Thematic Review: Certification of Automated Tools and Techniques
The FRC does not accept any liability to any party for any loss, damage or costs howsoever arising, whether directly or indirectly, whether in contract, tort or otherwise from any action or decision taken (or not taken) as a result of any person relying on or otherwise using this document or arising from any omission from it.
© The Financial Reporting Council Limited 2025. Financial Reporting Council, 13th Floor, 1 Harbour Exchange Square, London E14 9GE
1. Executive summary
Audit firms are increasingly making use of Automated Tools and Techniques (ATTs)1 in audits to perform risk assessment procedures and obtain audit evidence. Some ATTs – for example, data analytics used to audit journal entries and revenue – have been routinely applied by audit firms for several years. We are now seeing increasing use of ATTs in more audit areas, with some of these beginning to incorporate emerging technologies, such as artificial intelligence. The use of ATTs has significant potential to improve audit quality, though this is dependent on the ATTs producing consistently reliable outputs and being used routinely in the intended manner.
ISQM (UK) 1 requires audit firms to establish quality objectives to ensure such tools and techniques are appropriately obtained or developed, implemented, maintained and used to enable the performance of engagements. In this context, our definition of certification broadly aligns to the key stages of a system development lifecycle, and captures initial planning and needs analysis, design and development, certifying the ATT for implementation, and subsequent maintenance and monitoring. The objective of the certification process is to verify the reliability of an ATT and its suitability for use in audits. These processes are therefore fundamental to the audit firms' use of ATTs and the delivery of audit quality.
We reviewed the certification processes across the six largest audit firms2 and in this thematic report we summarise the common practice we observed, along with examples of good practice. We support a proportionate approach in this area and recognise that there are various ways firms can support the certification of ATTs used in their audits. The observations in this report do not represent an expected set of processes or controls, and firms should consider how they may be relevant and appropriate to their particular circumstances.
The ultimate objective of sharing these observations is to support the use of ATTs to improve audit quality.
Overall, we observed that most firms had well-established processes in place to certify ATTs prior to deployment for use in audits. However, in some cases, these processes were less mature and not supported by documented policies. We identified various examples of good practice across the certification process. This included innovative ways to identify opportunities for using ATTs in audits, guiding audit teams through the ATTs available to them depending on their requirements and targeting required training to relevant users. We also observed good practice across some firms to proactively review ATTs over time to confirm they remain appropriate for use in audits.
At the time of performing our review, there were areas where the firms were working to further develop their processes. This included updating their certification processes to consider and respond to the unique risks presented by ATTs using artificial intelligence, and developing capabilities to monitor the usage of ATTs and their impact on audit quality. We see these as important developments to ensure the certification processes appropriately address the risks related to emerging technologies used in ATTs, particularly as these become more widely used in audits. Further monitoring capabilities would allow firms to focus resources on the ATTs having the greatest impact on audit quality and also identify those that are not having the desired impact.
2. Purpose and scope
Resources is one of the eight components in a firm's system of quality management (SoQM) in ISQM (UK) 1. Resources can be from the firm, its global network, or from an external service provider. The Resources component of ISQM (UK) 1 covers human, intellectual and technological resources. It further defines3 relevant technological resources as:
- Those that are directly used in designing, implementing or operating the firm's system of quality management;
- Those that are used directly by engagement teams in the performance of engagements; and
- Those that are essential to enabling the effective operation of the above, such as, in relation to an IT application, the IT infrastructure and IT processes supporting the IT application.
This thematic report focuses on those resources used by engagement teams in the performance of engagements (the second item above) and in particular technology used to perform risk assessment procedures and/or obtain audit evidence. These are referred to in this thematic report as Automated Tools and Techniques (ATTs).
ISQM (UK) 1 requires4 firms to establish quality objectives around ensuring appropriate technological resources are obtained or developed, implemented, maintained and used, to enable the operation of the firm's system of quality management and the performance of engagements.
In this context our definition of certification broadly aligns to the key stages of a system development lifecycle and captures initial planning and needs analysis, design and development, certifying the ATTs for implementation, and subsequent maintenance and monitoring.
