Technology has transformed the way that businesses operate. The auditing profession is no exception. The SEC's recently released statistics for fiscal year 2016 showed that it filed 868 enforcement actions exposing financial reporting-related misconduct by companies and their executives, registrants, and gatekeepers. This is a single-year high, and many have attributed the results to the SEC's increasing use of data analytics. In addition, a recent Pew Research study released by the AICPA showed that CPAs are among the highest regarded business professionals, but auditors fare much poorer in the public's mind. Many have remarked upon the “expectations gap” between what the public expects from auditors and what they are engaged to perform. The continuing incidence of audit failures means that the spotlight remains on the profession. In light of this disconnect, as well as the increasing pervasiveness of technology, the time is ripe to examine the state of the auditing profession. Has the 85-year experiment of auditing public companies been a success? Has the profession met the expectations of the user community? How will technology transform the practice of auditing? What skills will future auditors need, and how will tomorrow's auditors be trained, selected, and prepared for the profession?
Assessing the Past
Anthony Sarmiento for The CPA Journal:
It's been roughly 85 years since the grant of monopoly of the audit to the CPA profession, and we'll start with the question: How is the profession doing?
I certainly believe that we're better off with an independent attestation function in the United States than without. I think that we saw prior to the issuance and the adoption of the Securities Acts back in the 1930s that investors were significantly harmed as a result of false, incorrect, and fraudulent financial information. I think the creation of a stronger, more independent profession has been a good thing.
On the other hand, we have since then had some fairly significant audit failures, recently, of course, resulting in the Sarbanes-Oxley act of 2002. I think that says that there is a need for the auditing profession to continue to try to more consistently provide that high level of independent service.
I think it's been an incredible century: what we've been seeing in the profession, how much it has evolved, and the complexity of our markets today. It's a lot more challenging than in the 1930s. The marketplace is more demanding, and more pressures are being placed on auditors to tackle difficult and complex transactions at a rapid pace. It's one of the most difficult professions to be in, where you're protecting the public interest, complying with the rules set by regulators and standards setters, and yet running a business. How do you efficiently operate in that model?
Getting consistent audit quality is the key. But how do you get there? Those are the challenges I think we're facing—audit quality is not consistent across the board, from small organizations all the way up to Fortune 500 companies.
There are some auditors that are doing an amazing job, that get it right at the grassroots level; they understand how to get a quality audit and be efficient at the same time, protect the investment community, service their clients, and have transparent reporting. But what we're seeing, whether it's here in the United States or on a global level, is that it's not a consistent issue. There's a lot of work that needs to be done.
I think that, for all the bad news and press that's out there, more people in our profession really are doing the right thing at the end of the day.
The balance you mentioned is, I think, still a significant issue. From the very beginning, there have been obvious problems and conflicts with the auditor-client relationship, with the auditor having a unique mission and responsibility to protect investors, yet needing to get and keep clients and engage in a business. You go back to the Cohen Commission in the'80s, one of the things we did was meet with the Chairman of the SEC, who said auditing used to be a profession with business overtones, and now it's a business with professional overtones—which kind of characterizes that problem.
I think the auditor-client relationship is still a huge problem. When the key decisions are made on audit scope and on financial statement presentation, there is unfortunately no representative of the investor in the room. The auditor is supposed to be that representative, but inevitably it doesn't happen, I think because of the business side—the need to keep and maintain clients.
How do you engender a viewpoint of protecting investors as the main mission and responsibility when your life as a business is over if you don't simultaneously please the client? Dealing with that balance has, if anything, become an increasing problem.
I totally agree, and it's a challenge for leadership at CPA firms to send that tone-at-the-top message saying, “Public interest comes first, our firm, and then our clients.” I think that message has to resonate.
I've seen firms that have done an amazing job doing setting the proper tone, talking about who we are as auditors and really defining the roles of auditors versus consultants. Throughout my career, I find that this message is crossed. There's an inconsistency, or the message is not being conveyed appropriately. I will certainly say that most auditors have probably not dedicated enough of their time reading the Code of Professional Conduct of the AICPA or the code of ethics of the state where they work, or, if they service public companies or broker-dealers, the SEC's independence rules in Article 2 of Regulation S-X or the PCAOB rules. All professionals should be adhering to those codes. I think if people are aware of them they can navigate those waters better, communicate those issues effectively to management, and hopefully come to the right conclusion.
I agree that we're privileged to have a unique position in that we're trusted by the public. We're entrusted with a unique opportunity to certify financial statements under the ’33 and ’34 acts. That is a privilege, and it's something we have to take very seriously. I also believe we have a long history of largely doing some very good work and being very cognizant of that role.
Having said that, I absolutely agree that the profession needs to do a better job of meeting the expectations of stake-holders. And I view stakeholders as the investors, the regulators, and everyone else that's part of the ecosystem.
Recently, I was at an International Corporate Governance Network (ICGN) conference, where we had a very closed group of investors together, and we talked about the auditing profession. It's very clear that they place a lot of confidence and value in the audit, notwithstanding sometimes it may not feel that way. They were very clear that what we do is important to them. I don't know that it's always as relevant as it could be, because some of the things we're opining on may not be as relevant to their decision making as other things. But, having said that, they place a lot of trust in us as well.
I do think the tension you're describing is real, and we have to deal with it. I believe our professionals understand their responsibility to capital markets. They don't go a day without hearing from me and our leadership team that what we do is all about public trust and protecting the capital markets. Yes, we have clients to serve, and that does create a tension, but we can't allow that to be a barrier to doing our job effectively.
