ISA 315 (revised) requires auditors to identify and assess risks of material misstatement at both the financial statement and assertion levels. The standard sets out a three-step framework: understand the entity and its environment, identify the risks, and assess them by likelihood and magnitude. The output drives the audit response under ISA 330. Without a proper risk assessment, the audit cannot produce reliable evidence and the opinion is not defensible.
ISA (UK) 315 (Revised 2019), issued by the Financial Reporting Council (FRC), sets out what’s required to understand the entity and its environment, evaluate internal controls, and assess the risk of material error. For businesses, understanding this process matters. It affects how the engagement is planned, how much work is needed, and ultimately what it costs.
What is an audit risk assessment?
An audit risk assessment is the process used to identify and assess the risks that financial statements contain errors big enough to matter. In technical language, auditors are looking for risks of material misstatement – mistakes or omissions in the accounts that could influence the decisions of someone reading them.
This sits at the planning stage of the audit. It isn’t something that happens once and gets filed away. The assessment gets updated throughout the engagement as new information comes to light. If something unexpected turns up during testing, the team goes back and reconsiders whether the original conclusions still hold.
The risk assessment procedures include four techniques. Inquiry means asking management and staff direct questions. Observation means watching how processes work in practice. Inspection means reviewing documents, records and reports. Analytical procedures look at relationships between financial and non-financial data to spot anything unusual.
Getting this right is critical. If the auditor underestimates risk in a particular area, they won’t gather sufficient appropriate audit evidence to support their opinion. If they overestimate it, the engagement takes longer and costs more than it should. ISA 315 provides the framework for getting this balance right.
What is the ISA 315 risk assessment?
ISA 315 is the International Standard on Auditing that deals specifically with identifying and assessing the risks of material misstatement through understanding the entity and its environment, including the entity’s internal control. In the UK, the FRC adopted the revised version as ISA (UK) 315 (Revised July 2020), effective for audits of financial statements for periods beginning on or after 15 December 2021.
The standard requires the auditor to carry out specific procedures to obtain an understanding of the entity at several levels:
- The entity’s industry, regulatory environment and other external factors – sector-specific risks, relevant accounting standards, the legal framework
- The nature of the entity – ownership structure, operations, how the business makes money, how it’s governed
- The entity’s accounting policies – whether they’re appropriate for the business and consistent with the applicable financial reporting framework
- The entity’s objectives and strategies – because business risk often translates into risk of material misstatement
- The entity’s internal control – the control environment, how management identifies risks, information systems, control activities and monitoring
ISA 315 also introduced more explicit requirements around IT. The engagement team must now understand how the entity uses information technology in its financial reporting, identify IT risks that could affect the processing of transactions, and evaluate general IT controls. This was one of the most significant changes in the revised standard.
ISA 315 risk assessment procedures
The risk assessment process under ISA 315 has five distinct components. They build on each other and they’re all required for audits of financial statements carried out under International Standards on Auditing. Skipping or rushing any of them weakens the basis for the engagement team’s opinion.
1. Understanding the entity and its environment. The auditor learns how the business operates, how it makes money, the regulatory framework it sits within, and how it interacts with customers, suppliers and other parties. This understanding is gathered through inquiry of management and staff, observation of operations, inspection of board minutes and prior period accounts, and analytical review of the trial balance and other relevant information.
2. Understanding the entity’s internal control. Each of the five internal control components – control environment, the entity’s own risk assessment process, information system, control activities, and monitoring – has to be understood to a sufficient depth. The team isn’t testing controls yet at this stage. They’re working out which controls are relevant to the audit and how they’re designed.
3. Identifying risks of material misstatement. Drawing on what’s been learned, the team identifies where misstatement could occur. This sits at two levels. The financial statement level captures risks that affect many balances or disclosures – things like a weak control environment or going concern uncertainty. The assertion level captures risks that attach to specific account balances, classes of transactions, or disclosures.
4. Assessing the identified risks. Once risks are identified, the auditor assesses inherent risk and control risk separately. The revised standard places inherent risk on a spectrum, and where it sits on that spectrum drives the audit response. Significant risks – those at the upper end – get specific procedures and require evaluation of related disclosures.
5. Linking the risk assessment process to further audit procedures. ISA 315 doesn’t stand alone. Its output feeds directly into ISA 330, which sets out how the auditor responds to the assessed risks. Audit procedures are designed to address each identified risk at the assertion level, and the engagement team has to gather sufficient appropriate audit evidence to support the audit opinion. If the risk assessment is wrong, the procedures will be misdirected and the evidence won’t fit the risk.
