The audit risk model enables you to focus on the important--and to ignore the unimportant. It is the key to performing efficient audits. So, today, we look at how to understand the audit risk model.
The Good, The Bad, The Ugly
Remember the cowboy movie The Good, The Bad, The Ugly? Well, in audits we have the same.
The Good. The audit firm issues an unmodified opinion and the financial statements are fairly stated. Moreover, the audit file properly supports the opinion.
The Bad. The audit firm issues an unmodified opinion and the financial statements are fairly stated, but the work papers are weak. The audit firm just got lucky.
The Ugly. The audit firm issues an unmodified opinion but the financial statements are not fairly stated. Material error (or fraud) is present. And the audit file…well, we won’t go there. It’s ugly.
Audit failure occurs when an audit firm issues an unmodified opinion and the financial statements are not fairly stated. A material misstatement is present and the auditor doesn’t know it.
Material misstatements occur and remain in financial statements when:
- Internal controls (a responsibility of the company) fail or are improperly designed, and
- Audit work (a responsibility of the auditor) is lacking
Auditing standards (AU-C 200.14) define audit risk as “The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk.”
In other words, audit risk is the result of what the company does (or does not do) and what the auditor does (or does not do).
Audit Risk Model
The audit risk model is defined as follows:
Audit Risk = Inherent Risk X Control Risk X Detection Risk
I like to think of these three factors as follows:
- Inherent risk - the nature of the transaction or disclosure (risky or not risky)
- Control risk - the chance that material misstatements will not be prevented or detected by internal controls
- Detection risk - the chance that material misstatements will not be detected by the auditors
The first two (inherent risk and control risk) live in the company’s accounting system; the third (detection risk) lies with the audit firm.
As the risk of material misstatement (the company’s risk) increases, so should the auditor’s work. Proper audit work decreases detection risk (the risk that the auditor will not detect material misstatements).
To understand the audit risk model, consider the tale of a villain.
A Tale of a Villain
A villain (inherently a thief) desires to make his way into your home. You have locks on your doors and an alarm system (controls, if you will). But you forget to lock your back door and you don’t set the alarm. During the night, the thief comes in and steals your money. You see the thief fleeing away, but you don't know how much you've lost. So, what’s next? You call the police. Why? To see if everything is okay.
This is the audit risk model in physical form.
Think of a material misstatement as a villain. Its nature is to be wrong (inherent risk). If internal controls are weak or absent (control risk), the misstatement survives. And if the auditor fails (detection risk), the villain lives on without being caught.
Some transactions are more likely to be misstated. They are inherently risky. Why? Reasons include:
- The complexity of the transaction (e.g., derivatives)
- The asset is easy to steal (e.g., cash)
- The need for judgment (e.g., a bank’s allowance for loan losses)
- The volume of transactions is high (e.g., cash)
- The accounting personnel are inexperienced or lack sufficient knowledge
Inherent risk is what a transaction is (independent of related controls). There is a higher risk of misstatement—or not. And where does this risk come from? The transaction’s nature or its environment.
Internal controls are necessary when a transaction is risky. Why? To monitor and manage the risk. Think about the words internal control. First, internal means the control occurs within the company. Second, control means to manage.
Since some transactions are more prone to theft or error, companies need internal controls to prevent or detect misstatements.
Examples of internal controls include:
- The reconciliation of monthly bank statements to the general ledger
- Receipting clerks are not allowed to reconcile bank statements (to enhance segregation of duties)
- The cash supervisor reviews the daily work of collections personnel
- A department head reviews and approves bi-weekly time records (before payroll is processed)
- The accounting supervisor reviews all new vendors (added by payable clerks) to ensure legitimacy
If internal controls are designed appropriately and work correctly, the financial statements should be materially correct. But if the internal controls are absent or ineffective, material misstatements can occur. What then? Well, it’s up to the auditor.
The auditor is tasked with detecting material misstatements. If he or she does not, audit failure occurs. The audit firm issues an unmodified opinion but a material misstatement is present.
Auditors decrease detection risk—the risk that material misstatements will not be detected—by appropriately planning and performing their work. Consider pricing your riskier audits at a higher amount.
Understanding the Audit Risk Model - A Simple Summary
- Audit failure occurs when an auditor issues an unmodified opinion and a material misstatement is present
- Audit Risk = Inherent risk X Control risk X Detection risk
- Inherent risk is the nature of the transaction or disclosure (is it prone to misstatement?)
- Control risk is the chance that material misstatements will not be prevented or detected by internal controls
- Detection risk is the chance that material misstatements will not be detected by the auditor
- Internal controls, if designed well and working correctly, prevent or detect material misstatements
- Audits, if designed well and performed correctly, detect material misstatements