Practical Advice for Considering Complexity in Audit-Relevant IT Systems

Digital transformation has turned even modest enterprises into users of sophisticated IT ecosystems. Auditors now confront a landscape where enterprise resource planning platforms, cloud‑based services, and AI‑driven analytics underpin core financial processes. The revised ISA 315 obliges auditors to demonstrate a deep understanding of these technologies, documenting how they could affect financial statements. This shift reflects regulators’ recognition that technology risk is a primary source of audit uncertainty, demanding more granular evidence than traditional control checklists.

For smaller audit firms, the reality is a steep learning curve. Many lack in‑house specialists capable of dissecting ERP configurations, evaluating machine‑learning models, or tracing data flows through feeder applications. The ICAEW’s 2025 monitoring report flagged recurring gaps: insufficient documentation, over‑reliance on substantive testing, and missed risks in outsourced or shared‑service environments. As AI embeds itself in functions like bank reconciliation and cash‑flow forecasting, auditors must expand their risk matrices to include algorithmic bias, data integrity, and model governance. Ignoring these layers can leave material misstatements undetected.

Fortunately, the profession is responding with targeted support. QAD’s on‑demand webinars, the Audit & Beyond guide, and ICAEW’s 90‑minute session on ISA 315 provide practical roadmaps for assessing complexity. Recommendations include mapping all IT components, engaging external IT experts when needed, and applying a tiered documentation approach that distinguishes non‑complex, moderately complex, and complex systems. By integrating these practices, audit teams can meet regulatory expectations, protect their reputations, and deliver higher‑quality assurance in an increasingly technology‑driven market.