Audit risk model definition

What is the Audit Risk Model?

The audit risk model determines the total amount of risk associated with an audit, and describes how this risk can be managed. The model incorporates three types of audit risk into the following equation:

Audit risk (AR) = Control risk (CR) × Detection risk (DR) × Inherent risk (IR)

The three types of audit risk included in the equation are expanded upon below.

Control Risk

Control risk is the risk that potential material misstatements would not be detected or prevented by a client’s control systems. When there are significant control failures, a client is more likely to experience undocumented asset losses, which means that its financial statements may reveal a profit when there is actually a loss. In this situation, the auditor cannot rely on the client’s control system when devising an audit plan.

Detection Risk

Detection risk is the risk that the audit procedures used are not capable of detecting a material misstatement. This is especially likely when there are several misstatements that are individually immaterial, but which are material when aggregated. The outcome is that the auditor would conclude that there is no material misstatement of the financial statements when such an error actually exists. Increasing the quantity and especially the quality of audit procedures will reduce detection risk.

Inherent Risk

Inherent risk is the risk that a client’s financial statements are susceptible to material misstatements in the absence of any internal controls to guard against such misstatement. Inherent risk is greater when a high degree of judgment is involved in business transactions, since an inexperienced person is then more likely to make an error. It is also greater when significant estimates must be included in transactions, where an estimation error can be made. Inherent risk is likewise greater when the transactions in which a client engages are highly complex, and so are more likely to be completed or recorded incorrectly. Finally, this risk is present when a client engages in non-routine transactions for which it has no procedures or controls, thereby making it easier for employees to complete them incorrectly.

Inherent Limitations of an Audit

Of these three risks, only detection risk is largely under the control of the auditor. That being said, there will always be some amount of detection risk, due to the inherent limitations of an audit. These inherent limitations are caused by the following issues:

  • The nature of the financial reporting. The creation of financial statements usually involves a certain amount of subjective decision-making, where there is a range of possible numerical values that may be considered acceptable. This means that some line items will inherently be subject to a certain amount of variability that cannot be resolved by adding more audit procedures.

  • The nature of the audit procedures conducted. There are limitations on an auditor’s ability to obtain audit evidence, because the information provided by the client may not be complete, there is always a fraud risk, and the auditor does not have the legal power to conduct a proper investigation into wrongdoing at a client.

  • The timing and cost restrictions imposed on an audit. The auditor must make sufficient time and resources available to conduct an audit. Nonetheless, it is impracticable to address all information that may exist, or to pursue every matter in exhaustive detail. Consequently, the auditor is expected to focus resources on those areas most likely to contain risks of material misstatement, which means that reduced resources are targeted at other areas of an audit.

How to Evaluate Audit Risk

The standard approach to the evaluation of risk is to first assess control risk and inherent risk, and use this information to decide upon the most appropriate planned level of detection risk. Then, audit programs are designed to obtain the audit evidence that will support the planned level of detection risk. To arrive at the planned level of detection risk, the following modified version of the audit risk equation can be used:

Planned level of detection risk = (Control risk × Inherent risk) ÷ Acceptable audit risk

For example, an auditor is conducting an initial assessment of a new client, where the acceptable audit risk is 5%. The control risk is initially assessed to be 50%, while the inherent risk is assessed at 90%. By plugging this information into the revised audit risk equation, he arrives at the following outcome:

Planned level of detection risk = (0.50 control risk × 0.90 inherent risk) ÷ 0.05 acceptable audit risk

Planned level of detection risk = 9%

Given these risk levels, the auditor needs to plan his substantive audit tests to reduce the risk of not detecting material misstatements to 9%.

Though this model seems simple enough, the problem is how to derive the inputs to the model. It is not possible to quantify any of the inputs to the planned level of detection risk – which means that the 9% planned level of detection risk noted in the preceding example could have been half that amount or double it simply by changing an estimate. Another concern is that, since every input to the equation is subjective, how can we realistically expect to multiply and divide them? In essence, we are attempting to apply mathematical concepts to opinions. Nonetheless, the equation is a useful way to conceptualize how an audit program should be constructed to collect a sufficient amount of appropriate audit evidence.