Big Data and Audit Evidence

JOURNAL OF EMERGING TECHNOLOGIES IN ACCOUNTING
Vol. 12
2015
pp. 116
American Accounting Association

DOI: 10.2308/jeta-10468
EDITORIAL
Big Data and Audit Evidence

Helen Brown-Liburd
Miklos A. Vasarhelyi
Rutgers, The State University of New Jersey, Newark
ABSTRACT: This editorial aims to create a dialogue regarding research to advance
audit thinking in light of the new evolving data environment. A Special Topic issue is
being planned for JETA in 2017.
INTRODUCTION
The Traditional View of Evidence
Audit evidence is all the information, whether obtained from audit procedures or other
sources that is used by the auditor in arriving at the conclusions on which the auditors
opinion is based. Audit evidence consists of both information that supports and
corroborates managements assertions regarding the financial statements or internal control
over financial reporting and information that contradicts such assertions.
Public Company Accounting Oversight Board (2010, AS 15)
ecent years have brought a substantively different technological environment for

organizational assurance processes. The advent of a very different set of business processes
that support the modern business organization has provided radically new tools, a new data
environment, and a new set of deep problems. As such, the traditional view of audit evidence may no
longer be sufficient and the audit profession and regulators must be mindful of the impact that a more
advanced technological environment is likely to have on certain traditional forms of audit evidence.
While business processes are progressively incorporating Big Data (Vasarhelyi, Kogan, and
Tuttle 2015), both the measurement of business (accounting) and the assurance of this measurement
(auditing) have yet to take advantage of these innovations and integrate new possibilities and threats
into their rules and regulations. These new emerging technologies can substantively change the
environment and practice of accounting and auditing.
The authors are thankful for comments received from Pei Li, Jun Dai, Fei Qi Huang, and at workshops at Itau Unibanco
and the Rutgers Business School at Rutgers, The State University of New Jersey. The help from Ms. Qiao Li and Sophia
(Ting) Sun, as well as the suggestions of JP Krahel, were very much appreciated.
Supplemental material can be accessed by clicking the link in Appendix A.
Published Online: December 2015

Corresponding Author: Miklos A. Vasarhelyi
Email: miklosv@andromeda.rutgers.edu
Brown-Liburd and Vasarhelyi
Technology has widened the distance between data and its users, creating a rich and complex
production environment, as well as an increased need for verification of the acuity of these
processes. A variety of threats has followed the capability enhancements provided by technology
(MIT Technology Review 2015). At the same time, the new data environment provides the
possibility of greatly enhanced assurance capabilities that will substantially change auditing. This
note focuses on the new data environment and its potential to enhance and transform the nature,
usage, and decision processes related to audit evidence.
Three key questions will be examined:

What forms of evidence are emerging from the new data environment?
How can this evidence be integrated into the traditional audit process?
How should the assurance process conceptually change?
The Emerging Data Environment
Linking the Business Process to external Data is drastically changing the data environment.
First, organizations are using a series of different cloud (Weinman 2013; Wei 2014; Du and Cong
2015) arrangements of virtual location. This type of arrangement allows for faultless ubiquitous
support of corporate data and facilitates better interfacing with its buffer (intermediate, boundary)
zones and with the exogenous Big Data environment. The actual physical location of data is
irrelevant in its classification as either (1) corporate data, (2) buffer data, or (3) exogenous Big Data.
Automatic Data Collection
Traditional data capture and preparation provided substantive support for business information
systems at a large cost of manual capture. During that technological period, data were mainly
prepared in punched cards and paper tape, then stored on magnetic tapes. Due to labor
intensiveness, process imprecision, and costly storage, data stores were limited in size. With the
advent of data scanners, the process continued to be mainly manual, but some degree of automation
was achieved in data capture and linkages between traditional data and purchase baskets1 were
established. An entire new set of questions became possible, as described in Figure 1. Later on, web
data (including click information, URLs, and referring links) provided further data linkages and a
substantially larger volume. Again, there were substantive increases in data volume and storage,
and unstructured, automatically captured data (URLs, click paths, identification labels) were
integrated into the environment. New types of analytic questions arose as click paths provided a
dynamic view of customer behavior, but in a less deterministic and more stochastic manner.
The next level, both endogenous and exogenous, is the Internet of Things (IoT) (Kopetz 2011;
Weinman 2013; Chui, Loffler, and Roberts 2010). Goldman Sachs (2014) predicts 28 billion
things will be connected to the Internet by 2020, as opposed to the six billion mobile Internet
items in the 2000s. However, this figure does not seem to incorporate the use of radio frequency
identification (RFID) chips (Shepard 2005), which are to be embedded into a large number of
inventory items that will, therefore, become web-enabled and many other applications of these
chips. These are devices that reflect identification information, but the rapid decrease in chip
costs means that their capabilities could become more active and even stronger elements of the audit
information chain. These RFID chips associated with connection devices will allow for
development of e-tracks that will reflect logs of items available and, eventually, more intelligent
information to be incorporated.
1
Purchase baskets consist of the merchandise a particular client purchased in one shopping trip.
Journal of Emerging Technologies in Accounting

