The adoption of technology in the audit profession has substantially lagged behind the development and utilization by management (Curtis and Payne 2008; Kim, Mannino, and Nieschwietz 2009; Bierstaker, Janvrin, and Lowe 2014; Cangemi 2015; Cangemi 2016; Li, Dai, Gershberg, and Vasarhelyi 2016). The consideration of technology by standard-setting bodies lags even further, hampered by an extant codification based on the facts and economics of obsolete measurement methods, practices, and technologies.
Acceleration of changes may occur when management's needs/technological changes force accounting methods to adapt and these, by their turn, pressure changes in assurance (Krahel and Titera 2015). For example, the adoption of large databases and cloud technology prompted the development of software and application layers for performance measurement, naturally leading to a demand for assurance.
This paper aims to imagineer the effects and usage of the technologies that encompass Industry 4.01 upon the audit process, prior to their widespread implementation in business. Originating in Europe and spreading to the U.S., Industry 4.0 emphasizes six major principles in its design and implementation: Interoperability, Virtualization, Decentralization, Real-Time Capability, Service Orientation, and Modularity (Hermann, Pentek, and Otto 2015). Furthermore, it promotes the use of remote devices to identify location, identification, temperature, pressure, movement, company (who was with whom), speed, intentions, face recognition, defect detection, etc.
The objective of Industry 4.0 is to increase the flexibility of existing value chains by maximizing the transparency of inbound and outbound logistics, manufacturing, marketing, and all other business functions such as accounting, legislation, human resource, etc. Industry 4.0 emphasizes the use of technology in three distinct domains: data collection, transmission, and analysis. Industry 4.0 utilizes data acquisition equipment, such as sensors and actuators, to collect data generated in manufacturing and business processes that reflect machine health, product quality, surrounding environment, energy expense, labor cost, inventory location, etc. This information is exchanged continuously between objects (e.g., machines, devices, products) across entire companies, and even with outside entities such as suppliers and customers. Data analytics techniques are developed using these data to monitor product quality, identify machine faults, save costs, and facilitate decision making.
As industry moves toward the next generation, auditing should also adapt to the new environment. Auditors can leverage new technologies to collect a large range of real-time, audit-related data, automate repetitive processes involving few or simple judgments, and eventually achieve comprehensive, timely, and accurate assurance. For example, since RFID tags are embedded into products for tracking their product codes, the collected geographic information could also be used to examine inventory quantities (Krahel and Titera 2015). Business processes can likewise be monitored for internal control defects through event log analysis (Jans, Alles, and Vasarhelyi 2014). With the increase of the digitalization of business processes across the entire enterprise, auditors can continuously monitor business operations and identify abnormal behaviors in real time.
This paper foresees the impact of the fourth industrial revolution on the auditing profession, imagineers the use of new schemata promoted by Industry 4.0 for audit purposes, and identifies challenges in the transformation toward the new generation of auditing: “Audit 4.0.” The remainder of this paper proceeds as follows. The second section provides a discussion on Audit 4.0 from the perspectives of definition, auditing history, and essential elements. The third section imagines how auditing schema could be changed toward the new generation. The fourth section identifies new challenges faced by Audit 4.0. Discussion of the evolution of the auditing profession is provided in the fifth section. The last section concludes this paper and identifies several future research directions.
Definition of Audit 4.0
Audit 4.0 will piggyback on technology promoted by Industry 4.0, especially the Internet of Things (IoT),2 Internet of Service (IoS),3 Cyber-Physical Systems (CPSs),4 and smart factories,5 to collect financial and operational information, as well as other audit-related data from an organization and its associated parties. It analyzes, models, and visualizes data in order to discover patterns, identify anomalies, and extract other useful information for the purpose of providing effective, efficient, and real-time assurance. It is typically an overlay of Industry 4.0 business management processes and uses a similar infrastructure, but for assurance purposes.
Evolution of Auditing: From 1.0 to 4.0
Traditional manual audits (Audit 1.0) have existed for centuries fulfilling many needs. Although the IT audit (Audit 2.0) emerged in the 1970s, and most all businesses are currently computer based, only about 15 percent of auditors are IT enabled (Protiviti 2015). This delay of IT adoption can be partially attributed to the conservatism and rigidity of the profession, as well as the calcifying effect of increasingly obsolete regulation (Liu and Vasarhelyi 2014), but also to the lack of quality tools that would allow traditional auditors (i.e., those without IT and analytics training) to automate the functions that they currently perform manually (Brown-Liburd, Issa, and Lombardi 2015). The key characteristics of these audit generations are presented in Table 1.
It is arguable that Audit 3.0 will emerge much faster than the previous generations, as it may be impossible to assure modern Big Data systems with the tools of the past. Anachronistic regulation, where for example a population of millions of transactions is examined with an extract of 70 transactions, may contribute to delays that reduce the relevance of external assurance.
