Use of Python Audit Data Analytics Routines by AICPA
The reliance on open-source technologies like Python and R in audit processes and the need for auditors to carefully assess these tools
Auditing standards emphasize the need for a thorough assessment of risks associated with the use of IT applications and technology resources by reporting entities. Auditors must not only understand the systems they audit but also take responsibility for the tools and software they themselves use during audits—especially third-party applications and open-source software.
However, despite the increasing reliance on these tools, there is a gap in how auditors assess and document the appropriateness of the open-source libraries on which these tools are built. The AICPA's published guidelines on Audit Data Analytics (ADA) routines rely on popular open-source packages like NumPy and Pandas, but these publications do not address the inherent risks posed by their use.
Consider the Pandas library, one of the most widely used tools in data analytics. A search for critical security issues in these packages reveals that on May 15, 2020, a critical security vulnerability (CVE-2020-13091) in Pandas' read_pickle() function was identified. This vulnerability, which could potentially allow malicious actors to execute arbitrary code, remains unresolved to this day.
Why?
Because the Pandas development team has placed the responsibility on the CPython team, claiming the issue originates upstream. When multiple projects interact—such as Pandas and CPython—issues can go unaddressed for years, as responsibility is shifted from one team to another. Using such tools exposes auditors to certain incremental risks (even though these risks undoubtedly are outweighed by the benefits).
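As an added example, not code from the AICPA publications or the pandas project, here are two defensive controls an audit team can apply to a .pkl file before it ever reaches read_pickle(): the first lists which importable globals the file references without loading it (using the standard-library pickletools), and the second loads only plain data and refuses anything that names a global. The sample pickles are constructed inside the block.

```python
import builtins
import datetime
import io
import pickle
import pickletools
# Added example, not pandas or AICPA code. Unrestricted unpickling (what
# pandas.read_pickle performs) imports and calls whatever global the file names:
# the code-execution risk behind CVE-2020-13091. Control 1 lists the globals a
# pickle references without loading it; control 2 loads plain data only.
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
MEMO_PUT_OPS = {"MEMOIZE", "BINPUT", "LONG_BINPUT", "PUT"}
MEMO_GET_OPS = {"BINGET", "LONG_BINGET", "GET"}

def referenced_globals(data):
    # Returns the (module, name) pairs the pickle would import, without loading it.
    found, strings, memo, last = [], [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        if op.name in MEMO_PUT_OPS:        # memo stores the top of stack (MEMOIZE has no arg)
            memo[len(memo) if arg is None else arg] = last
            continue
        if op.name in STRING_OPS:          # a string literal is pushed
            last = arg
        elif op.name in MEMO_GET_OPS:      # a memoized value is pushed again
            last = memo.get(arg)
        else:                              # no other opcode pushes a string
            last = None
        if isinstance(last, str):
            strings.append(last)
        if op.name == "GLOBAL":            # protocol <= 3: arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":    # protocol >= 4: pops the two newest strings
            found.append((strings[-2], strings[-1]))
    return found

SAFE_BUILTINS = {"dict", "list", "set", "frozenset", "tuple", "int", "float", "str", "bytes", "bool"}
class RestrictedUnpickler(pickle.Unpickler):
    # Refuse every global except plain-data builtins (the pattern from the pickle docs).
    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError("forbidden global %s.%s" % (module, name))

def is_plain_data_pickle(data):
    try:                                   # True when loadable under the allowlist
        RestrictedUnpickler(io.BytesIO(data)).load()
        return True
    except pickle.UnpicklingError:         # False when a forbidden global is named
        return False

# Constructed samples: a plain ledger record, and a pickle naming a global (a
# harmless datetime.date here; a hostile file can name any importable callable).
LEDGER_PICKLE = pickle.dumps({"account": "1234", "amount": 10.5})
GLOBAL_PICKLE = pickle.dumps(datetime.date(2020, 5, 15))
```

A real DataFrame pickle references pandas and numpy internals and would also be refused by the allowlist, which is the point: pickles from outside the firm should be inspected with referenced_globals() and, where possible, replaced by a data-only format such as CSV.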
The Implications for Audit Firms
Audit firms that rely on Python routines, including those published by the AICPA, need to carefully evaluate the following risks:
Dilution of Accountability: When software vulnerabilities arise, it may be unclear who is responsible for resolving them. This complicates risk management and can leave firms exposed to unresolved security issues.
Lack of Formal Control Over Program Changes: Open-source libraries are subject to frequent updates and changes, but firms using these tools may not have the oversight needed to ensure that changes do not introduce new risks or impair audit quality.
Delayed Responses to Critical Issues: The protracted resolution timeline of critical vulnerabilities like CVE-2020-13091 shows that open-source projects may not prioritize the same security concerns that auditors and audit firms do. This could lead to increased vulnerability for firms that fail to monitor updates closely.
What Audit Firms Should Do
Given these challenges, audit firms need to adopt a more proactive approach to evaluating and managing the risks associated with open-source tools. Here are three steps they should consider:
Conduct a formal risk assessment of the technologies used.
Continuously monitor and address newly identified critical security vulnerabilities in relevant open-source packages.
Implement quality controls that address the risks of unauthorized changes in packages that are used in ADA routines.
Conclusion
Open-source tools like Python and R provide great social value and can be used to improve the quality, speed, and cost-effectiveness of audits. However, these benefits come with risks that require auditors’ special consideration. By formalizing risk assessments, clarifying accountability, and actively monitoring security vulnerabilities, audit firms can continue to leverage these powerful tools while protecting the integrity and reliability of their audit processes.