Audits and COVID-19: A paradigm shift in the making.

The COVID-19 pandemic has exposed the obsolescence and vulnerability of many existing auditing practices. Whilst some progressive practices have been implemented (i.e., remote audits using rudimentary Information & Communication Technologies), a new paradigm is needed to not only account for the risk of repeated lockdowns, but also to align practices with the level of digitalization, automation, and use of artificial intelligence in the current business environment. In this paper, we argue that the adoption of new technologies requires a fundamental rethinking of how auditing services are delivered. We argue that new technological possibilities have implications for five other auditing elements that enable a shift from the old to the new paradigm of auditing, namely actors, processes, spaces, training and skills development, and services. We explain how non-financial audits conducted under the new paradigm are key enablers of a firm's ability to participate and thrive in a competitive international marketplace.

Strategic nature of audits

Non-financial audits – as part of testing, inspection and certification (TIC services) – affect nearly every organization across the globe. Products require testing and approvals, as many manufacturers seeking to shift production to hand sanitizers, face masks, and ventilators were reminded during the COVID-19 pandemic. Facilities and equipment also require regular inspection, including for health and safety purposes in factories, cargo ships, and pipelines, to name but a few examples. Organizations are often required to comply with a plethora of standards and regulations, both voluntary and mandatory, that are dictated by their customers, governments, and customs offices. These vital TIC services, including first-, second-, and third-party services, are worth about US$200bn annually and are expected to surpass US$260bn by 2025 (Economics, 2020). TIC services were severely impacted by the pandemic, which was mainly due to travel restrictions and lockdowns that prevented auditors and inspectors from visiting facilities (Castka, Searcy, & Fischer, 2020; Fischer, 2020; UNIDO, 2020).

The pandemic has shown the strategic nature of TIC services. Many companies experienced a rapid, short-term decline in the demand for their products and explored new ways to utilize their production assets. For instance, cosmetics giant LVMH began producing hand sanitizer in its perfume factories (Forbes, 2020b), while electronics manufacturer Foxconn altered part of its production to produce surgical masks (BBC, 2020). However, companies looking to alter their production soon found that they were often required to seek approvals from regulatory authorities before they could introduce these new products to the market. These approvals are grounded in TIC practices, and while some companies succeeded in securing rapid approvals, others found the process difficult. For instance, in the United Kingdom, Airbus and F1’s ventilator was promptly approved by the Medicines and Healthcare Products Regulatory Agency (MHRA), whilst a similar effort by Dyson was discontinued after “Dyson’s team found that winning regulatory approval from the Medicines and Healthcare Products Regulatory Agency (MHRA) was more difficult for [the organization] than for established manufacturers of ventilators in the UK.” (Forbes, 2020a).

Non-financial audits (as part of TIC service provision) are pervasive and can touch all aspects of an organization’s delivery of products and services. For example, a plastic pipe manufacturer can be required to comply with 40 plus standards requiring auditing across the entire value chain - from the inspection of incoming pipes and manufacturing according to product specification standards to ensuring standardized installation with contractors (ISO, 2012). However, far from being overhead, TIC services are a strategic asset that support innovation and allow firms to rapidly address changing demand. The TIC Council (Council, 2021), an international organization formed in 2018 and representing over 90 organizations engaged in testing, inspection, and certification, has identified three areas where demand for such services will be particularly accelerated in the future: (1) health, safety, and welfare, (2) environment, and (3) disruptive technologies (Economics, 2020).

The academic literature has been scrutinizing financial auditing for decades (Jelinek, 2015). Non-financial auditing has continued to develop as the demand for quality, health and safety, sustainability, and other audits has grown (Power, 1997). The literature has, however, only paid limited attention to the changes in non-financial auditing practices. In part, this was because the practice itself has been slow to change and has been highly reliant on ‘traditional’ practices (Herding & Fischer, 2015). To support evolving needs (and the rapid impact of COVID-19 on non-financial auditing practices), a new paradigm is needed that recognizes both the changing nature of TIC and its centrality to organizational and societal stability and resilience. Firms, as well TIC services providers and their auditors, must further embed the new paradigm in their core long-term strategies to increase their preparedness to external shocks, such as a pandemic, severe supply chain disruptions, or rapidly changing consumer demands (Summers & Charrington, 2020).

