Key Takeaways

  • ISA 315 (Revised 2019) is the foundation standard for risk-based auditing. It requires the auditor to identify and assess the risks of material misstatement (ROMM) — both at the financial statement level and at the assertion level — through understanding the entity, its environment, its financial reporting framework, and its system of internal control.
  • The 2019 revision (effective 15 December 2022) introduced significant enhancements: a more structured risk assessment process, explicit inherent risk factors, the concept of a "spectrum of inherent risk," enhanced IT requirements, and better scalability for audits of less complex entities.
  • The auditor must understand five components of internal control: the control environment, the entity's risk assessment process, the information system and communication, control activities, and the entity's monitoring activities.
  • For each identified risk at the assertion level, the auditor must separately assess inherent risk (the susceptibility of an assertion to misstatement, before considering controls) and control risk (the risk that the entity's controls will not prevent or detect the misstatement).
  • Inherent risk is assessed on a spectrum based on the likelihood and magnitude of potential misstatement, considering five inherent risk factors: subjectivity, complexity, uncertainty, change, and susceptibility to misstatement due to management bias or fraud.
  • The auditor must determine which assessed risks are significant risks — risks requiring special audit consideration. Significant risks drive the most intensive audit responses under ISA 330.
  • The standard has enhanced requirements for understanding the entity's IT environment and identifying risks arising from IT, including IT general controls.

What is ISA 315 (Revised 2019)?

ISA 315 (Revised 2019), titled "Identifying and Assessing the Risks of Material Misstatement," is arguably the most important standard in the ISA framework. If ISA 200 establishes the objective (reasonable assurance) and ISA 300 requires planning, ISA 315 is where the actual intellectual work of the audit begins — understanding the entity well enough to identify what can go wrong and how likely it is.

Every subsequent audit procedure — from materiality to sampling to substantive testing — flows from the risk assessment performed under ISA 315. A flawed risk assessment leads to misallocated resources, missed risks, and an opinion that may not be well-founded. This is why regulators across Europe consistently identify risk assessment quality as the single most critical driver of overall audit quality.

The 2019 revision was the most significant rewrite of this standard since the original clarity redraft. It was driven by regulatory findings that risk assessments were often formulaic, not sufficiently specific to the entity, and insufficiently rigorous — particularly regarding IT risks and the connection between risk assessment and audit responses.

The Risk Assessment Process: An Overview

ISA 315's requirements follow a logical sequence:

Step 1: Perform risk assessment procedures (inquiries, analytical procedures, observation, inspection) to obtain information for identifying risks.

Step 2: Obtain an understanding of the entity and its environment, the applicable financial reporting framework, and the entity's system of internal control.

Step 3: Identify the risks of material misstatement — determining whether they exist at the financial statement level or the assertion level.

Step 4: Assess the identified risks — separately assessing inherent risk and control risk for assertion-level risks, and evaluating financial statement-level risks.

Step 5: Determine significant risks — identifying which assessed risks require special audit consideration.

Step 6: Evaluate whether the risk assessment needs revision — as the audit progresses and new evidence emerges, the assessment must be updated.

This process is iterative and dynamic (ISA 315.A3) — the auditor's understanding develops throughout the audit and risks identified at any stage may require revisiting earlier assessments.

Risk Assessment Procedures

ISA 315.14 requires three types of risk assessment procedures:

Inquiries of management and others — discussions with management, internal audit, those charged with governance, operating personnel, in-house legal counsel, and others who may have information relevant to identifying risks. The team discussion required by ISA 240 (fraud susceptibility) is also a risk assessment procedure.

Analytical procedures — performed as risk assessment procedures, these are designed to identify unusual or unexpected relationships that may indicate risks. This includes comparing financial data with prior periods, budgets, industry data, and non-financial information.

Observation and inspection — observing the entity's operations, inspecting documents and records, reviewing reports from management and those charged with governance, and visiting the entity's premises and plant.

Understanding the Entity

The entity and its environment

ISA 315.19–20 requires the auditor to understand:

Area                                            | What the Auditor Obtains
------------------------------------------------+-----------------------------------------------------------------------------
Industry, regulatory, and external factors      | Industry conditions, regulatory environment (including the financial reporting framework), economic conditions, technological changes
Nature of the entity                            | Operations, ownership and governance structures, types of investments, financing arrangements, how the entity is structured and financed
Accounting policies                             | Selection and application of accounting policies, including reasons for changes — and whether they are appropriate for the entity's business
Objectives, strategies, and business risks      | The entity's objectives and strategies, and the related business risks that may result in material misstatement
Measurement and review of financial performance | How management monitors the entity's performance — KPIs, management reporting, budgets, variance analysis

The applicable financial reporting framework

ISA 315.21 separately requires understanding the financial reporting framework — how complex it is, how much judgment it requires, and how the entity applies it. This is particularly relevant where the framework introduces new requirements (such as IFRS 9, IFRS 15, IFRS 16, or IFRS 17) that require significant management judgment or estimation.

