Source: ACCA Report June, 2019.
Businesses
across almost every industry are experiencing at first hand the disruptive
changes that are also affecting their auditors. This chapter explores which
advanced technologies are impacting the audit profession, referring to both the
tools available to auditors and the systems that need to be audited.
In
April 2019, ACCA surveyed members and affiliates about their understanding of
terms such as artificial intelligence (AI), machine learning (ML), natural
language processing (NLP), data analytics and robotic process automation (RPA).
On average for any given term, 62% of respondents had not heard of it, or had
heard the term but did not know what it was, or had only a basic understanding.
On average, only 13% of respondents claimed a ‘high’ or ‘expert level’ of
understanding of these terms. There’s a need for greater awareness of what
these technologies are and their implication for the audit profession.
ARTIFICIAL
INTELLIGENCE (AI)
AI
is often described as ‘an evolving technology’ that is equipping computer
systems with something akin to human intelligence, but it is better seen as an
umbrella term for a group of technologies that can be combined in different
ways, whether for driving your car, controlling your central heating, or
managing your investment portfolio. It is also the subject of a large amount of
hype, with ‘human-like intelligence’ predicted to appear in 2029 (or whatever
the current date is plus ten years) and either drastically reducing the workforce
or destroying us all. According to Elon Musk: ‘with artificial intelligence
we’re summoning the demon’ (Finamore, E. and Dutta K 2014). It could be argued
that because of a lack of understanding of concepts such as ‘intuition’ and
‘thought,’ we do not even know what it is we are trying to emulate. Is
intelligence what is measured by an ‘Intelligence Quotient’ (IQ)? Or, in
developing AI, should we be trying to emulate other quotients, such as an
‘Emotional Quotient’ (EQ).
‘It
is clear that some tasks will no longer be done by the auditors. In the long
term, it is likely that the profession will see a shift in its focus with more
emotional intelligence expected from auditors rather focusing on data testing.’
Michal Stepan, Assurance Director, Deloitte Czech Republic
The
‘intelligence’ in AI often constitutes a combination of processing power and
access to data: for instance, a computer will play a game such as chess by analyzing all the possible outcomes of a move, using datasets from past games
and selecting the winning option. But
that fact alone makes AI highly useful to people: it enables the analysis of
entire populations of data to identify patterns or exceptions. Auditors are
freed from mundane tasks and can focus their time on deploying their skills, training
and judgement: although technology is making progress in areas such as speech
processing and sentiment analysis, professional judgement is much harder to
apply technology to.
ROBOTIC
PROCESS AUTOMATION (RPA)
RPA
is often mistakenly thought of as a form of AI but the ‘robots’ are software
routines that are more like very sophisticated Excel spreadsheet macros than
genuine AI.As highlighted in ACCA’s joint report with CA ANZ and KPMG Embracing
robotic automation during the evolution of finance, ‘RPA is software that can
be easily programmed or instructed by end users to perform high-volume,
repeatable, rules-based tasks in today’s world where multiple loosely
integrated systems are commonplace.’ (ACCA et al. 2018).
RPA
is commonly used when the output of one financial process needs to be input
into another, or where multiple sources of information need to be consulted. As
a result, it is sometimes referred to as ‘swivel chair automation’, conjuring
up the image of an employee swiveling their chair around as they consult
multiple systems and re-key and check information.
Such
work is repetitive, mundane, time consuming and, when done by individuals,
prone to error. It is also difficult to scale to cope with variations in
workload. A classic example would be processing timesheet information from
seasonally employed temporary staff. One solution is to deploy or lease a
‘robot’, a software routine that precisely mimics the actions of the chair-swiveling
person shifting between systems. Looking back to the timesheet example, the
robot would take the information gathered by optical character recognition
(OCR) from the paper records and feed it into the payroll system. Because it
mimics a process rather than analyzing data, RPA itself is not AI, which could be
used later to look for the anomalies that previously a human operator might
have had to spot. RPA offers many benefits: the robots work non-stop and are
faster, more accurate and scalable. Nonetheless, there are also questions about
accountability and ownership of the RPA process and security of the data that
passes through it. There is also the question of whether RPA simply perpetuates
inadequate processes that should have been overhauled. We can distinguish
between ‘good RPA’, which closes gaps and contributes to straight-through data
processing and ‘bad RPA’, which simply disguises the flaws in obsolescent or
badly implemented systems. In short, fix the process first before applying RPA.
