
External audit has sharpened its focus on systems & controls - what does this mean for Heads of Internal Audit?

04 April 2023

Richard Walker, Head of Risk Advisory Services

The revised auditing standard on Identifying and Assessing the Risks of Material Misstatement came into force for accounting periods beginning on or after 15 December 2021. Heads of Internal Audit will have already noted that their external auditors are applying it to the current audit cycle at their organisations.

This is an important audit standard since it deals with the responsibility of external auditors to understand the entity and its environment such as industry, regulatory and other external factors, the applicable financial reporting framework, and the entity’s system of internal control, to identify and assess risks of material misstatement and as a result, determine additional audit procedures to be performed. The primary revisions to the standard aim to improve the consistency of risk identification and assessment, refine the approach to understanding the system of internal control and to ensure that certain IT risks are sufficiently addressed.

Impact on the external audit approach

Audit risk model

The statutory audit risk model has remained the same. External auditors must identify risks of material misstatement at the financial statement and assertion levels. Where they identify risks, they must respond by devising appropriate audit procedures.

Financial statement level risks are those that relate pervasively to the financial statements, such as going concern issues, external factors such as declining economic conditions, or deficiencies in the control environment.

Auditors use assertions to determine the possible categories of material misstatement that may arise. These include assertions:

  • regarding classes of transactions and events, and related disclosures for the period under audit (occurrence, completeness, accuracy, cut-off, classification, presentation);
  • addressing account balances and related disclosures at the period end (existence, rights and obligations, completeness, accuracy, valuation and allocation, classification and presentation);
  • that aren’t directly related to recorded classes of transactions, events or account balances.

Risk at assertion level is the possibility that one or more of these assertions are incorrect, resulting in material misstatement. Assertion level risk comprises inherent risk (the risk that a material misstatement of an assertion could arise before consideration of any related controls) and control risk (the risk that a material misstatement of an assertion will not be prevented, or detected and corrected, by the entity’s system of internal control).

Required audit risk assessment procedures

Considerable changes have been made to required audit risk assessment procedures. To promote consistency in the approach to the identification and assessment of audit risk, the revised standard is more prescriptive regarding the work that we undertake and the areas to be covered.

Risk assessment procedures to be performed are specified in respect of:

  • The entity and its environment, and the applicable financial reporting framework
  • Components of the entity’s system of internal control.

The risk assessment procedures involve understanding each of these areas as well as identifying and assessing the related audit risks.

For Heads of Internal Audit, the work that external auditors must now do regarding understanding and evaluating the entity’s system of internal control is important. In particular, the revised standard has significantly changed and enhanced the requirements and application material in relation to the auditor’s considerations about IT. The main changes can be found in the auditor’s required understanding of the information system and control activities components.

The standard defines the entity’s system of internal control as being made up of the following components:

  • Control environment
  • The entity’s risk assessment process
  • The entity’s process to monitor the system of internal control
  • Information system and communication
  • Control activities.

The control environment comprises the governance and oversight framework, culture, values, assignment of authority and responsibility, recruitment and training, accountability and performance management. Auditors must now evaluate whether the entity has a culture of honesty and ethical behaviour, whether the control environment provides an appropriate foundation for the other components of the entity’s system of internal control and whether control deficiencies acknowledged in the control environment undermine the other components of the entity’s system of internal control.

For those business risks relevant to financial reporting objectives, auditors are required to understand the entity’s process for identifying, assessing and addressing these risks and evaluate whether the process is appropriate for the entity.

Processes to monitor the system of internal control include control monitoring activities performed by management and internal audit. External auditors must understand these processes and evaluate whether they are appropriate for the entity.

The information system comprises the information processing activities for each significant class of transactions, account balances and disclosures, together with human and IT resources and the IT environment. These need to be understood and evaluated. Specific additional guidance is provided in respect of the IT environment in Appendix 5 of the standard. The objective of understanding the IT environment is to help the auditor identify potential risks arising from the use of IT by identifying the key IT applications and processes relevant to the audit and evaluating whether the entity’s information system appropriately supports the preparation of the financial statements.

