Remarks as prepared for delivery
Auditors’ use of technology in various aspects of the audit continues to evolve. Whether it is through performing risk assessment procedures, obtaining evidence to address an assessed risk, or as part of the auditor’s overall review, firms’ use of technology-assisted analysis in conducting the audit is increasing. This use of technology is further encouraged by the vast amount of company-produced and third-party information in electronic form that facilitates such analysis and may serve as audit evidence.
PCAOB standards do not preclude auditors from using technology-assisted analysis to perform audit procedures. But they also do not provide auditors with specific guidance for how to use technology-assisted analysis. And while technology has evolved considerably in the past 13 years, the standards we are addressing today have not been substantially updated since 2010.
Audit quality would benefit if our standards included additional direction addressing specific aspects of designing and performing audit procedures that involve technology-assisted analysis of information in electronic form.
On the one hand, without our standards appropriately addressing technology-assisted analysis, there is a risk that when using technology-based tools to perform such analysis, auditors may not obtain sufficient appropriate audit evidence necessary to support their opinion on a company’s financial statements.
On the other hand, if our standards do not address certain scenarios encountered by the auditors when using technology-assisted analysis, auditors may choose not to perform procedures that involve technology-assisted analysis, even if performing such procedures would be a more effective or efficient way of obtaining audit evidence.
Therefore, as part of the Board’s goal in our strategic plan to modernize our standards,1 we are proposing amendments designed to improve audit quality and enhance investor protection by specifically addressing aspects of audit procedures that involve technology-assisted analysis.
Three key areas addressed by the proposed amendments are:
- Evaluating the relevance and reliability of information in electronic form,
- Performing procedures that address more than one purpose in the audit, and
- Designing and performing substantive procedures using technology-assisted analysis.
First, as I previously mentioned, there is a vast amount of company-produced and third-party information in electronic form. It is imperative that auditors perform sufficient procedures to evaluate the reliability of such information when it is used as audit evidence.
For company-produced information, the proposed amendments would emphasize the importance of testing a company’s information technology general controls and automated application controls as part of testing controls over the accuracy and completeness of that information.
For external information maintained by the company in electronic form, the proposal would provide direction on the procedures an auditor should perform in assessing the reliability of this information when it is used by the auditor as audit evidence. Existing standards do not specify procedures the auditor should perform when evaluating the reliability of external information maintained by the company in electronic form. An example of such information would be an invoice obtained by the company from a vendor. The proposal would require the auditor to obtain an understanding of the source of the external information and to test the company's controls over the information.
For both company-produced and external information, the proposal would emphasize that the relevance of audit evidence depends on the level of disaggregation or detail of information necessary to achieve the objective of an audit procedure.
Together, these proposed amendments will reduce the likelihood that an auditor who uses technology-assisted analysis will issue an opinion without having obtained relevant and reliable audit evidence.
Second, we have observed auditors may use information obtained from performing technology-assisted analysis as audit evidence for more than one purpose in conducting the audit. For example, such information could be used for both risk assessment procedures and substantive procedures in response to the auditor’s risk assessment.
Existing standards do not specifically address this situation, which creates a risk that an auditor may not design and perform procedures that would provide sufficient appropriate audit evidence to support the basis for the auditor’s opinion. The proposed amendments specify that when an auditor uses audit evidence from an audit procedure for more than one purpose, the procedure needs to be designed and performed to achieve each of the relevant objectives.
Third, some technology-assisted data analysis performed by auditors include analyzing all or part of a population comprising an account or class of transactions. For example, one type of analysis could compare items shipped with items invoiced for all shipments during the year. Due to the size of the population, there may be numerous discrepancies requiring investigation.
The proposed amendments would specify considerations for the auditor’s investigation of items that meet auditor-established criteria when designing or performing substantive procedures on all or part of a population. Such considerations would include whether an item identified for further investigation represents a misstatement or indicates a deficiency in the design or operating effectiveness of a control or indicates a need for the auditor to modify its risk assessment or planned audit procedures.
It is important to note that this proposal focuses on specific aspects related to the use of data and technology by auditors in conducting the audit. Our research project to further evaluate whether there is a need for guidance, other changes to PCAOB standards, or other regulatory actions considering the increased use of technology-based tools by auditors and preparers remains active. Insights from this research project may give rise to new standard-setting projects and may also inform the scope or nature of our other standard-setting and rulemaking projects.
I encourage all our stakeholders to read the proposal and provide your perspectives on our questions and other thoughts you may have as we further work to modernize our standards.
In closing, I would like to express my gratitude to those individuals that have significantly contributed to this proposal. Specifically, I would like to thank in the Office of the Chief Auditor, Barb Vanich, Dima Andriyenko, Donna Silknitter, Rob Kol, and Hunter Jones; in the Office of Economic and Risk Analysis, Mike Gurbutt, Nick Galunic, Carrie Von Bose, and John Cook; and in the Office of General Counsel, James Cappoli, Connor Raso, Vince Meehan, and Katherine Kelly.
I would also like to thank my fellow Board members and their staff for their contributions to this proposal. In addition, I would like to recognize the suggestions and support provided by staff from the Division of Registration and Inspections, the Division of Enforcement and Investigations, and the Office of Communications and Engagement.
Finally, I would like to thank the Securities and Exchange Commission’s (SEC) staff, including the staff of the SEC’s Office of the Chief Accountant for their support and assistance.