This NFRA Staff Series document is an educational and illustrative guidance note designed to promote audit quality and awareness of professional standards, focusing on the Risk of Material Misstatement (ROMM) assessment at the assertion level for revenue. Anchored primarily in SA 315 and SA 240, the memorandum explains how auditors should identify, assess, and respond to inherent risk, control risk, and fraud risk through a structured, iterative process. Using a comprehensive hypothetical case study of a pharmaceutical company, the document demonstrates detailed ROMM work papers for revenue from sale of products, including risk identification, assertion mapping, evaluation of internal controls (manual and automated), fraud considerations, and planned audit responses through control testing and substantive procedures. It highlights areas such as variable consideration, cut-off risks, management bias, and revenue estimates as significant or fraud-prone risks. The memorandum reinforces that ROMM assessment is judgment-driven rather than mechanical and underlines the importance of professional scepticism, documentation discipline, and alignment of audit procedures with assessed risks.
NFRA STAFF SERIES
RISK & RESPONSE MEMORANDUM: ROMM ASSESSMENT AT ASSERTION LEVEL FOR REVENUE – A SAMPLE DOCUMENT
| Table of Contents | ||
| Sl.# | Topic | Page # |
| A. | Background- Professional Standard’s Requirements | 2-5 |
| B. | Risk of Material Misstatement (ROMM) for Revenue-Audit of Dhanvantri Limited by CA. Ram Lakhan & Associates | 6-26 |
| I | Review and Signoff by Engagement Team | 6 |
| II | Observations from Detailed Analysis of Financial Performance of Dhanvantri Limited | 7-8 |
| III | ROMM Work Paper for Revenue (Sale of Products) of Dhanvantri Limited | 9-21 |
| IV | Audit Firm’s Staff Guidance on ROMM | 22-26 |
Objective of the document:
This document prepared by NFRA Staff is intended purely towards promotion of awareness of auditing and accounting standards and audit quality as part of NFRA’s education, training, seminar and advocacy initiatives, especially in support of the outreach activities being conducted, and in response to the feedback being received through such engagements.
Disclaimer:
1. NFRA and the subject matter experts do not accept any responsibility or liability for any loss caused to any person or any entity, howsoever arising from the use of or refraining from the use of the contents of this document. This document is not a policy/standard/recommendation/statement of Executive Body of NFRA, the Authority or the Government and is not issued as a substitute for any obligations of Auditors, Management, Those Charged with Governance (TCWG) including Audit Committees, as are provided in applicable law, rules, and regulations. This document shall not be used before any authority or judicial or quasi-judicial body examining the auditors’ duties and responsibilities under applicable professional standards.
2. The facts, circumstances, data and figures and the names used in this document are hypothetical; any similarity or resemblance to the name, character, data
and circumstances of any company or audit firm or entity is entirely coincidental.
Acknowledgements:
We acknowledge the contributions of subject matter experts CA. Nilanjan Paul, CA. Ajit Viswanath and CA. Mohan Lavi in developing this document.
A. Background- Professional Standards’ Requirements
Risk assessment lays the foundation for overall audit approach. SA 315, Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment (SA 315) is intended to assist auditors in identifying and assessing the risks of material misstatement in a consistent and robust manner.
Brief introduction to the risk assessment process
SA 315 require auditors to identify and assess risks of material misstatement, whether due to fraud or error, through understanding of (a) the entity and its environment; (b) the applicable financial reporting framework; and (c) the entity’s system of internal controls. The execution of the iterative actions in the context of identifying and assessing risks of material misstatement are interdependent concepts, which are important to establishing a sound basis and foundation for an audit. The quality of auditor’s risk identification and assessment process, therefore, has a pervasive effect on all aspects of the audit.
The risk assessment framework under SA 315 highlights the dynamic and iterative nature of the process for identifying and assessing risks. The preliminary risk assessments, and planned responses to those assessments, may need to change when new information is obtained.
Risks of material misstatement
Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risk of material misstatement and detection risk.
Risks of material misstatement may exist at two level viz. financial statement level (i.e., risks which are pervasive to the financial statements) and relevant assertion1-level for significant classes of transactions, account balances or disclosures. Initial identification and assessment of risks of material misstatement at the assertion level consists of following two components:
- Inherent risk: The susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.
