The systematic literature review represents one of the main parts of each research work.
It ensures the validity, timeliness, reliability and non-repeatability of the work. In order to make it scientific, the author must ensure the quality of the information reviewed and transposed.
The descriptive method of systematic literature review is chosen for this thesis, which means that the main goal of it is not to expand already existing knowledge but rather
11 provide a reader with the current state of the literature by a certain point of time (i.e. the time of review).
The descriptive method in turns splits into next subcategories as narrative review, metasummary and scoping review. This thesis uses the first category - narrative review.
The main attributes of this approach are collecting information that supports the
outcome/ conclusions presented by the author and preparing the knowledge pool for the gathering of empirical evidence in the case study. (Yu Xiao and Maria Watson, 2019) The primary source of information used are electronic databases such as ProQuest and JSTOR and others. They are suppliers of the scientific texts and prior research works on the similar topic. The next sources are electronic databases of the oversighting boards IAASB and PCAOB. The information stored there are standards on auditing, latest articles, video-conferences held for the discussion of the most important and relevant topics applicable for the audit profession. Additionally, the articles of the Big 4 audit companies were used in the analysis as representing the scientific value and the most recent information from the work field. The official websites of the programs mentioned in the work were also searched in Google and reviewed in order to provide more detailed data.
The quality of the data is ensured by using the authorised databases and official websites of the widely known public authorities and companies.
Limitations and validity
Although the narrative review approach assumes analysis of the broad scope of various literature, the searching process can be biased by the author due to prior knowledge and experience and overall subjectivity. In order to minimize this risk, the consultations with professionals in audit representing different countries were held in the informal
discussions prior to the research process. Moreover, the various types of literature were reviewed, among them are scientific papers, books, standards and legislative texts, articles and releases.
Another limitation faced is the scope of literature reviewed. The topic of this thesis assumes processing of information which is usually difficult to obtain due to
12 confidentiality applicable for audit and the processes started happening there just
recently, thus the scope of available research papers is limited. In order to present this thesis in the best possible format, additional sources as articles published by authorities and audit companies were used as their nature also assumes significant research
contribution.
Lastly, the literature reviewed does not differentiate much geographical regions and countries as it is aimed to describe the lastly achieved digital advancement in audit in the world as whole. However, some specific examples are present in the work below.
Case Study Approach
The second part of this thesis is represented by a case study. It, in turns, is represented by semi-structured interviews held with 15 participants from the audit firms of different sizes and three different countries: the Czech Republic, the United States of America and Russian Federation. The professional opinion and experience will give an
opportunity to obtain reasonable understanding and the supporting evidence to the theoretical part.
The interviews consist of 17 preliminary developed open-ended questions and additional smaller questions appearing during the discussions divided into several sections:
1. General questions about the future of audit;
2. Minimum educational requirements and the place of the IT education for the audit profession; development of technical skills;
3. Usage of technologies in audit procedures;
4. The role of Blockchain;
5. The role of the Artificial Intelligence (AI);
6. Data security
7. The effect of audit standards and legislation on the integration technologies in audit;
8. Opinion of auditees on integration of technologies into the audit processes.
(Please refer to the Appendix part for the full list of questions).
13 These sections divide the case study into two parts: the general findings and country- specific findings, which are considered to be reasonable to analyse separately.
The semi-structured interview with open-ended questions is deemed to be appropriate for the evidence gathering as it allows flexibility and immediate reaction during the discussion. Additionally, it provides the option to get an opinion which would not be biased by the authors’ subjectivity and would be sufficiently explained.
Due to the audit business seasonality and time-constraint of conducting the research, some evidence (5 out of 15) was obtained in written format through either Google forms (3) or direct emails (2). Nevertheless, this is not considered a deficiency of the case study as provides all the necessary data for the further analysis.
The remaining part of interviews (10) was held via phone discussions lasting from 40 to 80 minutes, which allowed to collect the data in an amount compliant with the
minimum required for the research thesis.
Selection of case companies
The selection of companies was based on the few assumptions:
1. It deems to be appropriate to compare the audit firms of different sizes for better analysis to have an opportunity to provide a conclusion regarding the full audit market and not only part of it;
2. It deems to be appropriate to compare several large regions to be able to generalize the outcome of the discussions.
a. the discussion with respondents representing the same company but in different regions should provide better snapshot.
The searching process of the respondents was organised through email invitations to participate in interviews sent to audit professionals.
The audit firms represented in the case study are the Big 4 (for all three regions) and smaller audit firms as APOGEO Audit, s.r.o. and NEXIA AP a.s. (the Czech Republic), Finex-Audit, Interaudit (Russian Federation). The United States represented by the Big 4 only.
14 All the firms selected provide the high quality audit services and at the same time
integrate new technological solutions in the working processes, thus the opinion
provided by their representatives is deemed to be reliable, valid and relevant to be used in the case study as the primary source.
Primary Data
The answers obtained during the in-depth interviews (both in written and verbal formats) are considered to be the primary source of the data collected for the analysis taking place in the case study.
The respondents are professionals with working experience in audit over 5 years (please refer to the Table 1 below):
# CoCode Company Division Position Date Length Verbal interviews
1 RU EY Consulting Manager 16.4.2021 81 min
2 RU EY Audit Manager 18.4.2021 68 min
3 RU KPMG Audit Senior Associate 11.4.2021 56 min 4 RU PwC Audit Senior Associate 11.4.2021 52 min
5 RU Finex Audit Director 11.4.2021 46 min
6 RU Interaudit Audit Director 13.4.2021 42 min 7 US Deloitte Audit Senior Associate 6.4.2021 52 min 8 US KPMG Audit Senior Associate 5.4.2021 55 min 9 US PwC Audit Senior Associate 3.4.2021 65 min
10 CZ PwC Audit Manager 5.4.2021 44 min
Written answers
11 CZ Deloitte Audit Director 16.4.2021 Email
12 CZ KPMG Audit Partner 19.4.2021 GoogleForm
15
13 CZ APOGEO Audit Partner 26.4.2021 GoogleForm
14 CZ NEXIA Audit Partner 16.4.2021 GoogleForm
15 CZ NEXIA Audit Partner 12.4.2021 Email
Table 1: Interview participants. Source: author.
Important note, the quotations used in the case study are adjusted in order to deliver the idea in compressed format in case they were received verbally. The quotations of written answers are adjusted to add more details that are included in the related
question and responded in shorter format (i.e. the direct quotation would be incomplete without inclusion of the question text). Thus, the quoted text should be considered as a part of analysis. The reason for such a format used is to visualize the results and make them easier to follow.
Secondary Data
To support the specific information gathered during the interviews and provide more details on the facts mentioned during the discussions with professionals, the official websites of the companies they represent were used.
Additionally, the information taken from official boards and countries’ legislation is taken to support certain conclusions.
The information contributing to the research conducted are officially published articles, announcements, overviews and legislative texts.
Limitation of the case study
As was already mentioned, due to the business seasonality, the sample size of the
potential respondents was significantly affected. The time chosen for the interviews was April, which assumes less work pressure than during January-March, however, still a part of the busy season.
Additionally, the regions chosen are among the largest and cover significant part of the world, however, the generalization has its limitations without having into account other countries as, for example, China or Japan as representatives of technological giants on the East, or Brazil as representative of South America region, South Africa in the African
16 continent or Australia. This is something that could be considered as a take-away point for further studies and research projects in the future.
Lastly, it became impossible to find the representatives of smaller audit companies in the United States for this research. This gap can be compensated by the fact that the vast majority of businesses in the US are audited by the Big 4 and, therefore, it alone can present the American audit market in the analysis.
17
Literature review - results
Profit maximization and creating trust and value of the firm are the main goals of any business undertaking. Although they pertain to different categories, when the one is a commercial goal and the second is ethical, they are still interrelated and depend on the condition of existence of an external independent control system, which will ensure fairness and effectiveness. Such external control systems can be auditors (Nikolskaya, 2000).
At the same time, audit firms also often represent the private sector of the economy, which concerns its performance, success and profitability. Thus, eternal development is crucial to stay on the same stage with industries.
The tools used before the technological boom were limited by piece of paper and pen, however, later, IBM computing machines of 1964 (AICPA, 2012) were allowed to be traded to the public and the audit firms got an opportunity to significantly improve the quality of the work they perform and address many risks associated with the manual audit.
Currently there are four main streams among the evolving technologies according to the Institute of Chartered Accountants in England and Wales (ICAEW, 2018) and they are represented by data, blockchain, artificial intelligence and cyber security. Each of these streams will be discussed in detail below.
Data
Data is the essential part of any economic activity and audit is not an exception. Since the volumes, forms and sources of it are only increasing, tools which are able to process them and help to get a result are vital.
Informational systems
The audit quality started to be associated with usage of informational technologies based on automation of various informational systems allowing faster analysis and working with data. All these systems can be recognised under several groups (Golysheva, 201 7).
18 The first one is office programs and applications such as text redactors and
spreadsheets, which became the essential part of audit engagements. Spreadsheets, for example, made it possible to work with tables, perform different types of analytics such as aging, regression, ratio analysis and many others. Among the most popular sets is Microsoft Office, which includes MS Word, MS Excel, MS PowerPoint and MS Access.
For some more sophisticated calculations such statistical systems as SPSS, which is developed by IBM (https://www.ibm.com/docs/en/spss-modeler/18.1.1?topic=tutorial- preparing-data-analysis-data-audit), SAS, which is provided by SAS institution
(https://www.sas.com/en_us/software/stat.html), and others are widely used.
Another group combines accounting systems such as SAP, QuickBooks, which represent the subject of revision for auditors. These are tested to ensure their correct usage and implementation at working space. Such tests are usually become a part of ITGC (i.e. IT General Controls), which we will cover later.
