Although audit practice has been improved over the last 30 years by the incorporation of office software such as Microsoft Excel and Word, working paper software such as CaseWare Working Paper, and audit tools such as Audit Command Language (ACL) and CaseWare IDEA, a massive amount of manual, repetitive, simple, and rule-based tasks are still taking up much of auditors’ time. Examples of such tasks include audit data preparation, file organization, integration of data from multiple files, performance of basic audit tests in Excel, copying and pasting data, and manual annotations. These tasks are not only time consuming and rule based; they are also prone to error. To further improve the efficiency and effectiveness of audit practice, auditors need to rethink methods and leverage newer technology.
Robotic process automation (RPA) is software that interacts with other application software at the user interface level (i.e., in the same way as a human) and is used to automate processes that are structured, rule based, and repetitive, as well as those with machine-readable data. RPA can automate tasks that are executed across different software applications. Kevin Moffit et al. (“Robotic Process Automation for Auditing,” Journal of Emerging Technologies in Accounting, Spring 2018, http://bit.ly/2JKLCee) proposed that RPA can facilitate audit process automation. This article uses a case study of an accounting firm’s employee benefit plan audits to demonstrate how RPA has the potential to improve audit quality.
Potential Applications of RPA to Audit
Automation is not a new concept in auditing. The innovation of RPA is that it offers the ability to connect otherwise unintegrated automated audit activities. For example, because RPA is an overlay software that resides on the presentation layer—that is, the layer of code that translates the program data into something a user can understand—it can be used to automate audit evidence collection activities. Much of the audit evidence comes from a variety of sources and can be burdensome for auditors to collect. RPA can streamline audit evidence collection, and potentially preparation activities, by taking standardized data and combining it from different sources into one audit workpaper; as a result, RPA can execute audit tests that have been preprogrammed in other software applications, such as Excel or CaseWare IDEA (Moffitt et al.). In this manner, RPA can help auditors achieve near end-to-end audit process automation.
An RPA-enabled audit production line has implications for audit quality. Because RPA replaces the structured, time-consuming, and repetitive activities that auditors perform, the audit process should inherently be more efficient. In addition, as the auditors have more time to perform complex testing involving the investigation of accounting anomalies, the effectiveness of the audit will also improve.
Several frameworks for the application of RPA to auditing have been proposed (Moffitt et al. 2018; Andrea Rozario, Three Essays on Audit Innovation, Rutgers University dissertation, 2019; Feiqi Huang, Three Essays on Emerging Technologies in Accounting, Rutgers University dissertation, 2019, http://bit.ly/2HFPk6E). These frameworks emphasize the need to thoroughly understand the process that is selected for RPA implementation; this makes it clearer which audit activities can be automated with RPA (i.e., the tasks that are structured, rule based, and repetitive) and whether the data that is needed to execute them is in a machine-readable format. The activities identified as being automatable with RPA will need to be subdivided into discrete steps that can be translated into programmable functions.
RPA can streamline audit evidence collection by taking standardized data and combining it from different sources into one audit workpaper.
The next area of focus is the standardization of audit-relevant data. For RPA to be scalable and usable across many environments, data should contain consistent labels and be formatted identically. For example, different organizations might represent the last names of employees using different labels, such as “Employee Last Name,” “last name,” or “Payee last name,” causing hurdles in automation. By using a standard label (e.g., “Last_Name”), the format of this field can be standardized as text with maximum length of 100 characters (see Audit Data Standards, AICPA Assurance Services Executive Committee Emerging Assurance Technologies Task Force, August 2013, http://bit.ly/2VVwtbU). Prototypes of the RPA solution can then be developed and tested to evaluate its success.
The subject of this case study, a public accounting firm headquartered in New York City, is one of the few national accounting firms that offers employee benefit plan (EBP) audit services. This firm annually audits more than 800 EBPs, ranging in size from 100 to 90,000 participants. Prior to the firm launching its automation project with the Rutgers Continuous Audit and Reporting Laboratory (CARLab), the EBP audits were extremely labor intensive and time consuming, especially in the substantive procedures phase, where auditors manually import audit data into Excel workbooks and perform various aspects of EBP testing, including writing and executing Excel functions and copying and pasting data from and to different tables.
Defined contribution (DC) plan audits represent 88% of the firm’s total EBP audit engagements, and limited scope audits represent 93% of all DC plan engagements. In a limited scope audit, an auditor excludes procedures that otherwise would be performed on the investments, which typically are the most significant plan assets. Some of the significant accounts for testing are 1) contributions (employee, employer, and rollovers), 2) benefits paid, and 3) notes receivables from participants (loans).
RPA Prototype Development Project
The objective of this automation project was to increase the efficiency and enhance the effectiveness of the limited scope defined contribution plan audits because the audit procedures in this type of engagement consist of labor-intensive, time-consuming, and repetitive testing.
In this step, the authors looked into how each aspect of the substantive audit procedures in the limited scope DC plan audits was performed. The objective was to identify the tasks that are highly repetitive, simple, rule based, time consuming, and have machine-readable data. Based on discussions with the auditing firm, the authors decided to focus on the testing of eligibility, personal data, and employee loans.
In this article, loan testing is used to illustrate the RPA prototype; the prototypes for other testing follow the same logic. In loan testing, loans to participants and the related interest are tested to determine whether the amounts due to the plan have been properly identified, valued, recorded, and disclosed in the financial statements.
