In a poll from our recent webinar “Verified Analytics: Towards 100% Testing?, we asked about the average sample size for revenue testing. The results were eye-opening: 60% voted for a sample size of 15-30 and 40% voted for a sample size of 50-100. 0% voted for a size of 100+.
Sample sizes remain small across audit firms, raising concerns as to whether these samples are representative of the entire population of transactions. The FRC is increasingly encouraging the use of technology to improve audit quality, including data analytics, to look at the entire set of transactions across areas such as revenue.
So what does this mean for the future of testing in audit? How will tools like the new Circit product Verified Analytics make their mark?
Trends in audit testing
At Circit, we are focussed on bringing audit participants together in one platform to fulfil a single mission: to put trust in every business transaction for auditors, their clients and evidence providers.
One of the ways we keep pushing this forward is in conversations with our customer base and other participants in the audit industry. In these discussions, we have been hearing about five trends that help frame where the industry is going when it comes to enhancing testing within audit.
The first trend is around practical challenges: team and clients. Within teams, the main challenge is retention of existing talent by ensuring technology is available to alleviate mundane tasks, ensuring that skills can be applied to tasks that drive efficiency.
On the client side this means educating clients on using technology and ensuring they see the benefits.
The second trend is increased guidance around key topics related to audit testing, specifically ISA 500, and ISQM 1. The guidance is around the technology itself and the language is changing from the regulatory side on how to take into account the use of technology, particularly in using open banking.
The third trend is about General Ledger, bank data and transactional data. How does the data get into the GL? Where is it coming from? How can associated risks be assessed? How can this data be brought into systems to be matched? How is transactional data collected?
The collection of transactional data has traditionally had its specific issues around security, completeness and standardisation, with many opportunities for improvement. A product like Verified Transactions can help with the collection of transactional data and Verified Analytics, our newest product, can help with matching the GL to data obtained this way.
The fourth trend is that methodology changes are happening, in particular to ISA 315 and real-time confirmations. A platform like Circit can pull third party data from source in real-time to look at balances in clients’ accounts. The methodology change there is helping every audit firm determine if they should adopt new practices and how this would help the team.
The last trend is about audit quality and efficiency. Auditors are facing challenges around obtaining and analysing data, improving collaboration with clients and educating team members. The right technologies can provide an outcome and solution to all these challenges.
A former auditor’s perspective on technology and testing
Dudley: “A lot of audit testing is quite manual, but it doesn’t need to be. Auditors spend a lot of time looking at bank statements, and those statements come in a variety of formats: papers, excels, pdfs.
With Circit’s direct connections to the banks, we can obtain this data in a streamlined and standardised format for every bank account. There is a lot of opportunity to remove some of the outdated, manual practices in audit, and that’s where it started: the pile of bank statements, the pile of invoices and other piles of paper, having to type it all in manually.”
“How does technology come into audit testing?”
Dudley: “Auditors will be doing mainly substantive testing with sample sizes between 15 and 30, sometimes a bit higher. There is a lot of pressure for sample sizes to go up and there is a lot of questioning on if the (smaller) sample sizes provide enough audit evidence.
Circit’s Verified Analytics comes into it in two places.
On the one hand there is: ‘Let’s stick to our sampling practices, and start by trying to digitalise the process. A lot of that substantive testing will involve tracing items to the bank, whether that is income sample, expenditure sample, debtors, creditors and so on. Cash plays a role throughout the entire audit. Auditors are spending a lot of time currently manually checking if those payments have been made or received but now that we have a secure data stream directly from the source, not only do we know that that data is complete and accurate, we can take that data and automatically match it to our samples.
The other piece that it enables when digital workflow is in place is that firms can move on from sampling and look at the entire data set. This is something that larger firms have been doing for a while now, but this technology means it can also easily be applied to mid-tier firms.”
“We see one of the main challenges is obtaining transactional data. What are ways to alleviate this?”
Dudley: “Circit is an AISP, and as such we are regulated by the Central Bank. That allows us to build these integrations directly with the bank with no intermediaries, meaning the data comes straight from the source. The client still has to authorise the connection, but Circit has banking level security which allows us to retrieve and display transactional data.
The fact it’s straight from the source is very important, especially with ISQM 1 in mind. ISQM 1 is about quality management: how do we know that the data we’re working with is high enough quality, complete and accurate? In this case the answer is: because it comes from the banks.
A key piece for the audit use case is the payee and IBAN end point information. We are working with the banks to help them build out these additional, premium end points. IBAN is a very powerful one for audit as it can be cross checked against supplier data and payroll data.”
“What are the other challenges in getting to 100% testing?”
Dudley: “There is a lot of pressure from regulators on firms to remove outdated sample size caps and to increase sample sizes. The main pressure point in that case is resources: they don’t have the team size or capabilities to increase the sample size, let alone double it. The other issue is: how do auditors get to 100%? In other words, the tools, the inside knowledge. Especially mid-size or smaller firms can’t afford to build out a team of specialists. They need tools that auditors can get to grips and up and running with in a short amount of time.
“What guidelines are there around 100% testing?”
Dudley: “Guidance is the final challenge. It’s asking, “How?”. Even if firms have the tools and resources, it’s quite a big shift in methodology and auditors are looking for guidance from the methodology providers, the ISAs, which is slowly coming but not quite there yet.
There is more guidance coming around embracing technology but there is a lot more that can be done and a lot more that is coming. So far, we have the updates to ISA 315 and ISA 240. They are the first ISAs that make reference to automated tools and techniques. They don’t just mention automated tools and techniques but data analytics specifically. This is a big sign of what the FRC will be looking for in upcoming file inspections and the shift in how audits are conducted.
What is missing are guidelines not so much on the tools and techniques, but on how they should be implemented.”
“What about the client side to 100% testing?”
For this question, we enlisted the help of Sarah “Brodie” Broderick, Head of Customer Marketing at Circit.
Brodie: “One of the biggest concerns for Circit’s customers is about the client.
How do you communicate to the client, what is the client experience? Every step along the way should be clean and easy. That’s why we have our Confirmation Requests product, where LOAs are created and signed in platform and sent out in platform to providers.
With the verification side and analytics component, it takes that next step where the client only has to go to one place to provide access to their accounts to provide additional evidence. It creates a single client experience that’s clean, recognisable and easy for them to get used to. Adding in authorisations to retrieve transactional data and tools for 100% testing is an extension of that.”
“Any closing remarks or words of advice?”
Dudley: “I think it’s important for teams to pick the right starting point. Don’t try to do everything at once. If you’re still obtaining excel and pdf statements, start with streamlining your data collection by obtaining them digitally. There will be immediate quality improvements and time savings benefits there. Don’t go too deep too quickly, but also don’t do nothing.”
Brodie: “Incremental changes are the quickest way to the biggest wins. It’s about identifying where to begin and how to grow. How can you do that with members of your team that have an interest? Start with early adopters to learn how to grow usage.”