What factors are to be considered by an auditor while making control risk assessment?

A conceptual tool applied by auditors to quantify the audit strategy’s assertion level

What is an Audit Risk Model?

An audit risk model is a conceptual tool applied by auditors to evaluate and manage the various risks arising from performing an audit engagement. The tool helps the auditor decide on the types of evidence and how much is needed for each relevant assertion.

The audit risk model indicates the type of evidence that needs to be collected for each transaction class, disclosure, and account balance. It is best determined during the planning stage and only possesses little value in terms of evaluating audit performance.

Summary

• An audit risk model is a conceptual tool applied by auditors to evaluate and manage the overall risk encountered in performing an audit.
• The audit risk model is best applied during the planning stage and possesses little value in terms of evaluating audit performance.
• Risk elements are (1) inherent risk, (2) control risk, (3) acceptable audit risk, and (4) detection risk.

What Risks are Considered in Each Cycle?

Audit Risk = Inherent Risk * Control Risk * Detection Risk

1. Inherent Risk

Inherent risk is the auditor’s assessment of the susceptibility to material misstatement of an assertion about a transaction class, an account balance, or an attached disclosure, quoted individually or an aggregation. The assessment is performed before the consideration of relevant internal controls in place. Inherent risk is essentially the perceived systematic risk of material misstatement based on the firm’s structure, industry, or market it participates in.

A higher inherent risk indicates that the transaction class, balance, or an attached disclosure is at risk of being materially misstated. Lower inherent risk implies that the account is not likely to be materially misstated.

Inherent risk is based on factors that ultimately affect many accounts or are peculiar to a specific assertion. For example, the inherent risk could potentially be higher for the valuation assertion related to accounts or GAAP estimates that involve the best judgment.

2. Control Risk

Control risk is the auditor’s assessment of how likely a material misstatement can occur in an assertion about a transaction class, account balance, or an attached disclosure and cannot be identified or prevented in a time-sensitive manner by the client’s pre-existing internal controls.

Generally, an auditor will perform a control risk assessment concerning the financial statement level of risk and the assertion level of risk. Therefore, performing such an assessment will require the auditor to possess a strong understanding of the organization’s internal controls.

The client is said to demonstrate a high control risk of the controls if a specific assertion does not operate effectively or if the auditor deems that testing the internal controls would be an inefficient use of audit resources.

For example, the control risk can be higher for a valuation assertion for accounts that are calculated in a complex manner or involve the accountant’s best judgment, if the client’s internal controls lack an independent review and verification of the financial statement calculations.

3. Acceptable Audit Risk

Acceptable audit risk is the auditor’s level of risk that they are willing to accept to release an unqualified opinion on financial statements that can be materially misstated. Unqualified audit opinions state that financial statements are presumed to be free from material misstatements.

4. Detection Risk

Detection risk is the risk that audit evidence for any given audit assertion will fail to capture material misstatements. If the client shows a high detection risk, the auditor will likely be able to detect any material errors. The auditor will react by reducing substantive testing.

If there is a low detection risk, there is a minor probability that the auditor will not be able to detect a material error; therefore, the auditor must complete additional substantive testing.

Relationship Between Acceptable Audit Risk and Audit Assurance

Audit assurance is the direct complement to acceptable audit risk. For example, if acceptable audit risk is 5%, the level of audit assurance would be (1 – 5%) = 95%. Therefore, the auditor gains 95% total assurance that the financial statements are free of material misstatement.

Audit Risk Model in Action

A public accounting firm’s acceptable audit risk is 4%, and the inherent risk and the control risk are 80% and 100%, respectively. What is the detection risk?

Detection Risk = 0.04 / (0.80 * 1.0)

Detection Risk = 0.05

The detection risk of audit evidence for an assertion failing to detect material misstatements is 5%. The audit, therefore, provides (1 – .05) assurance that the financial statements are free from material misstatement.

Related Readings

CFI offers the Commercial Banking & Credit Analyst (CBCA)™ certification program for those looking to take their careers to the next level. To keep learning and advancing your career, the following resources will be helpful:

• Auditor’s Report
• Financial Statement Manipulation
• Negative Confirmation
• Threats to Auditor Independence