ISA 315 (Revised) – The Key Changes

ISA 315 (Revised) deals with the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements, through understanding the entity and its environment, including the entity’s internal control, which is effective for periods commencing on or after 15 December 2021, with early adoption permitted. In this blog we have a look at some of the key changes, what we as auditors are to expect and what we might already be familiar with:

1) Understanding system of internal control

Internal control has been revised to the entity’s system of internal controls. These include controls that address a significant risk, controls over journal entries, controls for which the auditor plans to test operating effectiveness, and other controls that the auditor considers appropriate.  An important management responsibility is to establish and maintain a system of internal controls. The auditor is required to consider the design of each control relevant to the audit and if it has been implemented correctly. IAASA are of an opinion that understanding an entity’s system of internal control is integral to the auditor’s identification and assessment of the risks of material misstatement.

2) Inherent Risk and Standard Risk

The revised standard states that the auditors must carry out a separate assessment of inherent risk and control risk and the introduction of five new inherent risk factors to aid in risk assessment; subjectivity, complexity, uncertainty, change and susceptibility to misstatement due to management bias or fraud.  Auditors would probably already be familiar with the requirement for separate assessments, since ISA (UK) 540 Auditing Accounting Estimates and Related Disclosures introduced it for accounting estimates for periods commencing on or after 15 December 2019. However, it is possible that some auditors would already have been performing separate assessments.

3) Spectrum of Risk

A new spectrum of risk, at the higher end of which lie significant risks. The intention being to drive more focused responses to risks identified. Whilst the standard does not set out the spectrum to be used (instead, leaving this for auditors to establish), it does make clear that the higher on the spectrum of inherent risk a risk is assessed, the more persuasive the audit evidence needs to be. Whilst a spectrum of risk will take a bit of getting used to and does represent a significant change to risk assessment overall, it’s worth noting that auditors should once again already be familiar to the concept in the context of auditing estimates.

4) Professional Scepticism

There is a greater focus on professional scepticism. The standard sets out that all evidence obtained must know be considered when performing risk assessment procedures whether corroborative or contradictory, to evaluate whether the audit evidence obtained from risk assessment procedures provides an appropriate basis for risk assessment. Documentation may include how the auditor evaluated the evidence. 

Auditors should be quite familiar with professional scepticism as it has long been required in an audit context and should already be at the forefront of auditors’ minds. In reality the greater emphasis within the revised ISA is likely to have little practical effect for auditors already giving it due concern, although it perhaps serves as a useful reminder to maintain such focus, especially given its greater prominence within the revised versions of ISA (UK) 540 and ISA (UK) 240 The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements too. 5) Entity’s use of Information Technology (IT)

The standard recognises that there could be risks of material misstatement from the entity’s use of IT such as, risks to the integrity of information in the entity’s information system due to ineffective design or operation of controls in the entity’s IT processes. Therefore, there is a need for more robust understanding of the entity’s control environment including its IT controls. An IT system will only be as good as the controls which support it; therefore, it is imperative that an assessment is made of the related risks of using IT and the entity’s general IT controls. General IT controls alone are not adequate, and an assessment should be made to understand how management monitor the IT controls, permissions, errors or control deficiencies across the IT environment. Accordingly, the standard introduces new definition of ‘general IT controls’ and ‘information processing controls’. For those auditors who have previously taken a controls-based approach to audits and relied upon automated controls, these revisions may not have a significant practical impact.   For those auditors who have previously adopted a fully substantive approach, the revisions represent a much more significant change - one which would benefit from early consideration.


In summary, the ISA 315 (Revised) is an important revision that strengthens the auditors’ responsibilities in identifying and assessing the risks of material misstatement in the financial statements. It requires the auditor to exercise professional scepticism and to obtain sufficient appropriate audit evidence to support the conclusion reached on the financial statements.