- Control risk: SA 2002 defines Control risk as the risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control. Further, as per Para 26(c) to SA 315, the auditor shall relate the identified risks to what can go wrong at the assertion level, taking account of relevant controls that the auditor intends to test; As per para A130, the controls can be either directly or indirectly related to an assertion. The more indirect the relationship, the less effective that control may be in preventing, or detecting and correcting, misstatements in that assertion.
The auditor may assess the ROMM separately for Inherent risk and Control risk or on combined basis.
Detection risk is the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.
ROMM at Assertion Level
The table below depicts different types of assertions based on reading of paragraph 25(b) and A121 – A125 of SA 315.
| Assertions | Material Misstatement Categories | ||
| Transactions/Events during the audit period | Account balances at the period end | Presentation and Disclosure | |
| Occurrence | √ | – | √ |
| Completeness | √ | √ | √ |
| Accuracy | √ | – | – |
| Cut-off | √ | – | – |
| Classification | √ | – | – |
| Existence | – | √ | – |
| Rights and obligations | – | √ | – |
| Valuation and allocation | – | √ | – |
| Classification and
understandability |
– | – | √ |
| Accuracy and valuation | – | – | √ |
According to para A124 of SA 315, the auditor may use the assertions described above or may express them differently, provided all aspects described above have been covered. The auditor may choose to combine the assertions about transactions and events with the assertions about account balances.
Risks that Require Special Audit Consideration
Significant risk (Para 27 & 28 of SA 315)
In exercising judgment as to which risks are significant risks, the auditor shall consider at least the following:
a. Whether the risk is a risk of fraud;
b. Whether the risk is related to recent significant economic, accounting, or other developments like changes in regulatory environment, etc., and, therefore, requires specific attention;
c. The complexity of transactions;
d. Whether the risk involves significant transactions with related parties;
e. The degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty; and
f. Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual. (Ref: Para. A131-A135)
Risks for which Substantive Procedures alone do not provide Sufficient Appropriate Audit Evidence (Para 30 of SA 315)
Above type of risks may relate to the inaccurate or incomplete recording of routine and significant classes of transactions or account balances, the characteristics of which often permit highly automated processing with little or no manual intervention.
Where routine business transactions are subject to highly automated processing with little or no manual intervention, it may not be possible to perform only substantive procedures in relation to the risk. In such cases audit evidence may be available only in electronic form, and its sufficiency and appropriateness usually depend on the effectiveness of controls over its accuracy and completeness (Ref: Para. A140). This may also be the case in case of transactions of large volume say Revenue, Payroll, etc.
Fraud Risk
(Refer. Para 16 and 25 to 27 of SA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements)
Para 16 of SA 240 requires the auditor to perform certain procedures as part of his/her risk assessment procedures under SA 315 for use in identifying the risks of material misstatement due to fraud. Para 25 of SA 240 requires the auditor to identify and assess the ROMM due to fraud at financial statement level and at assertion level. Para 26 casts a responsibility on the auditor to presume fraud risk in case of Revenue, unless auditor is able to rebut that presumption. Further, para 47 of SA 240 mandates the auditor to document the reasons for the rebuttal.
Para 27 of SA 240 prescribes that the fraud risk, if any, has to be treated as significant risk.
The Auditor uses various approaches to assess the fraud risk including an approach based on concept of ‘Fraud Triangle’.
Revision of Risk Assessment
(Ref. Para. 31 & A142 of SA 315)
During the course of the audit based on the findings of audit procedures, the auditor’s assessment of ROMM at assertion level may change. In such event, the auditor shall revise the assessment and modify the further planned audit procedures.
B. Risk of Material Misstatement (ROMM) for Revenue – Audit of Dhanvantri Limited by Audit Firm CA. Ram Lakhan & Associates
(Notes: This sample ROMM Work Paper for an important financial statement line item (FSLI) i.e., Revenue has been developed for education and training purposes. This ROMM assessment is at assertions level only. It is designed for audit of Standalone Financial Statements (SFS) as well as Consolidated Financial Statements (CFS). In case an audit firm is engaged for an audit of SFS only, contents of this sample document need appropriate changes.)
