IT audits according to IDW PS 330/ISA 315 in transition: challenges, opportunities, outlook
From control instrument to strategic success factor
Increasing digitalization is not only changing business models, but also the risks to which companies are exposed. Today, IT systems control central business processes, process sensitive customer data, and secure the flow of information within and outside the organization. This makes dependence on stable, secure, and compliant IT structures all the more critical.
At the same time, cyberattacks on companies have been on the rise in recent years, regardless of industry or size. Ransomware attacks, data theft, and supply chain attacks clearly show how vulnerable even well-established organizations can be. In addition, there are increasing regulatory requirements, e.g., through the IT Security Act, DORA, NIS2, and BAIT, which require companies to actively address their IT risks.
Against this backdrop, IT audits are taking on a new role: they are no longer just a tool for regulatory compliance, but a key lever for strengthening corporate resilience, transparency, and control.
Increasing relevance for auditors
IT audits and IT risk analyses are becoming increasingly relevant not only for companies, but also for auditors who have previously focused primarily on financial audits – particularly in the context of ISA 315 (revised 2019) and IDW PS 330 (new version). The new standards require a much greater focus on the IT environment, IT-supported processes, and the associated risks for accounting.
For many audit teams, the question arises: How can I, as an auditor, properly assess the IT environment without having my own specialist department for IT audits?
This is where specialized IT auditors can provide support – as part of the audit team or in the form of independent IT audit and analysis assignments.
IT audits today: added value on multiple levels
Modern IT audits go far beyond traditional system audits. They offer concrete, multidimensional benefits—both for companies and for auditors in the context of financial statement audits:
1. Transparency regarding IT processes, systems, and risks
Many companies have invested in new technologies in recent years. However, what is often lacking is complete transparency regarding processes, system links, and control mechanisms. An IT audit provides a clear picture of the current maturity level of IT – both from a technical and a procedural perspective. For auditors, this means a more reliable basis for assessing the internal control system (ICS) and the audit risk.
2. Detection of weaknesses and potential for improvement
Undetected weaknesses in IT – such as insecure interfaces, inadequate access controls, or incomplete logging – pose a significant risk. IT audits specifically identify such weaknesses and provide the basis for remedying them. For companies, this means greater security. For auditors, it means a better understanding of whether and to what extent IT-based controls can be relied upon.
3. Basis for informed decisions
IT audits provide sound information about the actual reliability and resilience of IT systems. These findings help decision-makers to manage investments in a targeted manner. For auditors, this forms the basis for a risk-oriented audit design that avoids unnecessary audit scope – or specifically deepens it where necessary.
4. Greater security – also for stakeholders and supervisory bodies
Transparent and professionally conducted IT audits strengthen the confidence of investors, customers, partners, and, last but not least, supervisory authorities. Companies thus demonstrate that they take their IT governance seriously. With the appropriate IT support, auditors can position themselves professionally and in compliance with the law vis-à-vis clients and supervisory bodies.
5. Competitive advantage through professional IT risk management
Companies with a structured IT audit approach are better prepared for crisis scenarios and can respond more quickly to changes. Auditors who incorporate IT audit expertise (internally or through external partners) offer their clients additional value and clearly stand out in the market – especially when it comes to medium-sized or highly regulated clients.
The future of IT auditing: New technologies, new opportunities
IT auditing itself is also undergoing change. Technological advances are opening up new opportunities for companies and audit teams alike:
Artificial intelligence (AI) and machine learning
AI can analyze large amounts of data, recognize patterns, and automatically identify irregularities. This increases audit reliability and enables risks to be identified at an early stage—especially in dynamic IT environments.
Automation of audit processes
Standardized audit steps, such as the evaluation of user rights or log files, can be automated using specialized tools. This saves time, minimizes sources of error, and creates space for more in-depth analyses – especially in the context of annual audits with limited resources.
Continuous auditing
Instead of selective audits, the concept of continuous IT monitoring is gaining importance. This involves continuously checking systems against defined criteria – a particularly valuable approach for IT-related business processes or highly regulated industries.
Integration of cybersecurity audits
IT auditing and cybersecurity are converging. Technical security checks (such as penetration tests or vulnerability scans) are increasingly being integrated into IT audits to obtain a holistic picture of the IT security situation – not only for internal purposes, but also as part of regulatory audit requirements.
Conclusion: IT audits as part of future-proof corporate and auditing practices
The days when IT audits were viewed merely as a technical necessity are over. Today, they are a key tool for risk management, efficiency improvement, and strategic development—both for companies and for auditors.
For companies, IT audits provide clear insights into weaknesses and potential in the IT environment. For auditors, they create the basis for an appropriate understanding of the IT landscape – in the sense of a modern, risk-oriented audit approach in accordance with ISA 315 and IDW PS 330.
Our services
As an experienced partner in the field of information security, IT consulting, and IT auditing, we provide companies and auditors with tailored support in the planning, implementation, and follow-up of IT audits in accordance with ISA 315 (revised) and IDW PS 330—whether as part of independent projects or as support for financial statement audits.
Our audit areas include:
IT infrastructure and network security
Authorization concepts at the system, application, and database levels
IT operations and system management
Data protection and data flow security
Evaluation of IT-supported business processes and controls
Cybersecurity risks
Artificial intelligence (AI) risks
Based on our risk assessment and identified vulnerabilities, we make specific recommendations that offer added value for both the client and our audit partner.
We also support auditing firms that want to supplement their own audit mandates with IT expertise, whether on an ad hoc or long-term basis.
Would you like to learn more about how IT audits can strengthen your company or your audit services?
We would be happy to provide you with a customized offer tailored to your requirements.
Get in touch with us!