Both client and auditor have a lot to gain from the cloud, but it’s important that both sides are clear on the impact to the audit engagement (Getty Images/svetikd)
As more clients begin transitioning from traditional, physical data servers to virtual ones, cloud computing is changing how entities conduct their business. Audit practices are rapidly evolving alongside the explosion in this technology—especially as it relates to data.
One area to consider is enterprise resource planning (ERP) systems. Many traditional ERP systems are now undergoing significant makeovers as they move to the cloud, such as with Microsoft Stack and SAP Oracle.
“The world of audit, risk and control, and security has been relatively well-defined,” says CPA Peter Hargitai, national digital risk solutions leader at PwC Canada. “But it is changing significantly with the cloud versions of these systems and applications being deployed.” What is more, some applications are becoming cloud-only and will no longer be supported in conventional versions, forcing entities to adopt the new technology or find different programs to use.
This transition can introduce complexity, disruption and new risks for the organization and, as a result, to the financial statement audit as well.
Here’s a look at ways to address the challenges brought on by client adoption of the cloud.
ASSESS THE RISKS AND ADJUST THE APPROACH
When a client undergoes a cloud transition involving the entity’s information system relevant to the preparation of financial statements, it’s the auditor’s responsibility to obtain an understanding of the new cloud environment and related risks arising from the use of this IT as a basis for identifying and assessing the risk of material misstatement.
“We have to really look at how we [plan our audit and the related] audit work, and how we adjust our audit methodologies to account for this new technology,” says Erica Pretorius, partner in risk advisory and risk advisory leader of the telecommunications, media and technology program at Deloitte Canada. Auditors need to ask themselves, “What risks does this expose the organization or the financial statements to?” says Pretorius. And subsequently, how should auditors adjust their approach and procedures to address these risks?
To gain a preliminary understanding of the cloud environment, auditors can ask their clients for an inventory of any cloud activities, including the nature and extent of third- and fourth-party cloud service provider vendors and any material changes in such arrangements during the period under audit.
While the cloud does create new risks, it can also create positive changes for audit practitioners. A client’s use of cloud computing offers new automation opportunities that allow auditors to complete more streamlined work. “The more automation you have, the more efficiency you can build in and the more you can focus on the valuable insights throughout the process,” says Hargitai.
CONFIRM ROLES AND RESPONSIBILITIES EARLY ON
To avoid confusion or surprises down the road, auditors need to be proactive and inform clients about necessary steps early in the audit process.
“At the start of our engagements, we often spend time with clients to explain what the requirements of our audit methodology are,” says Pretorius.
These conversations may also outline an understanding of who does what, recognizing the cloud service provider, the client and the auditor each have different roles to play. “From an audit point of view, what responsibility do we expect you to still have? And what oversight do we expect you to still execute?”
“We try to inform clients on what this early, timely and appropriate involvement looks like,” says Hargitai. That way, auditors can ensure they have the information they need and perform procedures earlier in the audit process where appropriate.
USE A TEAM-FOCUSED APPROACH
Another way auditors are navigating this new world is with an all-hands-on-deck approach, collapsing silos and bringing all information to the table.
“There’s a greater need for subject matter expertise integration at the firm with our financial statement auditors. It’s about [focusing on] the right risks within the new cloud environment,” says CPA Andrew Kwong, leader of Deloitte’s Ontario risk advisory practice.
Another challenge, Kwong says, is obtaining audit evidence in accordance with the auditing standards and requirements of the firm, which he likens to putting together a jigsaw puzzle.
“If the pre-cloud puzzle was 50 pieces, now we’re putting together puzzles with 1,000 pieces,” says Kwong. “It requires more communication, coordination and alignment than ever before.”
SCHEDULE INTERNAL TRAINING
To ensure CPAs are aware of these evolving practices, Kwong is a champion of educating teams internally. “We need training for our own people who are working in the cloud environment,” he says. “And then it’s educating our audit team around the impact of cloud on the overall audit methodology.”
Experts note there are firms currently rolling out training on cloud computing and financial statement audit, and hope this will help create foundational learning, though some firms are further along than others.
Despite the challenges presented by cloud computing, there are lots of gains, says Pretorius. “There’s so much more that the systems can do for organizations. The innovation in cloud technology is absolutely phenomenal.”