Risks of Material Misstatement of Revenues

What is Revenue?

Revenue that an entity recognizes in the income statement during the year is the income it earns from selling goods or services to its customers. Revenue is recognized when control passes from the entity to its customers.

It is recognized whether the customer pays immediately or buys on credit, which means the goods or services are sold but the payment will be collected later.

In general, revenue is one of the key performance indicators that not only the entity itself wants to achieve, but that the board of directors and the management of the entity want to accomplish as well.

That is the main reason why revenue is generally assessed as carrying a high risk of material misstatement in an audit, given its nature and the amount recognized in the income statement.

In this article, we discuss the risks of material misstatement related to revenue.

Inherent Risk:

Inherent risks are risks that are not related to controls but are closely related to the nature of the account itself, the level of management judgment involved, and the complexity of the accounts and transactions.

The inherent risk of revenue is normally considered high because revenue recognition has many criteria that involve significant judgment by the entity’s management.

Here are examples of inherent risks related to revenue that the auditor should pay attention to during the audit:

  • Management manipulates the figures to achieve the target set by the board. For example, there is a sales budget set by the board or shareholders and, at the end of the year, actual sales have almost reached the budget. Management might try to manipulate sales so that the budget is achieved and management becomes entitled to a bonus that was agreed upfront with the board or shareholders.
  • Risk of recognizing revenue that did not occur during the period. This might happen at the middle-management level, where a fake sale is recorded at the end of the year and canceled after year-end so that performance targets are met.
  • Due to the complexity of sales terms, revenue might be incorrectly recognized for goods that are in transit or on consignment at the customers’ stores.
  • The company might fail to derecognize sales returns, resulting in the overstatement of sales as well as accounts receivable.
  • Due to the complexity of sales terms and the large number of sales transactions, revenue might be recorded in a period other than the one in which it should be recognized. For example, revenue is recognized in December 2020 for transactions that occurred in January 2021.

Therefore, there is a significant risk of material misstatement in revenue recognition that is linked to the inherent risks of revenue.

Fraud Risk:

By default, the fraud risk related to revenue is always considered high. This is due to its nature. The fraud could be committed by the entity’s staff or at the top management level.

Fraud could take the form of misappropriation of assets or fraud over financial reporting. For example, fake sales transactions are created by the sales team by setting up fake customer accounts. Those accounts are then written off because the customers cannot be contacted.

However, this kind of fraud might be detected by management by setting up strong internal controls.

Fraud over financial reporting, on the other hand, is very difficult to detect, and the auditor needs to pay very close attention since the detection risk is high, considering that the fraud might be committed by management or even at the board level.

Therefore, there is a significant risk of material misstatement of revenue related to fraud.

Control Risk:

A material misstatement of revenue due to control weaknesses might occur, depending on the controls of each entity that the auditor is auditing.

The auditor normally needs to obtain an understanding of the internal controls that the entity has set up to see whether any loophole could lead to risks of material misstatement of revenue.

The auditor needs to assess the implementation of controls: whether the key controls that help to prevent error or fraud are effectively and efficiently implemented by the company.

If the controls are effectively and efficiently implemented, the risk of material misstatement might be low. If the controls are not strong and their implementation is not effective and efficient, the risk of material misstatement is high and the auditor should prepare procedures to address those risks.

What are the engagement risks in the audit?


During the audit process, auditors have to be wary of the risks inherent in the audit itself. Risk identification is an important part of the audit engagement process because it can change the opinion that auditors express on the financial statements.

In this regard, engagement risk is one of the most important risks to consider when designing audit processes and procedures for an engagement.


Engagement risk is defined as the overall risk associated with an audit engagement. This risk is associated mainly with conducting the audit itself, more so than anything else.

From the auditor’s perspective, it is highly important to consider this type of risk because of the detrimental impact it can have on the audit team and the company as a whole.

Engagement risks tend to increase when the client is in a relatively weak position and needs to obtain funding from external sources in order to survive. Put differently, this is a position where the company cannot safely be declared a going concern.

Hence the risk that the company faces is quite substantial and needs to be accounted for.

The concern is that, since the company is likely to default or go bankrupt in the near future, the auditor might face litigation for not having reported that the company is not a going concern.

Additionally, these factors tend to exist within the audit process because of the business uncertainty that is present in any business. Hence, these engagement risks are inherent and need to be identified and dealt with before the engagement begins.