Audit teams are increasingly making use of ATTs in various areas of the audit. With emerging technological developments, including artificial intelligence, these ATTs are becoming more sophisticated and complex. It is crucial audit teams can rely on the outputs of ATTs to support their audit opinions. This includes having the necessary training and guidance to use the ATTs in the intended manner and being able to determine the suitability of particular ATTs for use on their audits. The firms' certification processes therefore have a direct impact on audit quality.
The purpose of this review was for the FRC to:
- Develop its understanding of the certification processes and related controls at the six largest audit firms and how these support the planning, deployment and monitoring of ATTs for use in audits.
- Share common practice – and examples of good practice – via this report with the ultimate aim of supporting the use of ATTs by audit firms to improve audit quality.
The timing of this thematic review aligns with the FRC observing an increase in the number and variety of ATTs being used by audit firms within the audits subject to inspection by the FRC's Audit Quality Review team. It is part of, and will help inform, the broader scope of work being performed by the FRC's Audit Market Supervision team in relation to the firms' system of quality management and the requirements in ISQM (UK) 1, in particular the monitoring of the technological resources aspects. It was also identified as a related future piece of work for the FRC in the 'Use of technology in the audit of financial statements' thematic review5 released in 2020.

Our thematic review was limited to understanding the processes and controls in place at the six largest firms. However, this report is also intended to be used by firms outside the scope of our review, which may be at an earlier stage of using ATTs in their audits or looking to develop their system of quality management with regards to the certification of such technology.
It is important to note that the common and good practice observations in this report do not constitute an expected set of processes and controls firms should have in place. We recognise that the extent to which ATTs are currently being used in audits varies across firms. Equally, there are various approaches firms can take to support the certification and deployment of ATTs in their audits. Firms should review our observations and consider the extent to which these are relevant and appropriate to their circumstances.
Refer to Appendix B for a summary of the approach taken and timing of our procedures to perform this thematic review.
3. Observations
We have summarised the observations from our review across four sub-sections that broadly align to the key phases of a system development life cycle. These are shown in the diagram below and a brief overview for each area is included in each sub-section. References to 'firms' throughout this section refer to the six firms in scope for the thematic review.
The following icons are used throughout this section:
Represents common practice, defined for this review as generally similar practices or approaches observed across the firms in scope for review.
Represents examples of good practice, which were considered to be innovative or efficient approaches to achieving the objectives of the certification processes. Firms should consider whether these are relevant to their circumstances.
Planning and needs analysis
This section captures observations relating to how the firms identify opportunities, or particular needs, to use ATTs in audits. Once identified, this also includes gathering information on usage requirements, the processes for raising requests to develop or purchase ATTs, and the associated required approvals.
Identification
- Firms noted that opportunities to use or develop an ATT may be identified through a range of sources. These include top down (for example, solutions released across the global firm, proposals from cross-network forums, or opportunities identified by global/regional/UK audit innovation teams); or bottom up (for example, opportunities identified by the audit service line/business unit or individual audit teams).
- Firms generally noted any individual within the audit practice can raise a request to develop or purchase an ATT. All firms explained that a formal business case is required to support the purchase or development of software solutions, with relevant approvals required before development or procurement begins.
- The majority of firms have central listings or inventories accessible by audit teams showing ATTs that are available for use in audits. Audit teams are expected to refer to these lists prior to initiating requests or suggestions for new ATTs.
- The firms have global forums, typically including representatives from the largest member firms in the network, which are responsible for audit innovation initiatives and the use of technology at a global level. The size and prominence of UK firms mean they are usually members of such forums and will have visibility of, and contribute to, global development direction and strategy. Through such forums, UK firms may be notified of new ATTs from the global firm or other member firms. The UK firms are also able to develop or procure ATTs independently.
Most firms have defined mechanisms through which audit staff can raise ideas and suggestions for using technology in audits. Some of these were more formalised platforms or portals.
Two firms hold various periodic events to bring groups of staff together to discuss the use of existing ATTs in audits, and generate ideas for opportunities to use new ATTs. This included involvement of innovation teams at audit planning stages.
