External auditors face new regulatory and enforcement pressure
Industry News: External auditors face new regulatory and enforcement pressure
Hold onto your calculator, auditors; 2023 is shaping up to be an unprecedented year. Since the pandemic, there has been a notable surge in the efforts of financial and accounting regulators to address audit quality. Moreover, they are actively pursuing the modernization of outdated auditing standards.
The proposed reforms are expected to come with increased levels of supervision and enforcement in the auditing profession, particularly due to the increasing concern among regulators regarding the escalating risk of fraud during economic uncertainty. The Public Company Accounting Oversight Board (PCAOB) issued a proposed set of amendments in June to its auditing standards to address the greater use of technology by auditors, especially when it comes to analyzing information in electronic format. The proposal includes updating aspects of AS 1105, Audit Evidence, and AS 2301, The Auditor's Responses to the Risks of Material Misstatement.
"The use of technology by auditors and financial statement preparers never stops evolving, and PCAOB standards must keep up to fulfill our mission to protect investors," said Chair Erica Williams. "Today's proposal is another key part of our strategic drive to modernize PCAOB standards."
Existing PCAOB standards relating to audit evidence and risk responses were issued in 2010, and the current board is pushing to update those older standards. Since its publication in 2010, many companies have undergone digital transformations and greatly expanded their use of information systems that maintain large volumes of data in electronic form. As a result, auditors have greater access to company and third-party electronic data that can serve as audit evidence creating the need for auditors to expand their use of data analysis tools.
The new proposal aims to improve audit quality by reducing the likelihood that an auditor using technology-assisted analysis will issue an opinion without obtaining appropriate audit evidence. In particular, the proposal would bring greater clarity to auditor responsibilities in the following areas:
- Technology-assisted analysis usually involves analyzing huge amounts of information in electronic format. The proposal would emphasize auditor responsibilities when evaluating the reliability of such information. For example, when auditors test a company's controls over electronic information, their testing should include controls over the company's information technology related to the data collected.
- Technology-assisted analysis can provide audit evidence for various purposes in an audit. For example, performing risk assessment procedures when planning an audit and performing substantive procedures in response to the auditor's risk assessment. The proposal would specify that if an auditor uses audit evidence from an audit procedure for more than one purpose, the auditor should design and perform the procedure to achieve each of the relevant objectives.
- Auditors can use technology-assisted analysis to identify transactions and balances that meet certain criteria and warrant further investigation when designing and performing substantive procedures. For example, auditors can identify all transactions within an account processed by a certain individual or exceeding a certain amount. The proposal would clarify the factors the auditor should consider as part of that investigation, including whether the identified items represent a misstatement, a control deficiency, or a need for the auditor to modify its risk assessment or planned procedures.
The motivation behind these updates is clear, and it's not difficult to understand why. Research by the PCAOB indicates a decline in audit quality. According to a December 2021 report, approximately one-third of the audits examined in 2021 exhibited deficiencies. All this begs the question, how can auditors keep up with the increasing pressure and scrutiny from the SEC and the PCAOB?
Here’s the top 5 audit analytics capabilities external auditors should consider when auditing digital platforms
Access to data
The number one challenge in auditing a digital platform is access to data. Sampling has always been in the auditor's toolkit. Sampling is a way to predict with a known level of probability whether the hypothesis that a control is effective can be asserted. Verifying every transaction by human effort is an expense rarely justifiable to shareholders.
However, Sampling is no longer practical. As the technology landscape expands and cloud adoption increases, auditors need new and improved ways to extract 100% of the data. Basing decisions on sampling methods is too big a risk. Auditors need a cloud-based solution that instantly provides full access to apply controls across a complete data set that's complete and accurate.
Dashboards
Many audits are still performed in tools like Excel. These tools are error-prone, and maintaining data integrity is nearly impossible. Auditors need access to data straight from the source to make informed decisions based on 100% of the data.
Advanced Analytics
Auditors require proactive and periodic data analysis to ensure organizations address growing threats to business applications and IT systems to support hybrid, agile, and hyper-automation business needs.
Traditional business intelligence and reporting tools cannot cross-link changes to complex security meta-data against the fragmented, de-centralized provisioning process. Effective analysis requires auditors to review privileges assigned to employees and third parties, service accounts, and BOTs to ensure compliance with access governance policies.
Advanced Analytics enables auditors to analyze volumes of data straight from the source to "find the needle in the haystack" by using discrete and fuzzy logic to filter historical data sets stored in an audit vault to perform "what-if analysis" to predict potential risks that would impact business applications and IT systems. Advanced data comparison options ensure that requested corrective actions to security are completed in a timely manner. Changes introduced by third-party application providers are detected, and alerts are routed to IT security personnel for examination and remediation. Auditors can ensure that access controls are operating effectively by analyzing ITSM request logs against the fulfillment records in business and IT systems. Application administrators can ensure that the user access to applications is terminated when employee jobs assignment are changed or terminated in HR systems to prevent orphaned or dormant access.
Collaboration
Ideally, the auditor and customer should work off the same data set and share reports within a secure platform, eliminating error-prone manual work and maintaining data integrity. For example, how do you prove that there are three purchase orders outside the purchasing limit? Doing this through work papers (papers that support the assertion) isn't effective.
Auditors need an online platform where the customer and auditor can collaborate and communicate using a complete audit trail.
Planning
A critical factor for auditors is completing the audit plan within scope and budget. Audit solutions can streamline the whole process - from beginning to end - from planning to execution and output.
The year ahead holds tremendous change for auditors as financial regulators escalate their endeavors to tackle audit quality and modernize antiquated auditing standards. By embracing emerging digital capabilities and adapting to the dynamic landscape, auditors will enhance their readiness to fulfill the rising expectations for audit quality and effectively maneuver through the ever-evolving regulatory landscape in 2023 and the future.
Recommended Reading
Tips to build an effective internal controls program
Having effective and targeted internal controls can protect your company's assets and intellectual property to prevent costly errors, reduce the risk of fraud, and decrease the chance of non-compliance. However, implementing internal controls is not enough. Internal controls should be continuously evaluated and tested to identify weaknesses and opportunities for improvement.
SOX compliance audit - everything you need to know
Some organizations are new to Sarbanes-Oxley (SOX) Act requirements, while others are seasoned professionals. No matter your GRC strategy or the maturity of your SOX program, it can likely be made more efficient and less painful. Read on to learn more about SOX compliance requirements and what you can do to improve your next SOX compliance audit.
What is a material weakness in SEC filings?
An effective control environment sets you up for success by regularly measuring and managing control design for operating effectiveness. Even well-designed control environments will have occasional control deficiencies. And because most material weaknesses start as control deficiencies, it is essential to catch and remediate them before they grow.