Inside ISA 315 Revised: What Caribbean Audit Committees Must Expect on Risk Identification

 

In the first article of this series, we argued that the audit is no longer a compliance ritual — it is a board-level risk lens. If that is true, then the question every audit committee chair should now be asking is this: how does my auditor identify the risks of material misstatement in my financial statements, and how good is that risk-identification process?

That question is no longer rhetorical. Since 15 December 2021, every audit conducted under International Standards on Auditing has been required to comply with ISA 315 (Revised) — a standard that fundamentally redefined the auditor’s obligation to understand the entity, assess the risks, and design a response. Four audit cycles later, the standard is no longer new. But across the Caribbean, our observation is that many audit committees still do not fully appreciate what changed — and therefore do not yet know what they should be demanding of their auditor.

This article unpacks ISA 315 (Revised) for the board reader. It explains why the standard was rewritten, what the principal changes are, what a compliant risk assessment now looks like in practice, and — most importantly — the five questions an audit committee should now be asking the lead audit partner before signing the audit plan for the next cycle.

Why the Standard Was Rewritten

ISA 315 had stood substantially unchanged for over a decade when the IAASB began its revision project. The reasons for the rewrite were three:

• Inconsistent application. Inspections by audit regulators around the world had revealed that risk identification was the single largest source of audit deficiency. Auditors were too often applying a templated risk matrix and missing entity-specific risks.
• Technology had moved. The original ISA 315 was written when journal entries were posted in batches and reviewed manually. The modern Caribbean entity runs on integrated ERP systems, cloud applications, and automated controls — and the standard had not kept pace.
• Complexity had grown. Estimates, fair values, and accounting judgments now dominate the financial statements of regulated entities — expected credit losses under IFRS 9, insurance contract liabilities under IFRS 17, share-based payments, impairment testing. The auditor’s risk assessment had to become sharper and more granular.

The revised standard, effective for audits of periods beginning on or after 15 December 2021, addresses all three. It is longer, more prescriptive, and significantly more demanding than its predecessor.

“Risk identification is the single largest source of audit deficiency worldwide. That is what ISA 315 (Revised) was written to fix.”

The Principal Changes Audit Committees Should Understand

There are five changes in ISA 315 (Revised) that materially affect what an audit looks like — and therefore what an audit committee should expect to see. Each is worth understanding in its own right.

One  |  Inherent Risk Factors Become Explicit

The previous standard required the auditor to assess inherent risk and control risk separately. The revised standard goes further. It requires the auditor to evaluate, document, and articulate the inherent risk factors that drive the assessed level of inherent risk for each significant class of transactions, account balance, and disclosure. The named inherent risk factors include complexity, subjectivity, change, uncertainty, and susceptibility to misstatement due to management bias or fraud.

In practice, this means the auditor must now explain — for each significant risk — which inherent risk factors apply and why. A templated answer (“revenue is a risk because it is material”) is no longer compliant. The auditor must articulate, for instance, that revenue is high inherent risk because the entity recognises significant judgment in cut-off timing, faces high pressure to meet earnings targets, and operates a multi-jurisdictional contract base that introduces uncertainty in price allocation. That is a meaningfully deeper statement of risk than the old standard required.

Two  |  The Spectrum of Inherent Risk

ISA 315 (Revised) introduces the concept of the spectrum of inherent risk. Rather than the binary “significant risk / not significant risk” categorisation of the old standard, the revised standard requires the auditor to position each risk along a spectrum from lower to higher inherent risk, based on the combined effect of the inherent risk factors.

The practical effect is that the audit response must be calibrated to where the risk sits on the spectrum. A risk near the upper end of the spectrum — close to, but not crossing, the threshold for “significant risk” — now demands a more robust audit response than would previously have been required for the same risk classified simply as “not significant.” This is a real shift in audit effort, and audit committees should expect to see it reflected in the audit plan.

Three  |  Information Technology Becomes Central

Perhaps the most consequential change for Caribbean entities is the new prominence of information technology in the auditor’s understanding of the entity. ISA 315 (Revised) requires the auditor to understand the IT environment relevant to the financial reporting process — including the IT applications, the supporting infrastructure, and the IT processes that govern access, change management, and operations.

More demandingly, the auditor must identify the IT general controls (ITGCs) that address the risks arising from the use of IT, and evaluate the design and implementation of those controls. The control environment of a modern Caribbean entity is, in substance, its IT environment. An audit that does not engage seriously with IT general controls is no longer a compliant audit under ISA 315 (Revised) — it is, increasingly, an audit at risk of regulatory criticism.

“The control environment of a modern Caribbean entity is, in substance, its IT environment. An audit that treats IT as an afterthought is no longer compliant.”

Four  |  Stand-Back Evaluation

The revised standard introduces a stand-back requirement: at the conclusion of the risk assessment, the auditor must step back and evaluate whether the risk assessment as a whole appears reasonable in light of the entity, its environment, and the financial statement assertions. The stand-back is designed to counteract the bias that creeps in during a long planning process — the tendency to keep refining the assessment without ever asking whether, taken together, it still makes sense.

For audit committees, the stand-back is significant. It is a documented, partner-level checkpoint at which the lead audit partner must affirm that the risk assessment captures what matters. The audit committee should expect to see evidence of this — and should expect the audit partner to be able to articulate, in board-level language, what the result of the stand-back was.

