A Comprehensive Guide to Assessing Material Misstatement Risks
- By Taxmann
- Last Updated on 12 September, 2023
Table of Contents
- Introduction
- Reasonable Assurance
- Material Misstatement
- Audit Risk
- Inherent Risk
- Control Risk
- Detection Risk
- Benefits of Risk Based Audit
- Concept of Risk Assessment
Check out Taxmann's Audit of Financial Statements, a comprehensive guide that assists auditors conducting financial statement audits, covering every step from auditor appointment to audit report issuance. It incorporates practical examples, detailed procedures, relevant legal requirements, and templates for documentation. While it is specifically geared towards auditing companies not following Ind AS, its core concepts apply to all auditing scenarios.
1. Introduction
A traditional audit focused on the transactions which make up the financial statements such as the balance sheet. A risk-based approach seeks to identify risks with the greatest potential impact.
Standards on Auditing issued by the Institute of Chartered Accountants of India prescribe a risk-based audit approach. The auditor’s objective in a risk-based audit is to obtain reasonable assurance that no material misstatements, whether caused by fraud or error, exist in the financial statements.
2. Reasonable Assurance
Reasonable assurance relates to the whole audit process. It is a high level of assurance but is not absolute. Reasonable assurance is obtained when the auditor has obtained sufficient appropriate audit evidence to reduce audit risk to an acceptably low level.
The auditor cannot provide absolute assurance due to the inherent limitations in the work carried out, the human judgments required, and the nature of evidence examined. The following are some of the inherent limitations of an audit:
1. The preparation of financial statements involves judgment and subjective decisions or assessments (such as estimates) by the management;
2. Much of the audit evidence obtained by the auditor tends to be persuasive in character rather than conclusive;
3. Audit procedures, however well designed, will not detect every misstatement. This is because:
a. Any sample of less than 100% population introduces some risk that a misstatement will not be detected;
b. Management or others may not provide the complete information required. This may be intentional or unintentional;
c. Frauds are generally sophisticated and carefully organised schemes designed to conceal them;
d. Audit procedures may not be able to detect misstatement.
3. Material Misstatement
A material misstatement (either individually or the aggregate of all uncorrected misstatements and missing/misleading disclosures in the financial statements) is said to have occurred when it could reasonably be expected to influence the economic decisions of users made on the basis of the financial statements.
The risk of material misstatement may exist at two levels:
1. The overall financial statement level; and
2. The assertion level for classes of transactions, account balances, and disclosures.
4. Audit Risk
Audit Risk is defined as:
- The risk that financial statements contain a material misstatement; and
- The risk that the auditor will not detect such a misstatement.
In other words, audit risk is the risk of expressing an inappropriate audit opinion on the financial statements that are materially misstated. For example, the auditor gives an unmodified opinion, where in fact, the auditor should have given a qualified opinion. The objective of financial statement audit is to reduce audit risk to an acceptably low level.
Components of Audit Risk
5. Inherent Risk
It is the susceptibility of an assertion to a misstatement that could be material, individually or when aggregated with other misstatements, assuming that there are no related controls. Inherent risk is addressed at both the financial statement level and at the assertion level.
Inherent risk includes events or conditions (whether internal or external) that could result in a misstatement (whether due to error or fraud) in the financial statements. The sources of risk can arise from the entity’s objectives, the nature of its operations/industry, the regulatory environment in which it operates, and its size and complexity.
Example of Inherent risk: Technological developments might make a particular product obsolete, thereby causing inventory to be more susceptible to overstatement as the same may have to be sold at heavy discount thus having lower net realisable value.
6. Control Risk
It is the risk that the entity’s internal control system will not prevent, or detect and correct on a timely basis, a misstatement that could be material, individually or when aggregated with other misstatements.
Example of Control risk: Lack of inventory controls such that employees at a store could walk away with inventory undetected. This may result in a possible risk of material misstatement if the inventory were small, portable and valuable, such as jewellery.
7. Detection Risk
Detection Risk is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.
