When most people think about the audit of the future they think about robots. Now, I don’t know about you but when I think about robots and the future I think about people wearing white jumpsuits driving flying cars. In my mind, I see a mix of something like the Jetsons meets Tomorrowland in Walt Disney World. Unfortunately, while all of this is very exciting, it’s not exactly what the audit of the future is going to look like. Instead, the audit of the future is going to look technical at first (so, there will be some robots), and then it will take a fast 180° and feel a lot more fluid than technical. Today, I want to talk about the first half of the audit of the future, the technical piece, and then next week dive into the less concrete, client relationship piece.

The technical piece of the audit of the future is probably going to involve the following four areas:

  • Process automation
  • Process efficiency (data analytics)
  • Expected accuracy
  • Increased cyber risk

PROCESS AUTOMATION

Process automation and efficiency start at the beginning of the information process. When data enters a system (whether it is financial, personal health, strategic information, etc.), it must be processed to be used for a specific purpose (processing, analyzing, reporting, etc.). This is where the famous data analytics comes onto the field (cue baseball walk-on music). I know, you’ve probably heard more than you ever cared to hear about data analytics and, if you’re anything like me, even after reading and listening, you may be trying to figure out exactly how it works. Data analytics comes in as the cleanup spot in the lineup and, mysteriously, always hits a home run and no one in the stands is sure how. Everyone just cheers in awe and hopes they aren’t called on to explain how it just happened.

At the risk of mixing analogies here, let me just say that we are going to pay attention to the man behind the curtain. Understanding data analytics is critical as it will be a huge piece of the audit of the future.

PROCESS EFFICIENCY

Data analytics is split into four types, each answering a question: descriptive (what happened?), diagnostic (why did it happen?), predictive (what will happen?), and prescriptive (what should I do?). The first two questions are ones auditors are used to answering in current audits, as procedures look over an audit period and want to know what happened. As auditors, it is our job to then analyze and find out why. Then there might be a conversation about predictions for the future but rarely are there conversations with clients about the decisions that should be made because auditors are, typically, so focused on the past. Well, with the audit of the future, to put it simply, we will have data analytic tools that answer the first two, and even three questions so well that we can focus on helping clients answer the last question in ways that robots will not be able to.

This is exciting news! It means audits will become more efficient as technology will perform a lot of the detailed work, and it means we can focus on analyzing reasons and communicating future decisions with clients. However, there are some areas to keep an eye on.

Two things to note as a result of data analytics:

  • 100% accuracy will be expected
  • Increased levels of risk

EXPECTED ACCURACY

When tools can perform data analytics at the speeds at which they are predicted to in the very near future, auditors will be expected to perform audits that test 100% of the population with 100% accuracy every time. That is a lot of pressure. This expected accuracy will require a lot of planning and careful setup in the beginning of projects to make sure we are utilizing those tools to be as effective and efficient as possible, especially because even with 100% accuracy, clients will expect audits to be even more efficient than before.

INCREASED CYBER RISK

Secondly, risk management is going to become an even more significant part of our jobs. This means as auditors, we will have to become very used to doing the following with clients:

  • Identifying risk
  • Classifying risk
  • Mitigating risk

The risk management process will involve a lot of time face to face with clients discussing the risks they are facing in relation to advanced technology. These risks could relate to technology, audit, fraud, information security, or anything else that is posing a threat to their business. Auditors then classify the identified risk(s) by determining the likelihood that the risk(s) would occur and how impactful they could be to the company. This allows everyone involved to have a clear picture of where the company’s risk posture is, especially in relation to newly identified risks resulting from advanced technology.

Lastly, auditors will work with clients to find out how to mitigate the identified risk(s). We will collaborate with the client regarding any processes in place at the company to prevent those threats from damaging the organization. At this point, we would discuss how these controls could protect the confidentiality, integrity and availability of data as the threats specifically relate to information and cybersecurity. But more on that another time. This will conveniently begin conversations with clients and lead auditors into having deeper conversations about threats, mitigating controls and, eventually, strategies.

Come back next week and we will talk about the softer side of the audit of the future and how auditors will have to sharpen an entire set of skills to be anticipatory and embrace a growth mindset.


THIS POST WAS WRITTEN BY Megan Hudson

Megan is a Supervisor for HORNE Cyber where she specializes in cyber risk related assurance services. She provides analytic expertise regarding policy design and implementation as well as IT governance. Megan also consults on information systems environment compliance and management for public and middle market clients.
