| by Graham Cosserat
01 Feb 1999
|The audit risk model is at the heart of the audit process. The application of this model is described in SAS 300, Accounting and Internal Control Systems, (ISA 400, Risk Assessments and Internal Control). Although the components of the audit risk model are reasonably well understood, their application in developing a strategy in a particular audit situation is rarely appreciated by students. This article seeks to remedy that defect by explaining how auditors use the risk model in determining the audit procedures to be applied in any particular audit, particularly the mix of tests of control and substantive procedures.
First it is necessary to dispel a couple of widely held misconceptions. The first of these is a belief that the risk model is some kind of mathematical formula. Auditing texts often illustrate the model by presenting it as such. However, its application, as required by SAS 300 (ISA 400), is purely non-mathematical. All that is required is an understanding that there is a positive relationship between each of the components of audit risk (inherent risk, control risk and detection risk) and the overall audit risk of arriving at an incorrect judgement as to the truth and fairness of the financial statements. Since inherent and control risk are outside of the control of the auditors it follows that the higher are the assessed levels of inherent and control risk, the lower must be the level of detection risk if the desired overall level of audit risk is to be attained. The level of detection risk can be varied by the auditors through increasing the level of substantive procedures as necessary. SAS 300 (ISA 400) requires auditors to exercise judgement in assessing inherent and control risks and in determining the required level of substantive procedures. The only time real numbers are required is when auditors choose to apply statistical sampling procedures in the performance of tests.
The second misconception is that internal control weaknesses require the performance of additional tests of control. As will be explained, the risk model requires the performance of fewer or even no tests of control where controls are weak, but the performance of additional substantive procedures.
Materiality, inherent risk and control environment
The assessment of materiality, inherent risk and the control environment all enter into the determination of the appropriate audit strategy. However, for the purpose of this article it will be presumed that the reader is familiar with these terms and they will not be explained in detail. This article will concentrate on the assessment of control risk and, in conjunction with assessments of materiality, inherent risk and the control environment, its implications for the development of an appropriate audit strategy.
Account balances transaction classes and assertions
As was explained in last month�s article Designing Audit Procedures, the building blocks of the audit evidence process are the financial statement assertions applicable to each transaction class and account balance. Similarly, the assessment of audit risk and determination of the appropriate audit strategy applies at this level. In practice, of course, we recognise that many control procedures apply to several assertions so the assessment of control risk is common to all those assertions. Similarly, transactions and balances are interrelated by double-entry bookkeeping. If we can obtain sufficient evidence about an assertion relating to all transactions affecting an account balance we do not need to obtain evidence as to that account balance itself. For example, if we verify the occurrence all fixed asset additions and the completeness of fixed asset disposals during a period, it may not be necessary to verify existence of the balance of fixed assets at the end of that period. However, subject to these considerations as to the sufficiency of audit evidence, consideration of audit strategy is presumed to apply at the level of each material financial statement assertion.
Developing the audit strategy
Figure 1 depicts the approach to developing an audit strategy. It commences with obtaining the understanding of the accounting and internal control systems. This is a requirement of all audits whatever strategy is to be adopted. The default presumption is that all of the evidence will come from the performance of substantive procedures. This is sometimes referred to as the �predominantly substantive� approach. Substantive procedures are those that substantiate the amounts recorded in the financial statements. However, substantive procedures are normally costly to perform. A more efficient audit could be performed if controls are judged to be sufficiently effective to enable a reduction in the level of substantive procedures. Furthermore, in certain situations, substantive procedures may not be able to provide sufficient evidence and a more effective audit could be performed if certain controls could be relied upon. The obvious example is with the completeness of cash receipts. Unless controls over the receipt of cash are effective it may be impossible to determine, through the use of substantive procedures, that all cash to which the entity is entitled has been properly recorded.
An audit strategy that places reliance on internal controls in supporting a reduced level of substantive procedures is sometimes referred to as a �lower assessed level of control risk� approach. This is not, in fact, a single strategy, but a range of strategies determined by the relative effectiveness of applicable control procedures (combined with assessments of inherent risk and materiality). Auditors must make four separate decisions in adopting such a strategy. Each of these decisions must be supported by relevant evidence in all but the first case. These decisions (depicted by diamonds in
Figure 1) are whether:
(The fifth diamond (diamond 3a) relates to modifying the application of the strategy.)
Desirability of adopting a �lower assessed level of control risk� strategy
In many situations it is apparent to the auditors that there is nothing to be achieved by assessing control risk. These include situations where:
In situations such as these auditors would proceed to draw up an audit programme consisting entirely of substantive procedures. In all other situations auditors will make a preliminary assessment of control risk.
