Key takeaways

  • ISA 315 (Revised 2019) is the foundation standard for risk-based auditing. It requires the auditor to identify and assess risks of material misstatement (ROMM), both at the financial statement level and the assertion level, through understanding the entity, its environment, its financial reporting framework, and its system of internal control.
  • The 2019 revision (effective 15 December 2022) introduced major changes: a more structured risk assessment process, explicit inherent risk factors, the concept of a “spectrum of inherent risk,” and expanded IT requirements. It also added better scalability guidance for audits of less complex entities.
  • The auditor must understand five components of internal control: the control environment, the entity’s risk assessment process, the information system and communication, control activities, and monitoring activities.
  • For each identified risk at the assertion level, the auditor separately assesses inherent risk (IR) and control risk (CR). IR is the susceptibility of an assertion to misstatement before considering controls. CR is the risk that controls will not prevent or detect that misstatement.
  • IR sits on a spectrum based on the likelihood and magnitude of potential misstatement, driven by five inherent risk factors: subjectivity, complexity, uncertainty, change, and susceptibility to management bias or fraud.
  • The auditor must determine which assessed risks are significant risks (those requiring special audit consideration). Significant risks drive the most intensive audit responses under ISA 330.
  • Requirements for understanding the entity’s IT environment have expanded significantly, including risks arising from IT and IT general controls (ITGCs).


What is ISA 315 (Revised 2019)?

On most audits we have seen, the risk assessment is finished last. The team runs their substantive tests, clears the review notes, updates the planning file, and then someone goes back to make the risk assessment documentation match whatever they actually did. We have sat in those rooms. We have been the person updating the risk matrix at 11 pm the night before sign-off.

That is the gap.

ISA 315 (Revised 2019) exists to close it.

ISA 315, titled “Identifying and Assessing the Risks of Material Misstatement,” is the standard where the real intellectual work of an audit is supposed to begin. If ISA 200 establishes the objective (reasonable assurance) and ISA 300 requires planning, ISA 315 demands that the auditor understand the entity well enough to identify what can go wrong and how badly it could misstate the financial statements (FS). Every subsequent procedure (from materiality to sampling to substantive testing) flows from this assessment. Get it wrong, and the rest of the audit is pointing at the wrong targets.

Regulators across Europe keep saying the same thing: risk assessment quality is the single most common root cause of audit deficiencies. The FRC, AFM, WPK, and H3C all flag it year after year. The 2019 revision was the IAASB’s direct response. It was driven by findings that risk assessments had become a tick-box exercise (copy last year’s working papers (WPs), change the date, move on) rather than a genuine analysis of what could go wrong in this entity, in this year. That habit has a name in the profession: SALY, or “same as last year.” The revised standard was designed to make SALY harder to get away with, particularly around IT risks and the link between assessed risks and audit responses.


The risk assessment process: an overview

ISA 315’s requirements follow a logical sequence, though in practice the steps overlap and loop back on each other:

  1. Perform risk assessment procedures (inquiries, analytical procedures, observation, inspection) to obtain information for identifying risks.
  2. Obtain an understanding of the entity and its environment, the applicable financial reporting framework, and the entity’s system of internal control.
  3. Identify ROMM, determining whether they exist at the FS level or the assertion level.
  4. Assess those risks, separately assessing IR and CR for assertion-level risks, and evaluating FS-level risks.
  5. Determine which assessed risks are significant risks requiring special audit consideration.
  6. Evaluate whether the risk assessment needs revision as the audit progresses and new evidence emerges.

ISA 315.A3 makes this explicit: the process is iterative. Understanding develops throughout the audit, and risks identified at any stage may force the team to revisit earlier assessments. What actually happens on many engagements is that the iteration runs in one direction only (forward from planning to fieldwork) and the feedback loop back to the risk assessment gets lost under time pressure. We think this is the single biggest implementation gap in the standard, because it turns risk assessment from a living document into a static one.


Risk assessment procedures

ISA 315.14 requires the auditor to perform risk assessment procedures in four categories. The standard does not rank them, but in our experience, inquiry dominates planning while observation is where the real surprises tend to emerge.

Inquiries of management and others: discussions with management, internal audit, those charged with governance (TCWG), operating personnel, and in-house legal counsel. Anyone who might have information relevant to risk identification is fair game. The team discussion required by ISA 240 (fraud susceptibility) doubles as a risk assessment procedure.

Analytical procedures: comparing financial data with prior periods, budgets, industry data, and non-financial information, looking for unusual or unexpected relationships that may indicate risks.

Observation and inspection: watching the entity’s operations, inspecting documents and records, reviewing reports from management and TCWG, and visiting premises.

