MODULE G- DATA AND ANALYTICS IN AUDITING
Audit Data Analytics (ADA)
"The science and art of discovering and analyzing patterns, identifying anomalies, and extracting other useful information in data underlying or related to the subject matter of an audit through analysis, modeling, and visualization for the purpose of planning or performing the audit."
Characteristics of Audits under ADA
Audits that use ADA exhibit the following characteristics: •continuous auditing and continuous monitoring •frequent usage of data analytics techniques and tools •testing the population, rather than subset or samples •highly automated audit procedures and processes •analytical and information technology competence •more emphasis on critical thinking and complex problem-solving abilities •utilizing technologies of blockchain, and smart contracts •using machine learning, and other AI techniques, in modules during the audit •applying robotic process automation as appropriate
The Next Generation of Auditing
The next generation of auditing seeks to take full advantage of emerging technologies in a way that will improve audit quality. The global economy has undergone vast change in the last several years, where an emphasis on big data and advanced analytical tools have created new opportunities for auditors. As innovation in technology possesses the capability to add efficiency to the audit process, a strong incentive exists for audit firms to employ new tools and methodologies on a large scale basis -external big data -artificial intelligence -distributed ledger technology
big data
consist of large datasets that are generally unstructured. At times, the datasets are so large that they cannot be processed by traditional analytical tools. Students should consider Big Data to be generated continuously from multiple sources.
Use process mining technique to test internal control over the purchase cycle - Conclusion
•Compared with traditional auditing techniques, process mining focuses on the path of transactions and not directly on validating the ending value of accounts balance or transactions; it uses the full population instead of a sample; •This field study suggests that process mining could be a valuable tool in auditing practice; •Further research is needed to find out whether process mining should function as a complement or substitute for existing analytical procedures.
Use process mining technique to test internal control over the purchase cycle - Role Analysis
•Role analysis exploits the presence of meta-data on activities and originators in the event log to examine the parts played by employees in the procurement; •The bank has three policies regarding separation of duties (SOD): Ø The Sign and Release activities for a given PO should be undertaken by two distinct individuals. (SOD 1) Ø The GR and IR activities for a given PO should be undertaken by two distinct individuals. (SOD 2) Ø The Release and GR activities for a given PO should be undertaken by two distinct individuals. (SOD 3) §Through role analysis, researchers could examine whether the role(s) played by each individual for each transaction violates any of the above policy on separation of duties;
(1) Risk Assessment Procedures
•Trend analysis of inventory costs. •Preliminary three-way match testing in the revenue cycle. •Accounts receivable collection periods by region. •Inventory aging and days inventory in stock by item. professional standards require auditors to conduct brainstorming sessions for their clients on each audit. During the session, auditors are expected to identify fraud risk factors that may exist on the audit being conducted. At present, some firms are considering the relationship of various fraud risk factors to each other as a way to assess the likelihood of fraud risks manifesting themselves in the audit. Consider the visualization shown in Exhibit G.4 , which illustrates the connections between various fraud risk factors in the accounts receivable account. Professional standards also require auditors to perform analytical procedures during the planning stages of the audit. The primary objective of such procedures is to identify unusual or unexpected relationships among the financial statement accounts that might indicate that a material misstatement may exist. In a sense, auditors use these preliminary analytical procedures to direct their attention to accounts with a greater chance of being misstated. When doing so, the auditor should consider all types of relevant data to help improve their understanding of risks of material misstatement on the audit. Importantly, professional standards specifically allow for the use of preliminary data and/or data that is aggregated at a much higher level of detail when completing analytical procedures at the planning stages. As a result, the increased use of data and analytical tools has the potential of improving the effectiveness of this type of risk assessment procedures. In fact, there is perhaps no better way to illustrate the potential usefulness of improved data analytic techniques than its use while completing analytical review procedures during the planning stages of the audit. An important example of the use of additional data involves the use by auditors of more predictive analytical tools that utilize third-party data to supplement their "traditional" analytical procedures. The additional data can help auditors refine their expectations and improve the results of preliminary analytical procedures that form initial beliefs about the nature, timing, and extent of audit evidence to be gathered at an audit client. While this type of access to increased volumes of data on the client has the potential to improve audit effectiveness, it also can have an initial negative impact on audit efficiency if audit professionals are unable to efficiently execute such additional procedures. Consider the auditor of a water theme park with access to weather data. The auditor expects that ticket revenues will be highly inversely correlated with rainfall and develops a predictable relationship using daily revenue data from the two prior audited years. The auditor then uses this relationship to identify specific days in the current year that do not follow the predicted pattern. For example, what if the auditor identified high revenue recorded by the client on a very rainy day? This type of testing enables the auditor to focus testing on abnormal and higher risk revenue patterns. When completing preliminary analytical procedures, the availability of largely all of the client's internal data can allow for more robust trend analysis (i.e., year over year) on a multitude of financial and nonfinancial data. For example, an auditor could conduct a trend analysis of inventory costs over time. Similarly, an auditor could assess the accounts receivable collection periods by region for the audit client. Or, another example would be for an auditor to assess the inventory aging and/or the number of days inventory is in stock on an item-by-item basis.
