Major auditors must improve auditing of bank IT controls, says regulator

Out-Law News | 28 May 2014 | 5:07 pm | 1 min. read

Major auditors must improve the way they audit organisations' IT controls, particularly in the financial services sector, the Financial Reporting Council (FRC) has said.

In its annual report (32-page / 1.31MB PDF), the FRC found that 40% of the audits it had inspected, carried out by nine major audit firms, required improvements, with 15% of the total requiring "significant improvements" to be made.

The UK watchdog highlighted particular concerns with the way some audits had been conducted at banks and building societies. It said audits of the IT controls that those organisations have in place for protecting data and for operational integrity need "significant improvement". It called on the auditors to review whether staff need additional training and guidance to conduct IT controls audits effectively, and to determine when it is appropriate to contract IT specialists to undertake such work.

"The audit approach for the largest listed entities, large retailers and financial institutions, where sufficient audit evidence cannot be obtained on a timely basis from substantive testing alone, generally requires the testing of the effectiveness of controls," the FRC said. "The testing of IT controls, both general IT controls and application controls, is a key aspect of this approach."

"A range of issues was identified covering both weaknesses in firms’ policies and procedures and deficiencies in the testing of controls in practice. Issues in relation to the audit of IT controls were a feature of a significant proportion of the audits we inspected. More common issues included limited consideration of the impact of IT general control weaknesses and insufficient IT general control roll-forward procedures being performed," it said.

The FRC's concerns about bank and building society auditing practices have prompted it to launch a more thorough inspection of the quality of such audits.

"This inspection will consider the actions being taken by firms to address the issues of a recurring nature identified by our routine inspection monitoring," the FRC said. "The findings from this thematic inspection are expected to be published in autumn 2014."

Among the deficiencies identified with IT controls audits was the reliance the auditors placed on "system-generated reports". The FRC said that audit staff had been encouraged to rely on such reports, without conducting further testing, by "high level" employees in their firms.

In addition, it said that audit teams sometimes lacked the necessary skills to conduct thorough testing of organisations' IT controls.

"We noted that while firms use IT specialists on the more complex audits, their work was sometimes limited to testing IT general controls, and that the testing of IT application controls was generally undertaken by the audit teams," it said. "The latter did not always have sufficient understanding, training or appropriately detailed guidance on how to test automated IT application controls effectively."