ISA 315 Risk Assessment
Presented by John Selwood
2020innovation.com
The content of this course, along with the slides and accompanying notes, remains the copyright of the presenter and should not be reproduced, shared or distributed without permission.
Where this document contains public sector information, this is licensed under the Open Government Licence v3.0 (www.nationalarchives.gov.uk/doc/open-government-licence/version/3/). Where reference is made to professional body websites, the copyright for the material in question is retained by the relevant professional body. UK Accounting, Auditing and Ethical Standards are © Financial Reporting Council Ltd (FRC) (https://www.frc.org.uk/about-the-frc/procedures-and-policies/disclaimer-and-copyright). 20:20 Innovation cannot accept responsibility for any person acting or refraining to act as a result of any material contained in this document or information otherwise shared during or after the training course to which it relates.
ISA 315 – Risk assessment
Contents
1 ISA (UK) 315 - Overview
2 ISA (UK) 315 – Internal controls
3 ISA (UK) 315 - Risk assessment
Publication date: February 2024
Disclaimer
Whilst every effort has been made to ensure accuracy regarding the content of these notes, the authors cannot be held responsible in any way for consequences arising from the
information given. No decisions should be taken on the basis of information included in the slides/notes without reference to specialist advice. Furthermore, any responses given
during the course to questions are only based on an outline understanding of the facts and circumstances of the cases and therefore should not be relied upon without reference
to specialist advice tailored to your circumstances.
1 ISA (UK) 315 - Overview
ISA (UK) 315 (Revised July 2020) Identifying and Assessing the Risks of Material
Misstatement is effective for audits of financial statements for periods beginning on or
after 15 December 2021 (i.e. December 2022 year ends onwards, or short periods) and
early adoption is permissible.
The changes arising from ISA (UK) 315 (Revised) can be summarised as follows:
• Five new inherent risk factors to aid in risk assessment
• A new ‘spectrum of risk’ at the higher end of which lies significant risks
• Sufficient and appropriate audit evidence to be obtained from risk assessment
procedures as the basis for the risk assessment
• Significant enhancements to IT general controls
• More controls relevant to the audit, with design and implementation work
required for such controls
• Inclusion of considerations specific to smaller entities within the main body of
the standard and removal of the separate section related to this
• Requirement for inherent and control risk to be assessed separately
• Distinguishing between direct and indirect control components
• New stand-back requirement which requires the auditor to reconsider their
assessment if they deem material classes of transactions, account balances and
disclosures as insignificant
2 ISA (UK) 315 – Internal controls
ISA (UK) 315 Identifying and Assessing the Risks of Material Misstatement is a vast
standard that seems to be causing a number of issues with audit firms (as evidenced
during file reviews).
Many of the issues found during file reviews appear to be with documenting the
systems and controls and the risks associated with those systems and controls.
General IT controls seem to be particularly problematic in terms of how they are
documented and the risks arising from those controls.
2.1 Understanding the entity’s system of internal control
One of the crucial planning activities carried out by an auditor is understanding the
system of internal control. This is covered by ISA (UK) 315 in Appendix 3 Understanding
the Entity’s System of Internal Control. It contains detailed guidance on understanding
the client’s internal control system and each relevant component as follows:
Component: Explanation
• Control environment: The culture and ‘top-down’ commitment to integrity, ethics and nurturing competent and accountable staff.
• Risk assessment process: How the entity identifies, assesses and responds to risks.
• Monitoring process: How the entity monitors its system of internal control (such as via internal audit or other compliance checks).
• Information processing and communication: How transactions are initiated and the relevant details captured and processed along with accounting records, financial reporting processes and IT resources. It also includes how accounting issues are communicated to management and (if separate), those charged with governance.
• Control activities: Specific controls over significant risks, journal entries and any other controls that the auditor plans to test for operating effectiveness together with any related IT applications.
Appendix 3 to ISA (UK) 315 also contains examples of control activities under the
following headings:
Authorization and approval
This control confirms that a transaction is valid. This will usually take the form of an
approval by a responsible official within the organisation, such as a supervisor
approving overtime or a manager approving an expense claim.
Reconciliations
These compare two, or more, data elements. For example, the bank reconciliation will
highlight any differences between the balance per the bank statement at the end of
an accounting period and the balance per the client’s cash book.
Verifications
Verifications compare two, or more, items with each other or compare an item with a
policy. Where the two items do not match, or it is inconsistent with a policy, the auditor
will investigate further.
Physical or logical controls including those that address security of assets against
unauthorized access, acquisition, use or disposal
Typical examples include the physical security of assets (e.g. high-value inventory) and
other expensive assets, such as computer equipment. These controls also include
restricting access to computer programs and data files (e.g. restricting access to
payroll records or the online banking system) and the periodic counting of assets (e.g.
a cash count, or physical inventory count for comparison to the accounting records).
Segregation of duties
This control ensures that no one person has too much responsibility for a key area of
the accounting system. Segregation of duties intends to reduce the opportunity of
fraud. For example, a payroll clerk may process the payroll and then another person
in the finance team may review the payroll, followed by a detailed review by the
finance director to ensure that payments are being made to bona fide employees.
2.2 IT controls
There is much more emphasis on IT controls in ISA (UK) 315 (Revised). They are split
between two appendices in ISA (UK) 315 as follows:
• Appendix 5 Considerations for Understanding Information Technology; and
• Appendix 6 Considerations for Understanding General IT Controls.
These appendices are lengthy and intend to provide guidance to audit teams on the
new requirements. They detail various characteristics of commercial software
applications which are relevant to financial reporting and show how these are found
in:
• Non-complex software
• Mid-size and moderately complex software or IT applications
• Large or complex applications (such as Enterprise Resource Planning (ERP)
systems)
Where the client has a non-complex IT environment (e.g. a smaller audit client), the
requirements of ISA (UK) 315 are likely to give rise to more IT controls being tested
than was the case under the old version of the ISA (UK). Remember, ISA (UK) 315 is
intended to be scalable, hence brief notes or assessments are likely to be sufficient for
a client that uses an off-the-shelf package (e.g. SAGE/XERO or QuickBooks).
Where a client uses an ERP system, this is likely to be considered complex. It is likely
that the client will be large and will have a separate department that maintains the
ERP system. The issue faced by auditors is that complying with the requirements of
ISA (UK) 315 (Revised) is going to prove problematic because auditors will generally
not have any experience of the ‘mechanics’ behind the system and so it is likely that
the auditor will have to engage an expert with specific experience (or similar
experience) of the ERP system.
2.3 Going ‘back to basics’
ISA (UK) 315 (Revised) does not require the auditor to become an IT auditor. What it is
trying to do is to get the auditor to think about the controls that are in place over the
client’s IT system as a means of assessing the risks of material misstatement in the
financial statements.
Illustration 1
Many people nowadays work from home and from the office (known as ‘hybrid’ working). This
will usually involve logging onto the firm’s server to carry out their work.
The employee will enter various logon details, including passwords, and there may also be a
two-factor authentication step whereby the user has to input a code that has been sent to
another trusted device. Once the user’s credentials have been correctly input, the system will
allow access.
These are all IT controls to prevent unauthorised access to the IT system.
Illustration 2
A client operates in the haulage business shipping goods from a central warehouse on behalf
of its customer. Due to the nature of the business, the warehouse operates 24 hours a day,
seven days a week. Warehouse staff are required to work shifts and must enter and exit the
warehouse using a swipe card which has their details stored on it electronically. This swipe
card records the number of hours worked, including overtime worked.
The electronic time recording system is also linked to the company’s payroll system. Each
week, the payroll department will import the hours worked from the electronic time recording
system into the payroll system. A report is produced detailing the number of hours worked
which is reviewed by the warehouse manager. The payroll cannot be finalised until the
warehouse manager has signed off that week’s hours worked report.
The payroll system automatically calculates the gross pay, statutory deductions and net pay.
It also calculates the PAYE/NIC liability due to HM Revenue and Customs each month.
In this cycle, the auditor should review and document:
• The controls in place at the warehouse which aim to prevent employees being paid for
hours not worked (the need to enter and exit the warehouse using the swipe card).
• The controls that are in place to ensure that the hours worked are accurately imported
from the time recording system into the payroll system (the warehouse manager
authorising the hours worked or a reconciliation carried out by the payroll department).
• Access controls over the payroll system itself.
• Controls over the payroll processing – ie, whether information output from the payroll
system is reviewed by a senior official prior to the payroll being finalised.
• Controls over the payment of the payroll to employees, ie, looking for segregation of
duties between the payroll department and the physical payment of the payroll to
employees.
Flowcharts may be a useful way of identifying any missing controls in this process.
Here, the auditor is trying to identify the controls over the IT systems (and the payroll cycle
itself) to ensure that there is a control in place at each stage of the process.
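As an added example (not part of the course notes or any payroll product), the following Python script automates the checks listed above for one week's payroll run: it reconciles swipe-card hours to the hours imported into payroll, confirms the warehouse manager's sign-off agrees to what was actually imported, flags any user who both processed and paid the payroll (segregation of duties), and lists users outside the permitted roles who touched the payroll system. The record layout, role names and all values are constructed assumptions.

```python
"""Control checks over the swipe-card-to-payroll cycle described in Illustration 2.

Added example; not from the course notes. The record layout (dicts keyed by employee
id, a weekly sign-off record and a run log) and every value below are constructed.
"""

# --- constructed sample data for one week --------------------------------------
SWIPE_HOURS = {"E001": 42.0, "E002": 38.5, "E003": 45.0}     # electronic time recording
PAYROLL_HOURS = {"E001": 42.0, "E002": 40.0, "E004": 12.0}   # hours as imported to payroll
# Manager signed off the time-system report (125.5 h), but payroll imported 94.0 h.
SIGN_OFF = {"week": "2024-W06", "signed_by": "warehouse_manager", "report_total": 125.5}
RUN_LOG = [  # who did what on the payroll system this week (constructed audit trail)
    {"user": "pclerk", "role": "payroll", "action": "process"},
    {"user": "fdir", "role": "finance_director", "action": "review"},
    {"user": "pclerk", "role": "payroll", "action": "pay"},
    {"user": "whstaff1", "role": "warehouse", "action": "view_payroll"},
]
PAYROLL_ROLES = {"payroll", "finance_director"}  # roles permitted in the payroll system


def reconcile_hours(swipe, payroll, tolerance=0.0):
    """Hours must transfer accurately from the time system to payroll.
    Returns one finding per employee whose hours differ or who appears on one side only."""
    findings = []
    for emp in sorted(set(swipe) | set(payroll)):
        s, p = swipe.get(emp), payroll.get(emp)
        if s is None:
            findings.append((emp, "in payroll but no swipe-card hours"))
        elif p is None:
            findings.append((emp, "swipe-card hours not imported to payroll"))
        elif abs(s - p) > tolerance:
            findings.append((emp, f"swipe {s} vs payroll {p}"))
    return findings


def sign_off_valid(sign_off, payroll):
    """Payroll may not be finalised until the warehouse manager has signed off a
    report whose total agrees to the hours actually imported into payroll."""
    return (sign_off.get("signed_by") == "warehouse_manager"
            and abs(sign_off.get("report_total", -1.0) - sum(payroll.values())) < 0.01)


def segregation_violations(run_log):
    """The person who processes the payroll must not also release payment."""
    users_by_action = {}
    for entry in run_log:
        users_by_action.setdefault(entry["action"], set()).add(entry["user"])
    return sorted(users_by_action.get("process", set()) & users_by_action.get("pay", set()))


def unauthorised_access(run_log, allowed_roles):
    """Only payroll-related roles may access the payroll system at all."""
    return sorted({e["user"] for e in run_log if e["role"] not in allowed_roles})


def assess_payroll_controls(swipe=SWIPE_HOURS, payroll=PAYROLL_HOURS,
                            sign_off=SIGN_OFF, run_log=RUN_LOG, roles=PAYROLL_ROLES):
    """Run every check; an empty/False value for each key means the control held."""
    return {
        "hours_mismatch": reconcile_hours(swipe, payroll),
        "sign_off_missing_or_wrong": not sign_off_valid(sign_off, payroll),
        "sod_breach": segregation_violations(run_log),
        "unauthorised_users": unauthorised_access(run_log, roles),
    }


if __name__ == "__main__":
    for control, result in assess_payroll_controls().items():
        print(f"{control}: {result or 'no exceptions'}")
```

On the constructed data every control shows an exception, which is the point: a signed-off report that does not agree to the imported hours is itself evidence that the import control failed.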
2.4 Use of spreadsheets by a client
Despite many modern accounting systems being powerful, clients tend to maintain
spreadsheets for several aspects of the accounting system. These can be
straightforward documents, or highly sophisticated ones containing many thousands
of formulae to produce information that management needs for the decision-making
process.
A commonly quoted statistic is that as many as 90% of spreadsheets contain mistakes.
While many of these errors are generally minor, from an auditing perspective, a lot of
small errors can add up and end up being material. It is important that the auditor
carries out procedures that provide them with confidence that the data they have
been given is reliable.
Risk is another factor that auditors need to keep in mind where spreadsheets are
concerned. If an IT system produces reports in the form of a spreadsheet (which most
systems do nowadays), there is a risk that the data can be manipulated by the user.
Manipulation can involve changing amounts/formulae/deleting information either
intentionally or unintentionally. Either way, this invariably becomes a risk of material
misstatement at the financial statement level.
Example – Sophisticated Enterprise Resource Planning (ERP) system
Sunnie Enterprises Ltd has a bespoke ERP system in place which includes the accounting
system. The financial controller prepares monthly management accounts and prepares the
year-end trial balance. The finance director prepares the draft accounts ready for the auditors
from the year-end trial balance.
The ERP system has been fully documented by the audit engagement team and tests of
controls have been carried out during an interim audit which revealed the IT controls are
working effectively.
A lot of the data from the ERP system is exported into manual spreadsheets which are used
in the financial reporting process. As the financial controller prepares this documentation
from a sophisticated accounting system, there are no further checks on this data.
In this situation, despite the business having a sophisticated accounting system with effective
controls, these controls essentially become redundant once the data is worked on in a manual
spreadsheet. Once work on the spreadsheets starts, no further checks are carried out.
The difficulty in this situation is that there is little in the way of an audit trail where the
spreadsheets are concerned. Hence it is difficult for the auditor to track changes and
understand who made those changes.
ISA (UK) 500 Audit Evidence requires the auditor to evaluate when information provided by the
audited entity is sufficiently reliable for the purposes of the audit. This includes obtaining
audit evidence concerning the accuracy and completeness of the information and evaluating
whether the information is sufficiently precise and detailed.
At the planning stage of the audit, the audit engagement team would need to devise
appropriate audit procedures over these spreadsheets, including ensuring the correct version
is being audited.
The other issue that is often encountered when carrying out audit work is that some
clients will often present information that has been exported from an accounting
system into a spreadsheet and the information presented to the auditor is presented
in a PDF format. Basic checks, such as checking for arithmetical accuracy, can be
carried out on the PDF, but the important issue the auditor must consider is whether
the underlying data is correct. For example, are the formulae correct and has the ‘raw’
data from the accounting system been exported correctly into the spreadsheet (the
auditor could perform a reconciliation of the information in the accounting system to
the information presented in the spreadsheet). In any event, it is important that the
auditor asks for the original spreadsheet so they can carry out audit procedures to
verify the underlying information and ensure accuracy.
Analytical review procedures
The auditor can use analytical procedures over a spreadsheet as a means of
identifying potential sources of misstatement. For example, recalculating amounts in
the spreadsheet, or using ratios can provide the auditor with indicators that the
amounts in the spreadsheet need to be challenged, or they can confirm that the
results are reasonable.
Trend analysis is also a key tool at the auditor’s disposal, especially where
spreadsheets are concerned. Trend charts can assist an auditor in identifying
patterns or trends that either contradict the auditor’s expectations or confirm them.
Substantive procedures
Substantive procedures on a spreadsheet are often the most effective in identifying
misstatements. Remember, substantive procedures aim to detect misstatements so
carrying out such testing on spreadsheets is very useful. Such tests may include:
• Reviewing formulae to identify if there are any errors or omissions (particularly with
larger spreadsheets).
• Inspecting the spreadsheet using Excel’s built-in function to inspect a workbook and
identify potential issues.
• Identifying any inconsistencies in the spreadsheet which may be manipulating the
final result or output of the information in the spreadsheet (eg, balancing figures).
• Reperforming calculations to assess if the auditor’s output is consistent with the
client’s output.
2.5 Summary
The technical provisions of ISA (UK) 315 (Revised) have been covered a lot in previous
updates. A lot of what is in the standard is common sense and requires a logical
thought process to be put in place. For example, how do transactions and balances
start their journey from initial entry into the accounting system to the financial
statements? What processes and controls are there during this journey to ensure they
end up in the right place? The key is then documenting this journey and the controls
in place to ensure the transactions and balances end up at the right destination in the
financial statements.
3 ISA (UK) 315 - Risk assessment
3.1 Inherent and control risk assessments
ISA (UK) 315 (Revised) requires the auditor to carry out a separate assessment of
inherent risk and control risk.
Inherent risk
This is the risk that the financial statements contain a material misstatement before
the auditor considers any related controls over that risk.
Consider a client that has a material portfolio of financial instruments which are
measured at fair value through profit or loss. Accounting standards, such as FRS 102,
Section 12 Other Financial Instruments Issues and IFRS® 9 Financial Instruments are
inherently complex. The inherent risk in this respect is that the client does not fully
understand the requirements of these complex accounting standards and hence there
is a risk of material misstatement.
Appendix 2 to ISA (UK) 315 provides some examples of the risk factors that may
contribute to the inherent risk assessment as follows:
Risk factor: Examples

Complexity
• Regulatory: Operations that are subject to a high degree of complex regulation
• Business model: The existence of complex alliances and joint ventures
• Applicable financial reporting framework: Accounting measurements that involve complex processes
• Transactions: Use of off-balance sheet finance, special-purpose entities and other complex financing arrangements

Subjectivity
• Applicable financial reporting framework: A wide range of possible measurement criteria of an accounting estimate. For example, management’s recognition of depreciation or construction income and expenses. Management’s selection of a valuation technique or model for a non-current asset, such as investment properties.

Change
• Economic conditions: Operations in regions that are economically unstable, for example, countries with significant currency devaluation or highly inflationary economies
• Markets: Operations exposed to volatile markets, for example, futures trading
• Customer loss: Going concern and liquidity issues, including loss of significant customers
• Industry model: Changes in the industry in which the entity operates
• Business model: Changes in the supply chain; developing or offering new products or services or moving into new lines of business
• Geography: Expanding into new locations
• Entity structure: Changes in the entity, such as large acquisitions or reorganisations or other unusual events; entities or business segments likely to be sold
• Human resources competence: Changes in key personnel, including the departure of key executives
• IT: Changes in the IT environment; installation of significant new IT systems related to financial reporting
• Applicable framework: Application of new accounting pronouncements
• Capital: New constraints on the availability of capital and credit
• Regulatory: The inception of investigations into the entity’s operations or financial results by regulatory or government bodies; impact of new legislation related to environmental protection

Uncertainty
• Reporting: Events or transactions that involve significant measurement uncertainty, including accounting estimates and related disclosures; pending litigation and contingent liabilities, for example, sales warranties, financial guarantees, and environmental remediation

Susceptibility to misstatement
• Reporting: Opportunities for management and employees to engage in fraudulent financial reporting, including omission or obscuring of significant information in disclosures
• Transactions: Significant transactions with related parties; a significant amount of non-routine or non-systematic transactions, including intercompany transactions and large revenue transactions at period end; transactions that are recorded based on management’s intent, for example, debt refinancing, assets to be sold and classification of marketable securities
Control risk
Control risk is the risk that the client’s system of internal control will not prevent and
detect, on a timely basis, a misstatement that could be material. The term ‘controls’ is
defined in ISA (UK) 315 (para 12) as follows:
Policies or procedures that an entity establishes to achieve the control objective of
management or those charged with governance. In this context:
i. Policies are statements of what should not be done within the entity to effect
control. Such statements may be documented, explicitly stated in
communications, or implied through actions and decisions.
ii. Procedures are actions to implement the policies.
ISA (UK) 315 (para A220) provides the following examples:
Cash at a supermarket retailer would ordinarily be determined to be a high likelihood of possible
misstatement (due to the risk of cash being misappropriated), however, the magnitude would
typically be very low (due to the low levels of physical cash handled in the stores). The combination
of these two factors on the spectrum of inherent risk would be unlikely to result in the existence of
cash being determined to be a significant risk.
An entity is in negotiations to sell a business segment. The auditor considers the effect on goodwill
impairment and may determine there is a higher likelihood of possible misstatement and a higher
magnitude due to the impact of inherent risk factors of subjectivity, uncertainty and susceptibility
to management bias or other fraud risk factors. This may result in goodwill impairment being
determined to be a significant risk.
ISA (UK) 315 (para A221) then goes on to provide further examples of where significant risks may
arise:
• Transactions for which there are multiple acceptable accounting treatments.
• Accounting estimates that have high estimation uncertainty or complex models.
• Complexity in data collection and processing to support account balances.
• Account balances or quantitative disclosures that involve complex calculations.
• Accounting principles that may be subject to differing interpretations.
• Changes in the entity’s business, for example, mergers and acquisitions.
3.2 Risk spectrum
As noted above, for the identified risks of material misstatement at the assertion level,
the auditor is required to carry out a separate assessment of inherent risk and control
risk. This separate assessment was introduced into ISA (UK) 315 (Revised) to maintain
consistency with ISA (UK) 330 The Auditor’s Responses to Assessed Risks which also
requires the auditor to consider inherent risk and control risk separately in order to
respond appropriately to the assessed risks of material misstatement at the assertion
level.
Inherent risk will be higher for some assertions and related classes of transactions,
account balances and disclosures than for others and this will require the exercise of
professional judgement by the auditor. The degree to which inherent risk varies is
referred to as the spectrum of inherent risk.
The spectrum of inherent risk helps to determine whether an identified risk is a
significant risk. ISA (UK) 315 introduces the concept of a significant risk, which is an
identified risk of material misstatement for which the assessment of inherent risk is
close to the upper end of the spectrum of inherent risk. This is due to the degree to
which inherent risk factors affect the combination of the likelihood and the magnitude
of a potential misstatement.
When the auditor is planning responses to identified risks, risks may need to be
prioritised as the auditor must plan to obtain more (persuasive) audit evidence in
relation to significant risks. The higher on the spectrum of inherent risk a risk is
assessed, the more persuasive the audit evidence will need to be. In addition, the
auditor must identify the controls that address significant risks and whether those
controls have been designed effectively and implemented.
2020 Innovation Training Limited
TS4 Pinewood Business Park Coleshill Road Birmingham B37 7HG
Tel. +44 (0) 121 314 2020 info@the2020group.com www.the2020group.com