Is Digital Transformation a Benefactor or Disruptor to the Audit?

Yu Loong Goh Director, IT Risk Services, PwC Vietnam 04/12/23

Digital transformation of the audit involves the adoption of technology in the delivery of a significant portion of the audit process. Many auditors today often wonder if digitalisation will pose a threat to their career and relevance of their profession in the future. As organisations embrace technology, they demand auditors demonstrate the same or differentiating impact in the delivery of their services. While digitalisation may mean or manifest differently depending on different professionals, they are often demonstrated in 4 key domains such as the following

Data analytics

One of the oldest and more mature forms of digitalisation revolves around data analytics and their various manifestations. All audit procedures involve various degrees of analytics as part of the methodology. For example, analytical procedures involving common tools such as spreadsheets or statistical analyses are forms of data analytics but at a lesser complexity level.

At a higher level, for over 2 decades at least, auditors have been utilising Computer Assisted Audit Tools/Techniques (CAATs) or spreadsheet macros to assist with processing large volumes of data to detect errors, unusual transactions and assurance over integrity of computed results through independent reperformance. As IT resources become significantly more affordable through time, more powerful tools become available to auditors to perform more complex analytics with greater coverage and ease of use. Hence there is an ever increasing expectation to an auditor beyond just an assurance function but also an advisory role to optimise value to stakeholders.

Although not mandatory or prescribed, some auditors adopt data driven audits as a differentiator to the value of their services beyond just compliance to auditing standards and defined methodologies. This involves auditing the full or significant portion of the auditees data population through use of programming languages, data technologies or business intelligence to detect even the smallest transactions in value or frequency for quantification and investigation. Not only for deriving insights, these seemingly immaterial or insignificant transactions may reveal hidden loopholes, likely indicators of errors or fraud which on its own or cumulatively may pose an exposure to a risk which would be extremely unlikely to be detected through manual or substantive sampling procedures. This is often adopted by complex industries such as financial institutions, retail or other industries with high volumes of transactions or dependencies on technology services such as telco and utility companies.

The challenges faced however is the need to employ or train audit professionals with the programming skills and mastery of data tools in order to achieve the desired results. Most auditors do not have IT or strong technical qualifications unless they are IT auditors. Yet most IT auditors do not deliver non-IT audit projects. Hence traditional auditors without any IT exposure or education need to upskill themselves on IT or data skills which are quite foreign to them. The extra requirement with a sharp learning curve on top of already demanding audit procedures may be construed as a disruptor to them.

Digital Enterprise Resources

Digital solutions and applications such as ERP and eGRC are increasingly deployed across various organisations. The ability to consolidate processes and data across the organisation enables auditors to focus more on automated controls and functionalities to deliver the audit. This approach attempts to eliminate reliance on manual controls or substantive procedures to achieve:

Reduce sampling errors

Eliminate testing bias

Reduce human errors during the audit process

Faster and easier artifact collection

Because these solutions enable key controls and processes to be centralised through proper configurations or implementation, the need to deploy traditional sampling or manual audit procedures become irrelevant. Some audit teams in mature markets have at least 50% or more of their audit procedures executed or delivered through the expertise of IT audit specialists in some heavy IT dependent auditees such as Telcos. This is not just to drive higher efficiencies but also the nature of the auditees processes themselves which makes manual audit procedures ineffective.

By relying on the functionalities of these ERP or equivalents, the auditor may focus their attention on areas that matter such as configurations, programs and general IT controls to reduce manual intensive audit procedures. Sampling of minimal representative samples (if application controls and general IT controls are effective) eliminates sampling bias and human errors.

On the other hand, the auditor is required to scope and execute an audit to align on with the extent and maturity of the organisations implementation. Technical knowledge of the enterprise resource solution is critical to identify the correct risk areas, test procedures and recommendations. These would often require the auditor to audit through the system rather than around the system. Hence traditional auditors without the necessary technical edge or experience will be at a disadvantage.

Process Automation

Process automation involves utilising tools or programs to carry out routine or manual intensive tasks. This may be utilised by the audit profession to automate tasks such as:

Data transformation and extractions

Documentation and reporting

Computations

Validations

The digital auditor is able to work with IT to run programs which can extract the necessary data, in the required formats and where possible include some calculations/rules which can be readily used. The auditor may be able to write scripts or programs which can replace the need to manually prepare test templates, required validation tasks and even generate desired outputs even on large populations of samples or data.

