With several tax cases in which AI has been used and provided incorrect or misleading information, we outline how to apply the five fundamental ethical principles to AI use.
ISA 600 on group audits was revised, effective for audits of financial statements for periods commencing on or after 15 December 2023. These changes are quite wide ranging, particularly when it comes to the treatment of component auditors. We go through the details.
Host
- Philippa Lamb
Guests
- Sophie Wales, Director of Regulatory Policy at ICAEW
- Catherine Hardinge, Partner, Price Bailey
Producer
- Natalie Chisholm
Transcript
Philippa Lamb: Hello, welcome to Accountancy Insights. We've got two topics for you today: the big questions accountants need to ask when they use AI for tax work and best practice in group audit following the revisions to ISA 600. Sophie Wales will be joining us again remotely, this time to discuss the first topic. She's director of regulatory policy at ICAEW and Price Bailey partner Catherine Harding is here to talk about group audits. Both of them have been involved with producing guidance on their respective topics. Just before we start, I'm hoping you all now know that this podcast counts towards your annual CPD, if you log your listen on the ICAEW website. You do need to do that every time, fortunately, it's very quick to do. And as you all know, you can subscribe to the podcast on any app to make sure you catch every upcoming episode. Now, tax and Sophie Wales, nice to see you again, Sophie.
Sophie Wales: And you, Philippa.
PL: AI, it's the big question around so much of accountancy work right now. Tell us about the background for this new guidance about using AI, specifically in tax.
SW: AI is becoming so widespread in its use that ICAEW and the other bodies who author the professional conduct in relation to taxation decided that we should produce some guidance on the ethical use of AI for members working in tax. Because I think there's a nervousness among members around you using AI for fear of falling foul of professional body expectations. But at the same time, AI is here to stay, and it does represent an opportunity for firms if it's used in the right way. So we really felt that guidance was needed. And there have also been a few high profile cases where professionals have used AI to their detriment, in particular where the AI has fabricated case law that a professional has then relied upon.
PL: Yeah, there have been some less than ideal outcomes there haven't there? Clearly, there are concerns, and quite justifiably so, tax accountants need to understand the pitfalls. So how did you set about the guidance then?
SW: So the topical guidance was produced by a working group with representatives from all of the professional bodies, and I chaired that group, and the guidance is intended to be read alongside the main PCRT guidance. So what that guidance does is it explains what we mean by AI, but briefly, because we're not this is not technical guidance. Give some examples of how AI tools are being used in tax work, and then it considers the use of AI tools in the context of the fundamental principles within PCRT. So it identifies possible ethical risks and the safeguards you could put in place if you needed to. So really, what this guidance does is it explains how to apply the ethical principles in an AI context. So it's just joining the dots for members.
PL: And you've pulled up five specific ethical principles. Do you want to run us through them?
SW: People will be familiar with these principles, because they are the ones within the main code of ethics, and then they're also the principles that form the bedrock of PCRT. So the first one of those is: integrity, and what integrity requires is that members should be straightforward and honest in their professional work. And what this means in our context here is considering the level of transparency you provide to clients about the use of AI tools. Now clearly that's going to depend on how fundamental the use of AI has been in producing the client work, but if it's been a large part of it, then it seems fair that a client knows that that's what's happened. And the other part of integrity is members making sure they're not associated with misleading information. So as I mentioned a moment ago, for example, the AI may have fabricated or hallucinated some of the information it presents to you as if it's fact. So it's really important that you sense check that output.
PL: So objectivity is the key point there?
SW: Yeah, well, I think objectivity is maybe one of the key of the of the five principles when we're talking about use of AI in tax work, and it's all about avoiding bias. So there's two main elements to this. The first one is not assuming that if a computer gives you the answer, it must be right, and it is tempting to do that, but that is known as automation bias. And the second element is being aware of bias in the results that the AI produces for you, because if the AI has drawn on sources that include biassed data or biassed views, then this could be reflected in the output that the AI tool gives you. And it's really important that members are alert to the risk of bias in the output, and that you review it to see if certain groups perhaps are disproportionately affected in what the AI has produced. And one example of this is, I think it's Amazon in the US, used AI to screen applicants for senior roles, and the AI identified that nearly all people in those senior roles were men. So it screened out all the female applicants on the basis that, you know, the data it had seen showed that it should be men in those roles. So you have to be alive to the fact that it might give you results with that kind of outcome.
PL: It’s tricky that, isn't it? Because some bias, like that example, is going to leap to the eye if you review what you've got properly. Some is going to be about the training data – the data the AI has been trained on – and you won't necessarily know what that is or what its inherent biases it might conceal, will you?
SW: No, you won't. And so I think actually, it's just about being alert to the fact that there could be bias there, and just taking a step back and having a think about what it's telling you. And some AI tools are a bit more transparent in terms of: these are the sources we've looked at to give you this answer. And if that's the case, then you could have a quick look at the sources, and are they reliable? And is something where you would have concern that what it's giving you is perhaps not a fair, unbiased result?
PL: So we've had integrity, we've had objectivity, and number three?