Elements of Audit 4.0
Audit 4.0 will significantly change the auditing profession by automating current procedures, enlarging their scope, shortening timing, and eventually improve the overall assurance quality. This section illustrates the impacts of Audit 4.0 on the auditing profession from four perspectives: standards, principles, technology, and auditors.
Krahel (2012) discussed the formalization of auditing standards arguing that most standards should be embedded into software as their implementation, in modern systems, tends to be done by computers. Consequently, the ambiguity in current auditing standards should be replaced by formal representation to allow for near-real-time assurance. Assurance, in the world of Industry 4.0, will be largely dominated by formal inter-object protocols, the technical capabilities of “things,” and the objective functions of the interlinked objects.
Standards should be programmed into machines, production lines, and products to enable real-time measurement, processing, and communication of financial information. For example, inventory measurement would be automated by tracking the current values of purchases (Krahel and Titera 2015). Manufactured inventory can also be constantly measured by collecting real-time data regarding energy consumptions of production lines and labor costs. Many items that were overhead allocation will be measured directly. In addition, products will autonomously issue alerts if they are obsolete, slow moving, or damaged, to prevent including or overstating the value of obsolete inventory. Such automation could reduce auditor effort vis-à-vis physical observation and manual inventory pricing, additionally providing precise performance and risk information in real time.
Industry 4.0 consists of six main technological principles: Interoperability, Virtualization, Decentralization, Real-Time Capability, Service Orientation, and Modularity. Similar to Industry 4.0, Audit 4.0 relies on those six principles to increase data availability, enable continuous data monitoring and validation, and improve the automation of audit procedures.
Interoperability is both an important enabler of Industry 4.0 and a key design concept of a future lifestyle. An intuitive example is the interoperation among traffic lights and vehicles (Drath and Horch 2014). Traffic lights in the future would connect to a network and provide information regarding their colors and time schedules. Cars would then receive this information from the network and adjust speed accordingly to reduce gas consumption and minimize emissions. The cars could also send their geo-location information and speeds to the network to adjust the schedules of traffic lights for an optimal traffic flow. In Industry 4.0, field devices, machines, plants, factories, and even products will be all connected and communicate through a global network (Drath and Horch 2014), which enables interoperation within enterprises and across entire value chains. Through communication and interoperation, new business models could become more intelligent and informative, achieving a higher level of optimization.
As interoperability continues to change the current business model, it could further impact the audit profession. In Audit 4.0, interoperation among suppliers, customers, banks, and other business entities could enable near-real-time examination of transaction-level occurrences and completeness assertions. A secure network is established to facilitate communications across different business entities. If a transaction occurs that involves two business entities, the two ERP systems will share the related accounting information. The entities will receive the information, match it with the corresponding data in their system, and issue warnings if they cannot be matched. Such interoperation could automate the examination of transactions and highlight suspicious transactions for auditors and management. Within a company, transactions from different business processes could be utilized jointly to verify the continuity of the processes (Kogan, Alles, Vasarhelyi, and Wu 2014). By creating continuity equations over metrics generated from related business processes, auditors will be able to discover anomalies that are significantly different from the predicted value of the metrics.
In Industry 4.0, as objects are connected to networks, their information about location, conditions, surrounding environment, etc., can be shared and integrated, and become searchable, explorable, and analyzable (Drath and Horch 2014). Using such information, a virtual copy of the physical world could be created that represents all objects in business with their relations and activities. In this world, each physical “thing” has a digital representation with a unique identifier (e.g., the legal entity identifier of a corporate entity), and its information would be continuously updated and transmitted to related parties. Virtualization enables transparency throughout the value chain, with all business processes and their performance presented in detail (Schuh, Potente, Wesch-Potente, Weber, and Prote 2014). Management can detect problems and bottlenecks in real time through virtual process monitoring. R&D departments will also benefit from discovering and eliminating shortcomings of new products through virtual reproduction and simulation (Schuh et al. 2014).
Technologies have been developed to create a virtual copy of the physical world. Smart, Cascio, and Paffendorf (2007) described a scenario of virtual life called “mirror worlds,” similar to the virtualization in Industry 4.0. Smart et al. (2007) defined the mirror worlds as “informationally-enhanced virtual models or reflections of the physical world.” Google Earth is a well-known example of the mirror worlds, within which contextual information on objects is captured, stored, and managed (Smart et al. 2007). The mirror worlds map each individual physical object to its virtual representation, can record its conditions over time using sensors, and create models to simulate object behavior. Using mirror world technologies, either individual business processes or the entire value chain can be digitally represented to facilitate control and analysis.