Usage requirements
- Usage requirements at a conceptual level, relating to the required functionality of the ATT and how it will be used, are typically gathered and analysed as part of the business case. This is usually with specialist technical involvement and input from other stakeholders, including audit service line leaders and methodology teams to assess alignment with the firms' audit methodologies.
- Some firms explained that other factors, such as detailed data requirements, might not be defined at the planning and needs analysis stage, but rather at a later stage in the development cycle.
Design or selection
This stage relates to how the firms decide whether to develop an ATT internally, or source it from a third party or another network firm. This also covers the steps taken by the firms to ensure that the usage requirements identified at the planning stage are captured within the development or selection of the ATT. Integration with the firms' audit methodologies is also an important consideration at the design stage.
Sourcing
- Firms generally expressed a preference for sourcing ATTs from their global firm or other network firms where possible. Firms will typically check whether alternative/equivalent solutions are in the global development pipeline, or that of another member firm, before initiating development or procurement locally. This reduces the risk of development efforts being duplicated across different member firms.
- In cases where an opportunity is identified and no current ATT exists (either within the UK firm or across the global network), most firms preferred to develop new ATTs in-house rather than source these from third party vendors. Factors driving this included integration with existing systems and infrastructure, and greater control over design and functionality. We acknowledge that such a decision will be largely influenced by the capabilities and resources within the firms. Outside the largest firms, it is more likely that ATTs are sourced from third party vendors.
- The majority of ATTs used by the UK firms typically originate from their global firm, or through local UK development. Sourcing of ATTs directly from other member firms in the network was less frequent. Where an ATT is developed by another member firm and adopted for broader roll-out, this would typically be communicated through global channels.
Where firms opt to develop an ATT in-house:
- All firms have policies and processes for the design and development of technological solutions. These include defined technical roles and approvals required from, for example, IT, procurement and information security teams.
- The firms' audit methodology teams are normally involved early in the design process, with input into design considerations and approval stages. This is important to ensure the possible impact on, or specific requirements of, the firms' audit methodologies are considered at the design and development stages.
- Some firms noted that the design and development stages may include 'sandbox' testing to ensure the developed solution is meeting the originally defined requirements in the approved business case.
Where firms opt to source an ATT from a third party:
- This usually goes through the firms' normal procurement processes.
- There was no clear expression of preferred third parties. Rather, procurement processes would be used by firms to identify relevant third parties depending on specific ATT requirements and use cases.
- All firms considered third-party vendor control environments (including ongoing monitoring), data security and confidentiality within the selection process. Relevant information may be collated and assessed through supplier checklists or questionnaires, or review of available third-party assurance reports etc.
One firm explained that pilot programs may be run using multiple vendors to identify a preferred solution before a final decision is made.
Certification and implementation
This section covers the steps taken by the firms to certify that ATTs are functioning as intended, and producing reliable outputs, prior to implementation. This section also explores the extent to which these steps may vary depending on the source of the ATT, and the training and guidance developed for audit teams.
ATTs can broadly be divided into two categories:
- Those that are developed and deployed for use across multiple audit engagements. These are typically designed to be used in a consistent manner by audit teams, though they may include some degree of tailoring, or configuration, for the audited entity. The certification processes for these ATTs are typically performed by a central team, rather than by individual audit teams. Within the following section, these are referred to as centrally certified ATTs.
- Those which are bespoke, highly tailored or developed specifically for a particular audit. The certification processes for these ATTs are typically performed by the individual audit teams and would not be covered by the firms' central processes. Within the following section, these are referred to as engagement specific ATTs.
Centrally certified ATTs
Certification processes and policies
- All firms have processes in place for certifying ATTs prior to deployment. However, the maturity of these processes was found to vary and in some cases they were not supported by formal documented policies. The following points within this section expand on some of the key elements of the firms' certification processes, policies and approaches.
Global versus UK certification
- Certification processes and policies at the majority of firms were globally defined and implemented. This means the policies and related processes are applied and operated consistently across the international member firms, including the UK. Processes at the remaining firms were UK-specific.