Also, it is important to mention electronic libraries with available information about the latest version of accounting and audit standards applicable under different regulations (local or international). Thus, in case of, for example, audit under ISA, auditors have access to the system with the legal texts from IFAC (IFAC, 2019) and have an ability to quickly search for relevant information by means of key words, titles, number of a standard and guidance, which positively impacts on the time spent to ensure correct data to rely on during performance of audit procedures.
Informational systems used for financial analysis of a company represent one more group. They often help to set a plan for a company’s development, find out weak points and estimate opportunities for business expansion. Such systems are able to construct and display a full report of financial indicators including comments to them in text format based on a company’s financial statements. Many of them also allow auditors editing the analysis methods and add their own if consider them relevant. The main advantage of such programs is greater quality and consistency of analysis performed. An example of such a system can be Oracle, which incorporates automated data analysis as well as machine learning, which significantly decreases human bias appeared in manual processes.
19 And lastly, audit firms use in their engagements internally (for larger firms such as Big 4) or externally developed software, which are aimed to combine all necessary
information for project performance, such as methodologies, templates, special set ups related to a specific standards, calculators and many other features. The main goal is to simplify the revision process, assist auditors and reduce audit risk to its minimum.
New solutions for efficient and effective audit
Among new tools which are currently represent the new must-to-know for auditors are those, which allow to obtain valuable insight from the data analysed, those, which can process big volumes of raw data and visualize them in order to make comprehensive things simpler, those, which can derive data from the different sources with minimum human interaction (Omer, Nashat, 2017).
● Data analysis
Among the powerful data analytical tools, the most famous are Qlick, R Studio, Matlab and Alteryx. However, the last one differs with its user-friendly system and orientation towards the audit demands.
The application is aimed to make the ETL (i.e. Extract, Transform and Load) process easier (Alteryx, 2019). That means that the auditor will spend less time on making data suitable for further analysis and the biggest advantage of this application is an option to build a workflow that can be used unlimited number of times for the raw data derived in the same format.
According to the survey conducted in the study of Gregorio Convertino and Andy Echenique (2017), data analysts spend around 60% of their time organizing and preparing their data, then performing any activities and assessment based on it. This bottleneck is solved by Alteryx solution, which allows limited manual performance of repetitive tasks.
● Data visualization
Since data analytical tools are created to make the work with data easier, visualization tools are created to make it even easier, provide better insights and help users to derive
20 conclusions and hypotheses. (Alawadhi, 2015) They help to deliver the outcome of
analysis to the public, which can be represented by management, stakeholders or other target groups. Tableau and Power BI by Microsoft are the leaders of this market and combine all four main elements for successful visualisation: function, form, integrity and interestingness. They are powerful applications that simplify the decision-making process while working with Big Data.
● Robotization
The last group of tools that worth to mention is related to robotization and the start of programming.
The amount of repetitive work in the audit profession could be enormous, that requires hundreds of hours to process and deliver the final result. Hence, auditors start to find a solution that would assist them with simple straight-forward, but time-consuming, processes such as “open folder - open file - find this parameter - copy it - open another file - past it” and other similar operations.
One of the easiest solutions offered by the market is Ui Path (Gotthardt, Koivulaakso, 2019), which requires minimum knowledge of coding from a user and can reperform simple manual operations in the form of process mining. Created algorithms can be stored in form bots and used later in the working field. An example could be invoice extraction from a client’s system of filling in certain parts of templates.
For more advanced usage audit firms develop some simple programs in house using programming languages as Python. This option is useful in case the process to be performed is either too long or too comprehensive and will require significant space to be saved. Programs can eliminate this issue and provide a powerful time-saving tool to auditors.
Blockchain
Industry 4.0, Blockchain 1.0 and 2.0
It is a well-known fact that the modern time is associated with the fourth industrial revolution. While the first two brought mechanization and electricity to humanity, the third gave electronics, the fourth is called digital (Liu, Wu, Xu, 2019). It fuses digital
21 technologies with physical and biological spheres and expands at an exponential pace (Schwab, 2016). The processes it represents are based on networks that exclude a need in middlemen. Automatization and digitalization are aimed to remove simple manual processes and the main provider of these tools is Blockchain technology.
The main idea is decentralization (Swan, 2015). Instead of monetary transactions, for example, that requires attendance of banks and some payments for services they
provide, Blockchain 1.0 offers a currency that can be traded and used in daily operations without banks or anybody else, only network and a user. The system ensures reliability and effectiveness without a need to even store your bookkeeping somewhere.
Next to cryptocurrencies, there is also Blockchain 2.0 (Swan, 2015) which is a much more sophisticated tool. It offers such inventions as smart contracts. The main principle of it is to get a digitally signed computable agreement between several parties by means of a software agent. These agreements are set on scripting language containing graphical tack with protocols for easier navigation.
The main advantages of smart contracts are time and costs saving, automation and virtual presence (i.e. digital signature), inessential presence of a lawyer. They are already used in e-commerce and have great potential to appear in other sectors. As a transition point, hybrid paper-plus-code contracts also exist. They represent a fully working contact written in machine-executable language and at the same time it is duplicated in paper form for the purpose of traditional recourse.