Pandemic as a catalyst for change: The move to remote auditing

Prior to the COVID-19 pandemic, TIC services were largely based on what we call ‘traditional’ audit practices – many of which date back to the pre-internet era (Herding & Fischer, 2015). The traditional audit process typically starts with a review of documents, records or site measurements, and is followed by on-site visits by a team of auditors for the purposes of testing, visual inspection, and auditee interviews (Byrnes et al., 2018). The evidence gathered through this process provides the basis for an audit report, often focused on a binary assessment of whether requirements have been met or not. These ‘traditional audits’ largely dominated non-financial auditing until the pandemic: while new innovations have been emerging, they were slow to be adopted (Fischer, 2020).

One practice some in the TIC sector had been experimenting with for several years are remote audits, which “refer to the use of ICT to gather information, interview an auditee, etc., when “face-to-face” methods are not possible or desired” (ISO19011, 2018). For example, auditors had begun to use drones equipped with video cameras to remotely inspect pipelines, water tanks, or other hard-to-access areas. Ernst & Young, for example, used drones to conduct inventory counts in a trucking company in Canada (CPA, 2019). Bureau Veritas, a major provider of TIC services, has used drones to conduct a survey on a bulk carrier in an Italian port, including conducting ultrasonic thickness measurements (UTM) in two cargo hold spaces, in order to satisfy inspection obligations under an enhanced ship survey program implemented by the International Maritime Organization (MarineInsight, 2020). Another provider of TIC services, Applus+, has used drones to inspect pipelines, as well as for prison security and wildlife protection, among other applications (APPLUS, 2021). Others in the TIC industry had experimented with wearable technology auditors could monitor as auditees moved throughout their facility. For example, KPMG has piloted the use of smart glasses and wearable video cameras in inventory audits (KPMG, 2021), while other companies have used wearable headgear and augmented reality technology in on-farm and processing plant auditing (ThePoultrySide, 2018). Prior to the pandemic, however, these practices were not widely employed and were usually reserved for unusual circumstances (e.g., auditing and inspection of remote and/or hazardous locations).

The COVID-19 pandemic rapidly forced the widespread adoption of remote auditing practices. Worldwide travel restrictions and lockdowns severely restricted or entirely shut down the possibility of in-person, on-site audits. It did not, however, eliminate the need for the continued provision of TIC services (Summers & Charrington, 2020). Many TIC services cannot be reasonably suspended, such as testing, inspection, certification, and compliance in the food sector (Aday & Aday, 2020). As TIC service providers scrambled to provide their services during the pandemic, many sought to essentially replicate their traditional auditing practices online, often through the use of videoconferencing technologies such as Skype, Zoom, and Microsoft Teams (ISEAL, 2021; Nowicki & Kafel, 2021).

While greater adoption of videoconferencing and other communication technologies are important steps in the redesign of TIC services, experiences with remote auditing during the pandemic also revealed that online replication of traditional audit practices is insufficient (Castka, Searcy, & Fischer, 2020). For instance, many expected that the introduction of remote audits would reduce audit costs, due to the reduction or elimination of travel costs. Remote auditing, however, does not necessarily result in reduced costs, particularly in the short-term. TIC service providers realized that remote audits come with unique challenges. For instance, the time spent on audit preparation and review of documents increased dramatically, often offsetting the cost savings from reduced travel (Castka, Zhao, Bremer, Mirosa, & Wood, 2021). Additionally, TIC service providers realized the potential of new ways of service provision. For instance, remote work provides auditors with more privacy when they can conduct the audit from their offices. Audit teams can also increasingly be formed drawing on experts across the world. The TIC industry realized that many aspects can indeed be conducted remotely with the same level of integrity, though this can require new investments.

