
SA 315 – Risk Assessment Procedures

## SA 315 – Identifying and Assessing ROMM

### The Four-Step Risk Assessment Process

Under SA 315, the auditor must:

| Step | Action |
|---|---|
| 1. Identify | Risks by understanding the entity and its environment (including Internal Controls) |
| 2. Assess | Whether identified risks relate more pervasively to FS as a whole |
| 3. Relate | Each risk to what can go wrong at the assertion level |
| 4. Consider | The likelihood of misstatement and its magnitude (could it lead to a material misstatement?) |

---

### Critical Note: RAP ≠ Sufficient Audit Evidence

> Risk Assessment Procedures (RAP) alone do NOT provide Sufficient Appropriate Audit Evidence (SAAE).

Reason: RAP helps the auditor understand risks and plan, but does not test the assertions themselves. The auditor must also perform Further Audit Procedures (FAP) in response to identified risks.

$$\text{Complete Audit} = \text{RAP} + \text{Further Audit Procedures}$$

---

### Procedures Performed During Risk Assessment Stage

#### 1. Inquiry of Management and Others Within the Entity

The auditor seeks information from multiple internal sources:

a) Employees (below management level)

  • Insights into appropriateness of policies for unusual or complex transactions
  • Ground-level understanding of how policies are actually applied

b) In-House Legal Counsel

  • Details on litigation (pending lawsuits)
  • Regulatory compliance issues
  • Fraud allegations
  • Warranty and post-sale obligations
  • Contract interpretation matters

c) Internal Audit Personnel

  • Information on Internal Control procedures and their design
  • Effectiveness of controls
  • Management's response to internal audit findings (were recommendations implemented?)

> Why multiple sources? Management may present an optimistic picture. Non-management employees, legal counsel, and internal auditors provide independent, more candid perspectives.

---

### Other Risk Assessment Procedures (to be covered further)

In addition to Inquiry, the auditor also performs:

  • Analytical Procedures (comparison of financial data to expected patterns)
  • Observation and Inspection (of the entity's operations, documents, reports)

These are covered in detail in subsequent topics (SA 315 procedures in full).

Worked example

### Example 1

Example – Inquiry from Legal Counsel:

During risk assessment of PQR Ltd, the auditor inquires with the company's in-house legal counsel. Counsel discloses: (1) a ₹2 crore product liability lawsuit filed by a customer, (2) a tax assessment order under appeal for ₹80 lakh, and (3) interpretation disputes on a major supply contract. None of these were mentioned by management during initial discussions. The auditor now identifies ROMM in Provisions & Contingent Liabilities and designs specific further audit procedures — legal confirmation letters and review of court documents.

### Example 2

Example – Why RAP alone is insufficient:

An auditor understands from risk assessment that the revenue area has high ROMM (startup company, aggressive revenue targets). This knowledge alone does not give the auditor evidence that revenue is misstated or correctly stated — it only tells the auditor WHERE to focus. The auditor must now perform Further Audit Procedures (e.g., vouching sales invoices, debtors circularization, cut-off testing) to actually obtain audit evidence on the revenue assertion.

### Example 3

Example – Inquiry from Internal Audit:

The internal audit team of XYZ Ltd recently completed a review of the procurement process and found that purchase orders above ₹5 lakh were not always getting dual authorization. Management acknowledged the finding but had not yet implemented the fix. For the statutory auditor, this signals HIGH Control Risk in the procurement area — appropriate further audit procedures (e.g., increased substantive testing of large purchases) must be planned.

⚠️ Common exam mistakes

  • Thinking Risk Assessment Procedures provide audit evidence — they only help identify and assess risk; Further Audit Procedures are needed for actual evidence.
  • Limiting inquiry only to top management — SA 315 requires inquiry from employees at various levels, legal counsel, and internal auditors for a complete picture.
  • Forgetting that internal audit findings must be followed up — if management did not implement recommendations, that itself is a risk signal.
  • Treating Step 4 (consider likelihood AND magnitude) as optional — both factors together determine whether ROMM is significant enough to drive further procedures.

Reference: SA 315 — SA 315 (Revised) – Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment