What is inherent risk?

Open a risk assessment working paper from last year's file. If every assertion on the revenue account landed at the same point on the spectrum, the assessment wasn't doing its job. That's the core problem inherent risk (IR) is supposed to solve: forcing the auditor to think about why one assertion is more susceptible to misstatement than another, before controls enter the picture.

ISA 200.13 (n)(i) defines IR as the susceptibility of an assertion about a class of transactions, account balance, or disclosure to a misstatement that could be material, considered before taking into account any related controls.

Under ISA 315 (Revised 2019), IR is no longer assessed as high, medium, or low. Instead, auditors assess where each assertion sits on an IR spectrum, from lower to higher. This spectrum approach forces more granular thinking about what makes one assertion riskier than another.

ISA 315 identifies five IR factors that drive the assessment: complexity, subjectivity, change, uncertainty, and susceptibility to misstatement due to management bias or fraud. The combination and intensity of these factors at the assertion level determines where the assertion sits on the spectrum.

Key points

  • Assessed before controls. IR considers only the nature of the item (its complexity, the degree of estimation involved) without credit for any controls the entity has in place.
  • Assessed at the assertion level. ISA 315.31 requires the assessment at the assertion level for classes of transactions, account balances, disclosures, and their related assertions. Not at the account or FS level.
  • Spectrum replaces high/medium/low. The 2019 revision introduced a spectrum to prevent the common practice of defaulting everything to "medium." Assertions at the higher end require more persuasive audit evidence.
  • Five IR factors. Complexity, subjectivity, change, uncertainty, and susceptibility to management bias or fraud. These are assessed in combination, not individually checked off as a tick box exercise.

Why it matters in practice

At firms like ours, the most common mistake is assessing IR at the account level rather than the assertion level. Revenue as an account is not inherently risky. The completeness assertion for a cash-based retailer is very different from the occurrence assertion for a software company with multi-element arrangements. The spectrum only works when the assessment is granular enough to differentiate between assertions within the same account.

That granularity drives the audit response. When IR is assessed at the assertion level, the audit program varies: assertions at the higher end of the spectrum get larger samples and more experienced staff, while assertions at the lower end can be addressed with analytical procedures or smaller samples. Without it, you end up with a SALY program that doesn't respond to the actual risks on the engagement.

This is the review note that never goes away. The fix isn't complicated, it just takes time teams don't feel they have. But inspectors routinely challenge files where all assertions for an account receive the same risk assessment. If the valuation of a simple receivable and the valuation of a complex derivative both sit at the same point on the spectrum, the risk assessment has not been performed in accordance with ISA 315 .

Key standard references

  • ISA 200.13 (n)(i): Definition of IR as the susceptibility of an assertion to misstatement before consideration of related controls.
  • ISA 315.12 (f): Definition of the IR factors (complexity, subjectivity, change, uncertainty, and susceptibility to management bias or fraud).
  • ISA 315 .A2–A5: Application guidance on the IR spectrum and how IR factors interact.
  • ISA 315.31 : Requirement to assess risks of material misstatement at the assertion level, considering IR and control risk separately.

Related terms

Control RiskRisk of Material MisstatementSignificant RiskAudit RiskDetection Risk

Related tools

Materiality Calculator
ISA 320
Sample Size Calculator
ISA 530

Related reading

ISA 315: Risk Assessment in Practice
Blog guide
ISA 330: Responses to Assessed Risks
Blog guide

Frequently asked questions

What are the inherent risk factors under ISA 315?

ISA 315 (Revised 2019) identifies five IR factors: complexity, subjectivity, change, uncertainty, and susceptibility to misstatement due to management bias or fraud. Each factor is assessed at the assertion level, not the account level. The combination of factors determines where the assertion sits on the IR spectrum.

What is the difference between inherent risk and control risk?

IR asks how likely an assertion is to be wrong given the nature of the item, before any controls are considered. Control risk asks whether the client's controls would catch that misstatement if it occurred. A complex estimate can have high IR but low control risk if strong review controls exist. ISA 315.31 requires assessing both separately.

Why did ISA 315 replace high/medium/low with a spectrum?

The 2019 revision replaced the three-level classification with a spectrum because the old approach allowed teams to assess 80% of assertions as 'medium' without differentiation. The spectrum forces auditors to consider where each assertion sits relative to others, producing a more granular risk assessment that drives a more tailored audit response.

Get practical audit insights, weekly.

No exam theory. Just what makes audits run faster.

290+ guides published20 free toolsBuilt by practicing auditors

No spam. We’re auditors, not marketers.

This glossary entry is for educational purposes and does not constitute legal or professional advice. Always consult the applicable standard text for authoritative guidance.

Last reviewed: · Standards version: IAASB 2024 Handbook