Checklist for the evaluation of IT systems based on the international auditing standard ISA 315

The following 15 questions are based on the requirements of ISA 315. Answering the questions supports the decision-making process as to whether an audit of the IT environment of the client information system within the meaning of the ISA 315 audit standard is required. For a realistic assessment, a complete answer to all questions is necessary.

Please answer all questions. Questions for which a free text information is required, we ask you to answer properly.
Thank you!

[1] Does the client use IT applications such as ERP (Enterprise Resource Planning Software) for automated and paperless data processing?

[Checklist ISA 315, Automated data exchange]

[1a] The client uses none-complex standard software, e.g. Sage, KHK, DATEV

Accounting

Inventory management, purchasing

Sales

Controlling

E-Commerce

none

[Checklist ISA 315, Automated data exchange]

[1b] The client uses medium-sized and moderately complex standard software or IT applications, e.g. Comet.

Accounting

Inventory management, purchasing

Sales

Controlling

E-Commerce

none

[Checklist ISA 315, Automated data exchange]

[1c] The client uses large or complex IT applications (e.g. ERP systems), e.g. MS Business Central, Navision, Azure, Google, Amazon (AWS), SAP, MS 365, own development

Accounting

Inventory management, purchasing

Sales

Controlling

E-Commerce

none

Your ERP software was not listed? What is the Name of your software for automated and paperless processing of data.

Which modules of the ERP software are in use? In which business processes are they used? E.g. financial accounting, merchandise management. What is the name of the software used? Version? GOBD attestation?

[Checklist ISA 315, Automated data exchange]

[2] In what form are system-generated reports (e.g. totals and balance lists, business evaluations, merchandise management, account consolidation) generated for processing information?

The client only uses system-generated management reports without configurable settings. »Continue with question [3].

The client uses system-generated management reports with configurable settings. The calculations and algorithms are automated. »Continue with question [2a].

The client creates the management reports with data specially exported from the system, which he then processes with separate software (e.g. Excel, Power BI). »Continue with question [3].

[2a] What is the source of the data processed in the reports?

[Checklist ISA 315, Automated data exchange]

[3] Data entry: How does your client enter data?

The client enters the data manually. »Continue with question [4].

Via a simple interface (.csv, .txt, .tsv, .bin). »Continue with question [3b].

The data is entered via complex interfaces, e.g. API (HTML). »Continue with question [4].

[3a] Via which interface is the data entered?

[Checklist ISA 315, Automated data exchange]

[4] Data exchange: Are there automated internal and/or external interfaces for data exchange in the IT environment?

No, there are no automated interfaces for data exchange. »Continue with question [5].

Simple interfaces (.csv, .txt, .tsv, .bin). »Continue with question [4a].

The data is exchanged via complex interfaces, e.g. API (HTML). »Continue with question [5].

[4a] Via which interface does the data exchange take place?

[Checklist ISA 315, Automated data exchange]

[5] Where is the digital data, including the accounting documents, stored?

Most of the data is in analogue form, and stored locally/ available manually. »Continue with question [6].

Most of the data is available in digital form and stored locally. The amount of data is small. »Continue with question [5a].

The amount of data is large and mostly digital. The data is stored externally (e.g. data warehouse). »Continue with question [6].

[5a] What is the relevance of the digital or analogue data for the audit?

[Checklist ISA 315, IT applications and IT infrastructure]

[6] Are self-developed applications used?

The client only uses simple, purchased applications with little or no adjustments (e.g. Lexware, Microsoft Office, WISO accounting 365 (Buhl), Sage 50). »Continue with question [7].

The client uses purchased applications, small business ERP software (e.g. SAP Business One, Dynamics 365 Business Central, Navision, Genius ERP, DELMIA Works, SYSPRO ERP, Sage 100, other Sage software, KHK Classic, other KHK software ( <- Check list, delete or expand if necessary) with little or no adjustments. »Continue with question [6a].

The client uses custom-developed applications or more complex ERP with significant adjustments (e.g. SAP). »Continue with question [7].

[6a] Which software exactly?

[Checklist ISA 315, IT applications and IT infrastructure]

[7] How is the client's IT infrastructure structured?

Small computer solution (e.g. stand alone, peer-to-peer, laptop) - or small client-server network. »Continue with question [8].

Stable, local mainframe with client-server solution or cloud-based software-as-a-service for processing financial data (e.g. Datev). »Continue with question [7a].

Extensive and complex mainframes (e.g. with virtual workstations) or client-server applications or cloud-based as Infrastructure-as-a-Service. »Continue with question [8].

[7a] Describe the IT infrastructure. Which client-server solution do you use or what is the software-as-a-service you use?

[Checklist ISA 315, IT applications and IT infrastructure]

[8] Is data stored locally or externally?

The data is only stored locally. »Continue with question [9].

The client uses external professional hosting (cloud providers such as Amazon Cloud, Strato, ionos) for data storage. »Continue with question [8a].

The data is otherwise hosted externally, e.g. by a new or start-up provider. »Continue with question [9].

[8a] Identify the hosting provider and hosting product? Is there a security certificate for hosting?

[Checklist ISA 315, IT applications and IT infrastructure]

[9] Are emerging technologies used in accounting (e.g. blockchain, robotics, artificial intelligence)?

The client does not use any emerging technologies. »Continue with question [10].

The client uses emerging technologies in a few applications. »Continue with question [9a].

The client uses emerging technologies across platforms. »Continue with question [10].

[9a] What emerging technologies is the client using in the applications?

[Checklist ISA 315, IT processes]

[10] What is the skill level of the IT support staff?

The company uses off-the-shelf software that does not require complex upgrade and access management. Upgrades and backups are preconfigured or carried out independently by the system. »Continue with question [11].

Dedicated personnel with limited IT skills are sufficient for maintaining the IT landscape. »Continue with question [10a].

The company uses complex IT applications and has knowledgeable IT support with programming skills. »Continue with question [11].

[10a] What IT skills do staff have? Where does the primary responsibility for IT support lie?

[Checklist ISA 315, IT processes]

[11] How are access rights managed?

A single natural person with administrative rights manages access rights. »Continue with question [12].

A few natural persons with administrator rights manage the access rights. »Continue with question [11a].

Access rights management is complex and managed by the IT department. »Continue with question [12].

[11a] How many people have administrator rights? Who decides which people get admin rights? Who manages the administrator rights?

[Checklist ISA 315, IT processes]

[12] Does the organization have one or more external interfaces that could pose a cyber risk? (e.g. web-based applications or platforms with web-based access)

There are no external interfaces, access is only local. »Continue with question [13].

There are some web-based applications with role-based access rights. »Continue with question [12a].

There is cross-platform web-based access with complex security models. »Continue with question [13].

[12a] Name the web-based applications. Are there other role-based external interfaces in addition to the web-based ones?

[Checklist ISA 315, IT processes]

[13] Are changes made to the source code on a regular basis, and if so, to what extent do they affect information processing during the review period?

No, the client only uses standard software without installed source code. »Continue with question [14].

The client uses some commercial applications with no source code and other mature applications with a small number of simple modifications. The software is subject to a traditional life cycle in system development and associated regular slight changes in the source code. »Continue with question [13a].

The client sets up new programs for information processing or made a large number of complex source code changes during the test period. The software is subject to several development cycles per year. »Continue with question [14].

[13a] Which commercial applications are used? How many source code changes were made during the testing period?

[Checklist ISA 315, IT processes]

[14] Have significant changes been made to the IT applications or the underlying IT infrastructure (e.g. due to a data or system migration, upgrade, version jump, expansion of the old system, creation of new interfaces, ERP adjustments)?

The changes are limited to version updates of the standard software. »Continue with question [15].

The changes consist of updates to the standard software and ERP version or the extension of the old system, data or system migration, upgrade, version jump, extension of the old system, creation of new interfaces. »Continue with question [14a].

A large number of complex changes were made to the IT applications and IT infrastructure, such as significant ERP adjustments during the test period. »Continue with question [15].

[14a] Describe the changes in more detail.

[Checklist ISA 315, IT processes]

[15] Were significant data conversions performed during the audit period?

The updates/upgrades of the standard software did not contain a data conversion function. »Thank you for answering the questions!

Only a very small proportion of business-relevant data was converted during updates/upgrades. »Continue with question [15a].

Larger version upgrades or a new release or platform change resulted in extensive data conversions. »Thank you for answering the questions!

[15a] What was the type of data (e.g. financially relevant business data, data from the test period) and how was the conversion carried out (e.g. after cleaning up the old data, proof of integrity, avoidance of redundancies).

Checklist for the evaluation of IT systems based on the international auditing standard ISA 315

[1] Does the client use IT applications such as ERP (Enterprise Resource Planning Software) for automated and paperless data processing?

Social Networking