The ability to ensure the integrity of remote audits can vary widely within and between industries. In some instances, TIC services are objectively determined and relatively easy to codify. For instance, the calibration of measuring instruments for chemical, physical, electrical, and biological testing are based on procedures that can be consistently replicated by trained technicians. In other areas, TIC services are more subjective and their consistency is more difficult to achieve (Busch, 2011). For instance, determining whether or not a food facility complies with all applicable requirements can require a considerable amount of judgment on the part of the auditor (Calabrese, Costa, Ghiron, & Menichini, 2019; Rasche, 2010). While the auditor may follow a defined process that includes documents and record inspection at the facility based on a set of pre-defined compliance criteria, there is a room for variation (e.g., the auditor needs to use judgement in selecting a sample of documents and records for audit) and room for error (e.g., how auditors choose to use their limited time on-site) (Prajogo, Castka, & Searcy, 2020). Emerging technologies can play an important role in ensuring the integrity of TIC services delivered remotely, including, but not limited to, auditing (Castka, Searcy, & Mohr, 2020). There are, however, many challenges that must be overcome to advance a new paradigm for TIC going forward.

Auditing in the post-pandemic era

The COVID-19 pandemic catalyzed the implementation of remote TIC practices and seeded the ground for more investments in adopting advanced technologies. The academic literature has, in part, predicted this trend. The work on the Audit 4.0 concept (Dai & Vasarhelyi, 2016), the use of data analytics in auditing (Earley, 2015), and the work on technology enhanced auditing (Castka, Searcy, & Mohr, 2020), provide the conceptual underpinning for greater reliance on technology in non-financial auditing – providing the possibility of improving the veracity and timeliness of audits.

For example, technology can enable a move towards real-time monitoring, through the use of sensors, satellites, and the cloud. This could reduce or eliminate delays between the occurrence and awareness of an event, such as an accident, a non-compliance, or a harmful emission (Finer et al., 2018; Slough, Kopas, & Urpelainen, 2021). Big data and artificial intelligence (AI) have yet to be widely adopted in non-financial auditing, and they could enable improved review of data at previously unattainable quantities and speed. Big data and AI also provide a foundation for a greater use of predictive analytics as part of TIC services. The development of digital twins could enable other new opportunities, such as exploring variations in real-world process testing of what-if scenarios (for instance in smart farming (Verdouw, Tekinerdogan, Beulens, & Wolfert, 2021) and streamlining of TIC services (Dai & Vasarhelyi, 2016)). For example, Ulli Klenk, Head of Additive Manufacturing Product Management & Sales at Siemens AG, predicts that “machines will be so well optimized and processes so highly digitalized that equipment or even the production process could be certified through a digital twin. The final certification step will be carried out locally, but much faster than before. And the digital twin itself well automatically produce the complete documentation” (Carl & Gondlach, 2017).

New technologies introduce numerous opportunities for enhanced TIC, but establishing them can require substantial up-front investments, the development of collaborative relationships with business partners, and the ability to integrate new technologies into new and existing TIC practices (Castka, Searcy, & Mohr, 2020). Implementing new technologies must also comply with data protection and/or surveillance legislation, which is rapidly evolving in jurisdictions around the world (Cliza, Olanescu, & Olanescu, 2018). Importantly, adopting new technologies will require training a new generation of auditors in their use and how they can replace or supplement auditing practices and decisions grounded in human judgement.

Figure 1 and Table 1 identify six key areas that must be considered in the shift from the old to the new paradigm in TIC. These areas were identified by the authors based on over two decades of experience in the field, as well as a recent study with leading experts from the TIC industry. Technology is the key enabler, but the adoption of new technologies requires a fundamental rethinking of how TIC services are delivered. New technological possibilities have implications for the other five areas, namely actors, processes, spaces, training and skills development, and services.

