Risk and Understanding The Entity - ACCA Global


10/25/22, 12:45 PM Risk and understanding the entity | ACCA Global


Risk and understanding the entity


ISA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement

Candidates studying Audit and Assurance (AA) and Advanced Audit and Assurance (AAA) are often presented with questions that focus on the planning stage of the audit.

Extracts from the AA syllabus (B) Planning and risk assessment

B3 Assessing audit risks

• Describe the audit risks in the financial statements and explain the auditor’s response to each risk

B4 Understanding the entity and its environment and the applicable financial reporting framework

• Explain how auditors obtain an initial understanding of the entity and its environment and the applicable financial reporting framework

• Describe and explain the nature, and purpose of, analytical procedures in planning, and

• Compute and interpret key ratios used in analytical procedures

https://www.accaglobal.com/uk/en/student/exam-support-resources/professional-exams-study-resources/p7/technical-articles/risk-understanding… 1/11

Extracts from the AAA syllabus (D) Planning and conducting an audit of historical financial information

D1 Planning, materiality and assessing the risk of material misstatement

• Evaluate and prioritise business risks, audit risks and risks of material misstatement for a given assignment

• Interpret the results of analytical procedures, in an unbiased manner and apply professional scepticism to support the identification of contradictory information and assessment of risks of material misstatement

• Evaluate the results of planning and risk assessment procedures to determine the relevant audit strategy, including the auditor’s responses, and

• Discuss the importance of the auditor gaining an understanding of the entity including the applicable financial reporting framework, its accounting policies, significant classes of transactions, balances and disclosures and the entity’s system of internal control and recommend additional information which may be required in gaining that understanding.

Candidates will therefore need a sound understanding of ISA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement, which becomes an examinable document from the September 2021 exam session for both AA and AAA. The central theme throughout ISA 315 (Revised) is the assessment of risk. Questions involving risk assessment are highly examinable at both AA and AAA, so it is vital that candidates have studied this part of the syllabus thoroughly.

A word on assertions

The auditor needs to obtain sufficient appropriate audit evidence to support the assertions and disclosures in the financial
statements made by management. These assertions are used by the auditor when assessing the risks of misstatement on an
engagement.

Objective of the audit and the assessment of risk


The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the
financial statement and assertion levels, thereby providing a basis for designing and implementing responses to the assessed
risks of material misstatement (1).


ISA 315 (Revised) states the reasons ‘why’ risk assessment procedures should be carried out but provides further guidance with
‘what’ needs to be tested and ‘how’ it can be tested. Candidates are strongly encouraged to review the appendices to the revised
standard for examples of the ‘what’ and ‘how’.

ISA 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards
on Auditing, states that audit risk is the risk that the auditor expresses an inappropriate opinion when the financial statements are
materially misstated.

It should be noted that the fundamentals of the audit risk model, which candidates will often come across during their studies, have
not been affected by ISA 315 (Revised) and remain as follows:

However, there have been some changes as to how risks are evaluated. ISA 315 (Revised) enhances the requirement for the
auditor to understand the audit risk of the client by obtaining an understanding of the entity and its environment, the applicable
financial reporting standards and the entity’s system of internal control.

Using the risk model above, these can be considered as follows:

Inherent risk

• Understanding the entity and its environment

• Understanding the applicable financial reporting framework

Control risk

• Understanding the entity’s system of internal control.

Inherent risk
Inherent risk is described as the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls (2).

Understanding the entity and its environment



ISA 315 (Revised) has explicitly defined inherent risk factors as being qualitative or quantitative, and they include:

Defined inherent risk factors: explanation and example

• Complexity: Arises because of the nature of the information or the way that it is prepared – for example, complex accounting or reporting requirements such as the audit of a large, multi-national insurance group.

• Subjectivity: Results from inherent limitations in the ability to prepare the information objectively – for example, choice of valuation methodology or basis for accounting estimations.

• Change: Events or conditions which affect the entity’s business, industry, regulatory or economic environment – for example, customer change or geographical expansion.

• Uncertainty: Arises when the required information cannot be prepared based on sufficiently precise and comprehensive data – for example, contingent liabilities or uncertainty over key issues (environmental, legal or financial), such as the audit of a company with ongoing litigation issues (requiring provisions and estimations of liability).

