Auditors are taking advantage of the remote auditing capabilities they used during the pandemic to do more types of audits and expand priorities like fraud detection and cybersecurity.
The COVID-19 pandemic has forced many audit firms and internal audit departments to operate remotely, but now as more parts of the country open up thanks to vaccines, more auditors will be returning to their offices this year. But that doesn’t mean they can’t leverage the technology and skills they learned from remote audits, and use audit talent from around the country or the world located in far-flung offices.
Finance departments operating remotely can also expose organizations to fraud and cybersecurity risks, such as the recent ransomware attack that shut down Colonial Pipeline. Auditors are increasingly being asked to do risk assessments of cybersecurity vulnerabilities and look for signs of fraud.
Firms like BDO USA are leveraging the remote audit technology they’ve been deploying over the past year and planning to expand it. “When you think about a firm like ours as opposed to the Big Four, and how this is really happening now, it’s really going to change the landscape significantly over the next few years,” said Bill Eisig, national managing partner and practice leader of BDO USA’s $800 million assurance practice.
He began working on automating the practice shortly before the outbreak of the pandemic. “In November a year and a half ago, I got to the technology piece of what we’re doing in the audit practice, and I realized we had to rewrite our entire technology plan, in the sense that we had to focus on automating our processes,” he recalled. “We had to answer four questions: How do professionals currently use technology in delivering services to clients, how do professionals use technology in working across business lines, how are professionals supported by technology in their internal workflow processes, and how do you automate the process at the engagement level?”
Last February, before COVID began shutting down offices at BDO, he asked the IT team to accompany audit teams in the field as they audited clients in various industries, including science, manufacturing and distribution. “I’m glad I did this in February before COVID hit in March, so we were able to get through quite a few engagements where we actually stopped and watched what the auditors did, interacting with them while they were doing the audits live,” said Eisig. “After they spent a lot of time in the month of February doing that, they came back to me with a shocking list at the time. They came back to me with 79 individual automations that they thought they could execute at the engagement level. It’s over 100 now. We’re a 5.2 million-hour audit practice, and they thought they could save 1.7 million hours at the time by eliminating the human element and incorporating technology. That’s like 30 to 35% of the time we spent on our engagements. My initial reaction was that seems like a lot, but even if they’re half right, or even a third right, if we can eliminate even 10%, that would be an astronomical savings. You could eliminate 500,000 hours, or 800,000 hours, from a 5.2 million hour practice by automating.”
BDO has now embarked on what Eisig considers to be phase 1 of the automation project for the audit and assurance practice, and he is expecting the firm will be able to take advantage of the efficiency even after auditors begin returning to their offices. “Prior to now our firm culture was such that you needed to be at a client or you needed to be in the office in order to service clients who were local, so there was some hesitancy, for example, for the San Francisco office to use resources in the Midwest because there was some concept that clients always expected you to be there,” he said. “One of the main lessons we learned in remote auditing is you could do a lot of this work, but you can’t do all of it. There are some things where you need to be in person, like if you’ve got to do an inventory count where you need to do the physical, but there are a lot of things you can do remotely. I think what we’ll see as we move forward is a hybrid. There are actually some best practices around capacity building and utilizing resources across the region to better service, maybe on an industry level, as opposed to a locality or geography. We now recognize we’ve got the technology set up at a firm like ours to do that, and if you have the skill sets in another area of the country, it can be done remotely. There are certain kinds of evidence gathering and certain types of clients where you’ll still need to be present, but I think we’ll take a hybrid method as we roll forward into the future.”
Deterring fraud
Audit firms will need to be careful in how they roll out such technology to avoid abuse, and they should not rely on automation to fill the vital role of an experienced, skeptical auditor. Another major concern for audit firms is deterring fraud, especially after a series of high-profile international frauds in the past year at companies like Wirecard and Luckin Coffee.
“The accounting firms and audit firms absolutely need to embrace the fact that we continue to miss these massive frauds using outdated technologies and audit procedures,” said Brian Fox, founder of digital confirmation platform Confirmation, a division of Thomson Reuters. “It’s a travesty. The number one thing we need to change is our mindset as auditors. There are far too many auditors who believe that finding fraud is not part of their professional responsibility.”
