The content on this page has been converted from PDF to HTML format using an artificial intelligence (AI) tool as part of our ongoing efforts to improve accessibility and usability of our publications. Note:
- No human verification has been conducted of the converted content.
- While we strive for accuracy errors or omissions may exist.
- This content is provided for informational purposes only and should not be relied upon as a definitive or authoritative source.
- For the official and verified version of the publication, refer to the original PDF document.
If you identify any inaccuracies or have concerns about the content, please contact us at [email protected].
FRC response to the IAASB's consultation on Exploring the Growing Use of Technology in the Audit, wi
Financial Reporting Council
Prof Arnold Schilder Chairman International Auditing and Assurance Standards Board 529 Fifth Avenue New York 10017 USA
30 January 2017
Dear Professor Schilder,
Exploring the Growing Use of Technology in the Audit, with a Focus on Data Analytics
The Financial Reporting Council (FRC) welcomes the opportunity to comment on the IAASB's Request for Input 'Exploring the Growing Use of Technology in the Audit, with a Focus on Data Analytics' ('the paper'). The FRC is the UK's Competent Authority for Audit, and regulates in the public interest. We are responsible for setting auditing and ethical standards in the UK, undertaking audit oversight and monitoring and taking enforcement action where necessary. Through our work, we seek to underpin public confidence in the value of audit in the UK, and to support the auditing profession in the delivery of high quality audit.
We commend the IAASB Data Analytics Working Group (DAWG) on the publication of an insightful summary of the current audit data analytics landscape. Our comments below indicate areas where we would place particular emphasis or can provide additional information.
The FRC shares the IAASB's interest in the challenges and opportunities that technology, and in particular data analytics, pose for audit. In particular, the FRC recently undertook a thematic review on the Use of Data Analytics in the Audit of Financial Statements. We anticipate publishing our report in the near future. The objective of this review was to inform our understanding of the practical use of data analytics within the UK market, with a focus on the audit of entities within the FRC inspection scope. During our thematic review we observed that the use of data analytic techniques is pervasive in the UK for journal entry testing in response to the requirements of ISA 240. The other techniques we observed most frequently were the use of data analytics to facilitate the focus of audit testing on the areas of highest risk through stratification of large populations and bespoke analytics in response to specific audit requirements. We observed limited use of analytics in support of substantive analytic procedures or tests of controls.
Our responses to each of the questions are set out in detail overleaf.
(a): Have we considered all circumstances and factors that exist in the current business environment that impact the use of data analytics in a financial statement audit?
Individual audit teams, unused to the techniques and aware of the market concern around the applicability of standards, have told us that they are sometimes reluctant to rely on data analytics as a primary source of audit evidence. The IAASB should seek to understand, therefore, whether its standards could help to overcome that reluctance by seeking to understand what gives rise to it. Our recent thematic review on the use of data analytics by UK audit firms, indicated that the uptake of data analytic techniques is increased when the technique is embedded into the firm's audit methodology. For example, the most widely used analytic that we observed, other than journal entry testing, was deployed to engagement teams along with guidance about the balances and assertions on which the analytics could be applied and what other testing and evidence would be necessary. This highlights that there is an important role for audit firms' technical teams to provide guidance and support for audit teams adopting the techniques.
We are aware of developments in the UK audit market that may make more sophisticated data analytic techniques available to small and mid-sized audit firms, largely through automating data capture and transformation. This is not a sector we have previously looked at in any detail through our work, however, encouragingly, there are now a number of well-established third party providers who offer off-the-shelf data analytics packages. More recently, we have observed the emergence of new start-ups providing data analytics packages who have been actively engaging with some of the UK accountancy professional bodies as a way of taking the debate about the value of data analytics to a much wider audience of small and medium-sized practitioner firms. However, small and medium sized firms may not have the dedicated technical resources to consider the wider implications of deploying data analytic techniques and to respond accordingly. Therefore, further thought may be needed as to how this might be addressed for those embedding data analytic tools into their methodology for the first time.
We have observed data analytics being deployed in group audits and offering advantages in terms of efficiency through, say, standardisation of approach, and the ability of the group engagement team to provide oversight and direction in respect of the audit work of component teams. For example, where audit firms deploy tools internationally, group engagement teams can direct component auditors to use specific audit data analytics (ADA) techniques. Furthermore, if the entity uses a global accounting system, the group engagement team can use data analytic techniques centrally over multiple components. However, in some circumstances component auditors are not performing all their own testing in relation to their local statutory audits, and consideration needs to be given to the implications of component auditors relying on the work of the group engagement team for such purposes, something that could be addressed in the Quality Control project.
