Implementing data analytics in a big 4 setting and its effect on the audit procedure : an institutional perspective

(1)

Implementing data analytics in a big 4 setting

and its effect on the audit procedure:

an institutional perspective

Name: Thalisa Westerborg Student number: 11093757 Supervisor:

Georgios Georgakopoulos Date: June, 25 2018 Word count: 19579

MSc Accountancy & Control, specialization Accountancy Faculty of Economics and Business, University of Amsterdam

(2)

– Thesis MSc Accountancy & Control 2017-2018 Thalisa Westerborg -

Statement of Originality

This document is written by student Thalisa Westerborg who declares to take full responsibility for the contents of this document.

I declare that the text and the work presented in this document is original and that no sources other than those mentioned in the text and its references have been used in creating it.

The Faculty of Economics and Business is responsible solely for the supervision of completion of the work, not for the contents.

(3)

Abstract

Recently a new method of analysis emerged in the audit field, this is called data analytics. In the literature evidence was found that the adoption of data analytics and other

technologies is far behind. The intention of this research is to gain a better understanding of the effects of the social and technological aspects of integrating data. another aspect is the effect the application of data analytics has on the audit procedure. This triggered the subject of this research: How is data analytics implemented and institutionalized in audits, and what effect does it have on the audit procedures in a Big 4 setting? To answer this question, this research is based on the institutional work theory by Lawrence and Suddaby (2006). This framework is developed to gain a better understanding of the influence of actors in

institutions. This research was performed in the Big 4 setting, through a comparative study within two audit firms based on interviews. After detailed analysis and the link with the theory the following conclusion can be presented: The first steps have been taken in the implementation of data analytics in audits. It offers a number of opportunities and has a great impact on the audit procedure, and thus the audit firm has to carry out their audit in another way. However, the implementation of data analytics in audits has not been institutionalized yet in the Big 4 setting.

(4)

1. Introduction

This chapter contains the introduction regarding this topic. The first paragraph included the background information and research question. Paragraph two is the contribution of the research and the last paragraph includes the research structure.

1.1 Background information and contribution

In the last few years, several scandals involving auditor opinions have arisen with Big 4 firms, threatening audit quality. Auditors stated that the financial statements they viewed presented a reasonable and faithful representation of the organization, thus this was not the case. There was also a lack in the knowledge of statistical analysis (Broeze, 2006). Auditor’s opinions were based on subjective risk analysis, and they had little understanding of basic principles. Data analytics can help with that. In the last couple of years, Olsen and Dupin-Bryant (2016) found that big data and data science have experienced record-breaking growth. Data are now being generated easily and quickly. Data analytics is more and more embedded in our way of living and increasingly uses a various range of new types of data such as audio, video, and textual information that can be analyzed (Warren, Morfitt & Byrnes, 2015).

While big data and data analytics have had tremendous growth and it has been acknowledged that they will change the way organizations adapt, according to Alles (2015) and Early (2015), the accounting field is far behind in adopting data analytics and other technologies compared to other fields. Alles (2015) provided findings about the willingness of accounting professionals to adopt big data, data analytics, and associated technologies. One of his findings was that the audit profession struggles with the coercion of the current standards.

There has been an increase in the use of data analytics at public accounting firms, especially in their consultancy divisions, but the use of data analytics in their auditing processes was far behind while the audit field is their core business (Vasarhelyi, Kogan, & Tuttle, 2015). One reason why data analytics is still behind in the audit field is that there was a lack in the standards that oversight audit boards set (Vasarhelyi et al. 2015). These

standards are, according to Zhang et al. (2012), one of the main stimulators in improving the audit process.

With this, we can assume that big data analytics can fill the gap in statistical analytical knowledge where auditors can’t (Early, 2015). Although big data has begun to be integrated

(7)

– Thesis MSc Accountancy & Control 2017-2018 Thalisa Westerborg - in the accounting field, it is still a new subject. The intention of this research is to gain a better understanding of the effects of the social and technological aspects of integrating data analytics in a financial audit within the Big 4 setting and provide relevant findings on why data analytics is so far behind in the audit field. The following research question will be answered: How is data analytics implemented and institutionalized in audits, and what effect does it have on the audit procedures in a Big 4 setting?

The findings of my research present the first development in the implementation of data analytics. It offers a lot of opportunities and has a great impact on the audit procedure, especially on the risk assessment. It makes your audit more relevant and specific.

Furthermore, it forces the auditor to adjust the traditional way of audit. However, the

implementation of data analytics in the audit field has not been institutionalized yet. One side note, there are differences in the progress of the data analytics implementation between the two firms, Company Y is further developed regarding the implementation of data analytics, comparing to Company X. Thus, the overall finding remains the same.

1.2 Contribution

With this research, there are two contributions. The first contribution is to the literature regarding the institutional work theory. This theory is often used in accounting research regarding the changes within organizations. With institutional work, a better understanding is these changes can be achieved. (Currie, Lockett, Finn, Martin, & Waring, 2012; Bjerregaard, 2011; Hayne & Free, 2014; Micelotta & Washington, 2013).

As far as I have determined, this is the first research that compares two firms within the big 4 setting regarding the implementation of data analytics within the audit field. Compared to other studies, this research presents a clear overview regarding the differences between the two Big 4 firms. This is the second contribution.

(8)

– Thesis MSc Accountancy & Control 2017-2018 Thalisa Westerborg - 1.3 Research structure

This research is structured in the following way: chapter 2 discuss the literature review and theory. This chapter includes existing literature that is presented regarding data analytics, the application of data analytics and audit procedure. The theory section includes the institutional work theory. Chapter 3 contains the research methodology. In this chapter, the research is described and how the research is set-up. The interviews will be explained as the case design will be discussed. Chapter 4 presents the case analysis the findings of the interviews are presented in this chapter. In chapter 5 the discussion is presented. In this chapter the theory, findings and literature are compared. In the last chapter the conclusion, limitations and future research are presented.

(9)

2. Literature review

This section provides an overview of existing literature. The research is related to two streams of the literature: data analytics in the audit field and the theory behind institutional work.

