PR108 Information Systems Audit Ch02 - The Impact of IT on Audit PDF

PR108 INFORMATION SYSTEMS AUDIT Ch02 - The Impact of IT on Audit By: Robert E. Regala Link to Youtube video: https://youtu.be/m-ffxy-ZsKk OPENING SLIDE Hi! It’s Sir Rob! Today I am going to discuss Chapter 02 of the course IT Audit. Our topic is “The Impact of IT on Audit.” Globally, companies, the audit profession, professional bodies and regulators are increasing their focus on the impact of technology, particularly Information Technology. There are clear benefits that technology can bring—from operational efficiency to financial inclusion and greater insights. However, alongside these benefits comes a range of risks, many of which are still not fully understood. In this presentation, we will try to understand the impact of IT from both the points of view of the client and the auditor. As always, in the practice of Accountancy, we should remember to be professional, perform effectively and efficiently, follow standards, and document our work adequately and properly. SLIDE 02 TOPICS Our topics for this discussion are: 1 Conducting Business in Technology Space, discusses the shift from “Know your customers” to “Know your data” and how entity’s are discovering their data and insights out of these. 2 Disruptive Technologies and the Auditors, shifts our attention to how technologies already here are changing the auditing landscape, putting more responsibilities to the auditor. 3 Evolving or Emerging Technologies, focuses on emerging new technologies not yet widely adopted, and advances in areas of technologies that will change the way the auditor conducts the audit. 4 Data Analytics Opportunities, looks at the prospect of the auditing profession being commoditized or reduced to becoming simple commodities in the eyes of audit clients who might invest in data analytics technologies that allow them to perform audit capabilities. 5 Effects of Technology on Audit, summarizes the discussion in simple terms. SLIDE 03 On with our first topic: “Conducting Business in Data Space.” This topic introduces the concept of “Know Your Data” and how the client entity uses the concept to conduct a more efficient business and enhance the IT controls. This concept enables the auditor to evaluate the IT governance initiatives of the entity and the maturity of its IT culture. SLIDE 04 Technology is changing the way business is conducted and data is analyzed. There is an increasing focus on data management; ‘Know Your Data’ (KYD) is the new buzzword replacing ‘Know Your Client’ (KYC). We in the 21st Century have access to a huge volume of data. More than any generation before us. And with each day that volume of data grows ever larger. One of the many consequences of the COVID-19 pandemic has been the continuous news coverage stressing the importance of data. We are regaled daily with graphs and statistics that few people understand or want to understand. The challenge with all data is working out which are worth using and how to best use this. It is about knowing your data. SLIDE 05 Know your data, where it comes from, what’s in it, what it means. It all starts from there. Know Your Data helps the business understand datasets with the goal of improving data quality. Data is an important asset at all organizations – no matter what their business, their size, or their structure. Without data, an organization would not exist, so the decisions made about data are critical. Many organizations have little understanding or visibility into its data. SLIDE 06 Effective data discovery is not easy because of the increasing number of data systems, the interconnectivity between them and the diversity of the environments. Some data discovery is easy while other types are more difficult. When you know what data you have and where it is, you can capture, categorize, manage, protect, migrate, reduce, share, display, and repurpose information. SLIDE 07 These capabilities are critical for making well-informed decisions, including those on enhancing privacy, adding security, meeting regulatory items, achieving compliance, forecasting, controlling costs, hiring, firing, minimizing risk, increasing employee satisfaction, improving customer satisfaction, protecting intellectual property and list goes on. For discovery and knowing, management need to ask and get answers for data-related questions such as: What data systems are used in the organization? What data are collected from people in your organization and those outside of the company? Who can access these data? How is the data managed? What options are available for organization that helps them to discover its own data and get better knowledge and control? SLIDE 08 Entities can discover their own data by: 1. Data System Inventory - Organizational data is created, moved, copied, modified, shared, and translated across many data systems including shadow systems. An entity needs to understand what data systems are used, who has access to these data systems, and what data is in these data systems. Therefore, a critical need is having an accessible, up-to-date data system inventory in place. Before an entity can do data governance (data intelligence) policies addressing data privacy, integrity, security, and availability, it must know what it has. Creating a data system inventory will require some question asking and research. 2. Common Knowledgebase - Understanding data requires a business glossary and data definitions. Having these knowledge areas will improve satisfaction especially with staff who will have a better understanding of the data. Having a common knowledgebase of data governance related content including business glossary, data definitions, data system inventory, reference data, report specifications, data quality rules, data policies and other information is critical. With access by all, a common knowledgebase makes data discovery and knowledge a lot easier. Business glossary is one of the harder pieces of data governance as often discussions (sometimes heated) are necessary to firm up the business glossary entries. 3. Data Governance Framework – Entities needs some structure around their data and thus, the importance of having a data governance framework in place. There are several IT Governance frameworks available in the market. The most popular of these is COBIT or “Control Objectives for Information and Related Technologies,” which is a framework created by ISACA for information technology (IT) management and IT governance. The framework is business focused and defines a set of generic processes for the management of IT, with each process defined together with process inputs and outputs, key process-activities, process objectives, performance measures and an elementary IT maturity model. 4. Data Request and Data Quality Issue Processes – Entities need to have in place a data request process (for new reports, new definitions, data exports, etc.) and a data quality issue submission process. Both processes are important for data discovery. 5. Understand you user’s data behavior – This includes items such as data sharing agreements with others, specifications on integrations and data movement/changes (data lineage). Make sure that this information is documented. 