The audit risk model enables you to focus on the important--and to ignore the unimportant. It is the key to performing efficient audits. So, today, we look at how to understand the audit risk model.
Remember the cowboy movie The Good, The Bad, The Ugly? Well, in audits we have the same.
The Good. The audit firm issues an unmodified opinion and the financial statements are fairly stated. Moreover, the audit file properly supports the opinion.
The Bad. The audit firm issues an unmodified opinion and the financial statements are fairly stated, but the work papers are weak. The audit firm just got lucky.
The Ugly. The audit firm issues an unmodified opinion but the financial statements are not fairly stated. Material error (or fraud) is present. And the audit file…well, we won’t go there. It’s ugly.
Audit failure occurs when an audit firm issues an unmodified opinion and the financial statements are not fairly stated. A material misstatement is present and the auditor doesn’t know it.
Material misstatements occur and remain in financial statements when:
Auditing standards (AU-C 200.14) define audit risk as “The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk.”
In other words, audit risk is the result of what the company does (or does not do) and what the auditor does (or does not do).
The audit risk model is defined as follows:
Inherent Risk X Control Risk X Detection Risk
I like to think of these three factors as follows:
The first two (inherent risk and control risk) live in the company’s accounting system; the third (detection risk) lies with the audit firm.
As the the risk of material misstatement (the company’s risk) increases, so should the auditors work. Proper audit work decreases detection risk (the risk that the auditor will not detect material misstatements).
To understand the audit risk model, consider the tale of a villain.
A villain (inherently a thief) desires to make his way into your home. You have locks on your doors and an alarm system (controls, if you will). But you forget to lock your back door and you don’t set the alarm. During the night, the thief comes in and steals your money. You see the thief fleeing away, but you don't know how much you've lost. So, what’s next? You call the police. Why? To see if everything is okay.
This is the audit risk model in physical form.
Think of a material misstatement as a villain. Its nature is to be wrong (inherent risk). If internal controls are weak or absent (control risk), the misstatement survives. And if the auditor fails (detection risk), the villain lives on without being caught.
Some transactions are more likely to be misstated. They are inherently risky. Why? Reasons include:
Inherent risk is what a transaction is (independent of related controls). There is a higher risk of misstatement—or not. And where does this risk come from? The transaction’s nature or its environment.
Internal controls are necessary when a transaction is risky. Why? To monitor and manage the risk. Think about the words internal control. First, internal means the control occurs within the company. Second, control means to manage.
Since some transactions are more prone to theft or error, companies need internal controls to prevent or detect misstatements.
Examples of internal controls include:
If internal controls are designed appropriately and work correctly, the financial statements should be materially correct. But if the internal controls are absent or ineffective, material misstatements can occur. What then? Well, it’s up to the auditor.
The auditor is tasked with detecting material misstatements. If he or she does not, audit failure occurs. The audit firm issues an unmodified opinion but a material misstatement is present.
Auditors decrease detection risk—the risk that material misstatements will not be detected—by appropriately planning and performing their work. Consider pricing your riskier audits at a higher amount.
Get my free weekly accounting and auditing digest with the latest content.
Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles is the quality control partner for McNair, McLemore, Middlebrooks & Co. where he provides daily audit and accounting assistance to over 65 CPAs. In addition, he consults with other CPA firms, assisting them with auditing and accounting issues.
Please log in again. The login page will open in a new tab. After logging in you can close it and return to this page.
CPA Hall Talk
Sign up for my