Managing the Risks of Emerging Technologies
“Without proper application of professional skepticism, the effectiveness of audit procedures is diminished. As a result, the sufficiency and appropriateness of audit evidence obtained is negatively impacted.”
The Importance of Professional Skepticism in an Audit
New technologies can pose a challenge to exercising skepticism that may be easily overlooked. The very fact that emerging technologies are greeted with great fanfare and anticipation reinforces the importance of striving to maintain skepticism in considering the information these technologies deliver. A Center for Audit Quality report offers guidelines for external auditors that can also be adopted by boards and management:
- Gain a holistic understanding of changes in the industry and the information technology environment to effectively evaluate management’s process for initiating, processing, and recording transactions and then design appropriate auditing procedures.
- Consider risks resulting from the implementation of new technologies and how those risks may differ from those that arise from more traditional, legacy systems.
- Consider whether specialized skills are necessary to determine the impact of new technologies and to assist in the risk assessment and understanding of the design, implementation, and operating effectiveness of controls.
The risks emerging technologies present may include the following:
- Incorrect processing of data or processing of incomplete or inaccurate data.
- Unauthorized access to and manipulation or destruction of data, master files, and information systems.
- Failure to make required changes to data.
- Insufficient segregation of duties among information technology personnel.
- Risks associated with third-party service providers.
- Lack of response to cybersecurity and other information security risks.
It is important to maintain sufficient professional skepticism when reviewing management’s risk assessment for new systems. Management should also perform due diligence and critically assess the risks of new technology systems. Those in the financial reporting supply chain should be ready to question the inputs, outputs, and configurations of systems to obtain assurance about their reliability and effectiveness. That includes questioning which data are included and whether the logic of the algorithms is independently tested and challenged to consider the various possible outcomes.
While technology is a powerful tool, it cannot replace the professional’s knowledge, judgment, and exercise of skepticism.
Skepticism in Practice September 2020
AFC – Anti Fraud Collaboration