Understanding Internal Control

The 2019 revision restructured the internal control requirements around five components, with enhanced specificity about what the auditor must understand within each:

1. Control environment

The foundation — management's attitudes, awareness, and actions regarding internal control. Includes the entity's commitment to integrity and ethical values, governance oversight, organisational structure, human resource policies, and the assignment of authority and responsibility.

2. Entity's risk assessment process

How the entity identifies, analyses, and manages risks relevant to financial reporting — including how it identifies changes in the business or regulatory environment that require attention.

3. Information system and communication

How transactions are initiated, recorded, processed, corrected, transferred to the general ledger, and reported in the financial statements. The 2019 revision significantly enhanced the requirements here, including understanding the entity's IT environment and identifying IT applications and other aspects of the IT environment that are subject to risks arising from the use of IT.

4. Control activities

The policies and procedures that help ensure management's directives are carried out. The 2019 revision introduced the concept of "identified controls" — controls that the auditor is required to identify in the control activities component, including controls that address risks of material misstatement at the assertion level, controls over journal entries, and IT general controls that address risks arising from IT.

5. Monitoring activities

How the entity evaluates whether its internal control system is present and functioning — ongoing monitoring, separate evaluations, or a combination. This includes the internal audit function, if one exists.

The IT requirements are real

The most significant practical change in the 2019 revision is the enhanced IT focus. The auditor must now understand the entity's IT environment, identify IT applications used in the information system, identify risks arising from the use of IT, and identify IT general controls that address those risks. For many smaller firms auditing entities with standard ERP systems (SAP, Oracle, Microsoft Dynamics, Exact), this means developing IT audit capabilities that may not have been needed previously. Regulators are actively inspecting this area — the days of treating IT as a "specialist issue" that the auditor can safely ignore are over.

Identifying Risks of Material Misstatement

ISA 315.28 requires the auditor to identify risks of material misstatement and determine whether they exist at:

The financial statement level — pervasive risks that are not attributable to specific assertions but that affect the financial statements as a whole. Examples: a weak control environment, going concern doubts, management integrity concerns, entity-wide fraud risk. These require overall audit responses (ISA 330.5).

The assertion level — risks related to specific classes of transactions, account balances, and disclosures. These require specific further audit procedures (ISA 330.6).

The auditor must also determine the relevant assertions — the representations by management, explicit or otherwise, embodied in the financial statements. The standard assertions are grouped into three categories:

  • Assertions about classes of transactions and events: occurrence, completeness, accuracy, cut-off, classification
  • Assertions about account balances: existence, rights and obligations, completeness, valuation and allocation
  • Assertions about presentation and disclosure: occurrence and rights, completeness, classification and understandability, accuracy and valuation

Assessing Risks: The Spectrum of Inherent Risk

The 2019 revision introduced one of its most important conceptual changes: the spectrum of inherent risk.

For each identified risk at the assertion level, the auditor must separately assess:

Inherent risk — by assessing the likelihood and magnitude of misstatement, taking into account how, and the degree to which, five inherent risk factors affect the susceptibility of the assertion to misstatement:

Inherent Risk Factor                                           | What It Means
---------------------------------------------------------------+---------------------------------------------------------------------------
Subjectivity                                                   | The degree to which the preparation of information involves human judgment — more subjective items carry higher inherent risk
Complexity                                                     | The complexity of the transaction, measurement, or disclosure — complex structures or calculations carry higher risk
Uncertainty                                                    | The degree of measurement uncertainty — fair value estimates, provisions, and contingencies carry higher risk
Change                                                         | Changes in the entity or its environment that affect the assertion — new systems, new products, restructuring, or new standards
Susceptibility to misstatement due to management bias or fraud | The degree to which the assertion is susceptible to intentional manipulation

The assessed inherent risk falls somewhere on the spectrum — from lower to higher. Where the risk falls on the spectrum determines the quality and quantity of evidence needed (ISA 330).

Control risk — the risk that the entity's internal controls will not prevent or detect the misstatement. Control risk is only assessed for assertions where the auditor plans to rely on controls (i.e., plans to perform tests of controls).

Significant Risks

ISA 315.32 requires the auditor to determine whether any of the assessed risks of material misstatement are significant risks — risks at the upper end of the spectrum that require special audit consideration.

In determining significant risks, the auditor considers: the degree of the inherent risk factors (particularly complexity, subjectivity, and uncertainty), whether the risk involves significant transactions with related parties, the degree of measurement uncertainty, and whether the risk is a risk of fraud.

Significant risks have important consequences throughout the audit:

  • Under ISA 330, the auditor must design procedures that are specifically responsive to the significant risk — and cannot rely solely on prior-period evidence.
  • Under ISA 260, significant risks must be communicated to those charged with governance.
  • Under ISA 540, accounting estimates with high estimation uncertainty that give rise to significant risks require additional procedures.
  • Under ISA 701, significant risks are candidates for key audit matters in the auditor's report.

