The risk of material misstatement (rmm) audit procedures response to risks & evaluating the audit verification obtained.
THE RISK OF MATERIAL MISSTATEMENT (RMM) AUDIT PROCEDURES -
RESPONSE TO RISKS & EVALUATING THE AUDIT VERIFICATION OBTAINED.
SUMMARY: Audit procedures responsive to risks of material misstatement at the relevant
assertion level. This part provides guidance to the auditor in designing and performing further
audit procedures, including tests of the operating effectiveness of controls, where relevant or
necessary, and substantive procedures, whose nature, timing, and extent are responsive to the
assessed risks of material misstatement at the relevant assertion level. a lot the auditor may
determine that a combined approach using both tests of the operating effectiveness of controls
and substantive procedures is an effective approach. Irrespective of the approach selected,
under the Auditing Standard.
The auditor’s assessment of the identified risks at the assertion level provides a basis for
considering the appropriate audit approach for designing and performing further audit
procedures. In some cases, the auditor may determine that only by performing tests of
controls may the auditor achieve an effective response to the assessed risk of material
misstatement for a particular assertion.
MEANING THE RMM
Auditors must consider audit risk and must determine a materiality level for the financial
statements taken as a whole." Auditors also "must obtain a sufficient understanding of the
entity and its environment, including its internal control, to assess the risk of material
misstatement the risk of material misstatement has been assessed for major accounts,
transaction streams and disclosures, the auditor must develop an audit plan in which he or she
documents the audit procedures that, when performed, are expected to reduce audit risk to an
acceptably low level
In additional: The auditor is required to assess the risk of material misstatement (RMM)
according to Audit Risk and Materiality in Conducting an Audit. RMM is the auditor’s
combined assessment of inherent risk and control risk. Auditors are also required to perform
audit procedures to respond to assessed RMM. The auditor should obtain an understanding of
the entity and its environment, including its internal control, sufficient to identify and assess
the risks of material misstatement of the financial statements whether due to fraud or error,
and sufficient to design and perform further audit procedures
In my article have tried to clearly discuss how the auditor responds to the risk of material
misstatement (RMM) in designing and performing audit procedures.
The auditor's overall responses to address the assessed risks of material misstatement at the
financial statement level may include emphasizing to the audit team the need to maintain
professional skepticism in gathering and evaluating audit evidence, assigning more
experienced staff or those with specialized skills or using specialists, providing more
supervision, or incorporating additional elements of unpredictability in the selection of further
audit procedures to be performed. Additionally, the auditor may make general changes to the
nature, timing, or extent of further audit procedures as an overall response, for example,
performing substantive procedures at period end instead of at an interim date.
The auditor’s overall responses to the assessed RMM include
1. Maintaining professional skepticism in gathering and evaluating audit evidence.
2. Assigning more experienced staff.
3. Using specialists.
4. Greater supervision of staff.
5. Element of unpredictability in selection of further audit procedures.
6. Changes in nature, timing, and extent of further audit procedures.
7. Increase the number of locations to be included in the audit scope.
The effectiveness of the control environment has a significant bearing on whether the auditor
will employ a primarily substantive approach or a combined approach that uses tests of
controls as well as substantive procedures.
AUDIT PROCEDURES RESPONSIVE TO RISKS OF MATERIAL MISSTATEMENT
The auditor should design auditing procedures to achieve the objective of a high level of
assurance that the financial statements are free of material misstatement. Those further
auditing procedures consist of either tests of controls or substantive procedures. In designing
further audit procedures, the auditor should consider such matters as:
The significance of the risk
• The likelihood that a material misstatement will occur
• The characteristics of the class of transactions, account balance, or disclosure involved
• The nature of the specific controls used by the entity, in particular, whether they are manual
• Whether the auditor expects to obtain audit evidence to determine if the entity's controls are
effective in preventing or detecting material misstatements.
The nature of the audit procedures is of most importance in responding to the assessed risks.
There should be a clear linkage between audit procedures and the risk of material
misstatement at the relevant assertion level for each class of transactions, account balance,
and disclosure. The higher the auditor’s assessment of risk, the more reliable and relevant the
Evidence must be to satisfy the auditor’s objectives. The higher the RMM, the more likely it
is that the auditor will perform the procedures at the end of period or at unpredictable or
unannounced times. Certain procedures may only be performed at or after the period end date.