Common Uses of Audit Data Analytics 1
(1) risk assessment procedures (2) tests of controls (3) substantive analytical procedures (4) tests of details (5) procedures to help form an overall conclusion
Data
-can best be thought of as facts and/or statistics that are collected together for some type of reference point or analysis, ultimately within a context. -As a general concept, the term data implies an elemental level of numbers and/or characters within an organization. -To be useful for decision makers, the data must be thought about within a meaningful context which would allow it to be understood. -For example, the numbers in a payroll register or a sales journal at an audit client do not mean much on their own. -However, when considering the data within a context of payroll for a month, quarter, or even a year, the data becomes more informative for a decision maker and might be thought about as information at that point. -This is the type of analysis that an auditor would complete as part of analytical procedures The next step in the data chain for auditors is comparing the information (i.e., data within a meaningful context) to other information in a way that leads to meaningful knowledge. For example, once auditors know the payroll expense for the quarter, they might be interested in comparing it to payroll expense for the previous quarter or even the same quarter in the previous year. Such a comparison may help the auditors to better assess the risk of material misstatement for payroll expense, which is much more valuable than merely analyzing the payroll information for just that quarter. The final step in the data chain for auditors is using the knowledge as wisdom for the financial statement audit, otherwise known as sufficient appropriate evidence related to a relevant assertion about a significant account or disclosure. In order for the knowledge to be useful as evidence, a determination must be made about its relevance towards mitigating the risk of material misstatement for the relevant assertion identified. In addition, a determination needs to be made about its reliability. For example, is the data from an external third-party source or is the data generated by the audit client's information system?
audit of the future
-seeks to take advantage of the full range of relevant data available for an audit client (i.e., big data), advanced analytical tools and other cutting-edge auditing technologies in a way that improves efficiency and ultimately improves audit quality. -Spurred primarily by advances in information technology, there is now more data available than could have been imagined just 10 years ago -data -analytics
Common Techniques for ADA
1. Visualization Techniques- It presents data in graphs, lines, charts, etc, and is a powerful tool to identify patterns and relationships among many variables and identify anomalies. 2. Classification/Regression Techniques Classification methods are used to predict group membership, such as detecting whether there is management fraud. Regression technique helps the auditor predict the future value based on characteristics of the client and environment. Example, the audit could predict the revenue of a hotel based on past revenue, the total number of tourists in the city, and the number of special events. 3. Text Mining Techniques It is the process of transforming unstructured text into a structured format to identify meaningful patterns and new insights. Example, auditor can analyze the tone of words in MD&A section of the annual report to predict misstatement risk 4. Process Mining Techniques It focuses on procedures and workflows by analyzing the entire population of event logs that record the company's business processes. An event log serves as an audit trail capturing every user's actions and every business process performed. Example, the auditor can use process mining to automate walkthroughs of transaction cycles or to replace the manual procedures of reperforming using the sampling method. 5. Computer-Assisted Audit Techniques (CAATs) Software packages that can standardize and streamline key audit analytics functions to improve audit efficiency and effectiveness. Example: IDEA, ACL. 6. Deep Neural Networks Techniques It is an information processing paradigm inspired by the way biological nerve systems (such as the brain) works. It is particularly beneficial when the underlying process is complex, and can be applied to conduct audit tasks such as predicting bankruptcy, assessing the financial position of the client, and estimating manipulation risks in financial statements 7. Blockchain and Smart Contracts Also known as Distributed Ledger Technology (DLT), it refers to the technological infrastructure and protocols that allows simultaneous access, validation, and record updating in an immutable manner across a network that's spread across multiple entities or locations. The auditor can use blockchain to perform many processes that are typically verified by conformations, such as bank confirmation and A/R confirmation. 8. Robotic Process Automation (RPA) It provides the tools to create software robots that can automate business processes. The robots can interact with any system or application in the same way a human does. The auditor can use RPA to perform time-consuming tasks such as logins, emails, analyses, report building, data entry, etc.