The whole process is iterative. As fieldwork uncovers new information, the team revisits the assessment and adjusts procedures. A risk that looked low in planning might escalate after the testing of a related balance, and the audit plan flexes to address it.
The audit risk model
At the heart of ISA 315 sits the audit risk model. It’s a formula that every trainee learns early in their career:
Audit Risk = Inherent Risk x Control Risk x Detection Risk
Audit risk is the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated. Nobody wants that. The job is to reduce audit risk to an acceptably low level.
The model breaks risk down into three components. Inherent risk and control risk are characteristics of the entity – the auditor assesses them but can’t change them. Detection risk is the risk that the procedures performed by the auditor won’t catch a material misstatement that exists. The engagement team controls detection risk by choosing the right procedures and applying them properly.
Here’s how it works in practice. Suppose inherent risk is high for a particular account balance – say, revenue recognition for a company with complex contracts – and control risk is also high because controls over contract accounting are weak. In that case, much more testing is needed to bring detection risk down. That means more work, more time on site, and a higher fee. If the same company had strong internal controls over contract accounting, control risk would be lower, and less substantive testing would be needed.
Does ISA 315 apply to all audits?
Yes. ISA 315 applies to all engagements conducted under International Standards on Auditing. In the UK, that means every statutory engagement – whether it’s a small owner-managed company just above the threshold or a large listed group.
The standard is scalable. The FRC and ICAEW have both emphasised that it should be applied proportionately. A practitioner examining a small company with straightforward transactions doesn’t need to document the same depth of IT analysis as a Big Four firm working on a FTSE 100 company. But the core requirement is the same: identify and assess the risks of material misstatement before designing procedures to address those risks.
For smaller engagements, the focus might sit heavily on management override of controls (which ISA 240 treats as a presumed risk in every audit) and the areas where accounting estimates involve judgement. For larger engagements, the scope expands to cover group structures, complex financial instruments, multiple IT systems, and the work of component auditors.
What is PSA 315 Revised 2019?
PSA 315 is the Philippine Standard on Auditing equivalent of ISA 315. The International Auditing and Assurance Standards Board (IAASB) issued a revised ISA 315 in 2019, and individual jurisdictions then adopted it into their own frameworks. In the Philippines, it became PSA 315. In the UK, it became ISA (UK) 315 (Revised July 2020). The requirements are essentially the same – identifying and assessing the risks of material misstatement – with some local modifications to reflect jurisdiction-specific regulation.
The revision brought four key changes. First, an explicit requirement to assess inherent risk and control risk separately rather than in combination. Second, a new concept placing inherent risk on a spectrum. Third, expanded requirements on understanding IT. Fourth, clearer links between the risk assessment process and the auditor’s responses under ISA 330.
Inherent risk factors
The revised ISA 315 introduced the concept of inherent risk factors. These are specific characteristics that make a misstatement more likely. They apply to assertions about a class of transactions, an account balance, or a disclosure – and they help the team judge whether any misstatement could be material. Where inherent risk will be higher, the auditor needs to respond with more targeted audit procedures. The standard identifies five factors:
- Complexity – transactions or disclosures that involve complex calculations, multiple data sources, or subjective interpretation of accounting standards
- Subjectivity – areas where the accounting treatment depends on management’s judgement, such as provisions, impairment assessments, and fair value measurements
- Change – new accounting standards, new business activities, restructuring, or changes in the economic environment
- Uncertainty – estimates that depend on future events or conditions that are inherently unpredictable
- Susceptibility to misstatement due to management bias or fraud – where there are incentives or pressures that might lead to intentional misstatement
The degree to which these factors affect the combination of likelihood and magnitude determines where the risk sits on the spectrum. The spectrum of inherent risk helps to determine whether an identified risk is a significant risk – one that requires special attention in the audit process.
The concept of a significant risk matters because it changes what the auditor must do. Where inherent risk sits close to the upper end of the spectrum, more is required. The engagement team must test the controls that address those significant risks – not just rely on substantive procedures. They must also consider the adequacy of related disclosures.
Control risk and internal controls
Control risk is the risk that a misstatement that could be material won’t be prevented or detected by the entity’s internal control. Under ISA 315, the auditor must obtain an understanding of internal controls relevant to the engagement. This doesn’t mean testing every control – it means understanding the control environment well enough to assess the risk of material misstatement at the assertion level.
The standard breaks internal control into five components:
- The control environment – the tone at the top, management’s attitude toward controls, governance and oversight
- The entity’s own risk process – how management identifies business risks that could affect the accuracy of financial reporting
- The information system and communication – how transactions are initiated, recorded, processed and reported. This is where IT risk comes in.
