Technology leverage has been all the rage in recent times as businesses, and even entire industries, seek to fend off disruptors and/or chase growth. For the audit industry, data analytics has been touted as a potential game-changer as the profession seeks to innovate its way to more effective audits in the face of mounting expectations, business complexity and volume of transactions.
Despite having been around for a few years now, the use of data analytics, while on the rise, is not as yet a standard feature in audit engagements. While the benefits and potential of the application of data analytics in audits of financial statements are well-documented, so are some of the roadblocks.
In the International Auditing and Assurance Standards Board (IAASB)’s Feedback Statement, Exploring the Growing Use of Technology in the Audit, with a Focus on Data Analytics, which was issued in January 2018, the IAASB noted, among others:
(a) Concerns over how audit evidence provided by data analytics is demonstrated within the existing audit model;
(b) Feedback on the need to exercise professional scepticism when using data analytics – to understand the benefit and limitations of data analytics in view of its intended use in the audit;
(c) The importance of the source and quality of the data used and challenges in considering the relevance and reliability of both internal and external data.
IAASB also found that, while most respondents believe that the principles in the auditing standards are still appropriate and can accommodate the use of data analytics, there is overwhelming request for practical non-authoritative guidance on the use of data analytics technology. This is with recognition that any changes to the auditing standards will have to undergo thorough due process to ensure that the standards remain principles-based and flexible enough to accommodate the rapid pace of technological change.
Against this backdrop, ISCA, through its Auditing and Assurance Standards Committee (AASC) and the AASC Data Analytics Sub-Committee, embarked on the development of an Audit Guidance Statement (AGS) to guide auditors on the key principles of applying data analytics in the audit of financial statements, with practical examples on how data analytics may be applied in different phases of an audit.
For the purpose of this article, data analytics, when used to obtain audit evidence in a financial statement audit, is defined as the science and art of discovering and analysing patterns, deviations and inconsistencies, and extracting other useful information in the data underlying or related to the subject matter of an audit through analysis, modelling and visualisation, for the purpose of planning or performing the audit.
Data analytics can be used in performing risk assessment procedures and further audit procedures such as test of controls and substantive procedures. In general, the types of data analytics that are widely used in audits of financial statements include:
descriptive analytics an examination of data to answer the question, “What happened?”, and is often characterised by traditional business intelligence and visualisations such as pie charts, bar charts, line graphs, tables, or generated narratives, and
diagnostic analytics a form of advanced analytics which examines data or content to answer the question, “Why did it happen?”, and is characterised by techniques such as drill-down, data discovery, data mining and correlations.
When deciding which type of analytics would be more relevant, the auditor should consider the objective of the analytics and which phase of the audit the data analytics is being applied to. For example, descriptive analytics is commonly used when performing a risk assessment procedure to aid auditors in understanding what has transpired during the period in order to identify and assess risks of material misstatements.
It should be noted that the inappropriate use of technological resources may increase the risk of over-reliance on the information produced for decision purposes, or may create threats to complying with relevant ethical requirements. Accordingly, policies and procedures have to be in place to ensure that such technological resources are used appropriately.
At the firm level, when implementing an IT application, there should be policies and procedures in place to determine if the IT application operates and is used appropriately. Some factors that should be considered include whether there is internal review conducted to ensure that the IT application is operating as designed and achieves the purpose for which it is intended, and whether there are guidelines on how engagement teams should use the IT application and related backend support.
When data analytics is employed, it is natural for audited entities to have concerns over data security breaches which may result in loss of confidentiality (or for some types of data, privacy) when auditors have imported the entities’ data into the auditor’s systems. Audited entities need to have confidence that their data will be held and processed securely, so that they can fulfil their own legal and regulatory obligations by making the data available to auditors. The implementation of appropriate policies and procedures in relation to data security is therefore imperative to the effective deployment of data analytics in financial statement audit.
There is currently a perceived skills gap in data analytics among auditors and a possible way to address this is to have skilled, centralised resources supporting the engagement teams. In the meantime, time and investment in training should focus on changing the auditor’s mindset from solely relying on conventional auditing procedures to incorporating the use of data analytics techniques in obtaining quality audit evidence.
