For most accountants, audit is something they are well aware of. They may have started their career as a junior auditor, be a sole practitioner, or worked with auditors in a corporate finance department. They will know that the fundamental principles behind audits have not changed – but they might not know that how auditors conduct their audits, and what is expected of them, have.
Adam Wong, Senior Audit Manager at EY, and his team used to face the dizzying task of analysing hundreds of contracts during an audit engagement, which took weeks to complete. But now, the job takes days. Using artificial intelligence (AI) software, Wong and his team analysed over 200 rental lease contracts during a recent engagement. “A single contract could be 20 or even a hundred pages, and it could take hours to go through each one – so a case like this could require reading through more than 20,000 pages,” says Wong, a Hong Kong Institute of CPAs member. By scanning and then uploading all the rental agreements, the application uses a combination of optical character recognition (OCR) and AI to scan through and locate key information such as lease terms in each contract and then compiles the data into a spreadsheet for the team to then verify.
Tools such as AI will continue to impact the way audits are done in the future. A 2018 study by the World Economic Forum predicts that 30 percent of all corporate audits will use AI in one way or another by 2025. Data analytics will also play a bigger role in audits. Already, almost a third of all audits employ the use of data analytics software, with 85 percent of the auditors surveyed deeming it crucial to audit coverage, according to a 2018 report by PwC.
Technological advancements are a driving force behind the evolution of audit, but other factors are also reshaping the role and work of auditors. New auditing standards reflect a greater expectation for transparency into the actions undertaken by auditors, while professional standards have also strengthened the required ethical foundations in auditors.
Meanwhile, organizations increasingly acknowledge that business success depends on transparency into the internal processes of their operations. With that, there is greater demand for auditors to be business partners, collaborating with management to achieve audit objectives, and having a good understanding of the business and industry issues. To continue building public confidence in global markets, auditors must stay ahead of rapid changes in business models and regulations, and equip themselves with a broader range skills. Audit is now more than just a once-yearly review.
Every company in Hong Kong needs an audit. This creates work for auditors of all sizes. The purpose of an audit is to form a view on whether the information presented in an organization’s financial report, taken as a whole, accurately reflects the financial position of the organization at a given date. Auditors meet with management to discuss the scope of the audit engagement and prepare an audit plan to determine the extent of audit procedures they will perform. They also review the company’s internal controls and financial information. Throughout the process, the auditors maintain their independence. Finally, they prepare an audit report for the organization’s owners, or for larger companies, their shareholders, setting out their opinion.
This special report looks at the various factors shaping the audit specialism. This includes the technologies and tools assisting auditors; the need to stay ahead of developing standards, added focus on audit reports and more stringent regulation; the new skills auditors need as the process continues to evolve; and why, even with all these developments, professional evaluation and judgement will remain pivotal in the future of audit.
Technologically improved efficiency
The use of more specialist tools is improving the efficiency and effectiveness of audits. “We are currently moving from traditional to more modern ways of performing audits, from the manual vouching of invoices to the use of data analytics and AI,” Wong says. But he adds that technology only assists with repetitive tasks and that auditors still need to rely on their analytical skills. “Right now, it’s still a combination of traditional and modern approaches. Technology helps us to see the bigger picture behind a company’s transactions and also highlight anomalies. But it’s our job to identify whether the audit evidence is appropriate for their business.”
Paul Lau, Partner, Head of Capital Markets at KPMG China and Chairman of the Institute’s Auditing and Assurance Standards Committee, agrees. “The audit profession is a very old one, but it is one that has evolved the most over the past decade. We’re adapting to the changes in the business model of our clients,” says Lau, who has been an auditor for over 30 years.
Lau has employed the use of data analytics to help with audit sampling, which involves examining a representative selection of items in a dataset, to gain reasonable assurance regarding the entire dataset. Auditors perform sampling when data population sizes are large, such as the items within an account balance or class of transactions, as examining the entire population would be inefficient.
“The audit profession is a very old one, but it is one that has evolved the most over the past decade.”