- Control activities – the policies and procedures that help ensure management directives are carried out. Authorisations, reconciliations, segregation of duties, physical controls over assets.
- Monitoring of controls – how the entity evaluates whether its internal controls are present and functioning. Internal assurance functions play a key role here.
For the auditor, a strong control environment with effective controls means lower control risk. That translates into less substantive testing. A weak control environment means controls can’t be relied on at all, and more persuasive audit evidence needs to be gathered through detailed substantive procedures.
How risk assessment shapes the audit plan
The whole point of the risk assessment is to drive what happens next. ISA 330, The Auditor’s Responses to Assessed Risks, picks up where ISA 315 leaves off. Once the auditor has completed their identification and assessment of risks of material misstatement, they design responses to the assessed risks at two levels:
- Overall responses – changes to the general approach, such as assigning more experienced staff to high-risk areas, increasing supervision, or incorporating more unpredictability into the testing programme
- Responses at the assertion level – specific procedures designed to address the risk of material misstatement at the financial statement and assertion level. This includes tests of controls (where the team plans to rely on them) and substantive procedures (tests of details and substantive analytical procedures)
Areas assessed as higher risk get more attention in the audit process. The auditor needs more persuasive evidence, which might mean larger sample sizes, more detailed testing, or testing at the year-end rather than at an interim date. Lower-risk areas can be addressed with less extensive procedures – perhaps analytical procedures alone, or testing at interim with a roll-forward to year-end.
This risk-based approach means the engagement is focused where it matters most. Two companies of similar size in the same industry might have very different plans if their risk profiles differ. A company with identified risks around revenue recognition will face much more detailed testing of revenue than one where revenue is straightforward.
What this means for your business
If your company is subject to statutory audit, this process directly affects you. Here’s how:
Better controls mean lower fees. This is the single most practical takeaway. When the auditor can rely on your internal controls, less substantive testing is needed. That saves time and reduces the fee. Companies that invest in strong financial controls – proper segregation of duties, regular reconciliations, documented approval processes, reliable IT systems – typically pay less than comparable companies with weak controls.
Cooperation during planning saves time. The engagement team will ask questions during the planning phase – about changes in the business, new transactions, management’s key judgements, IT systems. Responding promptly and openly lets them complete the assessment efficiently. Delays at the planning stage push work into the fieldwork period and increase pressure on the timetable.
The management letter matters. After the engagement, the auditor reports control weaknesses and identified risks in a management letter. These aren’t just observations to file away. Fixing the issues raised genuinely reduces risk for the next cycle. We see this regularly at Audit Group – clients who act on management letter points in year one see a smoother, faster process in year two.
Understand what’s driving the plan. Ask your auditor to explain which areas they’ve assessed as higher risk and why. You have a right to understand what’s driving the work. If you disagree – perhaps because you’ve implemented new controls since last year – raise it. A good auditor will reconsider their assessment if you can demonstrate that controls are working.
Audit Group’s approach to risk assessment
At Audit Group, this isn’t a box-ticking exercise. We use the ISA 315 framework as it’s intended. The aim is to build a genuine understanding of the entity and its environment. From there, we assess the risk of material misstatement at every level, then design procedures that address the risk efficiently.
We’re part of the Jack Ross group of chartered accountants (est. 1948), ICAEW-registered, and we’ve been carrying out UK auditing work for decades. Our audit methodologies reflect the practical realities of working with UK businesses – from companies just above the threshold of 10.2 million turnover to larger groups with complex structures.
Our approach covers all five components of internal control, considers inherent risk factors against the spectrum, evaluates IT risks proportionately, and links directly to how we plan the engagement. We assess inherent risk and control risk separately for every significant account balance and class of transactions. The documentation is detailed and clear, so our audit work stands up to scrutiny from the FRC, peer reviewers, and successor auditors alike.
If you’re looking for auditors who take this seriously and deliver an efficient, focused engagement, talk to us about your statutory audit.
Common questions
What is PSA 315 (revised 2019) on identifying and assessing the risks of material misstatement?
PSA 315 is the Philippine equivalent of the international standard. In the UK we apply ISA (UK) 315 (Revised July 2020), issued by the Financial Reporting Council. It carries the same name – “Identifying and Assessing the Risks of Material Misstatement” – and the same core requirements: understand the entity and its environment, evaluate the design and implementation of internal controls, and identify risks of material misstatement at the assertion level. The 2019/2020 revisions tightened the documentation expected and introduced the spectrum of inherent risk. If you’re searching for PSA 315 from a UK perspective, the UK ISA 315 (Revised) is what your auditor will follow. See our full ISA 315 guide for the procedures.