What is ISA 315?

ISA 315 (Revised 2019), formally titled Identifying and Assessing the Risks of Material Misstatement, is an International Standard on Auditing issued by the International Auditing and Assurance Standards Board (IAASB) in December 2019. It establishes the auditor’s responsibilities for identifying and assessing the risks of material misstatement in financial statements through a thorough understanding of the entity and its environment.

“ISA 315 (Revised 2019) is a foundational standard to auditing in that it contains the requirements relating to the process for identifying and assessing the risks of material misstatement i.e. forming the basis for a focused, risk-responsive audit under ISA 330.”

The standard was substantially revised to address gaps identified in previous practice. Many firms had treated risk assessment as a procedural box-ticking exercise rather than a genuine exercise of professional judgment. The 2019 revision introduces more robust requirements, new concepts, and enhanced application material to correct this.

It became effective for audits of financial statements for periods beginning on or after 15 December 2021, and applies to all audits conducted in accordance with ISAs regardless of entity size, sector, or complexity.

Objective of the Standard

The primary objective of ISA 315 is for the auditor to identify and assess the risks of material misstatement at both the financial statement level and the assertion level. This provides the foundation for designing and implementing appropriate responses under ISA 330, The Auditor’s Responses to Assessed Risks.

Key Principle

ISA 315 is iterative, not linear. Many of its requirements are interrelated and are revisited as the auditor’s understanding of the entity evolves throughout the engagement. Risk assessments may need to be revised as new audit evidence emerges.

Key Changes from the Prior Standard

ISA 315 (Revised 2019) introduces significant changes that auditors must understand and incorporate into their methodologies. These are not merely cosmetic; they alter what the auditor must understand, document, and assess.

| Area | Prior Standard | ISA 315 (Revised 2019) |
|---|---|---|
| Inherent Risk Factors | Not explicitly defined | Five specific factors introduced (SCUCM) |
| Risk Spectrum | Binary: significant / non-significant | Spectrum of risk; significant risks at the higher end |
| Control Risk Assessment | Always required | Only required when testing operating effectiveness of controls |
| IT Focus | Limited guidance | Explicit IT considerations, general IT controls and information processing controls |
| Relevant Assertions | Considered broadly | New concept of “relevant assertions” explicitly defined |
| Scalability | Implied | Explicitly addressed with scalability guidance throughout |
| Financial Reporting Framework | Part of entity understanding | Elevated to standalone understanding requirement |
| Separating Identification & Assessment | Combined treatment | Separate requirements for identifying vs. assessing RoMM |

The Five Inherent Risk Factors

One of the most significant additions in the revised standard is the introduction of five inherent risk factors to help auditors assess the susceptibility of assertions to misstatement. These factors guide the auditor in gauging where on the Inherent Risk spectrum a given assertion falls.

01. Complexity

The degree of complexity in transactions, accounting estimates, or financial reporting requirements that increases the likelihood of misstatement.

02. Subjectivity

The extent to which significant management judgment is required, leaving room for different reasonable conclusions (increasing misstatement risk).

03. Uncertainty

Areas with significant estimation uncertainty, where outcomes cannot be precisely determined and divergence from actual amounts is likely.

04. Change

Significant changes in the entity, its environment, or the applicable financial reporting framework that increase inherent risk during the period.

05. Management Bias & Fraud

Susceptibility to misstatement due to management bias or fraud, particularly relevant where subjective judgments or estimates are involved.

The Spectrum of Inherent Risk

Rather than classifying inherent risk as simply “high” or “low,” ISA 315 (Revised 2019) introduces a spectrum of inherent risk. At the higher end of this spectrum lie significant risks, risks that require special audit consideration. The auditor must evaluate where each assertion falls on this spectrum, using the five factors above as inputs.

This spectrum-based approach encourages auditors to apply more nuanced professional judgment, rather than binary classification, and ensures that audit responses under ISA 330 are properly calibrated to actual risk levels.

Five Components of the System of Internal Control

ISA 315 (Revised 2019) requires the auditor to obtain an understanding of all five components of the entity’s system of internal control. While these components remain the same as in the prior standard, what the auditor must understand about each has been enhanced and clarified, particularly regarding the distinction between direct and indirect controls.

