Technology – Audit Documentation

April 2020

NON-AUTHORITATIVE SUPPORT MATERIAL RELATED TO TECHNOLOGY:

AUDIT DOCUMENTATION WHEN USING AUTOMATED TOOLS AND TECHNIQUES

This publication has been prepared by the Technology Working Group (TWG) of the International
Auditing and Assurance Standards Board® (IAASB). It is intended to assist auditors in understanding
how the use of automated tools and techniques during an audit engagement may affect, if at all, the
auditor’s documentation in accordance with International Standard on AuditingTM (ISATM) 230.1 This
publication does not amend or override International Standard on Quality Control (ISQC) 14 or the ISAs,
the texts of which alone are authoritative. Reading the publication is not a substitute for reading ISQC 1
or the ISAsTM.
This publication is intended to provide practical assistance to practitioners in understanding relevant
considerations for audit documentation when using automated tools and techniques. The examples are
provided for illustrative purposes only.

Note to readers

Included in this publication are references to current IAASB projects, specifically projects to
finalize:
 Exposure Draft International Standards for Quality Management (ISQM) 1 (ED–ISQM 1),
Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or
Other Assurance or Related Services Engagements.
 Exposure Draft ISA 220 (Revised) (ED–220), Quality Management for an Audit of Financial
Statements.
Some of the material within has been based on these proposals. Both these standards are
targeted for approval by the IAASB in 2020. Once approved the TWG will update this publication
as may be appropriate, taking into account the effective date of these standards.

Section I
Introduction

What are Automated Tools and Techniques?

Audit procedures can be performed using a number of tools or techniques, which can be manual or
automated (and often involving a combination of both). Practitioners may use various terms in practice to
describe tools or techniques that are automated. For example, applying automated analytical procedures
to data during risk assessment procedures are sometimes referred to as data analytics.

Although the term ‘data analytics’ is sometimes used to refer to such tools and techniques, the term does
not have a uniform definition or description. This term is too narrow because it does not encompass all of
emerging technologies that are being used when designing and performing audit procedures today. In
addition, technologies and related audit applications will continue to evolve, such as artificial intelligence
(AI) applications, robotics automation processes and the use of drones. Therefore, the IAASB uses the
broader term automated tools and techniques (ATT).

Page 1 of 9
 Audit Documentation When Using Automated Tools and Techniques

The Use of ATT and the Auditor’s Documentation

ISA 230 1 does not differentiate between the use of ATT and manual tools and techniques with respect to
audit documentation requirements, but the use of ATT may result in different documentation considerations.
For example, the nature and purposes of audit documentation as set out in paragraphs 2 and 3 of ISA 230
are the same regardless of whether ATT are used in performing the audit engagement and include the
following:

• Evidence of the auditor’s basis for a conclusion about the achievement of the overall objectives of
the auditor. 2

• Evidence that the audit was planned and performed in accordance with ISAs and applicable legal
and regulatory requirements.
• Assisting the engagement team to plan and perform the audit.

• Assisting members of the engagement team responsible for supervision to direct and supervise the
audit work, and to discharge their review responsibilities in accordance with ISA 220. 3
• Enabling the engagement team to be accountable for its work.

• Retaining a record of matters of continuing significance to future audits.

• Enabling the conduct of quality control reviews and inspections in accordance with ISQC 1 4 or
national requirements that are at least as demanding. 5

• Enabling the conduct of external inspections in accordance with applicable legal, regulatory or other
requirements.

Equally, ISA 230 does not differentiate between the use of ATT or manual tools and techniques when
recording the identifying characteristics of the specific items or matters tested. 6

ISA 230 is principles-based and, therefore, remains applicable regardless of the nature of the tool or
technique that the auditor applies.

Specific ISA Documentation Requirements

When using ATT in performing risk assessment or further audit procedures, the auditor is required to comply
with the documentation requirements in ISA 230 and in every other relevant ISA. 7 This includes

1
ISA 230, Audit Documentation
2
ISA 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International
Standards on Auditing, paragraph 11
3
Extant ISA 220, Quality Control for an Audit of Financial Statements, paragraphs 15–17
4
ISQC 1, Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related
Services Engagements, paragraphs 32–33, 35–38, and 48
5
Extant ISA 220, paragraph 2
6
Paragraph A12 of ISA 230 provides examples of how the auditor may document the identifying characteristics of the specific
items or matters tested.
7
Paragraph A6 of ISA 230 explains that other ISAs contain specific documentation requirements that are intended to clarify the
application of ISA 230 in the particular circumstances of those other ISAs.

Page 2 of 9
 Audit Documentation When Using Automated Tools and Techniques

requirements such as those set out in paragraph 38 of ISA 315 (Revised 2019), 8 and paragraph 28 of ISA
330. 9 The Appendix to ISA 230 identifies paragraphs in other ISAs that contain specific documentation
requirements.

