Launch offer — 25% off with code LAUNCH-25 See plans →
Try now → N
📚 Learn/ / SA 315
Microlesson · 5-min read

Identifying and Assessing Risk of Material Misstatement through Understanding the Entity & Environment

## SA 315 — Identifying and Assessing the Risk of Material Misstatement

### Key Definitions

Assertions — Representations by management embodied in financial statements, used by the auditor to assess potential misstatements.

RAP (Risk Assessment Procedures) — Procedures performed to:

1. Understand the entity and its environment (including internal controls)

2. Identify and assess ROMM (Risk of Material Misstatement) due to fraud or error — at both the Financial Statement level and Assertion level

---

### Understanding the Entity & Its Environment

The auditor must understand:

1. Industry & regulatory factors, including the applicable Financial Reporting Framework (FRF)

2. Nature of the entity — operations, ownership/governance structure, investments, organisational structure

3. Accounting policies — selection and application

4. Objectives, strategies, and related business risks

### Sources of Information for RAP

  • Information from other engagements done for the entity
  • Information from client acceptance & continuance process
  • Information from previous engagements and other audits
  • Inquiries of others
  • Discussion among the audit team

---

### Internal Control — Definition

> The process designed, implemented, and maintained by TCWG, management, and other personnel to provide reasonable assurance about achieving objectives relating to:

> - Reliability of financial reporting

> - Effectiveness and efficiency of operations

> - Safeguarding of assets

> - Compliance with laws and regulations

### Five Components of Internal Control

ComponentDescription
Control EnvironmentFoundation — tone at top, integrity, ethical values
Entity's Risk Assessment ProcessHow management identifies and responds to business risks
Information SystemProcesses for initiating, recording, processing, and reporting transactions
Control ActivitiesPolicies and procedures (e.g., segregation of duties, physical controls, performance reviews)
MonitoringOngoing assessment of controls' effectiveness

---

### Two Levels of Risk

#### Financial Statement Level

  • Risks that relate pervasively to the financial statements
  • Potentially affect many assertions
  • Often arise from a weak control environment

#### Assertion Level

Transaction Assertions (During Year)Balance Assertions (Year-End)Presentation & Disclosure Assertions
OccurrenceExistenceOccurrence & Rights/Obligations
CompletenessRights & ObligationsCompleteness
AccuracyCompletenessClassification & Understandability
Cut-offValuation & AllocationAccuracy & Valuation
Classification

Worked example

### Example 1

A retail company has weak IT controls — the system allows transactions to be posted without supervisory approval. This is a risk at the financial statement level because the weak control environment pervasively affects multiple assertions across many balances: completeness of revenue, occurrence of purchases, and accuracy of inventory.

### Example 2

The auditor is testing the 'Existence' assertion for trade receivables at year-end. The risk is that debtors listed in the books may not actually owe the stated amounts. The auditor responds by designing external confirmation procedures specifically targeting this assertion-level risk.

### Example 3

During the year, a company records sales transactions. The 'Cut-off' assertion risk means sales occurring just before year-end may be recognised in the wrong period. The auditor tests cut-off by reviewing sales invoices and dispatch records around the year-end date (e.g., last 5 days of the year and first 5 days of the next year).

⚠️ Common exam mistakes

  • Mixing up transaction-level assertions (Occurrence, Completeness, Accuracy, Cut-off, Classification) with balance-level assertions (Existence, Rights & Obligations, Completeness, Valuation & Allocation) — the assertion sets differ depending on what is being tested.
  • Confusing ROMM at FS level (pervasive, environment-driven) with ROMM at assertion level (specific to an account balance or transaction class).
  • Thinking internal control provides absolute assurance — it only provides reasonable assurance due to inherent limitations such as human error and management override.
  • Forgetting that the auditor must understand all five components of internal control, not just test individual control activities.
Reference:
Now that you've read this — what's next?
Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.
🔥 Drill 5 Qs on this → ✍️ Adaptive practice →
Start 15-min diagnostic