Top Three Issues from Our File Reviews


We complete many audit cold file review assignments every year. Whilst every audit file is different, and the approach by each firm varies, there are common themes in many of the reviews we undertake. Here we look at three of the most common issues and how firms should deal with them.

IT Systems and Controls

Compliance with ISA (Ireland) 315 ‘Identifying and Assessing the Risks of Material Misstatement’ still causes problems even though the standard came into effect for accounting periods beginning 15 December 2021. Frequently, auditors fail to properly document not only key transaction cycles but also the specific control activities required under ISA 315.26, which may not be part of the transaction cycle. As a result, walkthroughs of the transaction cycle to confirm:

  • Design,
  • Operating effectiveness and
  • Implementation

do not always cover the controls required to be reviewed.

Audit files often overlook the requirement to consider the broader control environment including areas such as:

  • risk management,
  • how systems and controls are monitored,
  • how the culture of the entity contributes to the control environment and
  • how the control environment interacts with outsourced service providers like payroll, for example.

It is not sufficient to only document the key business cycles. The audit file must also document the overarching control environment as part of the audit risk assessment.

A useful IT Controls Questionnaire (as a downloadable Word document) to help with documenting part of this process, is available on our website, for €60+VAT at this link.

Going Concern

Many audit files don’t reflect the approach to fulfil the requirements of ISA (Ireland) 570 on Going Concern.

The audit work on going concern that is evidenced on the audit file often neglects to show that management have first of all prepared their own going concern assessment, which is supposed to be reviewed and appropriately challenged by the auditors.

Instead, files often include detailed notes, prepared by the auditors, explaining why the audit team believe the entity to be a going concern, but with little evidence of a challenge of management’s assumptions, including an assessment of the budgets and forecasts prepared by management. It can appear that the files include a going concern assessment prepared for management by the auditors, which is an inappropriate non-audit service.

Firms are required to show that they have documented management’s assessment of going concern and show how they have tested management’s assumptions, being careful not to be biased in favour or against any particular outcome.

Fraud

Quite often we see on audit files the following text or something similar – ‘the management tell us there has never been a fraud, so therefore there is no fraud in the latest financial year’.

This approach hardly displays the kind of scepticism required by the standard. For example, ISA (Ireland) 240.13 states (our underline) ‘the auditor shall maintain professional scepticism throughout the audit, recognizing the possibility that a material misstatement due to fraud could exist, notwithstanding the auditor’s past experience of the honesty and integrity of the entity’s management and those charged with governance.’

Auditors, please also note the three Appendices at the back of ISA 240 which are not new and are well worth a read, when planning an assignment:

Appendix 1 – Examples of Fraud Risk Factors;

Appendix 2 – Examples of Possible Audit Procedures to Address the Assessed Risks of Material Misstatement Due to Fraud (we call this the ‘Auditors Toolbox’); and

Appendix 3 – Examples of Circumstances that Indicate the Possibility of Fraud.

How can John McCarthy Consulting help?

Our audit file review service is available either on-site or remotely, where we will provide you with a written report benchmarking your audit file against the appropriate standards. You will receive a gap analysis of where your firm stands on a particular assignment with clear direction as to appropriate action to consider for improvement.

For more on engagement and representation letter templates and a variety of CPD webinars on money laundering and other accounting/audit related topics, please go to our website for:

  • Anti-Money Laundering Policies Controls and Procedures Manual (March 2022) — View the table of contents
  • Letters of engagement and similar templates—Please visit our website here where immediate downloads are available in Word format. A bulk discount is available for orders of five or more items bought together.
  • ISQM TOOLKIT, or if you prefer to chat through the different audit risks and potential appropriate responses presented by this new standard. We typically tailor ISQM training and brainstorming sessions to suit your firm’s unique requirements. Please contact John McCarthy FCA by email at john@jmcc.ie.
Carillion Case Trundles On


The fallout from the Carillion case continues. On 16 February 2026 the UK Financial Conduct Authority issued a Final Notice and fined Richard Howson, former group chief executive of Carillion plc, a total of £237,700 after he withdrew his challenge to the original penalty decision made in 2022. He was CEO of the group until July 2017. In October 2023 he was banned from acting as a company director for six years.

Howson, one of two executive directors on the Board, was aware that Carillion’s UK and Ireland construction business was in trouble. He failed to reflect this in company announcements or alert its board and audit committee, leading to poor oversight. Ultimately the company had a £200 million black hole.

Howson’s responsibilities included working closely with the group finance director (the other executive director on the board) to ensure Carillion communicated effectively with investors and had appropriate internal control processes. Provisions made on four of the largest projects operated by Carillion were insufficient to cover the losses expected and he did not inform the Board or the Audit Committee about these under-provisions.

In Ireland, there were at least six school projects affected by the collapse of Carillion which were:

  • Loreto College, Wexford;
  • Coláiste Raithín, Bray;
  • Ravenswell Primary School, Bray;
  • Tyndall College, Carlow;
  • Carlow Institute of Further Education, and
  • Eureka Secondary School, Kells.