“We might pick and focus on a sample of 60 out of a million transactions, and analyse the nature and frequency of this population,” says Lau. “But data analytics opens up a new world for us. We can now look at entire populations of data. If you have the data of all our client’s transactions – this could be millions – you can then perform an analysis and then quickly define the outliers. Auditors could then zone in and figure out what’s happening. This saves a lot of time.”
Lau adds that auditors have also begun using AI to generate simple summary reports. One memorable banking audit saw his team using AI to scan through credit reports. “We have an AI-based tool which scans through thousands of credit reports in a matter of minutes to search for keywords, for example ‘default’ or ‘past due’ and then automatically generate a report. In the past, this was all done manually and would have taken almost a month.”
Dilys Cheng, China South Operations Leader and China South Transformation Leader at PwC, employs the use of OCR and AI during audit engagements. “Twenty years ago, many tasks had to be done manually, but nowadays, we rely on automated controls,” Cheng says. She adds how her firm developed a tool in 2019 that uses OCR technology to analyse bank confirmations. “Some banks give us electronic confirmations,” Cheng says. “One time, we had to process over 250 electronic bank confirmations. With the push of a button, all the information from those confirmations were summarized into a single spreadsheet.”
Matthew Li, Partner at NOVA CPA, says his firm has also been using OCR technology for the past two years. “As a small- and medium-sized practice (SMP), we are still doing audit work quite manually, but we are dealing with a lot more digital data than before,” Li says. “We use OCR with repetitive, routine processes, especially if we are dealing with a large volume of data that isn’t too complex.” He adds, however, that OCR technology hasn’t matured enough to keep up with physical documents written in Chinese or handwritten in English.
Li says his firm also employs the use of cloud accounting to deal with bank feeds, which are automatically created lists of the spent and received transactions in a bank account. “Cloud accounting is extremely important, especially for SMPs right now,” he says. “When our team has to deal with bank feeds during audits, all the banking data is transmitted directly to the cloud accounting systems. The software also uses AI to determine whether certain banking transactions are reconciled with our transactions,” he says. “This also eliminates the need to print individual statements.”
Even with the various new technologies available, auditors still face challenges such as dealing with tighter regulations, increasingly complex businesses and client and societal expectations. According to Lau at KPMG, it is an auditor’s role to stay ahead of developments in business, regulation and corporate governance. “We’re currently in an environment where there is more regulatory scrutiny and higher expectation of our audits from the regulators,” he says. “The consequences that come with having a bad inspection could be quite large in terms of reputational and monetary risks. This requires us to beef up our work.”
Auditors have to have a good understanding of their client’s business environment. “If you don’t know your client’s business or environment, you simply cannot do a good job assessing risk,” Lau says. “It’s our job to provide client service of the highest quality. Knowledge of the business and client allows auditors to sit down with the chief executive officer or chief financial officer and have a meaningful dialogue.”
As Cheng at PwC notes, it is an auditor’s responsibility to keep clients informed of changes to regulations. “Changes take place in business and regulations all the time and industry trends aren’t always easy to understand. Clients view us as interpreters or middlemen to advise or even coach them on the best approach.”
Rossana Ley, Technical Partner at Deloitte and an Institute member, agrees. “This is a key role of every auditor. It’s not just about keeping in compliance with all these rules as well, but also informing clients of what is required from these standards, and how this can benefit their business development,” she says.
With added complexities in audits, as well as in the companies being audited, regulators expect more transparency. For example, to communicate audit findings, auditors are now expected to produce more detailed and transparent audit reports. In 2016, a number of auditing standards were revised, affecting financial statements with year ends December 2016 onwards. This effectively changed the way auditors produced audit reports for listed entities and communicated key audit matters (KAMs), as investors and users of financial statements requested for a more informative auditor’s report and for auditors to provide more relevant information to users.
Since the revisions, audit reports are disclosing more KAMs. In 2018, two years after the revisions, the Institute reviewed 479 auditor’s reports from companies included in the Hang Seng Composite Index (HSCI) and the Growth Enterprise Market (GEM). It found that 96 percent of the HSCI companies and 94 percent of GEM companies’ auditor reports disclosed one to four KAMs, with the average being 2.4 for HSCI companies and 1.8 for GEM companies. Companies with the highest number of KAMs reported 8 KAMs for HSCI companies and 6 KAMs for GEM companies.