Examples of Engagement Risks

Engagement risks are the risks that the auditor is exposed to as a result of taking on the audit of a certain client. Some examples of engagement risks are given below:

  • A high-risk client: When the company is exposed to a level of risk that calls its going concern status into question, it is important for the auditor to identify this so that they do not face litigation in the future when the company defaults or becomes bankrupt.
  • Existing repute: The existing reputation of the company is also an important factor that can be used to assess the underlying engagement risk. Companies that have been involved in unfair and unethical practices in the past mostly have a shaky reputation in the industry. This results in a higher degree of engagement risk for the auditor.
  • Red flags: In certain cases, there is ambiguity about the overall financial position of the company. These red flags can be identified using the Annual Reports and the Financial Statements. Before taking on a client, it is also a good idea to look at these red flags in order to reduce engagement risk to an acceptable level.

Engagement Risks and Audit Process

Where the auditor is risk averse, they would be increasingly reluctant to work with clients that have a higher engagement risk.

On the contrary, a relatively new auditor or audit firm might agree to take on a client with higher engagement risk, because the risk would be offset by the payoffs they receive as a result.

However, it must be realized that audit procedures need to be expanded in order to offset the inherent engagement risk involved with a particular client.


Therefore, it can be concluded that engagement risks tend to be among the most important risks for any audit process. This is mainly because of their potential to negatively impact and subsequently jeopardize the name and repute of the auditor.

Although these risks are inherent in most business cases, they can be mitigated if the client is properly scrutinized before signing the audit engagement contract.

Risk Assessment Procedures in Audit

This International Standard on Auditing (ISA) deals with the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements through understanding the entity and its environment, including the entity’s internal control.

The following risk assessment procedures should be followed in an audit:

Understanding the entity and its environment:

The auditor shall obtain an understanding of the following factors:

  1. Relevant industry and different external factors such as the applicable financial reporting framework.
  2. The nature of the entity, including its operations, its ownership and governance structures, the types of investments that the entity is making and plans to make, which include investments in special-purpose entities; and the manner in which the entity is established and how it is financed, to enable the auditor to understand the classes of transactions, account balances, and disclosures in the financial statements.
  3. The entity’s selection and understanding of accounting policies. The auditor should evaluate whether the entity’s accounting policies are appropriate for its business and consistent with the applicable financial reporting framework.
  4. The entity’s goals and strategies, and the related business risks that may result in risks of material misstatement.
  5. The size and assessment of the entity’s financial performance.

Obtaining an understanding of Internal Control:

  • The auditor must acquire enough understanding of each component of internal control over financial reporting to become aware of the types of potential misstatements.
  • The nature, timing, and extent of procedures that might be necessary to gain an understanding of internal control depend upon the size and complexity of the company and the nature of the company’s documentation of its internal control over financial reporting.
  • Obtaining an understanding of internal control consists of evaluating the design of controls that are relevant to the audit and determining whether the controls were implemented.
  • Internal control over financial reporting can be described as consisting of the following components: the control environment, the organization’s risk assessment process, information and communication, control activities, and monitoring of controls.

Components of Internal Control:

Control environment:

The auditor should obtain an understanding of the client’s control environment. Along with obtaining this information, the auditor shall evaluate whether management has created and maintained a culture of honesty and ethical conduct, whether the strengths in the control environment elements collectively provide an appropriate basis for the other components of internal control, and whether those other components are not undermined by deficiencies in the control environment.

Monitoring of Controls:

The auditor should obtain an understanding of the significant activities that the company uses to monitor the effectiveness of its internal control over financial reporting and how the organization initiates corrective actions related to its controls.

Performing Walkthroughs:

The auditor may carry out walkthroughs as part of obtaining information on internal control over financial reporting. In order to perform a walkthrough, the auditor follows a transaction from origination through the company’s processes.

Walkthrough procedures include a combination of inquiry, observation, an inspection of relevant documentation, and re-performance of controls.

Performing Analytical Procedures:

The auditor should perform analytical procedures that are designed to enhance the auditor’s understanding of the client’s business and the significant transactions and events that have occurred since the prior year-end, and to identify areas that could constitute specific risks relevant to the audit.

Identifying and Assessing Risks of Material Misstatement:

Risks of material misstatement at the financial statements level and assertion level should be determined by the auditor.

In identifying and assessing risks of material misstatement, the auditor should identify risks of misstatement using information obtained from performing risk assessment procedures and decide whether any of the identified risks of material misstatement are significant risks.

Factors Relevant to Identifying Fraud Risks:

The auditor must evaluate whether the information obtained from the risk assessment procedures indicates that one or more fraud risk factors are present and should be considered in identifying and assessing fraud risks.

Further Consideration of Controls:

When the auditor has decided that a significant risk, including a fraud risk, exists, the auditor should evaluate the design of the company’s controls that are meant to address fraud risks and other significant risks and decide whether those controls were properly implemented.

Revision of Risk Assessment:

When the auditor obtains audit evidence during the course of the audit that may challenge the audit evidence on which the auditor originally based his or her risk assessment, the auditor must revise the risk evaluation and modify audit approaches in response to the revised risk assessments.