6. Data Governance Solution - Since the entity’s data could be everywhere, it needs a solution that can traverse data systems. And have a framework, have the necessary processes and workflows in place and be able to manage the data governance related content and have it in a common knowledgebase. 7. Automate and integrate where possible – Entities should not depend on manual entry. There’s just too much risk of error. Entities can add workflows for data stewards where possible, including the approval of data definitions and report specifications. Entities should also document all the integrations in specifications so it knows what is in the integration and how the data was modified. 8. Data Models - Bringing in your technical data models is easy with a tool such as the Data Cookbook (automatic and import). SLIDE 09 Intelligent decisions stem from the ability to discover, classify, optimize, and take advantage of your data. The first step is finding or discovery of your data. I’m not sure who said, “knowledge is power”, but it is so true. After discovery, the next step is knowing. The better the knowledge you have of your data, the better your data will be. And that leads to better information which leads to better data-driven (or data-informed) decision making, both in terms of improving the operations and the controls over IT infrastructure. SLIDE 10 Disruptive Technologies Our second topic is about “Disruptive Technologies.” This topic is about how new technologies greatly affect the audit strategy and procedures in Audit firms, and how the auditors are coping with the challenges brought about by disruptive technologies. It also includes a discussion of the pros and cons to the auditor when adopting such technologies. Though technological adoption is, in general, can be said as a necessity for running an audit firm, the approaches and strategies are distinctly different. A digital CPA is not only using technology but also employing it to transform their business environment to be relevant and future-ready for clients and staff. A lot of technology-deep Accounting, Consultancy, and Audit firms are today focused on helping the CPAs to be ready for the integration of technology into audit practices, using those tools to not only become more efficient, but also more effective. That is where they try to operate, at the intersection of efficiency and effectiveness, especially in fraud detection. Even in the same firm, there may be different offices who use more technology throughout the audit. There are different comfort levels with how people use technology. In a lot of cases, you’ll find stories of the same audit staff who maybe on one partner’s audit engagement and that partner says that he doesn’t like technology and wanted everything done manually with paper; and he’ll be on a different audit partner’s engagement and that partner wants everything done electronically. Certainly, the firms are moving towards encouraging the use of technology, but they just haven’t forced all the partners to get there. That’s the struggle that some firms have: the specific approach that the partner wants to encourage the audit team to use. On the whole, however, there is a recognition that certainly, technology is the way forward and it’s just a matter of time, of how quickly everybody gets there. SLIDE 11 Clayton Christensen popularized the idea of “disruptive innovation” in The Innovator's Dilemma, published in 1997, which received the Global Business Book Award for the best business book of the year. The concept has been growing in interest over time since 2004, according to Google Trends data. Originally, the concept was related to business theory, defined as innovation that creates a new market and value network or enters at the bottom of an existing market and eventually displaces established market- leading firms, products, and alliances. It has since been applied to technology as well. Technology, being a form of social relationship, always evolves. No technology remains fixed. Technology starts, develops, persists, mutates, stagnates, and declines, just like living organisms. The evolutionary life cycle occurs in the use and development of any technology. SLIDE 12 Regarding this evolving process of technology, Christensen said: “The technological changes that damage established companies are usually not radically new or difficult from a technological point of view. They do, however, have two important characteristics: First, they typically present a different package of performance attributes—ones that, at least at the outset, are not valued by existing customers. Second, the performance attributes that existing customers do value improve at such a rapid rate that the new technology can later invade those established markets.” SLIDE 13 Disruptive technologies, now here, such as those related to Data Science, are also having a profound impact on the skills required of auditors, finance and accounting professionals and regulators which has implications for educators, recruitment policies and staff development needs. Now, let us look at some insights from both clients and providers of assurance and audit services. The following slides will feature the comments of these at a breakfast briefing jointly organized by The Institute of Chartered Accountants in England and Wales (ICAEW) and the Dubai Financial Services Authority (DFSA), on December 13, 2017 at DFSA. Marcus Freeman, CFO, Chalhoub Group at the time of the breakfast briefing. He is now the President of Operations and the Deputy Group Chief Executive Officer. Chalhoub Group is a privately held luxury goods retailer and distributor, headquartered in Dubai, UAE. The Chalhoub Group is the largest retail operator in the Middle East. It played a crucial role in developing the luxury sector in the region. The company has more than 12,000 employees, in 14 countries. Steven Drake, Partner, Middle East Leader – Risk Assurance and Capital Markets and Accounting Advisory Services (CMAAS), Pricewaterhouse Cooper, one of the big 4 international audit firms. Khurram Siddiqui, Partner, Global Robotics Leader and MENA Digital Leader, Financial Accounting Advisory Services (FAAS), Ernst and Young, another big 4 international audit firm. Hisham Farouk, CEO and Global Board Member, Grant Thornton. Grant Thornton LLP is the American member firm of Grant Thornton International, the seventh largest accounting network in the world by combined fee income. Grant Thornton LLP is the sixth largest U.S. accounting and advisory organization. SLIDE 14 When asked the question “When will advances in technology result in a real step change in how business is done and what will be different?”, the panel gave the following comments: From the audit perspective, Hisham reflected that, ‘Technology will continue to eliminate the requirement for human clerical and vouching procedures, which will increase time efficiency and reduce headcount. However, value will continue to be sustained from understanding the client’s business model. Data analytics is increasing the accessibility of data, however human intervention is still required to filter the data and to communicate and advise clients effectively. We can expect the audit being delivered by smaller technology conversant audit teams, who use data analytics to understand the business drivers, and also have the wider business acumen to understand both boardroom requirements and shareholders’ psychology, and are able to communicate the information appropriately. Machine learning and artificial intelligence are still not at the stage where they can replace that human input.’ SLIDE 15 As clients use more technology they are increasingly taking on more risk, and their stakeholders will require a new suite of assurance services to address these new risks. So, while demand for traditional historical data-focused audit services may decline, Steven saw significant opportunities to develop new real-time and forward-looking assurance services. SLIDE 16 Khurram commented that, ‘Until recently bitcoin had been a phenomenon, treated with great skepticism, however now large financial institutions are talking about how to embrace it and the underlying blockchain technology. Similarly, the only option for the audit profession is to embrace the developments in digital technology’. Khurram considered that ultimately it is always humans who are the driving force behind developments in technology. Before ERP solutions were the norm, there was a period of concern that the role of human input in accounting was being superseded, however in reality with increasing complexity of systems, humans continue to be required to manage them, and in some cases the human oversight increases with technology. The future is one where humans and machines work together. Outsourcing repetitive and periodic tasks to machines allows humans to focus on problem solving, envisioning and strategizing, areas where judgement plays a key role. So rather than suffocating the profession, Khurram saw technology expanding and changing the types of services provided to clients. Describing what the future audit would look like, Khurram stated that, ‘The way audit is performed may change significantly in the future. We are moving from continuous control monitoring (CCM) to continuous transaction monitoring (CTM), which happens on the client site, in real-time, with a copy created for the auditors. The use of blockchain technology makes these huge changes possible.’ SLDE 17 Khurram also commented on another change in audit driven by technological advances, ‘Regulators may mandate that an audit sign off include further value adds. For example, the way audit firms caveat their work with respect to fraud detection is likely to change, since technology will allow auditors to check every single journal entry.’ SLIDE 18 Marcus agreed that audits would add more value to corporates if they also encompassed a forward-looking and real-time aspect, but questioned whether the larger professional services firms are best placed to offer those services. He raised the question, ‘Is the audit profession as we know it best placed to mitigate these new corporate risks?’ He saw technology as a driver levelling the playing field for small audit firms or even technology businesses to compete as equals. SLIDE 19 The bottom-line for the auditor and audit firms is to embrace technology to keep abreast with clients that adopt technology to stay competitive in their respective industries. It is needless to emphasize that audit clients expect the independent auditors to be one step ahead of them, in terms of knowledge and skills. Keeping relevant with competence in new technologies will maintain the quality of service to audit clients and thus, maintain the prestige of the auditing profession. SLIDE 20 Technology and Fraud Several slides back, Khurram Siddiqui hinted that because of the ability of the auditors to look at a larger data set and possibly check every single journal entry, driven by technological advances, ‘Regulators may mandate that an audit sign off include further value adds. For example, the way audit firms caveat their work with respect to fraud detection is likely to change,’ reducing the audit expectations gap. Surely, fraud detection if one of the highly contested areas of the expectations gap, which is, of course, the difference between the expectations of society and the auditee especially regarding the detection of fraud, and the actual responsibility of the auditor regarding fraud detection, which is, as the audit standards says: “Auditors are not responsible for detecting fraud.” For one thing, that has never been one of the overall objectives of the auditor as described in PSA 200. However, because audit firms are, and should, embrace technology to transform their services to be technologically-relevant and future-ready for audit clients and audit teams, that expectation gap may be narrowed, or may even be closed, with the auditor stepping up armed with technological tools to better detect material misstatements due to fraud. SLIDE 21 Let us also discuss how the auditor may approach new technologies with a focus on how the users of the technology might use it to commit fraud. And in this way, the auditor acquires an understanding of the functionalities of the technology. Such understanding will help the auditor develop audit procedures to detect if the window to commit fraud has been breached by fraudsters. One of the key things is to look at the new technologies out there and the first questions auditors should ask is: “How would a bad guy or a fraudster use this technology to commit financial fraud?” “Is there an opportunity for them to manipulate the technology in a way that maybe anybody hasn’t thought about?” And the most important of all audit questions: “Is there a way they can use this technology to circumvent that auditor’s procedures?” That’s the lens through which auditors should look at new technologies. SLIDE 22 There is definitely a requirement for auditors to understand the workings of the technology. Maybe not the bits and the bytes, and the program codes that they are written in, but, understanding the functionality of the technology. In order to understand the functionality, the auditors should understand the initial intended use of the technology. Because the initial intended use maybe for one particular purpose and while it may have a portability in other areas, it may not really achieve the audit objective that auditors may assume the technology does. Blockchain maybe one of those, for example. Digital Signatures is another. There maybe some things that people assume or imply with the technology that may not be the underlying core or basis of the technology. Auditors certainly do not want to put any emphasis or reliance on an aspect of technology that is not appropriate. SLIDE 23 For example, Digital Signatures. Digital Signatures’ initial intended use is originally, for two parties who knew each other and needed this on a legal document, specifically, real- estate contracts, so that they could do it efficiently. At the time, what the electronic digital signatures did not do is validate the identity of the user. The whole point was that the two parties were known to each other and so digital signature is just a means so that they can sign the document electronically. Yet so much of the market assumed that digital signature companies were validating the identity of the users. Now, many years later we’re starting to see that functionality take place. We’re starting to see that over in Scandinavia, Docu Sign is getting ready to come out with some tools that validate the identity of the signer. But that’s not implicit in the tool and certainly hasn’t been for the last ten to fifteen years that the technology has been available. For an auditor, you really have to understand the technology and see how a fraudster can maybe use it. SLIDE 24 One of the primary potential legal liability the auditors face is the fraud aspect of the engagement. The more there is automation, the more auditors have the ability to look at larger data sets, and not just samples of data. Technology have opened the possibility of looking at all the data and offered tools that effectively and efficiently do that. Users of the financial statements will definitely look more to the auditors to effectively identify significant material misstatements due to fraud. This capability is one of the more significant things that auditors should incorporate into their audit practices more fully. SLIDE 25 Articles about audit recently decry the lack of a “fraud university” which is to imply that auditors are not actually trained to detect fraud in higher education programs such as BS Accountancy. That really is a valid concern and so it devolves upon the Board of Accountancy and the Commission on Higher Education to train future CPAs in identifying risks of fraud. That is really where the public and the users of the financial statement will really look to auditors, to do a better job as we go forward. There is a scarcity of an auditing firm that has ever been sued for conducting an inefficient audit but there are numerous cases of firms that had been sued for missing either a significant material misstatement due to error or fraud. Because of that exposure, it is incumbent on auditors to utilize the technology tools in a way that will help them achieve and perform their job in a way that the public and the users of financial statements expect of them. SLIDE 26 Evolving or Emerging Technologies Our third topic is about “Evolving (or Emerging) Technologies.” This is about how upcoming technologies—Artificial Intelligence (AI), Blockchain, Cyber Security, and Improvements in Data Capabilities—will affect the audit strategy and procedures of auditors, and how the auditors could cope with the challenges brought about by these technologies. Technology is directing changes in the way clients run their businesses, changing their business models and processes. Auditors need to stay ahead of these changes in order to provide relevant advice and support services. In response to this, audit firms are both recruiting and partnering with a variety of technology experts. Audit firms need to invest in digital initiatives, including AI, blockchain, cyber security and developments in data capabilities. These initiatives across multiple technologies will equip them to expand their assurance services to deal with the new technology driven risks that their clients face and safeguard their digital assets. Khurram is very on point when he stated that, ‘Regulators, auditors and clients all have a role to play. The new talents required are all around programming, coding and leveraging the technology that is around us. Data security, AI development and robotics will all be transformational and blockchain is just unavoidable – we are living on a cusp of change. Regulators are working through this upheaval, whilst global professional services firms are aiming to be early adopters of this technology.’ SLIDE 27 Let’s firs look at Artificial Intelligence and how it will affect IS audit. Artificial intelligence (AI) AI refers to machines undertaking tasks which require some kind of ‘intelligence’, which typically refers to things such as learning, knowing, sensing, reasoning, creating, achieving goals and generating and understanding language. Recent progress in AI has been based on techniques such as machine learning and deep learning, whereby algorithms learn how to do things, such as classify objects or predict values, through statistical analysis of large amounts of data, rather than through explicit programming. It’s emerging impact on IS Audit AI enables the analysis of a full population of data and can identify outliers or exceptions. By creating sophisticated machine learning-based models, auditors can also improve fraud detection. The audit is set to be further transformed by deep learning, a form of AI that can analyze unstructured data such as emails, social media posts and conference call audio files. An example of how AI can be applied to the audit is in contract review. Machine learning tools allow humans to analyze a larger number of contracts, such as leases, in a much shorter timeframe than is possible with a traditional manual review. In a recent pilot, AI tools were able to accurately extract information from lease contracts using pre- selected criteria in the vast majority of cases – a higher level of precision than the average human reviewer is capable of. Definitely, aspects of judgement are becoming digitized and continually enhanced in the era of machine learning and artificial intelligence. Robotic process automation (RPA) is already being used in audit execution, particularly for repetitive tasks like revenue and payroll testing. This is already here. By making it possible for auditors to work better and smarter, AI will help them to optimize their time, enabling them to use their human judgment to analyze a broader and deeper set of data and documents. SLIDE 28 Blockchain Blockchain is a foundational change in how records are created, kept and updated. Rather than having one single owner, blockchain records are distributed among all their users. The success of the blockchain approach is in using a complex system of consensus and verification to ensure that, even with no central owner and with time lags between all the users, nevertheless a single, agreed-upon version of the truth propagates to all users as part of a permanent record. This creates a kind of ‘universal entry bookkeeping’, where a single entry is shared identically and permanently with every participant. Each participant in a blockchain (each “node”) keeps a copy of all the historical transactions that have been added to the ledger, and by comparing to the other nodes’ copies each record is kept synchronized. Unlike in a traditional ledger system, there is no node with special rights to edit or delete transactions, in fact there is no central party at all. One of the situation in which blockchains can be useful is when a trusted central party is either unavailable or too expensive. Recording a transaction in a blockchain may or may not provide sufficient appropriate audit evidence related to the nature of the transaction. In other words, a transaction recorded in a blockchain may still be: unauthorized, fraudulent or illegal executed between related parties linked to a side agreement that is “off-chain” incorrectly classified in the financial statements. Furthermore, many transactions recorded in the financial statements reflect estimated values that differ from historical cost. Auditors will still need to consider and perform audit procedures on management’s estimates, even if the underlying transactions are recorded in a blockchain. Widespread blockchain adoption may enable central locations to obtain audit data, and auditors may develop procedures to obtain