Under ISA 315 (Revised), auditors need to understand how IT systems impact the flow of transactions, including general IT controls such as user access, password management, backup, intrusion detection and the broader information system environment. They also need to document that understanding rigorously.

However, mid-tier practices often lack formal IT audit teams. To bridge this gap, they can deploy a blend of guided risk identification and automation, and encourage a  firm-wide mindset shift, to enable non-specialists to tackle these areas while maintaining audit quality.

Embed IT risk prompts into workflows

The first step is to ensure that ISA 315’s requirements are embedded into audit methodology. Generalist auditors need prompts and frameworks that force consideration of the IT environment as part of risk assessment. This entails structured engagement documentation that not only asks about transaction flows, but how those flows are supported, controlled and safeguarded by systems.

Use guided risk identification

ISA 315 explicitly allows the use of automated techniques to perform risk assessments. Full-population analysis, anomaly detection and transaction flow tracing can all help auditors to uncover risks that might otherwise be invisible to sampling alone.

The Financial Reporting Council’s (FRC’s) thematic review on the certification of automated tools and techniques (ATTs) makes clear that ATTs can be a powerful driver of audit quality when used effectively. Tools properly certified by firms provide auditors with greater consistency, reduce manual effort and enhance the reliability of audit evidence.

The thematic review notes that ATTs can strengthen risk assessment procedures and testing, especially by enabling data-driven insights at scale. For firms, this means clearer insight into how risks are addressed and potentially more efficient audits.

However, the FRC has stressed the importance of planning, certifying, implementing and monitoring automation in a structured way. Even for firms without proprietary tools, the lesson is clear: automation only supports audit quality if it is reliable, validated and properly understood. The FRC’s AI in audit guidance, which accompanied the thematic review, encourages this understanding for Gen AI, wider AI and other ATTs.

AI-assisted audit platforms

For mid-tier firms, the challenge is not just awareness of IT risks but the practical capacity to test and document them to meet ISA 315 requirements. This is where purpose-built agentic AI platforms can play a pivotal role.

AI auditors can automate mapping risks to controls, analyse documents and system outputs at scale, and produce audit-ready documentation that aligns with ISA 315 requirements.

Crucially, these systems use a ‘human-in-the-loop’ model, flagging issues, surfacing anomalies and drafting documentation for auditors to review, validate and challenge. Rather than replacing judgement, professional scepticism remains central to the engagement.

By surfacing gaps, inconsistencies or outdated control data in real time, this approach lets generalist auditors focus on professional judgement rather than manual reconciliation. It gives mid-tier firms access to the same automated audit capabilities that larger firms use, without the cost or infrastructure burden.

Build a risk-mindset and upskill generalists

However, a mindset shift is also essential. The FRC has cautioned that large firms are not yet measuring the impact of automation on audit quality, focusing instead on usage metrics. Mid-tier firms should heed that lesson: tools only help when combined with auditor judgement and review.

That means developing training programmes aimed at giving generalists the ability to interpret system flows, identify where control designs may be weak and use data insights to sharpen risk assessments, rather than producing fully fledged IT auditors.

Designating tech champions or innovation taskforces within teams can accelerate adoption. Auditors comfortable with scripts, analytics or AI platforms can support colleagues in the field. Above all, firms need to foster a culture where automation aids, but never replaces, professional judgement.

Governance, monitoring and continuous improvement

The FRC’s guidance makes clear that adopting automation is not a one-time step but an ongoing responsibility. Tools must be certified, documented and periodically reassessed to ensure they remain effective in diverse client environments. For mid-tier firms, this does not have to be bureaucratic.

A simple governance framework can make the difference. Each automated workflow or template should be documented: how it operates, what thresholds it applies and how its results are validated. Audit teams should review whether flagged anomalies were meaningful and whether documentation aids reduced errors. Feedback from practitioners helps refine these tools, building a continuous improvement cycle that mimics the oversight structures of larger IT audit teams.

Some platforms build governance directly into workflows by tracking tool use, flagging stale data and providing an audit trail of how automation supports the engagement. This helps firms demonstrate compliance with the FRC’s expectations on monitoring.

By maintaining discipline in monitoring and evaluation, firms show regulators and stakeholders that automation enhances the integrity of their audits.

The FRC’s thematic review underlines the importance of monitoring and validation, while industry experience shows that AI and automation can scale down effectively. For ICAEW firms and the wider profession, the path forward is pragmatic: equip generalist auditors with smarter workflows, structured aids and the confidence to interrogate IT environments with professional scepticism.

The IT audit gap is real, but with a deliberate approach it is also bridgeable.

James Evans is a co-founder of Platformed, an AI audit agent specialising in Information Technology General Controls (ITGC) assessments.