What is Risk Assessment? Explained

The auditor should perform risk assessment procedures that are sufficient to provide a reasonable basis for identifying and assessing the risk of material misstatement at the financial statement and assertion levels, whether due to fraud or error.

ISA 315 gives an outline of the procedures that the auditor should follow in order to obtain an understanding sufficient to assess audit risk, and these risks must be considered in the audit plan.

Performing Risk Assessment in the Audit

Risks of material misstatement arise from various sources, including external factors, such as conditions in the company’s industry and environment, and company-specific factors, such as the nature of the company, its activities, and its internal control over financial reporting.

Thus, the audit procedures needed to identify and appropriately assess the risks of material misstatement include consideration of both external factors and company-specific factors. ISA 315 goes on to identify the following risk assessment procedures:

  • Auditors need to have discussions with the client’s management about its objectives and expectations, and its plans for achieving those goals. The auditor shall consider whether information obtained from the auditor’s client acceptance or continuance process is relevant to identifying risks of material misstatement. The auditor shall also make inquiries of management, appropriate individuals within the internal audit function, and others within the entity who, in the auditor’s professional judgment, may have information that is likely to help in identifying risks of material misstatement due to fraud or error.
  • If the engagement partner has performed other engagements for the entity, the engagement partner shall consider whether the information obtained is relevant to identifying risks of material misstatement.
  • Where the auditor intends to use information obtained from the auditor’s previous experience with the entity and from audit procedures performed in previous audits, the auditor shall determine whether changes have occurred since the previous audit that may affect its relevance to the current audit.
  • The engagement partner and other engagement team members shall discuss the susceptibility of the entity’s financial statements to material misstatement, and the application of the applicable financial reporting framework to the entity’s facts and circumstances. The engagement partner shall decide which matters are to be communicated to engagement team members not involved in the discussion.
  • Analytical procedures performed as risk assessment procedures should help the auditor identify unusual transactions. They may identify aspects of the entity that the auditor was unaware of and may help in assessing the risks of material misstatement, providing a basis for planning and implementing responses to the assessed risks. The auditor should perform analytical procedures that are designed to enhance the auditor’s understanding of the client’s business and the significant transactions and events that have occurred since the previous year-end, and to identify areas that may represent risks relevant to the audit. In applying analytical procedures as risk assessment procedures, the auditor should perform them with the objective of identifying unusual transactions, which may indicate a material misstatement. Where the auditor has reviewed the interim financial report, the analytical procedures applied in that review should be considered in planning and implementing risk assessment procedures.
  • Observation and inspection may provide information about the entity and its environment. Examples of such audit procedures cover a wide range, such as observation or inspection of the entity’s operations, documents, and reports prepared by management.

The auditor should obtain an understanding of the information system, as well as the related business processes, relevant to financial reporting, such as:

  • The classes of transactions in the company’s operations that are significant to the financial statements; the procedures, within both automated and manual systems, by which those transactions are initiated, authorized, processed, recorded, and reported;
  • The related accounting records, supporting information, and accounts in the financial statements that are used to initiate, authorize, process, and record transactions;
  • The information system and its way of capturing events and conditions, other than transactions, that are significant to the financial statements; and the period-end financial reporting process.
  • The auditor should additionally acquire an understanding of how information technology affects the company’s flow of transactions.

ISA 315 requires that the risk assessment procedures comprise a combination of the above procedures, and the standard also requires that the engagement partner and other key engagement team members discuss the susceptibility of the entity’s financial statements to material misstatement.

How to Identify Audit Risk?

The goal of the auditor is to identify and appropriately assess the risks of material misstatement, thereby providing a basis for designing and implementing responses to those risks.

It is important to refer to the traditional audit risk model, which remains important to the audit process. The audit risk model identifies the following three audit risk components:

Inherent Risk

Inherent risk is the susceptibility of an assertion about a category of transaction, account balance, or disclosure to a misstatement that would be material, either individually or when aggregated with other misstatements, before consideration of any related controls.

Inherent risk is considered to be higher where a high degree of judgment and estimation is involved or where transactions of the entity are highly complex.

Control Risk

Control risk is the risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure, and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control.

When the audited entity does not have adequate internal controls to prevent and detect instances of fraud and error in the financial statements, control risk is considered to be high.

Detection Risk

Detection risk is the risk that the procedures performed by the auditor to reduce audit risk to a low level will not detect a misstatement that exists and that may be material, either individually or in aggregate. Auditors can reduce detection risk by increasing the number of sampled transactions for detail testing.

The following terms have the meanings attributed below for the purpose of ISAs:

Assertions – Representations by management, explicit or otherwise, that are embodied in the financial statements, as used by the auditor to consider the different types of potential misstatements that may occur.

Business risk – A risk resulting from significant conditions, events, circumstances, or actions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies.

