By Karlien Dempsey and Ben Marx
Information technology is an integral component of most organisations’ business operations, with individuals and societies placing ever-increased reliance thereon. IT brings with it significant benefits but also significant risks which impact directly on how entities conduct business.
The rapid evolution of the IT landscape, coupled with the Fourth Industrial Revolution, creates a new dimension for entities, bringing opportunities as well as challenges and risks. Recent data breaches and hackings have highlighted the importance of IT and IT risk for an organisation and its auditors. Examples of such hackings include the Gupta leaks and the June 2018 Liberty hacking of data stored on a compromised email server.
IT risk can be defined in many ways, but in its simplest form is the possibility that an event or occurrence will have an adverse impact on the gathering, processing and storing of an entity’s information. IT and IT risks are embedded in entities and if not correctly managed, can have dire consequences. It is therefore of the utmost importance that IT risks be mitigated to an acceptable level, in line with the entity’s risk appetite. Accordingly, IT governance should form a critical part of the overall governance of organisations. Businesses thus need to implement IT governance frameworks not only to maximise the benefits of IT but also to mitigate the associated risk.
As IT risk and IT governance are an integral part of all organisations, it is imperative that their impact be thoroughly understood and communicated to stakeholders through the organisations’ reporting. Accordingly, it could be reasonably expected that IT governance, IT risk, and the mitigation of that risk would be disclosed in organisations’ integrated reports.
The modern-day IT environment and the advent of the Fourth Industrial Revolution also directly impact the external audit of entities’ financial statements, and ultimately the audit report itself. As such it could also be reasonably expected to find IT-related issues reported by auditors as key audit matters (KAM).
The audit report is the primary communication tool used by auditors to communicate their opinion to users of financial statements. The audit report format prior to 2016 had certain shortcomings that prevented the document from being fully understood by readers. The previous format also made it difficult to communicate audit findings clearly and in a straightforward and unbiased manner. These shortcomings included the audit expectation gap, limited information contained in the report, and the use of standardised, non-entity-specific language. The new audit report format was issued by the IAASB in January 2015. It aims to eliminate the audit expectation gap and increase the usefulness and understanding of the reports. The main changes that are intended to reduce the shortcomings of the previous format are: the conclusion and basis for conclusion are presented first in the audit report; the basis for the conclusion describes why the fail or pass opinion was issued; and KAMs are included to convey the auditor’s viewpoint on significant aspects in the audit of financial statements.
KAMs are a roadmap that helps users navigate through the financial statements and focus on the items that are most significant to the audit. KAMs are defined in ISA 701 as ‘those matters that, in the auditor’s professional judgement, were of most significance in the audit of the financial statements of the current period. KAMs are selected from matters communicated with those charged with governance.’ Given the importance of IT and its impact on business operations, and ultimately financial results, the question then arises whether IT will constitute a KAM that the auditor should address in the audit report.
The most recent audit reports of the top 40 JSE-listed entities were obtained in June 2018 from company websites. The reports were analysed to compare the nature and extent of IT-related disclosure and whether IT was reported as a KAM. The findings indicated that 130 KAMs were disclosed in the 40 audit reports, with an average of 3,25 per entity. The majority (63%) of the reports disclosed three KAMs or fewer. The analysis further indicated that none of the audit firms considered IT to be significant enough to be separately disclosed as a KAM.
Of interest are the words most commonly used in KAM titles. These are presented graphically below.
The analysis indicated that those charged with governance in 32 entities (80%) of the total sample disclosed IT as a top risk. Of the remaining eight entities which failed to identify IT as a top risk, one (12%) entity also neglected to disclose IT governance processes or any information about an IT committee. Upon further inspection, it became clear that the same entity did not disclose IT as a significant risk, nor did it disclose the IT governance processes or detail about an IT committee.
Although zero KAMs were raised relating to IT, those charged with governance for 39 of the entities nonetheless considered IT significant enough to disclose IT as a top risk, disclose IT governance processes or detail about an IT committee, as illustrated in the table.
From the above, it is clear that both the literature and those charged with governance view IT as a crucial aspect of the organisation, yet none of the auditors disclosed IT as a matter requiring significant attention. This raises the question whether the new audit report is indeed overcoming the audit expectation gap and the limitations of the previous format, or whether the auditors are failing to recognise the importance of IT and its impact on the business and the audit process.
Karlien Dempsey, Senior Lecturer, Department of Accountancy, University of Johannesburg; and Ben Marx, Professor, Department of Accountancy, University of Johannesburg.
This article was originally published in ASA.