The study found improvements in reporting format, but noted that the language used in the auditor’s reports did not provide sufficient insight into the reported KAMs and the nature of work performed.
“This was something completely new for auditors at all firms,” says Lau at KPMG. “I grew up with auditing standards stating that the audit report should not deviate in order to provide an unmodified opinion – this was very important. If you start writing a report without these guidelines, people might get confused and question whether it’s a qualified audit report. So this was a big change.” He adds how it was initially a challenge for him and his team to adjust to the new guidelines. “We now need to provide our readers with more in terms of how we consider and address KAMs through the audit procedure. We’re now in the fourth year of adoption and we’re much more familiar with the level of details to include.”
Cheng adds the revisions do not increase the workload but promote greater transparency. “We want the public to know how we looked at the audit risks and the work we have done to address them,” she says. “We also have more open discussions with our clients to state how we are going to look at the audit and disclose it to the public. This is important.”
Ley at Deloitte adds: “We also report to shareholders how we executed the audit, the critical areas for each particular client, and the procedures used in addressing the KAMs. We also make disclosures including going concern issues and management representation.”
Wong at EY says he familiarized himself with the new requirements by studying resources provided by the Institute and attending training provided by his firm. He adds the revisions changed the way auditors planned reports, and also led to more communication. “We became more proactive in discussing audit matters within the firm. The process of determining KAMs involves not only the engagement team but also professionals from our technical and risk management teams. The revised auditing standards require auditors to provide key audit insights and discuss how their audit opinions are justified. As a result, our audit reports are much more transparent now,” he says.
Auditors are also expected to maintain a strict code of ethics in working with clients and conducting audits. The Institute’s Code of Ethics for Professional Accountants was revised in 2018, based on the International Code of Ethics for Professional Accountants (including International Independence Standards) issued by the International Ethics Standards Board for Accountants that same year. The revised Code of Ethics brings together key ethics advances over the past four years and includes Non-Compliance with Laws and Regulations and Long Association provisions. Auditors note that the biggest impact is the revision requiring stronger independence regarding long associations of personnel with audit clients.
Firms that are auditors of listed companies for seven years must now allow a cooling-off period of five years, instead of the previous two years, for individual auditors. “Auditors who have a long and close relationship with clients would create familiarity threats and increase the possibility of having audit deficiencies,” Wong notes. “So it’s important for auditors to maintain independence and exercise professional scepticism not only during the audit but also in day-to-day interactions with clients.”
For SMPs like Moore, the revisions needed time adjusting to. “During the five-year cooling-off period, we aren’t allowed any engagement or contact with that particular client in order to maintain independence, so the client may choose to leave the firm,” explains Helen Tang, Managing Director at Moore and an Institute member. “It’s slightly challenging now. The longer cooling-off period is an issue for smaller firms if they do not have enough partners for the rotation.”
“The revised Code of Ethics provides clearer and more specific guidance to auditors on how to apply those fundamental principles in practice.”
To ensure auditor independence, Wong adds that his firm has been maintaining awareness of the new measures through regular training and questionnaires to test auditors’ knowledge. “We also urge team members to meet with their engagement executives prior to the start of each engagement to discuss how they can reduce familiarity threats,” he says. “We also rotate audit team members as part of our programme so each team member looks at our client’s audit issues with a fresh and unbiased mindset.”
Lau welcomes the changes and adds how it will further strengthen the fundamental notion of ethics in every auditor. “Ethics is the foundation in which we auditors make judgement and perform our duties,” he says. “The revised Code of Ethics provides clearer and more specific guidance to auditors on how to apply those fundamental principles in practice. It was also make it easier for auditors to not rationalize questionable behaviour.”
Less complex audits
Much of the focus on audits has been on those of listed entities, but changes are also being considered for the audits of less complex entities (LCEs), e.g. those with few owners, simple transations or few products. With existing requirements in the International Standards on Auditing (ISAs) developed from the public interest perspective, local SMPs may be required to perform procedures and documentation which may be unnecessary in the audits of LCEs.