Information recorded in the mirror world could dramatically reduce auditors' fieldwork and serve as an independent party to facilitate accounting information evaluation. As all relevant “things” in a business process will be virtualized and have representations in the mirror world, auditors could perform most of the onsite examination remotely and continuously. For example, the mirror world can record the time when a physical inventory item arrives and leaves the company, as well as its locations and conditions over time. Auditors can use this information as a substitute for physical inventory examination, and can likewise examine the occurrence and completeness of transactions by comparing the transactions in the mirror world with those in the company's ERP system. Mirror worlds can also be used to link nonfinancial processes (e.g., personnel, production, web clicks) to the accounting records providing sequential integrity assurance.
Corporate IT is increasingly dependent on cloud systems with virtual machines. In the near future, these systems will extend to a larger and larger network of progressively more intelligent “things” where the current capabilities of radio-frequency identification (RFID) chips will be replaced by self-contained computers performing a large number of enhanced functions.
The increasing demand for customized products complicates today's manufacturing systems and, thus, it is difficult to centrally control machines (Hermann et al. 2015). For example, there are over 15 billion possible configurations of the Ford Fusion in the German market (Schleich, Schaffer, and Scavarda 2007). Such massive customization demands require the operation of production and assembly lines to be decentralized so that each machine or production line can make individual decisions and adjustments (Schuh et al. 2014). As the business environment becomes more complex and dynamic, the trend of decentralization will extend to the auditing profession. Internal control mechanisms could be embedded in each individual machine or device in order to continuously monitor accounting data and detect abnormal transactions that exceed expected thresholds. Such systems will be able to adjust thresholds on their own based on the changing environment and inputs from auditors, and submit failures and complex decisions to auditors for further investigations. These systems would be substantive enhancements to the continuous audit process envisaged by Vasarhelyi and Halper (1991).
Factories in Industry 4.0 continuously monitor the conditions of physical objects and manufacturing activities in order to discover system faults, adjust production, and make decisions in real time. For example, if a machine failure is detected, the factory will immediately react to the fault and reroute production to other machines (Shrouf, Ordieres, and Miragliotta 2014). In the long-term horizon, factories will have the capability to adapt to changing market demands, technology options, and regulations in real time (Schlick, Stephan, Loskyll, and Lappe 2014).
Vasarhelyi and Halper (1991) argued for an “audit by exception” where metrics would measure systems, standards would serve as benchmarks, and analytics would encompass the rules guiding issuing alarms to trigger actual audits. Audit 4.0 would expand these concepts to have diagnostics activated, self-correcting data algorithms (Kogan et al. 2014) fix errors, and self-aware devices alerting to the need for human intervention. Siemens Corporation developed and adopted an efficient model to enable real-time controls monitoring (Alles, Brennan, Kogan, and Vasarhelyi 2006). This model analyzes control settings and provides real-time identification of high-risk transactions that exceed expected limits and parameters. Kim and Vasarhelyi (2012) built a model to continuously detect fraudulent transactions in the wire transfer payment process. By examining each transaction with predefined fraud indicators and estimating overall fraud risk, the model can identify potential fraud immediately and alert auditors for further investigation.
Hermann et al. (2015) described the service-oriented feature of Industry 4.0 as follows: “The services of companies, CPSs, and humans are available over the IoS and can be utilized by other participants.” This service-oriented architecture is evolving as an important business model in the era of Industry 4.0. Any resource, such as production lines, assembly lines, storage, computation, labor, expert knowledge, etc., can be offered via a network, and companies could pay per service. This business model can dramatically reduce manufacturing costs and bring extra profits by increasing cooperation between related parties, especially in those industries that have an increasing demand for customized products.
Audit 4.0 can adopt the service-oriented architecture to facilitate cooperation between auditors and other related-service providers. For example, data analytics is a useful and powerful technology that has been acknowledged by the audit profession, but its use is below expectation (Li et al. 2015). An important reason is that the inherent complexity of data analytics techniques may be beyond auditors' knowledge (Schneider, Dai, Janvrin, Ajayi, and Raschke 2015). To circumvent this barrier, auditors can outsource the workload to professional data analytics companies or analytics software providers. Using the services from experts, auditors could be free from analysis work and focus on essential decisions. In a similar vein, audit software service could become cloud enabled. Instead of selling audit software to individual audit firms or companies, the providers offer their software on a secure cloud and charge based on usage. This service-oriented model reduces both the upfront cost of audit software and later maintenance expenses.
Modular systems gain prominence in Industry 4.0, as they can easily adapt to changing environments or requirements (Hermann et al. 2015). For example, production assembly lines can be broken into modules and each assembly station can individually compose the required processes based on a customer-specific configuration. This model is flexible enough to produce new configurations and adjust to seasonal fluctuations (Hermann et al. 2015).
Vasarhelyi, Warren, Teeter, and Titera (2011) imagined how modularity could facilitate auditors to perform analytics flexibly and efficiently. They proposed the use of audit apps as modules, assembling them together to perform complete analytics procedures. Audit apps are a set of formalized analytical routines that can be performed by a computerized tool (Vasarhelyi et al. 2011). Each audit app often performs a single analytics-based audit test. Auditors can choose and deploy appropriate audit apps based on the individual audit plan, and audit by exceptions. A new set of apps is chosen and used for each different audit client sensitive to specific risks, client capabilities, business environment, and auditor competencies.