While the documentation requirements of the ISAs are the same for manual and automated tools and
techniques, this publication describes circumstances when the use of ATT during an audit engagement
may result in different documentation considerations when compared to manual tools or techniques. This
publication is organized as follows:

• Section II: Selected paragraphs of ISA 230 and how the use of ATT may affect the auditor’s
documentation.

• Section III: Special considerations.

Section II
Selected Paragraphs of ISA 230 and How the Use of ATT May Affect the Auditor’s Documentation

Results of audit procedures performed – ISA 230 paragraph 8(b)

8. The auditor shall prepare audit documentation that is sufficient to enable an experienced auditor,
having no previous connection with the audit, to understand:
(a) …
(b) The results of the audit procedures performed (emphasis added) and the audit evidence
obtained; and
(c) ….

The nature of ATT may provide auditors with an opportunity to review and analyze large data sets. In the
context of ISA 230 paragraph 8(b), when using ATT in analyzing an entire data set, the auditor is required
to document the results of the analysis for the data set. This may be quite simple, for example, by using a
visualization of the results. Alternatively, this may be achieved by documenting that for every item tested,
analysis was done to show that, for example:

• Transactions have been recorded within normal business hours,

• Transactions are linked to a unique purchase order number, or

• Transactions have been approved by the same user ID.

Therefore, while the documentation requirements do not vary for ATT, there may be different documentation
due to the different nature of the tools and techniques used.

For example, in determining the adequacy of an entity’s expected credit losses for accounts receivable, the
auditor may use ATT to analyze an entity’s entire set of accounts receivable data to generate a listing of
accounts receivable balances that meet specified criteria (e.g., exceeded credit limit, no re-payment activity,
etc.). Where such analysis results in numerous items for further investigation, the nature and extent of

8
ISA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement. Note that the requirements of ISA 315
(Revised 2019) are effective for periods beginning on or after December 15, 2021.
9
ISA 330, The Auditor’s Responses to Assessed Risks

Page 3 of 9
 Audit Documentation When Using Automated Tools and Techniques

documentation required may increase compared to if the auditor chose to use sampling techniques. In
documenting such analysis, the auditor may use ATT to quantify such exceptions and if needed, export the
results of the analysis to a format or document type (e.g., a spreadsheet or word processer) that is suitable
to be included in the auditor’s engagement file.

Significant matters arising during the audit – ISA 230 paragraph 8(c)

8. The auditor shall prepare audit documentation that is sufficient to enable an experienced auditor,
having no previous connection with the audit, to understand:
(a) …
(c) Significant matters arising during the audit, the conclusions reached thereon, and significant
professional judgments made (emphasis added) in reaching those conclusions. (Ref: Para.
A8–A11)
A8: Judging the significance of a matter requires an objective analysis of the facts and circumstances.
Examples of significant matters include:
• Matters that give rise to significant risks (as defined in ISA 315 (Revised 2019)).
• Results of audit procedures (emphasis added) indicating (a) that the financial statements
could be materially misstated, or (b) a need to revise the auditor’s previous assessment of
the risks of material misstatement and the auditor’s responses to those risks.
• Circumstances that cause the auditor significant difficulty in applying necessary audit
procedures.
• Findings that could result in a modification to the audit opinion or the inclusion of an
Emphasis of Matter paragraph in the auditor’s report.

The choice to perform a procedure through the use of ATT or by performing the procedure manually does
not affect the documentation of a significant matter but the use of different tools and techniques, whether
manual or ATT, may result in different significant matters being identified.

Nonetheless, paragraph 8(c) of ISA 230 requires the auditor to document the conclusions reached and
significant professional judgments made in reaching those conclusions. When using ATT, the nature of
‘significant professional judgments made’ may be different when exercising professional judgment during
the performance of manual tools and techniques. For example, consider the following two scenarios relating
to a highly material and difficult inventory count:

• Scenario 1: Performing test counts of inventory and analyzing the results.

• Scenario 2: Performing test counts of inventory and analyzing the results using ATT – such as those
obtained through use of a drone and AI-enabled image analysis.

Whereas both analyses may require professional judgment, the nature of the documentation to support the
‘significant professional judgments made’ may be different. For example, documentation of Scenario 1
would likely not involve how a member of the engagement team was trained to visually “count” the inventory
(that is, little professional judgment involved). However, documentation of Scenario 2 may need to include
steps used by personnel in operating the drone for purposes of the inventory count to enable the drone
being placed to obtain the best view of the inventory being counted and how the AI was determined to be
appropriate for analyzing the images.

Page 4 of 9
 Audit Documentation When Using Automated Tools and Techniques

Form, content and extent of audit documentation – ISA 230 Paragraph A2

The form, content and extent of audit documentation depend on factors such as:

• The size and complexity of the entity.

