What are Risk Assessment Procedures?

ISA 315 (Revised 2019) paragraph 14 requires the auditor to perform risk assessment procedures that include all four types: inquiries of management and other appropriate individuals within the entity, analytical procedures, observation, and inspection. The 2019 revision tightened this requirement — all four types are mandatory on every engagement, not a menu from which the auditor selects.

Risk assessment procedures are inputs to the risk assessment, not outputs. They provide the auditor with the information needed to identify and assess risks of material misstatement at the financial statement and assertion levels. ISA 315.28 requires the auditor to use the results of these procedures to make risk assessment judgments. The procedures themselves do not provide audit evidence for the opinion — that comes from further audit procedures under ISA 330.

The distinction matters in practice. A walkthrough performed as a risk assessment procedure helps the auditor understand how transactions flow through the system and where misstatements could occur. The same walkthrough is not a test of controls. If the auditor wants to rely on controls, ISA 330.8 requires separate tests of operating effectiveness. Conflating the two is one of the most common file deficiencies flagged in inspections.

Key Points

  • All four procedure types are mandatory (ISA 315.14): inquiry, observation, inspection, and analytical procedures.
  • Inquiry alone is never sufficient. The 2019 revision explicitly requires corroboration through other procedure types.
  • Risk assessment procedures identify risks; further audit procedures (ISA 330) respond to them. They are not interchangeable.
  • A walkthrough for risk assessment is not a test of controls. Separate operating effectiveness testing is required under ISA 330.8.

Why it matters in practice

The FRC's 2023 annual inspection report found auditors relying on inquiry as the sole or primary risk assessment procedure. Teams documented conversations with management about business changes and risks but did not corroborate those responses through observation, inspection of documents, or analytical procedures. ISA 315.14 requires all four types precisely because each provides different information and no single type is sufficient on its own.

Analytical procedures performed as risk assessment procedures are a second area of weakness. ISA 315.17 requires the auditor to apply analytical procedures as risk assessment procedures to help identify risks of material misstatement that the auditor might not otherwise recognise. In practice, teams often perform variance analysis (comparing current year to prior year) without investigating what conditions for misstatement the variances might indicate. The purpose of the analytical procedure at this stage is not to explain the variance. It is to identify where misstatements could occur.

ISA 315.15 requires inquiries of management, but also of other individuals within the entity who may have information relevant to identifying risks. Teams that limit inquiries to the CFO and financial controller miss perspectives from operational staff, internal audit, and those charged with governance. The standard specifically requires the auditor to consider which individuals may have relevant information beyond the finance function.

Key standard references

  • ISA 315.14: Requirement to perform all four types of risk assessment procedures.
  • ISA 315.15: Inquiries of management and others within the entity.
  • ISA 315.16: Observation and inspection as risk assessment procedures.
  • ISA 315.17: Analytical procedures to help identify risks of material misstatement.
  • ISA 315.28: Using results of risk assessment procedures to assess risks.

Frequently asked questions

Can the auditor choose between the four procedure types?

No. ISA 315 (Revised 2019) paragraph 14 requires all four types: inquiry, observation, inspection, and analytical procedures. You do not choose between them. Inquiry alone is never sufficient.

Are risk assessment procedures the same as further audit procedures?

No. Risk assessment procedures identify and assess risks (ISA 315.14–18). Further audit procedures respond to those risks with evidence for the opinion (ISA 330.4–27). A walkthrough used for risk assessment is not a test of controls.