Sensors, CPS, IoT, IoS, and smart factories are the core technologies that enable the intelligence, flexibility, interconnectivity, and corporation of Industry 4.0 and Audit 4.0. Other technologies, such as RFID, GPS, and data analytics can also be integrated to support the next generation of auditing.
The advance in micro-electro-mechanical systems technology and digital electronics at the beginning of 21st century enabled low-cost, low-power, multifunctional sensors (Akyildiz, Su, Subramaniam, and Cayirci 2002). These sensors, with the functions of data acquisition, processing, and communication, would be widely used in Industry 4.0 and could completely replace humans' role in data collection. Sensors could include pacemakers, location identifiers (e.g., GPS), individual identification devices (e.g., RFID tags), etc. (O'Leary 2013). Applications using sensor data and spatial information serve as examples that form the basis for smart homes, smart factories, and smart cities (Paelke 2014). A recent project launched by the Boston mayor's office6 demonstrated how sensors collect real-time data to facilitate city improvements. The “Street Bump” project aims to monitor Boston's streets by collecting road condition data through sensors in volunteers' mobile phones while they drive. A mobile app can capture bumps on the road via built-in balance sensors of the phone, along with their locations and geo-tagged pictures of the environment. Such data provide governments with real-time street condition information, helping to fix bumps and plan long-term investments.
The acquisition of accounting data is increasingly automated (Alles and Issa 2013). Sensors can hasten data acquisition to a real-time level with a much broader scope of data. An efficient way to capture accounting data is to use the sensors that are already built into manufacturing systems, logistics systems, or products. For example, smart refrigerators in the future can be embedded with sensors, cameras, and computers for the purpose of tracking food, expiration dates, and conditions. Similar devices could be used to capture accounting data throughout the business process with small extra cost. Vasarhelyi (2015) defined such utilization of devices and infrastructures built in business or manufacturing processes for auditing purpose as “piggybacking.”7 Using this strategy, auditors could obtain real-time accounting information that reflects current performance, such as quantity and quality of inventory, working hours of employees, energy consumption, etc., and discover system faults in time.
Cyber Physical System (CPS)
Other equipment that would play an essential role in Audit 4.0 is Cyber Physical System (CPS), a new technology that embeds computers, sensors, and actuators into an integrated platform. CPSs merge the physical world and its digital copy by tracking and documenting the physical processes of production, analyzing data, and building an integrated virtual model that also links with other CPSs to enable real-time monitoring and decision making. An example of CPS is smart preventive maintenance (Lasi, Fettke, Kemper, Feld, and Hoffmann 2014) in which a machine's sensors capture process parameters, such as stress, temperature, operating hours, etc., and the embedded computer records wear and tear. By combining the information of the physical object and its digital process parameters, the real condition of the machine could be measured.
In the context of Audit 4.0, CPSs could be employed to monitor and analyze accounting data flow, recognizing behavior patterns of different business sectors, discover irregularities or anomalies, and taking in-time actions. Since future machines, devices, and products will possess CPSs, they can trigger the company's ERP system to record accounting transactions and business events without human intervention. In addition, since CPSs independently store the history of business activities, or the movement and condition of physical objects, such data could serve as a validation of companies' financial information. By automating the comparison between information stored in CPSs and the corresponding accounting data in the company's ERP system, auditors and management could obtain real-time alerts if a transaction record violates accounting standards.
Internet of Things
IoT is an essential element that enables factories moving forward to the new industry generation. IoT is a paradigm where physical objects are equipped with RFID tags, sensors, or CPSs and are linked through a network that offers connectivity among devices, systems, and humans (Chui, Loffler, and Roberts 2010; O'Leary 2013; Pisching, Junqueira, Santos Filho, and Miyagi 2015; Shrouf et al. 2014). The main purpose of IoT infrastructure is to integrate everything in the business world into the network where those “things” can communicate their status, surrounding environment, production processes, and maintenance schedules. (Pisching et al. 2015; Shrouf et al. 2014). This infrastructure collects and shares information through the value chain, and further facilitates real-time decision making and business automation.
Auditors can utilize the IoT infrastructure to enable real-time, comprehensive assurance. Recent studies promoted the use of a much broader scope of data (i.e., “Big Data”) than the traditionally defined accounting data when monitoring and auditing transaction information (Brown-Liburd and Vasarhelyi 2015; Moffitt and Vasarhelyi 2013; Vasarhelyi, Kogan, and Tuttle 2015). For example, blogs, message boards, and social media could be integrated in the analysis of financial information (O'Leary 2012; O'Leary 2013). Photo, video, and GPS location could also be used as evidence to verify transactions (Moffitt and Vasarhelyi 2013). Auditors can rely on IoT technology to capture the high volume, different structures of information from a large variety of resources in real time. In addition, IoT can facilitate real-time supervision of the expense and performance of business processes. For example, with the help of IoT, companies can remotely monitor energy consumption from individual machines and production lines (Shrouf et al. 2014). Internal auditors could detect wasteful energy usage by comparing production plans and real-time energy consumption.