- We noted some differences in the level of additional certification procedures performed by the UK firms on globally certified ATTs, ranging between:
  - The ATTs being subject to full certification by the UK firm, including allocation of a UK ATT owner. This process may place some reliance on certification steps performed at the global level.
  - No UK-level certification or incremental testing on globally certified ATTs. It was explained to us that in such cases the UK firm would typically be involved in, or contribute to, certain aspects of the testing and assessment as part of the global certification.
- We consider the approach of performing a UK-level certification (albeit with reliance on steps performed globally) to be an effective way to ensure all aspects of the certification process, particularly steps that may have UK-specific considerations, such as data confidentiality or audit methodology, have been assessed and evidenced from a UK-firm perspective.
Two firms require globally deployed/certified ATTs to have a UK 'owner' and go through UK-level certification (though this may rely on elements of the global certification process).
Application of certification processes
- The majority of firms noted they apply a consistent certification process across ATTs in scope for central certification, regardless of the assessed risk or impact of the ATT.
- Some firms noted that ATTs may be exempt from central certification if used only by a 'small number' of audit teams. In these cases the ATTs are treated as engagement specific ATTs, and therefore covered by the engagement-specific certification processes outlined later.
- The firms' certification policies and templates outline the various criteria and steps that are required to be completed prior to an ATT being certified. This typically included approvals from relevant individuals including the tool owner, methodology teams and the business.
We reviewed the firms' certification policies, and the associated templates used to evidence the central certification of ATTs. Within Appendix C we have drawn out some of the common sections and criteria that were observed in these policies and templates.
Integration with audit methodology
In our 2020 thematic review on the use of technology in the audit of financial statements6, we explained how embedding ATTs within the firms' audit methodology is considered a crucial enabler to their success. Such integration can help audit teams understand whether the use of an ATT is suitable for the audited entity's circumstances and what further audit procedures may be required. In our work on the firms' certification processes, we observed that:
- Firms noted that methodology teams are involved in the certification processes to support alignment and integration with their methodologies. The majority of firms explicitly capture methodology input (and sign-off) within their certification documentation.
- Most firms captured information relating to ATT usage requirements as part of the certification process. This included elements such as how the ATT was designed to be used in audits (for example, risk assessment procedures and/or for obtaining substantive audit evidence) and specific data input requirements.
The majority of firms explicitly capture methodology input in the certification process.
- Only two firms explicitly outlined the limitations of the ATTs and/or restrictions of use within the certification templates. Other firms noted that such information would instead be communicated to audit teams and users of the ATTs, where relevant, through separate training and guidance material.
Two firms explicitly captured limitations of the ATTs and restrictions of use as part of the certification process.
Inputs, outputs and logic
- Firms were consistent in noting that engagement teams are responsible for assessing the completeness and accuracy of data that is entered into an ATT when used on an audit. We noted that, in some cases, the certification templates/documentation did not explicitly articulate requirements for users of centrally certified ATTs to assess the completeness and accuracy of ATT input data.
- All firms' certification processes included testing to ensure the ATT functions as intended and produces reliable outputs based on the input data. This may include procedures such as comparing expected output to that generated by the ATT or reviewing the logic or coding of the ATT.
Deployment
- Pilot phases are often completed before full deployment of an ATT. Some firms explained they will consider the business units impacted, or the relevant industry, when selecting specific audits for inclusion (or exclusion) in the pilots. For example, ATTs may be designed specifically for use in the audit of banks or be relevant only to a particular sector. Some firms also noted that pilots may be run on lower risk, non-Public Interest Entity audits before wider deployment. Given their relative size and significance, UK firms are often included in pilots of new ATTs that are being deployed globally.
Training and guidance
- Formal training is typically only rolled out for global ATTs with expected widespread use on many audits. More specific and lesser-used ATTs will typically not have formal training prepared but instead are more likely to have guidance developed and/or specific templates to assist audit teams in using them. Certification templates/documentation for the majority of firms included a section to summarise the related training, guidance and support available to staff.
