Most organisations could not now operate without the digital information systems on which we have all – professionally and personally – become so dependent. Audited entities are no exception: they rely on information technology (IT) to process and maintain data that underlies financial reporting processes and financial statements, and management relies on the associated controls over financial reporting and reports to perform functions that are relevant to the audit. It follows that the auditor must consider the associated risks.
The revised risk assessment standard, ISA 315, provides more material to support auditors in assessing risks relating to IT. It also includes prescriptive requirements for auditors.
In applying the revised ISA, auditors will have to gain an understanding of the audited entity’s information-processing activities and identify risks arising from the use of IT. They will also need to understand the entity’s general IT controls, including those addressing risks arising from its use of IT applications and other components in the entity’s IT environment, such as databases, operating systems and networks.
To put it briefly, auditors will need to:
- identify all relevant IT applications;
- understand what they do and how they operate;
- understand the general IT environment in which the entity operates;
- identify and assess related risks and general IT controls that address such risks; and
- devise appropriate responses.
Paragraphs A166-169 of the revised standard describe the reasons why the auditor must identify risks arising from the use of IT and general IT controls. This is because understanding those risks and controls may affect the auditor’s:
- decision about whether to test the operating effectiveness of controls to address risks of material misstatement at the assertion level;
- assessment of control risk at the assertion level;
- strategy for testing information prepared by the entity that is produced by or involves information from the entity’s IT applications;
- assessment of inherent risk at the assertion level; and
- design of further audit procedures.
Before going into further detail and considering ways in which the revised standard has been made more scalable with respect to risks arising from IT, it is worth reminding yourself of some key definitions in ISA 315 relating to IT risks.
IT environment: the IT applications and supporting IT infrastructure, as well as the IT processes and personnel involved in those processes, that an entity uses to support business operations and achieve business strategies.
For the purposes of this ISA:
- An IT application is a program or a set of programs that is used in the initiation, processing, recording and reporting of transactions or information. IT applications include data warehouses and report writers.
- The IT infrastructure comprises the network, operating systems, and databases and their related hardware and software.
- The IT processes are the entity’s processes to manage access to the IT environment, manage program changes or changes to the IT environment, and manage IT operations.
The table in paragraph 4 of Appendix 5 suggests matters for auditors to consider in obtaining an understanding of the IT environment, and includes examples of typical characteristics of various types of software applications and infrastructure.
Risks arising from the use of IT: susceptibility of information processing controls to ineffective design or operation, or risks to the integrity of information (ie, the completeness, accuracy and validity of transactions and other information) in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes (see IT environment).
The table in paragraph 15 of Appendix 5 may help auditors determine whether an IT application is subject to risks arising from IT.
Information processing controls: controls relating to the processing of information in IT applications or manual information processes in the entity’s information system that directly address risks to the integrity of information (ie, the completeness, accuracy and validity of transactions and other information).
General IT controls: controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information processing controls and the integrity of information (ie, the completeness, accuracy, and validity of information) in the entity’s information system. Also see the definition of IT environment.
Appendix 6 explores the characteristics of general IT controls.
Impact of IT on internal controls
The standard suggests ways in which the auditor can gain an understanding of the impact of IT on elements of the entity’s system of internal control. Inquiries, for example, might be directed towards IT personnel to understand IT-related risks and system changes, or to learn about system or control failures. Depending on the entity’s use of IT and the extent of changes in the IT environment, specialised skills may be required to assist with obtaining the required understanding.
The understanding of the entity’s information system will include understanding how information flows through it, and how the IT environment allows that flow. How well the auditor understands the entity’s business model is also likely to be important – the auditor’s understanding of the business model and how it integrates the use of IT may also provide useful context to the nature and extent of IT expected in the information system. The standard provides an example under A61 which might be helpful – it demonstrates that two seemingly similar businesses might use very different IT systems.
In terms of control activities, the auditor considers controls that address significant risks, controls over journal entries, controls where the auditor may plan to test operating effectiveness, and other controls that the auditor considers appropriate to address risks at the assertion level, noting that a general IT control alone is typically not sufficient to address a risk of material misstatement at the assertion level.
