Analyzing the role of IT in current and future financial auditing methodologies

Fons Verbeek

Tilburg University, School of Economics and Management, Department of Information Management, The Netherlands

Student: ing. A.M.J. Verbeek

Registration number: 805649

Supervisor: prof. dr. ir. H.A.M. Daniels

Company: PricewaterhouseCoopers Accountants N.V.

Supervisor: drs. W. Roozendaal

Document: Master Thesis Information Management

Version: 1.0

Date of publication: April 27, 2012

Place of publication: Tilburg, The Netherlands


Abstract

This report addresses the issue of improving the performance of the current financial

audit methodology through the application of developments from the field of IT. The

current financial audit practice is described in detail and illustrated by four case studies

applying the audit methodology in practice. Four developments from the field of IT

including audit nets, process mining, continuous auditing and XBRL are described and

analyzed on their applicability. Conclusions following these efforts include a view at

the future of the financial auditing practice and a technology roadmap guiding future

audit methodology improvements.


Table of contents

Abstract
Table of contents
1 Introduction
1.1 Problem definition
1.2 Research questions
1.3 Research methods
1.4 Thesis outline
2 Current state of the financial auditing practice
2.1 Institutions and actors
2.2 Legislation
2.3 Regulations
2.4 Methodology and methods
2.4.1 The PwC methodology
2.4.2 Tests of controls / System oriented methods
2.4.3 Substantive tests / Data oriented methods
2.4.4 Tooling
2.4.5 Limitations
2.4.6 Improvements
2.5 Summary
3 The current financial auditing methodology in practice
3.1 Case study design
3.2 The case of energy supplier A
3.3 The case of energy supplier B
3.4 The case of energy distributor C
3.5 The case of water company D
3.6 Analytical discussion of cases
3.7 Summary
4 Recent developments in the field of IT
4.1 Audit Nets
4.2 Process Mining
4.3 Continuous Auditing
4.4 XBRL
4.5 Analytical discussion of IT developments
4.6 Summary
5 Future directions for the financial auditing practice
5.1 Identifying trends and themes defining the future of the financial auditing practice
5.2 Proposing a Technology Roadmap guiding future audit methodology improvements
5.3 Summary
6 Conclusions and recommendations
References


1 Introduction

The concept of the financial audit has been in existence for centuries. Ever since its

origin practitioners have been searching for ways to improve both the effectiveness and

efficiency of the audit execution. Since the introduction of computerized accounting

and business information systems in the second half of the 20th century, methods to

analyze accounting and business information in an automated fashion have come into

view. To this date however, implementation of such methods in the financial audit

practice remains limited. The aim of this research is to investigate in which way

developments from the field of IT can contribute to the audit performance in terms of

effectiveness and efficiency and in which way these improvements can be

implemented in present financial auditing methodologies.

1.1 Problem definition

Increasing the performance of the financial audit is expected to result in several

significant effects. First of all, increasing the effectiveness of the audit is expected to

result in a higher level of quality associated with the audit execution, increasing

confidence in the judgment of the auditor and the auditor's opinion. Secondly,

increasing the efficiency of the audit is expected to result in a reduction of the costs

involved with the audit execution, improving its accessibility. In order to direct the

financial audit practice in moving towards these goals, this study aims to define how to

improve the performance of current financial auditing methodology through the

implementation of developments from the field of IT.

1.2 Research questions

In order to establish the ways in which the current financial audit approach can be

improved, the first goal is to provide a comprehensive overview of the financial audit

practice as it is established today. Therefore the first research question is formulated as

listed under number 1.

1. What does the current state of the art in the financial auditing practice look

like?


Once a clear view at the current field of practice including its strengths and weaknesses

is obtained, the second goal is to identify the ways in which the current financial audit

performance can be improved through the implementation of developments from the

field of IT. This is covered by the second research question, which is listed under

number 2.

2. How can information technology improve traditional auditing methods in

terms of effectiveness and efficiency?

Following this identification of improvement possibilities, the next research question

concerns the possible implications the application of such improvements might have

and is listed under number 3.

3. What are the implications of these advancements in the field of information

technology for the financial auditing practice?

Once all expected implications for the current financial audit practice are listed, the

ultimate question that is attempted to be answered in this research is formulated as

listed under number 4.

4. What will the future of the financial auditing practice look like?

1.3 Research methods

Although the subject matter of this research is practical in nature, in order to establish a

solid theoretical foundation, this research itself will largely be based on a review of the

literature that is currently available. Interviews with domain experts will be conducted

in order to define the current state of the art in the financial auditing practice and to

serve as a starting point from where to look for relevant financial auditing related

legislation and regulations as well as academic literature from both the fields of

financial auditing and information technology. Additional research methods will be

utilized where applicable in order to support the developed theory. Case studies will be

included in order to illustrate current financial auditing methodologies and structured


analysis will be applied in order to answer the research questions as formulated in

chapter 1.2.

1.4 Thesis outline

In order to provide a reading guide to this report, this section will discuss the contents

of each chapter briefly.

Chapter 2 will start by providing an overall picture of the current state of the financial

auditing practice, including a listing of the methods and methodologies that are

currently applied. This description is followed by an analysis of the current state,

which will result in the identification of both limitations and possibilities for

improvement.

In order to illustrate the current practice as described in chapter 2, four case studies

covering the PwC audit methodology applied in practice will be provided in chapter 3.

Further analysis of these case studies will result in a differentiation between the various

types of methods currently used and the frequency at which they are applied.

Chapter 4 will provide a description of four developments in the field of IT that are

potentially applicable to the financial auditing methodologies as described and

illustrated in chapters 2 and 3. These technologies will further be analyzed and

compared based on their applicability to the PwC audit methodology, availability of

tooling and expected implications for the financial audit performance. This comparison

will result in an indication for the future use potential of these technologies.

Based on the findings from chapters 2 - 4, chapter 5 aims to cast a view on the future

of the financial auditing practice, proposing a technology roadmap which is to serve as

a guide to future audit methodology improvements.

Chapter 6 will discuss the findings from this research and present the final conclusions

and recommendations.


2 Current state of the financial auditing practice

The current Dutch financial auditing practice is a highly regulated market. The aim of

this chapter is to provide an overview of all the relevant institutions, actors, legislation

and regulations that are operational in this field. In order to achieve a good overview of

this matter, a professional of PwC’s assurance practice was interviewed. This chapter

starts with an overview of the most important legislation and regulations and further

drills down to the material concerning auditing methodologies, methods and techniques

which is most relevant in the context of this thesis.

2.1 Institutions and actors

When investigating the Dutch financial auditing practice, five major institutions can be

identified that are each responsible for publishing regulations relevant in this context.

The main institutions that were identified include ‘the legislator’, ‘Nederlandse

Beroepsorganisatie van Accountants’ (NBA), ‘Autoriteit Financiele Markten’ (AFM),

‘Raad voor de Jaarverslaggeving’ (RJ) and ‘Monitoring Commissie Corporate

Governance Code’ (depicted in figure 1). Other actors that play a role in the financial

auditing practice include ‘audit firms’, ‘accountants’ and ‘auditees’. Each of these

entities will be described in more detail below.

Figure 1: Regulating institutions

The legislator

In The Netherlands, ‘the legislator’ is formed by a composition of three entities.

1. Government (Regering)

2. 2nd Chamber / Parliament (Tweede Kamer der Staten-Generaal)

3. 1st Chamber (Eerste Kamer der Staten-Generaal)


Together, these three entities are entitled to pass laws. The most significant laws that

are applicable to the financial auditing practice include the following.

‘Wet toezicht accountantsorganisaties’, Wta, issued 19-01-2006

‘Besluit toezicht accountantsorganisaties’, Bta, issued 16-08-2006

‘Wet op de Registeraccountants’, WRA, issued 28-06-1962

‘Wet op de Accountants-Administratieconsulenten’, WAA, issued 13-12-1972

These laws will be described in more detail in chapter 2.2.

Nederlandse Beroepsorganisatie van Accountants (NBA)

The NBA is the Dutch corporation of accountants. All accountants that are operational

in The Netherlands are recorded in a central register that is administered by the NBA.

In addition, the NBA is responsible for determining the requirements for new

applicants to become an accountant. To this end, the NBA has specified a great number

of regulations called ‘verordeningen’ (ordinances) and ‘nadere voorschriften’ (further

prescriptions). The most important regulations include the following.

‘Verordening accountantsorganisaties’, VAO, issued 08-12-2010, effective 01-01-2011

‘Verordening gedragscode’, VGC, issued 16-12-2009, effective 01-01-2010

‘Nadere voorschriften Controle- en overige standaarden’, NV COS, issued 15-01-2011, effective 15-06-2011

These regulations will be described in more detail in chapter 2.3.

Autoriteit Financiele Markten (AFM)

The AFM is the Dutch authority responsible for supervising the stock exchange

market. In addition, they perform an enforcing role regarding compliance with the laws

concerning financial institutions as well as financial audit firms. The AFM is also

responsible for granting permits to audit firms for statutory financial audits (audits that

are mandatory by law); they keep a register of all audit firms that are allowed to

execute statutory financial audits, the ‘Register accountantsorganisaties’. This register

contains general information about the audit firm as well as specific details about the

permit such as date of request, date of authorization, state of the permit and whether

the audit firm is allowed to audit organizations that are classified as ‘Organisatie van

Openbaar Belang’ (OOB).


Raad voor de Jaarverslaggeving (RJ)

The RJ (Dutch Accounting Standards Board) is responsible for developing guidelines

and accounting standards to be used in The Netherlands. The result of these efforts is

the ‘Richtlijnen voor de jaarverslaggeving’ (RJ) also known as ‘Dutch Generally

Accepted Accounting Principles’ (Dutch GAAP). Since 2005, listed companies in The

Netherlands are required to publish their annual accounts following the International

Financial Reporting Standards (IFRS) developed by the International Accounting

Standards Board (IASB). All non-listed medium to large sized companies are free to

choose either the RJ / Dutch GAAP or IFRS standard. Small companies are not obliged

to publish annual accounts.

Monitoring Commissie Corporate Governance Code

The ‘Monitoring Commissie Corporate Governance Code’ is responsible for

maintaining the Dutch Corporate Governance Code (Dutch CGC) with regard to its

actuality and relevance as well as enforcing compliance with this code by listed

companies in The Netherlands. Each year, the monitoring commission issues a report

treating the extent to which Dutch companies comply with the latest corporate

governance code. The Dutch CGC provides a number of guidelines and best practices

regarding the governance of listed companies. The contents of the Dutch CGC are

generally based on the principles of integrity, objectiveness, competence and

conscientiousness, confidentiality and professional behavior.

Audit firms

Two kinds of audit firms can be distinguished in The Netherlands. Those with a WTA

permit, which are authorized to execute statutory financial audits and are known as

‘accountantsorganisatie’ (accountant organization), and those without a WTA permit,

which are known as ‘accountantskantoor’ (accountant office). As the focus of this

thesis is on the legal entity ‘PricewaterhouseCoopers Accountants N.V.’ (which,

having a WTA permit, classifies as an accountant organization) it will focus on the

‘accountantsorganisatie’.


Accountants

In The Netherlands, there are two kinds of accountants. The accountants that are

authorized to execute statutory financial audits are known as ‘register accountants’

(RA) while all other accountants are known as ‘accountants-administratieconsulenten’

(AA). As most audits performed by PwC are statutory financial audits, the focus of this

thesis will be on the ‘register accountant’.

Auditees

The last actor to be included in this overview of the financial auditing practice is the

auditee, which can be described as any organization that is being audited by an audit

firm and its accountants. There are certain regulations that are specifically aimed at the

auditee in the context of the financial audit. More specifically, these regulations

include the ‘Richtlijnen voor de jaarverslaggeving’ (RJ) and IFRS as well as the Dutch

Corporate Governance Code.

2.2 Legislation

As indicated in the previous chapter, four acts in the Dutch law that are of relevance to

the financial auditing practice were identified. Here each act will be described briefly

and subsequently the relevance of them in the context of this thesis will be indicated.

Figure 2 provides an overview of the current system of legislation and regulations that

became effective in 2007.


Figure 2: Legislation and regulations

Wet toezicht accountantsorganisaties (Wta)

The WTA act was introduced in order to regulate the supervision of audit firms active

in The Netherlands. It designates the AFM as supervisor and introduces a permit that is

required for audit firms in order to be authorized to perform statutory financial audits.

The WTA specifies the requirements for an organization to obtain such a permit; these

requirements contain aspects at both the organizational and individual level.

Organizational aspects include items such as integrity, expertise and skills of the board

of directors, control structure, quality control system, independence, confidentiality

and safeguards for controlled and sound operations. Individual aspects include items

such as professional knowledge, independence, objectivity and integrity,

confidentiality, reporting of suspicion of material fraud, compliance with professional

regulations and reporting of disciplinary cases. In case of non-compliance of an

organization or individual with these requirements, the AFM has the option of

ordaining several penalties depending on the nature and severity of the error. These

penalties include the issuing of a warning, instruction or fine, imposing a cease and

desist, publication of the error or the issuing of a declaration to the public prosecutor.


Besluit toezicht accountantsorganisaties (Bta)

The BTA act comprises an elaboration on some of the requirements for audit firms that

are defined in the WTA act. These additional requirements that are part of the BTA

contain items such as permit requests, quality control systems and the compliance with

and implementation of statutory financial audits (i.e. the implementation of a quality

assurance mechanism and the appointment of a quality assessor). In addition, the BTA

contains definitions concerning independence, sound operations and fraud reporting, as

well as the obligation for audit firms to issue an annual report stating their compliance

with these requirements. The WTA and BTA acts combined form the basis of the

Dutch legislation on audit firms.

Wet op de Registeraccountants (WRA)

The WRA act was introduced in order to regulate the financial audit profession in The

Netherlands. It installs the ‘Koninklijk Nederlands Instituut van Registeraccountants’

(NIVRA), and regulates a number of topics. These topics, which are all focused on the

individual accountant, include items such as the registry, education, final terms and

disciplinary jurisdiction and procedures for ‘register accountants’ (RA).

Wet op de Accountants-Administratieconsulenten (WAA)

Like the WRA act, the WAA act was also introduced in order to regulate the financial

audit profession in The Netherlands. It installs the ‘Nederlandse Orde van

Accountants-Administratieconsulenten’ (NOvAA), and roughly regulates the same

topics as the WRA act, focusing on the individual accountant, but applying only to

‘accountants-administratieconsulenten’ (AA). The NIVRA and NOvAA, which are

mentioned above, have recently merged and are now known as NBA. The WRA and

WAA acts combined form the basis of the Dutch legislation on the financial audit

profession.

2.3 Regulations

In this chapter, the various regulations that were issued by the NBA will be discussed.

As mentioned in the previous chapter, three regulations of interest in the context of this

thesis are identified. Each regulation will be described briefly, followed by an analysis


indicating its relevance and impact on the financial audit methods as referred to in

the introduction.

Verordening accountantsorganisaties (VAO)

The VAO provides audit firms that are listed in the AFM register with a more concrete

instantiation of the general rules and principles that are defined in the WTA and BTA

acts. The topics that are treated in the VAO again concern the system of quality

control, independence and sound operations of the audit firms. The aim of the VAO is

to ensure that in the complete body of rules and regulations consisting of WTA, BTA

and VAO there are no hiatuses and redundancies regarding norms.

Verordening gedragscode (VGC)

The VGC contains rules of conduct and norms for both RA and AA qualified

accountants. Unlike the VAO, which is aimed at audit firms, the VGC is aimed at the

individual accountant. Like the Dutch Corporate Governance Code, all topics treated in

the VGC are based on the five principles of integrity, objectiveness, competence and

conscientiousness, confidentiality and professional behavior.

Nadere voorschriften Controle- en overige standaarden (NV COS)

The NV COS are a set of further prescriptions that follow from article A-130.7 from

the VGC and are issued by the General Assembly of the NBA. The NV COS cover,

among others, the workflow of a generic financial audit trail and detail the standards

and norms for every step required to reach the auditor's opinion. The global steps of the

financial audit process that are covered in the NV COS include the determination of

responsibilities, planning of the audit, assessment of risks, obtainment of audit

evidence, usage of work of other experts and reporting of conclusions. In the context of

this thesis, the obtainment of audit evidence step is the most interesting as it contains

details regarding the applicability of methods to numerical analyses. Numerical

analyses are defined as either comparisons of financial information between periods

(current, historical or prospective information) or between comparable sector specific

entities. Additionally, comparisons of normative relationships between elements of

financial information or between financial information and non-financial information

can also be classified as numerical analyses. Methods that can be used for these

analyses range from simple comparison and normative relationship verification to


advanced statistical techniques. In all cases it is up to the auditor's professional

judgment to choose the methods and techniques with the highest expected

effectiveness and efficiency. All NV COS standards are generally derived from the

International Standards on Auditing (ISA).

Table 1 provides a summary of the relationships between the institutions, actors,

legislation and regulations that have been covered up until now.

| Institutions | Legislation and regulations | Actors |
|---|---|---|
| Legislator | Wet toezicht accountantsorganisaties (Wta) | Audit firms (WTA) |
| Legislator | Besluit toezicht accountantsorganisaties (Bta) | Audit firms (WTA) |
| Legislator | Wet op de Registeraccountants (WRA) | Accountants (RA) |
| Legislator | Wet op de Accountants-Administratieconsulenten (WAA) | Accountants (AA) |
| Nederlandse Beroepsorganisatie van Accountants (NBA) | Verordening accountantsorganisaties (VAO) | Audit firms (WTA) |
| Nederlandse Beroepsorganisatie van Accountants (NBA) | Verordening gedragscode (VGC) | Accountants (RA and AA) |
| Nederlandse Beroepsorganisatie van Accountants (NBA) | Nadere voorschriften Controle- en overige standaarden (NV COS) | Accountants (RA and AA) |
| Autoriteit Financiele Markten (AFM) | Register accountantsorganisaties | Audit firms (WTA) |
| Raad voor de Jaarverslaggeving (RJ) | Richtlijnen voor de jaarverslaggeving (RJ) | Auditees |
| Monitoring Commissie Corporate Governance Code | Dutch Corporate Governance Code | Auditees |

Table 1: Institutions issuing laws and regulations affecting actors

2.4 Methodology and methods

In order to provide consistent high quality and risk management standards, audit firms

use standardized procedures that are documented in their audit methodology. Audit


methodologies provide an overview of the audit process and dictate in great detail

every step that has to be taken in order to be able to determine the auditor's opinion. In

the context of this thesis the methods that the PwC audit methodology prescribes are of

particular interest. This section will first cover the PwC audit methodology, followed

by a description of both the audit methods and techniques currently used therein.

2.4.1 The PwC methodology

As mentioned in the introduction, the methodology forms the basis of a financial audit.

By analyzing the current audit methodology in use by PwC, much can be learned

concerning the procedure that is followed and the methods that are applied when

conducting a financial audit. The following description is taken from the PwC Audit

Guide (PwC Audit 101).

“The PwC audit methodology is called PwC Audit. This methodology is based on the

International Standards on Auditing (ISAs), with more specific PwC policy and

guidance provided where appropriate. The PwC Audit Guide explains PwC's

methodology and provides a common audit approach for PwC member firms to follow

in accordance with network standards, and so that each PwC member Firm

understands the approach taken by other PwC firms to an engagement. The Guide

along with PwC's technology-based audit support tools, templates and content support

engagement teams in conducting assurance and related services engagements.”

As noted in the description above, the PwC audit methodology relies on technology-

based audit support tools. Currently, there are two major tools in use within the PwC

assurance practice: MyClient and its successor Aura. While the former is still

in use for different kinds of assurance assignments, the latter is currently used for all

financial audits. For this reason, the PwC audit methodology supported by Aura will be

the focus of this thesis.


Figure 3: The PwC audit methodology supported by Aura


Following the process diagram depicted in figure 3, the PwC audit methodology

supported by Aura generally consists of 4 phases which will be described briefly in the

following section.

Planning

The planning phase of a financial audit starts with the acceptance of the audit

assignment; during this step the risks and reliability associated with the auditee are

assessed. Once the audit assignment is accepted, the terms of engagement are

determined and a team of auditors is mobilized. Next, the independence of the audit

team is assessed and further required planning procedures are executed.

Understanding the Business, Assess Risk and Determine Audit Strategy

The second phase starts with the analysis of the auditee's organization resulting in the

understanding of the business including its internal control. Subsequently, it includes

the determination of the materiality and the assessment of the levels of inherent risks

associated with the auditee’s organization. This is followed by the establishment of the

audit strategy and identification and evaluation of the controls that mitigate the

assessed risks and ends at the start of the audit plan execution.

Respond to Risk and Gather Evidence

The third phase starts with the determination of both the expected reliance on the

auditee's internal controls and the planned substantive evidence followed by the

approval of the audit plan. Once the audit plan is approved, the auditor continues with

the execution of ‘evidence gathering activities’ (EGAs) consisting of tests of controls,

substantive analytical procedures and tests of detail. Depending on the level of controls

reliance, the focus of the EGAs will be either on tests of controls or on substantive

testing. The results of these EGA steps combined form the body of audit evidence on

which the auditor's opinion will ultimately rely. As a final step in this phase, the risk

assessment and audit plan are updated and other required procedures are performed.

Finalize the Audit

The finalizing phase of a financial audit starts with the performance of the relevant

audit completion procedures. This step is followed by referencing the financial


statements and issuing the reports. The final steps of the PwC audit methodology

consist of debriefing the client, debriefing the audit team and assessing the audit

performance; this concludes the PwC audit trail.

Following this description of the PwC audit methodology, it can be concluded that the

methodology is largely based on a top-down approach where inherent organizational

risks are identified, mitigating controls are assessed and remaining risks are covered by

the application of substantive procedures. This combination of methods results in an

audit methodology based on several traditional audit approaches including the risk-

based approach, systems-based approach, and substantive procedures approach.

Following from interviews with several experts from PwC it is expected that from the

PwC audit methodology described above, some steps have a higher applicability of

assisting technology than others. The business understanding and risk assessment

phase as well as the steps involving evidence gathering activities are expected to have

the highest applicability of assisting technology. Therefore, the steps that were

identified as the most interesting ones in the context of this thesis include the

following.

‘Understand the business including its internal control’

‘Risk assessment analytics’

‘Perform tests of controls’

‘Perform substantive analytical procedures’

‘Perform tests of detail’

In the following sections the steps involving EGAs and the methods and techniques

used therein will be described briefly. Figure 4 provides a view at the way these steps

are interrelated. A distinction is made between tests of controls / system oriented

methods and substantive tests / data oriented methods.


Figure 4: The 3 steps from the PwC audit methodology involving EGAs

2.4.2 Tests of controls / System oriented methods

System oriented methods are aimed at providing comfort regarding the processes,

procedures and controls of the auditee’s organization. Within the PwC audit

methodology, system oriented methods are executed during the ‘Perform tests of

controls’ step of the audit cycle. This section will start with a short description of the

control framework which forms the basis of the controls testing methods included in

the PwC audit methodology; this will be followed by a summary of the various control

types that are derived from this control framework and finally, a description of the

methods and techniques that can be applied to test these controls will be provided.

Control framework

Within the PwC audit methodology, the ‘COSO Internal Control – Integrated

Framework’ (1992) is used to determine the quality of the auditee’s system of internal

controls. The COSO control framework consists of 5 control components that apply to

the organizational objectives including ‘Operations’ (concerning the effectiveness and

efficiency of business processes), ‘Financial reporting’ (concerning the reliability of

financial information), and ‘Compliance’ (with legislation and regulations), at each of

the organizational levels. The 5 control components that are covered in the model

include ‘Control environment’, ‘Risk assessment’, ‘Control activities’, ‘Information

and communication’ and ‘Monitoring’, each of which will be explained briefly in the

next section.


The ‘Control environment’ of an organization forms the basis of the system of

internal controls; it concerns the control awareness, integrity, ethical values and

competence of the people that are part of the organization.

‘Risk assessment’ concerns the process of assessing risks, both internal and

external to the organization, that pose a threat to achieving the organizational

objectives.

‘Control activities’ are policies and procedures that help ensure management

directives are effectuated and include measures such as approvals,

authorizations, verifications and segregation of duties.

‘Information and communication’ together form the binding factor in the

system of internal controls. The aim of this component is to ensure that relevant

information is identified, captured and communicated to people in a way that

enables them to perform their duties.

‘Monitoring’ concerns the process of evaluating the quality and performance of

the system of internal controls over time. Monitoring can be done on an

ongoing basis or by separate evaluations.

The COSO framework suggests that all 5 components must be in place in order to

ensure the system of internal controls is effective. In addition, this has to be the case

for each business objective at all organizational levels. A schematic representation of

the ‘COSO Internal Control – Integrated Framework’ is provided in figure 5.

Figure 5: The COSO Internal Control – Integrated Framework


Control types

Derived from the COSO internal control framework, the PwC audit methodology

defines 4 types of controls. Each control type can be related back to one or more

components of the COSO framework and affects its own distinct part of the

organization in question (e.g. the auditee’s organization). Figure 6 shows a graph

depicting the various constructs in relation to each other.

Figure 6: The 4 control types related to the 5 internal control components

Each of the 4 control types depicted above will be described in more detail below.

Descriptions are taken from the PwC Audit Guide (PwC Audit 6011).

Indirect Entity Level Control (Indirect ELC).

“Indirect ELCs are entity level controls that do not directly relate to any specific

FSLIs/business processes or assertions and, therefore, would not by themselves

prevent or detect on a timely basis material misstatements to assertion(s) at the FSLI

level. They may, however, contribute to the effectiveness of controls.”

Direct Entity Level Control (Direct ELC).

“Direct ELCs are controls that typically operate at least at the sub-process level, i.e.,

at a level higher than transaction level controls, and, when performed effectively, at a

sufficient level of precision to adequately prevent, or detect and correct on a timely

basis, material misstatements related to one or more relevant assertions for FSLIs/

business processes.”


Transaction Level Control.

“Transaction level controls are control activities over the initiation, recording,

processing and reporting of transactions designed to operate at a level of precision

that would prevent, or detect and correct on a timely basis, misstatements related to

one or more relevant assertions for a FSLI/business process. Transaction level

controls can be either detective or preventive in nature and they often include manual

application, automated application or IT Dependent Manual controls.”

Information Technology General Control (ITGC).

“ITGCs are policies and procedures that are used to manage the IT activities and

computer environment, relate to many applications and support the effective

functioning of application controls by helping to verify the continued proper operation

of information systems. This includes the basic IT areas that are relevant to internal

control: IT control environment, Program Development, Program Changes, Access to

Programs and Data and Computer Operations.”

Perform tests of controls

During the ‘Perform tests of controls’ step of the PwC audit methodology, the auditor’s

objective is to test whether the risks that were identified in the auditee’s organization

are mitigated in a satisfactory way by the implementation of effective internal controls.

When determining which controls to take into account, a top down approach is taken

where only controls that cover risks of material nature are considered. Controls tests

applied to this end can vary in their nature, timing and extent.

Figure 7: Types of control tests


Based on their nature, four categories of control tests are distinguished in the PwC

audit methodology as can be seen in figure 7. Listed following an ordinal scale, these

categories include ‘Inquiry’, ‘Observation’, ‘Inspection’ and ‘Reperformance’.

Regarding the extent of testing, control tests can further be classified based on their

frequency of application and sample sizes used therein.

As a final note regarding the testing of internal controls it is interesting to observe that

the total of controls testing consists of the ‘Management Response’ plus ‘Audit Effort’.

This implies that both the auditor and auditee have a responsibility in analyzing and

testing the internal controls of the organization in question. Furthermore the

observation is made that the more management response is provided, the less audit

effort is needed to reach the desired level of comfort as can be seen in figure 8 which

originates from the third Global Technology Audit Guide (GTAG) from the Institute of

Internal Auditors (IIA).

Figure 8: The monitoring of internal controls - management vs. audit

2.4.3 Substantive tests / Data oriented methods

Where system oriented methods are aimed at providing comfort regarding processes,

procedures and controls, data oriented methods are aimed at providing assurance on the

completeness, accuracy and validity of (financial) data directly. As mentioned in

chapter 2.4.1, substantive tests can either focus on substantive analytical procedures or


on tests of detail depending on the level of comfort obtained from the tests of controls

as described in the previous section. In case internal controls sufficiently mitigate

identified risks, the audit is continued by applying substantive analytical procedures

based on the auditee’s financial data. If the internal controls are insufficient, tests of

detail are required to ensure the financial data is correct. Both of these steps are

categorized as data oriented methods and will be described in more detail below.

Focus on substantive analytical procedures

Substantive analytical procedures consist of computational auditing methods that

analyze financial data at aggregate levels in comparison with, for example, data from

previous periods or other entities from the same market segment. When applying

substantive analytical procedures, in general a four step process is followed, regardless

of the method being used. The steps included in this process resemble a simplified

statistical hypothesis testing procedure as can be seen in the description below.

The 4 step process when using substantive analytical procedures (PwC Audit 7033).

1. ‘Develop an independent expectation’

2. ‘Define a significant difference or threshold’

3. ‘Compute difference’

4. ‘Investigate significant differences and draw conclusions’

In general many analytical procedures can be executed by the financial auditor using

tools like Microsoft Excel, however as the required analytical procedures increase in

complexity this approach will become both less effective and less efficient. A data

assurance team can be called upon to perform advanced testing procedures using

specialized software tools that are fitted to execute elaborate queries on large data sets.
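The four-step process above, carried through on constructed monthly figures, as an added example that is not part of the thesis or of PwC's tooling. The expectation model (a least-squares line of revenue on delivered volume, fitted on prior-year data) and the threshold (two residual standard deviations) are assumptions chosen for illustration; the thesis prescribes only the four steps.

```python
from math import sqrt

# Constructed sample data (not from the thesis).
# Prior year: (delivered volume in MWh, recorded revenue in kEUR) per month.
PRIOR_YEAR = [(100, 26), (110, 28), (120, 30), (130, 32), (140, 34), (150, 36),
              (150, 34), (140, 32), (130, 30), (120, 28), (110, 26), (100, 24)]

# Current year: period -> (volume from the metering system, revenue in the ledger).
# The volume is the independent driver; the ledger revenue is what is being audited.
CURRENT_YEAR = {
    "2010-01": (105, 26.5),
    "2010-02": (115, 27.2),
    "2010-03": (125, 35.0),
    "2010-04": (135, 31.0),
    "2010-05": (145, 29.5),
    "2010-06": (150, 35.9),
}


def fit_expectation_model(history):
    """Step 1: fit revenue = intercept + slope * volume on prior-period data.

    Returns (intercept, slope, residual standard deviation).
    """
    n = len(history)
    mean_v = sum(v for v, _ in history) / n
    mean_r = sum(r for _, r in history) / n
    sxx = sum((v - mean_v) ** 2 for v, _ in history)
    sxy = sum((v - mean_v) * (r - mean_r) for v, r in history)
    slope = sxy / sxx
    intercept = mean_r - slope * mean_v
    sse = sum((r - (intercept + slope * v)) ** 2 for v, r in history)
    residual_sd = sqrt(sse / (n - 2))  # two fitted parameters
    return intercept, slope, residual_sd


def analytical_procedure(history, current, k=2.0):
    """Run steps 1 to 4 and return (threshold, rows), one row per period."""
    intercept, slope, residual_sd = fit_expectation_model(history)
    # Step 2: a difference is significant when it exceeds k residual
    # standard deviations of the expectation model (assumed rule).
    threshold = k * residual_sd
    rows = []
    for period, (volume, recorded) in sorted(current.items()):
        expected = intercept + slope * volume
        difference = recorded - expected  # Step 3
        rows.append({
            "period": period,
            "expected": expected,
            "recorded": recorded,
            "difference": difference,
            # Step 4 starts here: these periods need an explanation backed
            # by evidence before a conclusion can be drawn.
            "investigate": abs(difference) > threshold,
        })
    return threshold, rows


def periods_to_investigate(history, current, k=2.0):
    """Periods whose difference exceeds the threshold."""
    _, rows = analytical_procedure(history, current, k)
    return [row["period"] for row in rows if row["investigate"]]


if __name__ == "__main__":
    limit, result = analytical_procedure(PRIOR_YEAR, CURRENT_YEAR)
    print(f"threshold: {limit:.2f} kEUR")
    for row in result:
        flag = "INVESTIGATE" if row["investigate"] else "ok"
        print(f'{row["period"]}  expected {row["expected"]:6.2f}  '
              f'recorded {row["recorded"]:6.2f}  diff {row["difference"]:+6.2f}  {flag}')
```

Tying the threshold to the spread of the expectation model is what makes the procedure resemble a hypothesis test: a difference is significant only when it is larger than the model's own noise.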

Focus on tests of detail

Tests of detail consist of specific auditing methods that analyze financial data at record

level; this implies that each individual account is verified and validated by using for

example reference checking procedures. In order to increase the efficiency of these

methods, sampling techniques are used to limit the number of records that are to be

analyzed. In order to provide assurance regarding a specific account, three types of


tests of detail can be utilized including ‘Targeted testing’, ‘Accept-reject testing’ and

‘Non-statistical sampling’.

Test of detail types (PwC Audit 7041).

‘Targeted testing’

‘Accept-reject testing’

‘Non-statistical sampling’

‘Targeted testing’ provides the greatest control over which records are to be tested; it

allows the auditor to select a specific segment of the population based on some

characteristic. Conclusions following this type of test only apply to the selected records

and are not projected to the untested items in the population.

In case of ‘Accept-reject testing’, the auditor gathers enough evidence to be able to

determine whether a specific attribute of an account must either be accepted or

rejected. This technique is only used in order to test characteristics of accounts; no

monetary information is analyzed using this method.

‘Non-statistical sampling’ is used in case the targeted testing method would require a

large number of records to be tested, for example in case of a largely homogeneous

population. In this case samples are drawn from the population based on non-statistical

sampling methods which are more efficient than formal statistical methods.

2.4.4 Tooling

The auditing process, including the methods and techniques used therein, is

traditionally executed manually. In recent years however, the aid of computer software

tooling is used more frequently in order to reduce costs and thus increase the efficiency

of the audit. Over the last years, techniques assisted by computer software, which are

generally known as ‘Computer Assisted Audit Techniques’ (CAATs), have increased

in functionality and popularity. The following section covers the CAATs that are

currently applied within the PwC financial audit practice. An overview of the tools and

their suppliers is provided below.


CAATs currently applied in the PwC financial audit practice.

‘Aura’ from ‘PriceWaterhouse Coopers Applications B.V.’

‘Excel’, ‘Access’ and ‘SQL Server’ from ‘Microsoft Corporation’

‘AccountAnalyser’ from ‘UNIT4 N.V.’

‘Synaxion Business Process Analyzer’ from ‘Synaxion B.V.’

Aura

Aura is a specialized workflow management system tailored to assist the PwC audit

methodology. Functionalities provided by the tool include electronic documentation

and archiving of the audit trail, built-in definitions for EGAs employed in financial

audits and support for group collaboration within the audit team. The aim of the

software is to streamline the audit process and enable a paperless way of working.

The main functionality of Aura is supporting the financial audit workflow of the PwC

audit methodology as described in chapter 2.4.1 through keeping an electronic record

of each step executed. In addition, supporting functionalities provided by the

application include aiding risk analysis activities through providing support for

documenting the relations between financial statement line items and supporting audit

evidence, supporting the decision making process regarding the audit strategy, and

supporting group collaboration and quality assurance aspects of the audit. Each of

these functionalities will be described in more detail below.

The reason for documenting the connections between financial statement line items

and supporting evidence follows from the core objective of the financial audit, which is

to provide assurance regarding the financial statements of the auditee. In order to

achieve this objective risks are assessed regarding each financial statement line item

and subsequently, mitigating controls are identified and assessed for each risk.

Following this assessment, for each control, one or more evidence gathering activities

are defined which ultimately result in evidence supporting the auditor’s opinion. In

order to facilitate this process, Aura supports the documentation of the relations

between “Financial Statement Line Items”, “Risks”, “Controls”, “Evidence Gathering

Activities” and “Evidence”.


In order to facilitate the decision making process regarding the audit strategy, Aura

supports the automated indication of significant general ledger accounts based on their

materiality. In addition, the evidence gathering activity strategy can either “Focus on

Substantive Analytical Procedures” or “Focus on Tests of Detail” depending on the

level of “Expected Controls Reliance”; this decision making process is also supported

in an integrated fashion.

Finally, the group collaboration functionality integrated in Aura supports the

delegation of tasks among team members and records which team members prepared

and reviewed documented evidence gathering activities in order to follow quality

assurance procedures.

Excel, Access, SQL Server

Microsoft Excel, Access and SQL Server are generic spreadsheet and database tools

being employed in financial audits for their flexible calculating and querying

functionality. The tools allow auditors to perform manual operations on large sets of

data resulting in a reduction of time required to process them. Because of the generic

nature of the tools in question, they are flexible in use and therefore have a broad

applicability. As documentation of the tools covered in this section is ubiquitous, no

further description of the functionalities provided by them is included here.

AccountAnalyser

AccountAnalyser is a tool being employed in financial audits for executing substantive

analytical procedures. The tool is specialized in the analysis of financial accounting

information such as general ledger accounts and journal entries. The advantage of

using AccountAnalyser in financial audits is its ability to quickly generate views of the

financial statements being audited through the flexible composition of queries,

resulting in a quick understanding of the business and its risks.

The core functionality of AccountAnalyser is provided through a library of 130

standardized analyses and corresponding queries and reports. Examples of analyses

incorporated in the AccountAnalyser library include tests for financial liquidity and

solvency, tests regarding debtors and creditors and tests regarding fraud analysis.


Further examples detailing the analysis capabilities of AccountAnalyser include the

following 5 reports (out of 130 reports available) which are based on general ledger

mutations.

Expenses per creditor.

Number of creditors per general ledger account.

Deviating journal entries per general ledger account.

Missing journal entries.

General ledger accounts.

The AccountAnalyser process flow, like any data analysis project, starts with the

extract, transform and load (ETL) phase where the general ledger information is

extracted from the source information system, transformed into the desired format and

loaded into the AccountAnalyser database. Once all financial information is stored in

the database, the data is ready to be analyzed using the predefined analyses as

described above or by performing custom analyses using cross tables, pivot tables or

grids.

Synaxion

Synaxion is another tool which is employed in financial audits for executing

substantive analytical procedures. Instead of focusing on financial accounting

information, the tool uses data from the client's business information systems (for

example the ERP system) in order to allow the auditor to perform a wide range of data

analyses. This functionality again results in a quick understanding of the business and

its risks as well as a more streamlined way of gathering evidence through the execution

of standardized data analyses.

As is the case with AccountAnalyser, Synaxion contains a library of standardized

analyses consisting of queries and reports. Examples of analyses that are included in

this library include tests regarding the purchase to pay, order to cash, and finance to

report cycles. One analysis that is of particular interest is that of the 3-way match, the

aim of which is to match invoices with goods receipts and with orders as part of the

purchase to pay cycle; this analysis is used regularly in practice.


The Synaxion process flow, like any data analysis project, starts with the extract,

transform and load (ETL) phase where the business information is extracted from the

source information system, transformed into the desired format and loaded into the

Synaxion database. Once all business information is stored in the database, the data is

ready to be analyzed using the predefined analyses as described above or by

performing custom analyses using SQL.
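The 3-way match and the load-then-query flow described above, as an added example that is not Synaxion's own analysis or code from the thesis. It loads a constructed extract into an in-memory SQLite database and classifies every invoice with one SQL query; the table names, column names, result labels and the 1% price tolerance are assumptions.

```python
import sqlite3

# Constructed sample extract (not from the thesis).
ORDERS = [  # (po_id, supplier, quantity ordered, unit price)
    ("PO-1", "S-01", 100, 2.50),
    ("PO-2", "S-02", 40, 10.00),
    ("PO-3", "S-03", 10, 99.00),
    ("PO-4", "S-01", 5, 20.00),
    ("PO-5", "S-04", 20, 7.25),
]
RECEIPTS = [  # (gr_id, po_id, quantity received); partial deliveries are allowed
    ("GR-1", "PO-1", 60),
    ("GR-2", "PO-1", 40),
    ("GR-3", "PO-2", 30),
    ("GR-4", "PO-3", 10),
    ("GR-5", "PO-5", 20),
]
INVOICES = [  # (inv_id, po_id, quantity invoiced, unit price)
    ("INV-1", "PO-5", 20, 7.25),    # order, receipt and invoice agree
    ("INV-2", "PO-2", 40, 10.00),   # 40 invoiced, only 30 received
    ("INV-3", "PO-3", 10, 109.00),  # price differs from the order
    ("INV-4", "PO-4", 5, 20.00),    # nothing received yet
    ("INV-5", "PO-9", 1, 500.00),   # refers to an order that does not exist
    ("INV-6", "PO-1", 100, 2.50),   # PO-1 is invoiced twice
    ("INV-7", "PO-1", 100, 2.50),
]

SCHEMA = """
CREATE TABLE purchase_orders (po_id TEXT PRIMARY KEY, supplier TEXT,
                              quantity REAL, unit_price REAL);
CREATE TABLE goods_receipts  (gr_id TEXT PRIMARY KEY, po_id TEXT, quantity REAL);
CREATE TABLE invoices        (inv_id TEXT PRIMARY KEY, po_id TEXT,
                              quantity REAL, unit_price REAL);
"""

# Quantities are compared per order in total, so partial deliveries match
# and a second invoice for the same goods is caught.
MATCH_SQL = """
WITH received AS (
    SELECT po_id, SUM(quantity) AS qty_received
    FROM goods_receipts GROUP BY po_id
),
invoiced AS (
    SELECT po_id, SUM(quantity) AS qty_invoiced
    FROM invoices GROUP BY po_id
)
SELECT i.inv_id,
       CASE
           WHEN o.po_id IS NULL THEN 'NO_ORDER'
           WHEN r.po_id IS NULL THEN 'NO_GOODS_RECEIPT'
           WHEN t.qty_invoiced > r.qty_received THEN 'QUANTITY_EXCEEDS_RECEIPT'
           WHEN ABS(i.unit_price - o.unit_price) > :tol * o.unit_price
               THEN 'PRICE_DEVIATION'
           ELSE 'MATCHED'
       END AS result
FROM invoices i
JOIN invoiced t ON t.po_id = i.po_id
LEFT JOIN purchase_orders o ON o.po_id = i.po_id
LEFT JOIN received r ON r.po_id = i.po_id
ORDER BY i.inv_id
"""


def load(conn):
    """Load step of the ETL phase: create the tables and insert the extract."""
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO purchase_orders VALUES (?, ?, ?, ?)", ORDERS)
    conn.executemany("INSERT INTO goods_receipts VALUES (?, ?, ?)", RECEIPTS)
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", INVOICES)
    conn.commit()


def three_way_match(conn, price_tolerance=0.01):
    """Classify every invoice in the population; returns [(inv_id, result)]."""
    return conn.execute(MATCH_SQL, {"tol": price_tolerance}).fetchall()


def run_demo():
    """Load the constructed extract and return the match result per invoice."""
    conn = sqlite3.connect(":memory:")
    try:
        load(conn)
        return three_way_match(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    for inv_id, result in run_demo():
        print(inv_id, result)
```

Because the query runs over all invoices rather than a sample, the exceptions it returns are the complete list for follow-up, which is the point made for Synaxion under tests of detail in Table 2.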

Following the description of the CAATs currently applied in the PwC financial audit

practice as described above, the table below summarizes the areas of application at

which they are currently employed. The stages of the financial audit identified in

chapter 2.4 are included and for each stage it is indicated which tooling is currently

used in which way.

Area of application per CAAT. The first two columns fall under ‘Understand the Business, Assess Risk and Determine Audit Strategy’; the last three fall under ‘Respond to Risk and Gather Evidence’.

| CAAT | Understand the Business including its Internal Control | Risk Assessment Analytics | Perform Tests of Controls | Perform Substantive Analytical Procedures | Perform Tests of Detail |
|---|---|---|---|---|---|
| Aura | As a workflow management system, Aura supports the entire audit process (applies to all five steps). | | | | |
| Excel, Access, SQL Server | - | - | Testing of controls can be supported by data oriented analyses. | Substantive analytical procedures are often executed using flexible tooling. | Tests of detail are often executed using flexible tooling. |
| AccountAnalyser | By analyzing information from the accounting information system, a better understanding of the business can be obtained. | Analyzing data from the accounting information system can aid in determining materiality. | - | Substantive analytical procedures can be executed based on information from the accounting information system. | - |
| Synaxion | By analyzing information from the business information system, a better understanding of the business can be obtained. | Analyzing data from the business information system can aid in determining high and low risk areas of the business. | Testing of controls can be supported by data oriented analyses. | Substantive analytical procedures can be executed based on information from the business information system. | By analyzing data from the business information system, the entire population can be tested instead of a sample. |

Table 2: Current application of CAATs in the PwC audit methodology

2.4.5 Limitations

While the financial auditing methodology including its methods currently in use by

PwC is able to provide a reasonable level of assurance regarding the accuracy of

financial statements, there are some inherent limitations associated with the methods

presently applied. This section will briefly point out which limitations are relevant in

the context of this thesis and suggest how these limitations can potentially be removed.

Internal control

Because the current methodology is to a certain extent reliant on the correct

functioning of properly implemented internal controls, the inherent limitations of

internal controls themselves pose a threat to the quality of the audit evidence.

Limitations of internal controls include items such as human error in design or

execution of internal controls and interpretation of control results, collusion of two or


more people and inappropriate management override of internal controls. A way to

reduce the level of risk associated with this type of limitation is to reduce the level of

dependence on internal controls altogether, for example by placing more emphasis on

(automated) substantive testing.

Professional judgment

Throughout the audit methodology there are numerous points at which the auditor’s

professional judgment is called upon. Because professional judgment is subjective in

nature, decisions made in this context are susceptible to deviations which may result in

reduced audit quality. A way to reduce the risks associated with these deviations is to

provide even more guidance to auditors on procedures for specific situations. This

solution may not be desirable however, because of the loss of flexibility in the audit

procedure. A better solution might be to automate key parts of the audit procedure

where appropriate through application of standardized computer routines.

Audit evidence

During the evidence gathering activities which are part of every audit, evidence is

gathered in order to reduce audit risk to a minimum. In the PwC audit guide, ‘audit

risk’ is defined as follows (PwC Audit 1053).

“The risk that the auditor expresses an inappropriate audit opinion when the financial

statements are materially misstated. Audit risk is a function of the risks of material

misstatement and detection risk.”

Because it is impracticable to reduce audit risk to zero using current auditing methods,

auditors are expected to reach a persuasive auditor’s opinion rather than a conclusive

one. The question that arises here is whether the application of new technology-based

audit methods may change this premise and allow the auditor to gain sufficient

appropriate audit evidence in order to be able to provide a conclusive auditor’s

opinion, for example by testing all transactions instead of testing samples.


2.4.6 Improvements

The aim of this study is to investigate in which way the current financial audit

methodology as described earlier in this chapter can be improved by the application of

developments from the field of IT. When considering opportunities for improvement in

the current methodology, three key dimensions can be identified. The primary goal of

improving the PwC audit performance is to improve the quality of the financial audit

while decreasing costs and simultaneously adding value to the client. These factors

together result in the research model as depicted in figure 9. This model will later be

extended in order to reflect the effects of the use of new methods and techniques on the

audit performance. A description of each construct is provided below.

Figure 9: PwC audit improvement research model. The constructs ‘Quality’ (+), ‘Costs’ (-) and ‘Added value’ (+) each point to ‘PwC Audit Performance’.

Independent constructs

‘Quality’ can be described as the extent to which the financial audit

requirements as defined in the Dutch legislation and regulations are met by the

PwC audit methodology; it measures the audit effectiveness and positively

affects the PwC audit performance.

‘Costs’ can be described as the average euro amount for which the PwC audit

methodology is able to deliver a financial audit; it measures the audit efficiency

and negatively affects the PwC audit performance.


‘Added value’ can be described as the value that the PwC audit methodology is

able to create on top of the financial audit requirements as defined in the Dutch

legislation and regulations; it measures the extra features that go beyond the

standard expectations and positively affects the PwC audit performance.

Dependent constructs

‘PwC Audit Performance’ can be described as the overall performance

delivered by the PwC audit methodology; it is affected by and measured in

terms of ‘Quality’, ‘Costs’ and ‘Added value’.

2.5 Summary

This chapter provided an overview of the current state of the Dutch financial auditing

practice including a description of the relevant institutions and actors, legislation and

regulations and methodology and methods. The Dutch legislation and regulations

prescribe a specific minimum quality level for financial audits but leave the choice of

methods and techniques during the execution of the audit up to the professional

judgment of the auditor. The PwC audit methodology provides more detailed guidance

on the types of methods and techniques that are suitable for the different steps in the

audit methodology but does not oblige the use of any specific method or technique

either. The steps from the PwC audit methodology that were identified as the most

relevant ones in the context of this thesis include ‘Understand the business including its

internal control’ and ‘Risk assessment analytics’ as well as the steps in which evidence

gathering activities are executed including ‘Perform tests of controls’, ‘Perform

substantive analytical procedures’ and ‘Perform tests of detail’. The usage of methods

and techniques in the current auditing practice was found to be mainly by means of

manual execution supported by computer software tooling for more complex assurance

problems. Three limiting factors in the current financial auditing methodology were

identified including ‘internal control’, ‘professional judgment’ and ‘audit evidence’,

which form a potential for improvement. Finally, a research model was proposed

which serves to stimulate such improvement through the indication of three factors

influencing the financial audit performance.

3 The current financial auditing methodology in practice

In order to illustrate the execution of the current financial auditing methodology in

practice, several case studies will be considered. Data has been acquired from four

financial audits executed at firms from the energy and utilities sector in financial year

2010. Cases to be considered include energy suppliers A and B, energy distributor C,

and water company D; the focus will be on the methodology used and types of methods

applied. The chapter will conclude with an analytical discussion and summary of the

cases described.

3.1 Case study design

The cases to be considered in this chapter will be analyzed following a descriptive

approach. Data regarding these four distinct cases has been acquired from the Aura

audit documentation system forming a snapshot for the financial year 2010. Case

selection was based on available local knowledge from the PwC assurance practice,

more particularly the energy and utilities market segment.

As described in section 2.4, the PwC audit methodology generally considers six types

of Evidence Gathering Activities. For each case considered in this chapter, these EGA

types will be analyzed and compared. The various types of EGAs that are distinguished

in the PwC audit methodology include the following.

• Tests of Controls
    o Inquiry
    o Observation
    o Inspection
    o Reperformance

• Substantive Tests
    o Substantive Analytics
    o Tests of Details

Following the analysis of evidence gathering activity types listed above, a description

of the data analysis methods applied and supporting tooling utilized is provided for the

cases where applicable. This will provide further insight into the methods and types of

analyses that are currently applied in practice.

3.2 The case of energy supplier A

The case under consideration here is the financial audit of energy supplier A from

2010. Energy supplier A is one of the energy production and supplying companies

active on the Dutch energy market. In the context of this thesis, the interesting aspects

of this case are the methodology and methods used in the execution of the audit. An

analysis of the energy supplier A audit 2010 archive acquired from Aura results in the

EGA counts for each type as shown in table 3.

| Test type | Number of occurrences | Percentage |
|---|---|---|
| Inquiry | 92 | 5,21% |
| Observation | 187 | 10,59% |
| Inspection | 361 | 20,44% |
| Reperformance | 50 | 2,83% |
| Other controls tests | 87 | 4,93% |
| Substantive Analytics | 184 | 10,42% |
| Tests of Details | 805 | 45,58% |
| Total Tests of Controls | 777 | 44,00% |
| Total Substantive Tests | 989 | 56,00% |
| Total | 1766 | 100,00% |

Table 3: EGA counts for energy supplier A 2010

Following the EGA counts from table 3, the distribution of the types of EGAs can be

depicted in the form of a pie chart as shown in figure 10.

Figure 10: EGA distribution for energy supplier A 2010

Increasing the abstraction level of EGA types to the differentiation between system

oriented and data oriented EGAs results in the pie chart as shown in figure 11.

Figure 11: System vs. Data orientation for energy supplier A 2010

From the data depicted above, it can be concluded that in the 2010 financial audit of energy

supplier A a relatively large part of the Evidence Gathering Activities consists

of Tests of Details. Furthermore, the balance between system oriented and data

oriented methods seems to be slightly skewed towards the substantive data oriented

side given the ratio of 44 to 56.

Additional inquiry with managers involved in the performance of the audit in question

resulted in the indication of the following data analysis activities.

• AccountAnalyser was applied in order to perform generic analyses on the organization’s general ledger as well as more specific analyses regarding journal entries from the purchase to pay cycle.

• Excel and Access were applied in order to perform a fraud analysis following the ISA 240 standard (The auditor’s responsibility relating to fraud in an audit of financial statements).

3.3 The case of energy supplier B

The case under consideration here is the financial audit of energy supplier B from

2010. Energy supplier B is one of the energy production and supplying companies

active on the Dutch energy market. In the context of this thesis, the interesting aspects

of this case are the methodology and methods used in the execution of the audit. An

analysis of the energy supplier B audit 2010 archive acquired from Aura results in the

EGA counts for each type as shown in table 4. Note that for this case it was not

possible to distinguish between the various types of controls tests.

| Test type | Number of occurrences | Percentage |
|---|---|---|
| Tests of Controls | 871 | 42,24% |
| Substantive Analytics | 242 | 11,74% |
| Tests of Details | 949 | 46,02% |
| Total Tests of Controls | 871 | 42,24% |
| Total Substantive Tests | 1191 | 57,76% |
| Total | 2062 | 100,00% |

Table 4: EGA counts for energy supplier B 2010

Following the EGA counts from table 4, the distribution of the types of EGAs can be

depicted in the form of a pie chart as shown in figure 12.

Figure 12: EGA distribution for energy supplier B 2010

Increasing the abstraction level of EGA types to the differentiation between system

oriented and data oriented EGAs results in the pie chart as shown in figure 13.

Figure 13: System vs. Data orientation for energy supplier B 2010

From the data depicted above, it can be concluded that in the 2010 financial audit of energy

supplier B a relatively large part of the Evidence Gathering Activities consists

of Tests of Details. Furthermore, the proportions of system oriented and data oriented

methods seem to be slightly skewed towards the substantive data oriented side given

the ratio of 42 to 58.

Additional inquiry with managers involved in the performance of the audit in question

resulted in the indication of the following data analysis activities.

• AccountAnalyser was applied in order to perform generic analyses on the organization’s general ledger. However, due to errors in the data extraction phase the intended analyses could not be performed.

• SQL Server was applied in order to perform a fraud analysis following the ISA 240 standard (The auditor’s responsibility relating to fraud in an audit of financial statements).

• The PwC SAP ACE (Automated Controls Evaluator) tool was applied in order to test the segregation of duties.

3.4 The case of energy distributor C

The case under consideration here is the financial audit of energy distributor C from

2010. Energy distributor C is one of the energy distributors active on the Dutch energy

market. An analysis of the energy distributor C audit 2010 archive acquired from Aura

results in the EGA counts for each type as shown in table 5.

| Test type | Number of occurrences | Percentage |
|---|---|---|
| Inquiry | 23 | 1,32% |
| Observation | 146 | 8,36% |
| Inspection | 433 | 24,79% |
| Reperformance | 80 | 4,58% |
| Other controls tests | 171 | 9,79% |
| Substantive Analytics | 88 | 5,04% |
| Tests of Details | 806 | 46,14% |
| Total Tests of Controls | 853 | 48,83% |
| Total Substantive Tests | 894 | 51,17% |
| Total | 1747 | 100,00% |

Table 5: EGA counts for energy distributor C 2010

Following the EGA counts from table 5, the distribution of the types of EGAs can be

depicted in the form of a pie chart as shown in figure 14.

Figure 14: EGA distribution for energy distributor C 2010

Increasing the abstraction level of EGA types to the differentiation between system

oriented and data oriented EGAs results in the pie chart as shown in figure 15.

Figure 15: System vs. Data orientation for energy distributor C 2010

From the data depicted above, it can be concluded that in the 2010 financial audit of energy

distributor C a relatively large part of the Evidence Gathering Activities consists of Tests of

Details. Furthermore, the proportions of system oriented and data oriented methods seem to be

well balanced given the ratio of 49 to 51.

Additional inquiry with managers involved in the performance of the audit in question

resulted in the indication of the following data analysis activities.

• Account Analyser was applied in order to perform generic analyses on the organization’s general ledger.

• The PwC SAP ACE (Automated Controls Evaluator) tool was applied in order to test the segregation of duties.

3.5 The case of water company D

The case under consideration here is the financial audit of water company D from

2010. Water company D is one of the water supplying companies active on the Dutch

market. An analysis of the water company D audit 2010 archive acquired from Aura

results in the EGA counts for each type as shown in table 6.

| Test type | Number of occurrences | Percentage |
|---|---|---|
| Inquiry | 0 | 0,00% |
| Observation | 22 | 9,21% |
| Inspection | 40 | 16,74% |
| Reperformance | 0 | 0,00% |
| Substantive Analytics | 36 | 15,06% |
| Tests of Details | 141 | 59,00% |
| Total Tests of Controls | 62 | 25,94% |
| Total Substantive Tests | 177 | 74,06% |
| Total | 239 | 100,00% |

Table 6: EGA counts for water company D 2010

Following the EGA counts from table 6, the distribution of the types of EGAs can be

depicted in the form of a pie chart as shown in figure 16.

Figure 16: EGA distribution for water company D 2010

Increasing the abstraction level of EGA types to the differentiation between system

oriented and data oriented EGAs results in the pie chart as shown in figure 17.

Figure 17: System vs. Data orientation for water company D 2010

From the data depicted above, it can be concluded that in the 2010 financial audit of water

company D a very large part of the Evidence Gathering Activities consists of

Tests of Details. Furthermore, the proportions of system oriented and data oriented

methods seem to be quite unbalanced given the ratio of 26 to 74.

Additional inquiry with managers involved in the performance of the audit in question

resulted in the indication of the following data analysis activities.

• Account Analyser was applied in order to perform generic analyses on the organization’s general ledger.

3.6 Analytical discussion of cases

When comparing and analyzing the cases described in this chapter, several conclusions

can be drawn. First of all, the assertion made in chapter 2.4.1 implying that the PwC

audit methodology is based on both system oriented and data oriented methods can be

confirmed as both types of methods were encountered in the audit archives under

consideration. Secondly, in all cases considered, the number of data oriented tests

exceeded the number of system oriented tests suggesting that the PwC audit

methodology has a tendency towards the execution of Substantive Analytics and Tests

of Details over controls based methods. Quantifying this tendency results in an average

preference of substantive tests over tests of controls of 63,6% within the cases

considered, based on a total number of 5814 executed EGAs. It must be noted that the

numbers included in this analysis only concern numbers of tests performed; the actual

time spent per test activity could not be retrieved from the audit documentation.

Following the descriptions of data analysis methods performed, it can be concluded

that analyses are currently primarily aimed at financial information (general ledger and

journal entries). Other analyses currently performed in practice include procedures

following the ISA 240 fraud analysis standard as well as tests regarding segregation of

duties.

3.7 Summary

This chapter provided a descriptive analysis of four concrete instantiations of the PwC

audit methodology from the energy and utilities market sector illustrating the theory

covered in chapter 2. For each case, several analyses were performed including EGA

counts, EGA distributions and system vs. data orientation. Also, a description of the

data analysis methods and tools applied was provided. The main conclusion that can be

drawn from these analyses is the identification of a bias in the PwC audit

methodology towards the execution of data oriented methods.

4 Recent developments in the field of IT

This chapter covers four recent developments from the field of IT that have a high

potential applicability in the financial auditing practice. In order to identify these four

developments, a literature scan has been conducted which produced a list of

technologies that have been associated with the financial auditing practice in prior

research. The four IT developments that are included in this chapter were indicated as

having the highest interest among the financial and IT audit professionals that were

interviewed in the course of this research; they include Audit Nets, Process Mining,

Continuous Auditing and XBRL. A description of each technology will be given,

followed by an indication of its applicability to the PwC audit methodology, a short

look at the currently available tooling, and ending with a view of the expected

implications the implementation will have on the current financial audit practice. The

chapter will be concluded by an analytical discussion, comparison and summary of the

various developments that have been described.

4.1 Audit Nets

The concept of audit nets was first proposed by Philip Elsas in his 1996 PhD

dissertation “Computational Auditing”. Building on classic petri net theory from Carl

Petri (1962), audit nets provide additional functionality which enables them to be applied

in the context of the financial audit.

Description

Classic petri nets are graphs consisting of places containing tokens, and transitions

transferring tokens between places. Places and transitions are connected by arrows. A

petri net typically represents a specific state of a process where the location of the

tokens determines the state. When applying this theory to the value cycle (supercycle)

of an organization as described by Starreveld, a petri net can be used to model a

complete value cycle including value depots (e.g. accounts) represented by places, and

transactions (e.g. journal entries) represented by transitions. A limitation of classic

petri nets, however, is the inability to model the so-called value jump, which occurs in

value cycles for commercial organizations and represents the profit margin. In

addition, classic petri nets are limited in their support for mapping actors and

authorizations to transactions, which is an important feature in the context of the

financial audit; this application will be described in more detail in chapter 4.1.2. An

example of a value cycle modeled as a classic petri net is provided in figure 18.

Figure 18: Value cycle modeling using classic petri nets

In order to resolve the issues described above, Elsas introduced the audit net which

extends the classic petri net in providing support for the concepts of value jump, actor

and authorization. The audit net formalism supports the generation of authorization

matrices from audit nets providing an overview of which actor is authorized to execute

which transaction. Furthermore, by applying deontic logic, it provides support for

analyzing these matrices on the correct application of segregation of duties as

described by Starreveld.

Applicability

Audit nets can be applied during several steps of the audit procedure. First of all,

during the controls testing step, audit nets can be used to apply automated

authorization scans in order to assess the correctness of the implementation of the

segregation of duties principle as mentioned in the previous section. By applying the

analysis algorithm, a list of exceptions is produced of all possible solo fraud scenarios

under the given authorization levels; this list can then be used to identify the weak

spots in the system of internal controls concerning segregation of duties. During the

execution of substantive analytical procedures, audit nets can assist by analyzing the

reachability of the end state of the audit net (closing balance) given the begin state

(prior year closing balance). The result of this analysis will indicate whether the

amounts in the closing balance are possible given the documented value cycle in the

specified begin state. In addition, audit nets can be employed for reperformance and

simulation purposes. To this end, the audit net is used to find deviations from

normative relations between expected values and documented values as well as

verification of the financial data with the BETA formula from Starreveld (Begin – Eind

+ Toename – Afname = 0, i.e. opening balance – closing balance + increase – decrease = 0).

These applications are all examples of substantive

analytical procedures supported by audit nets.
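The authorization scan and the BETA verification described above can be sketched as follows. This is an added example, not code from the thesis, from Elsas's formalism or from any PwC tool; the value cycle, actors, amounts and the rule that consecutive transactions must be segregated are assumptions, and the pairwise check is a simplification standing in for the deontic-logic analysis.

```python
from collections import defaultdict

# Constructed value cycle (assumption): places are value depots, transitions
# are transaction types, each with the actors authorized to execute it.
TRANSITIONS = {
    # name: (source depot, target depot, authorized actors)
    "purchase": ("cash", "inventory", {"alice", "bob"}),
    "sale": ("inventory", "receivables", {"bob", "carol"}),
    "cash_receipt": ("receivables", "cash", {"carol", "dave"}),
}

# Constructed journal entries: (transition, value leaving source, value entering target).
# The sale takes 300 out of inventory and books 450 into receivables: the value jump.
ENTRIES = [("purchase", 400, 400), ("sale", 300, 450), ("cash_receipt", 200, 200)]
BEGIN = {"cash": 1000, "inventory": 500, "receivables": 0}
# Documented closing balance, constructed with receivables overstated by 50.
DOCUMENTED_END = {"cash": 800, "inventory": 600, "receivables": 300}


def authorization_matrix(transitions):
    """Return {actor: set of transitions that actor may execute}."""
    matrix = defaultdict(set)
    for name, (_src, _dst, actors) in transitions.items():
        for actor in actors:
            matrix[actor].add(name)
    return dict(matrix)


def sod_exceptions(transitions):
    """List (actor, first, second) where one actor may execute two consecutive
    transitions, i.e. the target depot of the first feeds the second.
    Assumed conflict rule for this sketch, not the audit net algorithm itself."""
    matrix = authorization_matrix(transitions)
    found = []
    for first, (_s1, dst1, _a1) in transitions.items():
        for second, (src2, _d2, _a2) in transitions.items():
            if first != second and dst1 == src2:
                for actor, allowed in matrix.items():
                    if first in allowed and second in allowed:
                        found.append((actor, first, second))
    return sorted(found)


def replay(begin, entries, transitions):
    """Fire every journal entry as a transition; return end state and flows."""
    state = dict(begin)
    increase, decrease = defaultdict(int), defaultdict(int)
    for name, amount_out, amount_in in entries:
        src, dst, _actors = transitions[name]
        if state[src] < amount_out:
            # The transition is not enabled: this state is not reachable.
            raise ValueError(f"{name} not enabled: {src} holds {state[src]}")
        state[src] -= amount_out
        state[dst] += amount_in
        decrease[src] += amount_out
        increase[dst] += amount_in
    return state, dict(increase), dict(decrease)


def beta_violations(begin, documented_end, entries, transitions):
    """Per depot, evaluate Begin - Eind + Toename - Afname; report non-zero residuals."""
    _state, inc, dec = replay(begin, entries, transitions)
    residuals = {}
    for place in begin:
        value = begin[place] - documented_end[place] + inc.get(place, 0) - dec.get(place, 0)
        if value != 0:
            residuals[place] = value
    return residuals


def value_jump(entries):
    """Total value created by transitions whose inflow exceeds their outflow."""
    return sum(amount_in - amount_out for _name, amount_out, amount_in in entries)


if __name__ == "__main__":
    print("SoD exceptions:", sod_exceptions(TRANSITIONS))
    print("BETA residuals:", beta_violations(BEGIN, DOCUMENTED_END, ENTRIES, TRANSITIONS))
    print("Value jump:", value_jump(ENTRIES))
```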

Tooling

As is the case with any conceptual development, practical usability of it is to a large

extent dependent on the availability of tooling that is off the shelf and ready to use. As

audit nets are a relatively new development, little tooling is currently on offer

that implements the concept other than scientific proof of concept installations. Due to

this limited availability of tooling, widespread application of the development among

financial auditors is not expected in the short term.

Implications

The implementation of the use of audit nets in the PwC audit methodology is expected

to have multiple implications. An extension of the research model as introduced in

chapter 2.4.6 visualizing an overview of all estimated effects of such implementation is

provided in figure 19. This section is concluded by a further description of the

constructs and effects extending the research model.

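[Diagram: ‘Audit Nets’ with arrows to ‘Quality’, ‘Costs’ and ‘Added value’, which in turn point to ‘PwC Audit Performance’; the arrows are labelled with the signs +, - and +/-.]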

Figure 19: Implications of the implementation of audit nets on the PwC audit performance

Extending constructs

‘Audit Nets’ represents the implementation of the concept of audit nets, as

described in chapter 4.1 of this writing, in the PwC audit methodology. It is

determined by whether audit nets are implemented in the PwC audit

methodology and is expected to affect ‘Quality’, ‘Costs’ as well as ‘Added

value’.

Extending effects

‘Quality’ is expected to be affected positively by the implementation of audit

nets as the development supports the achievement of the financial audit

requirements as described in the Dutch legislation and regulations through the

introduction of an exhaustive method for the testing of conflicts in the

segregation of duties.

‘Costs’ is expected to be affected both positively and negatively by the

implementation of audit nets as an initial investment will be required in terms

of tooling procurement and training, followed by an expected costs reduction

resulting from reduced time spent on getting an understanding of the business,

risk assessment, controls testing, and substantive analytical procedures.

‘Added value’ is expected to be affected positively by the implementation of

audit nets as on top of the expected audit results, additional insight is provided

in the organizational value cycle providing the auditee with valuable business

analytics.

4.2 Process Mining

The concept of process mining was first proposed by Wil van der Aalst and is covered

in the 2011 publication “Process Mining: Discovery, Conformance and Enhancement

of Business Processes”. As a variation on classic data mining, process mining focuses

specifically on the mining of business process models from information system event

logs.

Description

Event logs contain detailed information on all transactions that are executed within an

information system. As mentioned in the introduction, process mining uses data from

event logs of business information systems such as Enterprise Resource Planning

(ERP), Supply Chain Management (SCM) and Workflow Management Systems

(WMS) in order to reconstruct the underlying process model in the form of a petri net.

This concept is depicted in figure 20. The constructed process model subsequently

provides a view of the run-time functioning of the process in contrast to the design-time

process model and therefore provides a better understanding of the actual

functioning of the business process in question. A comparison of the design-time

model with the run-time model can point out anomalies in the execution of the

business process as well as violations of controls; this procedure is called conformance

checking. Finally, performance analyses can be applied on the generated model by

analyzing the time consumption of each step in the business process and consequently

identifying bottlenecks. In order to be able to mine the event logs of an information

system, they must comply with some criteria. More specifically, an identification of the

actor and the date and time of the transaction must be included. In addition, some

preparation may be required in order to merge data from different sources to one

location containing the complete event log.

Figure 20: The concept of process mining

Applicability

Process mining can be applied during various stages of the financial audit; identified

possibilities of application include the following. During the ‘Understand the Business,

Assess Risk and Determine Audit Strategy’ phase, process mining can assist in getting

a good understanding of the systems and processes of the auditee’s organization by

analyzing the event logs and generating a process model. This way, auditors are able to

get a good understanding of the business faster and assess the relevant risks more

efficiently. Subsequently, during the execution of evidence gathering activities, the

effectiveness of the internal controls can be assessed by performing a conformance

check comparing the generated “IST” process model with the normative “SOLL”

process model and thereby verifying the functioning of the controls that are in place. In

addition to these applications, the performance analysis functionality made possible by

process mining can add value to the financial audit by suggesting performance

improvements to the auditee’s business processes.
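The three uses named above (model discovery, conformance checking against the normative model, and performance analysis) can be sketched on a small event log. This is an added example, not code from the thesis or from any process mining product; the purchase-to-pay log, the normative "SOLL" relations and the four-eyes rule are constructed assumptions, and a directly-follows graph is used as a simpler stand-in for the mined petri net.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed event log (assumption): case id, activity, actor, timestamp.
EVENT_LOG = [
    ("PO-1", "create_po", "alice", "2010-03-01T09:00"),
    ("PO-1", "approve_po", "bob", "2010-03-01T11:00"),
    ("PO-1", "receive_goods", "carol", "2010-03-03T11:00"),
    ("PO-1", "pay_invoice", "dave", "2010-03-04T11:00"),
    ("PO-2", "create_po", "alice", "2010-03-02T09:00"),
    ("PO-2", "pay_invoice", "dave", "2010-03-02T10:00"),
    ("PO-3", "create_po", "erin", "2010-03-05T09:00"),
    ("PO-3", "approve_po", "erin", "2010-03-05T10:00"),
    ("PO-3", "receive_goods", "carol", "2010-03-06T10:00"),
    ("PO-3", "pay_invoice", "dave", "2010-03-07T10:00"),
]

# Normative ("SOLL") directly-follows relations of the designed process (assumption).
SOLL_EDGES = {
    ("create_po", "approve_po"),
    ("approve_po", "receive_goods"),
    ("receive_goods", "pay_invoice"),
}


def group_traces(log):
    """Group events per case, ordered by time. Actor and timestamp are
    mandatory, matching the log criteria named in the description."""
    traces = defaultdict(list)
    for case, activity, actor, stamp in log:
        if not actor or not stamp:
            raise ValueError(f"event in case {case} lacks actor or timestamp")
        traces[case].append((datetime.fromisoformat(stamp), activity, actor))
    return {case: sorted(events) for case, events in traces.items()}


def discover_dfg(traces):
    """Run-time ("IST") model: how often activity b directly follows activity a."""
    dfg = Counter()
    for events in traces.values():
        for (_t1, a, _x), (_t2, b, _y) in zip(events, events[1:]):
            dfg[(a, b)] += 1
    return dfg


def conformance(traces, soll_edges):
    """Return {case: observed steps that the normative model does not allow}."""
    deviations = {}
    for case, events in traces.items():
        bad = [(a, b) for (_t1, a, _x), (_t2, b, _y) in zip(events, events[1:])
               if (a, b) not in soll_edges]
        if bad:
            deviations[case] = bad
    return deviations


def four_eyes_violations(traces, first, second):
    """Cases in which the same actor executed both activities."""
    cases = []
    for case, events in traces.items():
        actors = defaultdict(set)
        for _t, activity, actor in events:
            actors[activity].add(actor)
        if actors[first] & actors[second]:
            cases.append(case)
    return sorted(cases)


def bottleneck(traces):
    """Step with the highest mean waiting time in hours: (edge, hours)."""
    waits = defaultdict(list)
    for events in traces.values():
        for (t1, a, _x), (t2, b, _y) in zip(events, events[1:]):
            waits[(a, b)].append((t2 - t1).total_seconds() / 3600)
    means = {edge: sum(v) / len(v) for edge, v in waits.items()}
    edge = max(means, key=means.get)
    return edge, means[edge]


if __name__ == "__main__":
    traces = group_traces(EVENT_LOG)
    print("IST model:", dict(discover_dfg(traces)))
    print("Deviations:", conformance(traces, SOLL_EDGES))
    print("Four-eyes violations:", four_eyes_violations(traces, "create_po", "approve_po"))
    print("Bottleneck:", bottleneck(traces))
```

The check only compares directly-follows steps, so a case that stops early without taking a forbidden step is not reported.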

Tooling

Process mining is a broad development that has been applied in a wide area of practice

for several years. Because of this, over the last years the technology has increased in

popularity and found its way to a variety of software packages. The tooling in question

however is generic in nature and possibly does not support all the features making the

technology interesting for the financial auditing practice as described above. For this

reason it is expected that in time, when process mining technology is implemented in

specialized financial auditing tooling, the development will be utilized by the financial

auditing practice on a broad scale.

Implications

The implementation of the use of process mining in the PwC audit methodology is

expected to have multiple implications. An extension of the research model as

introduced in chapter 2.4.6 visualizing an overview of all estimated effects of such

implementation is provided in figure 21. This section is concluded by a further

description of the constructs and effects extending the research model.

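[Diagram: ‘Process Mining’ with arrows to ‘Quality’, ‘Costs’ and ‘Added value’, which in turn point to ‘PwC Audit Performance’; the arrows are labelled with the signs +, - and +/-.]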

Figure 21: Implications of the implementation of process mining on the PwC audit performance

Extending constructs

‘Process Mining’ represents the implementation of the concept of process

mining, as described in chapter 4.2 of this writing, in the PwC audit

methodology. It is determined by whether process mining is

implemented in the PwC audit methodology and is expected to affect ‘Quality’,

‘Costs’ as well as ‘Added value’.

Extending effects

‘Quality’ is expected to be affected positively by the implementation of process

mining as the development supports the achievement of the financial audit

requirements as described in the Dutch legislation and regulations through

facilitating a better understanding of the auditee’s systems and processes

resulting in a better risk assessment and through providing new persuasive audit

evidence resulting from conformance checking.

‘Costs’ is expected to be affected both positively and negatively by the

implementation of process mining as an initial investment will be required in

terms of tooling procurement and training, followed by an expected costs

reduction resulting from reduced time spent on getting an understanding of the

business, risk assessment, and controls testing.

‘Added value’ is expected to be affected positively by the implementation of

process mining as on top of the expected audit results, additional insight is

provided in the auditee’s systems and processes as well as their performance.

4.3 Continuous Auditing

The concept of continuous auditing is one that has been in existence in literature for

over 2 decades. Rather than providing assurance on financial statements once every

period as traditional auditing methodology prescribes, continuous auditing promises to

deliver an increased level of assurance by executing evidence gathering activities at a

higher frequency while reducing audit costs at the same time.

Description

Continuous auditing was first documented in the case study of AT&T Bell

Laboratories in 1989 by Vasarhelyi and Halper. The authors propose a “Continuous

Process Auditing System” (CPAS) providing measurement, monitoring and analysis of

AT&T’s billing information. The system specified in this case further introduced the

concepts of metrics, analytics and alarms in relation to financial information. While the

case referenced here forms the foundation for the concept of continuous auditing, over

time additions were made by various authors. An important amendment includes the

specification of the conceptual model for continuous auditing, monitoring and

assurance as depicted in figure 22 by The Institute of Internal Auditors (IIA) in its

Global Technology Audit Guide 3 (GTAG 3). This model specifies the relationship

between the concepts of continuous auditing (CA) and continuous monitoring (CM),

who is responsible for them and how they can contribute to reaching continuous

assurance. From a technological perspective, the concepts of CA and CM are identical;

both rely on the correct implementation of processes for continuous controls

monitoring and continuous data assurance. Continuous controls monitoring is achieved

by specifying a set of business rules following from the system of internal control and

subsequently checking for all individual transactions whether they comply with this set,

where exceptions are handled based on their nature and materiality. Continuous data

assurance is achieved by recording all transaction data and analyzing it periodically using

BI techniques looking for cases where combinations of transactions violate the system

of internal control. Prerequisites for a successful implementation of these processes

include well specified business processes, near time registration of transactions, usage

of ERP systems, data warehouses and available computing capacity.

Figure 22: Conceptual model for continuous auditing, monitoring and assurance
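The two processes described above, per-transaction continuous controls monitoring and periodic continuous data assurance over combinations of transactions, can be sketched as follows. This is an added example, not code from the thesis, the IIA guide or any CA/CM product; the payment records, the two business rules, the approval limit and the materiality threshold are constructed assumptions.

```python
from collections import defaultdict

APPROVAL_LIMIT = 5000   # assumed: payments above this amount need an approver
MATERIALITY = 10000     # assumed: exceptions at or above this amount raise an alert

# Constructed payment transactions (assumption), in order of registration.
TRANSACTIONS = [
    {"id": "T1", "vendor": "V1", "amount": 900, "creator": "alice",
     "approver": "bob", "date": "2010-06-01"},
    {"id": "T2", "vendor": "V2", "amount": 12000, "creator": "carol",
     "approver": "carol", "date": "2010-06-01"},
    {"id": "T3", "vendor": "V3", "amount": 6000, "creator": "dave",
     "approver": None, "date": "2010-06-01"},
    {"id": "T4", "vendor": "V4", "amount": 3000, "creator": "erin",
     "approver": None, "date": "2010-06-02"},
    {"id": "T5", "vendor": "V4", "amount": 2500, "creator": "erin",
     "approver": None, "date": "2010-06-02"},
]


def r1_self_approval(tx):
    """Violated when the creator approved their own payment."""
    return tx["approver"] is not None and tx["approver"] == tx["creator"]


def r2_missing_approval(tx):
    """Violated when a payment above the limit carries no approval."""
    return tx["amount"] > APPROVAL_LIMIT and tx["approver"] is None


# Business rules following from the (assumed) system of internal control.
RULES = [
    ("R1_self_approval", r1_self_approval),
    ("R2_missing_approval", r2_missing_approval),
]


def route(tx):
    """Handle an exception by materiality: immediate alert or review queue."""
    return "alert" if tx["amount"] >= MATERIALITY else "review"


def monitor(stream):
    """Continuous controls monitoring: test every transaction against every rule."""
    exceptions = []
    for tx in stream:
        for rule_id, violated in RULES:
            if violated(tx):
                exceptions.append((tx["id"], rule_id, route(tx)))
    return exceptions


def split_payment_groups(recorded):
    """Continuous data assurance: periodic scan for combinations that pass each
    individual rule but together exceed the approval limit (same creator,
    vendor and day, no approver on any part)."""
    groups = defaultdict(list)
    for tx in recorded:
        if tx["amount"] <= APPROVAL_LIMIT and tx["approver"] is None:
            groups[(tx["creator"], tx["vendor"], tx["date"])].append(tx)
    findings = []
    for (creator, vendor, date), txs in sorted(groups.items()):
        total = sum(t["amount"] for t in txs)
        if len(txs) > 1 and total > APPROVAL_LIMIT:
            findings.append((creator, vendor, date, total, [t["id"] for t in txs]))
    return findings


if __name__ == "__main__":
    for exception in monitor(TRANSACTIONS):
        print("CCM exception:", exception)
    for finding in split_payment_groups(TRANSACTIONS):
        print("CDA finding:", finding)
```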

Applicability

The applicability of continuous auditing to the PwC audit methodology is highly

dependent on the auditee’s systems and processes. As noted in the description above,

the prerequisites for continuous auditing place a high demand on the auditee. In cases

where requirements are met, CA can be implemented following the model depicted in

figure 22 where the role of PwC is auditing both the auditee’s CM process as well as

auditing its business systems and processes directly in case the CM process does not

provide the required level of audit comfort. This way of working effectively adds a

third layer of audit evidence to the PwC audit methodology where the financial audit

will primarily focus on the auditee’s CM process with the possibility of falling back

on traditional controls based / system oriented and ultimately substantive / data

oriented audit methods. Advantages to be gained from this new audit approach include

an increased level of assurance through more timely and effective detection of business

risks as they occur as well as added value to the client through a better control position

regarding their governance, risk and compliance (GRC).

Tooling

As the CM process for every organization is likely to be different, a single off the shelf

tooling product to support them seems not to be a viable solution. However, any

tooling supporting financial audit automation can be seen as an aid towards the

continuous assurance concept. In this light, basic tooling supporting CA/CM is

currently readily available and will advance over time towards a more comprehensive

solution. It is likely however that CA/CM tooling will remain a matter of selection and

customization of components in contrast to implementing a single off the shelf solution

for the time being.

Implications

The implementation of the use of continuous auditing in the PwC audit methodology is

expected to have multiple implications. An extension of the research model as

introduced in chapter 2.4.6 visualizing an overview of all estimated effects of such

implementation is provided in figure 23. This section is concluded by a further

description of the constructs and effects extending the research model.

[Figure 23 diagram; node labels: Continuous Auditing, Quality, Added value, Costs, PwC Audit Performance; effect signs: +, -, +/-]

Figure 23: Implications of the implementation of continuous auditing on the PwC audit performance

Extending constructs

‘Continuous Auditing’ represents the implementation of the concept of

continuous auditing, as described in chapter 4.3 of this writing, in the PwC

audit methodology. It is determined by the fact whether continuous auditing is

implemented in the PwC audit methodology and is expected to affect ‘Quality’,

‘Costs’ as well as ‘Added value’.

Extending effects

‘Quality’ is expected to be affected positively by the implementation of

continuous auditing as the development supports the achievement of the

financial audit requirements as described in the Dutch legislation and

regulations through adding a third layer of audit evidence resulting in more

timely and effective detection, prevention, and correction of business risks.

‘Costs’ is expected to be affected both positively and negatively by the

implementation of continuous auditing as an initial investment will be required

in terms of tooling procurement, system implementation and training, followed

by an expected costs reduction resulting from reduced time spent on controls

testing and substantive analytical procedures which are largely replaced by the

audit testing of the CM process.

‘Added value’ is expected to be affected positively by the implementation of

continuous auditing as on top of the expected audit results, additional insight is

provided regarding the organization’s governance, risk and compliance (GRC)

control position.

4.4 XBRL

The eXtensible Business Reporting Language (XBRL) is a standard for storing,

exchanging and reporting business information following a standardized format. The

standard is based on the Extensible Markup Language (XML) and was conceived in

1998 by the XBRL International Consortium. Where XML was designed to be used

with generic data, XBRL is especially suitable for the formatting of business

information through the use of specialized taxonomies.

Description

The main aim of XBRL is to provide an open standard for standardizing the formatting

of business information on both the syntactic and semantic level. On the syntactic

level, standardization is achieved by utilizing the open XML standard, which allows

data to be tagged, resulting in an instance document containing both the data and their

definitions. On the semantic level, XBRL standardizes the data definitions by

providing support for so called taxonomies which define all possible data elements

within corresponding XBRL instance documents. Elements contained in XBRL

taxonomies are defined by dimensions such as description, calculation, presentation,

data type and the relations to other elements. Relevant taxonomies to the field of

financial auditing include those describing the IFRS and US GAAP standards as well

as the Standard Business Reporting (SBR) taxonomy which is being developed by the

Dutch government. SBR aims to provide a standardized format for the communication

and reporting of business information between firms and governmental bodies in The

Netherlands which is expected to result in a substantive reduction of effort required on

both sides. Ultimately, it is the combination of XBRL and SBR that is expected to have

the greatest impact on the Dutch financial auditing practice. An example of data stored

in XBRL format is provided in figure 24.

Figure 24: Example of data stored in XBRL format

Applicability

When looking at the XBRL and SBR developments in the context of the financial

auditing practice, several applications can be distinguished. First of all, as XBRL and

SBR facilitate the standardization of business information, they can be utilized during

the financial audit process in places where substantive data analysis procedures are

executed. In these cases, data aggregation and conversion efforts can be minimized by

utilizing the XBRL and SBR standards for data storage and exchange; while in the

current practice up to 50% of the time spent on data analysis is used for data

conversion, the effect of the introduction of XBRL in conjunction with the SBR

taxonomy is expected to be significant. A related application of XBRL to the financial

auditing practice is the concept of financial statement reporting by means of digital

XBRL instance documents. In this scenario, in addition to the regular audit of financial

statements, the contents of the XBRL instance document are verified by matching them

with the contents of the financial statement report and subsequently a separate auditor's

opinion is stated on the digital object. Digital reporting can be seen as a first step

towards the concept of continuous reporting where financial statement information is

published in XBRL format on a continuous basis with improved information symmetry

on the capital market being the ultimate goal. Much like continuous auditing, XBRL

puts a high demand on the auditee’s organization. Information system prerequisites for

a successful implementation of XBRL in the auditee’s systems and processes include a

mature environment for both organizational internal controls and IT general controls as

well as the availability of reliable data stored in an unambiguous format. Once these

prerequisites are met, the implementation of XBRL is expected to be a straight forward

exercise as it concerns a non-proprietary, open and well-documented standard.
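
An added example, not taken from the thesis or from any XBRL tool, of verifying an XBRL instance document against a taxonomy and against the audited financial statement figures. The `demo` taxonomy (reduced here to Python dictionaries with one calculation relation), the instance document and the statement figures are constructed; only the `xbrli` instance namespace and its `context`, `unit`, `contextRef` and `unitRef` constructs come from the XBRL standard.

```python
import xml.etree.ElementTree as ET
from decimal import Decimal, InvalidOperation

XBRLI = "http://www.xbrl.org/2003/instance"     # XBRL instance namespace
DEMO = "http://example.com/taxonomy/demo"       # constructed taxonomy namespace

# Constructed stand-in for a taxonomy: element names with their data type and
# one calculation relation (parent element = sum of its child elements).
TAXONOMY = {"Assets": "monetary", "CurrentAssets": "monetary",
            "NoncurrentAssets": "monetary", "Equity": "monetary"}
CALCULATIONS = {"Assets": ["CurrentAssets", "NoncurrentAssets"]}

# Constructed instance document with two planted errors: a misspelled element
# and a total that does not equal the sum of its parts.
INSTANCE = """<xbrli:xbrl xmlns:xbrli="http://www.xbrl.org/2003/instance"
    xmlns:iso4217="http://www.xbrl.org/2003/iso4217"
    xmlns:demo="http://example.com/taxonomy/demo">
  <xbrli:context id="FY2011">
    <xbrli:entity>
      <xbrli:identifier scheme="http://example.com/id">DEMO-BV</xbrli:identifier>
    </xbrli:entity>
    <xbrli:period><xbrli:instant>2011-12-31</xbrli:instant></xbrli:period>
  </xbrli:context>
  <xbrli:unit id="EUR"><xbrli:measure>iso4217:EUR</xbrli:measure></xbrli:unit>
  <demo:CurrentAssets contextRef="FY2011" unitRef="EUR" decimals="0">420000</demo:CurrentAssets>
  <demo:NoncurrentAssets contextRef="FY2011" unitRef="EUR" decimals="0">910000</demo:NoncurrentAssets>
  <demo:Assets contextRef="FY2011" unitRef="EUR" decimals="0">1340000</demo:Assets>
  <demo:Equity contextRef="FY2011" unitRef="EUR" decimals="0">600000</demo:Equity>
  <demo:Goodwil contextRef="FY2011" unitRef="EUR" decimals="0">15000</demo:Goodwil>
</xbrli:xbrl>"""

# Constructed figures from the audited financial statement report.
STATEMENT = {"Assets": 1330000, "CurrentAssets": 420000,
             "NoncurrentAssets": 910000, "Equity": 600000}


def parse_instance(xml_text):
    """Return ({(element, context): value}, findings) for the tagged facts."""
    root = ET.fromstring(xml_text)
    contexts = {c.get("id") for c in root.findall(f"{{{XBRLI}}}context")}
    units = {u.get("id") for u in root.findall(f"{{{XBRLI}}}unit")}
    facts, findings = {}, []
    for el in root:
        ns, _, name = el.tag[1:].partition("}")
        if ns != DEMO:
            continue  # xbrli:context, xbrli:unit and other non-fact elements
        if name not in TAXONOMY:
            findings.append(("unknown-element", name))
        elif el.get("contextRef") not in contexts or el.get("unitRef") not in units:
            findings.append(("dangling-reference", name))
        else:
            try:  # every element in this taxonomy is monetary
                facts[(name, el.get("contextRef"))] = Decimal((el.text or "").strip())
            except InvalidOperation:
                findings.append(("bad-data-type", name))
    return facts, findings


def check_calculations(facts):
    """Semantic check: each total must equal the sum of its taxonomy children."""
    findings = []
    for (name, ctx), total in facts.items():
        if name not in CALCULATIONS:
            continue
        parts = [facts.get((child, ctx)) for child in CALCULATIONS[name]]
        if None in parts:
            findings.append(("calculation-incomplete", name))
        elif sum(parts) != total:
            findings.append(("calculation-inconsistent", name))
    return findings


def match_statement(facts, statement, ctx):
    """Match the tagged facts with the figures in the financial statement report."""
    findings = []
    for name, audited in statement.items():
        tagged = facts.get((name, ctx))
        if tagged is None:
            findings.append(("missing-in-instance", name))
        elif tagged != Decimal(audited):
            findings.append(("differs-from-statement", name))
    return findings


def verify(xml_text, statement, ctx="FY2011"):
    """Run all checks and return the sorted list of findings."""
    facts, findings = parse_instance(xml_text)
    return sorted(findings + check_calculations(facts) + match_statement(facts, statement, ctx))
```

Calling `verify(INSTANCE, STATEMENT)` reports the misspelled element, the inconsistent `Assets` total and the difference from the audited statement.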

Tooling

Since XBRL is in use at many organizations today, tooling supporting the standard is

readily available. The challenge for organizations will be to adapt their legacy systems

and processes to support this new standard. In order to reach this compatibility, both

technical and semantical support must be achieved. As most information systems

consist of licensed technology, technical compatibility of legacy systems will largely

rely on support from the concerning information systems supplier. Semantical support

is mainly a matter of standardizing and documenting business data and mapping it to

the appropriate taxonomy which effectively comes down to a one time investment for

the auditee.

Implications

The implementation of the use of XBRL in the PwC audit methodology is expected to

have multiple implications. An extension of the research model as introduced in

chapter 2.4.6 visualizing an overview of all estimated effects of such implementation is

provided in figure 25. This section is concluded by a further description of the

constructs and effects extending the research model.

[Figure 25 diagram; node labels: XBRL, Quality, Added value, Costs, PwC Audit Performance; effect signs: +, -, +/-]

Figure 25: Implications of the implementation of XBRL on the PwC audit performance

Extending constructs

‘XBRL’ represents the implementation of the concept of XBRL, as described in

chapter 4.4 of this writing, in the PwC audit methodology. It is determined by

the fact whether XBRL is implemented in the PwC audit methodology and is

expected to affect ‘Quality’, ‘Costs’ as well as ‘Added value’.

Extending effects

‘Quality’ is expected to be affected positively by the implementation of XBRL

as the development supports the achievement of the financial audit

requirements as described in the Dutch legislation and regulations through

supporting the standardization and exchange of data resulting in the

applicability of new substantive analytical procedures.

‘Costs’ is expected to be affected both positively and negatively by the

implementation of XBRL as an initial investment will be required in terms of

tooling procurement, system implementation and training, followed by an

expected costs reduction resulting from reduced time spent on data conversion

and substantive analytical procedures.

‘Added value’ is expected to be affected positively by the implementation of

XBRL as on top of the expected audit results, organizational maturity with

regard to data standardization is improved and additional insight is provided

through comparing business information with industry and regional

performance indicators and metrics enabled by XBRL data standardization.

4.5 Analytical discussion of IT developments

Having described four aspects (including the description, applicability, tooling and

implications) of four developments from the field of IT (including audit nets, process

mining, continuous auditing and XBRL), this section will continue with the analysis

and comparison of these developments based on the findings noted thus far. The focus

of these analyses will be on the applicability to the PwC audit methodology, the

feasibility of implementation in the current audit practice and the identification of the

parties responsible for the implementation.

Applicability

The aim of this analysis is to specify the applicability of the IT developments as

described in this chapter to the PwC audit methodology by defining the areas of the

audit process at which the applicability of these developments is expected to be the

greatest. This aim is realized by repeating table 2 from chapter 2.4.4 where the use of

CAATs in the current methodology was mapped to the various areas of application in

the PwC audit methodology and repeating the exercise for the IT developments as

described in this chapter. Following from the results of this analysis it is proposed here

that the IT developments should be implemented at the corresponding areas of

application as described in table 7.

Area of application by audit phase: the first two columns fall under "Understand the Business, Assess Risk and Determine Audit Strategy", the remaining four under "Respond to Risk and Gather Evidence".

| Development | Understand the Business including its Internal Control | Risk Assessment Analytics | *Audit testing of CM | Perform Tests of Controls | Perform Substantive Analytical Procedures | Perform Tests of Detail |
| --- | --- | --- | --- | --- | --- | --- |
| Audit Nets | Audit net analysis will provide a better understanding of the business. | Audit net analysis will aid in determining high and low risk areas of the business. | - | Audit net analysis will aid in the testing for segregation of duties. | - | - |
| Process Mining | Analyzing a mined process model will provide a better understanding of the business. | Analyzing a mined process model will aid in determining high and low risk areas of the business. | - | Comparing a mined process model with the process design will aid in analyzing the operational effectiveness of controls. | - | - |
| Continuous Auditing | - | - | Part of the CA approach is to test the CM effort of the auditee. | Testing controls on a continuous basis will increase their reliability. | Performing substantive analytical procedures on a continuous basis will increase their reliability. | Performing tests of detail on a continuous basis will increase their reliability. |
| XBRL | - | - | - | - | The use of XBRL will facilitate the comparison of financial and business data using benchmarking. | The use of XBRL will facilitate the ETL phase of analyzing the data. |

Table 7: Mapping of IT developments to areas of application in the PwC audit methodology

* The “Audit testing of CM” step is included as an additional phase in the audit

methodology in order to facilitate the aspect of Continuous Auditing where the audit

testing of continuous monitoring is executed. As this evidence gathering activity is

suggested to be executed prior to the “Perform Tests of Controls” step, it is defined as

an additional step in the audit methodology; the timing of this step is further specified

in figure 26.

Figure 26: Place of the ‘Audit testing of CM’ step in the PwC audit methodology

Feasibility

Following the determination of the applicability, the aim of this analysis is to define

the feasibility of the implementation of the IT developments as described in this

chapter to the PwC audit practice. In the case under consideration, feasibility is

primarily determined by the business case for implementation of the development in

question, i.e. the consideration of the costs versus the benefits. While not quantified in

this research, the expected increase of quality, reduction of costs as well as increase of

added value following from the extensions to the research model as proposed in

chapter 2.4.6 all add to the business cases for implementation of the corresponding

developments. As this is the case for all four developments covered, it is proposed here

that all four business cases are expected to be positive and that consequently the

implementation of all four developments is feasible.

Responsibility

Having determined the areas of applicability and the feasibility of the IT developments

described in this chapter, the aim of this final analysis is to identify the parties that are

responsible for the ultimate decision whether to implement these developments. To this

end, two parties are considered including both the Auditor and the Auditee. On the one

hand implementation is suggested on the side of the Auditor where improvements are

expected to add functionality to their existing set of methods and tools as discussed in

chapter 2.4. On the other hand implementation is suggested on the side of the Auditee

where functionality is added to their existing systems and processes.

Employing this distinction to the developments as covered in this chapter, it is

suggested that audit nets and process mining are to be classified as developments

requiring investments on the side of the Auditor while continuous auditing and XBRL

are to be classified as developments that are dependent on investments in the systems

and processes of the Auditee. Following this suggested distinction in investment

requirements, it is proposed here that implementation of audit nets and process mining

in the audit methodology is the responsibility of the Auditor while the implementation

of continuous auditing and XBRL is the responsibility of the Auditee.

Conclusion

Following from the analyses presented in this section, it is concluded here that in order

to meet the target of improving the PwC audit performance, the following actions are

suggested.

1. The Auditor should be persuaded to implement audit nets and process mining

technology in their audit methodology at the places as indicated in table 7.

2. The Auditee should be persuaded to implement continuous auditing and XBRL

in their systems and processes.

4.6 Summary

Four recent developments from the field of IT including audit nets, process mining,

continuous auditing and XBRL were described and analyzed on their applicability to

the PwC audit methodology. Conclusions that can be made based on the findings from

this chapter include the indication that all described developments are expected to

positively affect the PwC audit performance. In addition, possibilities regarding the

area of application in the PwC audit methodology have been identified for each

development resulting in a tabulated overview summarizing the combinations of

developments and applicable places. Finally, a distinction was identified between

developments to be implemented on the auditor side and developments to be

implemented on the auditee side, resulting in a clear view of which technology should

be adopted by which party.

5 Future directions for the financial auditing practice

Having described the current state of the financial auditing practice, the ways in which

the application of new developments from the field of IT can improve the methodology

currently in use and the implications the implementation of these developments is

expected to have on the current financial auditing practice, the aim of this chapter is to

provide an answer to the final research question which concerns the future directions

for the financial auditing practice. Based on the results from chapters 2 - 4, trends and

themes defining the future of the financial auditing practice are identified and a

technology roadmap guiding future audit methodology improvements is proposed.

5.1 Identifying trends and themes defining the future of the financial auditing

practice

Following the findings from the previous chapters, some significant trends in the

evolution of the financial auditing practice can be deduced. Resulting from an

increased need for efficiency in the audit execution associated with an increase in

competition in the financial audit market, the following developments in the employed

audit methodology are distinguished.

A transition from an emphasis on system oriented methods to a balanced mix of

system oriented methods and data oriented methods.

An increased use of data analysis methods.

An increased use of computer assisted audit techniques.

While further identifying themes that are expected to play an important role in the

future development of the financial auditing practice, the following statements are

proposed here.

On the short term, Data Analysis is expected to play an important role in the

development of the financial auditing practice.

On the long term, Continuous Auditing is expected to play an increasingly

important role in the development of the financial auditing practice.

5.2 Proposing a Technology Roadmap guiding future audit methodology

improvements

In order to guide future audit methodology improvements, a technology roadmap is

proposed here that aims to provide a single view of the suggested timing of, and the

expected gain in audit performance resulting from, the implementation of the various

developments covered in this study. As noted in the previous section, the short term

goal for improving the financial audit performance concerns the further development

and implementation of data analysis methods in the audit methodology where the

ultimate long term goal concerns the full implementation of continuous auditing. These

propositions are reflected by the technology roadmap, which is included in figure 27.

Figure 27: PwC audit Technology Roadmap

5.3 Summary

This chapter provided a view at the future of the financial auditing practice through the

identification of several trends and the proposition of several themes that are expected

to play an important role in its future development and furthermore proposing a

technology roadmap guiding future audit methodology improvements.

[Figure 27 diagram; vertical axis: PwC audit performance; horizontal axis: Present to Future; plotted developments: Data Analysis, Process Mining, Audit Nets, XBRL, Continuous Auditing]

6 Conclusions and recommendations

An elaborate analysis of the current state of the financial auditing practice was

provided resulting in an indication of its limitations and the possibilities for

improvement. Four case studies were described illustrating the current financial audit

methodology in practice. Four developments from the field of IT including audit nets,

process mining, continuous auditing and XBRL were described and analyzed on their

applicability to the current financial audit methodology. Based on these analyses a

view at the future of the financial auditing practice was proposed through the

identification of several trends and the proposition of several themes that are expected

to play an important role in its future development and furthermore proposing a

technology roadmap guiding future audit methodology improvements.

Following these findings, it can be concluded that the performance of the financial

audit methodology currently applied in practice still has room for improvement and

that this improvement is suggested to be obtained through the implementation of

developments from the field of IT. On the short term, improvements are expected from

the further development and implementation of data analysis methods where on the

long term continuous auditing is expected to provide the greatest increase in

performance.

Concluding this report, several recommendations can be made. In order for the

financial audit practice to obtain its goals of improving the performance of their

financial audit methodology, practitioners are encouraged to follow the improvements

suggested in this study. Further empirical research is recommended to be conducted

regarding the operational effectiveness of the financial audit methodology

improvements proposed here.

References

Petri, C.A., "Kommunikation mit Automaten", PhD Thesis, University of

Bonn, 1962

Elsas, P.I., "Computational Auditing", PhD Thesis, Vrije Universiteit, Deloitte

& Touche, 1996

Elsas, P.I., "X-raying Segregation of Duties: Support to illuminate an

enterprise's immunity to solo-fraud", International Journal of Accounting

Information Systems 9, 2008, 82-93

Elsas, P.I., van de Riet, R.P. and van Leeuwen, J.J., "Knowledge-based Audit

Support"

Van der Aalst, W.M.P., “Process Mining: Discovery, Conformance and

Enhancement of Business Processes”, Springer Verlag, 2011

Van der Aalst, W.M.P. and de Medeiros, A.K.A., “Process Mining and

Security: Detecting Anomalous Process Executions and Checking Process

Conformance”, Electronic Notes in Theoretical Computer Science, 121, 2005,

3-21

Van Dongen, B.F., de Medeiros, A.K.A., Verbeek, H.M.W., Weijters,

A.J.M.M. and van der Aalst, W.M.P., “The ProM Framework: A New Era in

Process Mining Tool Support”, 2005

Van der Aalst, W., van Hee, K., van der Werf, J.M., Kumar, A. and Verdonk,

M., “Conceptual model for online auditing”, Decision Support Systems, 50,

2011, 636-647

Bezverhaya-Haasnoot, M., Caron, E., Goeyenbier, P., “Naar een

softwarematige analyse van bedrijfsprocessen voor auditing - Process mining

als gereedschap voor (IT-)auditors”, de EDP-Auditor, 2, 2009

Kuhn, J.R. and Sutton, S.G., "Continuous Auditing in ERP System

Environments: The Current State and Future Directions", Journal of

Information Systems 24, 2010, 91-112

Coderre, D., "Continuous Auditing: Implications for Assurance, Monitoring,

and Risk Assessment", The Institute of Internal Auditors Global Technology

Audit Guide 3 (IIA GTAG 3), 9

COSO, "COSO Internal Control - Integrated Framework", 1992

Starreveld, R.W., "Leer van de administratieve organisatie Deel 1: Algemene

grondslagen", Samsom, 1962

Starreveld, R.W., "Leer van de administratieve organisatie Deel 2: Typologie

der toepassingen", Samsom, 1962

Vaassen, E., "Basisboek informatie & control", Wolters-Noordhoff, 2005

Fijneman, R. and Topliss, J., "IT auditing", Academic Service, 2008

Garcia, M.L. and Bray, O.H., “Fundamentals of Technology Roadmapping”,

1997

Wet toezicht accountantsorganisaties, 19-01-2006

Besluit toezicht accountantsorganisaties, 16-08-2006

Wet op de Registeraccountants, 28-06-1962

Wet op de Accountants-administratieconsulenten, 13-12-1972

Verordening accountantsorganisaties, 08-12-2010, effective from 01-01-2011

Verordening gedragscode, 16-12-2009, effective from 01-01-2010

Nadere voorschriften controle- en overige standaarden, 15-01-2011, effective

from 15-06-2011

PwC Audit Guide 2010

http://www.nba.nl/

http://www.nivra.nl/

http://www.novaa.nl/

http://www.norea.nl/

http://www.afm.nl/

http://www.rjnet.nl/

http://www.commissiecorporategovernance.nl/

http://www.coso.org/

http://www.unit4.com/

http://www.synaxion.com/

http://www.computationalauditing.com/

http://www.processmining.org/

http://www.theiia.org/

http://www.xbrl.org/

http://www.sbr.nl/