Revised ISA 315 – Are the new requirements really new?
Inherent risk and control risk
Inherent risk and control risk are not new concepts for auditors. As a reminder:
- Inherent risk is described as the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.
- Control risk is described as the risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s system of internal control.
The revised ISA clarifies that the auditor should perform a separate assessment of inherent risk and control risk. As a clarifying amendment, it’s likely some auditors would already have been undertaking separate assessments. Those that haven’t should nevertheless already be familiar with the requirement for separate assessments though, since ISA (UK) 540 Auditing Accounting Estimates and Related Disclosures introduced it for accounting estimates for periods commencing on or after 15 December 2019.
Spectrum of inherent risk
The revised ISA introduces the concept of a spectrum of inherent risk to be used for both the assessment of inherent risk and the assessment or risk of material misstatement at the assertion level.
Whilst the standard does not set out the spectrum to be used (instead, leaving this for auditors and their methodology providers to establish), it does make clear that the higher on the spectrum of inherent risk a risk is assessed, the more persuasive the audit evidence needs to be.
Where on the spectrum a particular risk lies is a matter of professional judgement and is based on the significance of the combination of the likelihood and magnitude of a possible misstatement.
In considering the likelihood of a misstatement, consideration is given to the inherent risk factors (e.g. complexity, subjectivity, change, uncertainty and susceptibility to misstatement due to management bias or other fraud risk factors insofar as they affect inherent risk).
Whilst the concept of a spectrum of inherent risk does represent a significant change to risk assessment overall, which will take a bit of getting used to, it’s worth noting that the concept should once again already be familiar to auditors in the context of auditing estimates, given it was introduced into ISA (UK) 540 for periods commencing on or after 15 December 2019.
IT environment
The revisions to ISA (UK) 315 introduce more requirements in relation to gaining an understanding of the entity’s IT environment, including requirements to identify and assess risks of material misstatement arising from the use of IT related to the IT applications and other aspects of the entity’s IT environment.
For those auditors who have previously taken a controls-based approach to audits and relied upon automated controls, these revisions may not have a significant practical impact.
For those auditors who have previously adopted a fully substantive approach, the revisions represent a much more significant change - one which would benefit from early consideration. We consider this area in more detail in our blog Revised ISA 315 – General IT Controls.
Professional scepticism
Another headline change to ISA (UK) 315 is the enhanced use of professional scepticism throughout the risk assessment process, including highlighting the need not to bias work towards obtaining evidence that is corroborative or excluding evidence that is contradictory.
Professional scepticism should already be at the forefront of auditors’ minds having long been required in an audit context. Its greater emphasis within the revised ISA is likely to have little practical effect for auditors already giving it due concern, although it perhaps serves as a useful reminder to maintain such focus, especially given its greater prominence within the revised versions of ISA (UK) 540 and ISA (UK) 240 The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements too.
How can Mercia help?
Your Mercia methodology has been updated to ensure auditors consider the entity’s IT environment and controls, in particular, GITCs.
The impact of the recently updates ISAs, including ISA 315, are considered in Audit Update and Topical Issues and Accounting and Auditing Update and Refresher - Spring courses.
You can also attend the short course Practical Aspects of Auditing Your Client’s IT environment – ISA 315, which considers some practical elements on understanding a client’s IT environment.