With cyberattacks growing in scale and sophistication, no organisation can afford to take cyber security lightly, least of all audit firms, which also carry quality management obligations under ISQM. The sensitive financial and personal data they hold makes them attractive targets, and a breach can have consequences far beyond the firm itself, affecting clients and the financial system as a whole. Regulators are responding by raising the bar for how firms must evaluate and address cyber risk. As we mentioned in our blog ‘Why UK Audit Firms Must Assess Their Clients’ Cyber Security Postures’, the regulatory requirements placed on auditors in relation to their clients’ cyber security are increasing, with ISA 315 being a core consideration.
ISA 315: The Standard That Puts IT and Cyber Risk Centre Stage
The International Standard on Auditing (UK) 315 (ISA 315), “Identifying and Assessing the Risks of Material Misstatement,” was revised by the Financial Reporting Council (FRC) and became effective for audits of financial statements for periods beginning on or after 15 December 2021. The revised standard recognises that IT and cyber risks are now fundamental to the audit process.
Key Requirements of ISA 315 Relating to Cyber Security
- Understanding the IT Environment: Auditors must obtain an understanding of the entity’s information system and IT environment: how information flows, how transactions are initiated, recorded, processed and reported, and which IT applications, infrastructure, processes and personnel support them.
- Identifying IT-Related Risks: The standard requires auditors to identify and assess risks arising from the use of IT, including cyber security threats that could lead to material misstatements in the financial statements.
- Evaluating IT Controls: Auditors must evaluate the design and determine the implementation of general IT controls, such as access management (user authentication and privileged access), change management and security configuration. Weaknesses in these controls increase the risk that fraud or error goes undetected in the financial statements.
- Scalability and More Prescriptive Requirements: The revised standard adds application material and explicitly scalable requirements, making it clear that IT and cyber risks must be considered on every audit, scaled to the size and complexity of the client rather than skipped for smaller entities.
What Does This Mean for Audit Firms?
- Cyber Risk Is Now a Core Audit Risk: Auditors can no longer treat cyber security as a peripheral issue. It must be integrated into the risk assessment and audit planning process.
- Increased Documentation and Evidence: The revised ISA 315 requires more robust documentation of the auditor’s understanding of IT systems and related risks, as well as the procedures performed to address them.
- Professional Scepticism: Auditors are expected to apply professional scepticism when evaluating management’s assertions about cyber security controls and incident response capabilities.
- Continuous Learning: Given the evolving nature of cyber threats, audit teams must stay up to date with the latest developments in cyber security and IT risk management.
Practical Steps for Audit Firms
- Invest in Training: Ensure audit teams are trained to understand IT environments and cyber risks. We can provide a list of the top 10 things to look out for.
- Update Methodologies: Revise audit methodologies to align with the requirements of ISA 315, including enhanced procedures for IT and cyber risk assessment.
- Leverage External Guidance: Use frameworks from the NCSC, NIST, FRC, and industry bodies to benchmark client controls.
- Engage IT Specialists: For most audits, consider involving IT and cyber security specialists to support risk assessment and control testing. General audit staff are not trained cyber specialists, and it is very difficult for them to cover the appropriate ground on their own.
Conclusion
Cyber security is no longer just an IT issue; it’s a core audit risk that must be addressed under ISA 315. By embedding cyber risk into your audit approach, you’ll not only comply with regulatory expectations but also help protect your firm, your clients, and the integrity of the financial system.
Please reach out for more information
Written by Daniel Teacher, CEO, T-Tech
