Quicklinks

  1. About Us

    Find out about who we are and what we do here at ICAS.

  2. Find a CA

    Search our directory of individual CAs and Member organisations by name, location and professional criteria.

  3. CA Magazine

    View the latest issues of the dedicated magazine for ICAS Chartered Accountants.

  4. Contact Us

    Get in touch with ICAS by phone, email or post, with dedicated contacts for Members, Students and firms.

Technology-related changes in the revised 2025 ICAS Code of Ethics

By Ann Buttery CA, Head of Ethics, ICAS Policy Leadership

3 October 2024

In response to the impact of rapid technological advancements and accelerating digitalisation, we are updating our Code of Ethics. Ann Buttery, Head of Ethics at ICAS, explains what you need to know about the main technology-related changes taking effect from 1 January 2025.

The ICAS Code of Ethics is substantively based on the International Ethics Standards Board for Accountants (IESBA) Code of Ethics.

We are adopting a revised Code of Ethics with effect from 1 January 2025 to incorporate various IESBA revisions to the Code. This includes technology-related changes to the fundamental principle of confidentiality, and a revised definition of a public interest entity and listed entity.

Find out more about all changes to the Code here.

Technology-related changes to the ICAS Code of Ethics

The IESBA revised its Code to respond to the impact of rapid technological advancements and accelerating digitalisation.

The revisions refer to the generic term “technology” to help future proof their relevance.   However, considerable outreach was performed in the development of the revisions to ensure that the ethics and independence implications of technologies such as robotic process automation, and artificial intelligence for professional accountants were considered.

The revisions:

  • Strengthen the code in guiding the mindset and behaviour of professional accountants (PAs) when using any technology.
  • Provide enhanced guidance fit for the digital age in relation to the fundamental principles of confidentiality, and professional competence and due care, as well as in dealing with circumstances of complexity.
  • Address the circumstances in which firms and network firms may or may not provide a technology-related non-assurance service to an audit or assurance client.

Some of the key changes are in relation to the following areas:

Confidentiality

Definition of confidential information

The Code now includes a definition of ‘confidential information’ in the Glossary which is: ‘Any information, data or other material in whatever form or medium (including written, electronic, visual or oral) that is not publicly available.’

In addition, paragraph 114.1 A1 highlights that maintaining the confidentiality of information acquired in the course of professional and business relationships involves the professional accountant taking appropriate action to protect the confidentiality of such information throughout the data cycle i.e. in the course of its collection, use, transfer, storage or retention, dissemination and lawful destruction.

Disclosure of confidential information – exceptions to the prohibition

Paragraphs R114.1 to R114.2 describe the prohibition on disclosure of confidential information.  This is followed by paragraph R114.3 which states the limited situations where a professional accountant may disclose or use confidential information:

“R114.3 As an exception to paragraph R114.2, a professional accountant may disclose or use confidential information where: (a) There is a legal or professional duty or right to do so; or (b) This is authorised by the client or any person with the authority to permit disclosure or use of the confidential information and this is not prohibited by law or regulation.”

Application material is subsequently included at paragraph 114.3 A3 to provide examples of circumstances where a professional accountant (PA) might seek authorisation to use or disclose confidential information.

For certain matters, the authorisation could be of a general nature, for example, as found in some contracts signed between firms and their clients that permit the use of confidential information acquired in the course of a professional activity for the purposes of the firm’s internal training or other quality enhancement initiatives.

The reference to “internal training” in this paragraph is intended to encompass the training of both internal AI systems and staff in either a firm or an employing organisation.

In more specific circumstances where a PA seeks authorisation to use or disclose confidential information the revisions:

  • Set out what a PA might communicate when seeking the authorisation, preferably in writing.
  • Specify that such authorisation should be sought from the individual or entity that provided the confidential information.

Complex circumstances

Revisions to the Conceptual Framework at paragraphs 120.5 A6 to 120.5 A8 recognise that professional judgement exercised by PAs might need to take into account the complexity of the circumstances that they face. Although complex circumstances have always existed and are not a new phenomenon specific to technology, rapid digitalisation has increased the interconnectedness of social, economic, legal and geopolitical systems, and is a complex circumstance that PAs are now facing. In this regard, the guidance included should not be restricted to technology-specific complex circumstances.

The revisions highlight that managing complexity involves:

  • Making the firm or employing organisation and, if appropriate, relevant stakeholders aware of the inherent uncertainties or difficulties arising from the facts and circumstances.
  • Being alert to any developments or changes in the facts and circumstances and assessing whether they might impact any judgments the accountant has made.

It might also involve other matters, including:

  • Analysing and investigating as relevant, any uncertain elements, the variables and assumptions and how they are connected or interdependent.
  • Using technology to analyse relevant data to inform the PA’s judgement.
  • Consulting with others, including experts, to ensure appropriate challenge and additional input as part of the evaluation process.

