
Major Global Events and Their Impact on the Audit Opinion

Energy security and frontier-AI cyber risk as triggers for ISA 705 considerations

Madhu Chennupati, Head of Audit Quality and Technical, Acumon
and
Thanzil Khan, Head of Risk and Technology Assurance, Acumon

Synopsis. The closure of the Strait of Hormuz and Anthropic’s announcement of Claude Mythos Preview have, within the same reporting period, materially altered two assumptions that auditors routinely take for granted: that energy inputs will continue to flow at broadly stable prices, and that the cost of attacking software is bounded by the supply of skilled human attackers. This article examines when, and how, these developments may translate into a modification of the auditor’s opinion under ISA(UK) 705; where they are properly addressed through Key Audit Matters, Material Uncertainty Related to Going Concern paragraphs, or Emphasis of Matter; and what practical steps audit teams and their clients can take now to reduce the risk of being caught short.

1. The professional question

Auditors are not in the business of underwriting geopolitical or technological risk. Their function is to obtain reasonable assurance that the financial statements are free from material misstatement, and to express an opinion accordingly. Yet two events during the current reporting season, one in the physical economy and one in the digital, have produced uncertainties of a magnitude that engagement teams cannot discard with a standard unmodified opinion and a paragraph in the strategic report.

The first is the de facto closure of the Strait of Hormuz since late February 2026, and the resulting collapse in seaborne hydrocarbon flows from the Persian Gulf. The International Energy Agency has characterised the resulting supply shock as the largest disruption in the history of the world oil market, with crude flowing through the Strait falling from in excess of 20 million barrels per day to under 4 million, and physical Brent prices touching $150 per barrel against a disconnected futures price. The second is Anthropic’s 7 April announcement of Claude Mythos Preview, a frontier model which, on its developer’s own evaluations and those of the UK AI Security Institute, can autonomously discover and weaponise software vulnerabilities at a rate previously confined to elite human researchers.

Mythos Preview was disclosed alongside Project Glasswing, a coordinated defensive-security initiative under which Anthropic has given controlled access to the model to Apple, Microsoft, Google, Amazon, NVIDIA, Cisco, CrowdStrike and approximately forty other organisations responsible for foundational software and critical infrastructure, supported by a commitment of up to $100 million in usage credits. The intent is that participants use the model to find and patch vulnerabilities in their own systems before adversaries with comparable capability emerge. Anthropic has stated that it does not intend to make the model generally available. Within hours of the announcement, however, an unauthorised group obtained access to Mythos Preview through a third-party vendor environment, raising precisely the supply-chain concern the programme was intended to address.

Both events sit awkwardly within the existing audit framework. Neither is a routine subsequent event; both are systemic; and both interact with management’s representations and forecasts in ways that may not be susceptible to ordinary audit evidence.

2. Energy security and the going concern assessment

Under ISA 570 (Revised), the auditor’s responsibility extends to evaluating management’s assessment of the entity’s ability to continue as a going concern, and to concluding on the appropriateness of that assessment in light of the audit evidence. For entities with material exposure to Gulf hydrocarbons, whether as producers, refiners, shippers, energy-intensive manufacturers, fertiliser and petrochemical operators, or downstream consumers operating on thin margins, the Strait closure is not background colour. It is a direct input to the cash-flow forecasts on which the going concern conclusion rests. For other entities the impact of the energy crisis is less obvious, but all entities rely on energy, and so the ability of that energy to flow is at the heart of business continuity and of the going concern assessment.

Two consequences follow. First, where management’s base-case forecast assumes a return to pre-crisis flow rates within the going concern assessment period and the audit team cannot corroborate that assumption against external evidence, the auditor should consider whether a Material Uncertainty Related to Going Concern paragraph is required. The International Energy Agency’s (“IEA”) central scenario continues to assume only a partial normalisation of Middle Eastern export flows by mid-2026 and expressly acknowledges material downside risks should disruptions through the Strait persist. Subsequent IEA updates have highlighted ongoing inventory depletion, constrained replacement supply chains and continued logistical disruption, indicating that forecasts which disregard prolonged-disruption scenarios may lack a reasonable basis.

Second, and most significantly, where uncertainty is so pervasive and so material that the auditor concludes sufficient appropriate audit evidence cannot be obtained, a disclaimer of opinion under ISA 705 may be the correct response. This is a high bar, and one rarely reached, but the present circumstances are themselves rare. The standard contemplates pervasive limitations, and a closed maritime chokepoint affecting twenty per cent of seaborne crude is, by any reasonable construction, pervasive.

3. Cyber security and the assertion of internal control reliance

The case in respect of cyber risk requires more careful framing, because the temptation to over-modify is significant and would devalue the modified opinion as a signal. The Mythos announcement does not, of itself, alter the auditor’s responsibilities. What it alters is the empirical basis for several long-standing audit assumptions about the cost and difficulty of attacking enterprise systems.

Three features are material to audit judgement. The model has identified thousands of zero-day vulnerabilities across every major operating system and web browser. It has been used to develop working exploits without expert human guidance. The access incident on the day of announcement followed precisely the supply-chain compromise pattern familiar from SolarWinds, the 2020 attack in which malicious code inserted into routine Orion software updates remained undetected for approximately nine months and reached some 18,000 customer organisations, including the US Departments of the Treasury, State and Homeland Security, and a long list of Fortune 500 companies, providing attackers with access to confidential and sensitive information. The combination is not merely a step-change in attacker capability; it is a step-change in the proliferation curve for that capability. The Mythos announcement has only elevated this risk to unimaginable levels, as such vulnerabilities are identified in all major operating systems supporting businesses.

