AI in Audit and ISA 315: What Every Auditor Needs to Know in 2026

ISA 315 and AI: What Changed in the 2022 Revision

The 2022 revision of ISA 315 (Identifying and Assessing the Risks of Material Misstatement) substantially increased the requirements for auditors to understand and document IT systems used in clients' financial reporting processes. The revised standard introduced a more granular framework for understanding IT general controls, automated application controls, and the IT environment — all of which directly apply to AI systems used in financial reporting.

Paragraph 19 requires auditors to obtain an understanding of the entity's information system relevant to financial reporting — including the completeness and accuracy of information produced by the system. Where AI models generate financial estimates, accruals, valuations or summaries, auditors must understand how those models work well enough to assess whether the information they produce is complete and accurate.

Paragraph 26 requires auditors to obtain an understanding of automated controls — and increasingly, AI models used in transaction processing, estimate generation and financial statement preparation are the controls that matter most.

Practical AI Scenarios Under ISA 315

AI-generated accruals and provisions: Many ERP systems now include AI features that suggest month-end accruals based on historical patterns and current-period data. Auditors must understand: what data the AI model uses; how the model generates suggestions; what human oversight exists over AI-generated postings; and whether the IT general controls over the AI model (access, change management, data quality) are adequate.

AI-assisted budgeting and forecasting used in impairment testing: Where management uses AI forecast models as inputs to impairment calculations or going concern assessments, auditors must evaluate the model as part of their assessment under ISA 540. The ISA 315 IT understanding extends to the AI system generating the forecast.

AI document processing in accounts payable/receivable: AI-assisted invoice processing, OCR systems and automated matching are now standard in many finance functions. ISA 315 requires auditors to understand these automated processes — including the controls over AI-generated payment recommendations and exception handling.

AI in revenue recognition: Contract analysis tools using AI to determine performance obligation completion, variable consideration estimates and standalone selling prices create specific ISA 315 considerations around the automated application controls involved in revenue recognition.

FRC, ICAEW, IAASA and PCAOB Guidance

FRC Audit Quality Review findings (2023, 2024) consistently identify IT general controls assessment — including automated processing — as an area of recurring weakness. The FRC expects auditors to document their understanding of automated controls with sufficient precision to support their assessment of the risks of material misstatement arising from those controls.

ICAEW's guidance for audit engagement partners on technology-enhanced audits addresses the ISA 315 implications of AI systems in client environments. ICAEW QAD inspection findings have highlighted cases where auditors did not adequately assess controls over client AI systems.

IAASA's thematic reviews of IT audit quality in Ireland mirror FRC findings. IAASA expects auditors to demonstrate understanding of automated controls proportionate to the significance of AI-processed data in the audit.

PCAOB Staff Guidance on AI in Audit (2024) establishes that audit firms using AI tools in their own procedures must document those tools, their supervision and their limitations. The guidance also addresses client AI environments under existing PCAOB auditing standards.

Frequently Asked Questions

What training do auditors need to comply with ISA 315 in AI environments?

Auditors working in AI-augmented client environments need training covering: how to identify AI systems relevant to financial reporting; how to assess IT general controls over AI models (access, change management, data integrity); how to evaluate automated application controls where AI is involved in transaction processing or estimate generation; and how to document ISA 315 assessments for AI-augmented systems in working papers. Learnsignal's AI for Auditors programme maps directly to these requirements.

Does ISA 315 apply to AI tools used by the auditor (not just the client)?

ISA 315 focuses on the entity being audited, not the auditor's own tools. However, ISA 220 (Quality Management for an Audit of Financial Statements) and ISQM 1/2 (Quality Management at the Firm Level) require audit firms to ensure that AI tools used in audit procedures are appropriately supervised, documented and reviewed. The PCAOB's 2024 Staff Guidance and FRC guidance both address the auditor's own AI tool use.

How do auditors document AI-related IT controls under ISA 315?

Working paper documentation for AI-related IT controls should include: a description of the AI system and its role in financial reporting; an assessment of IT general controls over the AI model (logical access, change management, data quality controls); testing of relevant automated application controls; and the auditor's conclusion on the reliability of AI-generated information. The FRC's practice notes on IT in the audit provide documentation guidance.

What are the most common ISA 315 weaknesses in AI-augmented audits?

FRC and IAASA inspection findings identify common weaknesses: inadequate documentation of the auditor's understanding of AI systems used in financial reporting; failure to test IT general controls over AI models; relying on AI-generated data without understanding the controls over that data; and insufficient professional scepticism when AI-generated outputs appear reasonable but have not been independently verified.