Analyzing the role of IT in current and future financial auditing methodologies
Fons Verbeek
Tilburg University, School of Economics and Management, Department of Information
Management, The Netherlands
Student: ing. A.M.J. Verbeek
Registration number: 805649
Supervisor: prof. dr. ir. H.A.M. Daniels
Company: PricewaterhouseCoopers Accountants N.V.
Supervisor: drs. W. Roozendaal
Document: Master Thesis Information Management
Version: 1.0
Date of publication: April 27, 2012
Place of publication: Tilburg, The Netherlands
Abstract
This report addresses the issue of improving the performance of the current financial
audit methodology through the application of developments from the field of IT. The
current financial audit practice is described in detail and illustrated by four case studies
applying the audit methodology in practice. Four developments from the field of IT
including audit nets, process mining, continuous auditing and XBRL are described and
analyzed on their applicability. Conclusions following these efforts include a view at
the future of the financial auditing practice and a technology roadmap guiding future
audit methodology improvements.
Table of contents
Abstract
Table of contents
1 Introduction
1.1 Problem definition
1.2 Research questions
1.3 Research methods
1.4 Thesis outline
2 Current state of the financial auditing practice
2.1 Institutions and actors
2.2 Legislation
2.3 Regulations
2.4 Methodology and methods
2.4.1 The PwC methodology
2.4.2 Tests of controls / System oriented methods
2.4.3 Substantive tests / Data oriented methods
2.4.4 Tooling
2.4.5 Limitations
2.4.6 Improvements
2.5 Summary
3 The current financial auditing methodology in practice
3.1 Case study design
3.2 The case of energy supplier A
3.3 The case of energy supplier B
3.4 The case of energy distributor C
3.5 The case of water company D
3.6 Analytical discussion of cases
3.7 Summary
4 Recent developments in the field of IT
4.1 Audit Nets
4.2 Process Mining
4.3 Continuous Auditing
4.4 XBRL
4.5 Analytical discussion of IT developments
4.6 Summary
5 Future directions for the financial auditing practice
5.1 Identifying trends and themes defining the future of the financial auditing practice
5.2 Proposing a Technology Roadmap guiding future audit methodology improvements
5.3 Summary
6 Conclusions and recommendations
References
1 Introduction
The concept of the financial audit has been in existence for centuries. Ever since its
origin, practitioners have been searching for ways to improve both the effectiveness and
efficiency of the audit execution. Since the introduction of computerized accounting
and business information systems in the second half of the 20th century, methods to
analyze accounting and business information in an automated fashion have come into
view. To date, however, implementation of such methods in the financial audit
practice remains limited. The aim of this research is to investigate in which way
developments from the field of IT can contribute to the audit performance in terms of
effectiveness and efficiency and in which way these improvements can be
implemented in present financial auditing methodologies.
1.1 Problem definition
Increasing the performance of the financial audit is expected to result in several
significant effects. First of all, increasing the effectiveness of the audit is expected to
result in a higher level of quality associated with the audit execution, increasing
confidence in the judgment of the auditor and the auditor's opinion. Secondly,
increasing the efficiency of the audit is expected to result in a reduction of the costs
involved with the audit execution, improving its accessibility. In order to direct the
financial audit practice in moving towards these goals, this study aims to define how to
improve the performance of current financial auditing methodology through the
implementation of developments from the field of IT.
1.2 Research questions
In order to establish the ways in which the current financial audit approach can be
improved, the first goal is to provide a comprehensive overview of the financial audit
practice as it is established today. Therefore, the first research question is formulated as
listed under number 1.
1. What does the current state of the art in the financial auditing practice look
like?
Once a clear view of the current field of practice, including its strengths and weaknesses,
is obtained, the second goal is to identify the ways in which the current financial audit
performance can be improved through the implementation of developments from the
field of IT. This is covered by the second research question, which is listed under
number 2.
2. How can information technology improve traditional auditing methods in
terms of effectiveness and efficiency?
Following this identification of improvement possibilities, the next research question
concerns the possible implications the application of such improvements might have
and is listed under number 3.
3. What are the implications of these advancements in the field of information
technology for the financial auditing practice?
Once all expected implications for the current financial audit practice are listed, the
ultimate question that this research attempts to answer is formulated as
listed under number 4.
4. What will the future of the financial auditing practice look like?
1.3 Research methods
Although the subject matter of this research is practical in nature, in order to establish a
solid theoretical foundation, this research itself will largely be based on a review of the
literature that is currently available. Interviews with domain experts will be conducted
in order to define the current state of the art in the financial auditing practice and to
serve as a starting point from where to look for relevant financial auditing related
legislation and regulations as well as academic literature from both the fields of
financial auditing and information technology. Additional research methods will be
utilized where applicable in order to support the developed theory. Case studies will be
included in order to illustrate current financial auditing methodologies and structured
analysis will be applied in order to answer the research questions as formulated in
chapter 1.2.
1.4 Thesis outline
In order to provide a reading guide to this report, this section will discuss the contents
of each chapter briefly.
Chapter 2 will start by providing an overall picture of the current state of the financial
auditing practice, including a listing of the methods and methodologies that are
currently applied. This description is followed by an analysis of the current state,
which will result in the identification of both limitations and possibilities for
improvement.
In order to illustrate the current practice as described in chapter 2, four case studies
covering the PwC audit methodology applied in practice will be provided in chapter 3.
Further analysis of these case studies will result in a differentiation between the various
types of methods currently used and the frequency at which they are applied.
Chapter 4 will provide a description of four developments in the field of IT that are
potentially applicable to the financial auditing methodologies as described and
illustrated in chapters 2 and 3. These technologies will further be analyzed and
compared based on their applicability to the PwC audit methodology, availability of
tooling and expected implications for the financial audit performance. This comparison
will result in an indication for the future use potential of these technologies.
Based on the findings from chapters 2 - 4, chapter 5 aims to cast a view on the future
of the financial auditing practice, proposing a technology roadmap which is to serve as
a guide to future audit methodology improvements.
Chapter 6 will discuss the findings from this research and present the final conclusions
and recommendations.
2 Current state of the financial auditing practice
The current Dutch financial auditing practice is a highly regulated market. The aim of
this chapter is to provide an overview of all the relevant institutions, actors, legislation
and regulations that are operational in this field. In order to achieve a good overview of
this matter, a professional of PwC’s assurance practice was interviewed. This chapter
starts with an overview of the most important legislation and regulations and further
drills down to the material concerning auditing methodologies, methods and techniques
which is most relevant in the context of this thesis.
2.1 Institutions and actors
When investigating the Dutch financial auditing practice, five major institutions can be
identified that are each responsible for publishing regulations relevant in this context.
The main institutions that were identified include ‘the legislator’, ‘Nederlandse
Beroepsorganisatie van Accountants’ (NBA), ‘Autoriteit Financiele Markten’ (AFM),
‘Raad voor de Jaarverslaggeving’ (RJ) and ‘Monitoring Commissie Corporate
Governance Code’ (depicted in figure 1). Other actors that play a role in the financial
auditing practice include ‘audit firms’, ‘accountants’ and ‘auditees’. Each of these
entities will be described in more detail below.
Figure 1: Regulating institutions
The legislator
In The Netherlands, ‘the legislator’ is formed by a composition of three entities.
1. Government (Regering)
2. 2nd Chamber / Parliament (Tweede Kamer der Staten-Generaal)
3. 1st Chamber (Eerste Kamer der Staten-Generaal)
Together, these three entities are entitled to pass laws. The most significant laws that
are applicable to the financial auditing practice include the following.
‘Wet toezicht accountantsorganisaties’, Wta, issued 19-01-2006
‘Besluit toezicht accountantsorganisaties’, Bta, issued 16-08-2006
‘Wet op de Registeraccountants’, WRA, issued 28-06-1962
‘Wet op de Accountants-Administratieconsulenten’, WAA, issued 13-12-1972
These laws will be described in more detail in chapter 2.2.
Nederlandse Beroepsorganisatie van Accountants (NBA)
The NBA is the Dutch corporation of accountants. All accountants that are operational
in The Netherlands are recorded in a central register that is administered by the NBA.
In addition, the NBA is responsible for determining the requirements for new
applicants to become an accountant. To this end, the NBA has specified a great number
of regulations called ‘verordeningen’ (ordinances) and ‘nadere voorschriften’ (further
prescriptions). The most important regulations include the following.
‘Verordening accountantsorganisaties’, VAO, issued 08-12-2010, effective 01-01-2011
‘Verordening gedragscode’, VGC, issued 16-12-2009, effective 01-01-2010
‘Nadere voorschriften Controle- en overige standaarden’, NV COS, issued 15-01-2011, effective 15-06-2011
These regulations will be described in more detail in chapter 2.3.
Autoriteit Financiele Markten (AFM)
The AFM is the Dutch authority responsible for supervising the stock exchange
market. In addition, it performs an enforcing role regarding compliance with the laws
concerning financial institutions as well as financial audit firms. The AFM is also
responsible for granting permits to audit firms for statutory financial audits (audits that
are mandatory by law). It keeps a register of all audit firms that are allowed to
execute statutory financial audits, the ‘Register accountantsorganisaties’. This register
contains general information about the audit firm as well as specific details about the
permit such as date of request, date of authorization, state of the permit and whether
the audit firm is allowed to audit organizations that are classified as ‘Organisatie van
Openbaar Belang’ (OOB).
Raad voor de Jaarverslaggeving (RJ)
The RJ (Dutch Accounting Standards Board) is responsible for developing guidelines
and accounting standards to be used in The Netherlands. The result of these efforts is
the ‘Richtlijnen voor de jaarverslaggeving’ (RJ) also known as ‘Dutch Generally
Accepted Accounting Principles’ (Dutch GAAP). Since 2005, listed companies in The
Netherlands are required to publish their annual accounts following the International
Financial Reporting Standards (IFRS) developed by the International Accounting
Standards Board (IASB). All non-listed medium to large sized companies are free to
choose either the RJ / Dutch GAAP or IFRS standard. Small companies are not obliged
to publish annual accounts.
Monitoring Commissie Corporate Governance Code
The ‘Monitoring Commissie Corporate Governance Code’ is responsible for
maintaining the Dutch Corporate Governance Code (Dutch CGC) with regard to its
actuality and relevance as well as enforcing compliance of this code by listed
companies in The Netherlands. Each year, the monitoring commission issues a report
treating the extent to which Dutch companies comply with the latest corporate
governance code. The Dutch CGC provides a number of guidelines and best practices
regarding the governance of listed companies. The contents of the Dutch CGC are
generally based on the principles of integrity, objectiveness, competence and
conscientiousness, confidentiality and professional behavior.
Audit firms
Two kinds of audit firms can be distinguished in The Netherlands. Those with a WTA
permit, which are authorized to execute statutory financial audits and are known as
‘accountantsorganisatie’ (accountant organization), and those without a WTA permit,
which are known as ‘accountantskantoor’ (accountant office). As the focus of this
thesis is on the legal entity ‘PricewaterhouseCoopers Accountants N.V.’ (which,
having a WTA permit, classifies as an accountant organization) it will focus on the
‘accountantsorganisatie’.
Accountants
In The Netherlands, there are two kinds of accountants. The accountants that are
authorized to execute statutory financial audits are known as ‘register accountants’
(RA) while all other accountants are known as ‘accountants-administratieconsulenten’
(AA). As most audits performed by PwC are statutory financial audits, the focus of this
thesis will be on the ‘register accountant’.
Auditees
The last actor to be included in this overview of the financial auditing practice is the
auditee, which can be described as any organization that is being audited by an audit
firm and its accountants. There are certain regulations that are specifically aimed at the
auditee in the context of the financial audit. More specifically, these regulations
include the ‘Richtlijnen voor de jaarverslaggeving’ (RJ) and IFRS as well as the Dutch
Corporate Governance Code.
2.2 Legislation
As indicated in the previous chapter, four acts in the Dutch law that are of relevance to
the financial auditing practice were identified. Here each act will be described briefly
and subsequently their relevance in the context of this thesis will be indicated.
Figure 2 provides an overview of the current system of legislation and regulations that
became effective in 2007.
Figure 2: Legislation and regulations
Wet toezicht accountantsorganisaties (Wta)
The WTA act was introduced in order to regulate the supervision of audit firms active
in The Netherlands. It designates the AFM as supervisor and introduces a permit that is
required for audit firms in order to be authorized to perform statutory financial audits.
The WTA specifies the requirements for an organization to obtain such a permit. These
requirements contain aspects at both the organizational and individual level.
Organizational aspects include items such as integrity, expertise and skills of the board
of directors, control structure, quality control system, independence, confidentiality
and safeguards for controlled and sound operations. Individual aspects include items
such as professional knowledge, independence, objectivity and integrity,
confidentiality, reporting of suspicion of material fraud, compliance with professional
regulations and reporting of disciplinary cases. In case of non-compliance of an
organization or individual with these requirements, the AFM has the option of
ordaining several penalties depending on the nature and severity of the error. These
penalties include the issuing of a warning, instruction or fine, imposing a cease and
desist, publication of the error or the issuing of a declaration to the public prosecutor.
Besluit toezicht accountantsorganisaties (Bta)
The BTA act comprises an elaboration on some of the requirements for audit firms that
are defined in the WTA act. These additional requirements that are part of the BTA
contain items such as permit requests, quality control systems and the compliance with
and implementation of statutory financial audits (i.e. the implementation of a quality
assurance mechanism and the appointment of a quality assessor). In addition, the BTA
contains definitions concerning independence, sound operations and fraud reporting, as
well as the obligation for audit firms to issue an annual report stating their compliance
with these requirements. The WTA and BTA acts combined form the basis of the
Dutch legislation on audit firms.
Wet op de Registeraccountants (WRA)
The WRA act was introduced in order to regulate the financial audit profession in The
Netherlands. It installs the ‘Koninklijk Nederlands Instituut van Registeraccountants’
(NIVRA), and regulates a number of topics. These topics, which are all focused on the
individual accountant, include items such as the registry, education, final terms and
disciplinary jurisdiction and procedures for ‘register accountants’ (RA).
Wet op de Accountants-Administratieconsulenten (WAA)
Like the WRA act, the WAA act was also introduced in order to regulate the financial
audit profession in The Netherlands. It installs the ‘Nederlandse Orde van
Accountants-Administratieconsulenten’ (NOvAA), and roughly regulates the same
topics as the WRA act, focusing on the individual accountant, but applying only to
‘accountants-administratieconsulenten’ (AA). The NIVRA and NOvAA, which are
mentioned above, have recently merged and are now known as NBA. The WRA and
WAA acts combined form the basis of the Dutch legislation on the financial audit
profession.
2.3 Regulations
In this chapter, the various regulations that were issued by the NBA will be discussed.
As mentioned in the previous chapter, three regulations of interest in the context of this
thesis are identified. Each regulation will be described briefly, followed by an analysis
indicating its relevance and impact on the financial audit methods as referred to in
the introduction.
Verordening accountantsorganisaties (VAO)
The VAO provides audit firms that are listed in the AFM register with a more concrete
instantiation of the general rules and principles that are defined in the WTA and BTA
acts. The topics that are treated in the VAO again concern the system of quality
control, independence and sound operations of the audit firms. The aim of the VAO is
to ensure that in the complete body of rules and regulations consisting of WTA, BTA
and VAO there are no hiatuses and redundancies regarding norms.
Verordening gedragscode (VGC)
The VGC contains rules of conduct and norms for both RA and AA qualified
accountants. Unlike the VAO, which is aimed at audit firms, the VGC is aimed at the
individual accountant. Like the Dutch Corporate Governance Code, all topics treated in
the VGC are based on the five principles of integrity, objectiveness, competence and
conscientiousness, confidentiality and professional behavior.
Nadere voorschriften Controle- en overige standaarden (NV COS)
The NV COS are a set of further prescriptions that follow from article A-130.7 from
the VGC and are issued by the General Assembly of the NBA. The NV COS cover,
among others, the workflow of a generic financial audit trail and detail the standards
and norms for every step required to reach the auditor's opinion. The global steps of the
financial audit process that are covered in the NV COS include the determination of
responsibilities, planning of the audit, assessment of risks, obtainment of audit
evidence, usage of work of other experts and reporting of conclusions. In the context of
this thesis, the obtainment of audit evidence step is the most interesting as it contains
details regarding the applicability of methods to numerical analyses. Numerical
analyses are defined as either comparisons of financial information between periods
(current, historical or prospective information) or between comparable sector specific
entities. Additionally, comparisons of normative relationships between elements of
financial information or between financial information and non-financial information
can also be classified as numerical analyses. Methods that can be used for these
analyses range from simple comparison and normative relationship verification to
advanced statistical techniques. In all cases it is up to the auditor's professional
judgment to choose the methods and techniques with the highest expected
effectiveness and efficiency. All NV COS standards are generally derived from the
International Standards on Auditing (ISA).
Table 1 provides a summary of the relationships between the institutions, actors,
legislation and regulations that have been covered up until now.
| Institutions | Legislation and regulations | Actors |
| Legislator | Wet toezicht accountantsorganisaties (Wta) | Audit firms (WTA) |
| Legislator | Besluit toezicht accountantsorganisaties (Bta) | Audit firms (WTA) |
| Legislator | Wet op de Registeraccountants (WRA) | Accountants (RA) |
| Legislator | Wet op de Accountants-Administratieconsulenten (WAA) | Accountants (AA) |
| Nederlandse Beroepsorganisatie van Accountants (NBA) | Verordening accountantsorganisaties (VAO) | Audit firms (WTA) |
| Nederlandse Beroepsorganisatie van Accountants (NBA) | Verordening gedragscode (VGC) | Accountants (RA and AA) |
| Nederlandse Beroepsorganisatie van Accountants (NBA) | Nadere voorschriften Controle- en overige standaarden (NV COS) | Accountants (RA and AA) |
| Autoriteit Financiele Markten (AFM) | Register accountantsorganisaties | Audit firms (WTA) |
| Raad voor de Jaarverslaggeving (RJ) | Richtlijnen voor de jaarverslaggeving (RJ) | Auditees |
| Monitoring Commissie Corporate Governance Code | Dutch Corporate Governance Code | Auditees |
Table 1: Institutions issuing laws and regulations affecting actors
2.4 Methodology and methods
In order to provide consistent high quality and risk management standards, audit firms
use standardized procedures that are documented in their audit methodology. Audit
methodologies provide an overview of the audit process and dictate in great detail
every step that has to be taken in order to be able to determine the auditor's opinion. In
the context of this thesis the methods that the PwC audit methodology prescribes are of
particular interest. This section will first cover the PwC audit methodology, followed
by a description of both the audit methods and techniques currently used therein.
2.4.1 The PwC methodology
As mentioned in the introduction, the methodology forms the basis of a financial audit.
By analyzing the current audit methodology in use by PwC, much can be learned
concerning the procedure that is followed and the methods that are applied when
conducting a financial audit. The following description is taken from the PwC Audit
Guide (PwC Audit 101).
“The PwC audit methodology is called PwC Audit. This methodology is based on the
International Standards on Auditing (ISAs), with more specific PwC policy and
guidance provided where appropriate. The PwC Audit Guide explains PwC's
methodology and provides a common audit approach for PwC member firms to follow
in accordance with network standards, and so that each PwC member Firm
understands the approach taken by other PwC firms to an engagement. The Guide
along with PwC's technology-based audit support tools, templates and content support
engagement teams in conducting assurance and related services engagements.”
As noted in the description above, the PwC audit methodology relies on technology-based
audit support tools. Currently, there are two major tools in use within the PwC
assurance practice: MyClient and its successor Aura. Where the former is still
in use for different kinds of assurance assignments, the latter is currently used for all
financial audits. For this reason, the PwC audit methodology supported by Aura will be
the focus of this thesis.
Figure 3: The PwC audit methodology supported by Aura
Following the process diagram depicted in figure 3, the PwC audit methodology
supported by Aura generally consists of 4 phases which will be described briefly in the
following section.
Planning
The planning phase of a financial audit starts with the acceptance of the audit
assignment. During this step the risks and reliability associated with the auditee are
assessed. Once the audit assignment is accepted, the terms of engagement are
determined and a team of auditors is mobilized. Next, the independence of the audit
team is assessed and further required planning procedures are executed.
Understanding the Business, Assess Risk and Determine Audit Strategy
The second phase starts with the analysis of the auditee's organization resulting in the
understanding of the business including its internal control. Subsequently, it includes
the determination of the materiality and the assessment of the levels of inherent risks
associated with the auditee’s organization. This is followed by the establishment of the
audit strategy and identification and evaluation of the controls that mitigate the
assessed risks and ends at the start of the audit plan execution.
Respond to Risk and Gather Evidence
The third phase starts with the determination of both the expected reliance on the
auditee's internal controls and the planned substantive evidence followed by the
approval of the audit plan. Once the audit plan is approved, the auditor continues with
the execution of ‘evidence gathering activities’ (EGAs) consisting of tests of controls,
substantive analytical procedures and tests of detail. Depending on the level of controls
reliance, the focus of the EGAs will be either on tests of controls or on substantive
testing. The results of these EGA steps combined form the body of audit evidence on
which the auditor's opinion will ultimately rely. As a final step in this phase, the risk
assessment and audit plan are updated and other required procedures are performed.
Finalize the Audit
The finalizing phase of a financial audit starts with the performance of the relevant
audit completion procedures. This step is followed by referencing the financial
statements and issuing the reports. The final steps of the PwC audit methodology
comprise debriefing the client, debriefing the audit team and assessing the audit
performance. This concludes the PwC audit trail.
Following this description of the PwC audit methodology, it can be concluded that the
methodology is largely based on a top-down approach where inherent organizational
risks are identified, mitigating controls are assessed and remaining risks are covered by
the application of substantive procedures. This combination of methods results in an
audit methodology based on several traditional audit approaches including the risk-
based approach, systems-based approach, and substantive procedures approach.
Following from interviews with several experts from PwC it is expected that from the
PwC audit methodology described above, some steps have a higher applicability of
assisting technology than others. The business understanding and risk assessment
phase as well as the steps involving evidence gathering activities are expected to have
the highest applicability of assisting technology. Therefore, the steps that were
identified as the most interesting ones in the context of this thesis include the
following.
• ‘Understand the business including its internal control’
• ‘Risk assessment analytics’
• ‘Perform tests of controls’
• ‘Perform substantive analytical procedures’
• ‘Perform tests of detail’
In the following sections the steps involving EGAs and the methods and techniques
used therein will be described briefly. Figure 4 provides a view at the way these steps
are interrelated. A distinction is made between tests of controls / system oriented
methods and substantive tests / data oriented methods.
Figure 4: The 3 steps from the PwC audit methodology involving EGAs
2.4.2 Tests of controls / System oriented methods
System oriented methods are aimed at providing comfort regarding the processes,
procedures and controls of the auditee’s organization. Within the PwC audit
methodology, system oriented methods are executed during the ‘Perform tests of
controls’ step of the audit cycle. This section starts with a short description of the
control framework which forms the basis of the controls testing methods included in
the PwC audit methodology. This is followed by a summary of the various control
types that are derived from this control framework and, finally, a description of the
methods and techniques that can be applied to test these controls.
Control framework
Within the PwC audit methodology, the ‘COSO Internal Control – Integrated
Framework’ (1992) is used to determine the quality of the auditee’s system of internal
controls. The COSO control framework consists of 5 control components that apply to
the organizational objectives including ‘Operations’ (concerning the effectiveness and
efficiency of business processes), ‘Financial reporting’ (concerning the reliability of
financial information), and ‘Compliance’ (with legislation and regulations), at each of
the organizational levels. The 5 control components that are covered in the model
include ‘Control environment’, ‘Risk assessment’, ‘Control activities’, ‘Information
and communication’ and ‘Monitoring’, each of which is explained briefly below.
• The ‘Control environment’ of an organization forms the basis of the system of
  internal controls; it concerns the control awareness, integrity, ethical values and
  competence of the people that are part of the organization.
• ‘Risk assessment’ concerns the process of assessing risks, both internal and
  external to the organization, that pose a threat to achieving the organizational
  objectives.
• ‘Control activities’ are policies and procedures that help ensure management
  directives are effectuated and include measures such as approvals,
  authorizations, verifications and segregation of duties.
• ‘Information and communication’ together form the binding factor in the
  system of internal controls. The aim of this component is to ensure that relevant
  information is identified, captured and communicated to people in a way that
  enables them to perform their duties.
• ‘Monitoring’ concerns the process of evaluating the quality and performance of
  the system of internal controls over time. Monitoring can be done on an
  ongoing basis or by separate evaluations.
The COSO framework suggests that all 5 components must be in place in order to
ensure the system of internal controls is effective. In addition, this has to be the case
for each business objective at all organizational levels. A schematic representation of
the ‘COSO Internal Control – Integrated Framework’ is provided in figure 5.
Figure 5: The COSO Internal Control – Integrated Framework
Control types
Derived from the COSO internal control framework, the PwC audit methodology
defines 4 types of controls. Each control type can be related back to one or more
components of the COSO framework and affects its own distinct part of the
organization in question (e.g. the auditee’s organization). Figure 6 shows a graph
depicting the various constructs in relation to each other.
Figure 6: The 4 control types related to the 5 internal control components
Each of the 4 control types depicted above will be described in more detail below.
Descriptions are taken from the PwC Audit Guide (PwC Audit 6011).
Indirect Entity Level Control (Indirect ELC).
“Indirect ELCs are entity level controls that do not directly relate to any specific
FSLIs/business processes or assertions and, therefore, would not by themselves
prevent or detect on a timely basis material misstatements to assertion(s) at the FSLI
level. They may, however, contribute to the effectiveness of controls.”
Direct Entity Level Control (Direct ELC).
“Direct ELCs are controls that typically operate at least at the sub-process level, i.e.,
at a level higher than transaction level controls, and, when performed effectively, at a
sufficient level of precision to adequately prevent, or detect and correct on a timely
basis, material misstatements related to one or more relevant assertions for FSLIs/
business processes.”
Transaction Level Control.
“Transaction level controls are control activities over the initiation, recording,
processing and reporting of transactions designed to operate at a level of precision
that would prevent, or detect and correct on a timely basis, misstatements related to
one or more relevant assertions for a FSLI/business process. Transaction level
controls can be either detective or preventive in nature and they often include manual
application, automated application or IT Dependent Manual controls.”
Information Technology General Control (ITGC).
“ITGCs are policies and procedures that are used to manage the IT activities and
computer environment, relate to many applications and support the effective
functioning of application controls by helping to verify the continued proper operation
of information systems. This includes the basic IT areas that are relevant to internal
control: IT control environment, Program Development, Program Changes, Access to
Programs and Data and Computer Operations.”
Perform tests of controls
During the ‘Perform tests of controls’ step of the PwC audit methodology, the auditor’s
objective is to test whether the risks that were identified in the auditee’s organization
are mitigated in a satisfactory way by the implementation of effective internal controls.
When determining which controls to take into account, a top down approach is taken
where only controls that cover risks of material nature are considered. Controls tests
applied to this end can vary in their nature, timing and extent.
Figure 7: Types of control tests
Based on their nature, four categories of control tests are distinguished in the PwC
audit methodology as can be seen in figure 7. Listed following an ordinal scale, these
categories include ‘Inquiry’, ‘Observation’, ‘Inspection’ and ‘Reperformance’.
Regarding the extent of testing, control tests can further be classified based on their
frequency of application and the sample sizes used therein.
As a final note regarding the testing of internal controls it is interesting to observe that
the total of controls testing consists of the ‘Management Response’ plus ‘Audit Effort’.
This implies that both the auditor and auditee have a responsibility in analyzing and
testing the internal controls of the organization in question. Furthermore the
observation is made that the more management response is provided, the less audit
effort is needed to reach the desired level of comfort as can be seen in figure 8 which
originates from the third Global Technology Audit Guide (GTAG) from the Institute of
Internal Auditors (IIA).
Figure 8: The monitoring of internal controls - management vs. audit
2.4.3 Substantive tests / Data oriented methods
Where system oriented methods are aimed at providing comfort regarding processes,
procedures and controls, data oriented methods are aimed at providing assurance on the
completeness, accuracy and validity of (financial) data directly. As mentioned in
chapter 2.4.1, substantive tests can either focus on substantive analytical procedures or
on tests of detail depending on the level of comfort obtained from the tests of controls
as described in the previous section. In case internal controls sufficiently mitigate
identified risks, the audit is continued by applying substantive analytical procedures
based on the auditee’s financial data. If the internal controls are insufficient, tests of
detail are required to ensure the financial data is correct. Both of these steps are
categorized as data oriented methods and will be described in more detail below.
Focus on substantive analytical procedures
Substantive analytical procedures consist of computational auditing methods that
analyze financial data at aggregate levels in comparison with for example data from
previous periods or other entities from the same market segment. When applying
substantive analytical procedures, in general a four step process is followed, regardless
of the method being used. The steps included in this process resemble a simplified
statistical hypothesis testing procedure as can be seen in the description below.
The 4 step process when using substantive analytical procedures (PwC Audit 7033).
1. ‘Develop an independent expectation’
2. ‘Define a significant difference or threshold’
3. ‘Compute difference’
4. ‘Investigate significant differences and draw conclusions’
In general, many analytical procedures can be executed by the financial auditor using
tools like Microsoft Excel; however, as the required analytical procedures increase in
complexity this approach becomes both less effective and less efficient. A data
assurance team can be called upon to perform advanced testing procedures using
specialized software tools that are suited to executing elaborate queries on large data sets.
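The four-step process above, worked through as an added example (it is not taken from the thesis or from PwC tooling). The revenue expectation of delivered volume times tariff, the 5% threshold with a 5.00 floor, and all figures are constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional

CENT = Decimal("0.01")


@dataclass(frozen=True)
class Period:
    month: str
    volume_kwh: Decimal          # driver taken from a source independent of the ledger
    tariff: Decimal              # price per kWh (assumed known from a tariff sheet)
    recorded: Optional[Decimal]  # revenue per general ledger; None = no posting found


@dataclass(frozen=True)
class Finding:
    month: str
    expected: Decimal
    recorded: Optional[Decimal]
    difference: Optional[Decimal]
    threshold: Decimal
    status: str  # "within_threshold", "investigate" or "no_recording"


def develop_expectation(p: Period) -> Decimal:
    """Step 1: expectation built without using the recorded amount."""
    return (p.volume_kwh * p.tariff).quantize(CENT)


def define_threshold(expected: Decimal, pct: Decimal, floor: Decimal) -> Decimal:
    """Step 2: percentage of the expectation, never below a fixed floor."""
    return max(floor, (abs(expected) * pct).quantize(CENT))


def analyse(periods: List[Period],
            pct: Decimal = Decimal("0.05"),
            floor: Decimal = Decimal("5.00")) -> List[Finding]:
    findings = []
    for p in periods:
        expected = develop_expectation(p)
        threshold = define_threshold(expected, pct, floor)
        if p.recorded is None:
            # A missing posting cannot be compared; it is always followed up.
            findings.append(Finding(p.month, expected, None, None,
                                    threshold, "no_recording"))
            continue
        difference = p.recorded - expected                      # step 3
        status = ("investigate" if abs(difference) > threshold  # step 4
                  else "within_threshold")
        findings.append(Finding(p.month, expected, p.recorded,
                                difference, threshold, status))
    return findings


def to_investigate(findings: List[Finding]) -> List[Finding]:
    """Step 4 work list: missing postings first, then largest excess over threshold."""
    missing = [f for f in findings if f.status == "no_recording"]
    flagged = [f for f in findings if f.status == "investigate"]
    flagged.sort(key=lambda f: abs(f.difference) - f.threshold, reverse=True)
    return missing + flagged


# Constructed sample data (not from any audit file).
SAMPLE_PERIODS = [
    Period("2010-01", Decimal("1000"), Decimal("0.20"), Decimal("203.00")),
    Period("2010-02", Decimal("900"), Decimal("0.20"), Decimal("195.00")),
    Period("2010-03", Decimal("800"), Decimal("0.22"), None),
    Period("2010-04", Decimal("50"), Decimal("0.22"), Decimal("7.00")),
    Period("2010-05", Decimal("1200"), Decimal("0.22"), Decimal("240.00")),
]

if __name__ == "__main__":
    for f in to_investigate(analyse(SAMPLE_PERIODS)):
        print(f.month, f.status, f.expected, f.recorded, f.difference, f.threshold)
```

The April period shows why the floor matters: a 5% threshold on an expectation of 11.00 would flag a difference of 4.00 that is immaterial in absolute terms.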
Focus on tests of detail
Tests of detail consist of specific auditing methods that analyze financial data at record
level. This implies that each individual account is verified and validated by using, for
example, reference checking procedures. In order to increase the efficiency of these
methods, sampling techniques are used to limit the number of records that are to be
analyzed. In order to provide assurance regarding a specific account, three types of
tests of detail can be utilized including ‘Targeted testing’, ‘Accept-reject testing’ and
‘Non-statistical sampling’.
Test of detail types (PwC Audit 7041).
• ‘Targeted testing’
• ‘Accept-reject testing’
• ‘Non-statistical sampling’
‘Targeted testing’ provides the greatest control over which records are to be tested; it
allows the auditor to select a specific segment of the population based on some
characteristic. Conclusions following this type of test only apply to the selected records
and are not projected to the untested items in the population.
In case of ‘Accept-reject testing’, the auditor gathers enough evidence to be able to
determine whether a specific attribute of an account must either be accepted or
rejected. This technique is only used in order to test characteristics of accounts; no
monetary information is analyzed using this method.
‘Non-statistical sampling’ is used in case the targeted testing method would require a
large number of records to be tested, for example in case of a largely homogeneous
population. In this case samples are drawn from the population based on non-statistical
sampling methods which are more efficient than formal statistical methods.
2.4.4 Tooling
The auditing process, including the methods and techniques used therein, is
traditionally executed manually. In recent years however, the aid of computer software
tooling is used more frequently in order to reduce costs and thus increase the efficiency
of the audit. Over the last years, techniques assisted by computer software, which are
generally known as ‘Computer Assisted Audit Techniques’ (CAATs), have increased
in functionality and popularity. The following section covers the CAATs that are
currently applied within the PwC financial audit practice. An overview of the tools and
their suppliers is provided below.
CAATs currently applied in the PwC financial audit practice.
• ‘Aura’ from ‘PriceWaterhouse Coopers Applications B.V.’
• ‘Excel’, ‘Access’ and ‘SQL Server’ from ‘Microsoft Corporation’
• ‘AccountAnalyser’ from ‘UNIT4 N.V.’
• ‘Synaxion Business Process Analyzer’ from ‘Synaxion B.V.’
Aura
Aura is a specialized workflow management system tailored to assist the PwC audit
methodology. Functionalities provided by the tool include electronic documentation
and archiving of the audit trail, built-in definitions for EGAs employed in financial
audits and support for group collaboration within the audit team. The aim of the
software is to streamline the audit process and enable a paperless way of working.
The main functionality of Aura is supporting the financial audit workflow of the PwC
audit methodology as described in chapter 2.4.1 through keeping an electronic record
of each step executed. In addition, supporting functionalities provided by the
application include aiding risk analysis activities through providing support for
documenting the relations between financial statement line items and supporting audit
evidence, supporting the decision making process regarding the audit strategy, and
supporting group collaboration and quality assurance aspects of the audit. Each of
these functionalities will be described in more detail below.
The reason for documenting the connections between financial statement line items
and supporting evidence follows from the core objective of the financial audit, which is
to provide assurance regarding the financial statements of the auditee. In order to
achieve this objective risks are assessed regarding each financial statement line item
and subsequently, mitigating controls are identified and assessed for each risk.
Following this assessment, for each control, one or more evidence gathering activities
are defined which ultimately result in evidence supporting the auditor’s opinion. In
order to facilitate this process, Aura supports the documentation of the relations
between “Financial Statement Line Items”, “Risks”, “Controls”, “Evidence Gathering
Activities” and “Evidence”.
In order to facilitate the decision making process regarding the audit strategy, Aura
supports the automated indication of significant general ledger accounts based on their
materiality. In addition, the evidence gathering activity strategy can either “Focus on
Substantive Analytical Procedures” or “Focus on Tests of Detail” depending on the
level of “Expected Controls Reliance”; this decision making process is also supported
in an integrated fashion.
Finally, the group collaboration functionality integrated in Aura supports the
delegation of tasks among team members and records which team members prepared
and reviewed documented evidence gathering activities in order to follow quality
assurance procedures.
Excel, Access, SQL Server
Microsoft Excel, Access and SQL Server are generic spreadsheet and database tools
being employed in financial audits for their flexible calculating and querying
functionality. The tools allow auditors to perform manual operations on large sets of
data resulting in a reduction of time required to process them. Because of the generic
nature of the tools in question, they are flexible in use and therefore have a broad
applicability. As documentation of the tools covered in this section is ubiquitous, no
further description of the functionalities provided by them is included here.
AccountAnalyser
AccountAnalyser is a tool being employed in financial audits for executing substantive
analytical procedures. The tool is specialized in the analysis of financial accounting
information such as general ledger accounts and journal entries. The advantage of
using AccountAnalyser in financial audits is its ability to quickly generate views of the
financial statements being audited through the flexible composition of queries,
resulting in a quick understanding of the business and its risks.
The core functionality of AccountAnalyser is provided through a library of 130
standardized analyses and corresponding queries and reports. Examples of analyses
incorporated in the AccountAnalyser library include tests for financial liquidity and
solvability, tests regarding debtors and creditors and tests regarding fraud analysis.
Further examples detailing the analysis capabilities of AccountAnalyser include the
following 5 reports (out of 130 reports available) which are based on general ledger
mutations.
• Expenses per creditor.
• Number of creditors per general ledger account.
• Deviating journal entries per general ledger account.
• Missing journal entries.
• General ledger accounts.
The AccountAnalyser process flow, like any data analysis project, starts with the
extract, transform and load (ETL) phase, where the general ledger information is
extracted from the source information system, transformed into the desired format and
loaded into the AccountAnalyser database. Once all financial information is stored in
the database, the data is ready to be analyzed using the predefined analyses as
described above or by performing custom analyses using cross tables, pivot tables or
grids.
Synaxion
Synaxion is another tool which is employed in financial audits for executing
substantive analytical procedures. Instead of focusing on financial accounting
information, the tool uses data from the client’s business information systems (for
example the ERP system) in order to allow the auditor to perform a wide range of data
analyses. This functionality again results in a quick understanding of the business and
its risks as well as a more streamlined way of gathering evidence through the execution
of standardized data analyses.
As is the case with AccountAnalyser, Synaxion contains a library of standardized
analyses consisting of queries and reports. Examples of analyses that are included in
this library include tests regarding the purchase to pay, order to cash, and finance to
report cycles. One analysis that is of particular interest is that of the 3-way match, the
aim of which is to match invoices with goods receipts with orders, as part of the
purchase to pay cycle; this analysis is used regularly in practice.
The Synaxion process flow, like any data analysis project, starts with the extract,
transform and load (ETL) phase, where the business information is extracted from the
source information system, transformed into the desired format and loaded into the
Synaxion database. Once all business information is stored in the database, the data is
ready to be analyzed using the predefined analyses as described above or by
performing custom analyses using SQL.
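The 3-way match mentioned in the Synaxion description, sketched as an added example over the full invoice population (this is not Synaxion's own analysis or query library). The record layouts, the exception codes, the 1% price tolerance, the one-line-per-order simplification and all sample records are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal
from typing import Dict, List, NamedTuple


class OrderLine(NamedTuple):
    po_id: str
    quantity: int
    unit_price: Decimal


class GoodsReceipt(NamedTuple):
    po_id: str
    quantity: int


class Invoice(NamedTuple):
    invoice_id: str
    po_id: str
    quantity: int
    unit_price: Decimal


def three_way_match(orders: List[OrderLine],
                    receipts: List[GoodsReceipt],
                    invoices: List[Invoice],
                    price_tolerance: Decimal = Decimal("0.01")) -> Dict[str, List[str]]:
    """Return {invoice_id: [exception codes]} for every invoice that fails the match.

    Invoices are processed in posting order, so partial deliveries and several
    invoices against one order are compared on cumulative quantities.
    """
    order_by_id = {o.po_id: o for o in orders}
    received = defaultdict(int)
    for r in receipts:
        received[r.po_id] += r.quantity

    invoiced = defaultdict(int)
    exceptions: Dict[str, List[str]] = {}
    for inv in invoices:
        codes = []
        order = order_by_id.get(inv.po_id)
        if order is None:
            codes.append("NO_ORDER")              # invoice without a purchase order
        else:
            if abs(inv.unit_price - order.unit_price) > price_tolerance * order.unit_price:
                codes.append("PRICE_MISMATCH")    # invoiced price deviates from order price
            invoiced[inv.po_id] += inv.quantity
            if invoiced[inv.po_id] > received[inv.po_id]:
                codes.append("QTY_EXCEEDS_RECEIPT")  # billed for goods not (yet) received
            if invoiced[inv.po_id] > order.quantity:
                codes.append("QTY_EXCEEDS_ORDER")    # billed for more than was ordered
        if codes:
            exceptions[inv.invoice_id] = codes
    return exceptions


# Constructed sample population (not from any client system).
SAMPLE_ORDERS = [
    OrderLine("PO-1", 100, Decimal("2.50")),
    OrderLine("PO-2", 10, Decimal("40.00")),
    OrderLine("PO-3", 5, Decimal("100.00")),
]
SAMPLE_RECEIPTS = [
    GoodsReceipt("PO-1", 60),   # partial delivery
    GoodsReceipt("PO-1", 40),   # remainder
    GoodsReceipt("PO-2", 10),
    # no receipt at all for PO-3
]
SAMPLE_INVOICES = [
    Invoice("INV-1", "PO-1", 60, Decimal("2.50")),
    Invoice("INV-2", "PO-1", 40, Decimal("2.50")),
    Invoice("INV-3", "PO-1", 10, Decimal("2.50")),    # billed beyond order and receipt
    Invoice("INV-4", "PO-2", 10, Decimal("44.00")),   # 10% above the order price
    Invoice("INV-5", "PO-3", 5, Decimal("100.00")),   # goods never received
    Invoice("INV-6", "PO-9", 1, Decimal("15.00")),    # unknown purchase order
]

if __name__ == "__main__":
    for invoice_id, codes in three_way_match(
            SAMPLE_ORDERS, SAMPLE_RECEIPTS, SAMPLE_INVOICES).items():
        print(invoice_id, ", ".join(codes))
```

Because every invoice is evaluated, the exception list is itself the result of the test and nothing has to be projected from a sample.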
Following the description of the CAATs currently applied in the PwC financial audit
practice as described above, the table below summarizes the areas of application at
which they are currently employed. The stages of the financial audit identified in
chapter 2.4 are included and for each stage it is indicated which tooling is currently
used in which way.
Area of application per CAAT. The first two step columns belong to the phase ‘Understand the Business, Assess Risk and Determine Audit Strategy’; the last three belong to the phase ‘Respond to Risk and Gather Evidence’.

| CAAT | Understand the Business including its Internal Control | Risk Assessment Analytics | Perform Tests of Controls | Perform Substantive Analytical Procedures | Perform Tests of Detail |
|---|---|---|---|---|---|
| Aura | As a workflow management system, Aura supports the entire audit process. (applies to all steps) | | | | |
| Excel, Access, SQL Server | - | - | Testing of controls can be supported by data oriented analyses. | Substantive analytical procedures are often executed using flexible tooling. | Tests of detail are often executed using flexible tooling. |
| AccountAnalyser | By analyzing information from the accounting information system, a better understanding of the business can be obtained. | Analyzing data from the accounting information system can aid in determining materiality. | - | Substantive analytical procedures can be executed based on information from the accounting information system. | - |
| Synaxion | By analyzing information from the business information system, a better understanding of the business can be obtained. | Analyzing data from the business information system can aid in determining high and low risk areas of the business. | Testing of controls can be supported by data oriented analyses. | Substantive analytical procedures can be executed based on information from the business information system. | By analyzing data from the business information system, the entire population can be tested instead of a sample. |
Table 2: Current application of CAATs in the PwC audit methodology
2.4.5 Limitations
While the financial auditing methodology including its methods currently in use by
PwC is able to provide a reasonable level of assurance regarding the accuracy of
financial statements, there are some inherent limitations associated with the methods
presently applied. This section will briefly point out which limitations are relevant in
the context of this thesis and suggest how these limitations can potentially be removed.
Internal control
Because the current methodology is to a certain extent reliant on the correct
functioning of properly implemented internal controls, the inherent limitations of
internal controls themselves prove a threat to the quality of the audit evidence.
Limitations of internal controls include items such as human error in design or
execution of internal controls and interpretation of control results, collusion of two or
more people and inappropriate management override of internal controls. A way to
reduce the level of risk associated with this type of limitation is to reduce the level of
dependence on internal controls altogether, for example by placing more emphasis on
(automated) substantive testing.
Professional judgment
Throughout the audit methodology there are numerous points at which the auditor’s
professional judgment is called upon. Because professional judgment is subjective in
nature, decisions made in this context are susceptible to deviations which may result in
reduced audit quality. A way to reduce the risks associated with these deviations is to
provide even more guidance to auditors on procedures for specific situations. This
solution may not be desirable however, because of the loss of flexibility in the audit
procedure. A better solution might be to automate key parts of the audit procedure
where appropriate through application of standardized computer routines.
Audit evidence
During the evidence gathering activities which are part of every audit, evidence is
gathered in order to reduce audit risk to a minimum. In the PwC audit guide, ‘audit
risk’ is defined as follows (PwC Audit 1053).
“The risk that the auditor expresses an inappropriate audit opinion when the financial
statements are materially misstated. Audit risk is a function of the risks of material
misstatement and detection risk.”
Because it is impracticable to reduce audit risk to zero using current auditing methods,
auditors are expected to reach a persuasive auditor’s opinion rather than a conclusive
one. The question that arises here is whether the application of new technology based
audit methods may change this premise and allow the auditor to gain sufficient
appropriate audit evidence in order to be able to provide a conclusive auditor’s
opinion, for example by testing all transactions instead of testing samples.
2.4.6 Improvements
The aim of this study is to investigate in which way the current financial audit
methodology as described earlier in this chapter can be improved by the application of
developments from the field of IT. When considering opportunities for improvement in
the current methodology, three key dimensions can be identified. The primary goal of
improving the PwC audit performance is to improve the quality of the financial audit
while decreasing costs and simultaneously adding value to the client. These factors
together result in the research model as depicted in figure 9. This model will later be
extended in order to reflect the effects of the use of new methods and techniques on the
audit performance. A description of each construct is provided below.
[Figure 9 diagram: ‘Quality’ (+), ‘Costs’ (-) and ‘Added value’ (+) each point to ‘PwC Audit Performance’.]
Figure 9: PwC audit improvement research model
Independent constructs
• ‘Quality’ can be described as the extent to which the financial audit
  requirements as defined in the Dutch legislation and regulations are met by the
  PwC audit methodology; it measures the audit effectiveness and positively
  affects the PwC audit performance.
• ‘Costs’ can be described as the average euro amount for which the PwC audit
  methodology is able to deliver a financial audit; it measures the audit efficiency
  and negatively affects the PwC audit performance.
• ‘Added value’ can be described as the value that the PwC audit methodology is
  able to create on top of the financial audit requirements as defined in the Dutch
  legislation and regulations; it measures the extra features that go beyond the
  standard expectations and positively affects the PwC audit performance.
Dependent constructs
• ‘PwC Audit Performance’ can be described as the overall performance
  delivered by the PwC audit methodology; it is affected by and measured in
  terms of ‘Quality’, ‘Costs’ and ‘Added value’.
2.5 Summary
This chapter provided an overview of the current state of the Dutch financial auditing
practice including a description of the relevant institutions and actors, legislation and
regulations and methodology and methods. The Dutch legislation and regulations
prescribe a specific minimum quality level for financial audits but leave the choice of
methods and techniques during the execution of the audit up to the professional
judgment of the auditor. The PwC audit methodology provides more detailed guidance
on the types of methods and techniques that are suitable for the different steps in the
audit methodology but does not oblige the use of any specific method or technique
either. The steps from the PwC audit methodology that were identified as the most
relevant ones in the context of this thesis include ‘Understand the business including its
internal control’ and ‘Risk assessment analytics’ as well as the steps in which evidence
gathering activities are executed including ‘Perform tests of controls’, ‘Perform
substantive analytical procedures’ and ‘Perform tests of detail’. The usage of methods
and techniques in the current auditing practice was found to be mainly by means of
manual execution supported by computer software tooling for more complex assurance
problems. Three limiting factors in the current financial auditing methodology were
identified including ‘internal control’, ‘professional judgment’ and ‘audit evidence’,
which form a potential for improvement. Finally, a research model was proposed
which serves to stimulate such improvement through the indication of three factors
influencing the financial audit performance.
3 The current financial auditing methodology in practice
In order to illustrate the execution of the current financial auditing methodology in
practice, several case studies will be considered. Data has been acquired from four
financial audits executed at firms from the energy and utilities sector in financial year
2010. Cases to be considered include energy suppliers A and B, energy distributor C,
and water company D; the focus will be on the methodology used and the types of
methods applied. The chapter will conclude with an analytical discussion and summary
of the cases described.
3.1 Case study design
The cases to be considered in this chapter will be analyzed following a descriptive
approach. Data regarding these four distinct cases has been acquired from the Aura
audit documentation system forming a snapshot for the financial year 2010. Case
selection was based on available local knowledge from the PwC assurance practice,
more particularly the energy and utilities market segment.
As described in section 2.4, the PwC audit methodology generally considers six types
of Evidence Gathering Activities. For each case considered in this chapter, these EGA
types will be analyzed and compared. The various types of EGAs that are distinguished
in the PwC audit methodology include the following.
• Tests of Controls
  o Inquiry
  o Observation
  o Inspection
  o Reperformance
• Substantive Tests
  o Substantive Analytics
  o Tests of Details
Following the analysis of evidence gathering activity types listed above, a description
of the data analysis methods applied and supporting tooling utilized is provided for the
cases where applicable. This will provide further insight into the methods and types of
analyses that are currently applied in practice.
3.2 The case of energy supplier A
The case under consideration here is the financial audit of energy supplier A from
2010. Energy supplier A is one of the energy production and supplying companies
active on the Dutch energy market. In the context of this thesis, the interesting aspects
of this case are the methodology and methods used in the execution of the audit. An
analysis of the energy supplier A audit 2010 archive acquired from Aura results in the
EGA counts for each type as shown in table 3.
| Test type | Number of occurrences | Percentage |
|---|---|---|
| Inquiry | 92 | 5,21% |
| Observation | 187 | 10,59% |
| Inspection | 361 | 20,44% |
| Reperformance | 50 | 2,83% |
| Other controls tests | 87 | 4,93% |
| Substantive Analytics | 184 | 10,42% |
| Tests of Details | 805 | 45,58% |
| Total Tests of Controls | 777 | 44,00% |
| Total Substantive Tests | 989 | 56,00% |
| Total | 1766 | 100,00% |
Table 3: EGA counts for energy supplier A 2010
Following the EGA counts from table 3, the distribution of the types of EGAs can be
depicted in the form of a pie chart as shown in figure 10.
Figure 10: EGA distribution for energy supplier A 2010
Increasing the abstraction level of EGA types to the differentiation between system
oriented and data oriented EGAs results in the pie chart as shown in figure 11.
Figure 11: System vs. Data orientation for energy supplier A 2010
From the data depicted above, it can be concluded that in the 2010 financial audit of
energy supplier A a relatively large part of the Evidence Gathering Activities consists
of Tests of Details. Furthermore, the balance between system oriented and data
oriented methods seems to be slightly skewed towards the substantive, data oriented
side given the ratio of 44 to 56.
Additional inquiry with managers involved in the performance of the audit in question
resulted in the indication of the following data analysis activities.
• AccountAnalyser was applied in order to perform generic analyses on the
  organization’s general ledger as well as more specific analyses regarding
  journal entries from the purchase to pay cycle.
• Excel and Access were applied in order to perform a fraud analysis following
  the ISA 240 standard (The auditor’s responsibility relating to fraud in an audit
  of financial statements).
3.3 The case of energy supplier B
The case under consideration here is the financial audit of energy supplier B from
2010. Energy supplier B is one of the energy production and supplying companies
active on the Dutch energy market. In the context of this thesis, the interesting aspects
of this case are the methodology and methods used in the execution of the audit. An
analysis of the energy supplier B audit 2010 archive acquired from Aura results in the
EGA counts for each type as shown in table 4. Note that for this case it was not
possible to distinguish between the various types of controls tests.
| Test type | Number of occurrences | Percentage |
|---|---|---|
| Tests of Controls | 871 | 42,24% |
| Substantive Analytics | 242 | 11,74% |
| Tests of Details | 949 | 46,02% |
| Total Tests of Controls | 871 | 42,24% |
| Total Substantive Tests | 1191 | 57,76% |
| Total | 2062 | 100,00% |
Table 4: EGA counts for energy supplier B 2010
Following the EGA counts from table 4, the distribution of the types of EGAs can be
depicted in the form of a pie chart as shown in figure 12.
Figure 12: EGA distribution for energy supplier B 2010
Increasing the abstraction level of EGA types to the differentiation between system
oriented and data oriented EGAs results in the pie chart as shown in figure 13.
Figure 13: System vs. Data orientation for energy supplier B 2010
From the data depicted above, it can be concluded that in the 2010 financial audit of
energy supplier B a relatively large part of the Evidence Gathering Activities consists
of Tests of Details. Furthermore, the proportions of system oriented and data oriented
methods seem to be slightly skewed towards the substantive, data oriented side given
the ratio of 42 to 58.
Additional inquiry with managers involved in the performance of the audit in question
resulted in the indication of the following data analysis activities.
• AccountAnalyser was applied in order to perform generic analyses on the
  organization’s general ledger. However, due to errors in the data extraction
  phase the intended analyses could not be performed.
• SQL Server was applied in order to perform a fraud analysis following the ISA
  240 standard (The auditor’s responsibility relating to fraud in an audit of
  financial statements).
• The PwC SAP ACE (Automated Controls Evaluator) tool was applied in order
  to test the segregation of duties.
3.4 The case of energy distributor C
The case under consideration here is the financial audit of energy distributor C from
2010. Energy distributor C is one of the energy distributors active on the Dutch energy
market. An analysis of the energy distributor C audit 2010 archive acquired from Aura
results in the EGA counts for each type as shown in table 5.
| Test type | Number of occurrences | Percentage |
|---|---|---|
| Inquiry | 23 | 1,32% |
| Observation | 146 | 8,36% |
| Inspection | 433 | 24,79% |
| Reperformance | 80 | 4,58% |
| Other controls tests | 171 | 9,79% |
| Substantive Analytics | 88 | 5,04% |
| Tests of Details | 806 | 46,14% |
| Total Tests of Controls | 853 | 48,83% |
| Total Substantive Tests | 894 | 51,17% |
| Total | 1747 | 100,00% |
Table 5: EGA counts for energy distributor C 2010
Following the EGA counts from table 5, the distribution of the types of EGAs can be
depicted in the form of a pie chart as shown in figure 14.
Figure 14: EGA distribution for energy distributor C 2010
Increasing the abstraction level of EGA types to the differentiation between system
oriented and data oriented EGAs results in the pie chart as shown in figure 15.
Figure 15: System vs. Data orientation for energy distributor C 2010
From the data depicted above, it can be concluded that in the 2010 financial audit of
energy distributor C a relatively large part of the Evidence Gathering Activities
consists of Tests of Details. Furthermore, the proportions of system oriented and data
oriented methods seem to be well balanced given the ratio of 49 to 51.
Additional inquiry with managers involved in the performance of the audit in question
resulted in the indication of the following data analysis activities.
• Account Analyser was applied in order to perform generic analyses on the
  organization’s general ledger.
• The PwC SAP ACE (Automated Controls Evaluator) tool was applied in order
  to test the segregation of duties.
3.5 The case of water company D
The case under consideration here is the financial audit of water company D from
2010. Water company D is one of the water supplying companies active on the Dutch
market. An analysis of the water company D audit 2010 archive acquired from Aura
results in the EGA counts for each type as shown in table 6.
| Test type | Number of occurrences | Percentage |
|---|---|---|
| Inquiry | 0 | 0,00% |
| Observation | 22 | 9,21% |
| Inspection | 40 | 16,74% |
| Reperformance | 0 | 0,00% |
| Substantive Analytics | 36 | 15,06% |
| Tests of Details | 141 | 59,00% |
| Total Tests of Controls | 62 | 25,94% |
| Total Substantive Tests | 177 | 74,06% |
| Total | 239 | 100,00% |
Table 6: EGA counts for water company D 2010
Following the EGA counts from table 6, the distribution of the types of EGAs can be
depicted in the form of a pie chart as shown in figure 16.
Figure 16: EGA distribution for water company D 2010
Increasing the abstraction level of EGA types to the differentiation between system
oriented and data oriented EGAs results in the pie chart as shown in figure 17.
Figure 17: System vs. Data orientation for water company D 2010
From the data depicted above, it can be concluded that in the 2010 financial audit of
water company D a very large part of the Evidence Gathering Activities consists of
Tests of Details. Furthermore, the proportions of system oriented and data oriented
methods seem to be quite unbalanced given the ratio of 26 to 74.
Additional inquiry with managers involved in the performance of the audit in question
resulted in the indication of the following data analysis activities.
• Account Analyser was applied in order to perform generic analyses on the
  organization’s general ledger.
3.6 Analytical discussion of cases
When comparing and analyzing the cases described in this chapter, several conclusions
can be drawn. First of all, the assertion made in chapter 2.4.1 implying that the PwC
audit methodology is based on both system oriented and data oriented methods can be
confirmed, as both types of methods were encountered in the audit archives under
consideration. Secondly, in all cases considered, the number of data oriented tests
exceeded the number of system oriented tests, suggesting that the PwC audit
methodology has a tendency towards the execution of Substantive Analytics and Tests
of Details over controls based methods. Quantifying this tendency results in an average
preference of substantive tests over tests of controls of 63,6% within the cases
considered, based on a total number of 5814 executed EGAs. It must be noted that the
numbers included in this analysis only concern numbers of tests performed; the actual
time spent per test activity could not be retrieved from the audit documentation.
Following the descriptions of data analysis methods performed, it can be concluded
that analyses are currently primarily aimed at financial information (general ledger and
journal entries). Other analyses currently performed in practice include procedures
following the ISA 240 fraud analysis standard as well as tests regarding segregation of
duties.
3.7 Summary
This chapter provided a descriptive analysis of four concrete instantiations of the PwC
audit methodology from the energy and utilities market sector illustrating the theory
covered in chapter 2. For each case, several analyses were performed including EGA
counts, EGA distributions and system vs. data orientation. Also, a description of the
data analysis methods and tools applied was provided. The main conclusion that can be
drawn from these analyses is the identification of a bias in the PwC audit
methodology towards the execution of data oriented methods.
4 Recent developments in the field of IT
This chapter covers four recent developments from the field of IT that have a high
potential applicability in the financial auditing practice. In order to identify these four
developments, a literature scan has been conducted which produced a list of
technologies that have been associated with the financial auditing practice in prior
research. The four IT developments that are included in this chapter were indicated as
having the highest interest among the financial and IT audit professionals that were
interviewed in the course of this research: Audit Nets, Process Mining,
Continuous Auditing and XBRL. A description of each technology will be given,
followed by an indication of its applicability to the PwC audit methodology, a short
look at the currently available tooling, and a view of the implications that
implementation is expected to have on the current financial audit practice. The
chapter will be concluded by an analytical discussion, comparison and summary of the
various developments that have been described.
4.1 Audit Nets
The concept of audit nets was first proposed by Philip Elsas in his 1996 PhD
dissertation “Computational Auditing”. Building on the classic petri net theory of Carl
Petri (1962), audit nets provide additional functionality which enables them to be
applied in the context of the financial audit.
Description
Classic petri nets are graphs consisting of places containing tokens, and transitions
transferring tokens between places. Places and transitions are connected by arrows. A
petri net typically represents a specific state of a process, where the location of the
tokens determines the state. When applying this theory to the value cycle (supercycle)
of an organization as described by Starreveld, a petri net can be used to model a
complete value cycle including value depots (e.g. accounts) represented by places, and
transactions (e.g. journal entries) represented by transitions. A limitation of classic
petri nets, however, is the inability to model the so-called value jump, which occurs in
value cycles for commercial organizations and represents the profit margin. In
addition, classic petri nets are limited in their support for mapping actors and
authorizations to transactions, which is an important feature in the context of the
financial audit; this application will be described in more detail in chapter 4.1.2. An
example of a value cycle modeled as a classic petri net is provided in figure 18.
Figure 18: Value cycle modeling using classic petri nets
In order to resolve the issues described above, Elsas introduced the audit net, which
extends the classic petri net by providing support for the concepts of value jump, actor
and authorization. The audit net formalism supports the generation of authorization
matrices from audit nets, providing an overview of which actor is authorized to execute
which transaction. Furthermore, by applying deontic logic, it provides support for
analyzing these matrices on the correct application of segregation of duties as
described by Starreveld.
Applicability
Audit nets can be applied during several steps of the audit procedure. First of all,
during the controls testing step, audit nets can be used to apply automated
authorization scans in order to assess the correctness of the implementation of the
segregation of duties principle as mentioned in the previous section. By applying the
analysis algorithm, a list of exceptions is produced of all possible solo fraud scenarios
under the given authorization levels; this list can then be used to identify the weak
spots in the system of internal controls concerning segregation of duties. During the
execution of substantive analytical procedures, audit nets can assist by analyzing the
reachability of the end state of the audit net (closing balance) given the begin state
(prior year closing balance). The result of this analysis will indicate whether the
amounts in the closing balance are possible given the documented value cycle in the
specified begin state. In addition, audit nets can be employed for reperformance and
simulation purposes. To this end, the audit net is used to find deviations from
normative relations between expected values and documented values, as well as to
verify the financial data with the BETA formula from Starreveld (Begin – Eind
+ Toename – Afname = 0, i.e. opening balance – closing balance + increase –
decrease = 0). These applications are all examples of substantive
analytical procedures supported by audit nets.
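The authorization scan and the BETA check described above can be illustrated on a small value cycle. The following is an added example, not code from the thesis, from Elsas or from PwC tooling, and it is a simplification rather than the audit net formalism itself. The net, the grants, the amounts and the rule that one actor controlling both the inflow and the outflow of a depot counts as a segregation-of-duties exception are all assumptions made for the illustration.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed value cycle: transition -> (depot it empties, depot it fills).
NET = {
    "purchase": ("cash", "inventory"),
    "sale": ("inventory", "debtors"),
    "collect": ("debtors", "cash"),
}

# Constructed authorization grants: (actor, transition).
GRANTS = [
    ("alice", "purchase"),
    ("bob", "sale"), ("bob", "collect"),
    ("carol", "collect"), ("carol", "purchase"),
    ("dave", "sale"),
]

# Constructed firings: (transition, value leaving source, value entering target).
# The two amounts differ only for the sale, which carries the value jump (margin).
FIRINGS = [
    ("purchase", Decimal("400"), Decimal("400")),
    ("sale", Decimal("600"), Decimal("800")),
    ("collect", Decimal("700"), Decimal("700")),
]
BEGIN = {"cash": Decimal("1000"), "inventory": Decimal("500"),
         "debtors": Decimal("200")}
# Documented closing balances; debtors is deliberately off by 50.
END = {"cash": Decimal("1300"), "inventory": Decimal("300"),
       "debtors": Decimal("250")}


def authorization_matrix(grants):
    """Build actor -> set of transitions the actor may execute."""
    matrix = defaultdict(set)
    for actor, transition in grants:
        matrix[actor].add(transition)
    return dict(matrix)


def solo_chains(net, matrix):
    """Return (actor, depot, filling transition, emptying transition) tuples.

    Assumption: one actor controlling both the inflow and the outflow of a
    depot is treated as a segregation-of-duties exception.
    """
    exceptions = []
    for actor in sorted(matrix):
        allowed = sorted(matrix[actor])
        for t_in in allowed:
            for t_out in allowed:
                if t_in != t_out and net[t_in][1] == net[t_out][0]:
                    exceptions.append((actor, net[t_in][1], t_in, t_out))
    return exceptions


def beta_residuals(net, firings, begin, end):
    """Per depot: Begin - End + Increase - Decrease, which must equal 0."""
    increase = defaultdict(Decimal)
    decrease = defaultdict(Decimal)
    for transition, amount_out, amount_in in firings:
        source, target = net[transition]
        decrease[source] += amount_out
        increase[target] += amount_in
    return {
        depot: begin[depot] - end[depot] + increase[depot] - decrease[depot]
        for depot in sorted(begin)
    }


if __name__ == "__main__":
    matrix = authorization_matrix(GRANTS)
    for actor, depot, t_in, t_out in solo_chains(NET, matrix):
        print(f"SoD exception: {actor} may run {t_in} and {t_out} around {depot}")
    for depot, residual in beta_residuals(NET, FIRINGS, BEGIN, END).items():
        status = "ok" if residual == 0 else f"BETA violated by {residual}"
        print(f"{depot}: {status}")
```

A non-zero residual only says that the documented balances and the recorded transactions disagree for that depot; which of the two is wrong still has to be established with tests of details.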
Tooling
As is the case with any conceptual development, its practical usability depends to a
large extent on the availability of tooling that is off the shelf and ready to use. As
audit nets are a relatively new development, there is currently little tooling on offer
that implements the concept, other than scientific proof of concept installations. Due to
this limited availability of tooling, widespread application of the development among
financial auditors is not expected in the short term.
Implications
The implementation of the use of audit nets in the PwC audit methodology is expected
to have multiple implications. An extension of the research model as introduced in
chapter 2.4.6 visualizing an overview of all estimated effects of such implementation is
provided in figure 19. This section is concluded by a further description of the
constructs and effects extending the research model.
Figure 19: Implications of the implementation of audit nets on the PwC audit performance
[Diagram nodes: Audit Nets, Quality, Added value, Costs, PwC Audit Performance]
Extending constructs
• ‘Audit Nets’ represents the implementation of the concept of audit nets, as
  described in chapter 4.1 of this writing, in the PwC audit methodology. It is
  determined by whether audit nets are implemented in the PwC audit
  methodology and is expected to affect ‘Quality’, ‘Costs’ as well as ‘Added
  value’.
Extending effects
• ‘Quality’ is expected to be affected positively by the implementation of audit
  nets as the development supports the achievement of the financial audit
  requirements as described in the Dutch legislation and regulations through the
  introduction of an exhaustive method for the testing of conflicts in the
  segregation of duties.
• ‘Costs’ is expected to be affected both positively and negatively by the
  implementation of audit nets as an initial investment will be required in terms
  of tooling procurement and training, followed by an expected cost reduction
  resulting from reduced time spent on getting an understanding of the business,
  risk assessment, controls testing, and substantive analytical procedures.
• ‘Added value’ is expected to be affected positively by the implementation of
  audit nets as, on top of the expected audit results, additional insight is provided
  into the organizational value cycle, providing the auditee with valuable business
  analytics.
4.2 Process Mining
The concept of process mining was first proposed by Wil van der Aalst and is covered
in the 2011 publication “Process Mining: Discovery, Conformance and Enhancement
of Business Processes”. As a variation on classic data mining, process mining focuses
specifically on the mining of business process models from information system event
logs.
Description
Event logs contain detailed information on all transactions that are executed within an
information system. As mentioned in the introduction, process mining uses data from
event logs of business information systems such as Enterprise Resource Planning
(ERP), Supply Chain Management (SCM) and Workflow Management Systems
(WMS) in order to reconstruct the underlying process model in the form of a petri net.
This concept is depicted in figure 20. The constructed process model subsequently
provides a view of the run-time functioning of the process, in contrast to the
design-time process model, and therefore provides a better understanding of the actual
functioning of the business process in question. A comparison of the design-time
model with the run-time model can point out anomalies in the execution of the
business process as well as violations of controls; this procedure is called conformance
checking. Finally, performance analyses can be applied to the generated model by
analyzing the time consumption of each step in the business process and consequently
identifying bottlenecks. In order to be able to mine the event logs of an information
system, they must comply with some criteria. More specifically, an identification of the
actor and the date and time of the transaction must be included. In addition, some
preparation may be required in order to merge data from different sources into one
location containing the complete event log.
Figure 20: The concept of process mining
Applicability
Process mining can be applied during various stages of the financial audit. Identified
possibilities of application include the following. During the ‘Understand the Business,
Assess Risk and Determine Audit Strategy’ phase, process mining can assist in getting
a good understanding of the systems and processes of the auditee’s organization by
analyzing the event logs and generating a process model. This way, auditors are able to
get a good understanding of the business faster and assess the relevant risks more
efficiently. Subsequently, during the execution of evidence gathering activities, the
effectiveness of the internal controls can be assessed by performing a conformance
check comparing the generated “IST” process model with the normative “SOLL”
process model and thereby verifying the functioning of the controls that are in place. In
addition to these applications, the performance analysis functionality made possible by
process mining can add value to the financial audit by suggesting performance
improvements to the auditee’s business processes.
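The event log criteria from the description and the IST versus SOLL conformance check can be shown on a small purchase-to-pay log. This is an added example, not code from the thesis or from any process mining product. It represents the mined model as a directly-follows relation instead of a petri net, and the log records, activity names and SOLL model are constructed for the illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed purchase-to-pay event log: (case id, activity, actor, timestamp).
EVENT_LOG = [
    ("PO-1", "create_po", "u01", "2010-03-01T09:00:00"),
    ("PO-1", "approve_po", "u02", "2010-03-01T11:30:00"),
    ("PO-1", "receive_goods", "u03", "2010-03-04T08:15:00"),
    ("PO-1", "receive_invoice", "u04", "2010-03-05T10:00:00"),
    ("PO-1", "pay_invoice", "u05", "2010-03-20T14:00:00"),
    # PO-2 is listed out of order and never passes approval.
    ("PO-2", "pay_invoice", "u05", "2010-03-22T14:00:00"),
    ("PO-2", "create_po", "u01", "2010-03-02T09:00:00"),
    ("PO-2", "receive_goods", "u03", "2010-03-06T08:15:00"),
    ("PO-2", "receive_invoice", "u04", "2010-03-08T10:00:00"),
    # PO-3 is paid without a goods receipt.
    ("PO-3", "create_po", "u01", "2010-03-03T09:00:00"),
    ("PO-3", "approve_po", "u02", "2010-03-03T12:00:00"),
    ("PO-3", "receive_invoice", "u04", "2010-03-10T10:00:00"),
    ("PO-3", "pay_invoice", "u05", "2010-03-25T14:00:00"),
    # Unusable record: no actor, so it fails the mining criteria.
    ("PO-4", "create_po", "", "2010-03-09T09:00:00"),
]

# Normative (SOLL) model as the set of allowed directly-follows steps.
STEPS = ["START", "create_po", "approve_po", "receive_goods",
         "receive_invoice", "pay_invoice", "END"]
SOLL = set(zip(STEPS, STEPS[1:]))


def usable(log):
    """Split the log into minable events and records lacking actor or time."""
    good, rejected = [], []
    for case, activity, actor, stamp in log:
        try:
            when = datetime.fromisoformat(stamp)
        except (TypeError, ValueError):
            when = None
        if actor and when:
            good.append((case, activity, actor, when))
        else:
            rejected.append((case, activity, actor, stamp))
    return good, rejected


def traces(events):
    """Order each case by timestamp and wrap it in START/END markers."""
    by_case = defaultdict(list)
    for case, activity, _actor, when in events:
        by_case[case].append((when, activity))
    return {case: ["START"] + [a for _, a in sorted(steps)] + ["END"]
            for case, steps in sorted(by_case.items())}


def directly_follows(case_traces):
    """Observed (IST) model: how often activity b directly follows activity a."""
    relation = Counter()
    for trace in case_traces.values():
        relation.update(zip(trace, trace[1:]))
    return relation


def conformance(case_traces, soll):
    """Per deviating case, the observed steps that the SOLL model does not allow."""
    deviations = {}
    for case, trace in case_traces.items():
        bad = [step for step in zip(trace, trace[1:]) if step not in soll]
        if bad:
            deviations[case] = bad
    return deviations


if __name__ == "__main__":
    events, rejected = usable(EVENT_LOG)
    print("rejected records:", rejected)
    for case, bad in conformance(traces(events), SOLL).items():
        print(case, "deviates:", bad)
```

Rejected records are reported rather than silently dropped, because an incomplete log can hide exactly the cases a conformance check is meant to surface.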
Tooling
Process mining is a broad development that has been applied in a wide area of practice
for several years. Because of this, over the last years the technology has increased in
popularity and found its way to a variety of software packages. The tooling in question
however is generic in nature and possibly does not support all the features making the
technology interesting for the financial auditing practice as described above. For this
reason it is expected that in time, when process mining technology is implemented in
specialized financial auditing tooling, the development will be utilized by the financial
auditing practice on a broad scale.
Implications
The implementation of the use of process mining in the PwC audit methodology is
expected to have multiple implications. An extension of the research model as
introduced in chapter 2.4.6 visualizing an overview of all estimated effects of such
implementation is provided in figure 21. This section is concluded by a further
description of the constructs and effects extending the research model.
Figure 21: Implications of the implementation of process mining on the PwC audit performance
[Diagram nodes: Process Mining, Quality, Added value, Costs, PwC Audit Performance]
Extending constructs
• ‘Process Mining’ represents the implementation of the concept of process
  mining, as described in chapter 4.2 of this writing, in the PwC audit
  methodology. It is determined by whether process mining is
  implemented in the PwC audit methodology and is expected to affect ‘Quality’,
  ‘Costs’ as well as ‘Added value’.
Extending effects
• ‘Quality’ is expected to be affected positively by the implementation of process
  mining as the development supports the achievement of the financial audit
  requirements as described in the Dutch legislation and regulations through
  facilitating a better understanding of the auditee’s systems and processes,
  resulting in a better risk assessment, and through providing new persuasive audit
  evidence resulting from conformance checking.
• ‘Costs’ is expected to be affected both positively and negatively by the
  implementation of process mining as an initial investment will be required in
  terms of tooling procurement and training, followed by an expected cost
  reduction resulting from reduced time spent on getting an understanding of the
  business, risk assessment, and controls testing.
• ‘Added value’ is expected to be affected positively by the implementation of
  process mining as, on top of the expected audit results, additional insight is
  provided into the auditee’s systems and processes as well as their performance.
4.3 Continuous Auditing
The concept of continuous auditing is one that has been in existence in literature for
over 2 decades. Rather than providing assurance on financial statements once every
period as traditional auditing methodology prescribes, continuous auditing promises to
deliver an increased level of assurance by executing evidence gathering activities at a
higher frequency while reducing audit costs at the same time.
Description
Continuous auditing was first documented in the case study of AT&T Bell
Laboratories in 1989 by Vasarhelyi and Halper. The authors propose a “Continuous
Process Auditing System” (CPAS) providing measurement, monitoring and analysis of
AT&T’s billing information. The system specified in this case further introduced the
concepts of metrics, analytics and alarms in relation to financial information. While the
case referenced here forms the foundation for the concept of continuous auditing, over
time additions were made by various authors. An important amendment is the
specification of the conceptual model for continuous auditing, monitoring and
assurance as depicted in figure 22 by The Institute of Internal Auditors (IIA) in its
Global Technology Audit Guide 3 (GTAG 3). This model specifies the relationship
between the concepts of continuous auditing (CA) and continuous monitoring (CM),
who is responsible for them and how they can contribute to reaching continuous
assurance. From a technological perspective, the concepts of CA and CM are identical:
both rely on the correct implementation of processes for continuous controls
monitoring and continuous data assurance. Continuous controls monitoring is achieved
by specifying a set of business rules following from the system of internal control and
subsequently checking for every individual transaction whether it complies with this
set; exceptions are handled based on their nature and materiality. Continuous data
assurance is achieved by recording all transaction data and periodically analyzing it
using BI techniques, looking for cases where combinations of transactions violate the
system of internal control. Prerequisites for a successful implementation of these
processes include well specified business processes, near time registration of
transactions, usage of ERP systems, data warehouses and available computing capacity.
Figure 22: Conceptual model for continuous auditing, monitoring and assurance
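The two processes named in the description, continuous controls monitoring per transaction and continuous data assurance over combinations of transactions, can be sketched as follows. This is an added example, not code from the thesis, from GTAG 3 or from any CA/CM product. The business rules, the approval limit, the materiality threshold, the vendor list and the transactions are all assumptions constructed for the illustration.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Assumed business rules and thresholds (not taken from the thesis).
APPROVAL_LIMIT = Decimal("5000")   # payments from this amount need an approver
MATERIALITY = Decimal("10000")     # exceptions from this amount are escalated
KNOWN_VENDORS = {"V1", "V2", "V3"}


def tx(tx_id, day, creator, approver, vendor, amount):
    """Build one constructed payment transaction dated in May 2010."""
    return {"id": tx_id, "date": date(2010, 5, day), "creator": creator,
            "approver": approver, "vendor": vendor, "amount": Decimal(amount)}


# Constructed payment transactions.
TRANSACTIONS = [
    tx("T1", 3, "u01", None, "V1", "1200"),
    tx("T2", 3, "u01", "u02", "V1", "7500"),
    tx("T3", 3, "u03", None, "V2", "12000"),   # unapproved and material
    tx("T4", 4, "u04", "u04", "V2", "6000"),   # approved by its creator
    tx("T5", 4, "u05", None, "V3", "3000"),    # T5 + T6: split below the limit
    tx("T6", 4, "u05", None, "V3", "2500"),
    tx("T7", 5, "u01", None, "V9", "900"),     # vendor not in master data
]


def missing_approval(t):
    return t["amount"] >= APPROVAL_LIMIT and not t["approver"]


def self_approval(t):
    return t["approver"] is not None and t["approver"] == t["creator"]


def unknown_vendor(t):
    return t["vendor"] not in KNOWN_VENDORS


RULES = [missing_approval, self_approval, unknown_vendor]


def monitor(transactions, rules=RULES):
    """Continuous controls monitoring: test every transaction against every rule.

    The handling of an exception depends on its materiality.
    """
    exceptions = []
    for t in transactions:
        for rule in rules:
            if rule(t):
                handling = "escalate" if t["amount"] >= MATERIALITY else "review"
                exceptions.append((t["id"], rule.__name__, handling))
    return exceptions


def split_payments(transactions, limit=APPROVAL_LIMIT):
    """Continuous data assurance: unapproved payments by one creator to one
    vendor on one day that stay below the limit individually but not in total."""
    groups = defaultdict(list)
    for t in transactions:
        if t["amount"] < limit and not t["approver"]:
            groups[(t["creator"], t["vendor"], t["date"])].append(t)
    findings = []
    for (creator, vendor, day), items in sorted(groups.items()):
        total = sum(t["amount"] for t in items)
        if len(items) > 1 and total >= limit:
            findings.append((creator, vendor, day, [t["id"] for t in items], total))
    return findings


if __name__ == "__main__":
    for exception in monitor(TRANSACTIONS):
        print("rule exception:", exception)
    for finding in split_payments(TRANSACTIONS):
        print("combination finding:", finding)
```

T5 and T6 pass every per-transaction rule, which is why the periodic combination analysis is needed alongside the rule checks.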
Applicability
The applicability of continuous auditing to the PwC audit methodology is highly
dependent on the auditee’s systems and processes. As noted in the description above,
the prerequisites for continuous auditing place a high demand on the auditee. In cases
where requirements are met, CA can be implemented following the model depicted in
figure 22, where the role of PwC is auditing the auditee’s CM process as well as
auditing its business systems and processes directly in case the CM process does not
provide the required level of audit comfort. This way of working effectively adds a
third layer of audit evidence to the PwC audit methodology, where the financial audit
will primarily focus on the auditee’s CM process with the possibility of falling back
on traditional controls based / system oriented and ultimately substantive / data
oriented audit methods. Advantages to be gained from this new audit approach include
an increased level of assurance through more timely and effective detection of business
risks as they occur, as well as added value to the client through a better control position
regarding their governance, risk and compliance (GRC).
Tooling
As the CM process for every organization is likely to be different, a single off the shelf
tooling product to support them seems not to be a viable solution. However, any
tooling supporting financial audit automation can be seen as an aid towards the
continuous assurance concept. In this light, basic tooling supporting CA/CM is
currently readily available and will advance over time towards a more comprehensive
solution. It is likely however that CA/CM tooling will remain a matter of selection and
customization of components in contrast to implementing a single off the shelf solution
for the time being.
Implications
The implementation of the use of continuous auditing in the PwC audit methodology is
expected to have multiple implications. An extension of the research model as
introduced in chapter 2.4.6 visualizing an overview of all estimated effects of such
implementation is provided in figure 23. This section is concluded by a further
description of the constructs and effects extending the research model.
Figure 23: Implications of the implementation of continuous auditing on the PwC audit performance
[Diagram nodes: Continuous Auditing, Quality, Added value, Costs, PwC Audit Performance]
Extending constructs
• ‘Continuous Auditing’ represents the implementation of the concept of
  continuous auditing, as described in chapter 4.3 of this writing, in the PwC
  audit methodology. It is determined by whether continuous auditing is
  implemented in the PwC audit methodology and is expected to affect ‘Quality’,
  ‘Costs’ as well as ‘Added value’.
Extending effects
• ‘Quality’ is expected to be affected positively by the implementation of
  continuous auditing as the development supports the achievement of the
  financial audit requirements as described in the Dutch legislation and
  regulations through adding a third layer of audit evidence resulting in more
  timely and effective detection, prevention, and correction of business risks.
• ‘Costs’ is expected to be affected both positively and negatively by the
  implementation of continuous auditing as an initial investment will be required
  in terms of tooling procurement, system implementation and training, followed
  by an expected cost reduction resulting from reduced time spent on controls
  testing and substantive analytical procedures, which are largely replaced by the
  audit testing of the CM process.
• ‘Added value’ is expected to be affected positively by the implementation of
  continuous auditing as, on top of the expected audit results, additional insight is
  provided regarding the organization’s governance, risk and compliance (GRC)
  control position.
4.4 XBRL
The eXtensible Business Reporting Language (XBRL) is a standard for storing,
exchanging and reporting business information following a standardized format. The
standard is based on the Extensible Markup Language (XML) and was conceived in
1998 by the XBRL International Consortium. Where XML was designed to be used
with generic data, XBRL is especially suitable for the formatting of business
information through the use of specialized taxonomies.
Description
The main aim of XBRL is to provide an open standard for standardizing the formatting
of business information on both the syntactic and semantic level. On the syntactic
level, standardization is achieved by utilizing the open XML standard, which allows
data to be tagged, resulting in an instance document containing both the data and their
definitions. On the semantic level, XBRL standardizes the data definitions by
providing support for so called taxonomies which define all possible data elements
within corresponding XBRL instance documents. Elements contained in XBRL
taxonomies are defined by dimensions such as description, calculation, presentation,
data type and the relations to other elements. Relevant taxonomies to the field of
financial auditing include those describing the IFRS and US GAAP standards as well
as the Standard Business Reporting (SBR) taxonomy which is being developed by the
Dutch government. SBR aims to provide a standardized format for the communication
and reporting of business information between firms and governmental bodies in The
Netherlands which is expected to result in a substantive reduction of effort required on
both sides. Ultimately, it is the combination of XBRL and SBR that is expected to have
the greatest impact on the Dutch financial auditing practice. An example of data stored
in XBRL format is provided in figure 24.
Figure 24: Example of data stored in XBRL format
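How tagged data, contexts and taxonomy relations fit together in an instance document can be shown by reading one and checking it. This is an added example, not the data from figure 24 and not code from the thesis. The instance document, the `ex` taxonomy namespace, the entity identifier and the amounts are constructed, and the `CALCULATION` table is a stand-in for the calculation relations a real taxonomy defines. Only instant periods are handled.

```python
import xml.etree.ElementTree as ET
from decimal import Decimal

NS = {"xbrli": "http://www.xbrl.org/2003/instance"}

# Constructed instance document; the "ex" taxonomy is hypothetical.
INSTANCE = """
<xbrli:xbrl xmlns:xbrli="http://www.xbrl.org/2003/instance"
            xmlns:iso4217="http://www.xbrl.org/2003/iso4217"
            xmlns:ex="http://example.com/taxonomy">
  <xbrli:context id="FY2010">
    <xbrli:entity>
      <xbrli:identifier scheme="http://example.com/ids">12345678</xbrli:identifier>
    </xbrli:entity>
    <xbrli:period><xbrli:instant>2010-12-31</xbrli:instant></xbrli:period>
  </xbrli:context>
  <xbrli:context id="FY2009">
    <xbrli:entity>
      <xbrli:identifier scheme="http://example.com/ids">12345678</xbrli:identifier>
    </xbrli:entity>
    <xbrli:period><xbrli:instant>2009-12-31</xbrli:instant></xbrli:period>
  </xbrli:context>
  <xbrli:unit id="EUR"><xbrli:measure>iso4217:EUR</xbrli:measure></xbrli:unit>
  <ex:Assets contextRef="FY2010" unitRef="EUR" decimals="0">1500000</ex:Assets>
  <ex:Liabilities contextRef="FY2010" unitRef="EUR" decimals="0">900000</ex:Liabilities>
  <ex:Equity contextRef="FY2010" unitRef="EUR" decimals="0">600000</ex:Equity>
  <ex:Assets contextRef="FY2009" unitRef="EUR" decimals="0">1400000</ex:Assets>
  <ex:Liabilities contextRef="FY2009" unitRef="EUR" decimals="0">850000</ex:Liabilities>
  <ex:Equity contextRef="FY2009" unitRef="EUR" decimals="0">500000</ex:Equity>
</xbrli:xbrl>
""".strip()

# Stand-in for taxonomy calculation relations: parent -> [(child, weight)].
CALCULATION = {"Assets": [("Liabilities", 1), ("Equity", 1)]}

# Constructed figures keyed from the audited financial statement report.
REPORTED = {("Equity", "FY2010"): Decimal("600000"),
            ("Liabilities", "FY2010"): Decimal("905000")}


def parse_instance(text):
    """Return (contexts, facts) from an instance document.

    Uses the standard-library parser; documents from untrusted sources
    should go through a hardened XML parser instead.
    """
    root = ET.fromstring(text)
    contexts = {}
    for ctx in root.findall("xbrli:context", NS):
        ident = ctx.find("xbrli:entity/xbrli:identifier", NS)
        instant = ctx.find("xbrli:period/xbrli:instant", NS)
        contexts[ctx.get("id")] = (ident.text.strip(), instant.text.strip())
    facts = {}
    for element in root:
        ctx_ref = element.get("contextRef")
        if ctx_ref is None:
            continue  # contexts, units and other non-fact elements
        if ctx_ref not in contexts:
            raise ValueError(f"fact refers to undefined context {ctx_ref!r}")
        name = element.tag.rpartition("}")[2]
        facts[(name, ctx_ref)] = {"value": Decimal(element.text.strip()),
                                  "unit": element.get("unitRef")}
    return contexts, facts


def calculation_errors(facts, calculation):
    """Facts whose value differs from the weighted sum of their children."""
    errors = []
    for (name, ctx), fact in sorted(facts.items()):
        if name not in calculation:
            continue
        total = sum(weight * facts[(child, ctx)]["value"]
                    for child, weight in calculation[name]
                    if (child, ctx) in facts)
        if total != fact["value"]:
            errors.append((name, ctx, fact["value"], total))
    return errors


def report_mismatches(facts, reported):
    """Tagged values that differ from, or are missing for, reported figures."""
    result = []
    for key in sorted(reported):
        tagged = facts[key]["value"] if key in facts else None
        if tagged != reported[key]:
            result.append((key[0], key[1], tagged, reported[key]))
    return result
```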
Applicability
When looking at the XBRL and SBR developments in the context of the financial
auditing practice, several applications can be distinguished. First of all, as XBRL and
SBR facilitate the standardization of business information, they can be utilized during
the financial audit process in places where substantive data analysis procedures are
executed. In these cases, data aggregation and conversion efforts can be minimized by
utilizing the XBRL and SBR standards for data storage and exchange; while in the
current practice up to 50% of the time spent on data analysis is used for data
conversion, the effect of the introduction of XBRL in conjunction with the SBR
taxonomy is expected to be significant. A related application of XBRL to the financial
auditing practice is the concept of financial statement reporting by means of digital
XBRL instance documents. In this scenario, in addition to the regular audit of financial
statements, the contents of the XBRL instance document are verified by matching them
with the contents of the financial statement report and subsequently a separate auditor's
opinion is stated on the digital object. Digital reporting can be seen as a first step
towards the concept of continuous reporting where financial statement information is
published in XBRL format on a continuous basis with improved information symmetry
on the capital market being the ultimate goal. Much like continuous auditing, XBRL
puts a high demand on the auditee’s organization. Information system prerequisites for
a successful implementation of XBRL in the auditee’s systems and processes include a
mature environment for both organizational internal controls and IT general controls as
well as the availability of reliable data stored in an unambiguous format. Once these
prerequisites are met, the implementation of XBRL is expected to be a straightforward
exercise as it concerns a non-proprietary, open and well-documented standard.
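The matching step described above (verifying the contents of an XBRL instance document against the financial statement report), as an added example that is not part of the thesis or of any PwC tooling. It parses a constructed instance, reconciles the tagged facts with constructed statement figures and checks one calculation relation of the kind a taxonomy defines; the `ex` namespace, the concept names, the identifier and all amounts are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from decimal import Decimal

XBRLI = "http://www.xbrl.org/2003/instance"  # XBRL 2.1 instance namespace

# Constructed sample. The "ex" namespace and concept names are hypothetical
# stand-ins for elements a real taxonomy (IFRS, US GAAP, SBR) would define.
SAMPLE_INSTANCE = """
<xbrli:xbrl xmlns:xbrli="http://www.xbrl.org/2003/instance"
            xmlns:iso4217="http://www.xbrl.org/2003/iso4217"
            xmlns:ex="http://example.com/taxonomy">
  <xbrli:context id="FY2011">
    <xbrli:entity><xbrli:identifier scheme="http://example.com/id">12345678</xbrli:identifier></xbrli:entity>
    <xbrli:period><xbrli:startDate>2011-01-01</xbrli:startDate><xbrli:endDate>2011-12-31</xbrli:endDate></xbrli:period>
  </xbrli:context>
  <xbrli:unit id="EUR"><xbrli:measure>iso4217:EUR</xbrli:measure></xbrli:unit>
  <ex:Revenue contextRef="FY2011" unitRef="EUR" decimals="0">1250000</ex:Revenue>
  <ex:CostOfSales contextRef="FY2011" unitRef="EUR" decimals="0">830000</ex:CostOfSales>
  <ex:GrossProfit contextRef="FY2011" unitRef="EUR" decimals="0">420000</ex:GrossProfit>
</xbrli:xbrl>
"""

# Constructed figures, keyed the same way, as taken from the statement report.
STATEMENT = {
    ("Revenue", "FY2011", "iso4217:EUR"): Decimal("1250000"),
    ("CostOfSales", "FY2011", "iso4217:EUR"): Decimal("830000"),
    ("GrossProfit", "FY2011", "iso4217:EUR"): Decimal("425000"),
    ("OperatingExpenses", "FY2011", "iso4217:EUR"): Decimal("300000"),
}

def read_facts(instance_xml):
    """Return {(concept, contextRef, unit measure): Decimal} for numeric facts."""
    root = ET.fromstring(instance_xml)
    units = {u.get("id"): u.findtext(f"{{{XBRLI}}}measure")
             for u in root.iter(f"{{{XBRLI}}}unit")}
    facts = {}
    for el in root:
        # Skip contexts and units, and non-numeric items (no unitRef).
        if el.tag.startswith("{" + XBRLI + "}") or el.get("unitRef") is None:
            continue
        concept = el.tag.split("}", 1)[1]
        key = (concept, el.get("contextRef"), units.get(el.get("unitRef")))
        if key in facts:
            raise ValueError(f"duplicate fact {key}")
        facts[key] = Decimal(el.text.strip())
    return facts

def reconcile(facts, statement):
    """Match tagged facts with statement figures; return (concept, finding) pairs."""
    findings = []
    for key in sorted(set(facts) | set(statement), key=str):
        tagged, reported = facts.get(key), statement.get(key)
        if tagged is None:
            findings.append((key[0], "missing in XBRL instance"))
        elif reported is None:
            findings.append((key[0], "not in financial statement"))
        elif tagged != reported:
            findings.append((key[0], f"value differs: {tagged} vs {reported}"))
    return findings

def check_calculation(facts, total, parts, context, unit):
    """True if total equals the weighted sum of its parts (calculation relation)."""
    expected = sum(w * facts[(name, context, unit)] for name, w in parts)
    return facts[(total, context, unit)] == expected
```

Comparing on the full key of concept, context and unit, rather than on the concept name alone, keeps a figure for another period or currency from being accepted as a match.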
Tooling
Since XBRL is in use at many organizations today, tooling supporting the standard is
readily available. The challenge for organizations will be to adapt their legacy systems
and processes to support this new standard. In order to reach this compatibility, both
technical and semantic support must be achieved. As most information systems
consist of licensed technology, technical compatibility of legacy systems will largely
rely on support from the information systems supplier concerned. Semantic support
is mainly a matter of standardizing and documenting business data and mapping it to
the appropriate taxonomy, which effectively comes down to a one-time investment for
the auditee.
Implications
The implementation of the use of XBRL in the PwC audit methodology is expected to
have multiple implications. An extension of the research model as introduced in
chapter 2.4.6 visualizing an overview of all estimated effects of such implementation is
provided in figure 25. This section is concluded by a further description of the
constructs and effects extending the research model.
[Figure 25 diagram; recoverable labels: XBRL, Quality, Added value, Costs, PwC Audit Performance; effect signs: +, -, +/-]
Figure 25: Implications of the implementation of XBRL on the PwC audit performance
Extending constructs
- ‘XBRL’ represents the implementation of the concept of XBRL, as described in
  chapter 4.4 of this writing, in the PwC audit methodology. It is determined by
  whether XBRL is implemented in the PwC audit methodology and is
  expected to affect ‘Quality’, ‘Costs’ as well as ‘Added value’.
Extending effects
- ‘Quality’ is expected to be affected positively by the implementation of XBRL
  as the development supports the achievement of the financial audit
  requirements as described in the Dutch legislation and regulations through
  supporting the standardization and exchange of data resulting in the
  applicability of new substantive analytical procedures.
- ‘Costs’ is expected to be affected both positively and negatively by the
  implementation of XBRL as an initial investment will be required in terms of
  tooling procurement, system implementation and training, followed by an
  expected cost reduction resulting from reduced time spent on data conversion
  and substantive analytical procedures.
- ‘Added value’ is expected to be affected positively by the implementation of
  XBRL as, on top of the expected audit results, organizational maturity with
  regard to data standardization is improved and additional insight is provided
  through comparing business information with industry and regional
  performance indicators and metrics enabled by XBRL data standardization.
4.5 Analytical discussion of IT developments
Having described four aspects (including the description, applicability, tooling and
implications) of four developments from the field of IT (including audit nets, process
mining, continuous auditing and XBRL), this section will continue with the analysis
and comparison of these developments based on the findings noted thus far. The focus
of these analyses will be on the applicability to the PwC audit methodology, the
feasibility of implementation in the current audit practice and the identification of the
parties responsible for the implementation.
Applicability
The aim of this analysis is to specify the applicability of the IT developments as
described in this chapter to the PwC audit methodology by defining the areas of the
audit process at which the applicability of these developments is expected to be the
greatest. This aim is realized by repeating table 2 from chapter 2.4.4 where the use of
CAATs in the current methodology was mapped to the various areas of application in
the PwC audit methodology and repeating the exercise for the IT developments as
described in this chapter. Following from the results of this analysis it is proposed here
that the IT developments should be implemented at the corresponding areas of
application as described in table 7.
| Development | Area of application | | | | | |
|---|---|---|---|---|---|---|
| | Understand the Business, Assess Risk and Determine Audit Strategy | | Respond to Risk and Gather Evidence | | | |
| | Understand the Business including its Internal Control | Risk Assessment Analytics | *Audit testing of CM | Perform Tests of Controls | Perform Substantive Analytical Procedures | Perform Tests of Detail |
| Audit Nets | Audit net analysis will provide a better understanding of the business. | Audit net analysis will aid in determining high and low risk areas of the business. | - | Audit net analysis will aid in the testing for segregation of duties. | - | - |
| Process Mining | Analyzing a mined process model will provide a better understanding of the business. | Analyzing a mined process model will aid in determining high and low risk areas of the business. | - | Comparing a mined process model with the process design will aid in analyzing the operational effectiveness of controls. | - | - |
| Continuous Auditing | - | - | Part of the CA approach is to test the CM effort of the auditee. | Testing controls on a continuous basis will increase their reliability. | Performing substantive analytical procedures on a continuous basis will increase their reliability. | Performing tests of detail on a continuous basis will increase their reliability. |
| XBRL | - | - | - | - | The use of XBRL will facilitate the comparison of financial and business data using benchmarking. | The use of XBRL will facilitate the ETL phase of analyzing the data. |
Table 7: Mapping of IT developments to areas of application in the PwC audit methodology
* The “Audit testing of CM” step is included as an additional phase in the audit
methodology in order to facilitate the aspect of Continuous Auditing where the audit
testing of continuous monitoring is executed. As this evidence gathering activity is
suggested to be executed prior to the “Perform Tests of Controls” step, it is defined as
an additional step in the audit methodology; the timing of this step is further specified
in figure 26.
Figure 26: Place of the ‘Audit testing of CM’ step in the PwC audit methodology
Feasibility
Following the determination of the applicability, the aim of this analysis is to define
the feasibility of the implementation of the IT developments as described in this
chapter to the PwC audit practice. In the case under consideration, feasibility is
primarily determined by the business case for implementation of the development in
question, i.e. the consideration of the costs versus the benefits. While not quantified in
this research, the expected increase of quality, reduction of costs as well as increase of
added value following from the extensions to the research model as proposed in
chapter 2.4.6 all add to the business cases for implementation of the corresponding
developments. As this is the case for all four developments covered, it is proposed here
that all four business cases are expected to be positive and that consequently the
implementation of all four developments is feasible.
Responsibility
Having determined the areas of applicability and the feasibility of the IT developments
described in this chapter, the aim of this final analysis is to identify the parties that are
responsible for the ultimate decision whether to implement these developments. To this
end, two parties are considered including both the Auditor and the Auditee. On the one
hand implementation is suggested on the side of the Auditor where improvements are
expected to add functionality to their existing set of methods and tools as discussed in
chapter 2.4. On the other hand implementation is suggested on the side of the Auditee
where functionality is added to their existing systems and processes.
Employing this distinction to the developments as covered in this chapter, it is
suggested that audit nets and process mining are to be classified as developments
requiring investments on the side of the Auditor while continuous auditing and XBRL
are to be classified as developments that are dependent on investments in the systems
and processes of the Auditee. Following this suggested distinction in investment
requirements, it is proposed here that implementation of audit nets and process mining
in the audit methodology is the responsibility of the Auditor while the implementation
of continuous auditing and XBRL is the responsibility of the Auditee.
Conclusion
Following from the analyses presented in this section, it is concluded here that in order
to meet the target of improving the PwC audit performance, the following actions are
suggested.
1. The Auditor should be persuaded to implement audit nets and process mining
technology in their audit methodology at the places as indicated in table 7.
2. The Auditee should be persuaded to implement continuous auditing and XBRL
in their systems and processes.
4.6 Summary
Four recent developments from the field of IT including audit nets, process mining,
continuous auditing and XBRL were described and analyzed on their applicability to
the PwC audit methodology. Conclusions that can be made based on the findings from
this chapter include the indication that all described developments are expected to
positively affect the PwC audit performance. In addition, possibilities regarding the
area of application in the PwC audit methodology have been identified for each
development, resulting in a tabulated overview summarizing the combinations of
developments and applicable places. Finally, a distinction was made between
developments to be implemented on the auditor side and developments to be
implemented on the auditee side, resulting in a clear view of which technology should
be adopted by which party.
5 Future directions for the financial auditing practice
Having described the current state of the financial auditing practice, the ways in which
the application of new developments from the field of IT can improve the methodology
currently in use and the implications the implementation of these developments is
expected to have on the current financial auditing practice, the aim of this chapter is to
provide an answer to the final research question which concerns the future directions
for the financial auditing practice. Based on the results from chapters 2 - 4, trends and
themes defining the future of the financial auditing practice are identified and a
technology roadmap guiding future audit methodology improvements is proposed.
5.1 Identifying trends and themes defining the future of the financial auditing
practice
Following the findings from the previous chapters, some significant trends in the
evolution of the financial auditing practice can be deduced. Resulting from an
increased need for efficiency in the audit execution associated with an increase in
competition in the financial audit market, the following developments in the employed
audit methodology are distinguished.
- A transition from an emphasis on system oriented methods to a balanced mix of
  system oriented methods and data oriented methods.
- An increased use of data analysis methods.
- An increased use of computer assisted audit techniques.
While further identifying themes that are expected to play an important role in the
future development of the financial auditing practice, the following statements are
proposed here.
- In the short term, Data Analysis is expected to play an important role in the
  development of the financial auditing practice.
- In the long term, Continuous Auditing is expected to play an increasingly
  important role in the development of the financial auditing practice.
5.2 Proposing a Technology Roadmap guiding future audit methodology
improvements
In order to guide future audit methodology improvements, a technology roadmap is
proposed here that aims to provide a single view of the suggested timing of, and the
expected gain in audit performance resulting from, the implementation of the various
developments covered in this study. As noted in the previous section, the short term
goal for improving the financial audit performance concerns the further development
and implementation of data analysis methods in the audit methodology where the
ultimate long term goal concerns the full implementation of continuous auditing. These
propositions are reflected by the technology roadmap, which is included in figure 27.
Figure 27: PwC audit Technology Roadmap
5.3 Summary
This chapter provided a view at the future of the financial auditing practice through the
identification of several trends and the proposition of several themes that are expected
to play an important role in its future development and furthermore proposing a
technology roadmap guiding future audit methodology improvements.
[Figure 27 content: axis labels "PwC audit performance", "Present" and "Future"; developments shown: Data Analysis, Process Mining, Audit Nets, XBRL, Continuous Auditing]
6 Conclusions and recommendations
An elaborate analysis of the current state of the financial auditing practice was
provided resulting in an indication of its limitations and the possibilities for
improvement. Four case studies were described illustrating the current financial audit
methodology in practice. Four developments from the field of IT including audit nets,
process mining, continuous auditing and XBRL were described and analyzed on their
applicability to the current financial audit methodology. Based on these analyses a
view at the future of the financial auditing practice was proposed through the
identification of several trends and the proposition of several themes that are expected
to play an important role in its future development and furthermore proposing a
technology roadmap guiding future audit methodology improvements.
Following these findings, it can be concluded that the performance of the financial
audit methodology currently applied in practice still has room for improvement and
that this improvement is suggested to be obtained through the implementation of
developments from the field of IT. In the short term, improvements are expected from
the further development and implementation of data analysis methods, whereas in the
long term continuous auditing is expected to provide the greatest increase in
performance.
Concluding this report, several recommendations can be made. In order for the
financial audit practice to obtain its goals of improving the performance of their
financial audit methodology, practitioners are encouraged to follow the improvements
suggested in this study. Further empirical research is recommended to be conducted
regarding the operational effectiveness of the financial audit methodology
improvements proposed here.