Replacing previous auditing standards
In the course of ongoing digitalisation, IT systems have ever greater significance for accounting processes and the preparation of annual financial statements at companies. The consequences of this are, among other things, the adjustment of audit strategies for statutory audits as well as the use of tools to provide an enhanced level of assurance and audit efficiency.
As we already reported in the PKF newsletter 2/2023, the International Standards on Auditing (ISA) are gradually replacing the auditing standards of the Institute of Public Auditors in Germany [Institut der Wirtschaftsprüfer, IDW] (IDW AuS). With respect to IT auditing, IDW AuS 330 will now be replaced by ISA DE 315. This will require a markedly more rigorous approach as regards the scope and intensity of the audit.
In the following section we present the main features of ISA DE 315. The IDW pronouncement will apply for the first time to the audit of financial statements for the 2023 financial year.
Conducting an IT audit
The basic premise of an efficient audit is that the controls over the IT systems operate effectively, so that material misstatements cannot arise from them. Consequently, German public auditors have to gain an overview of the IT system environment that is relevant to financial reporting. In doing so, both the inherent risk and the control risk are considered. As under the approach used hitherto, this is a matter of gaining an understanding of the company and its environment and of identifying and assessing risks.
In the context of the methods to be used, it is possible to distinguish four steps, namely,
- gaining an understanding,
- testing the design,
- testing the operating effectiveness and
- deriving substantive audit procedures.
Gaining an understanding
First of all, the auditor has to gain an understanding of the business model and carry out a general analysis of the IT system and of the complexity of the IT environment of the company to be audited. The entire IT environment and the information processing procedure have to be included here in order to determine which systems and processes are relevant to the financial reporting. In doing so, an auditor will consider, for example, whether service providers perform relevant IT tasks and whether systems are outsourced.
Please note: Determining the necessary depth of understanding of the IT will depend on its relevance. Only relevant processes and systems will then be included for further consideration.
Testing the design
The next step involves creating an overview of the relevant control activities by identifying controls that counteract the risks of material misstatement. Here, as part of the test of the design, it would initially be sufficient to test the appropriateness of each identified control.
Testing the operating effectiveness
Whether or not it is also necessary to test the operating effectiveness of the controls identified in this way will depend on the assessment of the respective control risk. If information processing controls depend on general IT controls, then auditors may decide whether they
- (1) wish to test the effectiveness of general IT controls within the scope of the test of the operating effectiveness, or
- (2) switch to substantive audit procedures (see section "Substantive audit procedures").
In case (1), where the auditor includes IT-based process controls for applications in the test of operating effectiveness, two main areas of the IT audit emerge once an understanding has been gained:
(1a) Testing of general IT controls, which concerns program change procedures for IT applications as well as IT security (e.g. authorisation assignments); this is supplemented by general processes such as backup management. The categories of typical control activities mentioned in the ISA DE 315 standard are:
- authorisations for the actual execution of a transaction and approvals by those responsible for a transaction;
- data reconciliation operations;
- verifications of the conformity of a matter in respect of mandatory guidelines;
- physical or logical controls, including those that address security of assets against unauthorised access, acquisition, use or disposal (admittance and access to assets and data);
- segregation of duties between two business functions that need to be separated to reduce risk.
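To make the "test of operating effectiveness" concrete for two of the control categories just listed, segregation of duties and logical access control (authorisation assignment), here is an added example of the kind of check an IT auditor runs over a user-role extract from an ERP system. This is illustrative code written for this page, not code from PKF, the IDW or the ISA DE 315 standard; the user IDs, role names, the conflict matrix and the approval register are all constructed assumptions, and a real audit would apply the client's own conflict matrix and authorisation records.

```python
# Added example: operating-effectiveness test for segregation of duties and
# authorisation assignment over a constructed user-role extract.
# All identifiers below are assumptions for illustration, not real data.
from collections import defaultdict

# Constructed sample extract: one record per (user, role) assignment,
# as an administrator would export it for the auditor.
ROLE_ASSIGNMENTS = [
    ("u1001", "AP_INVOICE_ENTRY"),
    ("u1001", "AP_PAYMENT_RELEASE"),   # same user enters invoices and releases payments
    ("u1002", "AP_INVOICE_ENTRY"),
    ("u1003", "AP_PAYMENT_RELEASE"),
    ("u1004", "VENDOR_MASTER_MAINT"),
    ("u1004", "AP_PAYMENT_RELEASE"),   # vendor master maintenance plus payment release
    ("u1005", "ADMIN_ALL"),            # privileged role, approved below
    ("u1006", "ADMIN_ALL"),            # privileged role, no approval on record
    ("u1006", "AP_INVOICE_ENTRY"),
]

# Constructed approval register: privileged assignments formally approved by
# the authorisation owner. The ticket reference is a placeholder.
APPROVED_PRIVILEGED = {
    ("u1005", "ADMIN_ALL"): "CHANGE-TICKET-PLACEHOLDER",
}

# Assumed conflict matrix: pairs of business functions that must be separated.
SOD_CONFLICTS = [
    ("AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"),
    ("VENDOR_MASTER_MAINT", "AP_PAYMENT_RELEASE"),
]

PRIVILEGED_ROLES = {"ADMIN_ALL"}


def roles_by_user(assignments):
    """Group the flat extract into {user: set(roles)}."""
    result = defaultdict(set)
    for user, role in assignments:
        result[user].add(role)
    return result


def find_sod_conflicts(assignments, conflicts=SOD_CONFLICTS):
    """Return sorted (user, role_a, role_b) triples where one user holds both
    sides of a conflict pair. Each triple is a deviation to follow up."""
    findings = []
    for user, roles in roles_by_user(assignments).items():
        for role_a, role_b in conflicts:
            if role_a in roles and role_b in roles:
                findings.append((user, role_a, role_b))
    return sorted(findings)


def find_unapproved_privileged(assignments, approvals=APPROVED_PRIVILEGED,
                               privileged=PRIVILEGED_ROLES):
    """Return sorted (user, role) pairs where a privileged role is assigned
    without a matching entry in the approval register."""
    findings = {
        (user, role)
        for user, role in assignments
        if role in privileged and (user, role) not in approvals
    }
    return sorted(findings)


def control_report(assignments):
    """Run both tests. Zero deviations means the controls operated
    effectively for this sample; otherwise the auditor follows up each item."""
    sod = find_sod_conflicts(assignments)
    priv = find_unapproved_privileged(assignments)
    return {
        "sod_deviations": sod,
        "unapproved_privileged": priv,
        "effective": not sod and not priv,
    }


if __name__ == "__main__":
    for key, value in control_report(ROLE_ASSIGNMENTS).items():
        print(f"{key}: {value}")
```

Run against the constructed extract, the report lists two segregation-of-duties deviations (u1001 and u1004) and one privileged assignment without approval (u1006), so the control is not assessed as effective for the sample. The same structure scales to a full export: the conflict matrix and the approval register are the client-specific inputs, and every finding is a concrete item the auditor can trace back to a user, a role and the missing approval.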
(1b) When testing IT-based process controls in respect of applications, the auditors specifically analyse the IT-based process controls implemented in the ERP system (and in the upstream systems or subsystems).
Substantive audit procedures
In case (2), where the auditor does not rely on tests of operating effectiveness of the general IT controls (or cannot test them directly), the risks arising from the IT application have to be addressed on the basis of substantive audit procedures.
Please note: It is, however, not always possible to obtain sufficient appropriate audit evidence on the basis of these audit procedures alone, in particular where risks from the IT area are concerned.
When preparing for such a newly adjusted IT audit as part of the audit of the annual financial statements, clients should be aware that auditors will request the following records and documents early on:
- IT overview list / IT system map;
- reports on outsourced IT controls;
- timetable for gaining an understanding of the IT system, including other necessary considerations.
Please note: Moreover, the auditors of the annual financial statements will also enquire about cyber incidents and other infringements of legal rules that could have implications for the financial statements of the entity (e.g. data protection laws).
Conclusion: In contrast to the now superseded IDW AuS 330, under ISA DE 315 the scope of the IT audit is based solely on risk considerations. Only those systems that are relevant for the statutory audit, that constitute a risk arising from the use of IT and that could lead to material misstatements in the financial reporting will be subject to a test of design and, if required, a test of operating effectiveness.