2. Audit Risk Model
• AR = IR x CR x DR
• AR = Audit risk
– Also referred to as Residual Risk
– The risk that the auditor will incorrectly issue an
unqualified opinion
• IR = Inherent risk
– The risk of material misstatements absent any
internal controls or testing
3. Audit Risk Model
• CR = Control risk
– The risk that internal controls will fail to prevent
or detect material misstatement
• DR = Detection risk
– The risk that audit tests will fail to detect material
misstatement
• Therefore, audit risk is a function of inherent
risk, unchecked by controls and not detected
by the auditor
4. Risk Components
• Inherent risk
– Higher in complex transactions
– Higher where items are more naturally prone to
fraud
– Based in part on prior experience
– Industry and management pressures
• Inherent risk cannot be changed by the
auditor
5. Control Risk
• Part of Audit Risk Model
• Depends on the design and execution of controls
• Audit Risk = risk that internal controls will FAIL to prevent or
detect misstatement
– High CR means high risk controls will fail
– Low CR means low risk controls will fail
• If CR is high, auditor will not rely much on controls
• If CR is low, auditor can rely on ICS and reduce other types of
testing
6. Is Risk Quantifiable?
• Yes and No
• Often assessed in percentage terms
• Requires judgment because no number is out
there to be measured
• Detection risk needs to be quantified for
statistical testing
7. Interrelationship of Risks
• If IR and CR are high, then DR should be low (lots of testing)
• If IR is high and CR is low, DR can be higher, because controls offset high IR
• If IR is low and CR is low, DR can be high
• If IR is low but CR is high, that is somewhat indicative of fraud; DR should be very low
8. What is Acceptable Audit Risk?
• Risk the auditor is willing to take of being wrong
• Generally considered in terms of issuing an unqualified opinion where there are misstatements, but not in reverse
• Depends on engagement risk
– Financial stability
– Industry factors
– Management integrity
• Degree of reliance on audited statements
9. Keep Things Open
• Control risk assessment must be backed up by
control testing results
• If tests show weaker controls, CR is higher,
thus DR needs to be lower
10. Internal Control Objectives
• Reliability of financial statements
• Efficiency and effectiveness of operations
• Compliance with laws and regulations
• Safeguarding of assets
12. Design of ICS
• Preventing material misstatements
• Detecting material misstatements
• Preventing misappropriation
• Detecting misappropriation
• SarbOx: Management must assess and report
on design
– How are transactions initiated, authorized,
recorded, processed, and reported?
– Are there any weaknesses?
13. Management’s Report on ICS
• Must describe design
• Must make assertions about effectiveness
• Must report material weaknesses
• A single weakness prevents claim that ICS is
operating effectively
• Must be able to document basis for report
• Auditor will provide an opinion on the report
• Any weaknesses mean that auditor’s report will
be adverse.
14. Risk Assessment
• Management’s identification of risks
– Economic
– Industry
– Regulatory
– Operating risks
• Analysis and management of risks
• Examples
– Oil companies in the Gulf of Mexico
– Smith Corona
15. Control Activities
• Policies and procedures to address risks
• Pertains to all four other areas
• Separation of duties
• Proper authorization
• Adequate documents and records
• Physical control over assets and records
• Independent checks
17. Monitoring
• Need to ensure controls are working
• Monitoring now more pressing because of
SarbOx
• Control needs change
• Personnel change
• Organizational structure changes