Internet of Services
With the increasing digitalization of services, people are able to obtain computational resources, electronic storage, or even expert knowledge through the Internet. The main idea of IoS is to provide companies a platform that they can offer such services remotely to various customers. A good example of IoS is the project THESEUS (Buxmann et al. 2009). THESEUS deals with technology that facilitates services to be much more easily and precisely found, combined, used, and paid for via a network. It also attempts to establish a complete open platform on a cloud for developers and market participants to build applications, services, and new business models (Kagermann 2014). The platform increases the transparency of the availability of services, enables the collaboration between various partners, and facilitates participants to provide web-based services.
Auditing is a service industry that provides examination of an organization's financial statements. This profession is moving gradually toward online, digitalized services with the development of ERP system technology and the digitalization of accounting information. Vasarhelyi and Halper (1991) proposed a new model of audit that continuously monitors and analyzes the accounting data flow of an organization, and anomalies or exceptions will trigger alarms to call auditors' attention. This continuous auditing and monitoring may be represented as an online service that audit firms can offer remotely, continuously and, maybe, automatically. Companies will request services over the Internet, and such requests will then be matched with the services that audit firms can provide. Audit firms will deploy their continuous auditing and monitoring models over a cloud-based infrastructure or in the company's accounting information system to analyze the account data flowing through the organization. Anomalies, as well as relating information, will be sent to auditors to perform further investigation.
Smart factories and smart products
The advance in sensors, CPSs, IoT, and IoS ushers in the fourth industrial revolution, and promotes a new intelligent, flexible, and secure factory: the “smart factory.” Hermann et al. (2015) imagined that smart factories would employ a completely new approach to production, in which smart products are identifiable and traceable with the capability of self-awareness and optimization, and the whole manufacturing systems are connected vertically with other business processes and horizontally with related parties outside of the factory. Shrouf et al. (2014) visualized the main components and processes in a typical smart factory (Figure 1).
In a smart factory, production is initiated by receiving orders with customized requirements via a network that connects the entire factory and outside related parties. The smart factory then generates a manufacturing plan based on machines' capabilities and status collected from the network, and autonomously guides raw materials and products throughout the production lines. The smart factory produces smart products that integrate the functions of data processing, storage, and analysis. The smart products record and transfer their conditions and status, as well as customers' behaviors and demands, to the factory to facilitate quality control and product design. The smart factory is also connected to suppliers to enable just-in-time inventory. Compared to a traditional manufacturing industry, the smart factories improve the flexibility of manufacturing, increase the automation of operations, enable mass customization and proactive maintenance, and connect all sectors in the value chain (Shrouf et al. 2014). Therefore, smart factories are becoming the core of Industry 4.0.
As smart factories collect and integrate accounting and other audit-relevant information throughout the entire value chain, auditors could utilize those data and functions to facilitate monitoring and controls of accounting data flows in an organization, sharing accounting information among related parties, performing predictive and preventive audits, and eventually achieving close-to-real-time assurance, enlarging audit scope, and improving quality.
Some existing audit procedures could be automated under the context of smart factories, such as the automation of inventory valuation and measurement through tracking locations and conditions of smart products, and automatic validation of transactions using the corresponding accounting records from related parties. Moreover, auditors are able to analyze ever-larger volumes of data from various resources to provide precise “predictive assurance” (Kuenkaikaew 2013). Examples could be predictions of sales based on customers' comments and feedbacks, estimations of energy expense by collecting real-time consumption of each production line, or prevention of bad debts and preparation of allowances according to customers' profiles and ongoing behaviors. The same type of reorganization and utilization of new locational, computational, and analytics that enables the smart factory could create a continually updated “smart audit.”
Other techniques that support Audit 4.0
RFID can identify an object in the virtualized world and report product status. GPS can be used to track products. In addition, workers' location in a factory could also be tracked using smart ID cards in order to provide them with guidance and instructions onsite (Gorecky, Schmitt, Loskyll, and Zuhlke 2014). Data analytics will continue playing an important role in Audit 4.0 by discovering patterns, detecting anomalies, identifying relations, and obtaining other useful audit-related information.
In a world of intense automation and process scrutiny, the skillset of auditors is to change dramatically. Appelbaum, Kogan, and Vasarhelyi (2016) and Kozlowski (2016) discuss these needs. The auditor must be much more technically trained, but processes must also be built with untrained users in mind. For example, Byrnes (2015) developed a “super-app” to supplement auditor usage of clustering. This tool not only performs clusterization, but also applies statistical knowledge to complement auditor knowledge.