Auditors will also require basic understanding of IT (such as understanding of databases, table structure and data types) to be able to come up with relevant and effective audit procedures using data analytics.
Engagement teams should ascertain at an early stage whether the quality of the data that the entity’s management can provide is sufficient to support the envisaged analytics. One of the challenges that management and auditors face is obtaining accurate data in a usable format following a repeatable process. Globally, while there are ongoing efforts to standardise the format for fields and files commonly requested for audit, such standards are voluntary at the moment, and until such time when these standards are mandated, auditors will need to undertake the process of transforming the data from various systems to a usable format in a scalable way.
Examples of situations which may warrant certain data transformation include where the date format from different systems in an organisation varies, for example “yyyy-mm-dd” versus “dd-mm-yyyy”, or where leading and trailing zeroes of an inventory item code may need to be removed to ensure proper comparison to another data source that may not have such leading and trailing zeroes.
With the limitless possibilities around data analytics, the relevance of data in relation to the audit procedure responding to the assertion is an important consideration. One example where relevance is in question is where the data analytics provide interesting insights to management but produces no audit evidence.
The majority of data utilised in data analytics is information produced by the entity (IPE), and when using IPE, the auditor is required to evaluate whether the information is sufficiently reliable for the auditor’s purposes, including obtaining audit evidence about the accuracy and completeness of the information and evaluating whether the information is sufficiently precise and detailed for the auditor’s purposes. This can be achieved through a direct testing approach (selecting samples to test) or testing the controls over the accuracy and completeness of the information.
Data analytics techniques may be used to perform risk assessment procedures or further audit procedures if they are able to provide sufficient appropriate audit evidence that a risk of material misstatement has been addressed. The factors to consider in making the determination of whether data analytics may be used to perform risk assessment procedures or further audit procedures may include:
The purpose of the procedure whether data analytics is directly responsive to the identified risk of material misstatement, and
The level of precision in the procedure, for example, whether the expectation is sufficiently precise to identify a misstatement.
One of the main benefits of employing data analytics in an audit is that it enables auditors to focus on outliers and exceptions, identifying the riskiest areas of the audit. Using data analytics techniques, entire populations of transactions can be analysed, as opposed to the conventional audit approach where auditors’ coverage might be limited to a sample of these populations.
Although data analytics techniques may not entirely substitute the conventional audit procedures and techniques, they can be powerful enablers which allow auditors to perform procedures and analysis which were not traditionally possible.
A case in point is the three-way match, which is one of the most basic concepts in audit. Traditionally, auditors perform this procedure by way of sample testing as it is typically not realistic nor expected for auditors to vouch all transaction documents. Data analytics techniques now provide auditors the ability to analyse all the transactions which have been recorded. For example, auditors can potentially filter and identify a specific class of transactions with unmatched items. Data analytics tools can also allow auditors to trace revenue transactions to debtors and the subsequent cash received.
It should be noted, however, that the ability to test or analyse 100% of a population through data analytics does not imply that the auditor is able to provide something more than a reasonable assurance opinion or that the meaning of “reasonable assurance” changes. It is also important to understand that even where the auditor tests or analyses 100% of transactions in a specific area through data analytics, the data might not be 100% correct.
As with traditional audit procedures, it is imperative for auditors to clearly set out the objective of the data analytics techniques employed and understand what they can achieve and what they cannot do, and exercise professional scepticism throughout the audit.
The use of data analytics in performing substantive procedures may result in the identification of a large number of exceptions. Where applicable, the auditor can group and filter the exceptions into sub-populations. Further analysis and additional procedures should then be performed to determine if these exceptions are:
(a) False positives;
(b) Possible misstatements that are clearly inconsequential for which no further investigation is required, or
(c) Possible misstatements that are not clearly inconsequential for which further investigation is required.
ISCA’s Exposure Draft of the AGS on Data Analytics in a Financial Statement Audit is expected to be issued for public consultation in the coming months and we welcome comments and feedback.
Lim Ju May is Deputy Director, Terence Lam is Senior Manager and Wang Zhumei is Manager, Technical, Institute of Singapore Chartered Accountants.
This article was first published by ISCA Journal.