Risk of Material Misstatement: How to Assess

By Charles Hall | Accounting and Auditing

Nov 18

How do you assess the risk of material misstatement? How do you know when to assess inherent risk at high (or low)? Can you assess control risk at high for all assertions? What are significant risks? These are common questions about the risk assessment process.

Audit Risk Assessment

Picture is courtesy of DollarPhotoClub.com

Today we’ll discuss how auditors assess and document risk. We’ll cover:

  • Financial statement level risk
  • Transaction level risk
  • Risk of material misstatement
  • Inherent risk
  • Control risk

Understanding these concepts will put money in your pocket and will result in higher quality audits.

Financial Statement Level Risk

Before picking our audit team, we need a general understanding of the entity.

We must understand the business and its control environment to determine risks at the financial statement level (I think of this as the overall risk). The overall risk will dictate our broader responses such as who the audit team will be.

Consider whether the entity has:

  • Complex transactions
  • Related party transactions
  • New accounting pronouncements
  • Profit pressures
  • Problem vendor relationships
  • Going concern issues
  • Potential debt covenants violations
  • Cash flow problems

We also need to consider the risk of management override. This threat is always a possibility. If management is playing on the edges, consider how you will add muscle and insight to your audit team—or whether you should even perform the engagement.

Keep this thought in mind when considering financial statement level risk assessment: greater overall threats call for a stronger audit team.

Transaction Level Risks

In a previous post, we discussed risk assessment procedures such as walkthroughs, fraud inquiries, and planning analytics. The information gained from those steps is the basis for assessing risk at the transaction level.

Should the transaction risk assessment be performed at the assertion level or for the transaction cycle as a whole? Let’s answer this question by looking at how accounts payable risk might be documented.

If we assess our risk of material misstatement at high for payables (as a whole), what are we saying? That further audit procedures are necessary for all assertions. If we assess risk at high for all payable assertions, and we don’t perform audit procedures in response to the (high) risk assessment, we create an incongruity. We are saying that risk is high for all assertions, but our responses don’t agree.

Wouldn’t it be better to assess risk at the assertion level? For example, if we’ve historically proposed significant journal entries to record additional payables, maybe the risk of material misstatement for the completeness assertion is high. Our audit procedures will include a search for unrecorded liabilities. Now we have an appropriate risk assessment and response (what the audit standards refer to as linkage). The remaining accounts payable assertions could possibly be assessed at low.

Risk of Material Misstatement

We can express the risk of material misstatement (RMM) as:

RMM = Inherent Risk X Control Risk 

While audit standards don’t require that we assess inherent risk and control risk separately, it’s helpful to do so. In a moment, we’ll see that inherent risk often drives our audit responses.

Inherent Risk

So what is inherent risk? My simple definition is the risk that exists when no controls are present. (We are not saying controls don’t exist, just that we are disregarding them as we measure inherent risk.) 

Inherent risk can be a function of:

  • The complexity of the transaction (e.g., derivatives are harder to understand)
  • The nature of the financial statement item (e.g., cash is liquid and subject to theft)
  • The experience and knowledge of the client’s accounting personnel
  • Past audit issues in the area
  • The volume of transactions

As we assess inherent risk, we ask, “what’s the chance that material misstatement will occur assuming there are no related controls?”

Some areas are so risky that the audit standards refer to them as significant risks. These areas require special audit consideration. Significant risks relate to transactions that are complex, nonroutine, or involve judgment. For example, a bank’s allowance for loan losses—due to complexity—demands extra scrutiny. The inherent risk in such areas will always be high.

Now, let’s marry inherent risk with control risk so we can determine our risk of material misstatement.

Control Risk

For audits of smaller entities, control risk is often assessed at high—across the board. Why? To save time. While control risk can’t be assessed at high before performing our risk assessment procedures, we can do so afterward

Assessing control risk at high is permissible as an efficiency decision. (Risk assessment procedures are still required.)

If control risk is assessed at less than high, the auditor is required to test controls to support the lower risk assessment. It may be more economical to perform substantive procedures rather than testing controls. We might, for example, be able to vouch all of the additions to property and equipment in less time than it takes to test the related controls. If this is true, we will opt to use a substantive approach (vouching all significant additions to invoices), and we will assess control risk at high.