1. Review and Signoff by Engagement Team
| Name & Designation | Signature | Date | |
| Prepared by | CA. Bharat, Engagement Supervisor | 5th November 20XX | |
| Reviewed by | CA. Laxman, Engagement Manager
CA. Sushrut, Information System Audit Expert |
10th November 20XX | |
| Approved by | CA. Ram, Engagement Partner | 15th November 20XX | |
| Reviewed by | CA. Charaka, Engagement Quality Control Reviewer | 16th November 20XX |
II. Observations from Detailed Analysis of Financial Performance of Dhanvantri Limited
This ROMM work paper is for a key source of revenue of Dhanvantri Limited i.e., sale of pharmaceutical products. Separate ROMM work papers will be prepared for other sources revenue of Dhanvantri Limited. Further this ROMM work paper is for audit of Standalone Financial Statements of Dhanvantri Limited. Our firm is also auditors of Consolidated Financial Statements of Dhanvantri Limited and separate ROMM work papers will be prepared for each material component, whose financial information is included in the Consolidated Financial Statements, in co-ordination with the component auditors of those material components. In case of non-material components, we will be applying other audit procedures such as analytical review etc., as considered appropriate under individual facts and circumstances.
Financial Reporting Framework Applicable
Dhanvantri Limited is a listed company, therefore, required to follow Indian Accounting Standards prescribed under Companies (Indian Accounting Standards) Rules 2015. Accordingly, the requirements of Ind AS 115, Revenue from Contracts with Customers are applicable for accounting for Revenue of Dhanvantri Limited. We have performed details review of the nature and type of revenue transactions of Dhanvantri Limited and note that Ind AS 115 application does not pose significant risk from accounting point of view except for Ind AS 115 prescriptions relating to variable consideration in para 50 -59. The variable consideration prescriptions affect the timing and amount of recognition of revenue due to various discount and promotional schemes of Dhanvantri Limited introduced from time to time. However, our discussion with Sales and Marketing Head revealed that the Dhanvantri Limited has not introduced any new incentive or promotional schemes during the year under audit.
Revenue profile of Dhanvantri Limited for the year under audit
(For information about Dhanvantri Limited’s Sales, Distribution and Marketing department organisational structure, sales policy, process and controls, refer documents attached to ROMM Work Paper)
₹ Crores
| Particulars | 31.03.20X(Y-2) (Previous Year 2) | 31.03.20X(Y-1) (Previous Year 1) | Current Year Ending 31.03.20XY | |
| Actuals | Actuals (9 Months) | Forecast (12 Months) | ||
| A. Revenue from contracts with customers | 205,000 | 204,000 | 158,000 | 225,000 |
| Provision for sales return | (500) | (500) | (200) | (300) |
| Rebates, discounts, price reduction and others | (3,500) | (4,000) | (2,800) | (4,700) |
| Revenue as per contracted price, net of returns | 201,000 | 199,500 | 155,000 | 220,000 |
–
| Particulars | 31.03.20X(Y-2) (Previous Year 2) | 31.03.20X(Y-1) (Previous Year 1) | Current Year Ending 31.03.20XY | |
| Actuals | Actuals (9 Months) | Forecast (12 Months) | ||
| Disaggregated revenue by type | 220,000 | |||
| Sale of products | 197,000 | 195,000 | 151,000 | 215,000 |
| Sale of services | 4,000 | 4,500 | 4,000 | 5,000 |
| B. Other operating revenue | 4,500 | 4,800 | 4,300 | 4,000 |
Our discussion with Sales and Marketing Head during the year revealed that the pharmaceutical industry across the globe witnessed a successful year, driven by demographic shifts and evolving patient needs. Back home in India, the pharmaceutical industry continues to see strong growth of 7-10%. Dhanvantri Limited impressive revenue growth (forecast) of 9.75% is line with the industry trend. The key drivers in India are growing population, demographic and lifestyle changes, and increased access to modern medicines. These factors are further aided by Government of India incentive schemes such as Ayushman Medical Insurance scheme.
Review of published information
We have reviewed in detail the following information and data of Dhanvantri Limited and do not find any information that may have material impact on our ROMM for Revenue from Sale of Products.
1. Annual Reports for the year audit and previous year.
2. Quarterly financial results submitted to stock exchange i.e., Bombay Stock Exchange (BSE).
3. Earnings call transcripts and press releases on the website of Dhanvantri Limited.
Our Engagement Team also had discussions with Sales, Distribution and Marketing Team of Dhanvantri Limited.