He pointed to a statement by Grant Thornton UK CEO David Dunckley, who defended the role of auditors after the collapse of the bakery chain Patisserie Valerie in 2019, telling members of Parliament, according to the
“He said we’re not looking for fraud,” said Fox. “It’s not our job, it’s not our responsibility to find fraud. And many others have come out since, the CEO of Ernst & Young and the CEO of PricewaterhouseCoopers have both come out and said, no, it is our job to find fraud, and our firms are committed to doing a better job. But I think collectively we’re doing a pretty poor job. When you look at the Association of Certified Fraud Examiners’ most recent
The U.K. and the European Union have proposed the concept of creating audit-only firms, but Fox is skeptical that would work in the long run, pointing to the breakup of the consulting practices at firms after the accounting scandals of the early 2000s in the U.S. as firms like Arthur Andersen went under, thanks to clients like Enron and WorldCom.
“I do think we should look at separating those to avoid the natural obvious conflicts of interest, but isn’t that deja vu,” said Fox. “It wasn’t that long ago where all the Big Four were forced to separate their consulting firms, which led up to Accenture and Capgemini. Remember, all the Big Four spun out their consulting firms at that time, yet effectively we’re almost back at the same spot. Ultimately I don’t think conflict of interest is the driving force of missing the frauds. I think the driving force of missing the frauds is the lack of focus on finding material fraud within the financial statements.”
He pointed to the recent fraud at Wirecard in Germany. “That’s a technique where the exact same fraud took place with the Parmalat fraud in 2003 and the McKesson & Robbins fraud in the 1920s and 1930s,” said Fox. “They just provided fake mailing addresses. It was as simple as that, and nobody checked the mailing address. We’re really not looking at historical frauds, how they happened, and altering our audit procedures in response to those.”
The fault doesn’t lie with the standard-setters, he believes. “I really think the standards are clear,” said Fox. “I think the standards spell out the auditor’s responsibility. Whether it’s the [AICPA’s] Auditing Standards Board, the IAASB, or the PCAOB, all state that it’s the auditor’s responsibility to identify material misstatements due to error or fraud, and in fact it’s always been our responsibility to find material misstatements. More recently the standard-setters have added ‘regardless of whether it’s due to error or fraud.’ It always said our audits were to find material misstatements. Any misstatement that would change the user’s decision, or could potentially change the user’s decision, we as the audit firm were supposed to identify. That doesn’t mean it’s our responsibility to find everybody who stole $100 out of the petty cash drawer, because that wouldn’t materially change the user’s decision. Those types of petty theft happen. What the standard-setters are talking about is the profession’s responsibility to find material misstatement due to error or fraud, and specifically fraud. I have yet to hear of a multibillion-dollar error. I hear about multibillion-dollar frauds all the time.”
Cybersecurity risks
Auditors need to keep an eye out for cybersecurity risks with the move to remote audits. The recent ransomware attack on Colonial Pipeline made the public more aware of the increasing threat of ransomware attacks on infrastructure.
“The Colonial Pipeline breach and other recent cybersecurity incidents have again made clear that the nation’s vital infrastructure is highly vulnerable, and it’s likely we have yet to see the worst,” said Richard Chambers, senior internal audit advisor at AuditBoard and the former president and CEO of the Institute of Internal Auditors. “There are actors out there almost certainly planning even more ambitious attacks, which makes it more critical than ever that public and private utilities have plans to prevent cyber attacks and to respond quickly and effectively when they do happen.”
According to a recent
“We’re really embarking on maybe the next level of how businesses and finance, accounting and audit professionals serve the stakeholders,” said Brian Christensen, executive vice president of global internal audit at Protiviti. “I think the pandemic has been an accelerant for us to bring forward the governance, methodologies and technologies for really serving all those stakeholders, whether it’s boards of directors, the C suite and others on the journey, particularly the opportunities that some internal audit functions are having, and where they can go in the future.”
He has seen an increase in use of more advanced audit technology during the pandemic. “The future is now,” said Christensen. “Everyone gets enamored with the technology, and from the digital standpoint, it’s really incumbent on internal audit executives to transform their capabilities to meet those needs. Part of that begins with thinking differently and delivering on that innovation. We’ve all talked about the use of analytics and the vast capabilities around machine learning and artificial intelligence. What we can see is there are currently early digital adopters who are doing this and it’s being well received, to bring those tools and techniques to bear to provide greater insights for organizations to respond to things. Most of us in the last year have continued to be in an at-home environment. How do we work, and how do we stay in the forefront? Embedding technology is a great example, where auditors would test large data sets. Now we can embed those through robotic process automation into the cloud, and really begin looking at that in a different sense. I think these are exciting times, and what our survey says is digital leaders that have applied that have been well received and really empowered themselves to be a critical contributor within an organization.”