Impact on audit
Taking all above mentioned into consideration, a question might appear: does it mean that blockchain technology can eliminate audit work if all transactions are captured by the secured system? The answer is no. Even though such an assertion as occurrence would be covered, an auditor still needs to verify the nature of a transaction i.e. if it is legal, authorised, involves a related party, correctly classified in financial statements etc.
Apart from that, Information Technologies General Controls (ITGS), should be
performed to ensure reliance on the systems (if they can be manipulated). Auditors also need to consider an additional source of information that affects a company’s financial
22 statements, policies created by a client in relation to usage of digital assets and liabilities in business processes, and which are not properly addressed in the accounting
standards yet.
Audits involving crypto assets
Audits Involving crypto assets is a hot topic for discussions now. Both IFAC (2020) and PCAOB (2019) are trying to provide insights towards the appropriate attitude for
working with such types of assets and to give an opportunity to audit companies to deliver high-quality service.
IFAC (2020) states that crypto assets create a new branch of assets as they alone maintain currency, inventory and commodity, financial instruments and intangible assets. Their recognition on the profit and loss statement side would be also completely new: mining, minting, airdrop and others will appear there. Cost bases should be completely revised as well, for instance, inventory valuation or fair value assessment.
According to PCAOB (2020), Blockchain technology is not magic and does not guarantee to be inherently trustworthy. As any other item from financial statements, crypto assets should be considered on all stages of audit. Thus, the first important stage is control standards and internal policies related to digital assets. At the planning, a team composition should be properly discussed as it should reflect the need to be competent and knowledgeable, have specialized skills in the areas of cryptography and related legal requirements. In the risk assessment process, auditors should also identify what are sources of potential misstatement, what are business strategy and objectives as they may be different from the attitude used for traditional types of assets and might be different from company to company.
COVID
The relevance of Blockchain cannot be underestimated under the pandemic circumstances, which the world faced in the year of 2020. Based on the Business Harvard Review article (Hoek, Lacity, 2020), COVID-19 has pushed this technology forward to its adoption.
23 One of the best examples would be participation of the well-known global companies and organisations as IBM, WHO (World Health Organisation), Oracle, Microsoft in development of a platform which is aimed to collect data about COVID spreading, hotspots and deliver it to hospitals, public organisations and individuals.
Another company called Tymlez in association with Dutch government created a
network on the Blockchain basis for analysis of the supply chain of medical devices. The system eliminates the need in multiple intermediaries and developers, which can
significantly save time and costs for users.
Having these facts mentioned, it is crucial to understand that the business world
transforms in a rapid way, requires quick decisions and results, and audits should meet these requirements. Possibly, that the financial statement of year 2021 will notably differ from reports of past years, and the regulation segment should be prepared for this challenge.
Opportunities
Since the Blockchain platform is a tool which is undoubtedly useful for the regular market, it also could become a valuable feature in the modern way of auditing.
According to the Deloitte article (2018), along with the development of the technology, such change as testing of bank statements and confirmation letters could be done directly on the platform on publicly available ledgers without asking a client to assist with it. Moreover, the opportunity to eliminate sample selections as a strategy at all appears as soon as there is a possibility to test the entire population, which will provide a much higher level of assurance gained and will make the audit opinion even more precise. And lastly, usual time split considered in almost each audit engagement (interim and final) could be challenged as the process will become ongoing and will require continuous online presence throughout the whole period of a year audited.
Based on the example of India’s Blockchain solutions audit framework described by KPMG (2018) in their study, the platform will remarkably change the walk-through process and will affect the areas to be audited. Going further with the development, such customized audit frameworks will be necessary for secure implementation of audit solutions.
24 Ernst & Young (2016) in its turn discusses the possible future of Blockchain integration in audit processes in such words that the technology will allow to automate the revision, make it real-time and the data audited will be in the form of a code which with help of artificial intelligence will dramatically improve the quality of the service.
Artificial intelligence
Sophistication of the business environment, enormous volume of data it generates makes the traditional audit inefficient as was mentioned previously. End users of
information need to get it maximum useful and presented in the most concise format. It has to be done by means of analysis of various types of raw data consisting of not only financial (numerical) inputs but also non-financial. This falls down into the scope of behavioural economics and requires special smart technologies as artificial intelligence (Yakimova, 2020).
The main principle lying in the work of this technology solution is generating new information based on patterns learned from prior experiences. A distinctive feature of these patterns is that their logic is not straight forward and cannot be captured by simple algorithms, and this is applicable to the audit profession. Large volume of
procedures, including planning, execution and control, requires professional scepticism and professional judgment, which is hard to automate. Professor of Accounting at Bentley University in the US Mohammad J. Abdolmohammadi (1987) did an attempt to classify the audit work on structural, semi-structured and unstructured tasks with the main focus on complexity of task to be performed by asking managers and partners of the US CPA firms and conducting an experiment based on their answers. The conclusion he came to was that generalization of tasks' nature requires understanding the
background of the audited company, sample size and analysis of other qualitative data, and thus there is no such statistical model that could substitute auditor’s work. Later, other researchers did attempts to classify the qualitative inputs, which have an impact on businesses, and which are used for their analysis and comparison with each other.
