NFRA’s Illustrative Revenue ROMM Memo: A Practical Walkthrough for Auditors
1. Purpose and Context of the NFRA Staff Memorandum
The NFRA Staff Series document under discussion is a pedagogical, example-based guidance note designed to enhance understanding of the Risk of Material Misstatement (ROMM) in relation to revenue, particularly at the assertion level. It is built around the requirements of SA 315 and SA 240, and aims to show, in a highly practical manner, how an audit firm can:
- Identify and evaluate inherent, control, and fraud risks for revenue
- Map these risks to specific assertions
- Understand and test relevant internal controls (manual and automated)
- Design and perform a risk-based audit response
The document takes the form of a sample “Risk & Response Memorandum” for a hypothetical pharmaceutical entity, Dhanvantri Limited, audited by CA. Ram Lakhan & Associates. It illustrates working papers for revenue from sale of products and highlights the importance of professional judgment, professional scepticism, and robust documentation.
Important
The NFRA Staff paper is not a standard, policy, or recommendation of NFRA, the Government, or its Executive Body. It is strictly an educational tool and cannot be cited as an authoritative source before any judicial, quasi-judicial, or regulatory forum in relation to auditor responsibilities.
The facts, figures, names, and circumstances in the memorandum (such as Dhanvantri Limited and the audit firm) are deliberately fictional and any resemblance to real entities is purely coincidental.
2. Professional Standards Framework for ROMM Assessment
2.1 Central Role of Risk Assessment in the Audit
Under SA 315, the risk assessment process forms the backbone of the audit strategy. Auditors are expected to identify and assess ROMM—whether arising from fraud or error—through an informed understanding of:
- The entity and its environment
- The applicable financial reporting framework
- The entity’s system of internal control
The standard emphasizes a dynamic and iterative risk assessment. Initial risk evaluations and related planned procedures may need revision as fresh information or audit evidence emerges.
The overall audit risk is a function of:
- Risk of material misstatement (at both financial statement and assertion level), and
- Detection risk (risk that audit procedures fail to detect an existing material misstatement).
2.2 Inherent Risk, Control Risk, and Detection Risk
At the assertion level, ROMM is analysed through two core components:
Inherent risk
The natural susceptibility of an assertion relating to a class of transactions, account balance, or disclosure to material misstatement before considering any related controls.Control risk (
SA 200)
The risk that a material misstatement occurring at the assertion level will not be prevented, or detected and corrected, on a timely basis by the entity’s internal controls.
SA 315 (para 26(c)) requires the auditor to link each identified risk to what can go wrong at the assertion level, having regard to relevant controls the auditor plans to test. As recognised in para A130 of SA 315, controls may have direct or indirect relevance to a particular assertion; the more indirect the link, the weaker the effect in preventing or detecting errors in that assertion.
Detection risk is the risk that auditing procedures do not uncover a material misstatement that actually exists, whether individually or in aggregate.
Auditors may assess ROMM by:
- Separately evaluating inherent and control risks, or
- Assessing ROMM on a combined basis
depending on their methodology and professional judgment.
2.3 Assertion-Level ROMM: Types of Assertions
The document refers to the assertions described in SA 315 (paras 25(b) and A121–A125), including:
- For transactions/events: occurrence, completeness, accuracy, cut-off, classification
- For account balances: existence, rights and obligations, completeness, valuation and allocation
- For presentation and disclosure: classification and understandability, accuracy and valuation, occurrence, completeness
Auditors are permitted to express assertions differently or combine them, so long as all conceptual aspects are covered as required by SA 315.A124.
3. Special Categories of Risk: Significant Risks, IT-Dependent Risks, and Fraud
3.1 Significant Risks under SA 315
Under paras 27–28 of SA 315, auditors must determine which ROMMs qualify as significant risks, considering factors such as:
- Whether the risk relates to fraud
- Links to significant economic or regulatory changes
- Transaction complexity
- Involvement of related parties
- Significant measurement uncertainty and subjectivity
- Transactions outside the normal course of business or appearing unusual
Such risks require heightened auditor focus and often more extensive or tailored procedures.
3.2 Risks Where Only Substantive Procedures Are Not Enough
Para 30 of SA 315 discusses risks for which substantive procedures alone may fail to provide sufficient appropriate audit evidence—commonly where:
- High-volume, routine transactions (like revenue or payroll) are processed in highly automated IT environments with minimal manual intervention, and
- Relevant evidence exists largely in electronic form
In such settings, the effectiveness of IT controls around accuracy and completeness becomes critical to the sufficiency and reliability of audit evidence (see SA 315.A140).
3.3 Fraud Risk under SA 240
SA 240 integrates fraud considerations into the risk assessment under SA 315:
- Para 16 requires specific procedures designed to identify ROMM due to fraud
- Para 25 mandates assessment of fraud-related ROMM at both financial statement and assertion levels
- Para 26 presumes the existence of fraud risk in revenue recognition, unless the auditor can justify rebuttal; para 47 requires documentation of such rebuttal
- Para 27 specifies that fraud risks must always be treated as significant risks
Many firms employ the “Fraud Triangle” model—considering incentive/pressure, opportunity, and rationalisation—to structure their fraud risk assessment.
3.4 Revising ROMM Assessments
As set out in para 31 and A142 of SA 315, if audit procedures reveal new facts or inconsistencies, auditors should:
- Reassess ROMM at the assertion level