Written by Shayne Huneault, CPA from Marcil Lavallée
To cope with the recent pandemic, many companies were forced to drastically change their business models and adopt a virtual management approach. Automated bank transfers replaced cheques, face-to-face meetings yielded to Zoom, and a growing number of companies began using and developing integrated software and applications to manage financial transactions remotely.
And although this change offers many opportunities for SMEs, it is nevertheless a major challenge for auditors. To support an audit opinion, it is essential to have a clear understanding of the companies’ environment, and the key controls they have in place. For the average CPA, it is much easier to see whether a cheque is legitimate by looking at the signatures it bears than it is to analyze a string of code from an automated bank transfer application. Auditing the use of automated controls can quickly turn into a real headache, especially since most auditors are not IT specialists.
In light of all this, the Auditing and Assurance Standards Board recently amended CAS 315 – Identifying and Assessing the Risks of Material Misstatement in the CPA Canada Handbook. The changes to the standard, which will be effective for audits of financial statements for periods beginning on or after December 15, 2021, cover various aspects of audit planning and clarify requirements for assessing the IT environment and risks arising from the use of IT.
Risks arising from the use of IT – what are the requirements?
Although the previous standard briefly touched on IT risks, the new revised CAS 315 clarifies and heightens the requirements in terms of work and documentation, some of which are listed below:
- The revised CAS now requires auditors to carry out procedures evaluating the relevance and significance of information technology use within the entity. In performing their assessment, auditors must consider, among other things, the automated controls that some applications may have in place and the use of reports automatically generated by these same applications;
- The revised CAS requires auditors to identify computer applications or any other aspect of the IT environment that may present vulnerabilities, in order to assess the risks related to their use for financial data;
- When risks are identified, the revised CAS requires auditors to assess both these risks and the controls in place within the entity that aim to address these risks;
- The revised CAS also requires auditors to determine during the audit whether there are any categories of transactions that, because they are automated, can only be tested using a control approach.
What impact will this have on your audit files?
The AASB added an important concept to the revised CAS 315: adaptability. The standard mentions that auditors can and should adapt these procedures according to the level of complexity of the entity being audited. In other words, the amount of work involved in assessing IT risks will be limited for small entities with minimal use of such technology. Conversely, assessing the IT environment is going to be an important concern for auditors of large entities that are developing their own systems and those in which automation of operations is becoming increasingly common. In such cases, auditors will have to increase their level of work and the amount of documentation on file when assessing the audited client’s IT structure, the identified risks, and the IT controls in place that have to be tested. This may mean adding questionnaires and programs to this effect to the work files, as well as using new analysis tools to evaluate how well automated controls are working.
The development of new technologies and their ever- increasing accessibility for businesses, both small and large, will no doubt reshape our old ways of working. Auditors will find it increasingly important to develop and use tools to properly test various IT controls. For firms to be able to perform high-quality audits, hiring IT specialists is likely to become commonplace. Even though this phenomenon forces auditors to adapt to a new environment, it also introduces new opportunities. The race to develop new automated audit approaches is heating up, and some firms may come away with a major competitive edge.