One firm has implemented a system that tags ATTs based on the intended/permitted users (e.g. those from a particular department/group) and this is used to target specific training requirements.
Supporting control environment
- Three firms explicitly captured identification and assessment of the firms' supporting control environment, including general IT controls (GITCs), within the certification templates. In some cases, this cross-referred to the testing performed by the firm as part of its overall system of quality management.
Certified tool repositories
- Most firms have listings/repositories of ATTs that have been certified centrally and are available to staff. More comprehensive examples guide the user through the various ATTs available to them and can be part of scoping to identify which tools are appropriate for engagements.
One firm's digital repository of ATTs guides audit teams through the technology available to them and assists with identifying the most appropriate ATT for the specific circumstances.
Legacy ATTs
- There are instances where ATTs already existed – and were in use – prior to the firms' formal certification processes being implemented (referred to here as legacy ATTs). For some firms, certain legacy ATTs have not been through the formal certification process. The firms explained that these ATTs would have been subject to testing and assessment at the time of deployment, though supporting documentation and evidence may be less formal.
Emerging technology – ATTs using artificial intelligence
- We are beginning to see firms deploying ATTs that use artificial intelligence (AI). This includes those using machine learning, which can be applied to analyse full populations of journals or revenue transactions and identify unusual patterns or higher risk transactions. Some firms are also now deploying tools using generative AI (GenAI) technologies. However, at the time of our review these were limited to applications to assist audit teams or aid productivity, for example, chat bots, rather than within ATTs as defined for this review. The use of AI within ATTs can present unique risks and challenges which need to be considered by the firms' certification processes. These may include, but are not limited to:
  - Assessment of the underlying algorithm or model, including source, version number and the basis for selection.
  - Consideration of the data used to train the underlying algorithm or model.
  - Consideration of the interpretability and explainability of the ATT outputs, including requirements for audit team review to ensure outputs are relevant to the audited entity.
  - Consideration of ethical risks, including the potential for bias in the ATT outputs.
  - Consideration of additional training and guidance for audit teams on how to use the ATT and interpret the outputs. This may also include guidance for audit teams in determining the situations AI can be used for and whether it is appropriate for the specific audited entity.
- Firms acknowledged that the use of AI within an ATT presented additional risks that may not be addressed by existing certification processes. At the time of our review they were therefore planning to introduce supplements or changes to certification processes to address the unique risks presented by AI. Given such tools are now being used in audits, we encourage firms to implement the required changes to their certification processes as soon as possible. We see these as important developments to ensure the certification processes appropriately address the risks related to the emerging technologies used in ATTs, particularly as these become more widely used in audits.
Separate guidance has been issued by the FRC at the same time as this report relating to documenting ATTs that use artificial intelligence. Refer to AI in Audit.
Group audits
- Where the UK firm is signing a group audit opinion, the firms noted that UK group audit teams may request overseas component teams to use particular ATTs within the referral instructions. As noted earlier, the majority of firms have globally defined and consistent certification processes. Therefore, in the majority of cases, the ATTs being used have been subject to certification at the global or local firm level.
- In performing their supervision and review of component team work7, UK group teams may identify that component teams have used an ATT that is not included in the list of global- or UK-certified ATTs. In these cases, firms generally noted that group teams would be required to understand and review the certification procedures performed by the component firm.
- There may also be situations where the UK is a component team and has been requested to use an ATT for the group audit that is not included in the list of global- or UK-certified ATTs. In such cases, firms explained that these would be treated as engagement-specific ATTs and subject to the process covered later in this section. Some firms noted that consultation with the UK firm audit quality or methodology teams would also be required.
One firm explicitly referred to group audits within its certification policy. This included the situations of an overseas team using, or instructing the UK to use, an ATT that had not been subject to UK-level certification, and the related responsibilities of the audit teams.
Documentation
- Documentation relating to central certification procedures is retained centrally, not on individual audit files. While audit teams may refer to central certification procedures, there is no expectation for evidence of central certification procedures to be retained on audit files.
- Workpaper templates to be completed by audit teams when using an ATT, along with related guidance, are developed and released for ATTs as required.
