he strong technological changes of the last decades are having serious consequences in the field of auditing. Auditors must continue to assume that IT issues will become increasingly important in the future. The role of the IT audit within the audit of annual financial statements is subject to constant change. This is due to waves of technological change on the client side. A look at history shows firstly that there is a model for this process, and secondly, that there is a recurring pattern of core competencies. These are necessary in order to successfully integrate new technologies into the audit.
The success factors are:
- A comprehensive understanding of the process
- The ability to familiarize oneself with unknown technologies
- Knowledge of the regulatory environment
- The ability to grasp and communicate relevant findings
The most recent development is characterized by a departure from hardware-related topics and the increasing digitalization and automation of processes within audit. In the recent past, three waves of this long-lasting trend can be distinguished. The following brief history of the IT audit is intended to provide a better assessment of current and future developments and to assess the significance of the IT audit for the future.
A brief history of IT auditing
MRP wave: early 1970s to mid-1980s
From the beginning of the 1970s, material requirements planning became increasingly automated – theses systems were referred to as “MRP systems”. The manufacturer IBM is inextricably linked to this time. Its mainframes, most of which were related to production, were at the heart of the technological change of the time. All mainframes had one thing in common: the running programs were highly adapted to the conditions of local production. The company’s main task was to standardize program processes. The main task of the IT auditor was to act as a translator between technology and business processes. They had to explain how the machine controller generated its output values. For this purpose, the processes were made “visible” in the course of the audit, always remaining close to the program code. The most important tools for this were pen, paper and the ubiquitous process templates, the manual predecessors of today’s process modeling languages. Today’s digital IT audit is therefore based on a legacy that is all too analog.
“Today, the integrated #IT audit and the associated processes are completely #digital. But a look into the past reveals its analog origins.“Twittern WhatsApp
ERP wave: early 1980s to mid-2000s
From the mid-1970s onwards, enormous performance gains were achieved in the mainframe area. At the beginning of the 1980s, these paved the way for the integration of processes, especially internal and external accounting. The result was increased standardization of program processes. The focus of the IT audit now shifted from an understanding of often similar software packages to the control of the process free of improper interventions. The focus of attention was above all on the data centers with their administrator terminals, which are now often located away from production, and subsequently generalized audit programs were developed. The aim was to provide adequate control security across all risk areas for the audit of the financial statements.
An important aspect was therefore monitoring the reliability of the hardware. It was also good form to have appropriate fire protection measures. This was often demonstrated by one or more fire extinguishers in the immediate vicinity of the mainframe computer. Similar to the standardized process for the program functions and the ideal-typical structure of the data centers, general audit programs were subsequently developed. The aim was to map control security across all risk areas that was appropriate for the final audit.
From mid-2000s onwards: the cloud wave
From the mid-2000s, more powerful Internet connections increasingly enabled hardware operations to be outsourced to so-called cloud providers. In gradations such as “Infrastructure as a Service”, “Platform as a Service” or “Software as a Service”, they enabled the operation of highly standardized software packages. The data center, the administrator terminals and the ubiquitous fire extinguishers, which earned the IT auditor the reputation of merely checking the inventory of operational extinguishing agents, disappeared from the focus of the IT audit. At the same time, as part of this technological change, the concept of risk orientation also found its way into IT auditing. In addition to general IT controls, audit approaches for IT-based business process controls were developed and implemented. The actual risks in the business processes were thus addressed and have since been the focus of a risk-oriented IT audit.
Current challenges using data analytics and machine learning as examples
The question regarding the role of the IT auditor, as well as their significance and competencies, will also have to be answered in future technological change. Can these tasks be automated using new technologies? Will manual processing of the task field perhaps even become obsolete? This can be answered by looking at the effect of two technological trends of recent years:
The amount of data that can be evaluated during an IT audit has increased significantly in recent years. One of the drivers of this development is, amongst other things, the significant increase in the performance of conventional hardware, which makes it possible for auditors to process data independently of dedicated data centers. A pre-evaluation can take place up to a point at which the human judgement of the auditor is required. Is the situation appropriate taking into account all relevant factors? Are there discrepancies between the test object in the system and the accompanying process documentation? Questions such as these cannot yet be solved by machines. Despite the increasing automation of simply structured tasks and clear decision-making situations, data analytics usually results in a higher workload for IT auditors.
So far, it has not yet been possible to illustrate how machines will be able to deal with this issue of judgement raised in the last paragraph. However, the question remains as to whether the emergence of self-learning systems, i.e. machine learning, can help. The current state of affairs is that decision-making systems often achieve inadequate results in two basic cases. On the one hand, when results cannot be defined in a clear-cut manner. This refers to clear results such as “right”, “wrong”, “appropriate” or “proper”. On the other hand, inputs from non-commensurable data sources are problematic. That is, if data does not originate from similarly structured data in word, image and writing. Especially the IT audit, which comprises a strongly unstructured input of regulatory, process representation, verbal inputs from client interviews and technical as well as commercial system data, is not suitable as a use case with the current state of technology for the foreseeable future.
Nevertheless, machine learning is increasingly becoming an IT auditor’s test item, for example whenever a machine compares basic, similar incoming payments with open items, or always systemically books similarly structured leasing contracts.
“A look into the past and present of the #IT audit shows us the path for its #future as well as the new role and significance of the IT auditor.“Twittern WhatsApp
The future of IT auditing
When it comes to the future of machine learning and data analytics in IT auditing, the innovative power of IT auditors is called for. Are these routines comparatively easy to understand? Does decision-making remain in a black box? Is it possible to establish a set of rules that prescribe the basics of good decision making? Or do we have to break new ground and treat machines like human colleagues, the “AI colleagues “? Here, in the evaluation of innovative use cases, the increasing importance of the role of the IT auditor in the final audit becomes apparent.
A brief look at the past and present of IT auditing reveals one thing above all: the increasing speed of technical innovation cycles as well as their significance and disruptive effect. This development requires a constant reorientation of the audit of the annual financial statements within the scope of the prevailing technological conditions. This changes the role and significance of IT auditors. They become the auditor’s guides in the field of new technologies. Their impact on financial accounting will increase sharply in the coming years as digitalization progresses. Although IT auditing will be supported in the near future by the use of intelligent systems, the IT auditor will not be replaced in the long term, but will generally speaking play an even more important role in auditing.