Risks of material misstatement (RoMM) and audit risks
Risk of material misstatement (‘RoMM’) may exist at the financial statement or at the level of individual financial statement assertions. To understand where risks arise at the financial statement assertion level, the auditor must identify significant classes of transactions and balances in which material misstatements may arise. Where RoMM exist at the assertion level, this will arise through a combination of inherent risk and control risks, both of which must be assessed if controls are expected to be relied on as part of the overall assessment of the RoMM.
ISA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement identifies five types of inherent risk factors, which increase the risk of material misstatement at either the assertion or financial statement level.
Candidates should consider whether these factors are present in the scenario provided to assist in identifying RoMM. Financial statement assertions where no inherent risk factors are present are unlikely to give rise to significant RoMM.
The auditor will then assess where on the spectrum of inherent risk these risks sit. This is a combination of the assessment of likelihood and magnitude of the potential misstatement. Significant audit risks are those at the upper end of the spectrum of inherent risk.
In the exam, candidates will be required to assess this likelihood and magnitude of potential misstatement when determining what constitutes a significant RoMM. Candidates should note that this definition of significant is a specific audit concept and should not be switched for other words with a similar meaning. Similarly, the word material has a specific definition in audit and should not be replaced by similar words, such as ‘significant’.
|Significant risk – an identified and assessed risk of material misstatement that, in the auditor’s judgement, requires special audit consideration. 1|
Exam questions at the planning stage of the audit will generally require candidates to demonstrate an understanding of the concept of a material misstatement. They will be required to identify and assess those significant RoMMs through application to a specific scenario. Candidates may be asked to evaluate and prioritise significant RoMM arising in a scenario, or to explain why a significant RoMM has been identified. In each case, candidates can use the potential materiality of a misstatement alongside the inherent risk factors to help them determine which items in the financial statements give rise to significant RoMM.
For guidance on how materiality is examined, see the specimen exam and the associated Read the Mind of the Marker (Q1) material on the ACCA website. The Examiners Report for the September 2022 examination will also provide additional guidance.
It is important for candidates to note that a RoMM must be capable of giving rise to a material misstatement and a significant RoMM must be high on the spectrum of inherent risk. Risks which could not create a material impact, or which are not significant will not be capable of obtaining credit where candidates have been asked to evaluate 'significant risks of material misstatement'.
Where a client undertakes a routine transaction for which there is no motivation for bias and no judgement or estimation involved, such as recording the purchase of land, will not give rise to a significant RoMM. In the absence of other information to the contrary, such a transaction will be recorded at cost and this is a factual amount. There may be judgement involved in the estimation of useful economic life of non-current assets, however, as the scenario is referring to land, and this should not be depreciated, so is not relevant in this instance. Unless there is information in the scenario to suggest the finance department are not competent enough to account for a straightforward tangible non-current asset transaction, then this is still unlikely to give rise to a significant RoMM.
Contrast this to a transaction which requires an area of estimation or judgement, or which may be influenced by management bias:
A company has a newly purchased and highly material intangible asset, such as a brand name. The determination of the useful economic life of an intangible asset is judgemental and will be decided by management to a significant extent (unless there is a defined usage of time on the brand name). Perhaps in the scenario the issue is compounded by management who are under pressure to achieve a certain interest cover ratio or earnings per share.
In this case, we have both judgement and management bias as inherent risk indicators. This is more likely to be a significant risk than the land purchase example above.
The assessment of inherent risk is the first stage of identifying and evaluating a significant RoMM.
An assessment of control risk over the related assertion is also required in assessing whether this RoMM is likely to occur in the financial statements. If information is provided about controls in the scenario, this should form part of your judgement in determining whether a risk is significant or not.
Sometimes this will be at the assertion level, for example, in the example of Winberry (September 2022), information was given in the scenario regarding the valuation of inventory:
In this scenario, although perishable items were ‘a significant proportion’, the scenario stated that the perishable items are carefully monitored by ‘experienced food and product technology professionals’. A large number of candidates discussed that this would be a valuation risk as inventory may be obsolete due to it being perishable. The scenario provides mitigation towards the risks of the valuation assertion.