2.1 Data analytics, the definition

Data analytics is a broad term in the audit field, with various interpretations from people in different functions. Cao, Chychyla, and Stewart (2015) provide an explicit description of big data analytics: “big data analytics is the process of inspecting, cleaning, transforming, and modeling big data to discover and communicate useful information and patterns, suggest conclusions, and support decision making.” Byrnes, Criste, Stewart, and Vasarhelyi (2014) define data analytics in audits as “the science and art of discovering and analyzing patterns, identifying anomalies, and extracting other useful information in data underlying or related to the subject matter of an audit through analysis, modelling, and visualization for the purpose of planning or performing the audit.”

These definitions demonstrate that data analytics can be embedded in several phases of a financial audit. Data analytics includes software programs that help to analyze data and make the financial audit efficient (IAASB 2016). Furthermore, it could contribute to the visualization of an efficient financial audit (Early 2015). In the prior literature, it is stated that through this innovation, public accounting firms could increase their competitive advantage in a positive way by increasing the efficiency of the audit process (Bhimani & Willcocks, 2014; Dowling & Leech, 2014). Brown-Liburd, Issa, and Lombardi (2015) claim that data analytics can positively affect the audit engagements and change the engagements in a more efficient and effective way. They also noted that there has been a notable increase in the quantity of accounting transactions, and the complexity of these transactions has expanded. Therefore, it was highly demanding for auditors to analyze the transactions (Brown-Liburd, Issa, & Lombardi, 2015). One thing the prior literature lacks is knowledge on how data analytics is used in accounting and what the position this innovation has in the field of accounting.

(10)

2.2 Audit procedure 2.2.1 Audit

Audit is defined as “a systematic process of objectively obtaining and evaluating evidence regarding assertions about economic actions and events to ascertain the degree of

correspondence between these assertions and established criteria, and communicating the results to interested users” (ISA 200). In this definition of audit, there are several

components such as a systematic approach. In the audit process, it is a must to follow a clear structure with a clear plan. An audit is conducted objectively. This component states that an auditor cannot be biased and that it revokes their objectivity. The auditor obtains and evaluates evidence. It is important that an auditor test the reliability and relevance of the gathered audit evidence that consists of the embedded accounting transactions. This relevant and reliable audit evidence should concern assertions about economic actions and events. These assertions involve the representations of managers that are incorporated in the financial statements. The last component is that the auditor ascertains the degree of

correspondence between the assertions and criteria that is established. The auditor must test the assertions in an ongoing process that involves evidence-gathering techniques such as inquiry, observation, physical examination of documents and confirmation (Hayes, Wallage, & Gortemaker, 2014).

Auditors examine the financial statements with the consideration of materiality. One definition of materiality provides that “misstatements, including omissions, are considered to be material if they, individually or in the aggregate, could be reasonably be expected to influence the economic decisions of users taken on the basis of financial statements” (ISA320).

There is a distinction in the definition of materiality for performance materiality, which is when the amounts that are established by the auditor are lower than the actual materiality that is set for a financial statement in the engagement process. “This reduces to an appropriately low level the probability that the total of uncorrected and undetected

misstatements exceeds the materiality for the financial statement as a whole” (ISA 320). It is more likely that auditors use the performance materiality as a measurement in their audit.

(11)

– Thesis MSc Accountancy & Control 2017-2018 Thalisa Westerborg - 2.2.2 Audit engagement process

In a report published by PwC, an engagement audit can be divided in five phases: planning, risk assessment, audit strategy and plan, gathering evidence, and finalization.

Figure 1: Five phases of an audit (PwC, 2013)

2.2.2.1 Planning

According to ISA 300, “the objective of the auditor is to plan the audit so that it will be performed in an effective manner.” It is the responsibility of the auditor to determine

enough time and a wide scope in order to perform an audit (Hayes, Wallage, & Gortemaker, 2014).

The audit process begins with the planning phase. In this phase, you start with the client acceptance. The audit firm considers whether or not to accept this client or, when it is an existing client, to accept the continuous engagement. This is called client continuance. With the client continuance, there is not much activity involved, since the audit firm is already familiar with the client. But if there is any risk regarding the business, for example fraud, the audit firm needs to perform tests on whether to accept the client.

Having a plan contributes to an effective audit in an efficient and timely manner (Hayes, Wallage, & Gortemaker, 2014). As discussed in the previous paragraph, the audit plan relies on the outcomes of the previous year’s audit (with an existing client). In this phase, it is important to understand the scope of the business, the control environments, and control activities. In short, in the planning phase, the audit firm develops an overall strategy before the audit as to the scope, timing, and direction.

2.2.2.2 Risk assessment

When the planning phase is completed, the risk assessment should be performed. In this phase, the auditor determines with his/her knowledge and expertise the risks that can occur within the business and that could lead to a material misstatement (PwC, 2013). All

(12)

– Thesis MSc Accountancy & Control 2017-2018 Thalisa Westerborg - Wallage and Gortemaker (2014) define risk assessment as “the audit procedures performed to obtain an understanding of the entity and its environment, including the entity’s internal control, to identify and assess the risks of material misstatements, whether due to fraud or error at the financial statement and assertion level.” In this phase, the audit firm determines the levels of materiality and risk for the client. In practice, the performance materiality is used, which means that the auditors set a lower amount than the materiality of he financial statement altogether.

The risk assessment procedure is relevant due to the fact that auditors take an audit sample of all transactions. It is impossible for the auditors to test every transaction on occurrence, completeness, accuracy, cut off, and classification, the assertions within the company.

Hayes, Wallage, and Gortemaker (2014) discuss audit risk, which is the probability that the auditor gives an inappropriate audit opinion when the financial statements are materially misstated after their completion. Audit risk consists of three elements: inherent risk, control risk, and detection risk. Inherent risk is the risk that a misstatement that could be material to an account balance or class of transactions can be influenced, assuming that there were no integrated internal controls. Control risk is the risk that a misstatement could occur in an account balance or class of transactions that could be material and will not be corrected, prevented or detected. Detection risk is the risk that an auditor’s substantive procedure will not detect a misstatement that exists in the account balance or class of transaction (Hayes, Wallage, & Gortemaker, 2014) (Hayes, Wallage, & Gortemaker, 2014).

2.2.2.3 Audit strategy and plan

When the risks have been assessed, auditors establish an overall audit strategy and a plan. Besides this, they test to what extent they can rely on the internal controls that are embedded in the business. During this business process analysis, the auditor in this phase establishes a time plan and divides the tasks to team members. The audit strategy and plan must be kept up to date due to its contingency on new information that could be collected (PwC, 2013).