01. Control Environment

The foundation of the internal control system, including the tone at the top, governance structure, ethical values, and competence of personnel. Controls here are primarily indirect, influencing the risk of misstatement by setting the context for all other components.

02. Entity’s Risk Assessment Process

The entity’s own process for identifying, analyzing, and managing business risks relevant to financial reporting. The auditor evaluates whether this process is appropriate and whether risks identified by the entity are consistent with the auditor’s own risk identification.

03. Information System & Communication

The information system relevant to financial reporting, including the related business processes and communication channels that support the preparation of financial statements. It includes both IT and manual elements of transaction processing.

04. Control Activities

The specific policies and procedures that ensure management directives are carried out. These are direct controls that directly prevent or detect misstatements in assertions. Examples include authorizations, reconciliations, and segregation of duties.

05. Monitoring of Controls

The processes used by management to assess whether controls are operating effectively over time, and to take corrective action when necessary. The auditor’s understanding of this component influences the extent of reliance that can be placed on controls.

Revised 2019 Enhancement

The standard clarifies that the control environment, entity risk assessment process, and monitoring of controls contain primarily indirect controls, while control activities contain primarily direct controls. This distinction affects how auditors identify and assess risks, and how they test controls.

The ISA 315 Risk Assessment Process

ISA 315 (Revised 2019) follows a structured sequence of requirements, though the process is iterative in practice. Auditors must continually revisit earlier steps as understanding deepens.

1. Perform Risk Assessment Procedures

The auditor performs procedures to obtain sufficient appropriate audit evidence as the basis for risk identification and assessment. Sources include: inquiries of management, those charged with governance, and other entity personnel; analytical procedures; observation and inspection; and information gathered from prior engagements.

2. Obtain an Understanding of the Entity

The auditor builds a comprehensive understanding covering: the entity’s industry, regulatory environment, and external factors; its nature, including ownership structure and business model; applicable financial reporting framework; accounting policies; objectives, strategies, and related business risks; and financial performance measurement and review.

3. Understand the System of Internal Control

The auditor gains a sufficient understanding of all five components of internal control to evaluate the design and determine whether controls have been implemented, and to identify the types of potential misstatements and factors that affect RoMM.

4. Identify Risks of Material Misstatement

Using the information gathered, the auditor identifies RoMM at the financial statement level and the assertion level for significant classes of transactions, account balances, and disclosures, including relevant assertions within each class.

5. Assess Risks of Material Misstatement

The auditor assesses identified risks, considering inherent risk (using the five inherent risk factors) and control risk. The result informs the auditor’s significant risk determination and overall risk classification across the inherent risk spectrum.

6. Revise Assessments as Needed

As further audit procedures under ISA 330 are performed and new information is obtained, the auditor revises risk identifications and assessments accordingly, reinforcing the iterative nature of the standard.

IT Considerations in ISA 315 (Revised 2019)

A major enhancement in the revised standard is the expanded treatment of information technology. Recognizing the pervasive role of IT in modern financial reporting, ISA 315 (Revised 2019) introduces clearer requirements and guidance for the auditor’s understanding of the entity’s IT environment.

General IT Controls (GITCs)

The standard introduces General IT Controls (GITCs): controls over IT processes that support the continued proper operation of the entity’s information system. GITCs include controls over program development, program changes, computer operations, and access to programs and data. The auditor must understand whether relevant GITCs have been implemented.

Information Processing Controls

Information processing controls are controls that address risks arising from the processing of information in IT applications. These can be automated controls (embedded in application software) or manual controls that rely on information produced by IT. Understanding these controls is essential for evaluating the completeness and accuracy of information the auditor uses as audit evidence.

The extent of the auditor’s understanding of IT processes will vary with the nature and circumstances of the entity. As the entity’s IT environment becomes more complex, the work performed will likely involve team members with specialized IT skills.

Scalability of IT Requirements

ISA 315 recognizes that less complex entities may have simpler IT environments. The depth of understanding required is calibrated to the entity’s specific IT complexity: a small entity using off-the-shelf accounting software faces fundamentally different IT risks than a large multinational with bespoke ERP systems.

