
Audit Risk and its Components (ROMM, Inherent, Control & Detection Risk)

# Audit Risk and Risk Assessment

## What is a Misstatement?

A misstatement is the difference between the Amount, Classification, Presentation, or Disclosure (ACPD) of a reported financial statement (FS) item and the ACPD required by the Applicable Financial Reporting Framework (AFRF).

### Examples of Misstatements

  • Charging capital expenditure to revenue or vice versa
  • Difference in disclosure vs AFRF requirement
  • Selection of inappropriate accounting policies
  • Inappropriate accounting estimates
  • Intentional booking of fake expenses
  • Overstating receivables by not writing off irrecoverable debts
  • Overstating or understating inventories

## Audit Risk — Definition

Audit Risk = Risk that the auditor expresses an inappropriate audit opinion on FS that are materially misstated.

## Components of Audit Risk

### 1. Risk of Material Misstatement (ROMM)

Risk that a material misstatement (MM) may exist in the FS before the start of the audit. ROMM exists at two levels:

| Level | Description |
|---|---|
| Overall FS level | Risks that relate pervasively (widespread) to FS as a whole and impact many assertions |
| Assertion level | Assessed to determine Nature, Timing & Extent (NTE) of Further Audit Procedures (FAP) |

ROMM at assertion level has 2 components:

  • Inherent Risk: Susceptibility of an assertion to misstatement that could be material, individually or when aggregated, assuming there are no related controls
  • Control Risk: Risk that the Internal Control System (ICS) will not prevent or detect & correct a misstatement on a timely basis. Inverse relation with efficiency of IC. Some control risk will always exist due to inherent limitations of ICS.

> Important: Inherent Risk and Control Risk are entity's risks — they exist independently of the audit and are NOT influenced by the auditor.

### 2. Detection Risk

Risk that the auditor will not detect a misstatement that could be material, individually or when aggregated.

Key features:

  • Inverse relationship with ROMM
  • Reduced by: increasing area of checking, testing larger samples, using competent & experienced team
  • Comprises Sampling Risk and Non-Sampling Risk (SA 530)

## The Audit Risk Equation

```

Audit Risk = ROMM × Detection Risk

Audit Risk = Inherent Risk × Control Risk × Detection Risk

```

Objective: Reduce audit risk to an acceptably low level by reducing Detection Risk (SA 200), since Inherent and Control Risk cannot be controlled by the auditor.

## What is NOT Audit Risk?

Audit risk does NOT refer to the auditor's business risks like:

  • Loss from litigation
  • Adverse publicity
  • Risk that auditor expresses opinion that FS are materially misstated when they are not

## Combined Assessment of ROMM

  • SAs do not refer to inherent & control risk separately, but to combined assessment of ROMM
  • Auditor may make separate or combined assessments depending on preferred techniques and practical considerations
  • Assessment may be expressed in quantitative or non-quantitative terms
  • The need to make appropriate risk assessments is more important than the approaches used

> Assessment of risks is a matter of professional judgment, NOT a matter capable of precise measurement.

## Worked examples

### Example 1 — Computing Audit Risk

For a manufacturing company:

  • Inherent Risk assessed = High (foreign currency transactions)
  • Control Risk assessed = Medium (good segregation but weak monitoring)
  • To reduce overall Audit Risk to low → Reduce Detection Risk by:
      • Increasing sample sizes
      • Assigning more experienced staff
      • Performing more substantive procedures

### Example 2 — Misstatement Types

ABC Ltd purchased machinery for ₹10 lakhs and debited the entire amount to Repairs & Maintenance expense.

Misstatement: Capital expenditure charged to revenue → P&L understated, Asset value understated → Affects classification and amount (ACPD).

### Example 3 — Inherent vs Control Risk

A jewellery retailer (gold inventory susceptible to theft) has high inherent risk on inventory. If the entity installs CCTV, dual custody and daily reconciliation, control risk may be assessed as low — but inherent risk remains high regardless.

⚠️ Common exam mistakes

  • Treating Inherent Risk and Control Risk as something the auditor can influence — they are entity risks
  • Confusing Audit Risk (technical concept) with the auditor's business risk (litigation/reputation)
  • Assuming that strong controls eliminate inherent risk — they don't; they only reduce control risk
  • Forgetting that some control risk ALWAYS exists due to inherent limitations of ICS
  • Treating risk assessment as a precise mathematical exercise rather than a matter of professional judgment
  • Increasing sample size to reduce inherent or control risk — sample size only reduces detection risk

Bare-Act text: SA 200 & SA 315 · ICAI Standards on Auditing

SA 200: Overall Objectives of the Independent Auditor — In conducting an audit of financial statements, the overall objectives of the auditor are to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement. Reasonable assurance is obtained when the auditor has obtained sufficient appropriate audit evidence to reduce audit risk (that is, the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated) to an acceptably low level.