Loan testing contained several audit activities that did not require audit judgment, were time consuming, and had to be executed across several audit engagements. These activities included the collection and preparation of audit evidence and the performance of rules-based audit tests, including the matching of loan amount balances and interest rates from one data source to the other. A review of audit workpapers and discussions of the EBP subject matter revealed that many loan testing activities could be automated using a combination of 1) Microsoft Access to program automated audit tests using basic Structured Query Language (SQL) and 2) RPA to collect audit evidence, then use RPA to execute the automated tests in Access.
Audit data standards.
For the RPA to be scalable, it is important to develop an audit data standard, such as the AICPA standard referenced above, for the CPA firm’s own use. This standard is essentially a template that contains consistent data labels and formats. Because sources of audit evidence that reflect the same values may label and format their data differently, the objective of this standard is for the CPA firm to maintain data in a consistent manner so that the RPA can work on numerous audit engagements.
The audit data standard, which could be in the form of an Excel file, incorporates templates for a data dictionary, raw source data, data preparation, and its integrated structure. The data dictionary tab describes the standard name of the audit data fields and maps it to name the data fields from the sources. Part of the data dictionary developed in this case study is shown in Exhibit 1. For example, the “Participant Name” column from the report “Annual Loan Balance” and the “Payee” column from the report “Check Register” will all be converted to “Name” with the data type of “Text.”
Excerpt of Data Dictionary Developed for the Employee Benefit Plan Audit
The second template is an extract of the raw data from the sources, such as the company reports. The data preparation template links the data from the company reports and contains preprogrammed commands to process it, which could include the command to filter and trim the data. Finally, the integrated data structure tab reflects the standardized data. An example of the standardized data (with simulated information) for the loan testing is shown in Exhibit 2.
Excerpt of Data Dictionary Developed for the Employee Benefit Plan Audit
The proposed methodology to achieve near end-to-end automation for loan testing was to use Excel as the audit data standard and Microsoft Access as the tool to execute audit tests that match one data source to the other (Exhibit 3). As a result, the activities delegated to the RPA were collecting the data, bringing it into the standard template, activating filters to prepare it, and copying the integrated data structure to transfer it to Microsoft Access. Essentially, the RPA was used to automate the steps an auditor performs to import data from Excel to Access. Finally, the RPA executes the preprogrammed audit tests; accordingly, the auditor’s time is limited until the results of the tests are available. In addition, it is important to note that the event logs of the RPA software are available to check whether the process operates as expected.
The CARLab provided the RPA prototype to the CPA firm, and the firm is now experimenting with it and comparing it with alternative methods such as Visual Basic for Applications (VBA). Because an automation solution has not yet been fully deployed at this firm, parallel comparisons of the traditional method to the new cannot be made. Nevertheless, the authors conducted preliminary tests of the prototype’s usefulness to assess its value.
The evaluation of the prototype entailed an assessment of its efficiency and effectiveness. As to efficiency, RPA took less than one minute to execute the assigned tasks of collecting audit evidence and conducting audit tests on the complete population of accounting records—obviously less time than an auditor would spend conducting the same tasks. In addition, it is logical to assume that RPA will be more accurate in the performance of these relatively simple tests, which should lead to enhanced effectiveness. For example, the authors overstated the loan amount balance of a few transactions and restarted the RPA to test whether it would detect the anomalies; it detected them all. In addition, as auditors are able to allocate more time to more complex areas of the audit, it is reasonable to assume that more anomalies would be appropriately investigated.
In this use case and other audit automation projects, the tasks to be automated are only those that are highly repetitive, simple, rule based, and time consuming. The tasks that require professional judgement are difficult to automate, and auditors are expected to spend more time on such tasks. While it is clear that technology can help improve audits, audit judgment cannot be easily replaced by machines. Professional skepticism, for example, can be described as a mindset that aids auditors in differentiating whether an accounting treatment or client behavior is reasonable. This mindset is ingrained in auditors during their time as students and improves with experience. Therefore, to maximize the benefits of technology in auditing, it is important to consider its application in coordination with auditors’ exercise of professional skepticism.
If the audit fee model is based on hours spent on the engagement, it might be intuitive to claim that audit fees will decrease, since as efficiency of the engagement increases, the total hours spent on the engagement should decrease. Although automation can save time on repetitive, simple, rule-based, and time-consuming tasks, the total hours spent on an engagement may not change, because auditors may be required to spend more time on other areas. One could also argue that if RPA leads to cost savings, those savings could be passed on to the audit client as reduced audit fees, which in turn could help the firm remain competitive.
RPA is at the forefront of disruptive technologies and has tremendous potential to transform audit practice. There is much to be explored, however, about the implications of this emerging technology on auditing before it can be fully implemented. Additional testing of RPA, as well as actual implementation on real audit engagements, is necessary to obtain a better understanding as to its benefits and challenges. In the meantime, it seems that RPA can be used to automate segments of the audit, but that caution and due diligence are needed in its development and implementation. Although preliminary assessments of the value-add of RPA indicate that it can lead to improved audit quality, it would be interesting to measure its usefulness on real audit engagements. This may be difficult to do, however, until prototypes are ready for deployment. As more about the cost and benefits of RPA is revealed over time, it will be important for CPAs to become familiar with its potential application to auditing.