Where risk of material misstatement breaks down

Open any regulatory inspection report from the FRC, the AFM, or the PCAOB and the same finding appears year after year: "The firm assessed risk at the account level rather than the assertion level." In the FRC's 2024 annual inspection results, assertion-level risk assessment was flagged in over a third of reviewed files. The auditors knew the standard. They filled in the template. They still got it wrong.

Risk of material misstatement (RMM) is the combined product of inherent risk and control risk. It represents the likelihood that financial statements contain a material misstatement before any audit procedures are performed. RMM exists independently of the audit itself. ISA 200.13(n) defines it; ISA 315 tells you how to assess it.

The standard requires assessment at two levels. At the financial statement level, pervasive risks (a weak control environment, going concern doubts, management integrity questions, or industry-wide regulatory upheaval) shape the overall audit strategy. At the assertion level, specific risks for individual account balances and classes of transactions drive the design of procedures under ISA 330.

In our experience, the financial statement level gets a paragraph of boilerplate and the assertion level gets a dropdown menu. Neither produces the kind of thinking the standard actually demands.

Key points

  • RMM combines inherent risk and control risk. It captures the pre-audit state of the financial statements, before the auditor does any work.
  • Two mandatory assessment levels exist under ISA 315.30-31: financial statement level (pervasive risks affecting audit strategy) and assertion level (specific risks driving individual procedure design).
  • Assessing "revenue risk: high" without specifying which assertion (occurrence, completeness, accuracy, or cut-off) does not meet ISA 315.31. Each assertion can carry a different risk level and demand a different response.
  • RMM determines the acceptable level of detection risk. Higher RMM forces lower detection risk, which means more persuasive evidence, larger samples, and testing closer to year-end.

What the standard requires vs what actually happens

ISA 315.31 is clear: assess RMM at the assertion level for each significant class of transactions, account balance, and disclosure. Revenue alone carries at least four relevant assertions (occurrence, completeness, accuracy, cut-off), and the risk on each can be materially different. A distributor selling standardised products may have negligible occurrence risk but serious cut-off risk if shipments cluster at period-end.

What actually happens at most firms is a tick box exercise. The audit software presents a grid. The senior picks "high," "medium," or "low" at the account level, copies the same rating across all assertions, and moves on to the next account. The working paper looks complete. The thinking behind it is absent.

I have reviewed files where revenue occurrence was assessed identically to revenue classification, even though the client had complex multi-element arrangements under IFRS 15 and a perfectly straightforward chart of accounts. Occurrence was genuinely difficult. Classification was trivial. The identical assessment produced an identical response, which meant the team over-audited classification and under-audited occurrence in the same engagement.

Financial statement level risks cascade downward

A pervasive financial statement level risk lifts every assertion-level control risk assessment beneath it. If the control environment has material weaknesses (the CFO resigned mid-year, the board has no audit committee, the accounting team has three open vacancies), the auditor cannot assess control risk as low on any individual assertion. ISA 315.30 sits above ISA 315.31 for a reason.

What actually happens is that teams treat these two levels as separate sections of the planning memo, written weeks apart by different people, with no explicit link between them. The financial statement level section says "moderate weakness in control environment." Page twenty of the same file assesses control risk as low for payroll completeness. Nobody reconciles the contradiction because nobody reads both sections in sequence.

At firms like ours, we flag this during engagement quality review. But the fact that it reaches EQR at all tells you how deeply embedded the problem is.

Worked example: Mercer Electronics NV

Van Hoorn Accountants audits Mercer Electronics NV, a mid-market electronics distributor. The engagement team applies the RMM framework to plan revenue procedures.

Mercer has three revenue streams: (1) wholesale distribution of branded electronics to retail chains, (2) installation services bundled with commercial audio-visual systems, and (3) a new direct-to-consumer e-commerce channel launched in Q2. The wholesale channel is mature, high-volume, and runs through automated controls. The e-commerce channel has no historical data and a return rate management estimates at 8-12% but cannot yet substantiate.

For the occurrence assertion on wholesale revenue, IR sits lower on the spectrum. Transactions are standardised, automated matching catches discrepancies, and the revenue recognition point is unambiguous (delivery confirmed by carrier). CR is also lower because the three-way match control has operated effectively for four years. RMM for this assertion: lower.