Audit committees are increasingly interested in their auditors' data analytical capabilities and the potential insights they offer into the business. Technological developments that have the potential to improve the quality of communications with those charged with governance are to be welcomed. However, auditors need to be clear about the relative value of improved communications and the value of enhanced audit effectiveness. We believe that the potential enhanced communications value should be considered secondary to the potential value of data analytics in driving improvements to audit quality.
(b): Is our list of standard setting challenges complete and accurate?
We have observed data analytics being deployed at different stages in the audit process. We have no reason to believe that this will not continue to be the case for the foreseeable future as the use of data analytics is expanded and as new technologies are introduced across the UK audit market. It is important, therefore, that standards are both future proof, but also adaptable to different circumstances, i.e. keeping to principles, rather than specifics tied to current technological practice.
Paragraph (19(e)) of the paper discusses whether, in an audit using data analytics, the difference between risk assessment procedures, tests of controls and substantive procedures is relevant. We believe that it is. In particular, test of controls is one area where we perceive it to be more difficult to apply data analytics. For example, although a data analytic can demonstrate that a three way match exists throughout populations of invoices, orders and good receipts notes, it does not necessarily provide evidence that a control operated, because the match might have existed in the absence of the control. While some assurance might be inferred as to the strength of the overall control environment, it may be difficult to derive assurance as to the operating effectiveness of specific controls without testing the operation of the controls themselves. In this example, this might involve evaluating whether the programming is appropriate and whether general IT controls were effective or could involve using data analytics to identify transactions that should have failed the matching process and to validate whether those transactions were appropriately dealt with at the time by reference to transaction logs.
Paragraph 19(i) highlights challenges in applying the documentation requirements when using data analytics, and notes this as an area that may require the development of further guidance. We would agree. Our thematic review indicated that insufficient evidence has been retained on audit files in relation to the application of data analytics in the engagement. Where 'traditional' audit techniques are used, audit documentation retained on an archived file, together with source accounting information required by statute to be retained by the entity, would theoretically enable an audit test to be re-performed at a point during the file retention period to obtain the same results. We believe this may not always be the case with data analytics, as auditors do not keep the captured data throughout the archived period and entities may not keep the accounting information in a format that could be recaptured in the same way. As such the data may not be available at a later stage from any source. We believe, therefore, that detailed information regarding the methods used, including the scripts used to extract data, should be retained on the archived audit file. The same observations also apply to the significant judgements made in the audit data analytics provides good information to support high quality risk assessment procedures which in turn supports the judgements the auditor makes when identifying and assessing risks and evidence of this should be retained on the audit file.
The paper notes the importance of auditors establishing quality control processes over the development of data analytics technology and tools (19(j)). We believe that, when using centrally developed tools or centrally selected third party tools audit firms need to provide audit teams with assurance that these tools have been subject to internal quality control processes. Additionally, such processes need to be open to regulatory scrutiny as audit inspectors need to be satisfied as to the integrity of the tools in use. Complexity is added as tools may be global in nature and hence the execution of the quality control processes may take place outside of our geographic jurisdiction. Hence we believe that a consistent approach to regulatory oversight of such quality control processes should be arrived at collaboratively with other independent audit regulators.
(c): To assist the DAWG in its ongoing work, what are your views on possible solutions to the standard-setting challenges?
Global and international firms are rolling out data analytics tools and techniques on an international basis. As noted above, some firms are looking at third party products, which again may have international reach. We believe, therefore, that, as far as possible, a consistent, international approach should be taken to revising the standards. Indeed, we stated in our response to the IAASB's recent ITC that:
"We agree that the past decade has seen tremendous change in the economic, technological and regulatory aspects of the capital markets in which audit firms operate. The audit profession plays an essential role in the functioning of the global capital markets by building public trust and confidence in the financial reporting process and stakeholders expect the audit profession to adapt and overcome these multiple and complex challenges, whilst remaining committed to delivering consistently high quality audits. It is therefore essential that as a global standard setter, the IAASB promulgate standards that are sufficiently adaptable for auditors to address the evolving challenges they face and remain committed to delivering consistently high quality audits."