DATA
ANALYTICS
Analytical
tools have long been applied to the data derived from accounting and
operational systems. Some firms are already using data analytics as part of
their transactions testing, gradually moving away from traditional sampling
techniques. Data analytics allow auditors to use 100% of a population’s transactions
when performing their tests. ‘Using D&A we make the analysis of the past
more insightful. Rather than sampling transactions data to test a snapshot of
activities, we can now analyze all transactions processed, allowing us to
identify anomalies and drill down on the items that show the greatest potential
of being high risk. Our systems automate this process, increasing its ability
to produce high quality audit evidence.’ (KPMG 2015).
‘I
expect that my auditors will no longer test a sample of transactions, for
example 100 items, and consider this to be sufficient evidence to form a
conclusion for the entire population, when in fact we have tens of thousands of
transactions coming in and out on a daily basis.’ Juraj Striezenec, CFO,
Kiwi.com
However,
the UK Financial Reporting Council (FRC) has found that ‘the use of data
analytics in the audit is not as prevalent as the market might expect’ (FRC
2017) and it is not yet used consistently across the entire ledger. Even where
it is used – such as in journal entry testing, auditors will still need to
consider the issue of completeness, as well as the increasing amount of
corporate reporting that does not derive from transactions in the ledger.
‘Being able to test 100% of a population does not imply that the auditor is
able to provide something more than reasonable assurance opinion or that the
meaning of “reasonable assurance” changes.’ (IAASB 2016).
The
next step for auditors and finance is to apply AI and ML algorithms to improve
the quality of analysis and forecasting, and increase the rate of fraud
detection. The business ‘data warehouse’ is increasingly being supplemented by
information drawn from a variety of public and/or proprietary sources, often
using cloud-based applications combined with desktop analytical tools.
Augmenting these tools with DL and NLP increases the range of data that can be
handled, from written text speech or even images. The ability to analyse data
across and outside corporate data silos promises to enhance the ability of organisations
to spot opportunities, head off threats, make better decisions and enable this
process to be ‘democratized’ throughout the organisation. Auditors can use
‘data mining software’ to drill down and identify anomalies – possibly aided by
AI – focusing resources on identifying risks in addition to monitoring
‘business as usual’ activities.
MACHINE
LEARNING (ML)
A
major challenge to the audit profession has been the extreme proliferation of
data, accompanied by a less extreme but nonetheless rapidly expanding volume of
regulation. According to ACCA’s report Machine Learning: More Science than
Fiction: ‘The rapid growth in the volume of financial transactions, if not
properly managed, could pose a threat to the work of accountants. For auditors,
this may relate to the sample they need and its ability to be representative of
the population, enabling them to form conclusions that can be generalised
beyond the sample’ (ACCA 2019b).‘In fact, technology like machine learning
could go beyond that with the possibility for reviewing entire populations to
assist the auditor to test for items that are outside the norm’ (ACCA 2019b).
ML uses statistical analyses to generate predictions or make decisions from the
analysis of a large historical dataset. A classic example would be credit
scoring decisions for loans. The accounting software company Xero has
implemented ML to make coding decisions for invoices. ML can achieve surprising
levels of accuracy quite quickly: in the case of Xero’s software, the system
achieves 80% accuracy after learning from just four invoices.ML ‘predictions’
can be both backward and forward-looking. It has clear applications in risk
management and the detection of fraud and inaccuracy by comparing historical
data sets with current data, which can help with risk assessment. Or it can
look forward, predicting, for example, the likely future value of an asset. In
practice, the usefulness of ML is crucially dependent on the data it ‘learns’
from. This means the possibility of bias is ever present. Examples have come to
light where ML has introduced bias into areas such as credit-scoring and CV
assessment.