Engagement-specific ATTs
- Engagement-specific or bespoke ATTs were primarily data analytics routines, carried out using software platforms such as Alteryx or programming languages such as SQL, R, Python or SAS.
- Most firms have established processes for audit teams using engagement-specific ATTs. These processes all require the completion of specific templates by the audit teams to evidence their consideration and assessment that the engagement-specific ATT is reliable and appropriate for use on the audit. In all cases, these templates were required to be retained on the audit file. At the remaining firms, processes related to the use of bespoke or engagement-specific ATTs were still being established and implemented at the time of our review.
- We did observe some examples of:
  - Ambiguity in the wording or instructions within the related templates which suggested that their completion was optional, rather than mandatory; and
  - The absence of specific instructions in the related template to explain when the form should be used and whether it was mandatory.
- We observed variation across the firms regarding whether the software used to develop and execute the custom routines (referred to here as routine-enabling applications, for example, Alteryx) was subject to central certification processes. While some firms certify the routine-enabling application centrally, as well as requiring engagement teams to separately assess the custom routine, others relied solely on the engagement team's assessment of the custom routine. We note such decisions may depend on the nature of the routine-enabling application and how it is used by the firm but would expect the bespoke routines created using the applications to be subject to the firms' engagement-specific certification processes.
Two firms have implemented formal processes to standardise and promote certain common data analytics routines for use in audits. These are made available to audit teams and can be tailored to the circumstances and processes of the audited entity.
Within Appendix C, we have summarised some of the more common criteria and sections included in templates/workpapers implemented by the firms to evidence the audit teams' certification of engagement-specific ATTs.
Maintenance and monitoring
This section covers the processes in place at the firms to maintain the ATTs in use by audit teams. This includes processes to recertify ATTs and assess the supporting control environment. It also relates to the firms' monitoring of the use of ATTs and their approach to retiring or discontinuing them.
Monitoring the use and impact of ATTs
- Monitoring performed by firms was generally restricted to a sub-set of more widely used ATTs, and primarily performed to understand how many audit teams were using the ATTs in their audits (typically for licensing purposes).
- There was no formal monitoring performed by the firms to quantify the audit quality impact of using ATTs. We understand this is an area that firms are looking to develop further and that the use of ATTs may sometimes be captured in other activities such as root cause analysis. Firms are encouraged to establish policies or metrics to support the continuous and consistent evaluation of how ATTs impact audit quality. Equally, where monitoring responsibilities sit for globally deployed ATTs should also be defined. Further monitoring capabilities would allow firms to focus resources on ATTs having the greatest impact on audit quality and also identify those that are not having the desired impact.
- Generally, the firms did not have key performance indicators (KPIs) in place relating to ATT usage and monitoring, although one firm did report against usage targets for certain key ATTs.
Recertification of ATTs already in use
- Most firms took a broadly consistent approach, with formal recertification – following the certification processes covered earlier – typically only performed when an ATT is subject to change or update (a recertification trigger). To support this, two firms have implemented annual confirmation processes, whereby ATT owners in the UK are required to formally confirm if there were any significant changes or issues for the ATT during the period that may necessitate recertification, and that centrally-held certification documentation for the ATT remains up to date. We see this as a useful step, particularly given the point below regarding the identification of recertification triggers.
- The identification of triggers for recertifying ATTs generally appeared to be informal, with firms typically relying on these being identified by ATT owners. We understand that ATT owners would usually be involved in the process of approving changes to ATTs and, therefore, be aware of a trigger for recertification being met. We would encourage firms to ensure that their change management processes include an assessment of whether recertification of the ATT is required. Some firms included definitions of triggers for recertifying ATTs within their certification policy.
- One firm enforces a minimum required recertification frequency of three years for all ATTs. Although in practice most ATTs would be subject to more frequent recertification when they are changed or updated, we see the implementation of a backstop minimum period as a positive approach to ensure more stable ATTs remain appropriate for use and in line with the firm's methodology.