Documentation Requirements
AU-C 230 applies to ALL audit documentation, including ADA. Documentation should be prepared to be sufficient such that an experienced auditor, with no prior connection with the engagement can understand: •Nature, timing and extent of procedures performed. •Results of procedures and evidence obtained. •Conclusions reached and significant judgments made. The auditor should record: •Identifying characteristics of specific items or matters tested. •Who performed the work and date of performance. •Who reviewed the work, date of review, and extent of review. Possible documentation specific to A D A: •Objectives of the procedure. •Risks of material misstatements addressed at the financial statement or assertion level. •Sources of the data and how it was determined to be sufficient and appropriate (complete and accurate). •The nature of the A D A and the tools and techniques used. •Tables or graphics used, including how they were generated. •Steps taken to access data, including the system accessed and how the data were extracted and transformed. •Evaluation of matters identified as a result of applying the ADA and actions taken. •Identifying characteristics of specific items or matters tested. •Preparer and reviewer information as required by AU-C 230. •Auditor may record the scope of the procedure and population analyzed. •No requirement to include the data analyzed (generally impractical). •Screenshots of graphics generated in performing an A D A may be included in documentation. •Only graphics necessary to support the auditor's work and conclusions should be included. •The auditor need not document every matter considered or professional judgment made. •All misstatements identified other than those considered clearly trivial should be documented.
Professional Skepticism in A D A
An auditor must plan and perform an audit with professional skepticism, and must exercise professional judgement. Some areas where professional skepticism and judgment apply in ADA: •Assessing the completeness and accuracy of client data. •Making assumptions in planning the procedures and evaluating the results. •Considering unusual circumstances. •Appropriately generalizing in drawing conclusions. (when fully considering any unusual circumstances that might be revealed as a result of the ADA)
Data and Analytics
Data are facts and statistics collected together for reference or analysis. •known or assumed as facts. •Payroll register. •Sales Journal. •Make the basis for reasoning or calculations. Analytics are the systematic computational analysis of data. •Research potential trends. •Evaluate causes of increase in employee costs. •Identify risks. •Identify missing sales invoice numbers.
Common Tools Used in ADA
Generalized Audit Software: •IDEA. •ACL. Data Preparation and Statistical Analysis Tools: •Alteryx. •R. •SAS. •Stata •Python. Visualization Tools: •Tableau. •Microsoft Power BI. All-Purpose / spreadsheet Tools: •Excel. Beyond these tools, some clients and even audit firms are beginning to use robotic process automation, often called RPA, to standardize routine processes. Tools such as UIPath and Automation Anywhere enable an auditor to select, process, and send confirmations with a click of a button after building a standardized process. Tools such as these may allow auditors to focus on more difficult areas with high levels of professional judgment.
distributed ledger technology (DLT)
Introduced in 2009, the original intent of distributed ledger technology (DLT) was to assist in the safeguarding of financial transactions for the virtual currency Bitcoin. However, the technology behind DLT allows for low-cost tracking and dissemination of information through a network of interconnected peer-to-peer ledger systems sharing identical accounts and balances in real-time. As a result, there is potential to actually eliminate intermediaries in the transaction process. Someday, it is believed that DLT will provide auditors with more efficient and effective methodologies for providing assurance due to greatly improved audit trails, automated audit procedures, and permanent recordkeeping. Of all emerging technologies, DLT is likely to have the most far-reaching impact on future accounting and assurance practices.