8. Benefits of Risk Based Audit
Performing an audit as per Risk Based approach has several benefits, some of which are:
(a) Time flexibility for audit work
Risk assessment procedures do not involve the detailed testing of transactions and balances and therefore, can be performed well before the year end, assuming no major operational changes are anticipated. This can help audit firms to balance the workload of their staff more evenly throughout the year.
Performing risk assessment procedures prior to year-end also provides the client with time to respond to identified (and communicated) weaknesses in internal control and other requests for assistance before the commencement of year-end audit fieldwork.
(b) Audit team’s effort focused on key areas
Under the risk-based audit, the auditor understands where the risks of material misstatement can occur in the financial statements and, therefore, the audit team’s effort can be directed towards high-risk areas rather than towards lower-risk areas. This will also ensure efficient utilisation of audit staff resources.
(c) Audit procedures focused on specific risks
Further audit procedures are designed to respond to assessed risks. As a result, tests of details/substantive procedures that only address risks in general terms may be significantly reduced or even eliminated. An understanding of internal controls enables the auditor to make informed decisions on whether to test the operating effectiveness of internal controls. Performing tests of controls will significantly reduce the work of the auditor as compared to performing extensive tests of details.
(d) Communication of matters of interest to management
The improved understanding of internal control may enable the auditor to identify weaknesses in internal controls that were not previously recognised. Communicating these weaknesses to management on a timely basis will enable the management to take appropriate corrective action. This may further save time in performing the audit.
9. Concept of Risk Assessment
Risk-based audits require auditors to understand the entity and its environment, including internal controls. The objective is to identify and assess the risks of material misstatement of the financial statements.
A thorough understanding and assessment of the risks of material misstatement, whether due to fraud or error, in the financial statements is fundamental to performing an efficient and effective audit and is at the core of standards on auditing.
Risk assessment requires considerable professional judgment and it is, therefore, important that the audit partner and senior audit team members be actively involved in identifying and assessing the various types of risks and develop an appropriate audit response.
The risk assessment phase of the audit involves the following steps:
- Performing client acceptance or continuance procedures (in accordance with requirements of SQC 1 issued by ICAI);
- Planning the overall engagement;
- Performing risk assessment procedures to understand the business and identify inherent and control risks;
- Identifying relevant internal control processes and assessing the design and implementation of those controls that will either prevent material misstatements from occurring or detect and correct misstatements after they have occurred;
- Assessing the risks of material misstatement in the financial statements;
- Identifying the significant risks that require special audit consideration and those risks for which substantive procedures alone are not sufficient;
- Communicating any material weaknesses in the design and implementation of internal control to management and those charged with governance; and
- Making an informed assessment of the risks of material misstatement at the financial statement level and at the assertion level.
9.1 Risk Assessment Procedures
Inherent risks are identified by performing the following procedures:
- Understanding the Entity and its environment
- Fraud Risk Assessment
- Evaluation of Going Concern
- Performing Preliminary Analytical Review
Control risks are identified during the following procedures:
- Understanding and evaluation of Internal Controls
- Evaluation of Information Technology
- Process Notes and Walkthrough
9.2 Risk Assessment Process
The process of risk assessment involves the following steps:
(i) identify possible risks of material misstatement;
(ii) for each possible risk of material misstatement, assess whether it is at the financial statement level or assertion level;
(iii) for each identified possible risk of material misstatement, assess whether it is in fact a risk of material misstatement and whether such risk of material misstatement is a significant risk of material misstatement.
It is important to note that while risk assessment is done as part of the planning stage of the audit, it is a pervasive activity. As the auditor performs audit procedures, whether tests of control or substantive procedures, the auditor assesses the evidence obtained and evaluates whether new risks of material misstatement are identified. This may be so where the audit evidence obtained or new information obtained is inconsistent with the audit evidence on which the auditor originally based the assessment. For example, during the course of audit, the auditor notes that the explanations being given by the Finance Head are inconsistent with other evidence that the auditor obtains. This may cause the auditor to reassess the engagement level risk and redesign the audit strategy. Another example can be that during the course of audit the engagement team comes across fraud by employees by falsification of expense vouchers.