Supporting control environment
- Controls (including GITCs) supporting ATTs are captured by the firm's annual ISQM (UK) 1 assessments, and typically subject to testing by the firms each year. One firm defined the frequency for testing the supporting control environment based on the risk rating assigned to the ATT. For example, the GITCs supporting higher risk ATTs would be tested annually, whereas those supporting lower risk ATTs may be tested on a less frequent basis with appropriate justification.
Maintenance and updates
- All firms have change management policies and procedures in place that apply to ATTs. Where ATTs are changed or updated, these are typically subject to recertification as outlined earlier.
Restricting access to unapproved or outdated ATTs
- In general, firms do not monitor whether audit teams are using only authorised and current ATTs, but instead rely on various preventative controls to restrict the download of software and remove outdated versions. Where ATTs are online or cloud-based, it is generally easier for firms to ensure only the current certified version is available for use. As noted earlier in this report, most firms also have directories or inventories of current certified ATTs available to staff, which include details of the current live version.
- Firms have implemented various controls to manage access to ATTs/software. These vary across firms, but include:
  - Restricting download of software from only authorised software repositories.
  - Removing outdated ATTs from software repositories.
  - Restricting download/installation of unauthorised software.
  - Remote removal of outdated software from staff devices.
  - License management.
Retirement of ATTs
- Some firms have documented policies relating to the decommissioning and retirement of ATTs. The number of ATTs being retired or decommissioned is expected to be low. However, the future implementation of different ATTs, particularly those using emerging technology, may see such situations become more frequent. We would therefore encourage firms to prepare policies and formalise related processes.
Appendix A. Glossary of terms and definitions used
| Term | As used in this review |
|---|---|
| Automated Tools and Techniques (ATT) | Technology used to perform risk assessment procedures and/or obtain audit evidence. A subset of technological resources. |
| Certify/certification | The processes, and related controls, implemented by audit firms to ensure that ATTs are being appropriately obtained or developed, implemented, maintained and used to enable the performance of engagements. Our definition broadly aligns to the key stages of a system development lifecycle and captures initial planning and needs analysis, design and development, certifying the ATT for implementation, and subsequent maintenance and monitoring. The ultimate objective of the certification process is to verify the reliability of an ATT and its related outputs and its suitability for use in audits. |
| Central certification and centrally certified ATTs | Certification processes performed by a central team within the firm, rather than by individual audit teams. Typically applied to ATTs that are used across multiple audits in a generally consistent manner. |
| Engagement-specific ATTs | ATTs that are bespoke, highly tailored or developed specifically for a particular audit. |
| Global firm/network | Responsible for the firm's globally applied processes and/or methodologies and making these available to network firms. |
| Network firm or member firm | A firm or entity that belongs to the firm's network. |
| Common practice | Similar practices or approaches observed across the firms in scope for review. |
| Good practice | Practices that were considered to be innovative or efficient approaches to achieving the objectives of the certification processes. Firms should consider whether these are relevant to their circumstances. |
| Interpretability and explainability | Interpretability is defined as the ability to understand how the ATT (and supporting algorithm) reached an output. Explainability is defined as the ability to understand and explain why a decision or output was reached. |
| General IT controls (GITCs) | Controls over the firms' IT processes that support the continued proper operation of the ATT and the supporting IT environment. |
Appendix B. Approach
The table below summarises the approach we have taken and the approximate timing of this thematic review to develop our understanding of the certification processes and controls in place at the firms.
| Approach | Timing |
|---|---|
| Information Request List (IRL) issued to firms to supply information and supporting evidence on their certification processes. | April 2024 |
| FRC review of the information received and meetings held with each firm to discuss their responses. | Summer 2024 |
| Benchmarking and analysis of firm responses. | Autumn 2024 |
| Feedback meetings held with each firm to share summary observations and examples of good practice. | June 2025 |
| Summary observations and examples of good practice included in this public report. | |
It is important to note that the observations included in this report reflect a snapshot of the processes and controls in place at the firms based on their responses to our IRL in Q2 2024 and discussed during our subsequent meetings. These processes and controls may therefore have evolved, and readers of this report should consider their own use of technology in audits when determining the relevance of the observations to their own processes.