• The nature of the audit procedures to be performed.

• The identified risks of material misstatement.

• The significance of the audit evidence obtained.

• The nature and extent of exceptions identified.

• The need to document a conclusion or the basis for a conclusion not readily determinable from
the documentation of the work performed or audit evidence obtained.

• The audit methodology and tools used.

Audit documentation describes what procedures the auditor performed and how the auditor arrived at
conclusions throughout the audit. In the context of using ATT to perform audit procedures, the following
aspects may also be appropriate in considering the form, content and extent of audit documentation:

• The name of the automated tool used, and a description of the source data used in the analysis. The
tool used or the complete original data set (e.g., file, database, etc.) may not typically be retained as
audit documentation.

• Details of the data capture (e.g., data request letter), data extraction and delivery process, and
validation and reconciliation procedures performed by the auditor. As would also be the case for
manual tools and techniques, the details of the data capture may include how the data was used in
the audit procedures, including how the data was assessed to be accurate and complete for the
purpose of obtaining sufficient appropriate audit evidence.

• If the ATT allows the auditor to “drill down” through the information being analyzed to identify unusual
items or characteristics, documentation around the filters/segments applied and the path or thought
process followed.

• Nature of the procedures performed and the resulting visualization or table of contents of the analysis
(could be either as an exported report or a screen shot) relevant to the procedures being performed.
• The involvement of third-party service providers to carry out data extraction services, and how the
data was determined to be accurate and complete.

The use of various iterations of filters (ATT) – ISA 230 Paragraphs A4 and A7

A4. The auditor need not include in audit documentation superseded drafts of working papers and
financial statements, notes that reflect incomplete or preliminary thinking, previous copies of
documents corrected for typographical or other errors, and duplicates of documents.

A7. Audit documentation provides evidence that the audit complies with the ISAs. However, it is neither
necessary nor practicable for the auditor to document every matter considered, or professional

Page 5 of 9
 Audit Documentation When Using Automated Tools and Techniques

judgment made, in an audit. Further, it is unnecessary for the auditor to document separately (as
in a checklist, for example) compliance with matters for which compliance is demonstrated by
documents included within the audit file.

One of the unique characteristics of using ATT is that many different iterations of procedures performed on
the data can be viewed. For example, the auditor may design and perform several iterations of procedures
by applying different filters to the data before arriving at a final result. As noted in paragraph A4 of ISA 230,
superseded drafts of working papers need not be included in audit documentation. However, the auditor
may choose to include different visualizations, results of applying different filters, or iterations of algorithms
when, in the auditor’s judgment, these assist in understanding the nature, timing and extent of audit
procedures performed and the results obtained.

Often, the use of ATT (e.g., a data analytic) to obtain an initial understanding of an account balance or class
of transactions may be corroborated by subsequent iterations of that analytic. The auditor may retain
documentation of an earlier iteration when the analysis of its results may support professional judgments
made in determining or designing the analytic.

SECTION III
Special Considerations – How the Firm’s Approval of Technological Resources, such as ATT, may
Affect the Auditor’s Documentation

Questions may arise about the differences in the nature and extent of the auditor’s documentation when
using ATT that are approved by the firm as opposed to the use of ATT that have not been subject to a
formal approval process by the firm (e.g., where an engagement team develops its own software solutions
or amend or revise firm standard algorithms to achieve a particular testing objective). Specifically, would
the engagement team be required to document any considerations in respect of whether:

• The ATT are appropriate to enable the consistent performance of quality engagements; and

• Personnel are appropriately qualified or experienced to use the ATT?

While the IAASB has not issued requirements or guidance on the topic, the recent exposure drafts of ED-
ISQM 1 and ED-220 (Revised) address the issue. For example:

a) ED-ISQM 1

38. The firm shall establish the following quality objectives that address appropriately obtaining,
developing, using, maintaining, allocating and assigning resources, including human resources,
technological resources, and intellectual resources, in a timely manner to enable the design,
implementation and operation of the system of quality management:

(a) …

(e) The firm obtains or develops, implements and maintains appropriate technological resources
to enable the operation of the firm’s system of quality management and the performance of
engagements. (Ref: Para. A124–A131)

Page 6 of 9
 Audit Documentation When Using Automated Tools and Techniques

A130. When implementing an IT application, particularly a customized IT application that has been
developed specifically for the firm, it is necessary for the firm to determine that the IT application
operates appropriately. This determination may involve consideration of whether:

• The data inputs are appropriate and confidentiality of the data is preserved.

• The IT application operates as designed and achieves the purpose for which it is intended.

• The outputs of the IT application achieve the purpose for which they will be used.

• It is clear how users are required to interact with and use the IT application and users have
appropriate support.