audit evidence directly from blockchains. However, even for such transactions, the auditor needs to consider the risk that the information is inaccurate due to error or fraud. This will present new challenges because a blockchain likely would not be controlled by the entity being audited. It’s emerging impact on IS Audit Ultimately the technology a client uses will be audited by another set of quality assurance technology. In the future, regulators will require client technology models, composed of robotics and blockchain, to be audited by another level of code. A script will come to audit a script. The IS auditor will need to extract the data from the blockchain and also consider whether it is reliable. This process may include considering general information technology controls (GITCs) related to the blockchain environment. It also may require the auditor to understand and assess the reliability of the “consensus protocol” for the specific blockchain. This assessment may need to include consideration of whether the protocol could be manipulated. As more and more organizations explore the use of private or public blockchains, auditors need to be aware of the potential impact this may have on their audits as a new source of information for the financial statements. They will also need to evaluate management’s accounting policies for digital assets and liabilities, which are currently not directly addressed in international financial reporting standards or in generally accepted accounting principles. They will need to consider how to tailor audit procedures to take advantage of blockchain benefits as well as address incremental risks. SLIDE 29 Despite these complexities, blockchain technology offers an opportunity to streamline financial reporting and audit processes. Today, account reconciliations, trial balances, journal entries, sub-ledger extracts, and supporting spreadsheet files are provided to an auditor in a variety of electronic and manual formats. Each audit begins with different information and schedules that require an auditor to invest significant time when planning an audit. In a blockchain world, the auditor could have near real-time data access via read-only nodes on blockchains. This may allow an auditor to obtain information required for the audit in a consistent, recurring format. As more and more entities and processes migrate to blockchain solutions, accessing information in the blockchain will likely become more efficient. For example, if a significant class of transactions for an industry is recorded in a blockchain, it might be possible for an auditor to develop software to continuously audit organizations using the blockchain. This could eliminate many of the manual data extraction and audit preparation activities that are labor intensive and time consuming for an entity’s management and staff. Speeding up audit preparation activities could help reduce the lag between the transaction and verification dates — one of the major criticisms of financial reporting. Reducing lag time could offer the opportunity to increase the efficiency and effectiveness of financial reporting and auditing by enabling management and auditors to focus on riskier and more complex transactions while conducting routine auditing in near real time. With blockchain-enabled digitization, auditors could deploy more automation, analytics and machine-learning capabilities such as automatically alerting relevant parties about unusual transactions on a near real-time basis. Supporting documentation, such as contracts, agreements, purchase orders, and invoices could be encrypted and securely stored or linked to a blockchain. By giving auditors access to unalterable audit evidence, the pace of financial reporting and auditing could be improved. While the audit process may become more continuous, auditors will still have to apply professional judgment when analyzing accounting estimates and other judgments made by management in the preparation of financial statements. In addition, for areas that become automated, they will also need to evaluate and test internal controls over the data integrity of all sources of relevant financial information. SLIDE 30 Opportunities for Future Roles of the CPA in the Blockchain Ecosystem As blockchain systems standardize transaction processing across many industries, a CPA, including auditors, may be able to help provide assurance to users of the technology. The CPA may be able to fill a potential future role because of their skill sets, independence, objectivity, and expertise. The following list of potential new roles for a CPA is illustrative only and not all-inclusive; significant regulatory and professional hurdles may remain before a CPA is able to take on these potential roles. 1 Auditor of Smart Contracts and Oracles As described above, smart contracts can be embedded in a blockchain to automate business processes. Contracting parties may want to engage an assurance provider to verify that smart contracts are implemented with the correct business logic. In addition, an auditor could verify the interface between smart contracts and external data sources that trigger business events. Without an independent evaluation, users of blockchain technologies face the risk of unidentified errors or vulnerabilities. To take on this new role, a CPA auditor may need a new skill set, including understanding technical programming language and the functions of a blockchain. This type of role also raises important questions for the auditing profession, including: What types of skill sets does the profession need to remain relevant? What factors would impact assurance engagement risk? What would an assurance provider’s ongoing responsibility entail once a smart contract is released into a blockchain? In the context of a financial statement audit, management will be responsible for establishing controls to verify whether the smart-contract source code is consistent with the intended business logic. An independent CPA auditing an entity with smart contracts/ blockchain is likely to consider management’s controls over the smart contract code. However, many companies may choose to reuse smart contracts built by other entities already active on a blockchain. Future auditing standards and auditing guidance may need to contemplate this technology and thereby bring clarity to the role of the CPA auditor in those scenarios. 2 Service Auditor of Consortium Blockchains Prior to launching a new application on an existing blockchain platform or leveraging or subscribing to an existing blockchain product, users of the system may desire independent assurance as to the stability and robustness of its architecture. Instead of each participant performing their own due diligence, it may be more efficient to hire a CPA to achieve these objectives. In addition, critical blockchain elements (e.g., cryptographic key management) should be designed to include sophisticated GITCs that provide ongoing protection for sensitive information, as well as processing controls over security, availability, processing integrity, privacy and confidentiality. On an ongoing basis, a trusted and independent third party may be needed to provide assurance as to the effectiveness of controls over a private blockchain. This type of service raises important questions for the profession: When providing assurance across a blockchain, who is the client? How would a CPA auditor assess engagement risk for an autonomous system? How would independence rules apply to users of a blockchain? 