Volume 12, 2015
FIGURE 1
The Big Data Environment
Adapted from Vasarhelyi et al. (2015)
The full-color version of Figure 1 is available for download as a PPT file, see Appendix A.
Organizations will eventually embed chips into their inventory and fixed assets, use mobile
trackers on equipment and employees, and have smart devices in most of their facilities, managing
access, location, environmental parameters, and dynamic behavior. These measurements could be
real and active parts of the corporate information system and will raise many privacy and security
concerns. The IoT adds another layer to the expanding data network that will serve both for
management and the assurance functions. The IoT can be exogenous and endogenous, with
interacting elements located inside, at the boundaries, and outside the organization. While detail and
precision are of great import on day-to-day operations of organizations, for the assurance function,
and in terms of audit evidence, in certain cases, a high-level view may be of more value.
Intermediary (Boundary) Data
In addition to the elements that link the external to the internal environment, a layer of information
is often found that is external to the organizational traditional information system, but an integral part
of its information processes. This intermediate layer includes a large set of externally captured
information that is briefly captured for rapid scrutiny. For example, video from hundreds of cameras
may be scrutinized using threat detection (Weidemann, Fournier, Forand, and Mathieu 2005) or face
recognition (Jafri and Arabnia 2009) software and selectively retained based on given parameters.
This intermediate environment of much data, of variable timing, and optional registration is
highly contingent on the predicted use of data. Organizations will capture data and place it in
intermediate storage for examination, filtering, and selective retention. The same data source could
be measured both on an annual basis (e.g., one full inventory scan), or every hundredth of a second
(frequent scans to immediately identify withdrawal of inventory). Such frequency of data
generation, filtering, and retention decisions are contingent on the predicted application of data and
Volume 12, 2015
the potential value of more frequent information. Over time, new applications emerge that may
require more frequent data. For example, while one measurement of inventory can suffice for yearend verification, hourly measurements might serve to verify the dynamics of inventory usage, relate
these to employee movement, and serve to segment predicted income into very small time intervals.
Intermediary data does present some challenges for organizations. For example, internal data (e.g.,
emails, employee tracking, camera images), under current U.S. laws, are available without privacy
restrictions to employers. On the other hand, external data may or may not be available for analysis.
Big and Intermediate Data Evidence Sources
External data sources continue to expand in terms of both content and interconnectedness. The
digital domain encompasses audio, video, and textual media with a progressing amount of sensor
data (e-tracking) being generated and partially captured by measurement and storage devices. These
domains feature a set of information characteristics2 such as: permanence (transitory to permanent),
privacy (private to public), level of aggregation (fine to coarse), security (secure to open), accuracy
(exact to incorrect), and timing (past to real-time), etc.
Overall, the emerging data environment has to be evaluated in light of its impact on the
sufficiency, competence, and reliability of audit evidence. While traditional evidence tends to be
mainly archival and internal,3 the evidence typically extracted from the external environment is more
probabilistic in nature and must be considered in light of the characteristics of information. A new body
of knowledge must be created to understand this information and the emerging limitations of the
traditional audit model. This note raises some issues, discusses some technologies, and provides some
examples to stimulate research into new sets of evidence and their impact on audit judgment.
The development of applications to manage multiple operational processes contributes to
connect (exogenous) Big Data (McAfee and Brynjolfsson 2012) to corporate measurement,
management, and assurance processes. Extending the above example, cameras in the corporate
parking lot (boundary), in the streets surrounding a facility (external), and in the stores (internal)
can be used to gather a corpus of visual information brought into some temporary storage for shortterm usage. This temporary storage is a boundary area that collects information, applies
applications, and feeds a small subset of information to main corporate stores, ERPs, etc. The
aforementioned video feeds may use face recognition software to identify employees, frequent
customers, or undesirables. Selections of these comparisons are then fed into client files, customer
support systems, or the security apparatus for warning, recording, or action. Applications that
interpret external Big Data feeds and link to the organizational information systems are called
bridges. These bridges can bring important data for operations and continuous monitoring, as well
as substantive evidential matter to support a new set of assurance processes.
Evidence Considerations in an Evolving Data Environment
An Audit Ecosystem to Administer a Progressively Automated Audit
Dai (2014) has proposed the usage of the Audit Data Standard (Zhang, Pawlicki, McQuilken,
and Titera 2012) and related apps into an integrated audit of the future (Figure 2). This audit
includes a risk assessment platform generating an automated audit plan with a set of assertions, a
recommender system choosing apps, results being analyzed by routines, and the process software
2
Information theory (e.g., Shannon and Weaver 1949) and measurement theory (Mock 1976; Romero, Gal, Mock, and
Vasarhelyi 2012) can be used in the conceptualization of relationships within and among data environments.
On the other hand, direct observation and confirmations transcend organizational boundaries (e.g., bank confirmations)
and this multi-entity feature is explored as evidence.

