Do you know how to assess inherent risk? Knowing when inherent risk is low is a key to efficient audits. In this article, I tell you how to assess inherent risk--and how lower risk assessments (potentially) decrease the amount of work you perform.
While audit standards don't require a separate assessment on inherent risk (IR) and control risk (CR), it's wise to do so. Why? So you know what drives the risk of material misstatement (RMM).
Many auditors assess control risk at high (after performing their risk assessment procedures). Why? So they don't have to test controls.
If control risk is high, then inherent risk is the only factor that can lower your risk of material misstatement. For example, a high control risk and a low inherent risk results in a moderate risk of material misstatement. Why is this important? Lower RMMs provide the basis for less substantive work.
Before we delve deeper into inherent risk assessment, let's do a quick review of the audit risk model. Auditing standards (AU-C 200.14) define audit risk as “The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk.”
Audit risk is defined as follows:
Audit Risk = IR X CR X Detection Risk
Inherent risk and control risk live within the entity to be audited.
Detection risk lies with the auditor.
A material misstatement may develop within the company because the transaction is risky or complex. Then, controls may not be sufficient to detect and correct the misstatement.
If the auditor fails to detect the material misstatement, audit failure occurs. The auditor issues an unmodified opinion when a material misstatement is present.
As we plan an audit, we assess the risk of material misstatement. It is defined as follows:
RMM = IR X CR
Auditors assess the risk of material misstatement at the assertion level so they can determine the level of substantive work. Substantive work is the response to risk.
If the RMM is high, more substantive work is needed. Why? To reduce detection risk.
But if the RMM is low to moderate, less substantive work is needed.
What is inherent risk? The susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.
The inherent risk of cash is greater than that of a building. Cash is easily stolen. Buildings are not.
The inherent risk of a hedge transaction is greater than that of a trade receivable. Hedges can be complicated to compute. Trade receivables are not.
Post-retirement liabilities are inherently risky. Why? It's a complex accounting area. The numbers usually come from an actuary. There are estimates in the form of assumptions.
Consider factors such as the following in assessing inherent risk:
Inherent risk is not an average of the above factors. Just one risk factor can make an account balance or transaction cycle or disclosure high risk.
When inherent risk is less than high, you can perform fewer or less rigorous substantive procedures.
An example of a low inherent risk is the existence assertion for payables. If experienced payables personnel accrue payables, then the existence assertion might be assessed at low. (The directional risk of payables is an understatement, not an overstatement.) The lower risk assessment for existence allows the auditor to perform little if any procedures in relation to this assertion.
Conversely, the completeness assertion for accounts payable is commonly a high inherent risk. Businesses can inflate their profits by accruing fewer payables. Fraudulent reporting of period-end payables is possible. Therefore, the inherent risk of completeness for payables is often high. That's why auditors perform a search for unrecorded liabilities.
Base your risk assessment on factors such as those listed above. If inherent risk is legitimately low, then great. You can perform less substantive work. But if the assertion is high risk, then it should be assessed accordingly--even if that means more work. (The AICPA has included questions in peer review checklists regarding the basis for lower risk assessments. Their concern (I think) is that auditors might manipulate inherent risk in order to perform less work. I've heard no one from the AICPA say this. But I can see how they might be concerned about this possibility.)
So, what is the relationship between inherent risk and control risk?
Companies develop internal controls to manage areas that are inherently risky.
A business might create internal controls to lessen the risk that payables are understated. Examples of such controls include:
Inherent risk exists independent of internal controls.
Control risk exists when the design or operation of a control does not remove the risk of misstatement.
Obtain free practical information for CPAs and accountants.
Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles is the quality control partner for McNair, McLemore, Middlebrooks & Co. where he provides daily audit and accounting assistance to over 65 CPAs. In addition, he consults with other CPA firms, assisting them with auditing and accounting issues.
Please log in again. The login page will open in a new tab. After logging in you can close it and return to this page.