3 Administrator Function Permissioned blockchain solutions may benefit from a trusted, independent and unbiased third party to perform the functions of a central access-granting administrator. This function could be responsible for verification of identity or a further vetting process to be completed by a participant before they are granted access to a blockchain. This central administrator could validate the enforcement and monitoring of the blockchain’s protocols. If this function is performed by a user/node of the blockchain, then an undue advantage could exist and trust among consortium members could be weakened. Since this role would be designed to create trust for the blockchain as a whole, due care will be needed when establishing both its function and its legal responsibilities. As a trusted professional, an independent CPA may be capable of carrying out this responsibility. However, this role would raise new questions for the profession: By taking on such a critical role, is the assurance provider independent from the blockchain participants? Could the CPA auditor conduct financial statement audits on those participants? 4 Arbitration Function Business arrangements can be complex and result in disputes between even the most well-intentioned parties. For a permissioned blockchain, an arbitration function might be needed in the future to settle disputes among the consortium-blockchain participants. This function is analogous to the executor of an estate, a role typically filled by various qualified professionals, including CPA auditors. Participants on the blockchain may require this type of function to enforce contract terms where the spirit of the smart contract departs from a legal document, contractual agreement or letter. Further considerations should be explored to determine whether an arbitration function is necessary. If CPAs want to take on this role, critical questions will need to be answered, such as: What legal framework would be used to settle disputes? What skill set would be required for a CPA auditor? Could this role create unintended threats to independence regarding attest clients? There are still many unknowns with respect to how blockchain will impact the audit and assurance profession, including the speed with which it will do so. Blockchain is already impacting auditors of those organizations using blockchain to record transactions and the rate of adoption is expected to continue to increase. However, in the immediate future, blockchain technology will not replace financial reporting and financial statement auditing. Audited financial statements are a cornerstone of business and play a key role in debt and equity financing, participation in capital markets, mergers and acquisitions, regulatory compliance, and the effective and efficient functioning of capital markets. Financial statements reflect management assertions, including estimates, many of which cannot be easily summarized or calculated in blockchains. SLIDE 31 The third emerging technology that we will discuss is the growing concerns over Cyber Security. While Cyber Security is not new to the IS Auditor, because it is part of the system of internal control of the IT infrastructure, specifically controls over the security and integrity of data, it has come to the fore and focus of concern because of the increasing cases of data breaches and re-use or commercialization of personal data. Cybercrime and threats to computer systems have become a major concern of businesses around the world. Our growing reliance on IT and the internet has also greatly increased the impact of hacking, security failures and the loss of systems. At the same time, cyber attackers have become more sophisticated and organized. Cyber security covers measures that protect networks, systems, devices and data from attack, unauthorized access or damage. Good practices in cyber security also cover a wider range of activities to monitor IT environments, detect intrusions or breaches and respond to security failures. Organizations face many challenges in building effective risk management around cyber security, including the spread of cyber risk across all organizational activities, the external nature of many of the threats, and the pace of change in the risk. The pandemic may have offered criminals extra opportunities to defraud their victims. For example, you might have not missed the news about many DepEd employees whose Landbank accounts have been defrauded using the “phishing “ method of scamming people. Levels of fraud in the UK were already on the up. According to the most recent Annual Fraud Indicator, compiled by Portsmouth University’s Centre for Counter Fraud Studies, fraud is costing the UK economy £130bn each year, with losses rising by 56% in the past decade. The prevalence of fraud in cyber space has already gave birth to a new form of audit: Cyber Security Audit. However, this type of audit is not new to IS audit, since audit of data security over the cyber space is already covered by existing audit procedures to evaluate controls over security and integrity of data. The term is also used by many organizations to indicate the practice of IS Audit itself in general. A key challenge for corporates is managing the risk of data loss, and as a result there is a huge demand for cyber security services. Professional services firms need to recognize that client risks are changing and need to continually provide evolving solutions and services to meet those needs. Cybersecurity has rapidly become a significant risk to businesses as breaches of information may result in financial and reputational damage, diminished investor confidence, and exposure to potential regulatory fines. The topic has captured the attention of Congress as well as regulatory agencies and is becoming an increasing point of focus for company boards in their oversight of risk management. In response to increasing concerns around cybersecurity risk management, the Center for Audit Quality recently issued Member Alert #2014- 3: Cybersecurity and the External Audit to summarize the responsibilities of the independent external auditor with respect to cybersecurity matters. While this alert is focused on issues facing public companies and their external auditors, these issues would similarly apply to non-public entities. It’s emerging impact on IS Audit The responsibility of the independent auditor relates to the audit of the financial statements and, when applicable, the audit of internal control over financial reporting (ICFR). With respect to cybersecurity, the financial reporting-related information technology (IT) systems and data that may be in scope for the external audit usually are a subset of the aggregate systems and data used by companies to support their overall business operations and may be separately managed or controlled. Accordingly, the financial statement and ICFR audit responsibilities do not encompass an evaluation of cybersecurity risks across a company’s entire IT platform. However, the auditor would be responsible for evaluating