• The general IT controls necessary to support the IT application’s continued operation as

designed are appropriate.

The firm may specifically prohibit the use of IT applications or features of IT applications, until
such time that it has been determined that they operate appropriately and have been approved
for use by the firm.

b) ED-220

A57. The firm’s policies or procedures may set forth required considerations or responsibilities for the
engagement team when using firm approved technology to perform audit procedures and may
require the involvement of individuals with specialized skills or expertise in evaluating or analyzing
the output.
A58. The firm’s policies or procedures may specifically prohibit the use of certain technological
resources (e.g., software that has not yet been specifically approved for use by the firm) or may
include requirements to seek approval to use a new technological resource. In some
circumstances, the firm’s policies or procedures may not specifically deal with the use of a specific
technological resource (e.g., a spreadsheet developed by the engagement team or obtained from
outside the engagement team or the firm). In these circumstances, the engagement partner may
exercise professional judgment in considering whether the use of the resource on the audit
engagement is appropriate in the context of the engagement, and if so, how the technological
resource is to be used. Factors that may be considered in determining whether a particular
technological resource, that has not been specifically approved for use by the firm, is appropriate
for use in the audit engagement may include whether:

• Use of the technological resource complies with the firm’s policies or procedures, including
policies or procedures related to data handling and security.

• The technological resource operates as intended.

• Personnel have the competence and capabilities required to use the technological resource.

Page 7 of 9
 Audit Documentation When Using Automated Tools and Techniques

When the firm has approved an ATT, the following documentation may be included at firm level
(documentation supporting the firm’s system of quality management) and therefore not at engagement
level:

• Policies or procedures employed by the firm in determining that the ATT is appropriate (e.g., the ATT
is fit for purpose and meeting its objective), and

• Information supporting the approval of the ATT.

However, when an ATT was not subject to a formal approval process by the firm for use in all or certain
audit engagements, documentation of the engagement team’s considerations in determining that the ATT
is appropriate for the engagement may be included in the audit documentation.

Practically, the following examples demonstrate how the use and approval of ATT may affect
documentation at the firm level or engagement level:

Circumstances Regarding the Use and Documentation Consideration

Approval of ATT

The ATT was approved by the firm or is off-the- Documentation in relation to the approval and the
shelf software approved by the firm (e.g., a use of the ATT may be included at firm level
branded application without tailoring)

The ATT was not subject to a formal approval
process at the firm level, but firm policies or
procedures set out the requirements if the
engagement team uses the ATT
Documentation in relation to the use of the ATT
may be included in the audit engagement
documentation in accordance with the
requirements as set out in the firm’s policies or
procedures

The ATT was not subject to a formal review
process and firm policies or procedures do not set
out requirements if the engagement team uses
such ATT
Documentation of the engagement team’s
considerations in determining that the ATT is
appropriate for the engagement may be included
in the audit engagement documentation. For
example, documentation may include how the
engagement team has determined that the ATT:
• Is used and secured in compliance with the
firm’s other relevant policies or procedures

• Operates as intended
• Is operated by personnel with the
competence and capabilities required to use
the ATT

Page 8 of 9
About the IAASB

The objective of the IAASB is to serve the public interest by setting high-quality auditing, assurance, and
other related standards and by facilitating the convergence of international and national auditing and
assurance standards, thereby enhancing the quality and consistency of practice throughout the world and
strengthening public confidence in the global auditing and assurance profession.

The IAASB develops auditing and assurance standards and guidance for use by all professional
accountants under a shared standard-setting process involving the Public Interest Oversight Board, which
oversees the activities of the IAASB, and the IAASB Consultative Advisory Group, which provides public
interest input into the development of the standards and guidance. The structures and processes that
support the operations of the IAASB are facilitated by the International Federation of Accountants (IFAC).

_____
The structures and processes that support the operations of the IAASB are facilitated by the International
Federation of Accountants® or IFAC®. The IAASB and IFAC do not accept responsibility for loss caused to
any person who acts or refrains from acting in reliance on the material in this publication, whether such loss
is caused by negligence or otherwise.

Copyright © April 2020 by IFAC. All rights reserved.

The ‘International Auditing and Assurance Standards Board’, ‘International Standards on Auditing’,
‘International Standards on Assurance Engagements’, ‘International Standards on Review Engagements’,
‘International Standards on Related Services’, ‘International Standards on Quality Control’, ‘International
Auditing Practice Notes’, ‘IAASB’, ‘ISA’, ‘ISAE’, ‘ISRE’, ‘ISRS’, ‘ISQC’, ‘IAPN’, and IAASB logo are
trademarks of IFAC, or registered trademarks and service marks of IFAC in the US and other countries.

For copyright, trademark, and permissions information, please go to permissions or contact

[email protected].

Page 9 of 9