SW: Professional competence and due care. This, I think, of the five with objectivity, I think this is also the really key principle to bear in mind. Professional competence is all about members carrying out their work properly to a professional standard. So in an AI context, I think it's making sure that you're sufficiently competent in using the AI tool and that staff receive appropriate training on what they should be doing with it and what they shouldn't be doing with it, probably. And linked to what we were just talking about, performing some kind of due diligence or sense check on the output from the AI tool, and part of that is applying professional scepticism to determine whether what you've been given – does it accurately represent the client's specific circumstances? Does it align with the legislation? etc, etc. So the key thing here is that a member is always accountable for the work they produce, regardless of whether AI has been used to develop that work.
PL: Always human oversight…
SW: Absolutely.
PL: Number four on my list is data security.
SW: Yeah, so confidentiality, and the main risk that regulators have been concerned about with this is that somebody could naively input client data into a publicly available AI model, and this would be a breach of confidentiality, because that data has now been sucked into the AI tool. It's part of its source data, and you can't get it back again. So what this guidance is trying to do is just warn people to be careful what they put in these tools. And it's really important that if you are going to be putting client data in a tool that it's anonymised. But that may not always be enough, because there's still a risk that the nature of the client means that they could still be identified, even if you've taken their name out, because it might be an unusual client or it might be a high profile organisation, and actually, other tools or other people might be able to put two and two together and work out how you're talking about, so the message there is caution.
PL: And digging into the privacy settings, tedious as that might sound.
SW: Yeah, absolutely. And some of our firms have developed their own AI tools that are internal to their organisation and are effectively locked down to prevent that from happening. So their staff know that they can use that tool, and that information is not going out into the wider world.
PL: But presumably, most accountants aren't using those in house tools. Are they? This is larger firms, so smaller firms will be using generic tools.
SW: Yeah, probably. You'd expect that the smaller firms are using the publicly available tools.
PL: So number five, the last one: professional behaviour.
SW: This is something that always applies to whatever context you're looking at, but for completeness, I think it's worth just touching on what that may mean in a tax AI context. So one part of this is exercising some caution when you use an AI tool to come up with tax planning ideas or tax planning advice, because there's a risk there that the solution it comes up with is something that would breach the standards for tax planning within PCRT, because it's highly contrived or highly artificial, or goes against the clear intention of parliament. So again, you can't say, "well, the AI tool came up with the wizard planning idea, so it's not, not my responsibility". And the second element of it is, if you use an AI tool to generate correspondence, for example, which a lot of people do use it for in many contexts, you just need to make sure that the tone and the content is appropriate. Again, you don't want to inadvertently send a letter to HMRC that is maybe not making your point in a professional way.
PL: So if you were to think about the overarching message here, Sophie, for accountants using AI in this way, what would it be?
SW: I think the most important thing for members to take away is that they are always accountable for the work they produce, regardless of whether AI has been used as part of the production of that work. So professional judgement is key to sense check whether what the AI is telling you is right and not just blindly relying on it.
PL: Thanks, Sophie, and of course, you can find a link to that guidance in the show notes.
PL: Now let's move on to group audits and the revisions to ISA 600. Catherine Hardinge is with me. Hello, Catherine.
Catherine Hardinge: Hi Philippa.
PL: So this change, it came in some time ago, didn't it? But it's significant enough... you put together a guide, haven't you with ICAEW on the changes? What exactly is it that's making it so tricky?
CH: I think one of the key aspects that change in the standard is that they removed something called significant components, and that term really used to drive how the audit was approached. Now removing that means that actually now you have to focus very much more on your risk assessment. So there's been a fundamental change in the way that you now look at these audits. It's very much looking at it more from a top down approach, rather than a binary approach as to whether something was purely significant or not significant.
PL: Okay, so this is about using judgement more?
CH: Yes, there's a lot more judgement involved now. You really need to understand how the group is made up, where all the different risks are, because where that clear line used to be, if something was a significant component, it would have to have a full audit. That's now gone, which means you have to use judgement now to try and work out how much work is going to be needed on those different components and the best way to approach that.
PL: This is a big mindset change, isn't it? I mean, obviously it's early days, but in your judgement, so far, how well are firms getting on with applying it?
CH: I think there's been a bit of a mix. I think there will be some firms that haven't really appreciated the significance of the change. Part of the changes were just updating for other standards that have changed. So ISA 315, and ISA 220, but that whole removal of significant does mean you do need to change that approach, and I think some firms have probably missed that at the moment. There's a lot more involvement now that you need from the component auditors that you didn't used to have, and changes around that as well. So where you have used to perhaps send a checklist out to the component auditors – that comes back, you'd review it, they'd do some work, send you an updated checklist, and that would be it. Now there needs to be that much more engagement with them.
PL: Should we get into some of the detailing? Because there's an important point to note about how component is actually defined now, isn't there?
CH: Yeah, so when you're thinking about your different components, you've got to think about the different risk attributes and then determine how much work you're going to do. So it's no longer just thinking about the financial size of a component. It's actually thinking about where the risks are. But it's also broader now. So it isn't just talking about subsidiaries where the focus used to be, you've now got to think about, well, maybe there's branches or different operations in different jurisdictions that you actually need to take into account as well.