Expert systems
By means of expert systems, which simulated intellectual human capability and could process the information from previously gathered knowledge, subjective factors could be
25 analysed without human intervention (Smith, L. Murphy, 1994). Models based on the expert systems were already implemented for risk assessment, assessment of effective work of internal audit and assessment of audit decisions based on the qualitative characteristics. Altogether they allowed the automatization of semi-structured and unstructured data.
Most of them were developed in house on such programming languages as Pascal, LISP and others by people clearly understanding what result they expect to see as a system output. For example, KPMG developed and successfully implemented already in 1980- 90s its own application Loanprobe for the purposes of bank audits (). At the same time Ernst & Young used an application called ASQ (also developed internally) to automate audits of manufacturing companies (Smith, L. Murphy, 1994).
Genetic algorithms
Genetic algorithms, which are inspired by the theory of natural evolution developed by Charles Darwin (Mallawaarachchi, 2017), generate optimal problem solutions based on selection of the fittest population and reproducing its patterns on the next “generation”.
In the process, these algorithms usually come through five stages as initial population selection, fitness function, sample selection, crossover and mutation. This approach was incorporated by auditors to find the optimal decision in relation to fraudulent activities.
Neuro network
The modern approach of working with artificial intelligence is creation of neural
network models, which are significantly more complex than expert systems and genetic algorithms and based on machine learning which is able to work with Big Data, retrieve the key elements from it, assess its context and emotional composition and generate solutions. The data sources might be social media, publications (not only presented in electronic format but also scanned from paper files), announcements and news, pictures, videos and interviews, phone and email conversations and so on, all of them can be used for the risk assessment and other procedures.
Although not all possible functionality of neural networks is implemented in audit, the process of robotization mentioned in the chapter devoted to Data presents and advances
26 from year to year. Already now it is a cable of scanning, detection and providing
analytical snapshot of information from different sources (Boillet, 2018), which is a valuable contribution and time-saver. An example of this could be an audit of insurance companies, which requires to manually come through internal policies and contracts and compare them with customer complaints, which could be presented on files with different formats like PDF or Word, and with sufficient training artificial intelligence can perform this work with much lower risk of non-detection.
Another way artificial intelligence to be integrated in the audit process is usage of picture and video detection tools while performing procedures over inventory stock count in places difficult to reach, unsecure places and in large warehouses. Such
appliances as drones with machine vision and further processing by AI could minimize the risks and cut time spent on this.
Overall, audits with AI also become faster (Brennan, Baccala, Flynn, 2017). Delegation of time-consuming repetitive tasks to machines can give an opportunity to perform testing of 100% of the population and eliminate sample selection. This would increase quality and satisfaction on results from both auditors and clients as they would be provided with more valuable feedback.
The development of AI is long-term activity as well as its integration. To make it more independent, such areas as behavioural and cognitive processes are currently under the deepest study (Dickey, Blanke, Seaton, 2019). As soon as it becomes mindful, able to do conclusions and opinions, audit could become a fully automated service.
Cyber security
The question on cyber security arising in response to technology development. Reliance on computers, gadgets, networks and clouds in working processes is becoming highly risky. Each year there are news about large enterprises or even governments which have suffered money losses and other significant problems relating to hacker attacks or accidental data leakages (Agarwal, 2020). This sensitive topic is becoming even more crucial in terms of auditing as soon as this service is created to check and control the most valuable to companies’ information and provide the opinion about its correctness and fairness to the public.
27 According to ACCA study (2020), cybercrime typology brakes into four categories:
cyber-trespassing, cyber-deception and theft, cyber-porn and obscenity, and cyber- violence. The common crime that auditors might face is cyber-deception and theft, which in turn falls apart through cyber fraud and transfer of wealth (IP attacks). The motives of such an attack could be immediate or future financial gain, while
consequences for victims could be regulatory inquiries, lawsuits, penalties and reputational damage.
● Phishing
One of the most common cases of cyber security deficiency is phishing, which is known as fraudulent activity related to stealing the sensitive data by “requesting” a person to share it or access it differently due to user’s inattention.
● Spear phishing
Spear fishing is related to more personalised and targeted attacks that increases chances of a situation where a recipient shows interest. The results are usually counted in
millions of dollars each year. The process of spear phishing usually involves collection of information about a target, creation of trustworthy credentials (i.e. email address) by a hacker, sending an email with an urgent request that would force a person to do an action before thinking, and sending a malicious attachment or link that would affect a target’s system and network.
● Vishing
This type of cybercrime is related to telephone systems, which are more exposed to longer records and consequently greater chances to success. Cyber criminals encrypt or mask real telephone numbers so that the call recipient could see a legitimate version.
● Ransomware
Ransomware pertains to malware that blocks a victim’s system with a goal to receive a ransom payment to get it unlocked.
