| by Gerard Long
01 Nov 1999
Questions about ‘Audit Risk’ are frequently set in examinations. This article considers the Audit Risk approach under the following headings.
(For the purposes of this article the word ‘error’ is used to describe both an unintentional mistake and a deliberate misrepresentation or falsification of the accounting records or of the financial statements).
At its most simple ‘Audit Risk’ is the risk that the auditor will get his opinion wrong. In practice, this nearly always means that the auditor will fail to qualify an audit report that he should have qualified.
In order for this situation to arise there needs to be a material error in the accounting records or the financial statements which was not corrected before the accounts were published and to which the auditor did not refer in the Audit Report.
1 Explanation of the approach and the Audit Risk
Firstly, a material error needs to have occurred. The chances of this happening is commonly referred to as the Inherent Risk.
Secondly, the error needs to have not been detected by the client’s system of Internal Control. The chance of this happening is referred to as the Control Risk.
Thirdly, the auditor must have failed to find the error in the course of his substantive testing or analytical review procedures. The chance of this happening is known as the Detection Risk.
It is only when all of these conditions are fulfilled simultaneously that the auditor will give an inappropriate opinion on a set of financial statements, and the Audit Risk will materialise. Thus it can be said that the Audit Risk is the product of the Inherent Risk by the Control Risk by the Detection Risk. This is normally abbreviated to:
AR = IR x CR x DR
Note: Maximum Risk is assessed as 1 and lower levels between 0 and 1 e.g., Control Risk might be assessed e.g., 0.25 or 0.5.
2 Use of the model:
.05 = IR x CR x DR
Theoretically, the auditor can make Detection Risk as low as he pleases. To eliminate risk altogether the auditor simply has to check every transaction, every asset and every liability! Of course, in practice this is usually just not possible.
The usefulness of this model is that it allows the auditor to set quantitative values on Inherent Risk and Control Risk so as to allow for an increased amount of Detection Risk and hence a lower level of substantive testing.
In other words, the auditor will need to do less substantive testing if the Inherent Risk and/or the Control Risk are low. If, for example, the system of internal control is good then the Control Risk will be low leading to less substantive testing.
On the other hand, the auditor might decide to take no comfort from inherent or control factors and to base his audit opinion purely on substantive procedures (including analytical review). In terms of this model that would mean putting IR and CR = 1 and thus AR = DR. This approach is often taken in the case of smaller or owner- managed enterprises, and it is purely the substantive or vouching approach to auditing.
More commonly nowadays auditors will place at least some reliance on internal control and hence control risk will be evaluated at less than one. The exact figure will be found by means of an analysis of the results of tests of control but the auditor should err on the side of caution. In particular, control risk should never be assessed as zero.
Placing a numeric value on Inherent Risk is more difficult. Many auditors will always regard Inherent Risk as maximum (i.e., one), but to do this, while prudent, is to reduce the usefulness of the model somewhat.
Factors which need to be considered when placing a value on Inherent Risk would include:
In summary, let us take an example of a client who has decided that an overall Audit Risk of 5% is acceptable, that the Inherent Risk is 80% and the Control Risk is 50%. We have:
0.05 = 0.5 x 0.8 x DR
therefore DR = 0.05 / 0.5 x 0.8
DR = .125 or 12.5%
The auditor now knows that he can afford to take a 12.5% chance of not detecting an error during the substantive testing. Conversely he needs 87.5% assurance that the substantive testing will pick up all material errors. He can use this information in conjunction with statistical sampling techniques (which are outside the scope of this article) so as to determine appropriate sample sizes for the purposes of substantive testing.
3 Relationship to the traditional
4 Advantages and disadvantages of the model:
5 The audit risk matrix
*In rare cases substantive tests may not always be necessary for a particular balance or aspect of a balance e.g., ownership of debtors.
This is largely the same as the method described above but while it loses some rigour compared to the quantitative formula-based approach it does mean that quantitative assessments of IR and CR do not have to be made and the resultwill not be tainted by a degree of spurious accuracy.
Unable to open a PDF document? To open a PDF you need Adobe Acrobat Reader, which can be downloaded for free from the Adobe website.