9.2.1 Identify Possible Risks of Material Misstatement
Risks are identified from the information gathered by performing the following procedures:
- Inquiries of management and others
- Observation and inspection
- Analytical Procedures
In identifying possible risks of material misstatement, the auditor should resist the temptation to only list the risk factors that are likely to be significant or important. To meet the objective of reducing audit risk to an acceptably low level, the auditor should prepare a comprehensive listing of possible risks of material misstatements. Inconsequential risk factors are eliminated after each possible risk has been appropriately assessed.
Identification of risks is an ongoing process throughout the audit. As the audit progresses, the auditor may identify additional risks. These should be added to the list of possible risks and appropriately assessed before making a decision as to whether any further audit procedures are required.
9.2.2 Assess whether identified possible risk of material misstatement is at the financial statement level or assertion level
Risk assessment procedures are performed to identify and assess risks at both the financial statement level and the assertion level for material classes of transactions, account balances, and disclosures. This enables the auditor to design and perform further audit procedures to obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level. Risk assessment procedures by themselves, however, do not provide sufficient appropriate audit evidence on which to base the audit opinion.
Risk Assessment at the overall financial statement level refers to risks of material misstatement that relate pervasively to the financial statements as a whole and therefore potentially affect all assertions. These are the risks of material misstatement that, in the auditor’s judgment, are not confined to specific elements, accounts or items of the financial statements. As these impact the financial statements as a whole, they result in a change of overall behaviours and testing strategy relating to the audit as a whole.
Assessed risks at the financial statement level are pervasive in nature and, therefore, require an overall audit response. This may include determining the experience of the audit team, the level of supervision required, and any required modification to the nature and extent of planned procedures.
The second risk assessment relates to risks identifiable with specific assertions at the class of transactions, account balance, or disclosure level. This means that for each account balance, class of transactions and disclosures, an assessment of risk should be made for each individual assertion being addressed.
To respond to the risks at the assertion level, the auditor performs further audit procedures such as test of controls, tests of details, and substantive analytical procedures.
Assertions
Assertions are representations by management, explicit or otherwise, that are embodied in the financial statements. Assertions relate to the recognition, measurement and presentation of classes of transactions and events, account balances and disclosures in the financial statements.
The Implementation Guide on “Risk Based Audit” issued by the Institute of Chartered Accountants of India considers the following assertions:
(a) Completeness (C)
(b) Existence (E)
(c) Accuracy (A)
(d) Valuation (V)
(e) Presentation (P)
(a) Completeness
In presenting the financial statements, management asserts that:
(1) all assets, liabilities and ownership interests that exist at the balance sheet date are recorded in the correct period; and
(2) all revenue and expense transactions that occurred during the period are recorded in the correct period.
Example: Omission to record purchases related to the current period where invoices are received after the year end. In this scenario, there is a risk of material misstatement associated with the ‘Completeness’ assertion, that is, purchases are not completely recorded.
(b) Existence
In presenting the financial statements, management asserts that:
(1) all recorded assets exist at the balance sheet date and the entity has the benefit of ownership.
(2) all recorded liabilities and ownership interests exist at the balance sheet date and are attributable to the entity.
(3) all recorded revenues and expenses represent economic events that occurred during the period and are attributable to the entity.
Example: As per terms of agreement, risk and reward related to goods is transferred upon delivery at the premises of Indian Railways and approval by Indian Railways. It takes 7 days for the goods to be delivered. The company, however, records sales immediately on dispatch of goods on 31st March. This would cause the current year balance to include revenue that did not occur (‘exist’) in the current period.
(c) Accuracy
In presenting the financial statements, management asserts that all recorded assets, liabilities, ownership interests, revenues and expenses are shown in the accounting records at amounts that are arithmetically correct, summarized appropriately and posted correctly.
Example: Repairs and maintenance: It is possible that some of these expenses need to be capitalized and have not been ‘accurately’ posted to the capital asset account.