Figure 1

A technology-enabled shift from the old TIC paradigm to the new TIC paradigm

Table 1

Non-financial auditing practices: Old and new paradigms

	Old paradigm - Focus on	New Paradigm – Focus on
Technologies	Using rudimentary ICT technologies to facilitate audits	Using a broad set of technologies to enhance veracity and timeliness of audits
Human-Machine Interaction	Human activities	Human activities as well as autonomy of robots/automated systems
Processes	Determining compliance through auditing	Determining compliance through investigating & scenario testing
Spaces	Auditing in the real world (in-person or remotely)	Auditing in real world & of digital twins
Training and skills development	Training auditors in real world	Training of auditors in augmented reality and through simulations of critical scenarios
Services	Determining compliance	Compliance and predictive analytics

Technologies

The shift from the old TIC paradigm to the new one is enabled by new technological applications. Rudimentary ICT will likely continue to dominate remote audits in the near future. However, new technologies must be progressively introduced to enhance the audit process. There are myriad possibilities, though the implementation of new technologies must be tailored to the context of their application, while considering the implications for the other five key areas driving the shift from the old to the new TIC paradigm. For instance, auditors are increasingly reporting that they are overwhelmed by document and record review during the preparation for remote audits (Castka et al., 2021; ISEAL, 2021). New technologies introduce opportunities to automate much of this process. For example, machine learning can be used to recognize text, as well as to automate data verification and analysis. Machine learning can also be used to make predictions and to make decisions under specified conditions. Data collection can be supported through a range of technologies, such as drones, satellites, and sensors, among many other possibilities.

Human-machine interaction

In virtually all industries, activities that were previously or are currently being conducted by humans are being augmented with or replaced by robots, automated systems, and AI. TIC practices must evolve to reflect this new reality, shifting to a greater emphasis on automation. The rate of change from human to automated activity is quite rapid, and often outpaces the ability of policymakers to adapt. For instance, discussions on the taxation of robots and how robots should be accounted for are ongoing and have yet to be resolved (Somers, 2019). The same can be observed in several domains of TIC services. In management systems certification, for example, the focus still tends to be on humans even though in many environments, robots and AI are behind the majority of organizational processes – not humans. While TIC will continue to cover human activities in the future, it should not overlook the increasing role of robots, avatars, machine learning, and AI. An audit and certification of robots and AI might be far more relevant. In such environments, conducting audits remotely might be more straightforward: an auditor does not have to consider ‘human behavior’ on-site nor the data protection or surveillance legislation that often limits the use of technological solutions in audits, though this benefit must be balanced against any losses in on-the-ground human judgement or perception.

Processes

Traditional audits are dominated by a compliance logic: an auditor is asked to determine compliance against a set of defined criteria. Accordingly, auditors are trained to make those assessments. Additionally, traditional audits are often completed in a pre-determined window; this means auditors often have only a few continuous days on-site, potentially including the write-up of the final report. Such an approach forces the auditor to ‘box’ the audit into a limited timeframe. This means that auditors often face severe constraints in their ability to assess compliance, which raises concerns over the effectiveness of the audit. The pandemic – and roll out of remote audits – demonstrated that the preparation for audits provides auditors with more time to process an ‘investigation’ (Castka et al., 2021). For instance, auditors are able to search the internet for further evidence of claims and seek clarification. Similar to a crime investigation, the auditor acts as an investigator and the direction of the investigation evolves over time – and is not necessarily driven by the documents and records that are provided to the auditor by the auditee.