● Accidental data leakage
28 Another deficiency which frequently appears is data leakage causing by lack of attention of staff in terms their usage of external (not authorised by a company they work for) sources or networks:
- External sources as a PDF converter could store the information once it was uploaded there, consequently, it might be accessed by other interested parties and used for their benefit.
- External networks as public wi-fi also represent unsecure unencrypted systems which provide opportunities to install malware to a PC or other device and capture everything that is done on this gadget.
● Targeted (severe) attacks
Target hacker attacks pertain to comprehensive malicious unauthorized processes against a target company in order to gain or destroy information for their own benefit.
To minimize the risks, companies sophisticated their systems, ensure physical access control, require individual user accounts and acquire different tools to ensure systems safety.
Based on Business Harvard Review (Sharton, 2020), corporate sector data breaches consist of 90% from phishing with an average cost of $3,8 million. Remote work during the pandemic makes the problem even more critical as the volume of data has only increased and opportunities to check external requestees is limited. According to FBI’s Internet Crime Complaint Centre, for the year of pandemic the number of cybercrimes has increased four times also because of new users and rapid development of 5G technologies. Due to this fact, companies, whose work is associated with sensitive
information, invest their resources into employees’ training on a regular repetitive basis (once or twice per year).
According to CPA journal (Wertheim, 2019), the main issues that should be properly addressed to ensure cybersecurity are lack of business focus, inadequate understanding of risks and monitoring, insufficient training and internal systems testing, as well as testing and updating of incident response plan (IRP). Assistance of third parties could also obtain an independent objective view and help to develop a protected cyber environment.
29
Risks and regulation
Since the audit is a highly regulated industry, integration of the new technological solutions is a subject of prior approval by the independent accounting standard-setting bodies as IASB. According to McKinsey (2015), the regulation environment creates obstacles for innovations which are not precisely covered by the regulatory frameworks, however, according to Hurtt, Brown-Liburd, Earley and Krishnamoorthy (2013), these frameworks contribute in building trust in the system and are important for financial markets despite they indeed create challenges for the regulatory industry digital transformation.
As was stated by IAASB (2017) about technologies expansion and their consistency with the regulation, ISAs do not prohibit and at the same time do not promote
automatization. Rather, these standards try to make auditors aware about possible risks arising from new opportunities and suggest the procedures to consider for mitigating all possible sources of a risk. They acknowledge the use of technologies by business and necessity of audit to comply with the level they set in this field.
One of the earliest references was related to Computer-Assisted Audit Tools, or CAATs.
The aim of these tools was simplification of the audit process with greater quality by using a combination of basic software like spreadsheets and some other advanced
developed in-house. This approach allows auditors to significantly reduce the number of samples and test only these transactions which are subject to greater risk. CAATs make it possible through analysis of the whole list of transactions and determine items
representing specific risks relevant for the financial statement line item tested.
However, specifications about CAATs appeared in ISAs at the times when technologies were not so advanced like present, thus, currently, there is a common situation when auditors do not know how to integrate evidence obtained through Automated Tools and Technologies (ATT) to standard models.
In order to be relevant, deliver high-quality service and meet expectations of industries, which consume audit work, and reflect modern practices and developments, IAASB (2020) has started revision of its standards in relation to ATT adoption in audits:
30
● ISA 315 Identifying and assessing the risks of material misstatement through understanding the entity and its environment (Revised 2019)
In December 2019 the international standard on auditing 315 was updated with the part devoted to automated tools and techniques used during the audit procedures. The authors of the standard admitted that ATT can be used for the risk assessment and provided examples, which brought much more clarity to the requirements mentioned there. One of the possible situations, when an auditor is allowed to use ATT, is
observation and inspection stage. Previously auditors were required to be present physically at the inspected premises, however, the new update allows the use of remote observation tools, which could be a drone, for example. Currently, while the pandemic and shuttled doors, such opportunity becomes a great solution.
● ISA 520 Analytical procedures
In September 2020 IAASB published a short guideline across frequently asked questions about usage of automated tools and techniques in performing audit
procedures in addition to ISA 520 effective from 2009. The article emphasize that not all procedures are needed to be automated for effective and efficient audit, however, it agrees that ATT are able to process much larger volume of raw data taken from different sources, analyse, disaggregate it, visualize, if needed, and provide an auditor with the thoroughly done summary of all possible sources of a material misstatement and help to develop a more precise expectations. The crucial point here is to obtain sufficient
evidence over all relevant assertions despite the method used and do not forget to include the reason for the assessment done.
These and other changes are part of integration of them in standard audit practices.
However, this process is also accompanied by new challenges and considerations such as test of controls.
According to Al Naqvi (2020) the governance of a new automation tool or system (as example AI) is based on the model of understanding how safe and stable this tool is and besides how transparent and accountable it is.
31 Considering it (please refer to Figure 1 below), emerging technologies or already existing ones could be tested and the process of their integration into the audit processes would become more straight-forward and easily explainable, which would lead to
standardization and agreement on the best approaches.
PCAOB sets regular discussion sessions, which are aimed to come through the existing obstacles around the automation topic and arranges research projects to test the shared ideas. Among the latest one was an overview of the process of auditing cryptocurrencies.
