Every statutory audit starts with understanding risk. Before testing a single transaction or reviewing a single balance, the engagement team needs to understand where the financial statements might be wrong – and why. That’s what ISA 315 is about. It’s the standard that tells auditors how to identify and assess the risks of material misstatement, and it shapes every decision made throughout the audit.
ISA (UK) 315 (Revised 2019), issued by the Financial Reporting Council (FRC), sets out what’s required to understand the entity and its environment, evaluate internal controls, and assess the risk of material error. For businesses, understanding this process matters. It affects how the engagement is planned, how much work is needed, and ultimately what it costs.
What is an audit risk assessment?
An audit risk assessment is the process used to identify and assess the risks that financial statements contain errors big enough to matter. In technical language, auditors are looking for risks of material misstatement – mistakes or omissions in the accounts that could influence the decisions of someone reading them.
This sits at the planning stage of the audit. It isn’t something that happens once and gets filed away. The assessment gets updated throughout the engagement as new information comes to light. If something unexpected turns up during testing, the team goes back and reconsiders whether the original conclusions still hold.
The risk assessment procedures include inquiry (asking management and staff questions), observation (watching how processes work in practice), inspection (reviewing documents, records and reports), and analytical procedures (looking at relationships between financial and non-financial data to spot anything unusual).
Getting this right is critical. If the auditor underestimates risk in a particular area, they won’t gather sufficient appropriate audit evidence to support their opinion. If they overestimate it, the engagement takes longer and costs more than it should. ISA 315 provides the framework for getting this balance right.
What is the ISA 315 risk assessment?
ISA 315 is the International Standard on Auditing that deals specifically with identifying and assessing the risks of material misstatement through understanding the entity and its environment, including the entity’s internal control. In the UK, the FRC adopted the revised version as ISA (UK) 315 (Revised July 2020), effective for audits of financial statements for periods beginning on or after 15 December 2021.
The standard requires the auditor to carry out specific procedures to obtain an understanding of the entity at several levels:
- The entity’s industry, regulatory environment and other external factors – sector-specific risks, relevant accounting standards, the legal framework
- The nature of the entity – ownership structure, operations, how the business makes money, how it’s governed
- The entity’s accounting policies – whether they’re appropriate for the business and consistent with the applicable financial reporting framework
- The entity’s objectives and strategies – because business risk often translates into risk of material misstatement
- The entity’s internal control – the control environment, how management identifies risks, information systems, control activities and monitoring
ISA 315 also introduced more explicit requirements around IT. The engagement team must now understand how the entity uses information technology in its financial reporting, identify IT risks that could affect the processing of transactions, and evaluate general IT controls. This was one of the most significant changes in the revised standard.
The audit risk model
At the heart of ISA 315 sits the audit risk model. It’s a formula that every trainee learns early in their career:
Audit Risk = Inherent Risk × Control Risk × Detection Risk
Audit risk is the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated. Nobody wants that. The job is to reduce audit risk to an acceptably low level.
The model breaks risk down into three components. Inherent risk and control risk are characteristics of the entity – the auditor assesses them but can’t change them. Detection risk is the risk that the procedures performed by the auditor won’t catch a material misstatement that exists. The engagement team controls detection risk by choosing the right procedures and applying them properly.
Here’s how it works in practice. If inherent risk is high for a particular account balance (say, revenue recognition for a company with complex contracts) and control risk is also high (weak controls over contract accounting), then much more testing is needed to bring detection risk down. That means more work, more time on site, and a higher fee. If the same company had strong internal controls over contract accounting, control risk would be lower, and less substantive testing would be needed.
Does ISA 315 apply to all audits?
Yes. ISA 315 applies to all engagements conducted under International Standards on Auditing. In the UK, that means every statutory engagement – whether it’s a small owner-managed company just above the threshold or a large listed group.
The standard is scalable. The FRC and ICAEW have both emphasised that it should be applied proportionately. A practitioner examining a small company with straightforward transactions doesn’t need to document the same depth of IT analysis as a Big Four firm working on a FTSE 100 company. But the core requirement is the same: identify and assess the risks of material misstatement before designing procedures to address those risks.
For smaller engagements, the focus might sit heavily on management override of controls (which ISA 240 treats as a presumed risk in every audit) and the areas where accounting estimates involve judgement. For larger engagements, the scope expands to cover group structures, complex financial instruments, multiple IT systems, and the work of component auditors.
What is PSA 315 Revised 2019?
PSA 315 is the Philippine Standard on Auditing equivalent of ISA 315. The International Auditing and Assurance Standards Board (IAASB) issued a revised ISA 315 in 2019, and individual jurisdictions then adopted it into their own frameworks. In the Philippines, it became PSA 315. In the UK, it became ISA (UK) 315 (Revised July 2020). The requirements are essentially the same – identifying and assessing the risks of material misstatement – with some local modifications to reflect jurisdiction-specific regulation.
The key changes in the revision included a more explicit requirement to assess inherent risk and control risk separately (previously, these could be assessed in combination), a new concept placing inherent risk on a spectrum, expanded requirements on understanding IT, and clearer links between the risk assessment process and the auditor’s responses under ISA 330.
