The revised ISA 315, Identifying and Assessing the Risk of Material Misstatement, beefed up the expectation on auditors to look not just at the numbers, but also at the IT systems that generate those numbers.
“It’s hard to separate the systems from the numbers generated by the system,” says ICAEW’s Head of Data Analytics and Tech, Ian Pay. “The revised ISA 315 puts more emphasis on the auditor having a thorough understanding of the company’s IT environment, and also understanding the bearing of that IT environment on the financial audit.”
With the level of tech audit rigour on the rise, relevant tech systems are getting more attention in the course of the financial audit, particularly when auditors want to rely on IT automated business controls.
ICAEW’s Head of Tech Policy, Esther Mallowah, says that auditors should start by simply asking about any major changes in the IT environment. “Is there a new relevant tech system or has one been implemented in the audit period; did it involve a data migration; what are the controls around the new system; how have they been tested; and have there been any key staff changes?”
Answers to these questions help the auditor identify risk areas and focus their work. As so much of a business’s activities relies on its IT systems, the relevant controls have to be tested thoroughly.
The financial audit itself
Marc Bena is Partner, Digital Audit Leader and Audit CTO at PwC. As a tech audit leader, there are two angles to his work. One is auditing clients’ tech systems; the other is using tech to deliver the financial audit itself. “We have an obligation to understand how our clients use systems and the overall systems environment so that we can understand how the numbers are generated out of the different systems.”
When the audit team reviews a client’s tech systems, Bena says, it looks to make sure the information coming out of those systems is complete and accurate, and “that nobody could have changed that information – we look at information security”.
Change control is vital. “We must make sure that no unapproved person can make changes to the system or the data,” he says. “If we conclude that we cannot rely on the systems, we might need to do extra manual procedures.”
Any insufficiency of controls is reported to management and, where this is a significant deficiency, to those charged with governance, which is typically the audit committee.
“We also document any change in the audit approach we are taking – this might be an increase in the sample or we might decide to use data analytics,” says Bena. “As financial auditors, we have different ways of obtaining the evidence we need to be sure the numbers are accurate. So we will adapt our audit approach to mitigate identified IT risks.”
As tech systems become more sophisticated, the onus is on the audit firm to make sure its people are trained on the different systems used by clients.
“In some sectors where systems are complex, like banking, or where there are bespoke systems in place, we may need to go into the code itself. Once we have confidence around systems security, we will look at the actual activities performed by the system, be it producing reports, producing a calculation of revenue (quantity times price) or any other calculation,” he says.
Technology as an audit tool
Just as technology is vital to clients’ record-keeping and calculations, so too is it vital in the performance and quality of the audit itself, usually in the guise of complex data analytics. “What used to take three weeks of programming 20 years ago now takes five minutes.”
PwC has equipped its staff with a data analytics tool called Alteryx, which can be used to upgrade complex reperformance calculations and analysis of data quality. “Auditors use this type of tech to create specific audit procedures,” says Bena.
His team calls this ‘citizen-led technology’ and ‘citizen-led automation’. “We’ve provided all our people with the tools to extract data, analyse it and reperform it,” he says. “We also use DataSnipper which scans any invoice, for example, and grabs all the balances and dates. It’s an intelligent tool that can read a document, inspect it and facilitate the work for the auditor.”
In Bena’s team, there are 120 data analytics experts fully dedicated to audit. For example, in the retail sector, consumers can pay by cash, cards or voucher, which makes it easy to match revenue with one of the payment methods. “For us to audit the revenue numbers, instead of picking a sample of small receipts, we match all of the revenue to all of the different types of payment which helps us prove pretty much 100% of the revenue,” he says.
This means that, if there are security flaws in the client’s tech systems, it’s not hugely consequential for the audit because all the revenue transactions are reconciled. “We've connected hundreds of clients to our systems so we can do that sort of matching.”
No escaping AI
Now generative artificial intelligence (AI) is being used to help draft information, produce transcripts and undertake repetitive administrative tasks. “What’s critical for us as auditors is that information must be correct. Because generative AI can hallucinate, we need to have humans – experts – in the loop to review any information that is produced using generative AI,” says Bena.
So what does it mean for the auditor when clients start using large language models in their business processes? “We’re going to have to audit those models in the same way that we audit automation in SAP, for example,” says Bena.
“Today, to audit revenue, we go into the code and check that the code is finding the price from the right table and then we check that it is finding the quantity from the right table. We will evolve our procedures and technology to be in a position to audit AI-generated information in the same way.”
PwC uses the Responsible AI toolkit to help clients implement a responsible AI framework using secure models trained on unbiased data.
Tech auditing is becoming increasingly commonplace and will continue to do so as the business environment becomes increasingly automated. Humans, however, will always be in the loop.