The American Institute of CPAs is encouraging firms to modernize the way they conduct audits by using data analytics technology and working to improve the way employee benefit plan audits are conducted in response to a critical Labor Department report.

During a speech Tuesday in New York at a meeting of the Accountants Club of America, AICPA president and CEO Barry Melancon discussed the findings of the report, along with other topics (see AICPA Takes on IRS and Expands Internationally and Labor Department Finds Problems with CPA Audits of Employee Benefit Plans). The U.S. Department of Labor’s Employee Benefits Security Administration found serious deficiencies in 39 percent of the audits of employee benefit plans that it examined.

Melancon admitted the report pointed to “very bad results” for employee plan audits. He said the AICPA put together a six-point action plan to address the issues in the report.

“Congress reacted very favorably to that, and ultimately the DOL,” said Melancon. “The DOL wanted to see even more regulation put forward, but in the end, Congress said, ‘No, we trust the profession to work on these things they have been targeting from that standpoint.’ And we are doing that.”

Part of the plan involves improving the peer review process, and the AICPA has been working with the state CPA societies on that initiative. “We need to make some specific changes in peer review as it relates to firms that take on new types of engagements that are very specialized,” said Melancon. “The reputation of the profession is based on the fact that we do quality work, and we have to focus on where there are particular deficiencies in that area. We also have a plan that we are working on that would materially change peer review as it relates to a technology-based approach. We’re actually piloting that beginning in the fall of 2016 with different-sized firms that volunteered for that. They’ll work in 2016 and 2017 on that concept. Instead of reporting out, it’s going to be used internally at first so we can learn from that and see how it works. What we envision is really a connection with the technology and the software that firms use to manage their engagements, with audit indicators on quality and being able to spin off earlier indications of problems before a firm even issues a report.”

Instead of looking at the results afterward, as is standard with the current peer review process, the concept is to use technology to affect the results before they go out the door. “Then we would be delivering the quality that is expected of the profession,” said Melancon. “The negative of that is people will feel it is a bit intrusive, so we’ve got to find the right balance.”

The AICPA is making changes in both auditing and assurance services. The Service Organizations Task Force of the AICPA’s Auditing Standards Board has developed an illustrative dual opinion service auditor’s report. The new report is for use when a service auditor is reporting on a description of a service organization’s system and the suitability of the design and operating effectiveness of controls (type 2 report) under both AT section 801, Reporting on Controls at a Service Organization (AICPA, Professional Standards), and International Standard on Assurance Engagements (ISAE) 3402, Assurance Reports on Controls at a Service Organization. The illustrative report is intended for reports dated on or after Dec. 15, 2015.

Cybersecurity Assurance
In addition, the AICPA is working on developing new assurance and attestation services in areas such as cybersecurity. “We now have a whole family of standards called SOC [Service Organization Control] reporting, or statements on controls, that are about attestations to third parties about how businesses are doing in a variety of different ways in their technology operations and things of that nature, not just their financial results,” said Melancon. “This is an explosive area where people want these types of reports. There are firms that in 2015 whose numbers show 400 percent increases in the number of reports that were issued under the SOC standards. This is not because they’re being mandated by the government. These are actually market forces that users, vendors, etc., are saying they want these types of assurances that companies are operating in the best light and doing certain things. That leads us to a very explosive and emerging area that this profession is going to have a role in, which is cybersecurity. Cybersecurity is on the agenda of every board and every single management team in America, and it is a very complex and difficult process.”

He sees significant demand from companies that want attestation on whether or not they have done what they should to minimize the risk of a cyberattack.

“The CEOs of the eight largest firms, working with the Institute, have said we have to have a rational professional answer to this,” said Melancon. “We’re not going to build a firm X answer and have the early adopter advantage in the marketplace. That’s not the way to go, just like we didn’t do that when we built auditing in the 1930s. This is a new wave of that occurring.”

Even firms that don’t service public companies could play a role in providing such services for private companies. Last fall, the AICPA met with the chief information officers of a group of major manufacturing and financial services companies to discuss the need for including provisions for such services in the contracts they sign with other companies, similar to uptime provisions for technology suppliers that can be audited by a CPA.

“What the CIOs of these large enterprises said to us is we have those things in our contracts, but there is no way we have the resources to go in and do that in our vendors,” said Melancon. “They want the ability to require a SOC report from a CPA firm for their vendor or customer. It’s a cascading down of market forces, not regulation. The market is saying, ‘We need to be responsible corporate citizens.’ It will cascade down to smaller businesses.”

Big Data Analytics for Audits
Melancon foresees smaller firms beginning to use the type of sophisticated data analytics technology that the largest audit firms are already embracing.

“Audit is evolving,” he said. “The notion of tests is pretty much gone. One of the major concerns I have is how do we take the technology and the thinking that’s being applied at the largest firms and find a way to bring it down to the smallest firms? It’s a business model change that is pretty dramatic. It’s change management, and a major concern I have is whether or not the entirety of the profession moves on that as quickly as it’s moved. We’re looking at audit software capabilities that are taking ‘big data’ concepts into an audit environment, even of a small company, totally changing the type of work that needs to be done in an audit environment.”

He noted there are 44,000 firms in the U.S., and 16,000 of them do audits in some fashion. “How do we take what is being deployed, predominantly in about six or seven firms, and bring it down to 16,000 firms? It’s a real daunting challenge.”

Melancon believes many firms will need to re-engineer their audit and business processes for this new environment. He sees more small firms using cloud computing technology to deal with their small business clients, including clients that don’t need auditing services. In some ways cloud computing is breaking down some of the traditional barriers between company management and accounting firms.

“We’ve changed our standards to create a new kind of SSARS [Statements on Standards for Accounting and Review Services] standard, SSARS 21, that allows you to be in the preparation notion without a reporting responsibility through using cloud computing,” said Melancon. “So it’s you touching the client’s data and the client touching the data at the same time, and a financial statement comes out of that, but a financial statement without any level of assurance from you. That’s an example of our standards changing as it relates to a new world.”

The AICPA is also working on a research project in conjunction with the six largest audit firms and Rutgers University in New Jersey to drive further change in auditing standards. “The purpose is to take their big data approaches and to do about an 18-month study of how their approach is actually driving quality in the audit process,” Melancon explained. “Then that result can be used to argue for changes in the auditing standards to support this changing business approach. We can change the auditing standards as it relates to private companies, but we can’t as it relates to public companies. The PCAOB sets that. But if we have the research that shows how this has in fact affected the quality and approach to audit, we can do it.”