Exam technique 2 – Planning questions and risk (part 2)

RoMM and audit risk in the AAA exam

Risks of material misstatement (RoMM)

Risk of material misstatement (‘RoMM’) may exist at the financial statement level or at the level of individual financial statement assertions.

To understand where risks arise at the financial statement level, the auditor must identify significant classes of transactions and balances in which material misstatements may arise.

Where RoMM exist at the assertion level, they arise through a combination of inherent risk and control risk. Both must be assessed if controls are expected to be relied on as part of the overall assessment of the RoMM.

Inherent risks

ISA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement, identifies five types of inherent risk factors:

  • complexity
  • subjectivity
  • change
  • uncertainty
  • susceptibility to management bias or other fraud risk factors

Candidates should consider whether these factors are present in the scenario provided to assist in identifying RoMM.

Spectrum of risk

The auditor will then assess where on the spectrum of inherent risk these risks sit. This requires an assessment of likelihood and magnitude of the potential misstatement. Significant audit risks are those at the upper end of the spectrum of inherent risk. This will determine what is a significant RoMM.

Assessing the significance

Risks which could not create a material impact, or which are not significant, will not earn credit where candidates have been asked to evaluate ‘significant risks of material misstatement’.

Judging what is, or is not, a significant risk is a crucial skill for auditors, and in the exam the ability to make this judgement relevant to a specific scenario is critical to obtaining the credit required to pass.

Worked example

A company has a newly purchased and highly material intangible asset, such as a brand name. In the scenario, the issue is compounded by management, who are under pressure to achieve a certain interest cover ratio or earnings per share. The company has also purchased a plot of land for $3 million.

Management will use their judgement to decide the useful life of the intangible asset.

The purchase of land is factual, and unless there is evidence to the contrary, this will be stated at cost in the financial statements.

However, we have both judgement and management bias as inherent risk indicators in respect of the brand name. This is more likely to be a significant risk than the land purchase.

The assessment of inherent risk is the first stage of identifying and evaluating a significant RoMM.

Control risk

An assessment of control risk is also required in assessing whether this RoMM is likely to occur in the financial statements. If there is information provided about controls in the scenario, this should form part of candidates’ judgement in determining whether a risk is significant or not.

Sometimes this will be at the assertion level. For example, in Winberry (September 2022), information was given in the scenario regarding the valuation of inventory:


Although these perishable items were ‘a significant proportion’, the scenario stated that the items are monitored by ‘experienced food and product technology professionals’. Many candidates discussed that this would be a valuation risk as inventory may be obsolete; however, the scenario provides mitigation against these risks of valuation.

The statement that ‘the company complies with all food safety legislation’ also mitigated the risk that the groceries may breach health and safety legislation.

Note: Candidates should note that this definition of ‘significant’ is a specific audit concept and should not be switched for other words with a similar meaning. Similarly, the word ‘material’ has a specific definition in audit and should not be replaced by similar words, such as ‘significant’.

Significant risk – an identified and assessed risk of material misstatement that, in the auditor’s judgement, requires special audit consideration. 

Candidates will be required to identify and assess those significant RoMMs in the context of the specific scenario. Candidates may be asked to evaluate and prioritise significant RoMM arising in a scenario, or to explain why a significant RoMM has been identified (see the separate article on ‘Answering Section A questions in the AAA exam’ – access via the 'Related links' box).

Candidates can use the potential materiality of a misstatement alongside the inherent risk factors to help them assess which issues give rise to significant RoMM.


For guidance on how materiality is examined, see the specimen exam and the associated Read the Mind of the Marker (Q1) material on the ACCA website. The Examiners Report for the September 2022 examination will also provide additional guidance.

Evaluation of the risk

Significant risk, once identified, must be explained and evaluated in the context of the scenario. This often involves applying financial reporting knowledge to evaluate where and how the risk arises in the scenario. This may be supported by movements in ratios and trends, as well as any incidences of possible management bias.

In Winberry (Sept 2022), the scenario stated that the data breaches might give rise to fines from regulators. Management had not self-reported the breach in an attempt to avoid a fine. Although most candidates identified there was a RoMM associated with the recording and disclosure of the potential fine, few evaluated how significant an issue this may be.

One way to evaluate this would be to use the recognition criteria for a provision.

Examples of evaluated responses

These are examples of good analysis which well-prepared candidates have provided in the exam, and they illustrate the depth of evaluation possible using the scenario-specific information.

Application of judgement:
These are demonstrations of a candidate's judgement as they are assessing the information in the scenario to draw conclusions and to evaluate the extent of the risk.