Following a discussion paper issued in April 2019, the International Auditing and Assurance Standards Board (IAASB) issued a feedback statement in December 2019 which included views and comments submitted by the Institute’s Auditing and Assurance Standards Committee in August 2019. It found that respondents welcome a combination of the three approaches – revising the ISAs, developing a separate standard, and guidance. Respondents also noted the need for a timely and global solution to the issue.
A survey conducted by the International Federation of Accountants (IFAC) at the same time the IAASB discussion paper was out for consultation found the three most significant issues that currently make ISAs challenging to apply include: (i) requirements resulting in certain procedures being performed solely to comply with ISA requirements with no additional assurance or measurable increase in audit quality; (ii) extensive and onerous documentation requirements; and (iii) a lack of separate implementation of support or guidance in respect of the application of ISAs to the audit of LCEs.
Lau at KPMG explains how new standards would eliminate some unnecessary work for auditors. “When we perform risk assessments, we are required to document it – but for many of these LCEs, it really isn’t that difficult to assess risk. So auditors face a burden when it comes to documenting and writing up why a particular LCE isn’t risky.” As LCEs are generally smaller in scale, Wong at EY adds how separate standards would save time. “In general, an LCE has fewer members of management, with each member in charge of a wider range of duties and that they also perform less complex transactions, have fewer products within their business line and fewer internal controls,” he says. “Separate auditing standards for LCEs would reduce unnecessary documentation and allow auditors to increase audit efficiency.”
As Cheng at PwC notes, audits for larger companies include additional responsibilities. “During an audit of a listed company, we have to be responsible for the major as well as minor shareholders, so the level of scrutiny is very different,” she says. “For privately owned companies, the key person is the owner. That owner may want auditors to verify the accuracy of books and records to ensure they make sense, so the risk level isn’t the same.”
Tang at Moore believes separate auditing standards for LCEs would also cut down on costs. “When we first adopted these international auditing standards back in 2005, we were honestly quite surprised they would apply to companies of any size – with no shortcuts or workarounds,” she says. “A practice like ours is mid-sized so we have a mixture of big, medium and small clients and have to look after them across the board. With smaller clients, we still need to go through the same audit procedures we would for a big client. It’s even embedded in our audit programme and software. It isn’t cost-effective to go through the procedures that do not apply as much to an owner-managed company. This is a challenge we are facing.”
She adds that the benefits will also extend to clients. “This would cut down auditor fees for LCEs. Since every company has to be audited, many companies consider auditing fees to be a burden. We hope new standards will lessen the burden for smaller clients and for auditors – who will also have less documentations to deal with,” Tang says.
Ley at Deloitte welcomes revisions to the standards or separate standards altogether. “The current standards generate large compliance costs for SMPs,” she says. “Separate standards would directly address this issue and is likely to not affect the quality of auditors’ work.”
Society is increasingly concerned with how businesses operate. This has led to demands for more insights into operations through detailed environmental, social and governance reports. For auditors, this has increased the scope of assurance services they are asked to provide to non-financial data. Integrated reporting (<IR>) is one of the widest-used of these extended external reporting (EER) frameworks.
Developed by the International Integrated Reporting Council (IIRC), The <IR> Framework, aims to transform existing modes of corporate reporting into more holistic forms by addressing current limitations and developing long-term business strategies. The purpose of an integrated report is to explain to investors and society how an organization creates value over time. It does so through a combination of quantitative and qualitative information in the form of six capitals – financial; manufactured; intellectual; human; social and relationship; and natural. The framework, released in December 2013, is being updated this year.
According to Ley, in staying ahead of this shift, auditors need to develop a firm understanding of <IR> in order to provide the right assurance. “Auditors need to know how to carefully analyse information on integrated reports and determine whether readers of the report require any assurance,” she says. “As auditors, we are in the assurance business, so we need to determine whether the information is accurate and consistent and not just a report the company has put out to improve its image.”
Wong at EY explains how auditors can make the most out of integrated reports in audits. “Integrated reporting paints a broader picture of a company’s governance, strategy and how changes in resources and environment is affecting the company,” he says, adding how this information is not easily measured using traditional financial reporting. “This provides auditors with additional corporate information, which can be used as audit evidence to support an audit opinion.”
