Firms and their auditors devote significant resources to preparing for a new or revised International Standard on Auditing (ISA), but putting theory into practice can also offer valuable learnings. 

After a period of live audit engagements, with December 2023 year-ends approaching, now may be a good time to revisit some of the key elements in the International ISA (UK) 315 (Revised July 2020) Identifying and Addressing the Risks of Material Misstatement and consider how these relate to the business landscape.

There are some important areas where risk assessment and audit approaches should have changed to reflect the revisions. Furthermore, the current economic environment could well drive the need to layer even more changes on to the approaches taken in previous years. 

As emerging technologies such as generative artificial intelligence (AI) tools and techniques make their way into more information systems relevant to the financial statements, potential risks may be a consideration for some auditors. 

But let’s begin with the aspects of information technology (IT) that are going to be central for most auditors: general IT controls (GITCs).

GITCs

The revised risk standard has much to say on GITCs and I strongly encourage those who have not already read the guidance in appendices 5 and 6 (on considerations for understanding IT and GITCs) to do so.

Awareness of GITCs needs to be much more robust than simply a note on the audit file that states: “The client uses [insert name of off-the-shelf bookkeeping package].” 

Auditing around the ‘IT box’ is not an option anymore. Audit teams need to understand the strategic role IT plays in every aspect of the business, particularly the financial information system. 

ChatGPT and other tools driven by generative AI have hit the headlines during 2023 and shown the transformative power that such technology can have on businesses. A recent statement from US regulator the Public Company Accounting Oversight Board (PCAOB) on Algorithms, Audits and the Auditor highlights some considerations and concerns. 

ISA (UK) 315 specifically states that auditors need to maintain their awareness of how emerging technologies may be used by their clients and the impact they may have on the audit approach.

So, for 2023 (and 2024) assignments, do not just roll forward previous systems notes. Include as much up-stream detail as possible on GITCs in the systems notes and be sure to discuss the implementation and use of new technologies with management.

Inherent risk factors

The introduction of the more explicit inherent risk factors seems to have been generally well received. With more guidance in the standard on why something is a risk – using the building blocks of subjectivity, complexity, uncertainty, change and susceptibility to misstatement due to fraud or management bias – audit teams better understand why certain risk response work is required, and where to focus their attention.

2023 has been a year of uncertainties, as businesses navigate economic slow-downs, interest rate rises, inflationary pressures and changing consumer attitudes. 

The fact that the revised ISA (UK) 315 specifically mentions uncertainty as part of the inherent risk assessment is very helpful and, along with the other factors, gives much more focus to teams whilst planning an assignment. Risk documentation should be linked to those key phrases and articulate what is driving the risk.

Spectrum of inherent risk

Possibly the most discussed element of the ISA (UK) 315 revisions is the principle of inherent risk being a spectrum. Moving audit teams away from the siloed thinking of low, medium, and high risk has to be a good thing. We all know there is nuance to risk in all aspects of life, so why should audit be any different?

The revision again feels extremely timely as, in the current uncertain environment, the issues affecting businesses are many and varied and the ability to be more discerning in a risk assessment is entirely appropriate.

In an age where almost anything can be bespoke, from dog food to digital experiences, the audit risk assessment and response should also be bespoke and able to deal with issues in a tailored, focused manner.

Audit documentation should be clear on the likelihood and magnitude of the risk and where it sits on the spectrum. Also, remember to consider significant risks at the upper end of the spectrum and those matters which are always considered significant, such as fraud and management override of controls.

The stand back requirement

The final area I will mention is the need for auditors to ‘stand back’ and evaluate the overall audit evidence obtained. Recent revisions to various ISAs (UK) have included specific requirements in this area, including ISA (UK) 315 (paragraph 36). This is a brilliant innovation, where having carried out the task at hand, the auditor is required to take a step back and look at the bigger picture, to see their work in context. 

Again, this is something that happens all the time in other areas of life and often flags something amiss. It is so easy to get caught up in the detail that we don’t always see the wider context. The specific wording in the standard around corroborative and contradictory evidence is most helpful.

In the current environment, taking that step back is more important than ever. Things are moving so fast that something which looked bad weeks or even days ago could now be considered good, and vice versa.

So again, it is vital that the auditor follows the requirement to stand back, think about the whole picture, consider what may have happened since they started that risk assessment, consider if it is still appropriate – and demonstrate that this has been done.

It is not enough to simply do the required stand back, this procedure needs to be clearly documented. As with all audit matters, simply ticking a box to say you have stood back is not going to impress an audit quality reviewer.

Andrew Paul, Audit Software and Technical Manager, Baker Tilly International