Five  |  Documentation Has Sharpened

Finally, ISA 315 (Revised) materially expands the auditor’s documentation obligations. The audit file must now contain documentation of the inherent risk factors considered, the rationale for the position on the spectrum of inherent risk, the IT applications and ITGCs identified, the stand-back evaluation, and the linkage between assessed risks and planned audit responses. These are not box-ticking requirements — they are evidence that the auditor has done the work the standard demands.

In the Caribbean regulatory context — where supervisors at the BOJ, FSC, ECCB, CIMA, and FSRC are increasingly seeking access to audit working papers — documentation quality has become a regulatory question as well as a professional one. Audit committees would be wise to ask, periodically, what their auditor’s most recent inspection findings have been.

What a Compliant Risk Assessment Looks Like in Practice

In a Dawgen Global engagement run under the D·ASSURE™ methodology, the Strategic Risk Mapping pillar — the S of the framework — operationalises ISA 315 (Revised) in five concrete steps. The pattern below is what an audit committee should expect to see from any competent auditor, regardless of which firm:

• A documented understanding of the entity that is specific to the business, not borrowed from a template. The auditor should be able to describe the entity’s revenue model, regulatory environment, financing structure, and the principal pressures on management — in the auditor’s own words.
• A risk register that names risks in entity-specific language. “Revenue recognition” is not a risk. “Recognition of multi-element software licence revenue under fixed-price contracts with right-of-return clauses” is a risk. The first is a category; the second is what the auditor must assess.
• Each named risk positioned on the inherent risk spectrum, with the contributing inherent risk factors explicitly identified. A risk that is high on complexity but low on susceptibility to bias is a different risk from one that is high on both — and the audit response differs accordingly.
• An IT environment scoping that names the financial reporting applications, identifies the relevant ITGCs, and reaches a documented conclusion on whether the IT controls can be relied upon for substantive testing efficiency.
• A stand-back memorandum, signed by the engagement partner, evaluating the risk assessment as a whole and explaining how it informs the planned audit response.

Five Questions the Audit Committee Should Ask

For the audit committee chair preparing for the next audit planning meeting, the following five questions cut through to the heart of ISA 315 (Revised) compliance:

• Walk me through the three highest inherent risks you have identified for this audit, and explain — in business language — why each one is high on the inherent risk spectrum. An auditor who cannot answer this question without referring to a template has not done the work.
• Which IT applications support our financial reporting process, and which IT general controls are you relying on? If the answer is vague or generic, the audit response will be vague and generic.
• Where on the spectrum of inherent risk does our expected credit loss model (or insurance contract liabilities, or any major estimate) sit, and what specifically drives that position? The answer reveals whether the auditor has truly engaged with the estimate or merely accepted management’s working.
• What did your stand-back evaluation conclude? The audit committee is entitled to know what the partner concluded after stepping back from the planning detail.
• If a regulator inspected your risk assessment file for this engagement, what — if anything — would you want to strengthen before they arrived? This is the diagnostic question. Any auditor who answers “nothing” is either unusually confident, or insufficiently self-critical.

“An auditor who cannot articulate the top three inherent risks without referring to a template has not done the work the standard demands.”

How Dawgen Global Operationalises ISA 315 (Revised)

Within D·ASSURE™, ISA 315 (Revised) compliance lives inside the S pillar — Strategic Risk Mapping. Every Dawgen Global audit begins with an entity-specific risk dialogue led by the Jamaica Assurance Team, drawing on the CARISK™ risk taxonomy to ensure that enterprise risks are mapped to financial statement assertions in a structured, repeatable way. The IT environment is scoped by our IT audit specialists — a distinct discipline within our integrated practice — and ITGCs are tested in coordination with substantive procedures rather than as a parallel afterthought.

The stand-back evaluation is conducted by the engagement partner in writing, with the engagement quality reviewer (a second partner) reading the file before the audit response is finalised. The output — the audit plan presented to the audit committee — is structured to make the inherent risk factors, the spectrum positioning, the IT environment, and the planned response all visible to a non-specialist reader. This is not a technical luxury. It is what ISA 315 (Revised) demands.

What’s Next in the Series

Article 3 takes up the ISQM 1 and 2 quality regime — the firm-level and engagement-level quality management framework that audit committees and regulators are now using to evaluate audit firms themselves. If ISA 315 (Revised) defines what a single audit should look like, ISQM 1 and 2 define what an audit firm should look like to deliver such audits consistently. Read together, the two define the modern audit.

If you are an audit committee chair or CFO and would like a confidential briefing on what ISA 315 (Revised) means for your next audit, or a diagnostic review of your current auditor’s risk assessment approach, the Dawgen Global Audit & Assurance team welcomes the conversation. Write to [email protected] or visit dawgen.global.

About the Author

Dr. Dawkins Brown is the Executive Chairman and Founder of Dawgen Global, an independent, integrated multidisciplinary professional services firm headquartered in New Kingston, Jamaica, with operations across more than fifteen Caribbean territories. He writes weekly on Caribbean governance, audit, and assurance matters through Caribbean Boardroom Perspectives and The Caribbean Advisory Brief.

The Caribbean Audit Imperative

A twelve-article series from Dawgen Global  |  dawgen.global

About Dawgen Global