Audit Risk Model
Transcript of Audit Risk Model
AUDIT RISK MODEL
http://www4.semo.edu/gjohnson/notes/audit_risk_model.htm[15/5/2014 2:19:21 PM]
AUDIT RISK MODEL
Audit Risk (AR): risk that auditor will opine (render an opinion) with an unqualified opinion whenunknown to auditor, FS are materially misstated (ultimate risk)
Inherent Risk (IR): risk that errors (or misstatements or deviations) will occur," client-controlled
Control Risk (CR): risk that client's internal control system will fail to prevent/ detect/correcterrors ... client-controlled
Detection Risk (DRI_ risk that auditor's procedures will fail to detect errors ... auditor-controlled
AR IR * CR * OR
Audit risk = inherent risk * control risk * detection risk
Audit risk: always set priority at a low level (.0 1, 05, 10)
Inherent risk: controlled by client ... function of type of business, degree of liquidity, complexity
Control risk: controlled by client ... relates to effectiveness of client's control system in preventing,detecting, and correcting errors.
Detection risk: controlled by auditor ... function of nature, timing, and extent of audit procedures applied ...allowable or acceptable
Solution Set:
(1) Detection risk = audit risk / (inherent risk * control risk)
(2) Detection risk low ... the more evidence you have to collect
AUDIT RISK MODEL
http://www4.semo.edu/gjohnson/notes/audit_risk_model.htm[15/5/2014 2:19:21 PM]
(3) Detection risk high ... the less evidence you have to collect
Audit Risk: risk that auditor issues unqualified opinion when statements are materially misstated, audit riskand detection risk exactly related. IR/CR and detection risk inversely related.
Mgmt Assertions:
(1) existence or occurrence
(2) completeness
(3) rights and obligations
(4) valuation
(5) presentation and disclosure
*auditor's judgment about risks are based on assertions
*assertions translated to account balances, then create audit objectives and procedures
Inherent Risk Factors:
(1) nature of activities (complexity)
(2) regulatory nature
(3) degree of estimates
(4) competency and training of those reporting the financial statements
(5) previous history with entity
(6) preliminary analysis testing ( req'd by SAS in planning)…indicates areas where misstatementsoccur
Control Risk: SAS 78 requires auditor to document control risk assessment ... if controls are not working,control risk is assessed at maximum
Detection Risk: test of details and analytical procedures (ratios)... 1-DR = confidence level... The detectionrisk cannot be lower than the audit risk (the highest of CR or IR):
(1) If CR is moderate or low, test must be designed to prove it
AUDIT RISK MODEL
http://www4.semo.edu/gjohnson/notes/audit_risk_model.htm[15/5/2014 2:19:21 PM]
(2) IR - no implied tests, more efficient, doesn't require tests, simply document assessment
Inherent Risk Assessment:
(1) IR for cash @ maximum level (not fraud, theft or misappropriations)… deal with error
(2) What is the likelihood that client has goofed up enough transactions to materially misstate anaccount?
(3) SAS 99 - must consider fraud or misappropriations in IR
Inherent Risk Assessment Control Risk AssessmentAuditor must document
nothing
below maximumAt maximum
auditor must document and test
documentSAS 78 – internal controls
SAS – Audit Risk