I think, though, there are some challenges. Part of it is making sure we have people with the competence and the courage to make sure that they really do understand what their role is and how they should best apply it in the marketplace today. As we like to say, the clients we want to deal with are the ones that are willing to listen to us and have that argument about the facts and make sure that they get to the right place—because at the end of the day, I don't want to have a client in my portfolio that is going to the wrong place and trying to convince my people otherwise.
It's also very difficult to get 10,000 or 20,000 people at the same level of competence. So one of the things we have to do better as a profession is figure out ways to be more sustainable and consistent across our practices. We can't be in a place where the quality of our work relies upon simply who the partner is. Although the partner's a really important person, it can't just be that the partner either does a great job or doesn't. We've got to make sure that all of the quality control systems—all the processes we have around them, the tone, the culture, everything—support and consistently deliver on that. I do think we have to do a better job. I think we've been fortunate to be in this role, and we've got to continue to raise the bar.
We started by talking about the past, the present, and the future. And that progression, to me, gives us the opportunity to use hindsight to get insight, which hopefully will allow us to get foresight.
Sigmund Koch, a very famous and distinguished professor of psychology at New York University, in 1985 observed that the mark of maturity of a profession is its ability to do soul-searching. And so the fact that we are doing this kind of a panel is itself evidence that this is a profession that has that capacity, that is willing to look at itself critically.
If we are going to do the soul-searching that you referred to, Sri, I'd like to propose that that search needs to go deeper, and probably rather darker, than has been suggested. I yield to no one in my respect for the profession, its dedicated personnel, the good faith, the competence and the intentions, nor to the proposition that accounting and reporting and assurance will continue to have central and vital places in society. It's been part of our world since trade was invented and will continue to be.
The challenge for the profession today is that there is no virtuous assurance that it can or will or must be delivered in the form that it is and has been historically. As long as the question is raised by the user community, “Where were the auditors?”—which is the point at which the challenge to the trustworthiness really kicks in—until that question is deeply wrestled with, we're not getting there.
With respect to the work that's been done over the last dozen years post–Sarbanes-Oxley, or the years since the Cohen Commission, or the years since 1933 and 1934—which, I'm prepared to argue, was probably the high point of the profession's relationship with regulators and the user community, and it's been nothing but downhill since then—the profession is caught in that proposition that, “When I do good, no one remembers, and when I do bad, no one forgets.”
The challenges to the profession that would threaten the legitimacy of its franchise come most acutely into focus with those situations in which the answer to that question is the most grievous. The continuing eruption of those since 2002 and the passage of Sarbanes-Oxley challenges whether the profession has really moved the meter in its improvement or not.
The profession lacks the ability to measure how well it's doing. There are no metrics that are acceptable and credible to the user community, which wouldn't know a good audit from a bad audit. They get a pass/fail report, in commodity language. Nothing is communicated there that's been of value to the user community for 35 years. A piece of paper that says, in effect, “Most of the time, as far as we can tell, these numbers are okay, pretty much,” is only satisfactory up to the point that it's not satisfactory anymore.
We don't have to go back to 2007, 2008. Look what's on the table right now. Wells Fargo is going to get these questions. Volkswagen. Samsung. Valiant. The feeder funds cases. Not to mention the overhanging litigations that are still capable of taking down the largest global firms. So, I say, until we are prepared to deal with an agenda that starts with this topic in a really cleareyed and candid and honest way, we're not going to move the meter.
From the very beginning, there have been obvious problems and conflicts with the auditor-client relationship.
The Expectations Gap
Getting back to the history: Some years ago, I wrote about the concept, created by Théodore Limperg, that the audit profession needs to be responsive to the stakeholders; that the auditor has to continually try to improve to meet the expectations of society. The big problem I see is that, over the years, that hasn't happened. The firms do a lot of work to see whether they're meeting the demands of their clients. But I don't see the same effort being directed to, “How can we better meet the needs of society?”
Over the years, I've participated in a lot of studies, but when you have a subject like the auditor's responsibility for the detection of fraud, the response has been, “Well, we need to better inform the public about what our responsibilities are”—instead of saying, “Here's what the public expects, now what can we do to better meet public expectations?”
I definitely second that. There is a disconnect between the perception of what auditors really do and what their clients and the public expect their responsibilities to be. There also is a lack of understanding in our responsibility as a profession to communicate exactly who we are as auditors and what we do, because I think people in the marketplace believe that our main mission is to find fraud all the time, and the real statistic is we only uncover it less than 5% of the time. It's mostly whistleblowers that actually uncover these matters.
That communication has to start with us conveying that to the marketplace. As complicated as our business is, it's a challenge for nonauditors and non-accountants to understand what we do. We have to find a way to speak to them in plain English.
So, should we limit the expectation of what it is we do?
Not limit it, but clarify it. I think it needs to be conveyed in a clear picture: When we do an audit, what does that mean? Are we auditing 100% of a client's business results? No, not necessarily. We perform procedures and test on a sample basis. The way we look at things is based on risk. We analyze the areas where a trip-up could happen or a material error could be in the financial statements or internal controls. It's that type of education that really needs to start with us, and I think, over the last several decades, we have not been doing that effectively.
I would offer a different view. We've spent decades trying to describe what we don't do and what we do, as though that somehow will appease the public. I personally think that's misguided. I don't think there's anything wrong with being clear and providing more information with differentiated reports.
We just have to accept the fact that we're in the business of meeting the needs of stakeholders that have certain expectations and need certain relevant assurance. And if we don't provide it, somebody else will.
I think, more importantly, we just have to accept the fact that we're in the business of meeting the needs of stakeholders that have certain expectations and need certain relevant assurance. And if we don't provide it, somebody else will. While we have a unique and exclusive position as a profession in the sense of financial statement auditing, I think if we look at what's happening in the world around us, stakeholders are using other sources of information and different forms of information as more timely and relevant to making important decisions.
It's not much of a leap to say that other organizations, like Google or somebody else, will figure out how to provide assurance on that data. If we're trying to explain to the public why we don't do something else, I think we will get disintermediated. Being irrelevant is an even bigger risk to me than the idea that the public may misconceive what we do or that we might get sued. So I think we do have to better understand what the needs of our stakeholders are.
I think part of our problem is making sure we engage enough with those stake-holders. If you just ask them the simple question, it's hard for them to provide a response you can act on. You really have to engage at a very in-depth level and truly understand what they're trying to accomplish, what they need.
On this issue of the expectations gap, the MacDonald Commission in Canada very systematically broke it down into three separate gaps. One was the standards gap, another was the performance gap, and the third was the communications gap. That's one framework.
More recently, in 2012, the International Auditing and Assurance Standards Board [IAASB] talked about the information gap. There is a lot more information than what appears in the financial statements, and hence, the recent pressure on the profession to look in some way or the other at these non-GAAP measures. They're just proliferating, and it's clear that there is much more that investors and other stakeholders are demanding to know. In a world that is awash with information, I think these demands have gotten only worse. Herbert Simon, a Nobel Prize winner and a polymath, said, “a wealth of information creates a poverty of attention.” Simon perceptively noted that many designers of information systems incorrectly represented the design problem as information scarcity rather than attention scarcity. We don't have information scarcity; we have information abundance. Attention scarcity is the real issue.
He went on to say what was really needed were systems that exceled at filtering out unimportant or irrelevant information. This is going to be one of the future jobs of the auditing profession, to serve as that filter in such a way that we define relevance to our stakeholders. That really allows us to become trusted as a profession, because people don't know what's relevant and what's not. We are really becoming the curators of information in terms of its underlying quality, its relevance, and providing that decision context in which stakeholders can maximally use that information. The recent proliferation of non-GAAP measures, potentially more relevant but perhaps less reliable, is highlighting this perspective.
You sound, Sri, like maybe you're suggesting that we change places with management in some way. Maybe I'm stuck in the old paradigm of thinking that it's management's responsibility to provide the information and help users understand its relevance and its context, whereas the auditor's role is to provide that independent assurance that it's actually reliable.
I wanted to come back, though, to this relationship between the auditor and the client. We're in a situation now where, at least as of today, the regulators and lawmakers have decided, “We're not going to deal with that question.” For example, the question as to whether there should be mandatory audit firm rotation in the United States is dead again.
Within the last week in one of the SEC's enforcements releases, we saw the case where an auditor in an audit firm was sanctioned. Arguably, direction from management to the audit partner to improve the relationship with the client impaired that person's independence.
The culture within the audit firms is very, very important. I think it's probably something that the regulators are studying and looking at. I would hope the PCAOB is looking at the culture within firms to try to make sure that they create an environment where the audit partners are going to have the confidence to make those occasionally very difficult choices and decisions that could impact that relationship between the auditor and the client.
They're not occasional. They're ever-present and they're everyday. It's all the time.
Before we move on to the future, there is something I don't want to leave, and that is the question that got tabled about the clarity of communication with respect to addressing the expectation gap. The profession bears a significant degree of responsibility, I think, for overstating its capacity to deliver against user expectations. The profession doesn't get to set that standard. That standard is set from the outside by the users, and that includes not just the investor community and those deploying and providing capital, but it also includes the legal system and the agencies of law enforcement, so that, to the extent we are talking about building for the future, one of the issues in user expectation is the necessity to survive to get there.
In the area of the detection and prevention of fraudulent behavior and malfeasance in office, the legal systems have set a bar that the profession is unable to climb over. This was most sharply brought into focus in August down in Florida, where the U.S. firm of PwC went to trial at a level that put the life of the enterprise at risk. A claim against the firm of $5.5 billion—that's with a B—that is multiples of the financial capability of that firm to have withstood a worst-case outcome. They were fortunate to be able to settle the case three weeks into the trial. Having gone to trial, having been unable to settle a case at a level that was acceptable, PWC reached an outcome that was held confidential—but we can be absolutely certain that it was painful, even if within its ability to bear it.
That doesn't mean that the ability to continue to bear those litigation and penalty burdens will continue. That firm has two other multibillion-dollar cases on their trial calendar for next spring, and all the large firms face life-threatening litigation. The model today does not assure the survivability of the franchise into that future that everybody is so optimistically looking forward to. If that's not wrestled with, then the strategy of hoping it doesn't happen is really not a strategy.
You know, the medical profession's lament applies to us, too—that the operation was successful, but the patient died. All we are able to assure as auditors are the standards and the processes that are the inputs to the audit. But we are unable to guarantee the outcome. Yet, the first thing that happens when there is the collapse of a company, perhaps because of poor governance or a terrible business model, is that the business failure is almost immediately equated with an audit failure. And we have to live out the consequences as a profession. I think this is also going to be part of the education of the public, that we can't be held responsible for a mistake that is being really committed by company management and their governance.
If that's right, then you should be speaking to the legislators. We should be taking this franchise as it's presently defined and turning in the keys, because the general public doesn't give a damn for that. Who does care about it are the plaintiff's lawyers and the agencies of law enforcement. Unless you can change those standards, then the conundrum that you've stated doesn't go anywhere.
I think Congress has already decided. The audits that are going on now, the case down in Florida that was mentioned, were integrated audits, an audit of the financial statements and internal controls and financial reporting. And so it's not just the result of the financial statements—it's now the process, too. It has to be an audit of the process. You can't say that was management's fault, because the auditor's expressing an opinion on both the effectiveness of internal control and that the financial statements are free of material misstatement, whether caused by error or fraud.
The profession is already there with that responsibility. And the issue should be how to meet it, not to say, “Wow, this is a terrible responsibility. How can we possibly achieve it?” Congress not only gave CPAs the franchise to audit financial statements, but the mandate that required public companies to have those audits, which is unique.
The audit profession cannot do what the doctors do, because no agreement between the client and the auditor can say that the responsibilities are less than stated in the report to do audits in accordance with the PCAOB standards, and no agreement with the client can change the responsibility required of us.
What about what is being done by insurance companies when they offer directors and officers liability insurance? There is the severability clause, which says that if there was fraud going on in the organization and the directors and officers who were insured were the perpetrators of the fraud, they can't then ask the insurers to bail them out. If you were involved in the perpetration of fraud, you are now doing another fraud on the insurance company. That's a compounded moral hazard.
Again, you're talking about a world that will not be allowed to exist in the environment of the law enforcement agencies and the regulators. That would be entirely intolerable, completely unacceptable. I mean, what Doug has effectively said is that the evolving complexity of the expectations of the legal system makes it less and less likely that the auditor will be successfully able to satisfy them. The world has gotten more challenging, not less. And the tools from other professions are just inapplicable because of the embedded interests of the participants in this model.
But, Jim, I think that's the point, right? The interests here are different. Here you have a third party that's not privy to either of these elements, whereas when you look at your example, the perpetrator is also the beneficiary of the insurance policy. Here, the public wants to be protected from the very act that they wanted you to detect.
I think what Doug said is absolutely true. This is what we have to get our head around as a profession. We have to meet the expectations and standards around both the internal controls and the financial statements. That's an audit quality question, and we have to make sure we deal with that.
I think the harder question is the stuff that's outside of that but still could potentially harm a company; that's where the expectations gap gets even harder, right? Because it may not be within the areas that an auditor traditionally would be responsible for. For example, a noncompliance matter that has nothing to do with financial statements but damages the brand of a company terribly could be life threatening, but it may or may not be something that traditionally would be viewed within the internal controls or the financial statements.
Does that mean we have to reassess our definition of scope? I don't know that you can convince the public that they should have a different scope in mind. We've tried that for decades. It's an area that I think is probably the most challenging for the profession.
You referred earlier, Scott, to the notion of clients and client acceptability and the relationship with clients and their expectations. And the profession has talked for decades about client quality and our willingness to be associated with them and the like. The challenge to the credibility of that assertion is that enterprises of all kinds and all shades of disrepute somehow continually manage to engage auditors. This brings in the business side of things.
A large international organization recently exposed as a fundamentally corrupt kleptocracy—that is, FIFA—recently went through a departure of its long-standing auditors. Notwithstanding the number of arrests and high executives taken away with sheets over their heads, it seems to have had no difficulty in engaging the services of another one of the large accounting networks. Now, it's fair to ask whether an enterprise as corrupt as FIFA is actually entitled to the services of the profession, especially on the track record that it had. Until there's a vote that says, “No, we will not do your work because you're not entitled to it,” those questions about credibility on the quality commitment side remain unanswered.
This is an excellent point. Scott was a speaker at the Deloitte auditing symposium at the University of Kansas, and it really resonated with me when he said, “You cannot audit better than the client's environment will allow.” Now, why that struck me as a very interesting statement is that it is consistent with what is called Ashby's Law of Requisite Variety. This is from an industrial engineering professor at the University of Illinois, W. Ross Ashby, who said, “If you do not have the complexity of the environment impounded in the regulator or the governor of that environment, that governor or regulator cannot do an adequate job of dealing with that environment.” The complexity that's out there must be in some way impounded in the regulator or the governor.
This is another way of saying, as Einstein did, that we cannot solve our problems with the same thinking that created them. We do need to start thinking at a different level here to deal with some of these issues. A lot of things are changing, and I don't believe we are adapting fast enough. So it could be a velocity of risk issue here, that the speed with which change and risk are happening to us is so fast that our capacity to respond is being challenged to its limits. Can the profession do something about making sure that the client is going to offer us the best possible environment in which the audit will actually be successful?
I want to segue to the present and talk about one way of addressing the challenge of complexity, and that's data analytics and big data. Can the profession use the tools that are there today or help develop tools moving forward that will enable it to serve the public better?
I've been living in a virtual world for about 18 years. My former firm, CohnReznick, went through some mergers, and the volume of our work increased, the size of our clients increased, and the complexity of the system increased. The use of computers and digital evidence increased at a geometric rate, yet the number of IT auditors with the ability and experience to audit these systems did not increase.
But I'm trying to figure out how we can use big data in the audit. Big data analytics can be used. But the problem becomes, you can only audit what the client will allow you to audit. When we ask, Scott, for all the data, we get a trial balance. “Pick some samples.” Because that's what they're used to.
We've had on very rare occasions some clients who wanted us to use large data sets, millions of records, hundreds of fields, and analyze them. One example I would give you is telecoms. Telecoms have a large volume of electronic records. How do you analyze a gigantic collection of data and figure out if revenue is presented fairly? What do the auditors do? They come to me. They say, “We're going to pick a sample of 100 phone bills, and then we're going to see what's in the computer system, and we're going to have them print out a copy of a bill, and we're going to compare it.” This is meaningless. I was able to convince the audit partner, “Get me the data.” And the client said, “you'll never be able to handle it, it's too big.” I said, “Give us a chance.” The way big data works is, you don't know what's driving the independent variable of revenue.
Data analytics can be used if you can get the data, but then you need these people called data scientists, and they're very hard to come by. In the case of the telecom, what we were able to show was that whatever management thought was driving revenue, there were other things that were also driving revenue. We took those data points, and we ran a correlation matrix, and we figured out which one of these data points is correlated with revenue, and we got a bunch. Then we started running regressions on it until we could figure out which of the data points is statistically significant.