PL: And we've got another big change about the treatment of component auditors, haven't we? What do the firms need to know there?
CH: Well, component auditors are now part of the audit team, which actually means you've got to assess their competency, you've got to make sure that they are aware of all the standards that they need to apply locally, whether that's the UK pluses on our auditing standards, which will be different from the international versions, but also the UK ethical standard. But it's also now having to be more involved in the audit of those different components, so it's having lots of communication with them, really understanding that actually you need to be involved and help direct the audit work that you need them to do for the group.
PL: So this is going to come down to how you format the work, isn't it?
CH: Yeah, documentation with group audits has always been challenging. It's definitely harder now with this and you find different software providers have slightly different solutions. A number of them are trying to find better solutions to try and help document this work. And it also depends on whether you know you might be auditing all of the subsidiaries yourself, and you might have separate files for those, whereas others you've got components, so you want to bring it into the group audit file. So there's lots of things to think about when you're doing your documentation.
PL: Do you want to give us a couple of examples of what good would look like, maybe when it comes to comms between the group and component auditors?
CH: I think when you're looking at how you communicate with the component auditors, the thing is the timing. You need to make sure that actually, you plan far enough in advance and you make it clear to them what they're going to be expected to do. If not, there's a risk that they'll go off and do their local audit and won't cover the things that they need to from the group. So it's really important that they also share information with you. So it has to be two ways. They might come across a real significant issue when they're doing their audit. You need to know about it for your group audit earlier in the day – you don't want to wait for that final report to come through.
PL: And then there is component materiality. How are firms going to be deriving that now?
CH: Well, when you're looking at components, you fully set a performance materiality level for those individual components. Now that is going to require a lot of judgement, and it's going to depend on the nature of the group, how that is divvied up amongst the different components to some extent. You'll have to look at where there is aggregation risk. So what we mean by that is you could have different errors in different components, which, when they come together, could end up being material at a group level. So where you've got complex groups and a number of different components. You're probably going to set a much lower performance materiality than you are if you've actually got quite a simple one with, say, one trading company, one company that holds the property, then actually that's going to be quite straightforward, and you're going to have a much higher performance materiality.
PL: There’s going to be some scenarios where it is complex, some less so. But you need to understand that at the outset which you're dealing with.
CH: Yeah, and you will find that in some situations, and quite often, actually, when you add up the different component performance materiality, that will exceed the total group performance materiality. And that's fine.
PL: This all means more documentation, right?
CH: Yes. (laughs)
PL: Okay, so tips on best managing that?
CH: I think it's making sure that you have really documented your thought process about how you're going to approach the audit, making sure that that communication with the component auditors is clearly documented. So thinking about… actually you might have a large number of subsidiaries in the past, which were all quite small, and therefore you didn't have to do much audit work on them at all because they weren't significant. Now you will do now you'll need to think about where those risks are and how you actually document those changes and how you apply them. It's going to need to be quite clear from somebody else looking at the audit file. And what you need to make sure is, as well, that sometimes we audit all the subsidiaries within the group, and therefore you assume that a lot of the information you already know because you're auditing those companies, but what you need to do is make sure they're sufficient within that group file that makes it clear actually what the group risks were, not just what necessarily was being the parent company. So it's making sure that you have a good story on the file.
PL: Now, as I said at the top, fortunately, there is now a guide, the guide that you've been working on for the best part of the year, I think, isn't it? Tell us a bit more about that.
CH: The guide covers lots of different attributes. It does look at it from the different groups. So there's a huge focus on planning. So it gives you guidance about things like how you're going to scope which components into your audit work. Talks about component performance materiality, and talks about some of those factors you need to consider when you're looking into that. There's also some helpful tips as well from when you're actually the component auditor, because actually, there's lots of things you need to consider in there as well about how much information you can give to the group auditor. But there's also some practical logistics and reporting guidelines in there as well.
PL: So read the guide. There'll be a link in the show notes to find it. Just to wrap it up, Catherine, your most important piece of advice for auditors thinking about doing this now and edging into this new reality?
CH: Plan early. I think you've really got to make sure that you understand that group, spend that time at that planning stage... really understand it. And the guide is there, so you can just literally pick and choose the bits that you need to read. It's not something you need to read from the beginning to the end in one go. The bits that you're struggling with – have a look.
PL: Thanks very much indeed, Catherine.
CH: Thank you.
PL: Head to the show notes for those links. If you want to dig deeper into either of the subjects we've tackled today, the next behind the numbers is all about the C-suite. How do you get there? What are the traits, skills and capabilities you will need to fit right in and keep an ear out for more MTD coverage on the podcast soon as we approach the introduction of MTD for income tax, plus the ongoing changes to FRS 102 and 105: How are they reshaping corporate reporting? If you enjoyed this episode, please do review the series on your app. As you will know, more reviews encourages the algorithms to spread the podcast more widely, and the more accountants it reaches, the happier we are. Thanks for being with us.