III ROMM Work Paper for Revenue (Sale of Products) of Dhanvantri Limited Assessment of Risk of Material Misstatement for Revenue- Risk and Response Summary
| Objective
This workpaper has been prepared to document the evaluation of (a) risk of material misstatement (ROMM/ RMM) for the identified account captions and disclosures including the relevant risk factors that were considered to assess the level of inherent risk, (b) the assertions at which the risk exists (c) evaluation of whether a risk of fraud exists (d) the process level controls identified to address the relevant risks and the planned control reliance approach (e) planned audit response with respect to the identified risks |
Overall summary of ROMM for Revenue from Sale of Products
| ROMMs | Inherent Risk | Control Risk | Fraud Risk | Overall ROMM | ||
| Sl.# | ROMM Description | Manual Controls | IT Environment | |||
| ROMM 1 | Revenue is recognised for arrangements that do not meet the definition of a contract under the standard or do not exist. (Ind AS 115) | Medium (M) | Low (L) | NA | No | Low (L) |
| ROMM 2 | Revenue is not accurately recorded because the transaction price is not appropriately determined as per Ind AS 115 | Significant (S) | NA | Low (L) | Yes | Significant (S) |
| ROMM 3 | For performance obligations satisfied at a point in time, an inaccurate amount is recorded for revenue. | Medium (M) | NA | NA | No | Low (L) |
| ROMM 4 | For performance obligations satisfied at a point in time, revenue is not recognised in the correct accounting period. | Significant (S) | High (H) | Low (L) | Yes | Significant (S) |
Based on above analysis, overall ROMM for Dhanvantri Limited Revenue from sale of products is ‘Significant’.
(Note: However, this assessment is not a mathematical exercise. Engagement Teams have to exercise professional judgment and apply professional skepticism to estimate these risk bucket levels)
These ROMM levels will be considered in determining the nature and extent of testing e.g., sample sizes for both test of controls and substantive tests.
Summary of Inherent Risk Assessment (Also refer Audit Strategy Document for Preliminary Findings
Sl. No. |
Accounts/
|
Amt |
Assertions |
Inherent risk Level |
Fraud Risk? |
Control
|
Substantive Procedures |
Estimation involved? |
|||||
(₹) |
Complete- ness |
Existence/ Occurrence |
Accuracy/ Valuation |
Cut off |
Rights & Obligat ions |
Factors /Note 1 |
Level |
Note 2 |
|||||
ROMM 1 |
Sale of products |
xxx |
– |
Y |
– |
– |
Y |
Note1.1 |
M |
No |
Refer Section1aManual Control |
Yes(Refer Section 2) |
No |
Provision for sales return |
xxx |
– |
– |
– |
– |
– |
|||||||
Estimate onrevenue
|
xxx |
– |
– |
– |
– |
– |
|||||||
ROMM 2 |
Sale of products |
xxx |
– |
– |
Y |
– |
Y |
Note 1.2 |
S |
Yes Note 2.1 |
Refer Section 1b Auto-mated Control |
Yes (Refer Section 2) |
Yes (Refer Section 3) |
Provision for sales return |
xxx |
– |
– |
– |
– |
– |
|||||||
Estimate onrevenue
|
xxx |
– |
– |
– |
– |
– |
|||||||
ROMM 3 |
Sale of products |
xxx |
– |
– |
Y |
Y |
– |
Note 1.3 |
M |
No |
Yes |
Yes (Refer Section 2) |
No |
ROMM 4 |
Sale of productsDossier revenue
|
xxx |
Y |
Y |
– |
Y |
– |
Note1.4 |
S |
YesNote2.2 |
Yes |
Yes |
No |
Other ROMM, if any |
Other accounts |
xxx |
Other factors specific to engagement |
||||||||||
Note 1 – Factors considered assessing level of Inherent Risk
Note 1.1 ROMM 1
The company has large volume of transactions across various geographies. However, given the non-complex nature of contract arrangement, the inherent risk
is evaluated as Medium.
Note 1.2 ROMM 2
The Company has agreements with its customers whereby the Company provides adjustments/ discounts/ rebates to the transaction price based on various criteria (including sale volumes, channel wise sales etc). This involves assumptions and estimations which has a possibility of management bias and risk of fraud. Accordingly, the risk has been determined as Significant.
Note 1.3 ROMM 3
Given the volume of activity and the size of account balance, there is susceptibility to error and hence the risk evaluated is Medium.