It’s important to remember that for controls that address significant risks, the auditor is required to identify the IT applications and other aspects of the IT environment that are subject to risks arising from the use of IT, identify the related risks and the general IT controls addressing the risks, and evaluate the design and implementation of those controls.
The auditor’s evaluation of the control environment as it relates to the entity’s use of IT may include such matters as whether governance over IT is commensurate with the nature and complexity of the entity and its business operations enabled by IT, and the management organisational structure regarding IT and resources allocated to it.
The auditor also needs to understand the entity’s process to monitor the system of internal control. That monitoring process is likely to include controls over how errors or control deficiencies related to the automation of financial reporting are identified and addressed, and controls that monitor the permissions applied in automated information processing controls that enforce the segregation of duties.
Non-complex vs complex IT environments
As mentioned earlier, Appendix 5 of the standard provides considerations for understanding IT, including paragraphs that may be especially helpful in explaining how the audit approach to IT controls may be scalable.
Although the information system of a smaller entity is likely to be less sophisticated than that of a larger entity, and to involve a less complex IT environment, its role is just as important: “Less complex entities with direct management involvement may not need extensive descriptions of accounting procedures, sophisticated accounting records, or written policies. Understanding the relevant aspects of the entity’s information system may therefore require less effort in an audit of a less complex entity, and may involve a greater amount of inquiry than just observation or inspection of documentation”.
The standard notes that the complexity of the IT environment and hence the auditor’s approach to understanding it is likely to be more straightforward where the entity uses an ‘off-the-shelf’ commercial package with little ability to tailor, as opposed to a bespoke package, which is integrated with other systems and where staff at the entity may be actively able to tailor the software – even its source code.
The standard also notes that for these commercial programs, the entities may not have dedicated IT resources, but may have a person assigned in an administrator role for the purpose of granting employee access or installing vendor-provided updates to the IT applications.
For these less-complex situations, there are specific matters that the auditor may consider in understanding the nature of a commercial accounting software package, which may be the single IT application used by a less complex entity in its information system. These matters may include:
- the extent to which the software is well established and has a reputation for reliability;
- the extent to which it is possible for the entity to modify the source code of the software to include add-ons to the base software, or to make direct changes to data;
- if, instead, an entity is not able to modify the source code of the software, many software packages still allow for configuration (eg, amending reporting parameters). The auditor may consider the extent to which the entity is able to configure the software when considering the completeness and accuracy of information produced by the software that is used as audit evidence; and
- the extent to which data related to the preparation of the financial statements can be directly accessed (ie, direct access to the database without using the IT application) and the volume of data processed. The greater the volume of data, the more likely that the entity may need controls that address maintaining the integrity of the data, which may include general IT controls over unauthorised access and changes to the data.
Conversely, signs that the entity might have a more complex IT environment may include:
- highly customised or highly integrated IT applications, which may require more effort to understand;
- multiple legacy IT systems that are not well integrated;
- financial reporting processes or IT applications that are integrated with other IT applications;
- dedicated IT departments with structured IT processes, supported by personnel who have software development and IT environment maintenance skills; and
- the use of internal or external service providers to manage certain aspects of, or IT processes within, the IT environment (eg, third-party hosting).
The table in paragraph 4 of Appendix 5, in particular, may help auditors determine whether the entity’s IT environment is non-complex or complex.
Read the revised standard
All of the material referenced in this article and the other IT-related material in the revised ISA 315 merit careful reading and will support auditors in assessing risks relating to IT. Additional resources to assist with this and other aspects of the revised ISA 315 are available on ICAEW’s website.
Revised ISA 315
The International Standard on Auditing (ISA) 315 (Revised 2019) Identifying and Assessing the Risks of Material Misstatement was published by the International Auditing and Assurance Standards Board in late December 2019; ISA (UK) 315 was revised (with very minimal supplementation) by the Financial Reporting Council (FRC) in July 2020.
These revised ISAs are effective for accounting periods beginning on or after 15 December 2021. In most cases, this means that auditors will be applying the revised ISA 315 for the first time to December 2022 year ends.
About the author
Alex Russell, Head of Audit and Assurance Strategy, ICAEW