Analytics
While the availability of big data undoubtedly provides the basis for changes in the financial statement audit process, to maximize its usefulness, the audit of the future will have to employ analytics in a robust and meaningful way that will maximize the usefulness of "big data" on the financial statement audit. At a basic level, analytics are the systematic computational analysis of data in a manner that yields insight in the audit process. For example, an auditor may conduct research about trends in employee turnover to evaluate causes of increase in employee costs. Yet another example would be to use an analytical tool to identify missing sales invoice numbers as a way to assess risk. deliberate and systematic analysis of data in a manner that are designed to yield insights in the financial statement audit process. However, it is essential for auditors to understand the nature of the data that is available, and make sure it is properly "cleansed" for use on the audit. Once it is ready for use, the auditor must still consider how to model and ultimately evaluate the data that will be used before its deployment on the audit. understanding --> cleansing --> modeling --> evaluation --> development (audit plan)
Use process mining technique to test internal control over the purchase cycle - Attribute Analysis
•An attribute contains characteristics of the executed activity or characteristics of the process instance itself (here the PO). •Researchers compare references on each payment to corresponding reference on invoice to check whether each payment is accompanied by an invoice. •They identified 265 payments without accompanying invoices processed by 17 employees •Further investigation reveals that these payments are based on a special type of document (called Subsequent Debit) that does not require the invoice; •This may indicate a deficiency in the design of internal control over procurement cycle. •In another attribute analysis, researchers investigate all incidences where a payment was made without the receipts of goods (GR) detected in Process Discovery. •Based on bank policy, payment can be made without GR if service is purchased. In that case, the GR indicator should be turned off to indicate the procurement of service instead of goods. •Researchers identified three cases where a payment was made without GR but the GR indicator was not turned off (suggesting that either the purchase was made for goods or that the employee forgot to turn off the GR indicator).
(4) tests of details
•Comparing cash collections to sales invoices and discounts. •Analysis of capital expenditures vs repairs and maintenance. •Detailed recalculation of depreciation using entire database and exact purchase dates. ADA also has the potential to assist auditors when completing substantive tests of details. Let's consider innovative tests of the revenue account. If an auditor wanted to test the revenue account balance for understatement, one way to gather evidence might be to determine the number of new customers secured by the client in the year under audit. If this information was obtained from the sales and marketing department, and the information produced by the entity was tested for completeness and accuracy, it could be traced to the revenue account on the income statement to ensure that all revenue from the new clients was being properly recorded. There are a number of other examples of how ADA could be used in substantive tests of details. First, an auditor could compare actual cash collections to sales invoices and discounts. Or the auditor could conduct a detailed analysis of capital expenditures for repairs and maintenance. Yet another example would be the auditor's detailed recalculations of depreciation expense using the entire database and exact purchase dates to improve the precision of the testing. Of course, when using ADA, an auditor must make sure to consider the professional standards related to audit evidence. That is, the evidence must be relevant (i.e., its relationship to the assertion and financial statement account being tested) and reliable (i.e., the nature and source of the evidence and the circumstances under which it is obtained). Finally, the use of ADA may be particularly helpful when an auditor tests estimates used in financial statement accounts. By their very nature, estimates are a risky matter for auditors due primarily to the inherent estimation uncertainty. As a direct result, the risk of material misstatement for significant accounts that rely on estimates is often high. One way that an auditor can assess the amount of estimation uncertainty is through the use of visualizations.
(5) Procedures to help form an overall conclusion:
•Gross profit percentage by class of revenue.
(3) Substantive Analytical Procedures
•Predictive model of interest expense. •Aging of accounts receivable. Perhaps one of the most exciting opportunities for improved audit testing using ADA relates to substantive analytical procedures. Recall that when conducting substantive testing procedures, auditors may choose between tests of detail and analytical procedures. Of course, the professional standards point out that an auditor can rely on substantive evidence from either tests of details, analytical procedures, or a combination of both types of tests. The final decision made by the auditor in regards to the types of tests to be used is a matter of professional judgment. There are a number of examples where ADA can facilitate the performance of substantive analytical procedures. For example, an auditor could use a predictive model of interest expense to gain assurance over the interest expense balance. In addition, an auditor could review the aging of accounts receivable to evaluate the adequacy of the allowance for doubtful accounts. When an auditor chooses among different ways to use ADA to conduct substantive analytical procedures, the professional standards state that more predictable relationships among the data allows the auditor to take much more substantive comfort from the test. Thus, when designing a test, auditors need to think carefully about predictability when finalizing the audit plan. Perhaps one of the most important ways that ADA can be used to improve substantive analytical procedures is when testing the revenue account at an audit client. Let's consider an example of an audit client AbsoluteTech, which has just launched a new product. In such a situation, it can be quite difficult for an auditor to predict revenue from a new product because there is no historical track record. Let's continue with an example of how the auditor might use ADA in an attempt to develop an expectation of recorded revenue. Due to the lack of sales history for a new product, this can be difficult. In today's environment, the auditor might consider an analysis of social media posts about the client's new product as compared to its competitors. Overall, the visualizations, taken together, reveal a positive impression of the new product which may be helpful when the auditor develops expectations about recorded revenue. Of course, the analyses would not be enough and the auditor would have to conduct tests of details as well on recorded revenue.
