Embracing the Revised Auditing Standard ISA [DE] 315 (Revised 2019) for IT Auditing

As of December 15th, 2022, the IDW has introduced ISA [DE] 315 (Revised 2019), an auditing standard that has been fundamentally revised by the IAASB to identify and assess the risks of material misstatement. Due to the changing audit scope resulting from ongoing digitization, the increasing use of new automated tools and techniques, and other reasons cited, a revision of the standards was necessary.

The article „IT and more: IT audit according to ISA [DE] 315 (Revised 2019)“ compares the audit standards IDW PS 330 and ISA [DE] 315 (Revised 2019) and describes the main differences and innovations for practice.

The IDW PS 330, now replaced, provided the basis for performing IT system audits as part of the audit of the financial statements. Apart from the relevance for financial reporting, there were no further criteria for assessing the significance of an IT system for the audit of the financial statements. The nature and scope of the IT system audit were determined by the materiality of the IT system for financial reporting and the complexity of the systems.

Through the newly introduced ISA 315 (Revised 2019), IT auditing is no longer addressed in a separate auditing standard; rather, it becomes the backbone of the risk-based audit approach. According to the standard, the auditor first has to obtain an understanding of the entity’s information system and communications relevant to the preparation of the financial statements. Following this, the auditor must obtain an understanding of the control activities that relate to the risk of material misstatement at the financial statement level. Finally, risks resulting from the use of IT are identified for the relevant systems and an assessment is conducted to determine which of these risks are addressed via IT general controls.

The IT audit according to IDW PS 330 was often performed in isolation. This can result in a disproportionate weighting of certain systems without reference to risks of material misstatement. A weak integration of IT audit and the relevant ICS means that, in the view of many auditors, a pure audit of general IT controls does not offer any added value. Emerging technologies – such as cloud computing or the use of automated tools and techniques – were not addressed at all or only superficially. In contrast, ISA 315 (Revised 2019) defines control activities in the IT-based accounting system as an essential component of the ICS. Automated or IT-supported controls along IT-supported business processes such as procurement or sales create a link to items in the financial statements and management report.

ISA 315 (Revised 2019) stands for breaking down the silo structures of IT auditing and financial statement auditing, because focusing on the IT systems and controls relevant for the financial statement audit requires a close coordination. The added value is therefore primarily in enabling a strong focus on the IT systems and controls relevant for the audit of the financial statements, considering the risks of material misstatement, and aligning the audit strategy consistently.