AUDIT RISK MODEL

 

Audit Risk (AR): risk that auditor will opine (render an opinion) with an unqualified opinion when unknown to auditor, FS are materially misstated (ultimate risk)

 

Inherent Risk (IR): risk that errors (or misstatements or deviations) will occur," client‑controlled

 

Control Risk (CR): risk that client's internal control system will fail to prevent/ detect/correct errors ... client‑controlled

 

Detection Risk (DRI_ risk that auditor's procedures will fail to detect errors ... auditor‑controlled

 

AR IR * CR * OR

 

Audit risk = inherent risk * control risk * detection risk

 

Audit risk: always set priority at a low level (.0 1, 05, 10)

 

Inherent risk: controlled by client ... function of type of business, degree of liquidity, complexity

 

Control risk: controlled by client ... relates to effectiveness of client's control system in preventing, detecting, and correcting errors.

 

Detection risk: controlled by auditor ... function of nature, timing, and extent of audit procedures applied ... allowable or acceptable

 

Solution Set:

          (1)      Detection risk = audit risk / (inherent risk * control risk)

(2)     Detection risk low ... the more evidence you have to collect

(3)     Detection risk high ... the less evidence you have to collect

 

Audit Risk: risk that auditor issues unqualified opinion when statements are materially misstated, audit risk and detection risk exactly related.  IR/CR and detection risk inversely related.

 

Mgmt Assertions:

(1)      existence or occurrence

(2)     completeness

(3)     rights and obligations

(4)     valuation

(5)     presentation and disclosure

*auditor's judgment about risks are based on assertions

*assertions translated to account balances, then create audit objectives and procedures

 

Inherent Risk Factors:

(1)      nature of activities (complexity)

(2)     regulatory nature

(3)     degree of estimates

(4)     competency and training of those reporting the financial statements

(5)     previous history with entity

(6)     preliminary analysis testing ( req'd by SAS in planning)…indicates areas where misstatements occur

 


Control Risk: SAS 78 requires auditor to document control risk assessment ... if controls are not working, control risk is assessed at maximum

 

Detection Risk: test of details and analytical procedures (ratios)... 1‑DR = confidence level... The detection risk cannot be lower than the audit risk (the highest of CR or IR):

(1)      If CR is moderate or low, test must be designed to prove it

(2)     IR - no implied tests, more efficient, doesn't require tests, simply document assessment

 

Inherent Risk Assessment:

 

(1)      IR for cash @ maximum level (not fraud, theft or misappropriations)… deal with error

(2)     What is the likelihood that client has goofed up enough transactions to materially misstate an account?

(3)           SAS 99 - must consider fraud or misappropriations in IR

 

 

 

Inherent Risk Assessment

 

Control Risk Assessment

Auditor must document

nothing

below maximum At maximum

auditor must document and test

document

SAS 78 – internal controls

SAS  – Audit Risk