(d) Valuation
When presenting the financial statements, management asserts that all assets, liabilities, ownership interests, revenues and expenses are valued at appropriate carrying amounts in accordance with their nature and also in accordance with applicable accounting principles.
Example: Even though there is a significant decline in the sales price of finished goods, and these are expected to be sold at a price lower than cost, the valuation of inventory has been done at cost. Here the ‘valuation’ of inventory is not correct.
(e) Presentation
In presenting the financial statements, management asserts that the financial statements are fairly presented; that the figures within them are properly classified, described and disclosed in accordance with applicable accounting principles and the relevant financial reporting framework, and that financial information is appropriately presented, and disclosures are clearly expressed.
Example: There is a risk that there is a material uncertainty regarding going concern, but the management has not made proper disclosures as per SA 570 (Revised).
The auditor designs and performs further audit procedures considering whether the identified possible risk of misstatement relates pervasively to the financial statements as a whole, or whether it relates to specific account balances and assertions.
Financial Statement level risks require the auditor to change overall behaviours and testing strategy relating to the audit as a whole, rather than applying specific audit procedures to particular account balances and assertions. For example, the impact of a company having an incompetent bookkeeper/finance manager cannot be allocated to a specific financial statement area and is therefore a financial statement level risk.
The auditor considers risks of material misstatement at the assertion level for classes of transactions, account balances, and disclosures. This consideration determines the nature, timing, and extent of audit procedures required at the assertion level to obtain sufficient appropriate audit evidence. For example, valuation of slow-moving or obsolete inventory is an assertion level risk as incorrect valuation of inventory (for example, not valued at lower of cost and net realisable value as per Accounting Standard 2) affects the ‘valuation’ assertion.
It is important to relate an account balance risk to an assertion. Not doing so will result in a vague risk identification and designing an appropriate response to such risk will be difficult. It will in most cases defeat the objective of risk based audit. Consider the following example:
Example: A company is supplying products to a large customer with multiple locations. Products are supplied to various locations of the customer across the country. The delivery of goods at the respective customer locations takes anytime between 4 days to 30 days depending on the location of the customer and mode of transport. Risks and rewards are transferred when the delivery is made at the specified location. In this case identifying “Sale of Goods” as a risk is a vague risk. This is so because risks in sale of goods could be any of the following possible risks:
(a) Understatement of sales, that is, even though goods have been delivered, sales have not been recorded (Assertion- Completeness);
(b) Overstatement of sales, that is, even though goods have not been delivered (or not even dispatched), sales have been recognised (Assertion- Existence);
(c) Unauthorised discounts are given to the customer (Assertion- Valuation);
(d) Invoices are prepared manually and there is a possibility of arithmetical errors in the invoice and hence incorrect recording of sales (Assertion- Accuracy);
(e) In case sales are in foreign currency, incorrect exchange rate (Assertion- Valuation).
Unless the audit team assigns an assertion to the risk in sale of goods, the audit team will not be able to design a suitable response to the assessed risk of material misstatement and will end up doing detailed testing to address all assertions thus defeating the objective of risk based audit.
Now assume that the audit team concludes that the risk is related to cut-off (Existence assertion) because sales are recognised even though the goods have not been delivered and hence risks and rewards have not been transferred. In such a scenario the audit team can perform specific procedures for testing cut-off by examining the proof of delivery for dispatches made in the last month (or such number of days as considered appropriate) and verify that all recorded sales pertain to goods delivered by the year-end. The audit team may perform lower level of testing to address other assertions.
9.2.3 Assess for each identified possible risk of material misstatement, whether it is in fact a risk of material misstatement and whether such risk of material misstatement is a significant risk of material misstatement
As part of the risk assessment, the audit team lists all possible risks of material misstatement based on audit team’s understanding of the entity and its environment. However, not all possible risks of material misstatements may actually be a risk of material misstatement.
The key members of the audit engagement team should discuss all identified possible risks of material misstatement and conclude whether these are in fact risks of material misstatement. The audit team should document the reasons for such conclusion.