The profession bears a significant degree of responsibility, I think, for overstating its capacity to deliver against user expectations.
Having done that, we were able to find outliers. Which one of these bills doesn't belong here? For 30 months of data, we figured out which month of revenue was not predicted by the data. We'd never have found this doing sampling or doing a traditional audit. But the revenue recorded in December was far more than it should have been.
So the audit partner asked management why, and they said, “Well, we have a change in revenue recognition. We forgot to tell you.” But the point is, you need the client to give you that data. This is data analytics.
I want to make two points. I taught statistics when I was in the PhD program in psychology, and I've done work in neural networks. These are pattern recognition tools, and I applied them to enhance risk assessment done by internal auditors. The study was done at the University of Illinois at Urbana-Champaign, and Dick Traver was then the chief audit executive for all three campuses. That neural network application, it gave us something dramatic. It said the riskiest department of all academic departments was the audit department. How can that be? All the risks of the other departments are actually getting aggregated in the internal audit department! We have to be careful when we use these tools to understand what kind of hypotheses are coming out. I still believe that human intelligence far exceeds machine intelligence.
In philosophy, we have two types of reasoning. We have deductive reasoning, which is concept-driven. It's top-down. The data-driven techniques that Bruce was talking about, they are fundamentally bottom-up, and they are what philosophers call inductive reasoning. In inductive reasoning, you are going from the particular to the general. And you know what the problem is there? It is completely at the mercy of what the truth actually is. It could give you a bunch of false positives. The correlations that we come up with using big data, if we don't have a really good understanding, we're actually going to be misled many times rather than get to the right conclusion.
We use these phrases like they all mean the same things, when they really don't. Big data is a notion of discovering patterns, but you don't necessarily understand why the pattern exists. TIBCO and others discovered this and started using it with customers, and if they're wrong, it's not a big deal. But if you're an auditor and you think you see a pattern and you're wrong, that's a big problem.
To answer your question directly, we are using data and analytics to improve quality and audit effectiveness. In some cases, it's simply doing things that humans could have done, but it would have taken an inordinate about of time, so we'd sample instead—but seeing entire populations tells you new things. It does allow you to discover things you wouldn't have discovered through sampling, which can be very valuable.
It gets harder and harder when you think about primary audit evidence, because you've got to be able to meet the appropriate auditing standards. In some cases, you can. A three-way match of information, as long as it's provided from the right sources, could be a viable test in compliance with auditing standards and very powerful because you could test 100% of the transactions in the process.
There's also artificial intelligence and cognition. I think that brings home the idea of using it not just to see patterns, but to actually understand and analyze patterns—because you're teaching the machine to actually reason like a human being, but in big data sets, which humans could never do.
In fact, we just launched a pilot around doing that with commercial mortgage loans in large organizations with thousands of pages of documents. No human being could absorb all of that data and actually see any anomalies or nuances.
That will be difficult to get to fruition, because, again, will the auditing standards allow for that? Does it provide enough evidence? Those are things we're going to have to sort out. But I think there's power here; the question is where it fits best. How will we make sure that we don't have any erroneous assumptions, or misunderstand the data or patterns in the data, and make bad decisions as a result? I think we've got to be very careful as a profession.
One of the things that's going to get very interesting in that area is the operational one. In the relationship among the players in the assurance process, the constraints on the ability of auditors to engage in best-quality work that are imposed by scope-of-services and independence limitations, and the business constraints on auditors to access and utilize the most complex, most sophisticated sources of information, are liable to become very troublesome.
Regulators have expressed a good deal of concern about the growth of the advisory services at the large firms. They're not necessarily friendly toward the acquisition of those competencies, and they're going to have distinct problems with the ability to access and utilize that information in the audit process, and there are multiple difficulties with that for the firms. That will put a constraint on growth opportunities because they are being barred from using those advisory services with respect to the 25% of their client base in the audit sector. That is not going to go down well very much longer with these rapidly growing advisory practices.
On the other hand, to the extent that there are constraints on the audit side of the practice from accessing and utilizing those best practices—which, by the way, the marketplace will value and get from somebody else if the auditor can't deliver—then the value of the audit product will continue to degrade.
I think these issues—access to personnel, access to the best-quality practices, strains and antagonisms in the structure—are structurally significant for the large firms. I lived through the divorce between Arthur Andersen and Andersen Consulting, and if that doesn't give you a blueprint for the future as the large firms continue to grow advisory practices, then it's just not being recognized.
That is always something we think a lot about, because I do believe there's a lot of value, particularly in a changing world that's going to change even faster, in keeping up with technology. We have to be able to do that effectively; otherwise, we will not meet expectations.
Having said that, we also know that there is tension in a big firm. The thing we always remind ourselves is, our brand starts with our audit. I actually would say it's not just the financial risk; it's the brand risk of a major failure. There is no doubt that the audit side is by far the most important part. And it gives our advisory business credibility it wouldn't otherwise have if it were not part of KPMG.
The way we look at it from our very most senior partner, who happens to be in our case the CEO, is that there is no doubt in our mind that we are better as a multidisciplinary firm. But the audit practice is absolutely, incredibly sacred to our business and our brand. I think you're right. That is a fragile thing that we've got. If we don't stay focused, any of us could fall into the issue that you describe.
My concern is there are pressures building for us to invite outsiders into the fold, because these outsiders are so much better informed than the people inside the profession. I want to give you the example of this—the $81 million heist at the Bank of Bangladesh. Basically, it was the Society for Worldwide Interbank Financial Telecommunication (SWIFT) credentials that were compromised, and the only way to audit this kind of stuff is if you understand Bitcoin and its blockchain technology. This is a computer science problem, involving math and cryptography, not an auditing problem. And as Bruce was saying, when describing the characteristics of data scientists, these are obviously not accountants. These are people who have PhDs in data science or statistics. We are going to have to bring in these outside disciplines and allow them to integrate with our audit teams. Otherwise, this is already a lost cause.
I couldn't agree more. But if you think about it, it's just expanding and accelerating something that already exists. For example, for me to do an audit of a really large, complex bank, I need credit specialists that aren't auditors but really understand credit. I need valuation experts that deeply understand level 3 types of securities and how to value very complex instruments. I need actuaries to study actuarial reserves in an insurance company. I need technologists to be part of my technology group.
If you look at our IT professionals, it's a huge group of people, and their backgrounds are varied. Some are former auditors that become very knowledgeable about IT. Others are technologists that spent their entire career coding and thinking about systems and architecture. When you think about the data sciences, it's going to be the same way. We've already hired upwards of several hundred data scientists.
Now, to Jim's point, some of them sit in audit, but a lot of them sit in our advisory businesses, and we benefit by having that community of people. And if we lose that, it would actually degrade our ability to have that group of people help us.
It's a really interesting question. You're talking about who you need. But flip that question over, especially those of you in practice. What are the implications for people you don't need? And think about the traditional pyramidal, hierarchic model in the firms and in the teams. What is it going to mean to be an auditor in the future? And by the way, there are implications for the academy—the training and education and schooling, and implications for the professional societies. You're looking at landscape-changing issues.
I think the large firms have a great advantage in that they are able to retain IT experts at their disposal. When we're looking at our profession overall, we've got to include the other thousands of CPA firms.
And we're only looking at it from the large firm perspective. How do you get all this knowledge, information, and specialists and make it affordable to small-to-midsize firms? As it is, with most CPA firms, auditors are really challenged when it comes to understanding a client's automated system of internal controls. In my opinion, auditors are not getting the proper training on how to audit the IT environment. They don't go into the heart of it; they audit around it by performing substantive procedures. Effectively auditing a client's internal control environment requires expertise from both an IT perspective and an auditing background.
What I'm seeing today is that it's not there. I think the large firms have a great advantage in that they are able to retain IT experts to be at their disposal. When we're looking at our profession overall, we've got to include the other thousands of CPA firms. How do we get the rest of the profession to come up to the level where all of us get increased audit quality across the board?
I have the same question. I have actually worked with the Big Four, but only on joint ventures. I've also worked with many of the firms that are between us and the Big Four, and they are facing the exact same thing as everybody below us.
When you get to big data and data analytics—and there's a difference; data analytics you could use directly on financial information that's in the general ledger, or on the subsidiary system. There's a lot of information in there that's not financial, and that information can be used like big data. The problem is, how do you find somebody to do that?
The difference between big data and data analytics is that big data is taking data external to the entity—for example, GPS data, videos, social media data, e-mails, those types of thing, website hits—and merging that with data inside the company. But what are they using it for? They're using it to increase profitability, to reduce costs or increase revenue. I haven't seen a single study where they have actually used this on the audit side.
What are the rest of the firms going to do? How can we compete in this world? These data scientists who work for big corporations that are using it, they're going to say, “Why don't we create a startup?” They'll get the funding, and they will create a big data service for everyone, leveling the playing field. I think that will be the answer. The smaller firms will be able to use a service that's affordable.
Exactly. Auditors are daunted by so many requirements, regulations, and standards, and so new skills have got to be developed, and this is just going to add another layer of complexity. Certainly, some CPA firms may not see it as viable to make those investments.
Well, they will when clients actually say, “What's your experience in big data?”
I'd see two scenarios for the future there. One of them is that big data service will quickly become commoditized and readily available across the board to the smaller firms. The other is that big data services—let's call it Google, or let's call it the joint venture between Accenture and Amazon—when that enterprise decides, “You know, we could add an assurance service to this, and we could become the source of big data assurance, and we will eat the lunch of the firms that are proceeding to do this by traditional means,” because they will be providing something that the marketplace is prepared to pay for and will functionally be delegitimizing the services delivered in traditional form.
The Next Generation
I want to move the discussion there into what the next generation of CPAs looks like. What kind of people are you looking for? What kind of skills do they need? And what's the role of educators in preparing the next generation?
I've always wondered why ours is probably the only discipline—I won't say profession—in which the word “creative” is a bad word. Creative accounting is not a bad thing.
H. G. Wells maintained that it is nature's inexorable imperative that you either adapt or perish. One may choose not to change, however, because survival is not mandatory. Given all the change that we're seeing, if we remain in the status quo, we're finished. We have to be grabbing at these opportunities to become more relevant in a fast-changing world.
In my opinion, we are facing a human capital crisis in the accounting profession, because the problem is not with the kids. The kids actually are very smart. There are these very advanced and sophisticated technologies that are really putting the lie to what used to be big problems. They can be solved, but you've got to be creative. And you need to master some of these new technologies.
To me, the need for being creative is fulfilled by having a diversity of experience, curiosity, and the ability to learn continuously. These are the kind of people we're looking for, and the profession should be able to attract them. The worst type of auditor we could have in today's world is the gullible auditor. We want the skeptical auditors who will not accept answers at face value. They're always going to dig deeper. We want to attract these kind of insatiably curious kids into our profession.
I think it's going to require a different skill set, a different kind of ability among young people. I'm not sure we want the types of students who did really well only in accounting, as in the olden days.
How do you find that behavior? What kind of test do you use?