Spaces

Traditional audits are based on the assessment of a real-world brick and mortar facility. The same applies to remote audits: although done remotely, the auditor still inspects the real-world facility. Technology can enable enhanced auditing of real-world facilities, including through spaces that are difficult to reach or are inaccessible by human auditors. Drones, for example, can be used to inspect cell phone towers or power lines, while sensors can be used to monitor toxic gases. Technology can also enable completely new forms of TIC, such as auditing through digital twins and virtual reality. Digital twins are used in many industries (Stackpole, 2021) – from aviation, construction, farm management, and many others – and provide a ‘copy’ of the real-world equivalent of a product, facility, supply chain, or even entire cities. Moreover, digital twins not only duplicate the real world, they also allow for testing and modelling of future scenarios. In addition to testing, inspection, and certification being done in real-world facilities, future TIC assurance activities can be well conducted in this virtual space. While not possible under the old TIC paradigm, this could become increasingly prevalent under the new paradigm.

Training and skills development

The auditing profession has been grappling with an aging workforce for some time (Jackson, Michelson, & Munir, 2020). The shift towards the new paradigm thus provides a unique opportunity to align the auditing profession with the preferences and strengths of the new generation. Whilst under the old paradigm, an auditor would be a travelling agent that assesses compliance, the future auditor could interact with new technologies, act as an investigator, and operate in virtual reality. This raises questions, though, with respect to how this new generation of auditors should be trained. At the moment, auditors often spend a significant part of their careers in their industry sectors, later drawing on this experience as they transfer into the auditing profession. This might not be a feasible process in the future if the auditors need to be skillful with various technologies and be good “investigators”. In order to train these analytical investigators, new training methods need to be embraced. For instance, virtual reality can be used to simulate the audit process. An auditor can be exposed to various scenarios – which can be, for instance, developed from the data derived from audits of digital twins.

Services

Determination of compliance has been, and will remain, the main purpose of TIC. However, the sector has been slow in innovating their services. New technological applications introduce many new possibilities, including those which can inform firm strategy. One critical area is predictive analytics. At the moment services are provided to assess compliance – often against past performance. Shifting to the new TIC paradigm offers opportunities to improve compliance assessment, but the industry also maintains a range of data that provide a strong foundation for predictive analytics. The data on non-compliance (at the firm or sectoral level) provides intelligence about common problems. Such data can serve as a proxy of risk identification – for individual firms or for societal benefit. For instance, some authors speculate that past outbreaks and food scandals – such as the horsemeat scandal, which involved the 2013 discovery of contaminated meat products throughout Europe, could have been predicted had the TIC sector been focused on sectoral predictive analytics (Lloyds, 2021).

Summary: A call for a new-nonfinancial auditing paradigm

Non-financial auditing, including testing, inspection and certification, is a key strategic enabler of a firm’s ability to participate and thrive in a competitive international marketplace. The post-pandemic world offers the possibility of radical change – more digitalization and remote work, reshoring of critical production and manufacturing, further growth of the Internet of Things (IoT), consumer demand for increased worker and public safety, and continued pressure for enhanced visibility in supply chains (e.g., for safety, sustainability, modern slavery, etc.), among many others. Auditing provides an essential foundation to all of these changes. It is time to revisit TIC in the light of these evolving circumstances.

A new paradigm of testing, inspection, certification, and compliance is rapidly emerging. This new paradigm is rooted in new technological applications, which facilitate new ways of considering TIC actors, processes, spaces, training and skills development, and services. The COVID-19 pandemic has highlighted the need for firms to take a more strategic approach to TIC, as it is clearer than ever that TIC is critical to their ability to flourish. There are several managerial and practitioner implications of this shift, including that firms must now consider TIC an integral part of their overall strategy, the need to align auditing with firms’ other digitalization efforts, and the need to develop TIC competencies across firms and their supply chains. The transition to the new TIC paradigm will look different for different firms given their different product and service mixes, current conditions, and aspirations, but the pandemic has provided a clear window to proactively embark on the transition. It may take time to get things right, but it is important to get started on the transition to the new TIC paradigm right away.