Identifying threats

The revisions at paragraphs 200.6 A2 and 300.6 A2 highlight facts and circumstances relating to the use of technology that might create threats for a PA when undertaking a professional activity. These include the self-interest threat that a PA might not have sufficient information and expertise, or access to an expert with sufficient understanding, to use and explain the technology and its appropriateness for the purpose intended. A self-review threat is created where the technology was designed or developed using the knowledge, expertise or judgement of the accountant or employing organisation/firm.

Using the output of technology

Paragraphs R220.8 and 220.8 A1 have been added in Section 220 ‘Preparation and presentation of information’ for professional accountants in business and corresponding paragraphs R320.11 and 320.11 A1 in Section 320 ‘Professional Appointments’ for professional accountants in practice in relation to “Using the output of technology”.

When preparing or presenting information, a PA who intends to use the output of technology, whether internally or externally developed, is required to exercise professional judgement to determine the appropriate steps to take, if any, to guard against matters such as bias or being associated with misleading information.

When a PA in public practice intends to use the output of technology in the course of undertaking a professional activity, the accountant needs to determine whether the use is appropriate for the intended purpose.

Factors to consider include:

  • The nature of the activity to be performed by the technology.
  • The expected use of, or extent of reliance on, the output of the technology.
  • Whether the PA has the ability, or has access to an expert with the ability, to understand, use and explain the technology and its appropriateness for the purpose intended.
  • Whether the technology used has been appropriately tested and evaluated for the purpose intended.
  • Prior experience with the technology and whether its use for specific purposes is generally accepted.
  • The employing organisation’s/firm’s oversight of the design, development, implementation, operation, maintenance, monitoring, updating or upgrading of the technology.
  • The controls relating to the use of the technology, including procedures for authorising user access to the technology and overseeing such use.
  • The appropriateness of the inputs to the technology, including data and any related decisions, and decisions made by individuals in the course of using the technology.

While ultimately it is the “output of the technology” that a PA will utilise in the delivery of their professional activity or service, in order to be able to use such output, the whole process of making use of the technology is considered within the application material as seen in the above bullets.

International Independence Standards

The IESBA has also incorporated revisions to Parts 4A and 4B of the Code – the International Independence Standards - in relation to technology.

Please note that auditors undertaking an audit in the UK, and professional accountants undertaking other public interest assurance engagements in compliance with the engagement standards issued by the Financial Reporting Council (FRC), are required to comply with the requirements of the FRC’s Ethical Standard and there is no requirement to also have to comply with Part 4A of the Code. Detailed explanation is provided in Section 400 of the ICAS Code of Ethics.

In January 2024, the FRC published its Revised Ethical Standard 2024, which becomes effective from 15 December 2024. New paragraphs 5.53 and 5.54 in relation to Information Technology Services were added in order to reflect the IESBA revisions. More information on the changes to the FRC’s Ethical Standard is provided here.

IESBA’s revisions to its Code of Ethics include the following:

Providing, selling, reselling or licensing technology

New paragraph 520.7 A1 states that in situations where a firm or a network firm provides, sells, resells or licenses technology:

(a) to an audit client; or
(b) to an entity that provides services using such technology to audit clients of the firm or network firm.

depending on the facts and circumstances, the requirements and application material in the non-assurance services provisions (Section 600) apply. This is to cover situations where a firm may provide a non-assurance service via technology.

Subsection 606 – Information Technology Systems Services

Paragraph R400.20 prohibits a firm or network firm from assuming a management responsibility for an audit client. Providing IT systems services to an audit client can result in a firm assuming a management responsibility.

Paragraph 606.2 A1 now describes IT systems services as follows:

“IT systems services comprise a broad range of services including:

  • Designing or developing hardware or software IT systems.
  • Implementing IT systems, including installation, configuration, interfacing, or customisation.
  • Operating, maintaining, monitoring, updating or upgrading IT systems.
  • Collecting or storing data or managing (directly or indirectly) the hosting of data.”

New application material in paragraphs 606.3 A1 and 606.3 A2 provides further guidance in relation to this:

“606.3 A1 Examples of IT systems services that result in the assumption of a management responsibility include where a firm or a network firm:

  • Stores data or manages (directly or indirectly) the hosting of data on behalf of the audit client. Such services include:
    • Acting as the only access to a financial or non-financial information system of the audit client.
    • Taking custody of or storing the audit client’s data or records such that the audit client’s data or records are otherwise incomplete.
    • Providing electronic security or back-up services, such as business continuity or a disaster recovery function, for the audit client’s data or records.
  • Operates, maintains, or monitors the audit client’s IT systems, network or website.

606.3 A2 The collection, receipt, transmission and retention of data provided by an audit client in the course of an audit or to enable the provision of a permissible service to that client does not result in an assumption of management responsibility.”

IESBA case studies

The IESBA has also developed two publications containing technology related case studies which members might find useful:

Find out more about the ethics resources ICAS provides to support its members here.

Our cookie policy

ICAS.com uses cookies which are essential for our website to work. We would also like to use analytical cookies to help us improve our website and your user experience. Any data collected is anonymised. Please have a look at the further information in our cookie policy and confirm if you are happy for us to use analytical cookies: