Audit & Beyond

Practical advice when considering complexity in audit-relevant IT systems

Author: ICAEW

Published: 14 Nov 2025

Audit & Beyond shares practical pointers and support resources for smaller firms on considering complexity in the audited entity IT environment.

As dependence on digital information systems and their complexity continue to grow in audited entities, so do considerations for financial statement auditors. As part of their risk assessment, they must, through effective documentation, demonstrate that they understand an audited entity’s information technology (IT) environment and its relevance to the entity’s financial statements.

If an audited entity relies on IT to collect, process and maintain data that underlies financial reporting processes and financial statements, the auditor must identify and assess IT risks and controls to understand how they could lead to misstatements in financial reports.

IT systems and risk assessments

When the risk assessment auditing standard, ISA 315, was revised for audits of financial statements for periods from 15 December 2021, auditors’ responsibilities to entity IT were emphasised. ICAEW’s Audit Monitoring Report 2025 highlights common weaknesses in this area, including significant concern for the complexity in the entity IT environment.

Application guidance in ISA 315 (A171) notes that where an audited entity IT environment includes complexity in components such as IT applications, systems and services, gaining the understanding necessary for the auditor’s risk assessment and responses may require specialist IT expertise to identify and assess the associated IT risks – which can create challenges for some audit firms and teams.

Among the ‘more significant concerns’ around IT risk assessments and responses by auditors are instances where reviewers in the Quality Assurance Department (QAD) find audited entities with complex IT systems where there has been little consideration of these systems by the audit team, before a decision is made to apply a predominantly substantive audit approach.

In its 2025 monitoring report, QAD highlighted issues around the auditor’s approaches to complexity in entity IT systems (and other significant audit monitoring review findings). QAD considers these issues in more detail in a series of on-demand webinars, which give insights into areas where smaller firms may benefit from reviewing their audit approach to an audited entity’s IT environment.

“Many firms struggle to document their understanding of IT systems and risk assessments under the revised ISA 315,” says Neil Lawrinson, experienced auditor and QAD reviewer. Structure and complexity in an entity IT environment – and even a single component – can make understanding, risk assessment and the required documentation more challenging for smaller audit firms.

Complex IT in smaller entities

Not all smaller companies have simple IT systems. “We have seen an increase in smaller firms taking on relatively small subsidiaries of larger overseas groups that have more complex IT systems, where the firm has not considered this as part of their risk assessment,” says Lawrinson. Component auditors will find practical pointers in a 2024 Audit & Beyond article Understanding the group’s use of IT.

Also, there are some sectors and entity types with business models that depend on complex IT. If a firm is auditing a high growth entity that relies on tech as part of its solution and customer delivery, this may impact many areas of the audit and these will need to be considered, especially if money is being raised or the business is being sold. Sometimes, accounting software is just a tiny piece of the risk jigsaw.

ISA 315 application guidance may help audit firms understand and make judgements around complexity in an audited entity’s IT environment. A table in Appendix 5 of the standard offers examples of typical characteristics of non-complex, moderately complex and complex commercial software. It also looks at considerations for auditors on matters such as automation, data volume and use, IT applications, systems and processes.

ISA 315 notes, for example, that IT complexity can result when a company is using external or internal service providers for aspects of its IT environment. This can occur when an audited entity outsources certain aspects of its IT to a third party, or a small company in a group uses its centralised IT shared service centre. Certain technologies and types of software application can also add complexity.

Enterprise resource planning (ERP) systems, once exclusive to the largest organisations, are now implemented across a wide range of smaller entities, but this does not mean that those ERPs are not inherently complex. “Audit firms often underestimate the complexity of such systems,” says Lawrinson. “For example, SAP is unlikely to be a simple system and that’s true of any entity IT environment with an ERP.”

How software applications interact and exchange data may also create complexity. Even in smaller audited entities, auditors need to consider software that is used to add functionality and/or feed data into core entity IT systems such as an ERP or accounting system. “Audit firms often overlook feeder systems,” says Lawrinson. These can include booking platforms, cash flow or inventory systems, to name just a few.

Reminders from the revised ISA 315 and AI considerations

As artificial intelligence (AI) methods and techniques are increasingly built into commercial software applications that are used by audited entities, this also needs to be considered by auditors. ISA 315 is clear on the need for auditors to understand the use of AI in entity IT that is relevant to the preparation of financial statements, to assess the associated risks and evaluate relevant controls.

AI techniques such as machine learning and pattern recognition algorithms are commonly used across a wide range of software applications to automate, optimise and streamline tasks and workflows in areas that may be relevant to a financial statement audit. Examples include bank reconciliation, cash flow forecasting, extracting data from invoices, and throughout financial consolidation and close processes.

AI is one of the examples cited (with blockchain and robotics) in Appendix 5 of ISA 315. It notes that although these emerging technologies may appear more sophisticated or complex compared to more established technologies, the auditor’s responsibilities in relation to IT applications and general IT controls remain unchanged.

Where to get additional information and support

ISA 315 is not the only source of information to assist smaller firms considering the potential for complexity in the audited entity IT environment. Specialist providers have updated their audit methodologies and other tools for auditors. There are also practical support resources (see below) from the Audit and Assurance Faculty, including its webinar ISA 315: Putting the building blocks together.

This 90-minute webinar covers various aspects of ISA 315 and includes some very useful pointers relating to considerations for the auditor around complexity in entity IT – which may be lurking in plain sight. “Don’t be seduced by the apparent simplicity of spreadsheets,” says Rhodri Whitlock, one of the webinar speakers, and former audit partner and current Assurance and Advisory Consultant at HPL Associates.

Where clients use ‘end-user computing’ tools such as spreadsheets for aspects of accounting, some of these may be straightforward but others may be highly sophisticated. If a spreadsheet contains complex models with many thousands of formulae and it’s feeding data into processes that produce the annual accounts consolidation, then relevant inputs, formulae and controls must be assessed by the auditor.

“There are procedures the auditor needs to do to understand the quality and integrity of such spreadsheets,” says Whitlock. If an audited entity is using spreadsheets for complex calculations or accounting estimates, for example, getting a junior member of the audit team to cross-check some row and column totals will not be sufficient to verify the accuracy of financial statements.