• Susceptibility to misstatement due to management bias or other fraud risk factors: Conditions which create susceptibility for intentional or unintentional failure by management to maintain neutrality – for example, transactions with related parties, the use of manual adjustments, bonus schemes dependent on financial results.

Inherent risk is considered by the auditor before they consider any related controls. Inherent risk and control risk are both elements of the risk of material misstatement at the assertion level.

Understanding the applicable financial reporting framework



Auditors must consider the impact of the accounting policies and financial reporting requirements, including industry specific
requirements, when assessing the risk of material misstatement.

There are several financial reporting standards which can be subject to misapplication, either deliberate or accidental, such as IFRS® 15 Revenue from Contracts with Customers or IAS® 37, Provisions, Contingent Liabilities and Contingent Assets. Foreign currency adjustments or complex financial instruments can further complicate the reporting (and regulatory) requirements.

New or emerging accounting issues, such as cryptocurrencies or environmental reporting, may be affected by the subjectivity of management. In the case of technological changes, a lack of definitive accounting standards may result in inconsistent or incorrect valuations or disclosures.

Evaluating the financial reporting policies of the entity is part of the overall assessment of inherent risk.

Spectrum of inherent risk

For the identified risks of material misstatement at the assertion level, the auditor is required to carry out a separate assessment of inherent risk and control risk. This separate assessment was introduced into ISA 315 (Revised) so as to maintain consistency with ISA 330, The Auditor’s Responses to Assessed Risks, which also requires the auditor to consider inherent risk and control risk separately in order to respond appropriately to assessed risks of material misstatement at the assertion level.

Inherent risk will be higher for some assertions and related classes of transactions, account balances and disclosures than for others and this will require the exercise of professional judgement. The degree to which inherent risk varies is referred to in ISA 315 (Revised) as the spectrum of inherent risk.

The spectrum of inherent risk helps to determine whether an identified risk is a significant risk. ISA 315 (Revised) introduces the concept of a significant risk, which is an identified risk of material misstatement for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk. This is due to the degree to which inherent risk factors affect the combination of the likelihood and the magnitude of a potential misstatement.

When the auditor is planning responses to identified risks, risks may need to be prioritised as the auditor needs to plan to obtain more evidence in relation to significant risks. The higher on the spectrum of inherent risk a risk is assessed, the more persuasive the audit evidence needs to be. This is a particularly important skill when answering questions at the AAA level, and good practice for practical audit work too. In addition, the controls that address significant risks are required to be identified by ISA 315 (Revised), and the auditor is required to evaluate whether the control has been designed effectively and implemented.

Control risk

Understanding the entity’s system of internal control


Control risk is the risk that the entity’s system of internal control will not prevent or detect and correct a misstatement on a timely basis. This can be due to weak or absent internal controls. ISA 315 (Revised) sets out the components of the entity’s system of internal control. Candidates need to be familiar with the components set out in ISA 315 as AA exam questions may ask candidates to describe or explain the components of the entity’s system of internal control.

Components of the entity’s system of internal control under ISA 315 (Revised 2019) (para.20), and the predominant type of control

Indirect controls (the auditor’s understanding of these control components is likely to affect the risk of material misstatement at the financial statement level):

• Control environment

• The entity’s risk assessment process

• The entity’s process to monitor the system of internal control

Direct controls (the auditor’s understanding of these control components is likely to affect the risk of material misstatement at the assertion level):

• Information system and communication

• Control activities

For further details on the components of an entity’s system of internal control refer to Appendix 3 included in ISA 315 (Revised
2019).

At the planning stage of the audit, the auditor will consider whether the audit procedures will include planned reliance on the operating effectiveness of controls. Reliance on an entity’s system of internal control can reduce the level of substantive procedures the auditor performs. If the auditor does plan to test the effectiveness of the entity’s controls, this is based on the expectation that the controls are operating effectively.

ISA 315 (Revised) stresses that the auditor’s assessment of the risks is affected by their understanding of each of the components of the entity’s system of internal control. This understanding of how management identify and assess the business risks of the entity would be gained at the planning stage by discussions with management or inspecting reports or procedures.


If the auditor does not plan to test the operating effectiveness of the entity’s internal controls, ISA 315 (Revised) states that in this case, the risk of material misstatement is the same as the assessment of inherent risk. In other words, if the auditor is not planning on testing the controls, they assume there are no controls present in their risk assessment. Further information on the testing of controls is covered in ISA 330.