‘Given that the company do not wish to disclose the breach to the regulator, it is likely that a fine would be probable should the regulator be made aware of the breach’

‘If the breach is not reported to the regulator and is not disclosed by any other party, then the fine is not probable’

‘However, if it is possible the regulator would be made aware then there would be a contingent liability which would require disclosure in the financial statements’

Demonstration of the wider commercial aspects of the lack of disclosure (credit for commercial acumen):
‘The disclosure of the contingent liability would effectively notify the regulator of the breach, making the likelihood of a fine more probable’

Further actions relevant to the assertion and scenario:
‘A reliable estimate can be made by reference to historical fines issued to other organisations for similar breaches, hence a provision should be made’

Demonstration of recognition of potential management bias (scepticism by the auditor):
‘Management may be reluctant to provide for the fine as the reduction in profit as a result might mean interest cover covenants are breached’

Assessment of the scale and impact of the risk:
These are assessments of the impact and scale of the risk on the financial statements.

‘As a result, a provision might be omitted from the company liabilities and profits may be overstated’

‘The amounts payable might be higher as a result of failure to self-report which increases the impact of the misstatement’

‘The potential impact of the understated expenses on the interest cover covenant may make this material by nature if it would result in a breach of covenants’

This demonstrates that the candidate has assessed the materiality of the breach and that, even without a specific figure being stated, management’s attitude and the risk of breaching the bank covenants are likely to make this risk material to the audit.

Linking the risk to wider issues:
‘Management’s failure to self-report may give rise to concerns regarding management’s integrity, which then gives rise to risks of material misstatement at the financial statements level, thereby reducing the reliability of management’s assertion as a form of audit evidence’

Where more complex financial reporting is examined, such as those topics examined only at Strategic Business Reporting (SBR) level, additional credit will be available for the relevant underlying financial reporting knowledge, or where the candidate provides additional guidance on the relevant area of financial reporting raised in the scenario.

Audit risk

Audit risk is the combination of RoMM and detection risk. Detection risks arise where there is a risk that a material misstatement may not be detected. Where a question requires audit risks, both detection risks and RoMM should be considered.

Some of these detection risks arise in special circumstances:

  • Group audits where the group auditor is reliant on component auditors.
  • New clients where there is no past experience of the client and their business.
  • Audits where quality management or ethical threats may prevent the auditor from obtaining sufficient appropriate evidence. For example, in specialised industries where the audit team do not have appropriate, specialised competencies or where intimidation or self-interest threats prevent appropriate challenge of management.

A lack of professional scepticism increases detection risk.

Professional marks

Professional marks awarded in audit risk and RoMM questions typically fall into the following broad categories.

Analysis and evaluation
Candidates will be awarded a mark for prioritising their most significant risks. This must be clearly stated. Simply saying ‘significant risks include...’ will not be awarded the professional skill mark. All the identified risks should be significant, so this is not specific enough. Stating ‘the most significant risk is ….’ or ‘the two most significant risks are…’ should be enough to obtain the credit provided that the identified risk is a significant risk.

A second professional skill mark is available for saying why that risk was selected. This may be justified based on the likelihood or potential magnitude of the material misstatement. The mark here is for the demonstration of that evaluation to determine why something is important. There is no specific correct answer that the examining team are looking for, but rather a demonstration of the thought process behind the judgement.

This can be demonstrated in a conclusion at the end of the relevant requirement or through specific numbering and ordering of paragraphs. The former approach is likely to be easier for candidates in exam conditions.

Professional scepticism and judgement
These skills will test the ability of the candidate to challenge management’s accounting decisions and treatments, or to draw conclusions on why risks are significant in the specific scenario as well as the identification of areas of risk and bias. Often the examining team will allow credit for identifying a specific risk of bias from the scenario and additional marks for drawing conclusions on the accounting treatments used by management. Scepticism is required to link risks and issues to management motives and consider the wider implications of the issue.

Commercial acumen
This skill can also be demonstrated through the evaluation of risks. Commercial acumen can sometimes be thought of as ‘how the world works as opposed to how the auditor thinks’. For example, in a scenario assessing the risks arising in a group where a subsidiary has a year-end date a month earlier than the parent company, there are several risks arising from the group accounting implications of this situation. There are, however, further risks arising because the additional month of management accounts will make up the difference. Knowing that this extra month will not have been subject to audit, as well as that the company’s month-end procedures are often less comprehensive than their year-end procedures, demonstrates a knowledge of commercial reality and this would form part of the assessment of commercial acumen.


Candidates will be required to evaluate risks in the context of specific information provided in a scenario in the exam. The examining team are looking for depth of evaluation of significant risks, rather than brief and untailored answers covering large numbers of risks. Candidates are recommended to use past published questions to practise evaluating risks in scenarios and to remember to tailor their answer to the specific information in their current exam scenario; otherwise, little credit will be awarded.

Candidates who follow the rules of WHAT/WHY/IMPLICATION are likely to maximise their technical marks as well as demonstrating good professional skills (and therefore professional skill marks).

Written by a member of the AAA examining team