What are risk assessment procedures?
ISA 315 (Revised 2019) paragraph 14 requires the auditor to perform risk assessment procedures that include all four types: inquiries of management and other appropriate individuals within the entity, analytical procedures, observation, and inspection. The 2019 revision tightened this requirement. All four types are mandatory on every engagement, not a menu from which the auditor selects.
Risk assessment procedures are inputs to the risk assessment, not outputs. They give the auditor the information needed to identify and assess risks of material misstatement (RMM) at the financial statement (FS) and assertion levels. ISA 315.28 requires the auditor to use the results to make risk assessment judgments. These procedures do not provide audit evidence for the opinion. That comes from further audit procedures under ISA 330.
A walkthrough performed as a risk assessment procedure helps the auditor understand how transactions flow through the system and where misstatements could occur. The same walkthrough is not a test of controls. If the auditor wants to rely on controls, ISA 330.8 requires separate tests of operating effectiveness. Conflating the two is one of the most common file deficiencies flagged in inspections.
Key Points
- All four procedure types are mandatory under ISA 315.14: inquiry, observation, inspection, and analytical procedures.
- Inquiry alone is never sufficient. The 2019 revision explicitly requires corroboration through other procedure types.
- Risk assessment procedures identify risks. Further audit procedures (ISA 330) respond to them. They are not interchangeable.
- A walkthrough for risk assessment is not a test of controls. Separate operating effectiveness testing is required under ISA 330.8.
Why it matters in practice
The FRC's 2023 annual inspection report found auditors relying on inquiry as the sole or primary risk assessment procedure. Teams documented conversations with management about business changes and RMM but did not corroborate those responses through observation or inspection of documents. ISA 315.14 requires all four types because each provides different information. No single type is sufficient on its own.
Analytical procedures at the risk assessment stage are a second area of weakness. ISA 315.17 requires the auditor to apply analytical procedures to help identify RMM that the auditor might not otherwise recognise. At firms like ours, teams often perform variance analysis (comparing current year to prior year) without investigating what conditions for misstatement the variances might indicate. At this stage, the purpose is not to explain the variance. It is to flag where misstatements could occur.
ISA 315.15 requires inquiries of management, but also of other individuals within the entity who may have information relevant to identifying risks. Teams that limit inquiries to the CFO and financial controller miss perspectives from operational staff and internal audit. ISA 315.15 specifically asks the auditor to consider who may have relevant information beyond the finance function.
Doing this well is hard, and most teams know it. The honest difficulty is that a proper risk assessment takes real thought at a stage of the engagement when the budget pressure is highest and the deadline for the audit plan is tightest. When the work gets treated as a tick box exercise (SALY the working papers, update the dates, move on) the risk assessment loses its purpose and the rest of the audit is built on a weak foundation.
Key standard references
- ISA 315.14: Requirement to perform all four types of risk assessment procedures.
- ISA 315.15: Inquiries of management and others within the entity.
- ISA 315.16: Observation and inspection as risk assessment procedures.
- ISA 315.17: Analytical procedures to help identify risks of material misstatement.
- ISA 315.28: Using results of risk assessment procedures to assess risks.
Frequently asked questions
Can the auditor choose between the four procedure types?
No. ISA 315 (Revised 2019) paragraph 14 requires all four types: inquiry, observation, inspection, and analytical procedures. You do not choose between them. Inquiry alone is never sufficient.
Are risk assessment procedures the same as further audit procedures?
No. Risk assessment procedures identify and assess RMM (ISA 315.14–18). Further audit procedures respond to those risks with evidence for the opinion (ISA 330.4–27). A walkthrough used for risk assessment is not a test of controls.