Bespoke Audit Training at a location of your choice

If you would like a quotation for a tailored audit training session to include the latest accounting changes in FRS 102 (leasing and revenue recognition), dealing with issues like the Carillion case and how to spot these issues in your work, please contact us at john@jmcc.ie.

Governance and Leadership Risks in your ISQM


The International Standard on Quality Management (ISQM) 1 has now been in place since 15 December 2022. Have you reviewed your ISQM in action and updated it for any root cause analysis carried out in the interim?

The standard requires firms to record quality objectives in six key areas. These are:

  1. Governance and leadership;
  2. Relevant ethical requirements;
  3. Acceptance and continuance of client relationships and specific engagements;
  4. Engagement performance;
  5. Resources; and
  6. Information and communication.

The first of these areas is Governance and leadership. This is of paramount importance to quality management because it drives how the firm is perceived by its Partners, staff, audit clients and ultimately the public. Governance and leadership principles serve as the framework for how the firm’s decisions are made.

The standard has enhanced requirements regarding the firm’s commitment to quality through its culture.

4 Key Areas of Quality

The requirements now also focus on 4 key areas:

  1. The firm’s public interest role;
  2. The importance of professional ethics, values and attitudes;
  3. The responsibility of all personnel for quality relating to the performance of engagements or activities within the Statement of Quality Management (SoQM), and their expected behaviour; and
  4. Quality in the context of the firm’s strategic decisions and actions (e.g. will we expand the Tax Department and offer tax planning services to our private company audit clients?), including the firm’s financial and operational priorities.

There are requirements that:

  • Address leadership’s behaviour and commitment to quality, and their accountability for quality;
  • Address the organizational structure of the firm and the firm’s assignment of roles, responsibilities and authority; and
  • Address resource needs, and resource planning, allocation and assignment, which also include financial resources for matters like up-to-date software and training.

This brief blog is only a summary of the main requirements.

For more assistance please see our ISQM Toolkit or if you prefer to chat through the different audit risks and potential appropriate responses presented by this standard, please call or e-mail John McCarthy FCA on Governance and leadership or e-mail him at john@jmcc.ie


Corruption Perceptions Index (CPI) 2025


The Corruption Perceptions Index (CPI) is (according to its publisher, Transparency International) the leading global indicator of public sector corruption and provides a comparative snapshot of 182 countries and territories. The latest index, for 2025, was published last week (10 February 2026) at this link.

It is often used by MLROs as a supplementary tool to assist in their understanding of money laundering risks in overseas territories.

Transparency International (TI) is a Berlin-based non-profit organisation set up by former employees of the World Bank. The index is calculated using data from 13 external sources (including interviews of businesses around the globe) and scores countries out of 100; the higher the score, the lower the level of corruption in the country. In this index, Denmark comes out best with a score of 89 in this year’s report, a drop of one point compared to 2024.

Ireland has a score of 76 (compared to 77 in the 2024 report) out of 100, meaning it ranks 15th out of 182 countries (a drop of four places compared to its ranking in the 2023 index).

As a result of this poorer score, Transparency International (TI) Ireland has called on the Government to strengthen transparency and oversight across political finance, corporate and financial services regulation. TI warned that the State remains exposed to emerging corruption risks that receive less public attention but may have significant long-term consequences.

See our ISQM TOOLKIT at this link. We can tailor ISQM training and brainstorming sessions to suit your firm’s unique requirements.  Please contact John McCarthy FCA by email at john@jmcc.ie.

For AML training and compliance please send a mail to john@jmcc.ie.

For audit cold file reviews and tailored training sessions explaining more about various topics like AML, Audit, FRS 102, please send a mail to john@jmcc.ie.


100% Artificial Intelligence Law Firm


The move away from using human beings in professional services has already started.

In May 2025 the UK legal sector regulator, the Solicitors Regulation Authority, approved Garfield Law as the first fully AI-driven law firm, to operate without human lawyers.

Garfield offers businesses and individuals cost-effective legal services, such as debt collection, at substantially lower rates—starting at just £2 for initial actions.

The firm was co-founded by former litigator Philip Young and quantum physicist Daniel Long. Garfield initially concentrates on small claims debt collection and aims to recover billions in unpaid debts and streamline court processes using AI.

Pursuing claims in the UK under £10,000 is typically seen as too costly or time-consuming. The English small claims Court process is perceived as confusing and intimidating, especially for sole traders and smaller businesses.


Artificial Intelligence In Audit


The Financial Reporting Council issued a Thematic Review Report in June 2025 which provides useful guidance on the use of artificial intelligence in audit procedures, including illustrative examples and documentation expectations for firms utilizing AI tools in their audits.

Use of AI in Audit Procedures

The Financial Reporting Council have come up with a new acronym called ‘ATTs’, or Automated Tools and Techniques, to describe the use of AI tools in audit. Specifically, these would be ‘Technology used to perform risk assessment procedures and/or obtain audit evidence’. Some of this is not new, as firms have already been using ATTs for data analytics used to audit journal entries and revenue.

