Side-by-side comparison
| Dimension | Inherent risk | Control risk |
|---|---|---|
| What it measures | Susceptibility of the assertion to misstatement, absent controls | Likelihood that controls fail to prevent or detect the misstatement |
| What drives it | Nature of the account, complexity, judgment, estimation uncertainty | Design of controls, implementation, operating effectiveness |
| Can it be zero? | No. Every assertion has some inherent risk. | Conceptually cannot be zero either; no control system is perfect |
| Assessment method | Spectrum approach (ISA 315 Revised 2019) based on likelihood and magnitude | Tested through design and operating effectiveness evaluation, or assumed at maximum if controls are not tested |
| When it changes | When the nature of the business, the account, or external conditions change | When controls are redesigned, implemented, or fail |
| Link to procedures | Higher inherent risk requires more persuasive substantive evidence | Lower control risk (from effective controls) allows reduced substantive testing |
Key Points
- Inherent risk exists independently of the entity’s controls. Control risk depends entirely on the design and operating effectiveness of those controls.
- The revised ISA 315 introduced a spectrum of inherent risk, requiring auditors to assess it on a scale rather than as high, medium, or low.
- You assess inherent risk first, then evaluate whether controls reduce the combined risk of material misstatement.
- Confusing the two leads to audit procedures that are either insufficient or misdirected.
When the distinction matters on an engagement
ISA 315 (Revised 2019) requires the auditor to assess the risk of material misstatement at the assertion level, which is the combination of inherent risk and control risk. The distinction matters because each risk component calls for a different audit response. If inherent risk on an estimate is high because the valuation model involves significant judgment and estimation uncertainty, no amount of control testing will reduce that inherent susceptibility. The engagement team needs substantive procedures that directly test the reasonableness of the estimate.
Conversely, if an account balance has moderate inherent risk but strong controls (automated matching, exception reporting, segregation of duties, and management review), the team can test those controls and reduce the volume of substantive testing. ISA 330 requires a clear link between the assessed risks and the audit procedures performed. A file that lumps inherent and control risk into a single “medium” rating and then applies a standard set of procedures has not complied with ISA 315 or ISA 330.
Worked example: Transportes Reyes S.L.
Client: Spanish logistics firm, FY2024, revenue €67M, IFRS reporter. The entity operates a fleet of 200 trucks, has 800 active customer contracts with varied pricing terms, maintains four regional warehouses, and recently migrated to a new ERP system.
Assessing inherent risk on revenue recognition
Revenue comes from spot haulage contracts and long-term logistics service agreements. Spot contracts are high-volume, low-value (average €2,400 per trip). Long-term contracts include variable pricing tied to fuel indices and volume tiers. The inherent risk on revenue recognition is assessed at the higher end of the spectrum. Likelihood of misstatement is elevated because the variable pricing clauses require manual calculation outside the ERP system, and the ERP migration introduced data conversion risk. Magnitude is potentially material (variable-price contracts account for €19M of total revenue).
Documentation note: Record each inherent risk factor assessed (complexity, change from ERP migration, estimation uncertainty in variable pricing, susceptibility to management bias), the evaluation for each, and the conclusion on where the assertion falls on the spectrum. ISA 315 (Revised 2019) paragraph 32 requires this assessment at the assertion level.
Assessing control risk on revenue recognition
The entity has two relevant controls: an automated ERP validation that rejects revenue entries without a matched delivery confirmation, and a monthly management review of revenue by customer segment against budget. The engagement team plans to test both controls.
For the ERP validation, the team re-performs the matching logic on a sample of 40 transactions. No exceptions. For the management review, the team inspects the monthly review documentation for all 12 months. In ten months, the review is documented with variance explanations. In two months (immediately after the ERP migration), the review was performed but not documented. The team concludes the ERP validation is operating effectively but the management review has a two-month gap.
Documentation note: Document each control tested, the population and sample, the test results, and the assessed level of control risk. State the effect of the two-month gap on the overall control risk assessment, and how the team plans to address the uncovered period.
Combining the assessments
Inherent risk sits at the higher end of the spectrum. Control risk is below maximum for ten months (effective ERP control) but at maximum for two months (undocumented management review during the migration period). The combined risk of material misstatement on revenue recognition is significant. The engagement team designs substantive procedures accordingly: a sample of 50 revenue transactions across the full year, with an additional focused sample of 20 transactions from the two migration months, tested to delivery confirmations, customer contracts, pricing calculations, and cash receipts.
Documentation note: Link the combined assessment to the substantive procedures. State the sample sizes, the rationale for the additional focused testing in the migration period, and the assertions covered.
If the engagement team had assessed inherent risk as low because controls exist (confusing the two concepts), the sample would have been smaller, and the ERP migration period would not have received additional scrutiny. Inherent risk asks: how susceptible is this assertion to misstatement? Control risk asks: do the entity’s controls catch those misstatements? The two assessments answer different questions and produce different audit responses.
What reviewers get wrong
The PCAOB’s 2023 inspection findings on risk assessment highlighted that firms frequently assessed the risk of material misstatement as a single combined rating without separately evaluating inherent risk and control risk. ISA 315 (Revised 2019) requires separate assessment because the audit response differs depending on which component drives the combined risk. A high inherent risk with effective controls produces a different procedure set than a moderate inherent risk with no controls at all.
Under ISA 315 (Revised 2019), inherent risk must be assessed on a spectrum, not in categories. The FRC has flagged firms that continued using the old high/medium/low approach after the revised standard became effective. The spectrum approach requires the auditor to consider both the likelihood of misstatement and the magnitude of the potential misstatement when placing the assertion on the spectrum. ISA 315 lists the inherent risk factors the auditor must consider: complexity, subjectivity, change, uncertainty, and susceptibility to misstatement due to management bias or fraud.
Key standard references
- ISA 315 (Revised 2019) paragraphs 12(i), 12(d): Definitions of inherent risk and control risk.
- ISA 315 (Revised 2019) paragraphs 31–33: Requirements for assessing the risk of material misstatement at the assertion level.
- ISA 315 (Revised 2019) paragraph A4: The spectrum approach to inherent risk assessment based on likelihood and magnitude.
- ISA 330.7: Requirement to link assessed risks to the nature, timing, and extent of further audit procedures.
Frequently asked questions
Can inherent risk ever be zero?
No. Every assertion has some inherent risk. Revenue recognition on a simple contract still carries susceptibility to misstatement from cut-off errors, pricing mistakes, or recording in the wrong period. Inherent risk varies across a spectrum but never reaches zero.
What changed with ISA 315 (Revised 2019) regarding inherent risk?
The revised standard introduced a spectrum approach, requiring auditors to assess inherent risk on a scale rather than using high, medium, or low categories. The auditor must consider both the likelihood of misstatement and the magnitude of the potential misstatement. The FRC has flagged firms that continued using the old categorical approach after the revised standard became effective.