Technology continues to advance according to Moore’s law[1] and Metcalfe’s law[2], which tell us that the processing power of computers and the value of networks increase exponentially over time as more nodes are added to the network. The continuing fulfillment of these laws has now brought us the latest emerging technologies, which are big data[3]/data analytics,[4] artificial intelligence (AI),[5] machine learning (ML),[6] deep learning (DL),[7] robotic process automation (RPA),[8] and blockchain. The pundits, prognosticators, tech evangelists, true believers, hucksters, charlatans, and pump and dumpers tell us these six (6) new general-purpose technologies (GPTs),[9] which build on all those that came before them, will completely disrupt all industries and all businesses across the globe, rendering many jobs and business models totally obsolete, including auditors and auditing. The question, then, is: will these new GPTs consign IT auditors to the dustbin of history?
The current six (6) emerging and disruptive technologies are all related and, individually or in combination, may be used by businesses and their auditors to add value and reduce costs. Let’s first define the six technologies and the IT auditor’s role in their implementation and auditing of transactions initiated, recorded, processed, or reported by them.
Big data
Big Data are enormous amounts of data that cannot be stored on or processed by a single computer and require a very large array of networked computers for storage. Data analytics uses big data as input and likewise requires an equally large array of powerful processors to find meaningful and potentially useful relationships in data. Big data usually combines internal data (such as the records in the general ledger, the sales journal, or the payroll register) with internal and external non-financial data (such as timeclock data, machine counts, stored emails, voice recordings, video recordings, application audit logs, database logs, operating system logs, firewall logs; and external data such as tweets, social media posts, and Google search terms). The list of data types that can be fed into big data and used in data analytics is endless, and only limited by the imagination and creativity of the big data team members that design a specific big data application.
Data Analytics
Data analytics uses the big data as input to statistical routines to impute relationships and make inferences that may be useful to achieve a business or audit objective.
Big Data/Data Analytics
Big data/data analytics projects are most successful when developed by a cross-functional team that includes senior managers, project managers, data scientists, IT managers, accountants, privacy officers, general counsels, business managers, and IT auditors. An IT auditor’s training and experience are a perfect fit for the skills needed to add value to the big data project. However, internal auditors skilled only in non-IT compliance and financial transaction auditing may not have such skills. Big data/data analytics projects are often developed and implemented with DevOps,[10] a software development philosophy and set of practices that bridges the gap between development (Dev) and IT operations (Ops), and agile[11]/Scrum[12] rather than a Software Development Life Cycle (SDLC)[13] framework. One of the objectives of DevOps and agile/Scrum is to quickly bring a project to market, and it often does not create the artifacts that document how the solution was arrived at. Audits live and breathe on documentation, and with DevOps and agile/Scrum, there may be a scant evidence trail of what was done, other than code and emails between the team members. If IT audit is not part of the team and comes in after the project has been implemented, there may be nothing to audit except the results. When IT auditors are part of the big data/data analytics team, proper controls are more likely to be built into the system, rather than bolted on after the fact.
AI
AI builds code by incorporating automated decision-making rules into a system. The rules mimic human decisions and often, in an accounting and auditing context, are specified by the person who manually inspects data and reports, decides, and then proceeds to complete the task. IT auditors are generally not included in the development and implementation of AI. However, during an audit, if AI had been used in the processing of transactions that are material to the financial statements, then the auditor (according to AU-C-315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement)[14] needs to understand the IT procedures by which those transactions are initiated, authorized, recorded, processed, corrected as necessary, transferred to the general ledger, and reported in the financial statements. In addition, AU-C-265, Communicating Internal Control Related Matters Identified in an Audit; AS 1305, Communications About Control Deficiencies in an Audit of Financial Statements;[15] and AS 2201.78-84, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements,[16] require the auditor to report a deficiency when “the person performing the control does not possess the necessary authority or competence to perform the control effectively.” It is conceivable that AI could perform all of these functions without human intervention. In that case, without an IT auditor on the engagement team, how would a non-IT auditor determine if the AI has the necessary authority or competence to process transactions?
ML
ML is a process used in conjunction with AI to teach computers to find anomalies and outliers in data by repetitive procedures. In an audit context, the data could be the general journal, accounts receivable ledger, accounts payable ledger, payroll register, trade blotter, or any other data table that includes financial accounting records. Records of transactions that AI seeks to identify for financial statement auditing are tagged by humans and are referred to as training sets. For example, in a prior audit, the auditor has identified a fraudulent transaction. Training sets are entered into the ML application so that AI can alert the auditor to records of transactions in the current audit with the same characteristics. Obtaining a sufficient number of records of fraudulent transactions is very difficult since the occurrence of fraud is extremely rare and most auditors only come across it a few times in their entire career. Detecting errors with AI is easier, since a schedule of proposed adjustments is generally prepared on every audit and can be used as a training set, hence the schedule from the prior audit can be used for input to ML. ML uses the training sets and records of transactions in the current year to identify transactions that match or are close to the characteristics of the training sets.
