Our News

46ISA 315: Five key changes to adopt - Insight Training

ISA 315: Five key changes to adopt

For December 2022 year-ends, audits will need to adopt the revised version of perhaps the most important ISA of the lot – ISA 315, which focuses on identifying and assessing risk. The revision is the result of a long process and, while not a revolutionary set of changes, there are some key differences auditors need to appreciate to transition successfully to the new Standard. Here are five of those key changes to adopt:

1. Risk is in colour now

For decades, most auditors have assessed risks on a crude, three-point scale (high, moderate or low). ISA 315 adopts a more nuanced, granular approach requiring auditors to assess inherent risk on a spectrum. At its simplest, this might mean moving to a five-point scale or score instead. A wider scale allows very high risks to be properly addressed, but it also permits auditors to class some risks at the very low risk end of the spectrum, justifying why little, if any, further work is needed.

You’ll need to be aware of how your methodology has adapted to include a spectrum, and make sure that audit teams make best use of the wider range of responses this allows.

2. You may need to think harder about IT risks

A key area of enhancement in the revised ISA is the approach to risks arising from the use of IT. Software applications that are standalone, and where the number of transactions processed is modest, may not pose significant risks, but those which are tightly integrated with other apps, or which run automated scripts and actions, are more prone to such risks. Auditors will need to understand the design and consider the implementation of general IT controls (GITCs) including how access to the app is managed, how changes such as updates or upgrades are handled and how data is kept secure, even if auditors do not intend to test such controls for operational effectiveness.

3. Control risk is dealt with separately

Although the standard audit risk model that’s been the backbone of risk assessment for many years hasn’t fundamentally changed, the revised ISA requires control risk to be addressed separately from inherent risk. If an auditor tests controls for operational effectiveness (and if the results are satisfactory), control risk can be formally assessed, and can reduce the overall risk of material misstatement for the assertion in question. Auditors are not required to undertake such tests (in most scenarios) but if they do not do so, the inherent risk will be the sole driver of the resulting risk of material misstatement.

4. Risk assessment is more iterative than ever

Risk assessment should never be a static process, undertaken at planning and locked in place. Auditors need to be alive to the possibility that risks will need to be reassessed at various points throughout the audit, depending on what they encounter. This is hard to achieve and to document, but the revised ISA insists that it’s vital to ensure that the audit stays on track until the end.

5. The revised ISA is scalable (no, really)

A key reason for the revision of ISA 315 has been to respond to criticisms that it’s hard to scale, especially for smaller or less complex audits. Although the main text of the Standard may not appear especially scalable, there are numerous ‘scalability’ paragraphs in the application guidance to help auditors of such entities apply the principles proportionately. You’ll need to remember that, while most audit methodology is built to ensure compliance for complex scenarios, there may be better ways to record your risk assessment for those smaller and simpler audits. The Standard insists that documentation may be ‘simple and brief’ in such cases, that it need not include every possible risk factor the team has considered, and that much of the assessment can be rolled forward from prior years in many circumstances.

Want more detail on how to apply ISA 315 in a pragmatic way to your next audit? Book onto our two -hour webinar ‘ISA 315 Risk Assessment’ which is running on 6 December 2022. We’ll explain the standard and provide practical examples for how to adopt it efficiently and effectively.

Jez Williams, November 2022

Recent posts