New Concepts & Key Terms

ISA 315 (Revised 2019) introduces several new concepts and terms that are not found in the prior standard. Auditors must understand these precisely to apply the standard correctly.

Relevant Assertions
Those assertions about classes of transactions, account balances, or disclosures where a risk of material misstatement exists. The auditor identifies relevant assertions to focus risk assessment and audit procedures appropriately.
Significant Classes of Transactions
Classes of transactions, account balances, or disclosures that are deemed significant based on their nature or the level of inherent risk assessed. These drive the primary focus of the audit.
Inherent Risk Spectrum
A continuum from lower to higher inherent risk. Significant risks occupy the higher end. The auditor places each assertion on this spectrum based on the five inherent risk factors.
Significant Risk
An identified risk of material misstatement for which the assessment of inherent risk is close to the upper end of the spectrum, due to the degree to which one or more inherent risk factors apply.
General IT Controls (GITCs)
Controls over IT processes that support the continued, proper operation of the entity’s information system and the overall integrity of information produced by IT applications.
Indirect Controls
Controls that have an indirect effect on the likelihood that a misstatement will be prevented or detected and corrected, primarily found in the control environment and monitoring components.
Direct Controls
Controls that directly prevent or detect and correct misstatements in financial statement assertions. Primarily found in control activities and information processing controls.

Audit Documentation Under ISA 315

ISA 315 (Revised 2019) includes specific documentation requirements. The auditor must include in audit documentation:

Discussion Among Engagement Team

Key aspects of discussions among the engagement team regarding susceptibility to material misstatement due to fraud or error, including how and when the discussion occurred and who participated.

Understanding of the Entity

The key elements of understanding obtained regarding the entity, its environment, the applicable financial reporting framework, and the system of internal control.

Identified and Assessed Risks

The identified and assessed risks of material misstatement at both the financial statement level and assertion level, including significant risks and the rationale for significant judgments made in the risk assessment.

Risks Where Controls Are Tested

The risks for which the auditor has identified controls that are intended to mitigate those risks, forming the basis for testing operating effectiveness of controls under ISA 330.

Professional Skepticism Reminder

Throughout the risk assessment process, ISA 315 requires the auditor to exercise and maintain professional skepticism, including maintaining a questioning mind, being alert to conditions that may indicate possible misstatement, and critically assessing audit evidence. The documentation should reflect this skeptical mindset.

Frequently Asked Questions

ISA 315 (Revised 2019) is the international standard that governs how auditors identify and assess the risks of material misstatement in financial statements. It matters because a thorough and well-documented risk assessment is the foundation of every effective, risk-based audit. The assessed risks directly drive the nature, timing, and extent of further audit procedures under ISA 330.

ISA 315 (Revised 2019) is effective for audits of financial statements for periods beginning on or after 15 December 2021. For calendar-year-end entities, this means it first applied to 31 December 2022 year-end audits.

The five inherent risk factors are: (1) Complexity: complexity of transactions or accounting requirements; (2) Subjectivity: degree of management judgment required; (3) Uncertainty: estimation uncertainty; (4) Change: significant changes in the entity or environment; and (5) Susceptibility to management bias or fraud: particularly where subjective assessments are made.

Yes. ISA 315 applies to all audits conducted under ISAs, regardless of entity size. However, the standard explicitly includes scalability guidance throughout, recognizing that the nature and extent of risk assessment procedures will vary based on the entity’s size and complexity. Less complex entities typically require less extensive procedures, though the same fundamental requirements apply.

ISA 315 and ISA 330 form a linked pair of standards. ISA 315 governs risk identification and assessment: understanding what could go wrong. ISA 330 governs the auditor’s responses to those assessed risks: what audit procedures to perform. The assessed risks under ISA 315 directly determine the nature, timing, and extent of further audit procedures under ISA 330. Conforming amendments to ISA 330 were also made as part of the ISA 315 revision project.

A notable change is that ISA 315 (Revised 2019) states that the auditor is only required to assess control risk if there are plans to test the operating effectiveness of controls. If the auditor does not plan to test controls, the assessment of control risk shall be set at the same level as inherent risk, ensuring the assessed risk of material misstatement is not lower than the inherent risk level, even without a separate control risk assessment.