IMAGINEERING AUDIT 4.0
With the intense use of sensors, CPSs, IoT/IoS, and smart factories, the business world is moving forward toward a highly automated, highly flexible,8 and highly interconnected environment,9 with the real-time capabilities of corporation, fault detection,10 prediction,11 and decision making. The auditing profession should adapt to this wave of changes and leverage the emerging technology to enlarge the scope of auditing, shorten timing, improve accuracy, and eventually enhance the assurance level of the whole business world. This section imagines how auditing could be changed in the new environment of Audit 4.0. A summary of the Audit 4.0 structures is shown in Appendix A.
Since everything will be connected to the network, and potentially equipped with a CPS that allows data collection, processing, storage, and transmission, a virtual representation of the physical world, the “mirror world,” can be created. Each object in the physical world will have a representation in the mirror world, and continuously update the information about conditions, locations, surrounding environment, history, etc., to the virtual representation. The mirror world will be established in a large, integrated cloud, which serves as an independent third party. Using data from various resources, the mirror world will enable automatic confirmation between related business entities, automation of inventory and cash balance evaluation, real-time energy measurement and management, real-time faults and irregularity detection, remote continuous auditing/ monitoring, and remote audit-facilitating service. Figure 2 visualizes the basic structure and functions in Audit 4.0.
Figure 2 shows the four major parties in Audit 4.0, including companies, related business parties (such as suppliers, customers, banks), audit firms, and vendors that offer audit-facilitating services (such as audit software, audit data analytics, etc.). Those four parties are interconnected, communicating in real time, and cooperating with each other. All objects will be traceable and able to store their conditions, status, and history locally, which can facilitate the validation of accounting information in an organization. In Audit 4.0, the changes of the auditing profession will be mainly from three aspects: (1) inter-business parties, (2) intra-business, and (3) audit service. Figures 3–5 show the new audit model from these three aspects, respectively.
Figure 3 shows how Audit 4.0 can virtualize the physical examination and automate the confirmation process by allowing connections and corporations between related business entities. Due to its labor-intensive nature, physical examination can only be performed on a limited basis. Audit 4.0 makes products traceable and as a result enables real-time inventory examination. Confirmations are a highly regarded type of evidence, but they are historically costly to obtain. Audit 4.0 can minimize the cost by autonomously matching related accounts and transaction records from different parties, issuing alerts only if the information cannot be matched. Furthermore, organizations can opt to create autonomous storage of their joint transactions.
A supplier ships smart products (usually equipped with CPSs) to a company; the smart products will sense changes in location and record their status (out for delivery) and time in the embedded systems. They can also communicate with a worker's smart personal tag and provide personnel identifiers or electronic signatures. Next they will trigger the supplier's ERP system to record sales and receivables, reduce the inventory, identify the employee that executed the transaction, and send all the information to the mirror world. Upon arrival, the smart products will verify their locations and change their status to “arrived.” In addition, sensors embedded in the smart products can report their conditions to the warehouse personnel (also tag identified), who will decide whether to receive or return to the supplier. Those received products will trigger the purchasing company's ERP system to record inventory and payables, and change their status to “inventory.” The products will also update their locations and status upon the departure from the company's warehouse to record sales and reduce in inventory. All the changes and new information will be updated continuously in the mirror world. To count inventory, auditors can simply check the locations and status of virtual products through the mirror world.
The mirror world enables a new model that automatically collects confirmation evidence (Li and Vasarhelyi 2016). Relating accounting information (receivables and corresponding payables, cash account, and bank balance) from business partners will be located from the mirror world and matched. Such automatic confirmation can provide real-time, reliable, on-demand verification at both the transaction and account levels through company collaboration. Moreover, as the mirror world records the details of business activities happening in the physical world, it can serve as an independent information resource to verify the accuracy of accounting records in the company's ERP system.
Connecting the Mirror and the Real Worlds
The dual worlds have their connections providing the key functionalities that the world of IoT and other technologies allow.
Figure 4 shows how Audit 4.0 can provide a comprehensive assurance to a company by gathering and analyzing accounting and other business data from the entire business. The mirror world will continuously capture data that reflect the current status and performance of the organization. In addition, business processes will be monitored against predetermined rules to detect violations of key controls, and cross verified via certain continuity equations (Kogan et al. 2014). Employees' activities will also be captured by cameras and sensors to identify irregular or abnormal behaviors. Those data will all be linked to an organization's ERP system to enable real-time accounting.
The mirror world will integrate real-time data from the entire organization into a data repository in the cloud. Auditors and other experts can create analytics models on top of the data repository in order to continuously detect anomalies, discover system faults, identify control inefficiency, and manage resources. Once an anomaly or fault occurs, the models will send an alert to auditors or management, who will promptly take action. Some control monitoring models can also be implemented in the individual equipment or facilities instead of the cloud, if they only monitor local data generated or flowing through the machines. Such decentralization may dramatically reduce the workload in the cloud and improve overall efficiency.