Also, it is possible to have a low to moderate risk of material misstatement if your inherent risk is low—even if your control risk is high. How? Consider the following equation.

Risk of Material Misstatement Formula

IR (low) X CR (high) = RMM (low or moderate)

What does this mean? Well, you can get to a low or moderate RMM without testing controls. Also, you may not need to perform much in the way of substantive procedures–depending on your final RMM for the area.

Plant, Property and Equipment Example

As an example of how this works, think about a low inherent risk assessment regarding plant, property, and equipment. 

  • What’s the inherent risk related to the existence of your client’s main office building? Low. 
  • If your client has no controls related to the existence of the building, would the lack of controls have any bearing on the overall RMM? No. 
  • Do you need to test any controls? No. 
  • Do you need to perform any substantive procedures? Yes, if plant, property and equipment is material. Why? ASC 330.18 says “Irrespective of the assessed risks of material misstatement, the auditor should design and perform substantive procedures for all relevant assertions related to each material class of transactions, account balance, and disclosure.”
  • Do you need any substantive audit steps (concerning the building) in your audit program? Yes, but it could be as simple as seeing the building (to address the existence assertion).

Call to Action

Consider reviewing your risk assessments, and see if some of the inherent risk assessments will allow you to assess your RMMs at low to moderate–even if control risk is assessed at high.

This is the last in our series of posts about audit risk assessment. Thanks for joining in the journey.

If you have suggestions for other posts, please leave a comment with your idea. Thanks.

Learn from my CPA Hall Talk newsletter!

Get my free weekly accounting and auditing digest with the latest content.

Powered by ConvertKit

About the Author

Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty years, he has primarily audited governments, nonprofits, and small businesses.He is the author of The Little Book of Local Government Fraud Prevention and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events.Charles is the quality control partner for McNair, McLemore, Middlebrooks & Co. where he provides daily audit and accounting assistance to over 65 CPAs. In addition, he consults with other CPA firms, assisting them with auditing and accounting issues.

Leave a Comment:

(4) comments

armando balbin November 18, 2015

No question that assessing the risks is the most efficient way to perform an audit. No question either that the required risk assessment documentation is needed for an appropriate audit planning, execution, and review. However, the documentation requirement should be a bit different between the audit of a large company, having several on the field auditor, and one small company being audited by one CPA with no assistants. I like to put an example, which is not in the risk assessment but in the audit program; it conveys my idea better. The need to relate the audit procedure to a specific assertion, like the reason for confirming the bank balance. If we are to make a road trip from California to Florida, we take a map and plan it in detail, including which highways to take, motels, etc. Do we need to do the same planning when we go to the neighborhood grocery store? Excessive documentation at the very small organization level is undue, overloading the audit work and the related expense.

Charles Hall November 20, 2015

Armando, yes, the audit documentation for smaller audits should be less than that of larger audits. For many smaller audits, there may only be two or three areas that deserve extra attention. By performing the risk assessment work, we can know what those areas are.

Bill Allen November 23, 2015

To further clarify IC testing. It is only used to lower RMM, so if you have a low IR there is no need to test controls to lower the RMM. The only other time to test controls is when it is required as in the Single Audit.
As to the statement that no audit procedures are required in the above example, I don’t agree. If an account is significant (building) and the relevant assertions are existence and valuation. If you assess IR as low you must still perform a substantive test. In this example I would use an analytic such as “I see the building” and “I compared depreciation to the last 5 years and it is consistent.” AU-C Section 330.18 requires a substantive test be performed on all relevant assertions.
Great article and good example of how a proper risk assessment will increase audit proficiency.

Charles Hall November 23, 2015

Bill, good to hear from you. I haven’t seen you in some time. I agree with your comment about IC testing–only needed if we are trying to lower RMM (and for Single Audits).

I also agree that substantive tests are required for all relevant assertions. A relevant assertion is one that has a meaningful bearing upon the fair presentation of the account. So is there a relevant assertion for the building? “Seeing” and documenting the visual of the building definitely takes care of the existence assertion. And it certainly would not hurt to inquire about impairment. Of course, the visual inspection of the building would also help support the impairment consideration. I don’t disagree with the performance and documentation of this procedure– wouldn’t hurt to do so and would only take a minute.

Thanks for you comments and take care.

Add Your Reply

Leave a Comment: