An informational notice has been published regarding the use of software developed on the 1C and BAS platforms by entities performing auditing activities (auditing firms). The document was prepared in connection with decisions by authorized government authorities to restrict the use of certain software products due to potential security risks.
Why the use of 1C and BAS is relevant for auditors
Following the publication by the State Service of Special Communications and Information Protection of Ukraine of a list of software prohibited for use in government authorities, local self-government bodies, state-owned enterprises, and critical infrastructure operators, particular attention has been given to products developed on the 1C and BAS platforms.
Some auditing entities (auditing firms) use the relevant software for:
- planning and performing audit procedures;
- creating and storing audit documentation;
- processing clients’ accounting and analytical information;
- storing copies of primary documents, contracts, and accounting registers.
Such information may contain confidential or restricted-access data, which increases the security requirements for the technological resources of an auditing firm.
ISA 1 requirements for an auditing firm’s technological resources
Technological resources as part of the quality management system
According to ISA 1, software used by an auditing firm is part of its technological resources and must comply with established quality objectives.
Specifically:
- Paragraph 32(f) of ISA 1 – technological resources should be acquired, implemented, maintained, and used in a way that ensures the functioning of the quality management system and the proper performance of engagements;
- Paragraph 32(h) of ISA 1 – resources provided by suppliers should be suitable for use within the quality management system in line with the established quality objectives;
- Paragraph 25 of ISA 1 – auditing entities must identify and assess quality risks and implement appropriate responses.
Key risks when using 1C and BAS in auditing activities
Among the main challenges that should be addressed within the quality management system are:
- potential unauthorized access to data;
- control over software updates;
- dependency on suppliers;
- threats to confidentiality and data integrity;
- potential reputational risks for the auditing firm.
Given decisions by authorized bodies to restrict the use of 1C and BAS due to security risks, these circumstances must be properly assessed by auditing firms.
Recommended actions for auditing entities
In the context of ISA 1 requirements, it is advisable to:
1) Conduct a reassessment of quality risks
- review risks related to confidentiality and information security;
- strengthen response measures if necessary;
- update information security policies.
2) Limit the use of 1C and BAS in sensitive areas
It is recommended to refrain from using 1C- or BAS-based software for processing and storing information of clients related to government authorities, local self-government bodies, state-owned enterprises, critical infrastructure operators, and defense industry entities.
Impact on the quality management system and professional ethics
Compliance with ISA 1 requirements, information protection legislation, and principles of professional ethics is a key factor in ensuring audit quality.
Using technological resources with elevated security risks without proper assessment may:
- create critical non-compliance factors within the quality management system;
- increase regulatory risks;
- negatively impact the reputation of the auditing firm.
Frequently asked questions
Are auditors prohibited from using 1C or BAS?
The informational notice does not impose a direct, blanket ban on all auditing firms, but it emphasizes the need for a proper assessment of quality and security risks.
Should the quality management system be reviewed?
Yes. If 1C- or BAS-based software is used during an audit, it is advisable to conduct a reassessment of risks in accordance with ISA 1.
Which clients are considered the highest risk in this context?
Government authorities, state-owned enterprises, critical infrastructure operators, and defense industry entities.