Abstract
The main purpose of this thesis is to investigate the impact of ISA 315 (revised 2019) concerning IT requirements and their significance for the auditor's overall risk assessment. To achieve this, the primary research method has been conducting interviews with auditors. These auditors work in one of the four largest auditing firms in Denmark: EY, PwC, Deloitte, and KPMG. A total of seven respondents were carefully selected, with three of them representing the professional department responsible for implementing auditing standards, while the remaining four are practicing auditors with extensive experience. This selection was deliberate, as the dissertation seeks to shed light on the implementation of ISA 315 from both a professional perspective, tasked with defining the auditor's understanding, and an experiential perspective, which is tasked with evaluating its practical application and identifying any challenges that have emerged in this context. In the investigation of ISA 315 (revised), unintended consequences have been identified that were not initially considered or do not directly relate to the auditor's risk assessment but instead constitute derivative effects in the form of other challenges resulting from the revision. These effects pertain to the auditor's professional judgment, choice of audit strategy, and the consequence of the client's lack of understanding of their own use of IT. The findings of this investigation indicate that auditors have a clear comprehension of the expanded requirements of ISA 315 (revised) related to the use of IT. The professional department has made efforts to incorporate these into tools to be utilized by the practicing auditors. Furthermore, the study has revealed that the practicing auditors do not perceive ISA 315 (revised) as having altered their overall risk assessment. However, they find that the expanded documentation requirements related to the use of IT can be onerous.
This is primarily because ISA 315 (revised) is not well-suited for small companies in Denmark, which presents a challenge for the professional department in adapting the standard to a level appropriate for those clients. While the practicing auditors have gained a greater understanding of the use of IT through their documentation in business processes in some areas, it is minimal and has not led to the identification of risks that were not already known by the auditor beforehand. Therefore, the overall result suggests that the IT requirements of ISA 315 (revised) have not proven effective in practice.
| Educations | MSc in Auditing, (Graduate Programme) Final Thesis |
|---|---|
| Language | Danish |
| Publication date | 15 Sept 2023 |
| Number of pages | 110 |