On most files we review, inherent risk (IR) and control risk (CR) end up collapsed into a single "medium" rating with no explanation of which component drove the assessment. ISA 315 (Revised 2019) requires separate assessment because the audit response differs depending on which one is elevated. If you can't explain whether the risk comes from the nature of the item or a gap in controls, you don't have a basis for your procedures.
Inherent risk is the susceptibility of an assertion to a misstatement that could be material, before considering any related controls. Control risk is the risk that the entity's internal controls won't prevent or detect and correct such a misstatement on a timely basis. Together, they form the assessed risk of material misstatement (RMM) under ISA 315 (Revised 2019).
Side-by-side comparison
| Dimension | Inherent risk | Control risk |
|---|---|---|
| What it measures | Susceptibility of the assertion to misstatement, absent controls | Likelihood that controls fail to prevent or detect the misstatement |
| What drives it | Nature of the account, complexity, judgment, estimation uncertainty, susceptibility to bias | Design and implementation of controls, operating effectiveness over the period |
| Can it be zero? | No. Every assertion has some IR. | No. No control system is perfect. |
| Assessment method | Spectrum approach (ISA 315 Revised 2019) based on likelihood and magnitude | Tested through design and operating effectiveness evaluation, or assumed at maximum if controls are not tested |
| When it changes | When the nature of the business or account changes, or when external conditions shift | When controls are redesigned or fail |
| Link to procedures | Higher IR requires more persuasive substantive evidence | Lower CR (from effective controls) allows reduced substantive testing |
Key points
- IR exists independently of the entity's controls. CR depends on the design and operating effectiveness of those controls.
- ISA 315 (Revised 2019) introduced a spectrum of IR, requiring auditors to assess it on a scale rather than as high, medium, or low.
- You assess IR first, then evaluate whether controls reduce the combined RMM.
- Confusing the two leads to procedures that are either insufficient or pointed in the wrong direction.
When the distinction matters on an engagement
ISA 315 (Revised 2019) requires the auditor to assess RMM at the assertion level, which is the combination of IR and CR. Each risk component calls for a different response. If IR on an estimate is high because the valuation model involves significant judgment and estimation uncertainty, no amount of control testing will reduce that susceptibility. The engagement team needs substantive procedures that directly test the reasonableness of the estimate.
Conversely, if an account balance has moderate IR but strong controls (automated matching and management review), the team can test those controls and reduce the volume of substantive testing. ISA 330 requires a clear link between the assessed risks and the procedures performed. A file that lumps IR and CR into a single "medium" rating and then applies a SALY (same as last year) set of procedures has not complied with ISA 315 or ISA 330.
Worked example: Transportes Reyes S.L.
Client: Spanish logistics firm, FY2024, revenue €67M, IFRS reporter. The entity operates a fleet of 200 trucks, has 800 active customer contracts with varied pricing terms, runs four regional warehouses, and recently migrated to a new ERP system.
Assessing IR on revenue recognition
Revenue comes from spot haulage contracts and long-term logistics service agreements. Spot contracts are high-volume, low-value (average €2,400 per trip). Long-term contracts include variable pricing tied to fuel indices and volume tiers. IR on revenue recognition sits at the higher end of the spectrum. Likelihood of misstatement is elevated because the variable pricing clauses require manual calculation outside the ERP system, and the ERP migration introduced data conversion risk. Magnitude is potentially material (variable-price contracts account for €19M of total revenue).
Documentation note: Record each IR factor assessed (complexity, change from ERP migration, estimation uncertainty in variable pricing, susceptibility to management bias), your evaluation for each, and the conclusion on where the assertion falls on the spectrum. ISA 315 (Revised 2019) paragraph 32 requires this assessment at the assertion level.
Assessing CR on revenue recognition
Two relevant controls exist: an automated ERP validation that rejects revenue entries without a matched delivery confirmation, and a monthly management review of revenue by customer segment against budget. The engagement team plans to test both.
For the ERP validation, the team re-performs the matching logic on a sample of 40 transactions. No exceptions. For the management review, the team inspects the monthly review documentation for all 12 months. In ten months, the review is documented with variance explanations. In two months (immediately after the ERP migration), the review was performed but not documented. The team concludes the ERP validation is operating effectively but the management review has a two-month gap.
Documentation note: Document each control tested, the population and sample, the test results, and the assessed level of CR. State the effect of the two-month gap on the overall CR assessment and how the team plans to address the uncovered period.
Combining the assessments
IR sits at the higher end of the spectrum. CR is below maximum for ten months (effective ERP control) but at maximum for two months (undocumented management review during the migration period). The combined RMM on revenue recognition is significant. The engagement team designs substantive procedures accordingly: a sample of 50 revenue transactions across the full year, with an additional focused sample of 20 from the two migration months, tested to delivery confirmations, customer contracts, pricing calculations, and cash receipts.
Documentation note: Link the combined assessment to the substantive procedures. State the sample sizes and the rationale for the focused testing in the migration period.
If the team had assessed IR as low because controls exist (confusing the two concepts), the sample would have been smaller and the ERP migration period wouldn't have received additional scrutiny.
What reviewers get wrong
PCAOB 2023 inspection findings on risk assessment highlighted that firms frequently assessed RMM as a single combined rating without separately evaluating IR and CR. The standard requires separate assessment because the audit response differs depending on which component drives the combined risk. High IR with effective controls produces a different procedure set than moderate IR with no controls at all. In our experience, the merged rating is often a sign the team treated risk assessment as a tick-box exercise rather than an input to planning.
Honestly, it's frustrating how often we see files where every assertion on every account lands at the same point on the spectrum. That's not risk assessment. Under ISA 315 (Revised 2019), IR must be assessed on a spectrum, not in categories. The FRC has flagged firms that continued using the old high/medium/low approach after the revised standard became effective. The spectrum approach requires the auditor to consider both the likelihood of misstatement and the magnitude of the potential misstatement when placing the assertion on the spectrum. ISA 315 lists the IR factors the auditor must consider: complexity, subjectivity, change, uncertainty, and susceptibility to misstatement due to management bias or fraud.
Key standard references
- ISA 315 (Revised 2019) paragraphs 12(i) and 12(d) define IR and CR.
- ISA 315 (Revised 2019) paragraphs 31–33 set out the requirements for assessing RMM at the assertion level.
- ISA 315 (Revised 2019) paragraph A4 explains the spectrum approach to IR assessment based on likelihood and magnitude.
- ISA 330.7 requires a link between assessed risks and the nature, timing, and extent of further audit procedures.
Frequently asked questions
Can inherent risk ever be zero?
No. Every assertion carries some IR. Revenue recognition on a simple contract still has susceptibility to misstatement from cut-off errors and pricing mistakes. IR varies across a spectrum but never reaches zero.
What changed with ISA 315 (Revised 2019) regarding inherent risk?
The revised standard introduced a spectrum approach, requiring auditors to assess IR on a scale rather than using high, medium, or low categories. The auditor must consider both the likelihood of misstatement and the magnitude of the potential misstatement. The FRC has flagged firms that continued using the old categorical approach after the revised standard became effective.