Note 1.4 ROMM 4
There are pressures on the management to meet revenue targets; the management performs cut-off adjustments at the period end to prevent incorrect revenue recognition, and historically there is an increase in sales near the period end, and this may provide opportunities for the management to manipulate the revenue recognition. Therefore, a risk of fraud has been identified with respect to this ROMM. Accordingly, significant risk is identified w.r.t early recognition of revenue
Note 2 Factors considered in assessing Fraud Risk
Note 2.1 ROMM 1
This involves assumptions and estimations which includes a possibility of management bias; hence a risk of fraud has been identified.
Note 2.2 ROMM 4
There is a significant pressure on the senior management of the company to meet its revenue targets and accordingly, Engagement Team (ET) has evaluated overstatement of revenue near the period end as a fraud risk.
1a. Identified Manual Controls (other than controls relating to estimates)
(Refer Separate Work Papers on Flow Charts and Walkthroughs for identification of these manual controls)
Sr.no. |
What could go
|
Control
|
How is the control
|
Level of
|
Frequency of Control |
Risk
|
Planned
|
Control reliance /
|
ROMM 1 |
The revenue is not recorded based onthe quantity
|
The
|
1. Physicalcounting by
|
As this is a transaction levelcontrol, andthere is
|
Recurring |
Low |
To be decidedbased on
|
Yes – Controlreliance planned / Low control risk |
–
Sr.no. |
What could go
|
Control
|
How is the control
|
Level of
|
Frequency of Control |
Risk
|
Planned
|
Control reliance /
|
ROMM 4 |
Since the accounting of revenue occurs at the time of raising of invoice (through the system) the revenue may be recognised before the delivery of the goods to the
|
Sales cut off working (containing the actual
|
1. AGM Finance reviews the cut off working by
|
Since thecontrol operates at a transaction level; the precision is evaluated to be high |
Monthly |
High |
3 |
Yes – Controlreliance planned / Low control risk |
1b. Identified Automated Controls (other than controls relating to estimates)
(Refer separate work papers of IS Audit Team for evaluation and assessment of Information Technology General Controls (ITGCs) and Application Controls)
S. No. |
What could go
|
Control Description
|
Relevant IT
|
Automated
|
How is the
|
Level of
|
Risk
|
Control
|
ROMM 1 |
Unauthorised creation /
|
Access right to create and update sales order is restricted to
|
Application layer (SAP) |
Access control |
Access right restriction |
Automated control, High precision |
Low |
Yes – Control relianceplanned /
|
Incomplete, inaccurate and
|
Access for customer master creation &
|
Application layer (SAP) |
Access right restriction |
Automated control, High precision |
Low |
Yes – Control reliance planned /
|
||
Invoice could be raised without a sales order |
The system is configured to permit invoice creation only against a valid sales order. |
Application layer (SAP) |
Configuration |
Automated control, High precision |
Low |
Yes – Control reliance planned /
|
||
Accounting entries for
|
The system is configured to pass automated entries in the designated GL
|
Application layer (SAP) |
Configuration |
Automated control, High precision |
Low |
Yes – Control relianceplanned /
|
–
S. No. |
What could go
|
Control Description
|
Relevant IT
|
Automated
|
How is the
|
Level of
|
Risk
|
Control
|
Unauthorised or |
Access for price master |
Application |
Access control |
Access right |
Automated |
Low |
Yes – Control |
|
ROMM 2 and |
unapproved updation to price master, Inaccurate recording of sale proceeds. |
creation & updation is restricted to authorised personnel |
layer (SAP) |
restriction |
control, High precision |
reliance planned /
|
||
The invoice |
Invoice details relating |
Application |
Configuration |
Automated |
Low |
Yes – Control |
||
ROMM 3 |
price in the invoice may be incorrectly modified / edited |
to item code and price are automatically
|
layer (SAP) |
control, High precision |
relianceplanned /
|
2. Substantive Procedures (Summary of the approach for substantive procedures performed including nature, timing and extent)
S. No. |
Substantive
|
Description of
|
Test of details or substantive analytical procedure |
Nature of
|
Timing of
|
Extent of planned procedur e & Sampling approach |
If Interim, what are the roll forwardprocedures? |
Expert/
|
If any Report is
|
|
|
|
|
|
|
|
|
|
& 5) |
|
|
|
SP1 |
Obtain transaction level confirmationfor revenue
|
Test ofdetails |
Inspection (confirmation) |
Final |
Specific item testing |
NA |
NA |
The sales reportshave been
|
ROMM 1
|
SP2 |
For balance population, test the invoices by agreeing the underlying documents such as
|
Test of details |
Inspection |
Final |
Statistical
|
NA |
NA |
Refer above |
|
|
|
PO/ contract |
|
|
|
|
|
–
S. No. |
Substantive
|
Description of
|
Test of details or substantive analytical procedure |
Nature of
|
Timing of
|
Extent of planned procedur e & Sampling approach |
If Interim, what are the roll forwardprocedures? |
Expert!
