ICAEW.com works better with JavaScript enabled.
Exclusive

audit & beyond

Identifying and addressing risks of material misstatement

Author: Andrew Paul

Published: 08 Sep 2023

Exclusive content
Access to our exclusive resources is for specific groups of students, subscribers, users and members.
piggy bank saw middle circle hole orange ICAEW Audit & Beyond reviewing risk

Andrew Paul considers key elements of the revised ISA (UK) 315 and how they relate to the fast-changing business landscape.

Firms and their auditors devote significant resources to preparing for a new or revised International Standard on Auditing (ISA), but putting theory into practice can also offer valuable learnings. 

After a period of live audit engagements, with December 2023 year-ends approaching, now may be a good time to revisit some of the key elements in the International ISA (UK) 315 (Revised July 2020) Identifying and Addressing the Risks of Material Misstatement and consider how these relate to the business landscape.

There are some important areas where risk assessment and audit approaches should have changed to reflect the revisions. Furthermore, the current economic environment could well drive the need to layer even more changes on to the approaches taken in previous years. 

As emerging technologies such as generative artificial intelligence (AI) tools and techniques make their way into more information systems relevant to the financial statements, potential risks may be a consideration for some auditors. 

But let’s begin with the aspects of information technology (IT) that are going to be central for most auditors: general IT controls (GITCs).

GITCs

The revised risk standard has much to say on GITCs and I strongly encourage those who have not already read the guidance in appendices 5 and 6 (on considerations for understanding IT and GITCs) to do so.

Awareness of GITCs needs to be much more robust than simply a note on the audit file that states: “The client uses [insert name of off-the-shelf bookkeeping package].” 

Auditing around the ‘IT box’ is not an option anymore. Audit teams need to understand the strategic role IT plays in every aspect of the business, particularly the financial information system. 

ChatGPT and other tools driven by generative AI have hit the headlines during 2023 and shown the transformative power that such technology can have on businesses. A recent statement from US regulator the Public Company Accounting Oversight Board (PCAOB) on Algorithms, Audits and the Auditor highlights some considerations and concerns. 

Auditing around the ‘IT box’ is not an option anymore

ISA (UK) 315 specifically states that auditors need to maintain their awareness of how emerging technologies may be used by their clients and the impact they may have on the audit approach.

So, for 2023 (and 2024) assignments, do not just roll forward previous systems notes. Include as much up-stream detail as possible on GITCs in the systems notes and be sure to discuss the implementation and use of new technologies with management.

Inherent risk factors

The introduction of the more explicit inherent risk factors seems to have been generally well received. With more guidance in the standard on why something is a risk – using the building blocks of subjectivity, complexity, uncertainty, change and susceptibility to misstatement due to fraud or management bias – audit teams better understand why certain risk response work is required, and where to focus their attention.

The introduction of the more explicit inherent risk factors seems to have been generally well received

2023 has been a year of uncertainties, as businesses navigate economic slow-downs, interest rate rises, inflationary pressures and changing consumer attitudes. 

The fact that the revised ISA (UK) 315 specifically mentions uncertainty as part of the inherent risk assessment is very helpful and, along with the other factors, gives much more focus to teams whilst planning an assignment. Risk documentation should be linked to those key phrases and articulate what is driving the risk.

Spectrum of inherent risk

Possibly the most discussed element of the ISA (UK) 315 revisions is the principle of inherent risk being a spectrum. Moving audit teams away from the siloed thinking of low, medium, and high risk has to be a good thing. We all know there is nuance to risk in all aspects of life, so why should audit be any different?

The revision again feels extremely timely as, in the current uncertain environment, the issues affecting businesses are many and varied and the ability to be more discerning in a risk assessment is entirely appropriate.

We all know there is nuance to risk in all aspects of life, so why should audit be any different?

In an age where almost anything can be bespoke, from dog food to digital experiences, the audit risk assessment and response should also be bespoke and able to deal with issues in a tailored, focused manner.

Audit documentation should be clear on the likelihood and magnitude of the risk and where it sits on the spectrum. Also, remember to consider significant risks at the upper end of the spectrum and those matters which are always considered significant, such as fraud and management override of controls.

The stand back requirement

The final area I will mention is the need for auditors to ‘stand back’ and evaluate the overall audit evidence obtained. Recent revisions to various ISAs (UK) have included specific requirements in this area, including ISA (UK) 315 (paragraph 36). This is a brilliant innovation, where having carried out the task at hand, the auditor is required to take a step back and look at the bigger picture, to see their work in context. 

Again, this is something that happens all the time in other areas of life and often flags something amiss. It is so easy to get caught up in the detail that we don’t always see the wider context. The specific wording in the standard around corroborative and contradictory evidence is most helpful.

In the current environment, taking that step back is more important than ever. Things are moving so fast that something which looked bad weeks or even days ago could now be considered good, and vice versa.

So again, it is vital that the auditor follows the requirement to stand back, think about the whole picture, consider what may have happened since they started that risk assessment, consider if it is still appropriate – and demonstrate that this has been done.

It is not enough to simply do the required stand back, this procedure needs to be clearly documented. As with all audit matters, simply ticking a box to say you have stood back is not going to impress an audit quality reviewer.

Andrew Paul, Audit Software and Technical Manager, Baker Tilly International


Further reading

ICAEW resources that may assist auditors with these and other key changes in the revised ISA 315 include:

ISA 315, the entity’s IT systems and related risks (highlighting the scalability of the standard and additional support material it provides on IT-related risks)

ISA 315 – Intelligent Auditing, Robust Assurance (an on- demand faculty webinar sharing some practical insights into how to apply the revised)

Risk assessments in 2023 (assessing risks faced by firms and entities they audit)

Sample sizes and caps: how much is enough? (including tips on embracing ISA 315 and ISA 530)

Revised ISA 315 for 2022 audits (a guide to the revised requirements and implications for smaller ISA audits)

Diverse thinking at the heart of NAO’s award-winning audit training (and its approach to training for the revised ISA 315) 

IT in management forecasting – a deep dive for auditors (including sections on software such as enterprise resource planning systems and spreadsheets)

Audit technology – a new era (introducing the faculty’s audit and technology hub) 

Open AddCPD icon

Add Verified CPD Activity

Introducing AddCPD, a new way to record your CPD activities!

Log in to start using the AddCPD tool. Available only to ICAEW members.

Add this page to your CPD activity

Step 1 of 3
Download recorded
Download not recorded

Please download the related document if you wish to add this activity to your record

What time are you claiming for this activity?
Mandatory fields

Add this page to your CPD activity

Step 2 of 3
Mandatory field

Add activity to my record

Step 3 of 3
Mandatory field

Activity added

An error has occurred
Please try again

If the problem persists please contact our helpline on +44 (0)1908 248 250