Posted: August 3rd, 2022

565 Research Paper



References to other publications must be in Harvard style and carefully checked for completeness, accuracy and consistency. This is very important in an electronic environment because it enables your readers to exploit the Reference Linking facility on the database and link back to the works you have cited through CrossRef.
You should cite publications in the text: (Adams, 2006) using the first named author’s name or (Adams and Brown, 2006) citing both names of two, or (Adams et al., 2006), when there are three or more authors. At the end of the paper a reference list in alphabetical order should be supplied:

For books

Surname, Initials (year), Title of Book, Publisher, Place of publication.
e.g. Harrow, R. (2005), No Place to Hide, Simon & Schuster, New York, NY.

For book chapters

Surname, Initials (year), “Chapter title”, Editor’s Surname, Initials, Title of Book, Publisher, Place of publication, pages.
e.g. Calabrese, F.A. (2005), “The early pathways: theory to practice – a continuum”, in Stankosky, M. (Ed.), Creating the Discipline of Knowledge Management, Elsevier, New York, NY, pp. 15-20.

For journals

Surname, Initials (year), “Title of article”, Journal Name, volume issue, pages.
e.g. Capizzi, M.T. and Ferguson, R. (2005), “Loyalty trends for the twenty-first century”, Journal of Consumer Marketing, Vol. 22 No. 2, pp. 72-80.

For published conference proceedings

Surname, Initials (year of publication), “Title of paper”, in Surname, Initials (Ed.), Title of published proceeding which may include place and date(s) held, Publisher, Place of publication, Page numbers.
e.g. Jakkilinki, R., Georgievski, M. and Sharda, N. (2007), “Connecting destinations with an ontology-based e-tourism planner”, in Information and communication technologies in tourism 2007 proceedings of the international conference in Ljubljana, Slovenia, 2007, Springer-Verlag, Vienna, pp. 12-32.

For unpublished conference proceedings

Surname, Initials (year), “Title of paper”, paper presented at Name of Conference, date of conference, place of conference, available at: URL if freely available on the internet (accessed date).
e.g. Aumueller, D. (2005), “Semantic authoring and retrieval within a wiki”, paper presented at the European Semantic Web Conference (ESWC), 29 May-1 June, Heraklion, Crete, available at:  (accessed 20 February 2007).

For working papers

Surname, Initials (year), “Title of article”, working paper [number if available], Institution or organization, Place of organization, date.
e.g. Moizer, P. (2003), “How published academic research can inform policy decisions: the case of mandatory rotation of audit appointments”, working paper, Leeds University Business School, University of Leeds, Leeds, 28 March.

For encyclopedia entries (with no author or editor)

Title of Encyclopedia (year) “Title of entry”, volume, edition, Title of Encyclopedia, Publisher, Place of publication, pages.
e.g. Encyclopaedia Britannica (1926) “Psychology of culture contact”, Vol. 1, 13th ed., Encyclopaedia Britannica, London and New York, NY, pp. 765-71.
(For authored entries please refer to book chapter guidelines above)

For newspaper articles (authored)

Surname, Initials (year), “Article title”, Newspaper, date, pages.
e.g. Smith, A. (2008), “Money for old rope”, Daily News, 21 January, pp. 1, 3-4.

For newspaper articles (non-authored)

Newspaper (year), “Article title”, date, pages.
e.g. Daily News (2008), “Small change”, 2 February, p. 7.

For archival or other unpublished sources

Surname, Initials, (year), “Title of document”, Unpublished Manuscript, collection name, inventory record, name of archive, location of archive.
e.g. Litman, S. (1902), “Mechanism & Technique of Commerce”, Unpublished Manuscript, Simon Litman Papers, Record series 9/5/29 Box 3, University of Illinois Archives, Urbana-Champaign, IL.

For electronic sources

If available online, the full URL should be supplied at the end of the reference, as well as a date that the resource was accessed.
e.g. Castle, B. (2005), “Introduction to web services for remote portlets”, available at: (accessed 12 November 2007).
Standalone URLs, i.e. without an author or date, should be included either within parentheses within the main text, or preferably set as a note (roman numeral within square brackets within text followed by the full URL address at the end of the paper).

For data

Surname, Initials (year), Title of Data Set, Name of data repository, available at: Persistent URL 
e.g. Campbell, A. and Kahn, R.L. (1999), American National Election Study, 1948, ICPSR07218-v3, Inter-university Consortium for Political and Social Research (distributor), Ann Arbor, MI, available at:

Reflection Paper 

The purpose of this reflection paper is for students to gain experience in conducting research and to explore current auditing analytic related topics. This assignment will require students to apply concepts and tools presented in the chapter(s) covered each week. The paper must be a minimum 6 pages typed in Word, double-spaced using Times New Roman 12 pt. font, with one-inch margins all around (minimum 7 pages). Do not plagiarize – cite the textbook or any other sources using APA format. Please include the following statement on all assignment cover pages:

CERTIFICATION OF AUTHORSHIP: I certify that I am the author of this work and that any assistance I have received in its preparation is fully acknowledged and disclosed. I have also cited any sources from which I used data, ideas or words, directly quoted or paraphrased. This work was prepared by me specifically for this course.

TOPIC: Database Management: Cleaning Accounting Data  

· Overview of Data Types 

· Structured data and examples 

· Unstructured data and examples 

· Incorporating AI into database management.

I need help on the rest of the paper!

School of Business Undergraduate Core Curriculum Rubric

SLO # 1: Students will compose clear, concise forms of written communication to effectively convey ideas and information associated with business topics.











The rubric has four criteria, each scored on four performance levels (highest level first). Criterion labels did not survive extraction except for the fragment “Quality of”; cells that end mid-sentence were cut off in the source.

- Organization is excellent and exceeds expectations; clear and well stated introduction; main points are identified and argued, with a structure that flows logically from point to point; clear summary and conclusion.
- Organization is proficient and meets expectations; introduction and main points are identified, even if some transitions are somewhat sudden; summary and conclusion are clear.
- Attempts to create an organized structure; abrupt jumps; some of the main points and conclusion are
- Unable to demonstrate clear organization with no main points; unclear transition and weak conclusion.

- Grammar and spelling are correct; conforms to prescribed style and format; uses language, terminology, graphics, or other means of communication that is sophisticated, accurate and clear for the business
- Grammar or spelling errors minimal; prescribed style and format is followed; uses language and/or terminology that satisfies all aspects of the message requirements but does not show mastery of business language / terminology.
- Several instances of improper grammar, spelling and punctuation; uses language / terminology that is adequate but sometimes vague and / or inappropriate for the business
- Writing is unclear; improper use of grammar, spelling and punctuation; unable to incorporate business terminology and is inadequate for the business

Quality of
- Articulates ideas clearly; presented neatly and professionally; demonstrates mastery use of professional style for the business
- Articulates ideas; presented neatly; uses a professional style to satisfy requirements of the message for the business
- Ideas are somewhat unclear; attempts to address the message but occasionally detracts from it; sometimes vague and seemingly inappropriate for the business
- Ideas are not clear; unable to identify and / or address the message; does not meet basic standards for the business environment.

- Demonstrates skillful use and identification of various high-quality, credible, relevant sources (primary, secondary applied and scholarly research); aligns findings directly to message; where appropriate, attributes sources completely.
- Demonstrates consistent use and reference of credible relevant sources (primary, secondary applied and scholarly); links findings to message; where appropriate, attributes sources.
- Demonstrates an attempt to use credible sources (primary, secondary applied and scholarly); alignment between findings and general message somewhat unclear; where appropriate, inconsistencies with attributing sources.
- Demonstrates very little attempt to use sources (primary, secondary applied and scholarly); insufficient findings to support message; where appropriate, lacks attributes to sources.
TOTAL MINIMUM SCORE of (12) required with a minimum score of (3) in each category

Varying Definitions of Online Communication and Their Effects on Relationship Research

Elizabeth L. Angeli

State University

Author Note

Elizabeth L. Angeli, Department of Psychology, State University.

Elizabeth Angeli is now at Department of English, Purdue University.

This research was supported in part by a grant from the Sample Grant


Correspondence concerning this article should be addressed to Elizabeth

Angeli, Department of English, Purdue University, West Lafayette, IN 55555.


[Text box: The running head cannot exceed 50 characters including spaces. The running head’s title should be in capital letters. The running head should be flush left, and page numbers should be flush right. On the title page, the running head should include the words “Running head.” For pages following the title page, repeat the running head in all caps without “Running head.”]

[Text box: The title should be centered on the page, typed in 12-point Times New Roman Font. It should not be underlined, or (remainder lost in extraction).]

[Text box on the author’s name and affiliation: only fragments survived extraction.]

[Text box: The running head is a version of the paper’s full title, and it is used to help readers identify the titles for articles (even if your paper is not intended for publication, your paper should still have a running head).]

[Text box on what the title should convey about the paper’s main idea: only fragments survived extraction.]

[Text box: Green text boxes contain explanations of APA style. Blue boxes contain directions for writing and citing in APA.]

The author note should appear on printed articles and identifies each author’s
department and institution affiliation and any changes in affiliation, contains
acknowledgements and any financial support received, and provides contact
information. For more information, see the APA manual, 2.03, page 24-25.
Note: An author note is optional for students writing class papers, theses, and

An author note should appear as follows:
First paragraph: Complete departmental and institutional affiliation
Second paragraph: Changes in affiliation (if any)
Third paragraph: Acknowledgments, funding sources, special circumstances
Fourth paragraph: Contact information (mailing address and e-mail)




This paper explores four published articles that report on results from research conducted on online (Internet) and offline (non-Internet) relationships and their relationship to computer-mediated communication (CMC). The articles, however, vary in their definitions and uses of CMC. Butler and Kraut (2002) suggest that face-to-face (FtF) interactions are more effective than CMC, defined and used as “email,” in creating feelings of closeness or intimacy. Other articles define CMC differently and, therefore, offer different results. This paper examines Cummings, Butler, and Kraut’s (2002) research in relation to three other research articles to suggest that all forms of CMC should be studied in order to fully understand how CMC influences online and offline
Keywords: computer-mediated communication, face-to-face communication

[Text boxes on the abstract (partially lost in extraction): abbreviations used in the abstract should be defined in it; the abstract is a brief summary of the paper that allows readers to review the main points and purpose of the paper; the heading word should be typed in 12 point Times New Roman, and the first line of the abstract is not indented.]


Varying Definitions of Online Communication and Their Effects on Relationship Research

Numerous studies have been conducted on various facets of Internet relationships, focusing on the levels of intimacy, closeness, different communication modalities, and the frequency of use of computer-mediated communication (CMC). However, contradictory results are suggested within this research because only certain aspects of CMC are investigated, for example, email only. Cummings, Butler, and Kraut (2002) suggest that face-to-face (FtF) interactions are more effective than CMC (read: email) in creating feelings of closeness or intimacy, while other studies suggest the opposite. To understand how both online (Internet) and offline (non-Internet) relationships are affected by CMC, all forms of CMC should be studied. This paper examines Cummings et al.’s research against other CMC research to propose that additional research be conducted to better understand how online communication affects relationships.

Literature Review

In Cummings et al.’s (2002) summary article reviewing three empirical studies on online social relationships, it was found that CMC, especially email, was less effective than FtF contact in creating and maintaining close social relationships. Two of the three reviewed studies focusing on communication in non-Internet and Internet relationships mediated by FtF, phone, or email modalities found that the frequency of each modality’s use was significantly linked to the strength of the particular relationship (Cummings et al., 2002). The strength of the relationship was predicted best by FtF and phone communication, as participants rated email as an inferior means of maintaining personal relationships as compared to FtF and phone contacts (Cummings et al., 2002).

[Text boxes on in-text citations (partially lost in extraction): a citation includes the author and year, with a page number when paraphrasing or quoting (the surviving example fragment reads “2009, p.”); if an article has three to five authors, write out all of the names the first time it is cited, then use the first author’s last name followed by “et al.”; further boxes on including the date of the article, on the title of the paper, and on the introduction presenting the problem (“See the OWL resources on …”) survive only as fragments. A repeat of the title-formatting box also appeared here.]

Cummings et al. (2002) reviewed an additional study conducted in 1999 by the HomeNet project (see Appendix A for more information on the HomeNet project). In this project, Kraut, Mukhopadhyay, Szczypula, Kiesler, and Scherlis (1999) compared the value of using CMC and non-CMC to maintain relationships with partners. They found that participants corresponded less frequently with their Internet partner (5.2 times per month) than with their non-Internet partner (7.2 times per month) (as cited in Cummings et al., 2002). This difference does not seem significant, as it is only two times less per month. However, in additional self-report surveys, participants responded feeling more distant, or less intimate, towards their Internet partner than their non-Internet partner. This finding may be attributed to participants’ beliefs that email is an inferior mode of personal relationship communication.

Intimacy is necessary in the creation and maintenance of relationships, as it is defined as the sharing of a person’s innermost being with another person, i.e., self-disclosure (Hu, Wood, Smith, & Westbrook, 2004). Relationships are facilitated by the reciprocal self-disclosing between partners, regardless of non-CMC or CMC. Cummings et al.’s (2002) reviewed results contradict other studies that research the connection between intimacy and relationships through CMC.

Hu et al. (2004) studied the relationship between the frequency of Instant Messenger (IM) use and the degree of perceived intimacy among friends. The use of IM instead of email as a CMC modality was studied because IM supports a non-professional environment favoring intimate exchanges (Hu et al., 2004). Their results suggest that a positive relationship exists between the frequency of IM use and intimacy, demonstrating that participants feel closer to their Internet partner as time progresses through this CMC

[Text boxes on appendices (partially lost in extraction): use an appendix for material that supports your paper but is not directly related to your text; if you are including an appendix, refer to it in the body of your paper.]

Similarly, Underwood and Findlay (2004) studied the effect of Internet relationships on primary, specifically non-Internet relationships and the perceived intimacy of both. In this study, self-disclosure, or intimacy, was measured in terms of shared secrets through the discussion of personal problems. Participants reported a significantly higher level of self-disclosure in their Internet relationship as compared to their primary relationship. In contrast, the participants’ primary relationships were reported as highly self-disclosed in the past, but the current level of disclosure was perceived to be lower (Underwood & Findlay, 2004). This result suggests participants turned to the Internet in order to fulfill the need for intimacy in their lives.

In further support of this finding, Tidwell and Walther (2002) hypothesized CMC participants employ deeper self-disclosures than FtF participants in order to overcome the limitations of CMC, e.g., the reliance on nonverbal cues. It was found that CMC partners engaged in more frequent intimate questions and disclosures than FtF partners in order to overcome the barriers of CMC. In their 2002 study, Tidwell and Walther measured the perception of a relationship’s intimacy by the partner of each participant in both the CMC and FtF conditions. The researchers found that the participants’ partners stated their CMC partner was more effective in employing more intimate exchanges than their FtF partner, and both participants and their partners rated their CMC relationship as more intimate than their FtF relationship.

In 2002, Cummings et al. stated that the evidence from their research conflicted with other data examining the effectiveness of online social relationships. This statement is supported by the aforementioned discussion of other research. There may be a few possible theoretical explanations for these discrepancies.

Limitations of These Studies

The discrepancies identified may result from a number of limitations found in the materials reviewed by Cummings et al. These limitations can result from technological constraints, demographic factors, or issues of modality. Each of these limitations will be examined in further detail below.

Technological limitations. First, one reviewed study by Cummings et al. (2002) examined only email correspondence for their CMC modality. Therefore, the study is limited to only one mode of communication among other alternatives, e.g., IM as studied by Hu et al. (2004). Because of its many personalized features, IM provides more personal CMC. For example, it is in real time without delay, voice-chat and video features are available for many IM programs, and text boxes can be personalized with the user’s picture, favorite colors and text, and a wide variety of emoticons, e.g., :). These options allow for both an increase in self-expression and the ability to overcompensate for the barriers of CMC through customizable features, as stated in Tidwell and Walther (2002). Self-disclosure and intimacy may result from IM’s individualized features, which are not as personalized in email correspondence.

[Text boxes (partially lost in extraction): because all research has its limitations, it is useful to discuss the limitations of the reviewed articles. A Level 1 heading should be bolded and in title case; a Level 2 heading should be flush with the left margin, bolded, and in title case; a Level 3 heading is indented 0.5” from the left margin, bolded, and in lower case (except for the first word), with the text following after it. If you use more than three levels of headings, see section 3.02 of the APA manual (6th ed.) or the OWL resource on headings.]

Demographic limitations. In addition to the limitations of email, Cummings et al. (2002) reviewed studies that focused on international bank employees and college students (see Appendix B for demographic information). It is possible the participants’ CMC through email was used primarily for business, professional, and school matters and not for relationship creation or maintenance. In this case, personal self-disclosure and intimacy levels are expected to be lower for non-relationship interactions, as this communication is primarily between boss and employee or student and professor. Intimacy is not required, or even desired, for these professional relationships.

Modality limitations. Instead of professional correspondence, however, Cummings et al.’s (2002) review of the HomeNet project focused on already established relationships and CMC’s effect on relationship maintenance. The HomeNet researchers’ sole dependence on email communication as CMC may have contributed to the lower levels of intimacy and closeness among Internet relationships as compared to non-Internet relationships (as cited in Cummings et al., 2002). The barriers of non-personal communication in email could be a factor in this project, and this could lead to less intimacy among these Internet partners. If alternate modalities of CMC were studied in both already established and professional relationships, perhaps these results would have resembled those of the previously mentioned research.

Conclusions and Future Study

In order to gain a complete understanding of CMC’s true effect on both online and offline relationships, it is necessary to conduct a study that examines all aspects of CMC. This includes, but is not limited to, email, IM, voice-chat, video-chat, online journals and diaries, online social groups with message boards, and chat rooms. The effects on relationships of each modality may be different, and this is demonstrated by the discrepancies in intimacy between email and IM correspondence. As each mode of communication becomes more prevalent in individuals’ lives, it is important to examine the impact of all modes of CMC on online and offline relationship formation, maintenance, and even termination.

[Text box on the conclusion (partially lost in extraction): “… the paper and can offer areas for further … See the … resource on …”]




References

Cummings, J. N., Butler, B., & Kraut, R. (2002). The quality of online social relationships. Communications of the ACM, 45(7), 103-108.

Hu, Y., Wood, J. F., Smith, V., & Westbrook, N. (2004). Friendships through IM: Examining the relationship between instant messaging and intimacy. Journal of Computer-Mediated Communication, 10, 38-48.

Tidwell, L. C., & Walther, J. B. (2002). Computer-mediated communication effects on disclosure, impressions, and interpersonal evaluations: Getting to know one another a bit at a time. Human Communication Research, 28, 317-348.

Underwood, H., & Findlay, B. (2004). Internet relationships and their impact on primary relationships. Behaviour Change, 21(2), 127-140.

Start the reference list on a new page, center the title “References,” and
alphabetize the entries. Do not underline or italicize the title. Double-space all
entries. Every source mentioned in the paper should have an entry.



Appendix A

The HomeNet Project

Started at Carnegie Mellon University in 1995, the HomeNet research project has involved a number of studies intended to look at home Internet usage. Researchers began this project because the Internet was originally designed as a tool for scientific and corporate use. Home usage of the Internet was an unexpected phenomenon worthy of extended study.

Each of HomeNet’s studies has explored a different facet of home Internet usage, such as chatting, playing games, or reading the news. Within the past few years, the explosion of social networking has also proven to be an area deserving of additional research. Refer to Table A1 for a more detailed description of HomeNet studies.

Table A1

Description of HomeNet Studies by Year

(Only the description column survived extraction; the year column is missing.)

- 93 families in Pittsburgh involved in school or community organizations
- 25 families with home businesses
- 151 Pittsburgh households
- National survey

[Text boxes on appendices (partially lost in extraction): begin each appendix on a new page, with the word “Appendix” in the top center; use a letter (e.g., Appendix B, etc.) if you have more than one appendix, and if you are referring to more than one appendix in your text, use the letter (APA only). The first paragraph of the appendix should be flush with the left margin. Label tables and figures in the appendix as you would in the text of your paper, using the letter A before the number to clarify that the table or figure belongs to the appendix.]


Appendix B

Demographic Information for Cummings et al. (2002)’s Review

[Text box (partially lost in extraction): if an appendix consists entirely of a table or figure, the title of the table or figure can serve as the title of the appendix. The appendix content itself did not survive extraction.]


9/10/2020 Data Governance in Digital Transformation – Strategic Finance 1/6



TECHNOLOGY


September 1, 202



Data policies, corporate culture, organization structure, technology infrastructure, and workforce development are the foundations of data governance.

What does digital transformation mean to you? For many, it means the rapid creation of personalized customer experiences. But digital transformation is also driving a surge in data, requiring careful management and control with heightened attention to the security and privacy of the customer information that enables it. The recent Harvard Business Review (HBR) research “A Blueprint for Data Governance in the Age of Business Transformation” ( shows that corporate executives, senior and middle managers, and other cross-functional stakeholders understand these constraints and view investments in data governance as a way to enable data-driven decision making, enhance their organization’s reputation, improve competitiveness by protecting intellectual property (IP), and reduce the costs and fines associated with data breaches.

Creating trust by applying robust data governance also helps organizations retain and attract customers while increasing revenues. How can organizations meet the expectations of rolling out digital transformation and responding quickly to customer needs while protecting corporate IP and customer information?

According to the HBR research, creating effective data governance rests on five pillars: (1) data policies, (2) corporate culture, (3) organization structure, (4) technology infrastructure, and (5) workforce development.


Before creating data policy, the first step is to define what data governance is appropriate for your organization. Data governance is a data management system that ensures that business objectives are supported by high-quality data and controls across the complete life cycle of data. It supports data availability, usability, consistency, integrity, and security by establishing accountability for data quality and promoting accessibility and proper use of data across the

Experts agree that effective data governance is one of the first principles of proper data management. Data governance identifies what data will be collected, how it will be collected and protected, and how data compliance and confidentiality requirements will be achieved. Creating effective data policies and systematically communicating them throughout the organization will ensure that all employees are consistently aware and follow proper data security and management protocols.

The next step is to define all valuable or potentially valuable organizational data, including all customer data, and to perform a data policy gap analysis. The analysis should include all business units and consider both internal policies and external regulations. A risk-assessment heat map should be created to identify and close the gaps.

Now create or update the policies based on the results of the findings, giving top priority to areas with the highest ROI and potential impact. Finally, set up an ongoing review process to continue updating the policies as needed, based on business, legal, and regulatory compliance as well as changes in the economic

Corporate culture often requires significant changes for an organization to become a data-driven enterprise. Why is creating a data-driven culture so important? Gartner advises, “Culture and data literacy are the top two roadblocks for data and analytics leaders” ( Overcoming these roadblocks by creating a data-driven culture allows organizations to better serve their customers and accelerate decision making.

Tableau advises that data-driven cultures require five common elements: trust, commitment, talent, sharing, and mind-set. “Becoming truly data-driven requires changing mindsets, attitudes, and habits—embedding data into the identity of the organization. People have to want to use data and encourage others to do the same. In a Data Culture, people ask the hard questions and challenge ideas. They come together with a shared mission to improve the organization and themselves with data. Leaders inspire through action, basing decisions on data, not intuition” ( For organizations to successfully adopt these new cultural norms, leadership must choose and systematically apply a change management methodology, including a strong communication plan.


To bring sustainable change in establishing data-driven culture, the most successful organizations have added the role of chief data officer (CDO). NewVantage Partners’ Annual Big Data Executive Survey 2018 found that 62.5% of senior Fortune 1000 business and technology decision makers said their organization had appointed a CDO. The CDO’s primary purpose is to provide leadership in treating data as an organizational asset, with robust and comprehensive data governance. CDOs work with IT and business-unit leaders to identify and communicate the business value of the data and then lead all aspects of data strategy around data management, including governance.

Another prominent C-suite role with the specific focus on driving information security initiatives and programs pertaining to internal and external threats is that of chief information security officer (CISO). More than half of regulated industry organizations surveyed by HBR agreed about the essential role of the

Having a CDO and CISO isn’t enough. Good data governance requires cross-functional cooperation and leadership. Senior executives must understand the importance and ROI of data as an asset and become its stewards and enthusiastic supporters of data governance. CFOs can be instrumental in leading the charge, due to their broad understanding of financial and organizational data. All business-unit leaders should align with the data governance strategy and follow the correct policies and procedures. Good data governance will increase customer trust and reduce the risk of its loss.


Investing in security infrastructure and data governance monitoring improves governance maturity. Leading organizations pursue anti-malware, data-flow tracking, e-discovery, and behavior-monitoring investments.

Understanding what data exists, which data is confidential, and how the data is being used can be simplified using the correct technology tools. And applying regular updates to infrastructure reduces the risk of breaches, providing customer reassurance, which is critical in maintaining both B2B and B2C customer

The weakest security link in most organizations is their workforce. Most malware breaches occur because of employee mistakes. Organizations need “soft” training (e.g., how to recognize phishing attacks, comply with security/privacy policies, etc.) as well as training in any new tools.

Effective data governance rests on the five key pillars of data policies, corporate culture, organization structure, technology infrastructure, and workforce development. Although data governance is often behind digital transformation, by focusing on these pillars, data governance can catch up and support digital transformation innovations while protecting corporate IP and customer


All views, thoughts, and opinions expressed belong solely to the authors, and not to the authors’ employers.



Rod Koch, CMA, CSCA, PMP, CSM, is a member of IMA’s Technology Solutions and Practices Committee and the IMA Global Board of Directors. He can be reached at

Tatyana Corban, CPA, is a member of IMA’s Technology Solutions and Practices Committee, IMA’s Portland Chapter, and the Society for Information Management, Portland Chapter, board of directors. Follow her on LinkedIn at












© 2015 – 2020, Institute of Management Accountants, Inc.



10/5/21, 5:15 PM

How CPAs can prepare for handling the big data world… 1/6


How CPAs can prepare for handling the big data world

Successfully analyzing major data sets may mean brushing up on current skills—and learning some new ones, too


CPA Canada (/en)


Using different skills to analyze big data, such as natural curiosity, will be advantageous to future accountants (Getty Images/eclipse_images)

Digitization is affecting many facets of day-to-day living. According to a recent report, The role of professional accountants in data (/en/foresight-initiative/data-governance/role-professional-accountants-in-data), from CPA Canada and the International Federation of Accountants (IFAC), digital data was estimated to be at 40 zettabytes (40 trillion gigabytes) in 2020, up from 1.2 zettabytes in 2010.

Maintaining relevancy in the digital age of AI-compiled data sets, as the report shows, means accountants will have to learn new skills and competencies to succeed. One such strategy being undertaken by the CPA profession is the draft of the new “Way Forward” Competency Map (CM2.0 (/en/news/accounting/the-profession/2021-07-07-competency-map)), which was developed to better align the needs of this changing world with the skills of an accountant.

“The data sets are changing and getting bigger,” says FCPA Tim Jackson, chair of the Competency Map Task Force (/en/become-a-cpa/why-become-a-cpa/the-cpa-certification-program/the-cpa-competency-map/competency-map-task-force) and CEO of Shad Canada, Canada’s premier summer enrichment program for high school students focused on STEAM (science, technology, engineering, arts and mathematics) and entrepreneurship. “But we also have access to more tools that make it easier to select those datasets.”

As Jackson points out, CPAs are already skilled at analyzing data and completing sample selections. “In many ways,” he says, “I don’t think [the role] is changing, the information is


To remain successful in this changing digital landscape, Jackson says CPAs will have to continue being lifelong learners. Upskilling through various courses (/en/foresight-initiative/data-governance) and CPD credits will help accountants be in the know when it comes to digital trends and data crunching. Much of this, he says, will need to happen both through training and by organizations providing roles that allow employees to evolve—such as data scientist and data controller, as the IFAC and CPA Canada report states (/en/foresight-initiative/data-


“That’s an investment [employers] have to make,” he says. But he adds that the responsibility also rests on employees, who must have an appetite for continued learning—whether through training offered by employers or staying up to date on new information on their own accord.

“This idea of being curious will be the key characteristic for new CPAs,” says Jackson. “If we bring people into the profession who are curious, it implies they’re constantly trying to figure out what’s new, what’s coming. And, with that curiosity, comes knowledge.”


The upside to the shifting role, according to Jackson, is that it allows accountants to do more analysis. “We still need to apply and validate and understand the historical data, but now it’s the interpretation, saying ‘how do I then use our data moving forward to inform decision making,’” he says.

Traditionally, the accounting profession has had a historical approach, looking back to understand how things will look in the future. But, as Gigi Dawe, corporate oversight and governance lead at CPA Canada explains, “Big data is bringing more unstructured and intangible data (/en/foresight-initiative/data-governance/mastering-data/canadas-digital-economy-and-the-cpa), and data that will help you to assess what’s going to happen versus telling you what did happen, for measuring. That’s the biggest challenge that we’re facing—we don’t really have experience in dealing with this unstructured or intangible data.”

While CPAs have the tools to handle an influx in digital information, Dawe explains that the introduction of big data means accountants must now shift how they manage it. “We’ve really got to start looking at what we do with that AI-enabled data and working with that,” she says, “and learn those skills and ensure that we’re understanding and dealing with that.”

To tackle this hurdle, CPA Michael Lionais, managing director, Technomics Canada—which specializes in decision support—and consultant on CPA Canada’s Foresight (/en/foresight-initiative) initiative, says accountants will have to learn a new data language, analyzing unstructured data against the new ways it is processed, “so that [accountants] actually take the data and get it into a format that they can then use,” he says.


The most important skill Lionais foresees accountants needing? Learning to accept uncertainty. “The accounting profession is all about precision and reconciliation,” he says. “What we’re going to have to start learning is, how do we embrace uncertainty and learn how to reflect that in the advice that we are giving?”

The other concern, he says, is whether or not CPAs have the mindset for this. “It’s not just, ‘can you develop the skills to understand data and manipulate data,’” he says, but you must have the inquisitiveness to appropriately manipulate the data, too.

Lionais sees these changes as an opportunity for the profession to move into more integrated, cross-functional roles. “It becomes a much more relevant, much more interesting, much more dynamic profession,” he says.


Expand your skills with CPA Canada’s data management course (/en/career-and-professional-systems/data-management-certificate) and delve deeper into the roles professional accountants can get involved in (/en/foresight-initiative/data-governance/role-professional-accountants-in-data) to oversee and manage data.

Also, learn to capitalize on the benefits of the digital economy (/en/career-and-professional-digital-transformation-with-dcam) and find out where the profession is headed in the future

About the Author

Michelle Singerman
Michelle is a Toronto-based writer and digital content creator who began her career in local news reporting more than a decade ago. Michelle has been with CPA Canada since 2013.




“Big data is NOT about the data.”

Gary King, Harvard University

“If you torture the data long enough, it will confess.”

Ronald Coase, economist

“Information is the oil of the 21st century, and analytics is the combustion engine.”

Peter Sondergaard, then Head of Research, Gartner Research

Data Analytics in Auditing

©McGraw-Hill Education


Learning Objectives
Identify situations in which audit data analytics can be used in gathering audit evidence.
Understand the steps that are taken in performing audit data analytics.
Understand the requirements for documentation of audit data analytics.
Identify some of the tools that can be used for performing audit data analytics.
Apply data analysis techniques to client financial statement data.
Analyze output from audit data analytic techniques.

The Auditing Data and Analytics Cycle

Advantages of data analytics in audit


Tailor the analytics solutions to support client needs (e.g. journal entry testing)
Ability to replicate processes across type of work and client engagements

Test Size: Provides ability to test entire population instead of a sample

Data Insight: Visualization and analytics tools allow for a better view of the data and pinpoint areas of interest for auditors

Performance of data analytics maximizes time spent structuring data into information

PwC | Applications of data analytics in auditing


Common Uses of Audit Data Analytics
1. Risk Assessment Procedures
Trend analysis of inventory costs
Preliminary three-way match testing in the revenue cycle
Accounts receivable collection periods by region
Inventory aging and days inventory in stock by item
2. Tests of Controls
Proper approval of purchase transactions over a threshold
Employees and Suppliers with same address
Journal entry testing by employee entry amount limits
3. Substantive Analytical Procedures
Predictive model of interest expense
Aging of accounts receivable
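As an added illustration (not part of the McGraw-Hill slides), the following Python script implements two of the tests of controls listed above on constructed sample data: matching employee and supplier addresses after normalization, and flagging purchase transactions over an approval threshold that carry no recorded approver. The master data, the threshold, the abbreviation table and the field names are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample master data and transactions (not taken from the slides).
EMPLOYEES = [
    {"id": "E100", "name": "A. Smith", "address": "12 Main St., Suite 4, Springfield"},
    {"id": "E101", "name": "B. Jones", "address": "77 Oak Avenue, Springfield"},
]
SUPPLIERS = [
    {"id": "S900", "name": "Acme Supplies", "address": "45 Elm Rd, Springfield"},
    {"id": "S901", "name": "Main Street Consulting", "address": "12 MAIN STREET SUITE 4 SPRINGFIELD"},
]
PURCHASES = [  # approved_by is empty/None when no approval was recorded
    {"txn": "P1", "supplier": "S900", "amount": 4800.00, "approved_by": "MGR1"},
    {"txn": "P2", "supplier": "S901", "amount": 12500.00, "approved_by": ""},
    {"txn": "P3", "supplier": "S901", "amount": 9999.99, "approved_by": None},
    {"txn": "P4", "supplier": "S900", "amount": 25000.00, "approved_by": "MGR2"},
]
APPROVAL_THRESHOLD = 10000.00  # assumed client policy: purchases over this need approval

# Assumed abbreviation table; a real engagement would use a fuller postal-standard list.
ABBREVIATIONS = {"street": "st", "avenue": "ave", "road": "rd", "suite": "ste"}


def normalize_address(addr):
    """Lower-case, strip punctuation, collapse whitespace and standardize common
    abbreviations so that different spellings of one address compare equal."""
    tokens = re.sub(r"[^\w\s]", " ", addr.lower()).split()
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)


def shared_addresses(employees, suppliers):
    """Test of controls: employee/supplier pairs whose normalized addresses match,
    a classic fictitious-vendor / related-party red flag.
    Returns (employee_id, supplier_id, normalized_address) tuples."""
    suppliers_by_addr = defaultdict(list)
    for s in suppliers:
        suppliers_by_addr[normalize_address(s["address"])].append(s["id"])
    hits = []
    for e in employees:
        key = normalize_address(e["address"])
        for sid in suppliers_by_addr.get(key, []):
            hits.append((e["id"], sid, key))
    return hits


def unapproved_over_threshold(purchases, threshold):
    """Test of controls: transaction ids above the threshold with no approver recorded."""
    return [p["txn"] for p in purchases
            if p["amount"] > threshold and not (p["approved_by"] or "").strip()]


def purchases_from_flagged_suppliers(purchases, hits):
    """Follow-up: every purchase from a supplier that shares an address with an
    employee, which the auditor would then examine as notable items."""
    flagged = {sid for _, sid, _ in hits}
    return [p["txn"] for p in purchases if p["supplier"] in flagged]


if __name__ == "__main__":
    hits = shared_addresses(EMPLOYEES, SUPPLIERS)
    print("employee/supplier address matches:", hits)
    print("unapproved purchases over threshold:",
          unapproved_over_threshold(PURCHASES, APPROVAL_THRESHOLD))
    print("purchases from flagged suppliers:",
          purchases_from_flagged_suppliers(PURCHASES, hits))
```

Normalization is what makes the address test useful: the two addresses that match here differ in case, punctuation and the "Street"/"St." spelling, and a plain string comparison would miss them. The unapproved-transaction test treats both an empty string and a missing value as "no approval", since exports from different systems encode that differently.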

Heat Map of Fraud Risk Factors

Common Uses of Audit Data Analytics (cont.)
4. Tests of Details
Comparing cash collections to sales invoices and discounts
Analysis of capital expenditures vs repairs and maintenance
Detailed recalculation of depreciation using entire database and exact purchase dates
5. Procedures to help form an overall conclusion
Gross profit percentage by class of revenue

Visualization to Assess Control Environment

Visualization of Word Cloud – Employee Morale

Visualizations to Assess the Market’s Perception of a New Product

Visualizations Depicting Uncertainty around a Line Graph of Price Increase

Conducting Audit Data Analytics (AICPA)

Step 1: Plan the ADA
Determine the significant financial statement accounts and relevant assertions that are being tested.
Specific relevant assertion about a significant account
Determine the nature, timing, and extent of the work that will be completed as part of the ADA.
Specify the exact purpose and specific objectives of the ADA.
Select the techniques and tools to be used.


Step 1: Plan the ADA (cont.)
Determine the population to be analyzed or tested, including matters which may affect the relevance and reliability of the data.
Completeness and Accuracy
System Reliability
Select the ADA that is best suited for the purpose.


Step 2: Access and Prepare the Data
Data must be accessible and in a usable format.
Clients may store data in a variety of formats and systems, e.g. Enterprise Resource Planning (ERP) and external data repository (cloud)
Many generalized audit software tools, such as IDEA, can import from a variety of sources.
No commonly used standardized format exists, although voluntary Audit Data Standards exist.
Auditor must ensure data security and integrity.
Management may be concerned that auditor access leads to data breaches or customer confidentiality concerns.
Auditor may need to subject their systems to reliability testing.

Step 2: Access and Prepare the Data (cont.)
Cleansing of data
Some fields may be empty, which could lead to errors in analysis.
Date fields may have numbers or letters.
Data may be outside relevant date range.
Format of dates may vary (D-M-Y vs M-D-Y vs Y-M-D).
Country-specific differences, such as currency ($1.22 vs 1,22E)
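Added example (not from the slides): a small Python cleansing pass over a constructed extract that demonstrates the issues listed above: empty fields, invalid calendar dates, dates outside the audit period, per-source date order (D-M-Y, M-D-Y, Y-M-D) and US versus European currency formatting. It goes slightly beyond the slide by keeping an exception list instead of silently dropping bad rows, which is what the documentation requirements later on the page call for. The field names, the period and the "last separator is the decimal mark" rule are assumptions.

```python
import re
from datetime import date

# Constructed sample extract (not from the slides). Each record declares which
# date convention its source system used, as a multi-entity export might.
RAW_ROWS = [
    {"id": "T1", "date": "03/04/2021", "date_format": "D-M-Y", "amount": "$1,250.40"},
    {"id": "T2", "date": "03/04/2021", "date_format": "M-D-Y", "amount": "1.250,40€"},
    {"id": "T3", "date": "2021-11-30", "date_format": "Y-M-D", "amount": "1,22E"},
    {"id": "T4", "date": "",           "date_format": "Y-M-D", "amount": "10.00"},
    {"id": "T5", "date": "31/02/2021", "date_format": "D-M-Y", "amount": "$5.00"},
    {"id": "T6", "date": "15/06/2022", "date_format": "D-M-Y", "amount": "$7.00"},
    {"id": "T7", "date": "07/07/2021", "date_format": "D-M-Y", "amount": "n/a"},
]
PERIOD_START, PERIOD_END = date(2021, 1, 1), date(2021, 12, 31)  # assumed audit period

# Index of (year, month, day) within the three split components for each convention.
_ORDER = {"D-M-Y": (2, 1, 0), "M-D-Y": (2, 0, 1), "Y-M-D": (0, 1, 2)}


def parse_date(text, fmt):
    """Parse a date whose component order is declared by fmt.
    Returns None for empty, non-numeric or impossible dates (e.g. 31 February)."""
    parts = re.split(r"[-/.]", text.strip())
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    yi, mi, di = _ORDER[fmt]
    try:
        return date(int(parts[yi]), int(parts[mi]), int(parts[di]))
    except ValueError:
        return None


def parse_amount(text):
    """Parse US ('$1,250.40') or European ('1.250,40€', '1,22E') formatting into a float.
    Assumption: the last separator in the string is the decimal mark, so a bare
    '1,250' with no decimals is ambiguous and would be read as 1.25; such values
    should be confirmed with the client rather than guessed."""
    s = re.sub(r"[^\d,.\-]", "", text.strip())  # keep digits, separators, sign
    if not s:
        return None
    if s.rfind(",") > s.rfind("."):          # European: ',' decimal, '.' thousands
        s = s.replace(".", "").replace(",", ".")
    else:                                    # US: '.' decimal, ',' thousands
        s = s.replace(",", "")
    try:
        return float(s)
    except ValueError:
        return None


def cleanse(rows, start, end):
    """Return (clean_rows, exceptions). Rows with problems are excluded from the
    analysis population but reported, so the auditor can document what was left out."""
    clean, exceptions = [], []
    for r in rows:
        problems = []
        d = parse_date(r["date"], r["date_format"])
        if not r["date"].strip():
            problems.append("empty date")
        elif d is None:
            problems.append("unparseable date")
        elif not (start <= d <= end):
            problems.append("date outside period")
        amt = parse_amount(r["amount"])
        if amt is None:
            problems.append("unparseable amount")
        if problems:
            exceptions.append((r["id"], problems))
        else:
            clean.append({"id": r["id"], "date": d, "amount": amt})
    return clean, exceptions


if __name__ == "__main__":
    good, bad = cleanse(RAW_ROWS, PERIOD_START, PERIOD_END)
    for row in good:
        print("clean", row["id"], row["date"].isoformat(), row["amount"])
    for rid, why in bad:
        print("exception", rid, ", ".join(why))
```

Rows T1 and T2 carry the identical string "03/04/2021" yet resolve to different dates because their source systems use different conventions, which is why the date order has to travel with the data rather than be guessed from it.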


Step 3: Consider the Relevance and Reliability of the Data Used
The auditor must consider whether the data has a logical connection to the purpose of the audit procedure and the assertion being tested.
What data would be most relevant to performing the ADA?
Is the data considered most relevant available?
If not, are there alternative ways to obtain the data? Alternative data that could be used?
Similarly, auditors must evaluate the reliability of any data used in ADA.
Source reliability
Nature and relevance of information available
Internal controls over data preparation


Step 3: Consider the Relevance and Reliability of the Data Used (cont.)
Completeness and Accuracy of data must be ensured.
Reliability of accounting systems and Information Technology General Controls (ITGCs) must be tested prior to using data from a client system.
To determine the reliability of data, the auditor may consider
Whether the ADA is a risk assessment procedure, a test of controls, etc.
The risk assessment associated with the account/assertion
The extent of other audit procedures
The nature and source of data (e.g. internal vs. external)
The process used to produce the data
Additional procedures to ensure data reliability


Step 3: Consider the Relevance and Reliability of the Data Used (cont.)
Characteristics of data that may affect relevance and reliability
Nature (e.g. financial vs. non-financial, historic, time-sensitive, economic, etc.)
Source (controlled by accounting department, controlled internally but outside accounting department, external)
Format (numerical, text, fixed fields, unstructured)
Timing (point in time or period of time, rate of change)
Extent (volume and variety of subject matter/sources)
Level of Aggregation (account balance vs. transaction, annual vs. hourly, consolidated vs. segment)

Characteristics of Data

Step 4: Perform the ADA
Actual performance of the ADA varies greatly depending on the purpose of the ADA.
If initial results indicate ADA needs to be revised, consider revisions and reperformance.
If the ADA has been properly designed and performed, consider additional procedures on identified items that warrant further attention.


Step 5: Evaluate the Results and Conclude
Have the objectives of the ADA been achieved?
If not, plan and perform different procedures.
Gather additional evidence to help reduce risk of material misstatement; design and perform procedures on notable items.
Duplicate items.
Missing items.
Items with higher assessed risk.
Address risk of material misstatement for remaining population items.
Consider whether risk of material misstatement exists in items not identified as notable.
It may be appropriate for auditor to conclude that no additional risk of material misstatement is present.
Document work performed.


Documentation Requirements
AU-C 230 applies to ALL audit documentation, including ADA.
Documentation should be prepared to be sufficient such that an experienced auditor, with no prior connection with the engagement can understand:
Nature, timing and extent of procedures performed
Results of procedures and evidence obtained
Conclusions reached and significant judgments made
The auditor should record:
Identifying characteristics of specific items or matters tested
Who performed the work and date of performance
Who reviewed the work, date of review, and extent of review

Documentation Requirements (cont.)
Auditor may record the scope of the procedure and population analyzed.
No requirement to include the data analyzed (generally impractical)
Possible documentation specific to ADA:
Objectives of the procedure
Risks of material misstatements addressed at the financial statement or assertion level
Sources of the data and how it was determined to be sufficient and appropriate (complete and accurate)
The nature of the ADA and the tools and techniques used
Tables or graphics used, including how they were generated
Steps taken to access data, including the system accessed and how the data were extracted and transformed
Evaluation of matters identified as a result of applying the ADA and actions taken
Identifying characteristics of specific items or matters tested
Preparer and reviewer information as required by AU-C 230

Documentation Requirements (cont.)
Screenshots of graphics generated in performing an ADA may be included in documentation.
Only graphics necessary to support the auditor’s work and conclusions should be included.
The auditor need not document every matter considered or professional judgment made.
All misstatements identified other than those considered clearly trivial should be documented.

Common Tools Used in ADA
Generalized Audit Software
Data Preparation and Statistical Analysis Tools
Visualization Tools
Microsoft Power BI
All-Purpose Tools


Professional Skepticism in ADA
An auditor must plan and perform an audit with professional skepticism, and must exercise professional judgement.
Some areas where professional skepticism and judgment apply in ADA:
Assessing the completeness and accuracy of client data
Making assumptions in planning the procedures and evaluating the results
Considering unusual circumstances
Appropriately generalizing in drawing conclusions


Big Data and Auditing

What is Big Data?
March 3, 2017
16th Annual Accounting Educators Seminar – University of Missouri – Kansas City

• A collection of data sets that are too large or too complex to analyze with traditional databases and
• Standard descriptions usually include:
  • Volume
  • Variety
  • Velocity
  • Veracity

Data vs. Big Data

• Accounting professionals need to know how to conduct data analytics regardless of whether it is “Big”.
• Transactional Data can tell us what has happened, Big Data and data analytics can often help explain why.
• We need to embrace both.

What is the Impact on the Accounting Professional?

• Audit – Internal and External
• Data driven audits
• Better experience for the client
• Better experience for the auditor
• More valuable insights
• Improving corporate compliance

Implications for Accounting Professionals

• Advisory Services
• Identify questions
• Use analytics to help business improve performance
• Build analytical models

What are employers looking for?…

• An employee with the following skills:
  • Ability to understand big data technology structures
  • Ability to construct experiments, gather and analyze data, make evidence-based decisions
  • Strong communication skills
  • Strong quantitative skills in statistical analysis, visual analytics, machine learning, and ability to analyze unstructured data
  • Business expertise – a good sense of where to apply analytics and big data


Data and Analytics

• Data are facts and statistics collected together for reference or analysis.
  – known or assumed as facts
    • Payroll register
    • Sales Journal
  – make the basis for reasoning or calculations
• Analytics are the systematic computational analysis of data.
  – Research potential trends
    • Evaluate causes of increase in employee costs
  – Identify risks
    • Identify missing sales invoice numbers
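Added example (not part of the slides): the "identify missing sales invoice numbers" risk check above, together with the duplicate and missing "notable items" named in Step 5 of the ADA process earlier on the page, implemented in Python over a constructed invoice list. It generalizes the slide's single case by splitting the population into series by prefix and checking each series separately; the prefix/number format and the sample identifiers are assumptions.

```python
import re
from collections import defaultdict

# Constructed sales invoice identifiers (not from the slides): two numbered
# series plus one identifier that does not fit the expected pattern.
SALES_INVOICES = ["INV-1001", "INV-1002", "INV-1004", "INV-1004", "INV-1006",
                  "EXP-0007", "EXP-0009", "INV-ABC"]

# Assumed identifier shape: any non-numeric prefix followed by a trailing number.
_NUM_RE = re.compile(r"^(?P<series>.*?)(?P<num>\d+)$")


def sequence_check(invoice_numbers):
    """Group invoice numbers into series by prefix and, within each series, report
    gaps (missing numbers) and duplicates. Identifiers that do not parse are
    returned separately rather than dropped, so they can be followed up."""
    series = defaultdict(list)
    unparseable = []
    for raw in invoice_numbers:
        m = _NUM_RE.match(raw.strip())
        if not m:
            unparseable.append(raw)
            continue
        series[m.group("series")].append(int(m.group("num")))

    result = {}
    for name, nums in series.items():
        seen, dups = set(), set()
        for n in nums:
            if n in seen:
                dups.add(n)
            seen.add(n)
        # A contiguous series should cover every integer between its min and max.
        missing = [n for n in range(min(nums), max(nums) + 1) if n not in seen]
        result[name] = {"missing": missing, "duplicates": sorted(dups)}
    return result, unparseable


if __name__ == "__main__":
    findings, bad = sequence_check(SALES_INVOICES)
    for name, f in findings.items():
        print(f"series {name!r}: missing {f['missing']}, duplicates {f['duplicates']}")
    print("unparseable identifiers:", bad)
```

A gap in the series is evidence about completeness (an invoice that was issued but never recorded, or voided without a record), while a duplicate is evidence about accuracy or possible double billing; both are the kind of notable item the auditor then tests individually.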

Social Media Text Analysis

Data Chain

Analytics Chain

The Next Generation of Auditing

• Currently, auditors focus on client data, as do most companies.
  – Internal auditors have used big data to detect insurance and purchasing card fraud based on anomalous payments.
  – Target sends ads to women deemed “likely pregnant” based on specific non-baby-related purchases and upset a teenage girl’s father by sending advertisements for baby supplies based on her purchases. Turned out, Target knew before she did!
• However, it is easy to see how auditors could improve risk assessments and analytical procedure expectations using external data.
  – Walmart: Hurricanes increased sales of not only flashlights and water, but Pop tarts by 7x the normal rate!
  – Using Google’s Profile of Mood States and 10 million tweets, researchers predicted stock price changes 3-4 days in advance.

A taxonomy for analytics

• Descriptive (and diagnostic) analytics – What is happening? Why is it happening?
  • Traditional business intelligence (BI) and visualizations (pie-charts, bar-charts, line-graphs, tables, or generated narratives).
• Predictive analytics – “What is going to happen?” (What is likely to happen?)
  • Regression analysis, forecasting, multivariate statistics, pattern matching, predictive modeling, and forecasting (among others).
• Prescriptive analytics – “What should be done?” (or What can we do to make something happen?)
  • Graph analysis, simulation, complex event processing, neural networks, recommendation engines, heuristics, and machine learning (among others).

Examples of analytics in ITGC

New User Testing
• Appropriate management needs to approve access to all new users
• A brand new employee that is a telephone operator should not get access to edit financial data

Revocation Testing
• Appropriate management should revoke access to users who no longer require access to an application
• If an employee leaves a company, he or she does not need access to any of the company’s

Change Management
• Controls are put in place to prevent the Segregation of Duties (SOD) risk, in which user roles are clearly distinguished to prevent an overlap of responsibilities.
• Developers and deployers should not be the same person.
• Users who have the ability to post financial data to systems should not have the ability to also approve the transactions.
• Appropriate management needs to approve every change that is made to an application.
• This ITGC is used to prevent unnecessary or harmful changes from being deployed to the application
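Added example (not part of the slides): the three ITGC analytics described above, new user testing, revocation testing and change management (including the two segregation-of-duties rules), written in Python over constructed HR, access and change-ticket extracts. The role names, the job-to-role policy and the conflicting role pairs are assumptions chosen to mirror the slide's wording.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the slides): HR roster, application access
# list and change records, shaped like a typical system export.
HR = [
    {"emp": "E1", "job": "telephone operator", "term_date": None},
    {"emp": "E2", "job": "accountant", "term_date": None},
    {"emp": "E3", "job": "analyst", "term_date": "2021-09-30"},
    {"emp": "E4", "job": "developer", "term_date": None},
]
ACCESS = [  # (employee, application, role)
    ("E1", "GL", "edit_financial_data"),
    ("E2", "GL", "post_journal"),
    ("E2", "GL", "approve_journal"),
    ("E3", "GL", "read"),
    ("E4", "GL", "developer"),
    ("E4", "GL", "deployer"),
]
CHANGES = [  # (change_id, developed_by, deployed_by, approved_by)
    ("C1", "E4", "E4", "MGR1"),
    ("C2", "E4", "E5", None),
]
AS_OF = "2021-12-31"  # assumed review date (ISO format)
FINANCIAL_EDIT_ROLES = {"edit_financial_data", "post_journal", "approve_journal"}
NON_FINANCIAL_JOBS = {"telephone operator"}  # assumed: jobs that never need edit rights
# Assumed conflicting role pairs taken from the slide: post vs approve, develop vs deploy.
CONFLICTING_PAIRS = [("post_journal", "approve_journal"), ("developer", "deployer")]


def active_access_for_terminated(hr, access, as_of):
    """Revocation testing: access rows still held by employees whose termination
    date is on or before as_of."""
    cutoff = date.fromisoformat(as_of)
    terminated = {h["emp"] for h in hr
                  if h["term_date"] and date.fromisoformat(h["term_date"]) <= cutoff}
    return [row for row in access if row[0] in terminated]


def inappropriate_financial_access(hr, access, non_financial_jobs):
    """New user testing: financial edit rights held by job roles that should not have them."""
    jobs = {h["emp"]: h["job"] for h in hr}
    return [row for row in access
            if jobs.get(row[0]) in non_financial_jobs and row[2] in FINANCIAL_EDIT_ROLES]


def sod_conflicts(access):
    """Segregation of duties: users holding both halves of a conflicting role pair
    in the same application."""
    roles = defaultdict(set)
    for emp, app, role in access:
        roles[(emp, app)].add(role)
    conflicts = []
    for (emp, app), held in sorted(roles.items()):
        for a, b in CONFLICTING_PAIRS:
            if a in held and b in held:
                conflicts.append((emp, app, a, b))
    return conflicts


def change_management_exceptions(changes):
    """Change management: changes with no approval recorded, or developed and
    deployed by the same person."""
    out = []
    for cid, dev, dep, approver in changes:
        reasons = []
        if not approver:
            reasons.append("no approval")
        if dev == dep:
            reasons.append("developer deployed own change")
        if reasons:
            out.append((cid, reasons))
    return out


if __name__ == "__main__":
    print("terminated users with access:", active_access_for_terminated(HR, ACCESS, AS_OF))
    print("inappropriate financial access:",
          inappropriate_financial_access(HR, ACCESS, NON_FINANCIAL_JOBS))
    print("SoD conflicts:", sod_conflicts(ACCESS))
    print("change exceptions:", change_management_exceptions(CHANGES))
```

Each function returns the exception rows rather than a pass/fail flag, because the auditor needs the identifying characteristics of each item tested (who, which application, which role or change) for the working papers.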


Examples of analytics in key calculations/reports

Key calculations
• Companies rely on certain key calculations to assist in financial
• Procedure of testing key calcs entails understanding the underlying calculation, receiving and validating the input data, and reperforming the calculation.

Key reports testing
• Key reports are systematically generated reports which show the results of the key controls in an application.
• Companies test the completeness and accuracy of each key report.
• Management makes critical business decisions based on the results of these reports.

Big Data in the auditing field

• The pace of adoption of BD&A in statutory audit has been lower than in other fields (e.g. internal audit, marketing, strategic decision-making)
• Using BD&A in auditing is about enhancing audit quality
• BD&A is being approached in the auditing practice with the aim of improving the efficiency and effectiveness of audits
• BD&A has the potential to represent the most significant shift in how audits are performed since the adoption of paperless audit tools and technologies

Big Data in the auditing field: what are the benefits?

• Auditors can test a (far) greater number of transactions, overcoming sample limits
• Audit quality can be increased by providing greater insights on auditee’s processes
• Frauds will be easier to detect
• Auditors can better plan the audit engagements

Challenges of Big Data in Auditing

• Focus of data analysis toward recognizing patterns within large amounts of data
• With continuous auditing systems, the number of identified exceptions and anomalies is expected to increase dramatically
• Prioritization methodologies which incorporate decision-support systems can greatly help alleviate the burden of processing information
• Lack of the adequate training and required skills to analyze Big Data


    12/4/21, 9:38 AM Artificial Intelligence Adoption in Internal Audit Processes… 1/5



Artificial Intelligence Adoption in Internal Audit Processes

Author: Bhushan Shinde, CISA, COBIT Foundation, CEH v9, COMPTIA+ Cloud Security, Manager, Audit and Compliance at WeSecureApp
Date Published: 1 December 2021

As artificial intelligence and automation technologies advance, they are being used in a variety of fields to automate operations that were previously done manually. With every industry leveraging its benefits, let’s explore how AI may be used in the internal audit department.

Internal audit, as the Third Line of Defense (LOD), is under tremendous pressure to meet stakeholders’ compliance and assurance requirements. Internal audit performance-based assessments serve the goal of reporting to the audit committee and senior management on the state of their organization’s governance, processes, procedures, risks, controls, case reports and much more.

With the large documentation volume and slow audit responses, internal audit still faces the challenge of producing efficient audit reports that can be well understood and accepted by higher management. All the data visualization and reporting techniques developed by AI will present new opportunities for the transformation of corporate governance.

Have we, as auditors, considered how these technologies can assist internal auditors? Internal auditors are constantly under pressure to add value to traditional audit procedures, and these automation technologies help them enhance the value they contribute through their auditing techniques. Artificial intelligence, leveraging algorithms to identify and understand patterns and anomalies within data sets, can help internal auditors identify risks more efficiently and execute many other tasks more easily.

In some organizations, IA departments have already begun their journey into the world of automation by expanding their use of traditional analytics to include predictive models, robotic process automation (RPA), and cognitive intelligence (CI). Audit quality, speed, and competition for efficiency are drivers of artificial intelligence adoption.

Benefits AI brings to the internal audit process
There are many benefits from AI-driven automation in each phase of the audit, starting with risk assessment and continuing through audit planning, fieldwork and reporting. With AI implemented in these phases, the common benefits it brings to the table are:

1. Increased efficiency and cost optimization: Automation helps get audit tasks executed round the clock at an accelerated pace. Reducing manual tasks helps internal audit teams concentrate on the more important matters related to the audit findings and deliver their results in a very efficient way.

    2. Better resource utilization: As we minimize manual activities, this increases the capacity of
    management to better focus on the higher-value activities. This, in turn, allows an
    organization to keep pace with new technological risks and business challenges. AI also
    helps management to assign internal audit tasks.

    3. Increased business value: The data analysis techniques that are used by AI provide auditors
    with a holistic view of the samples that are analyzed, giving them increased assurance.

Increased potential of internal audit with use of AI
Artificial intelligence tools consider information both internal and external to an organization, thus helping auditors recognize emerging threats and intelligence that they haven’t yet considered. AI helps auditors derive findings from all transactions, including those that might otherwise go unnoticed when large chunks of data are reviewed manually. AI programs can also reveal the presence of fraudulent transactions.

AI data analytics techniques and batch processing can enable internal auditors to model data and quantify the findings. These analytic techniques also help internal auditors to generate the audit dashboard to showcase and track all the audit activities.

With AI data aggregation and integration, internal audit teams can streamline processes and procedures. All the clear data related to audits and processes can help management have an overview of all the inefficient procedures and findings in an illustrative manner.

Amplifying audit’s expertise
With AI applications, internal auditors have an opportunity to lend their auditing expertise and examine audit findings in more detail. Freed from burdensome manual processes and tedious documentation tasks, the IA department can now focus more on developing better audits and planning them efficiently. Effectiveness and quality can also be increased through AI, helping auditors in their daily activities. Organizations should develop clear measures of AI success, including assessing how accurately the AI solution is identifying problems and automating
©2021 ISACA. All rights reserved.


Master Thesis, 15 credits, for Master degree of Master of Science in Business Administration: Auditing and Control
FE900A VT20 Master Thesis in Auditing and Control
Spring 20

Integration of Artificial Intelligence in Auditing: The Effect on Auditing Process

Salim Ghanoum
Folasade Modupe Alaba

Elin Smith

Timurs Umans

Abstract

Business growth comes with complexity in operations, and the use of technology-based decision tools is becoming prominent in today’s business world. Consequently, the profession is tuning into this change with the integration of artificial intelligence systems to stay abreast of the transformation.

The study is qualitative research and adopted an abductive approach. Data for the study were collected through semi-structured interviews conducted with auditors from auditing firms within Sweden that have adopted the use of AI-based tools in their audit process. As a result of exponentially increasing data, auditors need to enhance their processing capability while maintaining the effectiveness and reliability of the audit process. The study strongly agrees that the use of AI systems enhances effectiveness in all stages of the audit process as well as increasing professionalism and compliance with standards. The study, however, favored the use of AI-enabled auditing systems as opposed to the use of traditional auditing

Acquiring adequate skills in handling the AI tool and sound professional skepticism of auditors were seen to be underlying factors that would further boost the interaction between AI tools and the audit process. This prompted the need to modify the initially drawn research model to include skills in handling IT tools and audit professional competency, which substantiated the abductive approach of the study.

Keywords: Artificial Intelligence (AI), Audit Process, AI in Auditing, Audit Effectiveness



Acknowledgement

Our profound gratitude goes to God almighty for the grace to focus despite the fear of uncertainties during this difficult time of the Covid-19 pandemic in the world. We immensely appreciate our master’s thesis supervisor Elin Smith, for her commitment shown through tireless review of our work and her guidance all through the study. Our appreciation also goes to the auditors that accepted our request, created time for the interviews and contributed by sharing their opinions and experiences on the phenomenon being studied. We also thank our fellow students for their constructive criticism of the work; it gave good insight for improving the work. Lastly, we appreciate our friends and family for their support always.

As a Swedish Institute scholarship holder, I would like to appreciate and acknowledge the Swedish Institute for the opportunity and support for the master’s programme. My contribution to the study is part of my research work done during the scholarship period at Kristianstad University, which is funded by the Swedish Institute.

Folasade Modupe Alaba

______________________________ _______________________________
Salim Ghanoum Folasade Modupe Alaba
Kristianstad, 03-06-2020 Kristianstad, 03-06-2020


Table of Contents

Abstract
Acknowledgement
CHAPTER 1
1. INTRODUCTION
1.2. Problematization
1.3. Purpose of the study
1.4. Research question
CHAPTER 2
2. Theoretical Framework
2.1. Theoretical Model
2.1.1. The Agency Theory
2.1.2. The stakeholder theory
2.1.3. The theory of inspired confidence
2.1.4. The credibility theory
2.2. The process of auditing
2.3. Artificial Intelligence
2.4. AI in Auditing
2.5. Audit Effectiveness
2.6. Audit Ethics
2.7. Professional approach to the Adoption of AI
2.8. Research Model
CHAPTER 3
3. Methodology
3.1. Epistemology position/ Interpretivism
3.2. Ontology Position/ Constructionism
3.3. Data Collection
3.4. Sampling Method
3.5. Interview Process
3.6. Interview Guide
3.7. Interpreting the data: Structure used for the analyses
3.8. Bias in data collection
3.9. Trustworthiness, Credibility and Authenticity of the Study
CHAPTER FOUR
4. EMPIRICS, ANALYSIS AND DISCUSSION
4.1. Demographic Information
4.2 Competence in the use of IT tools
4.2. Personal views on the importance of automation of the auditing process for the audit profession
4.3. Auditing Process
4.4. The role AI plays in the process of auditing
4.5. Scale rating
4.6. Ethical concerns
4.7. Challenges during the implementation of AI systems
4.8. Compliance to the international auditing standards
CHAPTER FIVE
5. RESULT AND CONCLUSION
5.1. Theoretical and Practical Contribution
5.2. Limitation of the study
5.3. Future Research Agenda
References
Appendix 1
Appendix 2




1.1. Background to the Study

Technological advancement is transforming the world at an ever-increasing pace. Business growth comes with complexity in operations, and the use of technology-based decision tools is becoming prominent in today’s business world. This means more data are being produced by companies (Gepp, Linnenluecke, O’Neill, & Smith, 2018, p. 23-34); as such, audit firms have the responsibility to stay abreast of this change with equal investment in advanced technology-based tools to effectively examine the high volume of data being generated, for efficient analysis of a company’s businesses and its risks (KPMG, 2016). Consequently, the auditing profession is tuning into this change with the integration of artificial intelligence systems to stay abreast of the transformation.

Artificial Intelligence (AI) is a term first coined by John McCarthy, a renowned computer scientist, in 1955-56 at the Logic Theorist program initiated by Allen Newell, Cliff Shaw, and Herbert Simon, presented at the Dartmouth College Artificial Intelligence Conference to showcase how machines can be made to mimic the problem-solving skills of humans (Harvard Business School, 2017). McCarthy defined AI as “the science and engineering of making intelligent machines” (Hernández-Orallo, 2017, p. 397). AI, which stands for the use of computerized systems to complete tasks ordinarily completed by human intelligence, is quickly becoming a topic of interest (Sotoudeh et al., 2019, p. 45-50). The first AI-based project occurred over sixty years ago, when scientists attempted to design software that could translate between the Russian and English languages (Ilachinski, 2017, p. 14-29). This project happened at the height of the Cold War, with America acting as the principal financier. Although the project was feasible, progress was only average due to the limited computer capabilities of the day. Recent advancements such as IBM Watson, together with the AlphaGo programs, moved scientists closer to artificially intelligent systems. Although the globe is yet to design an AI system capable of replacing the natural human, the possibility of such an achievement is increasing (Ilachinski, 2017, p. 10-25). The upcoming overreliance on AI makes it difficult to imagine a sector that will not be affected by AI. AI is comparable to computers and spreadsheets: initially, those inventions seemed to change only a few industries, but as time passed, the technology became an integral part of all sectors. It is playing a significant and evolving role in how we understand and interact with the world around us. For instance, the Deep Shift survey report on Technology Tipping Points and Societal Impact presented at the World Economic Forum 2015 indicated that 75% of the respondents (made up of 816 executives and experts from the information technology and communication sector) agreed that a tipping point of 30 percent of corporate audits performed by AI will be achieved by 2025 (World Economic Forum, 2015).

The idea of artificially intelligent technology in auditing is not entirely new, because it has been useful as a decision support tool for computer audit specialists in decades past (Hansen & Messier Jr., 1986, p. 10-17). However, due to continuous advancement in technology and the availability of big data and processing power, there is reason to believe that it will continue to make a significant impact in the auditing field now and in future years (Kokina & Davenport, 2017, p. 115-122). As a result of exponentially increasing data, auditors need to enhance their processing capability while maintaining the effectiveness and reliability of the audit process. One of the strategies for attaining this objective is the introduction of AI-based technology to automate tasks initially completed through manual input. As AI systems continue to go mainstream, it is difficult to visualize an aspect of auditing that will not require AI-related assurance or AI-assisted advisory services (Kokina & Davenport, 2017, p. 115-122).

Despite the technological evolution over the past years, the aim of the audit remains “providing independent third party opinion” on the truth and fairness of the financial statements of an organization and the compliance of this information with the applicable standards (Omoteso, 2012, p. 84-90). Kokina and Davenport (2017, p. 115-122) posit that auditing is particularly suitable for applications of data analytics and artificial intelligence because it has become challenging to incorporate the vast volumes of structured and unstructured data to gain insight regarding the financial and nonfinancial performance of companies. According to Zhang (2019, p. 69-88), audit procedures are processes involving the progression of activities to “transform inputs into output.” In this scenario, data stands for the input, which is the information being audited, while the output stands for the opinions of auditors (I.F.A.C., 2019). Along the same lines, automating audit tasks potentially speeds up completion of audit assignments while maintaining the integrity of the data. One of the ways through which A.I. is transforming auditing is through automatic analysis of accounting entries (Baldwin, Brown, & Trinkle, 2006). The benefit of using A.I. to make automatic entries is the reduction of human error. Other than reducing human interference, A.I. can in some cases also detect fraudulent intrusion and raise the alarm at the head office (Moffitt, Rozario, & Vasarh, 2018). This capability is exceptionally strong when companies apply deep learning (an A.I. expert tool) (Zhang, 2019).

Deep learning is the part of machine learning that engages in deep analysis of trends by learning the underlying frameworks as opposed to the “outer” behavior of systems (Zhang, 2019). Once applied in auditing, deep learning requires machines to understand how and why transactions are entered in a particular way (Zhang, 2019, p. 14-16). Initially, the focus of the machines would be to understand the trends of transactions as opposed to the reasons for the transactions (Raji & Buolamwini, 2019, p. 20-98). For instance, AI systems can review contracts regularly to determine progress or make recommendations. At the same time, AI systems pool and analyze information, hence making it easy for auditors to identify important areas that require increased attention (CPA, 2017).

1.2. Problematization

The increasing pace of the use of information technology (IT) tools by modern businesses has changed the ways in which companies record and disclose financial information (Mansour, 2016; Shaikh, 2005). Collation of transactions and disclosure of financial information are increasingly done with various technological tools to gather and preserve data electronically with less paper documentation (Arens, Elder, & Beasley, 2014; Foneca, 2003; Khemakhe, 2001; Zhao, Yen, & Chang, 2004 in Mansour, 2016); this, which comes with a lot of complexity, increases the capability of auditing to add value (DeFond & Zhang, 2014). These developments pose a challenge to the auditors of these businesses: in order to stay abreast of the technology and competition, and to audit effectively in such a highly technologically advanced business environment (Shaikh, 2005; Mahzan & Lymer 2014; Mansour, 2016), it is expedient that auditors are equally informed and equipped with advanced technology that can guide them in exploring and understanding how the entity’s financial transactions and other data have been collected, recorded, and processed (Mansour, 2016; Issa et al, 2016), in order to plan effectively and execute the audit assignment efficiently and form appropriate opinions on the entity’s financial statements (Messier Jr., 2014; Shaikh, 2005; Mansour, 2016). Implementing AI-based technology in auditing meets this challenge for auditors with the possibility of automating the auditing procedure from stage to stage (Moffitt et al., 2018). This is already being done by some leading auditing firms. For example, KPMG adopted AI capabilities from IBM Watson under a broad agreement to apply Watson, which has a wide variety of “application program interfaces (APIs)”, to the firm’s various auditing processes (Lee 2016; Melendez 2016 in Kokina & Davenport, 2017). Another example is Halo, developed by PricewaterhouseCoopers (PwC), an analytics platform that serves as a pipeline to AI and augmented reality products (M2 Presswire, 2016). Another is Argus for AI, developed by Deloitte (Kokina & Davenport, 2017). These developments are in the bid to enhance the effectiveness of each stage of the auditing process.

Understanding the steps involved in the process of auditing makes it possible to understand the importance of integrating AI for the effectiveness of the tasks. There are structured and repetitive tasks to be performed all through each step of an audit assignment which are labour intensive (Rapoport 2016; Kokina & Davenport, 2017). From pre-engagement to presenting an opinion through an audit report, effectiveness is crucial to each of these stages (Kokina & Davenport, 2017). One of the components of the auditor’s work is to sample the data under analysis. Both random and non-random sampling introduce the risks of omission and commission (Bailey, Collins & Abbott, 2018, p. 159-180). Traditionally, auditors were only capable of reducing risks as opposed to eliminating them. One of the ways of lowering auditing risks is to increase the sample size, hence ensuring that all items have an equal chance of inclusion. Despite an increase in the size of the sample, auditors could not eliminate the risk of failing to detect material errors. Currently, auditors rely on CAATs, commonly referred to as Computer Assisted Auditing Techniques (Mansour, 2016). These tools enabled auditors to perform data analysis without the need to pull samples. At the same time, tools such as Interactive Data Extraction and Analysis (IDEA) also introduce this capacity, but the ultimate data organization and processing still requires intensive human effort. Another exhausting activity in auditing is the review of critical documents (Mansour, 2016). For instance, auditors must review all key contract documents to extract vital information such as pricing, discount rates, and timing of payments. The introduction of AI systems enables auditors to review records and obtain critical information in a short time (Omoteso, 2012).

Despite the outstanding ability of AI systems to improve the quality and effectiveness of auditing, there is a list of challenges which are gradually being addressed as AI technology keeps evolving, with the adoption of deep learning and the capacity for larger storage space and larger data populations (Issa, Sun, & Vasarhelyi, 2016). The first of these challenges is the lack of sound data management and governance. After the increase in the capture, processing and storage of new data, organizations need to scrutinize the organization of company data. Other than ensuring proper organization and accessibility of data, management also ensures that integrity is maintained at all levels of the organization by proper adherence to control measures, through automated audit systems that can scrutinize the data on an ongoing basis (Cannon & Bedard, 2017; Knechel & Salterio, 2016). As part of the auditing process, risk assessment is done to be aware of the susceptibility of the entity to threats. Risk assessment, according to Ramamoorti, Bailey, and Traver (1999, p. 159), “is a systematic process for identifying and analyzing relevant risk or the identification and analysis of relevant risks threatening the achievement of an entity’s objectives, risk assessment is helpful for assessing and integrating judgments about probable adverse conditions and/or events”. In audit planning, risk assessment has to do with “pattern recognition”, where an unanticipated deviation from such a pattern gives an indication of risk (Ramamoorti et al., 1999, p. 160). AI technologies can be deployed to effectively automate this task by “identifying patterns within a large volume of transactions” to detect and flag any unexpected change in the pattern (ACCA GLOBAL, 2019). According to Raji and Buolamwini (2019), AI automates many auditing tasks, such as data entries, that previously required manual effort. Unlike human auditors, AI systems can analyze 100% of the data, create audit tests, and prepare scripts. The system used requires machines that have in-built algorithms that enable the machines to learn from the incoming data. Risk assessment is a crucial task to carry out when planning an audit; as such, leveraging an AI-based system would aid the effectiveness and efficiency of the job.
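As an added illustration that is not part of the thesis or of any tool it cites, the following Python script makes two of the points above concrete: the pattern-based flagging of unexpected deviations across 100% of a transaction population described in the risk-assessment paragraph, and the omission risk of sample-based testing raised in the earlier paragraph on sampling and CAATs. The journal entries, account codes, entry ids and threshold are constructed for the example, and the median/MAD "modified z-score" baseline is one simple pattern model chosen here, not the method of any firm or product named in the text.

```python
"""Full-population deviation check over constructed journal entries."""
from collections import defaultdict
import random
import statistics


def _entries(prefix, account, amounts):
    """Build (entry_id, account, amount) tuples for one account (constructed)."""
    return [(f"{prefix}{i:02d}", account, amt) for i, amt in enumerate(amounts, 1)]


# Constructed journal-entry population (not real data): three accounts, each
# with a routine posting pattern and one entry that breaks that pattern.
ENTRIES = (
    _entries("A", "5010", [132.40, 118.90, 145.00, 150.25, 127.60,
                           139.99, 121.10, 160.00, 9800.00])
    + _entries("B", "2100", [2400.00, 3150.00, 2875.50, 4100.00,
                             3600.00, 2990.00, 48500.00, 3320.00])
    + _entries("C", "1910", [50.00] * 6 + [500.00])
)


def account_baselines(entries):
    """Learn each account's routine pattern from the whole population: the
    median amount and the median absolute deviation (MAD). Both are robust
    statistics, so a single large outlier does not drag the baseline along."""
    by_account = defaultdict(list)
    for _, account, amount in entries:
        by_account[account].append(amount)
    baselines = {}
    for account, amounts in by_account.items():
        med = statistics.median(amounts)
        mad = statistics.median([abs(a - med) for a in amounts])
        baselines[account] = (med, mad)
    return baselines


def flag_deviations(entries, threshold=3.5):
    """Score every entry (100% of the population, no sampling) against its
    account baseline with the modified z-score 0.6745 * |x - median| / MAD
    and return (entry_id, score) for entries above the threshold, in posting
    order. Edge case: when MAD is 0 (every routine posting is identical), any
    deviation at all is unexpected and gets an infinite score."""
    baselines = account_baselines(entries)
    flagged = []
    for entry_id, account, amount in entries:
        med, mad = baselines[account]
        dev = abs(amount - med)
        if mad == 0:
            score = float("inf") if dev > 0 else 0.0
        else:
            score = 0.6745 * dev / mad
        if score > threshold:
            flagged.append((entry_id, score))
    return flagged


def sample_miss_rate(entries, flagged_ids, sample_size, trials=2000, seed=1):
    """Fraction of random samples of `sample_size` entries that leave out at
    least one flagged entry: the omission risk of sample-based testing that
    full-population analysis removes. Seeded for reproducibility."""
    rng = random.Random(seed)
    wanted = set(flagged_ids)
    misses = 0
    for _ in range(trials):
        chosen = {e[0] for e in rng.sample(entries, sample_size)}
        if not wanted <= chosen:
            misses += 1
    return misses / trials


if __name__ == "__main__":
    flagged = flag_deviations(ENTRIES)
    print("flagged entries:", flagged)
    ids = [eid for eid, _ in flagged]
    print("omission risk, sample of 8 of 24:", sample_miss_rate(ENTRIES, ids, 8))
    print("omission risk, full population:", sample_miss_rate(ENTRIES, ids, len(ENTRIES)))
```

On the constructed data the three pattern-breaking entries (A09, B07, C07) are the only ones flagged, while a random sample of 8 of the 24 entries leaves at least one of them out in roughly 97% of draws; the point is that the flagged items are still only leads for the auditor to follow up, since the baseline knows nothing about the business reason behind a posting.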

Some internal audit teams are already applying machine learning to the control of transactions and the completion of general auditing roles (Omoteso, 2012). In particular, the teams are applying machine learning to some of the areas that are prone to fraud (Boillet, 2018), for instance purchasing and manual system entries. This invention is proving to be helpful not only to auditors but also to other stakeholders who intend to oversee the transactions. In the end, the stakeholder finds it easy to visualize the trends and raise queries when anomalies arise (Moffitt et al., 2018). The use of machine learning is enabling machines to predict the trends in critical transactions (Boillet, 2018). The systems also provide insight into risk assessment, project scoping, issue identification, sub-population identification, and quantification. Internal audit teams can run these AI systems with limited configuration, using off-the-shelf configurations. Examples of these configurations include the decision tree, affinity analysis, and k-means clustering (Chiu & Scott, 1994; Connell, 1987; Fanning, Cogger, & Srivastava, 1995). NPL is enabling auditors to scan through large volumes of documents, which may consist of contracts, loans, and other types of unstructured data (Knechel & Salterio, 2016). According to Knechel and Salterio (2016), NPL is a programming language with the capability of pattern matching designs. The software can easily match and compare the pattern of accounting entries. The ability of A.I. systems to work with unstructured data and extract relevant data points is an essential advancement from the traditional models, where automation was only for structured and clearly labeled data.

As current and interesting as the topic of AI in auditing appears to be, only limited study is available on the ongoing transformational effect the emerging technology is having on the audit process, most especially on the effectiveness it brings to audit processes. Some studies describe potential biases associated with the introduction and use of AI (Brown-Liburd & Vasarhelyi, 2015; Yoon et al., 2015); it has been documented in some that big data can be used as additional audit evidence (Alles and Gray, 2016 in Vasarhelyi, 2018), while others discuss the characteristics of Big Data analytics in auditing which differentiate it from traditional auditing (Kokina & Davenport, 2017; Omoteso, 2012).

The exhausting nature of auditing largely contributes to the lack of effective and efficient audit processes (Ransbotham et al., 2018, p. 76). It has been documented in studies that when it comes to complex tasks that require pulling together excessive information from numerous sources, humans do not perform at their best (Kleinmuntz 1990; Iselin 1988; Benbasat and Taylor 1982 in Issa et al, 2016). The modern corporate world is facing serious corruption incidences, hence the need for sophisticated, stealthy, and automated auditing systems (Knechel & Salterio, 2016, p. 15-69; Siriwardane, Hoi Hu, & Low, 2014, p. 193). The need to examine audit effectiveness and methods of improving it is further necessitated by the number of published cases in both financial and quality auditing from time to time (Beckmerhagen, Berg, Karapetrovic, & Willborn, 2004; Siriwardane et al, 2014). In view of this, this study aims to add to knowledge by exploring how this emerging technology, AI, is transforming the audit process. In particular, it explores the interaction between AI-based systems and auditing

and how this enhances the effectiveness of the process from the perspectives of the users of the


1.3. Purpose of the study

The purpose of this study is to explore the effects of AI-based systems in enhancing the effectiveness of the auditing process by exploring the interaction of the auditing process with AI tools. Since AI is still at the infancy stage, it is hoped that determining these benefits will contribute to knowledge in this emerging study area and equally spur corporate governors to advocate for the integration of AI systems with the consideration of Accounting and Auditing departments (Hussain, Rigoni & Orij, 2018, p. 9-23). In the end, it is hoped that companies will enhance the quality of audits through effective audit processes improved by accurate AI systems (Hussain et al., 2018).

1.4. Research question

⮚ How is AI enhancing the effectiveness of audit processes?

1.5 Structure

The rest of the paper is structured as follows: the next chapter presents the theoretical framework




2. Theoretical Framework

The purpose of this section is to review the existing literature regarding the role of AI in auditing and discuss in detail the theories applicable to our study. The chapter starts with the presentation of the theoretical model for the study. This is followed by the overall process of auditing, AI, and the use of AI in auditing. Next is the discussion on audit effectiveness and the variety of ways in which the use of AI-based tools is enhancing the effectiveness of the audit process. Finally, the chapter ends by discussing the professional approach to auditing and a comprehensive research model drawn up for the study, capturing how these are all

2.1. Theoretical Model

2.1.1. The Agency Theory

One of the main auditing theories is the agency model, which describes the relationship between managers and investors. The agent is the manager or another person appointed to act on behalf of the investors, who represent the principal. The principal assigns tasks to the agent for compensation (Bosse & Phillips, 2016, p. 6-15). The managers must act in the best interest of the investors. Research shows that in some instances, the agents fail to act in the best interest of the investors. As a result, auditing is important since it assures the investors that the managers are upholding their interests (Commerford et al., 2019). The responsibility of auditors in such a case is to provide guidelines to investors while playing the oversight role. At the same time, the audit reports guide investors in making buy, sell, or hold decisions (Shogren, Wehmeyer & Palmer, 2017). For example, the reports enable investors to determine the probability of a company’s bankruptcy. The inability of investors to access and use verified auditing results could result in excessive financial losses (Shogren et al., 2017, p. 89-99).

The growth in the size of companies leads to a growth in the volume of data requiring audit. As a result, auditors must continue to provide timely and reliable information to investors. The provision of this information must continue to meet the reliability standards, which require auditors to thoroughly peruse the financial reports (Blair & Stout, 2017, p. 23-37). Providing both timely and reliable auditing reports is an exhausting task. AI systems are expected to provide a strategic advantage in the attainment of these objectives. First, AI enables remoteness, which is the analysis of financial statements from different locations (Blair & Stout, 2017, p. 36-40). Usually, remoteness arises from the separation of the source of information and its users. Since investors cannot travel to the company’s premises every time, AI systems will provide remote access and remotely assisted analysis.

Another way through which AI is expected to facilitate the agency theory is by eliminating the effects of the complexity of handling financial information and reports. Since

has become complex over the past years, users find it difficult to attain a high-value assurance of the quality of the financial reports at hand. Since the growth in company sizes increases the risk of errors, AI systems reduce the complexity of operations (Blair & Stout, 2017, p. 37-45). At the same time, AI supports agency theory by eliminating the conflict of interest. The release of financial reports resembles a situation where directors are reporting their own performance (Blair et al., 2017, p. 45-56). The directors are, therefore, likely to report skewed performance. On the other hand, investors prefer to receive an accurate report reflecting the financial performance of the company. The use of AI systems will invariably facilitate the audit of financial reports, thus eliminating the conflict of interest.

    2.1.2. The stakeholder theory

    The stakeholder theory was started by Edward Freeman in 1984. It focuses on the organizational management of business ethics, addressing the values and morals of corporate management. Over the past years, the theory has become a focus of many studies, with academics integrating it into concepts such as corporate social responsibility (Jachi and Yona, 2019, p. 78-102). The theory stresses the interconnectedness of the relationships between different stakeholders, such as suppliers, employees, investors, and communities. It argues that a firm should create value for all stakeholders rather than for investors alone, and it insists that corporate managers must select the best line of action (Noor and Mansor, 2019, p. 24-35). In the auditing industry, the appropriate line of action is the provision of verified and timely financial information. Since the volume of information is increasing, the integration of AI in auditing will enhance the value created for all stakeholders. Also, Jachi and Yona (2019) add that in pursuing the stakeholder theory, managers should also pursue the reliability of information. In particular, the availability of an extensive amount of data and the decreased room for errors will significantly enhance the reliability of the automated audit process. In auditing, safety is a result of producing quality work and sufficient information for clients. The use of artificial intelligence enhances effectiveness and quality, which will increase the reliability that customers attribute to audit reports (Jachi and Yona, 2019, p. 14-20). According to the majority of auditors, automating auditing with AI reduces the room for human error, expanding its popularity and the sense of security among clients (Omoteso, 2016). Through AI, auditors can draw reliable conclusions rather than speculate on what could have gone wrong, as in conventional audit methods. Also, an automated audit process is more efficient and dependable in data recovery than traditional audit processes.

    2.1.3. The theory of inspired confidence

    The theory of inspired confidence was developed by Limperg, a Dutch professor. The theory focuses on both the demand for and the supply of auditing services. It holds that the demand for audit services is a direct outcome of the engagement of a company’s external stakeholders, who demand accountability from management. Since the reports provided by managers may be biased, a sharp conflict of interest emerges (Mathias & Kwasira, 2019, p. 90-102), and the need to audit these financial reports arises. The theory adds that the overall purpose of an audit should be to meet the expectations of an average interested party; as a result, auditors should strive to meet these expectations.

    A close analysis of the theory of inspired confidence shows that the integration of AI systems is a strategic step with long-term advantages. Modern companies increasingly have large operations and an enormous amount of data to be audited (Mathias & Kwasira, 2019, p. 90-102). Since human auditors are unable to cover that vast amount of information promptly, the entire auditing profession could gradually fail in that regard. Support for the relationship between the theory of inspired confidence and AI is available from Mathias and Kwasira (2019), who find that timely provision of information will enhance the quality of audits. The use of artificial intelligence in auditing saves time through fast and accurate collection of data. Less time spent on data collection allows the auditor to embark on data analysis sooner, improving the timeliness of results. Automation of the auditing process improves the speed of the audit, since auditors can continue auditing in real time. Artificial intelligence in auditing will enable auditors to acquire accurate and up-to-date data whenever there is a need (Elewa & El-Haddad, 2019). An automated audit is essential since it allows auditors to provide sufficient information to stakeholders and detect anomalies in time.


    2.1.4. The credibility theory

    The credibility theory holds that the primary function of auditing is to increase the credibility of financial statements. Corporate managers use financial statements to enhance the faith of the agents by reducing the asymmetry of information (Chen, Dong, & Yu, 2018). Since management desires to influence the decisions of investors, a conflict of interest arises, which decreases the credibility of financial statements from the perspective of investors (Al‐Shaer & Zaman, 2018, p. 78-85). In the end, it becomes necessary to hire independent auditors who can review the financial information and inspire confidence. The ability of auditors to conduct comprehensive and timely reviews of financial reports largely determines the level of credibility achievable. Since the integration of AI systems increases the speed and quality of auditing, it emerges as a necessary step.

    The relationship between AI in auditing and the credibility theory is also affirmed by Chen, Dong, and Yu (2018), who find that automation of the audit process will primarily increase audit quality. The standardization of the auditing process and of the data will reduce the capacity for human error. It will be possible for auditors to view the exact level of data correctness, for instance indicating 60% instead of merely indicating that the materiality is correct (Matonti, 2018, p. 12-20). Besides, automation of the auditing process will improve quality since, instead of sampling, auditors can view the entire population and draw practical conclusions from all the data available (Matonti, 2018, p. 12-27). Audit quality will increase with the automation of the auditing process, enhancing its effectiveness and progressing with continued technological innovation. As identified earlier, some firms are already using audit software, which has immensely increased the quality of recent audits and the effectiveness of the process. It is true that the use of AI audit software might not immediately result in overall benefits because of the observed drawbacks of the emerging technology, but the effectiveness and quality of the auditing process will increase as the software becomes more stable.

    2.2. The process of auditing

    Understanding the process of auditing makes it possible to understand the importance of integrating AI. Audit processes are the activities undertaken by auditors to obtain the evidence needed to form an appropriate opinion on the financial statements of an entity. No two audit processes are exactly the same, because the procedures usually depend on the risk factors and on the effectiveness of the client’s internal control system (Kearney, 2013, p. 142). AI is adaptable to enhancing effectiveness in each step of the audit process, which can be likened to an assembly line in which the output of one step becomes the input of the next (Issa et al., 2016; Kokina & Davenport, 2017).

    The main steps of auditing include pre-planning (pre-engagement), planning, understanding the entity, risk assessment, documentation, completion, and reporting (Knechel & Salterio, 2016). The first stage of auditing is the pre-engagement step. The purpose of pre-engagement is to enable the auditors to decide whether it is appropriate to accept new clients in addition to the existing ones. For this purpose, the auditors check the internal procedures and policies of the company to decide whether the client should be accepted (Knechel & Salterio, 2016, p. 56-60). At this stage, the auditors review the extent to which the policies limit the integrity of accounting procedures. Also, the auditors check the integrity of the company’s management, its compliance, and existing or potential threats (Cannon & Bedard, 2017, p. 24-30). Some of the reasons that cause auditors to decline incoming clients include lack of expertise, poor compliance, and an overwhelming scope of work. It will be interesting to explore how AI influences this step of the process, because this step has been known to mainly involve auditor-to-client, human-to-human interaction.

    The next step in the auditing process is planning. The purpose of planning is to develop the overall strategy to be applied by the auditor from the start to the end of the process, although unforeseen events may sometimes occur that warrant changing the audit strategy (Kearney, 2013, p. 169). The outcome of the planning process is the audit plan, which defines the entire audit strategy and the extent, nature, and timing of the work (Knechel & Salterio, 2016, p. 57-60). Good planning is key, as it helps in determining the appropriate audit strategy and scope and in handling the risk factors in a timely manner so as to complete an effective and efficient audit (Cannon, 2017, p. 90-91). Also, the planning process involves outlining the steps to be followed. Some of the measures include understanding the entity, the internal controls, and the existing risk. Additionally, planning also entails the definition of the scope of the audit, the timing, the financial reporting framework, key dates, materiality, and the initial assessment (Kearns, Neel, Roth & Wu, 2017, p. 45-60).

    Next is understanding the entity’s control environment (Bailey, Collins & Abbott, 2018, p. 159-180). This is part of the execution phase. This understanding enables the auditor to foresee the risk of material errors. Auditors are expected to get a thorough view of the client and the industry it operates in (Cannon, 2017, p. 92). Some of the items considered at this stage include industry, local, and international regulations (Collins & Quinlan, 2020, p. 13-16). Other key considerations include the nature of the organization, its internal controls, and its history. This step is followed by documentation and audit evidence. The purpose of this step is to gather evidence to support the audit opinion. At this stage, the auditor can perform tests of controls to test the system (Bailey et al., 2018). Adequate compliance tests on procedures and substantive tests are required to ascertain the effectiveness of the internal controls in place. These tests lead the auditor either to trust the system’s credibility or to question it. At this stage, the auditor concentrates only on the critical control accounts or areas where weaknesses are common (Shen, Chen, Huang, & Susilo, 2017, p. 12-15). Also, the auditor can engage in substantive procedures, such as the assessment of each transaction and the balance of critical entries.

    The final step in the auditing process is closure (Żytniewski, 2017). This step requires the auditor to evaluate the appropriateness of the evidence gathered during the audit. The completion process requires the auditor to ensure that the entire process has been documented and that the evidence is appropriately organized (Sikka, Haslam, Cooper, Haslam, Christensen, Driver, & Willmott, 2018, p. 34-52). Some of the activities included in completion are the analytical procedure, the review of subsequent events, the going-concern confirmation, and reporting.

    [Figure 1. Audit process model: a flow diagram with three phases, Pre-planning, Planning and Execution, whose steps are gathering background information, soliciting input, doing a risk assessment analysis of the entity, creating the audit program to be followed, reviewing documentation and internal control, testing transactions and documentation, interviewing staff to gather/verify more, holding an exit meeting to discuss audit results, providing a draft report, discussing questions and corrective action, and making the final report available.]


    2.3. Artificial Intelligence

    Artificial Intelligence (AI), also known as machine intelligence according to Ransbotham, Gerbert, Reeves, Kiron & Spira (2018), stands for the integration of human-like intelligence in machines. The basic idea in AI is to understand the context and make intelligent decisions based on the information at hand. Kokina and Davenport (2016) view AI as synonymous with cognitive technology or cognitive computing, with a level of intelligence suitable for performing cognitive tasks, while O’Leary (1987, p. 123) defines AI as a broad term that includes various activities such as pattern recognition by computers, expert systems, deep learning and reasoning by computers, natural language use by computers, and the like. AI is also described as a “computer program that can take balanced decisions, observe its environment and take actions that maximizes its chances of achieving a goal” (Issa et al., 2016). Lu, Li, Chen, Kim, and Serikawa (2018, p. 34-37) define AI as the umbrella of activities that enable machines to complete tasks ordinarily completed by humans; examples include expert systems, pattern recognition, and learning as well as reasoning by computers. In comparison, Gunning (2017, p. 45-59) defines AI as a computer program capable of making balanced decisions based on the existing context. The overall outcome of using such a system is the enhancement of decision goals. To attain this, the AI system must be capable of mimicking human actions such as image identification. Jackson (2019, p. 45-47) adds that the proper operation of an AI system requires high processing capacity and large volumes of data. Artificial intelligence for the audit area is described as “a hybrid set of technologies supplementing and changing the audit” (Issa et al., 2016). Gartner (2017) posits that AI is anticipated to be prevalent in almost all “new software products and related services by 2020” (Sulaiman, Yen & Chris, 2018, p. 3). This is evident in the development of most software so far.

    2.4. AI in Auditing

    AI, as described by Issa et al. (2016), is a computer program with the capability of taking balanced decisions, mimicking the “cognitive” functions associated with the human mind, and able to observe its environment and take actions that maximize its chances of attaining a goal. Integrating AI in each step of the auditing process will remove the repetitive tasks common in the process and make it easier for auditors to analyse large volumes of data in order to gain an in-depth understanding of the business operation (Kokina & Davenport, 2017), making it easier to concentrate on activities that bring the utmost value to clients (Luo et al., 2018). Assessing the risk of material misstatement is a crucial part of the audit. Auditors are expected to carry out tests on transactions to make certain that there are no misstatements, for if financial impacts are not accurately recorded, the financial statements are bound to be materially misstated. If unauthorized transactions and/or other irregularities are not detected in time, it may be challenging for auditors to capture them later (Shaikh, 2005, p. 16-20). AI-based tools in auditing make detecting such high-risk transactions easy, whereas manual auditing may sometimes not capture them fully because it relies on sample testing, unlike AI technology, which allows for full-population testing.

    According to Oldhouser (2016), the auditing profession lags behind the business field in the implementation of technologies (Issa et al., 2016). The field, however, has been found to be well suited to advanced technology and automation as a result of its “labor intensiveness and range of decision structures” (Issa et al., 2016, p. 1). Rapport (2016) equally posits that AI capabilities in audit are especially centred on the “automation of labor-intensive tasks” (Kokina & Davenport, 2017, p. 116). Baldwin, Brown, and Trinkle (2006) in their study recap prior uses of a variety of AI-based systems in auditing, involving the performance of analytical review procedures and risk assessment, assistance with classification tasks (e.g., collectible debt or bad debt), materiality assessments, internal control evaluations, and going-concern judgments. Just as the advent of computers transformed the scope and methods of audit examination, the advent of analytics is changing the timing of the audit, making it more proactive than reactive and generally increasing effectiveness and efficiency. The advent of AI brings cognition into automation, making possible the adoption of tools that can mimic human-like activities in audit processes and perform the tasks much more effectively (Issa et al., 2016), potentially enabling organizations to achieve the set objectives of a quality and effective audit assignment within a reasonable time frame and cost (Deloitte, 2015).

    2.5. Audit


    Audit effectiveness has different meanings to different people. While some judge audit effectiveness from the result of an audit assignment, others view it from their perception of the audit firm itself. The formal meaning revolves around “the quality, competence, procedures and independence of the audit firm” (Audit Committee Chair Forum ACCF, 2006). Audit effectiveness can formally be regarded “as a composite of competence, procedural arrangements, quality control and quality assurance. The procedural arrangements can be regarded as the tools used by firms and individuals to ensure that audits comply with technical standards, i.e. legal requirements, regulators’ requirements and auditing standards set by the APB [Auditing Practices Board], and taking into account the supplementary material in APB Practice Notes and Bulletins” (Audit Committee Chair Forum ACCF, 2006). Audit procedures can be seen as a “direct consequence of available technologies” (Issa et al., 2016). ISO 9000 (2000) defines effectiveness as the “extent to which planned activities are realized and planned results achieved” (Beckmerhagen, Berg, Karapetrovic, & Willborn, 2004). This invariably means comparing the audit process and its achieved outcomes with the set objectives.

    This study sees AI-based systems in auditing as those tools adopted in the auditing process for ease of the assignment that still ensure compliance with all required standards, thereby enhancing the effectiveness of the process.

    Audit effectiveness stands for the extent to which an audit accomplishes its primary objectives. Audit efficiency, on the other hand, stands for the extent to which an audit exercise delivers the highest possible value from a fixed level of input. Examples of inputs include managerial time, training, and company funds (Noraini et al., 2018, p. 23-46). There are a variety of ways through which AI is introducing both audit effectiveness and efficiency. Commerford, Dennis, Joe, and Wang (2019, p. 56-62) opine that AI is maturing at the “right time”. These days, auditors must peruse a large pool of information and make sense of it over a short period. For instance, entering the accounting information in the auditing software enables auditors to collect processed data in the background (Van Liempd et al., 2019). After receiving the outcome, the auditors must judge the outcomes of the research exercise professionally, applying their professional knowledge of auditing. At the same time, the auditors must continue to observe professional requirements, such as sharing the auditing information through data-sharing platforms (Rezaee et al., 2018). The sharing of information will enable the auditors to receive and compare data with other auditors across the industry.

    Other than the methods classified above, Noor and Mansor (2019, p. 64) also find that AI enhances auditing through the proper exchange of information between the auditors and the systems. The authors note that AI enhances the conversation between all stakeholders involved in the auditing process (Noor and Mansor, 2019, p. 64-65). In some implementations, the AI systems use machine learning models to classify messages and increase the level of confidence for the auditors. If the model’s confidence in a message falls below the threshold, the system sends the message for further human analysis (Noor & Mansor, 2019, p. 64). This process is referred to as prioritization. In ordinary auditing methods, the same process is possible through the intervention of human auditors, albeit with a slow classification process. At the same time, automated classification is effective because the machines provide keywords that the auditors use to identify the priority areas.

    Another way through which AI is transforming auditing is the elimination of redundant tasks. For instance, blockchain technology will revolutionize bookkeeping by eliminating the double-entry bookkeeping method (Omoteso, 2016, p. 23-65). Transactions between creditors and debtors will be recorded in blockchain networks, and both the debtors and the creditors will have private accounts in those networks. This change will turn bookkeeping from a process into an instantaneous entry: once the first entry occurs, it is reflected across the financial books at an instant. This ability will enable auditors to transfer all book entries into the blockchain technology, thus removing the conflicts of interest that could affect the network (Omoteso, 2016, p. 45-52). At the same time, the immutability of blockchain technology as a general ledger will increase the value of AI to auditors (Raschke et al., 2018, p. 36-41). Rather than storing the information in a central database, the system will provide a quality trail of the flow of information. A proper example of the applicability of the technology relates to regulatory compliance. Usually, regulatory compliance is a costly and inefficient requirement for most companies. For instance, Kira Systems created software that can analyze contracts as well as other documents such as leasing and merger agreements. Another example is the H&R system introduced by IBM through the AI platform (Commerford, Dennis, Joe & Wang, 2019, p. 10-15). The use of these systems assists clients in complying by filing reports in an orderly and verifiable manner.

    Rather than filing multiple documents for review, the regulators and firms can easily create data-sharing points for easy exchange of information. The system takes care of the factors that determine the compliance of the company in question, such as the date of filing, status, and ordinary income. IBM trained Watson by entering thousands of tax-related questions and answers. Through the use of this system, auditors can leverage the machine’s knowledge to analyze information about the client (Joe et al., 2019). Similarly, Accenture uses AI to enhance the chances of fraud detection. The software analyzes data generated from transactions in real time. As a result, auditors can detect fraud at the time of occurrence. After detection, auditors intercept the transactions and prevent fraudulent networks that have a pattern of fraud. AI thus brings proactiveness into the audit process.

    Another way through which AI is transforming auditing is the integration of real-time data analysis. Elliot (1994) studied the effects of AI on the auditing profession and found that the integration of AI systems has both positive and negative effects on auditing. Initially, auditors focused on past information, verifying the financial performance reported by managers. The introduction of AI in auditing systems changed the focus from past information to real-time data analysis (Elliot, 1994, p. 34-56). Modern investors prefer to make investment decisions based on real-time data as opposed to the past performance reports of companies. The appropriate approach to this requirement is continuous auditing, as opposed to auditing conducted after a fiscal period (Van Liempd et al., 2019). Rather than being audited after the end of specific financial reporting periods, companies should strive to provide relevant and timely information to investors. As companies record and conduct transactions, the AI systems would relay the information to companies.

    AI also makes the concept of continuous auditing, which has been widely researched in modern academia, much easier. For instance, Alles et al. (2008) investigated the adoption and use of continuous auditing at Siemens. The company is large and can integrate continuous auditing. The outcomes showed that for the system to operate smoothly, there was a need to automate and formalize some auditing functions. Equally, PwC (2006) investigated the extent of continuous auditing in the United States. The report found that the extent of adoption is low, but the rate of adoption is gathering speed. Rikhardsson and Dull (2016) also completed a similar study regarding the implementation of continuous auditing in medium-sized companies located in Iceland. The results showed that most companies applied AI technology to ensure that the data was both relevant and reliable. In most medium-sized firms, continuous auditing was a function of internal audit; the ideal method would be to use it for both internal and external audit functions. Even for companies that used continuous auditing only for internal functions, managers could use more reliable and recent data. In the end, there emerged high-value cost control, increased revenues, and strong managerial strategies.

    Another way through which AI is transforming the field of auditing is by enabling speedy and accurate collection of audit evidence. According to Cascarino (2012, p. 37-103), audit evidence stands for the entire body of information that auditors collect to decide whether the financial reports presented by a company are honest presentations of the firm’s financial position. AI is transforming auditing by enhancing the collection of audit evidence. Yoon et al. (2015, p. 431) defined audit evidence as “the entire set of information collected and evaluated by auditors when deciding whether a firm’s financial statements are stated following generally accepted accounting principles”. Auditors are not required to examine every transaction or activity; instead, they must have sufficient and appropriate evidence to justify their audit opinion (Yoon et al., 2015, p. 431). Auditors gather evidence that they deem relevant and useful in forming an audit opinion using various techniques such as inquiry, observation, interview, and testing.

    Over the past years, real-time accounting has been a challenge to auditing firms, and only little progress has been made. However, the emergence of AI has given hope, and real-time accounting will cease to be a challenge (Cascarino, 2012, p. 37-103). Although the technology is new, auditors have confirmed that large companies have implemented the method on various transactions (Yoon et al., 2015, p. 431). Transactions involving estimates and valuations cannot be processed in real time, because their processing and recording require the assistance of an accountant. The first step after routine auditing is informing the management of the results, and then the stakeholders. Real-time verification indicates a shift in the rational management of information, since the accountants will report transactions to auditors directly as they happen (Cascarino, 2012, p. 37-103). In real-time auditing, the client’s internal control system needs to be continually monitored by the auditor to ensure the reliability of the information. In an efficient auditing environment, more focus will be placed on ensuring the effectiveness and integrity of the internal controls (Shen et al., 2017). Through the real-time audit, the auditors can easily detect and identify errors and anomalies and hence notify the client in ample time. A real-time audit gives the auditors the ability to monitor by exception, setting a materiality level in the internal control system so as to uncover why anomalies and errors occur.

    The automation of the auditing process will have an impact on the audit evidence and will continue to change the manner in which audit evidence is collected (Omoteso, 2016, p. 32-41). Similarly, a black box file will be created to form an audit trail listing the errors, anomalies, and exceptions that occurred (Sikka et al., 2018, p. 47-56). The data will also act as evidence that the audit process was carried out and was up to standard.
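    The prioritization routing described earlier in this section (items the classifier is not confident about go to a human) and the exception-based monitoring and black box audit trail described here are combined in the following added Python example, which is not code from this thesis or from any product it cites. The classifier is a hypothetical rule-based stand-in for a machine learning model, the approver list, ledger and materiality level are constructed, and the audit trail is a hash chain that detects later edits or deletions, standing in for the immutable ledger the text mentions.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed, hypothetical list of staff authorised to approve payments.
APPROVERS = {"alice", "bob"}

# Risk is scored in integer points so that threshold comparisons are exact.
EXCEPTION_THRESHOLD = 50   # at or above: flagged automatically
REVIEW_THRESHOLD = 20      # between the two: routed to a human auditor


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    amount: float
    account: str
    approved_by: Optional[str]


def score_transaction(tx: Transaction, materiality: float) -> Tuple[str, int, List[str]]:
    """Rule-based stand-in for the ML classifier: returns (verdict, risk points, reasons).

    Hard signals (materiality, missing approval) push a transaction straight to
    "exception"; weaker signals leave it at "review", the prioritization step
    that hands low-confidence items to a human rather than clearing them.
    """
    risk = 0
    reasons: List[str] = []
    if tx.amount >= materiality:
        risk += 60
        reasons.append("at or above materiality")
    elif tx.amount >= 0.8 * materiality:
        risk += 20
        reasons.append("close to materiality")
    if tx.approved_by not in APPROVERS:
        risk += 50
        reasons.append("no authorised approver")
    if tx.amount > 0 and tx.amount % 1000 == 0:
        risk += 20
        reasons.append("round amount")
    risk = min(risk, 100)
    if risk >= EXCEPTION_THRESHOLD:
        verdict = "exception"
    elif risk >= REVIEW_THRESHOLD:
        verdict = "review"
    else:
        verdict = "clear"
    return verdict, risk, reasons


GENESIS = "0" * 64


def _digest(prev_hash: str, entry: Dict) -> str:
    body = json.dumps(entry, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_entry(trail: List[Dict], entry: Dict) -> Dict:
    """Append one decision to the black box file as a hash-chained record."""
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    record = dict(entry, prev_hash=prev_hash, hash=_digest(prev_hash, entry))
    trail.append(record)
    return record


def verify_trail(trail: List[Dict]) -> bool:
    """Recompute the chain; any edited, inserted or deleted record breaks it."""
    prev_hash = GENESIS
    for record in trail:
        entry = {k: v for k, v in record.items() if k not in ("prev_hash", "hash")}
        if record["prev_hash"] != prev_hash or record["hash"] != _digest(prev_hash, entry):
            return False
        prev_hash = record["hash"]
    return True


def run_monitor(transactions: List[Transaction], materiality: float) -> Tuple[Dict[str, int], List[Dict]]:
    """Score every transaction and log each decision, so the trail also evidences that the audit ran."""
    trail: List[Dict] = []
    summary = {"clear": 0, "review": 0, "exception": 0}
    for tx in transactions:
        verdict, risk, reasons = score_transaction(tx, materiality)
        summary[verdict] += 1
        append_entry(trail, {"tx_id": tx.tx_id, "amount": tx.amount, "account": tx.account,
                             "verdict": verdict, "risk": risk, "reasons": reasons})
    return summary, trail


# Constructed sample ledger; the materiality level of 10,000 is also an assumption.
SAMPLE_LEDGER = [
    Transaction("T1", 120.00, "office supplies", "alice"),
    Transaction("T2", 15000.00, "consulting", "bob"),
    Transaction("T3", 9000.00, "equipment", "alice"),
    Transaction("T4", 450.00, "travel", None),
    Transaction("T5", 2000.00, "marketing", "alice"),
]
MATERIALITY = 10000.0

if __name__ == "__main__":
    summary, trail = run_monitor(SAMPLE_LEDGER, MATERIALITY)
    print(summary)
    for record in trail:
        print(record["tx_id"], record["verdict"], record["risk"], record["reasons"])
    print("trail intact:", verify_trail(trail))
```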

    The automation of auditing processes will enable companies to reduce the extent and frequency of human errors. It will also increase productivity, performance, and speed (Gunning, 2017, p. 89-92). Besides, the integration of AI systems will enable computers to complete tasks that require enhanced human cognitive abilities. Usually, people are reluctant to accept new technologies, especially when they disrupt the existing status quo (Commerford et al., 2019). One of the forms of disruption is the reduction in the number of jobs available. However, this cannot be proven, as it is still a subject for further research.


    When handling corporate information, there are two categories: structured and unstructured information. On one hand, structured information stands for organized data, which is easy to handle (Commerford et al., 2019, p. 96-104). On the other hand, unstructured data stands for information with minimal organization, which is challenging to handle. Other than these two categories, there is also semi-structured data, which stands for information with a limited degree of structure. According to Omoteso (2016), about 39% of the data audited is structured, 41% is semi-structured, and the remaining 20% is unstructured. Even though semi-structured data accounts for a larger share than the other two categories, the structured tasks are especially susceptible to automation. This difference is because the semi-structured data also include substantive procedures as well as testing for internal controls. Elewa and El-Haddad (2019) believe that in the future, the handling of semi-structured data will become automated, because the level of judgment required in handling this data is limited. Besides, the volume of data employed in auditing has been increasing over the recent past, and auditors need AI and data analytics, meaning that structured tasks will be performed using AI technology as opposed to human auditors (Omoteso, 2016, p. 63-58).

    2.6. Audit Ethics

    An increase in automation will change the focus of auditing, as well as the roles and level of involvement of auditors. Despite these changes, the responsibility of auditors will remain unchanged. AI promises to enable the review of unstructured data and the review of information in real time. These benefits extend to dispersed data rather than only centralized information, thus widening the scope of data access (Samsonova-Taddei & Siddiqui, 2016, p. 23-44).

    Despite the above advantages, auditors are expected to exercise professional judgement while maintaining professional skepticism. Skepticism ensures that auditors verify data before accepting it as a faithful representation of a company’s financial position (Raschke et al., 2018). Balancing professional judgement and skepticism is a sensitive requirement that demands deep cognitive abilities. Although technology can mimic human abilities, it is unclear whether AI systems can maintain both to a high standard. Auditors are also required to perform a concrete fraud risk assessment. According to Arfaoui, Damak-Ayadi, Ghram and Bouchekoua (2016), the ability to conduct these assessments is important to audit quality. Both entry-level auditors and AI systems may lack the capacity to conduct reliable risk assessments. Lombardi and Dull (2016) studied the benefits of implementing AudEx, an expert system designed to assess fraud risk factors and aimed at entry-level auditors or auditors with average experience. They found that using the expert system enabled entry-level auditors to reach better conclusions in fraud risk assessment, and that AudEx trained auditors to make better judgements in subsequent audits.

    Another ethical implication facing auditors is the materiality concept. Information is material if omitting, misstating or obscuring it in the financial statements has a significant effect on investors’ decisions (Arfaoui et al., 2016, p. 78-89). Before starting an audit, auditors must separate material from non-material information. Usually, materiality relates to misstatements that affect the financial statements as a whole, but in some instances materiality can arise from the accumulation of multiple individually immaterial errors (Arfaoui et al., 2016, p. 80-98). The integration of automated AI systems introduces a risk of minor errors that can accumulate into material misstatements.

    2.7. Professional Approach to the Adoption of AI

    It is also expedient to consider the professional angle on the adoption of AI in the auditing profession. Advances in information technology and the availability of capable systems are not only changing how business is done but also transforming professions and professional work (Susskind & Susskind, 2015). This will in some ways resemble how industrialization transformed traditional craftsmanship (Susskind & Susskind, 2015). Auditing is a knowledge-intensive profession: knowledge of business law, accounting, corporate governance, taxation and the principles of auditing forms part of the training for the professional qualifications required of an auditor. Personal qualities such as integrity, objectivity, independence, the ability to express and communicate ideas, and sound judgement are also expected of an auditor in order to excel in the profession (Saxena & Srinivas, 2010). The International Organization for Standardization (ISO) has published a guideline for auditing management systems, ISO 19011:2011, which includes auditor competence requirements. The guideline sets out an extensive list of competence requirements to ensure that auditors and audit teams have adequate skills to achieve the audit objectives (International Organization for Standardization ISO, 2011). Exercising professional judgement and maintaining professional skepticism throughout the audit process is required of an auditor (Eilifsen, Messier, Glover, & Prawitt, 2014).


    “What one needs to know also depends in part on what others expect one to know” (Wilson, 1983, p. 150, in Olof & Jenny, 2005). The quotation comes from the concept of “cognitive authority” developed by Patrick Wilson in his work relating to the theory of professions. It is interpreted to mean “that both the status assigned to information as well as the kind of professional solutions that are considered socially appropriate, are negotiated by experts in different professional domains” (Olof & Jenny, 2005). Apart from the competence and skills required of professionals in their field, when making technology acceptance decisions professionals can also be influenced by factors such as a personal inclination to try out new technologies, social network interaction and the cognitive resources “required for its effective utilization” (Yi, Jackson, Park, & Probst, 2006).

    Moving beyond the earlier electronic systems that replaced paper-based systems in auditing, audit firms are increasingly adopting sophisticated, high-tech audit support systems to enhance the effectiveness and efficiency of audit procedures (Dowling and Leech, 2007; Banker, Chang, and Kao, 2002). This potentially gives firms a competitive advantage over their peers (Carson & Dowling, 2012; Banker, Chang, and Kao, 2002) by signalling the innovation and “sophistication of the firm’s audit process” (Dowling & Leech, 2014), as can be seen from the leading audit firms’ (the Big 4) adoption of AI-based systems in their audit processes. The models of future auditing must differ from the current ones because of the accelerating pace of technological transformation. Technologies transforming the audit industry include big data analytics, machine learning and AI, and auditors are gradually realizing that adopting them increases the efficiency of auditing.

    Marcello et al. (2017) conducted a round-table discussion on how the audit profession has changed over recent years. One of the main topics was the use of technology in auditing. One participant was skeptical about the use of technology, believing that humans are better than machines. The underlying argument is that humans can independently analyze a context (Adler et al., 2018), even where they have had no previous exposure to such a scenario, whereas AI systems can only handle a context after previous exposure to similar scenarios. Other participants believed that machines can collect, analyze and classify large volumes of data at a level of performance that is difficult for humans to match. Beyond this, Marcello et al. (2017) believe that in addition to learning patterns, machines will also learn to reason like humans.


    The argument by Marcello et al. (2017) is supported by the fact that some companies have already adopted AI technologies in auditing. One example is PwC, which has recently started integrating AI systems into its audits. The technology, known as “Halo”, scans large volumes of information, which enables auditors to make reliable risk assessments (Marcello et al., 2017). Furthermore, the technology can investigate and test accounting entries, identify high-risk transactions and flag them for further analysis. Another example is KPMG’s use of IBM Watson, developed in partnership with IBM (PwC, 2016). The system helps companies meet the lease accounting requirements stipulated in IFRS 16: IBM Watson extracts data from lease documents and presents it for analysis, which helps ensure that the transactions in the agreement are accounted for correctly.

    Although there may not be a radical change yet, the role of auditors will continue to change over time, driven by continuously evolving technological developments. Momodu et al. (2018) posit that various parts of the auditing process will be automated soon, while full technical integration will take a while to be realized. Automation of the audit process will bring changes to the normal process, such as the time spent on auditing. It will be an advantage to all stakeholders in the industry, since automation is not believed to reduce employment in the audit sector (Momodu et al., 2018). According to the responses in Momodu et al. (2018), auditors and AI can complement each other efficiently: artificial intelligence would focus on data extraction while auditors concentrate on analyzing data and making decisions. Auditors could then devote more time to consulting with clients, offering them more value for money and time. The education given to auditing students should enhance their capacity to handle future technological developments in the sector (Momodu et al., 2018). Research has indicated that universities have been slow to adopt curricula that match the technological changes in the auditing field.


    2.8. Research Model

    Figure 2: Research Model (diagram). Boxes: Agency Theory; Stakeholders Theory; Theory of Inspired Confidence; Credibility Theory; Auditing Process; “AI-based tools facilitate optimal performance in each step of the auditing process”.

    The figure depicts graphically the theories of the study and how they determine the interaction between the other key concepts, from the relationship between the theories to its reflection in the interaction between AI tools and each step of the auditing process. It starts from agency theory, which ensures the protection of investors’ rights; moves to stakeholder theory, which addresses the interconnectedness of the relationships between a business’s various stakeholders and holds that value for all stakeholders is upheld through the integration of AI in the entity’s auditing process; continues to the theory of inspired confidence, which reiterates that the overall purpose of an audit is to meet the expectations of an average interested party in the company’s financial statements; and ends with credibility theory, which stresses that the primary function of an audit is to increase the credibility of financial statements and thereby enhance the faith of principals and other stakeholders in the financial report. The application of each of these theories determines the interaction between AI tools and the auditing process. AI-based tools facilitate optimal performance in each step of the process. The two-way interaction between AI and the auditing process is presumed to lead to enhanced effectiveness of the process for the benefit of all stakeholders; this will be further verified as the study progresses.




    Research methodology refers to the research strategy that translates the principles of epistemology and ontology into guidelines that denote how research is to be conducted (Sarantakos, 2005, in Tuli, 2010), and to the procedures, principles and practices that guide research (Kazdin, 1992, 2003a, cited in Marczyk, DeMatteo and Festinger, 2005, cited in Tuli, 2010). Quantitative research methodologies search for law-like “regularities and principles” that are meant to give the same result every time they are tested in all given situations, whereas qualitative research seeks to “understand the complexities of the world through participants’ experiences. Knowledge through this lens is constructed through social interactions” (Tuli, 2010, p. 103). The method used for this study is qualitative, as qualitative methodologies are known to be discovery- and process-oriented, to have “high validity”, to be more concerned with a deeper understanding of the research problem in its “unique context”, and to be less concerned with “generalizability” (Ulin, Robinson and Tolley, 2004, in Tuli, 2010, p. 103). This paradigm sees reality as a human construct (Mutch, 2005). The answer to the research question “How is AI enhancing the effectiveness of audit processes?” is presented at the end of the study, after exploring and gathering empirical data from auditors in audit firms that already use AI technology in their audit process and who were able to give a detailed account, from their experience, of the difference AI makes to the effectiveness of the audit process compared with traditional auditing or other technology they may have used before implementing AI. This study follows an abductive approach. The abductive approach to research mixes the inductive and deductive approaches, allowing researchers to move back and forth between theory and data so as to modify an existing theory or model or come up with a new one (Reichertz, 2004; Awuzie & McDermott, 2017). As Malterud posits, “knowledge never emerges from data alone, but from the relation between empirical substance and theoretical models and notions” (Malterud, 2001, p. 486).

    3.1. Epistemological Position: Interpretivism

    The main epistemological debate in conducting social science research is “whether the social world” can be studied in accordance with “the same principles as the natural sciences” or not (Bryman, 2001, in Tuli, 2010, p. 99). There are two broad worldviews on this epistemological position: positivism and interpretivism-constructivism. Positivists are of the opinion that the purpose of research is scientific explanation, a belief that evolved largely from a nineteenth-century philosophical approach. The positivist explanation of social reality is that empirical facts exist separately from personal thoughts or ideas; “they are governed by laws of cause and effect; patterns of social reality are stable and knowledge of them is additive” (Crotty, 1998; Neuman, 2003; Marczyk, DeMatteo and Festinger, 2005, in Tuli, 2010, p. 100). As posited by Ulin, Robinson and Tolley (2004), the main assumption of the positivist paradigm is that the goal of science is to come up with “the most objective methods possible to get the closest approximation of reality” (Tuli, 2010, p. 100); the emphasis is on the closest approximation to reality, not reality itself. Invariably, this paradigm separates people from their reality, holding that knowledge is “objective and quantifiable” (Antwi & Hamza, 2015). Quantitative research falls mainly within this school of thought, since it is basically “concerned with investigating things which could be observed and measured in some way” (Antwi & Hamza, 2015, p. 1). Interpretivist-constructivists, by contrast, view the world “as constructed, interpreted, and experienced by people” in their interactions with one another and with social systems in general (Maxwell, 2006; Bogdan & Biklen, 1992, in Tuli, 2010, p. 100). The nature of inquiry in this paradigm is “interpretive and the purpose of inquiry is to understand a particular phenomenon, not to generalize to a population” (Farzanfar, 2005). This is the paradigm from which most qualitative researchers draw their inferences, and interpretivism is the epistemological position employed for this study.

    3.2. Ontological Position: Constructionism

    Objectivism and constructionism are the two broad contrasting positions in the ontological perspective: objectivism posits that reality is independent of social processes, whereas constructionism assumes that reality is the product of social processes (Neuman, 2003). Constructionism is chosen as the ontological position for this study because all participants in this research are social actors who have their individual reality and are constantly influenced by social processes.

    3.3. Data Collection

    Data collection is a crucial process in research, because the data is meant to contribute to a better understanding of a theoretical framework. It is therefore important to select a method of data collection that ensures the data is obtained with sound judgement, as no amount of analysis can make up for “improperly collected data” (Etikan, Musa, & Alkassim, 2016). Interpretive researchers place great emphasis on how the world can be understood better through personal experiences and “truthful reporting and quotations of actual conversation from insiders perspectives” (Merriam, 1998, in Tuli, 2010, p. 100) rather than merely testing the laws of human behaviour (Bryman, 2001; Farzanfar, 2005). Accordingly, methods of data gathering that are sensitive to context and enable a rich and detailed description of the social phenomena under study are employed (Neuman, 2003; Tuli, 2010), with participants encouraged to speak freely and to understand the researcher’s quest for insight into the phenomenon they have experienced (Tuli, 2010). The method chosen for data collection in this study is interviews with auditors in different firms where AI has been implemented in the audit process, in order to obtain their in-depth perspectives from experience of the phenomenon being studied. Nine auditors from various firms were interviewed, seven male and two female, two of whom are from Big 4 audit firms. An overview of the interview sessions, with the dates of the interviews, the auditors’ positions at their firms, gender, the medium through which each interview was conducted and its length, is presented in Table 1 below to lend credence to the data and support the trustworthiness of the study. The names of the firms were omitted to honour the anonymity promised to the interviewees. All the interview sessions were conducted over video-conferencing tools because of the ongoing COVID-19 pandemic, which ruled out visiting the participants’ offices for physical meetings under the social distancing measures in place; the video format nevertheless made it possible to see the participants and have a cordial interaction. The interviews were conducted in English, audio recorded and later transcribed into a Word file for ease of analysis and for reliability.



    Date    Participant  Position at the Firm         Gender  Interview medium  Length of interview
    6 May   Auditor 1    Middle level                 Male    Skype             44 mins
    7 May   Auditor 2    Senior auditor               Female  Zoom              48 mins
    7 May   Auditor 3    Entry level                  Male    Zoom              40 mins
    8 May   Auditor 4    Middle level                 Male    Skype             49 mins
    11 May  Auditor 5    Independent senior auditor   Male    Skype             55 mins
    14 May  Auditor 6    Entry level                  Male    Skype             40 mins
    15 May  Auditor 7    Middle level                 Female  Skype             45 mins
    18 May  Auditor 8    Entry level                  Male    Zoom              44 mins
    15 May  Auditor 9    Entry level                  Male    Google            not stated

    Table 1: Interview session analysis

    3.4. Sampling Method

    There are several sampling methods to choose from when conducting research. The goal of this study is to explore the role of AI in auditing, which involved interviewing auditors to obtain their expert opinion on the topic under study; the targeted respondents are from Sweden’s top-rated auditing and consulting firms. Sampling methods are generally split into probability and non-probability methods. Non-probability sampling is said to have limitations because of the subjective nature of choosing the sample; however, it is quite useful when the researchers have limited resources and time and do not aim to generalize the result to an entire population (Etikan, Musa, & Alkassim, 2016), as is the case in this study. Purposive sampling, which is a non-probability method, is used for this study. “The purposive sampling also called judgement sampling is defined as the deliberate choice of a participant due to the qualities the participant possesses” (Etikan et al., 2016).

    It is suitable for this study because the researchers have a specific purpose in mind: to learn from auditors’ experience of implementing AI in the audit process and how it contributes to the effectiveness of the process. The target was therefore auditors from audit firms within Sweden that have adopted AI in their audit process. Interview request letters were initially sent to the selected firms’ general email addresses; when no response was forthcoming after three days, an internet search was done to obtain contacts for office managers in the various audit firms in different locations within Sweden. Office managers were chosen because they coordinate the affairs of the office, so they can act as contact persons in the firm and are in the best position to disseminate the information, making it easy to reach those who would be interested in taking part in the study. Interview request letters were sent to 18 official email addresses of managers listed in the companies’ online profiles. The direct messages yielded results, with feedback arriving within 24 hours and promises of participation. One manager was contacted through LinkedIn but did not respond. The request contained a brief overview of what the research is about, why their participation would be appreciated, the ethical concerns they might have together with an assurance of anonymity, the freedom to withdraw from participation at any time, and the maximum amount of time the interview was expected to last (see Appendix 1 for the interview request letter). Of the eighteen requests sent out, nine positive responses came back, and interview times were fixed with the individuals separately. Of the remaining nine, two declined participation by email because of busy schedules, and seven did not respond to the request at all.

    3.5. Interview Process

    Research interviews are usually divided into structured, unstructured and semi-structured formats. Structured interviews are rigid in nature and would not help uncover all the information required about the role of AI in auditing, because they offer very limited scope for follow-up questions to explore responses that require deeper and more exhaustive perceptions. An unstructured interview is described as a conversation with an objective but often without a set of predetermined questions, designed to allow the interviewee to discuss at length whatever the interviewer asks (Saunders et al., 2009, p. 321). It has been described as a shared experience in which the interviewee and the interviewer develop a background of personal familiarity so that respondents are open to sharing their stories. It seems an oddly private method and somewhat ill-suited to a professional environment in which the researchers want to obtain auditors’ opinions within a reasonable time frame so as not to take up too much of their time. Because of the drawbacks of both structured and unstructured interviews, the semi-structured method was chosen for this study, as it combines the benefits of the other two. It is described as a flexible technique that gives the interviewee a fair degree of freedom to express further opinions on a question asked (Drever, 1995). Its limitation is that it is not particularly suitable for studies involving a large number of participants; it fits this study well because of the small sample size.

    3.6. Interview Guide

    To have questions that would delve deep into the experiences of the interviewees and yield rich data, the researchers sought inspiration and ideas for the interview guide from a systematic review of literature such as Daniel W. Turner III’s Qualitative Interview Design (Turner, 2010), John W. Creswell’s Qualitative Inquiry & Research Design (Creswell, 2003; 2007) and Kokina and Davenport’s The Emergence of Artificial Intelligence: How Automation is Changing Auditing, and also from a few prior theses on audit process and automation available through an online Google search (Keskinen & Tarwireyi, 2019; Kostić & Tang, 2017). There are limited studies on AI in audit to draw ideas from, mainly because the phenomenon is a new and still evolving research topic. The questions were then formed around the interaction of AI with each stage of the audit process, in order to gain knowledge from the experience of the participating auditors and achieve the aim of the study (see Appendix 2 for the interview guide questions).

    The first section of the questions covered the interviewees’ background information: their position at the firm, years of audit experience, professional certification and main duties. The next section touched on the auditors’ competence in the use of IT tools (how well they use them), which is deemed necessary to know their level of comfort and familiarity with the general usage of IT tools for both work and personal use. The following two sections of the interview guide focused on the auditors’ perspectives on how AI influences each stage of the audit process. One question in this part asked the auditors to rate the effectiveness of the audit process with the adoption of AI tools on a scale of 1 to 10. This is an interesting twist in interview question style because it resembles a survey questionnaire; however, it was introduced to obtain each auditor’s personal rating of AI’s influence on the process as a first-hand user of the tools. The last section of the interview addressed the ethical concerns of AI: the auditors’ opinion of AI’s compliance with the required audit and accounting standards, and whether AI promotes or impairs auditors’ professional judgement. A brief question was also asked on the pros and cons of implementing AI in the audit process and the challenges they have encountered in its use so far.

    3.7. Interpreting the Data: Structure Used for the Analysis

    Making sense of the data collected is another important and quite demanding part of the study. As a qualitative study, the data has to be structured in a way that follows a pattern and is easy for readers of the work to understand. The data is segmented according to sections or groups of information, otherwise called themes or codes (Creswell, 2007, in Turner, 2010). The themes or codes are phrases, expressions or ideas that were common among interviewees (Kvale, 2007, in Turner, 2010). For this study, the data was structured into sections according to the interview guide, which also follows the pattern of the research model drawn up at the beginning of the study (in chapter two). The participants are referred to as interviewees, auditors and informants interchangeably. The background information, which provides the foundational knowledge, was analysed first; the sections that followed, covering competence in the use of IT tools, the interaction of AI with the audit process and the ethical concerns surrounding AI, were analysed according to each stage of the process. Samples of interviewee responses are quoted so that the participants are seen to present their own viewpoints. The underlying assumption of this strategy is that the data is treated as fact that speaks for itself (Wolcott, 1994b, p. 10), for the sake of reliability. A discussion follows each section to show the interpretation drawn from the common themes in the responses. The researchers maintained a healthy skepticism so as to include every important piece of information gathered from the data that differs from (or may add to) the preconceived framework, in order to build on the framework in keeping with the abductive approach the study employed, linking all relevant parts of the analysis with the theories they support most.

    3.8. Bias in Data Collection

    Bias refers to a tendency that inhibits the unprejudiced consideration of a question; in research, bias may occur at several phases of the process, such as planning, data collection, analysis and publication of the results. According to Pannucci and Wilkins (2010), bias should not be considered a dichotomous variable, so the interpretation of bias cannot be restricted to a simple inquiry into whether it was present or not. Instead, Pannucci and Wilkins (2010, pp. 8-12) suggest that reviewers of research must evaluate the degree to which bias was controlled by proper study design. As some level of bias is always present in every piece of research, reviewers must consider its influence on the results and conclusions. Selection bias may occur during identification of the population to be interviewed or investigated. In this study there is clearly a selection bias in data collection, because the study aims for a precisely defined population that can achieve the aim of the study: auditors who are already using AI in their audit processes, not auditors in general. Such a population is one that is clearly defined, reliable and accessible (Creswell, 2007).

    3.9. Trustworthiness, Credibility and Authenticity of the Study

    Guba and Lincoln (1994) propose two important measures for assessing qualitative research: trustworthiness and authenticity. Trustworthiness in this regard concerns the credibility and transferability of the data. Credibility refers to whether the researchers captured the interviewees’ contributions correctly and without bias, i.e. “if the data can be attested to again by triangulation” (Smallbone & Quinton, 2004, p. 156). The interviews for the study were audio recorded and transcribed word for word for credible analysis, the interviewees’ voices are made heard by quoting their words, and both researchers were involved in the interviews as well as in the analysis of the data. This was done to increase the credibility of the data without assumption or bias. As Gill, Stewart, Treasure and Chadwick note, guarding against bias and presenting evidence as it was expressed (or not) is best done by transcribing interviews exactly as they were recorded (Gill, Stewart, Treasure & Chadwick, 2008, p. 292). The main test of transferability is whether the research data is sufficient to enable its transfer to research in other contexts by other researchers. According to Malterud, producing information that is shareable and applicable beyond the study setting is the primary aim of research; however, no study, whatever the method employed, can provide findings that are universally transferable (Malterud, 2001). Transferability usually depends on the research question and on what additional facts are required to answer it effectively in the context in which it is being applied (Malterud, 2001). The authenticity of the study, which concerns its wider context, involved confirming that all viewpoints in the setting are well represented (Smallbone & Quinton, 2004). The population represented in our research covers essentially all levels of auditors involved in the auditing process, which denotes fairness in representation.




    The purpose of this chapter is to display and analyse the data collected. The research is concentrated on Sweden, one of the least corrupt countries in the world (according to the 2019 Corruption Perceptions Index). The previous chapter discussed the process by which primary data was collected from nine interviewees, all of whom are auditors from firms in the country. The interviews comprised six key sections, and the analysis is structured according to these sections as contained in the interview guide.

    Analysis is explained as consisting of three simultaneous flows of activity: reduction of the text from the data collected, data display or exploration of the data, and conclusions drawn from the data (Miles & Huberman, 1994; Attride-Stirling, 2001). All of these streams of activity, with interpretation at each stage, are interwoven and combined to make up the principle used for the analysis phase of this study.

    4.1. Demographic Information

    The first section of the interview comprised general questions. The purpose of these questions was to establish the background information of the interviewees. The first question established the role and title of the interviewees at their auditing firms. The three levels included entry or junior, middle-level and senior/managerial levels, and there are three interviewees represented in each of the levels. This shows a good representation of the audit team among the participants interviewed. “An audit is usually conducted by an audit team, which is characterized by a hierarchical structure and division of labor” (Bamber, 1983, p. 396). The size and complexity of the audit determine the number of people at each hierarchical level (Muczyk, Smith, & Davis, 1986).

    In the same section of the interview, the interviewees were asked if they were part of the audit team at their respective organizations. Since only participants with experience of AI-based systems were selected for interview, all of the interviewees replied “yes” to this question. Using teams with diverse skills boosts audit effectiveness, as team members bring together their “knowledge and expertise” (Owhoso, Messier Jr., & Lynch Jr., 2002), while distributing the work by allocating audit sections to each team member (Vera-Muñoz et al., 2006, cited in Udeh, 2015).


    Also in this section, interviewees were asked about their years of experience in the auditing profession. Their experience ranges from two to fifteen years in this field. For example, the second and fifth interviewees have 15 years of experience and work as senior auditors in managerial positions, while the sixth interviewee has 10 years of experience and also works as a senior auditor. The experience of the rest of the interviewees ranges from two to six years, and they work in junior and middle-level positions. The need for audit firms’ management to leverage their resources by forming teams based on audit staff “knowledge, experiences and expertise” to achieve a quality audit is reiterated by Gardner et al. (2012, cited in Udeh, 2015).

    Table 2 Background Information of the participants

    Participant   Role at the firm          Years of experience   CPA certified   Gender
    Auditor 1     Middle level              5 years               CPA             Male
    Auditor 2     Senior/managerial level   15 years              CPA             Male
    Auditor 3     Entry level               2 years               CPA             Male
    Auditor 4     Middle level              6 years               CPA             Female
    Auditor 5     Senior/managerial level   15 years              CPA             Female
    Auditor 6     Senior/managerial level   10 years              CPA             Male
    Auditor 7     Entry level               3 years               –               Male
    Auditor 8     Entry level               2.5 years             CPA             Male
    Auditor 9     Middle level              4 years               CPA             Male

    Auditor 1 is a middle-level auditor with five years of experience in auditing and certification. His duties are… “implementing the audit schedule as outlined by the senior auditors while adhering to the existing accounting standards”.

    Auditor 2 is a senior auditor at the managerial level with 15 years of experience in the auditing field and CPA certification. His role is to make audit policy for the firm and oversee audit

    Auditor 3 is an entry-level auditor with 2 years of audit experience on the job, CPA certified. His duties involve assisting middle-level and senior auditors in the audit process.

    Auditor 4 is a middle-level auditor with six years of experience and has CPA certification. His duties are to take part in the audit process outlined according to the instructions of the senior auditor and to use AI systems to complete substantive tests.

    Auditor 5 is a senior auditor with 15 years of professional experience in auditing and is CPA certified. His responsibility is to supervise the entire audit process.

    Auditor 6 is a senior auditor at the managerial level with 10 years of experience on the job and is CPA certified. He oversees and gives guidance to subordinates in the entire audit

    Auditor 7 is another entry-level auditor with 3 years of experience on the job. He works at one of the big four auditing firms and gave no response on CPA certification. His duties are to assist the senior auditors in the audit process, and he uses AI to “roll forward documents from previous year”.

    Auditor 8 is also an entry-level auditor, with two and a half years of experience in auditing, and is CPA certified. His duties are to assist in implementing audit programs.

    Auditor 9 is a middle-level auditor with 4 years of experience and is CPA certified. His duties involve participating in the entire audit process as outlined by the senior auditor.

    The section also sought to establish whether the interviewees are CPA certified. Usually, CPA-certified auditors are seen as much more professional and competent in the field than their counterparts who lack this accreditation. All interviewees but one answered this question in the affirmative, so the majority of the informants are CPA certified. The section also sought to determine the role of each interviewee in their respective organization and audit team. The roles ranged from providing supportive services to following or giving directions related to auditing. For instance, the 1st interviewee cited that the primary role was to organize the entire audit team and supervise the remaining team members. The interviewee qualifies for this role due to the qualification as a senior auditor (Altındağ & Kösedağı, 2015, p. 12).

    In comparison, the 8th interviewee described his professional role as implementing the audit program developed by the team, providing advice and working with colleagues to generate favourable results. This interviewee works at the entry level with 2.5 years of experience. The observation is that experienced auditors have managerial roles while entry-level auditors assume supportive roles (Ax & Greve, 2017, p. 34). The end of this section sought to establish the educational background of the interviewees. The main categories included accounting, economics, and business. The outcome for this section is as follows: two interviewees have a business educational background, three have an economics background and four have an accounting background. Accounting therefore has the highest number of interviewees, followed by economics, and then business with only two interviewees. The reason for this distribution is that accounting has the closest relationship with auditing (Bathc, 2017, p. 45).


    4.2 Competence in the use of IT tools

    The second section of the interview sought to determine the competence of the interviewees in using IT tools. The first question asked in this section read: “how tech-savvy are you?” The responses ranged from “moderately good” to “extremely good.” It is worth noting that none of the informants was “extremely poor” or “poor”. Only two interviewees emerged as having entry-level knowledge of technology. The interviewees also said they were comfortable with IT tools for both personal and office use. The other question asked whether the informants are familiar with the software used for accounting processes. The reason for this question was to determine how informed the auditors are about the software used for accounting purposes. As mentioned in the literature review in the opening chapter, the collation of transactions and disclosure of financial information are increasingly done with various technological tools that gather, analyse and preserve accounting data electronically with less paper documentation (Arens, Elder, & Beasley, 2014; Foneca, 2003; Khemakhe, 2001; Zhao, Yen, & Chang, 2004, in Mansour, 2016); this comes with a lot of complexity, but it increases the capability of auditing to add value when auditing these accounts (DeFond & Zhang, 2014). The auditors’ familiarity with various accounting software is evident in their responses. For instance, the 8th informant admitted familiarity with Sage, Xero, Pably, and Wave software. In comparison, the 1st informant indicated familiarity with Sage, Quickbooks, and Odoo. These responses are similar to the one given by the 3rd informant, who quoted familiarity with Sage. Although the 3rd informant listed only one accounting software package, the trend is that all informants are familiar with at least one.

    Another significant trend seen here is that Sage is the most popular accounting software known among this group of auditors: it was common to the 3rd, 8th, and 1st informants. Besides, the 9th informant stated that “The software I understand most is the Sage Accounting software. My company used it for over seven years. Recent changes have however rendered the software less useful since it requires intensive human efforts. This fact made it necessary to adopt the upcoming AI software such as Apache Mahout”. At this juncture, the observation is that ordinary accounting software is losing its grip on the market. As a result, there is a need for industry stakeholders to focus on new and innovative software, even for accounting purposes. AI seems a good example of such software, judging from this interviewee.


    In the same way, the 4th informant indicated familiarity with the Raken accounting software. The response cited for this section reads: “Yes, I am especially familiar with Raken, which is a cloud-based announcing arrangement intended for the development business. It assists with monitoring development extends and gives clients site refreshes continuously. It permits venture supervisors to keep up every day work logs, plan and allot occupations to representatives, send updates to handle operators, create and share depictions of a task’s advancement. The arrangement additionally assists organizations with monitoring subcontractor hours. Combinations with Procore, Prolog, Egnyte and Box are accessible”. The information provided by this informant is not only precise but also shows outstanding confidence regarding the usefulness of the accounting software. The information regarding the software indicates that existing accounting software packages are necessary but not sufficient tools for audit reliance (Bondarenko et al., 2017). It is important that auditors are equally equipped with advanced technology that can guide them in exploring and understanding how the entity’s financial transactions and other data have been collected, recorded, and processed (Mansour, 2016), which is where AI tools for auditing come in. Over-reliance on accounting software alone will reduce the quality of the audit, thus violating one of the primary principles of the auditing theories, which is to provide assurance that the company’s accounts are accurate and represent a true and fair view of the financial position of the organization.

    4.2. Personal views on the importance of automation of the auditing process for the audit

    The first question in this section sought to determine the interviewees’ understanding of audit automation. Although the descriptions varied amongst interviewees, the general observation is that automation entails the use of software to automate auditing processes as opposed to the traditional method. For instance, the 3rd interviewee stated that audit automation is the use of automatic systems to audit financial reports as opposed to the use of traditional methods. In the same line, the 2nd interviewee defined audit automation as the use of automatic audit software as opposed to the conventional approach to auditing where natural humans complete the tasks. The 9th interviewee responded that “Automation is about the use of non-manned or barely manned accounting software to overcome the challenges of using heavily manned software. An example of manned software is Sage while an example of non-manned software is the DeepLearning4J software”. Although the interviewees used different wording, the general theme is that audit automation entails the revolutionary integration of automatic audit software to reduce the limits attached to the use of traditional methods or ordinary audit software that require intensive human


    Another question sought to establish the familiarity of these auditors with AI tools and whether they use AI tools for their auditing work. They answered in the affirmative and gave the names of the AI software used in each of their firms. The reason for this identification was to confirm that the auditors have sufficient exposure to AI software to give credence to their opinion on the phenomenon.

    The 6th interviewee responded: “Yes, I am familiar with the AI tools. The main ones we use include AI-one, DeepLearning4J and Apache Mahout. Yes. The firm relies on auditing in nearly all instances. Unless the scope required is narrow, the use of AI is mostly guaranteed”.

    The 9th interviewee also noted his familiarity with AI tools: “Yes, I am familiar. The tools acquire intelligence about accounting systems as companies based on the financial context of the organization. My company used this software for the past five years. When I joined the company, the software was just new and the auditing team was just learning to use it. Up to now, the company has learned about the software by a large margin”.

    At the same level of response, the 1st interviewee answered: “Yes. I am familiar with them. They are software trained by auditors to complete tasks previously completed by natural humans. Yes, we use the MindBridge AI software”. The same response is common to the rest of the interviewees.

    The opinions provided by the majority of these interviewees indicate that auditing in this context is dependent on the existing AI for the implementation of the existing frameworks for applying the critical auditing theories. This is in line with agency theory in the case of auditing, which requires stakeholders such as auditors to act in the best interests of investors (Blair et al., 2017, pp. 45-56). This requirement needs auditors to ensure professional and widespread auditing of financial reports.

    Besides the responses from the experienced and middle-level auditors, which showed that they had widespread knowledge about the AI software used in auditing, other responses show that the interviewees who are junior-level auditors also have knowledge about the software used in auditing and accounting. For example, the 3rd interviewee indicated familiarity with just a few auditing tools. The response read: “I am only familiar with a few tools- IBM Watson and Cygna Audit, Engati. Yes, the firm uses these tools but I am new and still learning. Software such as Engati is used to create chatboxes that enhance the interactions between the audit team and corporate accountants”. This response shows that even entry-level auditors have significant exposure to modern accounting and auditing software.


    The above question closely resembled another asking the informants whether their respective firms use AI software for auditing. The trend for this question is that the firms are increasingly adopting AI systems. For instance, the 6th interviewee responded that “the firm relies on auditing software in nearly all instances. Unless the scope required is narrow, the use of AI is mostly guaranteed”. The words used by the interviewee in this instance show that the use of AI is becoming a significant source of competitive advantage for the company that uses it. They show the firm’s interest in and commitment to improving its processes and turning out a quality audit, which is one of the main purposes and expectations of an audit process. One of the important models is the confidence model, which requires auditors to increase their confidence in AI software through proper perusal (Naser & Al Shobaki, 2016, pp. 90-97). The 1st interviewee confirms this argument by showing that there is widespread exposure to modern auditing software. The interviewee stated: “Yes. I am familiar with them. They are software trained by auditors to complete tasks previously completed by natural humans. Yes, we use the MindBridge AI software”.

    Another key observation about these interviewees is their response to the question about how comfortable they are using these systems. While some expressed that they are extremely comfortable (interviewees 5, 1, 2, 8, 7), others noted that they are only “moderately comfortable” with the use of AI auditing software (interviewees 4, 6, 9). Some of the reasons given for this are:

    Interviewee 6: “I am moderately comfortable. The reason is that the system is new and it is in its “infancy.” The company needs to learn the software while the software must also learn the organization”.

    Interviewee 9: “I am just comfortable, but I would prefer to be extremely comfortable. The reason is that I only have a few years of experience and the company has only used the software for a short time. As years continue to pass, I believe that I will extremely

    Interviewee 3 says: “I am not comfortable. The reason is that I am new to the field and auditing software require a lot of skills”.

    The observation at this juncture is that although companies may adopt AI-enabled auditing software, there is a need for additional training. In chapter 2, the literature review indicated that one of the challenges facing modern auditing companies is the lack of proper training for auditors and accountants (Noraini et al., 2018; Gonzalez-Padron, 2016, pp. 89-92). Skills in using technological tools, the ability to adapt to new technology, and an understanding of how technology can affect the environment are all part of the competencies necessary for entry-level accountants and CPA professionals to thrive in the field, as detailed in the AICPA (American Institute of Certified Public Accountants) functional competencies (AICPA, 2018). “Due to the rapidly changing accounting profession, the framework focuses on critical skills instead of traditional subject-content areas or accounting services. Although knowledge requirements will change with time, the core set of competencies the framework identifies will have long-term value and will support a variety of career opportunities for future CPAs” (AICPA, 2018).

    4.3. Auditing Process

    This section sought to establish the role of AI in enhancing the process of auditing based on

    each of the stages.


    Pre-engagement Stage

    This stage of the process is where the auditors review the extent to which the policies of the firm limit the integrity of accounting procedures, and also check the integrity of the company’s management, compliance, and existing or potential threats (Cannon & Bedard, 2017, pp. 24-30).

    The majority of the participants agreed that AI is quite useful for the pre-engagement stage of the audit process. The only exception was a participant who said that his firm does not presently use AI for this stage of the process. The common theme here is client evaluation.

    “AI has extensive roles in this stage with its capability to check and analyze historical information and make predictions of in all likelihood of risks and activities” (Interviewee 3)

    “AI acts as the link between auditors and financial documents as well as the financial framework of the organization” (Interviewee 4)

    “AI has tremendous role in the pre-engagement stage. The purpose of this stage is to determine whether to accept or reject a client. As such, auditors need to verify the financial framework of the organization to determine the risk of financial fraud. Also, the stage enables the determination of the scope of work. AI systems review the trends in financial data without the need for extensive human engagement” (Interviewee 9)

    “AI helps with the important preliminary work at this stage with speed and accuracy which relieves auditors of the need to identify areas that need further scrutiny. As a result, the auditors have additional time to interact with corporate officers such as accountants” (Interviewee 2)


    These examples of the common responses from the auditors reaffirm that client evaluation is a common procedure for audit firms when deciding whether or not to accept a prospective client, as noted by Eilifsen, Messier, Glover, & Prawitt (2014). Although the auditors acknowledged the role of AI in the entire audit process, there was a particular emphasis on the pre-engagement stage. Pre-engagement activities take place before the acceptance of an audit assignment, and the stage has been noted as involving a lot of repetitive tasks and back-and-forth exchange of documents between the potential client and the auditors for accurate evaluation of the client-to-be. AI technology is designed to automate or streamline parts of the recruitment workflow, especially the parts that are repetitive or voluminous (Rahimi and Gunlu, 2016, pp. 34-41).

    AI interaction with the pre-engagement stage thus enhances the process through the speed at which it peruses the company’s information and the accuracy it brings to the predictions, without the need for extensive human engagement. This frees up time for auditors to make quick decisions on acceptance and move on to the next important tasks geared towards a complete and quality audit that would inspire confidence in all stakeholders in the financial statements, in accordance with the theory of inspired confidence.

    Planning Stage

    All the auditors agreed that AI helps greatly with this stage, given the speed at which it checks through multiple files to flag questionable documents for further analysis. The general theme from the responses is that AI helps with classifying materiality and with pattern identification. Here are some of the responses:

    “AI can pass through multiple files in an instant, classifying files that show minimal variation as “less material.” Those with a high variability, AI classifies them as ‘highly material’” (Interviewee 6)

    “the focus is on checking the patterns of transactions so that sudden changes can qualify for further analysis” (Interviewee 4)

    “AI peruse documents and compare the trends to “raise red warnings” in cases of sudden changes” (Interviewee 5)


    The overarching theme here is that AI helps with classifying materiality and with pattern identification. In audit planning, risk assessment has to do with “pattern recognition”, where an unanticipated deviation from the pattern gives an indication of risk (Ramamoorti et al., 1999, p. 160). Materiality judgement is a very cogent ingredient of accurate decision making. If auditors set a materiality threshold higher than that of the users, useful information may be omitted from the financial statements, which makes the audit exercise an inefficient means of controlling agency cost (Kinney & Burgstahler, 1990). In the same vein, if the auditors’ materiality threshold is set lower than that of the users, the audit cost may end up being greater than the value of the information the audit exercise has provided (Chewning, Wheeler & Chan, 1998). Thus, balanced materiality classification and pattern identification are crucial, as they enhance the process and bring effectiveness to this stage. Good planning is noted as key, as it helps in determining the appropriate audit strategy and scope and in handling risk factors in a timely manner, so as to have an effective, efficient and complete audit (Cannon, 2017, pp. 90-91).

    Execution Stage

    Given the intensity of the tasks this stage of the process entails, it is generally agreed by all participating auditors that AI reduces the burden of the tasks while enhancing effectiveness.

    “AI allows auditors to conduct substantive tasks in a “sweeping exercise”. Rather than audit one level of financial entries and proceed to the next one, the systems can review multiple stages in an instant” (Interviewee 4)

    “Uses AI to detect errors of omission, commission or fraud. An example of the activities undertaken by the company AI is re-calculating the values” (Interviewee 5)

    “AI plays a key role in carrying out internal control tests more so observation, inspection and recalculation. Enabled systems to adapt to changes in the accounting framework and approach thus giving firm that use it far-reaching advantages over competitors” (Interviewee 6)

    The overarching theme in the responses here is that AI brings swiftness, effectiveness and ease to the test of controls for auditors. Adequate compliance tests on procedures and substantive tests are required to ascertain the effectiveness of the internal controls in place. These tests enable the auditor to believe in the system’s credibility or to question it. With the swiftness with which AI goes through the whole population to be tested, instead of the sample that is usually tested in a manual process, the auditor can fully concentrate on the critical control accounts or areas where weaknesses are common (Shen, Chen, Huang, & Susilo, 2017, pp. 12-15). This agrees with the literature on using machine learning models to classify messages and increase the level of confidence for the auditors: where a message falls below the threshold, the system sends it for further human analysis (Noor & Mansor, 2019, p. 64).
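    To make the planning-stage and execution-stage behaviour the auditors describe concrete (classifying accounts by variability as “less material” or “highly material”, flagging sudden changes in transaction patterns, and recalculating values across the whole population rather than a sample), here is an added illustration in Python. It is not code from this thesis or from any of the AI products the interviewees name; the ledger, thresholds and labels are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Entry:
    """One posting in a ledger file: the net movement for the period and
    the period-end balance as reported in the file."""
    account: str
    period: int
    amount: float
    balance: float


# Constructed sample ledger (not client data): six monthly periods for three
# accounts. "Sales" carries a sudden jump in period 6 and a reported balance
# in period 4 that does not agree with the postings.
LEDGER = [
    *(Entry("Rent", p, 1000.0, 1000.0 * p) for p in range(1, 7)),
    Entry("Travel", 1, 300.0, 300.0),
    Entry("Travel", 2, 320.0, 620.0),
    Entry("Travel", 3, 280.0, 900.0),
    Entry("Travel", 4, 310.0, 1210.0),
    Entry("Travel", 5, 290.0, 1500.0),
    Entry("Travel", 6, 300.0, 1800.0),
    Entry("Sales", 1, 5000.0, 5000.0),
    Entry("Sales", 2, 5200.0, 10200.0),
    Entry("Sales", 3, 4800.0, 15000.0),
    Entry("Sales", 4, 5100.0, 20000.0),   # postings actually sum to 20100.0
    Entry("Sales", 5, 4900.0, 25000.0),
    Entry("Sales", 6, 12000.0, 37000.0),
]


def _by_account(entries):
    """Group postings by account, ordered by period."""
    groups = defaultdict(list)
    for e in entries:
        groups[e.account].append(e)
    return {acct: sorted(es, key=lambda e: e.period) for acct, es in groups.items()}


def classify_materiality(entries, cv_threshold=0.25):
    """Planning stage: label each account by how much its movements vary.
    A coefficient of variation (stdev / |mean|) below the threshold gives
    "less material", otherwise "highly material". The threshold is a
    constructed choice, not one the thesis states."""
    labels = {}
    for acct, es in _by_account(entries).items():
        amounts = [e.amount for e in es]
        m = mean(amounts)
        cv = pstdev(amounts) / abs(m) if m else float("inf")
        labels[acct] = "less material" if cv < cv_threshold else "highly material"
    return labels


def flag_sudden_changes(entries, z_threshold=3.0):
    """Planning stage: flag a period whose movement departs from the account's
    pattern. Each period is compared against the other periods only
    (leave-one-out), so a single large jump cannot hide inside its own
    baseline. With only a handful of periods per account, a 3-sigma cut-off
    keeps ordinary month-to-month noise from being flagged."""
    flags = []
    for acct, es in _by_account(entries).items():
        for e in es:
            others = [o.amount for o in es if o is not e]
            if len(others) < 2:
                continue
            m, sd = mean(others), pstdev(others)
            if sd == 0:
                # perfectly steady pattern: any departure at all is sudden
                if e.amount != m:
                    flags.append((acct, e.period, e.amount, float("inf")))
                continue
            z = (e.amount - m) / sd
            if abs(z) >= z_threshold:
                flags.append((acct, e.period, e.amount, round(z, 1)))
    return flags


def recalculate_balances(entries, opening=0.0, tolerance=0.005):
    """Execution stage: recompute the running balance of every posting (the
    whole population, not a sample) and return the postings whose reported
    balance disagrees with the recomputation."""
    exceptions = []
    for acct, es in _by_account(entries).items():
        running = opening
        for e in es:
            running += e.amount
            if abs(running - e.balance) > tolerance:
                exceptions.append((acct, e.period, e.balance, round(running, 2)))
    return exceptions


if __name__ == "__main__":
    print("materiality:", classify_materiality(LEDGER))
    print("sudden changes:", flag_sudden_changes(LEDGER))
    print("balance exceptions:", recalculate_balances(LEDGER))
```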

    Reporting Stage

    This stage of the process depends on the outcomes of the previous stages. The information gathered at this stage finally determines the quality of the reports generated by AI systems. The stage requires discussing with clients the discoveries made during the process on which conclusions could not yet be drawn, using professional judgement, as well as generating reports expressing the auditors’ opinion on the true and fair view, or otherwise, of the account statements that stakeholders are looking forward to.

    The majority of the participants agreed that AI plays an important role in this stage too, with the exception of one participant who noted that his firm does not yet use much AI in this stage.

    “Yes. The information gathered at this stage finally determines the quality of reports generated by AI systems” (Interviewee 6)

    “Yes, AI joins the outcomes of the initial stages of auditing. Without the integration of AI systems, it would be difficult to manoeuvre the concluding stage” (Interviewee 5)

    “The benefit of AI to the last stage of auditing depends on two main fronts- the accuracy and timeliness of the other stages. For instance, the proper collection of auditing documents followed by automated analysis makes it easy for auditors to make verifiable conclusions” (Interviewee 2)

    The combination of the initially proposed theories (agency theory, stakeholder theory, inspired confidence theory and credibility theory) shows that the ideal reporting procedure requires companies to increase the verifiability of financial reports. This type of verifiability requires auditors to access, organize, peruse, and verify the credibility of a wide variety of financial data. Auditing data at this level requires auditors to access and analyze comprehensive data over a short period. This is what AI brings to the process, through the speed and accuracy with which it peruses files and generates reports, easing and enhancing the effectiveness of the process. AI tools brought a difference in speed and accuracy to the execution of the auditing process (Altındağ & Kösedağı, 2015, p. 63). This fact supports the reliability of the data obtained from the auditors on their interaction with the AI system, which in turn enhances effectiveness in the execution of auditing tasks.

4.4. The role AI plays in the process of auditing

In addition to the sections discussed above, the study sought to determine, based on the auditors’ opinions from their experience, the difference that adopting AI tools in the audit process makes compared with the method previously used. This is deemed necessary to ascertain the extent to which AI facilitates or improves the process of auditing. Previously, the literature review showed that auditing has four main steps, namely pre-engagement, planning, execution, and reporting/conclusion (Rahimi and Gunlu, 2016, p. 34-37). The first three steps form the basis for a reasonable conclusion. The implication of this observation is that the advantages of AI to the auditing profession spread across the entire auditing process. Interviewee 5 commented that “AI is a perfect tool that allows auditors to analyse a full data set for the identification of outliers and exceptions. AI tools are also useful in the extraction of lease contracts using given selected criteria. It, therefore, leads to higher levels of precision than using manual methods. Furthermore, AI can be used to analyze unstructured data from emails, media posts and audio files, a feature that cannot be easily done by humans”.

According to Interviewee 6, “The main difference is the reduction of human reliance. Initially, the process required intensive human effort. The introduction of AI systems reduces the need for supervision and manual analysis of transactions and contracts.”

Interviewee 9: “An artificial intelligence system reads data files and extracts what the auditors need. The system applies the risk indicators to massive datasets, detecting risk that could have remained unnoticed. AI can analyze and categorize expenses, read texts and expose unauthorized claims. Also, the AI systems are used to indicate fraud by reviewing invoice pattern changes, which is more effective than in ordinary auditing. Additionally, AI systems have made the idea of continuous auditing possible, which was a mere dream in ordinary auditing.”

Another auditor indicated that the AI system promotes the judgment of auditors by ensuring the efficiency of the auditing process. In each step of the auditing process, the AI system ensures that there is accuracy in the execution of the processes involved. In the same way, AI therefore leads to higher precision than the use of other software or traditional methods (Altındağ & Kösedağı, 2015, p. 63-67).

The statements quoted from these three interviewees provide evidence that the use of AI for auditing is superior to manual auditing or the use of traditional auditing tools (Altındağ & Kösedağı, 2015, p. 67-70).

In the same vein, on the question of whether or not AI increases the quality of auditing, the 7th interviewee’s response confirmed the findings gathered from the literature review and the preceding three informants. In particular, the 7th interviewee noted that the integration of AI is more effective because it has benchmark tools that are useful in analyzing the transactions in the general ledger. The transactions are then classified according to their level of risk. Therefore, AI is useful because it shows where the risks are, and that will be the area of attention. In manual auditing, random sampling was used for analysis and was therefore less effective. The 2nd interviewee supports this argument by indicating that modern organizations are adopting and implementing innovations to streamline their business operations. One of the activities with the highest priority on their list is accounting. That is because AI is giving positive outcomes, for example, increased productivity, improved accuracy, and reduced cost. With such a significant number of advantages, AI is used progressively for administrative tasks and accounting, bringing about various structural changes. In the same way, the last respondent supported these arguments by stating that AI enhances both the efficiency and effectiveness of auditing.

4.5. Scale rating

Another critical question in this section asked respondents to rate the effectiveness of AI in the auditing process. The interviewees were asked to rate the systems on a scale of 1-10, where 10 is the highest score. The observable trend for this section is that the systems have a minimum score of seven out of ten. For instance, the 5th interviewee supported his rating by stating that artificial intelligence plays a tremendous role in today’s finance department. In particular, the systems ease the financial audit, which requires a lot of time and involves a heavy workload in perusing financial statements, and also provide accurate and efficient services. However, it still needs more research for its adoption. On the scale of ten, the interviewee awarded a score of seven. All of the remaining interviewees awarded a score of at least seven points. The average score for the section is 7.80, which indicates that AI strongly enhances both the effectiveness and efficiency of auditing.



4.6. Ethical concerns

The last section of the interview sought to determine the ethical concerns of using auditing software. Usually, the ethical principles of auditing require auditors to act in the best interests of investors. Failing to act in this manner is a severe violation of the role of auditors (Bieberstein et al., 2005, p. 78-82). The first question asked about the pros and cons of using AI in the auditing process. For this section, the interviewees showed similar trends in the pros and cons listed. On the advantages side, the informants stated that AI increases the accuracy of auditing. The said accuracy occurs at multiple levels, starting with the perusal of the primary documents. For instance, the 7th interviewee stated that artificial intelligence would have a low error rate compared with humans, provided it is coded appropriately. It would have remarkable accuracy, precision, and speed. It would not be influenced by hostile situations and would therefore be able to complete risky assignments.

Regarding the disadvantages of AI, most interviewees indicated that AI is capital and skills intensive. For instance, the 7th interviewee indicated that “AI software is expensive and skill intensive. These challenges may force companies to skim necessary steps, thus failing to meet the regulatory standards.” The argument by this informant corresponds with the outcomes of the literature review, where AI emerged as an expensive alternative to accounting and auditing. At the same time, the 4th interviewee added to the arguments by stating that one of the benefits is increased innovation.

The same interviewee also indicated that AI has a list of adverse outcomes. He went further, saying the installation of AI software requires intensive managerial effort. Artificial intelligence can transform most enterprises. However, one of the essential challenges of artificial intelligence is the lack of a transparent implementation approach. To be successful, a strategic approach needs to be established while implementing AI. This includes identifying areas that need development, setting goals with realistically defined benefits, and ensuring a continuous feedback loop for system improvement (Bourne et al., 2007, p. 12-15). The informant further added that, to compound the issue, managers will need to have a strong understanding of modern AI technologies, their possibilities and obstacles, in addition to keeping up to date with the current challenges of AI. This step will allow companies to discover areas that may advance through AI.

The 2nd interviewee added that the advantage of the use of AI in auditing is that the AI system has the capability of learning the methodology of executing its processes, leading to the elimination of human error. However, the disadvantage of the system is that it cannot replicate the intricate human intelligence in the auditing process. The arguments by this informant also compare with those of the 5th interviewee, who says that the pros of AI are digital assistance in everyday duties, rational decision-making, and overcoming the human limitation of getting exhausted. The cons include high costs, the inability to improve through experience since it keeps doing the same thing, and the lack of human qualities in terms of emotions and moral values. Also, they lack improvement over the course of time and are therefore not reliable in a dynamic environment such as the contemporary market demands.

Equally, the 6th interviewee stated that AI systems in the auditing process provide highly accurate results that are beyond human effort. As artificial intelligence develops, it improves on human effort through error elimination. Besides, artificial intelligence systems can optimize and automate accounting tasks. Additionally, AI enhances the processing of large volumes of data. However, AI has various shortcomings, which include the large amount of data required for the learning process. Besides, since the models are specified in terms of data, it is hard to determine the extent of the machine’s learning.

4.7. Challenges during the implementation of AI systems

Another relevant section in the interview was about the challenges facing the implementation of AI systems. The pattern of this question was about the complexity of the systems. During the literature review, the primary outcomes showed that bias is a common challenge associated with the use of AI systems. The literature review further showed that bias reduces the professionalism of AI systems, since they limit the engagement of human auditors. The international accounting standards require auditors to certify financial reports as verifiable after reviewing them to a satisfactory level. The use of AI systems largely reduces the engagement of auditors, thus eliminating the ability of auditors to examine the financial reports widely. The 8th interviewee confirms this argument by stating that bias is one of the most critical challenges facing AI systems in auditing departments: “Bias is one of the most important challenges facing AI. Try as we might to have data that is an absolute fact, there is inevitable bias when you explore the depths to which AI might be used. Forbes India explains the inherent bias in data: ‘An inherent problem with AI systems is that they are only as good – or as bad – as the data they are trained on. Bad data is frequently laced with racial, gender, communal or ethnic biases. Proprietary algorithms are used to decide who is called for a job interview, who is granted bail, or whose loan is sanctioned. If the unfairness lurking within the algorithms that make essential decisions goes unrecognized, it can result in unethical and unfair effects… In the future, such biases will probably be more accentuated, as many AI recruiting systems will continue to be trained using bad data. Hence, the need of the hour is to train those systems with unbiased data and develop algorithms that can be easily explained. Microsoft is developing a tool which can automatically identify bias in a series of AI algorithms.’”

Interviewee 6 also said: “Because of bias, the systems require a lot of training data and staff training. Secondly, the system is expensive and is not as flexible as natural human beings”.

“In order for AI to do its job, models must be trained on data. However, data brings many obstacles to the table. ‘The most pervasive constraint to AI adoption is data. Artificial intelligence needs data to learn how to perform its function,’ said Purcell. Unfortunately, I have yet to speak to an organization that has its data house completely in order. In many organizations, data is normally sealed off and rarely consistently recorded and governed. Without good, relevant training data, an organization will find it very difficult to get started with AI.” Interviewee 5

“Integration of AI with the existing auditing system is challenging. This challenge is because it requires more funds and training time. Additionally, data loss in various processes is another issue facing AI usage, as confidential data can be lost through system inconsistencies”. Interviewee 1

“The AI system utilized in auditing processes faces the challenge of collecting and using relevant data associated with the process of implementing its tasks. As a result of this fact, the data that has been obtained from the system has in some cases been ascertained to be biased.” Interviewee 2

Therefore, the overall outcome of this section is that AI faces the challenges of possible complexity in algorithms and a skills gap. Also, AI suffers from the lack of adequate training for auditors. The training gap listed in the section spreads across auditors of all levels, including entry, middle and senior levels. This observation implies that firms must not assume that auditors are capable of applying AI systems without proper training. Instead, auditing firms must prepare to invest in enhancing the skills of employees.

Another interesting observation from these responses is the fact that the challenges encountered in the use of AI in auditing so far are dynamic. An interviewee noted that the challenges depend on the extent and context of the organization. He argued that the everyday challenges witnessed in the use of AI in auditing depend on the degree of maturity of auditing applications. “Artificial intelligence would have a low error rate compared with people, when coded appropriately. It would have incredible accuracy, precision, and speed. It would not be influenced by hostile situations and would therefore be ready to finish risky assignments. On the negative side, the software is expensive and skill intensive. These challenges may force companies to skim important steps, thus failing to meet the regulatory standards”.

To the question on the challenges encountered so far, he goes on: “The common challenges witnessed in the use of AI in auditing depend on the degree of maturity of auditing applications. Therefore, the implication is that there is an abnormally long time seen in the normalization of data. The use of AI for auditing has no standards and an inherent lack of transparency. There is also a shortage of skilled accountants that can use this technology. Once these challenges come together, they reduce the ability of auditors to make professional judgments, which is a fundamental requirement in the auditing process”. Interviewee 4

4.8. Compliance with the international auditing standards

Another critical question was whether AI enables auditors to satisfy the international standards of accounting and auditing. The purpose of this question was to check the alignment of AI with the overall auditing and accounting standards, which form the primary verification criteria. The interviewees largely agreed that AI enables the attainment of international accounting standards (Bustinza et al., 2015, p. 34-42). They also agreed that, compared with the traditional tools of accounting, AI provides superior solutions. For this question, the 6th interviewee responded that artificial intelligence gives companies the capacity to improve the efficiency and effectiveness of their operations and compliance through continuous analysis of data and model transformation. However, artificial intelligence also has existing regulation and compliance challenges that management should address up front. The most outstanding observation in this response is that AI systems fail to meet compliance in some respects (Bustinza et al., 2015, p. 34-42). Although the respondent did not identify specific international requirements that AI fails to meet, the response indicates that management needs to investigate the loopholes and identify immediate solutions.

The same interviewee further noted that although AI in auditing reduces human errors, professional judgment remains vital and auditors need to improve their technological skills to coexist with the system. Artificial intelligence allows auditors to perform more diligently and make decisions appropriately. Also, the AI system continually updates data, which improves the auditor’s efficiency. In the same way, the 7th interviewee noted that the evolution of technology is sharply accelerating in modern times. The rapid growth has in a way left many corporations using AI technologies for the auditing process without clear standards for compliance. The AI comes with infused features that have a lot of data to analyze before professional judgments are made. Adequate analysis would indicate that AI systems are compliant with the auditing standards; the lack of it would indicate otherwise. If anything, professional judgment is a critical standard in auditing. The same informant further notes that even though adequate standards of auditing may not have been met fully, AI promotes the professional judgment of auditors through augmentation of existing business models, giving them a better degree of accuracy. It also provides a better ground on which due diligence will be attainable while also ensuring the success of many deals. Comparatively, the 2nd informant indicated that even though AI leads to remarkable improvements in the auditing process, full compliance with the auditing standards is not certain. This argument arises because AI systems may fail to incorporate human intelligence completely throughout the process. This point, however, cannot be further substantiated: because AI is programmed to imitate human cognitive reasoning, ‘not incorporating human intelligence’ may denote programming failure in some AI systems. In the same line, the informant stated that the AI system promotes the judgment of auditors by ensuring the efficiency of the auditing process… “in each step of the auditing process, the AI system ensures that there is accuracy implemented in the execution of the processes involved”. This shows a bit of a contradiction on the part of the interviewee, which leaves his earlier statement on ethical concerns not fully substantiated.

The most conspicuous response for this section was from the 5th interviewee. The auditor argued that AI has expansive roles in enabling the professional judgement of auditors. The respondent further added that a unique example of the way artificial intelligence algorithms enable the detection of material misstatements is the use of “unsupervised learning.” These techniques leverage the science of determining what is normal as opposed to unusual in order to report on outliers in ledger data without bias or prior records, letting the data speak for itself. K·Coe Isom, a leading consulting and accounting firm for the food and agriculture industry, uses AI to offer unique insights and a complete view of financial health for clients. Brittany Ferguson, Senior Associate at K·Coe, explains, “We used AI-based analysis for materiality limits and extracted medium- and high-risk items to run samples on during our initial stage. This risk assessment identified two transactions that would not have surfaced under general testing conditions. The finding, although immaterial, was a value-added education opportunity that we were able to offer to the client.” AI warrants a reassessment of how audit planning and testing become achievable. Historically, the most straightforward feasible approach to substantively testing significant volumes of data was to sample transactions statistically or non-statistically, given the effort required to examine the entire dataset. This step frequently required considerable back-and-forth time with the client to obtain the requisite data not obtained during fieldwork.
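Interviewee 5’s point in section 4.4 (analysing a full data set for outliers and exceptions rather than a random sample, and reviewing invoice pattern changes) and the unsupervised, risk-tiered screening of ledger data described above can be made concrete. The following Python script is an added illustration by the editor, not part of the study and not code from any tool the interviewees used. It builds a constructed ledger of 60 routine postings with three planted exceptions, scores every posting against its own account’s distribution with a robust median/MAD modified z-score, flags exact repeats of (account, vendor, amount), and computes how likely a 10-item random sample is to contain none of the three exceptions. The account names, amounts and the 3.5/7.0 risk thresholds are assumptions made for the illustration.

```python
"""Added illustration: full-population ledger screening versus sampling (not the study's own code)."""
import math
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LedgerEntry:
    entry_id: int
    account: str
    vendor: str
    amount: float


def build_sample_ledger() -> list[LedgerEntry]:
    """Constructed ledger (not real client data): 60 routine entries plus three planted exceptions."""
    entries: list[LedgerEntry] = []
    next_id = 1
    for account, base in (("5010-office-supplies", 120.0), ("5020-travel", 450.0)):
        for i in range(30):
            # routine postings spread evenly within +/-20% of the account's typical amount
            amount = round(base * (0.8 + 0.4 * i / 29), 2)
            entries.append(LedgerEntry(next_id, account, f"vendor-{i % 5 + 1}", amount))
            next_id += 1
    planted = [
        ("5010-office-supplies", "vendor-9", 4800.00),  # one-off large payment to an unfamiliar vendor
        ("5020-travel", "vendor-2", 9999.99),           # far above the account's normal range
        ("5020-travel", "vendor-2", 9999.99),           # exact duplicate of the previous posting
    ]
    for account, vendor, amount in planted:
        entries.append(LedgerEntry(next_id, account, vendor, amount))
        next_id += 1
    return entries


def modified_z_scores(amounts: list[float]) -> list[float]:
    """Iglewicz-Hoaglin modified z-score, 0.6745 * (x - median) / MAD.

    Median and MAD are used instead of mean and standard deviation so that the very
    outliers being hunted cannot inflate the scale and hide themselves."""
    med = statistics.median(amounts)
    mad = statistics.median([abs(x - med) for x in amounts])
    if mad == 0:  # every amount identical: nothing to rank
        return [0.0] * len(amounts)
    return [0.6745 * (x - med) / mad for x in amounts]


# Assumed risk tiers for the illustration; 3.5 is the conventional modified z-score cut-off.
MEDIUM_RISK = 3.5
HIGH_RISK = 7.0


def full_population_review(entries: list[LedgerEntry]) -> dict[int, str]:
    """Score every entry against its own account and return {entry_id: "medium" | "high"}."""
    by_account: dict[str, list[LedgerEntry]] = defaultdict(list)
    for e in entries:
        by_account[e.account].append(e)
    flagged: dict[int, str] = {}
    for group in by_account.values():
        for e, z in zip(group, modified_z_scores([e.amount for e in group])):
            if abs(z) >= HIGH_RISK:
                flagged[e.entry_id] = "high"
            elif abs(z) >= MEDIUM_RISK:
                flagged[e.entry_id] = "medium"
    return flagged


def duplicate_entries(entries: list[LedgerEntry]) -> list[tuple[int, int]]:
    """Exact (account, vendor, amount) repeats: a simple invoice-pattern check."""
    first_seen: dict[tuple[str, str, float], int] = {}
    dupes: list[tuple[int, int]] = []
    for e in entries:
        key = (e.account, e.vendor, e.amount)
        if key in first_seen:
            dupes.append((first_seen[key], e.entry_id))
        else:
            first_seen[key] = e.entry_id
    return dupes


def miss_probability(population: int, exceptions: int, sample_size: int) -> float:
    """Probability that a simple random sample contains none of the exceptions."""
    return math.comb(population - exceptions, sample_size) / math.comb(population, sample_size)


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("risk-tiered exceptions:", full_population_review(ledger))
    print("duplicate postings:", duplicate_entries(ledger))
    print(f"P(10-item random sample misses all 3 exceptions) = {miss_probability(len(ledger), 3, 10):.2f}")
```

Run as a script, it tiers the three planted postings as high risk, reports the duplicate pair, and shows that a 10-item random sample of this 63-line ledger has roughly a 59% chance of containing none of them, which is the concrete form of the “random sampling was less effective” argument. The screen is only as good as the completeness of the ledger extract fed to it, which is the data-quality concern Interviewees 5 and 6 raise in section 4.7.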

It is noted that acquiring adequate skills in handling the AI tool and sound professional skepticism of auditors came into play throughout the interviews as the underlying factor that would further boost the interaction between AI tools and the audit process. This discovery necessitates modifying the initially drawn research model to include skills in handling IT tools and audit professional competency, as shown below:

Figure 3: Modified Research Model

[Figure 3 (diagram): “Auditing Process” and “AI-based tools facilitate optimal performance in each step of the auditing process”, underpinned by Agency Theory, Stakeholders Theory, Theory of Inspired Confidence and Credibility Theory, together with “Competence and skills of auditors, both in audit skepticism and use of AI tools”, leading to “Effectiveness of the process”.]


As noted in the initially drawn model, the application of each of the theories determines the interaction between AI tools and the auditing process. However, in the modification, this interaction, coupled with the professional competence and skills of the auditors both in IT tool proficiency and in the professional skepticism applied to the tasks, facilitates optimal AI performance in each step of the process. The two-way interaction between AI and the auditing process, and the competence with which the assignment is handled, eventually leads to enhanced effectiveness of the process for the benefit of all stakeholders.




5. Conclusion

The overall purpose of this research was to explore the role of AI in enhancing effectiveness in the auditing process. The analysis of the responses gathered from the nine professional Swedish auditors provides evidence that AI has a widespread positive effect on the overall quality of audits. AI enhances the quality of auditing by facilitating and enhancing effectiveness in the four main steps involved in the process of auditing. The area which this study explored


It is deduced from the study that the main link between AI and the effectiveness of the audit process is the reduction in errors which formerly caused auditors to repeat work. For instance, AI systems can collect and peruse financial records coherently and effectively. AI reduces the time needed for the classification and comparison of transactions, more so the first entries in the journal. Auditors using manual methods often fail to cover these transactions. In all, interviewees agreed that the use of AI reduces exhausting human labour, which increases the risk of error, manipulation, and omission. At the level of the literature review, the outcome was that AI is useful because it has benchmark tools that are useful in the analysis of the transactions in the general ledger. Therefore, AI is useful because it shows where the risks are, and that will be the area of attention. In manual auditing, random sampling was used for analysis and was therefore less effective. All these findings satisfactorily answered the research question of how AI enhances the effectiveness of the auditing process.

Also, the respondents strongly agreed that the use of AI systems increases professionalism and compliance with international standards. As a result, the study uniformly finds that the use of AI systems will continuously increase the effectiveness of auditing. The respondents, therefore, favored the use of AI-based auditing systems as opposed to the use of traditional auditing tools.

As a result of the emphasis on the importance of acquiring adequate skills in handling the AI tool and sound professional skepticism of auditors, which came into play throughout the interviews as the underlying factor that would further boost the interaction between AI tools and the audit process, the initially drawn research model was modified to include skills in handling IT tools and audit professional competency.

Some of the cons associated with the implementation of AI are that it is expensive to adopt and quite skill intensive. There is also the possibility of bias associated with the AI programming, which could reduce the professionalism of AI systems since they limit extensive human engagement. Bad data in an algorithm frequently carries with it racial, gender, communal or ethnic biases (The Brookings Institution, 2019). If this kind of unfairness is left to lurk undetected within the algorithms that make essential decisions, it can result in unethical and unfair effects which could potentially reduce the reliance on and credibility of the AI system. If this is not immediately paid attention to, such biases will probably become heightened, as many AI recruiting systems will continue to be trained on bad data. Hence, the need of the hour is to train these systems with unbiased data and develop algorithms that can be easily explained. However, the pros identified with the system outweighed the cons. Apart from the general agreement on speed, accuracy and enhanced effectiveness mentioned as pros of the adoption of AI in the audit process, increased innovation is another interesting pro identified in the study. Deriving value from AI can be achieved with the right funding and competencies and by developing a culture that is open to innovation. Ultimately, innovation is about taking new risks and challenging conventions. To deliver sustainable audit quality and improve confidence in the capital markets, for the benefit of all stakeholders, the focus on AI and the audit will long continue.

5.1. Theoretical and Practical Contribution

AI in auditing is an emerging study area that has not been extensively researched, as there are few prior studies available in this area. As a theoretical contribution, this study contributes to knowledge in this emerging study area by filling the gap in the literature on the research area. For the practical contribution, the study gives insights to auditors and corporate governors on the advantages that the adoption of AI brings to each stage of the audit process, by extensively exploring the implementation of AI in auditing and how the interaction of AI with the audit process enhances the effectiveness of the process, and by giving detailed information from the point of view of auditors that are already using the system. This is hoped to spur more implementation of the technology in order to enhance the overall quality of audit for the benefit of all stakeholders.

5.2. Limitation of the study

Even though the primary aim of this study was fully achieved, there were challenges encountered during the study which add to its limitations. One of these limitations is the short timeframe of the study, which rushed the researchers in gathering data, so that enough time could not be given to auditors who may have wanted to take part in the interview but could not because of their busy schedules within the timeframe given in our interview request letter. Slow, low or no response to the requests sent out is another limiting factor of the study, and can be noted as one of the factors responsible for the study’s small sample size. Another limitation of the study is the ongoing covid-19 pandemic around the world, which warranted social distancing measures that ruled out conducting the interviews at the office premises of the auditors, as is expected of a qualitative researcher. However, the study leveraged IT tools and still obtained credible data through video interview sessions on various social media platforms, which allowed for online face-to-face interaction and good rapport. The non-availability of adequate studies on AI in auditing to draw wider insights from is another limitation that posed a bit of a challenge during the study.

5.3. Future Research Agenda

The main aim of this study was to explore how AI enhances effectiveness in the audit process. As a suggestion for future research, further studies within the area of AI in auditing are essential to continuously investigate how accurate the AI algorithm becomes as the software develops. This is essential in order to reduce the challenges associated with possible bias that may be lurking within the algorithm and, if undetected, could potentially reduce the professionalism and continued reliability of AI as unbiased.

Also, this same study could be conducted quantitatively within the same context or in another context to compare whether the results remain the same.



References

ACCA GLOBAL. (2019). Machine learning: More science than fiction. London: The Adelphi. Retrieved from

Adeleke, A. Q., Windapo, A. O., Khan, M. W. A., Bamgbade, J. A., Salimon, M. G., & Nawanir, G. (2018). Validating the influence of effective communication, team competency, and skills, active leadership on construction risk management practices of Nigerian construction companies. The Journal of Social Sciences Research, 460-

Adler, P., Falk, C., Friedler, S., Nix, T., Rybeck, G., Scheidegger, C., & Smith, B. (2018). Auditing black-box models for indirect influence. Knowledge and Information Systems, 95-122.

Al‐Shaer, H., & Zaman, M. (2018). Credibility of sustainability reports: The contribution of audit committees. Business Strategy and the Environment, 973-986.

Alkan, A., Canbay, K., Akman, G., & Aladağ, Z. (2019). Researching usage of Globe culture dimensions in organizational management by using DEMATEL method. Sakarya Üniversitesi Fen Bilimleri Enstitüsü Dergisi, 23(2), 282-290.

Altındağ, E., & Kösedağı, Y. (2015). The relationship between emotional intelligence of managers, innovative corporate culture and employee performance.

Antwi, S. K., & Hamza, K. (2015). Qualitative and quantitative research paradigms in business research: A philosophical reflection. European Journal of Business and Management, 7(3), 217-225.

Arfaoui, F., Damak-Ayadi, S., Ghram, R., & Bouchekoua, A. (2016). Ethics education and accounting students’ level of moral development: Experimental design in Tunisian audit context. Journal of Business Ethics, 161-17

Audit Committee Chair Forum (A.C.C.F.). (2006). What is an effective audit and how can you tell? C.B.I., pp. 1-19. U.K.

Ax, C., & Greve, J. (2017). Adoption of management accounting innovations: Organizational culture compatibility and perceived outcomes. Management Accounting Research, 34,

Bach, N. L. (2017). ODC Team Management in Action (Doctoral dissertation, FPTU Hà Nội).

Bailey, C., Collins, D., & Abbott, L. (2018). The impact of enterprise risk management on the audit process: Evidence from audit fees and audit delay. Auditing: A Journal of Practice & Theory, 2-69.

Baldwin, A. A., Brown, C. E., & Trinkle, B. S. (2006). Opportunities for artificial intelligence development in the accounting domain: The case for auditing. Journal of Intelligent Systems in Accounting, Finance and Management, 14, 77-86.

Bamber, M. E. (1983). Expert judgment in the audit team: A source reliability approach. Journal of Accounting Research, 21(2), 396-412.

Beckmerhagen, I. A., Berg, H. P., Karapetrovic, S. V., & Willborn, W. O. (2004). On the effectiveness of quality management system audits. 16(1), 14-25.

Bell, E., Bryman, A., & Harley, B. (2018). Business research methods. Oxford University

Bieberstein, N., Bose, S., Walker, L., & Lynch, A. (2005). Impact of service-oriented architecture on enterprise systems, organizational structures, and individuals. IBM Systems Journal, 44(4), pp. 691-708.

Bird, R., Hall, A. D., Momentè, F., & Reggiani, F. (2007). What corporate social responsibility activities are valued by the market? Journal of Business Ethics, 76(2),

Blair, M., & Stout, L. (2017). A team production theory of corporate law. In Corporate Governance, 169-250.

Blankenship, L. V., & Miles, R. E. (1968). Organizational structure and managerial decision behavior. Administrative Science Quarterly, pp. 106-120.

Boillet, J. (2018). How artificial intelligence will transform the audit. Retrieved from

Bondarenko, T. G., Isaeva, E. A., Orekhov, S. A., & Soltakhanov, A. U. (2017). Optimization of the company strategic management system in the context of economic instability.

Bosse, D., & Phillips, R. (2016). Agency theory and bounded self-interest. Academy of Management Review, 276-369.

Bourne, M., Melnyk, S., Faull, N., Franco‐Santos, M., Kennerley, M., Micheli, P., Martinez, V., Mason, S., Marr, B., Gray, D., & Neely, A. (2007). Towards a definition of a business performance measurement system. International Journal of Operations & Production Management.

Brown-Liburd, H., Issa, H., & Lombardi, D. (2015). Behavioral implication of big data’s impact on audit judgement and decision making and future research directions.

    Accounting Horizons, 451-471.

    Bryman, A. (2001). “Social Research Methods”. Oxford: Oxford University Press.

    Burke, P. (2017) Walmart’s Exit from Germany. Abingdon: Routledge.

    Bustinza, O.F., Bigdeli, A.Z., Baines, T. and Elliot, C., (2015) Servitization and competitive

    advantage: the importance of organizational structure and value chain position.

    Research-Technology Management, 58(5), pp.53-60.

    Cannon, N.H. and Bedard, J.C., 2017. Auditing challenging fair value measurements:

    Evidence from the field. The Accounting Review, 92(4), pp.81-114.

    Carson, E., & Dowling, C. (2012). The Competitive Advantage of Audit Support Systems:

    The Relationship between Extent of Structure and Audit Pricing. Journal of

    Information Systems, 26(1), 35-49.

    Cascarino, R. E. (2012). Auditor’s Guide to I.T. Auditing. 2nd edition. . New Jersey: John

    Wiley & Sons Inc. E-book.

    Chan, S. W., Ip, S., Wan, C.F.C., & Yiu, H. F. D. (2018). How would the emerging

    technology affect the future of auditing? (Outstanding Academic Papers by Students

    (O.A.P.S.), City University of Hong Kong.

    Chen, T., Dong, X., & Yu, Y. (2018). Audit Market Competition and Audit Quality:

    Evidence from the Entry of Big 4 into City-Level Audit Markets in the U.S. Audit

    market competition and audit quality. Abingdon: Routledge .

    Chiu CT, Scott R. 1994. An intelligent forecasting support system in auditing: expert system

    and neural network approach. System Sciences, 3, 272–280.


    Among Five Approaches. USA: Sage Publications, Inc.

    Collins, C.M.T. and Quinlan, M.M., 2020. Auditing Preparedness for Vector Control Field

    Studies. The American Journal of Tropical Medicine and Hygiene, 102(4), pp.707-


    Commerford, B., Joe, J., Dennis, S., & Wang, J. (2019). COMPLEX ESTIMATES AND



    Connell N.A.D. 1987. Expert systems in accountancy: a review of some recent application.

    Accounting and Business Research, 17, 221–233.

    C.P.A. (2017). Deep Learning and the Future of Auditing: How an Evolving Technology

    Could Transform Analysis and Improve Judgment. C.P.A. Journal, 87(6), 24-29.

    Eilifsen, A., Messier, W. F., Glover, S. M., & Prawitt, D. F. (2014). Auditing and Assurance

    Services (3rd edition ed.). New York: McGraw-Hill.

    Davis, F. D. (1989). Perceived usefulness, perceived ease of use, and user acceptance of

    information technology. M.I.S. Quarterly, 13(3), 319-339.

    Davis, F. D., Bagozzi, R. P., & Warshaw, P. R. (1989). User acceptance of computer

    technology: a comparison of two theoretical models. Management Science, 35(8),


    Delaney, T. (2017) Social Conflict. The Wiley‐Blackwell Encyclopedia of Social Theory, 1-


    DeFond, M., & Zhang, J. (2014). A review of archival auditing research. Journal of

    Accounting and Economics, 58(2-3), 275-326.

    Deloitte. (2015). Cognitive technologies: The real opportunities for business. Deloitte

    Review, 16, pp. 113-129.

    Dhir, S. (2019) The changing nature of work, leadership, and organizational culture in future-

    ready organizations. Corporate culture, Management, Leadership, Job redesign,

    Organizational Behavior, Innovation, Change Management, Human Resources,


    Dowlig, C., & Leech, S. A. (2014). A Big 4 Firm’s Use of Information Technology to Control

    the Audit Process: How an Audit Support System is Changing Auditor Behavior.

    Contemporary Accounting Research, 31(1), 230-252.

    Du Plessis, J. J., Hargovan, A., & Harris, J. (2018). Principles of contemporary corporate

    governance. Cambridge University Press.

    Elewa, M. a.-H. (2019). The Effect of Audit Quality on Firm Performance: A Panel Data

    Approach. International Journal of Accounting and Financial Reporting, 299-244.

    EU UNION LAW. (2014, April 16). EUR-Lex. Retrieved April 2020, from E.U.R.O.P.A.:

    Fanning K, Cogger K, Srivastava R. 1995. Detection of management fraud: a neural network

    approach. Intelligent Systems in Accounting, Finance and Management 4: 113–126.


    Farzanfar, R. (2005). “Using Qualitative Research Methods to Evaluate Automated Health

    Promotion/Disease Prevention Technologies: A Procedure’s Manual”. Boston

    University. Robert Wood Johnson Foundation.

    Ferreira, T. S. (2017) Motivational factors in sales team management and their influence on

    individual performance. Tourism & Management Studies, 13(1), 60-65.

    Geoffrey, M., DeMatteo, D., & Festinger, D. (2005). Essentials of research design and

    methodology. Essentials of behavioral science series. John Wiley & Sons Inc.

    Gepp, A., Linnenluecke, M. K., O’Neill, T. J., & Smith, T. (2018). Big data techniques in

    auditing research and practice: Current trends and future opportunities. Journal of

    Accounting Literature, 40, 102-115.

    Gill, P., Stewart, K., Treasure, E. & Chadwick, B. (2008). Methods of Data Collection in

    qualitative Research: Interviews and Focus Groups. Retrieved from:

    Gonzalez-Padron, T. (2016). Ethics in the supply chain: Follow-up processes to audit results.

    Journal of Marketing Channels, 22-36.

    Groce, J. E., Farrelly, M. A., Jorgensen, B. S., & Cook, C. N. (2019) Using social‐network

    research to improve outcomes in natural resource management. Conservation biology,

    33(1), 53-65.

    Groomer, S., & Murthy, U. (2018). Continuous auditing of database applications: An

    embedded audit module approach. . Continuous Auditing, 105-124.

    Guba, EG and Lincoln, YS (1994) ‘Competing Paradigms in Qualitative Research’ in

    Denzin, NK and Lincoln, YS (eds) Handbook of Qualitative Research Sage:

    Thousand Oaks

    Guiso, L., Sapienza, P. and Zingales, L., (2015) The value of corporate culture. Journal of

    Financial Economics, 117(1), pp.60-76.

    Gunning, D., 2017. Explainable artificial intelligence (xai). Defense Advanced Research

    Projects Agency (DARPA), nd Web, 2.

    Gulua, E. (2018) Organizational culture management challenges. European Journal of

    Interdisciplinary Studies, 4(1), 67-79.

    Hansen, J. V., & Messier Jr., W. F. (1986). A knowledge-based expert system for auditing

    advanced computer systems. European Journal of Operational Research, 26(3), 371-


    Hernández-Orallo, J. (2017). Evaluation in artificial intelligence: from task-oriented to

    ability-oriented measurement. Journal of Artificial Intelligence Review , 48, 397–447.


    Hartnell, C. A., Ou, A. Y., Kinicki, A. J., Choi, D., & Karam, E. P. (2019) A meta-analytic

    test of organizational culture’s association with elements of an organization’s system

    and its relative predictive validity on organizational outcomes. Journal of Applied

    Psychology, 104(6), 832.

    Havard Business School. (2017, AUGUST 28). Category: Special Edition on Artificial

    Intelligence. Science In The News S.I.T.N. Retrieved from

    He, Q., & Gerber, T. P. (2020) Origin-Country Culture, Migration Sequencing, and Female

    Employment: Variations among Immigrant Women in the United States. International

    migration review, 54(1), 233-261.

    Herbert, D. (2018) Perspectives: theorizing mediatized civic settings and cultural conflict.

    Hickman, C. R., & Silva, M. A. (2018) Creating excellence: Managing corporate culture,

    strategy, and change in the new age. Abingdon: Routledge.

    Hussain, N., Rigoni, U., & Orij, R. P. (2018). Corporate governance and sustainability

    performance: Analysis of triple bottom line performance. Journal of Business

    Ethics, 149(2), 411-432

    IFAC. (2019, April 1). Examining Automation in Audit. Retrieved from International

    Federation of Accountants:


    I.F.A.C. Denmark. (2016). Legal and Regulatory Environment. Retrieved from

    Ilachinski, A. (2017). A.I., Robots, and Swarms. Abingdon: Routledge .

    Issa, H., Sun, T., & Vasarhelyi , M. A. (2016). Research Ideas for Artificial Intelligence in

    Auditing: The Formalization of Audit and Workforce Supplementation. Journal of

    Emerging Technologies in Accounting, 13(2), 1-20.

    Ilie, D. (2019) The Impact of Organizational Culture on Managing Conflicts and Stresses in

    the Economic Entities from the Republic of Moldova. Sustainable development.

    Izzo, M.F., di Donato, F., (2012) The relation between corporate social responsibility and

    stock prices: An analysis of the Italian listed companies. SSRN Working Paper Series,

    pp. 1–36.

    Jachi, M., & Yona, L. (2019). The Impact of Independence of Internal Audit Function on

    Transparency and Accountability Case of Zimbabwe Local Authorities. Research

    Journal of Finance and Accounting, 64-77.

    Jackson, P.C., 2019. Introduction to artificial intelligence. Courier Dover Publications.


    Johansen, T., & Christoffersen, J. (2017). Evaluation foci and dysfunctional behaviour.

    International Journal of Auditing. Performance evaluations in audit firms, 24-37.

    Kearney, E. F. (2013). Wiley Federal Government Auditing: Laws, Regulations, Standards,

    Practices, & Sarbanes-Oxley. 2nd edition. New Jersey: Wiley. E-book.

    Kearns, M., Neel, S., Roth, A. and Wu, Z.S., 2017. Preventing fairness gerrymandering:

    Auditing and learning for subgroup fairness. arXiv preprint arXiv:1711.05144.

    Kostić, N., & Tang, X. (2017). The future of audit: Examining the opportunities and

    challenges stemming from the use of Big Data Analytics and Blockchain technology

    in audit practice. Master’s Thesis. Lund, Sweden.

    Keskinen, M., & Tarwireyi, R. C. (2019). AUTOMATION AND THE

    TRANSFORMATION OF THE AUDIT PROCESS. Master’s Thesis. Umea, Sweden.

    Knechel, W., & Salterio, S. (2016). Auditing: Assurance and risk. Abingdon: Taylor &


    Kokina, J., & Davenport, T. H, (2017). The Emergence of Artificial Intelligence: How

    Automation is Changing Auditing. JOURNAL OF EMERGING TECHNOLOGIES IN

    ACCOUNTING, 14(1), 115-122.

    K.P.M.G. (2016, November 23). How Technology Is Transforming the Audit. Forbes.

    Retrieved from


    Kumar, G., Kumar , K., & Sachdeva, M. (2010). The use of artificial intelligence based

    techniques: A review. Artificial Intelligence Review, 34, 369–387.

    Lee, J. C., Shiue, Y. C., & Chen, C. Y. (2016) Examining the impacts of organizational

    culture and top management support of knowledge sharing on the success of software

    process improvement. Computers in Human Behavior, 54, 462-474.

    Lu, H., Li, Y., Chen, M., Kim, H. and Serikawa, S., 2018. Brain intelligence: go beyond

    artificial intelligence. Mobile Networks and Applications, 23(2), pp.368-375.

    Mansour, E. (2016). Factors affecting the adoption of computer assisted audit techniques in

    audit process. Findings from Jordan. Business and Economic Research, 200-269.

    Malterud, K. (2001). Qualitative research: standards, challenges, and guidelines.


    Mathias, J., & Kwasira, J. (2019). Inventory audit and performance of procurement function

    in selected public universities in Western Kenya. The Strategic Journal of Business &

    Change Management, 2379-2384.


    COMPANIES. Abingdon: Routledge.

    Maxwell, J. A. (2006). Qualitative Research Design: An Interactive Approach ( 2nd ed.).

    Thousand Islands: Sage.


    Merriam, S. (1998), “Qualitative Research and Case Study Applications in Education” (2nd

    ed.). San Francisco: Jossey-Bass.

    Messier Jr., W. F. (2014). An approach to learning risk-based auditing. Joural of Accounting

    Education, 32(3), 276-287.

    Miles, M. B., & Huberman, M. A. (1994). Qualitative Data Analysis: An Expanded

    Sourcebook. USA: Sage Publications.

    Milne, R. (. (2019, 4 4). Sweden’s S.E.B. faces sanctions threat in money-laundering probe.

    Retrieved from S.W.E.D.E.N.:


    Moffitt, K. C., Rozario, A. M., & Vasarh, M. C. (2018). Robotic process automation for

    auditing. Journal of Emerging Technologies in Accounting, 15(1), 1-10.

    Momodu, A., Joshua, O., & Nma, M. (2018). Audit Fees and Audit Quality: A Study of

    Listed Companies in the Downstream Sector of Nigerian Petroleum Industry.

    Humanities, 59-73.

    Muczyk, J. P., Smith, E. P., & Davis , G. (1986, November – December). Holding

    Accountants Accountable: Why Audits Fail, How they can Succeed. Business

    Horizons, pp. 22-28.

    Mutch, C. (2005) Doing Educational Research: A Practitioner’s Guide to Getting Started.

    Wellington: N.Z.C.E.R. Press.

    Neuman, W.L. (2003), “Social Research Methods: Qualitative and Quantitative Approaches”

    (5th ed.). Boston: Allyn and Bacon.

    Naser, S. S. A., & Al Shobaki, M. J. (2016) The Impact of Management Requirements and

    Operations of Computerized Management Information Systems to Improve

    Performance (Practical Study on the employees of the company of Gaza Electricity


    Nilakant, V. (2016) Managing responsibly: Alternative approaches to corporate management

    and governance. Routledge.

    Naranjo-Valencia, J. C., Jiménez-Jiménez, D., & Sanz-Valle, R. (2019)

    Organizational culture effect on innovative orientation. Management Decision, 49(1),


    Noor, N.R.A.M., & Mansor, N. (2019). Exploring the Adaptation of Artificial Intelligence in

    Whistleblowing Practice of the Internal Auditors in Malaysia. Procedia Computer

    Science, 434-439.

    Noraini, S., Zaini, J., Mustaffha, N., & Norhanizah, J. (2018). Internal Audit Effectiveness in

    Zakat Institutions from the Perspective of the Auditee. . Management & Accounting

    Review, 14-25.

    Olof, S., & Jenny, H. (2005). Theories of information behavior: a researcher’s quide.

    Information Today.


    Omoteso, K. (2012). The application of Artificial Intelligence in Auditing: Looking back to

    the Future. Expert Systems With Applications, 39, 8490-8495.

    Owhoso, V. E., Messier Jr., W. F., & Lynch Jr., J. G. (2002). Error Detection by Industry-

    Specialized Teams during Sequential Audit Review. Journal of Accounting Research,

    40(3), 883-900.

    O’Reilly III, C.A., Caldwell, D.F., Chatman, J.A. and Doerr, B., (2014) The promise and

    problems of organizational culture: CEO personality, culture, and firm performance.

    Group & Organization Management, 39(6), pp.595-625.

    Pannucci, C. J., & Wilkins, E. G. (2010). Identifying and avoiding bias in research. Plastic

    and reconstructive surgery, 126(2), 619.

    PwC. (2016, 4 12). PricewaterhouseCoopers 2006 State of the Internal Audit Profession

    Study Shows that Continuous Auditing and Monitoring is Today’s Growing Business

    Trend. . Retrieved from PwC:


    Rahimi, R., & Gunlu, E. (2016) Implementing Customer Relationship Management (CRM) in

    hotel industry from organizational culture perspective. International Journal of

    Contemporary Hospitality Management.

    Raji, I. D., & Buolamwini, J. (2019). Actionable auditing: Investigating the impact of

    publicly naming biased performance results of commercial ai products. In

    Proceedings of the 2019 AAAI/ACM Conference on A.I., Ethics, and Society, 2-600.

    Ramamoorti, S., Bailey, A. D., & Traver, R. O. (1999). Risk Assessment in Internal

    Auditing: A Neural Network Approach. International Journal of Intelligent Systems

    in Accounting, Finance & Management, 159–180.

    Ransbotham, S., Gerbert, P., Reeves, M., Kiron, D., & Spira, M. (2018). Artificial

    intelligence in business gets real. M.I.T. sloan management review, 60280, 36-96.

    Raschke, R., Saiewitz, A., Kachroo, P., & Lennard, J. (2018). AI-enhanced audit inquiry: A

    research note. . Journal of Emerging Technologies in Accounting, 111-116.

    Rezaee, Z., Sharbatoghlie, A., Elam, R., & McMickle, P. (2018). Continuous Auditing:

    Building Automated Auditing Capability. Continuous Auditing Theory and

    Application, 169-185.

    Rogers, E. M. (1985). Diffusion of Innovations. New York.

    Samsonova-Taddei, A., & Siddiqui, J. (2016). Regulation and the promotion of audit ethics:

    Analysis of the content of the E.U.’s policy. Journal of Business Ethics, 12-36.

    Saxena, G. R., & Srinivas, K. (2010). Auditing and Business Communications. Mumbai:

    Himalaya Publishing House. E-book.

    Shaikh, J. M. (2005). E‐commerce impact: emerging technology – electronic auditing.

    Managerial Accounting Journal, 20(4), 408-421.


    Shen, J., Chen, X., Huang, X. and Susilo, W., 2017. An efficient public auditing protocol

    with novel dynamic structure for cloud data. IEEE Transactions on Information

    Forensics and Security, 12(10), pp.2402-2415.

    Shogren, K., Wehmeyer, M., & Palmer, S. (2017). Causal agency theory. In Development of

    self-determination through the life-course. Springer : Dordrecht.

    Sikka, P., Haslam, C., Cooper, C., Haslam, J., Christensen, J., Driver, D.G. and Willmott, H.,

    2018. Reforming the auditing industry. Report commissioned by the Shadow

    Chancellor of the Exchequer, John McDonnell MP.

    Smallbone , T., & Quinton, S. (2004). Increasing business students’ Confidence in

    Questioning the Validity and Reliability of their Research. Electronic Journal of

    Business Research Methods, 2(2), 153-162 .

    Sulaiman, A., Yen, C., & Chris, M. (2018). Artificial Intelligence Adoption: AI-readiness at

    Firm-Level. PACIS 2018 Proceedings. Japan. Retrieved from

    Susskind, R. E., & Susskind, D. (2015). The Future of the Professions: How Technology Will

    Transform the Work of Human Experts. United Kingdom: Oxford University Press.

    The Brookings Institution. (2019). Algorithmic bias detection and mitigation: Best practices

    and policies to reduce consumer harms. Washington DC. Retrieved from


    Tiberius, V., & Hirth, S. (2019). Impacts of digitization on auditing: A Delphi study for

    Germany. Journal of Accounting, Auditing and Taxation, 37, 1-14.

    Transparency International. (2019). Corruption Perceptions Index. Retrieved from

    Tuli , F. (2010). The Basis of Distinction Between Qualitative and Quantitative Research in

    Social Science: Reflection on Ontological, Epistemological and Methodological

    Perspectives. Ethiopean Journal of Education and Science, 6(1), 97-108.

    Turner III, D.W. (2010). Qualitative interview design: A practical guide for novice

    investigators. The qualitative report, 15(3), pp.754-760.

    Udeh, I. A. (2015). Audit team formation. Journal of Finance and Accountancy, 19, 1-6.

    Van Liempd, D., Quick, R., & Warming‐Rasmussen, B. (2019). Auditor‐provided nonaudit

    services: Post‐EU‐regulation evidence from Denmark. International Journal of

    Auditing, 23(1), 1-14.

    Vasarhelyi, M. A. (2018). Embracing Textual Data Analytics in Auditing with Deep

    Learning. The International Journal of Digital Accounting Research, 18, 49-67.


    Wahyuni, D. (2012). The research design maze: Understanding paradigms, cases, methods

    and methodologies. Journal of applied management accounting research, 10(1),


    World Economic Forum. (2015). Deep Shift: Technology Tipping Points and Societal Impact.

    Retrieved from


    Yi, M. Y., Jackson, J. D., Park, J. S., & Probst, J. C. (2006). Understanding information

    technology acceptance by individual: Toward an integrative view. Information &

    Management, 43, 350-363.

    Yoon, K., Hoogduin, L., & Zhang, L. (2015). Big Data as Complementary Audit Evidence. .

    Accounting Horizons, 29 (2), 431-438.

    Zhang, C. A. (2019). Intelligent Process Automation in Audit. JOURNAL OF EMERGING


    Żytniewski, M. (2017). Ongoing Research and Development. Use of a Business Process

    Oriented Autopoietic Knowledge Management Support System in the Process of

    Auditing an Organisation’s Personal Data Protection. In Information Technology for

    Management. 2-36.




I and my colleague (Salim) are graduate students of Auditing and Control at Kristianstad University, Kristianstad, Sweden. Our research for our master’s thesis is based on artificial intelligence in auditing: how AI is transforming the auditing process. As is well known, technological advancement has brought a lot of changes to the ways in which businesses record transactions, store data and disclose financial information, which gives the audit profession the challenge of keeping pace by adopting equally advanced technology-based tools like AI for ease of auditing and to stay abreast of this change. Our study particularly examines how AI enhances the effectiveness of each step of the auditing process, from pre-engagement to the reporting stage.

We hope to get a chance to interview auditors from prestigious firms like yours that have adopted the use of artificial intelligence tools in their internal auditing process, in order to gather the necessary data for our study. As a result of the present COVID-19 pandemic and the social distancing measures in place, we hope to conduct the interview online, either via Zoom or Skype, whichever channel is convenient for you (so it is not location restricted; the context is Sweden as a whole). The interview is expected to last approximately 30 to 45 minutes. It will be conducted in English.

We are quite aware of the busy schedule of auditors; however, we hope the interview can be scheduled within the 2nd week of May because of the time restriction for our thesis.

Ethical concerns: The interview will be audio recorded for ease of transcribing later for analysis and could be made available to our supervisor for the purpose of the study only. Participation is voluntary, and the anonymity of the interviewee and of the firm will be maintained as required. Consent for participation can be withdrawn by email at any time and the decision will be respected. The interview guide questions will be sent some days ahead of the interview date, as soon as we get feedback on the scheduled date.

Your contribution to our research will be highly appreciated because not only will it help our thesis, but it will also advance knowledge on the transformational change AI brings to each phase of the auditing process. We look forward to hearing from you. We can be reached for further clarification, if there is any, through our email addresses.

Thank you.

Warm regards,

Salim Ghanaoum:

Folasade Alaba:

Supervisor: Elin Smith



Interview Guide Questions

1. General Questions

What is your title/role at the firm?
How many years of experience as an auditor do you have (as part of an audit team)?
What are your responsibilities on the team during the audit?
What is your educational background? (Is it in accounting, economics, business, etc.?)
Are you CPA certified?

2. Competence in the use of IT tools

How tech savvy are you? (How well do you use information technology tools?)
Are you familiar with software used for accounting processes?
How comfortable are you with using technology tools, either for personal purposes and/or for work?

3. Personal views on the importance of automation of the auditing process for audit

What do you understand by automating the audit process?
Are you familiar with what artificial intelligence tools are?
Do you use AI-based tools at your firm for the auditing process?
How comfortable are you with the use of these tools for your work? If not comfortable, why?
Will you say AI-based tools are a threat to the continuous availability of jobs for auditors? If yes, how so?

4. Auditing Process

What role do AI-based tools play in the planning stage of your audit process?
A system audit for internal auditing requires soliciting input (documents) for the assignment, risk assessment and materiality determination; what role does AI play in this step of the process?
With the internal control tests, substantive tests and other verifications required at the execution stage, how do AI tools transform this stage of the process from what it used to be?
For the concluding stage, which is reporting, do AI-based tools have significance for this stage? How?
Overall, how does AI enable you to complete a high-quality audit?

5. The role AI plays in the process

Before the adoption of AI tools, what method did you use for the auditing process? (Was it manual or another expert tool?)
From your experience on the job, what role does AI play in each step of the process?
What difference does the adoption of AI tools in the auditing process make compared with the previous method used?
Do you think adopting AI in auditing enhances the effectiveness of the auditing process? In what ways?
How would you rate the effectiveness of the auditing process with the adoption of AI tools on a scale of 1 to 10?

6. Ethical concerns

In your professional opinion, what are the pros and cons of using AI in auditing?
What are the challenges encountered so far in the use of AI for auditing from your
Does AI functionality ensure compliance with the required auditing standards?
Will you say the use of AI impairs or promotes the professional judgement of auditors? If yes, in what ways?

    Auditing (with) Artificial







    Van der Valk Hotel Utrecht

    Mona de Boer, PwC

Who had a customer service interaction in the past month?

Who is 100% sure the customer service interaction was with a human?



    Exponential Growth and Advanced Technologies




[Timeline figure: book printing, steam machine, personal computer, internet, rise of AI; “No one knows?!” for what comes next]

“AI will become more powerful than a human


Open source machine learning: algorithms improve rapidly by collaboration and joint development

Affordable high performance computing: high-performance computers today are a thousand times more powerful than they were years ago

Big data: since 2006, the worldwide data volume has increased tenfold

    *Ray Kurzweil, Google

    Robotic Process Automation – The Next Big Thing


Extension to the classical RPA approach by using Artificial Intelligence (AI)

Classic rule-based robots excel at … / AI excels at … (comparison table; the cells were not recovered)

[Figure: automation spectrum from algorithmic business to human work: business process automation platforms, Robotic Process Automation (RPA), Natural Language Processing (NLP), AI / Cognitive]


Almost half of all processes can be automated by classic RPA… but most of these automated processes have to stop at human interaction. They can be unleashed by using Cognitive Automation.

    Robotic Process Automation – Developing the Robo Auditor


Algorithmic Business

▪ Industrialized use of complex mathematical algorithms to drive improved business decisions or process automation for competitive

Robotic Process Automation (RPA)

Alias: Robotic Desktop Automation

▪ Automating labor-intensive, repetitive activities across multiple systems and interfaces by training and/or programming third-party software to replicate a user’s workflow

▪ Operates at the presentation layer without the need to change existing

▪ Users intervene to handle exceptions as they arise

Business Process Automation (BPA)

▪ Reengineering existing business processes by using software, integrating systems, and restructuring labor to optimize workflows and minimize costs

Intelligent Process Automation (IPA)

Aliases: Cognitive Computing, Smart

▪ Combining RPA with artificial intelligence technologies to identify patterns, learn over time, and optimize workflows

▪ Through “supervised” and “unsupervised” learning, algorithms make predictions and provide insights on recognized patterns

▪ With IPA, robots can replace manual clicks (RPA), interpret text-heavy communications (natural language processing), make rule-based decisions that don’t have to be pre-programmed (machine learning), and offer customers suggestions (cognitive agents)

[Figure, today vs. future: How do RPA and IPA … RPA directly mimics human behavior; IPA learns how to become more efficient]



    Journal entry testing

    Soon to be…

    Identifying risks at a level that humans can’t


    The power of combining exploratory and confirmative analytics





    Big Data




Finding outliers in A/R listing today…

A/R listing anomaly detection through Machine Learning

Reviewing MD&A

MD&A review on steroids with Natural Language Analysis & Classification

    Visual/Image Recognition – a different view on stock count?


    Digital Auditing Assistant: Auditing Support through Voice Recognition


    Blurred lines: Who ‘owns’ the algorithms?



    Who audits the algorithms?


• Every company will become an IT / analytics firm

• In the short term we will be utilizing algorithms in auditing

• In the long run we will be auditing algorithms

    Opening AI’s black box



    Bye bye black box…

Researchers teach AI to explain itself



Be open-minded about your future colleagues…


    Artificial Intelligence in Auditing


    ©McGraw-Hill Education

Learning objectives
    Define machine learning and artificial intelligence
    Introduce the common use of artificial intelligence
    Illustrate Robotic Process Automation
    Demonstrate artificial intelligence in auditing

    PwC | Statistical Programming I


    Data analysis cycle

    Acquire data
    Analyze data
    Present findings
    Ask a question
    Transform data



    What is data science?
    Adapted from

    Computer Science
    Domain Knowledge
    Data Science
    Danger Zone!
    Traditional Research
    Machine Learning



    What have you heard about…
    Predictive analytics
    Machine learning
    Artificial intelligence
    What are some examples that use these techniques?
    Consumer products
    Business solutions



    Common contributions to machine learning:
    Updating e-mail spam filter rules.
    Telling newsfeeds (e.g. Flipboard) your preferred content.
    Using Google maps and Google translate.
    & recommendations based on previous picks.
    Alexa, Google Home, Bixby = AI assistants

    Data and analytics in industry

    Trade surveillance
    Predictive maintenance
    Performance management
    Spam filtering
    Sentiment analysis
    Document classification
    Facial recognition
    Education outcomes
    Video search
    Recommendation engines
    Customer retention
    Text auto-completion
    Regulatory compliance
    Customer service
    Fraud detection
    Self-driving cars



    What is predictive analytics?
    Predictive analytics is the systematic computational analysis of historical data to predict unknown values or states of the world
    A predictive model is a description of the relationship between one or more variables (X) and another variable (y) that enables us to:
    Quantify and determine the significance of effects of X on y
    Predict new values of y given new values of X
    Assess the quality of the model and resulting predictions
    Predictive models fall into two general categories:
    Regression models predict values
    Classification models predict states
    Names for y           Names for X
    Dependent             Independent
    Predicted             Predictor
    Response              Control
    Explained             Explanatory



    What is machine learning?
    Machine learning is a field of computer science relating to algorithms that can recognize patterns and make predictions on data
    Unsupervised learning
    There is no single dependent variable
    The algorithm is used to identify patterns and anomalies according to similarities and differences among observations
    Supervised learning
    supervised learning ≈ predictive analytics
    There is a dependent variable and at least one independent variable
    The algorithm is trained on historical observations with known values or states and used to make predictions about new observations



    Machine learning and AI
    In traditional programming, the computer consumes data and generates an output according to a given set of instructions
    A machine learning algorithm takes input data and known outputs to learn the program (a statistical model) that should be applied to new inputs

    Artificial intelligence (AI) is a field of computer science relating to computer systems that can perform tasks typically requiring human interaction
    Machine learning algorithms and very large training data sets often provide the predictive power behind an AI system
    Traditional Programming: Input + Program → Output
    Machine Learning: Input + Output → Program



    How AI terms are related:

    Artificial Intelligence: Any technique that enables computers to mimic human intelligence, using logic, if-then rules, decision trees, and machine learning (including deep learning)
    Machine Learning: A subset of AI that includes abstruse statistical techniques that enable machines to improve at tasks with experience. The category includes deep learning.
    Deep Learning: The subset of machine learning composed of algorithms that permit software to train itself to perform tasks, like speech and image recognition, by exposing multilayered neural networks to vast amounts of data.
    Dave Sackett, Get Ready For Artificial Intelligence, CFO University

    Why use AI?
    Potential advantages of AI:
    Rapid response times
    Analysis of large quantities of data
    Reduced labor costs
    Reserve use of human judgement for hard problems
    Lack of bias?

    Potential challenges of AI
    AI does not have “common sense”
    May not respond optimally to new and unusual events
    High up front costs
    Legal and ethical questions
    Inherent bias?



    Artificial Intelligence is a productivity tool
    Accountants have used tools to support their roles for centuries.

    Artificial Intelligence = software automation like an Excel macro.
    You provide instructions and the software follows through.
    Leverage AI as you would a calculator.


    When will AI affect accountants?
    Planned: Bigger, public companies with many transactions have the financial resources and the best case for ROI in regards to automating accounting tasks.
    There needs to be good documentation and standardization to base workflows that can translate well to automation.
    Unplanned: You may be pushed into using AI in the form of risk management.
    Example: AI anti-virus will be used to defend against
    AI driven cyber attacks.


    Introduction to RPA
    Robotic Process Automation (RPA): the use of a software robot or “bot” that replicates the actions of a human to execute tasks across multiple computer systems.

    A minute of work for a robot is equal to about 15 minutes of work for a human. – (Deloitte)
    Robotics is predicted to automate or eliminate up to 40 percent of transactional accounting work by 2020. – (2015 Accenture report)


    What can be automated with RPA?
    Document Capture Data Entry
    3-Way Matching
    GL Coding
    Vendor Interactions
    Document Review & Approvals
    Process Management & Controls
    Exception Processing
    And more…

    What can Robotic Assistants do?
    Control processes
    Enforce rules
    Automate communications
    Provide reminders
    Manage resources and escalates
    Perform data entry
    Collect and present data and documentation
    Ask for your expert input for review or approval



    Automated Data Entry
    Purchase Requests
    Purchase Orders
    WEB Docs/E-mail
    Eliminate Double Entry
    Key-Process Docs
    Special Transactions

    You can start RPA anywhere…
    Accounts Payable
    Accounts Receivables
    Order Entry
    Human Resources

    Benefits of Accounting Automation
    More efficient process
    Less labor
    Fewer mistakes
    Ensure accountability
    Satisfied users
    Do more with less


    Why prepare for AI?
    The benefits of AI are expected to outweigh the cons. AI will continue to grow in nearly all aspects of our lives.
    AI is designed to be a problem-solving technology.
    The world economy is expected to gain billions in GDP through utilizing AI.
    Your career will be impacted by this coming change in AI and other related technologies.


    How to prepare for AI?
    Learn the difference between what AI can do easily and what will be difficult for AI to do.
    Develop new skills that will benefit from AI driven data.

    Be vigilant to keep your data accurate.
    Expect routine, rule-based manual tasks to be the first activities to be automated.


    Examples of AI related to Accounting & Finance
    Risk management
    Compliance and reporting
    Forecasting and analytics

    Example using AI
    Today’s Automation with an ERP System
    Automation through rules-based work flows by user-defined fields
    Automatic sub-ledger reconciliations, like AP Trade
    Automatic job-costing
    Automatic reporting
    FIFO inventory by purchase order for automatic proper COGS posting
    Application Programming Interface (API) ready for RPA integration
    API ready to connect to other databases to push and pull information





    Statement on Management Accounting



    Executive Summary
    Introduction
    RPA Technology
        The Capability
        The Software
    Impact of RPA on the Finance and Accounting Function
    RPA at Scale
        Filling the Hopper with Ideas
        Selecting and Prioritizing Automation Opportunities
    F&A Professionals as RPA Enablers
        RPA Role Overview
        Next Steps
    Conclusion




    Loreal Jiles is director of research—digital technology and finance transformation at IMA
    and a member of IMA’s Inland Empire Chapter. She has 15 years of experience in finance,
    accounting, and technology roles, including leading an RPA implementation in a finance
    organization. She can be reached at

    IMA® (Institute of Management Accountants) is a global professional association focused exclusively on advancing the management accounting profession.

    © July 2020 // Institute of Management Accountants, 10 Paragon Drive, Suite 1, Montvale, NJ 07645

    For more information, please visit

    on Management

    SMAs present IMA’s position on best practices in management accounting. These authoritative monographs cover the broad range of issues encountered in practice.


    As CFOs implement plans to prepare
    their teams for the future, finance and
    accounting professionals are under
    pressure to enhance their value offering, reduce
    costs, and acquire new skills. Emerging digital
    technologies provide the finance and accounting
    function with a path to fulfilling these objectives
    while meeting business demand for advanced
    analytics, efficient operations, and strategic
    decision support. Robotic process automation
    (RPA), specifically, presents a clear and sustainable
    avenue to transforming the finance function.

    Organizations that have successfully
    implemented RPA at scale have seen exponential
    operational efficiency, elimination of undesirable
    manual work, and millions of dollars in financial
    savings. Businesses that have incorporated finance
    and accounting professionals into the RPA program
    have seen more robust automation solutions, less
    costly implementations, and improved employee
    satisfaction. Finance and accounting functions
    in these organizations find themselves far ahead
    of their peers as they are now equipped with
    business professionals who are cross-functionally
    trained and have more time to focus on higher
    value-added tasks.

    The historical nature of the finance and
    accounting function’s role dictates that many of its
    processes are repetitive and rule-based—two of
    the most important criteria in identifying good RPA
    candidates. Therefore, it is not surprising that most
    RPA implementations begin in the finance and
    accounting department. As RPA is an emerging
    technology with one of the lowest barriers to entry,
    the impact of RPA on the finance and accounting
    function is twofold: Finance and accounting
    processes will be automated with RPA, and finance
    and accounting professionals can upskill with RPA.

    The necessary revolutionary transformation
    of the finance and accounting function is upon
    us, and RPA technology, a feasible option for
    organizations of any size, can facilitate this journey
    by increasing the speed with which financial data
    is made available to the business, pairing with

    other digital technologies to deliver higher-quality
    analysis, improving the accuracy of transactional
    processing, strengthening the control and
    compliance landscape, dramatically reducing
    functional cost, creating new jobs for finance and
    accounting professionals, and so much more. •




    In 2019, the IBM Institute for Business Value
    published the report The enterprise guide to
    closing the skills gap in which it indicated a
    staggering “120 million workers in the world’s
    12 largest economies may need to be retrained/
    reskilled in the next 3 years as a result of
    intelligent/AI-enabled automation.”1 Perhaps more
    astonishing is how ill-prepared executives believe
    their countries and businesses are to offer the
    development that millions of workers will require.

    Businesses are demanding more. Emerging
    technology is maturing. Consumers and markets
    across the globe expect a faster pace of
    delivery. Teams are overworked. Agility is now a
    requirement. In response, the role of finance and
    accounting is evolving.

    As CFOs implement plans to prepare their
    teams for the future, finance and accounting
    professionals are under pressure to enhance
    their value offering, reduce costs, and acquire
    new skills. Emerging digital technologies provide
    the finance and accounting function with a path
    toward fulfilling these objectives while meeting
    business demand for advanced analytics, efficient
    operations, and strategic decision support.
    Robotic process automation (RPA), specifically,
    presents a clear and sustainable avenue toward a
    transformed finance function.

    In a joint survey of finance and accounting
    professionals conducted by IMA® (Institute
    of Management Accountants) and Deloitte
    examining the workforce of the future and how
    it will be shaped by technology, talent, and
    automation, nearly 76% of respondents felt
    their accounting processes were less than 75%
    automated. When asked how they are expecting
    the type of work within finance to change, more
    than 90% of respondents indicated they feel
    the level of transactional processing will either
    somewhat or significantly decrease and become
    more analytical over the next five years.2 Finance
    and accounting professionals are still spending
    more time on manual processes than drawing
    insights from high-quality, automatically generated
    financial data. But there is acknowledgement—
    now more than ever—that this way of working is
    not sustainable and will not persist over the next
    five years. RPA releases finance and accounting
    staff from dependence on the information
    technology (IT) function for low- to medium-
    complexity processes and enables them to take
    the power of automation into their own hands.

    This IMA® Statement on Management
    Accounting (SMA) aims to supply finance and
    accounting professionals with enough information
    about RPA to empower them to play critical roles
    in, or in partnership with, RPA programs in their
    respective organizations. This empowerment will
    come by way of an overview of RPA technology,
    shedding light on the impact of RPA on the
    finance and accounting function, offering keys to a
    successful RPA implementation, and demonstrating
    how finance and accounting professionals can
    serve as enablers to RPA value delivery. •

    1 Annette LaPrade, Janet Mertens, Tanya Moore, and Amy Wright, The enterprise guide to closing the skills gap: Strategies for building and
    maintaining a skilled workforce, IBM Institute for Business Value, 2019,
    2 From Mirage to Reality: Bringing Finance into Focus in a Digital World, IMA and Deloitte, upcoming 2020.


    Misconceptions about RPA technology
    cross several extremes—from “It will
    automate all of our jobs” and “Only
    IT can implement it” to “RPA couldn’t possibly
    do what I do” and “RPA has no applicability
    to finance and accounting processes.” Each of
    these misconceptions can be dispelled through
    knowledge of what RPA is and the actual capability
    of the technology.

    RPA is “technology that enables a robot—
    the digital worker or ’bot’—to execute
    processes by emulating human interaction with
    computer applications” through the user interface.3

    The Capability
    Mimicking the clicks and keystrokes of a human
    user while leveraging documented process
    steps, bots can log into and perform tasks in
    accounting and operational desktop and cloud-
    based applications, access and retrieve data
    from websites, perform data entry through Citrix-
    and non-Citrix-based applications, generate
    reports, read PDF documents, send emails,
    and so much more. What macros can do for
    Microsoft Excel, RPA can do for any application
    accessible by an end user. RPA can also access
    the back end of applications (the component
    not typically visible to an end user) by executing
    application programming interface (API) calls
    and leveraging various programming languages
    and custom algorithms for more complex use
    cases. With the capacity to execute processes 24
    hours a day, seven days a week, and 52 weeks
    a year, the potential productivity of a single
    bot is considerably higher than that of a human
    (often one bot can absorb the work of three to
    five humans)—provided utilization of the bot is
    maximized (if multiple processes are assigned to
    the same robot machine).

    Among leading RPA software vendors, advanced
    native solutions and integrating technologies
    enhance RPA’s stand-alone capability.4 Whereas
    traditional RPA technology required processes
    to be completely rule-based and requiring no
    judgment, intelligent RPA—a sophisticated pairing
    of artificial intelligence (AI) and RPA—enables the
    virtual robot to monitor transactional processing,
    making notes where indicated, and preparing
    conclusions or even refining its approach to
    process execution based on learnings, just as a
    human would.

    Thus, revisiting the misconceptions introduced
    earlier, RPA has applicability to a host of finance
    and accounting processes and can consequently
    perform many of the tasks finance and accounting
    professionals perform today. The other two
    misconceptions will be addressed later as we
    explore the software and the impact of RPA on
    finance and accounting jobs.

    The Software
    “Most RPA software is made up of three primary
    components: the bots, a bot manager, and a
    workflow design module. The bots perform
    processes; the bot manager enables scheduling
    and allocation of developed processes; and the
    workflow design module is where processes are
    developed.”5 Although it is tempting to say—and
    is widely said—during an RPA implementation,
    people do not develop bots. They develop
    processes that bots will perform.

    The bots. Robots are assigned user IDs and
    passwords for the organization’s network and
    for the individual applications they need to access, just
    as humans are. They are granted certain access
    rights to those respective applications that align
    with the tasks—or processes—they are permitted
    to perform, and that access should adhere to
    segregation of duties policies defined for the
    virtual workforce, which may or may not mirror
    those defined for humans.

    RPA Technology

    3 Loreal Jiles, “Govern Your Bots!” Strategic Finance, January 2020, pp. 24-31,
    4 Forrester, The Forrester Wave: Robotic Process Automation, Q4 2019, October 2019,
    5 Jiles, 2020.

    There are two types of robots: attended and
    unattended. Attended robots are virtual execution
    engines that sit on a computer with specific
    processes assigned to it. They require a human
    to trigger them (selecting one of the assigned
    processes and telling the robot—through a series
    of clicks—to execute that process). Generally,
    when attended robots are executing processes,
    the human’s machine is not available for them to
    perform any other tasks; but recent advancements
    in the technology of some RPA vendors allow
    processes to run in the background. Attended
    robots are useful for short processes or those
    that require humans to make a decision in real
    time during the process (for example, the bot can
    generate a report, prompt the human to review it,
    and, once the human clicks a button confirming
    the review is complete, the robot continues
    executing the next step in the process).

    Unattended robots are virtual execution engines
    that do not require a human to manually kick
    off processes. Unattended robots commence
    execution of a process according to a schedule
    or by monitoring for the right prerequisite set of
    conditions, then begin the process automatically.
    An example of those conditions could be
    monitoring an electronic mailbox for emails
    that have specific words in the subject line or
    periodically accessing a shared drive to search for
    a file with a specific file name or extension. For
    added flexibility, unattended robots can also be
    launched manually or on an ad hoc basis outside
    the schedule.

    The bot manager. The bot manager, although it
    has different names across each RPA tool, serves
    the same fundamental purposes. In leading tools,
    the bot manager typically has an encrypted vault
    for storing bot credentials that would not be
    visible to anyone once input into the vault and
    serves as the central assignment and scheduling
    hub for all bots and processes. Processes are
    assigned to specific robots: More than one process
    can be assigned to a single robot and more than
    one robot can be assigned to one, usually high-
    volume, transactional process. Both schedules for
    the process runs for unattended bots and logs of
    the details of each process execution for all bots
    are stored in the bot manager. These logs are
    critical for audits of processes executed, or of the
    RPA program holistically, just as confirmation of
    completion of certain stages of critical processes
    are captured and subsequently furnished to
    auditors. Also captured are the success and failure
    statistics on individual transactions processed,
    transaction counts, and process execution
    duration. This web-based component of the
    software is where the humans managing the RPA
    program spend most of their time.
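The bots and bot manager passages above describe robot identities with task-aligned access rights, a segregation-of-duties (SoD) policy for the virtual workforce, and per-execution logs kept for audit. The following Python model is an added illustration, not any RPA vendor's software: it shows a bot manager refusing an SoD-conflicting assignment, deriving a least-privilege access set per robot from its assigned processes, and aggregating the execution log into the success/failure, transaction-count and duration statistics the text mentions. The process, application and duty names and the conflict pairs are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Set

@dataclass(frozen=True)
class Process:
    """A developed workflow that a bot performs (people build processes, not bots)."""
    name: str
    applications: FrozenSet[str]  # applications the workflow must log into
    duty: str                     # control-relevant duty the workflow carries out

@dataclass
class Robot:
    """A bot identity: like a human user it has its own ID and application access."""
    robot_id: str
    processes: List[Process] = field(default_factory=list)

    def required_access(self) -> Set[str]:
        # Least privilege: grant exactly the union of what assigned processes need.
        access: Set[str] = set()
        for p in self.processes:
            access |= p.applications
        return access

@dataclass(frozen=True)
class ExecutionLog:            # one execution record of the kind kept for auditors
    robot_id: str
    process: str
    started_at: str            # ISO-8601 UTC timestamp
    duration_s: float
    transactions: int
    succeeded: int
    failed: int

class SoDViolation(Exception):
    """Raised when an assignment would give one robot two conflicting duties."""

class BotManager:
    def __init__(self, conflicting_duties: Set[FrozenSet[str]]) -> None:
        self.conflicts = conflicting_duties   # SoD policy for the virtual workforce
        self.robots: Dict[str, Robot] = {}
        self.logs: List[ExecutionLog] = []

    def assign(self, robot_id: str, process: Process) -> Robot:
        """Assign a process to a robot unless the SoD policy forbids the pairing.
        One robot may run several processes and several robots may share one."""
        robot = self.robots.setdefault(robot_id, Robot(robot_id))
        for existing in robot.processes:
            if frozenset({existing.duty, process.duty}) in self.conflicts:
                raise SoDViolation(f"{robot_id}: '{process.name}' ({process.duty}) "
                                   f"conflicts with '{existing.name}' ({existing.duty})")
        robot.processes.append(process)
        return robot

    def record_run(self, robot_id: str, process_name: str, duration_s: float,
                   outcomes: List[bool]) -> ExecutionLog:
        """Log one run; outcomes holds one success flag per transaction processed."""
        robot = self.robots.get(robot_id)
        if robot is None or process_name not in {p.name for p in robot.processes}:
            raise PermissionError(f"{robot_id} is not assigned to '{process_name}'")
        ok = sum(outcomes)
        entry = ExecutionLog(robot_id, process_name, datetime.now(timezone.utc).isoformat(),
                             duration_s, len(outcomes), ok, len(outcomes) - ok)
        self.logs.append(entry)
        return entry

    def process_stats(self, process_name: str) -> Dict[str, float]:
        """Audit view of one process: runs, transactions, success rate, mean duration."""
        runs = [e for e in self.logs if e.process == process_name]
        tx = sum(e.transactions for e in runs)
        ok = sum(e.succeeded for e in runs)
        return {"runs": len(runs), "transactions": tx,
                "success_rate": ok / tx if tx else 0.0,
                "mean_duration_s": sum(e.duration_s for e in runs) / len(runs) if runs else 0.0}

def demo() -> Dict[str, object]:
    """Constructed walkthrough returning the facts a reviewer would check."""
    # Constructed SoD policy: the identity that maintains vendor bank details must
    # not also release payments; the one that posts journals must not approve them.
    manager = BotManager({frozenset({"vendor_master_update", "payment_release"}),
                          frozenset({"journal_posting", "journal_approval"})})
    vendor_update = Process("Update vendor bank details", frozenset({"ERP", "Mailbox"}),
                            "vendor_master_update")
    pay_run = Process("Release payment run", frozenset({"ERP", "BankPortal"}), "payment_release")
    invoices = Process("Enter supplier invoices", frozenset({"ERP", "PDFReader"}), "invoice_entry")
    manager.assign("BOT-AP-01", vendor_update)
    manager.assign("BOT-AP-01", invoices)
    try:
        manager.assign("BOT-AP-01", pay_run)      # refused: conflicts with vendor_update
        blocked = False
    except SoDViolation:
        blocked = True
    manager.assign("BOT-AP-02", pay_run)          # a separate identity may release payments
    # Two logged runs of the invoice process: 48 of 50, then 30 of 30 transactions succeeded.
    manager.record_run("BOT-AP-01", "Enter supplier invoices", 600.0, [True] * 48 + [False] * 2)
    manager.record_run("BOT-AP-01", "Enter supplier invoices", 400.0, [True] * 30)
    return {"sod_blocked": blocked,
            "bot1_access": sorted(manager.robots["BOT-AP-01"].required_access()),
            "stats": manager.process_stats("Enter supplier invoices")}
```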

    The workflow design module. The workflow
    design module, again with different names
    across RPA tools, is where RPA developers
    spend most of their time. This component
    of the software is where processes that bots
    will perform are developed. For finance and
    accounting professionals learning to perform a
    critical business process, typically a desk manual
    or a step-by-step desk procedure is provided so
    the team member will not miss important steps.
    Through the development process, the workflow
    design module acts as a platform that allows a
    human (the developer) to document the process at
    a meticulous level of detail (configure the workflow
    by developing a sequence of activities)—equipped
    with screenshots and personalized instructions at
    the keystroke level—in a way that the robot can
    read and deliver. This RPA software component
    enables RPA development.

    The workflow design module is what makes RPA
    a lower barrier-to-entry technology than many
    other emerging digital technologies that will also
    impact the finance and accounting profession.
    Rather than learning a programming language
    and writing scripts, automating with RPA transpires
    using a host of drag-and-drop activities that are
    stored within the tool. Boasting activity names
    such as “click” and “type into,” the user-friendly
    nature of this technology makes familiarity with the
    detailed business process a more valuable asset
    than a computer science background. This feature
    is also the component that dispels another of the
    misconceptions referenced earlier as it confirms
    business professionals and IT experts alike can
    implement automation solutions with RPA. It is
    worth noting that complex use cases do require
    specialized expertise for implementation.

    Integrating technologies. Leading RPA
    vendors have invested heavily in developing
    native solutions—available within their workflow
    design modules—and partnering with other
    leading technology companies to offer a host of
    integrating technologies that raise the level of
    complexity of processes that can be automated
    with RPA while enhancing the comprehensive
    value RPA is able to deliver. For example, some
    existing manual processes require reading an email
    or low-quality scanned PDF document and taking
    specific actions based on content or populating
    extracted data into a data visualization tool and
    performing analytics. These instances may require
    use of natural language processing, intelligent
    optical character recognition, or data analytics and
    visualization tools, all of which are available either
    natively or through integrating drag-and-drop
    activities or library components. •


    Automation is having a wide-reaching
    impact on the workforce. Bloomberg has
    developed a tool simulating the chances of
    jobs across a host of professions being impacted
    by automation. It combines wage and education
    requirements data from the U.S. Bureau of Labor
    Statistics with data on probability of automation
    from “The Future of Employment: How Susceptible
    Are Jobs to Computerisation?” by Carl Frey and
    Michael Osborne.6 With Bloomberg’s simulation,
    accountant and auditor jobs are 94% likely to be
    impacted by automation. Another noteworthy
    observation from this report is that accountant and
    auditor jobs are among fewer than 10 professions
    requiring a bachelor’s degree that are more than
    90% likely of being impacted by automation.7

    Although there are several digital tools that can
    be leveraged to automate finance and accounting
    processes (for example, data science, traditional
    automation using programming languages and
    scripting, better-leveraging native automation
    solutions within the enterprise resource planning
    system, AI, and so on), RPA is currently recognized
    as one of few emerging technologies most capable
    of automating a significant amount of finance and
    accounting end-to-end processes. In a recent RPA
    webinar hosted by IMA with nearly 1,500 attendees
    globally, 34% of attendees indicated RPA will be
    the emerging technology with the greatest impact
    on the finance and accounting profession in the
    next three years (see Table 1). Additionally, more
    than 75% of attendees believed their organization’s
    finance and accounting processes could benefit
    moderately to significantly from RPA (see Table 2).

    McKinsey & Company conducted a detailed
    analysis of finance and accounting processes
    and automation software capability. It found that
    the capability of automation tools that existed in
    2018 could “fully automate 42 percent of
    finance activities and mostly automate a further
    19 percent.”8 A summary of finance and
    accounting tasks evaluated in this study is
    combined with other common finance and
    accounting activities to present the relative
    complexity of the process areas and their relative
    likelihood of being automated in Figure 1.

    Impact of RPA on the
    Finance and Accounting Function

    6 Carl Frey and Michael Osborne, “The Future of Employment: How Susceptible Are Jobs to Computerisation?” Technological Forecasting and Social
    Change, January 2017, pp. 254-280.
    7 Mark Whitehouse and Mira Rojanasakul, “Find Out If Your Job Will Be Automated,” Bloomberg, July 2017,
    8 Frank Plaschke, Ishaan Seth, and Rob Whiteman, “Bots, algorithms, and the future of the finance function,” McKinsey & Company, January 2018,

    TABLE 1: What emerging technology do you believe will have the greatest
    impact on the finance and accounting profession in the next three years?

    a. Robotic process automation                      34.4%
    b. Data science                                    14.1%
    c. Artificial intelligence                         22.7%
    d. Data visualization                               5.8%
    e. Blockchain                                       6.6%
    f. Budgeting, planning, and forecasting tools      12.1%
    g. Something else                                   0.9%
    h. Not sure                                         3.5%

    TABLE 2: How much do you believe your organization’s finance and accounting
    processes can benefit from RPA?

    a. Significantly! I believe greater than 50% of our finance and accounting
       processes can benefit from RPA.                 28.4%
    b. Moderately; I believe between 16% and 50% of our finance and accounting
       processes can benefit from RPA.                 46.8%
    c. Somewhat; I believe between 1% and 15% of our finance and accounting
       processes can benefit from RPA.                 20.4%
    d. Not at all; I do not believe our finance and accounting processes can
       benefit from RPA.                                4.5%





    FIGURE 1: Finance and Accounting Process Complexity and
    [Figure not reproduced. Surviving panel labels: strategic decision; risk management; internal audit and tax; controlling and external reporting; financial planning and analysis; general accounting operations; accounts payable and accounts …; payroll; journal entries and financial close; cash disbursement; account and bank …. The axis runs from less likely to be automated to more likely to be automated, with three bands: 20% or less of these roles are fully or highly automatable; between 50% and 70% fully or highly …; greater than 70% fully ….]

    McKinsey’s findings underscore what has
    been seen in implementations of organizations
    commencing RPA journeys over the past few
    years. Leading RPA software vendors have
    transparently shared that most enterprises,
    regardless of industry, begin their RPA journeys
    in the finance and accounting department. Of
    greatest impact are tasks performed by entry-
    level finance and accounting staff and finance
    and accounting shared service centers. Other
    examples of finance and accounting processes not
    listed in Figure 1 that typically make good RPA
    candidates include:
    • Bookkeeping
    • Payroll
    • Data migration and data entry
    • Daily profit and loss reporting
    • Control testing

TABLE 1: What emerging technology do you believe will have the greatest impact on the finance and accounting profession in the next three years?
a. Robotic process automation 34.4%
b. Data science 14.1%
c. Artificial intelligence 22.7%
d. Data visualization 5.8%
e. Blockchain 6.6%
f. Budgeting, planning, and forecasting tools 12.1%
g. Something else 0.9%
h. Not sure 3.5%

TABLE 2: How much do you believe your organization’s finance and accounting processes can benefit from RPA?
a. Significantly! I believe greater than 50% of our finance and accounting processes can benefit from RPA. 28.4%
b. Moderately; I believe between 16% and 50% of our finance and accounting processes can benefit from RPA. 46.8%
c. Somewhat; I believe between 1% and 15% of our finance and accounting processes can benefit from RPA. 20.4%
d. Not at all; I do not believe our finance and accounting processes can benefit from RPA. 4.5%



    These process areas are particularly attractive
    from an RPA perspective because they each have
    a rule-based and repetitive component. They also
    traditionally have standard input or output report
    formats and detailed documentation in place.
    Thus, the reach of RPA capability across finance
    and accounting processes is quite expansive
    and likely impacts, at a minimum, a few of the
    processes performed or touched by every finance
    and accounting professional across the globe.
    Good RPA candidates are highly manual and
    repetitive. Many ideal candidates also have low
    exception rates, standard and readable inputs, and
    predefined or definable criteria.

    Finance and accounting professionals working
    in organizations who have made progress along
    the RPA journey operate in an environment with
    human and digital coworkers. They receive data
    from and supply inputs for processes performed
    by bots. Digital team members log into the
    financial system during the early morning hours
    of critical close workdays and pull data to refresh
    the financial statements, then create a report
    with variances highlighted for human teammates
    to review at the start of their day. A bot reads
    PDF statements and translates the data captured
    into financial journal entries. When internal (or
    external) auditors test financial documents, they
    no longer need to request samples because a
    robot will leverage RPA and data analytics to test
    all financial data in scope for the audit period and
    produce a report of findings for the internal audit
    team to examine. This is a different world, and the
    technology to make this a reality already exists and
    is currently in place in many enterprises.

“The bright side is that accountants should be skilling upwards to negate the risks of obsolescence,” remarked Eva Nagarajah in the Accountants Today article “Hi, Robot: What does automation mean for the accounting profession?” She continued with a reference to guidance given by recruitment firm Randstad Singapore: “…transactional roles like general ledger, accounts receivable and payable may be endangered, but other higher-skill roles like financial planning and analysis or business controlling would still be in high demand.”9 Additionally, finance and accounting professionals can focus on timeless roles in the areas of accounting policy, strategy, financial investment analysis, and business and financial project management, along with a host of others.

    Beyond higher value-added finance and
    accounting-specific activities, the maturation of
    digital technology opens new doors. IT—where
    many emerging technology implementations sit
    within organizations—requires a host of the same
    skills and capabilities finance and accounting
    professionals have amassed during schooling and
career experience. Relevant transferable skills that
    finance and accounting professionals likely already
    possess are being methodical and computer-savvy
    as well as strong in mathematics and analytics.
    Their knack for risk mitigation, detail-oriented
    nature, continuous improvement mind-set,
    adaptability, and critical-thinking skills can all be
    combined with business process knowledge to
    elevate the value delivered by the RPA program
    (or finance and accounting team implementing
    RPA) to the organization. Specific opportunities for
    finance and accounting professionals within the
    RPA space will be covered as we explore finance
    and accounting professionals as enablers of the
    RPA program.

    This allows yet another misconception—that
    RPA will automate all finance and accounting
    jobs—to be combatted. This is far from
    true. Although RPA is undoubtedly a viable
    automation solution for several finance and
    accounting tasks that people historically thought
    were “untouchable,” RPA and other digital
    technologies create new opportunities that, when
    paired with higher-end finance and accounting
    activities, produce a more valuable service for
    the organization and result in an employee base
    that is agile, digitally equipped, and overseeing a
    strengthened control environment. •

    9 Eva Nagarajah, “Hi, Robot: What does automation mean for the accounting profession?” Accountants Today, July/August 2016, pp. 34-37,
    com/my/en/assets/press/1608-accountants-today-automation-impact-on-accounting-profession .


RPA at Scale

Many enterprises have already embarked upon their RPA journeys, with significant impact in the shared services department of the organization and a decisive shift away from business process outsourcing to automation first.
    Deloitte conducted a study on RPA, attracting
    responses from more than 400 organizations
    globally. Fifty-three percent of respondents
    had already begun their RPA journeys and 19%
    intended to begin within the next two years. Yet
    only 3% of these organizations had actually “scaled
    their digital workforce” beyond 50 robots.10

    This low scaling rate exists despite the wide-
    reaching applicability of RPA technology,
    affordability of licenses, and low barrier to entry for
    implementation. When reporting on predictions
    in the RPA market, Gartner found “organizations
    often underestimate the complexity of RPA
    initiatives.” Although the software itself is user-
    friendly and training is free and readily available
    from many vendors, “there is a large variety of
    business processes—ranging from simple, well-
    defined rote examples to complex, subject matter
    expert (SME)-intensive, exception-heavy areas.”11
    These process areas require more attention,
    governance, and coordination than a single team
    member automating processes on behalf of other
    team members or teams. RPA program leaders
    (generally in the absence of an actual program
    team in the earlier days) often suffer from one or
    more of the following barriers to scaling:
• Lack of executive sponsorship needed to promote wide-scale adoption across teams.
• Misalignment of RPA program goals to company or department strategic goals.
• Absence of IT buy-in needed to build appropriate infrastructure and application integration support.
• Underestimating the complexity or disparate nature of existing processes.
• Inadequate development and/or training
• Insufficient financial or human resources.
• Wrong business stakeholders engaged for process selection and solution design.
• No documented governance for the RPA
• Automating fragmented processes (automating individual components rather than the end-to-end process where applicable).

    RPA at scale—or fully-leveraged—could be a
    perfect solution for a small or midsized business
    with overworked finance and accounting teams
    needing relief and leaders seeking to elevate the
    department’s offering. It could equally serve as
    a monumentally transformational initiative in a
    larger enterprise that shines light on opportunities
    in other parts of the organization that can also
    benefit. Specific to finance and accounting
    departments, team members who learn of this
    technology, proactively train staff on RPA, and/or
    lead RPA programs tend to see much more benefit,
    professionally and organizationally, than those on
    the receiving end of the automation solutions.

    In any scenario, businesses need to take the
    following three actions to successfully scale RPA.

Establish governance. The single most important prerequisite to a successful RPA program is governance. An RPA team can have a multimillion-dollar budget and the best developers on the globe, but without governance, failure is the most likely scenario. RPA program failure can look like anything from stalling because there are not enough quality processes to automate, to compromising the control environment because no RPA coding standards were followed, to regulatory violations, inaccurate payment processing, and material financial misstatements due to missing process steps or lack of SME engagement.

10 Deloitte, The robots are ready. Are you? Untapped advantage in your digital workforce, 2017,
11 Stephanie Stoudt-Hansen, Frances Karamouzis, Arthur Villa, Saikat Ray, Rob Dunie, Nicole Sturgill, Laurie Shotton, Derek Miers, and Fabrizio Biscotti, “Predicts 2020: RPA Renaissance Driven by Morphing Offerings and Zeal for Operational Excellence,” Gartner, December 2019,

Governance mitigates risk. According to Patrick Hauck, head of RPA Practice at Novatio Solutions, governance, “a framework for identifying, assessing, and managing risk,” is about “delivering business value to stakeholders in a transparent, compliant, and sustainable manner.”12 In late 2018, five key risk areas for RPA implementations were identified by Deloitte: operational, financial, regulatory, organizational, and technology. Examples of risks in each of these areas can be found in Table 3.

To mitigate the risks that an RPA implementation introduces, governing new digital teammates is a must. This governance takes place in much the same way as policies are written to govern processes executed by humans. Further, in addition to governing bots, governance must be established for the humans involved in RPA implementation. “Bots [and their human counterparts] should be governed through written procedures that define how automation candidates will be selected, how data will be secured, who will carry out implementation, what standards development will be held to, and how benefits will be realized.”13 Prior to establishing governance, the following prerequisites should be met:
1. Identify key stakeholders and proactively seek their input.
2. Determine the RPA operating model.
3. Conduct an RPA proof of concept (POC) and select the RPA tool.
4. Perform process discovery.
5. Prepare a business case.

    12 Jiles, 2020.
    13 Ibid.


TABLE 3: Examples of RPA implementation risks in each of the five key risk areas

OPERATIONAL: Insufficient exception handling in process workflows, or inefficient operational delivery from poor bot resource management (e.g., allocating too many time-sensitive processes to a single bot).

FINANCIAL: Poorly defined requirements leading to financial misstatements or inaccurate payments; allowing a human to direct the inputs of multiple bots, potentially leading to segregation of duties violations; automating processes that lead to financial loss for the company (negative net present value).

REGULATORY: Humans directing bot activities in a fraudulent manner for government reporting (e.g., manipulating the inputs to the process a bot performs to direct a fraudulent output); immaturity of laws regulating standards for automation.

ORGANIZATIONAL: Inadequate change management, documentation, or business continuity planning (as resources are reallocated to do other work), or failure to retain enough expertise within the team after automation.

TECHNOLOGY: Instability of integrating applications and the effect that may have on bot performance; cyber risks: attackers leveraging privileged access accounts or retrieving data stored in RPA program databases; bot developers not encrypting sensitive data as part of bot design.


    Source: Loreal Jiles, “Govern Your Bots!” Strategic Finance, January 2020, pp. 24-31,
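The segregation-of-duties risk in the FINANCIAL row of Table 3 is easy to miss because the bot, not the person, performs each step; the person who directs the bots still holds the combined duties. The check below is an added example written for this page, not code from the report or from any RPA vendor. The duty names, the conflict pairs and the bot-to-person assignments are constructed for illustration; in practice they would be loaded from the RPA orchestrator's access configuration and the organization's own SoD matrix.

```python
"""Segregation-of-duties (SoD) check across humans who direct bots.

Added example, not taken from the report. Table 3's FINANCIAL row warns
that letting one person supply the inputs of several bots can hand that
person a combination of duties a control framework keeps apart. All of
the duty names, conflict pairs and assignments below are constructed for
illustration; in practice they come from the RPA orchestrator's access
configuration and the organization's SoD matrix.
"""
from itertools import combinations

# Duty pairs one person must not control end to end (constructed examples
# of common finance SoD conflicts).
CONFLICTING_DUTIES = {
    frozenset({"vendor_master_update", "payment_release"}),
    frozenset({"journal_entry_create", "journal_entry_post"}),
    frozenset({"bank_reconciliation", "cash_disbursement"}),
}

# Duty each bot performs when it runs (constructed).
BOT_DUTIES = {
    "bot_vendor_onboard": {"vendor_master_update"},
    "bot_ap_payment_run": {"payment_release"},
    "bot_je_loader": {"journal_entry_create"},
    "bot_je_poster": {"journal_entry_post"},
    "bot_bank_recon": {"bank_reconciliation"},
}

# Humans allowed to trigger each bot or supply its input file (constructed).
BOT_DIRECTORS = {
    "bot_vendor_onboard": {"alice"},
    "bot_ap_payment_run": {"alice", "bob"},
    "bot_je_loader": {"carol"},
    "bot_je_poster": {"dave"},
    "bot_bank_recon": {"bob"},
}


def effective_duties(bot_duties, bot_directors):
    """Map each person to the duties they hold through the bots they direct.

    Returns {person: {duty: {bots granting it}}} so a finding can name the
    bots involved, which is what an auditor will ask for.
    """
    per_person = {}
    for bot, people in bot_directors.items():
        for person in people:
            for duty in bot_duties.get(bot, ()):
                per_person.setdefault(person, {}).setdefault(duty, set()).add(bot)
    return per_person


def sod_violations(bot_duties, bot_directors, conflicts=CONFLICTING_DUTIES):
    """Return sorted (person, duty_a, duty_b, bots) tuples, one per conflicting
    duty pair a single person controls via the bots they direct."""
    findings = []
    for person, duties in effective_duties(bot_duties, bot_directors).items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in conflicts:
                findings.append((person, a, b, tuple(sorted(duties[a] | duties[b]))))
    return sorted(findings)


def new_violations_if_granted(bot, person, bot_duties, bot_directors,
                              conflicts=CONFLICTING_DUTIES):
    """Preview an access change: the SoD findings that granting `person`
    direction over `bot` would add. An empty list means the grant is clean;
    run this in the access-request workflow before the grant is made."""
    proposed = {b: set(p) for b, p in bot_directors.items()}
    proposed.setdefault(bot, set()).add(person)
    before = set(sod_violations(bot_duties, bot_directors, conflicts))
    after = set(sod_violations(bot_duties, proposed, conflicts))
    return sorted(after - before)


if __name__ == "__main__":
    for person, a, b, bots in sod_violations(BOT_DUTIES, BOT_DIRECTORS):
        print(f"SoD conflict: {person} controls '{a}' and '{b}' via {', '.join(bots)}")
    print("Granting carol -> bot_je_poster would add:",
          new_violations_if_granted("bot_je_poster", "carol", BOT_DUTIES, BOT_DIRECTORS))
```

On the constructed data the check flags alice, who can both onboard vendors and release payments through two different bots, while bob's two bots do not form a listed conflict. The second function is the preventive form of the same control: it is meant to sit in the access-request workflow so that a grant which would create a new conflict is refused before it takes effect rather than discovered at audit time.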



Once the prerequisites are met, governance documentation can be prepared. The format of governance documentation can be as short as an executive brief for each major section or as long as a 100-page manual. It can take the format of a slide deck, document, or quick reference guide. Regardless of length or style, the governance documentation should be easily accessible by all persons within and interacting with the group leading RPA implementation and should be clear, detailed, and comprehensive. Following a review of governance guidelines from multiple RPA vendors and development partners, seven key components of RPA governance have been identified in “Govern Your Bots!” which appeared in the January 2020 issue of Strategic Finance.14

These key components are:
1. Governing bodies
2. Organizational construct
3. Operational life cycle
4. Internal controls
5. Technology governance
6. Performance management
7. Vendor management

    14 Jiles, 2020.























It is never too late to establish governance. Ideally, establishing governance is an up-front investment of time prior to making architecture decisions or developing any processes. Yet if implementation is already under way when the team realizes some of the seven components have not taken place, the best path forward is to press pause and begin relevant stakeholder engagement to mitigate the risks that may exist. For a deep dive into RPA governance, including steps to conducting a POC and an overview of all RPA governance components, see “Govern Your Bots!”15

Do not compromise on resource quality. There is irony in IBM’s research that called attention to the inevitable substantial shortage of workers prepared to perform tasks in completely new areas as a result of intelligent automation: Intelligent automation cannot scale without qualified workers to implement the technology.16 Many enterprises in the midst of RPA journeys have struggled to find capable, high-quality RPA development resources. A host of RPA development firms have surfaced in recent years as RPA adoption in the United States began to increase. Unfortunately, few have enough resources with enough expertise to deliver robust automation solutions of varying complexity for enterprises eager to expedite the pace of delivery.

Furthermore, organizations choosing to invest in their own staff to progress implementation will still need to allow adequate time for development of their teams (without rushing them into tangible delivery) and will need to have a quality control process in place (code, peer, control, business, and digital security reviews) to prevent poorly developed workflows from introducing unmitigated risk into operational processes.

The operating model decision covered in the prerequisites to establishing governance is a key driver that shapes the nature of the investment in resource quality. There are three primary RPA operating models: centralized, decentralized, and federated. An overview of each of these operating models can be found in Figure 2. The fundamental differences between the operating models are whether there will be a central team leading governance and implementation, a central hub focused on governance with various spokes in different parts of the organization leading implementation for their respective areas, or all governance and implementation sitting within respective business units, departments, or teams.

15 Jiles, 2020.
16 La Prade, et al., 2019.

FIGURE 2: RPA operating models

A centralized model typically has a robotics operations center (or center of expertise) that oversees and is responsible for RPA governance and infrastructure while leading process development for the entire company.

A decentralized model involves a central team focused primarily on governance and infrastructure, with hubs deployed within various business teams leading implementation for their respective areas.

A federated model places the power of governance, infrastructure, and implementation in the hands of individual teams or


    Once the operating model is chosen, the
    organization will know if it will be allowing
    business staff to develop processes or if it will
    be led by the IT organization, if development
    will take place in-house, or if a third-party
    development partner will be identified to progress
    implementation. These decisions inform whether
    the organization will need to develop a capability
    development plan for its staff or a vetting process
    to assess the qualifications of resources provided
    by a third party. Without enough capable
    resources to prepare and develop automation
    solutions, the process backlog can be very long
    with strong business cases and still deliver little to
    no value.

    Automate the right processes. Despite the
    breadth of process areas with RPA applicability, all
    processes are not created equal. Consequently, all
    finance and accounting processes are not strong
    RPA candidates. Choosing the wrong automation
    candidates can result in wasted budget, negative
    returns on process implementations, dissatisfied
    employees, reputational harm to the RPA program,
    or even issues with internal or external auditors
    and financial misstatements.

    While good RPA candidates should be mature,
    well-defined, and well-documented, it is worth
    noting that processes that do not check all of these
    boxes may still be great candidates; they may
    simply require more prep work (documentation
    and standardization) prior to automating. When
    automation teams begin playing the role of
    process optimization teams, it can dilute the
    quick implementation metric expected of RPA.
    The automation itself is generally quick; it is the
    understanding, definition, and agreement of the
    process steps that often lengthens the timeline.
    Teams should take care to define and clearly
    communicate their scope along the continuum of
    automation and optimization up front.

    In the earlier days of an RPA program, processes
    automated should be simple, deliver value, and
    not expose risk to critical assets, external financial
    statements, or regulatory compliance. Teams
    are advised to get the program operational first

    with lower risk opportunities, then, as it matures,
    progress to a candidate pool that includes higher-
    risk, high-return processes when it is easier to
    add the necessary layers of governance for their

    Filling the Hopper with Ideas
To automate the right processes, organizations should first identify how they will source automation opportunities. The RPA process hopper or backlog can be filled from the bottom up (from staff in the organization), from the top down (leadership guidance), and inspired by problems or audit and analytical findings. There are three common ways to source automation opportunities:

1. Bottom-up: Ideation sessions can be held or access to a central repository can be provided to staff at the grassroots level to learn what manual processes are most important to staff to be automated.

2. Top-down: Leadership identifies strategic initiatives for specific processes requiring automation. Although this is a common sourcing approach, experience shows that failure is nearly certain if this method is used exclusively or without adequately valuing the input of the RPA team for candidate feasibility assessments. Often, process problems identified by leadership can be resolved by RPA but will require too much maintenance or exceed the capability or bandwidth of the existing program team. Mandates to move forward with candidates fitting this description can topple an RPA program. To mitigate this risk, leadership should be trained to develop a firm understanding of what makes a process a good RPA candidate, and the RPA steering committee, with heavy input from the RPA program leader (RPA product owner), should have ultimate veto power or, at a minimum, the ability to set the timelines and priority of automation to match the capability and bandwidth of the development team. See Table 4 for more information on the role of the RPA steering committee and RPA product owner.

3. Inspired by problems or audit and analytical findings: Problems like audit gaps, financial misstatements, or inaccurate government reporting can expose errors resulting from manual processes that might not exist if the process were automated. Process analysis can be performed manually or by any of a host of process mining tools available in the market to identify deviations from standard operating procedures, revealing potential automation opportunities. Further, RPA vendors on the leading end of AI integration have empowered bots to monitor human activities, detect patterns in repetitive behavior, prioritize opportunities, and even draft workflows for automation solutions.

    Selecting and Prioritizing Automation
    Two fundamental questions should be answered
    prior to moving forward with automating a process.
    The first: Can we automate? In expanded form:
    From a technical perspective, can RPA technology
    be used to automate this process and in a
    sustainable way? Feasibility assessments should
    be conducted to understand if the applications the
    robot will need to interact with are stable and if all
    criteria for the in-scope process components are
    in fact rule-based and definable at the keystroke
    level. Figure 3 shows the characteristics of ideal RPA
    automation candidates.

Even if the process is an ideal RPA candidate from a technical perspective, there is a possibility it still should not be automated. Value is maximized through RPA implementations when automating processes that span multiple applications or workloads across multiple persons to automate end-to-end processes rather than automating a siloed component. Therefore, the second critical question that should be answered is: Should we automate? In expanded form: Do the business benefits (or business case) support automation? A business case should be prepared for each individual automation opportunity, and the right stakeholders should be engaged to review the automation opportunity to ensure it meets established criteria. Stakeholders should also ask important questions: Is another team already working on this automation with a different technology? Should this process be eliminated? Should this process be standardized or reengineered prior to implementation?

    After asking some of these fundamental
    questions, decision makers should shift their focus
    to the business case, which should provide a
    summary of the opportunity, the proposed solution,
    and, most importantly, a list of the benefits. The
    types of benefits reaped from RPA can be broadly
    categorized into three buckets: efficiency and cost,
    effectiveness and quality, and risk and compliance.17


    17 Timothy Driscoll, “Value through Robotic Process Automation,” Strategic Finance, March 2018, pp. 70-71,

FIGURE 3: Characteristics of ideal RPA automation candidates (Can we automate?)
• Highly manual
• Highly repetitive
• Rule-based
• Exception rate low
• Standard and readable electronic inputs
• Mature and stable
• Specialty level low
• Definable criteria




Efficiency and cost. This is the category of benefits that is most widely promoted when discussing RPA value. Efficiency and cost summarizes the time savings of having a robot perform tasks rather than humans, the reallocation of the human resources to other tasks or roles, and the financialization of those time savings (how much money the organization is saving as a result of efficiencies gained). Benefits in the areas of efficiency and cost can be quantified using data such as the number of labor hours saved, the average salary of employees performing the job manually, and the implementation cost, along with calculations like net present value, return on investment, and payback period; benefits in the other two categories are less often set as explicit value targets.
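The quantities named above can be carried through one candidate to show how the three figures relate. The calculation below is an added example written for this page, not from the report; the case numbers (hours saved, loaded hourly rate, license cost, implementation cost, horizon, discount rate) are constructed. The one modelling choice worth noting is that recurring license and bot-maintenance cost is netted against the saving each year; a business case that leaves it out overstates the value and can turn a candidate with a negative net present value (the FINANCIAL risk in Table 3) into an apparent winner.

```python
"""Business-case arithmetic for one automation candidate.

Added example, not from the report. It carries the quantities named above
(hours saved, loaded labor rate, implementation cost, net present value,
return on investment, payback period) through one constructed case. All
numbers are illustrative.
"""


def annual_net_saving(hours_saved, loaded_hourly_rate, recurring_cost):
    """Cash benefit per year: financialized time saving minus license/support."""
    return hours_saved * loaded_hourly_rate - recurring_cost


def cash_flows(implementation_cost, annual_saving, years):
    """Year-0 outlay followed by `years` equal annual inflows."""
    return [-implementation_cost] + [annual_saving] * years


def npv(discount_rate, flows):
    """Net present value; the year-0 flow is undiscounted."""
    return sum(cf / (1 + discount_rate) ** t for t, cf in enumerate(flows))


def roi(flows):
    """Undiscounted return on investment over the horizon: (inflows - outlay) / outlay."""
    outlay = -flows[0]
    return (sum(flows[1:]) - outlay) / outlay


def payback_years(flows):
    """Years until cumulative cash flow turns non-negative, interpolating
    within the crossing year; None if the outlay is never recovered."""
    cumulative = flows[0]
    for year in range(1, len(flows)):
        if cumulative + flows[year] >= 0:
            return (year - 1) + (-cumulative / flows[year])
        cumulative += flows[year]
    return None


def business_case(hours_saved, loaded_hourly_rate, recurring_cost,
                  implementation_cost, years=3, discount_rate=0.10):
    """Summarize one candidate the way a steering committee would read it."""
    saving = annual_net_saving(hours_saved, loaded_hourly_rate, recurring_cost)
    flows = cash_flows(implementation_cost, saving, years)
    pb = payback_years(flows)
    return {
        "annual_net_saving": saving,
        "npv": round(npv(discount_rate, flows), 2),
        "roi": round(roi(flows), 3),
        "payback_years": None if pb is None else round(pb, 3),
    }


if __name__ == "__main__":
    # Constructed case: one FTE-equivalent of effort (2,080 h/yr) at a loaded
    # rate of $45/h, $8,000/yr in license and support, $60,000 to implement,
    # three-year horizon, 10% discount rate.
    print(business_case(2080, 45.0, 8000.0, 60000.0))
```

For the constructed case the candidate nets $85,600 a year, pays back in about 0.7 years and has a three-year NPV of roughly $152,875. Re-running the same function with a higher recurring cost or a shorter horizon is the quickest way to see how sensitive the decision is to maintenance effort, which is where RPA business cases most often go wrong.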

Effectiveness and quality. Although humans have far more experience performing the processes being automated, they make mistakes. It is inevitable. That is part of the underlying reason for the control function within finance and accounting. Robots do not make the transcription, omission, and fatigue errors humans make; they execute the defined steps the same way on every transaction. The corollary is that a flaw in the design is repeated on every transaction too, so if SMEs are properly engaged in designing the automated process, the process executed by the robots will be performed with greater accuracy than by humans. Improved accuracy leads to greater effectiveness and higher-quality process delivery. Thus, the automated process is likely to result in cycle-time reduction and increased client satisfaction, also known as effectiveness and quality.

Risk and compliance. In many instances, an automation solution may not deliver material efficiencies or cost reduction. Some automation opportunities are implemented because the organization may need to deliver a new report for regulatory purposes, submit data through a new electronic portal, or perform control checks for other manual or automated processes being performed. These solutions mitigate operational risk and strengthen the control environment, adding significant value to the organization because this type of risk mitigation and compliance assurance can impact an organization’s license to operate in its respective industry or the safety of its employees and customers. Conversely, automating processes that require real-time policy interpretation and application, or that send data out directly to regulatory agencies without adequate controls, can weaken the control environment and lead to detrimental results for the organization.

Figure 4 contains examples of factors that should be considered while evaluating whether a process should be automated. These factors would need to be weighed against each other based on the priorities of the organization and the RPA program.

FIGURE 4: Factors to consider when evaluating whether a process should be automated
• Impact of automating the process on the control and regulatory environment
• Susceptibility of the manual process to errors
• Impact to the organization of errors and delays
• Volume of process transactions
• Whether the process the robot is performing generates financial value
• Time required to complete each transaction
• Full-time equivalents required to support the process •





F&A Professionals as RPA Enablers

It is imperative that finance and accounting professionals begin reskilling in preparation for the future. Change is no longer imminent; it is under way.
    Advances in digital technology
    make it increasingly more
    feasible to automate finance and
    accounting processes of varying
    complexity for organizations
    of any size. In addition to
    upskilling by deepening finance
    and accounting and business
    knowledge (performing processes
    on the higher end of the finance
    and accounting process pyramid;
    see Figure 1) and learning other
    digital technologies such as
    data analytics, data visualization,
    or AI, finance and accounting
    professionals should embrace RPA.

    Finance and accounting
    professionals are already well-
    positioned to play some of the
    roles in an RPA program. For
    decades, finance and accounting
    professionals have been relied
    upon for investment valuation,
    project management, process
    documentation, providing
    assurance, and assessing,
    defining, and implementing
    controls. All of these, plus
    many more, are critical to the
    successful implementation of an
    RPA program.

RPA Role Overview
Regardless of the chosen operating model, there are traditionally three primary groups of RPA roles: governing bodies, the RPA program team, and stakeholders (a host of extended team members within the broader organization). The groups may be called different names, the segregation of the groups may vary, and individuals may wear multiple hats depending on the operating model, but the tasks carried out by each individual role should still be performed in an RPA program of any size.

Figure 5 shows an overview of the typical roles of persons working with and within an RPA program team. Roles illustrated in yellow are traditionally held by IT professionals given the deep IT expertise required to mitigate technological risks in the areas of architecture and infrastructure, cybersecurity risks, application integration, database and platform maintenance, and so on. All other roles lend themselves to business or IT professionals interchangeably. Table 4 provides an overview of the roles within and around the RPA program that are suitable for finance and accounting professionals.

FIGURE 5: Typical roles working with and within an RPA program team (figure not extracted; role labels recovered from the image)
Governing Board; Steering Committee; IT and Digital/Cybersecurity; Internal and External Audit; Process Owner; Product Owner; Scrum Master; Lead Architect; RPA Solution

    Table 4: Roles within and around the RPA program suitable for finance and accounting professionals

    Typically Full-Time Jobs within RPA program

    Leader of the RPA program
    Description: Leader of the RPA program and accountable for overall value delivery, operational execution, and maintenance of automation solutions as well as realizing associated benefits and managing risk.
    Skills needed:
    • Leadership
    • RPA technology
    • Business process
    • Agile methodology and scrum framework
    • Basic data analytics (to analyze the work of the robots and translate that into greater output)

    Scrum master
    Description: Facilitates agile development for the team. The scrum master assists the team in achieving goals by removing ensuring clarity on the definition of done for individual components of delivery, and leading scrum sessions—which are cross-functional working sessions that require delivery of specific deliverables by the end of the session.
    Skills needed:
    • Project
    • Agile methodology and scrum
    • Introductory-level RPA knowledge
    • Business process
    • Can become a Certified Scrum Master and use it for much more than RPA

    Solution architect
    Description: Assesses the technical feasibility of opportunities being considered for automation by the program and ultimately leads or supports the technical design of the solution along with the RPA developer. The solution architect recommends efficiencies or changes to the manual process to minimize the chance that there are technical challenges with the actual implementation. This role is typically an IT resource but could be a business resource with the right amount of RPA
    Skills needed:
    • Advanced RPA technology knowledge
    • IT experience—understanding of application landscape and infrastructure
    • Agile methodology and scrum framework
    • Business process

    RPA business analyst
    Description: Works hand in hand with the process SME (who likely currently performs the process) to understand and document the process (creating a process definition document), participating in solution design sessions with the developer and architect, leading testing efforts, and liaising between the business and the development team. Also, generally prepares business cases, supports process selection and prioritization, and tracks data against the key performance indicators
    Skills needed:
    • Meticulously detail-oriented and
    • Business process familiarity (high)
    • Performance
    • RPA technology (introductory to intermediate level)
    • Agile methodology and scrum framework

    RPA developer
    Description: Accountable for design, development, testing, and maintenance of RPA solutions. The developer is required to investigate, analyze, and set up automated processes using RPA software. The developer partners with the RPA business analyst, architect, and SME as needed to design and deliver robust automation solutions. Can be a business or IT professional. Advantages to both business and IT professionals playing this role—business professionals know the processes, and IT people have more technical background to get more creative with and handle more complex
    Skills needed:
    • Advanced knowledge of RPA software
    • Some programming language or experience would be a plus but is not mandatory
    • Agile methodology and scrum framework
    • Detail-oriented and
    • Business process familiarity (level varies)
    • Can become a certified RPA developer through RPA software companies at no cost

    Typically Roles Outside the RPA Program—Part-Time Involvement because of the Nature of Their Full-Time Job

    Governance board
    Description: The governance board is generally made of a program or executive sponsor in the business area where RPA is being implemented along with other senior leaders in that part of the business and senior IT leaders. The governance board’s role is to ultimately approve the overall program budget, sometimes set delivery targets for the RPA program, and certainly to set strategic direction. The governance board also typically agrees on what prioritization principles should be applied as the members within the delivery team accept and implement opportunities.
    Skills needed:
    • Skills needed for traditional finance and accounting role
    • Introductory-level knowledge of RPA

    Steering committee
    Description: Steering committee members are typically broad-reaching SMEs in middle management or other nonexecutive leadership positions within the area of the business where RPA is being implemented. A representative from this body typically reviews and approves automation of processes—as aligned with their respective areas of expertise (all steering committee members do not need to provide approval for all processes; typically one committee member approves a specific process in his or her area). Knowledge of business processes is particularly important in this role to ensure the program is not automating processes that another part of the organization is working on or that just should not be automated for any number of reasons.
    Skills needed:
    • Skills needed for traditional finance and accounting role
    • Introductory-level knowledge of RPA

    Subject matter expert (SME)
    Description: SMEs are one of the most important roles in RPA implementation. There is typically a different SME for each individual process being automated (unless there are several processes being automated in a given team). The RPA implementation team—specifically an RPA business analyst—partners with the SME to shadow the SME while performing the current manual process, validate the process definition document, sign off on the solution design document that is ultimately prepared by the RPA team, support development of and execute the user acceptance testing plan, provide feedback during demos of progress made, and, once development and testing are complete, give sign-off that the process can be used in production (used for live transactions rather than test transactions).
    Skills needed:
    • Skills needed for traditional finance and accounting role
    • Introductory-level knowledge of RPA

    Business process owner
    Description: The business process owner is often the line manager of the SME or someone who has a bit of a wider reach across certain process types or business areas, depending on the size of the organization. This person only has to review work the SME has done—enough to be comfortable and, ultimately, provide approval for the feasibility of the business case assumptions, solution design, testing scenarios, and go-live
    Skills needed:
    • Skills needed for traditional finance and accounting role
    • Introductory-level knowledge of RPA

    Internal and external audit
    Description: Internal groups are engaged for reviews of processes the program team intends to automate to ensure there are no violations of any existing policies, soundness of the control environment post-implementation, and to grant approval to proceed to development and ultimately to production. External audit will audit individual processes depending on their criticality and sometimes the entire RPA program.
    Skills needed:
    • Skills needed for traditional finance and accounting role
    • Introductory-level knowledge of RPA


    RPA fundamentals. All persons involved in and
    interacting with the RPA program should take
    introductory-level training courses to ensure a
    foundational understanding of RPA software and
    capability. The Forrester Wave RPA report released
    in the fourth quarter of 2019 reported UiPath,
    Automation Anywhere, and Blue Prism as the top
    leading RPA vendors in the market.18 Each of these
    vendors offers this type of training online and at
    no cost.

    Available training is not limited to that of
    RPA developer but expands to include RPA
    business analyst roles—the roles that most
    easily translate from business positions to
    digital implementation. The closer to actual
    RPA development a role is, the more RPA
    training is needed.

    How RPA is delivered. Implementation of
    RPA opportunities is generally best delivered
    through agile methodology, which is a software
    development life cycle model. It is an approach
    to project management for software development
    that focuses on the use of incremental, iterative
    work sequences to deliver planned outcomes.19
    Most organizations take agile methodology a step
    further and center execution around scrum—an
    agile “framework for developing, delivering, and
    sustaining complex products” in which the iterative
    work sequences are known as sprints.20 In this
    approach, the stakeholder or end user (business
    team member in RPA implementation) receives
    regular demos of development progress as it
    is made, minimizing the likelihood that the end
    product does not meet business requirements.
    This differs from the historically popular waterfall
    approach that focuses more on linear project
    management, during which business requirements
    are gathered at the beginning of the project,
    a sequential project plan is developed and
    executed, then the business user is reengaged
    upon project completion—presenting greater
    risk that the automation solution does not meet
    business requirements and compromising the
    expected quick implementation timeline.21

    As agile methodology and the scrum
    framework are widely used not only across RPA
    implementations but also across many digital
    technology programs, finance and accounting
    professionals should gain an introductory
    knowledge of this project management approach.
    All RPA program team members would have to
    deliver work in accordance with this method if it is
    chosen for the program.

    Who delivers RPA? The RPA program team is
    composed of persons who work full-time on RPA
    and are accountable for sizable components of
    the delivery of RPA initiatives. To add value to an
    RPA program, the specific capabilities required extend
    beyond RPA technical skills and agile methodology
    awareness to a host of soft skills. In the IBM
    Institute for Business Value report on the skills gap,
    executives reported that the two skills most critical for
    employees “were behavioral skills—willingness to
    be flexible, agile, and adaptable to change and
    time management skills and ability to prioritize.”
    IBM also found a “culture of continuous learning” a
    necessary ingredient for success “in the era of AI.”22

    In addition to the roles within the RPA
    program that are directly accountable for
    delivery of automation initiatives, there are other
    roles that allow for involvement with the RPA
    program while delivering traditional finance
    and accounting accountabilities. Engagement
    typically transpires because of the nature of the
    employee’s specific job, but some organizations
    allow business professionals to volunteer
    as citizen developers or business analysts,
    preparing processes for automation.

    18 Forrester, 2019.
    19 “A Beginner’s Guide to the Agile Method & Scrums,” Linchpin SEO, June 2020.
    20 Ken Schwaber and Jeff Sutherland, “The Scrum Guide,” November 2017.
    21 “Waterfall Methodology in Project Management.”
    22 “IBM Study: The Skills Gap is Not a Myth, But Can Be Addressed with Real Solutions,” 2019.



    Next Steps
    Finance and accounting professionals who want
    to get involved with RPA have several actions
    available to them.

    • Find out if there is already an RPA program
    under way and ask which RPA tool is in use to
    avoid beginning initial training in another tool.
    If the organization has not yet begun its RPA
    journey, choose one of the leading tools to
    get started for ease of accessibility.

    • Engage leadership and/or IT representatives
    to learn if there is appetite to explore the
    technology if the organization has not
    explored RPA at all. As finance and accounting
    professionals learn more about the technology
    through RPA software vendor training available
    online, they should identify a few processes
    within the organization or a specific team that
    might make good RPA candidates. Take the
    IMA RPA Value Creation course (available at to view steps to creating a
    one-page business case for each opportunity.
    Use this business case to present your ideas
    to leadership to learn if your organization’s
    leaders are willing to explore piloting the

    • Engage a few RPA vendors to request quotes
    and learn about the piloting or POC process.
    RPA is much more affordable than many
    organizations (especially small and midsized
    businesses) realize.

    • Deepen RPA expertise as much as interest
    leads. Certificates of completion are available
    in the RPA business analyst area, and RPA
    software vendors offer certified RPA developer
    designations—all online.

    • Consider learning more about agile
    methodology and the scrum framework. If it is
    intriguing enough, a finance and accounting
    professional may consider becoming certified
    as a Professional Scrum Master.

    • Proactively seek opportunities to develop
    behavioral skills: being adaptable to change,
    time management and prioritization,
    leadership, and so on.

    • Identify ways to focus more energy on tasks at
    the higher end of the finance and accounting
    process pyramid rather than the lower, more
    automatable end. •

    Automation is here to stay. Although
    widespread democratization of RPA, the
    concept of a bot for every employee, may
    still be far off, digital teammates are already on the
    payroll and leadership is assigning them finance
    and accounting tasks. As RPA vendors strengthen
    their native offerings and progress with integrating
    technology partnerships, the complexity of the
    processes digital teammates can perform with
    intelligent RPA will undoubtedly increase.

    To become more efficient, eliminate mundane
    tasks, and holistically transform the finance and
    accounting function, many CFOs are already
    looking to RPA as a solution that also exposes
    staff to digital tools, reduces cost, and paves
    the way for other technologies. To add to these
    benefits, with proper governance and appropriate
    engagement of SMEs, scaling RPA results in a
    strengthened control environment and sustainable
    automation solutions that enable staff, willing to
    reskill, to further invest in analytics, strategy, and
    business decision support. As businesses demand
    more, CFOs who do not act will find themselves
    leading overpriced, overworked teams without
    the bandwidth or skill set to operate in an agile
    manner or deliver elevated analytics supporting
    real-time business decisions.

    To avoid risk of becoming obsolete or
    competing for roles they are ill-prepared for,
    finance and accounting professionals must, too,
    take action to transform. RPA is a low barrier-
    to-entry technology with free online training
    available, providing an easily accessible path to
    upskilling and adding value within an individual
    team or across a department. The skills gained
    through RPA are transferrable and, at a minimum,
    foundational to other technologies—opening
    the door to future opportunities. For those who
    do not desire to learn development or business
    analyst skill sets, they can get an introductory
    understanding of the technology to support
    process identification, governance, or review
    exercises. In any of these scenarios, finance and
    accounting professionals will find themselves more
    valuable and, subsequently, more marketable from
    the experience.

    Now equipped with the information provided,
    those who have not yet embraced RPA are
    prepared, encouraged, and, hopefully, motivated,
    to proceed. As the profession embarks upon
    a bright yet different future alongside digital
    teammates, the business world should brace
    itself as the power of the transformed finance and
    accounting function is unleashed. •






    Introduction

    Information in this chapter:
    ● Introduction to IT auditing
    ● Purpose and rationale for this book
    ● Intended use
    ● Key audiences
    ● Structure and content of the book
    ● Summary descriptions of each chapter

    Introduction to IT auditing
    An audit is a systematic, objective examination of one or more aspects of an organization that compares what the organization does to a defined set of criteria or requirements. Information technology (IT) auditing examines processes, IT assets, and controls at multiple levels within an organization to determine the extent to which the organization adheres to applicable standards or requirements. Virtually all organizations use IT to support their operations and the achievement of their mission and business objectives. This gives organizations a vested interest in ensuring that their use of IT is effective, that IT systems and processes operate as intended, and that IT assets and other resources are efficiently allocated and appropriately protected. IT auditing helps organizations understand, assess, and improve their use of controls to safeguard IT, measure and correct performance, and achieve objectives and intended outcomes. IT auditing consists of the use of formal audit methodologies to examine IT-specific processes, capabilities, and assets and their role in enabling an organization’s business processes. IT auditing also addresses IT components or capabilities that support other domains subject to auditing, such as financial management and accounting, operational performance, quality assurance, and governance, risk management, and compliance (GRC).

    xxii CHAPTER Introduction

    IT audits are performed both by internal auditors working for the organization subject to audit and external auditors hired by the organization. The processes and procedures followed in internal and external auditing are often quite similar, but the roles of the audited organization and its personnel are markedly different. The audit criteria—the standards or requirements against which an organization is compared during an audit—also vary between internal and external audits and for audits of different types or conducted for different purposes. Organizations often engage in IT audits to satisfy legal or regulatory requirements, assess the operational effectiveness of business processes, achieve certification against specific standards, demonstrate compliance with policies, rules, or standards, and identify opportunities for improvement in the quality of business processes, products, and services. Organizations have different sources of motivation for each type of audit and different goals, objectives, and expected outcomes. This book explains all of these aspects of IT auditing, describes the establishment of organizational audit programs and the process of conducting audits, and identifies the most relevant standards, methodologies, frameworks, and sources of guidance for IT auditing.

    Purpose and rationale
    The use of IT auditing is increasingly common in many organizations, to validate the effective use of controls to protect IT assets and information or as an element of GRC programs. IT auditing is a specialized discipline not only in its own right, with corresponding standards, methodologies, and professional certifications and experience requirements, but it also intersects significantly with other IT management and operational practices. The subject matter overlap between IT auditing and network monitoring, systems administration, service management, technical support, and information security makes familiarity with IT audit policies, practices, and standards essential for IT personnel and managers of IT operations and the business areas that IT supports. This book provides information about many aspects of IT audits in order to give readers a solid foundation in auditing concepts to help develop an understanding of the important role IT auditing plays in contributing to the achievement of organizational objectives. Many organizations undergo a variety of IT audits, performed by both internal and external auditors, and each often accompanied by different procedures, methods, and criteria. This book tries to highlight the commonalities among audit types while identifying the IT perspectives and characteristics that distinguish financial, operational, compliance, certification, and quality audits.

    Intended use
    This book describes the practice of IT auditing, including why organizations conduct or are subject to IT audits, different types of audits commonly performed in different organizations, and ways internal and external auditors approach IT audits. It explains many fundamental characteristics of IT audits, the auditors who perform them, and the standards, methodologies, frameworks, and sources of guidance that inform the practice of auditing. This is not a handbook for conducting IT audits nor does it provide detailed instructions for performing any of the audit activities mentioned in the book. Auditors or other readers seeking prescriptive guidance on auditing will find references to many useful sources in this book, but should look elsewhere—potentially including the sources referenced below—for audit checklists, protocols, or procedural guidance on different types of IT audits. This book is intended to give organizations and their employees an understanding of what to expect when undergoing IT audits and to explain some key points to consider that help ensure their audit engagements meet their objectives. By covering all major types of IT auditing and describing the primary drivers and contexts for IT audits in most organizations, this book complements more detailed but narrowly focused texts intended to guide or instruct auditors in the step-by-step procedural execution of audits. The following are among recently published books especially relevant to IT auditing:

    ● IT Auditing: Using Controls to Protect Information Assets (2nd edition) by
    Chris Davis and Mike Schiller emphasizes auditing practices applicable to
    different types of technologies and system components.

    ● Auditor’s Guide to IT Auditing (2nd edition) by Richard Cascarino provides broad
    coverage of IT audit concepts and practices applicable to information systems,
    organized and presented in the context of major IT management disciplines.

    ● IT Audit, Control, and Security by Robert Moeller highlights requirements,
    expectations, and considerations for auditors of IT systems stemming from
    prominent laws, frameworks, and standards.

    ● Information Technology Control and Audit (4th edition) by Sandra Senft,
    Frederick Gallegos, and Aleksandra Davis approaches IT auditing drawing
    largely on practice guidance and governance frameworks defined by ISACA,
    particularly including COBIT.

    ● The Operational Auditing Handbook: Auditing Business and IT Processes by
    Andrew Chambers and Graham Rand focuses on operational auditing and
    uses a process-based approach to describe auditing practices for different
    organizational functions.

    ● The ASQ Auditing Handbook (4th edition) edited by J.P. Russell offers
    prescriptive guidance for quality auditors, particularly those following the
    quality auditor body of knowledge defined by the American Society for Quality
    (ASQ) and its Certified Quality Auditor Certification Program.

    Key audiences
    This book provides a treatment of IT auditing that emphasizes breadth rather than depth. Audit professionals engaged in performing IT audits have a variety of standards, guidance, and prescriptive procedures for thoroughly and effectively conducting various types of IT audits. Auditors and other consulting or professional services practitioners who regularly conduct audits may find the information in this book useful as a point of reference, but will likely rely on more detailed, purpose-specific sources to assist them in their work. Auditors are important stakeholders in IT auditing, but only one of many groups involved in IT auditing or affected by how it is carried out. The material in this book is intended primarily to help develop an understanding of auditing purposes and practices to nonauditor groups such as operational and administrative personnel, managers, and IT program and project staff, all of whom may be required to furnish information to or otherwise support external or internal audits in their organizations. It also provides an explanation of IT auditing suitable for practitioners focused on other aspects of IT management or on the performance of functions supported by IT audits such as GRC, quality management, continuous improvement, or information assurance.


    Structure and content
    This book could not hope to provide, and is not intended to be, a substitute for formal standards, protocols, and practice guidance relevant to IT auditing. What it does offer is a thorough introduction to many aspects of IT auditing and the role of IT audits within the broader context of other major forms of audits. The book is structured in a way that should be equally helpful to readers looking for information on a specific audit-related subject or for those interested in developing a more general understanding of the IT audit discipline. The material in the early chapters focuses on describing why organizations undergo different types of audits and what characteristics distinguish those types of audits from each other. References provided in each chapter, in addition to the information in the last two chapters in the book, should help direct readers to authoritative sources of guidance on various aspects of auditing and to the major standards organizations and professional associations shaping the evolution of the field. This book does not recommend a particular approach or methodology, but instead highlights the similarities among many of the most prominent frameworks, methodologies, processes, and standards in the hope that readers will recognize the basic aspects of IT auditing in any real-world context.

    A brief summary of each chapter follows.

    Chapter 1: IT Audit Fundamentals
    Chapter 1 establishes a foundation for the rest of the material in the book by defining auditing and related key terms and concepts and explaining the nature and rationale for IT auditing in different organizations, differentiating internal from external audits in terms of the reasons and requirements associated with each perspective. It also identifies organizations and contexts that serve as the subject of IT audit activities and describes the individuals and organizations that perform audits.

    Chapter 2: Auditing in Context
    Chapter 2 emphasizes the practical reality that IT auditing often occurs as a component of a wider-scope audit not limited to IT concerns alone, or a means to support other organizational processes or functions such as GRC, certification, and quality assurance. Audits performed in the context of these broader programs have different purposes and areas of focus than stand-alone IT-centric audits, and offer different benefits and expected outcomes to organizations.

    Chapter 3: Internal Auditing
    Chapter 3 focuses on internal IT auditing, meaning audits conducted under the direction of an organization’s own audit program and typically using auditors who are employees of the organization under examination. This chapter highlights the primary reasons why organizations undergo internal audits, including drivers of mandatory and voluntary audit activities. It also describes some of the benefits and challenges associated with internal auditing and characterizes the role, experience, and career path of internal IT audit personnel.

    Chapter 4: External Auditing
    Chapter 4 provides a direct contrast to Chapter 3 by addressing external auditing, which bears many similarities to internal auditing but is, by definition, conducted by auditors and audit firms wholly separate from the organization being audited. This chapter identifies the key drivers for external audits, explains the role of internal staff in preparing for and supporting external audits, and describes benefits and challenges often encountered by organizations subject to such audits. Because audited organizations often have to choose their external auditors, the chapter also discusses the process of selecting an auditor, the registration requirements applicable to auditors in many countries, and key auditor qualifications.

    Chapter 5: Types of Audits
    Chapter 5 offers an overview of the major types of audits organizations undergo, including financial, operational, certification, compliance, and quality audits in addition to IT-specific audits. For each type of audit, the chapter explains characteristics such as audit rationale, areas of focus, suitability for internal and external auditing approaches, applicable standards and guidance, and anticipated outcomes.

    Chapter 6: IT Audit Components
    The IT domain is too broad to easily address as a whole, whether the topic is auditing, governance, operations, or any other key functions that organizations manage about their IT resources. Chapter 6 breaks down IT and associated controls into different categories—reflecting decomposition approaches commonly used in IT audit methodologies and standards—to differentiate among IT audit activities focused on different IT components. The material in this chapter addresses technical as well as nontechnical categories, describing different technologies and architectural layers, key processes and functions, and aspects of IT programs and projects that are also often subject to audits.

    Chapter 7: IT Audit Drivers
    Chapter 7 describes key types of external and internal drivers influencing organizations’ approaches to IT auditing, including major legal and regulatory requirements as well as motivating factors such as certification, quality assurance, and operational effectiveness. This chapter summarizes the audit-related provisions of major U.S. and international laws governing publicly traded firms and organizations in regulated industries such as financial services, health care, energy, and the public sector. It also explains the motivation provided by internally developed strategies, management objectives, and initiatives on the ways organizations structure their internal audit programs and external audit activities.

    Chapter 8: IT Audit Process
    The IT audit process description provided in Chapter 8 explains in detail the steps organizations and auditors follow when performing audits. Although there is no single accepted standard process applicable in all contexts, most methodologies, frameworks, standards, and authoritative guidance on auditing share many common activities and process attributes, often traceable to the familiar plan-do-check-act (PDCA) model originally developed for quality improvement purposes. Chapter 8 focuses on the activities falling within the generic process areas of audit planning, audit evidence collection and review, analysis and reporting of findings, and responding to findings by taking corrective action or capitalizing on opportunities for improvement.

    Chapter 9: Methodologies and Frameworks
    Although the high-level process of auditing is very similar across organizations,
    industries, audit purposes, and geographies, there is a wide variety of methodolo-
    gies and control and process frameworks available for organizations and individual
    auditors to apply when performing audits. Almost all external auditors follow one
    or more of these approaches and many organizations choose to adopt established
    methodologies and frameworks as an alternative to developing their own. Chapter 9
    presents the best-known and most widely adopted methodologies and frameworks,
    including those focused explicitly on auditing as well as those intended to support
    IT governance, IT management, information security, and control assessment.

    Chapter 10: Audit-Related Organizations, Standards, and Certifications
    There are many standards development bodies and other types of organizations that
    produce and promote standards relevant to IT auditing and that offer professional
    certifications for individuals engaged in auditing or related disciplines. Chapter 10
    identifies the most prominent organizations and summarizes their contributions to
    available standards and certifications.

      Information in this chapter:
      Introduction to IT auditing
      Purpose and rationale
      Intended use
      Key audiences
      Structure and content
      Chapter 1: IT Audit Fundamentals
      Chapter 2: Auditing in Context
      Chapter 3: Internal Auditing
      Chapter 4: External Auditing
      Chapter 5: Types of Audits
      Chapter 6: IT Audit Components
      Chapter 7: IT Audit Drivers
      Chapter 8: IT Audit Process
      Chapter 9: Methodologies and Frameworks
      Chapter 10: Audit-Related Organizations, Standards, and Certifications

    Information Technology Auditing

    A common mistake people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.

    Douglas Adams, author of The Hitchhiker’s Guide to the Galaxy

    To err is human, but to really foul things up you need a computer.

    Attributed to Paul R. Ehrlich, American biologist, author, and technology commentator


    ©McGraw-Hill Education


    Module H Learning Objectives
    Identify how the use of an automated transaction processing system affects the audit examination.
    Understand the steps that are taken to determine whether an audit team can rely on IT controls.
    Provide examples of general controls and understand how these controls relate to transaction processing in an accounting information system.
    Provide examples of automated application controls and understand how these controls relate to transaction processing in an accounting information system.
    Describe how the audit team assesses control risk in an IT environment.


    Illustration of Automated Processing of Sales Transactions


    Issues Introduced In IT Environments
    Input errors
    Systematic vs. random processing errors
    Lack of an audit trail
    Inappropriate access to computer files and programs
    Reduced human involvement in processing transactions


    Reliance on IT Controls
    Three major phases to determine reliability of controls
    Determining the scope of the IT testing plan by carefully identifying each of the IT dependencies
    Understanding the IT controls and processes that need to be tested for each IT dependency
    Testing the IT controls

    Types of IT Control Activities
    General Controls
    Apply to all applications of an automated accounting information system
    Seen as pervasive across the entire technological infrastructure at an audit client
    Automated Application Controls
    Applied to specific business activities within an accounting information system
    Address relevant assertions about significant accounts in the financial statements


    Categories of General Controls
    Access to programs and data controls
    Program change controls
    Computer operations controls
    Program development controls


    Access to Programs and Data Controls
    Provides reasonable assurance that access to programs and data is granted only to authorized users
    Automatic terminal logoff
    Review access rights and compare to usage (through logs)
    Report and communicate security breaches
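The slide's "review access rights and compare to usage (through logs)" and "report security breaches" are the kind of control an auditor can test with a script rather than by inspection alone. The following is an added example, not part of the slides or the textbook: it joins a constructed entitlement export (with an HR active/inactive flag) against constructed authentication log lines in an assumed "timestamp user= action= result= src=" format, and reports logins by unknown accounts, terminated users still authenticating, privileged rights that were never exercised in the review window, and repeated failures followed by a success. All account names, roles and thresholds are assumptions.

```python
"""Access-rights review: compare granted rights with observed use in logs.

Added example, not part of the slides. The entitlement export, the HR status
flags and the authentication log are constructed sample data, and the
"timestamp user= action= result= src=" log format is an assumption.
"""
import re
from datetime import datetime, timedelta

# Constructed entitlement export (assumed field names): roles granted to each
# account and whether HR still lists the person as active.
ENTITLEMENTS = {
    "alice": {"roles": {"ap_clerk"}, "active": True},
    "bob":   {"roles": {"ap_clerk", "gl_admin"}, "active": True},
    "carol": {"roles": {"db_admin"}, "active": False},   # left the company
    "dave":  {"roles": {"gl_admin"}, "active": True},
}

PRIVILEGED_ROLES = {"gl_admin", "db_admin"}

# Constructed authentication log in the assumed format.
AUTH_LOG = """\
2024-03-01T08:02:11Z user=alice action=login result=success src=10.1.4.22
2024-03-01T08:05:40Z user=bob action=login result=success src=10.1.4.23
2024-03-02T23:14:02Z user=carol action=login result=success src=203.0.113.9
2024-03-03T09:00:00Z user=mallory action=login result=failure src=203.0.113.9
2024-03-03T09:00:04Z user=mallory action=login result=failure src=203.0.113.9
2024-03-03T09:00:09Z user=mallory action=login result=success src=203.0.113.9
2024-03-04T10:30:00Z user=alice action=login result=success src=10.1.4.22
this line is garbage and must be skipped, not guessed at
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def review_access(entitlements, events, as_of, dormant_days=30):
    """Return (finding_type, account) pairs an auditor would report."""
    findings = []
    last_login, failures, first_failure = {}, {}, {}
    for e in events:
        if e["action"] != "login":
            continue
        if e["result"] == "success":
            prev = last_login.get(e["user"])
            last_login[e["user"]] = e["ts"] if prev is None else max(prev, e["ts"])
        else:
            failures[e["user"]] = failures.get(e["user"], 0) + 1
            first_failure.setdefault(e["user"], e["ts"])

    # 1. Logins by identities with no entitlement record at all.
    for user in sorted({e["user"] for e in events} - set(entitlements)):
        findings.append(("unknown_account", user))
    # 2. Accounts HR lists as inactive that are still authenticating.
    for user, ent in sorted(entitlements.items()):
        if not ent["active"] and user in last_login:
            findings.append(("terminated_user_active", user))
    # 3. Privileged rights granted but not used within the review window.
    cutoff = as_of - timedelta(days=dormant_days)
    for user, ent in sorted(entitlements.items()):
        if ent["active"] and ent["roles"] & PRIVILEGED_ROLES:
            if user not in last_login or last_login[user] < cutoff:
                findings.append(("dormant_privileged", user))
    # 4. Two or more failures and then a later success: report for investigation.
    for user, n in sorted(failures.items()):
        if n >= 2 and user in last_login and last_login[user] > first_failure[user]:
            findings.append(("failures_then_success", user))
    return findings


def run_review():
    return review_access(ENTITLEMENTS, parse_log(AUTH_LOG),
                         as_of=datetime(2024, 3, 31))


if __name__ == "__main__":
    for kind, account in run_review():
        print(f"{kind}: {account}")
```

The review is only as good as its two inputs: the entitlement export must come from the system that actually enforces access (not a spreadsheet maintained by hand), and the log window must cover the whole review period, otherwise a dormant privileged account simply looks like one that was never granted.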


    Timeline of the massive Equifax breach

    Program Change Controls
    Implemented by the entity to provide reasonable assurance that requests for modifications to existing programs
    Are properly authorized and conducted in accordance with policies
    Involve the appropriate users in the process
    Are tested and validated prior to use
    Have appropriate documentation
    Two additional controls: one for “emergency” change requests and one for the migration of new programs into operations
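One concrete way to test the "migration of new programs into operations" control is to compare what is actually running in production against the build that the change record approved. The following is an added example, not part of the slides: it assumes the change record stores a manifest of SHA-256 digests of the approved release, hashes a (constructed, temporary) production directory, and classifies every difference as a missing, modified or unauthorized file. File names and contents are constructed for the demonstration.

```python
"""Change-migration control: verify what runs in production matches the approved build.

Added example, not part of the slides. It assumes the change record stores a
manifest of SHA-256 digests for the approved release and that production is a
directory tree; the file names and contents below are constructed.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Digest of every file under root, keyed by path relative to root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_to_approved(approved, deployed):
    """Classify every difference between the approved manifest and production.

    missing      approved file not present in production (incomplete migration)
    modified     file present but contents differ from the approved build
    unauthorized file in production that no approved change covers
    """
    findings = []
    for path, digest in sorted(approved.items()):
        if path not in deployed:
            findings.append(("missing", path))
        elif deployed[path] != digest:
            findings.append(("modified", path))
    for path in sorted(set(deployed) - set(approved)):
        findings.append(("unauthorized", path))
    return findings


def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Simulate an approved release, then two unapproved changes after go-live."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed release exactly as the change ticket approved it.
        write(root, "bin/post_invoices.py", b"print('post invoices')\n")
        write(root, "conf/limits.ini", b"max_invoice=10000\n")
        approved = build_manifest(root)   # recorded with the change ticket
        # Unapproved activity the control should surface:
        write(root, "conf/limits.ini", b"max_invoice=10000000\n")  # edited in place
        write(root, "bin/hotfix.py", b"print('emergency')\n")      # never approved
        return compare_to_approved(approved, build_manifest(root))


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind}: {path}")
```

The approved manifest has to be produced from the build the ticket approved and stored where production operators cannot edit it (in the change system or signed by the release process); a manifest regenerated from production itself only proves that production equals production. Emergency changes should appear in this comparison as "modified" or "unauthorized" until a retroactive ticket is approved and the manifest is reissued.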


    Computer Operations Controls
    Concerned with providing reasonable assurance that
    The processing of transactions is in accordance with the entity’s objectives
    Processing failures are resolved on a timely basis
    Actions are taken to facilitate the backup and recovery of important data


    Examples of Computer Operations Controls
    Important roles in an IT environment
    Systems analysts, programmers, computer operators, data conversion operators, librarians, control group
    Important general control: separation of the duties performed by the
    Systems analysts
    Computer operators


    Computer Operations Controls: Files and Data
    Three major objectives for files and data used in processing
    The files used in automated processing are appropriate
    The files are appropriately secured and protected from loss
    Files can be reconstructed from earlier versions of information used in processing

    Program Development Controls
    Provide reasonable assurance that
    Acquisition and development of new programs is properly authorized and conducted in accordance with policies
    Appropriate users participate in process
    Programs and software are tested and validated prior to use
    Programs and software have appropriate documentation



    Testing General IT Controls

    General Controls and Assertions

    General Controls: Category, Examples, and Objectives

    Automated Application Controls
    Controls applied to specific business activities within an accounting information system to mitigate the risk of material misstatement
    Specific to each cycle (revenue and collection, acquisition and expenditure)
    Organized into 3 Categories
    Input controls
    Processing controls
    Output controls

    Input Controls
    Designed to provide reasonable assurance that data received for processing by the computer department have been
    Properly authorized
    Accurately entered or converted for processing


    Processing Controls
    Provide reasonable assurance that
    Data processing has been performed accurately without any omission or duplicate processing of transactions
    Test processing accuracy of programs
    File and operator controls
    Run-to-run totals
    Control total reports
    Limit and reasonableness tests
    Error correction and resubmission procedures


    Output Controls
    Provide reasonable assurance that
    Output reflects accurate processing
    Only authorized persons receive output or have access to files generated from processing
    Review of output for reasonableness
    Control total reports
    Master file changes
    Output distribution limited to appropriate person(s)


    Automated Application Controls


    Assessing Control Risk in an IT Environment
    Identify specific types of misstatement that could occur
    Identify points in the flow of transactions where misstatements could occur
    Identify control procedures designed to prevent or detect misstatements
    General controls and automated application controls
    Evaluate design of control procedures
    Are tests of controls cost-effective?
    Does the design suggest a low control risk?


    Points of Potential Misstatement in an IT Environment


    Examples of Controls to Mitigate Risk of Material Misstatement

    Testing Controls in an IT Environment
    Testing controls
    Inspection of documentation
    Characteristics auditors must consider when evaluating
    Possibility of temporary transaction trails
    Uniform processing of transactions
    Potential for errors and frauds
    Potential for increased management supervision
    Initiation or subsequent execution of transactions by computer
    Use of cloud computing applications


    Methods of Testing General Controls


    Methods of Testing Automated Application Controls


    Test Data Approach
    Test data: Simulated transactions containing known errors to test the client’s controls

    The Test of One
    Only one type of each kind of transaction error needs to be tested
    Because a client’s IT system processes transactions in the same manner every time, once the audit team is satisfied based on testing performed that an automated internal control activity operates effectively, there is no need to test the control activity again
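The input and processing controls listed earlier (authorization checks, limit and reasonableness tests, duplicate detection, control totals) and the test-data approach described here fit together naturally: the auditor plants exactly one instance of each error type and checks that the application rejects each for the expected reason. The following is an added example, not part of the slides: a small set of automated application controls over constructed sales transactions, a constructed customer master with assumed credit limits, an assumed quantity ceiling, and a known-error test batch whose expected outcome is recorded alongside it. Batch control totals (record count and financial total) are reconciled against the values assumed to have been submitted with the batch header.

```python
"""Automated application controls exercised with the test-data approach.

Added example, not part of the slides. The transaction layout, the customer
master, the credit limits and the quantity ceiling are constructed assumptions;
a real system reads them from its own tables.
"""

# Constructed customer master: credit limit and whether the account is open.
CUSTOMERS = {
    "C100": {"limit": 5000.0, "active": True},
    "C200": {"limit": 20000.0, "active": True},
    "C300": {"limit": 1000.0, "active": False},
}
MAX_QTY = 500  # reasonableness ceiling on quantity per line (assumed)


def is_number(x):
    return isinstance(x, (int, float)) and not isinstance(x, bool)


def validate(txn, seen_ids):
    """Input and processing controls for one sales transaction.

    Returns the list of control failures; an empty list means accepted.
    """
    reasons = []
    cust = CUSTOMERS.get(txn.get("customer"))
    if cust is None or not cust["active"]:
        reasons.append("unauthorized_customer")      # validity / authorization
    if not isinstance(txn.get("qty"), int) or txn["qty"] <= 0:
        reasons.append("invalid_quantity")           # field check
    elif txn["qty"] > MAX_QTY:
        reasons.append("unreasonable_quantity")      # reasonableness test
    if not is_number(txn.get("amount")) or txn["amount"] <= 0:
        reasons.append("invalid_amount")             # field check
    elif cust and txn["amount"] > cust["limit"]:
        reasons.append("over_credit_limit")          # limit test
    if txn.get("id") in seen_ids:
        reasons.append("duplicate")                  # no duplicate processing
    return reasons


def process_batch(txns, submitted_count, submitted_total):
    """Apply the controls to a batch and reconcile batch control totals."""
    results, seen = [], set()
    for t in txns:
        reasons = validate(t, seen)
        seen.add(t.get("id"))
        results.append((t.get("id"), reasons))
    computed_total = sum(t["amount"] for t in txns if is_number(t.get("amount")))
    return {
        "results": results,
        "count_ok": len(txns) == submitted_count,                   # record count
        "total_ok": abs(computed_total - submitted_total) < 0.005,  # financial total
    }


# Test data: one instance of each error type, plus one clean record (test of one).
TEST_DATA = [
    {"id": "T1", "customer": "C100", "qty": 10, "amount": 1200.0},   # valid
    {"id": "T2", "customer": "C999", "qty": 1, "amount": 50.0},      # unknown customer
    {"id": "T3", "customer": "C300", "qty": 1, "amount": 50.0},      # closed customer
    {"id": "T4", "customer": "C100", "qty": -5, "amount": 50.0},     # negative quantity
    {"id": "T5", "customer": "C100", "qty": 9999, "amount": 50.0},   # absurd quantity
    {"id": "T6", "customer": "C100", "qty": 1, "amount": 6000.0},    # over credit limit
    {"id": "T1", "customer": "C100", "qty": 10, "amount": 1200.0},   # resubmitted T1
    {"id": "T7", "customer": "C200", "qty": 1, "amount": "12"},      # amount not numeric
]
# What the auditor expects the controls to report for each record, in order.
EXPECTED = [
    [], ["unauthorized_customer"], ["unauthorized_customer"], ["invalid_quantity"],
    ["unreasonable_quantity"], ["over_credit_limit"], ["duplicate"], ["invalid_amount"],
]


def run_test_data():
    """Feed the known-error batch through the controls; batch header values are constructed."""
    return process_batch(TEST_DATA, submitted_count=8, submitted_total=8600.0)


def controls_operate_as_expected():
    """True when every planted error is caught for exactly the expected reason."""
    return [r for _, r in run_test_data()["results"]] == EXPECTED


if __name__ == "__main__":
    out = run_test_data()
    for txn_id, reasons in out["results"]:
        print(txn_id, "accepted" if not reasons else ", ".join(reasons))
    print("batch count ok:", out["count_ok"], "batch total ok:", out["total_ok"])
    print("controls operate as expected:", controls_operate_as_expected())
```

The "test of one" logic holds only while the program and its reference data are unchanged: the expected-result list is evidence for the version of the code and the customer master it was run against, so the test data should be rerun after any change to either (which ties this back to the program change controls).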



    Test Data Approach – Test of One

    End-User Computing and other Environments
    Control issues
    Lack of separation of duties
    Lack of physical security
    Lack of program documentation and testing
    Limited computer knowledge of personnel


    End-User Computing Control Considerations
    Computer Operations Controls
    Data Entry Controls
    restricted access, standard screens and computer prompting, online editing and sight verification
    Processing Controls
    transaction logs, control totals, data comparisons, audit trail
    System Development and Modification Controls


    End-User Computing in Service Organizations
    Service Organizations
    Limit concentration of functions and increase supervision
    Access to program and data controls are critical

    Computer Abuse and Computer Fraud
    The use of computer technology by a perpetrator to achieve gains at the expense of a victim
    Preventative: Stop fraud from entering system
    Detective: Identify fraud when it enters system
    Damage-limiting: Designed to limit the damage if a fraud does occur
    Levels of Controls
    Administrative controls
    Physical controls
    Technical controls


    Protecting the Computer from Fraud
    (Selected Controls)


    Information Technology Risk and Controls

    2nd Edition

    IPPF – Practice Guide


    Global Technology Audit Guide (GTAG®) 1
    Information Technology Risk and Controls

    2nd Edition

    March 2012



    GTAG — Table of Contents

    Executive Summary
    1. Introduction
    2. Introduction to the Basis of IT-related Business Risks and Controls
    3. Internal Stakeholders and IT Responsibilities
    4. Analyzing Risks
    5. Assessing IT — An Overview
    6. Understanding the Importance of IT Controls
    7. IT Audit Competencies and Skills
    8. Use of Control Framework
    9. Conclusion
    10. Authors & Reviewers
    11. Appendix: IT Control Framework Checklist


    GTAG — Executive Summary

    Executive Summary

    This GTAG helps chief auditing executives (CAEs) and
    internal auditors keep pace with the ever-changing and
    sometimes complex world of IT by providing resources
    written for business executives — not IT executives. Both
    management and the Board have an expectation that the
    internal audit activity provides assurance around all-impor-
    tant risks, including those introduced or enabled by the
    implementation of IT. The GTAG series helps the CAE
    and internal auditors become more knowledgeable of the
    risk, control, and governance issues surrounding technology.
    The goal of this GTAG is to help internal auditors become
    more comfortable with general IT controls so they can talk
    with their Board and exchange risk and control ideas with
    the chief information officer (CIO) and IT management.
    This GTAG describes how members of governing bodies,
    executives, IT professionals, and internal auditors address
    significant IT-related risk and control issues as well as pres-
    ents relevant frameworks for assessing IT risk and controls.
    Moreover, it sets the stage for other GTAGs that cover in
    greater detail specific IT topics and associated business roles
    and responsibilities.

    This guide is the second edition of the first installment in
    the GTAG series — GTAG 1: Information Technology
    Controls — which was published in March 2005. Its goal
    was, and is, to provide an overview of the topic of IT-related
    risks and controls.

    GTAG — Introduction

    1. Introduction

    The purpose of this GTAG is to explain IT risks and controls
    in a format that allows CAEs and internal auditors to under-
    stand and communicate the need for strong IT controls. It is
    organized to enable the reader to move through the frame-
    work for assessing IT controls and to address specific topics
    based on need. This GTAG provides an overview of the
    key components of IT control assessment with an emphasis
    on the roles and responsibilities of key constituents within
    the organization who can drive governance of IT resources.
    Some readers already may be familiar with some aspects of
    this GTAG, but some segments will provide new perspectives
    on how to approach IT risks and controls. One goal of this
    GTAG, and others in the series, is that IT control assess-
    ment components can be used to educate others about what
    IT risk and controls are and why management and internal
    audit should ensure proper attention is paid to fundamental
    IT risks and controls to enable and sustain an effective IT
    control environment.

    Although technology provides opportunities for growth and
    development, it also represents threats, such as disruption,
    deception, theft, and fraud. Research shows that outside
    attackers threaten organizations, yet trusted insiders are a
    far greater threat. Fortunately, technology also can provide
    protection from threats, as this guide will demonstrate.
    Executives should know the right questions to ask and what
    the answers mean. For example:

    • Why should I understand IT risks and controls?
    Two words: assurance and reliability. Executives
    play a key role in assuring information reliability.
    Assurance comes primarily from an interdependent
    set of business controls as well as from evidence that
    controls are continuous and sufficient. Management
    must weigh the evidence provided by controls and
    audits and conclude that it provides reasonable

    • What is to be protected? Trust should be protected
    because it ensures business and efficiency. Controls
    provide the basis for trust, although they often
    are unseen. Technology provides the foundation
    for many — perhaps most — business controls.
    Reliability of financial information and processes —
    now mandated for many organizations— is all about

    • Where are IT controls applied? Everywhere. IT
    includes technology components, processes, people,
    organization, and architecture, as well as the infor-
    mation itself. Many IT controls are technical in
    nature, and IT supplies the tools for many business

    • Who is responsible? Everyone. However, control
    ownership and responsibilities must be defined and
    disseminated by management. Otherwise, no one is
    responsible, and results could be quite severe.

    • When should IT risks and controls be assessed?
    Always. IT is a rapidly changing environment that
    promotes process and organizational change. New
    risks emerge at a rapid pace. Controls must present
    continuous evidence of their effectiveness, and that
    evidence must be assessed and evaluated constantly.

    • How much control is enough? Management must
    decide based on risk appetite, tolerance and manda-
    tory regulations. Controls are not the objective;
    controls exist to help meet business objectives.
    Controls are a cost of doing business and can
    be expensive, but not nearly as expensive as the
    possible consequences of inadequate controls.

    IT controls are essential to protect assets, customers, part-
    ners, and sensitive information; demonstrate safe, efficient,
    and ethical behavior; and preserve brand, reputation, and
    trust. In today’s global market and regulatory environment,
    these things are too easy to lose. A CAE can use this guide
    as a foundation to assess an organization’s framework and
    internal audit practices for IT risk and control, compliance,
    and assurance. It also can be used to meet the challenges
    of constant change, increasing complexity, rapidly evolving
    threats, and the need to improve efficiency.

    IT controls do not exist in isolation. They form an inter-
    dependent continuum of protection, but they also may be
    subject to compromise due to weak links. IT controls are
    subject to error and management override, range from
    simple to highly technical, and exist in a dynamic envi-
    ronment. IT controls have two significant elements: the
    automation of business controls (which support business
    management and governance) and control of the IT envi-
    ronment and operations (which support the IT applications
    and infrastructures). The CAE needs to consider and assess
    both elements. The CAE may view the automated busi-
    ness controls as those controls where both business and IT
    audit skills work together in an integrated audit capacity.
    The CAE may want to separate the general IT controls or
    general computer controls (GCCs) based on the technical
    skills and competencies necessary to assess more technical
    applications, infrastructure, and operations. For example,
    an enterprise resource planning (ERP) application requires
    more technical knowledge to understand and assess controls
    over the ERP database structures, user access, system config-
    uration, and financial reporting. The CAE will find that
    assessing infrastructure, such as networks, routers, firewalls,
    and wireless and mobile devices requires specialized skills
    and experience. The internal auditor’s role in IT controls
    begins with a sound conceptual understanding and culminates
    in providing the results of risk and control assessments.
    Internal auditing involves significant interaction with the
    people in positions of responsibility for controls and requires
    continuous learning and reassessment as new technologies
    emerge and as the organization’s opportunities, uses, depen-
    dencies, strategies, risks, and requirements change.

    IT controls provide for assurance related to the reliability
    of information and information services. IT controls help
    mitigate the risks associated with an organization’s use of
    technology. They range from corporate policies to their phys-
    ical implementation within coded instructions; from physical
    access protection through the ability to trace actions and
    transactions to responsible individuals; and from automatic
    edits to reasonability analyses for large bodies of data.

    The following are examples of key control concepts:
    • Assurance is provided by the IT controls within the

    system of internal controls. This assurance should be
    continuous and provide a reliable trail of evidence.

    • The internal auditor’s assurance is an independent
    and objective assessment that the IT-related controls
    are operating as intended. This assurance is based
    on understanding, examining, and assessing the
    key controls related to the risks they manage and
    performing sufficient testing to ensure the controls
    are designed appropriately and functioning effec-
    tively and continuously.

    Many frameworks exist for categorizing IT controls and their
    objectives. This guide recommends that each organization
    use the applicable components of existing frameworks to
    categorize and assess IT risks and controls.

    GTAG — Introduction to the Basis of IT-related
    Business Risks and Controls

    2. Introduction to the Basis
    of IT-related Business
    Risks and Controls
    2.1 Key Concepts

    Organizations continue to leverage the ever-changing
    capabilities of technology to advance their offerings and
    services in ways that challenge the internal audit profes-
    sion. The IIA’s International Standards for the Professional
    Practice of Internal Auditing (Standards) specifically notes
    that internal auditors must assess and evaluate the risks and
    controls for information systems that operate within the
    organization. The IIA has provided further perspective on
    assessing IT risks and controls through additional GTAGs.
    GTAG 4: Management of IT Auditing discusses IT risks and
    the resulting IT risk universe, and GTAG 11: Developing
    the IT Audit Plan helps internal auditors assess the business
    environment that the technology supports and the poten-
    tial aspects of the IT audit universe. Additionally, GTAG 8:
    Auditing Application Controls covers the specific auditing
    aspects of application controls and the approach internal
    auditors can take when assessing the controls.

    The term board is used in this GTAG as defined in the
    Standards glossary: “a board is an organization’s governing
    body, such as a board of directors, supervisory board, head of
    an agency or legislative body, board of governors or trustees
    of a nonprofit organization, or any other designated body of
    the organization, including the audit committee to whom the
    chief audit executive may functionally report.”

    As this GTAG will explore further, the assessment of IT
    risks and controls in place to address them must be associ-
    ated with the established business process environment and
    the specific organization objectives that need to be met as
    outlined by organization executives and the Board. IT risks
    are just one piece of the overall complex interconnectivity of
    people, processes, infrastructure, and enterprise risk environ-
    ment that exists and should be managed as a whole by the

    Internal auditors need to understand the range of controls
    available for mitigating IT risks. The controls can be thought
    of as existing within a hierarchy that relies on the oper-
    ating effectiveness interconnectivity of the controls as well
    as the realization that failure of a set of controls can lead
    to increased reliance and necessary examination of other
    control groups. Within this document, IT controls will be
    referred to in terms such as governance, management, tech-
    nical, and application based on who in the organization
    implements and maintains them.

    Another view of IT controls is in terms of general and appli-
    cation controls. General IT controls are typically pervasive
    in nature and are addressed through various audit avenues.
    Examples include IT operations, application development
    and maintenance, user management, change management,
    and backup and recovery. Application controls provide
    another category of controls and include controls within an
    application around input, processing, and output.

    This GTAG also will explore the use of controls for managing
    and governing the infrastructure, processes, and personnel
    supporting the business through technology. IT governance
    continues to evolve within organizations because of the
    continued use of IT as well as increased oversight by manage-
    ment and the Board.

    2.2 IT Governance


    When addressing the topic of IT controls, an important
    consideration is IT governance, which provides the frame-
    work to ensure that IT can support the organization’s overall
    business needs. It is important for IT management to possess a
    strong understanding of the organization’s business processes
    used to meet its objectives and achieve the goals outlined by
    executive management and the Board. IT governance is not
    only composed of the controls needed to address identified
    risks but also is an integrated structure of IT practices and
    personnel that must be aligned closely with — and enable
    achievement of — the organization’s overall strategies and

    A CAE needs to be able to evaluate the IT governance struc-
    ture and its ability to deliver results for the organization and
    improve the efficiencies of the IT activity. Research efforts
    have indicated that IT governance does lead to improved
    business performance as well as better alignment of IT with
    the business in achieving strategic objectives.

    IT governance consists of the leadership, organizational
    structures, and processes that ensure that the organization’s
    IT sustains and supports the organization’s strategies and

    With the requirement of IIA Standard 2110.A2 stating
    that the internal audit activity must assess whether the IT
    governance of the organization supports the organization’s
    strategies and objectives, CAEs need to be prepared to eval-
    uate this key aspect of the overall IT landscape.

    Proper application of IT governance principles has the ability
    to influence and impact the entire organization and how IT
    interacts with the business.

    • Identification and management of IT risks and
    enablement of improved IT operations: IT governance
    helps ensure close linkage to an organization’s
    risk management activities, including enterprise risk
    management (ERM). IT governance needs to be an
    integral part of the overall corporate risk manage-
    ment efforts so that appropriate techniques can be
    incorporated into IT activities, including communi-
    cation of risk status to key stakeholders, throughout
    the organization. A CAE should review the risk
    management activities being used by the overall
    organization and make sure linkage exists from IT
    risk management efforts to corporate risk activities
    and that appropriate attention is being placed on the
    IT risk profile.

    • Enhancing the relationship between the business
    and IT: IT governance provides a mechanism
    to link the use of IT to an organization’s overall
    strategies and goals. The relationship between the
    business and IT will make sure that IT resources are
    focused on doing the right things at the right time.
    The communication between IT and the business
    should be free flowing and informative, providing
    insight into what IT is delivering as well as the
    status of those efforts. A CAE should review the
    alignment and ensure that strong portfolio manage-
    ment processes exist, allowing the business and IT
    organizations to collaborate on resource priorities
    and initiatives and overall investment decisions.

    • Visibility into IT management’s ability to achieve
    its objectives: IT organizations will define their
    strategies to support the business, part of which
    is making sure the day-to-day IT operations are
    being delivered efficiently and without compromise.
    Metrics and goals are established not only to help
    IT execute on a tactical basis but also to guide the
    activities of the personnel to improve maturity of
    practices. The results will enable IT to execute its
    strategy and achieve its objectives established with
    the approval of organization leaders. A CAE should
    assess whether the linkage of IT metrics and objec-
    tives align with the organization’s goals and become
    a measurement of the progress being made on
    approved initiatives. Additionally, the CAE can help
    validate that metrics are being measured effectively
    and represent realistic views of the IT operations
    and governance on a tactical and strategic basis.

    • Management of risks and identification of continuous
    improvement opportunities for business and
    IT outcomes: Risk management is a key component
    of an effective IT governance structure within an
    organization. The identification and management of
    IT risks will enable the IT activity to run the busi-
    ness of IT more effectively while also identifying
    potential opportunities to improve its practices. IT
    risks should have defined owners who methodically

    communicate the status of the risk management
    efforts to all levels of management. The CAE
    provides a valuable role in validating the consistency
    of the IT risk universe and will use the information
    to help define the internal audit universe for inde-
    pendent risk assessment and audit planning efforts.
    The Risk IT Practitioner Guide developed by the IT
    Governance Institute (ITGI) and ISACA provides
    a framework for identifying and assessing IT risks
    while also providing a direct link to the Control
    Objectives for Information and Related Technology
    (COBIT) framework.

    • IT governance improving adaptability of IT to
    changing business and IT environments: IT gover-
    nance provides a foundation for IT to better manage
    its responsibilities and support of the business
    through defined processes and roles and responsibili-
    ties of IT personnel. By having such formality in
    place, IT has the ability to better identify potential
    anomalies on a daily and trending basis, leading to
    root cause identification of situations and issues.
    Additionally, IT has the ability to adapt more flex-
    ibly to ad hoc requests for new or enhanced business
    capabilities. Today’s CAE can assess such data
    sources (e.g., help desk and problem management
    tickets) to evaluate how IT is addressing unknown
    issues. The CAE also can review IT portfolio
    management processes to understand how needs are
    prioritized and whether flexibility exists to repri-
    oritize needs based on the organization’s changing

    As internal audit activities assess the organization’s IT gover-
    nance structure and practices, several key components that
    lead to effective IT governance can be evaluated, including:

    • Leadership. Evaluate the relationship between IT
    objectives and the organization’s current/strategic
    needs. Assess the involvement of IT leaders in the
    development and ongoing execution of the orga-
    nization’s strategic goals. Review how roles and
    responsibilities are assigned within the IT activity
    and whether personnel perform them as designed.
    Also, review the role of senior management and the
    Board in helping establish and maintain strong IT

    • Organization structures. Review how the business
    and IT personnel are interacting and communi-
    cating current and future needs through the existing
    organizational structure. This should include the
    existence of necessary roles and reporting relation-
    ships to allow IT to adequately meet the needs of the
    business while giving the business the opportunity
    to have its requirements addressed through formal
    evaluation and prioritization.


    GTAG — Introduction to the Basis of IT-related
    Business Risks and Controls

    • IT processes. Evaluate IT process activities and
    controls in place to manage the needs of the busi-
    ness while providing the necessary assurance over
    business processes and underlying systems. The IT
    activity uses the processes to support the IT environ-
    ment and help with consistent delivery of expected
    services. Determine how IT will be measured in
    helping the organization achieve these goals.

    • Risk management. Review the IT activity’s processes
    to identify, assess, and monitor/mitigate risks within
    the IT environment. Additionally, determine the
    accountability personnel have within the risk
    management process and how well these expecta-
    tions are being met. Understand what events have
    occurred and impacted the IT activity to determine
    whether appropriate risk management practices
    are in place and whether risk demographics (e.g.,
    risk frequency, impact, mitigation techniques) were
    appropriately documented and, if needed, updated
    after the event.

    • Control activities. Assess the IT-defined key control
    activities to manage its business and the support
    of the overall organization. Internal audit should
    review ownership, documentation, and self-valida-
    tion aspects. Additionally, the control set should be
    robust enough to address the identified risks.



    GTAG — Internal Stakeholders and IT


    3. Internal Stakeholders and IT Responsibilities

    An organization must understand and manage its IT environment. Furthermore, it must understand and recognize the business
    processes’ dependence on IT and the need to conform to regulatory compliance demands.
    Business opportunities are exploited or lost as a consequence of success or failure in managing and using IT. Effective IT
    governance increases the likelihood that IT enables the business to meet its goals and that resources are prudently managed.
    The following table1 outlines a set of possible oversight functions and responsibilities with links to the Board, executive manage-
    ment, senior management, and internal auditors from an IT governance point of view.

    Role and responsibilities

    The Board

    The Board should:

    • Understand the strategic value of the IT function.

    • Become informed of role and impact of IT on the enterprise.

    • Set strategic direction and expect return.

    • Consider how management assigns responsibilities.

    • Oversee how transformation happens.

    • Understand constraints within which management operates.

    • Oversee enterprise alignment.

    • Direct management to deliver measurable value through IT.

    • Oversee enterprise risk.

    • Support learning, growth, and management of resources.

    • Oversee how performance is measured.

    • Obtain assurance.


    Executive Management

    Executive management should:

    • Become informed of role and impact of IT on the enterprise.

    • Cascade strategy, policies, and goals down into the enterprise, and align the IT organization with
    the enterprise goals.

    • Determine required capabilities and investments.

    • Assign accountability.

    • Sustain current operations.

    • Provide needed organizational structures and resources.

    • Embed clear accountabilities for risk management and control over IT.

    • Measure performance.

    • Focus on core business competencies IT must support.

    • Focus on important IT processes that improve business value.

    • Create a flexible and adaptive enterprise that leverages information and knowledge.

    • Strengthen value delivery.

    • Develop strategies to optimize IT costs.

    • Have clear external sourcing strategies.

    1 This table contains portions of the ITGI’s Board Briefing on IT
    Governance, 2nd Edition, used with permission from ITGI and
    ISACA. ©2003 ITGI. All rights reserved






    Senior Management

    Senior management should:

    • Manage business and executive expectations relative to IT.

    • Drive IT strategy development and execute against it.

    • Link IT budgets to strategic aims and objectives.

    • Ensure measurable value is delivered on time and budget.

    • Implement IT standards, policies and control framework as needed.

    • Inform and educate executives on IT issues.

    • Look into ways of increasing IT value contribution.

    • Ensure good management over IT projects.

    • Provide IT infrastructures that facilitate cost-efficient creation and sharing of business intelli-

    • Ensure the availability of suitable IT resources, skills, and infrastructure to meet objectives and
    create value.

    • Assess risks, mitigate efficiently, and make risks transparent to the stakeholders.

    • Ensure that roles critical for managing IT risks are appropriately defined and staffed.

    • Ensure the day-to-day management and verification of IT processes and controls.

    • Implement performance measures directly and demonstrably linked to the strategy.

    • Focus on core IT competencies.

    The Internal Audit Activity

    The internal audit activity should:

    • Ensure a sufficient baseline level of IT audit expertise in the department.

    • Include evaluation of IT in its planning process.

    • Assess whether IT governance in the organization sustains and supports strategies and objec-

    • Identify and assess the risk exposures relating to the organization’s information systems.

    • Assess controls responding to risks within the organization’s information systems.

    • Ensure that the audit department has the IT expertise to fulfil its engagements.

    • Consider using technology-based audit techniques as appropriate.

    In addition to internal stakeholders, it is also important to take into consideration external parties, such as the external
    auditor, national authorities, public expectations, and international organizations for standardization.



    GTAG — Analyzing Risks

    4. Analyzing Risks

    IT controls are selected and implemented on the basis of the
    risks they are designed to manage. As risks are identified,
    suitable risk responses are determined and range from doing
    nothing and accepting the risk as a cost of doing business
    to applying a wide scope of specific controls. This section
    explains the concepts of when to apply IT controls.

    It would be a relatively straightforward task to create a list of
    recommended IT controls that must be implemented within
    each organization. However, each control has a specific
    cost that may not be justified in terms of cost effectiveness
    when considering the type of organization and industry.
    Furthermore, no list of controls is universally applicable
    across all types of organizations. Although there is a lot of
    good advice available on the choice of suitable controls,
    strong judgment must be used. Controls must be appropriate
    for the level of risk the organization faces. The CAE should
    be able to advise the audit committee that the internal
    control framework is reliable and provides a level of assur-
    ance appropriate to the organization’s risk appetite. In this
    respect, the Committee of Sponsoring Organizations of the
    Treadway Commission (COSO)2 defines risk appetite as:

    “… the degree of risk, on a broad-based level, that a company or other
    organization is willing to accept in pursuit of its goals. Management
    considers the organization’s risk appetite first in evaluating strategic
    alternatives, then in the setting of objectives aligned with the selected
    strategy, and in developing mechanisms to manage the related risks.”

    In addition to risk appetite, the CAE should consider risk
    tolerance. COSO defines risk tolerance as:

    “… the acceptable level of variation relative to the achievement of
    objectives. In setting specific risk tolerances, management considers
    the relative importance of related objectives and aligns risk tolerances
    with its risk appetite.”

    Therefore, the CAE should consider whether:

    • The organization’s IT environment is consistent
    with the organization’s risk appetite.

    • The internal control framework is adequate to
    ensure the organization’s performance remains
    within the stated risk tolerances.

    4.1 Risk Considerations in Determining the Adequacy of IT Controls

    Risk management applies to the entire spectrum of activity
    within an organization — not just to the application of IT. IT
    cannot be considered in isolation. Rather, IT must be treated
    as an integral part of all business processes. Choosing IT
    controls is not a matter of implementing those recommended
    as best practices; controls must add value to the organiza-
    tion by reducing risk efficiently and increasing effectiveness.
    When considering the adequacy of IT controls within the
    organization’s internal control framework, the CAE should
    consider the processes established by management to

    • The use, value, and criticality of information.

    • The organization’s risk appetite and tolerance for
    each business function and process.

    • IT risks faced by the organization and quality of
    service provided to its users.

    • The complexity of the IT infrastructure.

    • The appropriate IT controls and the benefits they

    The frequency of risk analysis is important and is influenced
    greatly by both internal and external changes. The speed of
    technological change will impact each organization differ-
    ently. Some organizations will need to respond to the risks
    associated with technology changes rapidly while others may
    decide to respond at a more measured pace.

    4.1.1 The IT Environment

    Analyzing and assessing risk in relation to IT can be complex.
    The IT infrastructure comprises hardware, software, commu-
    nications, applications, protocols (i.e., rules), and data, as
    well as their implementation within physical space, within
    the organizational structure, and between the organization
    and its external environment. Infrastructure also includes
    the people interacting with the physical and logical elements
    of systems.

    Other areas to consider include project-related and provider
    risks. For example, project-related risk includes insufficient
    budget, resources, project management, and technical skills.
    For third-party provider and vendor risks, the IT auditor
    should analyze issues such as stability, financial strength,
    review of IT controls, and audit rights.

    The inventory of IT infrastructure components reveals
    basic information about the environment’s vulnerabilities.
    For example, business systems and networks connected
    to the Internet are exposed to threats that do not exist
    for self-contained systems and networks. Because Internet
    connectivity is an essential element of most business systems

    2 The Committee of Sponsoring Organizations of the Treadway
    Commission, “Committee of Sponsoring Organizations for the
    Commission on Fraudulent Financial Reporting.”




    and networks, organizations must make certain that their
    systems and network architectures include fundamental
    controls that ensure basic security.

    The complete inventory of the organization’s IT hardware,
    software, network, and data components forms the foundation
    for assessing the vulnerabilities within the IT infrastructure.
    Systems architecture schematics reveal the implementation
    of infrastructure components and how they interconnect
    with other components inside and outside the organiza-
    tion. To the information security expert, the inventory and
    architecture of IT infrastructure components, including
    the placement of security controls and technologies, reveal
    potential vulnerabilities. Unfortunately, information about a
    system or network also can reveal vulnerabilities to a poten-
    tial attacker, so access to such information must be restricted
    to only those people who need it. A properly configured
    system and network environment will minimize the amount
    of information it provides to would-be attackers, and an envi-
    ronment that appears secure presents a less attractive target
    to attackers.

    4.1.2 IT Risks Faced by the Organization

    The CAE discusses IT risk issues with the CIO and process
    owners to assess whether all related parties have an appro-
    priate awareness and understanding of the technical risks the
    organization faces through the use of IT as well as their roles
    in applying and maintaining effective controls.

    4.1.3 Risk Appetite and Tolerance

    Armed with the knowledge of IT risks, the auditor can
    validate the existence of effective controls to meet the orga-
    nization’s established risk appetite and its risk tolerance in
    relation to IT. The auditor’s assessment will involve discus-
    sions with many members of management and —potentially
    — the Board. The level of detail of these discussions can be
    determined with input from the CIO, the chief information
    security officer (CISO), and process owners.

    An organization’s use of ERM must include IT risks as part of
    this process. ERM includes methods and processes to manage
    risks and seize opportunities in achieving the organization’s
    objectives. It typically starts with identifying particular
    events or circumstances relevant to the organization’s objec-
    tives (e.g., the risks of data breaches), assessing them in terms
    of likelihood and magnitude of impact (e.g., the inherent risk
    of a data breach is rated high, and the impact also is rated
    as high), determining a response (e.g., new policies to better
    secure the organization’s data), and monitoring progress on
    the implementation of responses (e.g., the IT activity’s imple-
    mentation of new security measures to avoid data breaches).
    By identifying and proactively addressing risks and oppor-
    tunities, organizations will be better suited to protect and
    create value for stakeholders. In this way, ERM assists the
    CAE in understanding the significant risks for the entire
    organization. Then, the CAE can use this perspective to set
    audit priorities, determine audit project activities, and estab-
    lish risk appetite and tolerance.3

    4.1.4 Performing a Risk Analysis

    A risk analysis should be performed with involvement from
    various roles and departments within an organization,
    including the chief risk officer (CRO), CAE, IT activity, and
    business representatives.

    Basic questions associated with the risk assessment process

    • Which IT assets (this includes both tangible and
    intangible IT assets, such as information or repu-
    tation) are at risk, and what is the value of their
    confidentiality, integrity, and availability?

    • What could happen to adversely affect that infor-
    mation’s asset value (threat event)? Implicit to this
    question is the vulnerability analysis and mapping
    of vulnerabilities to threats and potentially impacted
    information assets.

    • If a threat event happened, how bad could its impact

    • How often might the event be expected to occur
    (frequency of occurrence)?

    • How certain are the answers to the first four ques-
    tions (uncertainty analysis)?

    • What can be done to reduce the risk?

    • How much will it cost?

    • Is it cost-efficient?

    Determining the value of the information processed and
    stored is not an easy task due to the multidimensional nature
    of value. The CAE will find it helpful to work with the CRO
    to coordinate and align the IT-related risks. Depending on
    the organization’s size and risks, the CAE and CRO may
    want to share how they prioritize risk areas, risk coverage, or
    leverage resources.

    3 COSO, Strengthening Enterprise Risk Management for Strategic
    Advantage, Nov. 4, 2009.




    4.2 Risk Mitigation Strategies

    When risks are identified and analyzed, it is not always appro-
    priate to implement controls to counter them. Some risks
    may have minor impact if they occur or may be extremely
    unlikely to occur, and it may not be cost-effective to imple-
    ment expensive control processes.

    In general, there are several ways to treat risks.

    • Accept the risk. One of management’s primary
    functions is managing risk. Some risks are minor
    because their impact and probability of occurrence
    is low. In this case, consciously accepting the risk
    as a cost of doing business is appropriate as well as
    periodically reviewing the risk to ensure its impact
    remains low.

    • Eliminate the risk. It is possible for a risk to be
    associated with the use of a particular technology,
    supplier, or vendor. The risk can be eliminated by
    replacing the technology with more robust products
    and by seeking more capable suppliers and vendors.

    • Share the risk. Risk mitigation approaches can be
    shared with trading partners and suppliers. A good
    example is outsourcing infrastructure management.
    In such a case, the supplier mitigates the risks associ-
    ated with managing the IT infrastructure by being
    more capable and having access to more highly
    skilled staff than the primary organization. Risk
    also may be mitigated by transferring the risk to an
    insurance provider.

    • Control/mitigate the risk. Instead of — or in
    combination with — other options, controls may
    be devised and implemented to prevent the risk
    from manifesting itself to limit the likelihood of this
    manifestation or to minimize its effects.
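The risk-analysis questions of section 4.1.4 (asset value, impact, frequency, uncertainty, cost and cost-efficiency of a response) and the four treatment options above can be worked through with a small quantitative model. The following is an added example and is not code from the GTAG or from The IIA. It uses the classic single-loss / annual-loss expectancy arithmetic (SLE = asset value x exposure factor, ALE = SLE x annual rate of occurrence), carries the frequency estimate as a low/high range to make the uncertainty visible, and then picks accept, mitigate, share or eliminate per scenario. The assets, scenarios, exposure factors, frequencies, control costs, the insurance premium, the single risk-appetite figure and the order of preference between treatments are all constructed assumptions for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    value: float                 # business value of the asset (currency units)


@dataclass(frozen=True)
class Threat:
    name: str
    asset: Asset
    exposure_factor: float       # share of the asset value lost per event, 0..1
    aro_low: float               # annual rate of occurrence, optimistic estimate
    aro_high: float              # pessimistic estimate; the spread is the uncertainty


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0   # fraction of event frequency the control removes
    ef_reduction: float = 0.0    # fraction of per-event impact the control removes


def single_loss_expectancy(t: Threat, control: Optional[Control] = None) -> float:
    """SLE = asset value x exposure factor, reduced when a control limits impact."""
    sle = t.asset.value * t.exposure_factor
    return sle * (1.0 - control.ef_reduction) if control else sle


def annual_loss_expectancy(t: Threat, control: Optional[Control] = None) -> tuple[float, float]:
    """ALE = SLE x ARO, returned as (low, high) so the frequency uncertainty stays visible."""
    sle = single_loss_expectancy(t, control)
    keep = 1.0 - (control.aro_reduction if control else 0.0)
    return sle * t.aro_low * keep, sle * t.aro_high * keep


def select_treatment(t: Threat, candidates: list[Control], appetite: float,
                     insurance_premium: Optional[float] = None) -> tuple[str, Optional[Control], float]:
    """Choose accept / mitigate / share / eliminate for one threat.

    Returns (option, control or None, expected annual cost of carrying the risk).
    Comparing the pessimistic ALE against one appetite figure, and the order of
    preference below, are this example's assumptions, not rules from the GTAG.
    """
    _, ale_high = annual_loss_expectancy(t)
    if ale_high <= appetite:                       # accept: within appetite untreated
        return "accept", None, ale_high
    best = None                                    # mitigate: cheapest cost-effective control
    for c in candidates:
        _, residual = annual_loss_expectancy(t, c)
        net = residual + c.annual_cost             # residual loss plus the cost of the control
        if residual <= appetite and net < ale_high and (best is None or net < best[2]):
            best = ("mitigate", c, net)
    if best is not None:
        return best
    if insurance_premium is not None and insurance_premium < ale_high:
        return "share", None, insurance_premium    # share: transfer to an insurer
    # eliminate: retire the technology or supplier; replacement cost is not modelled here
    return "eliminate", None, 0.0


# Constructed sample data: hypothetical assets, scenarios, controls and figures.
CARDHOLDER_DB = Asset("cardholder database", 2_000_000)
LEGACY_SERVER = Asset("legacy file server", 150_000)
PRINT_SERVER = Asset("print server", 20_000)
DATA_CENTRE = Asset("data centre", 1_000_000)

THREATS = {
    "breach": Threat("cardholder data breach", CARDHOLDER_DB, 0.4, 0.05, 0.20),
    "ransomware": Threat("ransomware on unsupported OS", LEGACY_SERVER, 0.8, 0.5, 1.0),
    "outage": Threat("print server hardware failure", PRINT_SERVER, 0.5, 1.0, 3.0),
    "fire": Threat("data centre fire", DATA_CENTRE, 1.0, 0.01, 0.03),
}
CONTROLS = {
    "breach": [Control("network segmentation", 20_000, aro_reduction=0.5),
               Control("database encryption with key management", 30_000, ef_reduction=0.9)],
    "ransomware": [Control("offline backups and patching", 15_000, aro_reduction=0.3, ef_reduction=0.6)],
    "outage": [Control("cold spare hardware", 8_000, aro_reduction=0.9)],
    "fire": [Control("gas fire suppression", 40_000, ef_reduction=0.5)],
}
INSURANCE = {"fire": 12_000}     # annual premium quoted for the fire scenario only
RISK_APPETITE = 25_000           # largest annual loss management will carry per scenario


def risk_register(appetite: float = RISK_APPETITE) -> dict[str, dict]:
    """Build the treated risk register: ALE range and chosen treatment per scenario."""
    rows = {}
    for key, t in THREATS.items():
        low, high = annual_loss_expectancy(t)
        option, control, cost = select_treatment(t, CONTROLS[key], appetite, INSURANCE.get(key))
        rows[key] = {"ale_low": low, "ale_high": high, "treatment": option,
                     "control": control.name if control else None,
                     "expected_annual_cost": cost}
    return rows


if __name__ == "__main__":
    for key, row in risk_register().items():
        print(f"{key:11} ALE {row['ale_low']:>9,.0f} .. {row['ale_high']:>9,.0f}  -> "
              f"{row['treatment']:9} {row['control'] or ''} ({row['expected_annual_cost']:,.0f}/yr)")
```

Two points the output makes that the prose does not: a control that is cost-effective in isolation (fire suppression halves the loss) is still rejected when the residual plus its cost exceeds the untreated loss, and the same scenario flips from "share" to "accept" if management raises the appetite figure, which is why the appetite and tolerance discussion of section 4.1.3 has to come before the control selection.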



    5. Assessing IT — An Overview

    IT controls are applied when controlling or mitigating the risk
    is the best option. While IT controls should be applied with
    due regard to the relevant risks, there is a basic set of controls
    that should be in place to provide a fundamental level of IT

    IT controls should be part of major IT processes related to
    planning, organization, acquisitions, changes, delivery of
    IT services, and IT support and monitoring. IT controls
    supporting a wide range of these IT processes typically
    would be the IT infrastructure controls that cover areas
    such as network controls, database controls, operating
    system controls, and hardware controls, for example. IT
    controls that cover applications and, in many cases, impor-
    tant business areas could include input edit controls, process
    completion or reconciliation controls, and exception report
    controls. The CAE should gain an overview of the important
    controls and what business processes they support as a first
    step in understanding IT risks and controls. Process descrip-
    tions and organization charts are some of the tools that can
    be used to gain an overview. Additionally, the CAE should
    obtain an understanding of key IT initiatives to comprehend
    how the IT infrastructure and applications may be changing
    during a defined period of time. This information will enable
    the CAE to perform an initial risk assessment that allows for
    a deeper analysis.
    Some questions can be considered when evaluating the
    control environment and selecting a suitable set of controls.

    • Do IT policies — including IT controls — exist?

    • Have responsibilities for IT and IT controls been
    defined, assigned, and accepted?

    • Is the control designed effectively?

    • Is the control operating effectively?

    • Does the control achieve the desired result?

    • Is the mix of preventive, detective, and corrective
    controls effective?

    • Do the controls provide evidence when control
    parameters are exceeded or when controls fail? How
    is management alerted to failures, and which steps
    are expected to be taken?

    • Is evidence retained (e.g., through an audit trail)?

    • Are the IT infrastructure equipment and tools logi-
    cally and physically secured?

    • Are access and authentication control mechanisms

    • Are controls in place to protect the operating envi-
    ronment and data from viruses and other malicious


    • Are firewall-related controls implemented?

    • Do firewall policies exist?

    • Are external and internal vulnerability assess-
    ments completed, and have risks been identified and
    resolved appropriately?

    • Are change and configuration management and
    quality assurance processes in place?

    • Are structured monitoring and service measurement
    processes in place?

    • Have the risks of outsourced services been taken
    into consideration? (For details on this, refer to
    GTAG 7: IT Outsourcing.)

    The payment card industry publishes one of the most widely
    used data security standards, the PCI Data Security
    Standard (PCI DSS). Launched in 2006, the PCI
    Security Standards Council represents an open, global forum
    that is responsible for the development, management, educa-
    tion, and awareness of the PCI Security Standards, including
    the PCI DSS, the Payment Application Data Security
    Standard (PA-DSS), and PIN Transaction Security (PTS)

    The CAE can use the PCI DSS at a high level to determine
    whether certain security activities should be considered
    for the organization (see the following PCI Data Security
    Standards High Level Overview).



    Introduction and PCI Data Security Standard Overview

    The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data
    security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical
    and operational requirements designed to protect cardholder data. PCI DSS applies to all entities involved in payment card
    processing —including merchants, processors, acquirers, issuers, and service providers, as well as all other entities which store,
    process or transmit cardholder data. PCI DSS comprises a minimum set of requirements for protecting cardholders data, and
    may be enhanced by additional controls and practices to further mitigate risks. Below is a high-level overview of the 12 PCI
    DSS requirements

    PCI Data Security Standard – High Level Overview

    Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters

    Protect Cardholder Data
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks

    Maintain a Vulnerability Management Program
    5. Use and regularly update anti-virus software or programs
    6. Develop and maintain secure systems and applications

    Implement Strong Access Control Measures
    7. Restrict access to cardholder data by business need to know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data

    Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes

    Maintain an Information Security Policy
    12. Maintain a policy that addresses information security for all personnel


    Assessing IT controls is a continuous process. Business
    procedures constantly change as technology continues to
    evolve, and threats emerge as new vulnerabilities are discov-
    ered. Audit methods improve as internal auditors adopt an
    approach where IT control issues in support of the business
    objectives are a top priority. Management provides IT control
    metrics and reporting, and auditors attest to their validity
    and opine on their value. The internal auditor should liaise
    with management at all levels to agree on the validity and
    effectiveness of the metrics and assurances for reporting.


    4 PCI DSS Requirements and Security Assessment Procedures,
    V2.0, Copyright 2010 PCI Security Standards Council LLC

    The internal audit process provides a formal structure for
    addressing IT controls within the overall system of internal
    controls. Figure 1 – The Structure of IT Auditing, divides the
    assessment into a logical series of steps.




    Figure 1 – The Structure of IT Auditing

    [Diagram; only its labels survive extraction. Boxes, top to bottom:
    IT Controls: Governance – Management – Technical; General / Application;
    Prevention, Detection, Correction; Information – Security
    Importance of IT Controls: Reliability and Effectiveness; Competitive
    Advantage; Legislation and Regulation
    Roles and (label cut off)
    Based on Risk: Risk Analysis; Risk Response; Baseline Controls
    Monitoring and (label cut off)
    Control Framework
    Audit Committee Interface]

    The internal auditor’s role in IT controls begins with a sound conceptual understanding and culminates in providing the
    results of risk and control assessments. The CAE should oversee the pursuit of continuous learning and reassessment as new
    technologies emerge and as dependencies, strategies, risks, and requirements change.



    GTAG — Understanding the Importance of IT Controls

    6. Understanding the
    Importance of IT Controls

    Although this GTAG deals exclusively with IT risks and
    controls, the control environment within IT (e.g. tone at
    the top from the CIO, the ethical climate, management
    philosophy, and operating style) is critically important and
    should be evaluated. The IIA’s Practice Guide, Auditing
    the Control Environment, should be consulted in addition
    to this GTAG when considering the control environment
    within IT.

    COSO defines internal control as: “A process, effected
    by an entity’s board of directors, management, and other
    personnel. This process is designed to provide reasonable
    assurance regarding the achievement of objectives in:

    • Effectiveness and efficiency of operations.

    • Reliability of financial reporting.

    • Compliance with applicable laws and regulations.”

    IT controls encompass those processes that provide assur-
    ance for information and information services and help
    control or mitigate the risks associated with an organiza-
    tion’s use of technology. These controls range from written
    corporate policies to their implementation within coded
    instructions; from physical access protection to the ability
    to trace actions and transactions to the individuals who
    are responsible for them; and from automatic edits to
    reasonability analyses for large bodies of data.

    It is not necessary for the CAE to know everything
    about IT controls, including the full continuum or all
    the technical intricacies. Many of these controls are the
    domain of specialists who manage specific risks associated
    with individual components of the systems and network

    6.1 IT General and Application Controls

    Controls may be classified to help understand their purposes
    and where they fit into the overall system of internal
    controls (see Figure 2 – Some Control Classifications). By
    understanding these classifications, the control analyst and
    auditor are better able to establish their positions in the
    control framework and answer key questions such as: Are
    the detective controls adequate to identify errors that may
    get past the preventive controls? Are corrective controls
    sufficient to fix the errors once detected? A common clas-
    sification of IT controls is general versus application. For
    further definition of IT related controls, refer to GTAG 8:
    Auditing Application Controls.

    Figure 2 – Some Control Classifications
    [Diagram; only its labels survive extraction: Governance Controls,
    Management Controls, Technical Controls.]

    6.1.1 IT General Controls

    General controls apply to all systems components, processes,
    and data for a given organization or systems environ-
    ment. General controls include, but are not limited to, IT
    governance, risk management, resource management, IT
    operations, application development and maintenance,
    user management, logical security, physical security, change
    management, backup and recovery, and business continuity.
    Some general controls are business-related (e.g., segregation
    of duties or governance arrangements), whereas others are
    very technical (e.g., system software controls and network
    software controls) and relate to the underlying infrastruc-
    ture. General controls are reviewed by internal audit because
    they form the basis of the IT control environment. If the
    general controls are weak and unreliable (e.g., change and
    access control) and cannot be relied on, the auditor may
    need to alter the testing approach for those areas impacted.

    6.1.2 Application Controls

    Application controls5 pertain to the scope of individual busi-
    ness processes or application systems and include controls
    within an application around input, processing, and output.
    Application controls also can include data edits, segrega-
    tion of business functions (e.g., transaction initiation versus
    authorization), balancing of processing totals, transaction
    logging, and error reporting.

    5 PCI Security Standards Council LLC, Payment Card Industry
    (PCI) Data Security Standard Requirements and Security Assessment
    Procedures, Version 2.0, Oct. 2010.



    GTAG — Understanding the Importance of IT Controls

    The function of a control is highly relevant to the assessment
    of its design and effectiveness. Controls usually are classified
    as preventive, detective, or corrective. Preventive controls
    prevent errors, omissions, or security incidents from occur-
    ring. Examples include simple data entry edits that block
    alphabetic characters from being entered into numeric fields;
    access controls that protect sensitive data or system resources
    from unauthorized people; and complex and dynamic tech-
    nical controls such as antivirus software, firewalls, and
    intrusion prevention systems.

    Detective controls detect errors or incidents that elude
    preventive controls. For example, a detective control may
    identify account numbers of inactive accounts or accounts
    that have been flagged for monitoring of suspicious activities.
    Detective controls also can include monitoring and anal-
    ysis to uncover activities or events that exceed authorized
    limits or violate known patterns in data that may indicate
    improper manipulation. For sensitive electronic communica-
    tions, detective controls can indicate that a message has been
    corrupted or that the sender cannot be authenticated.

    Corrective controls correct errors, omissions, or incidents
    once they have been detected. They vary from simple
    correction of data entry errors to identifying and removing
    unauthorized users or software from systems or networks to
    recovery from incidents, disruptions, or disasters.

    Generally, it is most efficient to prevent errors or detect them
    as soon as possible to simplify correction.

    Many other control classifications described in this document
    may be useful in assessing their effectiveness. For example,
    automated controls tend to be more reliable than manual
    controls, and nondiscretionary controls are more likely to
    be applied consistently than discretionary controls. Other
    control classifications may exist such as mandatory, volun-
    tary, complementary, compensating, redundant, continuous,
    on-demand, and event-driven.

    6.2 IT Governance, Management,
    and Technical Controls

    Another common classification of controls is by the group
    responsible for ensuring they are implemented and main-
    tained properly. For the purpose of assessing roles and
    responsibilities, this guide primarily categorizes IT controls
    as governance, management, technical, and application.

    The first two levels — governance and management — are
    the most applicable to the scope of this guide. However, it
    also may be useful to understand how higher-level controls
    specifically are established within the technical and applica-
    tion IT infrastructures. Technical controls and application
    controls are the subject of GTAG 8: Auditing Application
    Controls.
    6.2.1 IT Governance Controls

    The primary responsibility for internal control oversight
    resides with the Board in its role as keeper of the governance
    framework. IT control at the governance level involves
    overseeing effective information management, principles,
    policies, and processes and ensuring that they are in place
    and performing correctly. These controls are linked with the
    concepts of governance, which are driven both by organi-
    zational goals and strategies and by outside bodies, such as

    6.2.2 Management Controls

    Management responsibility for internal controls typically
    involves reaching into all areas of the organization with
    special attention to critical assets, sensitive information, and
    operational functions. Management must make sure the IT
    controls needed to achieve the organization’s established
    objectives are applied and ensure reliable and continuous
    processing. These controls are deployed as a result of delib-
    erate actions by management in response to risks to the
    organization, its processes, and assets.

    6.2.3 Technical Controls

    Technical controls often form the backbone of management’s
    control framework. Therefore, if the technical controls are
    weak, the impact affects the entire control framework. For
    example, by protecting against unauthorized access and
    intrusion, technical controls provide the basis for reliance
    on the integrity of information — including evidence of all
    changes and their authenticity. These controls are specific
    to the technologies in use within the organization’s IT infra-
    structures. Examples of technical controls are operating
    system controls, database controls, encryption, and logging.

    6.2.4 Application Controls

    As already established, application controls pertain to the
    scope of individual business processes or application systems.
    They may be technical in nature but are also nontechnical
    depending on the area of control. They include controls of
    input, processing, and output. Section 6.3.7 of this document
    discusses application controls in more depth.

    6.3 IT Controls — What to Expect

    Individual controls within an organization can be classified
    within the hierarchy of IT controls — from the overall high-
    level policy statements issued by management and endorsed
    by the Board down to the specific control mechanisms incor-
    porated into application systems.


    Figure 3 – Hierarchy of IT Controls represents a logical
    “top-down” approach both when considering controls to
    implement and when determining areas on which to focus
    internal audit resources during reviews of the entire IT oper-
    ating environment. The different elements of the hierarchy
    are not mutually exclusive; they connect with each other
    and often overlap and intermingle. Each of the control types
    within the hierarchy is described below.

    Figure 3 – Hierarchy of IT Controls (figure not reproduced; the
    levels shown include Organization and Management, Physical and
    Environmental Controls, Systems Software Controls, Systems
    Development Controls, and Application-based Controls)

    6.3.1 Policies

    All organizations need to define their goals and objectives
    through strategic plans and policy statements. Without clear
    statements of policy and standards for direction, organiza-
    tions can become disoriented and perform ineffectively.

    Because technology is vital to virtually all organizations,
    clear policy statements regarding all aspects of IT should
    be devised and approved by management, endorsed by the
    Board, and communicated to staff. Many different policy
    statements can be required depending on the organiza-
    tion’s size and the extent to which it deploys IT. For smaller
    organizations, a single policy statement may be sufficient —
    provided it covers all relevant areas. Larger organizations
    often will require more detailed and specific policies.

    For example, IT policy statements may include, but are not
    restricted to:

    • A general policy on the level of security and privacy
    throughout the organization. This policy should be
    consistent with relevant national and international
    legislation and should specify the level of control
    and security required depending on the sensitivity of
    the system and data processed.

    • A statement on the classification of information
    and the rights of access at each level. The policy
    also should define any limitations on the use of this
    information by those approved for access.

    • A definition of the concepts of data and systems
    ownership, as well as the authority necessary to
    originate, modify, or delete information. This should
    be a general policy that defines the extent to which
    users can create their own applications.

    • Personnel policies that define and enforce condi-
    tions for staff in sensitive areas. This includes the
    positive vetting of new staff prior to joining the
    organization and requiring employees to sign agree-
    ments accepting responsibility for the required
    levels of control, security, and confidentiality. This
    policy typically would also detail related disciplinary

    • Definitions of overall business continuity planning
    requirements. These policies should ensure that
    all aspects of the business are considered when an
    unexpected event or disaster happens.

    6.3.2 Standards

    The organization should have an IT blueprint that supports
    its overall strategy and sets the tone for the resultant IT poli-
    cies and standards.6

    The standards define ways of working to achieve the objec-
    tives of the organization. Adopting and enforcing standards
    promotes efficiency and ensures consistency in the IT oper-
    ating environment.

    Large organizations with significant resources are in a posi-
    tion to devise their own standards, but smaller organizations
    may not have sufficient resources. There are many sources of
    information on standards and best practice. For example, IT
    management should consider:

    • Systems development processes: When organiza-
    tions develop their own applications, standards
    apply to the processes for designing, developing,
    testing, implementing, and maintaining systems
    and programs. If organizations outsource applica-
    tion development or acquire systems from vendors,
    the CAE should ascertain that agreements require
    the providers to apply standards consistent with the
    organization’s standards or are acceptable to the

    • Systems software configuration: Because systems
    software provides a large element of control in the
    IT environment, standards related to secure system
    configurations are beginning to gain wide accep-
    tance by leading organizations and technology
    providers. The way products — such as operating
    systems, networking software, and database manage-
    ment systems — are configured can either enhance
    security or create weaknesses that can be exploited.

    6 The Institute of Internal Auditors International Standards for the
    Professional Practice of Internal Auditing ensures that the internal
    audit activity examines the IT strategy. IIA Standard 2110.A2
    states: “The internal audit activity must assess whether the infor-
    mation technology governance of the organization sustains and
    supports the organization’s strategies and objectives.”

    • Application controls: All applications that support
    business activities need to be controlled. Standards
    are necessary for all applications the organization
    develops or purchases, and the standards should
    define the types of controls that must be present
    across the whole range of business activities as well
    as the specific controls that should apply to sensitive
    processes and information.

    • Data structures: Having consistent data definitions
    across the full range of applications ensures that
    disparate systems can access data seamlessly and
    security controls for private and other sensitive data
    can be applied uniformly.

    • Documentation: Standards should specify the
    minimum level of documentation required for each
    application system or IT installation, as well as
    for different classes of applications, processes, and
    processing centers.

    As with policies, written standards should be approved by
    management and made available to everyone who imple-
    ments them.

    6.3.3 Organization and Management

    Organization and management play a major role in the whole
    system of IT control in addition to every aspect of an orga-
    nization’s operations. An appropriate organization structure
    allows lines of reporting and responsibility to be defined
    and effective control systems to be implemented. Important
    controls typically could include segregation of incompatible
    duties, financial controls, and change management.

    Segregation of Duties

    Segregation of duties is a vital element of many controls. An
    organization’s structure should not allow responsibility for all
    aspects of processing data to rest with one individual. The
    functions of initiating, authorizing, inputting, processing,
    and checking data should be separated to ensure no indi-
    vidual can create an error, omission, or other irregularity
    and authorize it and/or obscure the evidence. Segregation-
    of-duties controls for application systems are implemented
    by granting access privileges in accordance with job require-
    ments for processing functions and accessing information.
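The following is an added example, not code from GTAG 1 or The IIA, showing how the segregation-of-duties principle described above can be checked and enforced in an application. It uses a constructed role-to-function mapping, a list of incompatible function pairs (initiate/authorize, input/check, and develop/deploy, the latter being the development-versus-operations split), a detective check that lists users who have accumulated conflicting roles, a preventive check at the moment a role is granted, and a second preventive check at authorization time so that an initiator can never approve their own transaction. All users, roles and function names are assumptions made for illustration.

```python
"""Added example (not from GTAG 1): segregation-of-duties checks over
role assignments. Users, roles and functions are constructed."""

# Pairs of processing functions that should never rest with one individual.
INCOMPATIBLE = {
    frozenset({"initiate", "authorize"}),
    frozenset({"input", "check"}),
    frozenset({"develop", "deploy_to_production"}),  # systems development vs IT operations
}

# Constructed role -> functions mapping, i.e. what each job requires.
ROLES = {
    "clerk": {"initiate", "input"},
    "supervisor": {"authorize", "check"},
    "developer": {"develop"},
    "operator": {"deploy_to_production"},
}

# Constructed user -> roles assignments, including two deliberate conflicts.
USERS = {
    "alice": {"clerk"},
    "bob": {"supervisor"},
    "carol": {"clerk", "supervisor"},   # accumulated both roles over time: violation
    "dave": {"developer", "operator"},  # developer who also deploys to production: violation
}


def functions_for(user, users=USERS, roles=ROLES):
    """All processing functions a user holds through their roles."""
    return set().union(*(roles[r] for r in users.get(user, set())))


def sod_violations(users=USERS, roles=ROLES, incompatible=INCOMPATIBLE):
    """Detective control: map each user to the incompatible function pairs they hold."""
    out = {}
    for user in users:
        funcs = functions_for(user, users, roles)
        hits = sorted(tuple(sorted(p)) for p in incompatible if p <= funcs)
        if hits:
            out[user] = hits
    return out


def grant_role(user, role, users, roles=ROLES, incompatible=INCOMPATIBLE):
    """Preventive control at provisioning time: refuse a grant that would give the
    user an incompatible pair of functions. Returns (granted, conflicts)."""
    would_have = functions_for(user, users, roles) | roles[role]
    conflicts = sorted(tuple(sorted(p)) for p in incompatible if p <= would_have)
    if conflicts:
        return False, conflicts
    users.setdefault(user, set()).add(role)
    return True, []


def authorize(txn, approver, users=USERS, roles=ROLES):
    """Preventive control at transaction time: the approver must hold the
    'authorize' function and must not be the transaction's initiator, even if
    role assignments happen to overlap. Returns (allowed, reason)."""
    if "authorize" not in functions_for(approver, users, roles):
        return False, "approver lacks authorize function"
    if approver == txn["initiator"]:
        return False, "initiator cannot authorize own transaction"
    return True, "authorized"
```

Running `sod_violations()` over the constructed assignments reports carol (initiate/authorize and input/check) and dave (develop/deploy), which is the kind of listing an auditor would ask for when testing that access privileges match job requirements; `grant_role` stops the same conflicts from being created in the first place.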

    Traditional segregation of duties within the IT environment
    is divided between systems development and IT operations.

    IT operations should be responsible for running production
    systems — except for change deployment — and should
    have little or no responsibility with the development process.
    This control includes restrictions preventing operators from
    accessing or modifying production programs, systems, or
    data. Similarly, systems development personnel should have
    little contact with production systems. By assigning specific
    roles during implementation and other change processes,
    segregation of duties can be enforced. In large organizations,
    many functions should be considered to ensure appropriate
    segregation of duties.

    Financial Controls

    Because organizations make considerable investments in
    IT, budgetary and other financial controls are necessary to
    ensure the technology yields the projected return on invest-
    ment or proposed savings. Management processes should
    be in place to collect, analyze, and report on these issues.
    Unfortunately, new IT developments often suffer massive
    cost overruns and fail to deliver the expected cost savings or
    income because of wrong estimates or insufficient planning.

    Change Management

    Change management7 processes ensure that changes to
    the IT environment, systems software, application systems,
    and data are applied in a manner that enforces appropriate
    segregation of duties; ensures that changes work and are
    implemented as required; and prevents changes from being
    exploited for fraudulent purposes. A lack of change manage-
    ment can seriously impact system and service availability.

    6.3.4 Physical and Environmental Controls

    IT equipment represents a considerable investment for many
    organizations. It must be protected from accidental or delib-
    erate damage or loss. Physical and environmental controls,
    originally developed for large data centers that house main-
    frame computers, are equally important in distributed
    client-server and Web-based systems. Although the equip-
    ment commonly used today is designed for ease of use in
    a normal office environment, its value to the business and
    the cost and sensitivity of applications running business
    processes can be significant.

    All equipment must be protected, including the servers and
    workstations that allow staff access to the applications. Some
    typical physical and environmental controls include:

    • Locating servers in locked rooms to which access is

    • Restricting server access to specific individuals.

    7 Refer to The IIA’s GTAG 2: Change and Patch Management
    Controls: Critical for Organizational Success.



    • Providing fire detection and suppression equipment.

    • Housing sensitive equipment, applications, and data
    away from environmental hazards, such as low-lying
    flood plains, flight paths, or flammable liquid stores.

    When considering physical and environmental security, it is
    also appropriate to consider contingency planning8. What
    will the organization do if there is a fire or flood or if any other
    threat manifests itself? How will the organization continue
    its operations? This type of planning goes beyond merely
    providing for alternative IT processing power to be avail-
    able and routine backup of production data; it must consider
    the logistics and coordination needed for the full scope of
    business activity. Finally, history consistently demonstrates
    that business continuity planning that has not been tested
    successfully in a realistic simulation is not reliable.

    6.3.5 Systems Software Controls

    Systems software products enable the IT equipment to
    be used by the application systems and users. These prod-
    ucts include operating systems (e.g., Windows and UNIX),
    network and communications software, firewalls, antivirus
    products, and database management systems (DBMS) (e.g.,
    Oracle and DB2).

    IT audit specialists should assess controls in this area.
    Small organizations are unlikely to have the resources to
    employ such specialists and should consider using external
    resources. Whether IT auditors are employed or outsourced,
    they require a highly specific set of knowledge. Much of this
    knowledge can come from experience, but such knowledge
    must be updated constantly to remain current and useful.

    Systems software can be highly complex and can apply to
    components and appliances within the systems and network
    environment. Software may be configured to accommodate
    highly specialized needs and normally requires a high degree
    of specialization to securely maintain it. Configuration tech-
    niques can control logical access to the applications, although
    some application systems contain their own access controls
    and may provide an opening for unauthorized users to break
    into a system. Configuration techniques also provide the
    means to enforce segregation of duties, generate specialized
    audit trails, and apply data integrity controls through access
    control lists, filters, and activity logs.

    Some key technical controls to be expected in a well-
    managed IT environment include:

    • Access rights allocated and controlled according to
    the organization’s stated policy.

    • Division of duties enforced through systems software
    and other configuration controls.

    • Intrusion and vulnerability assessment9, prevention,
    and detection in place and continuously monitored.

    • Intrusion testing performed on a regular basis.

    • Encryption services applied where confidentiality is
    a stated requirement.

    • Change management processes — including
    patch management — in place to ensure a tightly
    controlled process for applying all changes and
    patches to software, systems, network components,
    and data.10

    6.3.6 Systems Development and Acquisition Controls

    Organizations rarely adopt a single methodology for all
    system acquisitions or development. Methodologies are
    chosen to suit the particular circumstances. The IT auditor
    should assess whether the organization uses a controlled
    method to develop or acquire application systems and
    whether it delivers effective controls over and within the
    applications and data they process. By examining application
    development procedures, the auditor can gain assurance that
    application controls are adequate. Some basic control issues
    should be addressed in all systems development and acquisi-
    tion work. For example:

    • User requirements should be documented, and their
    achievement should be measured.

    • Systems design should follow a formal process to
    ensure that user requirements and controls are
    designed into the system.

    • Systems development should be conducted in a
    structured manner to ensure that requirements and
    approved design features are incorporated into the
    finished product.

    • Testing should ensure that individual system
    elements work as required, system interfaces
    operate as expected, and that the system owner has
    confirmed that the intended functionality has been

    • Application maintenance processes should ensure
    that changes in application systems follow a consis-
    tent pattern of control. Change management
    should be subject to structured assurance validation

    Where systems development is outsourced, the outsourcer
    or provider contracts should require similar controls. Project
    management techniques and controls should be part of
    the development process — whether developments are
    performed in-house or are outsourced. Management should
    know whether projects are on time and within budget and
    that resources are used efficiently. Reporting processes should
    ensure that management understands the current status of
    development projects and does not receive any surprises when
    the end product is delivered.11 The IIA’s GTAG 12: Auditing
    IT Projects also should be considered when assessing devel-
    opment or acquisition projects.

    8 Refer to The IIA’s GTAG 10: Business Continuity Management.
    9 Refer to The IIA’s GTAG 6: Managing and Auditing IT
    10 Refer to The IIA’s GTAG 2: Change and Patch Management
    Controls: Critical for Organizational Success.

    6.3.7 Application Controls12

    The objective of controls over application systems is to
    ensure that:

    • All input data is accurate, complete, authorized, and

    • All data is processed as intended.

    • All data stored is accurate and complete.

    • All output is accurate and complete.

    • A record is maintained to track the process of data
    from input to storage and to the eventual output.

    Reviewing application controls traditionally has been the
    realm of the specialist IT auditor. However, because appli-
    cation controls now represent a large percentage of business
    controls, they should be a key concern of every internal

    There are several types of generic controls that should exist
    in any application.

    • Input controls: These controls are used mainly to
    check the integrity of data entered into a business
    application, whether the source is input directly by
    staff, remotely by a business partner, or through a
    Web-enabled application. Input is checked to ensure
    that it remains within specified parameters.

    • Processing controls: These controls provide auto-
    mated means to ensure processing is complete,
    accurate, and authorized.

    • Output controls: These controls address what is
    done with the data. They should compare results
    with the intended result and check them against the

    • Integrity controls: These controls can monitor
    data in process and/or storage to ensure that data
    remains consistent and correct.

    • Management trail: Processing history controls,
    often referred to as an audit trail, enable manage-
    ment to track transactions from the source to the
    ultimate result and to trace backward from results
    to identify the transactions and events they record.
    These controls should be adequate to monitor the
    effectiveness of overall controls and identify errors as
    close as possible to their sources.
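As an added example that is not part of the guide, the script below runs a constructed batch of payment records through the generic application controls listed above and, at the same time, through the preventive/detective/corrective classification of section 6.1: a preventive input edit that rejects non-numeric amounts and unauthorized records, detective checks that flag inactive accounts and amounts above an authorized limit without blocking them, a corrective resubmission of a corrected record, processing control totals used to balance output against input, an integrity digest over the stored data, and a management trail that ties every control decision to its transaction id. The limit, the inactive-account list and the records are constructed values, not anything the guide specifies.

```python
"""Added example (not from GTAG 1): a constructed payment batch run through
input, processing, output, integrity and management-trail controls."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
import hashlib
import json

# Constructed policy values; real limits come from the organization's own policy.
AUTHORIZED_LIMIT = Decimal("10000.00")
INACTIVE_ACCOUNTS = {"ACC-0099"}  # constructed: accounts flagged for monitoring

# Constructed input batch, as it might arrive from staff, a partner, or a web form.
SAMPLE_BATCH = [
    {"id": "T1", "account": "ACC-0001", "amount": "250.00", "approver": "bob"},
    {"id": "T2", "account": "ACC-0002", "amount": "12abc", "approver": "bob"},     # letters in numeric field
    {"id": "T3", "account": "ACC-0099", "amount": "80.00", "approver": "carol"},   # inactive account
    {"id": "T4", "account": "ACC-0003", "amount": "15000.00", "approver": "bob"},  # above authorized limit
    {"id": "T5", "account": "ACC-0004", "amount": "100.00", "approver": ""},       # no authorization
]


@dataclass
class ControlLog:
    """Management trail: one entry per control decision, keyed by transaction id."""
    entries: list = field(default_factory=list)

    def record(self, txn_id, control, outcome, detail=""):
        self.entries.append({"txn": txn_id, "control": control, "outcome": outcome, "detail": detail})


def input_edit(rec):
    """Preventive input control: reject records outside the specified parameters.
    Returns (amount, error); error is an empty string when the record is accepted."""
    try:
        amount = Decimal(rec["amount"])
    except InvalidOperation:
        return None, "amount is not numeric"
    if amount <= 0:
        return None, "amount must be positive"
    if not rec.get("approver"):
        return None, "transaction not authorized"
    return amount, ""


def process_batch(batch, log):
    """Apply input and detective controls to a batch; returns the accepted records."""
    accepted = []
    for rec in batch:
        amount, err = input_edit(rec)
        if err:
            log.record(rec["id"], "input", "rejected", err)
            continue
        log.record(rec["id"], "input", "accepted")
        # Detective controls flag rather than block, so the exception stays visible for follow-up.
        if rec["account"] in INACTIVE_ACCOUNTS:
            log.record(rec["id"], "detective", "flagged", "inactive account")
        if amount > AUTHORIZED_LIMIT:
            log.record(rec["id"], "detective", "flagged", "exceeds authorized limit")
        accepted.append({"id": rec["id"], "account": rec["account"], "amount": amount})
    return accepted


def control_totals(records):
    """Processing control: record count and amount total used for balancing."""
    return len(records), sum((r["amount"] for r in records), Decimal("0"))


def output_check(records, expected_count, expected_total):
    """Output control: compare the produced result with the intended (balanced) totals."""
    return control_totals(records) == (expected_count, expected_total)


def integrity_digest(records):
    """Integrity control: digest over a canonical form of the stored data, so later
    corruption or unauthorized modification is detectable by recomputing it."""
    canon = json.dumps([{"id": r["id"], "account": r["account"], "amount": str(r["amount"])}
                        for r in records], sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()


def correct_and_resubmit(rec, field_name, new_value, log):
    """Corrective control: apply a documented correction, log it, and re-run the input edit."""
    fixed = dict(rec, **{field_name: new_value})
    log.record(rec["id"], "corrective", "corrected", f"{field_name}: {rec[field_name]!r} -> {new_value!r}")
    amount, err = input_edit(fixed)
    log.record(rec["id"], "input", "rejected" if err else "accepted", err)
    return None if err else fixed


def run(batch=SAMPLE_BATCH):
    """End-to-end run; returns a summary an auditor can reconcile against the trail."""
    log = ControlLog()
    accepted = process_batch(batch, log)
    count, total = control_totals(accepted)
    return {
        "accepted": [r["id"] for r in accepted],
        "rejected": [e["txn"] for e in log.entries if e["outcome"] == "rejected"],
        "flagged": [e["txn"] for e in log.entries if e["outcome"] == "flagged"],
        "count": count, "total": total,
        "digest": integrity_digest(accepted),
        "log": log.entries,
    }
```

On the constructed batch, `run()` accepts T1, T3 and T4, rejects T2 and T5 at the input edit, flags T3 and T4 for follow-up, and carries a count of 3 and a total of 15330.00 that the output stage must balance against. The design point is the split between preventive rejection (the record never enters processing) and detective flagging (the record is processed but the exception is recorded in the trail), which is what lets management trace every result back to the control decision that produced it.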

    6.4 Information Security

    Information security13 is an integral part of IT controls.
    Information security applies to both infrastructure and data
    and is the foundation for the reliability of most other IT
    controls. The exceptions are controls relating to the finan-
    cial aspects of IT (e.g., ROI and budgetary controls) and
    some project management controls. The generally accepted
    elements of information security are:

    • Confidentiality: Confidential information must be
    divulged only as appropriate and must be protected
    from unauthorized disclosure or interception.
    Confidentiality includes privacy considerations.

    • Integrity: Information integrity refers to the state of
    data as being correct and complete. This specifically
    includes the reliability of financial processing and

    • Availability: Information must be available to the
    business, its customers, and partners when, where,
    and in the manner needed. Availability includes the
    ability to recover from losses, disruption, or corrup-
    tion of data and IT services, as well as from a major
    disaster where the information was located.

    6.5 IT Controls Framework

    For the more than 50 years that organizations have used IT,
    controls have not always been the default condition of new
    systems hardware or software. The development and imple-
    mentation of controls typically lag behind the recognition of
    emerging risks in systems and the threats that exploit such
    vulnerabilities. Furthermore, IT controls are not defined in
    any universally recognized standard applicable to all systems
    or to the organizations that use them.

    A control framework is a structured way of categorizing and
    identifying controls to adequately secure an IT environ-
    ment. The framework can be informal or formal. A formal
    approach will more readily satisfy the various regulatory or
    statutory requirements for organizations subject to them.
    The process of choosing or constructing a control framework
    should involve all concerned parties, including the business
    process owners and the parties responsible for performing the
    controls. The control framework should apply to, and be used
    by, the whole organization.

    11 Refer to The IIA’s GTAG 14: Auditing User-developed
    12 Refer to The IIA’s GTAG 8: Auditing Application Controls.
    13 Refer to The IIA’s GTAG 15: Information Security Governance.



    7. IT Audit Competencies and Skills

    According to the IPPF, internal auditors are expected to apply and uphold four principles: integrity, objectivity, confidenti-
    ality, and competency. The principle of competency requires internal auditors to engage only in those services for which they
    have the necessary knowledge, skills, and experience. Furthermore, IIA Attribute Standard 1210: Proficiency states: “Internal
    auditors must possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The
    internal audit activity collectively must possess or obtain the knowledge, skills, and other competencies needed to perform its

    The CAE must obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competen-
    cies needed to perform all or part of the engagement. The IIA provides an Integrated Competency Framework to help identify
    the necessary competencies to maintain in the internal audit activity. This approach links the identified business risks to the
    related IT processes. Hence, the CAE should know what kind and level of IT skills and competencies are required for auditing
    the effectiveness of the controls over the identified business risks. The following table shows a few examples for mapping busi-
    ness risks and required IT controls as well as the skills/competencies needed to perform the audit.

    Table: Business Risk / IT Controls / IT Skills and Competencies

    Business risk: Information security management
    IT controls: A sound, logical security
    IT skills and competencies: Security administration; access controls at
    network, operating system, database, and application levels

    Business risk: Critical business disruption
    IT controls: Ensuring availability of critical business applications
    IT skills and competencies: Business continuity and disaster recovery
    planning for the IT facilities (including network infrastructure,
    operating systems, databases, and applications)

    Business risk: Inaccurate and incomplete financial and management reporting
    IT controls: Securing data confidentiality and availability
    IT skills and competencies: Application controls, change controls, and
    system development life cycle (SDLC) controls

    If the required IT skills and competencies are not available within the internal audit activity, the CAE may seek an external
    service provider to support or complement the internal staff (i.e., out-sourcing or co-sourcing).14

    14 Refer to IIA Practice Advisory 1210.A1-1: Obtaining External
    Service Providers to Support or Complement the Internal Audit

    GTAG — IT Audit Competencies and Skills



    8. Use of Control Framework

    Each organization should examine existing control frame-
    works to determine which of them — or which parts — most
    closely fit its needs. The process of choosing or constructing
    a control framework should involve all people in the orga-
    nization with direct responsibility for controls. The internal
    audit activity will assess the framework’s adequacy and use
    it as a context for planning and performing internal audit

    The CAE needs an overall knowledge of IT risk issues to
    assess the effectiveness and appropriateness of IT controls.
    The CAE will base the internal audit plan and allocate
    resources on the IT areas and issues that merit attention due
    to their inherent levels of risk. Risk analysis and assessment
    cannot be viewed as a one-time process, especially when
    applied to IT. Technology changes constantly and rapidly as
    do the associated risks and threats. Categorizing IT controls
    according to their organizational placement, purpose, and
    functionality is useful in assessing their value and adequacy,
    as well as the adequacy of the system of internal controls.
    Knowledge of the range of available IT controls, the driving
    forces for controls, and organizational roles and responsibili-
    ties allows for comprehensive risk analyses and assessments.
    In assessing control effectiveness, it also is useful to under-
    stand whether the controls are mandated or voluntary,
    discretionary or nondiscretionary, manual or automated,
    primary or secondary, and subject to management override.

Finally, the assessment of IT controls involves selecting key controls for testing, evaluating test results, and determining whether evidence indicates any significant control weaknesses. The checklist included in the appendix can help ensure all relevant issues have been considered when planning and directing internal audit assessments of IT controls. Several existing frameworks and approaches can assist the CAE and other managers when determining IT control requirements. However, organizations should investigate enough frameworks to determine which one best fits their own needs and culture.

8.1 Computer Aided Audit Techniques and the Use of Data Analysis

CAEs should consider the use of computer aided audit techniques — especially data analysis tools — to obtain a more real-time perspective of the IT risk landscape and to potentially identify anomalies. In an environment where organizations and internal audit activities need to do more with less, data analysis provides an opportunity for the CAE to leverage information available throughout the organization and identify potential areas of focus for risk assessment or audit activities. Data analysis also can offer the CAE an approach to constantly assess the operating effectiveness of internal controls and review indicators of emerging risks. Available data analysis tools provide increased functionality for auditing the information and for efficiently processing larger amounts of data. However, there are key challenges: the CAE needs to obtain the technical skills, access the data analysis tools, leverage the reporting/extract tools, access the data sources, and develop a strategy that focuses on the highest organizational risks.

Continuous auditing is similar to continuous monitoring, as data is continually analyzed or assessed by the internal auditor. Continuous monitoring represents a management responsibility and function. Internal audit may test, review, or leverage the use of continuous monitoring. For more information, refer to The IIA’s GTAG 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment.

    8.2 Using Automated Risk Assessment

The CAE may find that strengthening his or her risk assessment requires numeric scoring or detailed risk assessment. Certain tools are available for automating the risk analysis process. These tools allow for risk scoring, annotating impact, and rating likelihood, among other factors. Automating the risk assessment allows for comparing and prioritizing risks. Collecting inherent and residual risk factors allows the CAE to provide summary information, such as heat maps or risk profiles that meet the organization’s risk profile. The automation of internal audit management is a major topic in its own right, and one area of opportunity is automating the risk assessment process (e.g., using voting tools to allow management to record risk ratings).

How Auditing Contributes to IT Controls

During the last few decades, there have been periods of reflection when management and auditors agreed the auditors could add value to the organization by contributing their controls expertise to development processes to ensure appropriate controls were incorporated into new systems, rather than adding controls after an audit revealed a deficiency. These activities coincided with the developments in control and risk self-assessment in the mainstream audit world. Audit consulting and risk-based auditing became widespread. The 1990s and beyond also saw dramatic increases in attention to information security management as cyberattacks increased in number and severity. These events have helped shape the role of the IT auditor as well as the business world’s recognition of the importance of effective information security management.

    8.3 Reporting on IT Controls

CAEs need to communicate to key stakeholders — such as the audit committee, executive management, regulators, external auditors, or the CIO — on the results of the assurance engagements. CAEs can use a number of report formats, and approaches can range from updates to balanced scorecards or to private executive session presentations.

One approach is to begin with simple updates on the assessment. The CAE should first determine the inherent level of risk over certain key IT processes. For example, the CAE can provide and verify with the CIO or key IT stakeholders the inherent risk over development, operations, business continuity planning, network, information security, and change management. Often, the inherent risk depends on the IT strategy and organization. Some IT organizations may be outsourced, centralized, or decentralized. The updates may take the form of audit projects in various functional IT areas. The update may include significant findings or issues. Progress on audit recommendations also might be part of the IT update.

Another approach is to report in a balanced scorecard. This may align with the CIO’s reporting of IT strategy or operations using an IT balanced scorecard. The Balanced Scorecard Institute provides one template that views the IT activity from four perspectives: financial, internal business process, learning and growing, and customer. When the CAE reports on IT as part of the regular audit report to the Board, audit committee, or management, the report typically would include issues related to information security incidents, change management exceptions, project development status, operation incident reporting, capital spending, or other metrics that measure key IT risks and controls. Such an approach should provide an integrated and comprehensive view of all risks and controls — from business to IT — in one format.

Sometimes the CAE may need to hold a private or executive session. This type of reporting generally covers significant issues. For example, it may include the internal audit team not being able to access requested data after repeated attempts, key IT individuals not providing complete or full disclosure, or IT leaders leaving the internal auditor out of key steering committee discussions (i.e., not having a seat at the table). Another challenging issue for a private session might be the lack of support by the CIO. This “tone at the top” may set the wrong culture and even block risk remediation or allow key IT controls to go unmonitored.



    9. Conclusion

Assessing IT risks and controls represents — for both new and experienced CAEs — one of the first steps in gaining an understanding of the IT environment and its significance in business risk management. Reading and applying this GTAG provides guidance for CAEs and internal auditors to sufficiently understand IT risks and applicable controls. The CAE will then be able to guide IT risk and control discussions with key stakeholders.

The next step, assessing and understanding IT governance, permits the CAE to identify who is accountable for what in IT and how IT leadership, in cooperation with business leaders, deploys the IT strategy. In this context, CAEs should keep in mind that IIA Standard 2110.A2 calls for “assessing IT governance.” Section 3 (Internal Stakeholders and IT Responsibilities) in this document provides a useful summary of key roles and responsibilities.

Once the CAE assesses IT governance, analyzing IT risks is a logical next step in the process. Unfortunately, there is no universal checklist for analyzing IT risks. Each organization — driven by the requirements of its nature and size of business — operates different technology infrastructure, applications, and interfaces, and uses different policies to achieve IT strategy. The CAE should perform risk analysis by using a structured methodology, such as that outlined in ISO 31000 Risk Management Standardization, and leveraging knowledge from key IT leaders (e.g., the CIO and other executives) in the context of the overall enterprise risks. Developing solid and trusted relationships will allow for transparency when analyzing inherent and residual risks.

There are many models and approaches to analyzing IT risks, and the CAE should select the models that best fit his or her organization. Several key IT roles and functions are detailed in Section 6 (Understanding the Importance of IT Controls) in this document. The CAE rates the IT risk levels and determines what will be included in the overall audit plan.

The CAE must identify and assess what technical skills and competencies are required based on the overall audit plan. The CAE may consider The IIA’s GAIT Methodology in using a top-down, risk-based approach. Some specializations, however, may not always be cost-effective to deploy on a full-time basis. CAEs can use internally developed technical skills, hired skills, or external providers. Co-sourcing provides an opportunity for organizations of all sizes to use outside expertise and gain perspective on the latest IT trends and risk impact.

Assessing the IT risks and controls requires a thoughtful and organized plan. CAEs should plan sufficient time and skilled resources to do a professional job and create a sustainable process for ongoing analysis.




    10. Authors & Reviewers
Authors:

Steve Mar, CFSA, CISA
Rune Johannessen, CIA, CCSA, CISA
Stephen Coates, CIA, CGAP, CISA
Karine Wegrzynowicz, CIA
Thomas Andreesen, CISA, CRISC

Reviewers:

Steve Hunt, CIA
Steve Jameson, CIA, CCSA, CFSA, CRMA

    Other Contributors:

    Dragon Tai, CIA, CCSA



    11. Appendix: IT Control Framework Checklist

CAEs can use this checklist to examine their IT control framework to ensure the organization has addressed all control elements. The checklist can help the CAE understand the issues and plan for full internal audit coverage of the control areas.


1. Identify the IT control environment of the organization, including:

    a. Values.

    b. Philosophy.

    c. Management style.

    d. IT awareness.

    e. Organization.

    f. Policies.

    g. Standards.

• Do corporate policies and standards that describe the need for IT controls exist?

2. Identify relevant legislation and regulation impacting IT control, such as:

    a. Governance.

    b. Reporting.

    c. Data protection.

    d. Compliance.

    • What legislation exists that impacts the need for IT controls?

    • Has management taken steps to ensure compliance with this

3. Identify the roles and responsibilities for IT control in relation to:

    a. Board of directors.

    i. Audit committee.

    ii. Risk committee.

    iii. Governance committee.

    iv. Finance committee.

    b. Management.

    i. CEO.

    ii. CFO and controller.

    iii. CIO.

    iv. Chief Security Officer (CSO).

    v. CISO.

    vi. CRO.

    c. Audit.

    i. Internal audit.

    ii. External audit.

• Have all relevant responsibilities for IT controls been allocated to individual roles?

• Is the allocation of responsibilities compatible with the need to apply division of duties?

    • Are IT responsibilities documented?

    • Are IT control responsibilities communicated to the whole

    • Do individuals clearly understand their responsibilities in
    relation to IT controls?

• What evidence is there of individuals exercising their responsibilities?

• Does internal audit employ sufficient IT audit specialists to address the IT control issues?



4. Identify the risk assessment process. Does it address:

    a. Risk appetite?

    b. Risk tolerance?

    c. Risk analysis?

    d. Matching risks to IT controls?

• How is the organization’s risk appetite and tolerance determined?

• Is the organization’s risk appetite and tolerance authorized at board level?

• Are risk appetite and tolerance clearly understood by all those with a responsibility for IT control?

    • Does the organization use a formal risk analysis process?

    • Is the process understood by everyone responsible for IT

• Is the process used consistently throughout the organization?

    5. Identify all monitoring processes, including:

    a. Regulatory.

    b. Normal in-house.

    c. Other than internal auditing.

• What processes exist to monitor compliance with all relevant legislation plus internal policies and standards?

• Does management carry out monitoring processes outside internal audit?

6. Identify information and communication mechanisms, such as:

    a. Control information.

    b. Control failures.

• What metrics are provided to the Board, its committees, and management in relation to IT security?

• What additional reports are provided regularly to the Board and management?

• Is management always provided with reports when IT control failures occur?

• Do the Board and its committees receive similar reports of IT control failures?

    About IPPF
The International Professional Practices Framework (IPPF) is the conceptual framework that organizes authoritative guidance promulgated by The Institute of Internal Auditors. IPPF guidance includes:

    Mandatory Guidance

Conformance with the principles set forth in mandatory guidance is required and essential for the professional practice of internal auditing. Mandatory guidance is developed following an established due diligence process, which includes a period of public exposure for stakeholder input. The three mandatory elements of the IPPF are the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards).

Element — Definition

Definition: The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal

Code of Ethics: The Code of Ethics states the principles and expectations governing behavior of individuals and organizations in the conduct of internal auditing. It describes the minimum requirements for conduct, and behavioral expectations rather than specific activities.

International Standards: Standards are principle-focused and provide a framework for performing and promoting internal auditing. The Standards are mandatory requirements consisting of:

• Statements of basic requirements for the professional practice of internal auditing and for evaluating the effectiveness of its performance. The requirements are internationally applicable at organizational and individual levels.

• Interpretations, which clarify terms or concepts within the statements.

It is necessary to consider both the statements and their interpretations to understand and apply the Standards correctly. The Standards employ terms that have been given specific meanings that are included in the Glossary.

    Strongly Recommended Guidance

Strongly recommended guidance is endorsed by The IIA through a formal approval process. It describes practices for effective implementation of The IIA’s Definition of Internal Auditing, Code of Ethics, and Standards. The three strongly recommended elements of the IPPF are Position Papers, Practice Advisories, and Practice Guides.

Element — Definition

Position Papers: Position Papers assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues and delineating related roles and responsibilities of internal auditing.

Practice Advisories: Practice Advisories assist internal auditors in applying the Definition of Internal Auditing, the Code of Ethics, and the Standards and promoting good practices. Practice Advisories address internal auditing’s approach, methodologies, and considerations, but not detailed processes or procedures. They include practices relating to: international, country, or industry-specific issues; specific types of engagements; and legal or regulatory issues.

Practice Guides: Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables.

    This GTAG is a Practice Guide under IPPF.

    For other authoritative guidance materials, please visit


    Copyright © 2012 Wolters Kluwer Financial Services, Inc. All Rights Reserved. 2119-ARC-TM-GTAG-AD 12/15/11

As the world’s leading audit management software, TeamMate has revolutionized the audit industry, empowering audit departments of all sizes to do more with less. Introduced in 1994, TeamMate has a long-standing commitment to advancing the audit profession. From consistently innovative product updates, to hosted solutions, and now mobile apps, we are dedicated to leveraging the latest technology for our clients. TeamMate’s outreach extends beyond our customers to support and enrich the professional community through research projects, educational programs and initiatives such as our Open Audit Innovation Contest.

To learn about TeamMate, visit us on the web at or call 1.888.830.5559.

Don’t take our word for it… Check out what our customers are saying at

Building on Experience, Shaping the Future of Audit Technology


    About the Institute

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession’s global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

    About Practice Guides

Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA’s IPPF. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through formal review and approval processes.

A Global Technologies Audit Guide (GTAG) is a type of Practice Guide that is written in straightforward business language to address a timely issue related to information technology management, control, or

    For other authoritative guidance materials provided by The IIA, please visit our website at


The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.


Copyright © 2012 The Institute of Internal Auditors.
    For permission to reproduce, please contact The IIA at


    APRIL 2018





Center for Audit Quality • April 2018

Companies are facing not only increasing cyber threats but also new laws and regulations for managing and reporting on data security and cybersecurity risks. Boards of directors face an enormous challenge: to oversee how their companies manage cybersecurity risk. As boards tackle this oversight challenge, they have a valuable resource in Certified Public Accountants (CPAs) and in the public company auditing profession.

CPAs bring to bear core values—including independence, objectivity, and skepticism—as well as deep expertise in providing independent assurance services in both the financial statement audit and a variety of other subject matters. CPA firms have played a role in assisting companies with information security for decades. In fact, four of the leading 13 information security and cybersecurity consultants are public accounting firms.1

This tool provides questions board members charged with cybersecurity risk oversight can use as they engage in discussions about cybersecurity risks and disclosures with management and CPA firms.

The questions are grouped under four key areas:

I. Understanding how the financial statement auditor considers cybersecurity risk

II. Understanding the role of management and responsibilities of the financial statement auditor related to cybersecurity disclosures

III. Understanding management’s approach to cybersecurity risk management

IV. Understanding how CPA firms can assist boards of directors in their oversight of cybersecurity risk

This publication is not meant to provide an all-inclusive list of questions or to be seen as a checklist; rather, it provides examples of the types of questions board members may ask of management and the financial statement auditor. The dialogue that these questions spark can help clarify the financial statement auditor’s responsibility for cybersecurity risk considerations in the context of the financial statement audit and, if applicable, the audit of internal control over financial reporting (ICFR). This dialogue can be a way to help board members develop their understanding of how the company is managing its cybersecurity risks.

Additionally, this tool may help board members with cybersecurity risk oversight learn more about other incremental offerings from CPA firms. One example is the cybersecurity risk management reporting framework developed by the American Institute of CPAs (AICPA).2 The framework enables CPAs to examine and report on management-prepared cybersecurity information, thereby boosting the confidence that stakeholders place on a company’s initiatives. With this voluntary, market-driven framework, companies can also communicate pertinent information regarding their cybersecurity risk management efforts and educate stakeholders about the systems, processes, and controls that are in place to detect, prevent, and respond to breaches.


    1 See Martin Whitworth, “Information Security Consulting Services, Q1 2016,” The Forrester Wave (January 2016).

    2 See AICPA, “SOC for Cybersecurity” web page.



I. Understanding How the Financial Statement Auditor Considers Cybersecurity Risk

The Sarbanes-Oxley Act of 2002 (SOX) added a requirement, applicable to most public companies, that management annually assess the effectiveness of the company’s ICFR and report the results to the public. In addition, SOX requires the audit committees of most large public companies to engage independent auditors to audit the effectiveness of their company’s ICFR.

This tool will outline how the financial statement auditor considers cybersecurity in two key contexts: (1) the audits of financial statements and, if applicable, ICFR; and (2) other disclosures. The following are questions that board members with cybersecurity risk oversight may use when discussing roles and responsibilities of the financial statement auditor related to cybersecurity risks.


1. How does the financial statement auditor’s approach to identifying and assessing risks of material misstatement for the financial statement and ICFR audits consider certain cybersecurity risks?

2. If, as part of understanding how the company uses information technology (IT) in the context of its financial statements and ICFR, the financial statement auditor identifies a cybersecurity risk, how does that risk get addressed in the audit process?

3. Why don’t the financial statement auditor’s procedures on an ICFR audit address all of the company’s enterprise-wide cybersecurity risks and controls?

4. What impact does a cybersecurity breach have on the financial statement auditor’s assessment of ICFR?

5. In the event of a cybersecurity breach that results in a potential need for a contingent liability that could be material, what is the audit response of the financial statement auditor?

II. Understanding the Role of Management and Responsibilities of the Financial Statement Auditor Related to Cybersecurity Disclosures

In September 2017, Securities and Exchange Commission (SEC) Chairman Jay Clayton stated, “I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important.”3

The SEC is focused on ensuring the adequacy of public company disclosures of cybersecurity risks and how those risks are managed. Investor groups have also asked company boards to strive for transparency in reporting efforts to prevent and mitigate cyber threats.4

In 2011, the SEC’s Division of Corporation Finance (Division) issued disclosure guidance. Under that guidance, a company may determine it is necessary to disclose cybersecurity risks in various places throughout its Form 10-K (e.g., risk factors, management’s discussion and analysis [MD&A], legal proceedings, business description, and/or financial statements).5 While the 2011 SEC staff guidance remains applicable, in February 2018, the SEC updated its disclosure guidance to reinforce and expand on the 2011 guidance. The new guidance addresses two topics not developed in 2011 guidance—namely, the importance of cybersecurity policies and procedures and the application of insider trading prohibitions in the cybersecurity context.6 In the 2018 guidance the SEC emphasized the importance of ensuring that periodic reports such as the Form 10-Q continue to provide timely and ongoing information on material cybersecurity risks and incidents. The SEC also emphasized that companies must maintain disclosure controls and procedures, and management must evaluate their effectiveness.

3 See SEC Chairman Jay Clayton, “Statement on Cybersecurity” (SEC, Washington DC, September 20, 2017).

4 Council of Institutional Investors, “Prioritizing Cybersecurity: Five Investor Questions for Portfolio Company Boards” (April 2016).

5 See “CF Disclosure Guidance: Topic No. 2” (SEC, Washington DC, October 13, 2011).

The SEC staff has communicated publicly that it intends to focus more on companies’ disclosures about cyber incidents and their cybersecurity programs. The following are questions that board members with cybersecurity risk oversight may use to clarify management’s role and the auditor’s responsibilities related to cybersecurity

    The Role of Management

1. In complying with the current SEC guidance, how has management considered cybersecurity risks in its ability to record, process, summarize, and report on information required to be disclosed in its SEC filings?

2. What disclosure controls and procedures are in place to help ensure that the disclosures comply with the SEC’s guidance regarding the importance of a company being able to make accurate and timely disclosures of material cyber events?7

3. Have the design and operating effectiveness of the disclosure controls and procedures been evaluated to ensure they appropriately record, process, summarize, and report on information required to be disclosed in the company’s SEC filings?

4. How is management considering the current SEC guidance with respect to cybersecurity on risk factors, MD&A, and financial statement disclosures?

5. In the event of a cybersecurity breach, what processes and controls are in place to help ensure that appropriate levels of management and board members with cybersecurity risk oversight are involved in the review of the related disclosures, if appropriate?

6. Has the company considered its insider trading policies in the event of a material cyber incident? Are appropriate policies and procedures in place to guard against company executives and other insiders taking advantage of the period between the company’s discovery of a cybersecurity incident and public


    The Role of the Financial Statement Auditor

1. What does the financial statement auditor consider related to cybersecurity disclosures included in the Form 10-K or other documents that include the audited financial statements?

2. How do those considerations differ when cybersecurity-related information is included in another company document (e.g., a press release)?

6 See “Commission Statement and Guidance on Public Company Cybersecurity Disclosures” (SEC, Washington DC, February 20, 2018).

7 See SEC, “Commission Statement,” 10-11: “In determining their disclosure obligations regarding cybersecurity risks and incidents, companies generally weigh, among other things, the potential materiality of any identified risk and, in the case of incidents, the importance of any compromised information and of the impact of the incident on the company’s operations. The materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. The materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause. This includes harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-US authorities.”


    3. If the company had a material contingent liability for an
    actual cyber incident, what is the financial statement
    auditor’s responsibility with respect to the company’s
    assessment of any related financial statement

    4. What is the financial statement auditor’s responsibility
    if a cyber incident material to the financial statements
    is discovered after the balance sheet date but before
    the auditor’s report on the financial statements is

    III. Understanding
    Management’s Approach to
    Cybersecurity Risk Management

    A company’s overall IT environment includes systems,
    networks, and related data that address not only financial
    reporting needs but also operational and compliance
    needs, all of which are susceptible to a cyber event.
    Consequently, C-suite executives and board members
    in a cybersecurity risk oversight role are increasing their
    oversight of management’s development, implementation
    and monitoring of a comprehensive enterprise-wide
    cybersecurity risk management program.

    The SEC has stated that disclosures regarding a
    company’s cybersecurity risk management program and
    how the board of directors engages with management
    on cybersecurity issues allow investors to assess how
    a board of directors is discharging its risk oversight

    The following are broader cybersecurity-related questions
    (i.e., not specific to financial reporting) that board members
    in their oversight roles can use to better understand a
    company’s cybersecurity risk management program.


    1. What framework, if any, does management use in
    designing a cybersecurity risk management program
    (e.g., NIST, ISO/IEC 27001/27002, SEC cybersecurity
    guidelines, AICPA Trust Services Criteria)?

    2. What framework, if any, does management use
    in communicating pertinent information about its
    cybersecurity management program?

    3. What processes and programs are in place
    to periodically evaluate the cybersecurity risk
    management program and related controls?

    4. What cybersecurity policies, processes, and controls
    are in place to detect, respond to, mitigate, and recover
    from—on a timely basis—cybersecurity events that are
    not prevented?

    5. In the event of a cybersecurity breach, what controls
    are in place to help ensure that the IT department
    and appropriate senior management (including board
    members charged with governance) are informed and
    engaged on a timely basis—and that other appropriate
    responses and communications take place?

    6. What policies, processes and controls are in place to
    address the impact to the company of a cybersecurity
    breach at significant/relevant vendors and business
    partners with whom the company shares sensitive
    information? Do those policies include risk identification
    and mitigation procedures?

    7. Has the company conducted a cyber event simulation
    as part of its approach to enterprise risk management?

    8. Has the company considered cost mitigation/risk
    transfer options in the form of cyber insurance coverage
    in the event of a cybersecurity breach?

    9. Does the company have adequate staff with appropriate
    skills to design and operate an effective cybersecurity
    risk management program?

    In 2017, the National Association of Corporate
    Directors (NACD) updated its NACD Director’s
    Handbook on Cyber-Risk Oversight. The publication
    recommends strategies for bringing perspectives on
    cybersecurity matters into the boardroom, including
    “leveraging the board’s existing independent
    advisors, such as external auditors and outside
    counsel.” It also includes additional questions about
    cybersecurity (see appendix A) for the board to ask
    management, and it identifies five principles that
    boards should consider as they seek to enhance
    their oversight of cyber risks.8

    1. Directors need to understand and approach
    cybersecurity as an enterprise-wide risk
    management issue, not just an IT issue.

    2. Directors should understand the legal
    implications of cyber risk as they relate to their
    company’s specific circumstances.

    3. Boards should have adequate access to
    cybersecurity expertise, and discussions about
    cyber-risk management should be given regular
    and adequate time on board meeting agendas.

    4. Directors should set the expectation that
    management will establish an enterprise-
    wide cyber-risk management framework with
    adequate staffing and budget.

    5. Board-management discussions about cyber
    risk should include identification of which risks
    to avoid, which to accept, and which to mitigate
    or transfer through insurance, as well as specific
    plans associated with each approach.

    8. See NACD, Director’s Handbook on Cyber-Risk Oversight, 2017 ed. (Washington, DC: NACD, 2017), 4. Used with permission from NACD.

    IV. Understanding How CPA
    Firms Can Assist Boards of
    Directors in Their Oversight of
    Cybersecurity Risk Management

    The issues and challenges of cybersecurity are evolving
    rapidly. Although cybersecurity risk management practices
    are generally beyond the scope of a financial
    statement audit, CPAs are in a strong position to play
    an important role in informing the advancement of these
    practices. The CPA profession’s commitment to continuous
    improvement, public service, and increased investor
    confidence has resulted in a greater focus on this area.

    The questions below aim to foster a dialogue between
    auditors and those board members in a cybersecurity risk
    oversight role about identifying incremental offerings that
    CPA firms may provide to companies.


    1. Since the financial statement auditor’s focus is
    on IT risks that affect financial reporting, including
    disclosures and ICFR, what additional offerings can
    CPA firms with cybersecurity expertise provide to assist
    board members in executing their broader oversight
    responsibilities related to cybersecurity risks?

    2. The AICPA recently issued a cybersecurity risk
    management reporting framework. How can this
    framework be used as a self-assessment tool to
    help management or the auditor (via a readiness
    engagement) identify opportunities for improvement in
    the company’s cybersecurity risk management program?

    3. How is the AICPA cybersecurity risk management
    reporting framework used by auditors as part of
    an attestation service to evaluate management’s
    description of its cybersecurity risk management
    program and to determine whether controls within
    the program were effective to achieve the company’s
    cybersecurity objectives?

    4. What technical expertise do CPA firms possess that
    qualifies them to perform a readiness engagement and/
    or an examination to validate effectiveness of controls
    specific to a company’s cybersecurity risk management
    5. The SOC for Cybersecurity examination (see sidebar
    on page 6) cannot prevent or detect a cybersecurity
    threat or breach. Accordingly, what is the goal of the
    cybersecurity examination?

    6. What factors should be considered by the company and
    the CPA firm prior to engaging its financial statement
    auditors to perform the readiness assessment or
    examination for entities subject to SEC independence

    7. What is the audit profession doing to help address
    cybersecurity risks from third party vendors or service

    8. What other types of engagements are available to help
    board members with cybersecurity risk oversight?

    With the increased focus by regulators and investors on
    cybersecurity risk management and disclosures, company
    management and board members in their oversight roles
    are making enterprise-wide cybersecurity risk management
    a priority. While not an exhaustive list, the questions in
    this tool can help foster dialogue among board members
    responsible for cybersecurity risk oversight, company
    management, and auditors; they can also help clarify
    roles and responsibilities as well as actions that may be
    considered. This tool also aims to provide information about
    how those charged with cybersecurity risk oversight can
    leverage existing independent advisors—such as CPA
    firms—to help fulfill their fiduciary responsibilities.

    Distinguishing Between SOC 2 Examinations
    and SOC for Cybersecurity Examinations

    The term system and organization controls
    (SOC), as defined by the AICPA, refers to the suite
    of services CPA practitioners may provide that
    relate to assurance over system-level controls
    of a service organization and system- or entity-
    level controls of other organizations. The AICPA’s
    cybersecurity risk management examination
    discussed in this tool is also known as SOC for

    A SOC 2 – SOC for Service Organizations
    examination is a separate and distinct offering.
    It may be used, for example, to report on the
    effectiveness of controls within a specific system
    occurring at an organization that provides
    outsourcing services to user entities.

    To learn more about the difference between
    these two services, see the AICPA’s 2017
    whitepaper: SOC 2® Examinations and SOC for
    Cybersecurity Examinations: Understanding the
    Key Distinctions.9

    9. The white paper is available at the AICPA website.




    Appendix A
    Questions for the Board to Ask Management About Cybersecurity

    The following questions are reprinted with permission from NACD, Director’s Handbook on Cyber-Risk Oversight, 2017
    ed. (Washington, DC: NACD, 2017), 21-23.


    1. Were we told of cyberattacks that have already
    occurred and how severe they were?

    2. What are the company’s cybersecurity risks, and how
    is the company managing these risks?

    3. How will we know if we have been hacked or
    breached, and what makes us certain we will find out?

    4. Who are our likely adversaries?

    5. In management’s opinion, what is the most serious
    vulnerability related to cybersecurity (including within
    our IT systems, personnel, or processes)?

    6. If an adversary wanted to inflict the most damage on
    our company, how would they go about it?

    7. Has the company assessed the insider threat?

    8. When was the last time we conducted a penetration
    test or an independent external assessment of our
    cyber defenses? What were the key findings, and how
    are we addressing them? What is our maturity level?

    9. Does our external auditor indicate we have
    cybersecurity-related deficiencies in the company’s
    internal controls over financial reporting? If so, what
    are they, and what are we doing to remedy these


    1. What are the leading practices for cybersecurity, and
    where do our practices differ?

    2. Do we have appropriately differentiated strategies for
    general cybersecurity and for protecting our mission-
    critical assets?

    3. Do we have an enterprise-wide, independently
    budgeted cyber-risk management team? Is the
    budget adequate? How is it integrated with the overall
    enterprise risk management process?

    4. Do we have a systematic framework, such as the
    NIST Cybersecurity Framework, in place to address
    cybersecurity and to assure adequate cybersecurity

    5. Where do management and our IT team disagree on

    6. Do the company’s outsourced providers and
    contractors have cybersecurity controls and policies
    in place? Are those controls monitored? Do those
    policies align with our company’s expectations?

    7. Does the company have cyber insurance? If so, is it

    8. Is there an ongoing, company-wide awareness and
    training program established around cybersecurity?

    9. What is our strategy to address cloud, BYOD, and
    supply-chain threats?

    10. How are we addressing the security vulnerabilities
    presented by an increasingly mobile workforce?


    1. What are the leading practices for combating insider
    threats, and how do ours differ?

    2. How do key functions (IT, HR, Legal, and
    Compliance) work together and with business
    units to establish a culture of cyber-risk awareness
    and personal responsibility for cybersecurity?
    Considerations include the following:

    a. Written policies covering data, systems, and
    mobile devices should be required for all employees.

    b. Establishment of a safe environment for
    reporting cyber incidents (including self-
    reporting of accidental issues).

    c. Regular training on how to implement company
    cybersecurity policies and recognize threats.

    3. How have we adapted our personnel policies,
    such as background checks, new employee
    orientation, training related to department/role
    changes, employee exits, and the like, to incorporate

    4. How do our operational controls, including access
    restrictions, encryption, data backups, monitoring
    of network traffic, etc., help protect against insider

    5. Do we have an insider-incident activity plan that
    spells out how and when to contact counsel, law
    enforcement and/or other authorities, and explore
    legal remedies?


    1. How do we balance the financial opportunities (lower
    costs, higher efficiency, etc.) created by greater
    supply-chain flexibility with potentially higher cyber

    2. How much visibility do we currently have across
    our supply chain regarding cyber-risk exposure and
    controls? Which departments/business units are

    3. What will need to be done to fully include
    cybersecurity in current supply-chain risk

    4. How are cybersecurity requirements built into
    contracts and service-level agreements? How
    are they enforced? Contracts and service-level
    agreements can be written to include requirements
    for the following:

    a. Written cybersecurity policies

    b. Personnel policies, such as background
    checks, training, etc.

    c. Access controls

    d. Encryption, backup, and recovery policies

    e. Secondary access to data

    f. Countries where data will be stored

    g. Notification of data breaches or other cyber

    h. Incident-response plans

    i. Audits of cybersecurity practices and/or regular
    certifications of compliance

    5. How difficult/costly will it be to establish and maintain
    a viable cyber-vulnerability and penetration-testing
    system for our supply chain?

    6. How difficult/costly will it be to enhance monitoring of
    access points in the supplier networks?

    7. Do our vendor agreements bring new legal risks or
    generate additional compliance requirements (e.g.,
    FTC, HIPAA, etc.)?

    8. Are we indemnified against security incidents on the
    part of our suppliers/vendors?


    1. How will management respond to a cyberattack?
    Does the company have a validated incident-
    response plan? Under what circumstances will law
    enforcement and other relevant government entities
    be notified?

    2. For significant breaches, is our communication
    adequate as information is obtained regarding the
    nature and type of breach, the data impacted, and the
    ramifications to the company and the response plan?

    3. Are we adequately exercising our cyber-
    preparedness and response plan?

    4. What constitutes a material cybersecurity breach?
    How will such events be disclosed to investors?




    1. How did we learn about the incident? Were we
    notified by an outside agency, or was the incident
    discovered internally?

    2. What do we believe was stolen?

    3. What has been affected by the incident?

    4. Have any of our operations been compromised?

    5. Is our cyber-incident response plan in action, and is it
    working as planned?

    6. Whom must we notify about this incident (materiality),
    whom should we notify, and is our legal team
    prepared for such notifications?

    7. What is the response team doing to ensure that the
    incident is under control and that the hacker no longer
    has access to our internal network?

    8. Do we believe the hacker was an internal or an
    external actor?

    9. What were the weaknesses in our system that
    allowed the incident to occur (and why)?

    10. What steps can we take to make sure this type of
    event does not happen again?

    11. What can we do to mitigate any losses caused by the


    In addition to external counsel, boards and
    management teams should consider whether to notify
    the following:

    ► Independent forensic investigators

    ► The company’s insurance provider

    ► The company’s external audit firm

    ► Crisis communications advisors

    ► Law enforcement agencies (e.g., the Federal Bureau
    of Investigation, Department of Homeland Security, US
    Secret Service)

    ► Regulatory agencies

    ► US Computer Emergency Response Team (US-



    Appendix B
    Additional Resources

    ► AICPA: Cybersecurity Resource Center

    ► AICPA: SOC for Cybersecurity web page

    ► AICPA: SOC 2® Examinations and SOC for Cybersecurity Examinations: Understanding the Key Distinctions
    (December 2017)

    ► CAQ: Cybersecurity Resource web page

    ► CAQ: The CPA’s Role in Addressing Cybersecurity Risk (May 2017)

    ► Council of Institutional Investors, Prioritizing Cybersecurity: Five Investor Questions for Portfolio Company Boards
    (April 2016)

    ► NACD: Director’s Handbook on Cyber-Risk Oversight (January 2017)

    ► SEC: Commission Statement and Guidance on Public Company Cybersecurity Disclosures (February 2018)

    ► SEC: CF Disclosure Guidance: Topic No. 2 (October 2011)

    ► SEC: Office of Compliance Inspections and Examinations 2018 Examination Priorities

    About the Center for Audit Quality
    The CAQ is an autonomous public policy organization dedicated to enhancing investor confidence and public trust
    in the global capital markets. The CAQ fosters high-quality performance by public company auditors; convenes and
    collaborates with other stakeholders to advance the discussion of critical issues that require action and intervention; and
    advocates policies and standards that promote public company auditors’ objectivity, effectiveness, and responsiveness
    to dynamic market conditions. Based in Washington, DC, the CAQ is affiliated with the American Institute of CPAs.


    Please note that this publication is intended as general information and should not be relied upon as being definitive or all-inclusive. As with all other
    CAQ resources, this is not authoritative and readers are urged to refer to relevant rules and standards. If legal advice or other expert assistance is required,
    the services of a competent professional should be sought. The CAQ makes no representations, warranties, or guarantees about, and assumes no
    responsibility for, the content or application of the material contained herein and expressly disclaims all liability for any damages arising out of the use of,
    reference to, or reliance on such material. This publication does not represent an official position of the CAQ, its board or its members.

    Auditing for Cybersecurity Risk – The CPA Journal (page printed 7/1/2021)

    Auditing for Cybersecurity Risk
    Featured, Columns, June 2019 Issue
    By Steven Wertheim

    Around the globe, cybercrime cost society over $3 trillion in 2018, and this cost is forecast to rise to $6 trillion by 2021 (“Cybercrime Damages $6 Trillion by 2020,” Cybersecurity Ventures, Dec. 7, 2018); doubling over three years is a compound increase of roughly 26% per year. At $6 trillion, cybercrime will represent approximately 7% of worldwide GDP and will be the third largest component of the world economy, just behind the GDPs of the United States and China. U.S. ransomware costs have grown from $25 million in 2014 to over $8 billion in 2018 and are showing no signs of stopping (“Global Ransomware Damage Costs Predicted To Exceed $8 Billion In 2018,” Cybersecurity Ventures, June 28, 2018).

    Ginni Rometty, IBM’s chairperson, CEO, and president, has stated that “cybercrime represents the greatest threat to every company in the world” (Steve Morgan, “IBM’s CEO On Hackers: ‘Cyber Crime Is The Greatest Threat To Every Company In The World,’” Nov. 24, 2015).

    Yet society continues to ignore the issue or pass the buck, saying that cybercrime is a complex technology problem. In reality, cybersecurity is everyone’s responsibility, as 89% of all cyberattacks come from inside organizations via malfeasance or nonfeasance (“The Primary Factors Motivating Insider Threats,” ObserveIT, May 21, 2018).

    The Scope of the Problem

    According to a GAO audit released in September 2018, government agencies, including those of the federal government, are failing to adequately address cybersecurity risks, jeopardizing not only the operations of the federal and state governments but also the personal information of U.S. citizens (Urgent Actions Needed to Address Cybersecurity Challenges Facing the Nation). The report notes that, of the more than 3,000 recommendations the agency has issued since 2010, 1,000 had not been implemented as of August 2018. In addition, 31 of the 35 highest priority recommendations have not been addressed, including the following:

    Develop and execute a more comprehensive federal strategy for national cybersecurity and global cyberspace

    Improve implementation of government-wide cybersecurity initiatives

    Strengthen the federal government’s role in protecting the cybersecurity of critical infrastructure (e.g., the electric grid and telecommunications networks).

    No venture intends to fail, so why are companies failing so badly? Consider the following three examples:

    Equifax suffered a major breach in March 2017, but the company did not discover it until July 2017. It neglected to report the breach to the public and did so only after an SEC insider trading investigation into several executives uncovered that the executives knew about the breach. It was finally reported to the public in September 2017, yet Equifax was ill prepared to determine the actual number of breached individuals and failed to provide accurate information to the third-party remediation firm. The U.S. Senate report on the breach castigated Equifax for:

    not following its own patch policy (8,500 known vulnerabilities, including 1,000 critical vulnerabilities, were identified by a 2015 audit. Equifax failed to do any follow-up audits or patch its systems. Equifax’s patching policy mandated that the company’s IT department patch critical vulnerabilities within 48 hours.)

    deliberately choosing to save personally identifiable information (PII), including usernames and passwords, in unencrypted file shares accessible by Equifax employees, and not having basic tools in place to detect and identify changes to files.

    On May 22, 2019, Moody’s revised its outlook on Equifax’s rating to “negative,” saying, “Higher cybersecurity costs will continue to hurt the company’s profit and free cash flow for the foreseeable future.” While this is the first such rating action taken as the direct result of a cyberattack, it will not be the last.
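    Two of the failures listed above are controls an auditor can test mechanically from a company’s own records rather than from management’s assurances: was every critical vulnerability fixed within the 48-hour window the policy promised, and would a change to a sensitive file have been noticed at all? The Python block below is an added example written for this page; it is not code from the article, from the Senate report or from Equifax. The vulnerability register, the file contents (including the planted web shell), the SLA hours for the non-critical tiers and the as-of date are all constructed for illustration; only the 48-hour figure for critical findings comes from the text.

```python
"""Two control tests an auditor can run against a company's own evidence:
(1) patch-SLA compliance and (2) detection of changes to sensitive files.
Added example for this page; every record below is constructed."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Hours allowed from discovery to fix. 48h for critical is the figure the
# page quotes from the Equifax policy; the high/medium tiers are assumed.
SLA_HOURS = {"critical": 48, "high": 168, "medium": 720}


@dataclass
class Finding:
    finding_id: str
    severity: str
    discovered: datetime
    patched: Optional[datetime]  # None means the finding is still open


def sla_breaches(findings: List[Finding], as_of: datetime,
                 sla_hours: Dict[str, int] = SLA_HOURS) -> List[Tuple[str, str, timedelta]]:
    """Return (id, severity, overdue_by) for every finding that was fixed late
    or is still open past its deadline as of `as_of`. Open findings are
    measured against `as_of`, so an unpatched critical keeps accruing time."""
    breaches = []
    for f in findings:
        deadline = f.discovered + timedelta(hours=sla_hours[f.severity.lower()])
        closed_or_now = f.patched or as_of
        if closed_or_now > deadline:
            breaches.append((f.finding_id, f.severity, closed_or_now - deadline))
    return breaches


def fingerprint(files: Dict[str, bytes]) -> Dict[str, str]:
    """Baseline: SHA-256 of each file's content, keyed by path."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def file_changes(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two fingerprints and report added, removed and modified paths."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


# --- constructed sample evidence (not real Equifax data) -------------------
AS_OF = datetime(2017, 3, 20)
SAMPLE_FINDINGS = [
    Finding("V-001", "critical", datetime(2017, 3, 7), datetime(2017, 3, 8, 12)),  # 36h: on time
    Finding("V-002", "critical", datetime(2017, 3, 7), None),                      # still open
    Finding("V-003", "high", datetime(2017, 3, 1), datetime(2017, 3, 6)),          # 120h of 168h
    Finding("V-004", "critical", datetime(2017, 3, 10), datetime(2017, 3, 13)),    # 72h: 24h late
]

BASELINE_FILES = {
    "/srv/web/login.jsp": b"<html>login form</html>",
    "/srv/web/old.jsp": b"<html>retired page</html>",
    "/etc/app/config.xml": b"<config debug='false'/>",
}
CURRENT_FILES = {
    "/srv/web/login.jsp": b"<html>login form</html><%-- injected --%>",  # modified
    "/srv/web/cmd.jsp": b"<% Runtime.getRuntime().exec(request.getParameter(\"c\")); %>",  # added
    "/etc/app/config.xml": b"<config debug='false'/>",
}


if __name__ == "__main__":
    for fid, sev, overdue in sla_breaches(SAMPLE_FINDINGS, AS_OF):
        print(f"{fid} ({sev}) missed its SLA by {overdue}")
    print(file_changes(fingerprint(BASELINE_FILES), fingerprint(CURRENT_FILES)))
```

    Run against the constructed register, the SLA check flags V-002 (still open, eleven days past its deadline) and V-004 (patched, but a day late); the file comparison reports the new cmd.jsp, the removed old.jsp and the altered login.jsp. The auditor's question is then not "do you have a patch policy?" but "show me the register and the baseline, and let me run the check."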

    Starwood suffered a significant data breach of approximately 500 million customers’ information. Included in the theft were over 327 million records with PII and over 5 million unencrypted passport numbers. The breach dated back to 2014, but was not detected until September 2018. For more than 1,300 days, Starwood’s data had been compromised and no one, including Marriott, which agreed to acquire Starwood in November 2015, knew about the breach. Of note, the FBI Electronic Crimes division estimates that for every 100 days between a breach and the discovery of the breach, the cost of the breach doubles. Thirteen such doublings suggest that the ultimate cost of the Starwood breach will be 2^13, or 8,192, times the “original” cost had it been discovered immediately. A comprehensive security assessment at any time over the 1,300-day period would have found the breach.

    On April 29, 2019, Citrix sent a letter to the attorney general of California confirming that a breach had occurred on October 13, 2018, 198 days earlier. In the letter, Citrix confirmed that it was advised of the breach by the FBI on March 9, but waited seven additional weeks to inform the public. It also advised the public to utilize monitoring services from Equifax.

    In none of the cases above were technology and tools the root causes of the severity of the attack. All too frequently, the cause of a breach lies in the actions of human


    What Are the Compelling Issues?

    Lack of business focus.
    When a cyber-crime event occurs, the information security (IS) team or information technology (IT) team immediately begins attacking the problem with all of its resources. Too often, however, these efforts remain siloed from the rest of the business. At the same time, business units are experiencing critical systems failures and “pinging” the IT and IS teams to find out what is happening, and executives are dealing with the public reaction to the incident and its potential market implications. This only adds to the chaos, exacerbating the cost of the breach and significantly increasing the likelihood that the business will fail.


    Inadequate resourcing and training.
    Companies too often view incident response as a sunk cost that has no benefit to the bottom line. Executives express concern that incident response costs are taking money, time, and people away from driving revenue. Moreover, when organizations conduct cybersecurity training, the focus is usually on the IT and IS teams, as opposed to the entire business. Even when companies do company-wide training, the message often does not stick. As a result, too many companies inadequately prepare themselves for an attack that, sooner or later, will occur.

    Inadequate understanding of the risks.


    How many organizations really understand the level of cybersecurity risk? How often do companies perform a cybersecurity framework risk assessment? When speaking to risk executives, the most frequent response to “What keeps you up at night?” is “I have no idea where my most critical data reside.” Auditors are tasked with documenting and categorizing risk; if they do not know where the critical data reside, how can they effectively measure and report on the client’s risk, especially in the case of small and medium-sized businesses?

    In 2016, a clothing manufacturer contracted for a social engineering pen test at a secure site, accessible only via card-key locked doors. The testing team successfully penetrated the most secure systems in the company, including its mainframe, in less than two hours without using a single technology tool. In another example, a large Wall Street financial services company recently discussed how it repeatedly tests employee adherence to corporate email standards. One key policy is that employees never open e-mail attachments from an unknown source; during its last test, however, 65% of employees opened the attachments on the test phishing e-mail.

    Inadequate monitoring.
    Unified training as to why cybersecurity tools provide critical support, which parts of the data infrastructure represent the greatest risk to the business, and how to mitigate those risks, is sorely lacking at many companies. There is a fundamental lack of risk analysis and assessment. Consider the examples above: Equifax, Starwood, and Citrix all possessed and used best-in-class, comprehensive security information and event management (SIEM) monitoring tools. Yet in each case, the tools were being directed at the wrong areas. Starwood’s breach was not noticed for over 1,300 days. Equifax’s monitoring was so bad that when Mandiant came in after the breach, it was given inaccurate information. The Citrix incident is still so fresh that it will be several months before observers know what happened. Consider also MyHeritage, which only found out about a breach of 93 million customer records when a university researcher sent a file he found on the dark web, entitled “MyHeritage files”, to the MyHeritage chief information security officer (CISO) asking, “Is this yours?”

    Lack of an incident response plan (IRP).
    This is primarily a problem in small and medium-sized companies. A company’s size does not obviate its risk, however; in the United States, FEMA reports that 70% of cyberattacks are aimed at small and medium-sized companies, which make up only 50% of the business landscape. According to FEMA and the National Cyber Security Alliance, as much as 60% of small and medium-sized companies that are attacked go out of business after six months. In the United States in 2018, there were approximately 217,000 businesses between $10 and $500 million of annual revenue; that means more than 65,000 businesses can be expected to fail due to economic fallout from a cyberattack. Any time a business fails, there are ripple effects. For example, insurers have to pay out on claims, service companies lose clients, and real estate companies lose rental income.

    Lack of updating and testing of the IRP.
    Once organizations have an IRP, they tend to check off the compliance box, put the plan on a shelf, and don’t bother looking at it again until an incident occurs. This leaves them with IRPs that do not reflect the current business environment, responsibilities, regulatory requirements, or staff. Too often, companies end up with multiple points of failure within their plans; by not testing their plans on a regular basis, organizations have no way to validate their efficacy or remediate their weaknesses. Some businesses rely on cyberinsurance to mitigate the risk, but most cyberinsurance policies for small and medium-sized companies have a $250,000 coverage limit, while the median cost to a small company (25 employees or less) to recover from a cyberattack is $690,000. The median cost for a 100-employee company is $1.1 million, and the costs rise geometrically from there.


    Lack of third-party support.
    The chief information/chief security officer of a large New York–based credit union once shared his nightmare experience with the author, describing the helpless panic he felt in negotiating a deal with a world-class response vendor for the first 72 hours after a major data breach. He talked about his lack of leverage in negotiating anything with the third party, all while his credit union was front-page news. It was the worst 72 hours of his career.

    The reason for third-party support is to get an unbiased view of the problem. The biggest challenge an organization has during an incident is that too many staff members operate under assumptions because they know the business and take logical shortcuts. Assumptions almost never match up to the reality, however, exacerbating the impact of the incident. The third party does not know the business and therefore must follow the documentation and the defined processes.

    Lack of audit involvement.
    Auditing is a key component in risk assessment and prevention. Without an independent set of eyes looking at the processes, policies, and governance issues, how can an organization ever have a clear picture of the risk? How can auditors ever certify the overall business health of the client—a critical part of 10-Ks and annual reports—without that understanding?

    If this were primarily a technology problem, the big financial service firms and technology firms would never be hit, but they are. If this were only a technology problem, cybercrime would not be growing as fast as it is. The human factor underpins so much of the risk that enables cyberattacks and allows them to succeed, and it does so on both sides. Both the breachers and the company insiders whose mistakes enable successful breaches are human. There is an affirmative obligation for everyone responsible for cybersecurity (i.e., everyone) to recognize that ignoring the problem does not solve anything.

    Companies must learn to live with cyberattacks as a normal part of daily business. That said, they can significantly reduce the impact of these attacks and protect the digital assets that have more value to businesses than cash in the bank.

    7/1/2021 Auditing for Cybersecurity Risk – The CPA Journal 5/8

    Focus on the business.
    Incident response is a vital requirement for corporate health. It is a function that should report to the CEO or the board and be treated as a primary fiduciary responsibility by the board and executive team. Cybersecurity should be viewed as a business issue, not a technology issue, and every part of the business should be on the same page. Auditors need to call this out.

    Understand the risks.
    Auditors should ask clients, “Where is your most critical data?” If management is not able to answer that question simply, that’s a problem. In addition, auditors should ask about the IRP, password controls, regulatory impacts, and cybersecurity framework assessments such as National Institute of Standards and Technology (NIST) SP 800-53 or NIST SP 800-171. Auditors should understand the entire governance framework in use and assist by bringing in the right third-party resources to do the


    Audit to ensure adequate resourcing.
    An incident response team, when properly constructed, serves the needs of the business. To do that, the team must have stakeholders and representatives from all parts of the business. In addition, there should never be a single point of failure in any aspect of incident response. The only way to get organizations to understand the impact of these risks is to provide training.

    Update understanding of the risks.
    Assess the risk of the client’s environment on a regular basis. Identify the risks and look closely at which risks are most critical. An easy decision is to get rid of passwords; as currently constructed, password controls are a failure. Bill Burr, a manager at NIST who wrote the password primer in 2003 that recommended many of the rules now in use, concedes that he was wrong and that the current paradigm actually increases risk. Instead, some form of multifactor authentication should be mandatory, such as a gold-chip ID card (e.g., PIV, PIV-I, or RapidGate) tied to a registered device, such as the user’s cellphone.

    Patch security flaws in a timely fashion.
    Yes, there is much regression testing that needs to be done, and one patch can sometimes break production applications. But consider that the NotPetya/WannaCry(pt) day-zero patch was released in March 2017, and companies waited between 3 and 18 months to patch for it, at a cost of over $10 billion worldwide. The more than $348 million lost at Reckitt Benckiser alone is far greater than the cost of a short-term production failure.

    Implement more active and effective monitoring.
    Once an organization understands the risks, it can effectively deploy the tools to better monitor risk areas. Furthermore, best practices dictate that an organization should have a predefined plan for periodic security framework assessments. This means using the best third-party tools available to do a deep scan of the entire enterprise. Whether done annually, biannually, quarterly, or continuously, know the timeframes. With a cross-industry average of approximately 220 days between a breach and its discovery, make an informed decision on how long the company can afford to leave an incident undiscovered.


    Audit the IRP.
    If one does not exist, raise it as an audit exception. Ensure that the IRP is fully cross-functional, with multiple resources from each of the following:

    The executive suite
    Business side
    Customer service
    IT and IS
    Service desk
    Security incident response team (SIRT)
    Marketing and communications

    Make sure to include links to shareholders, the board, and investors. Empower the plan to get in front of bad news, as opposed to responding to the flurry of media requests. A key goal of the IRP is to make sure all parts of the organization are speaking with a single voice. Do not devolve into a blame game; work the problem


    Update and test the IRP regularly.
    Businesses are not static, and the IRP should always reflect the business. Build in the appropriate collaboration tools to support updates to the plan at least once a year. When testing the plan, try to make it fail—far more can be learned from plan failures than from a smooth, no-issue test. The goal is not to assign blame; the goal is to find any embedded weaknesses and remediate them quickly. When the real event occurs, a tested and updated plan will always assist in recovering faster and at a far lower cost than otherwise.

    Perform a physical audit.
    The number of password violations in any organization is staggering. Flag them.

    Obtain proper third-party support.

    Establish a retainer agreement with one or more forensic or incident response consultants. Having an independent, objective view is a critical element in developing a complete picture of the incident. Work with the third-party vendor to conduct an annual security audit.

    Cybersecurity must be part of the fabric of any business, and auditing can facilitate this. Ultimately, effective cybersecurity is about taking fiduciary responsibility.

    Steven Wertheim is president of SonMax Consultants Inc., Marlboro, N.J.





    The State of Cyber-Risk Disclosures of Public Companies

    March 2021



    The U.S. Securities and Exchange Commission (the “SEC,” or the “Commission”) has in recent
    years demanded greater transparency from public companies in how they identify, measure,
    and manage cyber-risk. Too often, cyber-related disclosure language is boilerplate in a way that
    could not assist an investor in assessing a company’s cyber-risk profile or management of those

    In the wake of SolarWinds and the increased supply-chain security scrutiny in Washington DC,
    companies should be explaining to investors the specific risks they face from cybersecurity
    threats, including, among others, operational disruption, intellectual property theft, loss of
    sensitive client data, and fraud caused by business email compromises. Companies should also
    be explaining the categories of both technologies and processes they employ to mitigate those
    risks. Failure to do so is increasingly costly and is described by former SEC Commissioner
    Robert J. Jackson Jr. as “the most pressing issue in corporate governance today.”

    In practice, businesses are slowly but unmistakably moving in the direction of increased
    transparency. This trend must continue for investors to begin deriving actionable value from
    cyber-risk disclosures. For example, certain companies are beginning to identify the specific
    technologies they are using in their program through their cyber-risk disclosures; others have
    started noting the materiality of their vendor risk exposure, to which regulators are paying
    particular attention in the aftermath of the 2020 SolarWinds attack. The next logical step is for
    these evolutions to converge.

    An increasing number of tools are available to help companies evaluate their own security
    posture and that of their partners and vendors. For example, security ratings, as recently
    recommended by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), can
    create objective metrics to cover, amongst others, leading cyber hygiene indicators like
    Domain Name System (DNS) health, web application security, network security, leaked
    information, endpoint security, and patching cadence.

    There are signs Congress may step in. Bipartisan legislation has already been introduced (the
    Cybersecurity Disclosure Act of 2019) that would direct the SEC to require public companies
    to disclose board expertise or experience in cybersecurity. Likewise, the Cyberspace Solarium
    Commission has recommended amending the Sarbanes-Oxley Act of 2002 (15 U.S.C. 7201) to
    “harmonize and clarify cybersecurity oversight and reporting requirements” for publicly traded

    While disclosure regulations are adequate, investors need more specificity about cyber-risk to
    appropriately manage their market exposure. Companies should articulate what strategies and
    tools they are using to manage cyber-risk (e.g., incident response planning, deploying available
    technologies, and using independent or outside-in assessments).



    By: SecurityScorecard, National Association of Corporate Directors (NACD), Cyber Threat
    Alliance, IHS Markit, and Diligent

    As is evident from its webpage, “Spotlight on Cybersecurity, the SEC and You”, the SEC
    continues to focus on both (1) increased cybersecurity risks faced by public companies and
    regulated entities, and (2) investors’ reliance on inadequate cybersecurity risk disclosures.
    The SEC issued best practices guidance in 2018 for cybersecurity risk disclosures (the “2018
    SEC Guidance”), expanding on related guidance from 2011.1 Likewise, in December 2019, the
    SEC’s Division of Corporation Finance issued staff guidance on the disclosure obligations of
    public companies with respect to intellectual property and technology risks associated with
    international business operations, stating:

    “[…] we encourage companies to provide disclosure that allows investors to evaluate these
    risks through the eyes of management. Importantly, disclosure about these risks should
    be specifically tailored to a company’s unique facts and circumstances. In this same vein,
    where a company’s technology, data or intellectual property is being or previously was
    materially compromised, stolen or otherwise illicitly accessed, hypothetical disclosure of
    potential risks is not sufficient to satisfy a company’s reporting obligations.”2

    The Office of Compliance Inspections and Examinations published ransomware and credential
    compromise risk alerts in July and September 2020, respectively, in response to an increased
    number of cyber-attacks against SEC-regulated market and investment intermediary
    registrants.3 Gartner has also reported on the “surge in ransomware affecting organizations’
    operational systems” and supply chains.4 NACD estimates that 2020 saw seven times more
    ransomware attacks than 2019, attributable at least in part to vulnerabilities introduced by
    entire workforces transitioning to a remote work environment in response to the COVID-19
    pandemic.5 Yet even the most damaging of these ransomware events are under-reported in
    cyber-risk disclosures.

    1 Securities and Exchange Commission, “Commission Statement and Guidance on Public Company Cybersecurity Disclosures”, Nos. 33-10459; 34-
    82746, February 26, 2018, available online at: .

    2 Guidance issued by the Division of Corporation Finance “is not a rule, regulation or statement of the Securities and Exchange Commission. Further,
    the Commission has neither approved nor disapproved its content.” Division of Corporation Finance, Securities and Exchange Commission, “Intellectual
    Property and Technology Risks Associated with International Business Operations,” December 19, 2019, available online at:

    3 While the Office of Compliance Inspections and Examinations’ risk alerts are not rules, regulations, or statements of the SEC, and have no legal force
    or effect, “the results of [its] examinations are used by the SEC to inform rule-making initiatives, identify and monitor risks and improve industry practices
    and pursue misconduct.” About the Office of Compliance Inspections and Examinations, modified August 26, 2020, available online at: https://www.; Office of Compliance Inspections and Examinations, Risk Alert, September 15, 2020, “Cybersecurity: Safeguarding
    Client Accounts against Credential Compromise”, available online at: ; Of-
    fice of Compliance Inspections and Examinations, Risk Alert, July 10, 2020, “Cybersecurity: Ransomware Alert”, available online at:
    Alert%20-%20Ransomware .

    4 Gartner, press release, “Gartner Predicts 40% of Boards Will Have a Dedicated Cybersecurity Committee by 2025,” January 28, 2020, available
    online at:–of-boards-will-have-a-dedicated-.

    5 C. Hetner and R. Peak, National Association of Corporate Directors, “Cyber Agenda May Affect Liability, Disclosure, and Enforcement,” January 26,
    2021, available online here:



    While the SEC and investors view cyber-risk as a priority concern, the average public
    company’s cyber disclosure contains insufficient detail for investors looking to evaluate its risk
    profile and to understand which remediation strategies, if any, it has implemented to control
    for the identified risks. Failure to articulate risk and mitigation strategies is increasingly
    costly: the World Economic Forum reported a 27.4% year-on-year increase in the per-company
    annual cost of responding to cyberattacks, which averaged £11.7M in 2017 (about USD 15M
    in 2017 dollars).6 Former SEC Commissioner Robert J. Jackson Jr. characterized rising cyber
    threats as “the most pressing issue in corporate governance today,” in a March 2018 speech
    delivered at the Tulane Corporate Law Institute.7 79% of the 1,500 global business leaders that
    participated in the annual 2019 Global Cyber Risk Perception Survey ranked cyber-risk as a
    top five concern for their organization.8 Similarly, Gartner’s most recent Board of Directors
    Survey found that “cybersecurity-related risk is rated as the second-highest source of risk for
    the enterprise,” and “few directors [surveyed] feel confident that their company is properly
    secured against a cyberattack.”9 Certain investors have represented that “given the current
    environment where cybersecurity attacks are inevitable, they are specifically focused on
    companies’ response and recovery mechanisms,” not only whether a company has experienced
    a cybersecurity incident.10 And in fact, poor cyber-transparency is said to “undermine investor
    confidence and negatively impact credit quality,” and to “complicate efforts by companies to
    raise capital and access liquidity.”11

    The SEC has in the past pursued enforcement action against companies that under-disclose
    or fail to disclose relevant cyber-risks to investors. In 2018, for example, the SEC announced
    that Altaba Inc. (formerly known as Yahoo!, Inc.) had agreed to a $35 million penalty to settle
    charges that it misled investors by failing to disclose what was at the time the largest-ever theft
    of user data, affecting over 500 million user accounts.12 Yahoo! failed to disclose that it had
    suffered a breach in every quarterly and annual report it filed for almost two years. Only after
    entering into an agreement to be acquired by Verizon Communications did it make known that
    it had suffered a breach in 2014.13 In October 2018, the SEC investigated nine public company
    victims of cyber-related fraud—specifically, business email compromises (BECs) involving
    “spoofed or otherwise compromised electronic communications” that resulted in payments

    6 World Economic Forum, “The Global Risks Report 2018”, 13th ed., 17 January, 2018, available online at:
    Report , at 15.

    7 Former SEC Commissioner Robert J. Jackson Jr., “Corporate Governance: On the Front Lines of America’s Cyber War”, March 15, 2018, speech deliv-
    ered at Tulane Corporate Law Institute, available online at:

    8 Marsh and Microsoft, 2019 Global Cyber Risk Perception Survey, September 2019, available online at:

    9 Gartner, press release, “Gartner Predicts 40% of Boards Will Have a Dedicated Cybersecurity Committee by 2025,” January 28, 2020, available
    online at:–of-boards-will-have-a-dedicated-.

    10 Bridget M. Neill, Chuck Seets, and Steve W. Klemash, “Disclosure on Cybersecurity Risk and Oversight”, October 17, 2019, Harvard Law School Forum
    on Corporate Governance, available online at:

    11 Moody’s Investors Service, Research Announcement, “Cybersecurity disclosures vary greatly in high-risk industries,” October 3, 2019, available online

    12 SEC Press Release, “Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million”,
    April 24, 2018, available online at:

    13 Securities and Exchange Commission, In the Matter of Altaba Inc., f/d/b/a Yahoo! Inc., Order Instituting Cease-and-Desist Proceedings Pursuant to
    Section 8A of the Securities Act of 1933 and Section 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing a Cease-and-desist
    Order, Section 16, available online at: .


    to accounts controlled by the cybercriminals behind the scheme.14 The victim companies
    “may have violated federal securities laws by failing to have a sufficient system of internal
    accounting controls.”15 While the Commission ultimately decided not to pursue related
    enforcement actions, it “[deemed] appropriate and in the public interest […] to make issuers
    and other market participants aware that these cyber-related threats of spoofed or manipulated
    electronic communications exist and should be considered when devising and maintaining a
    system of internal accounting controls as required by the federal securities laws.”16


    A 2014 PricewaterhouseCoopers (PwC) report posited that corporate adoption of SEC
    cybersecurity guidance has “resulted in disclosures that rarely provide differentiated or
    actionable information for investors.”17 Similarly, scholars have stated that SEC guidance
    on cybersecurity risk disclosures “fails to resolve the information asymmetry at which the
    disclosure laws are aimed.”18 The subsequently published 2018 SEC Guidance aimed at
    bridging this gap has not had the intended effect of improving cyber-risk disclosures, which
    remain typically generic and fail to “provide specific information that is useful to investors.”19
    Former SEC Commissioner Jackson has described the 2018 SEC Guidance as “rel[ying]
    heavily on the judgments of corporate counsel to make sure investors get the information
    they need,” stating: “I worry that these judgments have, too often, erred on the side of
    nondisclosure, leaving investors in the dark—and putting companies at risk.”20

    According to a report published by Moody’s Investors Service in 2019, “banks and
    telecommunications & media companies had the most thorough disclosures, discussing their
    specific cybersecurity risk management strategies in a fair amount of detail.”21 Other sectors,
    including healthcare, retail, lodging, health insurance, medical devices, and transportation
    services, “provide the least amount of information, despite having experienced some of the
    most well-publicized cyber-attacks to date.”22

    14 Securities and Exchange Commission, “Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain
    Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements”, October 16, 2018, available online
    at: .

    15 Securities and Exchange Commission, “Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain
    Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements”, October 16, 2018, available online
    at: .

    16 Securities and Exchange Commission, “Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain
    Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements”, October 16, 2018, available online
    at: .

    17 PwC US and the Investor Responsibility Research Center, “What Investors Need to Know About Cybersecurity: How to Evaluate Investment Risks”,
    June 2014, available online at:

    18 Matthew F. Ferraro, “Groundbreaking” or Broken? An Analysis of SEC Cybersecurity Guidance, its Effectiveness, and Implications”, 77 Albany L. Rev.
    297 (2014).

    19 Securities and Exchange Commission, “Commission Statement and Guidance on Public Company Cybersecurity Disclosures”, Nos. 33-10459; 34-
    82746, February 26, 2018, page 13, available online at: .

    20 Former SEC Commissioner Robert J. Jackson Jr., “Corporate Governance: On the Front Lines of America’s Cyber War”, March 15, 2018, speech deliv-
    ered at Tulane Corporate Law Institute, available online at:

    21 Moody’s Investors Service, Research Announcement, “Cybersecurity disclosures vary greatly in high-risk industries,” October 3, 2019, available
    online at:–PBC_1196854.

    22 Moody’s Investors Service, Research Announcement, “Cybersecurity disclosures vary greatly in high-risk industries,” October 3, 2019, available
    online at:–PBC_1196854.


    Without more detail, SEC registrants’ oft-disclosed “risk of experiencing a cybersecurity
    incident” ultimately weakens the spirit of disclosure: “[i]t is not a question of whether a
    company will have a [cybersecurity] incident; rather it’s a matter of when and how prepared
    the company is to respond and minimize the impact of the incident.”23 For example, an
    American multinational hospitality company, in its 10-K for the 2019 fiscal year, disclosed that
    “[c]yber-attacks could have a disruptive effect on our business,” stating further:

    “From time to time we and our third-party service providers experience cyber-attacks,
    attempted and actual breaches of our or their information technology systems and networks
    or similar events, which could result in a loss of sensitive business or customer information,
    systems interruption or the disruption of our operations. The techniques that are used
    to obtain unauthorized access, disable or degrade service or sabotage systems change
    frequently and may be difficult to detect for long periods of time, and despite our deployment
    of cyber-attack prevention and detection techniques, we are accordingly unable to anticipate
    and prevent all data security incidents. We have in the past been subject to cyber-attacks and
    expect that we will be subject to additional cyber-attacks in the future and may experience
    data breaches.”

    Without explaining to investors what the company is doing to prevent and handle an
    anticipated breach, the tone of this and certain other SEC disclosures is resigned—“[e]ven if
    we are fully compliant with legal standards and contractual or other requirements, we still
    may not be able to prevent security breaches involving sensitive data.” A meaningful level of
    disclosure lies somewhere past citing abstract cybersecurity risks, and somewhere short of
    “detailed disclosures that could compromise [a company’s] cybersecurity efforts—for example,
    by providing a ‘roadmap’ for those who seek to penetrate a company’s security protections.”24

    Compare the disclosure above with the following 10-K language filed by a multinational
    technology company for the fiscal year ended June 30, 2020, which describes the protective
    technologies the company uses to combat cyber-risks:

    “To defend against security threats to our internal IT systems, our cloud-based services,
    and our customers’ systems, we must […] maintain the digital security infrastructure that
    protects the integrity of our network, products, and services, and provide security tools
    such as firewalls and anti-virus software and information about the need to deploy
    security measures and the impact of doing so” (emphasis added).

    The company’s description of its defensive approaches to cyber-risk provides a welcome
    level of detail for the investor looking to gauge its cybersecurity posture—an approach that is
    reportedly more common amongst European companies than their American counterparts,
    who instead “appear[] more reliant on insurance to manage the financial impact of cyber
    risk.”25 Yet it is only a first step towards drafting more useful disclosures, and leaves many

    23 PwC US and the Investor Responsibility Research Center, “What Investors Need to Know About Cybersecurity: How to Evaluate Investment Risks”,
    June 2014, page 11, available online at:

    24 Securities and Exchange Commission, “Commission Statement and Guidance on Public Company Cybersecurity Disclosures”, Nos. 33-10459; 34-
    82746, February 26, 2018, page 11, available online at: .

    25 Moody’s Investors Service, Research Announcement, “Cybersecurity disclosures vary greatly in high-risk industries,” October 3, 2019, available
    online at:–PBC_1196854.


    other foundational questions unanswered, including whether the company is using technology
    and processes to, for example, monitor the cybersecurity posture of critical vendors in a
    meaningful and ongoing way.

    Consider, too, the Form 10-K of an American multinational retail corporation for the fiscal year
    ended January 31, 2020, which contemplates specific ways in which it is exposed to vendor

    “We also utilize third-party service providers for a variety of reasons, including, without
    limitation, for digital storage technology, content delivery to customers and members, back-
    office support, and other functions. Such providers may have access to information we hold
    about our customers, members, associates or vendors.”

    The language of this disclosure is consistent with the SEC’s encouragement that public
    companies acknowledge the “aspects of [their] business and operations that give rise to
    material cyber-risks and the potential costs and consequences of such risks, including
    industry-specific risks and third party supplier and service provider risks”26 (emphasis
    added). It is not unusual for public companies to outsource key business processes to improve
    operational efficiencies. Doing so, however, introduces additional layers of cyber-risk and
    makes vendor monitoring an imperative, especially where vendors have access to or process
    sensitive company data. After all, third-party breaches are one of the most significant cyber
    threat vectors companies face: according to a January 2020 Ponemon Institute survey,
    as reported by Security Boulevard, “[i]n the past two years, 53% of organizations have
    experienced at least one data breach caused by a third party.”27

    In its most recent 10-K, the aforementioned retail corporation at least goes as far as to
    acknowledge that it is vulnerable to third-party cyber-risk—something many other companies
    are reticent to do. Of course, mere acknowledgement of third-party risk, without more
    specificity, is unsatisfactory. Just as the technology company has started to identify the
    technologies it uses to help mitigate certain threat vectors, companies must also identify
    the processes they employ to manage third-party risk, whether it is through independent
    assessment tools to monitor vendors on a continuous basis, or by assessing vendors against
    their peers by sourcing objective ratings. These facts, if disclosed, demonstrate commitment
    to reducing cyber-risk in quantifiable ways and help companies set themselves apart in a bid
    for investor confidence—and in a way that the SEC is coming to expect. Regulator attention to
    third party risk has increased in the aftermath of the 2020 SolarWinds attack, particularly with
    respect to how companies and government entities monitor third-party vendors in their supply
    chain, deploy third-party software, or grant access to critical information systems. It will be
    interesting to see how public company users of the compromised SolarWinds Orion product
    disclose that use and the corresponding cyber risk it has introduced to the company.

    An increasing number of tools are available to help companies evaluate their own and their
    vendors’ cybersecurity posture. For example, SecurityScorecard and other security ratings
    organizations offer cyber-risk ratings on, amongst other metrics, Domain Name System (DNS)
    health, web application security, network security, leaked information, endpoint security, and
    patching cadence.28 To meaningfully assess a company’s cyber-risk profile, investors will need
    to understand if the company is availing itself of best-practice tools. The example disclosures
    cited herein indicate that companies are beginning to address particular technologies they are
    using; others have started noting the materiality of their vendor risk exposure. The next logical
    step is for these evolutions to converge.

    26 Securities and Exchange Commission, “Commission Statement and Guidance on Public Company Cybersecurity Disclosures”, Nos. 33-10459; 34-82746, February 26, 2018, page 15, available online at:

    27 Jingcong Zhao, Security Boulevard, “Automation In Compliance: Why It’s a Business Imperative and Where to Start”, June 23, 2020, available online at:


    The latest National Association of Corporate Directors (NACD) public company governance
    survey (“2019-2020 NACD Survey”) reports that 75% of directors believe they are receiving a
    higher quality of information from management as compared with two years ago.29 Findings
    from the EY Center for Board Matters’ meta-analysis, based on proxy statements and Form
    10-K filings of 76 Fortune 100 companies filed from 2018 through May 31, 2020 (“2020 EY
    Report”), are also encouraging: cybersecurity risk disclosures are exhibiting a slight trend in
    increased transparency.30 The 2020 EY Report revealed that while 100% of the company filings
    reviewed cite cybersecurity as a risk factor, and 99% cite data privacy, it remains rare for
    companies to provide more detailed disclosures:

    • 16% disclosed the use of an external independent advisor to support management;

    • 5% disclosed board engagement with an external independent advisor (an increase of
    one point each year since 2018);

    • 7% “stated that preparedness includes simulations, tabletop exercises, response
    readiness tests or independent assessments” (up from 3% in both 2019 and 2018); and

    • 12% disclosed collaborating with peers, industry groups or policymakers (steady from
    2019, and up from 7% in 2018).31

    According to a January 2020 Gartner press release, by 2025, “40% of boards of directors will
    have a dedicated cybersecurity committee overseen by a qualified board member,” up from
    10% at the time of publishing, partly as a result of the increased risk deriving from a larger
    digital footprint during, and likely following, the COVID-19 pandemic.32

    In 2020, only 17% of the Fortune 100 companies surveyed disclosed management reporting
    cyber-related issues to the board or relevant board committees at a “frequency of at least
    annually or quarterly; remaining companies used terms like ‘regularly’ or ‘periodically’,” even
    while the 2018 SEC Guidance explicitly states that “[c]ompanies should assess whether they
    have sufficient disclosure controls and procedures in place to ensure that relevant information
    about cybersecurity risks and incidents is processed and reported to the appropriate personnel,
    including up the corporate ladder.”33

    28 SecurityScorecard, Security ratings, available online at:

    29 National Association of Corporate Directors (NACD), “2019-2020 NACD Public Company Governance Survey”, available online at: https://corpgov. , at 20.

    30 EY Center for Board Matters, “What companies are disclosing about cybersecurity risk and oversight in 2020”, August 2020, available online at:

    31 EY Center for Board Matters, “What companies are disclosing about cybersecurity risk and oversight in 2020”, August 2020, available online at:

    32 Gartner, press release, “Gartner Predicts 40% of Boards Will Have a Dedicated Cybersecurity Committee by 2025,” January 28, 2020, available online at:–of-boards-will-have-a-dedicated-.

    There is a clear opportunity here to enhance board oversight. First, by ensuring that internal
    reporting structures are in place to help normalize cybersecurity as a board-level issue.
    Second, by regularizing the frequency of such internal reporting and disclosing this cadence
    as part of the company’s cyber-risk disclosures to the SEC. Third, by dispelling the perceived
    friction between business objectives and management of cyber-risks: the 2019-2020 NACD
    Survey reports that 61% of directors “would be willing to compromise on cybersecurity to
    achieve business objectives,” while only 28% “prioritize cybersecurity above all else.”34 A
    balance must be struck between “pursuit of digital innovation, transformation, and ultimately
    corporate growth,” and managing the cybersecurity risks that could impede each of the
    foregoing objectives.35 A November 2020 post published on the influential Harvard Law School
    Forum on Corporate Governance recommends cyber-risk disclosure improvements in, among
    other areas, boardroom capability and boardroom engagement.36

    Additionally, Congress is also considering how to improve corporate cybersecurity governance.
    In the 116th Congress Senator Jack Reed introduced the Cybersecurity Disclosure Act of
    2019, which “would direct the SEC to issue final rules requiring a registered public company to
    disclose in its annual report or annual proxy statement whether any member of its board has
    expertise or experience in cybersecurity.”37

    Finally, in March 2020 the Cyberspace Solarium Commission, established by Congress to
    “develop a consensus on a strategic approach to defending the United States in cyberspace
    against cyber-attacks of significant consequences,” issued a report including multiple
    recommendations to improve the cybersecurity of the nation. The Commission recognized
    that transparency is an important element in improving cyber-risk management. One of its
    recommendations included amending the Sarbanes-Oxley Act of 2002 (15 U.S.C. 7201) to
    “harmonize and clarify cybersecurity oversight and reporting requirements for publicly traded
    companies [],” including by mandating that public companies maintain internal records of
    cybersecurity risk assessments.38

    33 EY Center for Board Matters, “What companies are disclosing about cybersecurity risk and oversight in 2020”, August 2020, available online at:; Securities and Exchange Commission, “Commission Statement and Guidance on Public Company Cybersecurity Disclosures”, Nos. 33-10459; 34-82746, February 26, 2018, pages 18-19, available online at:

    34 National Association of Corporate Directors (NACD), “2019-2020 NACD Public Company Governance Survey”, available online at: https://corpgov. , at 5.

    35 National Association of Corporate Directors (NACD), “2019-2020 NACD Public Company Governance Survey”, available online at: https://corpgov. , at 19.

    36 Paul Ferrillo, Bob Zukis, and Christophe Veltsos, “Next-Generation Cybersecurity Disclosures for Publicly Traded Companies”, November 4, 2020,
    Harvard Law School Forum on Corporate Governance, available online at:

    37 Paul Ferrillo, Bob Zukis, and Christophe Veltsos, “Next-Generation Cybersecurity Disclosures for Publicly Traded Companies”, November 4, 2020,
    Harvard Law School Forum on Corporate Governance, available online at:

    38 United States of America Cyberspace Solarium Commission, “Introduction”, available online at:; the Cyberspace Solarium
    Commission, Final Report, March 2020, available online at:



    To be clear, current disclosure regulations are adequate, but through guidance the SEC
    has demonstrated its expectation for more meaningful cyber-risk information from public
    companies. For example, it would be helpful to investors for companies to disclose “cyber-
    enabled intellectual property theft […] to inform defensive actions at other companies,
    allow the discovery of larger campaigns,” and encourage increased investment in security.39
    Even where theft has not occurred, there are arguments for requiring companies to disclose
    “the number and type of incidents that occurred in the previous year, […] total spending
    on cybersecurity and spending as a percentage of information technology spending.”40 To
    this end, standardizing the definitions of “event,” “incident,” and “data breach,” could be

    Publicly traded companies can balance the need for disclosure against the risk of sharing sensitive
    data in a number of different ways. Most notably, leveraging cyber-risk ratings capable
    of providing “point-in-time” reports will allow companies to fulfill the aim of the 2018 SEC
    Guidance and build investor trust without “publicly disclos[ing] specific, technical information
    about [their] cybersecurity systems, […] in such detail as would make such systems […] more
    susceptible to a cybersecurity incident.”42 Cyber-risk ratings will also provide a valuable metric
    upon which a company and its investors will be able to measure progress with regard to its
    overall cyber health. On January 14, 2021, the U.S. Cybersecurity and Infrastructure Security
    Agency identified security ratings as a component of cyber-risk metrics, characterizing them
    as “a starting point for companies’ cybersecurity capabilities and [a tool to] help elevate cyber-
    risk to board decision making.”43

    Businesses are indeed slowly but unmistakably moving in the direction of increased
    transparency, and as we have seen, are starting to identify their specific mitigation approach
    to cyber-risk and recognize third party vendors as serious threat vectors. This trend must
    continue for investors to begin deriving actionable value from cyber-risk disclosures. Gaining
    investor confidence will depend on companies’ willingness to move beyond identifying
    systemic cyber-risks to articulating which proven strategies and tools they are using to manage
    them. The SEC expects it and investors deserve it.

    39 Robert K. Knake, Council on Foreign Relations Digital and Cyberspace Policy Program, “Expanding Disclosure Policy to Drive Better Cybersecurity”,
    October 16, 2019, available online at:

    40 Robert K. Knake, Council on Foreign Relations Digital and Cyberspace Policy Program, “Expanding Disclosure Policy to Drive Better Cybersecurity”,
    October 16, 2019, available online at:

    41 Robert K. Knake, Council on Foreign Relations Digital and Cyberspace Policy Program, “Expanding Disclosure Policy to Drive Better Cybersecurity”,
    October 16, 2019, available online at:

    42 Securities and Exchange Commission, “Commission Statement and Guidance on Public Company Cybersecurity Disclosures”, Nos. 33-10459; 34-
    82746, February 26, 2018, page 11, available online at: .

    43 B. Kolasky, “A Risk-Based Approach To National Cybersecurity,” January 14, 2021, available online at:

    Cybersecurity and Auditing


    ©McGraw-Hill Education

    Learning Objectives
    Recognize key cybersecurity concepts and terms.
    Recognize the regulatory Landscape for Cybersecurity
    Recognize common cybersecurity frameworks and standards (e.g., NIST, AICPA Trust Services Criteria).
    Introduce SOC reporting


    Defining Cybersecurity
    Monteith, T. Cybersecurity. Black & Veatch Management Consulting
    Cybersecurity is only part of a holistic security risk and resilience effort that is required to protect people, assets, and operations.
    Cybersecurity is the concept of protecting information and technology systems from attacks, damages or unauthorized access.
    Cybersecurity encompasses solutions against all sorts of breaches and hacking, including internal misuse, corporate espionage, ransomware, crypto-mining and denial of service attacks.
    Due Care: Putting reasonable measures in place to protect assets or data.
    Due Diligence: Ensuring that security measures remain sufficient to protect those assets or data.


    OT Security

    IT Security

    Physical Security

    Incident vs. breach
    Incident: A security event that compromises the integrity, confidentiality or availability of an information asset.
    Breach: An incident that results in the confirmed disclosure—not just potential exposure—of data to an unauthorized party

    Cyber and reliability incidents are real, recent, and relevant.  
    Most incidents are preventable with cybersecurity best practices.


    Primary Driver: Cyber threats are increasing across all sectors
    Bluefin 2021

    WXYZ-TV Detroit | Channel 7


    Primary Driver: Cyber threats are increasing across all sectors
    Colonial Pipeline
    Ransom Paid: $2.3 million in Bitcoin
    Pumps in the eastern U.S. screeched to a halt earlier this year after a ransomware attack on a major fuel provider disrupted the petroleum supply chain. Colonial Pipeline, which carries 45% of the East Coast’s supply of petroleum, diesel and jet fuel, was compromised by a hacking organization called DarkSide.
    Facebook, Instagram and LinkedIn via Socialarks
    Records Breached: 214 million
    Tens of millions of Facebook, Instagram and LinkedIn profiles have been exposed by a company you’ve probably never heard of: Socialarks.
    Due to an unsecured database, the quickly growing Chinese social media management company leaked personally identifiable information (PII) of some 214 million social media users, some of whom were major influencers and celebrities.
    Bluefin 2021


    State of Cybersecurity
    The 2021 Verizon Data Breach Incident Report (DBIR)
    Frequency: 1,295 incidents, 84 with confirmed data disclosure
    Threat Actors: External (87%), Internal (17%), Multiple (5%), Partner (1%)
    Actor Motives: Financial (100%) (breaches)
    Data Compromised: Personal (80%), Medical (43%), Bank (9%), Other (7%) (breaches)


    State of Cybersecurity
    The 2021 Verizon Data Breach Incident Report (DBIR)
    North American organizations continue to be the target of financially motivated actors.
    Social Engineering, Hacking and Malware continue to be the favored tools utilized by these actors.

    Social Engineering: Psychological compromise of a person, which alters their behavior into taking an action or breaching confidentiality.
    Frequency: 13,256 incidents, 1,080 with confirmed data disclosure
    Top Patterns: Social Engineering, System Intrusion and Basic Web Application Attacks represent 92% of breaches
    Threat Actors: External (82%), Internal (19%), Multiple (2%), Partner (1%) (breaches)
    Actor Motives: Financial (96%), Espionage (3%), Grudge (2%), Fun (1%) (breaches)
    Data Compromised: Credentials (58%), Personal (34%), Other (27%), Internal (11%) (breaches)


    The Compelling Issues

    Lack of business focus – only IT involved
    Inadequate resourcing and training – viewing incident response as a sunk cost
    Inadequate understanding of the risks – performing a cybersecurity framework risk assessment
    Lack of an incident response plan (IRP) – in small and medium-sized companies

    Auditing for Cybersecurity Risk – The CPA Journal


    The Compelling Issues

    Lack of updating and testing of the IRP – not testing plans on a regular basis

    Lack of third-party support – getting an unbiased view of the problem

    Lack of audit involvement – key component in risk assessment and prevention
    Auditing for Cybersecurity Risk – The CPA Journal


    Regulatory Landscape for Cybersecurity
    Monteith, T. Cybersecurity. Black & Veatch Management Consulting
    ITIL (Network Operations and Services Mgmt.)
    ISO 27001/27002 (IS-MS/InfoSec)
    NIST RMF, 800-53 Controls Framework
    COBIT (Security Operations Services Mgmt.)
    University Programs (Carnegie Mellon)
    Cisco Systems (PPDIOO)
    Network Project Management Industry (Deloitte / Price-Waterhouse / Accenture / SAIC / BoozAllen / BAE / Boeing / KPMG / Microsoft / General Dynamics)


    Monteith, T. Cybersecurity. Black & Veatch Management Consulting
    Regulatory Landscape alignment to Cybersecurity
    Privacy Act 1974 –
    PII Protection, fair use, and systems maintained by the Federal Government. Growing number of states have consumer data protection laws. (ex. Mass 201 CMR 17)
    Sarbanes-Oxley Act (SOX) – Government
    Protection from accounting errors and Corp Fraud. Internal controls, data storage, data transmission, encryption, key mgt, segregation of duties. Aligns with Control Objectives for Information and Technologies (COBIT) for auditing.
    Health Insurance Portability and Accountability Act (HIPAA, 1996) – Government
    Protects Patient Care, Treatments, Payment details, and health care operations. Includes administrative, physical, and technical safeguards. Includes: Access Control, Audit Controls, Data Integrity, Authentication
    Transmission Security, and Encryption for PHI and PII.
    Payment Card Industry (PCI) Data Security Standard (DSS) – Commercial Industry
    A continuous compliance process of Assess, Remediate, Report. PIN Security, Vendor Security, Data Security, Vulnerability Assessment & Mgt Requirements, Data Storage, Data Encryption


    Prevent Your Organization from Being Breached
    How well do you know your IT environment?
    Accurate inventory of devices
    Accurate inventory of software
    Accurate inventory of Internet- facing systems
    What data do the hackers want and where does it live?
    Look at not only structured data, but unstructured as well (e.g., spreadsheets, user reports, downloads from ERP or CRM systems)
    What data lives in your employees’ email accounts?
    & Colorado Society of Certified Public Accountants, 2018


    Prevent Your Organization from Being Breached
    If you have identified critical systems and data, how do you further protect access to it?
    Do you require complex passwords? (e.g. letter&number&symbol)
    Do you require two-factor authentication to critical systems and the network?
    CRM & Colorado Society of Certified Public Accountants, 2018


    Prevent Your Organization from Being Breached
    Are your employees susceptible to being phished?
    Statistics show the answer is likely “yes”.
    Have you tested/trained them?
    What technical controls have you put in place to stop it?
    e.g., Advanced Email Protection
    If phishing succeeds, do you have additional protection methods?
    Advanced endpoint protection complements traditional anti-virus
    Encryption of data
    Whitelisting of allowed applications
    & Colorado Society of Certified Public Accountants, 2018


    Prevent Your Organization from Being Breached
    Does your IT staff concentrate more on security or operations?
    Management often believes that their IT staff focuses on security more than they actively do in reality.
    Reality is that security and IT operations often conflict with each other
    Having an independent security group or security consulting partner helps bridge the gap
    Do you know where you are vulnerable?
    A large number of breaches take advantage of unpatched operating systems and application software.
    e.g., Equifax breach leveraged vulnerability in Apache Struts software toolkit.
    How often does your IT team patch systems and software?
    Have you run vulnerability scans to test the effectiveness of the patching process?
    & Colorado Society of Certified Public Accountants, 2018


    Prevent Your Organization from Being Breached
    Have you simulated an external attack to determine how secure/vulnerable you really are?
    Penetration tests or ethical hacking exercises are valuable because they help identify issues before the bad guys do.
    How prepared are you for a breach?
    It’s not a matter of “IF,” but “WHEN”
    Having a solid incident response plan that is tested may not prevent a breach, but will surely limit the impact
    Practice common scenarios (e.g., phishing, ransomware, business email compromise, etc.)
    Have you adopted and assessed yourself against a standard security framework?
    Allows for continuous improvement
    Set a road map for long-term information security success
    & Colorado Society of Certified Public Accountants, 2018


    Intro to SOC Reporting

    Viator, J.,


    SOC 2 Framework

    Viator, J.,


    Assessing Cybersecurity Risk
    SOC for Cybersecurity Examination
    Assurance engagement performed by an independent CPA firm
    Examined against suitable control criteria
    i.e., SOC 2 Trust Services Criteria
    Results in a Cybersecurity Risk Management Examination Report that consists of:
    Management’s description of the entity’s cybersecurity risk management program
    Management’s assertion
    CPA’s opinion on the effectiveness of the entity’s cybersecurity risk management program
    Report covers a specific time period (6 months)
    & Colorado Society of Certified Public Accountants, 2018


    Assessing Cybersecurity Risk
    Cybersecurity Maturity Assessment
    Evaluate your cybersecurity risk management program against industry best practices
    NIST Cybersecurity Framework
    ISO 27001
    Results in a Cybersecurity Maturity Assessment Report that consists of:
    Completed cybersecurity risk assessment report
    Prioritized list of control gaps with recommended plans of action
    & Colorado Society of Certified Public Accountants, 2018


    Assessing Cybersecurity Risk
    External Footprint Analysis
    Use commonly available open source tools, scanners and databases to obtain a blueprint of the network and its Internet profile
    Black box approach
    Gather data about hosts
    Results in a report that consists of:
    List of identified hosts, including operating systems, applications, domain names, IP ranges
    May discover hosts or applications that management was not aware existed
    & Colorado Society of Certified Public Accountants, 2018


    Assessing Cybersecurity Risk
    Vulnerability Assessment
    Provides a comprehensive view of potential security flaws in an environment
    Check for misconfigurations, unpatched services, open ports and other architectural mistakes
    Results in a report that consists of:
    Summary of identified vulnerabilities
    Vulnerabilities ranked by criticality
    Remediation plans
    & Colorado Society of Certified Public Accountants, 2018


    Assessing Cybersecurity Risk
    Penetration Test
    Builds on the external footprint analysis and vulnerability assessment
    Simulate actions of an internal/external attacker and attempt to exploit vulnerabilities and misconfigurations
    Attempt to use multiple attack vectors
    Expose unpatched systems
    “Phishing for compromise”
    Physical access
    USB flash drive drop
    Results in a report that consists of:
    Summary of vulnerabilities
    Results of exploitation attempts
    Criticality rankings
    Remediation strategies
    & Colorado Society of Certified Public Accountants, 2018


    Assessing Cybersecurity Risk
    Phishing Assessments
    Simulate realistic phishing campaigns
    Results in a report that consists of:
    Summary of customized phishing campaign
    Results about users’ actions, including:
    Percentage of employees who opened the email
    Percentage of employees who clicked on the link/attachment
    Percentage of employees who provided account details
    & Colorado Society of Certified Public Accountants, 2018


    The CPA’s Role in Addressing Cybersecurity Risk
    Cybersecurity Reporting Framework
    Management’s Description of the entity’s cybersecurity risk management program, based on suitable criteria for management to describe its cybersecurity risk management program.
    Management’s Assertion about the presentation of the description and that the controls management implemented are operating effectively to achieve the entity’s cybersecurity objectives.
    The CPA’s Opinion on that description and the effectiveness of the controls to meet the entity’s cybersecurity objectives.
    Center for Audit Quality 2017


    The CPA’s Involvement with Auditing IT Controls

    Center for Audit Quality 2017


    How CPAs Promote Cybersecurity Resilience
    Auditing standards require the auditor to obtain an understanding of how the company uses IT and the impact of IT on the financial statements.
    Auditors consider whether the information, or the manner of its presentation, is materially inconsistent with information appearing in the financial statements or a material misstatement of fact.
    Auditors use a top-down approach to the audit of ICFR to select the controls to test.
    The auditor’s focus is on access and changes to systems and data
    Center for Audit Quality 2017


    Cybersecurity Risk Management Oversight
    Understanding How the Financial Statement Auditor Considers Cybersecurity Risk
    SOX 2002 requires auditors to assess the effectiveness of the company’s ICFR.
    Board members with cybersecurity risk oversight may use this understanding when discussing the roles and responsibilities of the financial statement auditor related to cybersecurity risks.
    Understanding the Role of Management and Responsibilities of the Financial Statement Auditor Related to Cybersecurity Disclosures
    The SEC is focused on ensuring the adequacy of public company disclosures of cybersecurity risks and how those risks are managed.
    Investor groups have also asked company boards to strive for transparency in reporting efforts to prevent and mitigate cyber threats.


    Cybersecurity Risk Management Oversight
    Understanding Management’s Approach to Cybersecurity Risk Management
    Executives and board members are increasing their oversight of management’s development, implementation and monitoring of a comprehensive enterprise-wide cybersecurity risk management program
    How the board of directors engages with management on cybersecurity issues allows investors to assess how a board of directors is discharging its risk oversight responsibility.


    Cybersecurity Risk Management Oversight
    Understanding How CPA Firms Can Assist Boards of Directors in Their Oversight of Cybersecurity Risk Management
    The AICPA recently issued a cybersecurity risk management reporting framework.
    The framework can be used by auditors as part of an attestation service


    Blockchain Technology
    and Its Potential Impact
    on the Audit and
    Assurance Profession


    This paper was prepared by the Chartered Professional Accountants of Canada (CPA Canada)
    and the American Institute of CPAs (AICPA), as non-authoritative guidance.

    CPA Canada and AICPA do not accept any responsibility or liability that might occur directly
    or indirectly as a consequence of the use, application or reliance on this material.

    Copyright © 2017 Deloitte Development LLC.

    All rights reserved. This publication is protected by copyright and written permission is required to reproduce,
    store in a retrieval system or transmit in any form or by any means (electronic, mechanical, photocopying,
    recording, or otherwise).

    For information regarding permission, please contact


    Table of Contents

    Executive Summary 1

    The ABCs of Blockchain 3
    What Is Blockchain Technology? 3
    Characteristics of a Blockchain 4
    What Are the Benefits? 4
    Blockchains Are Not Made Equal 5
    Permissionless Blockchain 5
    Permissioned Blockchain 6
    Evolution of Blockchain: Smart Contracts 6
    Where Can Blockchain Be Applied? 8

    The Potential Impact of Blockchain on the Financial Statement Audit and the Assurance Profession
    Financial Statement Auditing 9
    How Audit and Assurance Might Evolve with Blockchain 10
    Opportunities for Future Roles of the CPA in the Blockchain Ecosystem 11
    Auditor of Smart Contracts and Oracles 11
    Service Auditor of Consortium Blockchains 12
    Administrator Function 12
    Arbitration Function 13

    Conclusion 15
    Call to Action 16
    Other Resources 17
    About the Authors 17
    About Deloitte 17


    Executive Summary

    Blockchain was first introduced as the core technology behind Bitcoin,1 the headline-grabbing
    decentralized digital currency2 ecosystem proposed in 2008. The appeal of blockchain technology
    lies in its use of peer-to-peer network technology3 combined with cryptography.4 This
    combination enables parties who do not know each other to conduct transactions without
    requiring a traditional trusted intermediary such as a bank or payment processing network.
    By eliminating the intermediary and harnessing the power of peer-to-peer networks, blockchain
    technology may provide new opportunities to reduce transaction costs dramatically and
    decrease transaction settlement time. Blockchain has the potential to transform and disrupt a
    multitude of industries, from financial services to the public sector to healthcare. As a result, a
    number of venture capital firms and large enterprises are investing in blockchain technology
    research and trials to re-imagine traditional practices and business models.

    In recent years, blockchain technology has evolved far beyond bitcoin and is now being
    tested in a broad range of business and financial applications. However, blockchain technology
    is still emerging and has not yet been proven at enterprise scale, which is a fundamental
    challenge to blockchain’s transformative potential. In addition, many accounting firms have
    undertaken blockchain initiatives to further understand the implications of this technology. It
    is important for the audit and assurance profession to stay abreast of developments in this
    space, and we encourage Chartered Professional Accountants and Certified Public Accountants
    (collectively, CPA auditors) to learn more about this technology. The focus of this paper
    is to explain blockchain technology and how it could potentially impact the financial statement
    audit, introduce possible new assurance services and new roles for the CPA auditor in
    the blockchain ecosystem.

    1 The term “bitcoin” is used when describing a bitcoin as a unit of account, whereas “Bitcoin” is used when describing the concept or the entire network designed by Satoshi Nakamoto.

    2 Digital currency can be defined as an Internet-based form of currency or medium of exchange (as distinct from physical
    currency such as banknotes and coins) that exhibits properties similar to physical currencies but allows for instantaneous
    transactions and borderless transfers of ownership.

    3 Peer-to-peer computing or networking is based on a distributed application architecture that shares tasks among peers. All
    participants engage equally in the application to form a peer-to-peer network of nodes.

    4 Modern cryptography uses mathematics, computer science and electrical engineering to enable secure communication
    between two parties in the presence of a third party.


    Blockchain technology has the potential to impact all recordkeeping processes, including the way transactions are initiated, processed, authorized, recorded and reported. Changes in business models and business processes may impact back-office activities such as financial reporting and tax preparation. Independent auditors likewise will need to understand this technology as it is implemented at their clients. Both the role and skill sets of CPA auditors may change as new blockchain-based techniques and procedures emerge. For example, methods for obtaining sufficient appropriate audit evidence will need to consider both traditional stand-alone general ledgers as well as blockchain ledgers. Additionally, there is potential for greater standardization and transparency in reporting and accounting, which could enable more efficient data extraction and analysis.

    Blockchain technology could bring new challenges and opportunities to the audit and assurance profession. While traditional audit and assurance services will remain important, a CPA auditor’s approach may change. Just as the audit and assurance profession is evolving today, with audit innovations in automation and data analytics, blockchain technology may also have a significant impact on the way auditors execute their engagements. Moreover, CPAs may need to broaden their skill sets and knowledge to meet the anticipated demands of the business world as blockchain technology is more widely adopted.

    The Chartered Professional Accountants of Canada (CPA Canada), the American Institute of CPAs (AICPA), and the University of Waterloo Centre for Information Integrity and Information System Assurance (UW CISA) all encourage the audit and assurance profession to continue the discussions already begun in regard to the impact of blockchain technology on the profession and auditing standards.


    The ABCs of Blockchain

    What Is Blockchain Technology?
    A blockchain is a digital ledger created to capture transactions conducted among various
    parties in a network. It is a peer-to-peer, Internet-based distributed ledger which includes all
    transactions since its creation. All participants (i.e., individuals or businesses) using the shared
    database are “nodes” connected to the blockchain,5 each maintaining an identical copy of the
    ledger. Every entry into a blockchain is a transaction that represents an exchange of value
    between participants (i.e., a digital asset that represents rights, obligations or ownership). In
    practice, many different types of blockchains are being developed and tested. However, most
    blockchains follow this general framework and approach.

    When one participant wants to send value to another, all the other nodes in the network communicate with each other using a pre-determined mechanism to check that the new transaction is valid. This mechanism is referred to as a consensus algorithm.6 Once a transaction has been accepted by the network, all copies of the ledger are updated with the new information. Multiple transactions are usually combined into a “block” that is added to the ledger. Each block contains information that refers back to previous blocks and thus all blocks in the chain link together in the distributed identical copies. Participating nodes can add new, time-stamped transactions, but participants cannot delete or alter the entries once they have been validated and accepted by the network. If a node modified a previous block, it would not sync with the rest of the network and would be excluded from the blockchain. A properly functioning blockchain is thus immutable despite lacking a central administrator.

    5 The blockchain is managed by a network of nodes. When a node first accesses the database (i.e., the blockchain), it downloads
    its own instance of the entire ledger.

    6 An algorithm is a process or set of rules to be followed in calculations or other problem-solving operations, especially by a
    computer. Consensus involves multiple nodes agreeing on values. A consensus algorithm is used to agree among the nodes.
    In practice, there are different types of consensus algorithms and mechanisms.
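    The block linkage and tamper detection described above, as an added Python example that is not from the paper or from any blockchain project: each block commits to the hash of its predecessor, so a read-only integrity check over a local copy of the ledger flags a block that was altered after the fact, even if the altering node recomputed that block's own hash. The block fields, the SHA-256 choice and the sample transactions are constructed for illustration.

```python
import copy
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed, simplified ledger: each block commits to a batch of transactions
# plus the hash of the block before it, which is what chains the blocks together.

GENESIS_PREV = "0" * 64


@dataclass
class Block:
    index: int
    timestamp: int            # constructed epoch seconds
    transactions: List[dict]
    previous_hash: str
    hash: str = field(default="")

    def compute_hash(self) -> str:
        # Hash everything except the hash field itself. Canonical JSON makes every
        # node derive the same digest from the same content.
        payload = json.dumps(
            {"index": self.index, "timestamp": self.timestamp,
             "transactions": self.transactions, "previous_hash": self.previous_hash},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(batches: List[List[dict]], start_ts: int = 1_500_000_000) -> List[Block]:
    """Append one block per batch of accepted transactions, each linked to its predecessor."""
    chain: List[Block] = []
    prev = GENESIS_PREV
    for i, txs in enumerate(batches):
        blk = Block(index=i, timestamp=start_ts + i * 600, transactions=txs, previous_hash=prev)
        blk.hash = blk.compute_hash()
        chain.append(blk)
        prev = blk.hash
    return chain


def first_invalid_block(chain: List[Block]) -> Optional[int]:
    """Read-only integrity check over a local copy of the ledger.
    Returns the index of the first block whose contents or linkage do not verify,
    or None when the whole chain is consistent."""
    expected_prev = GENESIS_PREV
    for blk in chain:
        if blk.previous_hash != expected_prev:    # link to the predecessor is broken
            return blk.index
        if blk.hash != blk.compute_hash():        # contents changed after hashing
            return blk.index
        expected_prev = blk.hash
    return None


def balances(chain: List[Block]) -> Dict[str, int]:
    """Derive account balances from the full transaction history, as any node that
    holds every transaction since creation can."""
    bal: Dict[str, int] = {}
    for blk in chain:
        for tx in blk.transactions:
            bal[tx["from"]] = bal.get(tx["from"], 0) - tx["amount"]
            bal[tx["to"]] = bal.get(tx["to"], 0) + tx["amount"]
    return bal


def tampered_copy(chain: List[Block], block_index: int, tx_index: int, new_amount: int) -> List[Block]:
    """Simulate a node that alters a transaction in an earlier block and recomputes
    that block's hash. Every later block still commits to the old hash, so the copy
    no longer matches the rest of the network."""
    alt = copy.deepcopy(chain)
    alt[block_index].transactions[tx_index]["amount"] = new_amount
    alt[block_index].hash = alt[block_index].compute_hash()
    return alt


# Constructed sample transactions, three blocks' worth
SAMPLE_BATCHES = [
    [{"from": "mint", "to": "alice", "amount": 50}],
    [{"from": "alice", "to": "bob", "amount": 20}, {"from": "alice", "to": "carol", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 10}],
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_BATCHES)
    print("first invalid block (clean copy):", first_invalid_block(chain))   # None
    print("balances:", balances(chain))
    bad = tampered_copy(chain, block_index=1, tx_index=0, new_amount=40)
    print("first invalid block (tampered copy):", first_invalid_block(bad))  # 2
```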


    Characteristics of a Blockchain
    As a near real-time and distributed digital ledger, a blockchain has several unique and valuable characteristics that, over time, could transform a wide range of industries:

    Near real-time settlement: A blockchain enables the near real-time settlement of transactions, thus reducing risk of non-payment by one party to the transaction.

    Distributed ledger: The peer-to-peer distributed network contains a public history of transactions. A blockchain is distributed, highly available and retains a secure record of proof that the transaction occurred.

    Irreversibility: A blockchain contains a verifiable record of every single transaction ever made on that blockchain. This prevents double spending of the item tracked by the blockchain.

    Censorship resistant: The economic rules built into a blockchain model provide monetary incentives for the independent participants to continue validating new blocks. This means a blockchain continues to grow without an “owner”. It is also costly to censor.

    What Are the Benefits?
    A major advantage of blockchain technology is its distributed nature. In today’s capital markets, the transfer of value between two parties generally requires centralized transaction processors such as banks or credit card networks. These processors reduce counterparty risk for each party by serving as an intermediary but centralize credit risks with themselves. Each of these centralized processors maintains its own separate ledger; the transacting parties rely on these processors to execute transactions accurately and securely. For providing this service, the transaction processors receive a fee. In contrast, a blockchain allows parties to transact directly with each other through a single distributed ledger, thus eliminating one of the needs for centralized transaction processors.

    In addition to being efficient, the blockchain has other unique characteristics that make it a breakthrough innovation. Blockchain is considered reliable because full copies of the blockchain ledger are maintained by all active nodes. Thus, if one node goes offline, the ledger is still readily available to all other participants in the network. A blockchain lacks a single point of failure. In addition, each block in the chain refers to the previous blocks, which prevents deletion or reversing transactions once they are appended to the blockchain. Nodes on a blockchain network can come and go but the network integrity and reliability will remain intact as long as it is being used. In this way, no single party controls a blockchain and no single party can modify it or turn it off.


    Blockchains Are Not Made Equal
    CPA auditors should be aware that blockchain technology is a new form of database and each blockchain implementation may have different characteristics that make it unique. While the technology is emerging, there is a risk that a specific blockchain implementation does not live up to the promise of the technology. In the current ecosystem, there are two major classifications of blockchain networks: permissionless and permissioned. The biggest difference is the determination of which parties are allowed access to the network. A blockchain may be shared publicly with anyone who has access to the Internet (i.e., permissionless or “public” blockchain), or shared with only certain participants (i.e., permissioned or “private” blockchain).

    Permissionless Blockchain
    A permissionless blockchain is open to any potential user. For example, the Bitcoin blockchain
    is a public or permissionless blockchain; anyone can participate as a node in the chain by
    agreeing to relay and validate transactions on the network thereby offering their computer
    processor as a node. Joining the blockchain is as simple as downloading the software and
    bitcoin ledger from the Internet. Because the blockchain maintains a list of every transaction
    ever performed, it reflects the full transaction history and account balances of all parties.

    Figure 1 is an example of a transfer of bitcoin (BTC) from one individual to another. When
    one party sends bitcoin (i.e., buyer sending value) to another party (i.e., seller receiving
    value), the Bitcoin blockchain is updated by the following process, including a process
    referred to as “mining”:7

    FIGURE 1

    An example of a bitcoin transaction which is a public/permissionless blockchain: peer-to-peer payment over the
    Bitcoin network. Note: Permissioned blockchains may have consensus protocols that may be similar to or different
    from Figure 1 because they are dependent on the agreement of the participants.

    7 Mining is the act of adding new transactions to the blockchain by solving algorithmic problems with computing resources.
    Miners or participants in this process are awarded bitcoin for the computational effort they expend in order to support the


    While a permissionless blockchain lives up to the potential of the technology by allowing
    anyone access, it can have limitations that are difficult to remedy. For example, when the
    blockchain is created, transaction volume or size may be set to the best available technology
    at the time. As technology advances, initial settings may become limitations that may make
    the blockchain out of date, potentially slowing transaction speeds. Users of permissionless
    blockchains should also be aware that their transaction history is exposed to anyone who
    downloads the database for as long as the database is active. While it may be difficult for
    an outside party to identify a participant on the blockchain, if a participant is identified, their
    entire transaction history would be public.

    Permissioned Blockchain
    The limitations of permissionless blockchains have led some organizations to explore the
    use of private or permissioned/consortium blockchains, which restrict participation in the
    blockchain network to participants who have already been given permission by agreed-upon
    administrators.8 These blockchains address some of the drawbacks of public blockchains, but
    also sacrifice some of the potential benefits (e.g., decentralized transactions, wide distribution
    of the ledger, and a truly decentralized environment without any intermediaries). Permissioned
    blockchains are likely to be set up by a consortium of parties that can collectively benefit from
    a shared ledger system. For example, a supply chain network may want to use a blockchain to
    track the movement of goods.

    Given the widely acknowledged limitations inherent in public blockchains, private or permissioned/consortium blockchains are expected to have a higher adoption rate in the near term, especially in enterprise environments. However, adoption of public blockchains is also expected to increase in the longer term once the key infrastructure and technical challenges of the new technology have been addressed. The paradigm shift introduced by blockchain (and the level of interest in blockchain-based initiatives) in many ways parallels the development of the Internet in the 1990s. With Internet technology, there was a strong initial emphasis on corporate intranets until a critical mass was reached and the broader public Internet began to offer more benefits to offset the perceived risks of participating in an open network.

    Evolution of Blockchain: Smart Contracts
    A key development in blockchain technology was the introduction of smart contracts. Smart contracts are computer code stored on a blockchain that executes actions under specified circumstances. They enable counterparties to automate tasks usually performed manually through a third-party intermediary. Smart-contract technology can speed up business processes, reduce operational error, and improve cost efficiency.

    8 A consortium is a group of organizations that aims to achieve a common objective.


    For example, two parties could use a smart contract to enter into a common derivative contract to hedge the price of oil at the end of the year. Once the terms of the contract have been agreed to, it is appended to the blockchain and the wagered funds are held in escrow and registered on a blockchain. At year end, the smart contract would read the price of oil by referencing a trusted source defined in the smart contract (known as an “oracle”), calculate the settlement amount, and then transfer funds to the winning party on the blockchain.

    Ethereum9, at the time of publication the second largest blockchain network after Bitcoin (based on market capitalization), was the first platform to introduce the concept of a smart contract that could be deployed and executed on a distributed blockchain network. Ethereum is a public protocol that allows anyone accessing the Ethereum blockchain network to view the terms of each contract unless they are protected by encryption. This may prove problematic for contracts involving sensitive information (e.g., a hedge fund using smart contracts to execute a proprietary investment strategy or to quietly build a position in a particular stock). However, developers are actively building solutions to preserve confidentiality while taking advantage of public blockchains. Even with such perceived limitations, there is significant market interest across industries in smart contract applications because they could transform the processing and settlement of a wide range of contracts, from hedging and futures derivatives to automated payments under lease contracts.

    Smart contracts are a method to automate the contracting process and enable monitoring
    and enforcement of contractual promises with minimal human intervention. Automation can
    improve efficiency, reduce settlement times and operational errors. Because using smart
    contract technology requires the translation of all contractual terms into logic, it may also
    improve contract compliance by reducing ambiguity in certain situations.

    As smart contracts continue to evolve, inherent risks may emerge that need to be mitigated.
    For example, when setting up a smart contract, the parties may decide not to address every
    possible outcome, or they may include some level of flexibility so they do not limit themselves.
    This could lead to smart contracts with vulnerabilities or errors that could lead to unexpected
    business outcomes. Parties may find it difficult to renegotiate the terms of a deal or modify
    terms due to an unforeseen error. Also, incomplete or flexible contracts can lead to settlement
    problems and disputes. Perhaps most importantly, however, at the date of this publication,
    smart contracts have not been tested thoroughly in the court system. Nevertheless, smart
    contracts offer a compelling use case for blockchain adoption.
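    The oil-hedge contract described above and the incomplete-contract risk just discussed, as an added Python model that is not the paper's or any platform's code: a settlement function with escrow and an oracle, a constructed defective variant that omits the collateral bound, and the checks an assurance provider could run against the agreed terms. Party names, strike, quantity and collateral figures are constructed, and the behaviour on a missing oracle value is an assumption about an outcome the terms leave undefined.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Constructed model of the oil-hedge smart contract. Both parties post collateral
# into escrow when the contract is appended to the ledger; at maturity the contract
# reads the oil price from an oracle, works out the settlement and distributes the
# escrow. Names and figures are illustrative and come from no real platform.


@dataclass(frozen=True)
class HedgeTerms:
    long_party: str      # gains if the oil price ends above the strike
    short_party: str     # gains if the oil price ends below the strike
    strike: float        # agreed reference price per barrel
    barrels: int         # notional quantity
    escrow_each: float   # collateral posted by each party


Oracle = Callable[[], Optional[float]]
SettleFn = Callable[[HedgeTerms, Oracle], Dict[str, float]]


def settle(terms: HedgeTerms, oracle: Oracle) -> Dict[str, float]:
    """Distribute the escrow at maturity.
    The long side's gain is (price - strike) * barrels, bounded by the collateral
    each side posted, so nobody can be owed more than the escrow actually holds."""
    price = oracle()
    if price is None:
        # The agreed terms say nothing about a missing oracle value (assumed
        # behaviour): refusing to settle leaves the funds in escrow, which is the
        # settlement dispute the text warns about.
        raise RuntimeError("oracle unavailable: terms do not define this outcome")
    gain_long = (price - terms.strike) * terms.barrels
    gain_long = max(-terms.escrow_each, min(terms.escrow_each, gain_long))
    long_gets = terms.escrow_each + gain_long
    return {terms.long_party: long_gets,
            terms.short_party: 2 * terms.escrow_each - long_gets}


def settle_uncapped(terms: HedgeTerms, oracle: Oracle) -> Dict[str, float]:
    """Constructed defective variant: the same formula without the collateral bound."""
    price = oracle()
    if price is None:
        raise RuntimeError("oracle unavailable: terms do not define this outcome")
    long_gets = terms.escrow_each + (price - terms.strike) * terms.barrels
    return {terms.long_party: long_gets,
            terms.short_party: 2 * terms.escrow_each - long_gets}


def audit_settlement_logic(terms: HedgeTerms, prices: Iterable[float],
                           settle_fn: SettleFn = settle) -> List[str]:
    """Checks an assurance provider could run over the settlement code against the
    agreed terms: the escrow is conserved, no party receives less than zero or more
    than the pool, and the payout direction matches the terms."""
    findings: List[str] = []
    pool = 2 * terms.escrow_each
    for p in prices:
        out = settle_fn(terms, lambda: p)   # fixed-price oracle for this scenario
        if abs(sum(out.values()) - pool) > 1e-9:
            findings.append(f"price {p}: escrow not conserved")
        if any(v < 0 or v > pool for v in out.values()):
            findings.append(f"price {p}: payout outside [0, pool]")
        if p > terms.strike and out[terms.long_party] <= terms.escrow_each:
            findings.append(f"price {p}: long side did not gain on a price rise")
        if p < terms.strike and out[terms.short_party] <= terms.escrow_each:
            findings.append(f"price {p}: short side did not gain on a price fall")
    return findings


# Constructed terms: a refinery hedges 1,000 barrels at 60 per barrel against a
# producer, each side posting 10,000 of collateral.
TERMS = HedgeTerms(long_party="refinery", short_party="producer",
                   strike=60.0, barrels=1000, escrow_each=10_000.0)

if __name__ == "__main__":
    print(settle(TERMS, lambda: 65.0))   # {'refinery': 15000.0, 'producer': 5000.0}
    print(audit_settlement_logic(TERMS, [40.0, 55.0, 60.0, 65.0, 90.0]))            # []
    print(audit_settlement_logic(TERMS, [40.0, 90.0], settle_fn=settle_uncapped))  # 2 findings
```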



    Where Can Blockchain Be Applied?
    Blockchain technology offers the potential to impact a wide range of industries. The most promising applications exist where transferring value or assets between parties is currently cumbersome, expensive and requires one or more centralized organization. A specific activity attracting significant interest is securities settlement, which today can involve multi-day clearing and settlement processes between multiple financial intermediaries. Certain financial services experts believe the financial services industry is on the verge of being disrupted: advances in innovative technologies such as blockchain are expected to transform the industry and its workforce by automating many of the activities currently performed by humans.

    The table below illustrates industries where interest in blockchain technology and its potential
    transformative benefits has been high, as demonstrated by significant investments from both
    venture capital firms and large enterprises.


    Several stock exchanges around the world are piloting a blockchain platform that enables the issuance and transfer of private securities. Additionally, multiple groups of banks are considering use cases for trade finance, cross-border payments, and other banking processes.

    Consumer and industrial: Companies in the consumer and industrial industries are exploring the use of blockchain to digitize and track the origins and history of transactions in various

    Life sciences and healthcare: Healthcare organizations are exploring the use of blockchain to secure the integrity of electronic medical records, medical billing, claims, and other records.

    Public sector: Governments are exploring blockchain to support asset registries such as land and corporate shares.

    Energy and
    Ethereum is being used to establish smart-grid technology that would allow for surplus energy to be used as tradable digital assets among consumers.

    Since all businesses track information and face the challenge of reconciling data with counterparties, blockchain technology has the potential to be relevant to everyone. The first major adoptions, however, may transform business processes and old legacy systems that are cumbersome to maintain.


    The Potential Impact of Blockchain on the Financial Statement Audit and the Assurance Profession

    Financial Statement Auditing
    The public looks to CPA auditors to enhance trust in the audited information of the companies they audit and help a multi-trillion dollar capital markets system function with greater confidence. CPA auditors practice under strict regulations, professional codes of conduct and auditing standards, and are independent of the entities they audit. They apply objectivity and professional skepticism to provide reasonable assurance about whether an entity’s financial statements are free of material misstatement and, depending on the engagement, about whether a company’s internal controls over financial reporting are operating effectively.

    Some publications have hinted that blockchain technology might eliminate the need for a
    financial statement audit by a CPA auditor altogether. If all transactions are captured in an
    immutable blockchain, then what is left for a CPA auditor to audit?

    While verifying the occurrence of a transaction is a building block in a financial statement
    audit, it is just one of the important aspects. An audit involves an assessment that recorded
    transactions are supported by evidence that is relevant, reliable, objective, accurate, and
    verifiable. The acceptance of a transaction into a reliable blockchain may constitute sufficient
    appropriate audit evidence for certain financial statement assertions such as the occurrence
    of the transaction (e.g., that an asset recorded on the blockchain has transferred from a
    seller to a buyer). For example, in a bitcoin transaction for a product, the transfer of bitcoin
    is recorded on the blockchain. However, the auditor may or may not be able to determine
    the product that was delivered by solely evaluating information on the Bitcoin blockchain.


    Therefore, recording a transaction in a blockchain may or may not provide sufficient appropriate audit evidence related to the nature of the transaction. In other words, a transaction recorded in a blockchain may still be:
    • unauthorized, fraudulent or illegal
    • executed between related parties
    • linked to a side agreement that is “off-chain”
    • incorrectly classified in the financial statements.

    Furthermore, many transactions recorded in the financial statements reflect estimated values
    that differ from historical cost. Auditors will still need to consider and perform audit procedures
    on management’s estimates, even if the underlying transactions are recorded in a blockchain.

    Widespread blockchain adoption may enable central locations to obtain audit data, and CPA auditors may develop procedures to obtain audit evidence directly from blockchains. However, even for such transactions, the CPA auditor needs to consider the risk that the information is inaccurate due to error or fraud. This will present new challenges because a blockchain likely would not be controlled by the entity being audited. The CPA auditor will need to extract the data from the blockchain and also consider whether it is reliable. This process may include considering general information technology controls (GITCs) related to the blockchain environment. It also may require the CPA auditor to understand and assess the reliability of the consensus protocol for the specific blockchain. This assessment may need to include consideration of whether the protocol could be manipulated. As more and more organizations explore the use of private or public blockchains, CPA auditors need to be aware of the potential impact this may have on their audits as a new source of information for the financial statements. They will also need to evaluate management’s accounting policies for digital assets and liabilities, which are currently not directly addressed in international financial reporting standards or in U.S. generally accepted accounting principles. They will need to consider how to tailor audit procedures to take advantage of blockchain benefits as well as address incremental risks.

    How Audit and Assurance Might Evolve with Blockchain
    Despite these complexities, blockchain technology offers an opportunity to streamline
    financial reporting and audit processes. Today, account reconciliations, trial balances, journal
    entries, sub-ledger extracts, and supporting spreadsheet files are provided to a CPA auditor
    in a variety of electronic and manual formats. Each audit begins with different information
    and schedules that require a CPA auditor to invest significant time when planning an audit.
    In a blockchain world, the CPA auditor could have near real-time data access via read-only
    nodes on blockchains. This may allow an auditor to obtain information required for the audit
    in a consistent, recurring format.


    As more and more entities and processes migrate to blockchain solutions, accessing information in the blockchain will likely become more efficient. For example, if a significant class of transactions for an industry is recorded in a blockchain, it might be possible for a CPA auditor to develop software to continuously audit organizations using the blockchain. This could eliminate many of the manual data extraction and audit preparation activities that are labour intensive and time consuming for an entity’s management and staff. Speeding up audit preparation activities could help reduce the lag between the transaction and verification dates — one of the major criticisms of financial reporting. Reducing lag time could offer the opportunity to increase the efficiency and effectiveness of financial reporting and auditing by enabling management and auditors to focus on riskier and more complex transactions while conducting routine auditing in near real time.

    With blockchain-enabled digitization, auditors could deploy more automation, analytics and machine-learning capabilities such as automatically alerting relevant parties about unusual transactions on a near real-time basis. Supporting documentation, such as contracts, agreements, purchase orders, and invoices could be encrypted and securely stored or linked to a blockchain. By giving CPA auditors access to unalterable audit evidence, the pace of financial reporting and auditing could be improved.

    While the audit process may become more continuous, auditors will still have to apply
    professional judgment when analyzing accounting estimates and other judgments made by
    management in the preparation of financial statements. In addition, for areas that become
    automated, they will also need to evaluate and test internal controls over the data integrity
    of all sources of relevant financial information.

    Opportunities for Future Roles of the CPA in the Blockchain Ecosystem
    As blockchain systems standardize transaction processing across many industries, a CPA,
    including CPA auditors, may be able to help provide assurance to users of the technology.
    The CPA may be able to fill a potential future role because of their skill sets, independence,
    objectivity, and expertise.

    The following list of potential new roles for a CPA is illustrative only and not all-inclusive;
    significant regulatory and professional hurdles may remain before a CPA is able to take on
    these potential roles.

    Auditor of Smart Contracts and Oracles
    As described above, smart contracts can be embedded in a blockchain to automate business processes. Contracting parties may want to engage an assurance provider to verify that smart contracts are implemented with the correct business logic. In addition, a CPA auditor could verify the interface between smart contracts and external data sources that trigger business events. Without an independent evaluation, users of blockchain technologies face the risk of unidentified errors or vulnerabilities. To take on this new role, a CPA auditor may need a new skill set, including understanding technical programming language and the functions of a blockchain. This type of role also raises important questions for the auditing profession, including:
    • What types of skill sets does the profession need to remain relevant?
    • What factors would impact assurance engagement risk?
    • What would an assurance provider’s ongoing responsibility entail once a smart contract is released into a blockchain?

    In the context of a financial statement audit, management will be responsible for establishing controls to verify whether the smart-contract source code is consistent with the intended business logic. An independent CPA auditing an entity with smart contracts/blockchain is likely to consider management’s controls over the smart contract code. However, many companies may choose to reuse smart contracts built by other entities already active on a blockchain. Future auditing standards and auditing guidance may need to contemplate this technology and thereby bring clarity to the role of the CPA auditor in those scenarios.

    Service Auditor of Consortium Blockchains
    Prior to launching a new application on an existing blockchain platform or leveraging or subscribing to an existing blockchain product, users of the system may desire independent assurance as to the stability and robustness of its architecture. Instead of each participant performing their own due diligence, it may be more efficient to hire a CPA to achieve these objectives. In addition, critical blockchain elements (e.g., cryptographic key management) should be designed to include sophisticated GITCs that provide ongoing protection for sensitive information, as well as processing controls over security, availability, processing integrity, privacy and confidentiality. On an ongoing basis, a trusted and independent third party may be needed to provide assurance as to the effectiveness of controls over a private blockchain. This type of service raises important questions for the profession:
    • When providing assurance across a blockchain, who is the client?
    • How would a CPA auditor assess engagement risk for an autonomous system?
    • How would independence rules apply to users of a blockchain?

    Administrator Function
    Permissioned blockchain solutions may benefit from a trusted, independent and unbiased third party to perform the functions of a central access-granting administrator. This function could be responsible for verification of identity or a further vetting process to be completed by a participant before they are granted access to a blockchain. This central administrator could validate the enforcement and monitoring of the blockchain’s protocols. If this function is performed by a user/node of the blockchain, then an undue advantage could exist and trust among consortium members could be weakened. Since this role would be designed to create trust for the blockchain as a whole, due care will be needed when establishing both its function and its legal responsibilities. As a trusted professional, an independent CPA may be capable of carrying out this responsibility. However, this role would raise new questions for the profession:
    • By taking on such a critical role, is the assurance provider independent from the blockchain participants?
    • Could the CPA auditor conduct financial statement audits on those participants?

    Arbitration Function
    Business arrangements can be complex and result in disputes between even the most well-
    intentioned parties. For a permissioned blockchain, an arbitration function might be needed
    in the future to settle disputes among the consortium-blockchain participants. This function
    is analogous to the executor of an estate, a role typically filled by various qualified profes-
    sionals, including CPA auditors. Participants on the blockchain may require this type of
    function to enforce contract terms where the spirit of the smart contract departs from a
    legal document, contractual agreement or letter. Further considerations should be explored
    to determine whether an arbitration function is necessary. If CPAs want to take on this role,
    critical questions will need to be answered, such as:
    • What legal framework would be used to settle disputes?
    • What skill set would be required for a CPA auditor?
    • Could this role create unintended threats to independence regarding attest clients?



    Conclusion
    There are still many unknowns with respect to how blockchain will impact the audit and
    assurance profession, including the speed with which it will do so. Blockchain is already
    impacting CPA auditors of those organizations using blockchain to record transactions and
    the rate of adoption is expected to continue to increase. However, in the immediate future,
    blockchain technology will not replace financial reporting and financial statement auditing.
    Audited financial statements are a cornerstone of business and play a key role in debt and
    equity financing, participation in capital markets, mergers and acquisitions, regulatory com-
    pliance, and the effective and efficient functioning of capital markets. Financial statements
    reflect management assertions, including estimates, many of which cannot be easily summa-
    rized or calculated in blockchains.

    Furthermore, the process of an independent audit of financial statements enhances the trust
    that is crucial for the effective functioning of the capital markets system. Any erosion of this
    trust may damage an entity’s reputation, stock price and shareholder value, and can result in
    fines, penalties or loss of assets. Users of financial statements expect CPA auditors to perform
    an independent audit of the financial statements using their professional skepticism. CPA audi-
    tors conclude whether they have obtained reasonable assurance that the financial statements
    of an entity, taken as a whole, are free from material misstatement, whether due to fraud or
    error. Blockchains are unlikely to replace these judgments by a financial statement auditor.
    However, CPA auditors need to monitor developments in blockchain technology because it will
    impact their clients’ information technology systems. CPA auditors will need to be conversant
    with the basics of blockchain technology and work with experts to audit the complex technical
    risks associated with blockchains.

    In addition, CPA auditors should be aware of opportunities to leverage their clients’ adop-
    tion of blockchain technology to improve data gathering during the audit. They should also
    consider whether blockchain technology will allow them to create automated audit routines.
    The auditing profession must embrace and “lean in” to the opportunities and challenges from
    widespread blockchain adoption. CPA auditors are encouraged to monitor developments in
    blockchain technology because they have an opportunity to evolve, learn, and capitalize on
    their already proven ability to adapt to the needs of a rapidly changing business world.


    Call to Action
    Blockchain technology is part of the rapid digitization of business processes. CPA Canada
    and the AICPA urge CPAs, including CPA auditors, to continue to monitor developments
    in blockchain technology (see the Other Resources section below for suggestions on addi-
    tional reading). Additionally, CPA Canada and the AICPA encourage auditing and accounting
    standard setters to monitor progress and adoption of blockchain technology in the business
    ecosystem. Questions around audit evidence, internal controls, independence, risk assess-
    ment, cyber security and more are likely to emerge and require new consideration by standard
    setters. Finally, the CPA profession needs to contemplate the skills that will be required in the
    future so CPAs will be able to meet the demands of the market in a business world where
    blockchain technology has been widely adopted. As such, the CPA profession should consider
    additions to the education syllabus for new CPAs and continuing education requirements for
    experienced CPAs. The pace of innovation related to this technology is unrelenting; new digital
    asset classes are being rapidly created to “live” on the blockchain. As critical professional ser-
    vice providers who underpin well-functioning markets, CPAs should lean in, help identify the
    risks associated with this new technology, and find ways to leverage its benefits.

    Other Resources
    CPA Canada Blockchain Publication — Technological Disruption of Capital Markets and
    Reporting? An Introduction to Blockchain
    CPA Canada Magazine — An intro to blockchain technology
    CPA Canada Magazine — Blockchain — Part 2: Under the Hood
    Deloitte Publication — Driving FinTech innovation in financial services
    Deloitte Publication — Blockchain: Enigma, Paradox, Opportunity
    Deloitte University Press — Series of blockchain blog posts
    Deloitte Webpage — Break through with Blockchain: How can financial institutions leverage a
    powerful technology?
    Harvard Business Review — The Truth about Blockchain
    Harvard Business Review — The Blockchain Will Do to the Financial System What the Inter-
    net Did to Media
    World Economic Forum Video — What is Blockchain?
    Ted Talks by Don Tapscott — How the blockchain is changing money and business


    About the Authors
    CPA Canada, the AICPA and the UWCISA would like to express their gratitude to William
    Bible, Jon Raphael, Matthew Riviello and Peter Taylor of Deloitte & Touche LLP, and Iliana
    Oris Valiente, CPA, CA, who authored this publication.

    CPA Canada, the AICPA and UWCISA would also like to express their gratitude to the following
    professionals for their contributions to this publication: Eric Piscini of Deloitte Consulting LLP,
    Mawadda Basir of Deloitte Canada, Malik Datardina of Deloitte Canada, Theo Stratopoulos of
    the University of Waterloo, Canada, and Juli-ann Gorgi, CPA, CA, MAcc of Toronto, Canada.

    About Deloitte
    Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (DTTL), a U.K. private
    company limited by guarantee, its network of member firms, and their related entities. DTTL
    and each of its member firms are legally separate and independent entities. DTTL (also
    referred to as Deloitte Global) does not provide services to clients. In the United States,
    Deloitte refers to one or more of the U.S. member firms of DTTL, their related entities that
    operate using the “Deloitte” name in the United States and their respective affiliates. Cer-
    tain services may not be available to attest clients under the rules and regulations of public
    accounting. Please see to learn more about our global network
    of member firms.

    T. 416 977.3222 F. 416 977.8585

      Blockchain Technology and Its Potential Impact on the Audit and Assurance Profession
      Table of Contents
      Executive Summary
      The ABCs of Blockchain
      What Is Blockchain Technology?
      Characteristics of a Blockchain
      What Are the Benefits?
      Blockchains Are Not Made Equal
      Permissionless Blockchain
      Permissioned Blockchain
      Evolution of Blockchain: Smart Contracts
      Where Can Blockchain Be Applied?
      The Potential Impact of Blockchain on the Financial Statement Audit and the Assurance Profession
      Financial Statement Auditing
      How Audit and Assurance Might Evolve with Blockchain
      Opportunities for Future Roles of the CPA
      in the Blockchain Ecosystem
      Auditor of Smart Contracts and Oracles
      Service Auditor of Consortium Blockchains
      Administrator Function
      Arbitration Function

      Call to Action
      Other Resources
      About the Authors
      About Deloitte

    Blockchain Technology
    A game-changer
    in accounting?


    Blockchain technology has the potential to upend entire
    industries. Especially the financial sector may undergo
    disruptive change. Although this technology caught
    the attention of many of the largest financial institu-
    tions, use cases still remain in the experimental phase.
    This whitepaper lays out the benefits of the blockchain
    technology for specific use-cases in accounting across

    Current state of accounting technology
    Digitalisation of the accounting system is still in its infancy
    compared to other industries, some of which have been
    massively disrupted by advances in technology. Some
    of the reasons may be found in the exceptionally high
    regulatory requirements with respect to validity and integrity.
    The entire accounting system is built such that forgery is
    impossible, or at least very costly. To achieve this it relies
    on mutual control mechanisms, checks and balances.
    This inevitably affects everyday operations. Among
    other things, there is systematic duplication of effort,
    extensive documentation and periodic controls. Most
    of these are manual, labour-intensive tasks, far from
    being automated. To date, that seemed to be the price
    of revealing the truth.

    The recently emerged Blockchain is a trustless,
    distributed ledger that is openly available and has
    negligible costs of use. The use of the Blockchain for
    accounting use-cases is hugely promising. From simpli-
    fying the compliance with regulatory requirements to
    enhancing the prevalent double entry bookkeeping,
    anything is imaginable.

    The giant leap: How the Blockchain may enhance
    today’s accounting practice
    Modern financial accounting is based on a double entry
    system. Double entry bookkeeping revolutionized the
    field of financial accounting during the Renaissance
    period; it solved the problem of managers knowing
    whether they could trust their own books. However, to
    gain the trust of outsiders, independent public auditors
    also verify the company’s financial information.1 Each
    audit is a costly exercise, binding the company’s accoun-
    tants for long time periods.

    1 Stakeholders place their trust in the auditors retained by
    management to vouch for them. An obvious problem of agency
    is created by this arrangement: Do auditors work for the
    managers who hire and pay them or for the public that relies on
    their integrity in order to make decisions?


    Fig. 1 – Blockchain technology enables complete, conclusive verification without a trusted party
    (figure: Company A and Company B each write the transaction into the Blockchain; every transaction
    becomes a Blockchain entry that serves in both companies’ accounting; tax authorities obtain a
    complete, automated audit of all transactions)


    Blockchain technology may represent the next step for
    accounting:2 Instead of keeping separate records based
    on transaction receipts, companies can write their trans-
    actions directly into a joint register, creating an inter-
    locking system of enduring accounting records. Since
    all entries are distributed and cryptographically sealed,
    falsifying or destroying them to conceal activity is practi-
    cally impossible. It is similar to the transaction being
    verified by a notary – only in an electronic way.

    The companies would benefit in many ways: Standardi-
    sation would allow auditors to verify a large portion of
    the most important data behind the financial statements
    automatically. The cost and time necessary to conduct
    an audit would decline considerably. Auditors could
    spend freed up time on areas they can add more value,
    e.g. on very complex transactions or on internal control

    First steps towards Blockchain based accounting
    It is not necessary to start with a joint register for all
    accounting-entries. The Blockchain as a source of trust
    can also be extremely helpful in today’s accounting
    structures. It can be gradually integrated with typical
    accounting procedures: starting from securing the
    integrity of records, to completely traceable audit trails.
    At the end of the road, fully automated audits may be

    At first, let us have a look at the case of keeping
    immutable records. The regulatory requirements for
    record keeping in Germany for example urge the proof
    of immutability over the entire retention period.

    For paper receipts, the risk of unnoticed modification
    is seen as comparably low, because of their physical
    nature. In contrast, electronic files cannot be perceived
    physically and hence are especially vulnerable. As a
    consequence, digitalizing paper records introduces the
    necessity for further preventive measures.

    2 For a more detailed explanation of the concepts also known as
    “triple entry accounting”, also refer to Ian Grigg’s paper “Triple
    Entry Accounting” or Bitcoin Magazine’s article authored by Jason
    M. Tyra.

    The result is a wide range of organisational, technological
    and procedural provisions. All preventive measures
    have to be documented in a conclusive manner for
    third parties. Unsurprisingly, many companies shy away
    from introducing a holistic electronic archiving system,
    although they are aware of the benefits.

    Using the Blockchain makes it possible to prove integrity
    of electronic files easily. One approach is to generate a
    hash string of the file. That hash string represents the
    digital fingerprint of that file. Next, that fingerprint is
    immutably timestamped by writing it into the Blockchain
    via a transaction.

    At any subsequent point in time, one can prove the
    integrity of that file by again generating the fingerprint
    and comparing it with the fingerprint stored in the
    Blockchain. In case the fingerprints are identical, the
    document remained unaltered since first writing the
    hash to the Blockchain.
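    The fingerprint-and-timestamp procedure just described, worked through in Python as an
    added example (this code is not from the Deloitte paper and not from any product it
    describes). The `AnchorLedger` class is a constructed stand-in for writing a hash into the
    Blockchain via a transaction: an append-only record of when each fingerprint was first seen.
    The sample invoice bytes are constructed. The example goes one step beyond the text by adding
    a salted (HMAC-SHA256) fingerprint variant, with the salt kept off-chain by the record keeper:
    a plain hash of a short, predictable document (an invoice with a handful of variable fields)
    lets anyone who can guess the content confirm that guess against the chain, whereas the keyed
    fingerprint reveals nothing without the salt.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple


def fingerprint(data: bytes) -> str:
    """Plain SHA-256 digest of the file bytes: the 'digital fingerprint' of the record."""
    return hashlib.sha256(data).hexdigest()


def committed_fingerprint(data: bytes, salt: bytes) -> str:
    """Keyed fingerprint (HMAC-SHA256 with a random per-document salt).

    The salt stays with the record keeper, off-chain. Without it a third party
    cannot confirm a guess at the document's content by hashing candidate
    documents and searching the chain for the result.
    """
    return hmac.new(salt, data, hashlib.sha256).hexdigest()


class AnchorLedger:
    """Constructed stand-in for the Blockchain: an append-only map from
    fingerprint to the time it was first written. Re-anchoring the same
    fingerprint later cannot move the original timestamp."""

    def __init__(self) -> None:
        self._first_seen = {}

    def anchor(self, fp: str, ts: Optional[float] = None) -> float:
        ts = time.time() if ts is None else ts
        return self._first_seen.setdefault(fp, ts)

    def lookup(self, fp: str) -> Optional[float]:
        return self._first_seen.get(fp)


def verify(ledger: AnchorLedger, data: bytes,
           salt: Optional[bytes] = None) -> Tuple[bool, Optional[float]]:
    """Audit step: recompute the fingerprint and search the ledger for it.

    Returns (unaltered, anchored_at). The record is unaltered since
    anchored_at if and only if the recomputed fingerprint is found.
    """
    fp = committed_fingerprint(data, salt) if salt is not None else fingerprint(data)
    ts = ledger.lookup(fp)
    return (ts is not None, ts)


def demo() -> dict:
    # Constructed sample invoice; not a real document.
    invoice = b"Invoice 2016-0042\nSupplier: Example GmbH\nAmount: EUR 1200.00\n"
    ledger = AnchorLedger()

    # Record keeping: anchor the fingerprint right after creation,
    # before the document leaves the issuer (fixed timestamp for the demo).
    t0 = ledger.anchor(fingerprint(invoice), ts=1_459_468_800.0)  # 2016-04-01 UTC

    # Auditing: the unchanged file verifies; a one-byte change does not.
    ok_same, ts_same = verify(ledger, invoice)
    ok_tampered, _ = verify(ledger, invoice.replace(b"1200", b"1300"))

    # Privacy-preserving variant: only the keyed fingerprint goes on-chain.
    salt = os.urandom(16)
    ledger.anchor(committed_fingerprint(invoice, salt))
    ok_salted, _ = verify(ledger, invoice, salt)
    ok_wrong_salt, _ = verify(ledger, invoice, os.urandom(16))

    return {
        "anchored_at": t0,
        "unaltered": ok_same and ts_same == t0,
        "tampered_detected": not ok_tampered,
        "salted_verifies": ok_salted,
        "wrong_salt_rejected": not ok_wrong_salt,
    }


if __name__ == "__main__":
    print(demo())
```

    In practice the salt would be stored alongside the archived document (it is not secret in the
    cryptographic sense, only withheld from the public chain), and the plain-hash variant remains
    appropriate for documents whose disclosure is not a concern.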

    Fig. 2 – One approach to verify the integrity of records using the Blockchain
    (figure: Record keeping – the hash string of the original record is written into the
    Blockchain; hashing ensures that the original information cannot be seen by a third party.
    Auditing – the hash string of the audited record is searched for in the Blockchain; if the
    search is successful, the record must have remained unaltered)


    Timestamping can be conducted at any point of
    the document’s life cycle and renders any subsequent
    organisational, technological and procedural integrity
    provision obsolete. Preferably, the fingerprint should be
    timestamped right after the creation of the electronic
    document, even before the document is sent from the
    issuer to the recipient. That way one can rule out the
    risk of the document being modified over the entire
    document life-cycle. For archiving the document, usual
    data storage may be used, because the integrity can be
    proven easily.

    To extend this concept, one may represent the life-cycle
    of each accounting incident on the Blockchain, including
    all relevant documents. Entire business processes,
    spanning over multiple departments or companies
    become easily traceable.

    Finally, blockchain technology allows for smart
    contracts, i.e. computer programs that may execute
    under certain conditions. Think of an invoice paying
    for itself after checking that delivered goods have been
    received according to specifications and sufficient funds
    are available on the company’s bank account.

    Blockchain technology has the potential to reshape
    the nature of today’s accounting. It may constitute a way
    to vastly automate accounting processes in compliance
    with the regulatory requirements. As described above,
    there are numerous starting points to leverage blockchain
    technology. A cascade of new applications will likely
    follow that are built on top of each other, leading the way for
    new, unprecedented services.

    Your contact

    Nicolai Andersen
    Partner, Leader Innovation
    Deloitte Deutschland
    Tel: +49 (0)40 32080 4837

    For more information please visit our website


    © 2016 Deloitte & Touche GmbH Wirtschaftsprüfungsgesellschaft

    Issued 3/2016

    Blockchain and the
    future of accountancy




    About the ICAEW IT Faculty

    ICAEW’s IT Faculty provides products and services to help its members make the best
    possible use of IT.

    It represents chartered accountants’ IT-related interests and expertise, contributes to IT-
    related public affairs and helps those in business to keep up to date with IT issues and
    developments. The faculty also works to further the study of the application of IT to business
    and accountancy, including the development of thought leadership and research. As an
    independent body, the IT Faculty is able to take a truly objective view and get past the hype
    surrounding IT, leading and shaping debate, challenging common assumptions and clarifying
    arguments. For more information about the IT Faculty please visit

    Copyright © ICAEW 201



    ISBN 978-1-78363-933-5



    Blockchain is fundamentally an accounting technology. In this paper, we
    describe the technology and its likely impact on business, and in particular
    on the accounting profession.

    Blockchain has the potential to increase the efficiency of the process of accounting for
    transactions and assets, operating as a system of universal entry bookkeeping. This would
    create certainty over rights and obligations and provenance, which in turn would empower
    the accountancy profession to expand its scope to record more types of activity than before,
    and to drill down closer to the economic reality underpinning the transactions recorded.

    The key features of blockchain are that:

    • new transactions originate with one user but propagate to a network of identical
    ledgers, without a central controller;

    • all transactions and records are permanent, unable to be tampered with or
    removed; and

    • many blockchains are programmable, allowing for automation of new transactions
    and controls via ‘smart contracts’.

    In this paper, we explain how the technology differs from the familiar, and how these features
    drive the potential applications of blockchain.

    While there are undoubtedly some technological and legal challenges to solve before
    blockchain can be fully bedded into the financial recordkeeping systems of the world, the
    accountancy profession’s unique combination of technical and business knowledge makes
    it particularly well-suited to helping design the environment and solutions that blockchain
    will rely on. Blockchain is a combination of an economically-incentivised business model and
    clever supporting technology; by working with blockchain specialists, accountants can help to
    form the standards that will drive blockchain forward.

    While some detail on the operation of blockchain is included, this paper is intended to be
    suitable for any reader in the financial and business sector with an interest in technology.
    Glossaries of specialist terms are provided throughout, and for the curious, a brief technical
    explanation is provided in the appendix.

    Executive summary


    Blockchain is a foundational change in how financial records are created, kept, and updated.
    Rather than having one single owner, blockchain records are distributed among all their
    users. The genius of the blockchain approach is in using a complex system of consensus and
    verification to ensure that, even with no central owner and with time lags between all the
    users, a single, agreed-upon version of the truth nevertheless propagates to all users as part
    of a permanent record. This creates a kind of ‘universal entry bookkeeping’, where a single
    entry is shared identically and permanently with every participant.


    Blockchain is unusual for a hyped tech trend in that it is a back-office solution to how to
    transfer ownership of assets and record data online – in other words, it is a platform for
    accounting and business to be done on, rather than a novel application or business model.
    The technical details of how blockchain works and what makes it proof against attack and
    theft are outside of the scope of this paper; however, a brief overview is provided after the
    main text.

    We have summarised what we believe to be the most important facets of blockchain
    technology into the ‘Three Ps’ – three key terms that explain what makes blockchain different
    from the more familiar ledgers of today, which are databases owned and run by a single party.
    The key features are as follows.

    Propagation: There are many copies of a blockchain ledger, and no ‘master’
    copy. All participants have access to a full copy of the ledger and all copies
    are identical and equivalent. No one party has control of the ledger. New
    transactions can be posted quickly and will propagate to all participants’ copies.

    Permanence: With each user having their own copy of the ledger, truth is
    determined by consensus. Past transactions cannot be edited without the
    consent of the majority, meaning that blockchain records are permanent. The
    entire ledger is stored by each participant and can be inspected and verified.


    Programmability: Some blockchains allow for program code to be stored on
    them, as well as ledger entries – creating automatic journal entries that execute
    automatically when triggered. These are the so-called ‘smart contracts’.

    Whether blockchain is applicable in any particular business or sector will depend on if these
    qualities are desirable alternatives to present methods. Good blockchain applications centre
    on the cost and timing advantages of removing central parties from the system, and the
    increased security and certainty from having a system of consensus.

    Blockchain is not a single technology, but rather a protocol – a way of doing things – for
    recording transactions. Unlike the internet, in which data is shared, in a blockchain ownership
    can be transferred from one party to another. Blockchain is a desirable model for several
    reasons. For example, in a market with many transacting parties, it could remove the need
    to reconcile disparate ledgers. Being distributed between all users also eliminates outages
    and removes the cost of having to pay a central authority to maintain the accuracy of the
    ledger. Any participant in the ledger can trace all previous transactions, allowing for increased
    transparency and the blockchain to ‘self-audit’.


    • A distributed ledger system is any system that spreads the ownership of a ledger across
    multiple parties, each with their own copy, instead of being held

    • Blockchain is the most successful and common implementation of a distributed ledger
    system. Note that there are several meanings of the term
      – The lower-case term ‘blockchain’ is the generic name for the protocol – the agreed rules
      of how to transact – used to implement a distributed ledger in one particular
      – ‘A blockchain’ is a specific distributed ledger run in this way.
      – Confusingly, the blockchain that runs bitcoin (see below) is simply called ‘the
      blockchain’, as it is the
      – There is also a bitcoin services company that is called Blockchain.
    The term in this paper refers only to the first two

    • Bitcoin is an online ‘cryptocurrency’ – a sort of digital cash – that uses blockchain
    technology to operate. Blockchain was first invented for bitcoin.


    The first two of the three key features – propagation and permanence – are intrinsic to
    blockchain and not optional; any potential application must desire (or at least be neutral to)
    these key qualities. For example, a permanent record makes some activities unsuitable for
    blockchain solutions, such as those involving the storage of unencrypted personal data. With
    each participant having access to the full ledger, other applications might be constrained if a
    concern over opening up commercially sensitive data exists. While data on a blockchain could
    be encrypted, a copy of that encrypted data would still be available to all participants.

    Some other constraints of blockchain, which are discussed later in this paper, could be
    reduced or overcome with focused development, but these qualities are fundamental parts of
    how blockchain is built. Distributed ledger systems beyond blockchain might forgo or reduce
    these qualities, but this must be for a trade-off in security or other qualities.


    Conceptually, blockchain is a move from a point where the trustworthiness of a ledger
    derives from the central controller that maintains it, to one where it is derived from trust in
    the system that drives the recordkeeping. Furthermore, the potential for self-executing smart
    contracts allows for a programmable ledger that could fundamentally alter how all contracts
    operate. Assuming that all the technological barriers could be overcome, blockchain has
    huge potential.

    If we consider just the capabilities of blockchains without smart contract functionality, a full
    implementation could lead to disintermediation of a large part of the financial system. Private
    blockchains between groups that often transact with one another could replace central
    authorities such as banks, clearing-houses and lawyers. With the ability to directly interact, and
    with only one ledger that never requires reconciliation, businesses could save on both the
    costs of paying the ledger owner, as well as efforts spent reconciling with their counterparties.
    Removing uncertainty benefits the economy by streamlining it, facilitating greater confidence
    in decisions.

    What’s more, where appropriate a tax authority, regulator, or similar oversight body could be
    granted view-only access to such a blockchain, and would be able to observe and monitor
    transactions in real time. This kind of insight could lead to a reduction in costs and increases in
    the efficiency of regulatory and compliance activities. The permanent record of a blockchain
    reduces the chances for financial crime, thus making records more trustworthy.


    Blockchain is an accounting technology. It is concerned with the transfer of ownership
    of assets, and maintaining a ledger of accurate financial information. The accounting
    profession is broadly concerned with the measurement and communication of
    financial information, and the analysis of said information. Much of the profession is
    concerned with ascertaining or measuring rights and obligations over property, or
    planning how to best allocate financial resources. For accountants, using blockchain
    provides clarity over ownership of assets and existence of obligations, and could
    dramatically improve efficiency.

    Blockchain has the potential to enhance the accounting profession by reducing the
    costs of maintaining and reconciling ledgers, and providing absolute certainty over
    the ownership and history of assets.

    • The name blockchain is inherently descriptive of how the technology works – new
    transactions are gathered together into a block and added to a chain of all previous
    transactions, by a cryptographic process that is complex to perform, but which makes it
    easy to confirm that the history of all transactions is genuine.

    • A hash is a sort of digital signature or summary of a block that is used to authenticate
    it and its place in the chain.

    • Blockchain works through a process of consensus – all nodes will be able to identify the
    longest and most up-to-date ledger and agree on what it is.
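    A minimal hash-linked chain that makes the three glossary points concrete, added here as an
    example (this is not code from ICAEW nor from any real blockchain implementation). Each
    block’s hash commits to its own transactions and to the previous block’s hash, so editing an
    old block, even with its own hash recomputed, breaks the link from the next block and the
    whole history fails verification. `choose_chain` implements a simplified ‘longest valid
    chain’ rule as an assumption for illustration; bitcoin actually selects by accumulated proof
    of work, which is omitted here. The transaction strings are constructed sample data.

```python
import hashlib
import json
from typing import List, Optional

GENESIS_PREV = "0" * 64  # the first block links to an all-zero hash


def block_hash(index: int, prev_hash: str, transactions: List[str]) -> str:
    """Hash of the block's index, its link to the previous block and its
    transactions. Because prev_hash is part of the input, every block hash
    commits to the entire history before it."""
    payload = json.dumps(
        {"index": index, "prev": prev_hash, "tx": transactions},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def make_block(prev_hash: str, index: int, transactions: List[str]) -> dict:
    return {
        "index": index,
        "prev_hash": prev_hash,
        "tx": list(transactions),
        "hash": block_hash(index, prev_hash, transactions),
    }


def append_block(chain: List[dict], transactions: List[str]) -> List[dict]:
    """Gather transactions into a new block and link it to the chain tip."""
    prev = chain[-1]["hash"] if chain else GENESIS_PREV
    chain.append(make_block(prev, len(chain), transactions))
    return chain


def first_invalid_block(chain: List[dict]) -> Optional[int]:
    """Verify the history: return the index of the first block whose index,
    link or hash is wrong, or None when the whole chain is genuine."""
    expected_prev = GENESIS_PREV
    for i, b in enumerate(chain):
        if b["index"] != i or b["prev_hash"] != expected_prev:
            return i
        if block_hash(i, b["prev_hash"], b["tx"]) != b["hash"]:
            return i
        expected_prev = b["hash"]
    return None


def choose_chain(candidates: List[List[dict]]) -> List[dict]:
    """Simplified consensus rule (assumption for this example): among the
    candidate ledgers that verify, pick the longest one."""
    valid = [c for c in candidates if first_invalid_block(c) is None]
    return max(valid, key=len) if valid else []


def demo() -> dict:
    # Constructed sample transactions.
    chain: List[dict] = []
    append_block(chain, ["A pays B 10"])
    append_block(chain, ["B pays C 4"])
    append_block(chain, ["C pays A 1"])
    honest_ok = first_invalid_block(chain) is None

    # Tamper with history: rewrite block 1 and recompute ITS hash only.
    # Block 2 still carries the old hash of block 1, so the chain breaks there.
    tampered = [dict(b) for b in chain]
    tampered[1] = make_block(tampered[1]["prev_hash"], 1, ["B pays C 40"])
    broken_at = first_invalid_block(tampered)

    # Nodes holding a shorter honest copy, the full honest copy and the
    # tampered copy agree on the longest valid ledger.
    chosen = choose_chain([chain[:2], chain, tampered])

    return {
        "honest_valid": honest_ok,
        "tamper_detected_at": broken_at,
        "chosen_length": len(chosen),
    }


if __name__ == "__main__":
    print(demo())
```

    The detection is what the glossary calls ‘easy to confirm’: verifying a chain is one hash per
    block, while rewriting history would require recomputing every later block and then winning
    the consensus rule against the honest copies.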



    Blockchain could help accountants gain clarity over the available resources and
    obligations of their organisations, and also free up resources to concentrate on
    planning and valuation, rather than recordkeeping.

    Alongside other automation trends such as machine learning, blockchain will lead to
    more and more transactional-level accounting being done – but not by accountants.
    Instead, successful accountants will be those that work on assessing the real economic
    interpretation of blockchain records, marrying the record to economic reality and
    valuation. For example, blockchain might make the existence of a debtor certain,
    but its recoverable value and economic worth are still debateable. And an asset’s
    ownership might be verifiable by blockchain records, but its condition, location and
    true worth will still need to be assured.

    By eliminating reconciliations and providing certainty over transaction history,
    blockchain could also allow for increases in the scope of accounting, bringing more
    areas into consideration that are presently deemed too difficult or unreliable to
    measure, such as the value of the data that a company holds.

    Blockchain is a replacement for bookkeeping and reconciliation work. This could
    threaten the work of accountants in those areas, while adding strength to those
    focused on providing value elsewhere. For example, in due diligence in mergers and
    acquisitions, distributed consensus over key figures allows more time to be spent on
    judgemental areas and advice, and an overall faster process.

    Blockchains also allow for a greater degree of transparency than traditional ledgers. This is
    appealing in cases where corruption or misappropriation of assets are at risk. For example,
    aid spending could be provided in a blockchain-based asset; from there the end recipient of
    the funding could be readily identified.

    Presently, transactions between companies lead to a sort of ‘quadruple entry bookkeeping’,
    where each company does their own double-entry, and in theory the two sets of entries are
    equal in value. This model could be substantially altered by blockchain. By lowering the walls
    around each company’s internal accounting and making entries directly on the blockchain,
    the bookkeeping allows for the transaction to be recorded faithfully, verifiably and identically
    by each party. This might start as something for intra-group trading, but with time could grow
    to cross multiple entities, creating a kind of ‘universal entry bookkeeping’.

    Fundamentally, any kind of asset ledger will have to be designed around the limitations of
    privacy that a blockchain creates. While the data in each transaction can be encrypted, if
    the provenance or ownership of assets is at stake, then prior transactions must be public to
    verify this. Finding a way to balance the competing priorities of decentralisation, privacy, and
    security is a current area of research among blockchain specialists.

    There are more areas still which blockchain could affect. When coupled to a robust digital ID
    system, an identity blockchain could store credentials for individuals, simplifying ‘Know Your
    Client’ and other identity processes by allowing organisations to share identification work.
    Similarly, a database of intellectual property rights could be distributed to simplify the process
    of identifying IP owners, requesting and paying for rights.



    Blockchain applications divide into several categories depending on the element of the
    technology that they are most focused on. Some applications are built around the automatic
    synchronicity of the ledger and the ability to simplify the reconciliation processes around
    these activities while also gaining additional transactional certainty. Others are more
    interested in the ability to remove middleman institutions from the system, reducing cost
    and bias while opening up access to more participants. And still others are interested in
    using blockchain as a platform to host smart contracts, automating and adding certainty to
    contractual arrangements and transactions.

    A few case studies are illustrative in understanding how blockchain could form a part of a
    range of implementations.


    Bitcoin is an online cash currency, which was created by an unknown person or persons
    under the pseudonym Satoshi Nakamoto. Posting their seminal white paper in late 2008
    and launching the initial code in early 2009, Nakamoto created bitcoin to be a form of
    electronic cash that could be sent peer-to-peer without the need for a central bank or
    other authority to operate and maintain the ledger, much as how physical cash is used.
    While it wasn’t the first online currency to be proposed, the bitcoin proposal solved several
    problems in the field and has been by far the most successful version, now accounting for a
    market capitalisation of around US$69bn in issued bitcoins, according to figures taken from in September 2017.

    The engine that runs the bitcoin ledger was named blockchain, a name which is now used
    to refer to all similar distributed ledger technologies. The original and largest blockchain
    is the one that still orchestrates bitcoin transactions today. Others run the several hundred
    ‘altcoins’ – other similar currency projects with different rules – as well as truly different
    applications such as Ethereum or Ripple. The system has several features that have caught
    the attention of investors and disruptors across the financial services systems and it is
    thought that blockchain, the underlying technology, has the potential to be a disruptive
    technology and perhaps grow to be a bedrock of the worldwide recordkeeping systems.

    Bitcoin works by paying miners – those that do the computational legwork of posting new
    transactions – with newly-minted bitcoins. As long as the currency is desirable, it is self-
    sustaining. The system also automatically adjusts the difficulty of posting transactions and
    the reward for doing so in order to control inflation.

    Blockchain leverages economic incentives originally designed for bitcoin. Only adding
    to the longest existing chain is rewarded, so that miners are incentivised to take on new
    transactions rather than forking off into differing subgroups. But standardisation is a
    challenge, as new updates to the bitcoin client are effective only when an overwhelming
    majority of participants agree to install them.

    Bitcoin is attractive to users for several reasons:

    • payer-borne transaction costs are low;

    • the valuation of the currency has generally been growing strongly since its creation; and

    • the system is much less restricted than traditional banking.

    Blockchain case studies

    • A node is a computer that is participating in a blockchain, by posting transactions and
    maintaining a copy of the ledger. Nodes may or may not be miners.

    • A miner is a particular node that not only participates in the blockchain, but helps to
    keep it operating by running computations that allow new transactions to be verified and
    posted.

    – In bitcoin, miners are rewarded automatically with a transaction fee and with some
    newly-minted bitcoins. This is a very computation-intensive – and lucrative – business.

    – Other systems have been proposed for computing and maintaining new transactions that
    are more sustainable, cheaper, and more efficient, but none of them has yet risen to



    Bitcoin has no ‘Know Your Client’ or identity requirements – anyone with a working internet
    connection can join and start receiving and sending bitcoins. While this does make the system
    cheap and easy to access, it has also made it attractive to criminals in much the same way as
    paper cash, with the Silk Road ‘dark net’ black market site having mostly used bitcoin before
    being shut down by the FBI in October 2013.

    As an internet-based currency, bitcoin also observes no international borders, meaning that
    transfer between territories is no different from any other payment. There are other blockchain
    projects that are looking to capitalise on this for international payments applications in central
    bank issued fiat currencies, such as Ripple.


    Blockchains are designed to be useful in systems that require reconciliation between parties.
    Many of the major players in banking are backing the R3 consortium, which is researching the
    use of a blockchain-like distributed ledger for interbank reconciliations and other financial
    applications. Currently, millions per year are spent reconciling ledgers between banks;
    however, if a distributed ledger solution could be created that is able to handle the volume of
    transactions between the banks, then this could be greatly reduced.

    This kind of application would be a private ledger – one where only invited parties can view
    the records or participate in creating new entries. However, it would allow for interbank
    transactions to form a single, authoritative record that all parties could verify. This could
    reduce the considerable efforts currently spent reconciling books with counterparties, and
    allow for a more efficient banking system.

    A solution of this kind is not feasible with the present implementations of blockchain, either
    in volume or in speed, and indeed the R3 project has now morphed into other distributed
    ledger applications for the financial sector. However, assuming that these significant
    challenges could be overcome, this is potentially a very impactful area of application for
    blockchain. Others are looking at supply chain integration for similar reasons.


    Blockchain has applications in external audit. Performing confirmations of a
    company’s financial status would be less necessary if some or all of the transactions
    that underlie that status are visible on blockchains. This proposal would mean a
    profound change in the way that audits work.

    A blockchain solution, when combined with appropriate data analytics, could help
    with the transactional level assertions involved in an audit, and the auditor’s skills
    would be better spent considering higher-level questions.

    For example, auditing is not just checking the detail of whom a transaction was
    between and the monetary amount, but also how it is recorded and classified. If a
    transaction credits cash, is this outflow due to cost of sales or expenses, or is it paying
    a creditor, or creating an asset?

    These judgemental elements often require context that is not available to the general
    public, but instead require knowledge of the business, and with blockchain in place,
    the auditor will have more time to focus on these questions.




    Perhaps the clearest case for where blockchain could be advantageous is provenance and
    transfer of ownership of assets, and land registry is a particularly good case. There have been
    several pilot studies and proofs-of-concept made, but none have reached full operational
    maturity as of yet. One proof-of-concept in this field was for land registry in Honduras, which
    has no current public land ownership registry and experiences difficulties with corruption and
    misappropriation; other projects have been proposed or developed in Georgia and Sweden,
    but none have yet reached large-scale testing. Creating a clear and permanent record of
    ownership and transfers of ownership would help create additional liquidity in the economy
    by increasing security, and fight corruption by distributing the maintenance of records to all
    parties rather than just to some.

    As a public register, the open visibility of the blockchain is not an obstruction for land registry.
    It is acceptable for participants to see who owns, sells, and divides land; furthermore, the
    verifiability aspect can help to add transparency where needed.

    A land registry blockchain would have to start by tokenising the land assets in question –
    that is, creating a representation of each section of land as a legally-equivalent digital asset,
    stored on the blockchain. This would be followed by making sure that the present owners
    had the ownership of the appropriate tokens assigned to them. This is no small undertaking
    as existing systems are already very complex, and there is a need to be flexible in future
    if existing land deeds are altered or split. What’s more, if corruption in state officials is a
    concern, then getting approval from those same officials for a project that would reduce that
    corruption is challenging – and indeed this is what stalled the Honduras pilot scheme.

    There is a larger lesson for blockchain in this example – bitcoin works because it is a wholly
    online system, with all participants agreeing to the ownership and provenance records of
    bitcoin due to how blockchain works. But many other areas are more complex – ownership
    still needs to be registered, but also be tied to the real world. This causes problems in both
    directions: the register must reliably reflect real-world existence and condition of assets, and
    there must also be legal mechanisms for enforcing ownership rights when blockchain records
    indicate these are held, even against parties who are not part of the blockchain, or do not
    recognise it as legitimate.

    Assuming that these challenges could be overcome, then a land registry blockchain could
    thereafter record sales of land (or other similar transactions), creating a verifiable and
    permanent record. Furthermore, the distributed nature of the ledger would mean that neither
    downtime nor server failure would ever affect the availability of the service. While the costs of
    transacting on a blockchain can be relatively high, for a low-volume, high-value channel such
    as purchases and sales of land, they would likely be competitive.


    There are already many examples of automated contracts in place in the present-day financial
    system – from the mechanical simplicity of a vending machine, to a bank-operated standing
    order or direct debit. The idea of a smart contract is to allow for all kinds of transactions to be
    made automatically and simply, in the same way as a vending machine purchase – and without
    the need to rely on (or pay) a central party to adjudicate the operation of the contract terms.

    Some blockchains, such as Ethereum, can also contain executable computer code on them.

    • A smart contract is code that is set to add certain transactions automatically upon certain
    trigger events taking place; it works something like a self-operating escrow account. The
    code that makes up the smart contract is examinable, so that the parties can confirm how it
    will operate ahead of time.

    Distributed Ledger Technology – beyond the block chain. Government Office for Science.
    Available at [accessed 19 September

    An excellent introduction to the potential government applications of distributed ledger
    systems such as

    Blockchain technology offers opportunities in this arena, because smart contract code can
    be written directly onto a blockchain and is examinable by the contracting parties ahead of
    time, just like a traditional legal contract. If it is agreed to, then the smart contract – armed
    with appropriate rights – will automatically execute its own terms. This could mean releasing
    a payment following a certain trigger, running a software escrow account, making an
    investment, or anything else.

    Other than disintermediation, one potential advantage of smart contracts over traditional law
    is that they reduce counterparty risk. With a traditional legal contract, the courts act as a cure
    to breach – if the contract is broken, they can enforce the terms after the fact. However, smart
    contracts can be preventative – they operate on the stated terms regardless, which binds its
    parties without the ability to choose to default. What’s more, smart contracts are unambiguous
    – the contract will carry out the one and only meaning of its code.

    To reach this world of smart contracts, there are some challenges that must first be resolved.
    While the process of executing a smart contract might be disintermediated, there may
    still be a need for a trusted professional – in this case, a programmer to create the smart
    contract. If institutional trust (and cost) moves from the lawyers drawing up the contract to the
    programmers encoding it, there is no real advantage to be gained.

    There are some projects out there, such as Legalese, which are seeking to build a computer
    language for legal contracts that can easily be translated into natural language. However,
    we are currently a fair way away from this reality. Courts would have to recognise that the
    operations of smart contracts are legitimate ways to transfer ownership and value between
    parties, and that the terms of smart contracts are enforceable in case a breach somehow
    does occur. What’s more, an answer would have to be found to the question: What redress is
    available if the smart contract is exploited in a way not expected by one of the parties? Could
    intent override the letter of the code?

    This last issue is not theoretical – when the DAO (a smart contract-driven investment vehicle
    created for the Ethereum blockchain) had much of its funding hijacked through a loophole
    in a poorly-written smart contract, there was a fierce debate over how to resolve the issue
    that eventually led to a fork, with most participants agreeing to roll back the loss of funds.
    But some kept the status quo and became a separate blockchain, which now exists under
    the name Ethereum Classic. This rollback was only possible because more than half of the
    participants agreed to implement it.

    Smart Contract Templates: foundations, design landscape and research. Christopher D. Clack,
    Vikram A. Bakshi, Lee Braine. Available at [accessed 19 September

    Highly technical paper, but gives good coverage of possible directions for integrating smart
    contracts with legal


    There are some key guidelines for assessing whether a particular project should use
    blockchain. Virtually any activity that would otherwise run on a database could be on a
    blockchain platform, but whether this is actually beneficial will depend on the circumstances.
    Many proposed blockchain applications could use a shared traditional database hosted by a
    trusted central party and would provide nearly identical results.

    A problem where blockchain might be an appropriate solution is one that has:

    • a number of participants who don’t have institutional trust in one another;

    • a desire to work without an intermediary (either because of cost or because one isn’t
    available); and

    • a need for a complete definitive log of transactions.

    With present technology, there are some barriers to blockchain becoming a central element
    of the financial system. Taking bitcoin, as the most developed and widespread example, here
    are some key statistics, based on calculations and information taken from in
    September 2017.

    1. The fee per transaction posted has historically averaged US$5 to US$8 (currently
    over US$40 due to the strong BTC); most of this cost is met with new bitcoins and
    not passed on to those transacting.

    2. Latency – the time between a transaction being initiated and officially recorded –
    averages at four to five minutes but can be considerably more in times of peak demand.

    3. The maximum capacity for transactions is around seven transactions per second
    for the smallest possible transactions, or around three transactions per second for
    the average actual transaction size (compared to thousands or tens of thousands of
    transactions per second for Visa).

    These qualities derive from the way that bitcoin is designed and how blockchain works.
    Much of the work involved in Nakamoto’s design of blockchain was in setting up economic
    incentives to make the system self-sustaining without a central manager or organisation to run
    it. The design of the system requires enormous computing power to verify the transactions
    made: in total several hundred times the world’s top supercomputers’ power across the
    network. For the moment, that means that the system relies on minting new bitcoins as the
    primary way of rewarding those that contribute computing resources to the network, and can
    handle only so much throughput.

    Additionally, blockchain requires each participant to be furnished with a full copy of the
    ledger to operate. If the ledger is commercially sensitive, this would require the data to
    be encrypted. Furthermore, for a large or active ledger, there could be a barrier for new
    participants, who would need to download very large historic data files before being able to
    join in.

    While these statistics for bitcoin are currently nowhere approaching the levels needed to
    compete as a major player in the payments sector, many of these are held back by the fact
    that bitcoin allows transactions from anyone and hence requires additional security. Private
    blockchains between trusted collaborators could forgo this security and consequently run
    more efficiently.

    Constraints and challenges

    Avoiding the pointless blockchain project. Multichain. Available at [accessed 19 September

    Detailed and technical explanation of when blockchain is or is not

    • An unpermissioned ledger is one that allows anyone at all to view or add transactions
    (bitcoin is one

    • A permissioned ledger is one that has some rules about which parties can add
    transactions, but may still be open to public

    • A private ledger is a permissioned ledger shared only between certain nodes by
    invitation, and in many ways is simply a shared database with a multiplicity of copies
    instead of a single one.

    • These terms affect how centralised the ledger is – to what extent control of the ledger is
    held by a central party or small group, versus being an open standard.




    The answer is two-fold. First, the more immediate applications will be in areas where these
    figures are better than existing alternatives, and blockchain can be of use in its current state.
    Second, the transformational applications of blockchain to areas such as payments or inter-
    bank reconciliation, will come only after R&D and innovation are applied to reach a point
    where the technology’s limitations have been greatly reduced.

    While bitcoin’s key metrics compare unfavourably with payment architecture such as Visa, it
    is ahead of the game in some fields. For example, clearing and settlement in capital markets
    takes days and the costs are high. The suggestion above to use blockchain for land registry is
    common because transactions are relatively infrequent and in a situation where higher fees
    would be acceptable. Likewise, blockchain company Everledger has created a digital asset
    register for diamond trading, using a large collection of physical and chemical measurements
    to uniquely identify stones and track their provenance and ownership. Everledger also
    benefits from having a restricted base of users, with identity requirements to join, meaning that
    less verification needs to occur within the actual system.

    It is worth noting that the latency aspect – the time between transactions – cannot be
    improved without knock-on effects. A problem with distributed ledger systems such
    as blockchain is making sure that all the participants remain synchronised, even when
    communications take time to reach each participant; this is important to prevent the ledgers
    falling out of sync with one another and opening the door to double-spending the same
    resource. Blockchain solves this by gathering new transactions together into blocks and
    posting them at once, roughly every 10 minutes in the case of bitcoin. Shorter time delays
    can be done (Ethereum uses a ~17 second delay, for example), but this means that mining is
    less cost-efficient and the short-term potential for differences or abuse is higher. While other
    alternative methods have been proposed, there is no simple solution to decrease block times.


    The move to a financial system with a significant blockchain element offers many
    opportunities for the accountancy profession. Accountants are seen as experts in
    record keeping, application of complex rules, business logic and standards setting.
    They have the opportunity to guide and influence how blockchain is embedded and
    used in the future, and to develop blockchain-led solutions and services.

    To become truly an integral part of the financial system, blockchain must be
    developed, standardised and optimised. This process is likely to take many years – it
    has already been nine years since bitcoin began operating and there is much work
    still to be done. There are many blockchain applications and start-ups in this field,
    but there are very few that are beyond the proof of concept or pilot study stage.
    Accountants are already participating in the research, but there is more for the
    profession to do. Crafting regulation and standards to cover blockchain will be no
    small challenge, and leading accountancy firms and bodies can bring their expertise
    to that work.

    Accountants can also work as advisers to companies considering joining blockchains
    themselves, providing advice on weighing the costs and advantages of the new
    system. Accountants’ mix of business and financial nous will position them as key
    advisers to companies approaching these new technologies looking for opportunity.

    The Distributed Ledger Technology Applied to Securities Markets. European Securities and
    Markets Authority. Available [Accessed 19 September

    Provides a balanced assessment of the possibility of implementing blockchain solutions in
    clearing and settlement and other securities applications, alongside the risks and


    A final area of challenge is getting an appropriate legal framework into place. An entry
    created on a blockchain ledger has to gain full legal recognition as a proper transfer of value
    between parties, with courts having the ability to enforce this if appropriate. With no central
    location, it is unclear which jurisdiction(s) even would have to rule on such matters. The
    legalisation of blockchain is a substantial challenge. It is unlikely that specific legislation will
    be written for blockchain while there are so many competing approaches and standards in the
    marketplace. Standardisation on both the technological elements of blockchain and the use
    standards for areas such as asset ownership and transfer will need significant development.
    Only after this can the legal problem be truly tackled.

    Legal recognition will also have to deal with smart contracts, which differ significantly from
    the form of traditional legal contracts. Not only do smart contracts self-execute, they are
    autonomous, and thus restrict the control that parties have once the contract is initiated. This
    could be particularly difficult if a smart contract does not operate as a party in good faith
    believed it would. There are also issues with recourse – due to the records propagating across
    many users, it could be impossible to enact a court’s judgment to remove a transaction or take
    down data stored on a blockchain.


    The parts of accounting concerned with transactional assurance and carrying out
    transfer of property rights will be transformed by blockchain and smart contract

    The reduction in the need for reconciliation and dispute management, combined
    with the increased certainty around rights and obligations, will allow greater focus on
    how to account for and consider the transactions, and enable an expansion in what
    areas can be accounted for. Many current-day accounting department processes
    can be optimised through blockchain and other modern technologies, such as
    data analytics or machine learning; this will increase the efficiency and value of the
    accounting function.

    As a result of the above, the spectrum of skills represented in accounting will change.
    Some work such as reconciliations and provenance assurance will be reduced or
    eliminated, while other areas such as technology, advisory, and other value-adding
    activities will expand.

    To properly audit a company with significant blockchain-based transactions, the
    focus of the auditor will shift. There is little need to confirm the accuracy or existence
    of blockchain transactions with external sources, but there is still plenty of attention
    to pay to how those transactions are recorded and recognised in the financial
    statements, and how judgemental elements such as valuations are decided. In the
    long term, more and more records could move onto blockchains, and auditors and
    regulators with access would be able to check transactions in real time and with
    certainty over the provenance of those transactions.

    The Future of Blockchain: Applications and Implications of Distributed Ledger
    CA ANZ and Deloitte Access Technologies. Available at [Accessed 19 September

    Good discussion of how blockchain and accounting might interact; also has a useful list of
    blockchain companies and projects.



    Accountants will not need to be engineers with detailed knowledge of how
    blockchain works. But they will need to know how to advise on blockchain adoption
    and consider the impact of blockchain on their businesses and clients. They also
    need to be able to act as the bridge, having informed conversations with both
    technologists and business stakeholders. Accountants’ skills will need to expand to
    include an understanding of the principal features and functions of blockchain – for
    example, blockchain already appears on the syllabus for ICAEW’s ACA qualification.

    Ultimately, blockchain is likely to be a foundational technology. It will take years – perhaps
    even decades – for it to be fully developed, standardised and embedded in the architecture
    of the internet and the financial system. It will also need to work quicker, more efficiently
    and have lower operating costs. But the rewards are trustworthy records and reduced
    reconciliations. So we can expect that if not blockchain, then some implementation of
    distributed ledger systems will emerge as a key business technology. Accounting will be
    more efficient due to the increased trust in the information available and the reduced time
    spent in reconciling and disputing records with other parties. This will lead to greater focus on
    the ultimate aims of accountancy – interpreting the economic meaning of transactions, and
    providing information to support better decisions.



    Appendix: How blockchain works

    A detailed operational understanding of blockchain is not necessary to
    follow the work in this paper, but an overview is provided here.

    Each participant in a blockchain (each node) keeps a copy of all the historical transactions
    that have been added to the ledger, and by comparing its copy with the other nodes’ copies, each is
    kept synchronised through a consensus process. Unlike in a traditional ledger system, there
    is no node with special rights to edit or delete transactions – in fact there is no central party at
    all, which is one of the reasons that blockchains can be useful when a trusted central party is
    either unavailable or too expensive.

    The idea of having a ledger that propagates to all its participants has been around for some
    time, but there were some serious barriers to overcome. The most important of these was
    the ordering of transactions and the ‘double spend problem’. In a large network, transactions
    are broadcast constantly from different nodes, and those transactions take varying
    amounts of time to reach different points of the network. Hence, it is difficult to have a
    definitive order of transactions. This matters most when two transactions attempt to spend the
    same asset: without an agreed order the asset is double-spent, and two parties disagree on who has the right
    to it.

    Blockchain solves this problem by having newly broadcast transactions go, not directly onto
    the ledger, but into a holding space (the ‘mempool’). These transactions are periodically bundled together
    into a block, which is then considered to have been posted as a unit, with a single block timestamp,
    thereby propagating the transactions to all users. In order to prevent competing blocks from clashing,
    and to avoid the need for a central authority to do the block-making process, blockchains
    use various methods to make creating (‘mining’) new blocks deliberately expensive. Bitcoin,
    for example, requires a miner to find by trial and error a value that makes the block’s hash fall
    below a target, and automatically adjusts that target so that on average a new block is formed
    every 10 minutes. Different nodes compete to find a valid block, so no central party controls the
    process. Successful mining is rewarded with newly created bitcoins plus the fees of the transactions
    in the block. A system that only includes trusted parties of known identity can simplify this by
    reducing the amount of verification that is needed for each block.

    So that’s the ‘block’ part covered – what about the chain? Well, new blocks don’t just
    contain the list of approved transactions, they also contain the timestamp of the block, and
    the hash – a cryptographic fingerprint – of the previous block. Because each block
    references the immediately preceding block, its order in the chain is unambiguous. What’s
    more, an attempt to change a previous block would be immediately obvious, as its hash
    would change and no longer match the backward reference in the following block. To rewrite
    one block undetected, an attacker would have to redo the mining work for that block and for every
    block after it, faster than the rest of the network extends the chain. Consequently, changing
    something in a blockchain after the fact is not viable in practice, and blockchain records are,
    for all practical purposes, permanent.

    Some blockchains are set up to contain, not only details of transactions and ownership, but
    also executable programming code. Parties can agree to add code to a blockchain in the form
    of a smart contract, that is, code that will carry out agreed transactions when triggered. This
    allows new transactions to be automated, and makes such blockchains programmable.
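    The block, mining and chain mechanics described in this appendix, as an added example in Python (this is not ICAEW’s code): pending transactions are bundled into a block that carries the previous block’s hash, the block only counts once its hash meets a difficulty target, `validate_chain` is the rule set a peer applies before adopting a received chain, and `tamper_demo` shows that editing an old block breaks the back-reference in the block after it. The 12-bit difficulty, the block fields and the `adopt_if_better` rule are simplifications chosen for this example; a real network also retargets the difficulty over time, which is not implemented here.

```python
"""Added example: a toy proof-of-work hash chain (not from ICAEW)."""
import hashlib
import json
import time
from dataclasses import dataclass, asdict


@dataclass
class Block:
    index: int
    prev_hash: str        # hash of the preceding block: the "chain" link
    transactions: list    # transactions pulled from the holding pool
    timestamp: float
    difficulty: int       # required number of leading zero bits in the hash
    nonce: int = 0        # the value a miner varies to find a qualifying hash

    def hash(self) -> str:
        # Hash every field, so a change to any of them changes the hash.
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


def meets_difficulty(digest_hex: str, difficulty: int) -> bool:
    """Proof-of-work target: the 256-bit hash must start with `difficulty` zero bits."""
    return int(digest_hex, 16) >> (256 - difficulty) == 0


def mine(block: Block) -> Block:
    """Brute-force the nonce until the block's hash meets its difficulty target."""
    while not meets_difficulty(block.hash(), block.difficulty):
        block.nonce += 1
    return block


GENESIS_PREV = "0" * 64   # the first block has no predecessor to reference


def validate_chain(chain: list) -> bool:
    """The consensus rules a peer checks before accepting someone else's chain."""
    for i, block in enumerate(chain):
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1].hash()
        if block.index != i or block.prev_hash != expected_prev:
            return False          # broken or reordered back-reference
        if not meets_difficulty(block.hash(), block.difficulty):
            return False          # the claimed work was not actually done
    return True


def build_chain(tx_batches: list, difficulty: int = 12) -> list:
    """Bundle each batch of pending transactions into a mined block."""
    chain = []
    for batch in tx_batches:
        prev = chain[-1].hash() if chain else GENESIS_PREV
        block = Block(len(chain), prev, list(batch), time.time(), difficulty)
        chain.append(mine(block))
    return chain


def adopt_if_better(local: list, received: list) -> list:
    """Peer rule: switch to a received chain only if it is valid and longer."""
    if validate_chain(received) and len(received) > len(local):
        return received
    return local


def tamper_demo(difficulty: int = 12):
    """Return (chain valid before the edit, chain valid after editing an old block)."""
    chain = build_chain([[{"from": "A", "to": "B", "amount": 5}],
                         [{"from": "B", "to": "C", "amount": 2}],
                         [{"from": "C", "to": "A", "amount": 1}]], difficulty)
    before = validate_chain(chain)
    chain[1].transactions[0]["amount"] = 200   # rewrite history in block 1
    after = validate_chain(chain)              # block 2's prev_hash no longer matches
    return before, after


if __name__ == "__main__":
    print(tamper_demo())   # (True, False)
```

    Rewriting the edited block would mean re-mining it and every block after it; with real difficulty and a network that keeps extending the honest chain, that is what makes the "permanent" claim hold in practice.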

    There are over 1.7m chartered accountants
    and students around the world − talented,
    ethical and committed professionals who use
    their expertise to ensure we have a successful
    and sustainable future.

    Over 150,000 of these are ICAEW Chartered
    Accountants. We train, develop and support
    each one of them so that they have the
    knowledge and values to help build local
    and global economies that are sustainable,
    accountable and fair.

    We’ve been at the heart of the accountancy
    profession since we were founded in 1880
    to ensure trust in business. We share our
    knowledge and insight with governments,
    regulators and business leaders worldwide as
    we believe accountancy is a force for positive
    economic change across the world.

    Information Technology Faculty
    Chartered Accountants’ Hall
    Moorgate Place
    EC2R 6EA

    T +44 (0)20 7920 8481

    © ICAEW 2018 TECPLN16346 09/18

    Introduction to blockchain


    ©McGraw-Hill Education

    What are blockchains?
    Familiar elements, combined in an elegant new way

    Traditional elements:
    • Shared ledger (transacting and recording data and value): a shared database of records, in which data transactions are recorded, replicated, shared and synchronized among the members of a decentralized network
    • Data: information that has been translated into a form that is more convenient to move or process (e.g., bits)
    • Security: preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information/value
    • Database: a collection of information that is organized so that it can easily be accessed, managed and updated, and that is virtually impossible to alter without detection
    • Public key infrastructure

    Single elegant design: these traditional elements combined into a blockchain


    Blockchain is one of the fastest-growing disruptive technologies of the last decade
    Cryptocurrencies have experienced high growth and volatility
    Funding for companies with blockchain applications has grown exponentially

    [Figure: Investment in crypto-economy ($MM, end of June 2018). Source: Autonomous NEXT, Various for ICO, Pitchbook for VC, EOS Scan, as of June 2019. Panels: exchanges that deal in …; total daily trading volume as of June 10, 2019; share of total market cap accounted for by bitcoin as of June 2019]

    In 2021 Coinbase, whose users primarily deal in bitcoin and ethereum, reported that its first-quarter revenue soared 847% to $1.8 billion and that it now has 56 million verified users.


    Life cycle of a transaction on the blockchain

    1. A wants to send tokens to B from its address in the ledger.
    2. The transaction is broadcast to every node on the network.
    3. All or a subset of nodes in the network verify that the transaction from A to B is valid.
    4. The approved transactions are bundled into blocks, which are then added to the chain – this provides an immutable (tamper-evident) and transparent record.
    5. The tokens then move to B’s address in the ledger.


    Cryptography brings security and immutability to the blockchain

    Hashing
    • A cryptographic hash function applies an algorithm to any digital input to produce a fixed-size output that is, in practice, unique to that input: this creates a unique digital ID for each block.
    • Blocks are hashed to create a tamper-evident trail that spans the entire blockchain.
    • Each block added to the blockchain contains the hash of the previous block, adding further protection to previously validated transactions.

    Private/public keys
    • Transactions require a digital signature, which is generated using a private key. A valid digital signature authorizes a transaction and unlocks cryptocurrency held at the associated public address so that it can be sent to the recipient’s public address.
    • The public key is derived from the private key by a one-way function f(X), and the public address is in turn derived from the public key by a one-way function f(X); neither step can be reversed to recover the private key.
    • Network nodes use the public key to validate that a signature was produced with the associated private key.
    • All completed transactions are visible on the distributed ledger.
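    The key and signature relationships on this slide, as an added example in Python (not part of the McGraw-Hill material): a private key signs a transfer, the matching public key verifies it, the address is a hash of the public key, and a small unspent-output ledger rejects a second spend of the same coin, which is the double-spend problem the ICAEW appendix above describes. The signature is textbook RSA over fixed, small, publicly known Mersenne-prime moduli so that the example runs with the standard library alone; that choice, the coin identifiers and the names `Ledger`, `sign` and `verify` are assumptions of this example, and nothing about the key sizes is suitable for real use.

```python
"""Added example: signed transfers and double-spend rejection (not from the slides)."""
import hashlib
import json

E = 65537   # public exponent shared by every key in this demo


def make_keypair(p: int, q: int):
    """Private key (n, d) and public key (n, e) from two primes. Demo-sized only."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # private exponent; public part is the one-way step f(X)
    return (n, d), (n, E)


def address_of(public_key) -> str:
    """Public address = hash of the public key; cannot be reversed to the key."""
    n, e = public_key
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:40]


def tx_digest(tx: dict) -> int:
    """Hash of everything in the transaction except the signature itself."""
    body = {k: v for k, v in tx.items() if k != "sig"}
    data = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(tx: dict, private_key) -> dict:
    """Attach a signature made with the private key (textbook RSA, no padding)."""
    n, d = private_key
    signed = dict(tx)
    signed["sig"] = pow(tx_digest(tx) % n, d, n)
    return signed


def verify(tx: dict, public_key) -> bool:
    """Anyone holding the public key can check that the signature matches the content."""
    n, e = public_key
    return pow(tx["sig"], e, n) == tx_digest(tx) % n


class Ledger:
    """Unspent-output ledger: each coin id can be spent exactly once."""

    def __init__(self, genesis: dict):
        self.unspent = dict(genesis)   # coin id -> (owner address, amount)
        self.applied = []

    def apply(self, tx: dict, sender_pub) -> bool:
        coin = self.unspent.get(tx["coin"])
        if coin is None:
            return False                            # never existed or already spent
        owner, amount = coin
        if tx["from"] != owner or address_of(sender_pub) != owner:
            return False                            # key presented is not the owner's
        if not verify(tx, sender_pub):
            return False                            # forged, or altered after signing
        del self.unspent[tx["coin"]]                # consume the input ...
        self.unspent[tx["coin"] + ":0"] = (tx["to"], amount)   # ... create the output
        self.applied.append(tx)
        return True


# Constructed demo keys from Mersenne primes: fixed, public and far too small for real use.
ALICE_PRIV, ALICE_PUB = make_keypair(2**31 - 1, 2**61 - 1)
BOB_PRIV, BOB_PUB = make_keypair(2**89 - 1, 2**107 - 1)


def double_spend_demo():
    """Return (first spend accepted, second spend of the same coin accepted, tampered tx verifies)."""
    alice, bob = address_of(ALICE_PUB), address_of(BOB_PUB)
    ledger = Ledger({"coin1": (alice, 10)})
    to_bob = sign({"coin": "coin1", "from": alice, "to": bob}, ALICE_PRIV)
    first = ledger.apply(to_bob, ALICE_PUB)
    back_to_alice = sign({"coin": "coin1", "from": alice, "to": alice}, ALICE_PRIV)
    second = ledger.apply(back_to_alice, ALICE_PUB)       # coin1 is already spent
    tampered = dict(to_bob, to=alice)                     # redirect the signed payment
    return first, second, verify(tampered, ALICE_PUB)


if __name__ == "__main__":
    print(double_spend_demo())   # (True, False, False)
```

    Two things to notice: the ledger never needs the private key, only the public key and the signature, and ownership is checked by hashing the presented public key and comparing it with the address recorded on the coin, so a signature from the wrong key fails before the signature itself is even examined.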


    Consensus ensures all nodes have the same ledger
    Nodes on the blockchain independently maintain their own version of the current ledger state. Consensus is the process by which each node checks with other nodes on the network (peers) to reconcile its version of the ledger with the rest of the network.
    When a miner successfully mines a block, it appends the newly mined block of transactions to its local copy of the ledger. It then broadcasts to its peers that its version of the ledger is at a higher block.
    The peers then check whether the update is valid under the consensus rule set before downloading the block and reconciling their own local copies of the ledger. There are two primary consensus rule sets:
    Proof of work:
    The model used by bitcoin, for example, which requires computational work to be performed by miner nodes; the first miner to solve the problem for its proposed block with ‘proof of work’ gets to create the next block and is rewarded.
    Proof of stake:
    The greater the amount of tokens ‘staked’ by a node, the greater its chance of being chosen to create the next block and obtain its transaction fees.

    [Figure: copies of the ledger are exchanged for verification via the consensus rule set; the ledger of the successful miner is updated with the new block(s); the other ledgers synchronize to reflect the update with the ‘winning’ block]


    So what can a blockchain be?
    The blockchain provides a number of benefits:
    Connects peer-to-peer parties
    Supplements trust with mathematics (cryptography)
    Removes need for central intermediaries
    Many practical use cases exist:
    Supply chain management
    Shipping and logistics
    Registries of legal title
    Fractional asset ownership
    Digital rights and royalties management
    Food and pharmaceutical provenance and safety



    Distributed ledgers can be public, private or hybrid

    Public – permissionless
    • Read/write access open to everyone
    • Benefits: transparency, no central intermediary
    • >90% of all blockchain application developers work in this space
    • Challenges: regulatory/legal status; scalability/processing speed; risk of cyber attack

    Private – permissioned
    • Read/write access permissioned to involved parties only
    • Complex business processes being managed for companies
    • Replicates a central authority
    • Challenges: slow to stand up and costly to maintain; adoption and onboarding challenges

    Hybrid
    • Elements of both ledger versions: public yet permissioned
    • Shares the challenges of both private and public ledgers


    More and more blockchain solutions incorporate smart contracts

    Smart contracts
    • Contracts with predefined conditions that need to be met by specified parties to automatically trigger a predefined transaction on the blockchain
    • Code posted on the blockchain
    • Once posted, the code cannot be changed due to the consensus-driven immutability of the blockchain – which also means a defect in posted code cannot be patched in place
    • Execution and settlement are faster and cheaper, and can help parties avoid errors
    • Your terms and conditions are recorded as code on a shared ledger (on a public blockchain that code is visible to every participant; it is not encrypted)
    • You control the programmed terms of this digital agreement; no need for a broker or lawyer


    Bitcoin was the first payment coin and the first blockchain use case
    Bitcoin is a cryptocurrency:
    Cryptocurrency is a digital asset in which cryptographic techniques are used to regulate the generation of units and verify the transfer of units, operating independently of a central bank.
    Crypto-exchanges serve as platforms to transact in digital currency
    Some exchanges are cryptocurrency only; some incorporate fiat-denominated purchases and redemptions of cryptocurrencies.
    Most exchange-related ‘hacks’ you hear about are due to poor custody and cybersecurity practices at the crypto-exchanges themselves (their private keys or systems are compromised), not to a break in the blockchain.
    Bitcoin does not equal blockchain!


    What is an initial coin offering?
    Method of raising funds by issuing tokens

    Process flow
    1. A white paper describes the features and functionality of the proposed blockchain solution.
    2. The issuer generates tokens using a smart contract.
    3. The tokens are recorded on the blockchain.
    4. Purchasers subscribe to buy tokens, typically with cryptocurrency.
    5. Purchasers receive tokens that can be used to transact on the issuer’s blockchain solution, which is yet to be developed.
    6. Token transactions are recorded on a blockchain, often Ethereum.


    Where Can Blockchain Be Applied?
    CPA Canada and AICPA 2017

    Why is Blockchain a Game Changer?
    Blockchain & Cybersecurity Webinar, Wiley

    How will blockchain disrupt the accounting profession?
    Double entry accounting to triple entry accounting
    Impact of blockchain on the financial statement auditing process
    Real-time remittances of sales, payroll and ultimately income taxes with no intermediary (CPA) involved
    Blockchain & Cybersecurity Webinar, Wiley

    Triple Entry Accounting
    Blockchain & Cybersecurity Webinar, Wiley

    What does blockchain do for accounting?
    Blockchain & Cybersecurity Webinar, Wiley
    The Potential Impact of Blockchain on the Financial
    Statement Audit and the Assurance Profession
    Financial Statement Auditing
    • The occurrence of the transaction: the acceptance of a transaction into a reliable blockchain
    • Management’s estimates: many transactions recorded in the financial statements reflect estimated values that differ from historical cost
    • Considering general information technology controls (GITCs) related to the blockchain environment
    • CPA auditors understanding and assessing the reliability of the consensus protocol for the specific blockchain
    • Evaluating management’s accounting policies for digital assets and liabilities
    CPA Canada and AICPA 2017


    The Potential Impact of Blockchain on the Financial
    Statement Audit and the Assurance Profession
    How Audit and Assurance Might Evolve with Blockchain
    Real-time data access via read-only nodes on blockchain
    Accessing information in the blockchain will likely become more efficient
    Reducing the lag between the transaction and verification dates
    Deploying more automation, analytics and machine-learning capabilities
    CPA Canada and AICPA 2017



    The Potential Impact of Blockchain on the Financial
    Statement Audit and the Assurance Profession
    Opportunities for Future Roles of the CPA
    Auditor of Smart Contracts and Oracles: a new skill set, including understanding technical programming language and the functions of a blockchain.
    Service Auditor of Consortium Blockchains: to provide assurance as to the effectiveness of controls over a private blockchain
    Administrator Function: a trusted, independent and unbiased third party
    CPA Canada and AICPA 2017



    Blockchain and Internal Control

    COSO & Deloitte 2020



    Blockchain and Internal Control
    Implications of Blockchain on Five Components
    Control Environment: help facilitate an effective control environment
    Risk Assessment: new risks and simultaneously helps to mitigate extant risks
    Control Activities: help facilitate control activities
    Information & Communication : promote enhanced visibility of transactions and availability of data
    Monitoring Activities: monitoring more often, on more topics, in more detail

    COSO & Deloitte 2020





    Blockchain and Internal Control
    Implications of Blockchain on Types of Controls

    Type of control: implications of blockchain
    • Preventive controls: recognizing the immutable nature of transactions recorded on the blockchain, there is a premium on recording transactions correctly the first time.
    • Detective controls: the visibility of transactions in a blockchain world provides new avenues for detective controls, when the necessary information is either available on-chain or discoverable off-chain from the on-chain record.

    Blockchain, coupled with the analytical abilities of other emerging technologies such as AI, IoT and data analytics, may be used as a means of detecting anomalies.
    COSO & Deloitte 2020




    Blockchain Financial Reporting Assertion
    COSO & Deloitte 2020





    Committee of Sponsoring Organizations of the Treadway Commission

    Sponsored By

    The information contained herein is of a general nature and based on authorities that are subject to change. Applicability of the information to
    specific situations should be determined through consultation with your professional adviser, and this paper should not be considered a substitute
    for the services of such advisors, nor should it be used as a basis for any decision or action that may affect your organization.

    Jennifer Burns | Amy Steele | Eric E. Cohen | Dr. Sri Ramamoorti

    THE COSO PERSPECTIVE
    Governance and Internal Control
    BLOCKCHAIN AND INTERNAL CONTROL

    This project was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission
    (COSO), which is dedicated to providing thought leadership through the development of comprehensive
    frameworks and guidance on enterprise risk management, internal control, and fraud deterrence designed to
    improve organizational performance and governance and to reduce the extent of fraud in organizations.
    COSO is a private-sector initiative jointly sponsored and funded by the following organizations:

    American Accounting Association (AAA)

    American Institute of CPAs (AICPA)

    Financial Executives International (FEI)

    The Institute of Management Accountants (IMA)

    The Institute of Internal Auditors (IIA)


    We would like to recognize and thank Yoland Sinclair, Manager, Deloitte & Touche LLP, the COSO Board, and COSO
    Chairman Paul Sobel for providing input, assistance, and valuable feedback in developing this paper. We also thank
    Tim Davis, Principal, Shelby Murphy, Managing Director, and Gireesh Sivakumar, Senior Manager, Deloitte & Touche
    LLP for their technical input and advice.

    The COSO Board would like to thank Dr. Sri Ramamoorti for originating the idea for this paper and Deloitte &
    Touche LLP for its support.

    Committee of Sponsoring Organizations
    of the Treadway Commission

    coso.org


    COSO Board Members

    Paul J. Sobel
    COSO Chair

    Douglas F. Prawitt
    American Accounting Association

    Robert D. Dohrer
    American Institute of CPAs (AICPA)

    Daniel C. Murdock
    Financial Executives International

    Jeffrey C. Thomson
    Institute of Management Accountants

    Richard F. Chambers
    The Institute of Internal Auditors

    Authors Contributing Authors

    Jennifer Burns
    Deloitte & Touche LLP

    Eric E. Cohen

    Cohen Computer

    Amy Steele
    Deloitte & Touche LLP

    Dr. Sri Ramamoorti
    Associate Professor
    University of Dayton


    Blockchain and Internal Control: The COSO Perspective | i

    Committee of Sponsoring Organizations of the Treadway Commission

    July 2020

    Research Commissioned by

    THE COSO PERSPECTIVE
    Governance and Internal Control
    BLOCKCHAIN AND INTERNAL CONTROL

    Copyright © 2020, Committee of Sponsoring Organizations of the Treadway Commission (COSO).

    COSO images are from the COSO Internal Control – Integrated Framework ©2013, The American Institute of Certified Public
    Accountants on behalf of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO is a
    trademark of the Committee of Sponsoring Organizations of the Treadway Commission.

    All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted, or displayed in any form or
    by any means without written permission. For information regarding licensing and reprint permissions, please contact the
    American Institute of Certified Public Accountants, which handles licensing and permissions for COSO copyrighted materials.
    Direct all inquiries to or AICPA, Attn: Manager, Licensing & Rights, 220 Leigh Farm
    Road, Durham, NC 27707 USA. Telephone inquiries may be directed to 888-777-7077.

    Design and production: Sergio Analco.


    Contents (page)

    Executive Summary 1
    I. Introduction 3
    II. The Wave of Change Known as Blockchain 4
    III. Components and Principles Overview 7
    Conclusion and Next Steps 20
    Appendix 1. Technical Appendix 22
    Appendix 2. Key Insights: 10 Things to Know About Blockchain 25
    Appendix 3. Blockchain, Financial Reporting Assertions, and Audit Evidence 27
    Supplementary Resources and References, including those provided by COSO Bodies 29
    About the Authors 30
    About COSO 32
    About Deloitte 32


    As blockchain becomes more mainstream, it is appropriate
    to focus on how this technology intersects with an
    entity’s internal control. With careful implementation and
    integration of blockchain, the distinctive capabilities of
    blockchain can be leveraged to create more robust controls
    for organizations. Further, blockchain-enhanced tools
    have the potential to promote operational efficiency and
    effectiveness, improve reliability and responsiveness of
    financial and other reporting, and improve compliance with
    laws and regulations. At the same time, blockchain creates
    new risks and the need for new controls. The Committee of
    Sponsoring Organizations of the Treadway Commission’s
    (COSO) Internal Control — Integrated Framework (2013
    Framework, see Figure 1) provides an effective and efficient
    approach that can be leveraged to design and implement
    controls to address the unique risks associated with

    [Figure 1. The COSO 2013 Framework]

    When an organization evaluates the use of blockchain
    through a COSO lens, it enables the board of directors and
    senior executives to better understand the context and make
    more informed assessments of the technology’s potential
    and applicability with respect to internal control. This
    enables the organization to perform a detailed risk analysis
    and, in turn, develop appropriate control activities to address
    such risks, facilitating the effective adoption and use of

    This paper provides perspectives for using the 2013
    Framework to evaluate risks related to the use of blockchain
    in the context of financial reporting and to design and
    implement controls to address such risks. It is intended to
    help inform decisions regarding oversight, risks, and internal
    control over financial reporting (ICFR). As such, this paper is
    expected to be of value to the various stakeholders involved
    in financial reporting, within the context of their own
    environments (see Table 2). It is not the aim of this paper
    to explain the intricacies of blockchain nor detail technical
    differences between the major platforms. Appendix 1,
    however, includes a discussion of some of the key concepts
    as used in this paper (concepts in Appendix 1 are in bold the
    first time they appear in the Executive Summary and in the
    body of the paper) and the Supplementary Resources and
    References includes additional resources.

    Observations and Implications
    One of the more significant changes resulting from the use
    of blockchain relates to the hierarchy of the entity. Although
    the highest level of the hierarchy expressed in the 2013
    Framework as shown in Figure 1 is the Entity Level, drilling
    down to Division, Operating Unit, and Function, blockchain
    has the ability to create new collaborative units, spanning
    different entities, operating on a decentralized basis but
    bound together with shared data (i.e., a decentralized
    database). From shared ledgers and record-keeping
    to overarching governance (perhaps leveraging smart
    contracts for oversight and cross-organization internal
    controls), blockchain can change the concept of an “entity”
    in an internal control environment as well as the related
    responsibilities and requirements.

    The three objectives of the 2013 Framework, Operations,
    Reporting, and Compliance, may be heavily impacted by
    blockchain in terms of how the objectives are achieved.
    In particular, many advocates believe that record-keeping
    will be entirely transformed, leading to completely ad hoc,
    automated, and on-demand reporting and compliance
    activities. With those transformations, the role and skillsets
    of management, management accountants, financial
    executives, and internal and external auditors may be
    subject to change.



    The Future of Blockchain and Its Impacts on
    Financial Reporting and ICFR
    The uses of blockchain will continue to develop and evolve
    and expanded adoption will likely transform how businesses
    operate. Many have expressed guarded optimism about
    the potential effect of blockchain on financial reporting and
    internal control. As with any disruptive technology, there is
    a need for each organization, in its own specific context, to
    evaluate the challenges, better understand the related risks,
    and work together to determine the best course of action
    and remediate those risks.

    Many of the changes that proponents attribute to the adoption
    of blockchain are not found in isolation; it is blockchain
    plus something that is most successful. As a foundational
    technology, blockchain has the potential to radically change
    the global digital business landscape that would, in turn, have
    significant impact on almost everything else.

    As organizations are contemplating the use of blockchain,
    they should know the following 10 things (See Appendix 2 for
    additional discussion):

    1 Information about blockchain in the news and on the
    Internet is often misleading or incorrect.

    2 Blockchain encompasses far more than digital assets; the
    benefits it can bring to an organization can be substantial.

    3 Blockchain is not magic; it comes at a cost and doesn’t
    eliminate all risks. In fact, it introduces new risks.

    4 Knowing how blockchain works is crucial for evaluating,
    preparing for, and managing blockchain’s impact on
    internal control and the organization as a whole.

    5 Blockchain has both technology and governance

    6 Blockchain will not make management, accountants, or
    auditors less relevant, although it will impact what they
    do and how they do it.

    7 Blockchain requires new skill sets (e.g., data science
    for greater hindsight, insight, and foresight) and new
    collaboration within and across organizations.

    8 Now is the time to educate and engage stakeholders
    throughout the organization.

    9 Blockchain is still in flux and continues to evolve.

    10 Adoption of blockchain may not be a choice.

    The potential benefits of blockchain to financial reporting
    will be maximized only if those who understand and are
    responsible for financial reporting, internal controls, and
    auditing are actively involved in the discourse about
    blockchain and collaborate to advance the collective agenda.

    Further, the introduction of blockchain into the business environment will have implications for the five components of the
    2013 Framework as follows:

    Table 1. Implications of Blockchain on Five Components
    Component: Implications of Blockchain

    Control Environment: Blockchain may be a tool to help facilitate an effective control environment (e.g., by recording
    transactions with minimal human intervention). However, many of the principles within this component
    deal primarily with human behavior, such as management promoting integrity and ethics, which, even
    with other technologies, blockchain is not able to assess. The greater challenge relates to the intertwining
    of an entity with other entities or persons participating in a blockchain and how to manage the control
    environment as a result.

    Risk Assessment: Blockchain creates new risks and simultaneously helps to mitigate extant risks, by promoting
    accountability, maintaining record integrity, and providing an irrefutable record (i.e., a person or
    organization cannot deny or contest their role in authorizing/sending a message or record).

    Control Activities: Blockchain can act as a tool to help facilitate control activities. Blockchain and smart contracts can be a
    powerful means of effectively and efficiently conducting global business (e.g., by minimizing human error
    and opportunities for fraud). The collaborative aspects of blockchain, however, can introduce additional
    complexity, particularly when the technology is decentralized and there is no single party accountable for
    the systems that fall under ICFR.

    Information & Communication: The inherent attributes of blockchain promote enhanced visibility of transactions and availability of data,
    and can create new avenues for management to communicate financial information to key stakeholders
    faster and more effectively. One aspect, in particular, for management to consider in applying blockchain
    is the availability of information to support the financial books and records, and related auditability of
    information transacted on a blockchain.

    Monitoring Activities: The promise of blockchain to facilitate monitoring more often, on more topics, in more detail, may change
    practice considerably. The use of smart contracts and standardized business rules, in conjunction with
    Internet of Things (IoT) devices, may alter how monitoring is performed.


    This paper describes the use of the COSO Internal Control
    – Integrated Framework (2013 Framework) to evaluate risks
    related to blockchain [1] in the context of financial reporting
    and to design controls to address such risks. Although this
    paper provides a discussion of high-level concepts related
    to blockchain (some of which are explained in Appendix 1),
    this paper is not intended to be a comprehensive guide
    about blockchain or about all issues, risks, and internal
    controls associated with the use of blockchain. The
    following table provides additional context on the audience
    and intended use of this paper.

    [1] The term “blockchain” is used throughout this paper to reference blockchain and distributed ledger technologies. In a broader context, these terms are sometimes
    used interchangeably and sometimes strongly differentiated; the ideas in this paper can be applied to both at a conceptual level.

    Table 2. Audience and Intended Use

    Audience: Board of directors; Audit committee
    Intended use: Understanding the following (governance level):
    • Key concepts related to blockchain
    • How blockchain may impact internal control at a sufficient level to enhance oversight

    Audience: Management (CEO, CFO, Controllers); Internal auditors, management accountants, and others concerned with internal control matters
    Intended use: Understanding of the following (operational and/or technical level):
    • Key concepts related to blockchain
    • How to leverage the 2013 Framework to evaluate considerations related to the use of blockchain and make more informed decisions about using blockchain
    • Examples of how each component of the 2013 Framework may be impacted when blockchain is implemented

    Audience: External auditors
    Intended use: Understanding of the following (operational and/or technical level):
    • Key concepts related to blockchain
    • How to evaluate management’s controls with respect to blockchain

    Audience: Academics
    Intended use: Understanding the following (depending on basic or applied research interest):
    • Key concepts related to blockchain
    • How blockchain may impact internal controls
    • How to share the concepts as well as practical applications with students

    For each of the COSO components, this paper discusses:

    • how to use blockchain to enhance that component,

    • new threats or risks that arise from using blockchain, and

    • examples of how to mitigate such threats or risks.

    Finally, with a view to enhancing collaboration, the paper
    concludes with next steps that can be taken as blockchain
    becomes more widely adopted.


    2 Cryptography is relevant in that before any transaction is entered on a blockchain it must be agreed to through a consensus protocol. Each block is linked to the prior
    block with a unique identifier (i.e., a “hash”).



    In light of the potential changes blockchain may bring
    to business and operating environments – as both an
    enabler and a driver – it seems prudent to consider its
    implications on internal control. Blockchain implementations
    might address, or even eliminate, extant internal control
    weaknesses; might be used to improve existing controls; and
    – particularly in the absence of recognized best practices –
    might pose new risks or challenges in practical contexts.

    What is blockchain?
    There are many conflicting definitions of blockchain,
    but drawing on a variety of sources this paper uses the
    following working definition: blockchain is an append-only
    ledger, a sequential database maintained by a decentralized
    network of users responsible for agreeing upon additions to
    the chain and secured through cryptography.2 In layman’s
    terms, a blockchain is a secure, transparent, irreversible
    digital ledger shared across participants. It is important to
    note that many different types of blockchains exist; there is
    no singular “the blockchain.”

    Many of the changes that proponents attribute
    to the adoption of blockchain are not found
    in isolation; it is “blockchain plus something”
    (i.e., other emerging technologies) that may
    make the changes possible. These technologies
    focus on supplementing or eliminating manual
    tasks, and moving toward a more streamlined
    state of financial reporting with more timely
    reporting of relevant information. Certain tools
    and technologies that may be helpful in further
    exploiting the potential evolution of blockchain
    include the following:

    Artificial intelligence (AI)
    AI is an area of computer science where intelligent
    machines work and react like people for tasks
    like decision-making, problem-solving, emulating
    senses, learning, planning, and activities like visual
    perception and speech recognition. It is particularly
    useful at identifying patterns and outliers. AI can
    be used to augment human involvement or as
    its replacement. For instance, AI can be used to
    analyze real-time trade transactional data and
    other information on a blockchain to simulate
    human judgment in classification, recording,
    analytics, and decision-making.

    Internet of Things (IoT)
    Internet of Things is a broad term for the growing
    list of things that can link to the Internet. With
    home automation devices, just about anything that
    can turn on and off can be Internet-enabled and be
    part of a network of things that can monitor, report
    about, and act upon the environment around it.
    IoT devices can potentially write to or act upon
    information in a blockchain to assist auditors in
    their work.

    Big Data/Open Data
    The availability of data beyond an entity’s own
    books and records, so-called exogenous data, can
    facilitate broader industry analytics to provide
    greater context to advanced audit data analytics.
    Big data refers to the wide variety of data coming
    from sources such as IoT, social media, and other
    data sources too large or complex to be processed
    by traditional applications. Open data is a subset
    of big data: large, usually structured, data sets,
    usually made available by governments.3 Big data,
    IoT, AI, and blockchain may all be used together in
    the future and, working in conjunction with internal
    control processes, could become a powerful toolset.



    Implications for Internal Control
    The internal control environment is likely to be different
    in a blockchain-enabled world. As such, it is important
    to consider and leverage these differences, factoring in
    blockchain capabilities, attributes, risks, and benefits.
    Leveraging distinctive capabilities of blockchain to
    enhance internal control, in turn, may promote greater:

    • Effectiveness and efficiency of operations,

    • Accuracy, consistency, and reliability of financial and
    other reporting, and

    • Compliance with applicable laws and regulations.

    In many ways, the control considerations with respect to
    implementing and operating blockchain solutions are much
    like those of a new Enterprise Resource Planning (ERP)
    or document management system. When considering
    financial reporting controls, certain “mainstay” financial
    controls (e.g., reconciliations) and processes (e.g.,
    creation of financial reports) will likely fundamentally
    change. Further, new risks may emerge, which will require
    new controls. See sidebar for examples of how financial
    reporting controls and processes may change.


    Internal controls related to the control environment
    The amount of control an entity may be able to
    impose within different blockchain environments will
    vary. In many cases, control will no longer rest within
    the entity. This will impact how entities consider and
    evaluate issues within the control environment.

    With the use of a blockchain solution to respond
    to reconciliation-heavy areas (e.g., intercompany
    transactions), reconciliations will become highly
    streamlined, efficient, and result in increased
    visibility to all parties to the transaction.

    With the ability to reperform calculations of
    transactions on the blockchain, there may no longer
    be a need for certain types of confirmations. However,
    there may also be an increased need for other
    confirmations with potentially new service providers.

    Vendor and supplier approval
    The use of blockchain may change the nature of
    an organization’s relationships with vendors and
    suppliers (e.g., how transactions are processed,
    visibility to pricing, and reporting and transparency
    of information).

    Third-party service providers
    Like other technology solutions, blockchain
    solutions may be controlled internally or sourced
    externally. Most externally sourced systems are
    typically overseen by a particular third party, the
    service organization. Management can request a
    type 2 SOC 2® system and organization controls
    report providing information about “the fairness of
    the presentation of [third party’s] management’s
    description of the service organization’s system
    and the suitability of the design and operating
    effectiveness of the controls to achieve the related
    control objectives included in the description
    throughout a specified period.”4 Consequently, the
    demand for some form of SOC reporting in these
    environments will likely increase.

    Decentralized external systems
    In a blockchain world, there may be no singular,
    centralized management to oversee a particular
    blockchain. Although the pre-established rules
    (protocol) of the designers and changes brought
    on by the consensus of the stakeholders can be
    communicated, there may be no singular external
    entity that can be held accountable for achieving
    the control objectives or held responsible when
    there are problems. This lack of accountability
    poses a serious challenge. Without centralized
    management, there may be no simple or easy way
    to engage a SOC auditor and, absent SOC reports,
    enterprises must consider alternatives.


    Types of Controls in a Blockchain World
    Controls are characterized as preventive (before risk materializes) and detective (during or after risk materializes).
    With blockchain, these control types are still relevant and applicable.


    Integration of Digital Assets
    Another way blockchain can be different from traditional technology solutions is integration of digital assets
    into the system. Some blockchains have their own integrated digital payment or value that exists nowhere
    else and can be tracked no other way. Traditional systems can link into banking or other financial systems;
    blockchain is sometimes the system itself.

    Electronic audit trail
    An important benefit from certain blockchains is the automatic creation and presence of an electronic record
    of all transactions (i.e., an audit trail). Nevertheless, additional challenges exist with respect to determining
    ownership and rights, and just because a transaction is on a blockchain does not necessarily validate the
    transactions for books and records purposes. Further, it is possible that the evidence an auditor may wish
    to find is not on the chain itself (“on-chain”); although, there may be sufficient context to be able to get that
    information from other sources (“off-chain”), if they exist and are readily available.5

    Work of internal and external audit
    Given the underlying blockchain-enabled platform for implementing internal control, the work of both external
    and internal auditors may be facilitated by the increased automation of controls and interactions with other
    emerging technologies (e.g., AI, IoT). An internal control environment facilitated by blockchain may enable a
    more reliable internal audit environment on which external auditors may be able to better rely. Coordination of
    the work performed, and coverage achieved by the external and internal auditors may be enhanced.

    Continuous real-time financial reports
    More substantive and substantial continuous real-time financial reports will be possible and may become
    routine. Some parties may wish to have access to a blockchain and produce their own ad hoc reports (and be
    able to access real-time information), rather than receive agreed-upon, periodic reports from an organization.

    Monitoring becomes the only control “after the fact”
    If internal environments are streamlined to the point that once a transaction hits the system, the end reporting is
    pre-determined, one could make the case that everything other than monitoring is considered “before the fact”/
    transaction pre-processing, and the only controls needed “after the fact”/post-processing are monitoring controls.

    Table 3. Implications of Blockchain on Types of Controls

    Preventive controls: Recognizing the immutable nature of transactions recorded on the blockchain, there is a premium on
    recording transactions correctly the first time.

    Detective controls: The visibility of transactions in a blockchain world provides new avenues for detective controls, when the
    necessary information is either available on-chain or discoverable off-chain from the on-chain record.
    In addition, because a significant amount of data will be available, blockchain coupled with the analytical
    abilities of other emerging technologies – such as AI, IoT, and data analytics – may be used as a means
    of detecting anomalies6. The challenge, in a blockchain world, is what to do when an issue is identified.
    Although generally corrections are still possible, given blockchain’s append-only feature, corrections will
    need to be reflected as adjustments rather than directly as corrections to an existing transaction. Note
    that this will depend on the specifics of the particular blockchain being used.


    5 On-chain refers to information that is stored on the blockchain itself. In contrast, off-chain refers to information not stored on the blockchain, but directly or indirectly
    connected to the information on-chain.

    6 For instance, comparisons of internally and externally generated data will become quite efficient, and inconsistencies, if any, will be quickly discovered and highlighted.
    This will become a powerful means of monitoring. See also sidebar on page 4.
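    The working definition above (an append-only ledger in which each block is linked to its predecessor by a hash) and the Table 3 point that corrections must be appended as adjustments rather than applied to an existing record are easier to see in code. The following is an added illustration and not code from the COSO paper or from any particular blockchain: it keeps a hash-linked ledger, verifies the chain, records a correction as a reversal plus re-entry that reference the original block, and runs the kind of detective comparison footnote 6 describes, reconciling on-chain balances against an off-chain view. The record layout (`account`, `amount`, `kind`, `ref`, `adjusts`), the sample intercompany entries, and the `tampered_copy` helper that simulates an in-place edit are all constructed for this example.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64  # placeholder predecessor for the first block


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str
    entry: dict  # business record; the key layout is constructed for this example
    hash: str


def _digest(index: int, prev_hash: str, entry: dict) -> str:
    # Canonical JSON (sorted keys) so the same record always hashes the same way.
    payload = json.dumps({"index": index, "prev_hash": prev_hash, "entry": entry}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class Ledger:
    """Append-only ledger: every block carries the hash of the block before it."""

    def __init__(self) -> None:
        self.chain: List[Block] = []

    def append(self, entry: dict) -> Block:
        prev = self.chain[-1].hash if self.chain else GENESIS_HASH
        index = len(self.chain)
        block = Block(index, prev, dict(entry), _digest(index, prev, entry))
        self.chain.append(block)
        return block

    def correct(self, bad_index: int, corrected: dict) -> Tuple[Block, Block]:
        """Fix a mis-recorded entry the append-only way: a reversal followed by a
        re-entry, both pointing at the original block. The original is never touched."""
        original = self.chain[bad_index].entry
        reversal = dict(original, amount=-original["amount"], kind="reversal", adjusts=bad_index)
        return self.append(reversal), self.append(dict(corrected, kind="correction", adjusts=bad_index))

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (ok, index of the first block that fails)."""
        prev = GENESIS_HASH
        for b in self.chain:
            if b.prev_hash != prev or b.hash != _digest(b.index, b.prev_hash, b.entry):
                return False, b.index
            prev = b.hash
        return True, None

    def balances(self) -> Dict[str, int]:
        totals: Dict[str, int] = {}
        for b in self.chain:
            totals[b.entry["account"]] = totals.get(b.entry["account"], 0) + b.entry["amount"]
        return totals


def reconcile(ledger: Ledger, off_chain: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Detective control: compare on-chain balances with an off-chain view (for example
    a counterparty's subledger) and return each disagreeing account as
    account -> (on_chain, off_chain)."""
    on_chain = ledger.balances()
    accounts = set(on_chain) | set(off_chain)
    return {a: (on_chain.get(a, 0), off_chain.get(a, 0))
            for a in sorted(accounts) if on_chain.get(a, 0) != off_chain.get(a, 0)}


def build_sample_ledger() -> Ledger:
    # Constructed intercompany entries; amounts are whole currency units.
    ledger = Ledger()
    ledger.append({"account": "IC-SubA", "amount": 1500, "kind": "invoice", "ref": "INV-1"})
    ledger.append({"account": "IC-SubB", "amount": 2300, "kind": "invoice", "ref": "INV-2"})  # keyed wrong: should be 2030
    ledger.append({"account": "IC-SubA", "amount": -500, "kind": "payment", "ref": "PAY-1"})
    return ledger


def tampered_copy(ledger: Ledger, index: int, new_amount: int) -> Ledger:
    """Simulate an in-place edit of an already-recorded block (what append-only
    storage exists to prevent) so verify() can show how it is caught."""
    copy = Ledger()
    copy.chain = list(ledger.chain)
    old = copy.chain[index]
    copy.chain[index] = replace(old, entry=dict(old.entry, amount=new_amount))
    return copy


if __name__ == "__main__":
    ledger = build_sample_ledger()
    ledger.correct(1, {"account": "IC-SubB", "amount": 2030, "kind": "invoice", "ref": "INV-2"})
    print("chain ok:", ledger.verify(), "balances:", ledger.balances())
    print("mismatches vs off-chain:", reconcile(ledger, {"IC-SubA": 1000, "IC-SubB": 2300}))
    print("tampered copy:", tampered_copy(ledger, 1, 2030).verify())
```

    Note that `tampered_copy` leaves the stored hash untouched, so `verify()` stops at the edited block itself; if an editor also recomputed that block's hash, the next block's `prev_hash` would no longer match and the walk would stop one block later. Either way the edit is detectable only because the chain is walked; the reconciliation in `reconcile` is the separate control that catches records that are internally consistent on-chain but disagree with what the counterparty holds.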

    Given the speed with which transactions are processed and
    recorded on the blockchain, coupled with the immutability
    and irreversibility of such transactions, the implementation
    of more preventive rather than detective controls will likely
    become more prevalent to assist companies in mitigating the
    risk of significant loss or error. Companies may also consider
    increasing the frequency with which detective controls are
    performed to promote more timely identification of errors.


    When implementing blockchain, the potential implications
    for ICFR, considering each COSO component and principle
    (see Table 4), should be analyzed. It is helpful to consider:

    • Blockchain’s usefulness in achieving the principles of the
    2013 Framework

    • New threats or risks that may arise from blockchain
    implementation that impact the referenced principle

    • Examples of how to mitigate those risks while seeking the
    greatest benefit

    Table 4. 2013 Framework Control Components and Summarized Principles

    Control Environment
    1. Demonstrates commitment to integrity and ethical values
    2. Exercises oversight responsibility
    3. Establishes structure, authority, and responsibility
    4. Demonstrates commitment to competence
    5. Enforces accountability

    Risk Assessment
    6. Specifies suitable objectives
    7. Identifies and analyzes risk
    8. Assesses fraud risk
    9. Identifies and analyzes significant change

    Control Activities
    10. Selects and develops control activities
    11. Selects and develops general controls over technology
    12. Deploys control activities through policies and procedures

    Information and Communication
    13. Uses relevant, quality information
    14. Communicates internally
    15. Communicates externally

    Monitoring Activities
    16. Conducts ongoing and/or separate evaluations
    17. Evaluates and communicates deficiencies

    The internal control opportunities and risks associated
    with blockchain will vary based on the nature and type
    of blockchain implemented and the amount of influence,
    oversight and control an organization can impose within
    different blockchain environments. In applying the 2013
    Framework to blockchain, it is important to be aware of
    the following:

    • Implementing a private, permissioned blockchain within
    a single enterprise will bring some new considerations
    and risks, but will also be an experience much like
    adopting any previous technology, if management has
    the ability to control the blockchain, including the inputs,
    processing, and outputs.

    • Joining a consortium blockchain or another
    organization’s private blockchain brings new
    inter-organizational challenges such as risks and
    controls being shared across organizations,
    demanding more coordinated decision-making.

    • Making a public, permissionless blockchain part of
    the financial reporting environment brings an entirely
    different set of risks and challenges, because
    decision-making may be decentralized, leaving little
    room for individual influence and little individual
    accountability. While this may be compared with the
    use of an outside service organization, management
    will need to take a much broader and potentially
    more in-depth view of these “outsourced” processes.


    Control Environment is primarily about the existence of
    a risk and control-conscious culture and the policies,
    processes, and structures that guide people at all levels
    in carrying out their responsibilities in a manner that is
    consistent with the entity’s commitment to integrity and
    ethical values. The perception of blockchain as just another
    (albeit exciting and perhaps revolutionary) technology could
    result in underestimating its potential impact on the control
    environment. Blockchain does not change human nature or
    the behavioral aspects of governance that have a significant
    influence on the overall control environment – those remain
    largely unchanged regardless of the technology used.

    Nevertheless, there are important control environment
    implications when using blockchain. It is important that
    management has the appropriate skill set to sufficiently
    understand how the entity plans to use the blockchain
    and the governance structure of the particular blockchain
    (i.e., the unique governance structure and ongoing health
    and operating effectiveness of such structure), in order to
    assess whether the use of blockchain supports the entity’s
    commitment to integrity and ethical values. It is also important
    that the board of directors has a sufficient understanding of
    the technology to fulfill their oversight responsibilities.

    Using Blockchain to Enhance the Control
    • Blockchain can provide organizations with a method
    of executing and recording transactions with minimal
    human intervention. Further, the highly automated nature
    of blockchain, coupled with the technology’s ability to
    validate and record immutable transactions on a shared
    ledger, provides organizations with opportunities to
    avoid human error and combat transactional and
    reporting fraud.

    • With blockchain, processes will commonly have
    cryptographically verifiable immutability and irreversibility;
    thus, with a well-designed and implemented blockchain,
    management should be able to rely upon and provide
    evidence of actions.

    • The increased visibility provided by a shared ledger
    system contributes to transparency, which promotes a
    strong control environment and facilitates the ability to
    provide real-time financial reports.

    • Blockchain, coupled with the analytical abilities of other
    emerging technologies such as AI and data analytics,
    may allow organizations to identify deviations from an
    organization’s standards of conduct on a timelier basis.
    This may prove especially helpful in implementing
    effective oversight in large and/or decentralized

    • In some instances, blockchain may facilitate the removal
    of management’s manual intervention from processes,
    making them largely immune to the influence of
    management decisions, integrity, and ethics.

    New Threats or Risks Posed by
    the Use of Blockchain
    • The pseudo-anonymity7 of the parties that transact on a
    blockchain, coupled with the open nature and potential
    lack of guard rails, poses a threat that a permissionless
    blockchain may be used for unethical exploits.8

    • Each blockchain is set up with a unique governance
    structure that needs to be actively monitored concerning
    the health and the operating effectiveness thereof.

    Control Environment
    Summary Principle

    1. Demonstrates commitment to integrity and ethical values: The organization demonstrates a commitment to integrity and ethical values.

    2. Exercises oversight responsibility: The board of directors demonstrates independence from management and exercises
    oversight of the development and performance of internal control.

    3. Establishes structure, authority, and responsibility: Management establishes, with board oversight, structures, reporting lines,
    and appropriate authorities and responsibilities in the pursuit of objectives.

    4. Demonstrates commitment to competence: The organization demonstrates a commitment to attract, develop, and retain
    competent individuals in alignment with objectives.

    5. Enforces accountability: The organization holds individuals accountable for their internal control
    responsibilities in the pursuit of objectives.


    7 In a public blockchain, assets are exchanged between blockchain addresses and private keys are used for authorization, but people and organization names are not
    explicitly associated with those addresses and keys. This offers a level of disguised identity, because it is possible to transact without giving any personally identifiable
    information. It is, however, possible to pierce the veil of identity through various de-anonymizing methods.

    8 Recognizing that while efforts are underway to incorporate the Legal Entity Identifier (LEI, a unique serial number for organizations globally) into blockchain –
    which would make assessing conflicts of interest easier to identify and assess – there still is a threat of potential unethical exploits in the current space given
    the pseudo-anonymity.


    For certain blockchains, the decentralization and lack of
    a central intermediary, system or oversight body to hold
    parties accountable for their actions leads to situations in
    which there is literally “no one minding the store.” If and
    when things go wrong, for certain blockchains, there is no
    recourse to anyone, and thus no accountability – a serious
    governance-related drawback.

    • Although generally, the use of blockchain is considered
    forward-thinking and positive, the act of advocating,
    adopting, and embracing blockchain or associating
    with certain groups may be seen negatively by an
    organization’s employees, clients, advisors, and overseers.
    Further, depending on the nature of the blockchain and
    the fellow participants in the blockchain, an organization
    may face reputational risk, because participating may be
    perceived as sharing in the lowest common denominator
    of the group’s ethics (i.e., reputation by association).
    For certain arrangements, controlling who gets in and
    consensus changes to the system will be out of the control
    of management.

    • Blockchain’s newness and complexity means competent
    personnel are hard to find, and a commitment to
    competence is difficult to guarantee or assess. The
    potential that blockchain has to facilitate pervasive
    automation means more tasks can be done automatically,
    and the nature of people’s responsibilities and related
    competencies can change, sometimes dramatically.
    Similarly, it may be difficult for management and those
    charged with governance to obtain the relevant level of
    understanding and expertise to effectively oversee the
    implementation and use of blockchain.

    Mitigating New Threats and Risks Associated
    with Blockchain Implementation
    In response to the specific risks identified, management and
    the board of directors may consider the following actions:

    • Where applicable, develop a code of conduct that governs
    the conduct of parties within a blockchain and establishes
    guidelines for addressing noncompliance. Organizations
    seeking to implement a private blockchain or create
    a consortium blockchain may develop such a code of
    conduct and mechanisms to (1) validate each member’s
    commitment to ethics and integrity and (2) enforce
    accountability with the code of conduct and report/
    address/remediate any deviations. Organizations should
    have a clear understanding of the governance process
    and actively monitor and evaluate whether it is effective.
    Organizations may also consider engaging an independent
    external party to provide oversight and validate adherence
    to the established code of conduct, if possible. In such
    cases, it will be important for the organization to have
    clear reporting lines established to ensure the external
    party reports directly to those charged with governance of
    each respective party.9

    • Also, consider expectations regarding the code of
    conduct, responsibilities, and authority of outsourced
    service providers. Although much of the activity related
    to outsourced service providers occurs outside the
    blockchain, the results could be challenging if unreliable
    data associated with these relationships enters the

    • Develop due diligence policies that establish guidelines
    and criteria for determining parties with whom the
    organization will transact; parties with whom the
    organization will grant access to a blockchain; and the
    public blockchains that an organization may elect to use
    in conducting transactions. These policies may include
    Know-Your-Customer (KYC) procedures, Anti-Money
    Laundering (AML) procedures, asking for SOC reports, and
    other due-diligence procedures to understand the identity
    and integrity of the counterparty. Such procedures may
    also include obtaining an understanding of the policies in
    place to govern the conduct of parties within a blockchain.
    Maintaining an understanding of the governance process
    and continuing to monitor its effectiveness is particularly

    • Assess the need to obtain or build expertise surrounding
    the blockchain technology, to ensure effective
    implementation of blockchain and appropriate use and
    updating of the technology post-implementation. Further,
    such competencies should continue to be re-evaluated
    and monitored as the technology continues to evolve

    • Ensure that the organization is capable of assessing and
    evaluating the new technology and process. This may
    be achieved through in-house resources, outsourced
    resources, or a combination.


    9 Establishing a code of conduct will most likely not be feasible for public blockchains. As such, management and those charged with governance will need to evaluate
    the risks associated with using a public blockchain and their corresponding levels of tolerance for such risks.


    • Establish cross-disciplinary teams, which include
    blockchain specialists and representatives from
    each aspect of the business that are affected by the
    implementation of the technology (e.g., IT, accounting,
    finance, operations, and internal audit). Such teams
    should be engaged throughout the planning, development,
    and implementation process.

    • Evaluate and enhance, if needed, the board and audit
    committee’s ability to understand the potential uses and
    risks associated with blockchain and its ability to effectively
    oversee the implementation and use of blockchain.

    • Define degrees or levels of responsibility and authority
    surrounding the blockchain technology, considering
    segregation of duties concerns (e.g., access-level
    privileges, private key access and the ability to authorize
    transactions, and associated financial reporting). Develop
    a suitable succession plan for assigned degrees or levels
    of authority and responsibility surrounding the blockchain
    that are key to internal controls.

    • Establish clear reporting lines for consortium or private
    blockchains that identify individuals or a group of
    individuals responsible for handling disputes which
    arise among members of a network, if not built into
    the underlying protocol. This could involve defining a
    dispute resolution jurisdiction and mutually agreed-upon
    procedures as well as potential parting of ways when
    “irreconcilable differences” arise.

    Risk Assessment
    Summary Principle

    6. Specifies suitable objectives: The organization specifies objectives with sufficient clarity to enable the identification
    and assessment of risks relating to objectives.

    7. Identifies and analyzes risk: The organization identifies risks to the achievement of its objectives across the entity
    and analyzes risks as a basis for determining how the risks should be managed.

    8. Assesses fraud risk: The organization considers the potential for fraud in assessing risks to the
    achievement of objectives.

    9. Identifies and analyzes significant change: The organization identifies and assesses changes that could significantly impact the
    system of internal control.

    Risk assessment involves the iterative process of
    identifying and assessing threats to the achievement
    of objectives. Blockchain will likely bring about new
    objectives and risks that need to be addressed. It is
    important for organizations to have the appropriate skills
    and resources to comprehend the unique risks associated
    with blockchain and identify, assess, and address those
    risks on an ongoing basis.

    Using Blockchain to Enhance Risk Assessment
    • The integration of blockchain with other emerging
    technologies could provide management, the board, and
    external parties with real-time reporting – thereby creating
    a more agile business environment – that identifies and
    assesses the achievement of various entity objectives (e.g.,
    operational, external financial reporting, compliance or
    other internal objectives).


    New Threats or Risks Posed by the
    use of Blockchain
    • Traditional risk assessments have been entity-focused,
    but with the use of blockchain, companies will need to
    consider risks more broadly. For example, entities may
    consider the susceptibility of the other parties within
    the blockchain network to risk and the effects that this
    could have on their respective businesses. Furthermore,
    different risk appetite/risk tolerances among members of a
    blockchain can lead to conflict when monitoring controls
    are designed for a blockchain. For particular blockchains,
    there may be questions about who is responsible for
    managing risks if no one party is in charge, and how
    proper accountability is to be achieved.

    • The implementation of a blockchain may leave companies
    vulnerable to new fraud schemes or new avenues to
    carry out traditional fraud schemes. See right sidebar for

    • The amount of data available in a blockchain-enabled
    environment can become unmanageably large; attempting
    to manage too much data may bring about data overload,
    resulting in exacerbated data governance issues.

    • Smart contracts are both a potential risk and an important
    part of the risk mitigation tool set. Once put in place, they
    will self-execute and are difficult to stop. Therefore, if
    developed incorrectly or manipulated, the effects could lead
    to error or potentially significant loss on a magnified scale.

    • The use of a blockchain could present issues surrounding
    obtaining sufficient appropriate evidence to support
    transactions recorded in an organization’s financial
    records (i.e., due to the loss of the transaction audit trail in
    an electronic environment).

    • Digital assets introduce a new class of assets for
    which there exists little or no prior experience and few
    meaningful parallels in managing risk and identifying
    unusual behavior. Businesses considering holding digital
    assets have incremental considerations regarding the
    assets themselves, including the market volatility, or lack
    of market for certain digital assets, cybersecurity risks
    around the protection of the private keys, accounting
    and financial reporting of such assets, and evolving
    regulatory requirements.


    • The reliability of financial information stored on
    the digital shared ledger is dependent on the
    underlying technology. If the underlying consensus
    mechanism, or other aspects of the blockchain,
    have been tampered with, this could render the
    financial information stored in the ledger to be
    inaccurate and unreliable.

    • The pseudonymity of parties on a blockchain can
    increase opportunities for collusion or obscure related
    party transactions. This risk is more applicable to public
    blockchains, where large numbers of unknown parties
    transact under pseudonymous addresses.

    • Although a reliable blockchain provides
    transaction security, it does not provide account/
    wallet security; hence, value stored in any
    account is still susceptible to account takeover,
    if an organization’s private keys are stolen or

    • There are heightened cybersecurity risks to
    blockchain. If the underlying technology is
    compromised as a result of cyberattacks an
    organization’s assets could be stolen. Furthermore,
    the impact of cyberattacks could extend beyond
    the organization to others within the network.
    There are also some unique aspects of cyber
    risks affecting blockchain as a result of its use of
    cryptography, wallets, and its decentralized nature.


    10 Deloitte’s 2019 Global Blockchain Survey, Blockchain Gets Down to Business. Deloitte Insights.


    • Integration challenges between the blockchain and
    existing legacy systems may arise. Blockchain will
    most likely be a tool that is a part of a larger core
    infrastructure and will have to work seamlessly with
    legacy infrastructure. Poor integration of blockchain with
    other entity systems could result in less-than-desired
    outcomes, such as poor client experience and regulatory
    noncompliance issues. See sidebar at right for additional

    • The regulatory environment surrounding blockchain, smart
    contracts, and digital assets continues to evolve and may
    vary across jurisdictions, leading to uncertainty around the
    regulatory requirements (including tax, data privacy, and
    protection, reporting, or other regulatory requirements).

    • The blockchain business environment also continues
    to evolve, with improvements in the technology, best
    practices, and new use cases being identified every day.
    The ability to monitor the fast-paced, and rapidly evolving,
    environment may prove difficult and challenging.

    • Fragmented solutions that exist today may soon be
    replaced. The significant investment of time, talent, money,
    and media coverage into the technology and methodology
    has resulted in a highly fragmented market of solutions,
    with overlapping capabilities and little interoperability.
    Given the ongoing haphazard, uncoordinated approach
    to blockchain development, Gartner has predicted that
    90% of 2019’s blockchain implementations will require
    replacement by 2021.11

    In addition, due to the highly automated nature of the
    technology, general IT and other risks may be exacerbated
    or heightened in a blockchain environment, such as in the
    following areas:

    • Although issues such as access rights to the system
    and data and program integrity are common to other
    technological solutions, concerns about technology
    access rights are heightened because the effects of
    inappropriate access issues can become shared issues
    across companies on a blockchain.

    • Where the blockchain is visible to many parties, that
    visibility enlarges the attack surface: the ledger, its
    participants, and its smart contracts can be studied by
    anyone on the network, which may invite cyberattacks.

    • For most public blockchains, users may not be able
    to obtain an understanding of the general IT controls
    implemented and the effectiveness of these controls.
    Furthermore, where there is no central authority to
    administer and enforce protocol amendments, there could
    be a challenge to establishing development/maintenance
    process control activities for the technology.

    • Given the speed with which transactions are recorded
    on a blockchain, coupled with the immutability and
    irreversibility of transactions, organizations may face
    increased risk of significant loss or error in the event that
    deficiencies in internal controls over a blockchain are not
    identified and corrected in a timely manner. Additionally,
    the elimination of centralized overseers and intermediaries
    may leave companies with no recourse when errors or
    losses occur, creating governance challenges. Companies
    engaging in blockchain-based transactions cannot rely
    on central intermediaries, such as a bank, to restore
    their funds in the event of fraud. As such, companies will
    need to consider whether enhancements to their internal
    control infrastructure may be warranted.



    Interoperability of Blockchain

    There are limited success stories related to
    blockchain interoperability despite indications
    that businesses believe the integration of multiple
    chains is important.10 In an era where the Web has
    brought platform agnosticism, and Macs, PCs,
    and portable devices can all access important
    resources, most blockchain use today is stand-
    alone. Future uses will have to be interoperable,
    as value networks exchange information with
    service networks, which exchange information
    with content networks, and all work together with
    AI or IoT or traditional databases and systems.
    The market has proven the network effect in
    the past: adoption begets more adoption and
    enhancements, which will in turn breed more
    adoption, and so on.


    • As organizations begin to incorporate blockchains, there
    will be a transition period. During this time, legacy systems,
    ERPs, or third-party cloud-based systems will perform
    front-end processing and data collection, then interface
    with a blockchain for additional processing or recording.
    Although data is largely secure and tamper-evident once in a
    blockchain, that data is still vulnerable to common IT risks
    while outside the blockchain.12 The interface transmission
    of data from upstream systems to a blockchain will be a
    sensitive control point in these new environments.

    Mitigating New Threats and Risks Associated
    with Blockchain Implementation
    In response to the specific risks identified, organizations
    may need to consider some of the following actions:

    • Establish objectives for the use of blockchain such that its
    implementation supports reliable and verifiable books and
    records to enable appropriate accounting and effective
    financial reporting.

    • Develop more robust risk assessment processes that
    consider the implications of blockchain on all aspects of
    the organization. In developing such an assessment, it
    may be helpful for companies to engage relevant IT and
    blockchain specialists to assist in identifying potential
    threats, areas of risk, and fraud schemes (based on
    knowledge of the organization’s control environment,
    the blockchain, and common fraud schemes).
    Performance of such a risk assessment process prior to
    the implementation of blockchain will also be helpful in
    evaluating the potential benefits and costs associated
    with the technology.

    • Develop procedures to stay abreast of changes in the
    business and regulatory environment around blockchain.
    Early engagement of the entity’s legal counsel and internal
    audit department in the implementation of the technology
    may assist in keeping informed about changes in the
    regulatory environment.

    • As blockchain is integrated into an organization’s business
    information process, and such integration has financial
    reporting implications, management should engage
    with appropriate parties (e.g., internal auditors, external
    auditors) to identify new risks relevant to financial
    reporting, internal control, appropriate accounting
    treatment, and implications for audits (e.g., potential
    auditability challenges).

    • Engage appropriate IT and blockchain specialists with
    knowledge of the entity’s existing systems to assess
    how blockchain will be integrated into and operate as a
    part of the entity’s existing IT infrastructure, prior to its

    • Develop strong governance and change-control
    processes to deploy new or amend existing smart
    contracts or changes to the blockchain. Such processes
    should also contemplate incident response management,
    and methods to identify and respond to glitches in smart
    contract and blockchain operations.

    While control activities will be discussed more fully in
    the next section, example controls to mitigate fraud and
    cybersecurity risks could include:

    • Implementing appropriate segregation of duties between
    the ability to authorize blockchain transactions (i.e.,
    access to the private keys) and the ability to record
    transactions within the entity’s general ledger, as well as
    establishing appropriate access controls surrounding the
    ability to authorize and execute changes to the underlying

    − User-acceptance testing should be undertaken
    through blockchain prototypes and realistic use cases
    to avoid undesirable outcomes, including with respect
    to segregation of duties.

    • Establishing controls over information transfer to and from
    the blockchain to the entity’s general ledger system and
    other off-chain systems.

    • Using multisignature or key sharding techniques13
    to manage the ability to authorize blockchain-based


    12 M.D. Sheldon, “A Primer for Information Technology General Control Considerations on a Private and Permissioned Blockchain Audit,” Current Issues in Auditing, Vol. 13, No. 1 (Spring 2019), pp. A15–A29.

    13 Key sharding, like multisignatures, is a method of managing keys to decentralize risk and control by requiring multiple parties to be involved
    (e.g., by splitting up portions of the private key).


    • Deploying a combination of preventive controls and
    detective controls to protect from intruders accessing the
    information systems; or when an intrusion has occurred,
    quickly detecting and preventing further access after the
    initial layers of defense are compromised.

    • Developing and implementing a structured approach to
    manage the identification and assessment of cybersecurity
    risk, including an assessment of how the organization and
    other members of the blockchain network may identify and
    address shared cybersecurity risks.
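The multisignature and key-sharding bullet above (and footnote 13) describes splitting a private key so that several parties must cooperate before a blockchain transaction can be authorized. The following added example, written for this edition and not part of the COSO paper, implements that idea with Shamir’s secret sharing in Python: a 256-bit key is split into five shares with a threshold of three, any three shares reconstruct it, fewer than three reveal nothing, and SHA-256 commitments let a custodian reject a corrupted or substituted share before reconstruction. The field prime, the 3-of-5 parameters and the commitment step are illustrative assumptions, not prescriptions from the paper.

```python
"""Key sharding with Shamir's secret sharing (added example, not from the
COSO paper). A 256-bit signing key is split into n shares held by separate
custodians; any t of them reconstruct it, fewer than t learn nothing.
The field prime, share count and threshold are illustrative assumptions."""
import hashlib
import secrets

# 2**521 - 1 is a Mersenne prime, so every 256-bit key is a valid field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(secret, n, t):
    """Split `secret` into n shares (x, y) with reconstruction threshold t."""
    if not 1 <= t <= n < PRIME:
        raise ValueError("need 1 <= t <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret is not a field element")
    # Random polynomial of degree t-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_key(shares):
    """Lagrange-interpolate the polynomial at x = 0 from any t shares.
    With fewer than t shares this returns a value unrelated to the key."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def share_commitments(shares):
    """SHA-256 commitment per share, so a corrupted or substituted share is
    caught before it is fed into reconstruction (plain Shamir has no
    integrity check of its own). 66 bytes hold any value below 2**521."""
    return {x: hashlib.sha256(y.to_bytes(66, "big")).hexdigest() for x, y in shares}


def check_share(share, commitments):
    """True when the share matches the commitment recorded at split time."""
    x, y = share
    return commitments.get(x) == hashlib.sha256(y.to_bytes(66, "big")).hexdigest()


if __name__ == "__main__":
    key = secrets.randbits(256)
    shares = split_key(key, n=5, t=3)
    commits = share_commitments(shares)
    assert recover_key(shares[:3]) == key                 # any 3 of 5 suffice
    assert recover_key([shares[0], shares[2], shares[4]]) == key
    assert recover_key(shares[:2]) != key                 # 2 custodians cannot sign
    corrupted = (shares[1][0], (shares[1][1] + 1) % PRIME)
    assert not check_share(corrupted, commits)
    print("3-of-5 sharding OK; corrupted share detected")
```

Two properties of this scheme matter for the segregation-of-duties control discussed above. Reconstruction assembles the whole key on one host at signing time, so that host is a single point of compromise; on-chain multisignature or threshold signatures avoid this by never assembling the key. And because any t shares suffice, losing more than n - t shares makes the key unrecoverable, so custody and backup of the shares need the same governance as the key itself.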

    Control Activities
    Summary Principle

    10. Selects and develops control activities
    The organization selects and develops control activities that contribute to the
    mitigation of risks to the achievement of objectives to acceptable levels.

    11. Selects and develops general controls over technology
    The organization selects and develops general control activities over technology to
    support the achievement of objectives.

    12. Deploys through policies and procedures
    The organization deploys control activities through policies that establish what is
    expected and procedures that put policies into action.

    Control activities help mitigate risks to the achievement
    of objectives and are performed at all levels of the
    organization, at various stages within business processes,
    and over the technology environment. Control activities
    may be preventive or detective in nature and may
    encompass a range of manual and automated activities,
    such as authorizations and approvals, verifications,
    reconciliations, or business performance reviews. The goal
    of control activities is to sufficiently mitigate risks to the
    achievement of objectives to acceptably low levels.

    Blockchain – with its use of cryptographic methods,
    capability to create smart contracts, and its ability to
    provide increased visibility – can be an important adjunct
    to enabling control activities, making such controls more
    reliable and secure, and providing enhanced or new tools
    to carry out the necessary steps in this context. At the
    same time, new challenges emerge requiring specialized
    considerations for control activities and for IT general

    Using Blockchain to Enhance Control Activities
    • A well-designed and implemented blockchain may
    provide companies with the ability to further enhance
    their internal controls (e.g., by promoting accountability,
    maintaining record integrity, and being irrefutable). A
    properly implemented blockchain may reduce concern
    over direct access to record, modify, or delete historical
    data. For example, for certain blockchains, once a block
    is sufficiently buried (i.e., newer verified blocks exist on
    top of it), there is minimal risk of changes to historical
    data unless the governing parties agree to perform a
    change or the chain is forked (presuming no breaches to
    the security of the blockchain).

    • The highly automated nature of blockchain, coupled with
    the technology’s ability to validate and record immutable
    transactions on a shared ledger, provides companies
    with opportunities to combat transactional and reporting
    fraud, due to the reduction of human intervention in the
    financial reporting process. With the use of blockchain,
    traditional opportunities to commit fraud or manual error
    will decrease, thereby reducing risk of loss. Further, the
    fact that multiple members participate in the consensus
    protocol allows for greater likelihood of errors being
    identified as many parties validate the accuracy of the
    transaction prior to posting.

    • Blockchain may reduce the scope of certain IT general
    controls. Because the ledger is replicated across many
    nodes, the risk of losing ledger data is low, and traditional
    controls such as data backups, batch processing among
    nodes, and disaster recovery may be scaled back for the
    ledger itself, unless a platform is abandoned or goes into
    disuse: the most recent version of the ledger can be
    recovered from other non-affected nodes. That replication
    does not, however, extend to private keys, off-chain data,
    or the entity’s own node configuration, which still require
    conventional backup and recovery controls.

    • Use of blockchain may also mitigate the risk of untimely
    transaction processing and recording, because
    depending on the particular blockchain, it may provide
    the organization with the ability to process and record
    transactions on a near real-time basis. This capability
    can greatly reduce errors.


    • Smart contracts may enhance control activities and
    prevent opportunities for fraud (due to the automation
    of executing contractual terms). Note, however, that
    as smart contracts are a tool, the tool or inputs used
    by smart contracts (including inputs from blockchain
    oracles) could be manipulated to commit fraud.
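The last bullet notes that the inputs to a smart contract, including oracle feeds, can be manipulated to commit fraud. The following added example, not from the COSO paper, shows in Python the input controls a contract or its off-chain relayer can apply before acting on a price: a quorum of independent feeds is required, stale or non-positive quotes are rejected, quotes that deviate from the median beyond a tolerance are excluded and reported, and a large jump against the last accepted value holds execution for review. The feed names, prices, timestamps and thresholds are constructed for illustration.

```python
"""Input controls for an oracle-fed smart contract (added example, not from
the COSO paper). Several independent price feeds are aggregated; stale,
non-positive and outlying reports raise exceptions, and a quorum is required
before a value is accepted. Source names, prices and thresholds are
constructed for illustration."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class OracleReport:
    source: str     # assumed oracle identifier
    price: float    # quoted price in arbitrary units
    timestamp: int  # Unix seconds when the quote was produced


def aggregate_price(reports, now, *, min_sources=3, max_age=300,
                    max_deviation=0.05, previous=None, max_jump=0.20):
    """Return (accepted_price, alerts). accepted_price is None when the
    controls fail, so the calling contract holds execution for review
    instead of acting on a manipulated or stale input."""
    alerts, fresh = [], []
    for r in reports:
        age = now - r.timestamp
        if age < 0 or age > max_age:
            alerts.append(f"{r.source}: stale or future-dated report (age {age}s)")
        elif r.price <= 0:
            alerts.append(f"{r.source}: non-positive price {r.price}")
        else:
            fresh.append(r)
    if len(fresh) < min_sources:
        alerts.append(f"quorum not met: {len(fresh)} usable sources, need {min_sources}")
        return None, alerts

    # Outlier screening against the median: one compromised feed cannot drag
    # the result, and its deviation is reported rather than silently dropped.
    med = median(r.price for r in fresh)
    accepted = []
    for r in fresh:
        deviation = abs(r.price - med) / med
        if deviation > max_deviation:
            alerts.append(f"{r.source}: deviates {deviation:.1%} from median {med:g}")
        else:
            accepted.append(r.price)
    if len(accepted) < min_sources:
        alerts.append("quorum not met after excluding outliers")
        return None, alerts

    price = median(accepted)
    # Rate-of-change control against the last accepted value.
    if previous is not None and abs(price - previous) / previous > max_jump:
        alerts.append(f"price moved {abs(price - previous) / previous:.1%} since last "
                      f"accepted value {previous:g}; held for review")
        return None, alerts
    return price, alerts


# Constructed sample: four fresh feeds, one of them manipulated, and one stale feed.
NOW = 1_700_000_000
SAMPLE_REPORTS = [
    OracleReport("feed-a", 100.0, NOW - 10),
    OracleReport("feed-b", 101.0, NOW - 20),
    OracleReport("feed-c", 99.5, NOW - 30),
    OracleReport("feed-d", 250.0, NOW - 5),    # manipulated quote
    OracleReport("feed-e", 100.5, NOW - 900),  # stale quote
]

if __name__ == "__main__":
    price, alerts = aggregate_price(SAMPLE_REPORTS, NOW)
    print("accepted price:", price)
    for a in alerts:
        print("ALERT:", a)
```

On the sample, the manipulated quote is excluded and reported, the stale quote is rejected, and the three remaining feeds produce the accepted price. The alerts are the exception report the control section later calls for: the contract still acts on good input, but a human sees every departure.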

    New Threats or Risks Posed by the Use of Blockchain
    • The appropriate functionality of blockchain is highly
    dependent upon the reliability of the underlying
    technology and the implementation of complementary
    business process and general IT controls. A poorly
    implemented blockchain or the lack of appropriate
    supporting controls could result in new or more
    widespread issues related to blockchain, including
    issues surrounding smart contracts, key management,
    consensus protocols, chain rollbacks, and forks.

    • Smart contracts are powerful but can add complexity.
    Like any other programming application, smart contracts
    may contain programming errors or back doors, or
    be subject to other challenges. Poorly designed and
    implemented smart contracts with deficient business
    logic could lead to large-scale automatic execution
    and recording of invalid transactions, for which there
    could potentially be no recourse – a highly undesirable

    • Blockchain does not provide management protection
    over access to an organization’s private keys and hence
    does not provide direct control of its digital assets. A lack
    of proper controls over the private keys and the ability
    to initiate blockchain-based transactions could lead to
    potential loss or misappropriation of organization assets.

    Enterprise key management software is only beginning to
    emerge, as are key management guidelines.14

    • The consensus protocol (or mechanism) of a blockchain
    sets the rules, preconditions, and requirements for
    validating transactions in accordance with the agreed-
    upon rules. A poorly designed and implemented
    consensus protocol compromises the technology’s ability
    to properly validate transactions in accordance with the
    agreed-upon rules. In such cases, information recorded
    on the shared ledger may be invalid and unreliable.
    Even with the implementation of an effective consensus
    protocol, there is still a risk that transactions recorded
    on the blockchain may be invalid, for many reasons,
    including if the distribution of computational power
    (or stake) among members of the network is such that one
    member, or a colluding group of members, controls a
    majority and can manipulate the consensus protocol, a.k.a.
    a “51% attack”.

    • Consensus protocols drive updates and changes to
    the system. Chain rollbacks are a primary method of
    “correcting” major errors in a blockchain but can be
    used to circumvent the immutability of a chain through
    restarting from an earlier point. As such, chain rollbacks
    may provide management with the ability to alter
    transactions recorded on the blockchain.

    • The completeness of transactions recorded on
    the blockchain may be brought into question if the
    organization engages in recording off-chain transactions.
    Off-chain transactions are not captured on the
    blockchain and would require additional considerations
    and controls to reconcile with on-chain transactions and
    the associated financial reporting.


    14 NIST Key Management Guidelines.


    Mitigating the New Threats and Risks
    Associated with Blockchain Implementation

    Controls over Key Aspects of the Blockchain
    Although the implementation of blockchain could either
    enhance or impair the effectiveness of an entity’s control
    activities, there are specific steps that can be taken
    to mitigate these risks and utilize blockchain to its full
    potential. For example, revised policies and procedures
    should address new risks, internal controls, and accounting
    related to the use of blockchain, as well as establish
    responsibility and accountability for executing the policies
    and procedures. In addition, organizations should consider
    identifying and implementing relevant controls over key
    aspects of the blockchain, including, as appropriate, those
    outlined in the following table:

    Table 5. Controls Over Key Aspects of Blockchain
    (Aspect of the blockchain: control activity considerations)

    Nodes: Each computer on a blockchain network is known as a “node.” It will be important for companies to
    have established controls governing the activities of nodes that store copies of the database, perform
    validation of transactions, work to prepare data to be added to the chain, or perform other services.
    Controls may relate to the following objectives:

    • Making sure there are enough independent nodes working to minimize the opportunity for some to
    collaborate to attack the system, and ensuring that computational power (or stake, on proof-of-stake
    networks) is distributed across nodes such that no party or colluding group can manipulate the consensus protocol.

    • Testing the availability of blockchain data from different nodes in the network.

    • Verifying the consistency of data obtained from different nodes in the network.

    • Testing that nodes are performing relevant validations before agreeing to add data to the chain.

    • Tracking and providing incentives for correct validations and penalties for incorrect validations.
    (Note: An organization may not be able to perform these in relation to a public blockchain, given the large number of nodes operating on the network.)


    Consensus protocols: The consensus protocol for a specific blockchain should be periodically evaluated to determine whether:

    • The appropriate nodes are authorized to participate in consensus.

    • Protocols have been appropriately designed and are operating effectively.

    • Incentives for complying with the protocols and penalties for not complying have been appropriately
    designed to mitigate fraud.

    The major categories of consensus include proof-of-work, proof-of-stake, or majority vote.15


    Private keys: Companies should take steps to manage access to their private keys. These controls will be dependent on
    how such keys are stored (e.g., hot wallet or cold wallet). In some instances, companies may engage a
    third-party custodian to assist in key management or to manage the assets directly. Custodians may require
    splitting access to the private key across multiple parties, thereby requiring approval of transactions by
    multiple parties (multisignature). It will also be important to ensure that the organization has considered
    appropriate segregation of duties to ensure that persons who approve blockchain transactions do not have
    the ability to record transactions within the organization’s books and records.


    Smart contracts: To mitigate the risks associated with smart contracts, companies may:

    • Implement controls to validate the appropriateness of the design and implementation effectiveness of
    smart contracts, track changes and updates in a controlled fashion, and ensure there is proper
    documentation and historical record to establish accountability.

    • Implement controls over the inputs into smart contracts, including inputs from blockchain oracles.

    Controls over smart contracts should provide timely alerts and exception reports to ensure that everything
    is working as intended and departures and deviations are promptly reported to appropriate parties.
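The Nodes row of Table 5 asks for verification that data obtained from different nodes is consistent and that nodes validate before agreeing to append, and the Control Activities discussion above relies on a block being “sufficiently buried” under newer verified blocks. The following added example, not from the COSO paper, works those checks through in Python on a toy hash-linked ledger with constructed transactions and node names: a local chain verification catches a crude edit, a cross-node comparison catches a node whose rewritten copy verifies locally yet disagrees with the majority, and a helper reports how many blocks have been built on top of a given block. The block format and SHA-256 linking are simplifications standing in for a real protocol.

```python
"""Node-level integrity checks for a shared ledger (added example, not from
the COSO paper). A toy hash-linked chain stands in for the blockchain; the
node names and transactions are constructed. It shows (1) a local chain
verification, (2) a cross-node consistency check that catches a node whose
self-consistent copy nevertheless disagrees with the majority, and (3) how
deeply a block is buried."""
import hashlib
import json

GENESIS_PREV = "0" * 64


def block_hash(prev_hash, height, txs):
    """Hash of the canonical JSON encoding of the block contents."""
    payload = json.dumps({"prev": prev_hash, "height": height, "txs": txs},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(tx_batches):
    """Build a chain from a list of transaction batches, one block per batch."""
    chain, prev = [], GENESIS_PREV
    for height, txs in enumerate(tx_batches):
        h = block_hash(prev, height, txs)
        chain.append({"height": height, "prev": prev, "txs": txs, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Return the heights whose stored hash or back-link does not verify."""
    bad, prev = [], GENESIS_PREV
    for blk in chain:
        if blk["prev"] != prev or block_hash(prev, blk["height"], blk["txs"]) != blk["hash"]:
            bad.append(blk["height"])
        prev = blk["hash"]
    return bad


def cross_check(nodes, height):
    """Compare the block hash at `height` across nodes.
    Returns (majority_hash, sorted names of nodes that disagree with it)."""
    votes = {}
    for name, chain in nodes.items():
        h = chain[height]["hash"] if height < len(chain) else None
        votes.setdefault(h, []).append(name)
    majority = max(votes, key=lambda h: len(votes[h]))
    dissenters = sorted(n for h, names in votes.items() if h != majority for n in names)
    return majority, dissenters


def confirmations(chain, target_hash):
    """Number of blocks built on top of the block with `target_hash`,
    or None if that block is not in this chain."""
    for blk in chain:
        if blk["hash"] == target_hash:
            return len(chain) - 1 - blk["height"]
    return None


# Constructed sample ledger: three batches of payments.
SAMPLE_BATCHES = [
    [{"from": "treasury", "to": "vendor-a", "amount": 100}],
    [{"from": "treasury", "to": "vendor-b", "amount": 250}],
    [{"from": "vendor-a", "to": "treasury", "amount": 40}],
]


def demo():
    honest = build_chain(SAMPLE_BATCHES)

    # Crude tamper: a node edits a payment in block 1 but leaves hashes alone.
    crude = json.loads(json.dumps(honest))
    crude[1]["txs"][0]["amount"] = 2500

    # Stealthy tamper: node-c edits the batch and recomputes every hash, so
    # its copy verifies locally and only a cross-node comparison exposes it.
    altered = json.loads(json.dumps(SAMPLE_BATCHES))
    altered[1][0]["amount"] = 2500
    stealthy = build_chain(altered)

    nodes = {"node-a": honest, "node-b": honest, "node-c": stealthy}
    return {
        "crude_bad_heights": verify_chain(crude),
        "stealthy_bad_heights": verify_chain(stealthy),
        "dissent_at_1": cross_check(nodes, 1)[1],
        "dissent_at_0": cross_check(nodes, 0)[1],
        "confirmations_block0": confirmations(honest, honest[0]["hash"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The cross-node check is the participant’s view of majority consensus, and it is only as strong as the independence of the nodes being compared; that is why the Nodes row pairs it with controls over the number of nodes and the distribution of validating power. The confirmation count is what “sufficiently buried” means operationally: a block with two newer blocks on top can still be reorganized away on a chain that permits rollbacks, so the depth an entity requires before treating a transaction as final is itself a control parameter.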


    15 More information on the nature of public and private blockchains is available in the posting by one of the founders of Ethereum, Vitalik Buterin: Buterin, V. (2015), “On Public and Private Blockchains.” Available at


    The Information and Communication component of the
    2013 Framework focuses on identifying, processing,
    and communicating relevant information to and from
    internal parties and external parties. Blockchain has
    the opportunity to support the effective and timely
    communication of information by connecting organizations
    for collaboration, while also presenting new risks and
    threats. At the same time, organizations must consider the
    information and communication changes expected to be
    needed in light of the use of blockchain. For example, most
    blockchain implementations today do not include on-chain
    all of the information helpful to support management’s
    representations about classes of transactions, events,
    or account balances.

    Using Blockchain to Promote Information and Communication
    • Blockchain results in enhanced visibility of transactions
    and new avenues for management to communicate
    financial information to key stakeholders (e.g., through
    ad hoc, real-time financial reporting).

    • As a comprehensive, shared database, blockchain can
    be a foundation for providing data about transactions,
    relevant to both financial reporting and decision-making.

    • Blockchain, if properly implemented, can promote
    the availability of data that is accessible, accurate,
    consistent, current, retained, and timely.

    • Data is less likely to be lost when being entered into
    or aggregated within a common and comprehensive
    digital ledger, promoting better visibility and offering
    supplemental provenance evidence.

    New Threats or Risks Posed by the Use of Blockchain
    • With the uncertainty about the full capabilities of
    blockchain and what blockchain is and does, there
    can be a false sense of comfort that information on a
    blockchain is always correct, information is available,
    people have been notified, and feedback has been
    received. In fact, information on a blockchain only
    maintains the integrity of what was entered; as in
    everything else, “garbage in, garbage out” prevails.
    Furthermore, the reliability of the data stored on a
    blockchain is dependent on the effectiveness of the
    underlying technology. Blockchain supported by flawed
    technology may provide data that is unreliable and
    cannot cure underlying deficiencies.

    • Although blockchain has the ability to record large
    amounts of transactional data in a timely manner, this
    data will need to be processed into useful and actionable

    • As it pertains to financial reporting, companies may face
    challenges gathering sufficient appropriate evidence to
    support assertions they make about the digital assets or
    digital asset transactions processed on a blockchain.
    Furthermore, companies may face challenges with the
    ability of auditors to obtain the evidence they need to
    assess whether the books and records are adequately
    supported (See Appendix 3 for further discussion of

    Information and Communication
    Summary Principle

    13. Uses relevant, quality information
    The organization obtains or generates and uses relevant, quality information to support the
    functioning of other components of internal control.

    14. Communicates internally
    The organization internally communicates information, including objectives and
    responsibilities for internal control, necessary to support the functioning of internal control.

    15. Communicates externally
    The organization communicates with external parties regarding matters affecting the
    functioning of other components of internal control.


    Mitigating the New Threats or Risks Associated
    with Blockchain Implementation
    In response to the new risks and threats to providing and
    receiving information, organizations may need to consider
    some of the following actions:

    • Educate key stakeholders (including those charged with
    governance) on how blockchain will be used by the
    business and the associated benefits and risks of using
    the technology. It will be important for stakeholders to
    understand that although blockchain has been designed
    to improve the transaction execution and recording
    process with the aim of providing real-time validated
    transactions, there are still risks associated that could
    render the data unreliable.

    • Determine that the board of directors and audit
    committee have the information they need to perform
    their related oversight responsibilities.

    • Establish a method for members of a blockchain network
    to report any concerns. The methods may include a
    whistleblower hotline, if not already in place.

    • Develop communication methods to ensure that
    operational and other changes/updates relating to the
    use of blockchain are communicated to appropriate
    personnel so they can understand and carry out their
    internal control related responsibilities.

    • Determine new information requirements needed in light of
    the use of blockchain in order to produce relevant, quality
    information to support the functioning of internal controls.

    • Develop data analytics procedures to identify and obtain
    relevant, quality data from the blockchain that can then
    be processed into information to be used to support
    management’s business processes and reporting objectives.

    • Engage in discussions with both internal and external
    auditors during the development of or identification of a
    blockchain to be used in the entity’s processes. As a part
    of these discussions, it will be important for management
    to understand typical auditability issues associated with
    using blockchain and corresponding processes that can
    be implemented to mitigate against such issues, so that
    the appropriate information and support for transactions
    is available.

    Monitoring Activities
    Summary Principle

    16. Conducts ongoing and/or separate evaluations
    The organization selects, develops, and performs ongoing and/or separate evaluations to
    ascertain whether the components of internal control are present and functioning.

    17. Evaluates and communicates deficiencies
    The organization evaluates and communicates internal control deficiencies in a timely
    manner to those parties responsible for taking corrective action, including senior
    management and the board of directors, as appropriate.

    Monitoring controls are used to determine whether internal
    control, including each of the components and principles,
    are effective and functioning. Findings are evaluated
    and communicated appropriately. Blockchain does not
    change the need to evaluate whether the components and
    principles are present and functioning, but the method of
    evaluation may change in light of the use of blockchain
    (for example, when the internal control environment is
    shared across multiple enterprises and may require more
    collaboration between organizations).

    Using Blockchain to Enhance Monitoring
    • As blockchain facilitates a more integrated, flow-through
    environment with minimized human intervention,
    evaluations themselves can be built into a blockchain-
    enabled process using smart contracts, AI, and
    standardized rules engines. In addition, blockchain can
    be used with other technologies to help in identifying
    information for effective oversight. For example,
    IoT devices can act where human intervention was
    previously impractical, to permit real-time recording of
    transactions16 based on changes in the environment.
    Blockchain can maintain detailed data that can be
    summarized in different ways to allow for the completion
    of evaluations of varying scopes and frequencies.

    . . . . . . . . .

    16 For example, IoT sensors in a shipping container can monitor for possible damage from rough movement or temperature variations and trigger appropriate claims for
    insurance or other contractual reparations.

    c o s o . o r g

    Blockchain and Internal Control: The COSO Perspective | 19

    • As information is collected or aggregated onto a
    blockchain on a real-time basis, monitoring activities can
    catch problems closer to the occurrence of a deficiency,
    minimizing exposure and speeding remediation.

• If effectively implemented, the use of blockchain
may allow errors to be identified sooner and performance
reviews to be carried out more holistically.
    Advanced analytics, AI, and other tools can be used to
    analyze the detail allowing management to concentrate
    on higher risk areas. Separate evaluations performed by
    internal auditors can also focus on the information most
    relevant to their own use.

    New Threats and Risks Posed by the
    use of Blockchain
• Working with large amounts of data that is frequently
updated could potentially exacerbate the level of, and
    susceptibility to, risks related to information overload and
    result in additional challenges in adequate monitoring.

    • Similar to challenges identified surrounding the control
    environment component, finding competent people to
    design and perform effective monitoring controls over
    blockchain may prove challenging.

    • The use cases for blockchain are growing in number and
    complexity, as are the regulations and laws surrounding
    blockchain. It is difficult to stay abreast of ongoing change
    and ensure proper and timely updates to the technology
    and to any other procedural or operational processes that
    are needed, including with respect to monitoring.

    • The decentralization and lack of a central intermediary
    associated with certain blockchains may result in no
    established party or body responsible for executing
    monitoring controls, posing governance challenges.

    Mitigate the New Threats and Risks Associated
    with Blockchain Implementation

    In response to the new risks and threats, organizations
    may need to consider the following:

    • Given the large volume of data processed on the
    blockchain and the high frequency at which these
    transactions are processed, using computerized
    continuous monitoring techniques to perform ongoing
    evaluations, as opposed to traditional manual techniques.

• Using ongoing evaluations to identify changes and
updates to the technology, and to validate whether
the components of internal control are present and
functioning.
    • Identifying and obtaining talent with requisite knowledge
    of an entity’s baseline control environment, blockchain
    technology, and best practices surrounding monitoring
    techniques to 1) assist in designing and implementing
    appropriate monitoring controls and 2) assess the results
    and efficiency of such monitoring activities.

    • Assessing the unique aspects of blockchain such as
    consensus protocols, smart contracts, and private
    keys, as well as factors relating to the ongoing health,
    governance, and overall reliability of the blockchain in

    • Within a consortium or private blockchain, identifying
    individuals who will be charged with executing
    monitoring controls and establishing agreed-upon
    policies and procedures for communicating deficiencies
    and taking corrective action in the event that
    deficiencies are identified.17

    • In some instances, retaining an objective third party
    to assess consortium blockchains. For example, if
    proprietary information is needed from individual entities
    to determine whether the components are functioning, to
    evaluate deficiencies, and to communicate deficiencies,
    a trusted intermediary can access such information.

    • Monitoring service-level agreements with and control
    reports from outsourced service providers. As stated
    earlier, if unreliable data associated with these
    relationships enters the blockchain, the results could be
    severely compromised, even catastrophically.

    . . . . . . . . .

    17 Establishing monitoring controls over a public blockchain may not be possible given the level of decentralization and management’s lack of control over the management
    and oversight of the technology.



    Many businesses, industries, and governments are
    investing in and exploring how blockchain could positively
    impact the achievement of their objectives.18 When an
    organization evaluates the potential use of blockchain
    through a COSO lens, it enables the board of directors
    and senior executives to better understand the context
    and make more informed assessments of the technology’s
    potential and applicability with respect to internal control.
    This enables others within the organization to perform
    a detailed risk analysis and in turn, develop appropriate
    controls to address such risks, which will facilitate the
    effective adoption and use of blockchain.

Many challenges need to be addressed to leverage the
potential of blockchain. These challenges and issues will
likely be sorted out by organizations 1) with motivation
    to have transparent and accessible blockchain-based
    systems and 2) in industries that are being disrupted by
    blockchain.19 These organizations bear a greater burden
    in identifying solutions, lighting a new path that will help
    other blockchain adopters in the future. Further, it is these
    organizations that will develop new use cases, not only
    advancing their own organization, but also helping others
    (including regulators and other stakeholders) understand
    the potential benefits of blockchain.

    The introduction provided a list of potential stakeholders
    and the intended use for the document. The following table
    provides potential next steps for the same stakeholders.

    Table 6. Next Steps for Key Stakeholders
    Audience Next steps

    Board of directors • Leverage this document and relevant blockchain-related information, educational materials,
    webcasts, training sessions and other resources to gain a foundational understanding of the

    • Build internal expertise on the board and support discussion at the leadership level on
    blockchain activities within the organization and the potential benefits and challenges

    • Understand how blockchain-enabled processes may promote or reduce reporting
    efficiency and risk

    • Understand how internal and external auditors may be considering the technology’s potential

    Audit committee

    (CEO, CFO,

    • Build internal expertise and support discussion at the divisional and/or departmental level on
    the potential benefits and challenges of blockchain

    • Gain insights about how blockchain is being used by peer organizations and what innovative
    practices are in use

    • Coordinate with blockchain developers to help them prioritize and design blockchain
    technology that is ready for internal control

    • Talk with external auditors to understand how blockchain may impact the audit, including
    how appropriate audit evidence may be obtained in a blockchain-enabled world

    • Put into practice the 2013 Framework to evaluate risks and control implications related to the
    use of blockchain

    Internal auditors,
    accountants, and
    others concerned
    with internal control

    External auditors • Build knowledge and expertise of blockchain
• Understand how blockchain may impact the audit, including how sufficient appropriate audit
evidence may be obtained in a blockchain-enabled world and how blockchain may be used for
    audit purposes

    • Work within the firm and with third-party audit tool developers to develop necessary tools
    (e.g., to understand the internal controls and audit blockchain transactions)

    Academics • Leverage information and educational materials, webcasts, training sessions, and other
    resources to help educate students

    • Consider potential research projects related to the implementation of blockchain and its use
    cases to help evaluate the implications of blockchain and effective internal control

    • Explore new knowledge, innovative practices, and standards and regulations in this
    evolving space

    . . . . . . . . .

18 Deloitte’s 2020 Global Blockchain Survey, From Promise to Reality. Deloitte Insights.
19 When people talk about industries being disrupted by blockchain, certain industries tend to rise to the top of the list. Defining characteristics of these industries
include those with supply chains, longer term record-keeping needs, and large volumes of repetitive detail (e.g., financial services; health care, trade, and supply chain


    Even while blockchain technology is evolving, the financial
    reporting stakeholder community can jointly work to better
    understand the challenges and risks, ways to remediate,
    and leading practices such that the potential benefits are
    realized. Stakeholders must realize that adoption is likely to
    move forward (even given the associated risks) regardless
    of whether such activities occur. If efforts are not made
    now, the knowledge, learning, and application gap will
    widen, and more effort will be required later to react to the
    challenges with the technology and its adoption.

    The benefits of blockchain specific to financial reporting
    reliability will be maximized only if those who understand
    financial reporting, internal controls, and third-party
    assurance are actively involved in the evolution of the
    blockchain ecosystem as well as related regulation and
guidance. Further, the potential benefits of blockchain to
financial reporting stakeholders will be maximized only
when it is coupled with other technologies, such as AI
and IoT.



    Short History of Blockchain

    The initial blockchain adoption was primarily for Bitcoin.
    As highlighted in the seminal Satoshi Nakamoto paper,
“Bitcoin: A Peer-to-Peer Electronic Cash System” (2008),20
Bitcoin was designed for peer-to-peer payments (value
    exchange) without the need for a central bank or
    intermediary; this has led to excitement by some and
    concern among others that digital assets could pose a
    legitimate threat to traditional financial services.

    While digital assets and their volatility in value made
    headlines, market participants began to investigate the
    underlying technology, blockchain, and its potential as
    a new means of connecting parties. Given blockchain’s
    rapidly evolving use cases, global efforts to standardize
    and utilize the technology for a wide variety of purposes
    beyond Bitcoin have gained steam. With blockchain
    functionality (e.g., facilitating the transfer of digital assets
    in near real time), organizations have the opportunity to
    work differently, with new business models and value
    chains, and increased speed toward product or delivery.

    When did blockchains begin?

    The proto-blockchain
    Blockchain’s beginning goes back to the early
    1990s when Dr. Stuart Haber and Dr. Scott
    Stornetta published a number of academic
    research papers21 related to using math and
    cryptography to prove document integrity by
    linking new batches of document metadata to
    an existing chain. This append-only structure
    leverages time-stamping and digital signatures,
    with the goal to ensure the integrity of data
    throughout the chain.

    Bitcoin’s blockchain
Nakamoto’s paper, which does not use the term
blockchain, cites and expands on Haber and
Stornetta’s ground-breaking work to support
electronic cash and peer-to-peer exchange.
    The goals included eliminating the need for a
    single financial intermediary, preventing double
    spending,22 and incentivizing the decentralized
    participants to maintain the decentralized network
    and do the work to add the new records. “Bitcoin
    is open-source; its design is public, nobody owns
    or controls Bitcoin and everyone can take part.”23
    Bitcoin’s ability to rely on the system without
    needing to trust the participants is the source of
    the phrase “trustless.”

    Later blockchains, adding tokens,
    and smart contracts
After Bitcoin, a number of other blockchains
sprouted (e.g., the Ethereum24 blockchain).
    These added the ability to design custom digital
    assets called tokens and introduced a powerful
    programming environment called smart contracts.

    . . . . . . . . .

    20 .
    21 Such as “How to Time-Stamp a Digital Document”; .
22 With physical coins and bills, only one person at a time can be in possession. However, when using digital assets that were not designed to deal with the “double spend
problem”, the proof of availability of an open balance can be promised to multiple parties at the same time. Bitcoin sought to minimize the problems this might cause.
    24 More about Ethereum, the catalyst for its development, and how it expanded on Bitcoin’s blockchain with tokens and smart contracts, can be found at


    . . . . . . . . .

25 For example, the Bitcoin ecosystem focuses on tracking Bitcoin, a digital asset with value that stands on its own (or not). The Ethereum platform has its primary digital
asset, Ether, but also permits the creation of customized (bespoke) fungible, mutually exchangeable tokens (ERC-20) and non-fungible tokens (ERC-721); many digital
assets are created using Ethereum.

    26 AICPA, “Practice Aid: Accounting for and Auditing Digital Assets,” December 2019.
    27 .

Some of the key concepts associated with blockchain as used in this paper include the following:

Table 7. Key Concepts Associated with Blockchain
Concept Explanation

Consensus mechanism (or protocols) With decentralized control of a blockchain, some means of gaining agreement on 1) the way transactions
are checked against a base set of rules and making sure the blockchain contains a consistent set and 2) the
ordering of validated transactions within the shared, distributed information is necessary. This means of
gaining agreement is known as a consensus mechanism. (Bitcoin accomplished agreement through
incentives by compensating the participants, called “miners.”)

Consortium blockchain Consortium blockchains are normally permissioned, but some are built upon public blockchains. Consortium
blockchains include different organizations that have come together and agreed to jointly use a blockchain.

Database Blockchain is often described as a “decentralized” database. A “database” is usually described as structured
data organized to be easily accessed, managed, updated, and queried, with a focus on retrieval. This is not
true of all blockchains; some are designed to be opaque and prevent any form of third-party analysis.
A major distinction between blockchain with digital assets and a database is the possibility of blockchain
being the sole record keeping device for the digital assets.25 Blockchain excels where a disparate group of
people want to share information but not have to rely on one of the parties to act as the intermediary.

Digital asset The term digital asset as used in this paper is referring broadly to digital records, made using cryptography
for verification and security purposes, on a distributed ledger (e.g., blockchain). Digital assets, as defined
by the AICPA,26 may be characterized by their ability to be used for a variety of purposes, including as a
medium of exchange, as a representation to provide or access goods or services, or as a financing vehicle,
such as a security, among other uses. The rights and obligations associated with digital assets vary
significantly, as do the terms used to describe them.

Forks Forks are an important tool that have been used widely in public blockchains like Bitcoin and Ethereum.
As the name would imply, when a blockchain forks, some decision is made that results in two potentially
different paths. Two separate chains will now have commonality up to the point of the fork, after which
different sets of rules, different additions to data, and sometimes completely different assets will apply.
Groups may choose to fork a blockchain in order to make a correction to the “immutable” blockchain on
which they are based.
In the fork illustrated in the following example, holders of the original digital asset also became holders
of another digital asset in the new chain created by forking the original chain. Sometimes, Bitcoin and
Ethereum have forked solely in order to apply new rules.

[Figure: Original chain, blocks 1, 2, …; chain created by forking the original chain; the same keys unlock these; after the fork, new blocks differ.]

Hash A hash is a cryptographic, one-way function that takes data of any size and produces a fixed-size digest.
The function is designed so that it is impractical to recover the input from the digest or to find two different
inputs with the same digest, so the digest serves as a practically unique identifier of the data. With
blockchain, each block is linked to the prior block by including the prior block’s hash, so any change to an
earlier block changes its hash and breaks the link to every block after it.

Immutability and record integrity Immutability refers to the append-only nature of a blockchain. The design of blockchain as append-
only with cryptography means that information, once written to the blockchain, is very difficult to alter.
Although corrections are still possible, corrections will need to be reflected as adjustments rather than
directly as corrections to an existing transaction. Blockchain promises record integrity, but it does not
promise that the records themselves reflect lawful or appropriately classified transactions.

Miners Bitcoin achieves consensus through incentives, by compensating the participants (called miners) who
exert effort and provide computational power to solve a computationally difficult mathematical puzzle – one
that is difficult to perform but easy to check – a method known as “proof-of-work.” The Bitcoin design was
purposefully challenging. Other methods, including giving more weight to those who hold (and stake) more of the
digital asset themselves, called proof-of-stake, are also being used. As the original Bitcoin white paper notes,
“What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any
two willing parties to transact directly with each other without the need for a trusted third party.”27


Table 7. Key Concepts Associated with Blockchain (cont.)
Concept Explanation

Nodes Each computer on a blockchain network is known as a node.

On-chain and off-chain transactions On-chain transactions are the transactions available on the distributed ledger and are also potentially
visible to all the members of the blockchain network. Off-chain transactions represent the movement of
assets or recording of related information outside of the blockchain.

Open-source An open-source model is a collaborative development and distribution model. It encourages those with
common development interests to work together to produce something cost-effectively and with a greater
eye to quality through numbers than individual commercial developers could create on their own.

Oracle Oracles are a means of writing information to a blockchain as a record so smart contracts can monitor the
records for changes and then act on them. Because oracles provide important input used to execute the
terms of smart contracts, implementing controls over such oracles is important. It is important to check
that an entity obtains periodic evidence about safeguards used to secure third-party oracles, if such are
used. In addition, where IoT devices are used to act on external activities as part of the oracle, additional
risks and controls should be considered.

Private blockchain Private blockchains require permission from the owner or the protocols set up by the developer to
read, write, or otherwise access the blockchain. It is possible, but unusual, for a private blockchain to be

Public (permissionless) blockchain Permissionless blockchains do not require permission to read or otherwise access the blockchain. They do
have specific rules on who can write, also known as consensus. It is possible for a public blockchain to be

Private and public keys Blockchains use public and private keys (see following figure) for the authorization of the movement
    of digital assets from one blockchain address to another. Although common in security and especially
    encryption,28 the use of such keys has not been part of daily business activities. Digital asset transfers are
    authorized using the private key, and managing these keys is a new and critical responsibility in blockchain
    environments. Much like multiple written signatures being required for banking transactions, multiple keys
    may be required for digital asset transactions (multisignature or multisig). And much like people
    counterfeiting someone else’s signature, someone with access to someone else’s keys can act without the
    key owner’s permission.
    As seen in the following figure, a large random number is used to seed standardized mathematical
    algorithms to create a private key (kept secret, but used to authorize the movement of digital assets from
    a specific blockchain address). Further algorithms create the public key and, from the public key, the
    blockchain address, the tracking number for digital asset balances. It is very easy to determine the address
    from the seed and the key. It is, however, practically impossible to go the other way – from address to
    public key, public key to private key, or private key to seed.

[Figure: Cryptographic seed (random information used to create key pairs) → “Math happens here!” → Private key (a number derived from the seed; kept secret) → Public key (a number derived from the private key) → Public blockchain address (a number derived from the public key; Bitcoin, Ethereum, etc.).]
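The derivation chain in the figure, worked in code. This is an added example written for this edition, not COSO’s or any blockchain project’s code. The curve arithmetic is real secp256k1 (the curve Bitcoin and Ethereum use), so the “practically impossible to go the other way” property is the genuine discrete-logarithm problem; the seed-to-key rule, the address rule (20 bytes of SHA-256 rather than Bitcoin’s RIPEMD-160 or Ethereum’s Keccak-256) and the signing nonce (not RFC 6979) are simplified assumptions. The block also shows the multisignature check the text mentions, with the control that a single compromised key signing twice does not satisfy a 2-of-3 policy.

```python
"""Seed -> private key -> public key -> address, then signing and an m-of-n check.

Illustrative code added for this edition, not COSO's. Curve arithmetic is real
secp256k1; seed derivation, address rule and signing nonce are simplified
assumptions (Bitcoin/Ethereum use RIPEMD-160/Keccak-256 addresses and RFC 6979).
"""
import hashlib

# secp256k1 domain parameters (real constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, point):
    """Double-and-add scalar multiplication: the "math happens here" one-way step."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def private_key_from_seed(seed: bytes) -> int:
    """Assumed derivation: hash the random seed into a scalar in [1, N-1]."""
    return int.from_bytes(hashlib.sha256(seed).digest(), "big") % (N - 1) + 1


def public_key(priv: int):
    """Public key = priv * G; recovering priv from it is the discrete-log problem."""
    return _mul(priv, G)


def address(pub) -> str:
    """Assumed address rule: first 20 bytes of SHA-256 over the compressed public key."""
    x, y = pub
    compressed = bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    return hashlib.sha256(compressed).digest()[:20].hex()


def sign(priv: int, message: bytes):
    """ECDSA over SHA-256; nonce k derived from key and message (assumption, not RFC 6979)."""
    z = int.from_bytes(hashlib.sha256(message).digest(), "big") % N
    k_seed = priv.to_bytes(32, "big") + message
    k = int.from_bytes(hashlib.sha256(k_seed).digest(), "big") % (N - 1) + 1
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r, s


def verify(pub, message: bytes, sig) -> bool:
    """Standard ECDSA verification; anyone holding the public key can run it."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(message).digest(), "big") % N
    w = pow(s, -1, N)
    point = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return point is not None and point[0] % N == r


def multisig_ok(authorized_pubs, message: bytes, sigs, threshold: int) -> bool:
    """m-of-n approval: count distinct authorized keys that produced a valid signature.

    A key that signs twice still counts once, so two signatures from one
    stolen key cannot satisfy a 2-of-3 policy.
    """
    signers = {pub for pub in authorized_pubs if any(verify(pub, message, s) for s in sigs)}
    return len(signers) >= threshold


if __name__ == "__main__":
    priv = private_key_from_seed(b"constructed seed, never reuse")
    pub = public_key(priv)
    print("private key:", hex(priv))
    print("public key x:", hex(pub[0]))
    print("address:", address(pub))
    msg = b"transfer 5 units to B"
    print("verifies:", verify(pub, msg, sign(priv, msg)))
```

Each arrow in the figure is one function call above, and each is cheap to run forward; the only way to go backward from an address or public key is to search the key space, which is why custody of the private key (and of the seed that produced it) is the control that matters.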


    Rollback A chain rollback is similar to copying over an existing database with an older version of that database due to
    data corruption or other problems. When a situation arises where there is sufficient support to “undo” later
    transactions, the chain is restored to a prior state, and a process of rewriting the necessary transactions after
    that point is conducted.

    In the following figure, a series of transactions after block 125,998 are invalidated/removed, resulting in a
    rollback. With public blockchains like Bitcoin, this is not a simple process and has severe repercussions given
    blockchain’s reputation as immutable. Where there is more centralized control, this could be easier to
    accomplish, although such an action would be obvious to observers.

[Figure: Original chain, blocks 1, 2, …; a problem occurs with a transaction in block 125,998 but isn’t caught until much later; the original chain is recreated from the point at which the problem occurred (which is the point at which the chain is rolled back to).]
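The Hash, Immutability, Forks and Rollback entries above describe one mechanism from four angles; the following added example (written for this edition, not COSO’s code) puts them in one append-only hash chain. The block layout, the JSON serialisation and the rollback rule are assumptions, and there is no consensus protocol, so “sufficient support to undo” is simply whoever calls rollback(). It shows why editing an old block is detectable, how a fork shares history up to a point, and that a rollback discards and rewrites everything after the chosen block.

```python
"""Append-only hash chain: tamper detection, a fork and a rollback.

Illustrative code added for this edition (not COSO's). Block layout, JSON
serialisation and the rollback rule are assumptions; no consensus protocol.
"""
import hashlib
import json

GENESIS_PREV = "0" * 64


def block_hash(block: dict) -> str:
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append(chain: list, txs: list) -> dict:
    """Append a block whose `prev` field is the hash of the block before it."""
    prev = chain[-1]["hash"] if chain else GENESIS_PREV
    block = {"height": len(chain), "prev": prev, "txs": txs}
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def first_invalid_block(chain: list):
    """Height of the first block whose own hash or backward link is wrong, else None.

    Editing a block changes its hash, so the next block's `prev` no longer
    matches. That is why an old record cannot be quietly altered and why a
    correction has to be appended as an adjustment instead.
    """
    for i, block in enumerate(chain):
        expected_prev = chain[i - 1]["hash"] if i else GENESIS_PREV
        if block["prev"] != expected_prev or block["hash"] != block_hash(block):
            return i
    return None


def fork(chain: list, at_height: int) -> list:
    """A fork shares every block up to `at_height` and then grows independently."""
    return [dict(b) for b in chain[: at_height + 1]]


def rollback(chain: list, to_height: int, replacement_txs: list):
    """Restore the chain to `to_height`, then rewrite the later history.

    Returns (new_chain, discarded_blocks) so the undone blocks stay visible,
    matching the text's point that such an action is obvious to observers.
    """
    new_chain = fork(chain, to_height)
    discarded = chain[to_height + 1:]
    for txs in replacement_txs:
        append(new_chain, txs)
    return new_chain, discarded


def sample_chain() -> list:
    """Three blocks of constructed transactions."""
    chain = []
    append(chain, [{"from": "A", "to": "B", "amount": 5}])
    append(chain, [{"from": "B", "to": "C", "amount": 2}])
    append(chain, [{"from": "C", "to": "A", "amount": 1}])
    return chain


if __name__ == "__main__":
    chain = sample_chain()
    print("valid:", first_invalid_block(chain) is None)
    chain[1] = dict(chain[1], txs=[{"from": "B", "to": "C", "amount": 200}])
    print("first invalid block after editing block 1:", first_invalid_block(chain))
```

Note what the integrity check does and does not give you: it proves that the records have not been altered since they were written, which is the record-integrity promise in the Immutability entry, and nothing about whether the transactions in them were lawful or correctly classified.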

    . . . . . . . . .

    28 Encryption is a two-way process where information is altered in a way that only those with appropriate knowledge or tools can re-create the original message. It is used to
    deny intelligible content to an unauthorized interceptor.


Table 7. Key Concepts Associated with Blockchain (cont.)
Concept Explanation

Smart contracts Smart contracts in blockchain are computer programs stored on a blockchain that “self-execute” and
where the outcome of any execution of the program is recorded on that blockchain. Although not limited
or designed specifically to act like a legal contract, these programs can drive the recording of a transaction
or the exchange of a digital asset automatically given the necessary input. When conditions are met, either
from transactions occurring naturally on the blockchain or by transactions written by external sources, called
oracles, the smart contract will create transactions autonomously.

[Figure: Oracle writes a record; smart contract acts; oracle writes again; smart contract acts again. Here, both times the oracle writes, the smart contract follows up with a transaction.]
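The Oracle entry says controls over oracle input matter because the contract acts on whatever is written; the Smart contracts entry and the figure show the contract following up each oracle write with a transaction. The following added example (written for this edition, not COSO’s code) models footnote 16: an IoT sensor in a shipping container reports temperature, and a breach triggers an insurance claim. The control is that the contract only acts on records carrying a valid HMAC under the authorised oracle key; a forged record and a genuine record altered after the fact are both rejected. The key, record format, threshold and sample readings are constructed assumptions; a real deployment would use per-device keys or signatures and attest the device itself.

```python
"""Oracle-fed smart contract with a control over the oracle input.

Illustrative code added for this edition (not COSO's). Key, record format,
threshold and the sample feed are constructed for the example.
"""
import hashlib
import hmac
import json

ORACLE_KEY = b"constructed-oracle-key"   # secret provisioned to the authorised oracle only
MAX_TEMP_C = 8.0                        # contractual limit for the shipment (assumed)


def oracle_record(reading: dict, key: bytes = ORACLE_KEY) -> dict:
    """What the oracle writes: the reading plus a MAC binding it to the oracle key."""
    body = json.dumps(reading, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"type": "oracle", "body": body, "mac": mac}


def authentic(record: dict, key: bytes = ORACLE_KEY) -> bool:
    """The control: recompute the MAC over the stored body and compare in constant time."""
    expected = hmac.new(key, record["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("mac", ""))


def smart_contract(ledger: list, record: dict) -> list:
    """Runs on every write. Records the input, then appends either a claim or a rejection."""
    ledger.append(record)
    if record.get("type") != "oracle" or not authentic(record):
        ledger.append({"type": "rejected", "reason": "unauthenticated oracle record"})
        return ledger
    reading = json.loads(record["body"])
    if reading["temp_c"] > MAX_TEMP_C:
        ledger.append({"type": "claim", "container": reading["container"],
                       "temp_c": reading["temp_c"], "limit_c": MAX_TEMP_C})
    return ledger


def process_feed(records: list) -> list:
    """Replay a feed of oracle writes through the contract and return the ledger."""
    ledger = []
    for record in records:
        smart_contract(ledger, record)
    return ledger


def entries(ledger: list, kind: str) -> list:
    return [e for e in ledger if e["type"] == kind]


# Constructed feed: two genuine readings (one breach), one record forged with the
# wrong key, and one genuine record whose body was altered after it was written.
forged = oracle_record({"container": "C-1", "temp_c": 30.0}, key=b"attacker-key")
altered = oracle_record({"container": "C-1", "temp_c": 4.0})
altered["body"] = altered["body"].replace("4.0", "40.0")
SAMPLE_FEED = [
    oracle_record({"container": "C-1", "temp_c": 4.0}),
    oracle_record({"container": "C-1", "temp_c": 12.5}),
    forged,
    altered,
]

if __name__ == "__main__":
    ledger = process_feed(SAMPLE_FEED)
    print("claims:", entries(ledger, "claim"))
    print("rejected:", len(entries(ledger, "rejected")))
```

Without the authentic() check, the forged 30.0 °C record would produce a second, fraudulent claim: the contract executes exactly as programmed, so the reliability of what it does is bounded by the reliability of what its oracle writes, which is the point the text makes about outsourced data entering the blockchain.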



    Tokens Tokens are a type of digital asset, which can be new digital assets on their own, represent intangible assets
    (such as voting rights), or work as a digital proxy to physical assets.

    Wallet Wallets are used to manage keys. A cold wallet is not connected to the Internet. A hot wallet is connected to
    the Internet.


    The 10 things organizations should know about blockchain
    include the following:

    1 Information about blockchain in the news and on the
    Internet is often misleading or incorrect.

    In gaining an understanding of blockchain refer to
    reliable sources. Be aware there is not one blockchain
    (i.e., “the Blockchain”) and use of a blockchain will
    not instantly and magically link every organization
    together in commerce in a fully trustworthy, self-auditing
    environment, where the encrypted data within will open
    to only the right people at the right time. In fact, there are
    many blockchains, most of which do not easily speak to
    each other, many things that can go wrong, and much of
    the information needed is not on the blockchain itself.

    2 Blockchain encompasses far more than digital assets;
    the benefits it can bring to an organization can be

    Blockchain technology goes beyond digital assets and
    use cases are broad across industries. Blockchain
    became best known for Bitcoin, but the use cases are
    much wider now (e.g., supply chains, finance, insurance,
    and other areas). As the global economy moves toward
    digital assets, blockchain technology may affect
    everything from the products and services organizations
provide and how they provide them, to the way entities
manage internal record-keeping and data management
    systems and handle the processing of transactions.

    3 Blockchain is not magic; it comes at a cost and doesn’t
    eliminate all risks. In fact, it introduces new risks.

    Blockchain does not address all risks by replacing
    all functions of an ERP system nor does it ensure
    compliance with all rules and requirements. In fact,
    with blockchain come new risks to consider for new
    asset classes and processes. When participating in
    a blockchain, each participant should understand the
    responsibilities, operating and governance models,
    transaction rules, security protocols, incentives,
    penalties, and processes for joining and leaving the
    consortium, if applicable.

    4 Knowing how blockchain technology works is crucial
    for evaluating, preparing for, and managing blockchain’s
    impact on internal control and the organization as
    a whole.

    Blockchain will create significant benefits for the right
    use cases, such as increasing efficiency and reducing
    human error. Generally, blockchain is most worth
    considering when:

    • There are multiple parties and intermediaries to a
    process, all recording the same information


    • There is a reconciliation-heavy process for managing
    the business and its relationships

    • There is substantial manual data entry and tracking

    • Stakeholders require different aggregations of reports
    and frequent ad hoc reporting

    5 Blockchain has both technology and governance

    New blockchain controls will inherently have a heavy
    technology focus. It is also important, however, to
    consider issues such as governance, document and
    data retention, privacy laws, competitive advantage,
    reputation, accountability, and information visibility.

    6 Blockchain will not make management, accountants, or
    auditors less relevant, although it will impact what they
    do and how they do it.

    Blockchain is not currently capable of judgments,
    interpretation, valuations, accrual accounting,
    tracking commitments and contingencies, or providing
    assurance. Further, blockchain will change how
    financial transactions are recorded and analyzed,
    how reconciliations are performed, and how auditors
    obtain evidence. The use of blockchain may increase
    the demand for service auditor reports on the controls
    around the technology (See sidebar on page 5).
    Understanding and monitoring the evolving accounting
    and financial reporting rules is important.

    7 Blockchain requires new skill sets (e.g., data science
    for greater hindsight, insight, and foresight) and new
    collaboration within and across organizations.

Blockchain will create a demand for different skill sets
with expertise in the technology (and its ramifications)
to develop, implement, and monitor the blockchain.
    Blockchain education and upskilling will be critical.
    New collaborative skills and blending of management,
    technical, and legal skills – both within and across
    organizations – will be necessary.

    8 Now is the time to educate and engage stakeholders
    throughout the organization.

    Early engagement throughout the organization will be
    important to consider the potential blockchain use cases,
    skill sets and training needed, performance requirements,
    scalability, integration with present systems, implications
    on evidence used to support the books and records, and
    resource needs. Creating both a short-term and long-
    term plan may be needed.

    9 Blockchain is still in flux and continues to evolve.
Some analysts say any solution implemented today
will have to be redone in a few years.29 However, once
    the industry or regulatory environment clarifies the
    needed functionalities of blockchains, digital assets, and
    programming languages, there will be increased stability.

    Academics, collaborating with practitioners, could be
    indispensable in advancing thought leadership, as well
    as helping cope with real world practical challenges and
    proposing solutions.

    10 Adoption of blockchain may not be a choice.
Blockchain will likely have an impact on all organizations
through direct investments in digital assets, indirect
    investments in digital assets, creation of their own
    permissioned blockchain, participation in an external
    permissioned blockchain, or other activities. There may
    be a pull for implementation from customers, suppliers,
    partners, and the government.

    29 Gartner has suggested that 90% of 2019’s blockchain implementations will require replacement by 2021.

    coso.org

    Blockchain and Internal Control: The COSO Perspective | 27


    Management implicitly or explicitly makes assertions regarding the recognition, measurement, and presentation of
    information in the financial statements and related disclosures. The work of the auditor is to obtain sufficient
    appropriate audit evidence to support their opinion. Audit evidence comprises both information that supports and
    corroborates management’s assertions, and information that potentially contradicts such assertions.

    The following table highlights ways in which blockchain may present challenges with respect to how companies provide
    sufficient and appropriate audit evidence to support management’s assertions surrounding assets or transactions stored
    on a blockchain. [30]

    30 Eric Cohen, “Will Blockchain Make Auditors Obsolete?”, ThinkTWENTY20, Spring 2019, accessed June 16, 2020.

    31 Fair Value Measurement (Topic 820).

    Table 8. Management’s Assertions and Blockchain

    Valuation
    Most use of blockchain is to track a quantity of something (such as a digital asset balance), but the value
    of the item being tracked is not necessarily maintained in the blockchain. In addition, the determination of
    the value of digital assets may prove difficult in the event that there is little or no observable market data
    to support the value of these assets or large variations in market data (e.g., Level 3 assets, most illiquid and
    hardest to value, per ASC Topic 820 [31]).

    Existence
    Often, the existence of digital assets is solely dependent on the evidence that can be obtained from a
    blockchain. Although blockchain has been developed to reduce tampering within transaction processing
    and recording, this does not, by itself, render the information stored on the distributed ledger fully reliable.
    The reliability of the information obtained from the blockchain is heavily dependent on the effectiveness
    of the underlying technology and relevant controls implemented to support the system. Therefore, solely
    providing information from a blockchain may not be deemed sufficient appropriate evidence to validate
    the existence of an asset. In many cases, additional procedures are warranted (e.g., test of internal controls
    related to the blockchain and security of the private keys to the digital assets).

    Allocation
    Blockchain information – such as blockchain-based tracking of shares, voting rights, or other relationships –
    can be used to support allocation calculations. However, additional procedures may be needed to support the
    reliability of information obtained from the blockchain to support such allocation calculations.

    Occurrence
    As with existence, information obtained from the blockchain may not, by itself, support the occurrence
    assertion. Additional procedures may be necessary to prove the reliability of information stored on the
    blockchain and hence the occurrence of a transaction. Furthermore, the pseudo-anonymous nature of
    transactions on the blockchain could provide users with the opportunity to engage in fictitious transactions
    or transactions with related parties that have no economic substance, thereby inflating revenues.

    Completeness
    Where a blockchain is the only record of transactions, it can serve as a complete record; however, the
    completeness of transactions stored on the blockchain will be dependent on the reliability of the blockchain
    technology as well as the controls implemented by the entity to ensure its books and records are
    appropriately capturing all transactions. Further, where information is recorded in whole or part in another
    system, blockchain does not support completeness. Controls would have to be in place to ensure that all
    activity, on-chain or off, and all detail, on-chain or off, is available and completely recorded.

    Classification
    The classification of a digital asset may prove difficult, because accounting guidance and precedent
    surrounding this topic is still evolving. Furthermore, companies will need to objectively evaluate the purpose
    and use of the asset in order to determine the appropriate classification of such assets.

    Understandability
    Blockchain does not take into account the need for any reporting or summarization of the information in
    an understandable fashion and does not have a function to do so. Management will need to determine
    what data from the blockchain will be useful to support the development of its financial statements and
    an appropriate method for obtaining and summarizing such data. Similar to the classification assertion,
    accounting guidance and precedent surrounding this topic is still evolving and due care should be taken in
    determining the presentation of digital assets within an entity’s financial statements.

    Accuracy
    Serving as the record for digital assets, blockchain stores the history of all transactions and balances. It
    does not mean that information within the blockchain is accurate, only that records keep their integrity.

    Presentation
    See considerations surrounding understandability.

    Cutoff
    As a complete record of all related transactions, where records or blocks are time-stamped as they are
    written to the blockchain, there are capabilities to assess cutoff of recording dates. However, there is
    no inherent capability for accounting recognition dating, or concepts of accruals, prepaids, or matching
    expenses with revenues.

    Rights and Obligations
    Generally, there are no written title agreements associated with digital assets to support the rights and
    obligations assertions. Although procedures such as signed messaging may be used to demonstrate
    control over a private key (and hence rights to an asset), operational limitations may not allow for these
    procedures to be completed. Furthermore, these procedures may depend on the reliability of the
    underlying blockchain technology, thereby warranting the performance of additional procedures (e.g., test
    of internal controls). Finally, although signed messaging procedures may demonstrate control over the
    private key, there is still the risk that the private key may not be solely controlled by the organization (i.e.
    other parties may have access to the private key and hence control or ownership of the associated assets).
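The signed messaging procedure referred to under Existence and Rights and Obligations, as an added example that is not part of the COSO paper: the auditor issues a challenge carrying a fresh nonce and timestamp, the holder signs it with the private key behind the recorded address, and the auditor checks that the signing key maps to that address, that the challenge is recent, and that the signature verifies. The challenge format, the address derivation and the names (Challenge, SignChallenge, VerifyControl) are constructed for this illustration and do not follow any particular chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Challenge is the auditor-issued text the holder must sign. The nonce and
// timestamp bind the signature to this request, so an older one cannot be replayed.
type Challenge struct {
	Auditor  string
	Nonce    string    // hex, drawn by the auditor
	IssuedAt time.Time // auditor's clock, not the holder's
}

// digest hashes the exact bytes both sides agree to sign (constructed format).
func digest(c Challenge) []byte {
	msg := fmt.Sprintf("proof-of-control|auditor=%s|nonce=%s|issued=%s",
		c.Auditor, c.Nonce, c.IssuedAt.UTC().Format(time.RFC3339))
	h := sha256.Sum256([]byte(msg))
	return h[:]
}

// AddressOf derives an illustrative account identifier (sha256 over the raw X||Y
// coordinates). Real chains use their own formats; this is a constructed convention.
func AddressOf(pub *ecdsa.PublicKey) string {
	n := (pub.Curve.Params().BitSize + 7) / 8
	raw := append(pub.X.FillBytes(make([]byte, n)), pub.Y.FillBytes(make([]byte, n))...)
	sum := sha256.Sum256(raw)
	return hex.EncodeToString(sum[:])
}

// SignChallenge is the holder's side: sign with the key controlling the
// address recorded in the books and records.
func SignChallenge(priv *ecdsa.PrivateKey, c Challenge) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(c))
}

// VerifyControl is the auditor's side. A pass evidences control of the key
// now; it does not show that no other party also holds a copy of it.
func VerifyControl(claimedAddr string, pub *ecdsa.PublicKey, c Challenge, sig []byte, now time.Time, maxAge time.Duration) error {
	if AddressOf(pub) != claimedAddr {
		return errors.New("signing key does not match the recorded address")
	}
	if age := now.Sub(c.IssuedAt); age < 0 || age > maxAge {
		return errors.New("challenge is stale or post-dated")
	}
	if !ecdsa.VerifyASN1(pub, digest(c), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	c := Challenge{Auditor: "example-auditor", Nonce: "0a1b2c3d", IssuedAt: time.Now()}
	sig, _ := SignChallenge(priv, c)
	fmt.Println("proof of control:", VerifyControl(AddressOf(&priv.PublicKey), &priv.PublicKey, c, sig, time.Now(), time.Minute))
}
```

A passing check is point-in-time evidence of control only; the test-of-controls and key-custody procedures the table calls for remain necessary to address shared or duplicated keys.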



    This paper has been written to complement the many helpful documents and other resources provided by the sponsoring
    organizations and other related stakeholders. Examples of those documents relevant to this discussion include:

    Frans Roozen, Ph.D.; Bert Steens, Ph.D.; and Louis Spoor, “Technology: Transforming the Finance Function and the
    Competencies Management Accountants Need,” Management Accounting Quarterly, Fall 2019.

    Reina G. Wiatt, CMA, CPA, “From the Mainframe To the Blockchain,” Strategic Finance, January 2019.

    Natalia Maslova, CMA, CTP, PMP, “Blockchain: Disruption and Opportunity,” Strategic Finance, July 2018.

    Other relevant sources

    ACCA Global: Divided We Fall, Distributed We Stand

    ICAEW: Blockchain and the Future of Accountancy



    Jennifer Burns, Partner, Deloitte & Touche LLP

    Jennifer is a Partner in the National Office of Deloitte & Touche LLP and has over twenty-five
    years of experience in regulatory, standard-setting, and quality matters impacting
    the performance of audits. She currently leads Deloitte’s National Office efforts related
    to emerging areas of assurance services (including in the areas of artificial intelligence,
    blockchain, sustainability and other third-party assessments) and consults with
    engagement teams regarding the appropriate application of professional standards.
    She also engages regularly with audit committees and clients regarding regulatory
    developments impacting the profession.

    Jennifer is a member of the AICPA’s Assurance Services Executive Committee, driving
    its mission to help the profession meet evolving market needs. She interacts with other
    standard-setting and regulatory entities including the PCAOB, SEC, IAASB, and COSO,
    representing the views of the firm. Jennifer also served on the task forces advising
    COSO in its development of its Internal Control over Financial Reporting Small Business
    Guidance (2006), Guidance on Monitoring Internal Control Systems (2009), and COSO’s
    Internal Control – Integrated Framework (2013).

    Previously, Jennifer was a Professional Accounting Fellow at the U.S. Securities and
    Exchange Commission in the Office of the Chief Accountant, where she was involved in
    the oversight of the development of professional standards and the implementation of
    requirements related to the Sarbanes-Oxley Act.

    Jennifer is a CPA, licensed in Washington, D.C., California, and Nevada, a member of the
    AICPA, and graduated cum laude from Claremont McKenna College in Claremont, California.

    Amy Steele, Partner, Deloitte & Touche LLP

    Amy is a Partner in the National Office of Deloitte & Touche LLP and leads audits of public
    and private companies in the Technology and Media industries. Amy has deep experience
    in regulatory, standard-setting, and audit quality, and leads strategies to enhance quality,
    and innovate and transform audits across Deloitte’s global organization. Amy is Deloitte’s
    U.S. and Global audit methodology leader for blockchain and digital assets. Amy is also
    the lead partner for Deloitte’s emerging assurance services – focused on the expanded
    role of the audit professional and the impact of technology in audits. Additionally, Amy
    leads Deloitte’s audit methodology for revenue and consults with engagement teams
    on complex applications of auditing standards. In these roles, Amy engages often with
    regulatory agencies and profession-wide bodies.

    Amy chairs the AICPA Digital Assets Working Group, leading the profession in developing
    auditing and accounting guidance for digital assets. Amy also serves on the Center for
    Audit Quality Emerging Technologies Task Force and Cybersecurity Task Force. Amy
    is an active thought leader in the business community, is sought out for her views on
    issues impacting financial reporting and the audit profession and communicates to broad
    audiences and regulators on technical topics.

    Previously, Amy served as Associate Chief Accountant in the Office of the Chief
    Accountant of the SEC where she had a unique opportunity to support the Office of the
    Chief Accountant in its role as the principal advisor to the Commissioners on profession-wide
    auditing matters and oversight of the PCAOB. Additionally, in this role, Amy
    consulted on technical audit and internal control matters with auditors and various SEC
    offices and divisions and was the SEC’s official observer to COSO during the development
    of COSO’s Internal Control – Integrated Framework (2013).

    Amy graduated magna cum laude from the University of Washington and with honors from the
    Master of Professional Accounting program at the University of Washington. She is a member of the
    AICPA and holds her CPA license in Washington and Connecticut.


    Eric E. Cohen

    Eric Cohen is the proprietor of Cohen Computer Consulting, a consultancy focused
    on emerging accounting and audit technologies, including audit data standards,
    blockchain, continuous audit, sustainability/corporate responsibility, and XBRL. He is
    a co-founder of the Extensible Business Reporting Language (XBRL) movement and
    “inventor” of XBRL’s Global Ledger Taxonomy Framework (XBRL GL). As an ambassador
    of XBRL, he has worked in cooperation with virtually every other standards effort
    attempting to standardize accounting and audit data, and a long cooperation with
    UN/CEFACT led to his assuming the role of UN/CEFACT Domain Coordinator for the
    Accounting and Audit Domain.

    Mr. Cohen is a prolific author and willing speaker, teacher and trainer, having written or
    contributed to numerous books (including Guide to Customizing Accounting Software
    (CTS) and Accountant’s Guide to the Internet (John Wiley)), as well as hundreds of articles
    for the business, professional and academic press. He enjoys a long partnership with
    the academic community, cooperating with many professors in research and curriculum
    building on XBRL, continuous audit, and related areas of interest.

    It was this collaboration that led to his work in blockchain and distributed ledger
    technologies; he serves as a national expert to ISO/TC 307 Blockchain and Distributed
    Ledger Technologies, where he focuses on standards development around governance,
    interoperability, and audit guidance. Mr. Cohen is a member of the NYSSCPA Digital
    Assets Committee and was the Chair of the 2019 NYSSCPA/FAE Digital Assets Conference.

    Dr. Sridhar Ramamoorti

    Dr. Sridhar Ramamoorti, ACA, CPA/CITP/CFF/CGMA, CIA, CFE, CFSA, CGAP, CGFM, CRMA,
    CRP, MAFF, is an Associate Professor of Accounting at the University of Dayton, Ohio. To
    remain engaged with practice issues, he is affiliated as a principal with two consulting
    firms, Quetzal GRC LLC that offers risk advisory services, and the Behavioral Forensics
    Group LLC that provides fraud risk mitigation, detection, and investigation services.
    Previously, he was an Associate Professor of Accounting and a Director of the Corporate
    Governance Center, Michael J. Coles College of Business, Kennesaw State University in
    Kennesaw, Georgia.

    Dr. Ramamoorti has a unique, blended academic-practitioner background with over 35
    years of experience in academia, auditing, and consulting. After finishing his Ph.D. from
    The Ohio State University, he initially served on the accountancy faculty of the University
    of Illinois. Subsequently, he progressed successively as a principal with Andersen’s
    Professional Standards Group, National SOX Advisor for EY, and corporate governance
    partner with Grant Thornton, all in Chicago, Illinois. He briefly led the governance, risk,
    and compliance (GRC) professional services practice of Infogix, Inc. in Naperville, Illinois,
    prior to re-entering academia.

    Dr. Ramamoorti was a member of the authoring/development teams of the 2009 COSO
    Guidance on Monitoring Internal Control Systems, 2010 ISACA guidance on Monitoring
    Internal Control Systems and IT, The Audit Committee Handbook (5th ed., Wiley, 2010),
    Internal Auditing: Assurance and Advisory Services (IIA, 2017, 4th ed), and A.B.C.’s of
    Behavioral Forensics (Wiley, 2013) on the psychology of fraud that has been presented
    to the FBI Academy and at several Conferences. He has published over 60 papers and
    articles in academic and professional journals and serves on numerous editorial boards.

    Active in the profession, he is a member of all five sponsoring organizations of COSO and
    has served as a Trustee for the IIA and FEI Research Foundations. He is a former member
    of the Standing Advisory Group of the Public Company Accounting Oversight Board
    (PCAOB). Over the past two decades, Dr. Ramamoorti has been a speaker in 16 countries.



    Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”),
    its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and
    independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients.

    Please see for a detailed description of DTTL and its member firms. Please see
    for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available
    to attest clients under the rules and regulations of public accounting.

    This publication contains general information only and none of COSO, any of its constituent organizations or any of the
    authors of this publication is, by means of this publication, rendering accounting, business, financial, investment, legal, tax or
    other professional advice or services. Information contained herein is not a substitute for such professional advice or services,
    nor should it be used as a basis for any decision or action that may affect your business. Views, opinions or interpretations
    expressed herein may differ from those of relevant regulators, self-regulatory organizations or other authorities and may
    reflect laws, regulations or practices that are subject to change over time. Evaluation of the information contained herein is
    the sole responsibility of the user. Before making any decision or taking any action that may affect your business with respect
    to the matters described herein, you should consult with relevant qualified professional advisors. COSO, its constituent
    organizations and the authors expressly disclaim any liability for any error, omission or inaccuracy contained herein or
    any loss sustained by any person who relies on this publication.


    Originally formed in 1985, COSO is a joint initiative of five private sector organizations and is dedicated to providing thought
    leadership through the development of frameworks and guidance on enterprise risk management (ERM), internal control,
    and fraud deterrence. COSO’s supporting organizations are the American Accounting Association (AAA), the American
    Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), the Institute of Management
    Accountants (IMA), and the Institute of Internal Auditors (IIA).

    Committee of Sponsoring Organizations of the Treadway Commission
    coso.org
    Governance and Internal Control

    Blockchain and Internal Control: The COSO Perspective