New Delhi — India’s National Financial Reporting Authority (NFRA) has issued a focused Audit Practice Toolkit aimed at tightening how auditors assess revenue risk and document responses. Published in January 2026, the Risk & Response Memorandum (ROMM) for revenue provides a practical template for identifying what can go wrong in revenue recognition, assessing assertion‑level risks and linking audit procedures directly to those risks.
NFRA ROMM Toolkit requirements
The toolkit is presented as illustrative, but its structure mirrors the expectations regulators typically apply during inspections. It asks auditors to separate inherent risk, control risk and fraud risk, to assess risks at the assertion level (for example accuracy, cut‑off or existence), and to record why any decision to treat revenue as low risk is justified. Notably, NFRA treats revenue as a presumed fraud risk and requires clear documentation where auditors conclude otherwise.
Where many audit files fall short is not in law but in practice. The ROMM pushes auditors away from generic statements such as “revenue risk exists” and towards specific descriptions that explain why a risk arises and how the chosen audit steps respond to it. For small and medium firms, the toolkit clarifies regulatory expectations and raises the minimum standard for risk notes, discouraging rote, copy‑paste language.
Internationally, the ROMM aligns well with the thrust of ISA 315 (Revised 2019) by promoting structured thinking about inherent risk factors and stronger links between risk and response. Compared with the Institute of Chartered Accountants of India (ICAI) working paper templates, which provide a full file structure and detailed checklists, NFRA’s ROMM concentrates on sharpening judgment in one high‑risk area rather than replacing comprehensive firm guidance.
Despite its benefits, the toolkit leaves some important issues unaddressed. It targets engagement‑level documentation and does not explain how firm‑wide quality management systems under ISQM‑1 should shape engagement risk assessments. The example used focuses on product sales, so service contracts, large engineering procurement contracts and subscription‑based SaaS revenue models will require adapted guidance. Technology risk and automated controls receive only limited treatment, leaving auditors without detailed direction on data integrity and system‑driven revenue models.
In effect, the ROMM strengthens planning discipline more than execution detail. It asks auditors to explain the link from identified risk to specific audit steps, but it does not prescribe how to determine the precise nature, timing and extent of those steps across diverse business models. Regulators and firms may therefore need follow‑up guidance or additional toolkits to address other high‑risk areas such as related parties, accounting estimates and financial instruments.
The practical impact could nonetheless be significant. By elevating the quality of planning notes and making clear reasoning a yardstick for inspections, NFRA signals that audit quality will be judged by reasoning recorded at the engagement level, not merely by end‑point penalties. If NFRA expands this approach to other domains, incremental toolkits could quietly reshape audit practice in India, improving transparency and investor confidence.
ABC Live reviewed the ROMM on NFRA’s official site and compared it with ICAI templates and international standards, notably ISA 315 (Revised). This analysis reflects editorial assessment based on public sources and aims to explain what the toolkit fixes and where further work is needed.
Key Takeaways:
- NFRA released the ROMM Toolkit to improve how auditors document revenue risk and link procedures to assertion‑level risks.
- The NFRA ROMM Toolkit aligns with ISA 315 principles and raises planning and documentation standards beyond ICAI templates.
- Gaps remain on firm‑level quality systems, complex revenue models and technology risks that require further guidance.