Risk of Material Misstatement: How to Assess.

by Charles Hall

https://cpahalltalk.com/assess-the-risk-of-material-misstatement/

How do you assess the risk of material misstatement? How do you know when to assess inherent

risk at high (or low)? Can you assess control risk at high for all assertions? What are significant

risks? These are common questions about the risk assessment process.

Today we’ll discuss how auditors assess and document risk. We’ll cover:

 Financial statement level risk

 Transaction level risk

 Risk of material misstatement

 Inherent risk

 Control risk

Understanding these concepts will put money in your pocket and will result in higher quality

audits.

Financial Statement Level Risk

Before picking our audit team, we need a general understanding of the entity.
 We must understand the business and its control environment to determine risks at the financial

statement level (I think of this as the overall risk). The overall risk will dictate our broader

responses such as who the audit team will be.

Consider whether the entity has:

 Complex transactions

 Related party transactions

 New accounting pronouncements

 Profit pressures

 Problem vendor relationships

 Going concern issues

 Potential debt covenants violations

 Cash flow problems

We also need to consider the risk of management override. This threat is always a possibility. If

management is playing on the edges, consider how you will add muscle and insight to your audit

team—or whether you should even perform the engagement.

Keep this thought in mind when considering financial statement level risk assessment: greater

overall threats call for a stronger audit team.

Transaction Level Risks

In a previous post, we discussed risk assessment procedures such as walkthroughs, fraud inquiries,

and planning analytics. The information gained from those steps is the basis for assessing risk at

the transaction level.

Should the transaction risk assessment be performed at the assertion level or for the transaction

cycle as a whole? Let’s answer this question by looking at how accounts payable risk might be

documented.

If we assess our risk of material misstatement at high for payables (as a whole), what are we

saying? That further audit procedures are necessary for all assertions. If we assess risk at high for

all payable assertions, and we don’t perform audit procedures in response to the (high) risk

assessment, we create an incongruity.We are saying that risk is high for all assertions, but our

responses don’t agree.

Wouldn’t it be better to assess risk at the assertion level? For example, if we’ve historically

proposed significant journal entries to record additional payables, maybe the risk of material

misstatement for the completeness assertion is high. Our audit procedures will include a search for

unrecorded liabilities. Now we have an appropriate risk assessment and response (what the audit

standards refer to as linkage). The remaining accounts payable assertions could possibly be

assessed at low.

Risk of Material Misstatement

We can express the risk of material misstatement (RMM) as:

 RMM = Inherent Risk X Control Risk

While audit standards don’t require that we assess inherent risk and control risk separately, it’s

helpful to do so. In a moment, we’ll see that inherent risk often drives our audit responses.

Inherent Risk

So what is inherent risk? My simple definition is the risk that exists when no controls are

present. (We are not saying controls don’t exist, just that we are disregarding them as we measure

inherent risk.)

Inherent risk can be a function of:

 The complexity of the transaction(e.g., derivatives are harder to understand)

 The nature of the financial statement item (e.g., cash is liquid and subject to theft)

 The experience and knowledge of the client’s accounting personnel

 Past audit issues in the area

 The volume of transactions

As we assess inherent risk, we ask, “what’s the chance that material misstatement will occur

assuming there are no related controls?”

Some areas are so risky that the audit standards refer to them as significant risks. These

areas require special audit consideration. Significant risks relate to transactions that are complex,

nonroutine, or involve judgment. For example, a bank’s allowance for loan losses—due to

complexity—demands extra scrutiny. The inherent risk in such areas will always be high.
Now, let’s marry inherent risk with control risk so we can determine our risk of material

misstatement.

Control Risk

For audits of smaller entities, control risk is often assessed at high—across the board. Why? To

save time. While control risk can’t be assessed at high before performing our risk assessment

procedures, we can do so afterward.

Assessing control risk at high is permissible as an efficiency decision. (Risk assessment procedures

are still required.)

If control risk is assessed at less than high, the auditor is required to test controls to support the

lower risk assessment. It maybe more economical to perform substantive procedures rather than

testing controls. We might, for example, be able to vouch all of the additions to property and

equipment in less time than it takes to test the related controls. If this is true, we will opt to use a

substantive approach (vouching all significant additions to invoices), and we will assess control

risk at high.

Also, it is possible to have a low to moderate risk of material misstatement if your inherent risk is

low—even if your control risk is high. How? Consider the following equation.

Risk of Material Misstatement Formula

IR (low) X CR (high) = RMM (low or moderate)

 What does this mean? Well, you can get to a low or moderate RMM without testing controls. Also,

you may not need to perform much in the way of substantive procedures–depending on your final

RMM for the area.

Plant, Property and Equipment Example

As an example of how this works, think about a low inherent risk assessment regarding plant,

property, and equipment.

 What’s the inherent risk related to theexistence of your client’s main office building? Low.

 If your client has no controls related to the existence of the building, would the lack of controls

have any bearing on the overall RMM? No.

 Do you need to test any controls? No.

 Do you need to perform any substantive procedures? Yes, if plant, property and equipment is

material. Why? ASC 330.18 says “Irrespective of the assessed risks of material misstatement, the

auditor should design and perform substantive procedures for all relevant assertions related to each

material class of transactions, account balance, and disclosure.”

 Do you need any substantive audit steps (concerning the building) in your audit program? Yes, but

it could be as simple as seeing the building (to address the existence assertion).

Call to Action

Consider reviewing your risk assessments, and see if some of the inherent risk assessments will

allow you to assess your RMMs at low to moderate–even if control risk is assessed at high.

This is the last in our series of posts about audit risk assessment. Thanks for joining in the journey.

If you have suggestions for other posts, please leave a comment with your idea. Thanks.