Example: The engagement team identifies valuation of inventory of a particular product to be a possible risk of material misstatement considering the nature of inventory and the auditor’s understanding of the market conditions. However, during the discussions among the engagement team, it is noted that the year-end inventory of the particular product is highly immaterial to the financial statements as a whole and therefore, concluded that the same is not a risk of material misstatement.
After the audit team has assessed all possible risks of material misstatement and determined the risks of material misstatement, it is important to assess their significance.
9.2.4 Significant Risks of Material Misstatement
Significant risks of material misstatements are those risks that, in the auditor’s judgment, require special audit consideration. The auditor makes this assessment before consideration of any internal control that mitigates the risks.
Example: An entity dealing with a large inventory of diamonds would have a high inherent risk of theft given the nature of the inventory.
The auditor considers at least the following factors to make an assessment of the significance of risk of material misstatement:
(i) Whether the risk is a risk of fraud;
(ii) whether it is related to recent significant economic, accounting or other developments and, therefore, requires specific attention;
(iii) the complexity of transactions;
(iv) whether the risk involves significant transactions with related parties;
(v) the degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty;
(vi) whether it involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual.
Significant risks often relate to significant non-routine transactions or judgmental matters. Non-routine transactions are those transactions that are unusual, due to either size or nature, and that therefore occur infrequently. Judgmental matters may include the development of accounting estimates for which there is significant measurement uncertainty.
Where the auditor identifies a risk of material misstatement due to fraud, such a risk is always considered as a significant risk.
9.2.5 Assessment of Risks of Material Misstatement
In assessing the risks of material misstatement, the auditor should consider both:
- Likelihood of risk occurrence; and
- Magnitude of impact of the risk resulting in material misstatement
Examples:
(i) Consider a company having a turnover of ₹ 1000 crores and a net worth of ₹ 500 crores. The company is highly profitable and has significant bank balances. All transactions are done through banking channels. However, the company maintains some cash balance not exceeding ₹ 1 lakh. The cash is in the custody of a cashier who is the sole person to handle cash. In this case even though the likelihood of misappropriation of cash is high, the magnitude of material misstatement resulting from such misappropriation is not material and hence the auditor does not consider this as a risk of material misstatement.
(ii) Consider a company supplying goods to a large profitable public sector undertaking (PSU) owned by the Government of India. Majority of sales are to this PSU. The outstanding receivables from the PSU are ₹ 200 crores and the total sales of the Company is ₹ 700 crores. All dispatches are done after inspection by an authorised representative of the PSU and all terms of the sales order are complied with. The receipt of goods has been acknowledged by the customer. However, there has been a significant delay in payment beyond the usual credit period due to nationwide lockdown lasting more than a month. In this case, the magnitude of impact on the financial statements resulting from bad debts is high as the receivables constitute a significant portion of the sales of the company. However, the likelihood of a profitable government owned PSU defaulting in payment, particularly when all terms of the sales order have been complied with, is low even though there might be delays in settlement. The auditor needs to exercise professional judgment considering other factors and information. However, in this case if instead of a large PSU, the customer was a non-government company whose business was severely impacted due to lockdown, the auditor’s assessment of risk would be different despite a good past track of payments by the customer.
(iii) Consider a company engaged in retail sales of fashion products operating through multiple stores across the country and having a turnover of ₹ 100 crores. The sales at the stores are both in cash and through credit and debit cards. Even though the invoicing is done through a software, use of manual bills is not uncommon. At times the cashier punches cash sales as card sales and vice versa. Cash collected through sales is to be deposited in the bank on the next working day. Reconciliation of daily sales with daily cash deposits is done only periodically at the corporate office. In this case both the likelihood of misappropriation of cash and the magnitude of material misstatement are high and therefore, the auditor should consider this to be a risk.
9.3 Presumed risks of Material Misstatement
Standard on Auditing, SA 240, ‘The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements’ requires that when identifying and assessing the risks of material misstatement due to fraud, the auditor shall, based on a presumption that there are risks of fraud in revenue recognition, evaluate which types of revenue, revenue transactions or assertions give rise to such risks.