(2) test of controls
•Proper approval of purchase transactions over a threshold. •Employees and Suppliers with same address. •Journal entry testing by employee entry amount limits. In today's auditing environment, an auditor now has far more data available to be used for testing the operating effectiveness of internal controls. Recall that after gaining an understanding of internal controls, if the auditor intends to assess control risk as low and rely on a control activity, the auditor needs to gather evidence to verify that the control activity has been designed and has operated effectively during the entire period of control reliance. In today's auditing environment, it is critical that audit professionals learn how to make the best use of internal client data when designing and completing the tests of controls needed to support the conclusion that a control activity has been designed and has operated effectively during the period of reliance. when auditing an issuer, auditors are required to test both entity-level controls and transaction-level controls in order to express an opinion on the effectiveness of internal controls over financial reporting. For certain entity-level controls, such as those related to the control environment, it can be difficult for auditors to identify persuasive evidence that the controls are operating effectively. Nevertheless, auditors are still required to test the control environment on each audit of an issuer. In today's audit environment there are a number of innovative ways to gather evidence to test the control environment. Of course, the auditor also has to test transaction level controls. Data and analytics (DA) has had a major impact on this type of control testing as well. The professional standards make clear that when designing tests of controls, the auditor needs to consider the means of selecting items for testing. For tests of internal controls, there are two approaches that are commonly used: (1) testing all items in a population; and (2) testing a sample from a population. The decision of which approach to use depends on the nature of the control that is being tested, along with the availability of data. Using audit data analytics (ADA), a control activity that is entirely automated might best be tested by an automated audit procedure that can be efficiently and effectively applied to the entire population of occurrences of that control activity. With ADA, there has been a dramatic increase in the number of tests of controls that are able to be effectively applied to the entire population of control occurrences in an efficient manner. One way to test all items in a population of occurrences for a particular control activity is to use exception testing. Exception testing is designed to identify a violation of a particular control activity through the use of an automated test procedure designed to test all items in a population. Consider an entirely automated control activity that is designed to compare a customer's credit limit to the sum of (1) a potential sales transaction; and (2) that customer's outstanding credit balance before approval of that sales transaction. If the control activity operated effectively throughout the year, a customer's outstanding credit balance would not exceed its credit limit. Using data analytics, an auditor can analyze all transaction data from the year to identify instances in which a customers, balance exceeded its credit limit (i.e. an exception). Such a testing strategy would not have been possible (at least economically) in previous years. However, due to the emergence of ADA, such testing is now possible. There are a number of other examples of tests of controls that can be conducted using ADA. For example, auditors might seek to investigate whether proper approval of purchase transactions over a predetermined threshold was obtained. Or, auditors could see if any employees at the client had the same address as an approved vendor. Each of these could be tested using the entire population of data with exception testing.
Use process mining technique to test internal control over the purchase cycle
•Researchers use process mining to extract audit-relevant information from event logs created from the bank's ERP system. An event log is a chronological record of computer system activities which are saved to a file on the system. •An event log records : Ø the activity taking place during the event (for example, sign, authorize, pay); Ø the process instance of the event (for example, an invoice, a receipt, a purchase order); Ø the originator, or party responsible for the event; and Ø the timestamp of the event. •Process Discovery: Used to determine how the process actually operates in the company and identify if there is any deviation from designed process; •Role Analysis: used to determine the role played by each individual for each transaction process; •Attributes Analysis: used to determine whether inconsistency between the actual process and designed process is due to violation of internal control or just reflects flexibility in the control structure; •Social Network Analysis: describe the connectedness among individuals in the company