To support auditors, the IAASB’s EER assurance project is developing guidance, scheduled to be released by the end of 2020, on using the existing standards to handle EER.
The right talent
Another challenge facing the audit profession, especially within SMPs, is securing the right talent. As Li at NOVA notes, firms are now looking to hire accounting professionals who know how to utilize new technologies. “Accounting skills are only a standard skill set nowadays,” he says. “There are thousands of fresh graduates with accounting degrees and even more accountants with a few years of experience. But whether they have the knowledge or experience in IT is another question and they need these skills to really stand out.” Li adds that professionals with knowledge of emerging technologies bring added value to firms. “We are working with companies that use cryptocurrencies or software as a service platforms. We are also looking for better ways of auditing them,” he says. “Knowledge in this area will help auditors to understand the business risks involved and help them to ask the right questions during audits.”
Ley at Deloitte agrees. “We need to be able to advise clients on the sorts of technologies available and how they will help their business,” she says. “Of course, if they have the skills in data analytics and AI software, that’s even better. This is something firms look for nowadays.”
With auditors expected to work closely with clients, stakeholders and their own engagement team, excellent communication skills are a must in today’s audit profession. “Audit is a procedure which involves careful communication and an exchange of ideas with clients, especially when we provide advisory,” Li says.
“If they have the skills in data analytics and AI software, that’s even better. This is something firms look for nowadays.”
Tang at Moore says auditors who hone their communication skills and ask the right questions will have a better understanding of what clients want and the issues they are facing. “Fresh graduates, in particular need to be effective communicators – not just verbally, but also in writing. They should be tenacious and flexible at the same time to adapt the ever changing auditing environment,” she says, adding how auditors ought to engage in self-learning and dedicate time whenever possible. “I understand auditors are very busy during peak season, but during low season they can try to attend seminars at the Institute or at their firm.”
Cheng at PwC encourages auditors to think outside the box and challenge conventional ways of working. “If you just stick to the status quo, this won’t help. We encourage our staff to bring new ideas and suggest new ways of doing things during the audit,” she says. “Auditors must be open to change. They must be able to think on their feet and ask themselves ‘how can I do this differently?’ or ‘how can I increase efficiency?’”
Wong at EY stresses the importance of staying updated. “Both junior and senior auditors should keep themselves updated on the development of accounting and auditing standards,” he says. In addition to having critical and analytical skills, Lau at KPMG says auditors need to be forward-thinking and also think about their own growth. “You need to start thinking about how you will grow over the next 10 or 20 years. You need to show your commitment to the profession,” he says.
Auditors should also work to find a balance between having a sceptical and suspicious mindset. In the December 2019 report Assess, Assure and Inform: Improving Audit Quality and Effectiveness by Sir Donald Brydon, Chairman of Sage Group and former chairman of the London Stock Exchange, a high-quality audit is one which involves the application of professional scepticism throughout and professional suspicion where appropriate. It also recommends auditors to make judgements based on tested information and that remain appropriate in the light of subsequent events that were reasonably predictable.
The audit profession is set to evolve further, spearheaded by developments in technology and tighter regulation. Ley says auditors must make use of the technologies available going forward. “These audit tools help us not just with the quantity, but also the quality of audits. At the end of the day, we put quality as our top priority,” she says. “In the next five years, we’ll see changes in the tools being used, the businesses we are auditing, and the scope of our work.”
But as Tang notes, SMPs might require more time in transitioning to using new technologies. “Though I believe it’s essential for all auditors to have a firm grasp of these new tools, it can be challenging to firms with two to three partners to adopt them – they might think it isn’t cost effective,” she says. “It also depends on the sorts of clients they are working with and whether technology will help speed up the job. Small practices still rely on software such as Microsoft Excel and Word.” She says it is a matter of time before emerging technologies are seen in firms of all sizes. “We are waiting for these tool to reach a mature stage. By then, we envision even one-partner-practices to benefit from them too.”
Despite the various technological developments, it is up to auditors to rely on their own experience and judgement. “We still need human accountants,” says Ley. “In fact, the increasing use of technology requires us to be more analytical and sensitive to figure out how to tailor our audit response to address certain issues.” Lau at KPMG agrees, noting that auditors have to focus on applying more professional judgement to manage risks and provide value-added business insights to clients. Wong says: “Technology can assist in handling repetitive tasks, but when it comes to complex issues requiring professional judgement, human accountants still play a key role in understanding and evaluating situations to determine if they comply with rules and regulations.
