It is the ISA which contains requirements on obtaining business understanding, risk assessment and internal controls, and is therefore key to the successful planning of an audit. This article explores some of the main requirements of the ISA and considers the practical implications for the auditor. 

This article was first published in the March 2012 UK edition of Accounting and Business magazine.

Studying this technical article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We'd suggest that you use this as a guide when allocating yourself CPD units.

What is a 'misstatement'?

Before discussing how auditors should assess the risk of material misstatement, it is important to consider what is meant by 'misstatement'. The term 'misstatement' is not defined in ISA 315, but in ISA 450, Evaluation of Misstatements Identified During the Audit, which contains this definition: 'a difference between the amount, classification, presentation or disclosure of a reported financial statement item and the amount, classification, presentation or disclosure that is required for the item to be in accordance with the applicable financial reporting framework. Misstatements can arise from fraud or error.'

In other words, a misstatement arises where there is a difference between the reported figures, and what is expected to be reported in order for the financial statements to be fairly presented (or show a true and fair view). Misstatements can be factual, in the case of a clear breach of a requirement of a financial reporting standard, or could be judgmental, arising from unsuitable estimation techniques or the selection of inappropriate accounting policies.

ISA 315 requires that the engagement partner and other key engagement team members discuss the susceptibility of the entity's financial statements to material misstatement, and that the engagement partner determines which matters are to be communicated to the rest of the audit team. The discussion should place emphasis on any indicators that the financial statements may be at risk of material misstatement due to fraud. (ISA 240.15) This discussion, and the significant decisions reached, must be documented.

Obtaining and documenting an understanding of the entity

Without an in-depth understanding of the audited entity, it is impossible to properly assess the risk of material misstatement. ISA 315 requires that the auditor obtains an understanding relating to five aspects of the audited entity:

  1. relevant industry, regulatory and other external factors including the applicable financial reporting framework
  2. the nature of the entity including its operations, its ownership and governance structures, the types of investments it makes, and the way the entity is structured and financed
  3. the entity's selection and application of accounting policies
  4. the entity's objectives and strategies, and business risks that may result in risks of material misstatement, and
  5. the measurement and review of the entity's financial performance. (ISA 315.11)

It is worth highlighting a couple of these areas in more detail. First, the requirement to understand the applicable financial reporting framework would entail understanding not only the relevant financial reporting standards (IFRS or national standards) but also whether there are any relevant industry specific regulations.

Note that under the requirements of ISA 210, Agreeing the Terms of Audit Engagements, the auditor should already have determined the acceptability of the financial reporting framework, as this is one of the preconditions of an audit.

Second, the requirement to obtain knowledge of the entity's objectives, strategies and business risks is a crucial step in audit planning. This is because according to the application guidance of ISA 315, 'business risk is broader than the risk of material misstatement, though it includes the latter'. (ISA 315.A30) Therefore, to successfully identify risks of material misstatement, the auditor should use a business risk approach.

A simple example is that a company may face a business risk such as a fall in demand for its products. The associated risk of material misstatement lies in the valuation of inventory; therefore there is a risk of misstatement at the assertion level. However, the fall in demand could also have a longer-term impact on the company's going concern status, leading to a potential risk of misstatement at the financial statement level. Appendix 2 of ISA 315 contains a useful list of examples of conditions and events that may indicate risks of material misstatement.

The key elements of the business understanding obtained regarding each of the aspects outlined above must be documented (ISA 315.32). However, the ISA does not stipulate a method or level of detail required for this documentation, leaving it to the auditor's judgment to determine the extent of documentation needed.

In the audit of smaller entities, which often have a small range of products or services, operate from a limited number of locations and have a simple ownership structure, the documentation may be simple in form and relatively brief and it is not necessary to document the entirety of the auditor's understanding of the entity. Documentation may be prepared by using narrative notes or by completing a structured form. The notes may be maintained separately or incorporated in the documentation of the overall audit strategy.

Internal control

It is a specific requirement of ISA 315 that the auditor obtains an understanding of the internal control relevant to the audit. This is a crucial step in assessing the risk of material misstatement, as one of the components of audit risk is control risk, defined as the risk that a misstatement that could occur will not be prevented, or detected and corrected, on a timely basis by the entity's internal control.