Communication refers to the ways in which significant matters supporting the preparation of the financial statements are communicated within the entity, between management and those charged with governance and with external parties such as regulators. Auditors are required to evaluate whether the entity’s information system and communication appropriately support the preparation of the financial statements.

For the control activities component, the standard clearly directs the external audit work towards identifying controls that address risks of material misstatement at the assertion level. These are specified as controls that address significant risks of material misstatement, controls over journals, controls where the auditor plans to test operating effectiveness to determine the extent of substantive testing and any other controls that the auditor considers relevant. For IT applications and aspects of the IT environment that are subject to the risks of using IT (e.g. unauthorised access, inappropriate data changes) identified through understanding the IT environment, the auditor is required to identify the IT risks and any related IT general controls.

The auditor is required to evaluate the design and the extent of implementation of all the controls relevant to the control activities component.

Relevance to internal audit

The external audit approach has shifted to a granular assessment of financial controls, the IT environment and IT general controls, even if the external auditors do not seek to rely upon them. Expectations have increased and auditors are now required to obtain detailed information so that they can understand and evaluate the entity’s system of internal control. As a result, management needs to provide more comprehensive documentation of financial and IT controls as audit evidence. External audit reporting is likely to include an increased number of recommendations relating to controls.

Consequently, the work of internal audit may come under increased scrutiny. Internal audit may be required to assist management in responding to requests for control documentation and to share more of their reports and schedules. Management could ask internal audit to undertake “pre-audit assessments” of controls so that everything is in order before the external audit. Those aspects of the internal audit plan relating to financial controls or the IT environment will be looked at more closely by management to ensure that they do not duplicate the work performed by the external auditors. Internal audit may also need to explain their findings more fully in these areas - especially if they appear inconsistent with the control reporting provided by the external audit.

Alongside these developments, the implementation of the proposed changes to South African corporate governance continues to progress steadily with most large corporate entities having begun to prepare for the expected requirement for an explicit directors’ statement on the effectiveness of internal controls over financial reporting and the basis for that assessment.

This is also driving formal documentation of financial and IT controls. Although additional resources are often recruited to lead this project, internal audit still has a supporting role to play as the control documentation and approach are developed, drawing on the knowledge of the business obtained through its work on financial and IT processes and controls. Once the requirement comes into force, the internal audit plan may need to be reviewed again to ensure that it is aligned with any assurance required to support the directors’ statement.

How should Heads of Internal Audit respond?

Heads of Internal Audit need to be aware of, and understand, the impact of this change in approach. The revised standard is now being applied to all external audits, with audited entities’ financial and IT controls being assessed by audit teams in greater depth than before. South African corporate governance reform is also focused on these controls. More questions will be asked of the organisation, more control points will be included in external audit reporting to the Audit Committee, and management may look to their internal audit team for support and advice.

To respond to these challenges, it is essential that Heads of Internal Audit look again at their approach to financial and IT controls. This should include the strategy (the extent of coverage of these areas within the plan) and how this is aligned with external audit activity and any assurance to support the proposed directors’ statement. This will enable duplication of audit effort to be minimised.

The objective and scope of individual internal audits relating to financial and IT controls should also be considered in this light. The objectives and approach of an internal audit are very different from external audit. Audit risk for external auditors is focused primarily on financial statement misstatement, whereas internal audit is looking to provide assurance in respect of a much wider population of risks associated with the organisation’s strategy and business objectives. As a result, the conclusions arising from internal audit work can potentially differ from those reached by external audit - even though they appear to be looking at the same process area.

Refreshing the internal audit strategy and approach and articulating this to management, the Audit Committee and the external auditors should ensure that the assurance provided by internal audit is more clearly defined and the potential for perceived duplication or misunderstandings is addressed.