Preliminary assessment of control risk
This phase of the assessment is concerned with the design of control procedures. Where the understanding of the accounting and internal control systems has been obtained through the use of an internal control questionnaire (ICQ), assessment of the design of controls is part of the same process. Otherwise most auditing firms have developed internal control evaluation checklists (ICEs) for assessing design effectiveness. These checklists identify potential misstatements and control procedures likely to prevent or detect such misstatements. In evaluating design effectiveness the auditors identify the presence of the suggested control procedures or other compensating controls that have the same effect.
Based on this preliminary assessment, the auditors will draw up the audit programme incorporating both tests of control and substantive procedures. The tests of control are designed to verify that control procedures are actually operating as laid down. The level of planned tests of control depends on the assessed level of control risk to be confirmed. The lower the assessed level of control risk, the higher the level of tests of control required to confirm that assessment, and, conversely, the lower the planned level of substantive procedures.
In some respects it might be better if the auditors waited until tests of control were completed before planning substantive procedures. However, experience has shown that the results of tests of control usually confirm the assessed level of control risk and, thus, the planned audit strategy. By designing substantive procedures at this stage detailed planning of the final audit can commence. Moreover, tests of control are typically performed, during the interim audit, simultaneously with substantive tests of details of transactions, sometimes as dual-purpose tests. Since both tests are applied to the same records it is more efficient to draft the audit programme so as to incorporate all tests to be conducted on the same records simultaneously. When testing the control that purchase invoices are supported by goods inward notes and purchase orders, for example, it makes sense to use the same sample of invoices to perform the substantive procedures of ensuring they are mathematically correct and entered into the purchase day book (journal) and purchase (accounts payable) ledger in the correct amount.
Tests of control
In order to justify reducing the level of substantive procedures SAS 300 (ISA 400) requires auditors to test the operating effectiveness of controls. These tests ensure that the control is operating as planned and thus confirm the preliminary assessment of control risk. Tests of control are aimed at detecting deviations from laid down procedures such as documents not properly approved, reconciliations not regularly performed or failure to enforce the required segregation of duty. Tests of control typically involve:
If the tests do not confirm the operation of the control as planned, the audit strategy will need to be reconsidered and the level of substantive procedures increased accordingly.
Effect of the assessment of control risk as less than high on substantive procedures
In considering the effect of the assessment of control risk on the level of substantive procedures necessary to achieve the desired level of detection risk, auditors may vary their nature, timing or extent.
The nature of substantive procedures may vary between tests of details and analytical procedures. In examining individual transactions and items making up an account balance tests of details are far more persuasive than analytical procedures which consider only the reasonableness of recorded totals. However, where a relatively high level of detection risk may be tolerated, analytical procedures may be sufficient. Since analytical procedures are much less costly to perform this would be the preferred option.
The timing of substantive procedures distinguishes between those performed at the balance sheet date and those performed prior to that date. Performance of procedures prior to the year-end reduces pressure on the auditors and enables the audit to be completed earlier. For example, where controls over stock (inventory) records are effective, reliance may be placed on a stocktake prior to the year-end updated by transactions in the intervening period. Where controls are particularly effective attendance at cyclical stocktakes alone may be sufficient.
Reducing the extent of substantive procedures is the commonest benefit to be achieved from assessment of control risk at less than high. Typically this means reliance on smaller sample sizes.
Substantive procedures and control risk Misstatements discovered through substantive procedures need to be reviewed both qualitatively and quantitatively. Quantitative assessment relates to the materiality of misstatements. Qualitative assessment is applicable where a �lower assessed level of control risk� strategy is being applied. Any misstatement suggests the failure of control procedures. Some failures are to be expected due to both inherent limitations of control and shortcomings already provided for in the assessment of control risk. Where the level of misstatements indicate a higher level of control risk than that on which the planned audit strategy has been based, further substantive procedures are needed if the desired level of audit risk is to be achieved.
The determination of audit strategy described in this article is consistent with the requirements of Auditing Standards and is widely applied by auditing firms. The assessment of inherent and control risk as less than high and the performance of a lower level of substantive procedures involves considerable judgement and entails a degree of risk. Critics argue that auditing firms are using the model in unduly restricting the extent of auditing work and impairing the quality of auditing. The other argument is that the risk model enables the more effective application of audit effort and enables the profession to perform a more efficient service without increasing the risk of audit failure. It is certainly a fact that audit costs are falling and that some of the cost savings are being achieved through intelligent use of the strategy described in this article.
Unable to open a PDF document? To open a PDF you need Adobe Acrobat Reader, which can be downloaded for free from the Adobe website.