AICPA Issues Technical Q&As on Technology Use in Financial Statement Audits
October 30, 2025
The AICPA on October 23, 2025, published technical questions and answers (TQA) section 8400, Use of Technology in an Audit of Financial Statements.
The update comes as audits are increasingly performed in environments with extensive use of IT. Auditors must understand the entity’s IT environment, risks, and controls. Advancements in technology allow auditors to enhance risk assessments and tailor audit procedures, thereby improving audit quality.
The section’s overview notes that the requirements in AU-C section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, help the auditor focus on matters such as the IT environment, risks arising from the use of IT, and an entity’s general IT controls that address such risks.
AU-C section 500, Audit Evidence, requires the auditor to evaluate information to inform the auditor’s overall conclusion about whether sufficient appropriate audit evidence has been obtained. GAAS neither requires nor precludes the use of automated tools and techniques in an audit of financial statements. The guide notes, for example, that certain automated tools and techniques can enable the auditor to aggregate or disaggregate information or to consider information obtained from multiple sources, which may result in more persuasive audit evidence as the volume of information available to auditors expands.
AU-C section 530, Audit Sampling, involves the selection and evaluation of less than 100% of the population of audit relevance. Auditors would need to expect the selected items to be representative of the population. Because audit sampling involves testing only a sample, it introduces sampling risk.
Audit data analytics (ADAs) enable the auditor to analyze patterns, identify anomalies, and extract other useful information in data that relate to the subject matter of an audit through analysis, modeling, and visualization for the purpose of planning or performing the audit.
AU-C section 330, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained, states that when designing tests of controls and tests of details, the auditor should determine the means of selecting items for testing that are effective in meeting the purpose of the audit procedure.
“ADA tools can help the auditor in performing robust risk assessment procedures to obtain a better understanding of the characteristics within a population to (a) identify specific items for further testing, (b) process large volumes of data from multiple sources, or (c) perform an analysis of a complete population. Using ADAs may not necessarily eliminate the need for audit sampling, and ADAs may be used in conjunction with audit sampling procedures or other selection methods,” the TQA states.
In particular, the AICPA added the following sections to the TQAs:
Q&A 8400.01, “Background to Sections 8400.02−.08”
Q&A 8400.02, “Automated Tools and Techniques — Permissibility Under GAAS”: Auditors may use them to process, organize, structure, or present data in a given context in order to generate information that can be used as audit evidence.
Q&A 8400.03, “Automated Tools and Techniques — Benefits of Auditor Use”: While GAAS does not require the use of automated tools and techniques, the guide notes that they can be helpful when the entity is highly automated and has a high volume of complex data or large datasets. These tools assist the auditor in looking for unusual patterns or for items that exhibit specified attributes that may require further investigation, and help the auditor to organize data to enable further analysis or to identify relationships.
Q&A 8400.04, “Automated Tools and Techniques — Auditor Considerations”: Automated tools can enhance audit quality, but they don’t replace the need for auditor involvement, judgment, and skepticism in all audit phases. Auditors must understand the entity’s IT environment and evaluate whether electronic data is relevant and reliable for audit evidence.
Q&A 8400.05, “Automated Tools and Techniques — Types of Procedures Performed”: Automated tools and techniques may be used in risk assessment, analytical procedures, and tests of controls.
Q&A 8400.06, “Automated Tools and Techniques — Analyzing Entire Populations”: While auditors traditionally use sampling for tests of controls and substantive procedures, automated tools and techniques enable a more comprehensive approach. They reduce or eliminate sampling risk. For example, tools can help with revenue testing by matching cash receipts from automated bank feeds to sales invoices and shipping records; identifying any invoices, shipments, or payments without corresponding items; and investigating all unmatched items as potential misstatements.
Q&A 8400.07, “Analyzing Entire Populations — Addressing Characteristics That Vary From Expectations”: When auditors identify characteristics that vary from expectations, these may indicate previously unidentified risks or risks that are higher than originally assessed. The auditor should consider whether to refine the procedure performed; determine if items indicate additional risks of material misstatement; and decide whether to tailor further audit procedures. The guide notes that this is an iterative risk assessment.
Q&A 8400.08, “Identification of Subpopulations”: Populations don’t need to be entire account balances or transaction classes. They can be separated into smaller groups sharing similar characteristics to reduce variation and enable risk-based, targeted procedures.
[Thomson Reuters]