Volume 12, 2015
FIGURE 2
Evolving View of an Automated System Using the Audit Data Standard (ADS)
From Dai (2014)
generating internal and external audit reports. At all steps of the process, software agents would be
working and generating forms of evidence (Papazoglou 2001).4
WHAT FORMS OF EVIDENCE ARE EMERGING FROM THE BIG DATA
ENVIRONMENT?
This section examines, on a more detailed level, some data generated by devices such as RFID
chips and GPS localizers, illustrating the enriched set of management processes that can be
developed through their utilization.
Audit Evidence Then and Now
Audit standards largely provide guidance related to the traditional forms of audit evidence (e.g.,
evidence generated by company or external documents) (PCAOB 2010, AS No. 15; American
Institute of Certified Public Accountants [AICPA] 2012, SAS 122; International Auditing and
Assurance Standards Board [IAASB] 2009, ISA 500) and evidence considerations in an electronic
environment (e.g., information transmitted, processed, maintained, or accessed electronically)
(AICPA 2012, SAS 122; AICPA 2006, SAS 109). However, these standards do not sufficiently
4
There are many types of software agents, such as application agents, personal agents (or interface), general business
activity agents (including information-brokering agents, and negotiation and contracting agents), and system-level
support agents (planning and scheduling agents, interoperation agents, business transaction agents, and security
agents).

Volume 12, 2015
TABLE 1
Attributes of Big Data Evidence
Evidence Characteristics
difficulty of alteration
credibility
completeness
evidence of approvals
ease of use
clarity
Considerations in Big Data Environment