|
If any Report is
|
& 5) |
|||||||||
ROMM 4 |
SP 3 |
For invoicesraised close to the period end, examine underlying documentationsuch as
|
Test of
|
Inspection |
Final |
Statistical sampling |
NA |
NA |
Refer above |
SP 4 |
For sales returns recorded post
|
Test of details |
Inspection |
Final |
Statistical sampling |
NA |
NA |
Agree the sales register to the trial balance as of April 202X |
–
S. No. |
Substantive
|
Description of
|
Test of details or substantive analytical procedure |
Nature of
|
Timing of
|
Extent of planned procedur e & Sampling approach |
If Interim, what are the roll forward procedures? |
Expert!
|
If any Report is
|
SP 5 |
For invoicesraised subsequent to the period end, examine underlying documentation such as shipping note/ delivery note,
|
Test ofdetails |
Inspection |
Final |
Statistical sampling |
NA |
NA |
Refer above |
3. Estimates (Summary of the approach for procedures performed in response to estimate identified
ID |
Estimate
|
Underlying
|
Estimate elements |
Describe the approach to
|
How is the
|
Level of
|
Frequency of Control |
1 |
Value of rights to return / Sales return provision – the
|
Provision forsales return |
Provision for sales returns are estimated on the basis of
|
Control testing To test the control framework – “Review of sales return provision working on a periodic frequency (e.g.,
|
Approval by VP-Finance |
As there is consistency of performance of control, hence the level of precision would be
|
Quarterly |
–
ID |
Estimate
|
Underlying
|
Estimate elements |
Describe the approach to
|
How is the
|
Level of
|
Frequency of Control |
2 |
Provision for chargeback |
Estimate on revenue
|
a) Method – The Company creates provision for chargebacks based on the inventory lying with the
|
Control testingTo test the control framework – “Review of revenue charge back working on a periodic frequency (e.g., monthly basis) approved by VP-
|
Approval by VP-Finance |
As there is consistency of performance of control, hence the level ofprecision would be
|
Quarterly |
4. Management’s Expert (The management Experts involved for getting assistance by management)
| ID | Name of Management Experts | Area involved/ Process affected | Has the auditor also documented procedures performed to assess the competency, capability and objectivity of specialists/ experts engaged by the management. |
Type of Specialist | Procedures performed by Management Expert |
Procedures performed by Auditor |
| Not applicable. Although accounting for revenue from sale of products of Dhanvantri Limited involves some estimations due to sales incentives, volume discounts and Sales Returns etc., Management Experts are not required/engaged in these estimation processes as these processes are not complex. | ||||||
5. Auditors Expert ! Specialists (Other than IT Team)
The auditor involved the following Specialists! Experts to provide assistance for the purpose of audit as agreed in the planning meeting with the auditor:
| ID | Name of Management Experts | Area involved/ Process affected | Has the auditor also documented procedures performed to assess the competency, capability and objectivity of specialists/experts engaged by the management. |
Type of Specialist | Procedures performed by Auditor’s Expert |
| Not applicable. Although accounting for revenue from sale of products of Dhanvantri Limited involves some estimations due to sales incentives, volume discounts and Sales Returns etc., Audit Experts are not required/engaged in these estimation processes as these processes are not complex. | |||||
IV. Audit Firm’s Staff Guidance on ROMM
1. Risk Assessment Matrix
Our firm uses 3 x 3 Risk Assessment Matrix and performs ROMM at assertion level separately for Inherent Risk and Control Risk as depicted below.
| Likelihood (Probability)
|
Severity (Magnitude) | |||
| Low | Medium | High | ||
| High | Medium | High | High | |
| Medium | Low | Medium | High | |
| Low | Low | Low | Medium | |
Further, a combined ROMM is arrived using the following approach, subject to engagement team’s professional judgment, which would form the basis, along with assurance provided by analytical procedures, in deciding the nature and extent (Sample Size) of Test of Details (a type of substantive test).
| Inherent Risk | Control Risk | Risk of Material Misstatement |
| High | High | High |
| High | Medium | High |
| High | Low | Medium |
| Medium | High | High |
| Medium | Medium | Medium |
| Medium | Low | Low |
| Low | High | Medium |
| Low | Medium | Low |
| Low | Low | Low |
Note: The above exercise is not a mathematical exercise but needs the application of professional judgment and professional skepticism by the Engagement Team.