For the occurrence assertion on e-commerce revenue, the picture inverts. No historical return baseline exists. Management's 8-12% return estimate drives a material provision. The return policy allows 30-day unconditional returns, but the fulfilment system only flags returns when the warehouse scans them back in (often 10-15 days after the customer ships). Revenue is recognised at dispatch, and the team has no assurance that December dispatches with January returns are being reversed in the correct period. IR: higher on the spectrum. CR: higher, because the fulfilment system was designed for wholesale and has no automated return-matching for e-commerce orders. RMM for this assertion: significant risk.

The complication that changes everything

During December fieldwork, the team discovers that Mercer ran a "guaranteed Christmas delivery" promotion offering full refunds if orders arrived after December 23. The promotion was approved by the commercial director without informing the finance team. The fulfilment system has no field for promotional return terms. Management's 8-12% return estimate does not incorporate this promotion at all.

Now what? IR for the occurrence assertion on e-commerce revenue moves to the upper end of the spectrum. The return provision is almost certainly understated. But the real problem is deeper. The control the team planned to test (the warehouse scan-in process) does not capture refunds processed through the payment gateway without a physical return. Customers who received late deliveries got refunds directly through the e-commerce platform. Those refunds never touched the warehouse system.

CR for this revenue stream is no longer "higher." It is effectively at maximum, because the relevant control does not address the relevant risk. The team must now redesign its procedures entirely: reconcile payment gateway refund data directly to the general ledger, confirm a sample of promotional refund transactions with the payment processor, and reperform management's return provision calculation with the promotional terms included.

This is the kind of mid-engagement pivot that separates a genuine risk assessment from SALY. If the RMM framework had been a tick box exercise, the team would have tested the warehouse scan control, found it operating effectively for wholesale, and concluded that revenue occurrence was adequately addressed. The promotional refunds flowing through a completely separate system would have gone untested.

Why getting the level wrong matters more than getting the rating wrong

I think the profession fixates too much on whether a risk is "high" or "significant" and not enough on whether the risk is being assessed at the right level of granularity. A revenue balance rated "moderate" at the account level tells you almost nothing. The same balance decomposed into occurrence (significant for e-commerce), completeness (low for all channels), accuracy (moderate for bundled installation services), and cut-off (higher for wholesale due to period-end shipping volumes) tells you exactly what to test and how aggressively to test it.

This is not a theoretical distinction. An under-assessed RMM produces insufficient procedures and audit failure. An over-assessed RMM produces over-auditing and budget overruns that erode team morale and client relationships. Both outcomes damage audit quality, just through different mechanisms. The only assessment that works is one specific enough to drive a proportional response, and that requires assertion-level thinking even when the template does not force it.

Reasonable people disagree about whether firm templates should enforce assertion-level assessment through mandatory fields or whether that level of prescription creates its own tick box problem. I lean toward mandatory fields with free-text justification, because at least it forces the conversation, but I understand the argument that no template can substitute for professional judgement and that over-structured tools breed compliance without comprehension.

Key standard references

  • ISA 200.13(n) defines risk of material misstatement as the risk that financial statements are materially misstated prior to audit, consisting of inherent risk and control risk.
  • ISA 315.30 requires the auditor to assess RMM at the financial statement level, identifying pervasive risks not specific to individual assertions.
  • ISA 315.31 requires assertion-level assessment for classes of transactions, account balances, and disclosures. This is the paragraph regulators cite most frequently in inspection findings.
  • ISA 315.35 requires the risk assessment to serve as the basis for designing further audit procedures under ISA 330.
  • ISA 330.6 requires the auditor to design and implement overall responses to assessed RMM at the financial statement level.

Frequently asked questions

Why must RoMM be assessed at two levels?

ISA 315.30 requires assessment at the financial statement level for pervasive risks (weak control environment, going concern doubts) that affect the overall audit strategy. ISA 315.31 requires assessment at the assertion level for specific accounts and disclosures, which drives the design of individual audit procedures under ISA 330. Both levels are mandatory and interact — a pervasive weakness raises the floor for all assertion-level assessments.

How does the financial statement level assessment affect assertion-level work?

A pervasive financial statement level risk, such as a weak control environment, lifts all assertion-level control risk assessments. You cannot assess control risk as low on individual assertions when the entity-wide control environment has material weaknesses. The financial statement level assessment also drives strategic decisions like assigning more experienced team members and performing more work at year-end rather than interim.

What is the most common inspection finding related to RoMM?

Regulators consistently find that firms assess RoMM using generic language ('risk on revenue: high') without specifying which assertion they are assessing. ISA 315.31 requires assessment at the assertion level. Revenue has at least four relevant assertions (occurrence, completeness, accuracy, cut-off), each of which can carry a different risk level and require a different audit response.