Scalability

ISA 315 (Revised 2019) explicitly addresses scalability. For less complex entities, many of the standard's requirements can be met through less formal processes:

  • The control environment may be set directly by the owner-manager rather than through formal policies.
  • Risk assessment processes may be informal but still present.
  • Information systems may be simple accounting packages rather than complex ERP systems.
  • Control activities may involve direct oversight by the owner-manager rather than formal procedures.
  • Monitoring may occur through the owner-manager's daily involvement rather than through a separate internal audit function.

The standard's application material includes specific guidance for less complex entities throughout, signalled by paragraphs prefixed "Considerations specific to smaller entities" or "Considerations for audits of less complex entities." This is a genuine attempt to make the standard workable for the majority of audits worldwide, which involve smaller entities.

Documentation

ISA 315.38 requires documentation of:

  • The team discussion required by ISA 240 and the significant decisions reached.
  • Key elements of the understanding of the entity and its environment, the financial reporting framework, and internal control — including the sources of information and risk assessment procedures performed.
  • The identified and assessed risks of material misstatement at the financial statement and assertion levels, including significant risks.
  • The identified controls in the control activities component and IT general controls.

ISA 315 in Your Jurisdiction

Netherlands. COS 315 adopted the Revised 2019 standard effective for periods beginning on or after 15 December 2022. The AFM's inspection focus has shifted to evaluating whether firms have genuinely implemented the enhanced requirements — particularly the IT-related provisions and the separate assessment of inherent and control risk. The AFM has noted that early implementations show improvement in the specificity of risk assessments but that the quality of IT risk identification remains inconsistent.

Germany. IDW PS 261 n.F. integrates the ISA 315 (Revised 2019) requirements. The WPK's inspections focus on whether risk assessments are entity-specific rather than generic, and whether the connection between assessed risks and planned procedures (ISA 330) is clearly documented. German practice has traditionally been thorough in understanding the entity, but the enhanced IT and inherent risk factor requirements represent new territory for many firms.

United Kingdom. ISA (UK) 315 (Revised July 2020) adopted the international standard with UK-specific additions. The FRC's inspections have identified risk assessment as the most common root cause of audit quality deficiencies — particularly insufficient understanding of the entity's business model, inadequate risk identification for revenue and management estimates, and formulaic rather than entity-specific assessments.

France. NEP 315 implements ISA 315 within the French statutory framework. French practice benefits from the multi-year mandat system, which provides continuity of understanding. However, the H3C's inspections have identified that this continuity can lead to complacency — insufficient re-evaluation of risks in changing circumstances and over-reliance on prior-year assessments without adequate updating.


Frequently Asked Questions

What changed in the 2019 revision?

The major changes include: a more structured risk assessment process, the introduction of explicit inherent risk factors, the concept of the "spectrum of inherent risk," enhanced IT requirements (understanding the IT environment, IT general controls), the concept of "identified controls," better scalability guidance, and more detailed requirements for understanding the information system.

What is the difference between inherent risk and control risk?

Inherent risk is the susceptibility of an assertion to material misstatement before considering the entity's controls. Control risk is the risk that the entity's controls will fail to prevent or detect the misstatement. Together, they determine the risk of material misstatement at the assertion level.

Must the auditor understand all internal controls?

No. The auditor must understand the entity's system of internal control to the extent needed to identify and assess risks of material misstatement and to design further audit procedures. The auditor is required to identify specific controls in the control activities component (including journal entry controls and IT general controls), but does not need to understand every control the entity operates.

What is a significant risk?

A significant risk is an assessed risk of material misstatement that falls at the upper end of the spectrum of inherent risk — requiring special audit consideration. The auditor determines significant risks by considering the inherent risk factors, particularly the degree of complexity, subjectivity, uncertainty, and susceptibility to fraud.

How does ISA 315 relate to ISA 330?

ISA 315 identifies and assesses the risks. ISA 330 governs the auditor's responses to those risks. The assessed risks under ISA 315 directly determine the nature, timing, and extent of further audit procedures under ISA 330. A well-assessed risk under ISA 315 leads to a well-designed response under ISA 330.

Further Reading and Source References

  • IAASB Handbook 2024 — The authoritative source for the complete ISA 315 (Revised 2019) text, including extensive application material and appendices.
  • IAASB First-Time Implementation Guide — Practical guidance on implementing the revised standard, including worked examples.
  • ISA 240 — The Auditor's Responsibilities Relating to Fraud — the companion standard for fraud risk assessment.
  • ISA 330 — The Auditor's Responses to Assessed Risks — the standard that translates ISA 315 assessments into audit procedures.
  • ISA 320 — Materiality in Planning and Performing an Audit — materiality interacts directly with risk assessment.