2.2.2.4 Gathering evidence

An auditor is obligated to apply professional judgement and skepticism when gathering evidence. Professional judgement is defined as “the application of relevant training,

knowledge, and experience, within the context provided by auditing, accounting, and ethical standards, in making informed decisions about the courses of actions that are appropriate in

(13)

– Thesis MSc Accountancy & Control 2017-2018 Thalisa Westerborg - the circumstances of the audit engagement” (Hayes, Wallage, & Gortemaker, 2014). Skepticism is defined as “making a critical assessment, with a questioning mind, of the validity of evidence obtained and is alert to evidence that contradicts or brings into question the reliability of documents or representation by the management” (Hayes, Wallage, & Gortemaker, 2014). The gathering of audit evidence will be through substantive procedures and tests of controls (Hayes, Wallage, & Gortemaker, 2014).

With the substantive procedures, the auditor gains reasonable conclusions regarding its audit opinion. These procedures are designed to detect material misstatements at the assertion level. The substantive procedures are divided into two elements: 1) test of details, and 2) substantive analytical procedures. These audit evidence includes

2.2.2.5 Finalization

The last phase of the audit engagement process is also called the review phase. All findings that have been highlighted during the audit should be reviewed. The overall conclusion forms the audit opinion. The opinion contains the evidence and findings of the test. Through the whole audit engagement process, the auditor and business should interact with each other to solve possible critical matters (Hayes, Wallage, & Gortemaker, 2014).

There are two different kind of auditors’ opinions that could be issued: unqualified and qualified. An unqualified opinion is the most used opinion, and it states that there are no material misstatements found in the financial statement. There is a possibility that the auditor could issue an unqualified opinion with an emphasis of matter paragraph. This means that there are still no material misstatements found, but that an event has occurred or could occur in the future and could have an effect on the financial statements for the

following years.

The qualified opinion has three variances: the qualified opinion, the disclaimer opinion, and the adverse opinion. A business receives a qualified opinion when the auditor concludes that misstatements in the financial statement are material and not pervasive. The definition of pervasive is “the effect on the financial statement of misstatements or the possible effects on the financial statements of misstatements that are undetected due to an inability to obtain sufficient appropriate audit evidence” (Hayes, Wallage, & Gortemaker, 2014).

(14)

– Thesis MSc Accountancy & Control 2017-2018 Thalisa Westerborg - 2.3 Data analytics and audit procedures

According to Bierstaker, Burnaby, and Thibodeau (2001), the auditors in the audit firms should count on paperless audits and software containing client information that is

developed to perform the audit procedures online. As we have seen in Section 2.2, an audit engagement process contains phases. Researchers have found evidence that data analytics can be used in the planning, risk assessment, and evidence-gathering phases (Bierstaker, Burnaby & Thibodeau, 2001; Murphy & Tysicac, 2015; Titera, 2013). According to Cangemi (2014), data analytics not only has a great value in the executing phase of audits but also has a positive effect when used from the start until the end of the audit procedure.

It is important to observe that there has been a switch in focus in the last few years on how auditing is being processed, from retrospective to risk-based auditing (Cangemi, 2014). In this new type of auditing, auditors must prepare a stategic plan on the forefront. When auditors create an audit plan, accountants comment on the findings, reports, and other changes of the audit of previous years (Cangemi, 2014).

When Data is used in the planning phase to asses the engagement risk regarding the acceptant of a client, auditors should ask this data and analyze it. With the application of data analytics, the auditor gains a better understanding of the clients’ environment and gain new insights (Titera, 2013).

As already mentioned, the risk assessment phase is to determine possible risk in the financial statements of the clients are misstated after the completion of the audit. With the use of data analytics, auditors will gain a better understanding of the environment as the business of the client. Data can give you a clear and efficient view of comparing data, whether this is data between the companies or with its peers. Furthermore. data analytics has the ability to view the data from different perspectives and to identify patterns, errors and exceptions (Titera, 2013).

In the audit gathering phase the client’s internal control, financial statements etc. are tested. There are different kind of evidence that can be gathered through data analysis. The application can increase the quality of audit evidence. Furthermore, data analytics within this phase can be applied efficiently (Titera, 2013).

(15)

– Thesis MSc Accountancy & Control 2017-2018 Thalisa Westerborg - 2.4 Data analytics strategies

The application of data analytics can be divided into two concepts: the bottom-up concept and the top-down concept. In the following paragraphs these concepts briefly will be discussed.

2.4.1 Bottom-up concept

Keltanen (2013) noticed the relevancy of a lean concept in order to gather audit information. With this concept, the key is to analyze the relevant data instead of all data. This data can be analyzed by different kind of tools and other techniques. The lean concept is also called the direct approach. When you follow this concept, it will increase your relevancy in your data and will decrease the costs.

2.4.2 Top-down concept

In this concept, an explorative way of data is used. Within this data both obvious and not obvious correlation are presented. The auditors determine the type of data that will be analyzed. The risk with this concept is that the correlation does not consequently mean a cause. (Acker, Blockus, & Pötscher, 2013)

(16)

2.5 Institutional work

Data analytics is a new technology in the audit field. According to Bierstaker, Burnaby and Thibodeau (2001), these new technologies will cause a great change in the nature of audit processes. Due to these new technologies, organizational structures within the audit firm change too (Cohen, Deal, Meyer, & Scott, 1979). The theory of institutional work fits in the changes that occur in the accounting field (Suddaby, Saxton, & Gunz, 2015) (Canning & O'Dwyer, 2016).

There are a few ways to define institutional work, but for this study, the description of Lawrence and Suddaby (2006) is used: “the purposive action of individuals and

organizations aimed at creating, maintaining, and disrupting institutions.” In the following subsections, the concept of institutional work and the forms of institutional work will be explained.

2.5.1 The concept of institutional work

The concept of institutional work is connecting, bridging, and extending work on

institutional entrepreneurship, change, and innovation (Lawrence, Suddaby, & Leca, 2011). This concept draws special attention to individual actions amongst institutions. Institutional work is a popular and powerful explanation for both individual and organizational action. Dacin, Goodstein, and Scott (2002) found that institutions change over time, are not consistently taken for granted, have effects, and are challenged and controversial.

Greenwood, Suddaby, and Hinings (2002) examined the role of professional associations in changing highly institutionalized organizational fields. They stated that the concept of organizational field is central to the theory of institutional work. In their study, they found that associations play varied roles in the field.

According to Lawrence and Suddaby (2006), institutional work contains three key elements. The first element is to “highlight the awareness, skill, and reflexivity of individual and collective actors.” Actors do not adopt the notion of institutions. The second element is that “it would generate an understanding of institutions as constituted in the more and less conscious action of individual and collective actors.” This element means that the viewpoint of an institution depends upon the actions that the actors engage in and maintain. However, the actors could also create new actions and disrupt existing institutions.

(17)

outside of action as practice—even action which is aimed at changing the institutional order of an organizational field occurs within sets of institutionalized rules.” These elements imply that the actions of actors in between the boundaries of the institutionalized follow rules, even if they are focused on changing the institution (Lawrence & Suddaby, 2006, p20). Bjerregaard (2011) extended and summarized Lawrence and Suddaby’s work and gave new insights in the research streams in institutional work.

2.5.2 Forms of institutional work

As already mentioned, Lawrence & Suddaby (2006) describe institutional work as “the purposive action of individuals and organizations aimed at creating, maintaining, and disrupting institutions.” In the following paragraphs, the concepts of creating, maintaining, and disrupting will be explained.

2.5.2.1 Creating

Creation work includes establishing rules and constructing rewards and sanctions to enforce these rules (Canning & O'Dwyer, 2016). The ability to do this is in any given field is related to the position of the actors. For example, this can be established by a state or a delegation. However, it is also possible to gain through political and economic processes (Lawrence & Suddaby, 2006).

Lawrence and Suddaby (2006) defined though empirical research a list of practices divided into three categories. The first category is the political work in which actors reconstruct rules and set up boundaries regarding material resources. Advocacy, defining, and vesting are three practices related to this category.

Advocacy is defined as “the mobilization of political and regulatory support through direct and deliberate techniques of social suasion.” For most of the cases, this institutional practice is the key element for the starting point of an institution. The object of advocacy is to think about the political and social capital that is needed to create new institutions (Lawrence & Suddaby, Institutions and institutional work., 2006).

Defining is the second practice of political work and is described as “the

construction of rule systems that confer status or identity, define boundaries of membership, or create status hierarchies within a field” (Lawrence & Suddaby, 2006).

The third practice regarding this category is vesting, which is defined as “work directed toward the creation of rule structures that confer property rights.” This form is focused on the authority of the regulation and actor that is active and interested in that

(18)

– Thesis MSc Accountancy & Control 2017-2018 Thalisa Westerborg - particular field (Lawrence & Suddaby, Institutions and institutional work., 2006).

The second category is related to actions in which the boundaries of meaning systems are altered(Lawrence & Suddaby, 2006; p.225).The practices constructing

identities, changing normative associations, and constructing normative networks are related to this category.

The practice of constructing identities is essential for creating institutions due to the relationship that is maintained between an actor and the field(Lawrence & Suddaby, 2006). Changing normative associations and constructing normative networks both refer to the way new institutions coexist and interact with institutions that are already created without

challenging these preexisting institutions but with lead actors supporting and questioning them (Lawrence & Suddaby, 2006).

The last category is actions that are designed to alter abstract categorizations in which the boundaries of meaning systems are altered (Lawrence & Suddaby, 2006; p.221). This category includes the practices mimicry, theorizing, and educating (Lawrence & Suddaby, 2006).

Mimicry is defined by Lawrence and Suddaby (2006) as a potential practice where if actors attempt to create new institutions, they can leverage existing sets of taken-for-granted practices, technologies, and rules. With this practice, it is possible that actors compare new practices or changes with existing practices and changes. With mimicry, it is possible to gain insight for new, clear, and accessible structures by comparing old and new templates (Lawrence & Suddaby, 2006).

Theorizing is defined as “the development and specification of abstract categories and the elaboration of chains of cause and effect” (Lawrence & Suddaby, 2006; p.228). This practice includes naming and describing new concepts so that there is a possibility to grow in the part of the field.

The last practice is educating, which gives actors the relevant knowledge to interfere in new practices or to interact with new structures (Lawrence & Suddaby, 2006; p.228). New institutions involve new supporting information that might need additional skills and knowledge.

(19)

– Thesis MSc Accountancy & Control 2017-2018 Thalisa Westerborg - 2.5.2.2 Maintaining

Canning & O’Dwyer (2016) describe maintaining as “supporting, repairing, and recreating social mechanisms that ensure compliance with existing institutional norms” (Lawrence & Suddaby, 2006; p.230). In other words, institutions do not have the ability to reproduce existing institutional norms by themselves through time. The practices of maintaining are divided in two categories.

The first category focuses on the maintenance of institutions through compliance with the rules (Canning & O'Dwyer, 2016). The practices linked to this category are enabling, policing, and deterring.

Enabling focuses on the support, facilitation, and supplementation of institutions. This enabling process is accomplished through actors’ authorization and by arranging resources differently to ensure the ongoing concern of the entity (Lawrence & Suddaby, 2006; p.230).

Policing is auditing and monitoring by involving sanctions and incentives combined together within the same entity to ensure compliance. Lawrence and Suddaby (2006) stated that it is not necessary to use policing in professional fields, because this is already assured due to auditing and monitoring.

Deterring is the last practice regarding compliance, and it is defined as “establishing coercive barriers to institutional change which involve the threat of coercion to inculcate the conscious obedience of institutional actors” (Lawrence & Suddaby, 2006; p.232). The effectiveness of deterring depends on the level of authorization of the coercive agent. Besides that, economic threats can influence as well.

The second category focuses on the effort to maintain institutions with the aim to reproduce existing norms and belief systems. The practices associated with this category are valorizing/demonizing, mythologizing, and embedding and routing.

The fundamentals of institutions can be strengthened or weakened by positive and negative examples for public consumptions. This practice is called

valorizing/demonizing(Lawrence & Suddaby, 2006; p.232). Mythologizing is a practice that ensures that normative underpinnings of an institution are preserved regarding its history (Lawrence and Suddaby, 2006). Embedding and routing “involves actively infusing the normative foundations of an institution into the participants’ day to day routines and organizational practices” (Lawrence & Suddaby, 2006; p.233).