Figure 1: The AIAI Governance Model. Source: Al Naqvi, 2020.
Ethics
Discussing the greater efficiency and transparency of the automated tools that have been already integrated in audit as well as those which come later, it is still important to consider the ethical side of this matter.
This work has already mentioned the greater volume of data that can be processed with new technologies as well as form of this data, which can be presented not only in text format but also pictures, video and audio. New systems are developing in a way to
32 recognise even the emotional context of the analysed material. And here it is a good point to stop and think if this way is a correct one, should it have some limits and borders that must remain “uncovered”.
Jesse F. Dillard and Kristi Yuthas in their research work (2001) discussed the ethical issue of implementation of expert systems in accounting and auditing. The area they investigated was legal consequences of audit failure, who is responsible for erroneous audit judgement? As the base for their conclusions, they used the responsibility theory of Richard Niebuhr, the main principle of which lies in the agents’ communication, and Lampe and Finn theory, which expand the AICPA model of ethical decisions of auditors.
Both of them consider dialogue between an audit firm and its client to build trust and loyalty, obtain transparency, consider roles and power neutrality to solve responsibility issues.
Linda J. Skitka and Kathleen L. Mosier (1999) in their work devoted to decision making and human biases automation processes causing an example of excessive reliance on the automated systems. According to them, this results in a greater number of mistakes and overlooks that people do when working with smart programs and automated tools. This finding can raise a question on the quality of service provided and undermine the trust that clients have towards audit firms.
ICAEW (2018) also discussed the ethical question and machine learning. The university found a conflict between the need to use external data for the machine learning process and GDPR policies. A client agrees to share its accounting information within one external firm (i.e. auditor), however, the usage of AI means that the data could go further and could not be already unshared.
Ivy Munoko, Helen L. Brown‑Liburd, Miklos Vasarhelyi (2020) did comprehensive study on the ethical aspect of AI integration in audit processes, which acknowledges current technologies development and at the same time expresses concerns regarding the negative impact of AI implementation. The main point is that the work currently performed by less experienced auditors, which contributes to their educational progress, will be substituted by machines and that will adversely result in CPA “pipeline”.
Potential deprofessionalization is the one of matters that should be addressed in order
33 to avoid negative impact on exclusive jurisdiction, autonomy of the audit profession and given authority.
34
Case study – general results
This chapter is devoted to empirical results obtained partially introduced in the chapter Research Design. The aim of this chapter is to present the findings obtained during the discussions with audit professionals that can be aggregated and analysed together.
The nearest future of the audit profession
In light of the new changing environment, when automatization is not a question of “to be or not to be” but rather “when” and “where”, significant changes in the audit
profession are expected. More and more people having experience with public accounting are concerned about the possibility of full automation of audit work. For instance, the popular international newspaper The Economist published in 2016 an article about accounting jobs that are likely to be automated, audit was in second place.
Currently, this statement has not lost its value and has been discussed with practicing auditors.
Figure 2: Accounting jobs are likely to be automated. Source: The impact on jobs:
Automation and anxiety. The Economist, 2016
Speaking about the nearest future of the next three-five years, the trend to minimize the human resources and hire new automated tools should become more and more obvious (please refer to Figure 2). That statement is supported by all the respondents despite the country or size of an audit firm:
35
“Audit as a profession can lose its value and become less important within sometime in the future due to automations… to avoid such situations auditors have set a course for expansion of their competence. Now audit is not only about financial reporting but also about accounting standards interpretation and delivering them in a clearer way, about implementation of new tools by businesses such as bitcoins and many others. As a result, the audit would not disappear, but job duties can change”.
Senior Associate, PwC US This point is further developed with arguments in regard to obligation of certain
companies to be audited and in some cases by large audit firms as Big 4. This is relevant for all countries where respondents are from.
Additionally, auditors highlight the importance of data interpretation and critical
thinking, which, at this stage of technological advancement, is never possible to be done by a computer alone:
“Significant part of tasks usually performed by junior staff can be automated”
Manager, PwC CZ
“...but these automations would rather not fully substitute the work done by associates and interns but supplement it and help to skip the process of data cleansing to be able to devote time to understanding of clients’ processes”.
Senior Associate, KPMG RU Changes that are the most expected in the profession are related with minimization of administrative work such as data preparation and documentation. It is expected that the audit work will become even more judgemental due to introducing the new technical tools, which could help audit firms to save their resources and stay competitive on the market.
Respondents also highlight IT audit, test of internal controls, which is becoming more relevant these days and importance of which will continue to grow. The representative of Deloitte in the Czech Republic also sees that audit can split into two segments, one of which would be related to IT audit and possibly will be provided rather by IT-technology
36 companies through various controlling applications, real-time monitoring, fully
automated systems and other tools than by audit firms. The second segment, in turns, would be assurance over the judgments incorporated in the financial statements (accounting estimates, valuations, going-concern assumptions) which will be a special expertise of auditors.