Additionally, the audit firm evaluates the classification of ROMM in Revenue as ‘Significant Risk’ or ‘Fraud Risk’ based on the criteria given in SA 315 or SA 240. Refer specific paragraphs below on these two critical audit areas.
Our firm’s methodology generally requires following confidence levels (quantitative terms) against each of the above risk bucket levels and those confidence levels will be used in determining nature & extent of testing (sample size determination using statistical audit sampling tables)
| Risk Bucket Level | Significant | High | Medium | Low |
| Confidence Level | 90-95% | 80-90% | 70% | 30-50% |
2. Evaluation of entity’s Internal Control System including Information Technology (IT) System
Entity’ internal control systems are significant components in achieving the management assertions regarding transactions and account balances that form part of the financial statements. Evaluation of internal control systems including IT platforms is an important part of our firm’s audit process. This aspect assumes added criticality in the audit assignments where we are required to express opinion on the design and operating effectiveness of company’s internal financial controls with reference to financial statements u/s 143(3)(i) of CA 2013.
Our firm’s audit methodology in this area is guided by prescriptions in the Guidance Note on Audit of Internal Financial Controls Over Financial Reporting3. A few important aspects to note are given below.
As per para 14.5 Guidance Note on Audit of Internal Financial Controls Over Financial Reporting “The auditor’s overall assessment of control risk for a particular assertion involves combining judgements about the prescribed controls, the deviations from prescribed controls, and the degree of assurance provided by the sample and other tests of controls”. Further, if the controls are expected to be operating effectively, then control risk is considered to be Low.
Risks associated with control
As per Para 113 to Guidance Note on Audit of Internal Financial Controls Over Financial Reporting – Factors that affect the risk associated with a control include:
♦ The nature and materiality of misstatements that the control is intended to prevent or detect;
♦ The inherent risk associated with the related account(s) and assertion(s);
♦ Whether there have been changes in the volume or nature of transactions that might adversely affect control design or operating effectiveness;
♦ Whether the account has a history of errors;
♦ The effectiveness of entity-level controls, especially controls that monitor other controls;
♦ The nature of the control and the frequency with which it operates;
♦ The competence of the personnel who perform the control or monitor its performance and whether there have been changes in key personnel who perform the control or monitor its performance; (Refer IG 6)
♦ The degree to which the control relies on the effectiveness of other controls (e.g., the control environment or information technology general controls);
(Refer IG 7 and IG 8)
♦ Whether the control relies on performance by an individual or is automated (i.e., an automated control would generally be expected to be lower risk if relevant information technology general controls are effective)
Level of Precision or Control Risk
As per para 19.10 Guidance Note on Audit of Internal Financial Controls Over Financial Reporting gives factors that auditors might consider when judging level of precision of control like consistency of performance, predictability of expectations, level of aggregation, purpose of control etc.
Overview of our firm’s overall approach for evaluation of internal control systems is given below.
3. Fraud risk assessment
Our firm uses an approach that is based on concept of ‘Fraud Triangle’ depicted below.
–
4. Audit Sampling approaches
Our firm generally uses the statistical sampling tables for selection of sample sizes prescribed in the globally used technical material issued by the AICPA . The reason being it is more aligned with the risk-based audit approach required under SAs and Audit Quality Control Standards and also it gives sample sizes for substantive tests and not just test of controls. In some cases of less complex audits, our firm uses the sample sizes given in the Guidance Note on Audit of Internal Financial Controls Over Financial Reporting referred earlier.
Notes:
1 Representations by management, explicit or otherwise, that are embodied in the financial statements, as used by the auditor to consider the different types of potential misstatements that may occur. SA 315.A123 further describes about assertions used by the auditor to consider the different types of potential misstatements.
2 SA 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Standards on Auditing
3 Issued by the Institute of Chartered Accountants of India for the purpose of issuing audit report of adequacy and operating effectiveness of company’s internal financial controls with reference to financial statements u/s 143(3)(i) of CA 2013