Figure 5 shows how Audit 4.0 will enable flexible, low-cost, and high-quality audit service based on the concept of IoS. An open platform that is accessible by audit firms, companies, and audit-facilitating services vendors, will be established on a cloud. In the Audit 4.0 environment, audit firms are able to provide digitalized services, such as continuous auditing and monitoring and anomaly detection, in a remote manner. Each audit firm can publish detailed descriptions of their services and availability on the platform. Companies can also announce their requests for service along with requirements. The platform will autonomously match the services offered by audit firms with the demands from companies and recommend the most appropriate audit service to the companies based on the service matching, timing, and quality. A company will be able to use services from various audit firms. Once the company accepts the service, the audit firm will then offer the service remotely over the platform. Clients' feedbacks will be then collected for service improvement, as well as quality evaluation and controls.
Audit-facilitating service vendors could also use the platform to help perform audits with a relatively low cost. For example, vendors can deploy audit software on the cloud, and offer service to multiple auditors or audit firms at the same time. Auditors can pay per use instead of purchasing the software, and can obtain instant help from vendors as they can directly access the software from the cloud. Auditors can also use the platform to outsource technical work, such as data analysis, to a professional company. Similarly, the platform will match the services offered by the vendors and the needs from auditors and suggest the suitable services.
Although the Imagineering in this section is based on industry and physical products, the same rationale and methods can be applied to digital goods (Vasarhelyi and Greenstein 2003) such as the sale of software, educational materials, banking services, insurance services, etc. In that case, sensors and other measurement software will be replaced by measurement modules, but by and large the methods will be similar.
Digital Crime—“Technology Giveth, Technology Also Taketh”
Technology has been developed to facilitate and enhance a wide spectrum of human activities, but in parallel with these benefits, it also allows for dysfunctional use. For example, Audit 4.0 allows for the usage of RFID chips to mark and count inventory, but RFID chips can be piled in warehouses with no inventory attached. Remote access opens the door to unauthorized use. A highly integrated production system with an online audit layer can be a boon for industry but can also be used to integrate the facilities of an enemy or as an overbearing system of spying by a totalitarian regime. Of particular concern is the issue of cybersecurity, as the power of technology can be used to steal massive amounts of information without obvious traces.
Security and Privacy Issues of Companies' Data
Emerging technology poses a significant threat to the security and privacy of organizational information (Shapiro and Baker 2002). For example, as firms upload their data to the cloud, their accounting information, as well as customers' sensitive data could be exposed to an untrusted environment. Besides, the increasing frequency of communication between different business parties and the share of financial information enhance the probability of a data breach. To avoid potential damage and reputation loss due to security and privacy flaws, companies and audit firms should create strict policies to keep the data secure and private. Some effective approaches include encrypting sensitive information before transmitting to the cloud, using secure channels to commute with other entities, and hiring professionals to install secure products, detect and respond to attacks, and evaluate security and privacy risks over time.
Standardization of Information and Data
Developing uniform data standards is vital for the exchange of information and data in the context of Audit 4.0. Data in Audit 4.0 may originate from a variety of sources, such as the sensors embedded in machines and devices, companies' ERP systems, databases of associated outside parties, and public resources (e.g., news, social media, and governments), and they will be analyzed by different parties with different models of data structure, format, and naming rules. To facilitate information exchange and analysis in Audit 4.0, regulators and standardization agencies should create suitable standards that define the formats and naming rules of commonly used data. A recent initiative in auditing practice is the four voluntary, Audit Data Standards (ADS) issued by the AICPA's Assurance Services Executive Committee (ASEC) Emerging Assurance Technologies Task Force (AICPA 2015), which define the information necessary for three audit cycles. Those ADS provide an example of the efficient exchange of data from various companies. With standardization, interparty data transmission will become seamless, and various analytical tools can be directly employed upon the data without cumbersome data preparation processes.
NATURAL AND ACCELERATED EVOLUTION OF THE AUDIT PROFESSION
The slow evolution of socio-technical systems discussed in this paper creates serious discontinuities in functionalities and creates difficulties in the evolution of technological use. Some factors may serve to accelerate this process including visionary research followed by opportunistic business initiatives. Among the accelerating factors we find pressure from different stakeholders, competitive costing pressures, development of facilitating applications, and a competitive international disadvantage by more progressive legislation in other countries, etc.
