AUDIT RISK MODEL

http://www4.semo.edu/gjohnson/notes/audit_risk_model.htm[15/5/2014 2:19:21 PM]

AUDIT RISK MODEL

Audit Risk (AR): risk that auditor will opine (render an opinion) with an unqualified opinion whenunknown to auditor, FS are materially misstated (ultimate risk)

Inherent Risk (IR): risk that errors (or misstatements or deviations) will occur," client-controlled

Control Risk (CR): risk that client's internal control system will fail to prevent/ detect/correcterrors ... client-controlled

Detection Risk (DRI_ risk that auditor's procedures will fail to detect errors ... auditor-controlled

AR IR * CR * OR

Audit risk = inherent risk * control risk * detection risk

Audit risk: always set priority at a low level (.0 1, 05, 10)

Inherent risk: controlled by client ... function of type of business, degree of liquidity, complexity

Control risk: controlled by client ... relates to effectiveness of client's control system in preventing,detecting, and correcting errors.

Detection risk: controlled by auditor ... function of nature, timing, and extent of audit procedures applied ...allowable or acceptable

Solution Set:

(1) Detection risk = audit risk / (inherent risk * control risk)

(2) Detection risk low ... the more evidence you have to collect

AUDIT RISK MODEL

http://www4.semo.edu/gjohnson/notes/audit_risk_model.htm[15/5/2014 2:19:21 PM]

(3) Detection risk high ... the less evidence you have to collect

Audit Risk: risk that auditor issues unqualified opinion when statements are materially misstated, audit riskand detection risk exactly related. IR/CR and detection risk inversely related.

Mgmt Assertions:

(1) existence or occurrence

(2) completeness

(3) rights and obligations

(4) valuation

(5) presentation and disclosure

*auditor's judgment about risks are based on assertions

*assertions translated to account balances, then create audit objectives and procedures

Inherent Risk Factors:

(1) nature of activities (complexity)

(2) regulatory nature

(3) degree of estimates

(4) competency and training of those reporting the financial statements

(5) previous history with entity

(6) preliminary analysis testing ( req'd by SAS in planning)…indicates areas where misstatementsoccur

Control Risk: SAS 78 requires auditor to document control risk assessment ... if controls are not working,control risk is assessed at maximum

Detection Risk: test of details and analytical procedures (ratios)... 1-DR = confidence level... The detectionrisk cannot be lower than the audit risk (the highest of CR or IR):

(1) If CR is moderate or low, test must be designed to prove it

AUDIT RISK MODEL

http://www4.semo.edu/gjohnson/notes/audit_risk_model.htm[15/5/2014 2:19:21 PM]

(2) IR - no implied tests, more efficient, doesn't require tests, simply document assessment

Inherent Risk Assessment:

(1) IR for cash @ maximum level (not fraud, theft or misappropriations)… deal with error

(2) What is the likelihood that client has goofed up enough transactions to materially misstate anaccount?

(3) SAS 99 - must consider fraud or misappropriations in IR

Inherent Risk Assessment Control Risk AssessmentAuditor must document

nothing

below maximumAt maximum

auditor must document and test

documentSAS 78 – internal controls

SAS – Audit Risk