internal audit Archives

ISA 315 (revised) and Data Analytics: Risk assessment procedures reimagined

The revised standard has been published as of December 2020, and you might be wondering what impact it has on your firm’s risk assessment procedures and how you can address the requirements. There are many useful sources of information on the changes, notably the IAASB’s Introduction to ISA 315. IFAC also published a helpful flowchart for ISA 315 during the work programme, which walks through the various steps required to assess risk of material misstatement.

There are a number of improvements to the standard, including an enhanced focus on controls (particularly IT controls), stronger requirements on exercising professional scepticism and documentation, and considerations around the use of data analytics for risk assessment. The new standard comes into effect from 15th December 2021, so now is the time to start planning how you will address the changes in your audit. Below we discuss some key considerations on how analytics can support a strong risk assessment.

Credit: https://www.ifac.org/system/files/publications/files/IAASB-Introduction-to-ISA-315.pdf

So how can data analytics support your risk assessment according to ISA 315? The areas identified above in red show the different procedures that can be supported by the use of these techniques. A key element of the revised standard is that this should be an iterative process conducted throughout the audit. This means using data analytics tools that can be easily refreshed with the latest information will better support this requirement than more traditional approaches.

Identifying risks of material misstatement at the financial statement level

Data analytics can support the risk assessment procedures laid out in ISA 315 by analysing previous and current accounting data to the financial statement level. This allows the auditor to see the material balances in the accounts, and if machine learning is applied, where the concentration of risky transactions lies. This is where the knowledge gained in the blue boxes above can be brought to bear. Comparing understanding gained through observation to the data is a powerful way to sense check and identify areas for further investigation.

Identifying risks of material misstatement at the assertion level

Specific analyses can target assertion risks and show where there are particular problems with an assertion. To do so effectively, several different analytics tests can be applied and combined to develop a good indicator of an assertion risk, for example accuracy. These can then be applied in an automatic way to give the auditor the information needed for their risk assessment.

Determine significant classes of transactions, account balances or disclosures (COTABD)

Combining assertion analytics with the ability to profile similar transactions can help auditors identify significant classes of transactions or balances. Analytics can help to produce similarity scores, but also to identify sets of transactions that are unusual. This can indicate previously unknown business processes that may require a separate assessment of their control environment.

Assess inherent risk by assessing likelihood and magnitude

Following identification of risk, the audit can guide their assessment by understanding the level of unusualness. Data analytics can provide finer grain evaluations of risk rather than simply risky or not. This can help support assessments aligned with the spectrum of inherent risk as defined in the standard.

Assess control risk

Data analytics such as process mining or automated testing of segregation of duties can help to inform or test control risk. These analytics can provide more comfort around the controls risk assessment and help to identify deviations in the control environment that require further examination.

Material but not significant COTABD

Where COTABD has been determined as material but not significant, recurring analytics can ensure that this assessment remains valid. Anomaly detection methods can be particularly helpful here, allowing the auditor to regularly check that nothing unusual has occurred since the initial assessment was undertaken.

Next Steps: ISA 315 and Data Analytics

Audit methodologies will need to reflect the revised workflow, with particular emphasis on the iterative nature of the risk assessment and ensuring that auditors are prompted to exercise professional scepticism and document it at every stage. Data analytics can help to ensure that the information used to continuously conduct risk assessment is timely, appropriate and relevant.

These improvements to the standard will result in a stronger audit approach and an advancement towards industry adaption data and analytics technologies. With AI audit software, accountants and auditors can gain deeper insights into their client’s financial data, in less time. Overall, the audit software can increase the efficiency of their processes, so they can focus on delivering better results, in time for the ISA 315 (revised) December 15th, 2021 deadline.

Want to learn more about how auditors are using AI?

Artificial intelligence (AI) and machine learning (ML) technologies can streamline traditional audit procedures for Accounts Receivable (AR) and Accounts Payable (AP) in audits of financial statements.

This blog will consider applications of AI and ML technologies using the MindBridge platform for both substantive analytical procedures as well as detailed testing of specific items.

What does the MindBridge platform do?

MindBridge Ai Auditor, in addition to core general ledger analysis, includes dedicated AR and AP modules that automatically analyze subledger data and, without any scripting, provide high-value visualizations and transaction-level analysis of data.

These capabilities allow you to leverage subledger-level insights and anomalies as critical inputs to your audit procedures and identify risks of material misstatement.

How MindBridge empowers you to perform effective and substantive analytical procedures for AR and AP

Substantive analytical procedures can be a powerful complement to traditional sampling and external confirmations. That is, provided that the auditor is comfortable with the internal controls in place regarding purchasing and sales cycles and has validated the accuracy and completeness of the subledger data.

Trends and patterns

Ai Auditor allows you to visualize how monthly AR and AP balances or net monthly activity track over multiple years at customer vendor levels, and in aggregate. Consistent patterns in these trends in the face of consistent sales and purchasing patterns (respectively) may provide audit evidence that subledger information is not materially misstated.

Vendors and customers related to the entity subject to audit are flagged directly in the summary detail as well.

Key performance indicators

Days Outstanding and Turnover Ratios are calculated at the customer and vendor level and are visualized on a monthly basis, allowing you to identify where there are periods of potential distress or deteriorating quality (e.g. is the volume of cash receipts slowing?). Similar to ending balances and activity, you are also able to compare certain customers or vendors against each other along the lines of these metrics to expose patterns of interest.

Aging

Aging at the customer and vendor level is automatically calculated and captured across respective buckets of days outstanding (0-30 days, 31-60 days, etc.). Consistent breakdown in the relative proportion of these aging buckets across multiple years of subledgers may provide audit evidence that subledger information is not materially misstated at the balance sheet date.

For certain entries that are significantly aged or stale, you’re able to drill-in to all the transactions with a particular customer or vendor and ascertain which invoice(s) are contributing to those totals and whether they could be at risk of bad debt.

How MindBridge streamlines detailed testing of AR & AP subledger data

Navigating and querying transactional level data via the Data Table in Ai Auditor is a powerful and effective way to explore and validate subledger activity.

Control Points, which are various statistical, rules-based, and machine learning tests, are run against every transaction. The results are summarized on a dashboard that supports interactions like filtering and drill-through.

Combining the query building capabilities of the Data Table with Control Point tests, you can efficiently identify relevant populations for sampling and have selections for external confirmation requests or alternative procedures testing (like subsequent receipts, for example) automatically identified on a risk-stratified basis. These selections can then be exported to Excel in one click to populate confirmation requests and/or to be included in supporting documentation.

The results of the transactional risk analysis may also be of particular interest to large entities and small businesses alike to provide insight into where there may be process improvements or gaps to consider in internal controls.

Take the first step towards AI-driven audit procedures on the AR and AP subledgers

To learn more, contact sales@mindbridge.ai.

How anomaly detection helps you stay on top of changing data tides

What Is anomaly detection, and why is it important?

ISA 315 revised: What it means for risk assessment procedures, and data analytics