The extent or quantity of audit procedures is determined by the auditor’s judgment. The
auditor should consider the assessed risk of material misstatement, the tolerable misstatement,
And the degree of assurance desired. Generally, sampling is used to achieve audit objectives.
Tests of controls should be performed if controls are expected to be effective in preventing or
detecting a material misstatement in a relevant assertion the auditor should obtain evidence
about how controls were applied at relevant times during the period under audit. If
substantially different controls were used at various times, the auditor should consider each
time period separately.
Tests of controls may be designed to be performed concurrently with test of details. When
performing these dual-purpose tests, the auditor should consider how the outcome of the test
of controls may affect the extent of substantive procedures to be performed.
A material misstatement that is detected by the auditors, but not identified by the entity,
should be considered as at least a significant deficiency. It may also be a strong indicator of a
material weakness in internal controls that should be communicated to management. When
evidence about the operating effectiveness of controls is obtained during an interim period,
consideration should be given to what further evidence is needed for the remaining period. If
the auditor plans to use audit evidence about the effectiveness of controls that was obtained in
a prior period,
The auditor should also increase the extent of testing of controls as the rate of expected
deviation increases. In some instances the expected rate of deviation may be too high to
obtain evidence that will sufficiently reduce the control risk. Tests of controls would then be
Once the auditor determines that automated controls are working effectively, the auditor
should perform tests to determine that the controls continue to work as intended, especially if
changes are made to the program.
Considering the Nature, Timing, and Extent of Further Audit Procedures
The nature of further audit procedures refers to their purpose (tests of controls or substantive
procedures) and their type, that is, inspection, observation, inquiry, confirmation,
recalculation, reperformance, or analytical procedures. The auditor should obtain audit
evidence about the accuracy and completeness of information produced by the entity's
information system when that Information is used in performing audit procedures. For
example, if the auditor uses non-financial information or budget data produced by the entity's
information system in performing audit procedures, such as substantive analytical procedures
or tests of controls, the auditor should obtain audit evidence about the accuracy and
completeness of such information
Timing refers to when audit procedures are performed or the period or date to which the audit
evidence applies. The higher the risk of material misstatement, the more likely it is that the
auditor may decide it is more effective to perform substantive procedures nearer to, or to
perform audit procedures unannounced or at unpredictable times. Certain audit procedures
can be performed only at or after period end, for example, agreeing the financial statements to
the accounting records, or examining adjustments made during the course of preparing the
financial Statements. If there is a risk that the entity may have entered into improper sales
contracts or that transactions may not have been finalized at period end, the auditor should
perform procedures to respond to that specific risk.
Extent refers to the quantity of a specific audit procedure to be performed, for example, the
extent of an audit procedure is determined by the judgment of the auditor after considering the
tolerable misstatement, the assessed risk of material misstatement, and the degree of
assurance the auditor plans to obtain. An auditor may use techniques such as computer-
assisted audit techniques to enable him or her to extensively test electronic transactions and
account files. Such techniques can be used to select sample transactions from key electronic
files, to identify transactions with specific characteristics, or to test an entire population
instead of a sample. This Statement regards the use of different audit procedures in
combination as an aspect of the nature of testing as discussed above. However, the auditor
should consider whether the extent of testing is appropriate when performing different audit
procedures in combination.
The timing of tests of controls depends on the auditor's objective and the period of reliance on
those controls. When the auditor tests controls at a particular time, the auditor may obtain
audit evidence that the controls operated effectively only at that time. The auditor should test
controls for the particular time, or throughout the period, for which the auditor intends to rely
on those controls. Audit evidence pertaining only to a point in time may be sufficient for the
CONCLUSION: The auditor's assessment of the identified risks at the relevant assertion
level provides a basis for considering the appropriate audit approach for designing and
performing further audit procedures. In some cases, the auditor may determine that
performing only substantive procedures is appropriate for specific relevant assertions and
risks. In those circumstances, the auditor may exclude the effect of controls from the relevant