When ML is used in financial auditing, the auditor needs to understand the characteristics of the training sets, the sources of the data used in the training sets, the competence and experience of the humans that developed the training sets, if the training sets are free from bias, and if the training sets are reasonably complete for their intended purpose. The auditor also needs to understand how transactions analyzed by ML are input, processed, and the corresponding results reported. This is exactly the same understanding the auditor needs to have of a client’s system that processes financial information. In more complex accounting systems, IT auditors are often used to gain and document this understanding. Since IT auditors already have the necessary skills and expertise, they can document how ML is used in the audit. By interviewing the ML trainer, they may be able to determine if the trainer’s bias was incorporated in the code. By inspecting documentation of the ML, they can determine if the data used for training was appropriate for the intended audit purpose.
By performing tried and true procedures, IT auditors can determine if controls over data used for ML are sufficiently designed and operating effectively that they can be relied upon. IT auditors can perform CAAT analysis on the data used for input to ML to determine if it includes unexpected or entirely new types of transactions, is incomplete, or has inconsistent or unreasonable weighting of variables used in the analysis. If so, ML results may be invalid. If the data passes inspection, then IT auditors will need to work with data scientists on the audit team to understand how the ML system identifies potential fraud and errors.
This concludes “IT Auditors in a Brave New World: Part 1.”
This article is Part 1 of a two-part series. The original paper consisting of the full text has been broken into two parts to conform with the publisher’s word limit and to respect the reader’s time. Part 2 will discuss DL, RPA, Blockchain, Smart Contracts, and GIGO, and then offer a conclusion. It will be published in a future edition of CPA Publisher.
Bruce Nearon, CPA is the Managing Partner at B.H. Nearon, CPA.
References
[1] Fulai Zhu, Peiyu Xu, and Jiahao Zong, “Moore’s Law: The potential, limits, and breakthroughs,” Applied and Computational Engineering 10(2023), https://doi.org/10.54254/2755-2721/10/20230038.
[2] António Madureira, Frank den Hartog, and Harry Bouwman, “Empirical validation of Metcalfe’s law: How Internet usage patterns have changed over time,” Information Economics and Policy 25, no. 4 (2013): 246–56, https://www.sciencedirect.com/science/article/abs/pii/S0167624513000310.
[3] D. Tosi, R. Kokaj, and M. Roccetti, “15 years of Big Data: a systematic literature review,” Journal of Big Data 11, no. 73 (2024), https://doi.org/10.1186/s40537-024-00914-9.
[4] Farooq Aziz, “Data analytics impacts in the field of accounting,” World Journal of Advanced Research and Reviews 18, no. 2 (2023): 946–51, https://wjarr.com/sites/default/files/WJARR-2023-0863.pdf.
[5] Nur Syahmina Afiqah Zamai and Ulaganathan Subramanian, “The Impact of Artificial Intelligence in the Accounting Profession,” Procedia Computer Science 238 (2024): 849–56, https://www.sciencedirect.com/science/article/pii/S1877050924013383.
[6] E. Liaras, M. Nerantzidis, and A. Alexandridis, “Machine learning in accounting and finance research: a literature review,” Review of Quantitative Finance and Accounting 63 (2024): 1431–71, https://doi.org/10.1007/s11156-024-01306-z.
[7] V. B. Kovač, D. Ø. Nome, A. R. Jensen, and L. Lj. Skreland, “The why, what and how of deep learning: critical analysis and additional concerns,” Education Inquiry 16, no. 2 (2023): 237–53, https://doi.org/10.1080/20004508.2023.2194502.
[8] Benjamin Samson Ayinla et al., “The Role of Robotic Process Automation (Rpa) In Modern Accounting: A Review – Investigating How Automation Tools Are Transforming Traditional Accounting Practices,” Engineering Science & Technology Journal 5, no. 2 (2024): 427–47, https://doi.org/10.51594/estj.v5i2.804.
[9] Pattharaporn Wipatkrut and Hsin-Ning Su, “Exploring the impact of technological convergence on General-Purpose Technologies: A multi-level generality perspective,” Technology in Society 82 (2025): 102933, https://www.sciencedirect.com/science/article/abs/pii/S0160791X2500123X.
[10] Amitkumar V. Jha et al., “From theory to practice: Understanding DevOps culture and mindset,” Cogent Engineering 10, no. 1 (2023), https://www.tandfonline.com/doi/full/10.1080/23311916.2023.2251758.
[11] Mansuraliet Al Anifa, “Systematic Review of Literature on Agile Approach,” NMIMS Management Review 32, no. 2 (2024), https://journals.sagepub.com/doi/full/10.1177/09711023241272294.
[12] Christiaan Verwijs and Daniel Russo, “A Theory of Scrum Team Effectiveness,” ACM Transactions on Software Engineering and Methodology 32, no. 3, article 74 (2023): 1–51, https://dl.acm.org/doi/10.1145/3571849.
[13] Liu Yuge and Tuyatsetseg Badarch, “Research on Contemporary Software Development Life Cycle Models,” American Journal of Computer Science and Technology 6, no. 1 (2023), https://sciencepublishinggroup.com/article/10.11648/j.ajcst.20230601.11.
[14] Auditing Standards Board, AICPA, https://www.aicpa-cima.com/resources/download/aicpa-statements-on-auditing-standards-currently-effective.
[15] Ibid.
[16] PCAOB, https://pcaobus.org/oversight/standards/auditing-standards/details/AS2201.