Conceptually, many questions arise as it could be argued that a layer of automated assurance is not an audit but a set of controls. This issue will be raised with predictive audits (Kuenkaikaew 2013), prescriptive audits,12 and continuous auditing (Vasarhelyi and Halper 1991). Although it has not been much discussed in the literature, layers of technology and the utilization of analytics will change the natural roles of the three lines of defense (management, internal audit, and external audit). Internal audit has in some instances taken a more aggressive role in the adoption of technology (Vasarhelyi, Alles, Kuenkaikaew, and Littley 2012). External audit has in instances relied on this more advanced work and, in certain cases, under adverse economic incentives, adopted advanced analytics to decrease its risks, although the traditional audit steps are still required by regulators. Management is increasingly utilizing advanced analytics in their processes and is starting to require their assurers to do the same, although the Sarbanes-Oxley Act limits advisory services provided by external auditors.
CONCLUSION AND FUTURE RESEARCH
Audit 4.0 utilizes data collection equipment such as sensors, embedded computers, and software modules to collect data across the entire company and its outside entities, such as suppliers and customers, via a network in close-to-real time. Data analytics techniques are employed to build models upon these data for the purposes of monitoring product quality, identifying machine faults, saving costs, and facilitating decision making. Audit by exception (Vasarhelyi and Halper 1991) is used to bring attention to major issues in a largely automated audit. The audit process strongly relies on a mirror world representation of processes and a strong analytical interlinking of not only financial but especially nonfinancial to financial linkages. Finally, the approach will substantially rebalance the concepts of lines of defense, will be applicable to many types of assurances (external, internal, specialized), and will be mainly automated.
A large number of issues arise from the vision in this paper:
What new types of audit evidence can be generated and collected in the context of Audit 4.0?
As more data will be collected in Audit 4.0, how can auditors avoid information overload to find relevant auditing information?
How should the auditing standards be changed to adapt to the next auditing environment?
What are the new audit procedures to be developed/created in Audit 4.0?
What new knowledge should auditors obtain to perform audits in Audit 4.0?
What should be done to protect the security and privacy of companies' sensitive information in Audit 4.0?
How should external and internal auditors cooperate to enable Audit 4.0?
8. Will the current audit model be changed in Audit 4.0?
What are the new roles of the different lines of defense?
How can predictive and prescriptive audits be used in Audit 4.0?
Audit 4.0 will considerably lower the cost of auditing procedures. These are typically the result of trade-offs of the cost of a particular procedure versus the benefits of such examination. How will this change the depth of examination, the procedures used, and their frequency of usage?
As many emerging technologies/systems are used in Audit 4.0, what are new controls that should take place to examine whether the technologies/systems operate as they are supposed to do?
—Jun Dai Rutgers, The State University of New Jersey, Newark Southwestern University of Finance and Economics
—Miklos A. Vasarhelyi Rutgers, The State University of New Jersey, Newark
Industry 4.0, also called “Industrie 4.0,” became publicly known at Hannover Fair in 2011 (Drath and Horch 2014). It introduces the state-of-the-art technologies, such as Internet of Things, Internet of Service, Cyber-Physical Systems, and Smart Factories, into the manufacturing environment, which enables fundamental improvements to the industrial processes of manufacturing, engineering, material usage, and supply chain and life cycle management (Kagermann, Helbig, Hellinger, and Wahlster 2013).
Available at: http://www.cityofboston.gov/DoIT/apps/streetbump.asp
Progressively, hardware and software are built cumulatively and undergo multiple uses. For example, chips and other hardware elements are the basis for computers and their operating systems. These are the bases for accounting systems, etc. This cumulative usage of overlapping technologies is called piggybacking.
Auditing standards and the PCAOB review process likely preclude flexibility in the auditing domain.
Interconnectivity of processes, as well of business partners, would pose serious challenges for assurance standards but could substantially reduce risks to population and value integrity.
Systems are most often set up sequentially; consequently, upstream fault detection is downstream fault prevention.
Audits are not inherently retroactive, but are forced into a “looking backward” role by technological limitations. Modern Big Data and analytic methods allow for assurance that can be predictive or at least very close to the event.
Interlocking of processes where equations (Kogan et al. 2014) are created that verify the continuity of processes including timing differences
Interlocking of similar processes across organization boundary lines for confirming transactions and bank deposits, as well as account balances
A large number of analytics can be developed out of printed press, social media utterances, etc. to predict/correlate to/support the values of the balance sheet and income statement
The same approach can be applied to utilization of items connected through the Internet of Things (IoT), such as track items' locations and conditions to perform remote inventory evaluation, measure and evaluate assets' conditions and qualities using sensors, as well as monitor real-time energy expense
An open platform can be established to allow remote auditing/monitoring services and audit-facilitating services offered on the Internet or a cloud
The ideas, comments, and suggestions of J. P. Krahel, Bo Chen, Trevor Stewart, Deniz Appelbaum, Neha Borkar, Kristyn Calabrese, Xuan Peng, Andrea Rozario, Zhaokai Yan, Lu Zhang, and Jiahua Zhou are very much appreciated.
Editor's note: Accepted by Miklos A. Vasarhelyi.