external Big Data are not under the business control
data capture and preprocessing must be verified
external data are practically infinite and not always accessible
data are external
new automatic methods are being developed for this purpose
external Big Data tend to be stochastic
address the nature of evidential matter that will be necessary in the more complex and advanced
technological environment. Auditing standards require auditors to gather audit evidence that is
sufficient, competent, and reliable to support their audit opinion, but the characteristics used to
define sufficient, competent, and reliable audit evidence may not be adequate. Table 1 summarizes
the attributes in the standards required of audit evidence and issues that should be considered in a
more complex Big Data environment.
As a result, it is important to evaluate how technology can be utilized to ensure that the
attributes defined in the standards are met. Several relevant points to consider are:
1. Sufficiency (quantity) may not be the primary issue. Because new technology will allow
auditors to examine 100 percent of the population, the shift in focus will most likely relate
to timely accessibility of the relevant data and the auditors use of various data analytic tools
to analyze and interpret the data in a more meaningful and effective way.
2. Appropriateness (quality). Relevance and reliability are key issues and the traditional
approaches for their evaluation may not apply. Relevance most likely will be determined by
judgment as it is today. However, such judgment will be subject to evaluation by
formalization, as many tests will be formalized into computer procedures that do not
currently exist. Typically, automated data extraction and utilization by formal models
creates a much higher level of reliability than manual processes.
3. The sources and types of evidence are new, and how this evidence may compliment or
replace traditional evidence must be better understood by researchers and the profession.
Incorporating Modern Technology to Obtain Enhanced Audit Evidence
Incorporating advanced technology into the audit process will undoubtedly raise questions
concerning the implication of a less transparent audit trail (e.g., traceable paper documents may not
exist). Although the traditional manual audit trail has become rare, computer processes can create
logs with reasonable facility and these can be collected and processed in many ways not previously
possible. Process mining techniques (Jans, Alles, and Vasarhelyi 2010) can be used to build
relevant audit logs and create a plethora of tests that would be impractical to apply manually. For
example, each transaction can have its path evaluated and rated in terms of suspicion; each
transactions approvals evaluated in terms of segregation of duties (SOD) and rank; the networks of
people dealing with transactions traced and tracked; and etc.
Another question to consider is how traditional audit procedures should change to adapt to
technology. Audit procedures address assertions. Since assertions are driven by financial reporting
standards, they are unlikely to change, and auditors will still be required to establish audit
objectives and design their audit procedures to address these assertions. The change will instead be
driven by how technology impacts the nature, extent, and timing of audit procedures performed. For
Volume 12, 2015
example, most audit objectives and assertions will be formalized and programmed into repetitive
apps to be applied within an automated audit that will implement a formal audit plan with elements
to be repeated at predetermined times or continuously.
Finally, the risk-based nature of the audit process will need to consider the audit risks
associated with obtaining sufficient, competent, reliable audit evidence in the Big Data era. With the
advent of Big Data, the risk assessment process potentially becomes even more complex because
the unstructured nature of Big Data increases ambiguity. On the other hand, full population testing
may reduce the risk associated with certain items to zero. Thus, the challenge that auditors face
involves how they can derive value from the increased amount of information that they are exposed
to and how to ensure that audit judgments and decisions are based on quality information that is
relevant and trustworthy. The use of more sophisticated audit tools can assist auditors by
automating the collection, formatting, and mapping of key audit objectives and procedures. For
example, these audit tools will be highly structured due to the formalization of the audit plan with
preselected apps processing data at predetermined times, covering a measured range of known risks,
and using mathematically (or judgmentally) derived algorithms. Uncovered or unexpected evidence
or judgments will then be manually evaluated and the human approach captured and integrated into
the existing system. A feedback system evaluating outcomes in the short and long term will be used
to evaluate audit system performance over time.
Nature of the New Type of Evidence
Some key technical questions must be raised in the context of audit processes and audit
evidence in the modern information age: first, the role of automation; second, recency (timeliness)
of information; and third, how this ties to the traditional view of evidence.
The Essentiality of Automation
The processes of the advanced information environment are automation-based, very dataheavy, and must be synchronized. Imagining all, or even a small percentage, of telephone calls,
messages in the Internet, etc., being manually processed is absurd. The same applies to audit
processes, matching of data streams, exception analytics, and reporting. However, the top level of
the decision schema in the current technological environment must still be manual, and this equally
applies to the feedback loop applicable to formal system improvements. Schema, as earlier
discussed by Dai (2014) and Kozlowski and Vasarhelyi (2014), will serve to bring evidence
together and anchor the top-level non-formalizable audit decision process.
Capturing Evidence Every Nanosecond
The frequency of the assurance process has been discussed frequently in the literature
(Vasarhelyi and Halper 1991; Chiu, Liu, and Vasarhelyi 2014). Although strong arguments have
been made for a continuous audit (Vasarhelyi, Alles, and Williams 2010) in general, the consensus
has been that assurance must be performed at maximum at the pulse of the system. Managers
given a choice of employing very frequent usage of audit applications tend to be comfortable with a
monthly approach (Taylor 2015). However, if the automatic data traces discussed in this note
materialize, and the argument that data usage through apps and its economics dominate frequency,
then a new scenario may evolve.
The Discrepancy with the Traditional View of Evidence
An entire new, different set of evidence is evolving. This evidence is so strong that it will
pressure regulators and practitioners to bring it into consideration. However, it will present pressure
Volume 12, 2015
to reconsider traditional concepts in the audit such as materiality, independence, and method of
judgment. This evidence may be mainly based on data streams primarily used for operations and
continuous monitoring. Under the current view, their operation could be seen as forms of additional
controls or integration of controls. Furthermore, the requirements for automation will force the
formalization of evidence evaluation processes that are not available today.
Predictive Evidence
Continuous audit research (Chiu et al. 2014) focuses on a model of monitoring business
processes through selected metrics, the comparison of these metrics with standards (models) of
performance and acceptable variance, and the issuance of alarms (alerts) when an allowable
variance is exceeded. Once alarms are issued, an assessment of the nature of the alarms will lead to
an audit by exception.
Recent research has focused on improving comparison models to establish more reasonable
standards for comparison (Kuenkaikaew 2013; Kogan, Alles, Vasarhelyi, and Wu 2014).
Furthermore, the need for, say, predicting fourth-quarter levels analytically (time-series or crosssectional) and accepting reported figures if discrepancies are small has become greater, as SarbanesOxley provides a much narrower time frame to issue the annual opinion.
Stochastic Evidence
Audit evidence derived from external data tends to be more independent, but less tailored for
the actual decision process. It is reasonable to expect that much of this evidence will be stochastic
and probabilistic, and statistical methods will have to be built for its usage.
HOW CAN THESE TYPES OF EVIDENCE BE INTEGRATED INTO THE
TRADITIONAL AUDIT PROCESS?
Figure 3 is a flowchart of key business processes (Vasarhelyi and Greenstein 2003; Romero et
al. 2012). These processes are regularly examined in the annual audit and are being changed by
evolving technology. As an illustration of the changes in the business measurement and assurance
processes (Vasarhelyi and Allles 2006), Figure 3 shows arrows linking business-to-consumer (B2C)
and business-to-business (B2B) markets to the property, plant, and equipment (PP&E) process.
Current quotes and sales of equipment are used for the valuation of this account and can also be
used for the valuation of inventory. This is both a shift from the traditional cost basis toward current
market (fair) value and a way to provide assurance (if this new method of accounting is adopted) on
inventory and PP&E. Dotted arrows link sources of external data to other processes indicating some
form of validation that may be used as modern evidence.
Among these relationships, examples can be drawn that are further discussed later in this note:

