Side-by-side comparison

| Dimension | Original ISA 315 (Revised 2013) | ISA 315 (Revised 2019) |
| --- | --- | --- |
| Risk assessment | Binary assessment: risks were assessed as higher or lower. "Significant risk" was a distinct, separate category. | Spectrum of inherent risk. The auditor assesses where each risk sits on a continuum from lower to higher, based on the likelihood and magnitude of misstatement. Significant risk is the upper end of the spectrum, not a separate category. |
| IT controls | General requirement to understand IT relevant to financial reporting. No explicit mandate to identify and evaluate specific IT general controls. | ISA 315.26 requires the auditor to identify IT applications and the IT general controls that address risks arising from the use of IT. Explicit evaluation of ITGCs over identified applications. |
| Inherent risk factors | Not formally defined. Practitioners used professional judgment without a prescribed framework. | ISA 315.A4 defines five inherent risk factors: complexity, subjectivity, change, uncertainty, and susceptibility to misstatement due to management bias or fraud. |
| Stand-back | No equivalent requirement. | ISA 315.35 requires the auditor to evaluate whether the risk assessment is complete by considering all audit evidence obtained, including evidence that contradicts initial assessments. |
| Scalability | Limited guidance. Smaller engagement teams applied the standard based on general proportionality. | Enhanced scalability guidance throughout the application material, with specific references to less complex entities. |

Key Points

  • ISA 315 (Revised 2019) replaces the binary risk assessment with a spectrum of inherent risk.
  • IT general controls now require explicit identification and evaluation under ISA 315.26.
  • The stand-back requirement in ISA 315.35 forces the auditor to reassess completeness of identified risks before concluding.
  • Firms that still use the old binary approach on engagements with periods after 15 December 2021 are non-compliant.

When the distinction matters on an engagement

The spectrum approach changes how the engagement team documents risk. Under the original standard, a risk was either "significant" or not, and the documentation reflected that binary choice. Under ISA 315 (Revised 2019), ISA 315.A4 requires the auditor to consider five inherent risk factors when positioning each risk on the spectrum. The file must show the reasoning behind the placement, not just the conclusion.

A risk assessment that says "revenue recognition: high risk" without referencing the inherent risk factors does not comply with the revised standard.

The IT controls requirement in ISA 315.26 has a similar documentation impact. Under the original standard, teams could describe the IT environment in general terms. The revised standard requires identification of specific IT applications relevant to financial reporting and the ITGCs that address risks arising from those applications. A file that describes "the client uses SAP" without identifying which SAP modules are relevant and which ITGCs address the risks from those modules does not meet ISA 315.26.

Worked example: Pinturas Navarro S.L.

Client: Spanish paint manufacturer, FY2024, revenue €85M, IFRS reporter.

Under the original ISA 315 (Revised 2013)

The engagement team assessed revenue recognition risk. The file states: "Revenue recognition is assessed as a significant risk due to the nature of the industry and the volume of transactions."

Documentation note (as it would appear under the old standard): "Revenue recognition: significant risk. Refer ISA 240 presumption. Substantive procedures designed to address the risk at the assertion level."

This was compliant under the original standard. The binary classification was documented, the ISA 240 presumption was noted, and the response was linked.

Under ISA 315 (Revised 2019)

The engagement team must now assess revenue recognition against the inherent risk factors in ISA 315.A4. Pinturas Navarro sells through two channels: direct sales to construction companies (68% of revenue, €57.8M) with standard 30-day terms, and consignment sales to retail chains (32% of revenue, €27.2M) with complex rebate arrangements.

Documentation note (revised standard): "Revenue recognition assessed on the spectrum of inherent risk. Direct sales: lower end of the spectrum. Standard terms, low subjectivity, no significant judgment in cut-off. Consignment sales with rebate arrangements: upper end of the spectrum (significant risk). Inherent risk factors: complexity (rebate calculations depend on volume thresholds that span reporting periods), subjectivity (management estimates required for rebate accruals at year-end), change (new retail chain contracts added in Q3 2024 with different rebate terms), susceptibility to management bias (rebate accruals directly affect reported revenue and margin). IT application identified: SAP SD module processes both channels. ITGCs over SAP SD evaluated per ISA 315.26: access controls, change management. Stand-back per ISA 315.35: assessed risk of material misstatement on consignment revenue is at the upper end of the spectrum; no contradicting evidence identified."

Under the original standard, the team would have classified all of revenue recognition as a significant risk. Under the revised standard, the team disaggregated by channel and assessed each against the inherent risk factors. If the team had applied the old binary approach to an engagement with a period beginning after 15 December 2021, the file would be non-compliant regardless of whether the audit work itself was sufficient.

What reviewers get wrong

The most common finding is that firms update their templates to reference the revised standard but do not change the underlying risk assessment approach. Files still contain binary high/low classifications without reference to inherent risk factors or the spectrum.

IT general controls under ISA 315.26 are frequently documented at the entity level ("the client has adequate IT controls") rather than at the application level. The revised standard requires identification of specific IT applications relevant to financial reporting and the ITGCs that address risks from those applications. A generic statement about the IT environment does not satisfy ISA 315.26.

Key standard references

  • ISA 315 (Revised 2019): Effective for audits of financial statements for periods beginning on or after 15 December 2021.
  • ISA 315.A4: Defines the five inherent risk factors: complexity, subjectivity, change, uncertainty, susceptibility to management bias or fraud.
  • ISA 315.26: Requires identification and evaluation of IT applications and ITGCs.
  • ISA 315.35: Stand-back requirement to evaluate completeness of risk assessment.

Frequently asked questions

When did ISA 315 (Revised 2019) become effective?

ISA 315 (Revised 2019) is effective for audits of financial statements for periods beginning on or after 15 December 2021. Firms that still use the old binary risk assessment approach on engagements after this date are non-compliant.

What is the spectrum of inherent risk?

Instead of classifying risks as simply high or low, the auditor assesses where each risk sits on a continuum from lower to higher based on five inherent risk factors: complexity, subjectivity, change, uncertainty, and susceptibility to misstatement due to management bias or fraud. Significant risk sits at the upper end of this spectrum rather than being a separate category.