For audit purposes, this affects three areas. The first is the auditor’s risk assessment under ISA 315 (Revised 2019), particularly in respect of the IT environment and general IT controls. Where management has concluded that controls over financially significant applications are designed and operating effectively, the auditor must now consider whether the residual vulnerability surface (unpatched dependencies, legacy systems, third-party software) is consistent with a low control risk assessment in the current threat environment. The AI Security Institute’s assessment is that Mythos-class models can exploit systems with weak security posture; the question for the auditor is whether the entity’s posture has been independently validated against that threat model, or merely against the model that prevailed twelve months ago.

The second area is contingent liability and subsequent event treatment. Entities that were participants in Project Glasswing, vendors to those participants, or users of any software identified as having been remediated through Mythos-driven disclosure during the reporting period, may face disclosure obligations under IAS 37 in respect of remediation costs and potential third-party claims. The auditor’s role is to challenge management’s assessment of the probability and quantum of such obligations.

The third is reliance on service auditor reports. ISAE 3402 and SOC 2 reports issued to date were prepared against a threat model that did not contemplate autonomous exploit development at scale. Auditors who have historically placed reliance on such reports in respect of outsourced financial processes should consider whether that reliance remains appropriate without further enquiry, or whether bridging procedures are now required.

4. A Y2K-shaped precedent

There is a useful precedent for an industry-wide modification of audit reporting in response to a systemic technology risk. In the late 1990s, in the run-up to the millennium date change, UK auditors inserted disclosures and, in a number of cases, qualified opinions where management could not adequately demonstrate that information systems would continue to function across 1 January 2000. The Auditing Practices Board issued specific guidance on Year 2000 issues for both directors’ reports and auditors’ reports, supplemented by Bulletins and supporting commentary from the ICAEW. The approach was, on the whole, proportionate: the great majority of opinions remained unmodified, but a clearly defined disclosure regime emerged, and modification was reserved for cases where management’s remediation programme was demonstrably inadequate.

The Y2K analogy is instructive in two respects, and misleading in a third. It is instructive, first, in showing that the profession has previously stepped up to a horizon-defined technology risk by way of standardised disclosure rather than reflexive qualification; and second, in demonstrating that the existence of such disclosure can itself sharpen management’s remediation efforts. It is misleading in that Y2K was a single, dated event with a clear remediation pathway. Mythos-class capability has no end date, the vulnerability surface is not enumerable in advance, and the threat model evolves with each successive frontier model. A Y2K-style disclosure framework is therefore a useful starting point, but not a sufficient response.

5. What can be done

The discipline of the audit opinion is most useful when it is paired with practical work that reduces the underlying audit risk. There are three areas in which audit teams and their clients can act now.

Contingency planning. Boards should be asked, and audit committees should expect to see evidence, that documented contingency plans exist for both a prolonged Strait closure and a material cyber incident attributable to AI-augmented attack. For the energy case, that means tested supplier substitution, alternative routing assumptions, and stress-tested liquidity headroom under a sustained $130–$150 Brent scenario. For the cyber case, it means an incident response plan that has been exercised against a current threat model focusing on business continuity and ensuring minimal disruption to business. Such plans should also address the assumption that an attacker can develop working exploits faster than internal patch cycles.

Assessing how teams will react. Plans on paper are of limited value. The more important question is whether finance, treasury, IT and operations functions can execute under pressure. Tabletop exercises, red-team engagements, and simulated supplier failure drills provide evidence that auditors can use, and that management can rely on. Where such exercises have not been conducted, or have been conducted at a level of generality that does not engage the current threat environment, the auditor’s scepticism should rise accordingly.

Scenario planning. Forecasts presented to auditors should articulate at least three scenarios: a base case; a downside consistent with the IEA alternative case for energy and an autonomous-exploit threat model for cyber; and a severe-but-plausible tail, with clearly identified triggers and management actions for each. Forecasts that present only a base case are increasingly difficult to support as a reasonable basis for the going concern conclusion, and engagement teams should expect to challenge them.

The Risk and Technology Assurance team at Acumon, led by Thanzil Khan, has been working with clients across various sectors including financial services on the following areas: cyber maturity assessments mapped to current frontier-AI threat models, third-party and service-organisation control reviews, contingency and incident response exercises, and scenario-based forecast challenge. The work is designed to give boards assurance and to support auditors in obtaining sufficient appropriate audit evidence to form an unmodified opinion where one is properly available. Reducing the underlying residual risk is, in our experience, the most reliable way to reduce the risk of opinion modification for clients.

6. When modification is, and is not, the right answer

None of the foregoing constitutes a general invitation to qualify. The default position remains that an unmodified opinion accompanied by appropriate Key Audit Matters disclosure under ISA 701, and where relevant an Emphasis of Matter paragraph under ISA 706, is the correct response to material but adequately disclosed uncertainty. The discipline of ISA 705 is reserved for circumstances in which either the financial statements are materially misstated, or the auditor has been unable to obtain sufficient appropriate audit evidence.

The judgement in the present cycle is therefore not whether to modify reflexively, but whether the engagement team has tested management’s assumptions against the right counterfactuals and whether management has done the underlying work to make those assumptions defensible. Where it has, an unmodified opinion remains appropriate. Where it has not, and where the resulting uncertainty is material and, in the energy case, potentially pervasive, modification, whether by qualification, disclaimer or adverse opinion as the facts require, is the response the standards contemplate. That is what the standards are for.

Madhu Chennupati, Head of Audit Quality and Technical, Acumon
Thanzil Khan, Head of Risk and Technology Assurance, Acumon