Security recordings of arrivals and departures of trucks from parking lots for assuring
inventory changes.
Telephone records, associated with emails, to validate sales, ordering, and discrepancy
determinations.
Examination of video streams in network TV to confirm that ads were actually placed. These
can be linked to variations in order/sales to validate the ad efficiency promised by ad
agencies and marketing strategies.
Global Positioning System (GPS) tracks of truck trajectories to validate deliveries and
pickups. This can also support sales validation, purchase validation, efficient usage of trucks,
etc. RFID logs of items loaded in trucks would allow detailed measures of content.
Volume 12, 2015
FIGURE 3
Modern Business Measurement and Modern Assurance Using External Sources of Evidence
Sentiment analysis of social media postings to determine frequency and needs of customer
assistance, repairs, and potential reputational risk. Content analysis of this same media for
fault determination in manufactured parts.
Evidence from the Internet of Things (IoT) on energy and facility usage, individual
movement and health, and many other indices that can be used in a confirmatory or
predictive mode.
The new sources of information and their linkage to business processes, as above illustrated,
can offer an enormous set of confirmatory and predictive evidence, as well as tools for control and
continuous monitoring. The transition is expensive and behaviorally challenging, as it requires
changed behavior, management processes, and statutes.
The economics of digital innovation are different, mostly because processes will require less
manual labor and fixed costs will exceed variable costs in the development of applications to
provide information and support. The challenges are enormous, but the benefits are such that an
evolution is very likely.
These challenges include: Incompleteness of external data; stochastic relationships among Big
Data variables and internal business processes; transition from current to future status; anachronistic
Volume 12, 2015
10
FIGURE 4
Linking Inventory RFID Measures to Everything
standards; the need or lack of need for recent data; the multi-part, multi-agent problem; data relating
one-to-many and many-to-many artifacts; etc.
HOW SHOULD THE ASSURANCE PROCESS CONCEPTUALLY CHANGE?
This section examines, on a more detailed level, structural changes, nature of data streams, and
linkages of the different data environments.
Incorporating Automatic Sensing
The usage of GPS devices (Kaplan and Hegarty 2005) for localization and RFID chips for
identification opens a new chapter in automatic assurance and process management. Traditionally,
inventory verification is performed at the end of the period by physical inventory counts. If RFID
chips are embedded into each inventory item, then automatic measurement would follow (Figure 4).
The incremental cost of performing this measurement is close to zero, but overly frequent scans can
result in cumbersome data volume and, subsequently, difficult manipulation and storage. Although
this section focuses on these two artifacts, utilization of IoT in general offers enormous potential.
Linking to Other Corporate Measurement Processes
The representation of entity wealth and operations has evolved over the years into the current
set of financial statements for external consumption, but also to a much larger and complex set of
business reporting platforms, such as ERPs. These incorporate dozens of processes and thousands
of controls and reports, typically built around a relational database system and linked to a set of
legacy software. These typically store and use structured data. The new Big Data and electronic
tracking logs more likely will be unstructured and stochastic in the information they provide.
Volume 12, 2015
11
Linking with Inventory Arrivals

Although taking inventory counts every millisecond may not be useful, monitoring inventory
arrivals may serve to manage and verify part of the P2P process (Figure 4). If this process is
extended with GPS and partnered with suppliers it can verify supplier provisioning and so on. This
external linkage with relevant processes of business partners can potentially represent a major
change in business and assurance process thinking. Vasarhelyi (2003) proposed, prior to many of
these technical developments, peer matching (confirmatory extranets) of cooperating parties as a
substantively improved confirmation process (Dull, Tegarden, and Schleifer 2006).
Linking Inventory Departures with the Sales Process
Although taking inventory counts every millisecond may not be apparently useful, monitoring
inventory movement may serve to connect with cash registers, receivables posting, out-shipping
processes, etc. This may also serve to manage and verify another part of the P2P process (Figure 4).
Extending this verification to large clients, tax collection entities, and service providers will blur the
currently tight boundaries of the business process. Industrial processes that manufacture
continuously are often automated, with links and sensors to most elements. Business processes
are still reasonably manual with strong human components, although the most manually repetitive
processes are being rapidly automated (Monga 2015).
The digital trace of inventory measurements can be linked to sales records, electronic cash
registers, supermarket checkouts, and theft detectors at store exits (Figure 4). Depending on the
accuracy and completeness of these links, they can be seen as part of a larger and more complex
corporate measurement, control, and assurance ecosystem, or even as just one large system.
Eventually, much of these management control and assurance processes will focus on exception
examination and diagnostics, while the core processes will be performed automatically.
The value of more frequent automatic data collection depends on the applications developed
to use this data.
It must be noted that the development and utilization of these close-to-the-event data flows
depends on a series of technologies and applications being piggybacked (Vasarhelyi 2015) and
the intrinsic characteristics and liabilities (threats) brought in from this process.
Automatic confirmations are only one example of the disruptive technological change
eventually affecting assurance.
Much of the extant concern in assurance is with population integrity and computational
correctness. If this integrity is assured by a series of automatic close-to-the-event control
processes that auto-self-verify, then the emphasis and focus of audit will change.
The matching/integration problem of progressively adding new sensing data streams

(Hoogduin, Yoon, and Zhang 2015) is the general concern faced by automatic confirmations. Some
processes are totally within the system and can be fully engineered, while others depend on
measuring and aggregating streams of data outside the controlled environment on which very little
influence is exerted.
The Multi-Party Problem
A corporation has a large set of frequent partners among its suppliers, customers, service
providers, government entities, and regulators. Setting up automatic confirmations for regular highvolume partners (Figure 4) with peer-to-peer confirmatory pinging is of mutual benefit and will
provide the basis for improved processes. Establishing these relationships for one-time (e.g., single
Volume 12, 2015
12
sale) or seldom performed transactions poses a different problem and is subject to different
economics. Some type of extensible protocol, of adaptable characteristics, that can identify types of
relationships and benefit from the open transport nature of the Internet, has to be developed. The
lower end of the transaction stream, such as an individual buyer, may not have the same storage and
information processing capabilities as a corporation, but still has confirmatory streams from
secondary sources such as credit card records of purchases, carrier receipts from deliveries, etc. It is
nave not to expect certain root transactions to be non-confirmable, such as cash transactions in a
store.
XML was developed as a protocol to allow for multiple forms (extensions) of communication
interchange standards typically tied to an industry (e.g., XBRL), but conceivably can be adapted to
be used in the above multi-party problem. XMLs goal was to create interoperability between
processes and has been applied in multiple industries. Tagging can also be used for confirmatory
flags for different types of assurance functions.
In addition to their potential value as confirmatory evidence of the performance of business
processes, the utilization of these interlinked processes portends opportunities for management
through continuous monitoring of product, money, and information flow.
Connecting to the External Environment (Closed and Open Loops)
Figure 4 also illustrates the environment with multiple suppliers and customers, some of which
are too small or unwilling to participate on a closed loop with the organization being considered.
For example, ABC Company opens a relationship with a bank (or a supplier, or a customer). The
contractual agreement includes a protocol definition of mutual pinging for confirmations and access
to defined files, data streams, and protocols desired not only for electronic confirmations, but also
for expanded digital stream cooperation with access to ordering, storage, logistics, and other
streams of data. In this case, a closed loop of verification and information can be derived not only at
the individual transaction level, but also at summaries and aggregate numbers. A closed loop of
information is established and improved supply chain accuracy is obtained with joint processes of
error correction and process management.
This type of internal-external tight linkage can already be found in processes such as suppliermanaged inventory and automatic reorder in inventory optimization. However, there is always
serious hesitation to allow third parties to observe/change the organizations internal data streams.
If this closed loop is not obtained, then organizations may be able to resort to secondary
observation out of the boundaries of the corresponding partners. Typically, these measurement
streams are much less accurate than direct connectivity, but still may be useful for many purposes.
Direct measurement at a detailed level offers great benefits. Assurance verification processes may
not need to exist if the operations are automatically monitored. The analogy is that early IT audits
were concerned with hardware computational errors and, progressively, this concern disappeared
due to inherent hardware controls.
Auditors may be able to rely on operation controls and remedial processes without having to
monitor certain data flows. The level of aggregation of auditor control and action, the circumstances
where auditors should be part of the transaction stream, and the principles, regulations, and methods
of audit in this environment are still open questions for research. An interesting additional set of
questions relates to the types of anomalies, frauds, and serious risk operational issues that can arise in
this environment. The third set of questions that applies in most technological environments is what
type of utilization of technology also emerges as a threat to be incorporated into audit concerns.
Figure 4 also includes three sources of Big Data: emails, social media, and security videos. All
of these sources may be from inside or outside the system. The consideration that arises with the
usage of external Big Data is its availability. Users of social media became more selective on their
Volume 12, 2015
13
sharing habits and social media providers, pressured by public opinion, improved privacy for their
users. However, there are still enormous pools of public data that social media companies provide
to users and data assemblers for summarization and analysis. Third-party vendors (e.g.,
doubleclick.com) assemble private and public datasets to provide better pictures of Internet
commerce usage and trends. Important ethical, legal, and logistic issues arise. For example, the
right to be forgotten (Eugen and Marius 2013) raises issues of retention of public data.
Is it Really Evidence?
Several issues and a progressive view of the IT environment permeated by discussion of
evidence and audit procedure are presented in this note. These raised a series of questions about
audit evidence. The following are statements related to new or slightly different forms of audit
evidence:

No anomalies were extracted from the transaction stream.

Top key risk indicators were stable over the current period.
Our records and those of third parties match in 98 percent of the instances and in 94 percent
of values.
Systems have been down for 2.5 percent of the time.
The auditors predictive model is 3 percent below managements numbers.
Our Watson-based inference (Wallace-Wells 2015) system rates the client to be 97 percent
likely to have his financial statements fairly stated.
Research is needed to determine how these forms of evidence can be incorporated into the current
auditing framework, how this framework should be changed, the evolutionary approach to change
from the current to the future model, and, finally, the roles, competencies, and functions of the
human auditor in this future environment.
A parallel question that must be raised concerns the audit itself, in light of large sets of
interlinked, mutually trusting systems producing consensus numbers. What is its value added?
What additional functions must it provide? What is going to be the evolutional path?
CONCLUSIONS
The concept and nature of audit evidence is changing due to the emergence of Big Data, digital
evidence, and electronic traces propitiated by RFID, GPS, and IoT recording. The consequence of
these events is a progressive overlap between management, management control, continuous
monitoring, and continuous auditing functions that must be somewhat re-conceptualized. Auditing
systems will likely be complete ecosystems with layer over layer of data treatments and largely
automated processes. The upper layers will be the complex set of decisions that lead to a final
opinion or a final assessment of a complex process. The upper layers of assurance decision will be
constantly monitored and serve for adding improvements and create better man-machine
performance in assurance.
Evidence will be exponentially expanded in volume, and analytics will serve to summarize and
explain its meaning. Analytics to be used will vary within the context, but will generally be strongly
based on automatically sensed data, will be stochastic, and will constantly be scrutinized for
effectiveness.
Limitations
This note is speculative in nature, aiming at exposing forthcoming technological data
environments and their interpretation. Its main benefit is to initially raise issues and potentially
Volume 12, 2015
14
discuss factors relating to these issues. The main purpose is to call the attention to research
questions and motivate researchers to embark in their investigation. The main limitation of this note
is that the best it can hope for is to be directionally correct and to propitiate thinking and research on
a wide gamut of related topics.
Some Research Issues
Evidence in the future audit will use different fields of knowledge that range from computer
science to microelectronics, industrial engineering, statistics, and auditing. Some of the interesting
issues raised throughout this paper include:

The level of aggregation of auditor control and action.

The circumstances in which auditors should create monitoring transaction streams.
The principles, regulations, and methods of audit in this projected environment.
The types of new anomalies, frauds, and serious risk operational issues that can arise in this
environment.
Types of utilization of technology that emerge as a threat to be incorporated into audit
concerns.
What are the above threats?
Methods of the formalization of evidence evaluation processes.
The role and location of analytics in the audit process.
How can extant audit evolve to a Big Data-enriched method of assurance?
What are the assurance products of the auditor in this environment?
Will the current audit profession evolve to be the main provider of these products?
REFERENCES
American Institute of Certified Public Accountants (AICPA). 2006. Understanding the Entity and Its
Environment and Assessing the Risks of Material Misstatement. Statement on Auditing Standards No.
109, AU Section 314. New York, NY: AICPA.
American Institute of Certified Public Accountants (AICPA). 2012. Audit Evidence. Statement on Auditing
Standards No. 122, AU-C Section 500. New York, NY: AICPA.
American Institute of Certified Public Accountants (AICPA). 2015. Continuous Auditing and Audit
Analytics. Monograph. New York, NY: AICPA.
Chui, M., M. Loffler, and M. Roberts. 2010. The Internet of things. McKinsey (March). Available at: http://
www.mckinsey.com/insights/high_tech_telecoms_internet/the_internet_of_things
Chiu, V., Q. Liu, and M. A. Vasarhelyi. 2014. The development and intellectual structure of continuous
auditing research. Journal of Accounting Literature 33 (1/2): 3757.
Dai, J. A. 2014. Recommender Model for Audit Apps using the Audit Data Standard. Unpublished
dissertation, Rutgers, The State University of New Jersey.
Du, H. and Y. Cong. 2015. Going cloud for agility: Beyond financial, system, and control motives. Journal
of Emerging Technologies in Accounting 12 (1).
Dull, R. B., D. P. Tegarden, and L. L. Schleifer. 2006. ACTVE: A proposal for an automated continuous
transaction verification environment. Journal of Emerging Technologies in Accounting 3 (1): 8196.
Eugen, C., and C. Marius. 2013. Right to be forgotten. Anales Universitatis Apulensis Series Jurisprudentia
(16). Available at: http://www.journals.uab.ro/index.php/auaj/article/view/53
Goldman Sachs. 2014. The Internet of Things. Available at: http://www.goldmansachs.com/our-thinking/
outlook/iot-infographic.html?cid=PS_02_89_07_00_00_00_01I
Hoogduin, L., K. Yoon, and L. Zhang. 2015. Integrating different forms of data for audit evidence: Markets
research becoming relevant to assurance. Accounting Horizons 29 (2): 431438.
Volume 12, 2015
15
International Auditing and Assurance Standards Board (IAASB). 2009. Audit Evidence. International
Standard of Auditing No. 500. New York, NY: IAASB.
Jafri, R., and H. R. Arabnia. 2009. A survey of face recognition techniques. Journal of Information
Processing Systems 5 (2): 4168.
Jans, M. J., M. Alles, and M. A. Vasarhelyi. 2010. Process Mining of Event Logs in Auditing: Opportunities
and Challenges. Available at: http://papers.ssrn.com/sol3/papers.cfm?abstract_id2488737
Kaplan, E., and C. Hegarty, eds. 2005. Understanding GPS: Principles and Applications. Norwood, MA:
Artech House.
Kogan, A., M. G. Alles, M. A. Vasarhelyi, and J. Wu. 2014. Design and evaluation of a continuous data
level auditing system. Auditing: A Journal of Practice & Theory 33 (4): 221245.
Kopetz, H. 2011. Internet of things. In Real-Time Systems, 307323. New York, NY: Springer.
Kozlowski, S., and M. A. Vasarhelyi. 2014. An Audit Ecosystem: A Starting Point with Definitions,
Attributes, and Agents. Working paper, CarLab, Rutgers, The State University of New Jersey.
Kuenkaikaew, S. 2013. Predictive Audit Analytics: Evolving to a New Era. Ph.D. dissertation, Rutgers, The
State University of New Jersey.
McAfee, A., and E. Brynjolfsson. 2012. Big Data: The management revolution. Harvard Business Review
(October): 6066.
MIT Technology Review. 2015. The 20 most infamous cyberattacks of the 21st century. (August 25).
Available at: http://www.technologyreview.com/view/540786/the-20-most-infamous-cyberattacksof-the-21st-century-part-i/?utm_campaignnewsletters&utm_sourcenewsletter-daily-all&utm_
mediumemail&utm_content20150825
Mock, T. J. 1976. Measurement and Accounting Information Criteria. No. 13. Sarasota, FL: American
Accounting Association.
Monga, V. 2015. The new bookkeeper is a robot. Wall Street Journal (May 5). Available at: http://www.
wsj.com/articles/the-new-bookkeeper-is-a-robot-1430776272
Papazoglou, M. P. 2001. Agent-oriented technology in support of e-business. Communications of the ACM
44 (4): 7177.
Public Company Accounting Oversight Board (PCAOB). 2010. Audit Evidence. PCAOB Auditing Standard
No. 15. Washington, DC: PCAOB.
Romero, S., G. Gal, T. J. Mock, and M. A. Vasarhelyi. 2012. A measurement theory perspective on
business measurement. Journal of Emerging Technologies in Accounting 9 (1): 124.
Shannon, C. E., and W. Weaver. 1949. The Mathematical Theory of Information. Urbana, IL: University of
Illinois Press.
Shepard, S. 2005. RFID: Radio Frequency Identification. Boston, MA: McGraw-Hill Professional.
Taylor, P. 2015. The Rise of the Robot Auditor. Presentation at the Transformative Technology Workshop
of the AAA SET Section in Chicago, August.
Vasarhelyi, M. A. 2003. Confirmatory Extranets: A Methodology of Automatic Confirmations. Newark, NJ:
Rutgers, The State University of New Jersey.
Vasarhelyi, M. A. 2015. The New Scenario of Business Processes and Applications on the Digital World.
Working paper, CarLab, Rutgers, The State University of New Jersey
Vasarhelyi, M. A., and F. B. Halper. 1991. The continuous audit of online systems. Auditing: A Journal of
Practice & Theory 10 (1): 110125.
Vasarhelyi, M. A., and M. Greenstein. 2003. Underlying principles of the electronization of business: A
research agenda. International Journal of Accounting Information Systems 4 (1): 125.
Vasarhelyi, M., and M. Alles. 2006. The Galileo Disclosure Model (GDM): Reengineering Business
Reporting through Using New Technology and a Demand Driven Process Perspective to Radically
Transform the Reporting Environment for the 21st Century. Available at: http://raw.rutgers.edu/gdl/
Galileo
Vasarhelyi, M. A., M. G. Alles, and K. T. Williams. 2010. Continuous Assurance for the Now Economy. A
Thought Leadership Paper for the Institute of Chartered Accountants in Australia. Available at: http://
www.charteredaccountants.com.au/;/media/Files/News%20and%20media/Reports%
20and%20insights/continuous_assurance_for_the_now_economy.ashx
Volume 12, 2015
16
Vasarhelyi, M. A., A. Kogan, and B. Tuttle. 2015. Big data in accounting: An overview. Accounting
Horizons 29 (2): 381396.
Wallace-Wells, B. 2015. As Jeopardy robot Watson grows up, how afraid of it should we be? New York
Magazine. Available at: http://nymag.com/daily/intelligencer/2015/05/jeopardy-robot-watson.html
Wei, J. 2014. How wearables intersect with the cloud and the internet of things: Considerations for the
developers of wearables. Consumer Electronics Magazine, IEEE 3 (3): 5356.
Weidemann, A., G. R. Fournier, L. Forand, and P. Mathieu. 2005. In harbor underwater threat detection/
identification using active imaging. In Defense & Security, 5970. Bellingham, WA: International
Society for Optics and Photonics.
Weinman, J. 2013. Cloudonomics: The Business Value of Cloud Computing. New York, NY: John Wiley &
Sons, Kindle Edition.
Zhang, L., A. Pawlicki, D. McQuilken, and W. Titera. 2012. The AICPA Assurance Services Executive
Committee Emerging Assurance Technologies Task Force: The audit data standards (ADS) initiative.
Journal of Information Systems 26 (1): 199205.
APPENDIX A
Figures 1-4: http://dx.doi.org/10.2308/jeta-10468.s01

Volume 12, 2015
Copyright of Journal of Emerging Technologies in Accounting is the property of American

Accounting Association and its content may not be copied or emailed to multiple sites or
posted to a listserv without the copyright holder's express written permission. However, users
may print, download, or email articles for individual use.

Big Data and Audit Evidence

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Big Data and Audit Evidence

Încărcat de

Drepturi de autor:

Formate disponibile

JOURNAL OF EMERGING TECHNOLOGIES IN ACCOUNTING

American Accounting Association