Internal control has five components, each of which must be understood and documented by the auditor:

  1. the control environment
  2. the entity's risk assessment procedure
  3. the information system, including the related business processes, relevant to financial reporting and communication
  4. control activities, and
  5. monitoring of controls.

This requirement appears onerous, and indeed for large and complex organisations the documentation of internal control can be laborious. But it is important to remember that it is only required that the auditor understands and documents those elements of internal control which are relevant to the audit, in particular to the auditor's risk assessment, which is a matter of professional judgment.

In determining whether a control is relevant to the audit, matters such as the significance of the related risk, materiality, and the complexity of operations should be considered. In relation to control activities, the ISA specifically states that 'an audit does not require an understanding of all of the control activities related to each significant class of transaction, account balance and disclosure in the financial statements or to every assertion in them'. (ISA 315.20)

Therefore the documentation of internal control should be commensurate with the nature, size and complexity of the entity. The ISA also suggests that the extent of documentation should be appropriate to the experience and capabilities of the audit engagement team, as less experienced members of the audit team may require more detailed documentation to assist them to obtain appropriate understanding of the entity and its controls.

In a smaller entity, the audit documentation on internal control is likely to be relatively simple, focusing on how sales and purchasing cycles operate and highlighting the risks of material misstatement that arise from the controls (or lack of) that are in place.

It is tempting to think that in a simple system operating in a small company there is little risk of material misstatement, but of course there are specific risks associated with this type of company, especially the risks posed by opportunities for management override, and the limited scope for segregation of duty and authorisation controls. In a smaller company, the extent and nature of management's involvement in internal control is likely to be a key aspect in the documentation of internal control.

Remembering that the underpinning concept of ISA 315 is risk assessment, it is not surprising that one of the elements of internal control that the auditor must understand and document is the entity's own risk assessment process. Most large organisations will have an internal risk management function, the effectiveness of which may be assessed by the auditor.

Smaller entities will not have such a function, and risk assessment will be performed in an ad-hoc manner by the company's owners and/or managers. In this case, it is required that the auditor discusses with management whether business risks relevant to financial reporting have been identified and addressed, and should then consider whether this represents a significant deficiency in internal control. (ISA 315.17)

Assessing the risks of material misstatement

Having obtained and documented an understanding of the entity including its internal control, the auditor is now in a position to identify and assess the risks of material misstatement, which should be done at the financial statement level, and at the assertion level for classes of transactions, account balances and disclosures. The point of the risk assessment is to provide a basis for designing and performing further audit procedures.

Risk assessment procedures should include inquiries of management and other relevant individuals, analytical procedures, observation and enquiry. (ISA 315.6)

An important part of assessing the risk of material misstatement is that the risks identified should be prioritised. This is because ISA 315 determines that risks which are identified as being significant risks require special audit consideration. It is a matter of judgment as to whether a risk constitutes a significant risk, and matters such as the complexity of the transaction, whether there is a risk of fraud, the involvement of related parties, and whether the transaction is outside the normal course of business should be considered. (ISA 315.28)

It is further required that where a significant risk is identified, the relevant controls, including control activities, should be understood. (ISA 330, The Auditor's Responses to Identified Risks, then deals with the action that should be taken in obtaining evidence in relation to significant risks. If the auditor plans to rely on controls over a significant risk, the controls must be tested in the current period, and substantive procedures should be performed in response to significant risks at the assertion level.)

Continual revision of risk assessment

The risk assessment outlined above takes place in the planning phase of the audit. Of course, as the audit progresses, further information may come to light which provides additional insight into the company's operations and internal control. It may therefore be necessary to revise the original risk assessment, and modify the planned audit procedures in response to new or amended risks identified.


Auditors should not underestimate the importance of ISA 315, as its requirements relating to risk assessment help to ensure that audits are responsive to individual audit clients' circumstances, and when applied properly should help to reduce audit risk. Though the requirements of the ISA can seem onerous, careful application of the standard and appropriate use of the auditor's judgment should mean that compliance with documentation requirements is relatively straightforward.