Do you know how to assess inherent risk? Knowing when this risk is low is a key to efficient audits. In this article, I tell you how to assess inherent risk--and how lower risk assessments (potentially) decrease the amount of work you perform.
While audit standards don't require separate assessments of inherent risk (IR) and control risk (CR), it's wise to do so. Why? So you know what drives the risk of material misstatement (RMM).
Many auditors assess control risk at high (after performing their risk assessment procedures). Why? So they don't have to test controls.
If control risk is high, then inherent risk is the only factor that can lower your risk of material misstatement. For example, a high control risk and a low inherent risk result in a moderate risk of material misstatement. Why is this important? Lower RMMs provide the basis for less substantive work.
The Audit Risk Model
Before we delve deeper into inherent risk assessment, let's do a quick review of the audit risk model. Auditing standards (AU-C 200.14) define audit risk as “The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk.”
Audit risk is defined as follows:
Audit Risk = IR X CR X Detection Risk
Inherent risk and control risk live within the entity to be audited.
Detection risk lies with the auditor.
A material misstatement may develop within the company because the transaction is risky or complex. Then, controls may not be sufficient to detect and correct the misstatement.
If the auditor fails to detect the material misstatement, audit failure occurs. The auditor issues an unmodified opinion when a material misstatement is present.
Risk of Material Misstatement
As we plan an audit, we assess the risk of material misstatement. It is defined as follows:
RMM = IR X CR
Auditors assess the risk of material misstatement at the assertion level so they can determine the level of substantive work. Substantive work is the response to risk.
If the RMM is high, more substantive work is needed. Why? To reduce detection risk.
But if the RMM is low to moderate, less substantive work is needed.
Inherent Risk Definition
What is inherent risk? The susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.
The risk for cash is greater than that of a building. Cash is easily stolen. Buildings are not.
The risk of a hedge transaction is greater than that of a trade receivable. Hedges can be complicated to compute. Trade receivables are not.
Post-retirement liabilities are inherently risky. Why? It's a complex accounting area. The numbers usually come from an actuary. There are estimates in the form of assumptions.
Inherent Risk Factors
Consider factors such as the following in assessing risk:
Inherent risk is not an average of the above factors. Just one risk factor can make an account balance or transaction cycle or disclosure high risk.
Inherent Risk at Less Than High
When inherent risk is less than high, you can perform fewer or less rigorous substantive procedures.
An example of a low inherent risk is the existence assertion for payables. If experienced payables personnel accrue payables, then the existence assertion might be assessed at low. (The directional risk of payables is an understatement, not an overstatement.) The lower risk assessment for existence allows the auditor to perform few if any procedures in relation to this assertion.
Conversely, the completeness assertion for accounts payable is commonly a high inherent risk. Businesses can inflate their profits by accruing fewer payables. Fraudulent reporting of period-end payables is possible. Therefore, the risk of completeness for payables is often high. That's why auditors perform a search for unrecorded liabilities.
Base your risk assessment on factors such as those listed above. If inherent risk is legitimately low, then great. You can perform less substantive work. But if the assertion is high risk, then it should be assessed accordingly--even if that means more work. (The AICPA has included questions in peer review checklists regarding the basis for lower risk assessments. Their concern (I think) is that auditors might manipulate this risk in order to perform less work. I've heard no one from the AICPA say this. But I can see how they might be concerned about this possibility.)
So, what is the relationship between inherent risk and control risk?
Companies develop internal controls to manage areas that are inherently risky.
A business might create internal controls to lessen the risk that payables are understated. Examples of such controls include:
- The CFO reviews the payables detail at period-end, inquiring about the completeness of the list
- A payables supervisor reviews all invoices entered into the payables system
- The payables supervisor inquires of all payables clerks about any unprocessed invoices at period-end
- A budget to actual report is provided to department heads for review
Inherent risk exists independent of internal controls.
Control risk exists when the design or operation of a control does not remove the risk of misstatement.
In August 2020, the AICPA issued an exposure draft titled Understanding the Entity and its Environment and Assessing the Risks of Material Misstatements. The draft has new inherent risk language, introducing the phrase inherent risk factors. See paragraph .12 for the definition. Inherent risk factors include uncertainty, change, and fraud risk (and more). The draft also introduces the concept of a spectrum of inherent risk, which is the degree to which inherent risk varies. The spectrum of inherent risk is affected by the inherent risk factors.
Additionally, there is a new definition for significant risks. Again, see paragraph .12 of the exposure draft. Significant risks are defined as those assessments close to the upper end of the spectrum of inherent risk. This is a nice change from the extant definition, which focuses on whether the auditor will give the area special audit consideration. In other words, the proposed definition focuses on inherent risk factors and not on the auditor’s response. Makes sense to me.