What is risk of material misstatement?
Risk of material misstatement (RoMM) is the combined product of inherent risk and control risk. It represents the likelihood that the financial statements contain a material misstatement before the auditor performs any procedures — it exists independently of the audit itself.
ISA 315 requires the auditor to assess RoMM at two levels. At the financial statement level, pervasive risks (such as a weak control environment, management integrity concerns, or going concern doubts) affect the overall audit strategy. At the assertion level, specific risks for individual account balances, classes of transactions, and disclosures drive the design of individual audit procedures under ISA 330.
The assertion-level assessment is where the audit response is shaped. Each significant account may have multiple relevant assertions — occurrence, completeness, accuracy, valuation, cut-off, classification, presentation — and the risk level can differ across assertions within the same account. A revenue balance might carry high risk for occurrence but low risk for classification.
Key Points
- RoMM combines inherent risk and control risk. It represents the pre-audit state of the financial statements — the likelihood of material misstatement before the auditor does any work.
- Two mandatory assessment levels. Financial statement level (pervasive risks affecting audit strategy) and assertion level (specific risks driving individual procedure design) under ISA 315.30–31.
- Assertion-level specificity is required. Assessing "revenue risk: high" without specifying which assertion (occurrence, completeness, accuracy, cut-off) does not meet ISA 315.31 requirements.
- RoMM drives the acceptable level of detection risk. The higher the RoMM, the lower the detection risk must be, requiring more persuasive, extensive, and timely audit procedures.
Why it matters in practice
The interaction between the two assessment levels is where many firms fall short. A pervasive financial statement level risk — such as a weak control environment — lifts all assertion-level control risk assessments. The auditor cannot assess control risk as low on individual assertions when the entity-wide control environment has material weaknesses. The financial statement level assessment also drives strategic decisions: assigning more experienced team members, increasing supervision, and performing more work at year-end rather than interim.
The most common regulatory finding is generic risk assessment without assertion specificity. Regulators consistently report that firms write "risk on revenue: high" without specifying which assertion carries the elevated risk. Revenue has at least four relevant assertions (occurrence, completeness, accuracy, cut-off), each of which can carry a different risk level and require a different audit response under ISA 330.
Getting the RoMM assessment right is foundational — it determines the nature, timing, and extent of every further audit procedure. An under-assessed RoMM leads to insufficient work and potential audit failure. An over-assessed RoMM leads to over-auditing and wasted resources.
Key standard references
- ISA 200.13(n): Definition of risk of material misstatement as the risk that the financial statements are materially misstated prior to audit, consisting of inherent risk and control risk.
- ISA 315.30: Requirement to assess the risks of material misstatement at the financial statement level, identifying pervasive risks that are not specific to individual assertions.
- ISA 315.31: Requirement to assess the risks of material misstatement at the assertion level for classes of transactions, account balances, and disclosures.
- ISA 315.35: Requirement to use the risk assessment as the basis for designing and performing further audit procedures under ISA 330.
- ISA 330.6: The auditor shall design and implement overall responses to address the assessed risks of material misstatement at the financial statement level.
Related terms
Related reading
Frequently asked questions
Why must RoMM be assessed at two levels?
ISA 315.30 requires assessment at the financial statement level for pervasive risks (weak control environment, going concern doubts) that affect the overall audit strategy. ISA 315.31 requires assessment at the assertion level for specific accounts and disclosures, which drives the design of individual audit procedures under ISA 330. Both levels are mandatory and interact — a pervasive weakness raises the floor for all assertion-level assessments.
How does the financial statement level assessment affect assertion-level work?
A pervasive financial statement level risk, such as a weak control environment, lifts all assertion-level control risk assessments. You cannot assess control risk as low on individual assertions when the entity-wide control environment has material weaknesses. The financial statement level assessment also drives strategic decisions like assigning more experienced team members and performing more work at year-end rather than interim.
What is the most common inspection finding related to RoMM?
Regulators consistently find that firms assess RoMM using generic language ('risk on revenue: high') without specifying which assertion they are assessing. ISA 315.31 requires assessment at the assertion level. Revenue has at least four relevant assertions (occurrence, completeness, accuracy, cut-off), each of which can carry a different risk level and require a different audit response.