Most organisations could not now operate without the digital information systems on which we have all – professionally and personally – become so dependent. Audited entities are no exception: they rely on information technology (IT) to process and maintain data that underlies financial reporting processes and financial statements, and management relies on the associated controls over financial reporting and reports to perform functions that are relevant to the audit. It follows that the auditor must consider the associated risks.
The revised risk assessment standard, ISA 315, provides more material to support auditors in assessing risks relating to IT. It also includes prescriptive requirements for auditors.
In applying the revised ISA, auditors will have to gain an understanding of the audited entity’s information-processing activities and identify risks arising from the use of IT. They will also need to understand the entity’s general IT controls, including those addressing risks arising from its use of IT applications and other components in the entity’s IT environment, such as databases, operating systems and networks.
To put it briefly, auditors will need to:
Paragraphs A166-169 of the revised standard explain why the auditor must identify risks arising from the use of IT and general IT controls: understanding those risks and controls may affect the auditor’s:
Before going into further detail and considering ways in which the revised standard has been made more scalable with respect to risks arising from IT, it is worth reminding yourself of some key definitions in ISA 315 relating to IT risks.
IT environment: the IT applications and supporting IT infrastructure, as well as the IT processes and personnel involved in those processes, that an entity uses to support business operations and achieve business strategies.
For the purposes of this ISA:
The table in paragraph 4 of Appendix 5 suggests matters for auditors to consider in obtaining an understanding of the IT environment, and includes examples of typical characteristics of various types of software applications and infrastructure.
Risks arising from the use of IT: susceptibility of information processing controls to ineffective design or operation, or risks to the integrity of information (ie, the completeness, accuracy and validity of transactions and other information) in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes (see IT environment).
The table in paragraph 15 of Appendix 5 may help auditors determine whether an IT application is subject to risks arising from IT.
Information processing controls: controls relating to the processing of information in IT applications or manual information processes in the entity’s information system that directly address risks to the integrity of information (ie, the completeness, accuracy and validity of transactions and other information).
General IT controls: controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information processing controls and the integrity of information (ie, the completeness, accuracy, and validity of information) in the entity’s information system. Also see the definition of IT environment.
Appendix 6 explores the characteristics of general IT controls.
Impact of IT on internal controls
The standard suggests ways in which the auditor can gain an understanding of the impact of IT on elements of the entity’s system of internal control. Inquiries, for example, might be directed towards IT personnel to understand IT-related risks and system changes, or to learn about system or control failures. Depending on the entity’s use of IT and the extent of changes in the IT environment, specialised skills may be required to assist with obtaining the required understanding.
The understanding of the entity’s information system will include understanding how information flows through it, and how the IT environment enables that flow. How well the auditor understands the entity’s business model is also likely to be important – the auditor’s understanding of the business model and how it integrates the use of IT may also provide useful context for the nature and extent of IT expected in the information system. The standard provides an example under A61 which might be helpful – it demonstrates that two seemingly similar businesses might use very different IT systems.
In terms of control activities, the auditor considers controls that address significant risks, controls over journal entries, controls where the auditor may plan to test operating effectiveness, and other controls that the auditor considers appropriate to address risks at the assertion level, noting that a general IT control alone is typically not sufficient to address a risk of material misstatement at the assertion level.
It’s important to remember that for controls that address significant risks, the auditor is required to identify the IT applications and other aspects of the IT environment that are subject to risks arising from the use of IT, identify the related risks and the general IT controls addressing the risks, and evaluate the design and implementation of those controls.
The auditor’s evaluation of the control environment as it relates to the entity’s use of IT may include such matters as whether governance over IT is commensurate with the nature and complexity of the entity and its business operations enabled by IT, and the management organisational structure regarding IT and resources allocated to it.
The auditor also needs to understand the entity’s process to monitor the system of internal control. That system is likely to include controls that monitor how errors or control deficiencies related to the automation of financial reporting are identified and addressed, and controls that monitor the permissions applied in automated information processing controls that enforce the segregation of duties.
Non-complex vs complex IT environments
As mentioned earlier, Appendix 5 of the standard provides considerations for understanding IT, including paragraphs that may be especially helpful in explaining how the audit approach to IT controls may be scalable.
Although the information system of a smaller entity is likely to be less sophisticated than that of a larger entity, and to involve a less complex IT environment, its role is just as important: “Less complex entities with direct management involvement may not need extensive descriptions of accounting procedures, sophisticated accounting records, or written policies. Understanding the relevant aspects of the entity’s information system may therefore require less effort in an audit of a less complex entity, and may involve a greater amount of inquiry than just observation or inspection of documentation”.
The standard notes that the complexity of the IT environment and hence the auditor’s approach to understanding it is likely to be more straightforward where the entity uses an ‘off-the-shelf’ commercial package with little ability to tailor, as opposed to a bespoke package, which is integrated with other systems and where staff at the entity may be actively able to tailor the software – even its source code.
The standard also notes that for these commercial programs, the entities may not have dedicated IT resources, but may have a person assigned in an administrator role for the purpose of granting employee access or installing vendor-provided updates to the IT applications.
For these less-complex situations, there are specific matters that the auditor may consider in understanding the nature of a commercial accounting software package, which may be the single IT application used by a less complex entity in its information system. These matters may include:
Conversely, signs that the entity might have a more complex IT environment may include:
The table in paragraph 4 of Appendix 5, in particular, may help guide auditors in determining the complexity of the IT environment – and whether it is non-complex or complex.
Read the revised standard
All of the material referenced in this article and the other IT-related material in the revised ISA 315 merit careful reading and will support auditors in assessing risks relating to IT. Additional resources to assist with this and other aspects of the revised ISA 315 are available on ICAEW’s website.
Revised ISA 315
The International Standard on Auditing (ISA) 315 (Revised 2019) Identifying and Assessing the Risks of Material Misstatement was published by the International Auditing and Assurance Standards Board in late December 2019; ISA (UK) 315 was revised (with very minimal supplementation) by the Financial Reporting Council (FRC) in July 2020.
These revised ISAs are effective for accounting periods beginning on or after 15 December 2021. In most cases, this means that auditors will be applying the revised ISA 315 for the first time to December 2022 year ends.
About the author
Alex Russell, Head of Audit and Assurance Strategy, ICAEW