(20)

This means that practices are so deeply rooted into routines that members fail to think about the reason why the practices were established. The routines feel comfortable, and members will continue the routines (Lawrence and Suddaby, 2006).

2.5.2.3 Disrupting

Disruption work, according to Canning and O’Dwyer (2016), is the involvement of attacking or undermining the mechanisms that lead actors to access with institutions. Frequently, some actors do not want to be related to a particular institution. Disrupting can occur directly and indirectly, according to Lawrence and Suddaby, (2006). They describe three practices of disrupting work: disconnecting sanctions and rewards, disassociating moral foundations, and undermining assumptions and beliefs.

When an entity is underpinned to authoritative judgment, this judgment can erode the formal powerful position of an established institution (Lawrence & Suddaby, 2006). There are different ways to disrupt the fundamentals of an entity. One way is to recreate the basis of the concept of the institution. When this practice occurs, the disconnection of sanctions and rewards has a great influence on the actors and their relationship, with the result that the institution becomes less powerful (Lawrence & Suddaby, 2006; p.235). This practice can disrupt only when important stakeholders see the value to persuade a transferral of power (Lawrence & Suddaby, 2006).

The second practice is disassociating moral foundations and is defined as

“disassociating the practice, rule or technology from its moral foundation as appropriate within a specific cultural context” (Lawrence & Suddaby, 2006; p.236). This practice takes a slow approach of disrupting an institution.

The last practice is undermining assumptions and beliefs. Lawrence and Suddaby (2006) found only little evidence of this form of institutional work. This is due to the fact that this knowledge comes from creating institutions and not from actually disrupting existing institutions (Lawrence & Suddaby, 2006; p.237). This last practice assumes that the effects of invalidating are associated with a change in the existing institution.

(21)

3. Research methodology

This chapter contains the research methodology. The first section structures the research description. The second section describes the content of the research and how it was

conducted, followed by the third section, which provides a sample of the interviews and the coding of the interviews. In the last section, the data analysis will be explained.

3.1 Research description

The aim of this study is to understand through a comparative study in the Big 4 setting the implementation of data analytics in the audit field and what effect it has on the audit procedure. This paper focusses on the outcome of this study and the institutionalization. Institutional work is an existing theory that this study relies on. The process of the

implementation of data analytics in the Big 4 setting through a case study will be described and analyzed to determine the effect it has on the audit procedure.

This research is relevant due to new technology that is entering the audit field. Furthermore, the adjustments in audit procedure will determine how data analytics are institutionalized. The researcher chose the comparative study in a Big 4 setting due to limitations that non-Big 4 firms face, such as budgetary limits and knowledge. Furthermore, the non-Big 4 firms usually adopt new methods at a later stage.

3.2 Research setup

This study was conducted as a qualitative case study. According to Malsch and Salterio (2015), qualitative studies are not often realized in the audit field. Their main objective with their study was to provide guidance on how to assess the quality of field research within the audit field. Qualitative research is a “multimethod research that uses an interpretive,

naturalistic approach to its subject matter” (Rynes & Gephart, 2004). According to their research, qualitative studies give a clear overview on how social experiences are determined and provide a visualization that reflects the experiences. They state that qualitative research reflects the explanation of societal individuals and what kind of perspective they have on the subject matter.

According to Kılıçoglu (2018), “qualitative research is a type of scientific research which includes document analysis, observation or interview”. The process of a qualitative

(22)

study is identified as events that occur in the natural environment that reflect it realistically and holistically.

O’Dwyer and Unerman (2008) used qualitative research in their study to engage specifically in the interpretation of the subject matter they examined. It is very important to determine the nature and impact of the research question. When conducting qualitative research, this research can “contribute to radical change or emancipation from oppressive social structures, either through a sustained critique or through direct advocacy and action taken by the researcher, often in collaboration with participants in the study” (Marshall & Rossman, 2006). For this research question, case study setting is appropriate.

3.3 Interviews

This study will be conducted through a comparative study of two Big 4 firms in the form of interviews. There are several types of interviews, including structured, semi-structured, unstructured, informal, and focus groups. This case study used semi-structured interviews. The interview questions were prepared, but with both closed and open questions so as to gain relevant information from the interviewee. All interviews were conducted by the researcher. The interview questions were divided into four main subjects: experience with data analytics, knowledge and training, regulation, and the future of data analytics. To ensure that the objective of the interview was clear for every interview, some basic information regarding the research and its topic was discussed.

The interviews were recorded, with the agreement of the participants, in order to validate and gain the relevant information (Cao, Chychyla, & Stewart, 2015) (Chan & Vasarhelyi, 2011) (Currie, Lockett, Finn, Martin, & Waring, 2012). The interviews were transcribed and sent to the interviewee afterward. In this way, interviewees could validate the information and, if necessary, elaborate or give more information regarding their answers. Once all answers were validated, they were compared with one another, then categorized, coded, and labeled in order to give an overview.

3.4 Case study design

As already mentioned, this case study was conducted in a Big 4 setting and compares two Big 4 audit firms. In this research, the audit firms will be named Company X and Company Y. The reason for choosing these two particular Big 4 firms was because of their resources, expertise, and access.

(23)

– Thesis MSc Accountancy & Control 2017-2018 Thalisa Westerborg - The use of data still depends on the resources of the company and if the tools have a valuable contribution. For one of the companies, the researcher gained the information through a thesis internship, which made it easier to access auditors of the company and gain the relevant input. The other company was chosen due to network contacts.

In total, there were 10 interviews conducted, 6 at Company X and 4 at Company Y. This is why the interviews are divided into two groups. The objective of these interviews was to gain relevant insight and information regarding the implementation of data analytics and its effect on the audit procedure.

In selecting the interviewees, it was important for the researcher to select auditors who have experience with data analytics in the audit process. First, there was a conversation with an employee of the data analytics team of Company X. The purpose and objective of the research question were explained. After that, the team member arranged for six auditors to be interviewed. These auditors were at the level of senior staff, assistant manager, and senior manager level. The general experience in auditing was five to eight years. For Company Y, the auditors were at the level of senior staff and manager. The duration of the interviews was approximately 45 to 50 minutes, and the language of the interviews was Dutch. See Table 1, below, for an overview of the interviewees.

As already mentioned the interviews were semi-structured, so as the interviews continued, new or other questions were asked and addressed in the following interviews. The interviews were recorded on mobile devices. Nine of the interviews were face-to-face interviews. Only one interview was through a video call due to the distance of the

interviewee.