Direct/indirect controls

Direct controls are specific controls which are precise enough to address the risk of material misstatement at the assertion level, for example, performing a monthly reconciliation of the bank account which is reviewed, and all differences are resolved. This is an example of a direct control as it ensures the existence and accuracy of the asset (bank) at the period end.

Indirect controls, such as general IT controls, are those which are not sufficiently precise to prevent, detect or correct material misstatement at the assertion level. However, indirect controls may support direct controls and therefore have an indirect effect on the likelihood that a misstatement can be detected or prevented.

Controls over the IT environment


ISA 315 (Revised) includes enhanced auditor considerations relating to IT, including new and updated material for understanding IT and general IT controls. The auditor needs to understand how the entity processes information, and how this data is used throughout the business. There should be an understanding of the accounting records, how the information is captured and controlled and how these flow into the accounts in the financial statements.

The internal control of an entity generally benefits from the use of an IT system, for example by:

• Applying consistent business rules

• Performing complex or repetitive bulk calculations

• Facilitating analysis of information

• Improving timeliness, availability and accuracy of information

• Reducing the risk that controls can be avoided and enhancing the segregation of duties.

An IT system will only be as good as the controls which support it; therefore, it is imperative that an assessment is made of the related risks of using IT and the entity’s general IT controls. General IT controls alone are not adequate, and an assessment should be made to understand how management monitor the IT controls, permissions, errors or control deficiencies across the IT environment.

Larger businesses may have fully integrated and possibly bespoke ERP systems (Enterprise Resource Planning), whereas smaller entities are likely to have less complex, commercial software. ISA 315 (Revised) provides examples of potential issues and possible tests in Appendices 5 and 6. The need to obtain an understanding of the IT environment within an entity remains important when assessing the risk and designing the relevant audit procedures.


Manual and automation

An entity’s system of internal control will usually contain manual elements (such as authorising a purchase invoice) and
automated elements (such as password-protected applications).

Automated controls are generally considered to be more reliable than manual controls because they are not easily bypassed, ignored or overridden. For example, logging into the online banking system requires a password, which cannot be ignored; if the password entered is incorrect, the system will prevent access. Similarly, if a customer has not paid their invoices on time, an automated sales order processing system will prevent them from ordering further goods until they pay the overdue balance.

Detection risk
The last element of the audit risk model is detection risk, which is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will fail to detect a misstatement which exists that could be material. Candidates should keep in mind that detection risk is the only risk under the control of the auditor. Also remember that detection risk is not part of the risk of material misstatement.

Stand-back requirement
Once the auditor has obtained the required level of understanding and has identified the significant classes of transactions, account balances and disclosures, the auditor must ‘stand back’ and evaluate the audit evidence arising from their risk assessment procedures.

Once this understanding has been obtained (and throughout the audit process) the auditor must apply professional scepticism in critically evaluating the audit evidence and knowledge.

For material classes of transactions, account balances or disclosures that have not been determined as significant, the auditor is required to assess, using professional judgement, whether this determination still remains appropriate.

This requirement has been introduced into ISA 315 (Revised) to prompt the auditor to confirm the completeness of the identified risks. In other words, requiring the auditor to focus their attention on material classes of transactions, account balances and disclosures that have not been determined as significant and to assess whether this remains the case on evaluating all of the evidence obtained from the risk assessment procedures which have been performed.

Scalability
The requirements introduced by ISA 315 (Revised) are extensive and will impact the audits of larger or more complex entities. However, there are provisions throughout the standard which allow for scalability, whereby smaller or less complex entities will involve less onerous assessments. Auditors can apply the principles in ISA 315 (Revised) to entities of different sizes and different levels of complexity within the control systems, including the IT environment.

Conclusion
Candidates must ensure that they are using up-to-date study materials which reflect the provisions of ISA 315 (Revised 2019) from the September 2021 exam session. There are a number of revisions to the standard which could be examined, and it is important that candidates have a sound awareness of the changes reflected in the revised ISA.

References:

(1) ISA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement, para.11

(2) ISA 315 (Revised), para.4

Written by a member of the Advanced Audit and Assurance examining team