Inherent risk factors
The revised ISA 315 introduced the concept of inherent risk factors – specific characteristics that affect how likely it is that an assertion about a class of transactions, account balance, or disclosure contains a misstatement that could be material. Where inherent risk is higher, the auditor needs to respond with more targeted audit procedures. The standard identifies five factors:
- Complexity – transactions or disclosures that involve complex calculations, multiple data sources, or subjective interpretation of accounting standards
- Subjectivity – areas where the accounting treatment depends on management’s judgement, such as provisions, impairment assessments, and fair value measurements
- Change – new accounting standards, new business activities, restructuring, or changes in the economic environment
- Uncertainty – estimates that depend on future events or conditions that are inherently unpredictable
- Susceptibility to misstatement due to management bias or fraud – where there are incentives or pressures that might lead to intentional misstatement
The degree to which these factors affect the combination of likelihood and magnitude determines where the risk sits on the spectrum. The spectrum of inherent risk helps to determine whether an identified risk is a significant risk – one that requires special attention in the audit process.
The concept of a significant risk matters because it changes what the auditor must do. Where inherent risk is close to the upper end of the spectrum, the engagement team must test controls that address significant risks (not just rely on substantive procedures) and consider the adequacy of related disclosures.
Control risk and internal controls
Control risk is the risk that a misstatement that could be material won’t be prevented or detected by the entity’s internal control. Under ISA 315, the auditor must obtain an understanding of internal controls relevant to the engagement. This doesn’t mean testing every control – it means understanding the control environment well enough to assess the risk of material misstatement at the assertion level.
The standard breaks internal control into five components:
- The control environment – the tone at the top, management’s attitude toward controls, governance and oversight
- The entity’s own risk process – how management identifies business risks that could affect the accuracy of financial reporting
- The information system and communication – how transactions are initiated, recorded, processed and reported. This is where IT risk comes in.
- Control activities – the policies and procedures that help ensure management directives are carried out. Authorisations, reconciliations, segregation of duties, physical controls over assets.
- Monitoring of controls – how the entity evaluates whether its internal controls are present and functioning. Internal assurance functions play a key role here.
For the auditor, a strong control environment with effective controls means lower control risk. That translates into less substantive testing. A weak control environment means controls can’t be relied on at all, and more persuasive audit evidence needs to be gathered through detailed substantive procedures.
How risk assessment shapes the audit plan
The whole point of the risk assessment is to drive what happens next. ISA 330, The Auditor’s Responses to Assessed Risks, picks up where ISA 315 leaves off. Once the auditor has completed their identification and assessment of risks of material misstatement, they design responses to the assessed risks at two levels:
- Overall responses – changes to the general approach, such as assigning more experienced staff to high-risk areas, increasing supervision, or incorporating more unpredictability into the testing programme
- Responses at the assertion level – specific procedures designed to address the risk of material misstatement at the financial statement and assertion level. This includes tests of controls (where the team plans to rely on them) and substantive procedures (tests of details and substantive analytical procedures)
Areas assessed as higher risk get more attention in the audit process. The auditor needs more persuasive evidence, which might mean larger sample sizes, more detailed testing, or testing at the year-end rather than at an interim date. Lower-risk areas can be addressed with less extensive procedures – perhaps analytical procedures alone, or testing at interim with a roll-forward to year-end.
This risk-based approach means the engagement is focused where it matters most. Two companies of similar size in the same industry might have very different plans if their risk profiles differ. A company with identified risks around revenue recognition will face much more detailed testing of revenue than one where revenue is straightforward.
What this means for your business
If your company is subject to statutory audit, this process directly affects you. Here’s how:
Better controls mean lower fees. This is the single most practical takeaway. When the auditor can rely on your internal controls, less substantive testing is needed. That saves time and reduces the fee. Companies that invest in strong financial controls – proper segregation of duties, regular reconciliations, documented approval processes, reliable IT systems – typically pay less than comparable companies with weak controls.
Cooperation during planning saves time. The engagement team will ask questions during the planning phase – about changes in the business, new transactions, management’s key judgements, IT systems. Responding promptly and openly lets them complete the assessment efficiently. Delays at the planning stage push work into the fieldwork period and increase pressure on the timetable.
The management letter matters. After the engagement, the auditor reports control weaknesses and identified risks in a management letter. These aren’t just observations to file away. Fixing the issues raised genuinely reduces risk for the next cycle. We see this regularly at Audit Group – clients who act on management letter points in year one see a smoother, faster process in year two.
Understand what’s driving the plan. Ask your auditor to explain which areas they’ve assessed as higher risk and why. You have a right to understand what’s driving the work. If you disagree – perhaps because you’ve implemented new controls since last year – raise it. A good auditor will reconsider their assessment if you can demonstrate that controls are working.
Audit Group’s approach to risk assessment
At Audit Group, this isn’t a box-ticking exercise. We use the ISA 315 framework as it’s intended – to build a genuine understanding of the entity and its environment, assess the risk of material misstatement at every level, and design procedures that address the risk efficiently.
We’re part of the Jack Ross group of chartered accountants (est. 1948), ICAEW-registered, and we’ve been carrying out UK auditing work for decades. Our audit methodologies reflect the practical realities of working with UK businesses – from companies just above the threshold of £10.2 million turnover to larger groups with complex structures.
Our approach covers all five components of internal control, considers inherent risk factors against the spectrum, evaluates IT risks proportionately, and links directly to how we plan the engagement. We carry out a separate assessment of inherent risk and control risk for every significant account balance and class of transactions, and document everything clearly so our audit work stands up to scrutiny.
If you’re looking for auditors who take this seriously and deliver an efficient, focused engagement, talk to us about your statutory audit.