Introducing of Blockchain
The popularity of Blockchain was on its top in 2018 when the exchange rate for one of the main digital currencies bitcoin reached its peak of 14 thousand US dollars per 1 currency unit. The response of businesses (and Big 4 was not an exception) was immediate. PwC launched digital assets services in 2016 and announced to continue keeping this strategy so that to make it live by 2020. KPMG together with Microsoft announced Blockchain Nodes, which would help to build stronger relationships with clients by offering the latest prototype solutions based on the Blockchain system and optimize business processes with its help. Each year the number of clients showing their interest in this technology is increasing, which requires audit & advisory firms to react accordingly.
Despite such announcements, the auditors having real experience with their clients do not see the option of mass integration of this technology in the daily working processes.
Talking about cryptocurrencies, the respondents note that their presence among the assets of clients is more than rare case since that requires approval from authorities to use it, accept and do payments by means of it:
“Restrictions implied by the government in relation to cryptocurrencies do not allow digital assets to develop so that they could become a new normality for the Russian economy”
Senior Associate, PwC RU The US view on this is also not very clear:
“We need to understand that buying cryptocurrencies nowadays should be
accompanied with a thought that you probably will never see the real money invested in it again. Their volatility is so high that they do not allow to build some expectations,
37 so companies accepting receipt in bitcoin try to minimize risks by choosing the most stable digital currency available on this market and at the same time exploring new opportunities”.
Senior Associate, PwC US Czech audit firms also admit that it is rare for their clients to have digital currencies presented among their financial statements:
“That would create some complexity over recognition, qualification, reporting and valuation”.
Partner, Nexia CZ As for auditing, the opinion of the responders is not homogeneous. Some of them
believe that digital assets would require specific knowledge, and it might cause hiring either external specialists as valuators or coaching of the internal staff to perform the necessary audit procedures and ensure that nothing was missed. On the other hand, some professionals were more confident about crypto assets and compared the process of working with them with valuation of bonds or other financial instruments specifically mentioned in IFRS 9:
“The audit of cryptocurrencies is not a complex procedure. In most cases it can fall into the standards over financial instruments and be assessed in the similar way. However, I do not exclude the option of hiring external specialists who would do procedures over the present value of cryptocurrency”
Senior Associate, PwC RU This point of view is supported also by the US representative of the similar audit firm and also highlighted that one of the firm’s branches has already accepted the payment for the audit service provided in cryptocurrency, and this might be a unique case just for a while. The firm chose bitcoins for the transactions as it considered it as the most stable and reliable.
38 Speaking about Blockchain 2.0, some of the respondents believe that the appearance of digital assets can create a bubble and highlight the generally existing trend that if anything reaches its tops in short, it can fall shortly as well.
Smart systems
Artificial intelligence represents the highest level of technological advancement at this moment and all the respondents agreed that it would be a powerful and useful tool in audit.
The biggest issue that is created by technologies and can be solved by them is
understaffing of audit firms. This is unfortunately the common trend in the profession despite the size of a firm or its geographical location, and all the respondents share the same opinion that this trend would only increase. This solution can be seen in the form of delegation of a significant portion of manual repeatable tasks to the computer.
The majority would see that delegation as data processing, preparation and selection performed by a computer. However, there is also a possibility to automate testing procedures if they involve standard documentation. It was summarised as:
“Takeover of automated processes and controls, prediction of possible significant risks, simplification of keeping the audit file, tagging.”
Partner, NEXIA AP CZ Already now the smart technologies are assisting auditors in their job, and one of the respondents shared the idea of the tool used:
“There is an option to transform internal conference calls recorded in a text format.
The technology of voice recognition is called Language Service of AI and it is especially useful in communications held in other languages than native, so a written form would assist a person when something was missed by him due to language barrier or speed of speech”.
Senior Associate, PwC US
39 Some of the respondents also noted that their firms are working on the development of new tools based on the features of AI and in some cases the Beta testing already takes place (Partner, APOGEO Audit CZ).
Discussion the potential practicability of AI, the auditors suggest following ideas that they think would significantly help in their work:
“Standard assistant in the form of a chat-bot would be a good solution. There is not always an opportunity to ask someone and the searching process can take a
significant portion of precious time. However, if there would be such a chat-bot, where you can ask a question like how many samples are required under this level of risk, everybody would gain from it”.
Senior Associate, KPMG RU
“The synchronisation of the email box with the platform created for the requests, which usually have limited space to provide better insight on an inquiry or issue appeared, would reduce the time spent on administration of this part of audit work”.
Senior Associate, PwC RU
“AI can be included in the review process and can be integrated in the platforms used by auditors, and I think it is not a far future. AI could also help with review of
contracts and meeting minutes and provide an output based on accumulated
experience. Probably some judgemental tasks such as testing of accounting estimates could also be delegated in the nearest future also”.
Manager, PwC CZ Although AI may identify things to investigate further and find hidden correlations or predict consequences (Partner, KPMG CZ), some procedures still should be performed by a human, such as judgemental matters, calls and inquiries of personnel. That is an incremental part of audit work and hardly can be replaced by a machine at least in the nearest future.
Data security