Let's say we give a great case study, this Bank of Bangladesh heist. How could auditors have audited this? How could they have known that their SWIFT credentials might be compromised? And what would you do? And you know what? Some of these young people can actually provide you the answer already. Using crowdsourcing to find the answers to the most complex problems—that may be the way forward.
That's a point that I had recently made. I had a meeting with a businessman, and he was picking my brain on big data. He said, “How do you go about doing this?” I said, “You get a bunch of kids, and you put them in a room, and you give them the data.” The idea is, instead of coming from the top, and saying, “Here's our objective,” we start with big data, at the bottom and say, “Here, you have five people. You have five weeks to come up with something in this data to help us be more profitable.”
I also want to get another academic perspective on what your students are like today, and what you think they need to learn.
Last semester, I was asked to be the academic advisor for a team of six Baruch College students who were invited to an audit challenge contest sponsored by one of the large auditing firms. It was around big data, and they were given a very broad statement about using data analytics and big data to improve the audit and enhance the value of the services provided to their clients
Without giving them very much input and direction other than teaching them what auditing is all about—because none of these students had taken an auditing course yet—they just went off and did the research on their own. They came up with an amazing solution that was really quite intellectually rigorous and potentially very effective. And they even linked it to some existing products that the audit firm had developed and implemented in their own practice. I was really blown away by it, the intelligence and the initiative that these students took in developing that solution. So I think we have some cause for optimism that the raw material is there.
In terms of teaching them, there are a lot of challenges, even with 150 credit hours, which sounded like a lot five years ago. But there's a lot of material we're being asked to pack into that 150 credit hours. At the same time, the profession doesn't just need students who understand the auditing standards. They need to know how to solve problems. They need to know how to critically think. How do we teach that at the same time? I think it's a big challenge.
This is something I've thought about personally. I separate it into a couple of challenges. One is: how do you develop the right people? The second is: how do you attract them? Because it's not just developing the best and brightest and giving them the right skills. Do they want to be auditors with those skill sets?
We're looking for a very interesting combination, one different than we probably would have said five or 10 years ago. I really want someone who has somewhat of a liberal arts background, in the sense that they've got critical thinking skills and can solve problems, combined with enough knowledge of the profession—and you're stuck with a certain number of your hours just getting the core curriculum in order to sit for the CPA exam—and also having a really rich understanding of data analytics and technology. The fact is, you will never stack those things on top of each other.
We try to take the existing curriculum and say, “Let's add some more stat classes. Let's add some more predictive analytics classes. Let's add a few classes to help critical thinking skills.” You now are going to take that 150 [hours], and, even if you try to carve other stuff out, you're going to be at 200-plus hours. You're going to lose any hope of attracting the people who have traditionally come into an accounting program.
We have to figure out ways to integrate those things so that, when you're in an auditing class, you're using that auditing set of skills to exercise deductive logic and reasoning and critical thinking skills, but you're also bringing in data and analytical tools.
The use of computers and digital evidence increased at a geometric rate, yet the number of IT auditors with the ability and experience to audit these systems did not increase.
One of the things we've done, or are thinking about, is we've just launched a new master's program, collaborating with Ohio State University and Villanova to build a master's of accountancy in data and analytics. The idea being we would build a new curriculum from the ground up for the master's-only program to help students have a different set of skills and also get excited about how they can deploy those skills into the accounting and auditing profession. We've already picked the first 52 students in the program. It's been very exciting to see that happen.
But we think we've got to start a lot younger than that. One of the things we're working on now is using simulation trainings that we could put in at sophomore, junior, and senior years so they could use those simulations to compete on a case study. If you do it right, we believe that technology will allow friendly competition among universities.
We think that'll help us discover the best and brightest. We also think that's the kind of stuff millennials are going to say, “Wow, that's interesting. That is something I'd like to be part of” about. Those are just examples, and I'm sure people in other firms have great ideas. But it's that kind of creativity that I think we've got to bring to the table.
Who's going to champion this transformation in the schools?
I saw the aspiration on display in August at the American Accounting Association convention here in New York. These joint ventures between the firms and the schools are the tip of the spear. There were a number of these different partnerships. There's a not subtle self-interest, obviously, in keeping your intake pipeline as filled as possible with the highest-quality students. There is also, it should be said, a considerable deer-in-the-headlights attitude amongst the academics. What those who were trailing behind are trying to do is borrow and beg and steal competency from other departments in their universities. As a nonacademic, it was pretty obvious to me that that's nothing more than an interim solution that will obsolesce very fast when those competencies become part of the mainstream qualification for the auditor of the next decade.
I think the leadership is available, what they're identifying in some of these ventures. But getting it deployed out there is going to be a massive challenge.
I've had the privilege of sitting down with about 10 or 12 deans of business schools around the country last year talking about this very issue. And what I see is a real passion and energy to do it.
I think what we've got to do is help everybody get the same sense of urgency, because I think this is no different than the disruption we were talking about before. If we don't collectively create an environment where the very best want to be in our profession and go to these schools, the profession is going to be frustrated by the fact that they're not getting the very best and brightest. It's a cycle that could be very negative.
On the other hand, if we get it going the other way, it could be a very positive cycle, because we offer tremendous learning and very rapid acceleration in a career. Even if people don't want to stay in public accounting, it's still enticing to be part of an organization to learn that much. If we could do it in a way that brings these other capabilities together, I think it could be really powerful.
There's an interesting aspect that demonstrates the holistic nature of these challenges, which is that you articulated it from the perspective of the universities and the supply of best-quality people into your organizations. But take into account the internal competition for talent inside firms. Which part of your practice do new recruits want to go into? These probably are related, because the ability to take advisory and integrate that into a practice that will build an assurance function that's fit for the future is going to require that you can keep the best and the brightest engaged, whichever form of that they come to.
