All about Risks of Material Misstatement (RMM)

1. What is an RMM (Risk of Material Misstatement)?

During an audit, the objective is to verify whether the annual accounts accurately reflect the company’s situation. However, certain events or transactions can misstate the figures: these are the risks of material misstatement (RMM).

These misstatements can be due to:

  • an error (miscalculation, approximate estimation, oversight),
  • or fraud (intention to manipulate financial information).

Identifying and assessing these risks allows auditors to focus their work where it is truly useful.

This risk consists of 2 sub-risks: IR and IC.

2. What is the CRA (Combined Risk Assessment)?

CRA is the combined risk assessment for each relevant assertion regarding each significant account.

3. What Types of Risks are Analyzed by Auditors?

There are three main categories of risks:

Audit Risk (AR)

When an auditor performs an audit, there is always an audit risk: this is the risk that they express a positive opinion on annual accounts that nevertheless contain material misstatements.

AR (Audit Risk) = (IR × IC) × NDR, where IR × IC is the CRA

Audit risk is a combined risk within an accounting area.

The auditor can influence the NDR.

It is the balance between these 3 risks that determines the strategy and depth of audit work.

When the auditor determines that inherent risk and/or control risk are high, the detection risk must be kept at a low level. This necessitates more in-depth audit work, for example, by using larger samples.
Conversely, if inherent risk and control risk are considered low, the detection risk can be higher.

Inherent Risk (IR) (ISA 200 §4) (ISA 315 § 31 and §5)

This is the risk that a material misstatement exists before any internal control.

Inherent risks will be assessed taking into account two criteria: on the one hand, the likelihood of their occurrence, and on the other hand, the significance of the consequences they could have.

Inherent risks can relate to either a specific account or assertion, or the financial statements as a whole, to assess where material misstatements could occur (examples: unusual management pressure (profit objective), economic and competitive conditions, presence of fraud risk, entity making multiple acquisitions…).

To assess IR, the auditor must understand the environment in which the entity operates: industry sector, legal and regulatory environment, the entity's activities, specific accounting rules, intercompany flows (ownership relationships and related parties), the role of IT (structure and complexity of the IT environment, centralized or decentralized), …

Examples of IR related to a specific account or assertions:

  • a very complex accounting estimate (assertion: accuracy),
  • unusual transactions,
  • rapidly obsolete inventory due to technological innovation (assertion: valuation).

The applicable framework is treated distinctly because risks can arise from how the accounting framework is interpreted and implemented and from the experience of those who apply:

  • standards,
  • accounting principles,
  • industry-specific practices,
  • revenue recognition.

We assess whether an overall inherent risk proves more significant for certain assertions.

IRs are classified as high (higher probability of an RMM in the absence of IC) or low.

Internal Control Risk (ICR) (ISA 200 §4)

This is the risk that a material misstatement is not detected or corrected in a timely manner by the company’s internal control.

We assess ICR for each assertion as “not relying on control” when:

  • controls are not appropriately designed;
  • controls have not been implemented;
  • we identify substantive tests that provide audit evidence.

We perform an initial assessment after performing walkthroughs.

Many auditors assign a high level to control risk after conducting their risk assessment procedures, to avoid having to test controls.

When no control is in place, a control does not function correctly, or the audit strategy does not provide for control tests, control risk is considered high.

Detection Risk (NDR)

This is the probability that the auditor does not detect material misstatements after selecting audit techniques.

Business Risk

This is the risk that the business itself is weakened: restructuring, loss of major clients, cyberattacks, regulatory pressure…

This is a preliminary step to identify potential RMMs.

These events can ultimately have a direct impact on the financial statements.

4. How Do Auditors Detect RMMs?

Auditors do not just read the accounts: they also observe the company’s overall environment.

To identify RMMs, they:

  • analyze the entity and its industry sector,
  • study internal controls,
  • examine operational cycles,
  • perform comparative and preliminary analyses (Analytical audit data tools).

Examples of warning signs (Significant RMMs)

  • strong economic instability,
  • cash flow constraints,
  • major organizational changes,
  • related party transactions,
  • ongoing litigation,
  • fraud risk,
  • economic and accounting developments,
  • complexity of transactions,
  • estimation uncertainty.

5. What Happens once the Risks are Identified?

The audit team organizes a planning meeting called Team Planning Event (TPE).

Objective: discuss each risk and decide if it is:

  • confirmed as an RMM,
  • deemed significant (thus a priority in the audit),
  • or dismissed (but documented with justification).

-> A risk is qualified as significant if it involves, for example, potential fraud, an unusual transaction, a highly uncertain estimate, or a related party transaction.

6. How Do Auditors Classify Risks?

Each RMM is linked to a specific part of the financial statements (FSA = Financial Statement Area) and to the assertions that could be affected if the risk materialized.

Two levels of severity are used:

  • Normal: no major risk detected.
  • Significant (ISA 315.27): critical risk requiring in-depth verification.

Engagement-level RMMs affect the financial statements globally.

The auditor must ensure consistency between risk assessment and audit procedures.

7. What is the Effect of CRA on Substantive Procedures?

A higher CRA requires more powerful audit evidence: we then intensify our substantive procedures to secure our audit, limit the risk, and support clear and well-founded conclusions.

8. What is Next after the Assessment?

Once the risks are assessed, the team defines a tailored audit plan:

  • which tests to perform,
  • when to perform them,
  • and with what intensity.

⚠️ Audit is a living process: if new elements emerge, the plan is adjusted accordingly.

If control risk is:

  • minimum: very limited analytical and substantive procedures;
  • moderate: substantive procedures designed to detect material misstatements that would not have been detected by controls;
  • high: extensive substantive procedures to reduce detection risk.

9. Why is this so Important?

Focusing on RMMs allows the auditor to:

  • gain efficiency (fewer unnecessary tests),
  • better target risk areas,
  • ensure a reliable audit opinion.

For the company, it is also a sign of seriousness: the accounts presented to investors, shareholders, or partners inspire more confidence.

10. In Summary

  • RMMs are the risks of errors or fraud that can make financial statements misleading.
  • They can be inherent, related to internal control, or related to business risks.
  • The TPE is a key step where the audit team decides on the severity of risks and adapts the audit strategy.
  • Only proper identification and assessment of RMMs ensure a quality audit.