Given the level of investment audit firms are making in analytical tools and technologies, we believe that standards currently under revision or consideration for revision should envisage the possibility that data analytics might be used. While our thematic review indicates that the use of audit data analytics is not as prevalent as the UK market might expect, we do expect this use to grow.
During our research for our thematic review, some UK audit firms noted that they were identifying challenges when working with data analytics in the context of the current audit standards. The views expressed were largely consistent with the challenges raised in the paper and the standards impacted were consistent with those noted in paragraph 41. It will be important for the IAASB to better understand the nature of these challenges and to carefully consider how they should be addressed under the existing standards and whether any change in the current requirements would be appropriate. However, the IAASB should be cautious about changing well-established existing requirements without a comprehensive conceptual analysis and without considering the implications for audits where data analytics are not being applied. In addition, our view, it is neither practicable nor desirable to revise all impacted standards at once, not least because there are other areas that also require IAASB consideration as set out in the 2015-2019 strategy. However, we suggest it would be helpful if the IAASB were to articulate a high level plan as to the areas that will be considered over the medium term. Audit firms have choices as to the nature of analytics they develop and implement and some sort of road map may helpfully inform their decision making.
The IAASB might also consider the use of IAPNs as a means to deliver appropriate guidance, such as 'special considerations when using data analytics'. This would allow guidance to be revised more easily as technology evolves, whilst still echoing the core principles in the IAASB auditing standards.
(d): Is the DAWG's planned involvement in the IAASB projects currently underway appropriate?
Based on the information currently available to us, we believe the DAWG's planned involvement in current IAASB projects is appropriate. In particular, we believe that it is important that any revisions to ISA 315 consider the potential use of data analytic techniques.
(e): Beyond this initiatives noted in the 'Additional Resources' section of this publication, are there other initiatives of which we are not currently aware of that could further inform the DAWG's work?
As noted earlier, the FRC recently undertook a thematic review on the Use of Data Analytics in the Audit of Financial Statements. The objective of this review was to inform our understanding of the practical use of data analytics within the UK market, with a focus on the audit of entities that fall within the FRC inspection scope. The report is available via the FRC website at: https://www.frc.org.uk/Our-Work/Publications/Audit-Quality-Review/Audit-Quality-Thematic-Review-The-Use-of-Data-Ana.pdf
(f): In your view, what should the IAASB's and DAWG's next steps be? For example, actions the IAASB and DAWG are currently considering include:
- Focussing attention on revisions, where appropriate, to ISAs affected by the IAASB's current projects;
- Exploring revisions to ISA 520;
- Hosting one or more conferences with interested stakeholders to collectively explore issues and possible solutions to the identified challenges; and
- Continuing with outreach and exploration of the issues associated with the use of data analytics in a financial statement audit, with a view towards a formal Discussion Paper consultation in advance of any formal standard-setting activities.
In respect of the proposed actions set out in the question above, we believe that:
- Action (i) is most important to ensure that current ISA revisions are relevant to the market and 'futureproof' as far as practicable.
- Action (ii) is attractive as one would think that data analytics could assist in improving the rigour of substantive analytical procedures, yet we observe minimal usage in practice.
- Action (iii) at this stage, although we are very supportive about the value of ongoing discussion, this action alone is unlikely to result in anything other than minimal useful output; and
- Action (iv) which proposes continuing with outreach and exploration is important as this is an area of 'rapid evolution'. However, revising standards in the light of changes in technology needs to become 'business as usual', and hence having a formal discussion paper consultation with no proposed examples under consideration may not be productive.
We believe it is important that consideration be given to the concerns surrounding evidence and documentation as set out in (b) above, as this impacts all usage of data analytics and as regulators we are observing deficiencies in this area through our inspection work. If there is not a generally accepted understanding of the documentation standards, regulators may raise findings against audits. This may discourage uptake of techniques that have the potential to improve audit quality. Firms are already asking the FRC for clarity in this area.
If you require further information or would like to discuss our comments in more detail, then please contact Julia Walsh, IT Audit Inspector on [email protected] or +44-20-7492-2469.
Yours sincerely,
Melanie McLaren Executive Director, Audit and Actuarial Regulation
8th Floor, 125 London Wall, London EC2Y 5AS Tel: +44 (0)20 7492 2300 Fax: +44 (0)20 7492 2301 www.frc.org.uk The Financial Reporting Council Limited is a company limited by guarantee. Registered in England number 2486368. Registered office: as above.