Tackling fraud: internal controls and risk assessment under ISA-315

October 25, 2021

In 2020, many businesses temporarily abandoned established procedures and protocols as COVID-19 impacted organisations.

As life returns to normal, what does the International Standard on Auditing (ISA) 315 require of auditors when it comes to identifying possible fraud?

The International Auditing and Assurance Standards Board issued a revised ISA-315 in December 2019 titled ‘Identifying and Assessing the Risks of Material Misstatement’.

It provides guidance to auditors on how to identify and assess the risks of material misstatement in financial statements, and will apply to audits of financial statements for periods beginning on or after 15 December 2021.

What do you need to know about ISA-315?

ISA-315 provides a basis for designing and implementing responses to the assessed risks of material misstatement, either by error or by fraud. 

While external audits are not designed to detect fraud, external auditors need to assess the risk of material fraud and build it into their risk assessment. ISA-315 sets out how to do that.

Internal controls

Part of the process is assessing the internal controls of the business. This refers to the policies and procedures that are put in place to manage the business with appropriate governance.

During the pandemic, some businesses may have deviated from their policies and procedures. So a key risk area for upcoming audits is to check that policies were adhered to, or appropriately revised, despite the disruption.

This is an important factor for the auditor’s evaluation of the business’s accounting policies, and whether they’re consistent with the financial reporting framework. 

The term “internal control” has been revised in the updated ISA-315 to cover the business’s “system of internal controls”. This widens the definition to include all systems of the business that help to provide the management team with reasonable assurance that their financial reporting is reliable.

There’s now a greater emphasis on understanding the organisation’s use of IT. For example, a glitch in an IT system can lead to a misstatement. Or there may be fragility in the system that opens up the opportunity for fraud. While auditors aren’t responsible for detecting fraud, it’s now part of the role to raise potential vulnerabilities in the system.

You’ll need to understand the general IT controls and the information processing controls of the business. This includes IT applications, supporting IT infrastructure, IT processes and the personnel involved.

It’s extensive and also includes the programs used for processing, recording and reporting transactions and financial information.

The risk assessment

You may already know that such audits must include a comprehensive risk assessment.

The risk assessment must be devised to obtain audit evidence impartially. That means the risk assessment should focus no more on finding corroborative evidence than on finding contradictory evidence, and vice versa. The aim is to find balanced evidence, to give the clearest possible view of the financial statements.

How do you do that? You’ll need to question any contradictory evidence. Use your professional scepticism to scrutinise the reliability of the documents. View them in light of your inquiries with management and anybody who works in governance.

ISA-315 places greater weight on professional scepticism. You’ll need to show how you evaluated the evidence. This will go to show whether you’ve adequately identified and assessed the risk of material misstatement.

How we can help

ISA 315 is a complicated framework of guidance and regulation. If you’d like to discuss any aspect of external or internal auditing, please contact your local Kreston firm or our central team on