The participants were first addressed through an email. In this email, the purpose and objective of the research were explained, and the interviewees were asked if they were willing to participate. Furthermore, the requirements such as recording of the interview and the face-to-face meeting were outlined in the email. Some of the participants required the questionnaire list beforehand so they knew what kind of questions were expected.

At the start of each interview, the research question and its objective and purpose were again described. The focus on the topic of the definition of data analytics, the strategy of implementation, the audit procedure, strengths and weaknesses of data analytics and education and training were also highlighted before the start of the interview.

As already mentioned, the duration of the interviews was 45 to 50 minutes. This was quit long due to the researcher self. The researcher did not want to have unclear issues. This is the reason why the researcher asked after every interview if it was possible if there were

(24)

– Thesis MSc Accountancy & Control 2017-2018 Thalisa Westerborg - any issues that the participants could be contacted through email or telephone.

Table 1: Overview of Interviewees

The participants and companies are coded. The companies are coded as Company X and Company Y. The interviewees within company X are coded as RX1, RX2, RX3, RX4, RX5 and RX6. The interviewees within Company Y are coded as RY1, RY2, RY3 and RY4. In the next chapter a distinguish between tools is being coded, this to clarify the differences. For company X the tools are coded as tool X1 and tool X2 as for Company Y, tool Y1 and tool Y2. For both companies, the tools coded as 1 are the tools they used the most. For company X, tool X1 is a new tool as for Company Y the ‘game changer’.

3.5 data analysis

As already mentioned, the interviews were transcribed. The companies, participants and tools are coded as anonymous. The coding process was manually. In this process notes and relevant points were marked.

When the case analysis was written a second coding process was written. This time open coding system was conducted. This means that words and sentences are categorized. This process was done manually. The researcher did not made use of a coding tool. To assure that no data was forgotten, the transcriptions and coding process was read again.

Function Function

RX1 Assistant-manager RY1 Assistant-manager

RX2 Manager RY2 Manager

RX3 Assistant-manager RY3 Assistant-manager

RX4 Assistant-manager RY4 Manager

RX5 Senior-manager

RX6 Manager

(25)

4. Case study analysis

In this chapter, the findings of this study will be discussed in order to answer the research question. During the interviews, relevant information about the implementation of data analytics and its effect on the audit procedure were gathered. The first section contains the definition of data analytics. Implementation strategies will be discussed in the second section. The third section examines the effect on the audit procedure of the use of data analytics. The fourth section strengths of data analytics. Weaknesses of data analytics is content for the fifth section. Education and training is the sixth section. For each section, I make a distinction between Company X and Company Y, which makes it easier to compare them with one another. Due to this comparability study, in the last section, an overview of the differences between the two Big 4 firms is presented.

4.1 Definition

As mentioned in the literature review, data analytics is a broad term and can be interpreted in different ways. During the interviews, participants were asked for the definition of data analytics. Employees of both Company X and Company Y answered that data analytics is a broad term. One participant within Company X claimed that using Microsoft Excel is data analytics as follows:

“As far as I am concerned, data analytics can be applied in different ways. You already use data analytics when you carry out your analyses through Excel.” (RX1)

One participant within Company Y claimed the opposite and did not recognize Excel as data analytics. Furthermore, he thought that there is a clear line between what data analytics is and what it is not:

“I do think that there is a clear line of what is data analytics and what it is not. And I think

that many people think that something is data analytics but that this is not actually it. As an example, in Excel, you analyze the links with other figures. In Excel, that is not data

analytics.” (RY1)

A few participants within both companies thought that data analytics is equal to gaining new insights:

(26)

“For me, data analytics is getting new insights based on data, and how you want to call it or how you want to do that, I find that less relevant. In the audit and often with external parties, data analytics is often a tool that they use. Based on the data that you have, and sometimes you have to obtain it in another way, or combine it with others. If you combine information that you already have, it gains different insights. That is data analytics.” (RX2) “Data analytics is to pull in an effective way data out of large bins to get certain insights, where you use smart tools and smart algorithms to visualize data in a certain way, but also to identify exception.” (RY4)

“Data analytics is not exception, rocket science or either something new. It is looking in a structured way to a bin with data. Using data in a practical way and applying it in such a way that you can use it for your intended purpose. The bucket of data is already available, but the proper use of data is, I think, that is even more important. Data analytics can be structuring data in efficient ways and processing data through a program/tool. In my opinion, these are the two most important forms to analyze and view data properly and look for the relevant information.” (RX4)

In each company, there was one participant who thought that data analytics gave audit evidence. Participant RX3 of Company X stated the following:

“Data analytics is a broad term. Data analytics in the audit field is trying through effective

(27)

The participant of Company Y started off differently but ended with the same point: “Data analytics is to make data of clients measurable. This is a large amount of data and

these data should be make understandable with specific tools in order to satisfy the needs of the user. In this field, I am the user and I need this to process my audit and to gather my audit evidence.” (RY2)

During the interviews, two participants from Company X thought that despite the broad term of data analytics, this could be done on whole samples instead of on statistically substantiated samples that were manually prepared:

“Data analytics could not only be processed on a small sample, but over a whole sample so that you could gain 100% insights on what you normally would manually do.” (RX3) “It could be efficient to look at the whole sample instead of looking through the

‘deelwaarnemingen’ with data analytics, what you would manually do in the past.” (RX5)

Due to the fact that the definitions were so different as to what data analytics exactly is, it reflects the practice of theorizing of the institutional work theory as weak. There is no clear definition of data analytics, so there is no clear approach to the concept of data analytics in the audit field. Therefore, the actors in this field don’t have a solid protocol on how to interpret this.

(28)

– Thesis MSc Accountancy & Control 2017-2018 Thalisa Westerborg - 4.2 Implementation strategy

This section will highlight a few topics that were asked about during the interview in order to get an overview of the implementation strategy. These topics are experience, tooling, and client experience

4.2.1 Experience

As already mentioned, the participants were selected partly based on their experience with data analytics in their audits, and their experience ranged from three to seven years. Yet during the interviews, it became clear that the application of data analytics in the audit is used differently. This sub-section discusses the different routines.