Now you're into the regulatory challenge of permissible scope of service—can this be done in an environment that suffers under the constraints that are imposed by shortsighted regulators? Where's the business community that's prepared to lobby for changes? All of these bits and pieces pull together into a comprehensive set of integrated problems.
Leading the Change
Let me go back to my question. Scott, you've worked with 10 schools. There are 3,000 accounting schools in America. Who's going to lead this change, if indeed this is what the future of auditing needs to be?
I think flexibility is important. This is an age-old problem, and it shows up at different levels. Take IT as an example. Every reasonably large firm has IT specialists. It's always been a difficult task to figure out, what does the general auditor need to know about IT, and what do the IT specialists need to know about auditing? A lot of the time, the specialist just comes in and does what the specialist does, and the audit team doesn't really understand what that is and how it affects what they're doing. They over-rely on specialists, but they don't really use a specialist.
On the educational side, there have been different attempts over the years. Arthur Andersen decided that they wanted to try just picking out good, intelligent people, the problem-solvers, and hire them, and then teach them accounting and auditing. For example, they'd learn how you account for property, plant and equipment, and at the same time they'd be learning how you audit it and what the taxation factors are—concentrated training. That's one approach.
Specialists are inevitably going to be specialists. In other words, it's not going to be possible for the general auditor to be fully versed in all specialties. Maybe it's not really going to be possible to have one revamping of the curriculum and have every school do it. I think that kind of experimentation is fine, where a firm deals with 10 schools, and another deals with 10 schools, and maybe does it differently to see what's working.
I don't know that we're going to need one driver that will change all schools and all curricula. I think the experimentation and the willingness on the part of the firms to support, different approaches and to see what works best over a period of time is probably going to be important—because at this point, no one really knows.
No one could have predicted the skills that the firms are saying they want right now five years ago. That kind of experimentation and approach is necessary. Particularly, something needs to be done to start earlier, because the people that are attracted to accounting because debits equal credits are not the kind of people that you really need as auditors. Getting them in college and dealing with it when people have already reached that level is just too late.
I've argued there were people that described what the future of an auditor might be even 20 years ago: Robert Elliott, who worked for us, was describing an auditor of the future that actually looks a lot like today.
I always joke that for the first 20 to 25 years of my career, I would guess something was going to happen, and I was always wrong about the pace. I always thought it would happen faster than it ultimately did. I think I'm now finding during the last five years that the inverse is true. Every time I think something's going to happen, it happens faster than I thought, because the rate of technology advancement is really fast.
It's in our firm's own selfish best interest to figure out how to navigate it, because we need that supply of really skilled people. We'll do whatever we can to help make that happen. I think that will naturally start to get momentum. And I think all the universities will benefit. They may not all produce the same kind of student, they may not all have the same programs, but they'll all learn from each other. And it's not just the universities. We, as firms, also have to enrich our training to help people deal in that world. If we get that right, we'll get smart people and they'll help solve the problems. If we don't, then we'll be starved for talent.
One of the things that they'll be solving is the problem of the products, the outputs the profession is delivering. The diversity of solutions delivered to clients will be the flip side of that ability to attract the best students and best thinkers and best people.
The continuing delivery of that single one-page audit report, which has not changed significantly in 160 years, is going to have to change. The evolution can and will happen. The early returns are really not in yet on how well that's going, but it's certainly attracting plenty of attention and discussion.
I want to go back to the question about what can we do to have a coordinated effort to lead change and transformation in auditing? Because I personally don't think the American Accounting Association is doing it. But it may be possible for those of us who are CPAs and academics and who are committed to getting the profession to solve these formidable challenges, if we work with the firms, the state societies, and the AICPA, to change the content of the AICPA's CPA exam.
Because a lot of us academics, we literally are educating our students in a way that'll be easier for them to pass the exam. We have to pay attention to that; our schools, they'll actually maintain statistics as to how well their students are doing in passing the CPA exam. If the CPA exam is not delivering, we are really barking up the wrong tree.
I spent three years of my volunteer time on the AICPA's Board of Examiners’ Content Committee, which develops the questions on the Uniform CPA Examination, as its IFRS expert at large, as well as advising on the auditing part of the exam. The exam is moving in that direction to test entry-level professionals, not only just to memorize standards, but actually work through a situation, to use critical thinking. I think what's lacking in today's environment is that we're creating professionals who know the standards, but find it difficult when they have to navigate through challenging and contentious situations; there are still soft skills that are essential. How do you become someone who's able to research and navigate through things, instead of asking somebody to do it?
I was really blown away by it, the intelligence and the initiative that these students took in developing that solution. So I think we have some cause for optimism that the raw material is there.
It takes a certain skill set. It takes dedication. In my career, I had those forces at work when I started. When I worked at the SEC, I was set on a path of learning those skills early on. The exam is recognizing in the marketplace that this is what CPA firm leaders are looking for. But the reality is, that's not what you're getting. In today's environment, you need someone who's very well rounded, could be able to bring in business, manage clients, have executive presence, be a networker, a bran-der, a marketer, be able to do public speaking and writing. That's a core curriculum that I think is necessary in today's marketplace to be a successful auditor and a trusted advisor.
One of the things that I think is a positive is we do see the CPA exam changing over time. It does attempt to stay at least reasonably close to our current practices. Some might argue it doesn't move as quickly as it ought to, and that it could be used as a driver to help get the profession to where it needs to be.
One step beyond that is, I think, our credential itself. What does the credential mean? What is the public expectation of that credential? What skills do each of the jurisdictions in this country expect a person to possess in order to provide them with a CPA license? That's another issue I think that we ought to have on the radar screen.