The statement that ‘the company complies with all food safety legislation’ also mitigated the risk that the groceries may breach health and safety legislation.
Judging what is, or is not, a significant risk is a crucial skill for auditors and in the exam, the ability to make this judgement relevant to a specific scenario is critical to obtaining the credit required to pass.
Once candidates have identified a significant risk, this must be explained and evaluated in the context of the scenario. This evaluation will generally involve applying underlying financial reporting knowledge to the specific information in the scenario in order to evaluate where and how the risk arises in the scenario. This can often then be linked to specific movements in ratios and trends, as well as any specific risks of possible management bias.
Again, using an example from September 2022, there was a risk arising in the question of Winberry that the data breaches might give rises to fines from regulators. Management had not self-reported the breach in an attempt to avoid a fine. Most candidates identified there was a RoMM associated with the recording and disclosure of the potential fine. There are several different ways to evaluate this but one way which would score full marks would be to use the recognition criteria for a provision to begin the evaluation as illustrated below.
|Responses which will gain little or no credit in the exam:
Stating a business risk rather than a RoMM or audit risk
‘The company may be fined as a result of the data breach during the year’
Failure to use scenario specific information
‘If this is the case then there may be a requirement to create a provision for such a fine and make associated disclosures which management have not included in the financial statements’
Given that management haven’t reported the breach in order to avoid the fine, management will not have made a provision and or provide any disclosures in the financial statements. This is because management are trying to conceal it – this is scenario specific information, often candidates are told in a scenario whether a provision is made and any failure to make a provision would not then be the relevant risk.
Failure to apply financial reporting knowledge to the specific scenario
‘A provision is required where there is a present obligation as a result of a past event where settlement is probable, and a reliable estimate can be made’
This is deemed financial reporting knowledge from the FA exam and will not attract much credit as unapplied knowledge, as it is stated without reference to the scenario
Examples of evaluated responses
|Application of judgement
‘Given that the company do not wish to disclose the breach to the regulator, it is likely that a fine would be probable should the regulator be made aware of the breach’
‘If the breach is not reported to the regulator and is not disclosed by any other party, then the fine is not probable’
‘However, if it is possible the regulator would be made aware then there would be a contingent liability which would require disclosure in the financial statements’
These are demonstrations of candidate’s judgement as they are assessing the information in the scenario to draw conclusions and to evaluate the extent of the risk.
Demonstration of the wider commercial aspects of the lack of disclosure (credit for commercial acumen)
‘The disclosure of the contingent liability would effectively notify the regulator of the breach making the fine probable‘
Further actions relevant to the assertion and scenario
‘A reliable estimate will be obtained from reference to historical fines issued to other organisations for similar breaches hence a provision should be made’
This is an evaluation as to the correct action
Demonstration of recognition of potential management bias (scepticism by the auditor) ‘Management may be reluctant to provide for the fine as the reduction in profit as a result might mean interest cover covenants are breached’
Assessment of the scale and impact of the risk
‘As a result a provision might be omitted from the company liabilities and profits may be overstated as a result’
This is an assessment of the impact of the risk on the financial statements.
‘The amounts payable might be higher as a result of failure to self-report which increases the impact of the misstatement’
This is part of evaluating the scale of the risk
‘The potential impact of the understated expenses on the interest cover covenant may make this material by nature if it would result in a breach of covenants’
This demonstrates that the candidate has assessed the materiality of the breach, and even without a specific figure being stated, management’s attitude and the risk of breaching the bank covenants, are likely to make this risk material to the audit.
Linking the risk to wider issues
‘Management’s failure to self-report may give rise to concerns regarding management’s integrity. Which then gives rise to risks of material misstatement at the financial statements level, thereby reducing the reliability of management’s assertion as a form of audit evidence’
The above example is far longer than candidates would be required to make in exam conditions, however, this is the sort of good analysis which well-prepared candidates provided in the exam and illustrates the depth of evaluation possible using the information provided in the scenario.
Where more complex financial reporting is examined, such as those topics examined only at Strategic Business Reporting (SBR) level, additional credit will be available for the relevant underlying financial reporting knowledge, or where the candidate provides additional guidance on the relevant area of financial reporting raised in the scenario.