The ultimate aim of the Report is to support the use of ATTs by audit firms to improve audit quality.

The Report refers to the need to ensure that ATTs are subject to a certification process that complies with the requirements of the ISQM (Ireland) 1 so that quality objectives are established to ensure such tools and techniques are appropriately obtained or developed, implemented, maintained and used to enable the performance of quality audit engagements.

The Financial Reporting Council reviewed the certification process in the Top 6 firms in the UK, namely BDO, Deloitte, EY, Forvis Mazars, KPMG and PwC, and the report is based on these findings. One unidentified firm had a KPI which reported against usage targets for certain key ATTs, to encourage their use by audit teams.

According to the Report, responsible AI deployment helps to improve trust in financial reporting by, for example, helping to identify potentially fraudulent journals.

Use of AI in Audit Procedures

The report is accompanied by an illustrative example and documentation guidance which covers the testing of journals for suspected fraudulent entries in a listed retail business.

Fraud procedures often consist of filtering the population of journals by applying rules-based criteria which may indicate higher risk, for example, journals posted at certain times or with certain values. This tool allows the identification of more subtle patterns that may be indicators of risk, enhancing the quality of the procedure.

More information is available in Technical Alert 04 2025 Quality Management Top tips available on the Institute’s website. A template ISQM Toolkit (to assist with the ISQM implementation) is available to purchase for €250 +VAT.

  2. RI CPD – Each Responsible Individual’s (RI) CPD is reviewed in line with the IAASA CPD Guidelines on the regulation, monitoring and enforcement of continuing education for statutory auditors. More details are available at final-cpd-guidelines-020221.pdf (iaasa.ie).

RIs are required to:

  • Plan CPD annually by reflecting on the knowledge, skills and values required to fulfil their responsibilities;
  • Identify learning and development needs;
  • Complete sufficient, relevant, and appropriate CPD annually to meet the learning and development needs and to demonstrate achievement of learning outcomes in the Institute IES 8, Table A template document;
  • Evaluate the effectiveness of the CPD activities regularly and revise the approach as necessary;
  • Maintain appropriate written CPD records, including supporting documentation to evidence CPD planning, completion, and evaluation; and
  • Submit an annual declaration confirming compliance with CPD

More information is available at the CPD hub on the Institute’s website CPD for Responsible Individuals – ..rteredaccountants.ie (charteredaccountants.ie)

  3. Evidence of challenge and scepticism – Audit files must demonstrate that the auditor has evaluated whether the accounting estimates and related disclosures are reasonable (see ISA 540). Auditors should watch out for indicators of possible management bias.

  4. Central Bank Regulated Entities – Under the Companies Act 2014 (Schedule 5), Republic of Ireland entities cannot avail of the small company exemption and cannot file abridged financial statements with the CRO.

Auditors are reminded that financial statements for such entities cannot be prepared under FRS 102 Section 1A, and full financial statements must be filed with CRO. Neither can such entities avail of the Provisions Available for Audits of Small Entities (PAASE).

  5. Risk assessment (ISA 315) – the risk assessment on file must be tailored to the specific client’s circumstances, and generic risks that are prepopulated will not be regarded as convincing.
  6. Fraud considerations (ISA 240) – fraud considerations should be evidenced on the file, including the likelihood of management override of controls and risks connected to related parties. In our own file reviews John McCarthy Consulting Ltd. has seen comments like ‘there has never been a fraud’, according to the Directors. Such comments are not regarded as displaying sufficient scepticism by the auditors.
  7. Audit of construction contracts, including long term contracts and work in progress – Audit files need to show that the audit firm has a good understanding of the entity being audited, the risk assessment is appropriate and responses to assessed risks are adequate. The requirements of ISA 540 on accounting estimates and judgements will be relevant. The audit file will also need to contain adequate evidence of challenge of management assumptions.

  8. Assembly of the final audit file – ISA 230 requires the auditor to complete the administrative process of assembling the final audit file on a timely basis, typically within 60 days after the date the auditor’s report is signed. New audit procedures or forming new conclusions cannot be documented once the audit report is signed.

  9. Statutory Duty Confirmation (SDC) – under Section 27B of the Central Bank Act 1997, auditors are obliged to make a written report (‘SDC’) to the Central Bank of Ireland (CBI), stating whether or not circumstances have arisen that require the auditor to report a matter to the CBI.

The ‘SDC’ must be submitted to the CBI within one month of the date of the auditor’s report. The ‘SDC’ should cover the period commencing on the date of issue of the previous declaration to the date of signing the current declaration. The format for these reports is set out in Appendix 2 of Technical Release 02 2025 – Reporting under The Central Bank and Financial Services Authority of Ireland Act 2004 which is available on the Institute’s website.

  10. Group Audits (ISA 600) – Where group accounts are not prepared, firms are expected to clearly document the basis for the non-consolidation.

Group Audit documentation should clearly demonstrate how the component auditor’s work was directed, supervised, and reviewed. Firms are reminded that component performance materiality should be set at an amount lower than group performance materiality.
