Tim Steketee (30) has been working at De Beer for a year and a half and will soon be moving into his new house in Hilvarenbeek, which he is currently
In a recent publication ‘Exploring the growing use of technology in the audit, with a focus on data analytics’, The International Auditing and Assurance Standards Board (IAASB) describes the opportunities and challenges regarding the use of data analysis in the audit of the annual reports. With their publication, it seems like the IAASB wants to trigger the discussion about data-analytics in connection with the current auditing standards. This is crucial, since the possibilities for the use of data-analysis might be very promising, but it is still a question how well they fit into the current auditing standards.
The motivation for writing this column is the increased attention towards advanced data analytics in academic literature and in the accounting profession. Data analysis is not discussed as such in the “Nadere Voorschriften Controle en Overige Standaarden” (hereafter: ‘NV COS’), the Dutch Standards on Auditing. The NV COS seems to be outdated in her expression about electronic data (Snoei and Van Amerongen, 2015). However, the current auditing standards provide space for collecting sufficient and appropriate control-information using data analysis (Eimers and Van Leeuwen, 2015).
In this column, we explain how data analysis fits in the current auditing standards. The additional integration of data analysis in the domain of the NV COS can be considered as a digitalized form of substantive analytical procedures in combination with test of details (NV COS 520). Substantive analytical procedures combined with a test of detail is considered as a substantive audit procedure to detect deviations on the level of assertions. The applications of data analysis as input for risk assessments will not be covered in this column.
NV COS 520 about Analytical procedures
From this assumption, we can apply the principles according to NV COS 520 in the context of substantive analytical procedures related to advanced data analytics. The substantive analytical procedures consists of four phases (standard 520.15):
1.The pre-development of an expectation;
2.The pre-determination of a threshold for deviations;
3.The comparison of the expectations and the reality; and
4.The evaluation of the explanations for potential deviations through source documentation detail control, keeping the materiality concept in mind.
An important aspect of the substantive digits is the determination of the appropriate aggregation level of the analysis. In other words, the analysis which gives the best insight to detect material deviations.
“Merely gathering information will not provide sufficient audit information to ensure that no material deviations exist.”
The application of analytical analysis in the context of substantive analytical procedures offers important support for an audit, where the client database which contains all the transactions of the organization, is used as much as possible. Although applying the data analysis in the audit of the annual report provides great insights in the business processes, an isolated application without follow-up does not provide sufficient audit evidence (NV COS 500). In other words, merely gathering information will not provide sufficient audit information to ensure that no material deviations exist.
NV COS 530 about Sampling
Since merely gathering information from management is not sufficient as audit evidence, we have to perform additional substantive procedures. The NV COS 530 provides some information on sampling that we can apply to the deviations concerned. Note that NV COS is talking about ‘stratifying’ here: dividing the population into subpopulations.
The NV COS 520 requires the auditor to determine a threshold for the deviations, before he draws the sample. To determine the deviations the auditor can use hypotheses to define what type of deviations should be applied to the identified deviations and determine what type of audit information excludes the hypotheses.
The sample size has to be determined after the possible deviations are identified. The formula that is used for audit risk has endured some critique, since it is not a real formula, but it gives an indication how large the sample should be. The formula: ACR = IR x ICR x CR x SR, where SR is sampling risk.
Assuming that we want to reduce the audit risk to 5% and we already know the inherent risk (IR), the internal control risk (ICR) and the analytical analysis risk (indicated with CR) for the subpopulation, we can calculate how large the sample risk is allowed to be and use this as a basis to determine the size of the sample.
The NV COS states that with an audit on the subpopulation, only an opinion about this subpopulation can be formed and that it is not allowed to make a judgement about the general population. Composing a sample of the subpopulation allows us to form a statement about mistakes in the subpopulation, but it cannot be used to form an opinion about the complete population. Very important to mention is that we can never claim that the untested subpopulation does not contain mistakes. An option for us to create an acceptable level of audit control risk (ACR) for the population is to adjust the analytical analysis risk (CR) to a lower amount and combine this with the inherent risk and the internal control risk for the (still) untested subpopulation. However, maybe we need to execute another sample, of which the size will be a lot smaller than for the subpopulation, because of the stratified deviations.
Professional Skepticism
However, the professional skepticism of the auditor still remains the most important aspect to verify and document the data in a trustworthy manner. The NV COS 500 requires us to establish the reliability (completeness and accuracy) of our data before we use this information in our audit by focusing on the quality of the internal control. We have to determine the reliability based on detail control when the internal control is not sufficient to guarantee the reliability of the obtained information.
Arnold Westgeest and Marc Buijs are one of the pioneers in the use of data analysis in the audits control. From our practice, there is a wide range of appealing examples of completed audits, where data analysis techniques have been used successfully.
About the authors
Arnold Westgeest finished his post graduate studies as IT auditor at the ‘Vrije Universiteit Amsterdam’ and is professor at the ‘Haagse Hogeschool’. He is also the founder of A.J. Westgeest audit & consultancy.
Marc Buijs is Manager Audit & Assurance at Grant Thornton. He finished his postgraduate studies as Registeraccountant at Tilburg University and is an alumni member of Asset | Accounting & Finance. His clientele primarily consists of mid-sized and large private family businesses that operate internationally.
Literature:
- Data Analytics Working Group International Auditing and Assurance Standards Board – ‘Exploring the growing use of technology in the audit, with a focus on data analytics’, september 2016.
- Eimers, P., Leeuwen, O. van (2015). De typologie als basis voor een effectieve en efficiënte data-analyse. Maandblad voor accountancy en bedrijfseconomie, 89e jaargang, oktober 2015.
- Snoei, W. , Nieuw Amerongen, N. van (2015). Toepassing van (big) data-analyse in de MKB-jaarrekeningcontrole in een relatief eenvoudige omgeving. Maandblad voor accountancy en bedrijfseconomie, 89e jaargang, oktober 2015.