What is inherent risk?
Inherent risk, defined in ISA 200.13(n)(i), is the susceptibility of an assertion about a class of transactions, account balance, or disclosure to a misstatement that could be material — considered before taking into account any related controls.
Under ISA 315 (Revised 2019), inherent risk is no longer assessed as high, medium, or low. Instead, auditors assess where each assertion sits on an inherent risk spectrum, from lower to higher. This spectrum approach forces more granular thinking about what makes one assertion riskier than another.
The standard identifies five inherent risk factors that drive the assessment: complexity, subjectivity, change, uncertainty, and susceptibility to misstatement due to management bias or fraud. The combination and intensity of these factors at the assertion level determines where the assertion sits on the spectrum.
Key Points
- Assessed before controls. Inherent risk considers only the nature of the item — its complexity, the degree of estimation involved, the extent of change — without credit for any controls the entity has in place.
- Assessed at the assertion level. ISA 315.31 requires the assessment at the assertion level for classes of transactions, account balances, and disclosures — not at the account or financial statement level.
- Spectrum replaces high/medium/low. The 2019 revision introduced a spectrum to prevent the common practice of defaulting everything to "medium." Assertions at the higher end of the spectrum require significantly more persuasive audit evidence.
- Five inherent risk factors. Complexity, subjectivity, change, uncertainty, and susceptibility to management bias or fraud. These are assessed in combination, not individually checked off.
Why it matters in practice
The most common mistake in practice is assessing inherent risk at the account level rather than the assertion level. Revenue as an account is not inherently risky — the completeness assertion for a cash-based retailer is very different from the occurrence assertion for a software company with multi-element arrangements. The spectrum only works when the assessment is granular enough to differentiate between assertions within the same account.
This granularity is precisely what drives a differentiated audit response. When inherent risk is assessed thoughtfully at the assertion level, the audit program naturally varies: assertions at the higher end of the spectrum get larger samples, more experienced staff, and more targeted substantive procedures. Assertions at the lower end can be addressed with analytical procedures or smaller samples.
Inspectors routinely challenge files where all assertions for an account receive the same risk assessment. If the valuation of a simple receivable and the valuation of a complex derivative both sit at the same point on the spectrum, the risk assessment has not been performed in accordance with ISA 315.
Key standard references
- ISA 200.13(n)(i): Definition of inherent risk as the susceptibility of an assertion to misstatement before consideration of related controls.
- ISA 315.12(f): Definition of the inherent risk factors — complexity, subjectivity, change, uncertainty, and susceptibility to management bias or fraud.
- ISA 315.A2–A5: Application guidance on the inherent risk spectrum and how inherent risk factors interact.
- ISA 315.31: Requirement to assess risks of material misstatement at the assertion level, considering inherent risk and control risk separately.
Related terms
Related reading
Frequently asked questions
What are the inherent risk factors under ISA 315?
ISA 315 (Revised 2019) identifies five inherent risk factors: complexity, subjectivity, change, uncertainty, and susceptibility to misstatement due to management bias or fraud. Each factor is assessed at the assertion level, not the account level. The combination of factors determines where the assertion sits on the inherent risk spectrum.
What is the difference between inherent risk and control risk?
Inherent risk asks how likely an assertion is to be wrong given the nature of the item, before any controls are considered. Control risk asks whether the client's controls would catch that misstatement if it occurred. A complex estimate can have high inherent risk but low control risk if strong review controls exist. ISA 315.31 requires assessing both separately.
Why did ISA 315 replace high/medium/low with a spectrum?
The 2019 revision of ISA 315 replaced the three-level classification with a spectrum because the old approach allowed teams to assess 80% of assertions as 'medium' without differentiation. The spectrum forces auditors to consider where each assertion sits relative to others, producing a more granular risk assessment that drives a more tailored audit response.