4.2.1.1 Journal entry testing

Data analytics was used for both companies in journal entry testing. Journal entry testing is a required procedure that has to be executed by the auditor and belongs to the standard analysis. Within this procedure, the auditor reviews whether the journals are booked in a correct way. Both companies used data analytics as a tool in this routine.

Participants for both companies thought that the use of data analytics is very relevant, because it generates an overview of what is a normal journal entry and what is not, and in this way, the auditors are able to focus on the exception rather than the normal journal entry. For Company X, there were several ways to process the journal entry testing routine: “For example, DNA on journal post analysis is mandatory. The teams are free to decide which tools they use. So that is possible with three different tools.” (RX6)

So it is clear that Company X used different tools, and team members could choose in which one they execute their journal entry testing routine. This participant used the first data analytics tool that had been introduced in the company:

“Yes, we have piles of tools, the first tool of this organization, that tool structured those journals. It visualizes how did those journal entries flow through the system and that is actually the primary and best form. Because you know your customer, you know how the

(29)

processes run, I know that they normally post debtors to sales and costs to creditors, and if you see a certain transaction does not go through that posting, you can zoom in on it.” (RX4)

“Within the tool, there are some specific modules, in which you can easily view the planning analytics standings per month where you can click, analyze the booking flows that take place, test journal entries where you can look on a specific item.” (RX5)

While Company X made use of several tools for this routine, Company Y had one tool for all journal entry testing:

“In our tool, we retrieve the entire administration from the customer. So from all the

transactions they have made and put it in a tool and then we did some analysis, for example what kind of transactions are booked on a particular general ledger account. Or what are the fluctuations in a certain general ledger account.” (RY3)

“For our company, everybody understands that journal entry testing is a significant risk, so the easiest way to use data analytics within the tool is the most easiest way.” (RY2)

4.2.1.2 Three-way match/purchase process

The second routine, the three-way match, is to match the invoice with the order and receipt. This match needs to be complete and accurate. Data analytics is used in both companies with the relevant tools to process the three-way match automatically.

“Have you ever heard of a three-way match? That means invoice, order, and receipt. At the moment something has been ordered, it must also have been received and the number plus amount must match the order invoice. There is co-worker within the company that says ‘I have compared these three elements and I agree.’ But who says he is the right person to approve that? You do not know that. I find data analytics very strong in that respect, due to the fact he can automatically review this.” (RY1)

“One of the things that we can do with data analytics is the three-way match. It uses transactional data and the sub ledger to automatically perform three-way matches and other things.” (RX5)

(30)

– Thesis MSc Accountancy & Control 2017-2018 Thalisa Westerborg - The participants for both companies used data analytics in the three-way match to review whether what their clients told them during inquiry could be related to the data itself:

“Once, I did a three-way match with a customer. As it turned out, 3% of all outbound goods had 0 invoice in front of them, while in normal circumstances, 0 invoices do not appear in your figures. It turned out that some things were given away for free, which was easy to explain and what the management also knew about, only they did not know it was that much. We did not see this in prior audits, thus it was not possible to recognize this through

traditional audit without data analytics.” (RX3)

“A purchase order is created, the goods come in, an invoice comes in, a matching is made, and then the invoice is paid. What this tool does is, I am an auditor, and my client has told me which steps are being taken, then I will implement those steps. Then this tool visually shows how that process goes through a certain happy flow. I am happy when that happens; the customer has not withheld anything. But because the customer does not always tell everything because he forgot to mention certain important points, through that tool, you can very well see through those branches that it is visual and I should do something with it.” (RY2)

4.2.1.3 Forecasting

As already mentioned, the companies use data analytics both for journal entry testing and three-way matching. Company Y uses data analytics for forecasting what they could expect at the end of the year:

“It depends on when you have a meeting with the client. That can be organized in Q2 and Q3 and afterwards, we execute data analytics procedures. At the end of the year, we once again execute data analytics procedures.However, we already have the data from the client of Q1 to Q3. Very often, Q4 continuous in a linear line, so your questions during inquiry about Q4 are already answered in Q1 to Q3.”

(31)

– Thesis MSc Accountancy & Control 2017-2018 Thalisa Westerborg - 4.2.2 Support team

During the interviews, a few questions about data analytics and its support were asked. Both companies have a separate department that supports audit teams when they use data

analytics. One question asked about the collaboration between the support team and the data analytics team and how this process is executed.

Company X recently set up this supporting department for data analytics:

“I do the initial assessment. I am an auditor, and I have certain customers’ network. I know which tools I can have at my disposal and which characteristics I need. After that, I can select the tool that can be used because of my prior knowledge. I have been involved with the tool as an ambassador. Based on my own assessment, I think about the work activities I have to carry out, what kind of SAP package the client uses and see if it is possible.

Eventually, I approach a technical lead from the data analytics supporting team, and I cooperate with them because he is specialized in the technical part, the implementation of that data, and that ensures that the tool is installed so that we can perform the data

analysis, that is the process.” (RX1)

“Yes, when a choice is made that data analytics will be used, then one of the data analytics ambassadors helps us. He or she is like a coach and acts like a bridge between the audit team and support team. Moreover, team members of data analytics support team are involved. After this, it is important to indicate some elements. First of all, the support team informs the audit team what kind of data of the client they need, how much time they expect to need to extract the data. The audit team informs in their turn where they expect to implement automatization and where they want to use data analytics. For every

engagement, a kick-off is organized for everyone who is involved in the engagement. In this kick-off, the support team indicates if the use of data analytics is possible. Should this data be available and is actually determined, a business case will be drawn up of okay, we can apply data analytics to this customer.

The timeline of the audit will be determined based upon these prior meetings. In this timeline, they agree when the audit control starts, when it needs to be finished. When the data is available and in this way a time path and responsibilities are divided. So it is important that the audit team requested the data from the client and delivers this to the

(32)

– Thesis MSc Accountancy & Control 2017-2018 Thalisa Westerborg - support team. After they receive the data, they will start with the data and divide the

responsibility. One thing that is important to keep in mind, the audit team is still responsible for the actual delivery of the data. When the support team completed its work activities regarding the data, they process the results and share these results with the audit team. From this point forward, the interpretation of the results and the further follow-up is full responsibility of the audit team.” (RX3)

During the interviews with the participants of Company X, it was clear that the procedures regarding the collaboration between the audit team and support team are followed up well. The audit team has to collaborate with the client to extract the data.

