The auditing landscape involves months-long labor-intensive processes that focus on risk mitigation. Traditional methods, involving manual testing over small sample sizes, often delay identifying potential issues and other inefficiencies.
However, control test automation (CTA) could redefine control testing and shift the focus from risk management to value protection and real-time efficacy. CTA fits within the conversation of how to harness emerging technologies to move the profession forward, as explored in the paper Control test automation: From manual testing to use of technology, co-produced by Grant Thornton and AICPA® & CIMA®.
“Now that the technology is here, how do we move something that is a point-in-time assessment to continuous monitoring?” asked Ethan Rojhani, Principal, Risk Advisory Services, Grant Thornton Advisors LLC. “[The paper] opens the conversation for how to migrate to more efficient testing by using automation and other advanced technologies.”
Expanded population testing leads to more accurate results
Moving beyond sample-based testing, control test automation can be used for assessing the full population to identify deviations. Then, CTA can evaluate those known deviations against an acceptable failure rate.
What’s more, full-population control testing enhances the integrity, quality and reliability of financial reporting and can portray a more accurate picture of an entity’s internal control over financial reporting — compared to a sample-based approach that analyzes a much smaller sample size less frequently.
“A sample-based approach is very backward-looking when compared to CTA, which enables you to watch things as they move through the system and test them as they’re moving,” said Rojhani.
“When you know what’s happening for every single transaction, that’s a lot more knowledge you have as an auditor than in a traditional sample-based approach,” said Maria Manasses, Partner, Deputy Chief Auditor, Grant Thornton LLP and Principal, Grant Thornton Advisors LLC.
Added Manasses, control test automation is not just related to internal control over financial reporting (ICFR) or audits of ICFR. It can also cover controls over operations and help companies track compliance efforts with laws and regulations.
There’s so much involved in control testing that Rojhani and Manasses also led a session on the topic at the recent ENGAGE 24 conference in Las Vegas. They detailed how CTA can be implemented and tested — and how to decide which types of controls to automate.
Moreover, Rojhani discussed how the shift toward continuous monitoring facilitates immediate issue resolution, significantly reducing the time and resources previously allocated to manual auditing tasks.
“[CTA] takes away a lot of the minutiae of auditing that people do not enjoy,” added Rojhani. “Organizations that have implemented this approach have very low turnover and very high employee satisfaction because they spend their time focusing on problems as opposed to documenting the problem.”
One limitation regarding what can be tested, said Rojhani, is access to the data itself.
The shifting role of the external auditor
External auditors will have to adapt their role as automation gains traction.
Rojhani pointed to several questions external auditors must ask themselves to embrace these changes. For example: “Are they willing to look at and use the work of others as part of their audit, and, if so, are they able to understand what’s being done? Are they comfortable with what’s being done and how it’s being addressed? Do they trust what was designed by the internal auditors?”
For most control testing, an external auditor would use the same approach they’d typically use for IT general controls, said Manasses, but there will be additional control testing considerations.
“What’s going to differ is first determining what that acceptable failure rate is, whether that acceptable failure rate is appropriate, and what the audit client did to make sure that acceptable failure rate was appropriate,” she added. “Then you’ll need to evaluate the results from that perspective, because you are now analyzing the full population and no longer using that historical sample-based approach,” added Manasses.
In the long term, the job of the external auditor could change tremendously. Said Rojhani: “If they are willing to request continuous data streams from their clients, can they take that data and shift their mindset from a point-in-time judgment to looking at things as they change throughout the year?”
External auditors must determine if they’re comfortable with the idea “of seeing everything all the time and make a judgment on it at any given time.” That’s the challenging question, said Rojhani, and the paper is meant to help facilitate that discussion.
Adaptable auditors adopt automation
Automation promises to reshape the auditing profession — where adaptability will be paramount.
“We’re in an ever-changing environment where automation is real and how auditors may need to approach auditing differs,” said Manasses. “As clients and entities adopt control test automation, auditors need to be able to adapt to that approach and understand how to audit that data within the bounds of professional standards. At the same time, they can’t say, ‘I still have to do it the traditional or my way.’”
To explore whether automation is right for you and your organization, access Control test automation: From manual testing to the use of technology, which Grant Thornton and AICPA & CIMA coproduced.
“For those looking to implement automated control testing, [the paper] gives you various considerations and the approach for how to assess your results based on an acceptable failure rate,” said Rojhani. “For those that are auditing control test automation, [the paper] provides the opening conversation and potential methodology for how to test CTA and use those results.”