The era of auditors not considering IT risks during audits of alternative investment funds is long gone. Information Technology is an integral part of the audit approach in today’s world, as alternative asset servicers and managers now use IT platforms such as Yardi, Efront, Investran and others to calculate the net asset value (NAV) of alternative products – including at special purpose vehicle (SPV) level.
Revision of the ISA 315: a small revolution for the alternative sector
This shift in the audit approach has been accelerated by the new revision of the International Standards of Auditing 315 (“revised ISA 315 - Identifying and assessing the risk of Material Misstatement”), now effective for audits of financial statements for periods beginning on or after 15 December 2021, creating new audit requirements.
The now outdated previous standards for auditing did not consider IT risks and controls as a critical aspect. Arguably, an auditor could therefore complete an audit by performing tests of details or substantive audit procedures without factoring-in IT risk assessments and other procedures. Times have changed.
The Revised ISA 315 is widely seen as a much-needed course correction which encourages auditors to gain an understanding of the IT systems in use within the business environment and the associated risk factors.
This approach is well-developed and common for the audit of traditional investment funds such as UCITS funds, but it represents a small revolution for the alternative sector within which alternative asset servicers and managers are now facing additional and time-consuming audit requests on IT risks.
From this perspective, auditors are now required to gain an understanding of:
- The path by which information flows through the audited entity’s information systems
- The way transactions are initiated and the method of documenting and updating information about them, including any necessary corrections incorporated into the general ledger and reported in the financial statements
- The entity’s resources, including the IT environment used for the aforementioned processes
Understanding different types of IT risks under the (Revised) ISA 315
The considerations for understanding information technology are detailed in Appendix 5 of the Revised ISA 315. This appendix provides examples of typical characteristics of non-complex commercial software, mid-size or moderately complex commercial software or IT applications and large or complex IT applications (e.g., ERP systems) in terms of automation and their use of data, IT applications, IT infrastructure and IT processes.
The standard also details the IT controls related to access management processes, including authentication, authorization, provisioning, deprovisioning, privileged access, user access review, security configuration controls and physical access. Within change management processes, the controls identified include segregation of duties over change migration, systems development or acquisition, or implementation and data conversion. With respect to IT operations, the controls include job scheduling, job monitoring, backup and recovery and intrusion detection.
In summary, the revision to ISA 315 implements a minimum requirement for auditors to document their understanding of the role of IT in the transactions and processes relevant for the audit. This requirement also applies to audits of SPVs, SCSp, S.à r.l.[1] or other types of structures commonly used in the alternative industry.
If not done already, auditors of alternative investment structures now have to ask themselves the critical question: is it still possible to sign off on the audit without considering the impact of IT usage in the business and the inherent risks?
How the International Standard on Assurance Engagements (ISAE) 3402 will help
The trend in the past five years has been for alternative asset servicers to adopt controls reports (i.e., ISAE 3402 Reports) to cover operational and IT processes of their accounting platforms, following the same trend as traditional asset servicers. However, very often these accounting platforms are not certified to cover operations at SPVs level or other types of unregulated entities (e.g., SCSp) commonly used in private equity or real estate.
This gap of coverage of existing controls reports and the new requirements imposed by the (Revised) ISA 315 have created a significant increase in individual IT requests from auditors and further workload on asset servicers and managers.
To avoid this extra work answering individual IT requests from auditors, and to demonstrate the right level of assurance to investors and stakeholders, alternative players are encouraged to quickly redefine the scope of their existing ISAE 3402 report to cover certain aspects of the operational and IT processes impacting SPVs and unregulated entities.
Overall, the impact of technology on various services, including front-, middle-, and back-office operations is expected to continue shaping the asset servicing industry. To stay ahead in the industry, it is important to partner with a trusted expert and turn challenges into growth opportunities.
[1] Acronyms: Special Limited Partnerships (SCSp), Société à responsabilité limitée (Sàrl)