the risk of material misstatement to a company’s financial statements resulting from unauthorized access to financial reporting related IT systems and data. The auditor is also responsible for evaluating a company’s accounting for cybersecurity-related losses and for assessing the impact on a company’s financial statements and disclosures, including items such as contingent liabilities or claims, as they relate to the audit of the financial statements taken as a whole and the impact on the internal control over financial reporting (ICFR). The auditor’s primary focus is on the controls and systems that are in closest proximity to the application data of interest to the audit (e.g., Enterprise Resource Planning (ERP) systems, fixed asset systems or connected systems that house financial statement related data). Cyber breaches usually occur initially through perimeter and internal network layers. Audit procedures may include testing access controls at the application layer, and at the database and operating systems layers; while other broader elements of security around the perimeter and network layers generally tend not to be within the scope of the financial statement and ICFR audits. Though likely sources of potential financial statement misstatement are more normally associated with transaction level access through application, audit procedures are developed based on the company’s business and its IT environment. As such, audit procedures performed around the internal network and perimeter network layers may vary from company to company and auditor discussions with management and the audit committee and those charged with governance are to be tailored accordingly. A company may determine it is necessary to disclose cybersecurity risks within various places throughout its annual report including risk factors, Management Discussion & Analysis (a section within a company's annual report or quarterly filing where executives analyze the company's performance), legal proceedings, business description and financial statements. The auditor’s responsibilities with regard to these matters depend on where the disclosure is included within the annual report. As a reminder, the auditor’s responsibilities for information contained in the financial statements is different from other information presented within the annual report outside of the financial statements. The auditor is required to read such other information and consider whether such information, or the manner of its presentation, is materially consistent with information appearing in the financial statements. National Institute of Standards and Technology (NISTY) Framework for Improving Critical Infrastructure Cybersecurity In February 2014, the National Institute of Standards and Technology’s (NIST) “Framework for Improving Critical Infrastructure Cybersecurity,” in the United States, was released, as a collaborative effort between the government and private sector, to provide a set of industry standards and best practices to help organizations manage cybersecurity risks. The use of such a framework is voluntary and the framework is considered a living document that will continue to be updated and improved based on industry feedback on implementation. Such standards may become mandatory in the future. SLIDE 32 The last evolving technology we will discuss is the Advances to Data Capabilities. Data is at the heart of all economic activity, including the accountancy profession. Recent technology-driven improvements to data capabilities include the ability to access very large amounts of data; new sources of data, particularly unstructured data such as text and images; and greater emphasis on speed and real-time data. Different uses of data and associated analytics tools highlight different aspects of these characteristics. The ability to process large volumes of data enables analysis of entire datasets, rather than just samples, or examination of more granular data. Linking together data from different systems, or new data from third parties, can provide fresh insights. Technology now allows access to vast amounts of data which, if analyzed appropriately, can offer an extraordinary view of the organization. It is also changing the way business is conducted and data is analyzed. There is an increasing focus on data management. Moreover, the advent of cloud computing and cloud storage has opened up the possibilities of collecting and analyzing data on a previously unimaginable scale. Impact on IS Audit Going beyond the confines of company data allows auditors to collect and analyze broader industry data sets that were previously inaccessible. This enables auditors to better identify informational outliers, and increases their ability to generate business insights and focus on business and financial reporting risk. The evolution of technology challenges the current value proposition of the audit. Moving to offshoring allowed audit firms to cut costs, and now automation will enable firms to cut the time required to complete an audit. Within a decade, an audit will be completed within a fraction of the time, given access to real-time data. Audit fees have typically been charged based on the time taken to conduct the audit, but audit firms will no longer be ‘selling time’. Hisham suggested that ‘The audit profession will need a new value model that clients can understand. With the use of technology, fees will be based on knowledge, connecting that knowledge to strategy, mitigating the specific risks of the organization and becoming the advisory driving force for the organization’s board and stakeholders.’ SLIDE 33 Opportunities in Data Analytics. This is our 4th topic. Data Analytics is not in the curriculum of BS Accountancy in the University. Yet, as early as 2007, in a seminar I attended, a Board of Accoutancy member expressed apprehension that Big Data Analytics will overshadow much of the function of Management Advisory Services. With its broader range of data than MAS, coupled with data analytics tools, managers can have a better view of the organizations operations and discover more insights hidden in big data. Even hidden insights that have the potential to propel the entity to industry leadership. SLIDE 34 When asked the question: “What opportunities in recent evolutions does data analytics bring to auditors?”, here are their insightful comments of the four resource experts who attended the aforementioned breakfast meeting in DFSA. Against the backdrop of recent evolutions in technology, Steven Drake proposed we initially consider the concept of ‘what is an audit now?’ and ‘what will be the audit of the future?’ Typically, an audit has looked at historical financial statements and provided an opinion. Steven commented that ‘data analytics is doing more than just change the way we will do an audit. It will change what an audit of the future will look like.’ As clients adopt new technology they will be looking to wider assurance services to mitigate risks in their business, beyond the focus on historical information. SLIDE 35 Technology is disrupting the audit process by increasing automation to drive efficiencies. Khurram highlighted key areas of change. ‘Traditionally the audit approach was a combined risk assessment using substantive sample testing and assessment of controls. Now with technology enabling us to test the full population of entries and not only a sample, we move away from asking ‘what could go wrong?’ to ‘what has gone wrong?’ We have more certainty and precision with regards the transactions, and more transactional evidence of control weaknesses. Furthermore, aspects of judgment are becoming digitized and continually enhanced in the era of machine learning and artificial intelligence.’ SLIDE 36 Hisham commented that the professional services firms continue to respond to increased use of technology by their clients. This evolution started as clients moved to using accounting software and ERP solutions, and now another phase begins, where the profession is beginning to connect to those client systems. ‘We are now not only analyzing data, because clients have greater connectivity and accessibility of data, but through machine learning the quality of the data we are able to extract is far better, enhancing both the efficiency and rigor of the audit process.’ SLIDE 37 From a CFO perspective, Marcus commented that, ‘The ability of technology to allow the testing of entire populations shifts the perspective on the value of an audit. Data analytics allows the auditors to provide both a helicopter view of the financials and a detailed and complete view of the accounting records, and as a result more insight. There is now more pressure for an audit to focus on detecting fraudulent transactions, as technology now exists to highlight any journal entries that are deviating from the standard process and other anomalies.’ SLIDE 38 Marcus cautioned however, that, ‘In a matter of time all the global audit firms will be able to offer similar technological solutions and since the technology itself is not proprietary there appear to be limited barriers to entry, and so nothing stopping smaller technology savvy players entering this market to offer these same technological solutions. Data analytics can also support a CFO in maintaining the internal control environment. So, what is stopping corporates from investing in audit technologies themselves to mitigate the need for external audits? Both these factors could see the audit being commoditized.’ (Commoditization, in business literature, is defined as the process by which goods that have economic value and are distinguishable in terms of attributes end up becoming simple commodities in the eyes of the market or consumers.) Marcus acknowledged that currently corporates leverage the audit partner relationship as a source of valuable business advice, but this may become less important as machine learning tools provide more detailed analysis of the red line issues in the business and offer potential solutions. ‘There is a real risk of disintermediation of the audit profession. Perhaps even judgement can be commoditized.’ From a finance department perspective, the benefits of automation and machine learning are already being felt as businesses replace clerical headcount with machines. Although, Marcus commented that, ‘What is still required in the near term is better qualified accounting personnel who know how to think, can apply judgement and can analyze and draw insights from data.’ SLIDE 39 After discussing the new disruptive technologies and the emerging or evolving ones, we can now summarize the significant impact of IT on audit. SLIDE 40 In summary, what these experts are telling us that disruptive and emerging technologies will do in the foreseeable future is: 1 Technology will allow auditors to check every single journal entry; 2 Technology will continue to eliminate the requirement for human clerical and vouching procedures with human intervention still required to filter the data and to communicate and advise clients; 3 Technology will reduce the size of the audit team to a smaller technology conversant teams; 4 Technology will give rise to a wider range of assurance services that the clients will ask auditors to provide, while reducing the demand for traditional historical FS audit services; 5 Technology will move IS Audit from Continuous Control Monitoring (CCM) to continuous transaction monitoring (CTM), which happens on the client site, in real-time, with a copy created for the auditors; 6 Technology will encourage regulators to mandate that an audit include value-adding services, such as respects fraud detection, since auditors will be able to check every single journal entry; and 7 Technology will level the playing field in favor of small audit firms. SLIDE 41 Given the speed of technological and digital advances, it is imperative that those in the audit and finance profession invest in understanding and developing these technologies to benefit their respective sectors. This is a huge challenge, particularly in audit, where the pace of technological change, specifically the move from sample testing to 100% populations testing, and from historic testing to real-time testing, is spearheading the need to revisit the audit approach in an unprecedented manner. Technology will drive down the time taken to conduct an audit, as testing becomes more automated and conducted on a real-time basis. Views were expressed around the need to develop new methods for calculating audit fees based on the technological resources used in the process and the value added by audit teams who derive insight from the data. There will be opportunities for the firms to develop more forward-looking assurance services, helping clients to manage risk and drive growth. Technological advances which could lead to the commoditization of the audit, and even the disintermediation of audit firms by other technology players, were considered potential threats of which audit firms need to remain vigilant. SLIDE 43 Advances in technology open up a debate on the skill sets that are relevant to the industry now and in the future. While it is clear that lower level accounting and auditing skills can be replaced easily by technology, human business acumen and communication skills remain crucial. The required combination rests in a blend of human capital resources, incorporating specialist technology and digital skills, technical accounting and audit skills and professional skills such as communication, leadership and business acumen. While we are clearly on the cusp of a changing professional landscape, it remains unclear exactly where the digital revolution is heading and regulators are grappling with how best to regulate these markets. In the interim the professional membership bodies, professional services firms and corporates need to engage with technological developments and respond to the benefits, risks and opportunities they bring. END SLIDE There it is! Chapter 02 The Impact of IT on IS Audit. For comments and questions, please visit our FB group and post a comment on the post related to this video presentation, or you can send me a personal message. I discourage commenting on the Youtube post as I don’t normally look at the comments to my videos. Also, be sure to check out and watch the supplementary learning materials, including the supplemental videos, accessible from the FB post. Thanks for listening and stay safe always!

PR108 Information Systems Audit Ch02 - The Impact of IT on Audit PDF

Document Details

Tags

Related

Summary

Full Transcript