Financial Audits diving into the technology estate

The opening statement from EY on ISA 315 on Feb 2023 article:

Source: Revised ISA 315 and IT risks: how to reduce the additional workload it creates on the alternative industry? | EY Luxembourg

For a long time financial audits focused on checking the financial transactions in financial systems, to verify the accounts. But in the last years financial audits are expanding their audits into the sourcing of the financial transactions, such as systems for order handling, stock handling, shipping and receiving, time entry, etc etc.

As an example KPMG developed their methodology to review the IT landscape and risk in their Cyber In the Audit CiTa methodology. Closing statement from this article in 2022

The impact to you

What does this mean for you and how you are being audited? 

If you need to adhere to certain accounting principles, such as IFRS, your auditors will incorporate this in their audit activity. For smaller companies, who are not needing to follow an accounting standard, it will be a matter of time until they will be reviewed on their cyber risks. This could be driven by an accounting audit, but very likely will also be considered for company insurance policies.

So we suggest to be ready and think about this before it becomes an urgent high pressure question.

What happens during these audits

We have experienced a number of these audits, and they can create unexpected pressure. Mainly because financial audits usually didn’t need IT teams to provide data and information about the technical estate. Additionally the Finance language is different to the IT one. So quite easily things were misunderstood, requiring more time from either side to align on the requests for information.

Additionally a finance audit is usually time bound and not flexible. Therefore questions and information gathering has to happen at a high pace, while the IT teams had to retain the demand for technology improvements and upkeep from within the organisation itself. In our experience there was no time created to deliver the demanded information, it just had to happen there and then.

And because every organisation is different, with a different technical landscape, Finance Auditors don’t always know what to look for until they understand more about the technical landscape.

For example an organisation with a high amount of bespoke homegrown software and a high amount of processes supported by excel and excel macros have a different risk profile compared to an organisation who uses a modern online SAAS application. The organisation using SAAS is likely secured and maintaned by a commercial software development company. Business wise they could be equally valuable, but risk wise there is a significant difference.

Engage your finance auditor

We recommend to engage your finance auditor to verify if they need information about your technology landscape. If they do, it is useful to allocate dedicated time for IT members to accommodate the engagement.

With our experience in finance audits, it helped a lot with having a set of basic information about the technology landscape in 1 place.

Key aspects, such as narrative on the usage, where it is used, which areas/processes it supports for the organisation, and in some cases knowing what type of data is present, made answering questions a lot easier.

Therefore we recommend engaging your auditor on time to ask which information they might be needing.

Our perspective and approach

When using our methodology and our application, we expect value for financial auditing purposes as well as any insurance questions. In our approach, with collaboration with a number of your key resources, we can quickly create insight into your technology estate. And with that overview enhance the focus to areas at risk or areas that need clarification towards auditors or insurance companies.

We will focus on insights in the tech landscape, as well as the business processes. The technology is essential, but will be difficult to assess if it isn't clear where in the process the technology is used.

For example, when high risk technology (old, unsupported) is not be part of a critical business process, the risk might be lower compared to more modern SAAS technology, used in a critical business process, but the software missing a number of key security patches. In the SAAS example, the foundation of technology is more modern, but given those missing security patches the risk could be significantly higher for the organisation.

Therefore the combination of technology and business process is essential to assess the right risks.

So if you want to get ready for Finance Audits, or similar to us, experienced finance audits where you would have had benefit from base level information about your technology estate, our platform provides a good foundation to provide insight to you and your auditors.

On your own or with our help

We’re happy to help getting you started, but we're also happy to get you going yourself. Our software is simple to use.

Our core driver is that we give you a mechanism to structure your information into platform, so you can reuse and expand. We prefer to avoid those one-off spreadsheets, which will never get looked at again.

Interested? Connect with us via linkedin