Introduction

New technologies such as artificial intelligence (AI), robotic process automation, and block chain are changing the operations of many businesses and auditors too must adapt to this in order to transform their own businesses.  This article looks at the technology risks, what auditors should focus on when it comes to the impact of emerging technologies on business and evaluation by auditors on whether management is properly assessing the impact of emerging technologies on internal control over financial reporting.

Technology risks and what the auditor should consider

Emerging technologies can bring up many risks that include the following;

           

  1. Unauthorized or erroneous changes to data in master files.
  2. Unauthorized changes to systems or programs.
  3. The possibility of information technology personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby leading to insufficient segregation of duties.
  4. Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
  5. Unauthorized access to data that might result in the destruction of data or improper changes to data, including the recording of unauthorized or non-existent transactions or inaccurate recording of transactions (specific risks might arise when multiple users access a common database).
  6. Failure to make necessary or appropriate changes to systems or programs.
  7. Risks introduced when using third-party service providers.
  8. Potential loss of data or inability to access data as required.
  9. Inappropriate manual intervention.
  10. A core strength of the auditing profession is the assessment of risks and controls. As they address the challenge of assessing technology risk, auditors should focus on the following;
  11. Auditors should gain a holistic understanding of changes in the industry and the information technology environment to effectively evaluate management’s process for initiating, processing, and recording transactions and then design appropriate auditing procedures.
  12. This understanding includes, but is not limited to, understanding likely sources of potential misstatements and identifying risks and controls within information technology.
  13. Auditors should consider risks resulting from the implementation of new technologies and how those risks may differ from those that arise from more traditional, legacy systems.  Auditors should be aware that risks can arise due to program or application specific circumstances for example resources, rapid tool development, and use of third parties that could differ from traditional IT implementations. Understanding the system development lifecycle risks introduced by emerging technologies will help auditors develop an appropriate audit response tailored to an organization’s circumstances.
  14. Auditors should consider whether specialized skills are necessary to determine the impact of new technologies and to assist in the risk assessment and understanding of the design, implementation, and operating effectiveness of controls. If specialized skills are considered appropriate, auditors may seek the involvement of an expert. Auditors should also obtain a sufficient understanding of the expert’s field of expertise to evaluate the adequacy of the work for that auditor’s purposes.
  15. New technologies and internal controls over financial reporting

 

To obtain this understanding, auditors may inquire of management about the following areas:

  1. The impact the new technology has on the organization’s identification and assessment of risks relevant to the achievement of control objectives.
  2. The impact the new technology has had or should have had on the entity’s internal controls over financial reporting.
  3. The sufficiency of the design of information technology general controls to address the identified risks.
  4. Management’s risk assessment process and whether it considers all applicable information technology systems where control activities are occurring, including, but not limited to upstream/downstream data interfaces and systems used by outsourced service providers
  5. Whether indirect effects of new technology have been appropriately considered and addressed for example staffing levels, competency of internal personnel, access to appropriate resources, cybersecurity risks as applicable to the audit.
  6. Whether the nature of the technology impacts the fraud risk assessment, including the risks of material misstatement to the financial statements due to fraud and the risk of misappropriation of assets (both monetary and non- monetary.

In summary, auditors should consider the following steps in a dynamic technology environment:

  1. Maintain sufficient professional scepticism when reviewing management’s risk assessment for new systems.
  2. Understand how the technologies impact the flow of transactions, assess the completeness of the in-scope internal control financial reporting systems, and design a sufficient and appropriate audit response.
  3. Understand the direct and indirect effects of new technology and determine how its use by the entity impacts the auditor’s overall risk assessment.
  4. Assess the appropriateness of management’s processes for selecting, developing, operating, and maintaining controls related to the organization’s technology based on the extent the technology is used.

Dangers to auditors if they do not upscale to new technologies

a) Loss of business; the auditors who do not change with the changing technology are at a risk of losing their clients especially when their clients are changing their systems and other controls in line with the emerging technologies.

b) Delayed completion of audits; This arises when the auditors are using manual systems instead of the new auditing software which can make auditing work easy and less time consuming.

c) Exposure to audit failures; this arises when the auditors fail to effectively carry out risk assessment procedures to identify the key risks involved in the clients’ IT systems.

d) Limited access to information; Auditors with no IT skills may find it difficult to access audit information from their client IT systems which may lead to the issue of wrong audit opinions.

e) Increased costs; the increased costs arise when an audit firm hires external IT specialists with the skills to perform IT audits. This impacts on the profitability of the firm.

f) In conclusion, while new technologies can bring about great opportunities and efficiencies for a business, they also bring with them new challenges. An understanding of these new technologies and an awareness of the benefits and risks they present to financial reporting is essential for auditors and management to discharge their respective responsibilities.

 

Download Here: Auditing in the Digital World