Preparing for the audit is the best way to ensure it goes smoothly and efficiently for both the client and audit engagement team. Companies should aim to do their part long before the auditors arrive at the office.
Months before the audit date, businesses could set a pre-planning meeting with the auditors to discuss client deliverables, timeline and expectations. Some companies schedule these meetings as far back as six months, while many will have met their auditors by three months before the onsite audit.
To avoid any issues during the audit, companies should set aside adequate time to fully prepare accounts. “Clients must prepare all required financial information and supporting documents for an auditor’s inspection to ensure a smooth audit,” says Adam Wong, Senior Audit Manager at EY.
Companies should aim to have all accounts reconciled, including cash, accounts receivable, inventory, accounts payable, and accrued expenses. Ideally, this should be done quarterly or even monthly to avoid any reconciliation issues during the audit. Matthew Li, Partner at NOVA CPA, also advises companies to provide documentation detailing their internal control procedures. “Include details of your sales cycle, inventory management cycle and human resources procedures. This information can help auditors to better understand the flow of a company’s operations and controlling procedures.”
While these steps do involve disclosure of a large amount of sensitive information, Dilys Cheng, China South Operations Leader and China South Transformation Leader at PwC, says clients need to put trust in their auditors. “Trust is essential,” she says. “Clients need to trust us and provide the necessary information for us to carry out the audit. They also need to trust the technology that we will use.” If the client has an electronic version of their entire ledger, that must also be made available to the auditor, adds Wong. “Since our audit approach uses more data analytics nowadays, clients are advised to arrange their dataset in advance.”
Communication should not be limited to the financial reporting team, notes Rossana Ley, Technical Partner at Deloitte, “but should take place with the top management and different business units. Timely and good communication on key activities, changes in business can help auditors to identify issues earlier and to plan the appropriate audit plans and work much earlier.”
To make the most of the audit towards the end of the engagement, clients are encouraged to ask more questions. “Clients should seek advice from auditors on how to improve in the coming year,” advises Li. “We may have a better understanding of your business situation and weaknesses, and problems related to the books and internal control systems. Our advice will help to improve efficiency in the long run.”
“Clients should seek advice from auditors on how to improve in the coming year.”
A day in the life
The tasks of an auditor are diverse. A typical day can revolve around team and client meetings, in-depth research on a company’s financial history, making sure audit working papers are accurate, attending training, and of course, work on the actual audit itself.
Adam Wong, Senior Audit Manager at EY, says his typical day comprises of duties ranging from supervising engagement teams, to formulating audit plans to be communicated with clients. He also reviews audit working papers to ensure they are in compliance with the latest accounting and auditing standards. During audit engagements, Wong says he spends time evaluating how the latest accounting standards will impact his clients financially and enjoys suggesting ways to improve his client’s internal controls.
Auditors work in teams on engagements throughout the year and gain different experiences through each one, which requires them to be team players as well as effective communicators. To achieve this, Matthew Li, Partner at NOVA CPA, ensures frequent communications with his team to track progress and address any problems at the onset. “This involves meetings with our management team to discuss issues concerning customer services, sales, or human resources management, for example,” he says. His day also consists of meeting new and existing clients to discuss industry updates, which he says, is an effective way of helping both parties updated on all developments. “I also meet with our relationship manager to keep track of their progress and understand their problems in meeting with clients.”
As Managing Director at Moore, Helen Tang’s role involves less audit field work now, so she’s responsible with looking after her firm’s accounting, company secretarial, advisory and tax departments. This means starting most days with internal meetings to discuss updates, followed by conference calls with the global network, or treasury management. Her day might also include external meetings with clients or service providers, and staff training, which Tang says is crucial to development of a firm and maintaining staff integrity. “I have to make sure our audit staff working on the frontline are well trained and know what they are doing and facing, especially when it comes to dealing with regulators.”
“I have to make sure our audit staff working on the frontline are well trained.”