The standard says all four categories must be performed. What actually happens is that teams default to inquiry (because it is fast) and analytical review (because it can be done remotely), while observation and inspection get compressed into a single site visit that may happen after many key planning decisions have already been taken. We have seen engagements where the walkthrough was the only observation performed, and by that point the risk assessment was already locked.


Understanding the entity

The entity and its environment

ISA 315.19–20 sets out the areas the auditor must understand. In practice, this is where the gap between a SALY risk assessment and a genuine one shows up most clearly, because understanding the entity requires thinking about what changed since last year, not just confirming that last year’s description is still vaguely accurate.

Area | What the auditor obtains
Industry, regulatory, and external factors | Industry conditions, regulatory environment (including the financial reporting framework), economic conditions, technological changes
Nature of the entity | Operations, ownership and governance structures, types of investments, financing arrangements, how the entity is structured and financed
Accounting policies | Selection and application of accounting policies, including reasons for changes, and whether they are appropriate for the entity’s business
Objectives, strategies, and business risks | The entity’s objectives and strategies, and the related business risks that may result in material misstatement
Measurement and review of financial performance | How management monitors the entity’s performance: KPIs, management reporting, budgets, variance analysis

The applicable financial reporting framework

ISA 315.21 separately requires understanding the financial reporting framework: how complex it is, how much judgment it demands, how the entity applies it, and where management has made accounting policy choices that could be challenged. This matters most where the framework introduces new requirements (IFRS 9, IFRS 15, IFRS 16, IFRS 17) that require significant management judgment or estimation. A team that does not understand why management chose a particular IFRS 16 discount rate, for example, cannot meaningfully assess the IR on lease liabilities.


Understanding internal control

The 2019 revision restructured the internal control requirements around the five COSO components, with greater specificity about what the auditor must understand within each. In our experience, the first two components (control environment and the entity’s risk assessment process) receive the least genuine attention on most engagements, because they require judgment rather than procedure-ticking, and because a weak control environment finding creates an uncomfortable conversation with the client.

Control environment

Management’s attitudes and actions regarding internal control. This covers commitment to integrity and ethical values, governance oversight, organisational structure, and human resource policies. A weak control environment does not automatically mean material misstatement exists, but it does mean the auditor should be sceptical of every other control the entity claims to operate.

Entity’s risk assessment process

How the entity itself identifies, analyses, and manages risks relevant to financial reporting. For many smaller entities this process is informal, but the auditor still needs to understand it. If the entity has no process at all, that is itself a risk factor.

Information system and communication

How transactions are initiated, recorded, processed, corrected, transferred to the general ledger, and reported in the FS. The 2019 revision expanded the requirements here substantially. The auditor must now understand the entity’s IT environment and identify IT applications and other aspects of that environment subject to risks arising from IT use.

Control activities

The policies and procedures that help ensure management’s directives are carried out. The 2019 revision introduced the concept of “identified controls” (controls the auditor is required to identify in the control activities component). These include controls that address ROMM at the assertion level, controls over journal entries, ITGCs that address risks arising from IT, and any other controls the auditor judges relevant to the risk assessment.

Monitoring activities

How the entity evaluates whether its internal control system is present and functioning. This could be ongoing monitoring, separate evaluations, or both. It includes internal audit where one exists. Many smaller entities have none.

The IT requirements are not optional anymore

The most significant practical change in the 2019 revision is the expanded IT focus. The auditor must understand the entity’s IT environment, identify IT applications used in the information system, identify risks arising from IT use, and identify ITGCs that address those risks. For many smaller firms auditing entities with standard ERP systems (SAP, Oracle, Microsoft Dynamics, Exact), this means developing IT audit capabilities that did not exist in the firm before. Regulators are actively inspecting this area, and the AFM in particular has flagged IT risk identification as inconsistent across firms. Treating IT as a “specialist issue” that the engagement partner (EP) can safely ignore is no longer a defensible position.


Identifying risks of material misstatement

ISA 315.28 requires the auditor to identify ROMM and determine whether they exist at two levels.

FS-level risks are pervasive. They are not attributable to specific assertions but affect the financial statements as a whole: a weak control environment, going concern doubts, management integrity concerns, entity-wide fraud risk. These require overall audit responses under ISA 330.5.

Assertion-level risks relate to specific classes of transactions, account balances, and disclosures. These require specific further audit procedures under ISA 330.6.

The distinction matters because FS-level risks are the ones teams tend to underweight. It is easy to identify assertion-level risks (revenue completeness, provision valuation) because audit software prompts for them. FS-level risks require the auditor to step back and ask whether something is systemically wrong with how this entity operates or governs itself. That is a harder question, and one that many firms find politically uncomfortable to ask about a continuing client.

The auditor also determines the relevant assertions. The standard groups them into assertions about classes of transactions and events (occurrence, completeness, accuracy, cut-off, classification), assertions about account balances (existence, rights and obligations, completeness, valuation and allocation), and assertions about presentation and disclosure.


Assessing risks: the spectrum of inherent risk

Before the 2019 revision, many firms assessed IR as “high,” “medium,” or “low” and moved on. The revised standard replaced those buckets with a spectrum, and we think this is the most important conceptual change in the entire rewrite, because it forces auditors to think about degree rather than just category.

For each identified risk at the assertion level, the auditor separately assesses IR and CR.

IR assessment considers the likelihood and magnitude of misstatement, taking into account how (and how much) five inherent risk factors affect the susceptibility of the assertion to misstatement:

Inherent risk factor | What it means
Subjectivity | The degree to which the preparation of information involves human judgment; more subjective items carry higher inherent risk
Complexity | The complexity of the transaction, measurement, or disclosure; complex structures or calculations carry higher risk
Uncertainty | The degree of measurement uncertainty; fair value estimates, provisions, and contingencies carry higher risk
Change | Changes in the entity or its environment that affect the assertion: new systems, new products, restructuring, or new standards
Susceptibility to misstatement due to management bias or fraud | The degree to which the assertion is susceptible to intentional manipulation

The assessed IR falls somewhere on that spectrum, from lower to higher. Where it lands determines the quality and quantity of evidence needed under ISA 330. A risk sitting at the upper end of the spectrum demands substantive procedures that are specifically responsive to it; a risk at the lower end might be addressed with less targeted work.

There is a legitimate disagreement among practitioners about whether the spectrum model actually changes behaviour. Some engagement teams (particularly at firms that built custom risk matrices) find that the spectrum forces more granular thinking and produces better-targeted responses. Others argue that teams just swap “high/medium/low” for a numeric score and the underlying SALY problem remains. Both sides have a point, and the difference usually comes down to whether the firm’s methodology gives the auditor room to exercise genuine judgment or constrains them into a template that produces a number without requiring thought.

Then there is CR. CR is the risk that the entity’s internal controls will not prevent or detect the misstatement. It is assessed only for assertions where the auditor plans to rely on controls (i.e., plans to perform tests of controls). No reliance, no CR assessment needed.


Significant risks

ISA 315.32 requires the auditor to determine whether any assessed ROMM are significant risks (those at the upper end of the spectrum requiring special audit consideration). Revenue recognition and management override of controls are presumed significant risks under ISA 240, but beyond those, the determination requires judgment.

In making that determination, the auditor considers the degree of the inherent risk factors (particularly complexity and subjectivity), whether the risk involves significant related-party transactions, the degree of measurement uncertainty, and whether the risk is a fraud risk.

The consequences of designating something a significant risk cascade across the audit:

  • Under ISA 330, the auditor must design procedures specifically responsive to the significant risk and cannot rely solely on prior-period evidence.
  • Under ISA 260, significant risks must be communicated to TCWG.
  • Under ISA 540, accounting estimates with high estimation uncertainty that give rise to significant risks require additional procedures.
  • Under ISA 701, significant risks are strong candidates for key audit matters (KAMs) in the auditor’s report.

Here is the perverse incentive: designating a risk as significant creates extra work. That creates pressure (conscious or not) to keep the significant-risk list short. We have seen engagement teams argue themselves out of a significant risk designation for a complex provision because the extra testing would blow the budget. The standard does not account for this dynamic, but it is real, and partners and managers (PMs) should be aware of it when reviewing the team’s risk assessments.


Scalability considerations

ISA 315 (Revised 2019) explicitly addresses scalability. For less complex entities, many of the standard’s requirements can be met through less formal processes:

  • The control environment may be set directly by the owner-manager rather than through formal policies.
  • Risk assessment processes may be informal but still present.
  • Information systems may be simple accounting packages rather than full ERP systems.
  • Control activities may involve direct oversight by the owner-manager rather than documented procedures.
  • Monitoring may occur through the owner-manager’s daily involvement rather than through internal audit.

The application material includes specific guidance signalled by paragraphs prefixed “Considerations specific to smaller entities” or “Considerations for audits of less complex entities.” This is a genuine attempt to make the standard workable for the majority of audits worldwide, which involve smaller entities. Whether it succeeds is debatable. At firms like ours, the frustration is that audit software and firm methodology templates are usually built for complex entities and then labelled “scalable,” when in practice they force teams auditing a 20-person company to complete the same risk assessment documentation as a team auditing a listed group. The standard itself is flexible; firm implementation often is not.


