What is the future of external audit?

Article by Carolyn Clarke - Deputy President of the Chartered IIA and director of Brave Consultancy

This is a serious question – does our current external audit system add value across the spectrum of stakeholders and issues that comprise a resilient organisation today? What does it tell us? Is this what we most need to know – and does it make our companies stronger?  

It seems crazy that in the 21st century we have an external audit profession that developed to meet specific circumstances in the late 1880s. The first iterations of The Companies Act emerged in the late 19th century to resolve needs created by the industrial revolution. Manufacturers and their aristocratic investors did not speak the same language or share common experiences - and they did not trust each other. Rules were needed to hold management to account and protect investors’ money. 

Once the rules were in place, an assurance profession developed to monitor and assess reports. This helped to inspire trust among people who had little in common. The audit profession developed from here. 

And because auditing was all about preparing financial reports for shareholders, so the profession developed in tandem with the accountancy bodies. These bodies therefore became responsible for training and accrediting auditors. This system has continued for so long that we rarely question whether it still makes sense. 

However, technology and artificial intelligence are now transforming how we gather, track and monitor financial data and how it is then restructured to comply with financial reports and accounting standards. Tech can flag up areas that require judgments and can prompt board discussions and decision-making. It can monitor the decision-making process and produce reports for shareholders, automatically and in real-time.  

What do we need now? 

Some human intervention is still necessary. We need to check whether the technology is set up correctly and whether it is reliable and accurate. People need to make decisions about complex areas where judgment is required. Investors still want assurance that these aspects are considered and adequately managed. Many would also want to see humans monitor and make decisions over intentional wrongdoing. 

The Companies Act states that companies must consider all their stakeholders, not just their investors. This implies that in order not to give undue weight to investors, you should focus on the needs of other stakeholders. Yet these people are often less concerned with the company’s financial results (so long as it is sustainable financially) and want to know about other issues, such as its environmental impact and reputation. 

These concerns are less comprehensively reported under our existing financial standards. We therefore need a broader range of reports that show us the real state of our companies and their resilience – are directors thinking about broader risks and making decisions that take these into account?  

It is hard to see how we can do this through our existing external audit system without incurring huge costs and an unrealistic reporting and assurance burden. Furthermore, to gain this information, we first need to know that directors have the internal oversight and assurance they require to run the business sustainably. 

More internal, less external? 

This leads to a conclusion that we need more people with a professional remit, expertise and skills working within the business to provide assurance to directors over a broad range of issues relevant to all stakeholders. Surely we would have stronger, more resilient businesses if we used more resources to provide comprehensive internal assurance to directors, and less to provide limited financial reporting to investors? 

Once automated external financial auditing is in place, it makes sense to divert resources to improving the internal assurance that provides the information relevant to the wider pool of stakeholders. Well-structured internal assurance, and professional scrutiny that meets established standards, can be used internally by directors and reported externally to stakeholders. 

In ten years’ time, could we see a situation where it’s the norm for companies to spend 80% of their assurance and audit budget on getting the internal information flow right, with the remainder focused on the few financial reporting areas that require human input? And would this increased flow of data on a range of internal issues increase trust in our businesses? 

It would also raise questions about why external assurance should be so closely aligned with the accountancy bodies. Would trained accountants be the best, or only, people who could make the judgments or ask the questions raised by the automated systems?  

There are clear structural issues here, but how long should companies continue to spend more and more on an external financial assurance process that adds less and less value. After all, how often do external audits result in adverse opinions? Our biggest corporate failures were not prevented by external audits. And how does it benefit companies if directors focus on reporting requirements more than on spotting internal problems? 

Boards should be asking what companies and their stakeholders need in the future. How do we train the people we need to meet these needs? How do we ensure smooth interaction across global borders and between directors and stakeholders? How do we ensure directors get the assurance they need to make critical decisions?

These questions require debate. But whatever we decide, it’s unlikely that a system set up to protect aristocratic investors in the 19th century is the answer.