Our understanding of the firms' processes, including the examples of common and good practice summarised in this report, was based on the firms' responses to our IRL, our subsequent discussions with the firms, inspection of related policy and process documentation, and observation of the processes through a small sample of ATTs.
Appendix C. Policies and templates
This appendix includes examples of common elements and criteria included in the firms' certification policies and related templates/workpapers used to evidence the certification process. These do not represent specific requirements or an expectation that firms must include all of these elements. Rather, they are provided as examples for firms to consider against their own processes and circumstances.
The table below captures some of the common elements included in the firms' certification policies:
| Common elements of certification policies |
|---|
| Details of various certification process paths (including classifying ATTs). |
| Roles and responsibilities in the certification process. |
| Details of the recertification process (for internal ATTs and third-party ATTs). |
| Description of trigger (change) events that would require recertification of an ATT. |
| Documentation and retention requirements (for example, what is retained centrally versus on the audit file). |
| Guidance for certifying teams/ATT owners to evaluate that tools are operating as intended. |
| Guidance for reviewing the outputs of ATTs. |
| ATT owner requirements and responsibilities. |
| Considerations for group audit engagements (for example, where a UK audit team is instructed to use an ATT certified locally by another member firm). |
| Decommissioning and/or retirement of ATTs. |
The table below notes some common criteria captured by the firms' templates used to evidence certification of centrally certified ATTs:
| Common criteria in templates for centrally certified ATTs |
|---|
| Description of ATT and how it will be used in audits. |
| Whether ATT is internally developed or sourced from a third party. |
| Intended user groups (for example, general or specific users, or specialists etc). |
| Limitations of the ATT (such as functionality restrictions or situations where ATT should not be used). |
| Data input requirements. |
| Overview and evaluation of ATT program design process. |
| Testing of ATT functionality/logic (details of testing stages performed over operation of ATT). |
| Requirements for ATT users (such as assessing completeness and accuracy of input data and parameters). |
| Other considerations around data used by the ATT, including retention, storage location, data sensitivity, etc. |
| Identification/evaluation of supporting control environment, including GITCs. |
| Summary of related training, guidance and support available to staff. |
| Details of individuals involved in the certification review process and their roles (including methodology teams). |
The table below notes some common criteria captured by the firms' templates used to evidence certification of engagement-specific/bespoke ATTs.
| Common criteria in templates for engagement-specific/bespoke ATTs |
|---|
| Outlines when the template is required and if it is mandatory. |
| Nature of the technology used. |
| Nature of procedure being performed (recalculation, reconciliation, test of control etc) and if the procedure is supporting risk assessment or substantive testing. |
| Risks of material misstatement being addressed by the ATT. |
| Assessment of data confidentiality considerations relating to audited entity data. |
| Identify sources of information used by the ATT. |
| Procedures to assess the completeness and accuracy of data being used by the ATT (including other data integrity checks). |
| Evaluation of configurations or specifications applied by the audit team (for example, date ranges, search parameters, selection criteria etc). |
| Outline understanding of coding/logic applied and procedures to verify that coding/logic of the ATT functions as expected. |
| Section(s) for preparer of the template to document follow-up procedures performed based on the output of the ATT. |
Financial Reporting Council
London office: 13th Floor, 1 Harbour Exchange Square London, E14 9GE
Birmingham office: 5th Floor, 3 Arena Central, Bridge Street Birmingham, B1 2AX
+44 (0)20 7492 2300
www.frc.org.uk

1. A full definition of terms in bold is provided in the glossary in appendix A of this report.
2. BDO, Deloitte, EY, Forvis Mazars, KPMG and PwC.
3. ISQM (UK) 1 paragraph A99.
4. ISQM (UK) 1 paragraph 32(f).
5. www.frc.org.uk/documents/4806/AQR_Thematic_Review_-_The_use_of_Technology_in_the_audit_of_financial_statements.pdf
6. www.frc.org.uk/documents/4806/AQR_Thematic_Review_-_The_use_of_Technology_in_the_audit_of_financial_statements.pdf
7. In line with the requirements of ISA (UK) 600.