The machine correctly sees that a previously excluded group had not
completed many successful loan transactions or risen very high in management
and wrongly concluded that the defining characteristics of those groups, such
as gender, were predictors of poor future performance. An example using ML in
audit can be found in PwC’s report Confidence in the future: Human and machine
collaboration in the audit report. As per this example ‘company A was way out
of line with the peer group benchmarks on a particular point. This data is then
shared with the audit team, who can decide whether that variance is really an
anomaly and if so, what caused it. The team’s decision about the anomaly and
its cause is then fed back to the machine, which is ‘taught’ how to respond to
similar relationships in future. And the more this exercise is carried out, the
better the machine will get at spotting real anomalies — meaning we’ll be
better able to identify unusual patterns and anomalies in huge amounts of data
in an instant.’ (PwC 2017).
The self-instructing nature of ML means that
decision-making can often be a ‘black box’, with no one able to say precisely
how decisions have been arrived at. There is also the danger that during the
learning stage – when ML is shadowing human auditors – it will pick up any
human errors and repeat them eternally. ML
therefore needs to be validated in some way: it is a risk as well as a tool. This
raises the possibility that the challenging and testing of internal algorithms
may become part of the external auditor’s role, with a much wider remit than
assessing accuracy: as the Harvard Business Review comments: ‘the auditor’s
task should be the more routine one of ensuring that AI systems conform to the
conventions deliberated and established at the societal and governmental level’
(Guszcza et al. 2018).
NATURAL
LANGUAGE PROCESSING (NLP)
NLP
refers to the ability of the computer to recognize and understand human speech.
The most immediate impact is speed: NLP has been shown to achieve orders of
magnitude improvements in due diligence exercises involving very large numbers
of documents. In 2017 Forbes reported that Deloitte’s use of NLP took contract
review from a task keeping ‘dozens’ of employees occupied for half a year to
one which six to eight members could complete in less than a month (Zhou
2017). Deloitte’s Audit of the Future Survey found that 70% of audit committee
members and other stakeholders believed that auditors should not only use
advanced data analytics but consider information beyond traditional financial
statements (Deloitte 2016). This data could be anything from recordings of phone
calls to board minutes or postings on social media, which are unstructured and
therefore require an understanding of natural language.
DEEP
LEARNING (DL)
DL
is a subset of ML; it more closely mimics human learning through the use of
artificial neural networks to perform more complex tasks such as visual object recognition.
Its best known example is Google’s AlphaGo, which mastered Go, a game which
exceeds chess in intellectual complexity and where it was thought that
computers could never match the best human players. Unlike previous programs,
which learned winning strategies from databases of previous games, AlphaGo
taught itself and not only defeated its human opponent but also used highly
inventive winning moves, which – according to Demis Hassabis, CEO of the Google
subsidiary DeepMind, which created AlphaGo ‘were so surprising they overturned
hundreds of years of received wisdom’ (Hassabis 2017).
DL systems are
commercially available and have already been deployed by the Big Four
accountancy firms: KPMG uses IBM’s Watson to analyze commercial mortgage loan
portfolios, while Deloitte works with Canadian-based legal AI company, Kira
Systems to ‘read’ thousands of complex documents, such as contracts, leases and
invoices, extracting and structuring textual information such as key words or
phrases. In the era of Big Data, the structured information accessible to
auditors is only a fragment or an abstraction of the much wider universe of
data. But this ‘dark matter’ exists in unstructured formats: the ability of DL
to analyze a range of internal and external sources means that Big Data can
potentially supply complementary audit evidence and feed into the narrative
requirements of audit.
