What is a significant risk?
A significant risk is a risk of material misstatement that sits at the higher end of the inherent risk spectrum. It is not simply a "high risk" label — it is a formal designation under ISA 315.28 that triggers specific audit response requirements the auditor cannot bypass.
Two significant risks are presumed on every audit. ISA 240.26 presumes a risk of fraud in revenue recognition (rebuttable only if the auditor documents why it does not apply to the entity). ISA 240.31 treats management override of controls as a significant risk on every engagement, with no possibility of rebuttal.
Beyond these presumptions, the auditor identifies additional significant risks by evaluating the inherent risk factors in ISA 315.A5 — complexity, subjectivity, change, uncertainty, and susceptibility to management bias or fraud. When multiple factors converge at elevated levels for a single assertion, the risk warrants the significant risk designation and its mandatory response under ISA 330.15.
Key Points
- Significant risk triggers mandatory audit responses. ISA 330.15 requires substantive procedures specifically responsive to the risk — standard testing programmes are not sufficient.
- Two presumed significant risks exist on every audit. These are fraud in revenue recognition (rebuttable) and management override of controls (non-rebuttable) under ISA 240.
- No reliance on controls alone. For significant risks, the auditor must always perform substantive procedures regardless of how effective the entity's controls are assessed to be.
- No reliance on prior period evidence. ISA 330.15(a) prohibits using audit evidence from a previous period for significant risk assertions — fresh evidence must be obtained each year.
Why it matters in practice
The most common inspection finding related to significant risks is a disconnect between identification and response. Firms correctly identify a significant risk but then respond with standard, template-driven procedures that are no different from the response to a non-significant risk. ISA 330.15 requires the response to be specifically designed for the identified risk.
ISA 330.15(a) also prohibits reliance on audit evidence obtained in prior periods for significant risk assertions. This means every significant risk must be tested with fresh evidence each year — the auditor cannot carry forward last year's walkthrough or rely on a prior period's confirmation results.
In practice, the number of significant risks on an engagement directly affects resource allocation and staffing. Each significant risk needs a tailored procedure, senior team member involvement, and explicit documentation linking the risk assessment to the audit response. Under-identification saves planning time but creates inspection exposure; over-identification triggers unnecessary work and dilutes audit focus.
Key standard references
- ISA 315.12(l): Definition of significant risk as an identified risk of material misstatement for which the assessed level of inherent risk is close to the upper end of the spectrum of inherent risk.
- ISA 315.28: Requirement to determine whether any of the identified risks of material misstatement are significant risks.
- ISA 315.A220–A224: Application guidance on factors to consider when determining significant risks, including the spectrum of inherent risk.
- ISA 330.15: Specific audit response requirements for significant risks — substantive procedures specifically responsive to the risk, no reliance on controls alone, no reliance on prior period evidence.
- ISA 240.26: Presumption of fraud risk in revenue recognition (rebuttable).
- ISA 240.31: Management override of controls as a non-rebuttable significant risk.
Frequently asked questions
What are the two presumed significant risks?
ISA 240.26 presumes a risk of fraud in revenue recognition (rebuttable if the auditor documents why it does not apply). ISA 240.31 treats management override of controls as a significant risk on every audit, with no rebuttal available. Both require specific substantive procedures responsive to the identified risk.
What does 'special audit consideration' mean in practice?
ISA 330.15 requires three things for significant risks: (1) substantive procedures specifically responsive to the risk, not just standard testing, (2) no reliance on controls alone — substantive procedures are always required, and (3) no reliance on prior period audit evidence. Fresh evidence must be obtained each year for every significant risk assertion.
How do you identify a significant risk?
Start with the inherent risk factors from ISA 315.A5: complexity, subjectivity, change, uncertainty, and susceptibility to management bias or fraud. When multiple factors are present at elevated levels for a single assertion, the inherent risk position moves toward the upper end of the spectrum. The judgment is whether the combination is severe enough to require special consideration under ISA 315.28.