What is a significant risk?

In the FRC's 2022/23 inspection cycle, deficient responses to significant risks appeared in roughly one out of every four files reviewed. The finding was almost never that the team missed the risk. It was that the team identified the significant risk correctly, then responded with the same same-as-last-year (SALY) procedures they'd run on every other balance. The risk assessment looked right on paper. The response was a tick-box exercise.

A significant risk (SR) is a risk of material misstatement (RoMM) that sits at the upper end of the inherent risk spectrum. It isn't simply a "high risk" label. It's a formal designation under ISA 315.28 that triggers mandatory audit response requirements the auditor cannot bypass.

Two SRs are presumed on every audit. ISA 240.26 presumes a risk of fraud in revenue recognition (rebuttable only if the auditor documents why it doesn't apply to the entity). ISA 240.31 treats management override of controls as an SR on every engagement, with no possibility of rebuttal. Beyond these presumptions, the auditor identifies additional SRs by evaluating the inherent risk factors in ISA 315.A5 (complexity, subjectivity, change, and susceptibility to management bias or fraud). When multiple factors converge at elevated levels for a single assertion, the risk warrants the SR designation and its mandatory response under ISA 330.15.

Key Points

  • ISA 330.15 requires substantive procedures specifically responsive to each SR. Standard testing programmes are not sufficient.
  • Two presumed SRs exist on every audit: fraud in revenue recognition (rebuttable) and management override of controls (non-rebuttable) under ISA 240.
  • For SRs, the auditor must always perform substantive procedures regardless of how effective the entity's controls are assessed to be.
  • ISA 330.15(a) prohibits using audit evidence from a previous period for SR assertions. Fresh evidence must be obtained each year.

Why it matters in practice

The most common inspection finding related to SRs is a disconnect between identification and response. Firms correctly identify an SR but then respond with standard, template-driven procedures that are no different from the response to a non-significant risk. ISA 330.15 requires the response to be specifically designed for the identified risk. When the response reads like every other section in the file, reviewers notice.

ISA 330.15(a) also prohibits reliance on audit evidence obtained in prior periods for SR assertions. Every SR must be tested with fresh evidence each year. The auditor can't carry forward last year's walkthrough or rely on a prior period's confirmation results.

The number of SRs on an engagement directly affects resource allocation and staffing. Each SR needs a tailored procedure and explicit documentation linking the risk assessment to the audit response. Under-identification saves planning time but creates inspection exposure. Over-identification triggers unnecessary work and dilutes audit focus. Getting the count wrong in either direction is frustrating for the team and expensive for the firm.

Key standard references

ISA 315.12(l) defines a significant risk as an identified RoMM for which the assessed level of inherent risk is close to the upper end of the spectrum. ISA 315.28 requires the auditor to determine whether any identified RoMMs qualify as SRs. Application guidance on the factors to consider (including the spectrum of inherent risk) appears in ISA 315.A220 through A224.

ISA 330.15 sets out the audit response requirements for SRs: substantive procedures specifically responsive to the risk, no reliance on controls alone, and no reliance on prior period evidence. ISA 240.26 establishes the rebuttable presumption of fraud risk in revenue recognition. ISA 240.31 establishes management override of controls as a non-rebuttable SR.

Frequently asked questions

What are the two presumed significant risks?

ISA 240.26 presumes a risk of fraud in revenue recognition (rebuttable if the auditor documents why it does not apply). ISA 240.31 treats management override of controls as a significant risk on every audit, with no rebuttal available. Both require specific substantive procedures responsive to the identified risk.

What does 'special audit consideration' mean in practice?

ISA 330.15 requires substantive procedures specifically responsive to the risk (not just standard testing), no reliance on controls alone, and no reliance on prior period audit evidence. Fresh evidence must be obtained each year for every significant risk assertion.

How do you identify a significant risk?

Start with the inherent risk factors from ISA 315.A5: complexity, subjectivity, change, and susceptibility to management bias or fraud. When multiple factors are present at elevated levels for a single assertion, the inherent risk position moves toward the upper end of the spectrum. The judgment is whether the combination is severe enough to require special consideration under ISA 315.28.