Documentation requirements

ISA 315.38 requires documentation of the following:

  • The team discussion required by ISA 240 and the significant decisions reached.
  • Key elements of the understanding of the entity and its environment, the financial reporting framework, and internal control, including the sources of information and risk assessment procedures performed.
  • The identified and assessed ROMM at the FS and assertion levels, including significant risks.
  • The identified controls in the control activities component and ITGCs.

This is where it gets uncomfortable.

Documentation is where the second-order problem with risk assessment lives. The standard asks the auditor to document their understanding. But the incentive structure of audit (time pressure, fixed fees, review-note culture) rewards documentation that looks complete rather than documentation that captures what the auditor actually thought. An experienced senior might have excellent judgment about where the risks sit on a particular engagement, but if the WPs do not reflect that judgment in a way the reviewer can trace from risk to response, it does not count. We think better risk assessment starts with giving teams time to write what they actually think, not what the template expects.


ISA 315 in your jurisdiction

Netherlands: COS 315 adopted the Revised 2019 standard effective for periods beginning on or after 15 December 2022. The AFM’s inspection focus has shifted to evaluating whether firms have genuinely implemented the expanded requirements, particularly the IT-related provisions and the separate assessment of IR and CR. Early implementations show improvement in the specificity of risk assessments, but the AFM notes that IT risk identification quality remains inconsistent.

Germany: IDW PS 261 n.F. integrates the ISA 315 (Revised 2019) requirements. The WPK’s inspections focus on whether risk assessments are entity-specific rather than generic, and whether the link between assessed risks and planned procedures (ISA 330) is clearly documented. German practice has traditionally been thorough on understanding the entity, but the expanded IT and inherent risk factor requirements represent new territory for many firms.

United Kingdom: ISA (UK) 315 (Revised July 2020) adopted the international standard with UK-specific additions. The FRC’s inspections have identified risk assessment as the most common root cause of audit quality deficiencies. The recurring themes are insufficient understanding of the entity’s business model and inadequate risk identification for revenue and management estimates.

France: NEP 315 implements ISA 315 within the French statutory framework. French practice benefits from the multi-year mandat system, which provides continuity of understanding. The H3C’s inspections have identified that this continuity can become complacency: insufficient re-evaluation of risks in changing circumstances, and over-reliance on prior-year assessments without adequate updating. The mandat, designed to give auditors deeper knowledge of the entity, can paradoxically encourage exactly the SALY behaviour the revised standard was designed to prevent.


Frequently asked questions

What changed in the 2019 revision?

The major changes: a more structured risk assessment process, explicit inherent risk factors, the spectrum of IR (replacing high/medium/low categories), expanded IT requirements (understanding the IT environment, ITGCs), the concept of “identified controls,” better scalability guidance, and more detailed requirements for understanding the information system.

What is the difference between inherent risk and control risk?

IR is the susceptibility of an assertion to material misstatement before considering the entity’s controls. CR is the risk that those controls will fail to prevent or detect the misstatement. Together, they determine the risk of material misstatement at the assertion level.

Must the auditor understand all internal controls?

No. The auditor must understand the entity’s system of internal control to the extent needed to identify and assess ROMM and design further audit procedures. The auditor is required to identify specific controls in the control activities component (including journal entry controls and ITGCs), but does not need to understand every control the entity operates.

What is a significant risk?

A significant risk is an assessed ROMM that falls at the upper end of the IR spectrum, requiring special audit consideration. The auditor determines significant risks by considering the inherent risk factors, particularly complexity, subjectivity, uncertainty, and susceptibility to fraud.

How does ISA 315 relate to ISA 330?

ISA 315 identifies and assesses risks. ISA 330 governs the responses. The assessed risks under ISA 315 directly determine the nature, timing, and extent of further audit procedures under ISA 330. A well-assessed risk leads to a well-designed response; a SALY risk assessment leads to SALY testing.


Further reading and source references

  • IAASB Handbook 2024 contains the ISA 315 (Revised 2019) full text, including application material and appendices.
  • The IAASB First-Time Implementation Guide provides practical guidance on implementing the revised standard with worked examples.
  • ISA 240 (The Auditor’s Responsibilities Relating to Fraud) is the companion standard for fraud risk assessment.
  • ISA 330 (The Auditor’s Responses to Assessed Risks) translates ISA 315 assessments into audit procedures.
  • ISA 320 (Materiality in Planning and Performing an Audit) interacts directly with risk assessment.

This guide reflects the ISA 315 (Revised 2019) text as published in the IAASB 2024 Handbook. National implementations may include additional requirements. Always consult the applicable national standard alongside the international text. This content is for educational purposes and does not constitute legal or professional advice.