‘For instance, content analysis of social media postings
and news articles could inform auditors of potential litigation risk, business risk,
internal control risk, or risk of management fraud...auditors may identify
troublesome products or services by analyzing customers’ reviews...sentiment
scores of the Q&A section of earnings conference calls can help the auditor
predict internal control material weakness’ (Sun and Vasarhelyi 2018).Used in
audit, DL potentially goes beyond merely extracting set words or phrases or
even what has been explicitly said:‘auditors interview management, internal
auditors, employees, predecessor auditors, bankers, legal counsel,
underwriters, analysts, or other stake-holders. The language that subjects use
and how they respond to questions over the course of the interview can be just
as important as the answers themselves, because they may indicate deception. For
example, the use of terms that suggest uncertainty, such as “kind of,” “maybe,”
or “sort of,” as well as response latency, could be signs of concealment or
falsification’ (Sun and Vasarhelyi 2017).
DRONE
TECHNOLOGY, INTERNET OF THINGS AND SENSOR TECHNOLOGIES
Unmanned
drones are used in a variety of commercial projects, such as power line
inspection, and the Big Four accountancy firms have spotted the potential for
their use in inventory inspection, particularly where physical scale or
distribution is an issue. For example, PwC recently announced its first stock
count audit – of an open cast mine – using drone technology (PwC 2019).Drones
are the aerial component of the Internet of Things, the constantly growing
number of devices and sensors connected via IP (internet protocol). An example
of a sector that is ripe for the adoption of such technologies in audit and
assurance is agriculture.
DISTRIBUTED
LEDGER TECHNOLOGY (DLT)
DLT,
a family of technologies that includes blockchain, is of great interest to both
auditors and businesses. According to ACCA’s report Divided we Fall,
Distributed we Stand, DLT ensures that ‘in a distributed ledger all
participants are looking at a common view of the records.’ (ACCA 2017a), which
are validated without the need for a central authority for this purpose. ‘So if
the majority of participants agree that an update has been correctly validated,
that becomes the basis for the updated entry to be added to the ledger.’ (ACCA
2017a).
For businesses, the attraction of DLT is that it greatly enhances
performance in areas where inefficiencies are introduced by the so-called
‘efficiency visibility’ and ‘trust’ deficits. Examples include the
inefficiencies and delays involved in setting up trade finance, the need to
establish trust via ‘know your customer’/‘customer due diligence’ (KYC/CDD)
requirements in finance and banking or the lack of visibility in the global
garment supply chain are all key areas for distributed ledger applications. For
the auditor, distributed ledgers become a sort of universal bookkeeping
service, removing the need to reconcile multiple databases of records and
providing a perfect audit trail. A key principle of DLT is immutability:
historical entries cannot be changed, only corrected with a balancing entry. While
this may help auditors to test audit assertions such as occurrence and cut-off,
it does not remove the need for higher-level auditor judgements.
Transactions
may exist outside the ledger and, while those recorded are unlikely to be
false, they still may not be legitimate. The auditor therefore needs to combine
the ledger information with judgements based on accounting principles and an
understanding of the nuances applicable to ownership and valuation. For
auditors, DLT offers the possibility of generating exception reports that are
based on all transactions rather than on using sampling techniques – a return
to the roots of auditing. Today’s audit cycles could potentially be replaced by
more frequent or even continuous, real-time, audit. This is likely to release
resources and provide the material for a deeper and more contextual
understanding of the business, as required for the production of extended audit
reports. However, this is also likely to increase resources with specialized
skills in DLT, at least in the short-term. While DLT may be supported by standardization and automation of data collection – possibly via
‘accounting-as-a-service’ platforms – the removal of mundane tasks will bring
the contribution of the auditor’s judgement into stronger focus.
The
report concludes: ‘The auditor role may pivot towards non
transaction-management elements requiring human judgement, business context and
knowledge of technical accounting policy and of the outputs created by the
application of these elements to specific questions within the audit, for
example the fair value of assets’ (ACCA 2017a).