To address the need for efficiencies, software vendors in the market provides solutions which can help automate routine or manual tasks within or even outside the organisation to support the audit. Tasks that previously required physical interactions such as visuals and web extractions can be scheduled and executed continuously if set up properly.

When aligned with a matured data environment and integrated enterprise resource model, the digital auditor may implement continuous auditing capabilities. This ideal state enables the auditor to implement near time detection of actual or potential exceptions not just to the auditors but may also be inherited by the first lines of defence.

To achieve continuous auditing capabilities, considerable financial investment and effort is needed to set up. Foremost, recruiting and training the right audit professionals with the necessary advanced programming, knowledge of the organisations tools and audit skills are needed, a rare and expensive combination. Secondly, there must be a willingness to purchase the appropriate tools and infrastructure to support the required data, tasks and automation. Some solutions may come in the form of simpler PC applications but others may require supporting IT infrastructure or even integration with the organisations systems. Web-based solutions may be able to offset a significant portion of the costs, there are also some reservations about hosting data on external cloud solutions.

Artificial Intelligence (AI)

Artificial Intelligence (AI) has been the hottest topic recently especially with the public introduction of solutions such as ChatGPT. The practical application of AI has seen a surge across various sectors from academia, entertainment, legal and slowly into the audit profession. Whilst the uptake of AI in the audit profession is slow, many are seeing key areas where AI can be adopted.

The auditor may utilise AI to assist in identifying key risks associated with a process or scope in mind at a global or industrial level. This expands widely on the available knowledge base or experience limited only within the organisation or network they work in to drive greater insight and value added scope areas. AI not just provides a standard list of risks, it may also help factor in additional requirements and considerations about the auditors industry, scope and processes to tailor fitting results to the auditor.

In addition, with the ever changing regulatory requirements both locally and overseas, auditors can utilise AI to research and extract a comprehensive list of requirements promptly as a single source of reference instead of pouring through many separate sources for information. That eliminates the risk of auditor oversight while developing their work programs.

Some auditors may use AI to assist in analysing data and information to produce rapid analytical results and derive conclusions on behalf of the auditor. Complex technical skills may not be required by auditors to design complex algorithms to mine hidden information or process unstructured data. Prior to AI, even with technical skills, many results are limited to exception trapping scenarios and their experience of what to detect for. In the legal profession, some attempts were made to allow AI to make judgements for some cases hence bypassing the element of professional or human judgement purely based on the merits of available data and rich repository of historical cases which it is being fed with.

AI allows new and innovative methods to execute audit procedures outside of standard or traditional procedures. New risks, regulations and methodologies are constantly updated in the AI universe, often outside of the auditors knowledge or require constant research to remain updated. Some university students even resorted to AI to submit their academic assignments be it theses or programming code which impressed even experienced lecturers.

Auditors may utilise AI to help design appropriate work programs to support their audit procedures. This significantly saves time researching and designing work programmes as part of their audit scope. This allows audit teams without highly experienced or technically strong skills to plan and execute assignments with reasonable quality.

However, AI is not without its limitations. AI is not expected or allowed to substitute human judgement. The audit profession does not recognise or allow audit opinions to be derived from AI sources without demonstration of the auditors professional judgement and personal evaluation of the results at hand. At present, external auditors are not allowed to utilise public AI resources such as ChatGPT as part of their audit methodology.

There is limited governance or regulations over the integrity or reliability of information within AI sources. As a result, information bias or unreliable data may be consciously or unintentionally included in the AI environment. This is evident with the introduction of the Algorithmic Justice and Online Platform Transparency Act in 2023 by the US Congress to prevent discriminatory or harmful decision making through AI. The auditor must independently review and evaluate AI generated results before acceptance, sometimes with considerable effort.

AI requires a very wide base of information and continuous learning to remain relevant and effective. Access to such requirements are often restricted either to big corporations or public sources. The former requires heavy investment to build these capabilities into the methodologies or solutions they use. Even if adopted, AI capabilities are often focused into operational or performance driven objectives instead of audit or risk areas. Public sources on the other hand pose a potential data security threats and organisations are prohibited to release information for processing.

Digitalisation of the audit profession is nonetheless inevitable and most if not all audit professionals are required to embrace technology in their audit procedures. Nonetheless digitalisation does not allow the auditor to forsake their professional judgement and responsibilities fully to digitalisation without accountability. Awareness of the disruptors of the digitalisation journey is critical to maximise the value of their audits with proper management of their risks and limitations.