Company Y follows essentially the same protocol. However, the data extraction, which will be discussed in Section 4.2.3, is completed in a different way. Within Company Y, the support team extracts and is responsible for the data. One of the participants

explained the process:

“We have a certain way of working. The data that you need to analyze can be quite large, and the questions you submit to the customer can be quite research. We have a policy within the organization that we split the year into two periods. It depends on when you have a meeting with the client, that can be organized in Q2 and Q3, and afterwards, we execute data analytics procedures. At the end of the year, we once again execute data analytics procedures. When an audit team decides to use data analytics in their audit, the first step is to create a request to the data analytics support team. This needs to be done early due to the high demand. They approach on aa first come, first served policy so they know when to hire specialists. This is important to know, because an audit team says they want to use data analytics in their audit, but there is no room in the current planning to realize it. Therefore, we need to request data analytics for a certain date. When we filled in the request, one of the members of the support teams asks us the following things, the contact details of the customer, maturity of the financial year, and which financial package the customer uses.” (RY1)

“We have a support team, and in a system, we request that we want to make use of data analytics in our audit. Depending on how busy the support team is, they determine whether the audit team can make use of data analytics. Eventually, one of the team members of the support team contacts us and discusses what kind of procedures we want to carry out where data analytics is involved. Questions like how many entities are involved with this client,

(33)

what kind of data do they have, which ERP package do they use. The support team contacts the client and installs the script so that the data can be downloaded.” (RY3)

Nevertheless, it is highly important how these meetings and agreements between the audit team and support are documented. Before the start of an audit using data analytics, it is extremely important within Company Y that the data is tested on the reliability,

completeness, and matching with other figures:

“Then they will generate an analysis to determine the reliability of that data. They review the data and the balance and if these match with each other and other general ledgers, they analyze all these things. If they agree that the data is reliable, the audit team receives the data and needs to do a completeness check. The partner of managers gives an approval on their completeness check, and the support team reads the data in the portal of the tool.” (RY3)

These checks in Company Y are very important to test the reliability of the data:

“A support team within the organization is responsible for the reliable and completed data. They test the data based upon their reliability so that we do have all the data and the data can’t be adjusted.” (RY2)

As a result of the responsibility of the support team for the data, the agreement needs to be clear and be done on a timely basis. Company Y wants to have the certainty that the data analytics procedures are carried out with reliable, completed, and matching data:

“We cannot go any further with our audit. We receive a checklist from these specialists, at which point they register whether the data is completed, reliable, and matches with the financial statement. If they don’t give an approval, we cannot continue our audit. After that, we need to explain for which tests we need the data, and the explanation must be clear and justified. Otherwise, we may not use the data for data analytics. There are quite a few checks before we can and may use this data for the analysis.” (RY1)

(34)

– Thesis MSc Accountancy & Control 2017-2018 Thalisa Westerborg - 4.2.3 Data extraction

In this section, the data extraction will be discussed. Data extraction sounds easy but has a point of criticism from both companies. This is due to the barriers they face in practice, particularly the ERP systems of clients.

Company X faces barriers with the customization of ERP systems. Clients customize their systems according to their needs and what they think is relevant, and this make it more difficult to extract the clients’ data. The second barrier that Company X copes with is the different kind of ERP systems that clients use for their financial administration. The complexity of both systems and data extraction is also a limitation.

“When you have a meeting with the client about the use of data analytics in their audit and discuss which type of ERP system they use, we can have 200 IT auditors, but in the end, only five really know something about that specific ERP system.” (RX2)

“You actually have to know your customers’ system. If you noticed that the systems are complex due to the fact they customized their ERP systems towards their own needs, and every client does that, it is not more challenging to extract the data.” (RX3)

Furthermore, participants from Company X thought that other barriers include the volume of the client, when they are a part of a holding, and when their systems are outdated.

“Usually if you have an ERP system and the client is not part of the group, then you usually see that the data is easy to extract. The data you extract is fixed in a structured way. While when you look at a client that is part of a larger group, you can already notice that they cannot access all the data. This makes it less easy to extract the data. Or if you have a substantial client that has all different kinds of ERP systems that are connected with an intermediary tool, this makes it more difficult to apply data analytics than the customer who has a standard package. So it is not a certain type of customer that it does not work for, but you have to inspect each customer and their system in order to ascertain what is the most efficient way to use data analytics for them. Furthermore, some clients’ systems still run on outdated software. So there is no possibility or at least no standard option to extract large amounts of data directly. This happens more often than you would think, and it is almost impossible to extract data without knowledge of the system.” (RX3)

(35)

– Thesis MSc Accountancy & Control 2017-2018 Thalisa Westerborg - Currently, Company X invests a significant amount of time in the data analytics tool. In prior years, it was a combination of trying and failing. If the client’s data allows for extraction, it is a major advantage for both Company X and the client. For now, the tool is developed in a way that the data can be read from all SAP systems.

“When I have a client that has structured their data well and uses an SAP system, I can easily extract the data and carry out data analytics procedures.” (RX1)

“Now all SAP customers are switching to this tool. It is so well developed that it can run as well as a machine on clients with SAP systems. The data can be extracted and analyses can be performed well.” (RX4)

Another participant from Company X agreed with the part that the tool is currently well developed for SAP systems, but on the other hand, they still manage to extract data for those clients with a non-SAP system. However, the data cannot be extracted through the tool. “Specifically for clients with an SAP system, we can use this tool. However, when a client has another system than SAP, we can build it custom with SQL for the client. We extract the data and compare the data. One side note, it does not have such a very fancy front-end as when it goes through the tool. But we can still help the audit team to perform the analysis and achieve the same as for the clients with an SAP system.” (RX5)

Within Company X, the observation is that not all participants have knowledge regarding data extraction when clients use other than SAP systems (RX5). Company Y faces other barriers than Company X. The tool of Company Y can read in data from different kinds of ERP systems.

“The data analytics tool that this company uses is a download of all data. So we could extract all data from all kind of clients in our tool. No matter what kind of type client or ERP system our clients have, it is not a problem.” (RY3)

Nevertheless, a participant within Company Y thought that there were still some practical problems while reading the data into the current tool. The first problem that this participant mentioned was about the volume of journal entry transaction that could not be processed by the tool:

Implementing data analytics in a big 4 setting and its effect on the audit procedure : an institutional perspective