Components of ROMM – Inherent Risk & Control Risk

## Components of ROMM: Inherent Risk & Control Risk

ROMM = Inherent Risk (IR) × Control Risk (CR)

Both are entity-level risks — they exist independent of the audit and can only be influenced by the client, not by the auditor.

---

### Inherent Risk (IR)

Definition: The susceptibility of an assertion (related to an account balance, class of transactions, or disclosure) to a misstatement that could be material — before considering any related internal controls.

Inherent Risk arises due to:

• Nature of the Business (e.g., complex industry)
• Nature of the Assertion (e.g., estimates involve judgment)

> Inherent Risk may be higher for some assertions than others.

#### Factors that Increase Inherent Risk:

#### Examples:

• Revenue area in a startup (high judgment, pressure to show growth)
• Complex financial instruments (derivatives valuation)
• Goodwill impairment testing

---

### Control Risk (CR)

Definition: The risk that a material misstatement that could occur in an assertion will not be prevented, detected, or corrected on a timely basis by the entity's Internal Control system.

#### Key Relationships:

> Inverse relationship: Better internal controls → Lower Control Risk

#### Examples of High Control Risk:

• Unauthorised access to cash (no segregation of duties)
• Petty cash limits (e.g., ₹10,000) not adhered to
• No authorization required for journal entries
• Absence of bank reconciliation

---

### Important Note: Both IR & CR are Entity Risks

• They exist independent of the audit
• They can only be influenced by the client through improvements to operations and controls
• The auditor cannot change IR or CR — only Detection Risk
• IR and CR together constitute ROMM

$$\text{ROMM} = \text{IR} \times \text{CR}$$