Other question styles may examine the understanding of inherent risks and RoMM in slightly different ways. One such approach would be for the candidates to justify why a particular risk has been classified as a RoMM by the audit partner. In this sort of question, the underlying skills are the same: These risks should be assessed for materiality and against the inherent risk factors to determine the likelihood and magnitude of the risk arising.
Using the provision example above – the answer would contain similar points of evaluation should the requirement ask candidates to explain why the fine gave rise to a significant risk of material misstatement in the financial statements. An answer here would focus on why the issue was material, where judgements and uncertainties arise and how that links to management bias risk.
Audit risk is the combination of RoMM and detection risk. Detection risks arise where the auditor procedures are such that audit procedures may not detect a material misstatement. Where a question requires audit risks, both detection risks and RoMM should be considered.
Some of these detection risks arise in special circumstances, such as group audits where the group auditor is reliant on component auditors or new clients where there is no past experience of the client and their business. Detection risks may also arise in audits where quality management or ethical threats may prevent the auditor from obtaining sufficient appropriate evidence. Examples of ethical and quality management threats which may increase detection risk include specialised industries where the audit team do not have appropriate, specialised competencies or where intimidation or self-interest threats prevent appropriate challenge of management. It is also the case that a lack of professional scepticism and confirmatory bias increase detection risk which is why the skills examined in this exam are important for auditors.
Professional marks awarded in audit risk and RoMM questions typically fall into the following broad categories
Analysis and evaluation
Prioritisation of significant risks. Here candidates will be awarded a mark for prioritising their most significant risks. This must be clearly stated. Simply saying 'significant risks include….' will not be awarded the professional skill mark. All the identified risks should be significant, so this is not specific enough. Stating 'the most significant risk is….' or 'the two most significant risks are…' should be enough to obtain the credit provided that the identified risk is a significant risk. A second professional skill mark is available for saying why that risk was selected. This may be justified on the basis of the likelihood or potential magnitude of the material misstatement. The mark here is for the demonstration of that evaluation to determine why something is important. There is no specific correct answer that the examining team are looking for, but rather a demonstration of the thought process behind the judgement.
This can be demonstrated in a conclusion at the end of the relevant requirement or through specific numbering and ordering of paragraphs. The former approach is likely to be easier for candidates in exam conditions.
Professional scepticism and judgement
These skills will test the ability of the candidate to challenge management’s accounting decisions and treatments, or to draw conclusions on why risks are significant in the specific scenario as well as the identification of areas of risk and bias. Often the examining team will allow credit for identifying a specific risk of bias from the scenario and additional marks for drawing conclusions on the accounting treatments used by management Scepticism is required to link risks and issues to management motives and consider the wider implications of the issue.
This skill can also be demonstrated through the evaluation of risks. Had the marks in the evaluation of business risks not been awarded for appreciating that failure to report may increase the severity of the fine, it could have been awarded here. Commercial acumen can sometimes by thought of as ‘how the world works’ as opposed to how the auditor thinks. For example, in a scenario assessing the risks arising in a group where a subsidiary has a year-end date a month earlier than the parent company, there are several risks arising from the group accounting implications of this situation. There are, however, further risks arising because the additional month of management accounts will make up the difference. Knowing that this extra month will not have been subject to audit, as well as that the company month end procedures are often less comprehensive than their year-end procedures, demonstrates a knowledge of commercial reality and this would form part of the assessment of commercial acumen.
Candidates preparing for the AAA exam should be mindful that they will be required to evaluate risks in the context of specific information provided in a scenario in the exam. The examining team are looking for depth of evaluation of significant risks, rather than brief and untailored answers covering large numbers of risks. Candidates are recommended to use past published questions to practice evaluating risks in scenarios, but should remain mindful that unless the answer is tailored to the specific information in their current exam scenario , very little credit will be awarded. Well prepared candidates using good technique often achieve full marks in risk questions and this is often indicative of those candidates demonstrating the requisite skills of an auditor.
(1) Glossary of Terms, IAASB (2020)