Internal control – The process designed, implemented, and maintained by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

Risk assessment procedures – The audit procedures performed to obtain an understanding of the entity and its environment, including the entity’s internal control, to identify and assess the risks of material misstatement at the financial statement and assertion levels, whether due to fraud or error.

Significant risk – An identified and assessed risk of material misstatement that, in the auditor’s judgment, requires special audit consideration.

Here are some tips to follow while identifying audit risk:

– To plan the audit, you need to identify your client’s specific risks. To become aware of the risks, you’ll want to gain an understanding of the entity, and that means asking a lot of questions. If you want clarification of something, don’t be shy: ask questions.

– In gaining an understanding of the entity, it’s necessary that you understand their business. It’s also necessary that you gain a better understanding of your client’s significant accounts and transaction cycles.

The intention here is simple: the more you know about your client, the better you’ll be able to identify their risks.

– All entities have controls. If you have a client in which the owner reviews financial results, communicates the importance of quality, or sets a strong “tone at the top” by demonstrating integrity, your client has controls.

When seeking to identify your client’s controls, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) components and principles can help you detect possible gaps.

– On each audit, you are required to evaluate the design of controls relevant to the audit and determine whether those controls were implemented. This isn’t the same thing as testing the operating effectiveness of controls.

To provide a basis for designing and performing further audit procedures, the auditor must identify the risks of material misstatement by following these steps:

  • Identify risk throughout the process of understanding the entity and its environment.
  • Assess the identified risk and evaluate its impact on the financial statements.
  • Relate the identified risk at the assertion level considering the controls to be tested.
  • Consider the possibility of misstatements and their effect on the financial statements. 




Importance of risk assessment in auditing

Identifying and assessing audit risk is a necessary part of the audit process. ISA 315, Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment, offers in-depth guidance to auditors regarding audit risk assessment. Risk assessment is the most important activity for the overall success of an audit.

The risk assessment is performed at the design stage of the audit, then constantly challenged and reevaluated as procedures are performed and more evidence is obtained. This is what truly drives a high-quality audit. Risk assessment, when conducted properly, allows the audit to be done better.

It gives auditors insight into the most effective use of their time. From the results, it can be determined in a general sense what needs to be done, helping the audit to be more efficient and effective. Risk assessments bring many other broad advantages to the audit process as well.

Audit Risk

Audit risk consists of inherent risk, control risk, and detection risk. Audit risk is the chance that the financial statements are materially misstated even though the audit opinion states that they are free from material misstatement.

The aim of an audit is to reduce the audit risk to a suitably low level through adequate testing and sufficient evidence. Audit firms carry insurance to manage audit risk and the potential legal liability.

Audit Risk and its importance

Assessment of audit risk is vital to the audit because auditors cannot and do not attempt to check all transactions. It would not be possible for the auditor to check all transactions, and no one would be prepared to pay for auditors to do so.

Traditionally, auditors have used a risk-based approach in order to minimize the chance of giving an inappropriate audit opinion, and audits conducted in accordance with ISAs should follow the risk-based approach, which should ensure that the audit work is carried out efficiently, using the most effective tests based on the audit risk assessment.

Auditors ought to direct audit work to the key risks, where it is more likely that mistakes in transactions and balances will result in a material misstatement in the financial statements.

ISA 315 sets out the auditor’s obligation to identify the risks of material misstatement in the financial statements through an understanding of the entity and its environment, including the entity’s internal controls and risk assessment process.

In the past, deficiencies in identifying and assessing risks had typically been only a contributing factor in other audit deficiencies. The idea that a poorly performed risk assessment could result in an audit failure should send shockwaves through firms of all sizes. It’s important to recognize one of the key risk assessment activities: performing walkthroughs.

In performing a walkthrough, the auditor follows a transaction from origination through the company’s processes, including information systems, until it is reflected in the company’s financial records. PCAOB standards tend to focus on the role of the walkthrough in evaluating the design and implementation of key controls.

What’s frequently lost on auditors is that one of the key objectives of understanding each component of internal control over financial reporting is to understand the types of possible misstatements that may occur. This is a very important understanding for an auditor to have in order to identify the key controls to test.

Most critical to your audit plan, performing a risk assessment allows you to identify the risks that should be the highest priority. Usually, the risk assessment can become lengthy, which can hold you back from conducting the audit. Taking the time to do it properly saves you a lot of time and energy throughout the audit.

Firms should focus on how they can improve the quality and extent of their risk assessments. One way they can improve is to build well-targeted team discussions into their risk assessment process.

Involving senior engagement team leadership in the risk assessment process, including in the performance of walkthroughs, can result in a more rigorous assessment of the types of potential misstatements that may occur.

A more rigorous risk assessment, together with properly designed and executed audit procedures to address the assessed risks, can lead to improved audit quality.